Normalized event data model

This section presents the KUMA normalized event data model. All events that KUMA Correlator processes to detect alerts must comply with this model.

Events that do not comply with this data model must be converted to this format (normalized) by Collectors.

Normalized event data model

Fields whose names reflect their purpose. These fields can be modified.

| Field name | Data type | Field size | Description |
|---|---|---|---|
| ApplicationProtocol | String | 31 characters | Name of the application layer protocol. For example, HTTPS, SSH, Telnet. |
| BytesIn | Number | From -9223372036854775808 to 9223372036854775807 | Number of bytes received. |
| BytesOut | Number | From -9223372036854775808 to 9223372036854775807 | Number of bytes sent. |
| DestinationAddress | String | 45 characters | IPv4 or IPv6 address of the asset that the action will be performed on. For example, 0.0.0.0 or xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx |
| DestinationCity | String | 1023 characters | City corresponding to the IP address from the DestinationAddress field. |
| DestinationCountry | String | 1023 characters | Country corresponding to the IP address from the DestinationAddress field. |
| DestinationDnsDomain | String | 255 characters | The DNS portion of the fully qualified domain name of the destination. |
| DestinationHostName | String | 1023 characters | Host name of the destination. FQDN of the destination, if available. |
| DestinationLatitude | Floating point number | +/- 1.7E-308 to 1.7E+308 | Longitude corresponding to the IP address from the DestinationAddress field. |
| DestinationLongitude | Floating point number | +/- 1.7E-308 to 1.7E+308 | Latitude corresponding to the IP address from the DestinationAddress field. |
| DestinationMacAddress | String | 17 characters | MAC address of the destination. For example, aa:bb:cc:dd:ee:00 |
| DestinationNtDomain | String | 255 characters | Windows Domain Name of the destination. |
| DestinationPort | Number | From -9223372036854775808 to 9223372036854775807 | Port number of the destination. |
| DestinationProcessID | Number | From -9223372036854775808 to 9223372036854775807 | System process ID registered on the destination. |
| DestinationProcessName | String | 1023 characters | Name of the system process registered on the destination. For example, sshd, telnet. |
| DestinationRegion | String | 1023 characters | Region corresponding to the IP address from the DestinationAddress field. |
| DestinationServiceName | String | 1023 characters | Name of the service on the destination side. For example, sshd. |
| DestinationTranslatedAddress | String | 45 characters | Translated IPv4 or IPv6 address of the destination. For example, 0.0.0.0 or xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx |
| DestinationTranslatedPort | Number | From -9223372036854775808 to 9223372036854775807 | Port number at the destination after translation. |
| DestinationUserID | String | 1023 characters | User ID of the destination. |
| DestinationUserName | String | 1023 characters | User name of the destination. |
| DestinationUserPrivileges | String | 1023 characters | Names of roles that identify user privileges at the destination. For example, User, Guest, Administrator. |
| DeviceAction | String | 63 characters | Action that was taken by the event source. For example, blocked, detected. |
| DeviceAddress | String | 45 characters | IPv4 or IPv6 address of the device from which the event was received. For example, 0.0.0.0 or xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx |
| DeviceCity | String | 1023 characters | City corresponding to the IP address from the DeviceAddress field. |
| DeviceCountry | String | 1023 characters | Country corresponding to the IP address from the DeviceAddress field. |
| DeviceDnsDomain | String | 255 characters | DNS part of the fully qualified domain name of the device from which the event was received. |
| DeviceEventClassID | String | 1023 characters | Event type ID assigned by the event source. |
| DeviceExternalID | String | 255 characters | ID of the device or product assigned by the event source. |
| DeviceFacility | String | 1023 characters | Value of the facility parameter set by the event source. |
| DeviceHostName | String | 100 characters | Name of the device from which the event was received. FQDN of the device, if available. |
| DeviceInboundinterface | String | 128 characters | Name of the incoming connection interface. |
| DeviceLatitude | Floating point number | +/- 1.7E-308 to 1.7E+308 | Longitude corresponding to the IP address from the DeviceAddress field. |
| DeviceLongitude | Floating point number | +/- 1.7E-308 to 1.7E+308 | Latitude corresponding to the IP address from the DeviceAddress field. |
| DeviceMacAddress | String | 17 characters | MAC address of the asset from which the event was received. For example, aa:bb:cc:dd:ee:00 |
| DeviceNtDomain | String | 255 characters | Windows Domain Name of the device. |
| DeviceOutboundinterface | String | 128 characters | Name of the outgoing connection interface. |
| DevicePayloadID | String | 128 characters | The payload's unique ID that is associated with the raw event. |
| DeviceProcessID | Number | From -9223372036854775808 to 9223372036854775807 | ID of the system process on the device that generated the event. |
| DeviceProcessName | String | 1023 characters | Name of the process. |
| DeviceProduct | String | 63 characters | Name of the product that generated the event. DeviceVendor, DeviceProduct, and DeviceVersion together uniquely identify the log source. |
| DeviceReceiptTime | Number | From -9223372036854775808 to 9223372036854775807 | Time when the device received the event. |
| DeviceRegion | String | 1023 characters | Region corresponding to the IP address from the DeviceAddress field. |
| DeviceTimeZone | String | 255 characters | Time zone of the device on which the event was generated. |
| DeviceTranslatedAddress | String | 45 characters | Re-translated IPv4 or IPv6 address of the device from which the event was received. For example, 0.0.0.0 or xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx |
| DeviceVendor | String | 63 characters | Vendor name of the event source. DeviceVendor, DeviceProduct, and DeviceVersion together uniquely identify the log source. |
| DeviceVersion | String | 31 characters | Product version of the event source. DeviceVendor, DeviceProduct, and DeviceVersion together uniquely identify the log source. |
| EndTime | Number | From -9223372036854775808 to 9223372036854775807 | Date and time (timestamp) when the event ended. |
| EventOutcome | String | 63 characters | Result of the operation. For example, success, failure. |
| ExternalID | String | 40 characters | Field in which the ID can be saved. |
| FileCreateTime | Number | From -9223372036854775808 to 9223372036854775807 | File creation time. |
| FileHash | String | 255 characters | Hash of the file. Example: CA737F1014A48F4C0B6DD43CB177B0AFD9E5169367544C494011E3317DBF9A509CB1E5DC1E85A941BBEE3D7F2AFBC9B1 |
| FileID | String | 1023 characters | ID of the file. |
| FileModificationTime | Number | From -9223372036854775808 to 9223372036854775807 | Time when the file was last modified. |
| FileName | String | 1023 characters | File name without the file path. |
| FilePath | String | 1023 characters | File path, including the file name. |
| FilePermission | String | 1023 characters | List of file permissions. |
| FileSize | Number | From -9223372036854775808 to 9223372036854775807 | File size. |
| FileType | String | 1023 characters | File type. |
| Message | String | 1023 characters | Brief description of the event. |
| Name | String | 512 characters | Name of the event. |
| OldFileCreateTime | Number | From -9223372036854775808 to 9223372036854775807 | Time when the OLD file from the event was created. The time is specified in UTC0. In the KUMA web interface, the value is displayed in the time zone of the user's browser. |
| OldFileHash | String | 255 characters | Hash of the OLD file. Example: CA737F1014A48F4C0B6DD43CB177B0AFD9E5169367544C494011E3317DBF9A509CB1E5DC1E85A941BBEE3D7F2AFBC9B1 |
| OldFileID | String | 1023 characters | ID of the OLD file. |
| OldFileModificationTime | Number | From -9223372036854775808 to 9223372036854775807 | Time when the OLD file was last modified. |
| OldFileName | String | 1023 characters | Name of the OLD file (without the file path). |
| OldFilePath | String | 1023 characters | Path to the OLD file, including the file name. |
| OldFilePermission | String | 1023 characters | List of permissions of the OLD file. |
| OldFileSize | Number | From -9223372036854775808 to 9223372036854775807 | Size of the OLD file. |
| OldFileType | String | 1023 characters | Type of the OLD file. |
| Reason | String | 1023 characters | Information about the reason for the event. |
| RequestClientApplication | String | 1023 characters | Value of the "user-agent" parameter of the HTTP request. |
| RequestContext | String | 2048 characters | Description of the HTTP request context. |
| RequestCookies | String | 1023 characters | Cookies associated with the HTTP request. |
| RequestMethod | String | 1023 characters | Method used when making the HTTP request. |
| RequestUrl | String | 1023 characters | Requested URL. |
| Severity | String | 1023 characters | Priority. This can be the Severity field or the Level field of the raw event. |
| SourceAddress | String | 45 characters | IPv4 or IPv6 address of the source. Example format: 0.0.0.0 or xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx |
| SourceCity | String | 1023 characters | City corresponding to the IP address from the SourceAddress field. |
| SourceCountry | String | 1023 characters | Country corresponding to the IP address from the SourceAddress field. |
| SourceDnsDomain | String | 255 characters | The DNS portion of the fully qualified domain name of the source. |
| SourceHostName | String | 1023 characters | Windows Domain Name of the event source device. |
| SourceLatitude | Floating point number | +/- 1.7E-308 to 1.7E+308 | Longitude corresponding to the IP address from the SourceAddress field. |
| SourceLongitude | Floating point number | +/- 1.7E-308 to 1.7E+308 | Latitude corresponding to the IP address from the SourceAddress field. |
| SourceMacAddress | String | 17 characters | MAC address of the source. Format example: aa:bb:cc:dd:ee:00 |
| SourceNtDomain | String | 255 characters | Windows Domain Name of the source. |
| SourcePort | Number | From -9223372036854775808 to 9223372036854775807 | Source port number. |
| SourceProcessID | Number | From -9223372036854775808 to 9223372036854775807 | System process ID. |
| SourceProcessName | String | 1023 characters | Name of the system process at the source. For example, sshd, telnet. |
| SourceRegion | String | 1023 characters | Region corresponding to the IP address from the SourceAddress field. |
| SourceServiceName | String | 1023 characters | Name of the service on the source side. For example, sshd. |
| SourceTranslatedAddress | String | 45 characters | Translated IPv4 or IPv6 address of the source. Example format: 0.0.0.0 or xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx |
| SourceTranslatedPort | Number | From -9223372036854775808 to 9223372036854775807 | Port number of the source after translation. |
| SourceUserID | String | 1023 characters | User ID of the source. |
| SourceUserName | String | 1023 characters | User name of the source. |
| SourceUserPrivileges | String | 1023 characters | Names of roles that identify user privileges of the source. For example, User, Guest, Administrator. |
| StartTime | Number | From -9223372036854775808 to 9223372036854775807 | Date and time (timestamp) when the activity associated with the event began. |
| Tactic | String | 128 characters | Name of the tactic from the MITRE ATT&CK matrix. |
| Technique | String | 128 characters | Name of the technique from the MITRE ATT&CK matrix. |
| TransportProtocol | String | 31 characters | Name of the Transport layer protocol of the OSI model (TCP, UDP, etc.). |
| Type | Number | From -9223372036854775808 to 9223372036854775807 | Event type: 1 - basic, 2 - aggregated, 3 - correlation, 4 - audit, 5 - monitoring. |

Fields whose purpose is defined by the user. These fields can be modified.

| Field name | Data type | Field size | Description |
|---|---|---|---|
| DeviceCustomDate1 | Number, timestamp | From -9223372036854775808 to 9223372036854775807 | Field for mapping a date and time value (timestamp). The time is specified in UTC0. In the KUMA web interface, the value is displayed in the time zone of the user's browser. |
| DeviceCustomDate1Label | String | 1023 characters | Field for describing the purpose of the DeviceCustomDate1 field. |
| DeviceCustomDate2 | Number, timestamp | From -9223372036854775808 to 9223372036854775807 | Field for mapping a date and time value (timestamp). The time is specified in UTC0. In the KUMA web interface, the value is displayed in the time zone of the user's browser. |
| DeviceCustomDate2Label | String | 1023 characters | Field for describing the purpose of the DeviceCustomDate2 field. |
| DeviceCustomFloatingPoint1 | Floating point number | +/- 1.7E-308 to 1.7E+308 | Field for mapping floating point numbers. |
| DeviceCustomFloatingPoint1Label | String | 1023 characters | Field for describing the purpose of the DeviceCustomFloatingPoint1 field. |
| DeviceCustomFloatingPoint2 | Floating point number | +/- 1.7E-308 to 1.7E+308 | Field for mapping floating point numbers. |
| DeviceCustomFloatingPoint2Label | String | 1023 characters | Field for describing the purpose of the DeviceCustomFloatingPoint2 field. |
| DeviceCustomFloatingPoint3 | Floating point number | +/- 1.7E-308 to 1.7E+308 | Field for mapping floating point numbers. |
| DeviceCustomFloatingPoint3Label | String | 1023 characters | Field for describing the purpose of the DeviceCustomFloatingPoint3 field. |
| DeviceCustomFloatingPoint4 | Floating point number | +/- 1.7E-308 to 1.7E+308 | Field for mapping floating point numbers. |
| DeviceCustomFloatingPoint4Label | String | 1023 characters | Field for describing the purpose of the DeviceCustomFloatingPoint4 field. |
| DeviceCustomIPv6Address1 | String | 45 characters | Field for mapping an IPv6 address value. Format example: y:y:y:y:y:y:y:y |
| DeviceCustomIPv6Address1Label | String | 1023 characters | Field for describing the purpose of the DeviceCustomIPv6Address1 field. |
| DeviceCustomIPv6Address2 | String | 45 characters | Field for mapping an IPv6 address value. Format example: y:y:y:y:y:y:y:y |
| DeviceCustomIPv6Address2Label | String | 1023 characters | Field for describing the purpose of the DeviceCustomIPv6Address2 field. |
| DeviceCustomIPv6Address3 | String | 45 characters | Field for mapping an IPv6 address value. Format example: y:y:y:y:y:y:y:y |
| DeviceCustomIPv6Address3Label | String | 1023 characters | Field for describing the purpose of the DeviceCustomIPv6Address3 field. |
| DeviceCustomIPv6Address4 | String | 45 characters | Field for mapping an IPv6 address value. Format example: y:y:y:y:y:y:y:y |
| DeviceCustomIPv6Address4Label | String | 1023 characters | Field for describing the purpose of the DeviceCustomIPv6Address4 field. |
| DeviceCustomNumber1 | Number | From -9223372036854775808 to 9223372036854775807 | Field for mapping an integer value. |
| DeviceCustomNumber1Label | String | 1023 characters | Field for describing the purpose of the DeviceCustomNumber1 field. |
| DeviceCustomNumber2 | Number | From -9223372036854775808 to 9223372036854775807 | Field for mapping an integer value. |
| DeviceCustomNumber2Label | String | 1023 characters | Field for describing the purpose of the DeviceCustomNumber2 field. |
| DeviceCustomNumber3 | Number | From -9223372036854775808 to 9223372036854775807 | Field for mapping an integer value. |
| DeviceCustomNumber3Label | String | 1023 characters | Field for describing the purpose of the DeviceCustomNumber3 field. |
| DeviceCustomString1 | String | 4000 characters | Field for mapping a string value. |
| DeviceCustomString1Label | String | 1023 characters | Field for describing the purpose of the DeviceCustomString1 field. |
| DeviceCustomString2 | String | 4000 characters | Field for mapping a string value. |
| DeviceCustomString2Label | String | 1023 characters | Field for describing the purpose of the DeviceCustomString2 field. |
| DeviceCustomString3 | String | 4000 characters | Field for mapping a string value. |
| DeviceCustomString3Label | String | 1023 characters | Field for describing the purpose of the DeviceCustomString3 field. |
| DeviceCustomString4 | String | 4000 characters | Field for mapping a string value. |
| DeviceCustomString4Label | String | 1023 characters | Field for describing the purpose of the DeviceCustomString4 field. |
| DeviceCustomString5 | String | 4000 characters | Field for mapping a string value. |
| DeviceCustomString5Label | String | 1023 characters | Field for describing the purpose of the DeviceCustomString5 field. |
| DeviceCustomString6 | String | 4000 characters | Field for mapping a string value. |
| DeviceCustomString6Label | String | 1023 characters | Field for describing the purpose of the DeviceCustomString6 field. |
| DeviceDirection | Number | From -9223372036854775808 to 9223372036854775807 | Field for describing the direction of the connection for an event. "0" - incoming connection, "1" - outgoing connection. |
| DeviceEventCategory | String | 1023 characters | Event category assigned by the device that sent the event to the SIEM. |
| FlexDate1 | Number, timestamp | From -9223372036854775808 to 9223372036854775807 | Field for mapping a date and time value (timestamp). The time is specified in UTC0. In the KUMA web interface, the value is displayed in the time zone of the user's browser. |
| FlexDate1Label | String | 128 characters | Field for describing the purpose of the FlexDate1Label field. |
| FlexNumber1 | Number | From -9223372036854775808 to 9223372036854775807 | Field for mapping an integer value. |
| FlexNumber1Label | String | 128 characters | Field for describing the purpose of the FlexNumber1Label field. |
| FlexNumber2 | Number | From -9223372036854775808 to 9223372036854775807 | Field for mapping an integer value. |
| FlexNumber2Label | String | 128 characters | Field for describing the purpose of the FlexNumber2Label field. |
| FlexString1 | String | 1023 characters | Field for mapping a string value. |
| FlexString1Label | String | 128 characters | Field for describing the purpose of the FlexString1Label field. |
| FlexString2 | String | 1023 characters | Field for mapping a string value. |
| FlexString2Label | String | 128 characters | Field for describing the purpose of the FlexString2Label field. |

Service fields. These cannot be edited.

| Field name | Data type | Field size | Description |
|---|---|---|---|
| AffectedAssets | Nested [Affected] structure | - | Nested structure from which you can query alert-related assets and user accounts, and find out the number of times they appear in alert events. |
| AggregationRuleID | String | - | ID of the aggregation rule. |
| AggregationRuleName | String | - | Name of the aggregation rule that processed the event. |
| BaseEventCount | Number | - | For an aggregated base event, this is the number of base events that were processed by the aggregation rule. For a correlation event, this is the number of base events that were processed by the correlation rule that generated the correlation event. |
| BaseEvents | Nested [Event] list | - | Nested structure containing a list of base events. This field can be filled in for correlation events. |
| Code | String | - | In a base event, this is the return code of a process, function or operation from the source. |
| CorrelationRuleID | String | - | ID of the correlation rule. |
| CorrelationRuleName | String | - | Name of the correlation rule that triggered the creation of the correlation event. Filled in only for correlation events. |
| DestinationAccountID | String | - | This field stores the user ID. |
| DestinationAssetID | String | - | This field stores the asset ID of the destination. |
| DeviceAssetID | String | - | This field stores the ID of the asset that sent the event to the SIEM. |
| Extra | Nested [string:string] dictionary | - | During normalization of a raw event, this field can be used to place fields that have not been mapped to KUMA event fields. This field can be filled in only for base events. The maximum size of the field is 4 MB. |
| GroupedBy | String | - | List of names of the fields that were used for grouping in the correlation rule. Filled in only for correlation events. |
| ID | String | - | Unique event ID of UUID type. The collector generates the ID for a base event that is generated by the collector. The correlator generates the ID of a correlation event. The ID never changes its value. |
| Raw | String | - | Non-normalized text of the original 'raw' event. Maximum field size is 16,384 bytes. |
| ReplayID | String | - | ID of the retroscan that generated the event. |
| ServiceID | String | - | ID of the service instance: correlator, collector, storage. |
| ServiceName | String | - | Name of the microservice instance that the KUMA administrator assigns when creating the microservice. |
| SourceAccountID | String | - | This field stores the user ID. |
| SourceAssetID | String | - | This field stores the asset ID of the event source. |
| SpaceID | String | - | ID of the space. |
| TenantID | String | - | This field stores the ID of the tenant. |
| TI | Nested [string:string] dictionary | - | Field that contains categories, in dictionary format, received from an external Threat Intelligence source based on indicators from an event. |
| TICategories | map[string] | - | This field contains categories received from an external TI provider based on the indicators contained in the event. |
| Timestamp | Number | - | Timestamp of the base event created in the collector. Creation time of the correlation event created by the collector. The time is specified in UTC0. In the KUMA web interface, the value is displayed in the time zone of the user's browser. |
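The tables above define the contract a Collector has to meet: every mapped value must have the right type and fit the stated field size, anything that does not map to a model field goes into Extra (base events only, at most 4 MB), and the original text is kept in Raw (at most 16,384 bytes). The following is an added example, not KUMA's own code, of a small normalizer and a checker for a subset of that contract. The field names, types, sizes and the Type and DeviceDirection value sets are taken from the tables; the key=value raw line, the key-to-field mapping (FIELD_MAP) and the helper names are constructed for illustration.

```python
import json
import re
from typing import Any, Callable, Dict, List, Optional, Tuple

# Subset of the normalized event data model: field -> (Python type, max length).
# Names, types and sizes are the ones the tables give; None means no length limit.
SCHEMA: Dict[str, Tuple[type, Optional[int]]] = {
    "ApplicationProtocol": (str, 31),
    "DeviceAction": (str, 63),
    "DeviceVendor": (str, 63),
    "DeviceProduct": (str, 63),
    "DeviceVersion": (str, 31),
    "DeviceHostName": (str, 100),
    "SourceAddress": (str, 45),
    "SourcePort": (int, None),
    "DestinationAddress": (str, 45),
    "DestinationPort": (int, None),
    "SourceUserName": (str, 1023),
    "EventOutcome": (str, 63),
    "TransportProtocol": (str, 31),
    "DeviceDirection": (int, None),
    "Type": (int, None),
    "Raw": (str, None),
    "Extra": (dict, None),
}
INT64_MIN, INT64_MAX = -9223372036854775808, 9223372036854775807
RAW_MAX_BYTES = 16384              # Raw: maximum field size is 16,384 bytes
EXTRA_MAX_BYTES = 4 * 1024 * 1024  # Extra: maximum size is 4 MB

# Constructed raw event in key=value form (not a real product's log format).
RAW_EVENT = (
    "vendor=ExampleCo product=GatewayFW version=1.2 host=fw-edge-01 "
    "src=10.0.0.5 spt=51514 dst=10.0.1.20 dpt=22 proto=TCP app=SSH "
    "user=alice action=blocked outcome=failure dir=in sessionid=98721"
)

# Assumed mapping from raw keys to model fields, with a converter for each.
# Keys absent from this table are not dropped: they are placed in Extra.
FIELD_MAP: Dict[str, Tuple[str, Callable[[str], Any]]] = {
    "vendor": ("DeviceVendor", str),
    "product": ("DeviceProduct", str),
    "version": ("DeviceVersion", str),
    "host": ("DeviceHostName", str),
    "src": ("SourceAddress", str),
    "spt": ("SourcePort", int),
    "dst": ("DestinationAddress", str),
    "dpt": ("DestinationPort", int),
    "proto": ("TransportProtocol", str),
    "app": ("ApplicationProtocol", str),
    "user": ("SourceUserName", str),
    "action": ("DeviceAction", str),
    "outcome": ("EventOutcome", str),
    # DeviceDirection: "0" - incoming connection, "1" - outgoing connection.
    "dir": ("DeviceDirection", lambda v: 0 if v == "in" else 1),
}


def parse_kv(line: str) -> Dict[str, str]:
    """Split a constructed key=value line into a dictionary."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def normalize(raw: str) -> Dict[str, Any]:
    """Produce a base event (Type 1) from the raw text, keeping the original in Raw."""
    event: Dict[str, Any] = {"Type": 1, "Raw": raw, "Extra": {}}
    for key, value in parse_kv(raw).items():
        mapping = FIELD_MAP.get(key)
        if mapping is None:
            event["Extra"][key] = value  # unmapped field: kept in Extra rather than lost
            continue
        field, convert = mapping
        event[field] = convert(value)
    return event


def validate(event: Dict[str, Any]) -> List[str]:
    """Return the list of violations of the model subset; an empty list means the event conforms."""
    problems: List[str] = []
    for field, value in event.items():
        if field not in SCHEMA:
            problems.append(f"{field}: not a field of the model subset")
            continue
        ftype, limit = SCHEMA[field]
        if not isinstance(value, ftype):
            problems.append(f"{field}: expected {ftype.__name__}, got {type(value).__name__}")
        elif ftype is str and limit is not None and len(value) > limit:
            problems.append(f"{field}: {len(value)} characters exceeds the limit of {limit}")
        elif ftype is int and not INT64_MIN <= value <= INT64_MAX:
            problems.append(f"{field}: value outside the 64-bit range")
    if event.get("Type") not in (1, 2, 3, 4, 5):
        problems.append("Type: must be 1 (basic), 2 (aggregated), 3 (correlation), 4 (audit) or 5 (monitoring)")
    if "DeviceDirection" in event and event["DeviceDirection"] not in (0, 1):
        problems.append("DeviceDirection: must be 0 (incoming) or 1 (outgoing)")
    if len(event.get("Raw", "").encode("utf-8")) > RAW_MAX_BYTES:
        problems.append(f"Raw: exceeds {RAW_MAX_BYTES} bytes")
    if len(json.dumps(event.get("Extra", {})).encode("utf-8")) > EXTRA_MAX_BYTES:
        problems.append("Extra: exceeds 4 MB")
    return problems


if __name__ == "__main__":
    ev = normalize(RAW_EVENT)
    print(json.dumps(ev, indent=2))
    print("violations:", validate(ev))
```

Running the checker before an event leaves the Collector is the cheap way to catch a mapping that silently truncates or mistypes a value, for example a vendor string longer than 63 characters or a port that stayed a string; the sample event above passes, and the unmapped sessionid key ends up in Extra.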

Nested Affected structure

| Field | Data type | Description |
|---|---|---|
| Assets | Nested [AffectedRecord] list | List and number of assets associated with the alert. |
| Accounts | Nested [AffectedRecord] list | List and number of user accounts associated with the alert. |

Nested AffectedRecord structure

| Field | Data type | Description |
|---|---|---|
| Value | String | ID of the asset or user account. |
| Count | Number | The number of times an asset or user account appears in alert-related events. |
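To show how the Affected and AffectedRecord structures relate to the service fields of the event model, here is an added example, not KUMA's own code, that builds them from the base events of a correlation event. The field names (Assets, Accounts, Value, Count, BaseEvents, BaseEventCount, CorrelationRuleID, CorrelationRuleName, and the asset and account ID fields) are from the tables; the sample events, the helper names, and the rule that an ID is counted once per event it appears in are assumptions made for illustration.

```python
from collections import Counter
from typing import Any, Dict, List, Sequence

# Fields of the event model (service fields table) that carry asset and account IDs.
ASSET_ID_FIELDS = ("DeviceAssetID", "SourceAssetID", "DestinationAssetID")
ACCOUNT_ID_FIELDS = ("SourceAccountID", "DestinationAccountID")

# Constructed base events; only the ID fields matter for this example.
BASE_EVENTS: List[Dict[str, Any]] = [
    {"ID": "e1", "Type": 1, "DeviceAssetID": "asset-fw", "SourceAssetID": "asset-ws-7",
     "DestinationAssetID": "asset-srv-1", "SourceAccountID": "acct-alice"},
    {"ID": "e2", "Type": 1, "DeviceAssetID": "asset-fw", "SourceAssetID": "asset-ws-7",
     "DestinationAssetID": "asset-srv-2", "SourceAccountID": "acct-alice"},
    {"ID": "e3", "Type": 1, "DeviceAssetID": "asset-fw", "SourceAssetID": "asset-ws-9",
     "DestinationAssetID": "asset-srv-1", "SourceAccountID": "acct-bob",
     "DestinationAccountID": "acct-svc"},
]


def affected_records(events: Sequence[Dict[str, Any]],
                     id_fields: Sequence[str]) -> List[Dict[str, Any]]:
    """Build the AffectedRecord list ({Value, Count}) for one kind of ID.

    Assumption: an ID is counted once per event it appears in, even when the same
    asset is both the source and the destination of that event.
    """
    counter: Counter = Counter()
    for ev in events:
        counter.update({ev[f] for f in id_fields if ev.get(f)})
    # Highest count first, then by ID, so the output order is deterministic.
    ordered = sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))
    return [{"Value": value, "Count": count} for value, count in ordered]


def build_affected(events: Sequence[Dict[str, Any]]) -> Dict[str, List[Dict[str, Any]]]:
    """Nested Affected structure: Assets and Accounts lists of AffectedRecord."""
    return {
        "Assets": affected_records(events, ASSET_ID_FIELDS),
        "Accounts": affected_records(events, ACCOUNT_ID_FIELDS),
    }


def build_correlation_event(rule_id: str, rule_name: str,
                            events: Sequence[Dict[str, Any]]) -> Dict[str, Any]:
    """Correlation event (Type 3) carrying its base events and the Affected structure."""
    return {
        "Type": 3,
        "CorrelationRuleID": rule_id,
        "CorrelationRuleName": rule_name,
        "BaseEventCount": len(events),
        "BaseEvents": list(events),
        "AffectedAssets": build_affected(events),
    }


if __name__ == "__main__":
    corr = build_correlation_event("rule-0001", "Example rule", BASE_EVENTS)
    for record in corr["AffectedAssets"]["Assets"]:
        print(record["Value"], record["Count"])
```

With the three constructed events, asset-fw appears in every event (Count 3), asset-ws-7 and asset-srv-1 in two each, and acct-alice leads the Accounts list with Count 2; that is the information an analyst reads from AffectedAssets to see which hosts and accounts an alert actually touches.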

Fields generated by KUMA

KUMA generates the following fields that cannot be modified: BranchID, BranchName, DestinationAccountName, DestinationAssetName, DeviceAssetName, SourceAccountName, SourceAssetName, TenantName.
