1. Reference Guide

1.1. Available Event Columns

bayesian_weight (float):

Bayesian score giving the probability that the event is bad rather than good. A SOC analyst can tune the Bayesian algorithm by marking learning events as bad or good.

weight (float):

Cumulative weight assigned to an event, based on its analytic scores.

date_added (string):

Date the event was added to the HAWK system.

hid (string):

HAWK ID, the HAWK-assigned ID associated with the Alert Name. A full list of available HAWK IDs is maintained in a separate reference.

alert_name (string):

Alert name assigned to the event.

priority (integer):

Priority, values 1 to 5. One is the highest priority and five the lowest.

app (string):

Application the event is from. Using map-replace on HAWK engines you can map application IDs to application names.

action (string):

Action performed. A few examples: “quarantined”, “ignored”, “removed”.

alerts_type_name (string):

Alert Category assigned to the event. See section 1.8, Event Alert Type Categories, for the full list.

blocked (boolean):

True if the event was blocked, otherwise False.

vendor_id (string):

Vendor-assigned ID. A few examples: Windows event IDs, Snort IDs, Cisco IDs (3-710003).

resource_name (string):

Hostname of the resource sending the event.

resource_addr (string):

IPv4 address of the resource.

resource_asset_criticality (integer):

Asset criticality assigned to the resource.

compliance_asset (boolean):

True if the resource is a compliance asset, otherwise False.

group_name (string):

Group Name assigned to resource.

icmp_type (integer):

ICMP type. Together with icmp_code it identifies the ICMP message (for example type 8 is Echo Request and type 0 is Echo Reply).

icmp_code (integer):

ICMP code, qualifying the ICMP type (for example type 3, Destination Unreachable, with code 3 means Port Unreachable).

icmp_csum (integer):

ICMP checksum of the event.

icmp_id (integer):

ICMP identifier (used by Echo Request/Reply to match replies to requests).

icmp_seq (integer):

ICMP sequence number.

ip_src (string):

IPv4 address of the sender of the packet

ip_src_host (string):

Source hostname of the sender of the packet

ip_src_geoip_name (string):

Source Address GeoIP Name

ip_src_geoip_cc2 (string):

Source Address GeoIP Country Code

ip_src_geoip_reg (string):

Source Address GeoIP Region

ip_src_geoip_city (string):

Source Address GeoIP City

ip_src_geoip_latitude (float):

Source Address GeoIP Latitude

ip_src_geoip_longitude (float):

Source Address GeoIP Longitude

ip_dst (string):

IPv4 address of the receiver of the packet

ip_dst_host (string):

Destination hostname of the receiver of the packet

ip_dst_geoip_name (string):

Destination Address GeoIP Name

ip_dst_geoip_cc2 (string):

Destination Address GeoIP Country Code

ip_dst_geoip_reg (string):

Destination Address GeoIP Region

ip_dst_geoip_city (string):

Destination Address GeoIP City

ip_dst_geoip_latitude (float):

Destination Address GeoIP Latitude

ip_dst_geoip_longitude (float):

Destination Address GeoIP Longitude

ip_sport (integer):

Identifies the sending port

ip_dport (integer):

Identifies the receiving port

ip_ver (integer):

IP Version: 4 = IPv4, and 6 = IPv6

ip_hlen (integer):

IP header length.

ip_tos (integer):

IP Type of Service / Differentiated Services Code Point (DSCP) field of the IP header, used for packet classification.

ip_id (integer):

IP Identification. Primarily used to identify the fragments belonging to a single IP datagram.

ip_flags (integer):

IP flags, used to control or identify fragments.

ip_off (integer):

IP fragment offset field.

ip_ttl (integer):

IP Time to Live.

ip_proto (integer):

IP protocol number of the payload carried in the data portion of the IP datagram (for example 1 = ICMP, 6 = TCP, 17 = UDP).

ip_csum (integer):

IP checksum.

hash (string):

MD5 hash of the raw payload.

payload (string):

Raw event payload.

packet (string):

Raw event packet if provided.

tcp_seq (integer):

TCP sequence number.

tcp_ack (integer):

TCP acknowledgement number.

tcp_off (integer):

TCP data offset: the size of the TCP header.

tcp_res (integer):

TCP reserved bits. Reserved for future use; normally zero and not to be relied upon.

tcp_flags (integer):

TCP flags as an integer bitmask. Examples: ACK, RST, SYN, FIN.

tcp_win (integer):

TCP window size: the receive window in bytes.

tcp_csum (integer):

TCP Checksum

tcp_urp (integer):

TCP Urgent Pointer

udp_len (integer):

Specifies the length in bytes of the UDP header and UDP data

udp_csum (integer):

UDP Checksum

class_type (string):

Host classification type. See section 1.9, Resource OS Type Table, for the list of host classifications.

class_name (string):

Host classification name. See section 1.9, Resource OS Type Table, for the list of host classifications.

os_type_name (string):

Operating system / specific vendor name. See section 1.9, Resource OS Type Table, for the full list.

correlation_username (string):

Username associated with the event.

target_username (string):

Target username of the event.

audit_login (boolean):

True if the event is an audit login event.

audit_logoff (boolean):

True if the event is an audit logoff event.

audit_policy_change (boolean):

True if the event is an audit policy change event.

audit_log_change (boolean):

True if the event is an audit log change event.

audit_object_access (boolean):

True if the event is an audit object access event.

audit_user_action (boolean):

True if the event is an audit user action event.

audit_system_event (boolean):

True if the event is an audit system event.

audit_session_status (boolean):

True if the event is an audit session status event.

audit_account_validation (boolean):

True if the event is an audit account validation event.

audit_user_change (boolean):

True if the event is an audit user change event.

audit_group_change (boolean):

True if the event is an audit group change event.

net_if_id (string):

Network Interface ID.

net_if_collisions (string):

Network Interface Collisions

net_if_packets (integer):

Network Interface Packets

net_if_bytes (integer):

Network Interface Bytes

net_if_in_packets (integer):

Network Interface Incoming Packets

net_if_in_bytes (integer):

Network Interface Incoming Bytes

net_if_in_dropped (integer):

Network Interface Incoming Dropped Packets

net_if_in_errors (integer):

Network Interface Incoming Errors

net_if_out_packets (integer):

Network Interface Outgoing Packets

net_if_out_bytes (integer):

Network Interface Outgoing Bytes

net_if_out_dropped (integer):

Network Interface Outgoing Dropped Packets

net_if_out_errors (integer):

Network Interface Outgoing Errors

net_if_name (string):

Network Interface Name

health_service_ping (boolean):

Health Service Status Check

sys_cpu_id (string):

CPU ID

sys_cpu_load_total (integer):

CPU Total Load

sys_cpu_load_user (integer):

CPU User Load

sys_cpu_load_sys (integer):

CPU System Load

sys_cpu_load_wait (integer):

CPU Wait Load

sys_cpu_load_idle (integer):

CPU Idle Load

sys_uptime (string):

System Uptime

sys_version (string):

System Version

sys_uname (string):

System Unique Name

sys_mem_size_total (integer):

System Memory Total Size

sys_mem_size_free (integer):

System Memory Free Size

vm_mem_size_total (integer):

Virtual Memory Total Size

vm_mem_size_free (integer):

Virtual Memory Free Size

vm_mem_size_cached (integer):

Virtual Memory Cached Size

vm_mem_size_buffers (integer):

Virtual Memory Buffers Size

vfs_dev_id (string):

Filesystem Device ID

vfs_dev_read_sectors (integer):

Filesystem Device Read Sectors

vfs_dev_read_ops (integer):

Filesystem Device Read Operations

vfs_dev_write_sectors (integer):

Filesystem Device Write Sectors

vfs_fs_id (string):

Filesystem ID

vfs_fs_size_total (integer):

Filesystem Total Size

vfs_fs_size_free (integer):

Filesystem Free Size

1.2. Available Audit Columns

Audit columns hold information about changes made to your HAWK system and about which users have logged in. From the HAWK portal navigation panel click on System ‣ Audit Log for a table showing this information.

Column Name | Column Type | Column Description
----------- | ----------- | ------------------
audit_id | id | Audit Unique ID
username | string | Audit Username
group | string | Audit Group
category | string | Audit Category
method | string | Audit Method
status | string | Audit Status
action | string | Audit Action
criteria | string | Audit Criteria
date_added | date | Audit Date Added

1.3. Available Vulnerability columns

Vulnerability columns hold data gathered by vulnerability assessment tools, giving you more data to correlate events with.

Column Name | Column Type | Column Description
----------- | ----------- | ------------------
vulnerability_id | id | Vulnerability Unique ID
group_name | string | Group Name
ts | string | Time Stamp
date_added | date | Date Added
resource_name | string | Resource/Device Name
resource_address | string | Resource IPv4 Address
resource_address6 | string | Resource IPv6 Address
engine | string | Vulnerability Vendor Name
cvss | integer | Common Vulnerability Scoring System (CVSS) score
cve | string | Common Vulnerabilities and Exposures (CVE) identifier
vuln_summary | string | Vulnerability Summary
vuln_name | string | Vulnerability Name
risk | string | Risk Value from Vendor (e.g. Low, Medium, High)
ip_port | integer | IP Port Number
vuln_details | string | Vulnerability Details
os_type_name | string | Operating System Name
severity | integer | Severity Rating
vuln_family | string | Vulnerability Family
ip_service | string | IP Type of Service
ip_proto | integer | IP Protocol number (e.g. 1 = ICMP, 6 = TCP)
vuln_solution | string | Vulnerability Solution
class_type | string | Host Classification Type/Key
class_name | string | Host Classification Name
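
As an added illustration of the correlation this section describes, the Python below is not HAWK code and not HAWK's API. It joins constructed vulnerability rows (section 1.3 columns) to constructed events (section 1.1 columns) on destination address, port and protocol, and then applies a constructed escalation policy expressed on HAWK's 1-to-5 priority scale (1 is the highest). The sample rows, the scanner name, the CVSS values and the high_cvss threshold are all assumptions of this example; no real CVE identifiers are used.

```python
from collections import defaultdict

# Constructed vulnerability rows using section 1.3 column names. No real CVE
# identifiers are asserted here: cve is left empty and vuln_name is a label.
VULNS = [
    {"vulnerability_id": 1, "resource_name": "web01", "resource_address": "10.0.1.20",
     "resource_address6": "", "engine": "sample-scanner", "cve": "", "cvss": 9,
     "risk": "High", "vuln_name": "sample finding A", "ip_port": 443, "ip_proto": 6},
    {"vulnerability_id": 2, "resource_name": "web01", "resource_address": "10.0.1.20",
     "resource_address6": "", "engine": "sample-scanner", "cve": "", "cvss": 5,
     "risk": "Medium", "vuln_name": "sample finding B", "ip_port": 443, "ip_proto": 6},
    {"vulnerability_id": 3, "resource_name": "web01", "resource_address": "10.0.1.20",
     "resource_address6": "", "engine": "sample-scanner", "cve": "", "cvss": 4,
     "risk": "Medium", "vuln_name": "sample finding C", "ip_port": 22, "ip_proto": 6},
    {"vulnerability_id": 4, "resource_name": "dns01", "resource_address": "10.0.1.53",
     "resource_address6": "2001:db8::53", "engine": "sample-scanner", "cve": "", "cvss": 7,
     "risk": "High", "vuln_name": "sample finding D", "ip_port": 53, "ip_proto": 17},
]

# Constructed events using section 1.1 column names.
EVENTS = [
    {"alert_name": "sample web exploit attempt", "ip_src": "198.51.100.7",
     "ip_dst": "10.0.1.20", "ip_dport": 443, "ip_proto": 6, "priority": 3, "blocked": False},
    {"alert_name": "sample ssh brute force", "ip_src": "198.51.100.7",
     "ip_dst": "10.0.1.20", "ip_dport": 22, "ip_proto": 6, "priority": 3, "blocked": True},
    {"alert_name": "sample dns amplification probe", "ip_src": "198.51.100.9",
     "ip_dst": "10.0.1.53", "ip_dport": 53, "ip_proto": 17, "priority": 4, "blocked": False},
    {"alert_name": "sample web scan", "ip_src": "198.51.100.8",
     "ip_dst": "10.0.1.21", "ip_dport": 443, "ip_proto": 6, "priority": 4, "blocked": False},
]


def index_vulns(vulns):
    """Map (address, port, protocol) -> vulnerability rows. Both address columns
    are indexed so an IPv6 destination would also resolve to its findings."""
    index = defaultdict(list)
    for v in vulns:
        for addr in (v.get("resource_address"), v.get("resource_address6")):
            if addr:
                index[(addr, v["ip_port"], v["ip_proto"])].append(v)
    return index


def exposure_for(event, index):
    """Findings on the exact service an event targets, highest CVSS first."""
    hits = index.get((event["ip_dst"], event["ip_dport"], event["ip_proto"]), [])
    return sorted(hits, key=lambda v: v["cvss"], reverse=True)


def adjusted_priority(event, hits, high_cvss=7):
    """Constructed escalation policy (an assumption, not a HAWK default): an
    unblocked event against a service with a finding of CVSS >= high_cvss moves
    up one level. HAWK priority runs 1 (highest) to 5 (lowest), so escalation
    subtracts and floors at 1."""
    if hits and not event["blocked"] and hits[0]["cvss"] >= high_cvss:
        return max(1, event["priority"] - 1)
    return event["priority"]


def correlate(events, vulns):
    """Annotate each event with its vulnerability matches and adjusted priority."""
    index = index_vulns(vulns)
    rows = []
    for e in events:
        hits = exposure_for(e, index)
        rows.append({
            **e,
            "vuln_matches": len(hits),
            "top_cvss": hits[0]["cvss"] if hits else None,
            "top_vuln_name": hits[0]["vuln_name"] if hits else None,
            "adjusted_priority": adjusted_priority(e, hits),
        })
    return rows


def exposed_resources(rows):
    """Count events per destination that hit a known-vulnerable service."""
    counts = defaultdict(int)
    for r in rows:
        if r["vuln_matches"]:
            counts[r["ip_dst"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for r in correlate(EVENTS, VULNS):
        print(r["alert_name"], r["ip_dst"], r["ip_dport"], r["vuln_matches"],
              r["top_cvss"], r["priority"], "->", r["adjusted_priority"])
```

The join key deliberately includes ip_proto as well as the port: a finding on UDP/53 says nothing about TCP/53, and matching on port alone is a common source of false escalations.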

1.4. Available Incident columns

Column Name | Column Type | Column Description
----------- | ----------- | ------------------
incident_id | id | Incident Unique ID
group_name | string | Group Name
date_added | date | The time this Incident was created
key | string | Incident Key
name | string | Incident Name
status | string | Status of Incident
owner | string | Owner of Incident
owner_name | string | Display name of the Incident owner
last_seen | date | Date Incident was Last Seen
records_hid | string | HAWK ID
records_ip_src | string | Source IP Address
records_ip_dst | string | Destination IP Address
records_ip_proto | integer | IP Protocol number (e.g. 1 = ICMP, 6 = TCP, 17 = UDP)
records_ip_sport | integer | IP Source Port
records_ip_dport | integer | IP Destination Port
records_payload | string | Payload of the given event
records_hash | string | Payload hash (see the hash event column)
records_event_id | string | Event ID
records_group_name | string | Group Name
records_date_added | date | Event Date Added
records_resource_addr | string | Resource IP Address
records_resource_name | string | Resource Name
records_alert_name | string | Event Alert Name
records_alerts_type_name | string | Event Alert Type Name
records_priority | integer | Event Priority
records_weight | float | Weight
records_class_type | string | Host Classification Type/Key
records_os_type_name | string | Operating System / Specific Vendor Name
records_blocked | boolean | Was Event Blocked or Not
records_vendor_id | string | Vendor ID
notes_date_added | date | Date Incident Note was Added
notes_username | string | HAWK Username who made the Note
notes_fullname | string | HAWK Full Name who made the Note
notes_message | string | Incident Note
records_ip_src_geoip_cc2 | string | Source Address GeoIP Country Code
records_ip_src_geoip_name | string | Source Address GeoIP Name
records_ip_src_geoip_region | string | Source Address GeoIP Region
records_ip_src_geoip_city | string | Source Address GeoIP City
records_ip_src_geoip_latitude | integer | Source Address GeoIP Latitude
records_ip_src_geoip_longitude | integer | Source Address GeoIP Longitude
records_ip_dst_geoip_cc2 | string | Destination Address GeoIP Country Code
records_ip_dst_geoip_name | string | Destination Address GeoIP Name
records_ip_dst_geoip_region | string | Destination Address GeoIP Region
records_ip_dst_geoip_city | string | Destination Address GeoIP City
records_ip_dst_geoip_latitude | integer | Destination Address GeoIP Latitude
records_ip_dst_geoip_longitude | integer | Destination Address GeoIP Longitude

1.5. Available Resource Columns

Resource columns are information about resources reporting to your HAWK system. From the HAWK portal navigation panel click on Administration ‣ Resources for a table showing this information.

Column Name | Column Type | Column Description
----------- | ----------- | ------------------
resource_id | id | Resource Unique ID
resource_name | string | Resource/Device Name
resource_details | string | Resource Details
resource_address | string | Resource IPv4 Address
resource_address6 | string | Resource IPv6 Address
resource_group | string | Resource Group
pulse_templates | array | Resource Template
class_name | string | Host Classification Name
class_type | string | Host Classification Type/Key
os_type_name | string | Operating System Name
date_added | date | Date Resource Was Added
last_seen | date | Date Resource Last Seen

1.6. Available Column Parameters

Parameter | Description | New Column Name
--------- | ----------- | ---------------
count | Count the number of instances within each specified ‘group by’ bucket. | column_name + ‘_count’ (column_name_count)
distinct count | Count the number of distinct values within each specified ‘group by’ bucket. | column_name + ‘_distinct_count’ (column_name_distinct_count)
hour | The hour of the datetime field. | column_name + ‘_hour’ (column_name_hour)
minute | The minute of the datetime field. | column_name + ‘_minute’ (column_name_minute)
second | The second of the datetime field. | column_name + ‘_second’ (column_name_second)
day | The day of the datetime field. | column_name + ‘_day’ (column_name_day)
avg | The average of the column values within each specified ‘group by’ bucket. | column_name + ‘_avg’ (column_name_avg)
min | The minimum of the column values within each specified ‘group by’ bucket. | column_name + ‘_min’ (column_name_min)
max | The maximum of the column values within each specified ‘group by’ bucket. | column_name + ‘_max’ (column_name_max)

1.7. Available Where Comparisons

Comparison | Name | Description
---------- | ---- | -----------
> (integer) | Greater than | The associated column is greater than the value provided.
>= (integer) | Greater than or equal to | The associated column is greater than or equal to the value provided.
< (integer) | Less than | The associated column is less than the value provided.
<= (integer) | Less than or equal to | The associated column is less than or equal to the value provided.
!= (integer, string) | Does not equal | The associated column does not equal the value provided.
= (integer, string) | Equal to | The associated column equals the value provided.
regex (string) | Regular expression comparison is true | The string matches the regular expression.
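
To make the semantics of sections 1.6 and 1.7 concrete, here is an added Python example. It is not HAWK code and not HAWK's query API: it applies the where comparisons and the ‘group by’ parameters to constructed events that use the section 1.1 column names, decodes the integer tcp_flags column into the flag names cited under tcp_flags, and builds a Scanning/Recon style rule from those pieces. The sample events, the assumption that regex is evaluated as a substring search, the standard TCP flag bit values, and the min_ports threshold are all assumptions of this example rather than documented HAWK behaviour.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample events (not real HAWK data). Keys are section 1.1 column
# names; tcp_flags is the raw integer bitmask the page documents.
EVENTS = [
    {"date_added": "2024-03-01T09:15:02", "ip_src": "10.0.0.5", "ip_dst": "10.0.1.20",
     "ip_dport": 22, "ip_proto": 6, "tcp_flags": 0x02, "priority": 3},
    {"date_added": "2024-03-01T09:15:03", "ip_src": "10.0.0.5", "ip_dst": "10.0.1.20",
     "ip_dport": 80, "ip_proto": 6, "tcp_flags": 0x02, "priority": 3},
    {"date_added": "2024-03-01T09:15:03", "ip_src": "10.0.0.5", "ip_dst": "10.0.1.20",
     "ip_dport": 443, "ip_proto": 6, "tcp_flags": 0x02, "priority": 3},
    {"date_added": "2024-03-01T09:15:04", "ip_src": "10.0.0.5", "ip_dst": "10.0.1.20",
     "ip_dport": 3389, "ip_proto": 6, "tcp_flags": 0x02, "priority": 2},
    {"date_added": "2024-03-01T09:16:10", "ip_src": "10.0.0.9", "ip_dst": "10.0.1.20",
     "ip_dport": 443, "ip_proto": 6, "tcp_flags": 0x18, "priority": 5},
    {"date_added": "2024-03-01T09:16:11", "ip_src": "10.0.0.9", "ip_dst": "10.0.1.20",
     "ip_dport": 443, "ip_proto": 6, "tcp_flags": 0x10, "priority": 5},
    {"date_added": "2024-03-01T09:17:00", "ip_src": "10.0.0.7", "ip_dst": "10.0.1.53",
     "ip_dport": 53, "ip_proto": 17, "tcp_flags": 0, "priority": 5},
]

# Standard TCP flag bit values (RFC 793 header layout), used to turn the
# integer tcp_flags column into the names the page cites (ACK, RST, SYN, FIN).
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def tcp_flag_names(flags):
    """Decode a tcp_flags integer into the list of set flag names."""
    return [name for name, bit in TCP_FLAG_BITS.items() if flags & bit]


# Section 1.7 comparisons. Assumption: regex is evaluated as a search anywhere
# in the string, and the other operators compare the stored value as-is.
COMPARISONS = {
    ">": lambda col, val: col > val,
    ">=": lambda col, val: col >= val,
    "<": lambda col, val: col < val,
    "<=": lambda col, val: col <= val,
    "=": lambda col, val: col == val,
    "!=": lambda col, val: col != val,
    "regex": lambda col, val: re.search(val, str(col)) is not None,
}


def where(events, column, comparison, value):
    """Keep the events whose column satisfies one section 1.7 comparison."""
    test = COMPARISONS[comparison]
    return [e for e in events if column in e and test(e[column], value)]


def derive(event, column, parameter):
    """Section 1.6 datetime parameters (hour, minute, second, day): add a
    column_name_<parameter> field computed from an ISO 8601 datetime column."""
    stamp = datetime.fromisoformat(event[column])
    return {**event, f"{column}_{parameter}": getattr(stamp, parameter)}


REDUCERS = {
    "count": len,
    "distinct count": lambda values: len(set(values)),
    "avg": mean,
    "min": min,
    "max": max,
}


def aggregate(events, group_by, column, parameter):
    """Section 1.6 'group by' parameters. Returns one row per group_by value with
    the result in a column named column_name + '_' + parameter (spaces become
    underscores, so 'distinct count' yields column_name_distinct_count)."""
    buckets = defaultdict(list)
    for e in events:
        buckets[e[group_by]].append(e[column])
    new_column = f"{column}_{parameter.replace(' ', '_')}"
    return {key: {group_by: key, new_column: REDUCERS[parameter](values)}
            for key, values in buckets.items()}


def syn_scan_sources(events, min_ports=3):
    """Scanning/Recon style rule: sources whose SYN-only TCP segments reached at
    least min_ports distinct destination ports. The threshold is a constructed
    tuning value, not a HAWK default."""
    tcp = where(events, "ip_proto", "=", 6)
    syn_only = where(tcp, "tcp_flags", "=", TCP_FLAG_BITS["SYN"])
    rows = aggregate(syn_only, "ip_src", "ip_dport", "distinct count")
    return sorted(row["ip_src"] for row in rows.values()
                  if row["ip_dport_distinct_count"] >= min_ports)


if __name__ == "__main__":
    print(tcp_flag_names(0x12))
    print(aggregate(EVENTS, "ip_src", "ip_dport", "distinct count"))
    print(syn_scan_sources(EVENTS))
```

Note that the rule filters on tcp_flags = SYN (exactly 0x02) rather than on "SYN bit set": a SYN/ACK (0x12) is the server half of a legitimate handshake and would inflate the distinct port count if it were included.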

1.8. Event Alert Type Categories

Alert Type Category | Description
------------------- | -----------
Scanning/Recon | Scanning and Recon Related Events
Suspicious Activity | Suspicious Activity Related Events
Possible Malicious Activity | General Malicious Activity Related Events
Malicious HTTP | General Malicious Web Related Events
Malicious HTTP Activity | Malicious Web Activity Events
Attempted Authentication | General Attempted Authentication, both Failed and Successful
Miscellaneous Attack | General Miscellaneous Attack Related Events
False Positive | False Positive Events
Miscellaneous Information | General Miscellaneous Information
Possible Worm/Trojan Activity | Worm/Virus/Trojan Related Events
Potential Policy Violation | Potential Policy Violation Events
Denial of Service | Denial of Service Events

1.9. Resource OS Type Table

os_type_name | os_type_details | class_type | class_name
------------ | --------------- | ---------- | ----------
HAWK Event Correlation Engine | HAWK Event Correlation Engine | HAWK | HAWK Event Correlation Engine
AIX | IBM AIX Operating System | AIX | IBM AIX Operating System
IBM AS/400 | IBM System i / AS/400 | AS/400 | IBM AS/400
Imperva Web Firewall | Imperva Web Firewall | WAF | Web Application Firewall
Generic Firewall | Generic Firewall | Firewall | Network Firewall
WatchGuard Firewall | WatchGuard Firewall | Firewall | Network Firewall
SonicWall Firewall | SonicWall Firewall | Firewall | Network Firewall
AdTran Firewall | AdTran Firewall | Firewall | Network Firewall
2WIRE Firewall | 2WIRE Firewall | Firewall | Network Firewall
Cisco Firewall | Cisco Firewall | Firewall | Network Firewall
Checkpoint Firewall | Checkpoint Firewall | Firewall | Network Firewall
Juniper Netscreen Firewall | Juniper Network Firewall | Firewall | Network Firewall
Barracuda Spam Firewall | Barracuda Spam Firewall | BARRACUDA | Barracuda Spam Firewall
Dragon Intrusion Detection System | Dragon IDS/IPS | IDS | Intrusion Detection/Prevention System
McAfee Intrusion Detection System | McAfee IDS/IPS | IDS | Intrusion Detection/Prevention System
Sourcefire Defense Center | Sourcefire Defense Center | IDS | Intrusion Detection/Prevention System
Snort Intrusion Detection System | Snort IDS | IDS | Intrusion Detection/Prevention System
Radware IPS | Radware DefensePro IPS | IDS | Intrusion Detection/Prevention System
TippingPoint IPS | TippingPoint IPS | IDS | Intrusion Detection/Prevention System
AirMagnet Wireless IPS | AirMagnet Wireless IPS | IDS | Intrusion Detection/Prevention System
Fortinet FortiGate IPS | Fortinet FortiGate IPS | IDS | Intrusion Detection/Prevention System
NetBSD | NetBSD Operating System | NetBSD | NetBSD Operating System
OpenBSD | OpenBSD Operating System | OpenBSD | OpenBSD Operating System
FreeBSD | FreeBSD | FreeBSD | FreeBSD Operating System
Linux Operating System | Linux Operating System | Linux | GNU/Linux Operating System
Apple OS X | Mac OS X | MacOSX | Apple OS X
Microsoft Windows | Microsoft Windows | Windows | Microsoft Windows
Unknown OS | Unknown Operating System | UNKNOWN | Unknown Device
Solaris | Solaris Operating System | Solaris | Solaris Operating System
HP-UX | HP-UX | HP-UX | HP-UX
Generic Router | Generic Router | Router | Network Router
Cisco Router | Cisco Router | Router | Network Router
Juniper Router | Juniper Network Router | Router | Network Router
Cisco VPN Concentrator | Cisco Network VPN Concentrator | VPN | VPN Concentrator/Router
Generic Switch | Generic Network Switch | Switch | Network Switch
Foundry Switch | Foundry Network Switch | Switch | Network Switch
Cisco Switch | Cisco Network Switch | Switch | Network Switch
HP ProCurve Network Switch | HP ProCurve Network Switch | Switch | Network Switch
Citrix NetScaler | Citrix NetScaler | Load Balancer | Load Balancer
Arbor NetFlow | Arbor Networks NetFlow | ARBOR | Arbor Networks NetFlow
CriticalWatch FusionVM | CriticalWatch FusionVM | VULNMGMT | Vulnerability Management
Rapid7 Nexpose | Rapid7 Nexpose | VULNMGMT | Vulnerability Management
Cisco Wireless Access Point | Cisco Wireless Access Point | WAP | Wireless Access Point
Buffalo Wireless Access Point | Buffalo Wireless Access Point | WAP | Wireless Access Point
Apple Airport Wireless Access Point | Apple Airport Wireless AP | WAP | Wireless Access Point
Ubiquiti Wireless Access Point | Ubiquiti Wireless Access Point | WAP | Wireless Access Point
APC UPS Battery Backup | APC UPS Battery Backup | Battery Backup | Battery Backup
Brother Printer | Brother Printer | Printer | Printer
Canon Printer | Canon Printer | Printer | Printer
Epson Printer | Epson Printer | Printer | Printer
Lexmark Printer | Lexmark Printer | Printer | Printer
Panasonic Printer | Panasonic Printer | Printer | Printer
Samsung Printer | Samsung Printer | Printer | Printer
Sharp Printer | Sharp Printer | Printer | Printer
Toshiba Printer | Toshiba Printer | Printer | Printer
Xerox Printer | Xerox Printer | Printer | Printer
HP Printer | HP Printer | Printer | Printer
Dell Printer | Dell Printer | Printer | Printer