1. Reference Guide
1.1. Available Event Columns
- bayesian_weight (float): Bayesian score giving the probability that the event is good or bad. SOC analysts can tune the Bayesian algorithm by marking learning events as bad or good.
- weight (float): Cumulative weight assigned to an event based on its analytic scores.
- date_added (string): Date the event was added to the HAWK system.
- hid (string): HAWK ID, the HAWK-assigned ID associated with the alert name. See the full list of available HAWK IDs.
- alert_name (string): Alert name assigned to the event.
- priority (integer): Priority, values 1 to 5, where 1 is the highest priority and 5 the lowest.
- app (string): Application the event is from. Using map-replace on HAWK engines you can map application IDs to application names.
- action (string): Action performed, for example "quarantined", "ignored", "removed".
- alerts_type_name (string): Alert category assigned to the event. See the Event Alert Type Categories table in section 1.8.
- blocked (boolean): True if the event was blocked, otherwise false.
- vendor_id (string): Vendor-assigned ID, for example Windows event IDs, Snort IDs or Cisco IDs (3-710003).
- resource_name (string): Hostname of the resource sending the event.
- resource_addr (string): IPv4 address of the resource.
- resource_asset_criticality (integer): Asset criticality assigned to the resource.
- compliance_asset (boolean): True if the resource is a compliance asset, otherwise false.
- group_name (string): Group name assigned to the resource.
- icmp_type (integer): ICMP type (see the ICMP types and codes reference).
- icmp_code (integer): ICMP code (see the ICMP types and codes reference).
- icmp_csum (integer): ICMP checksum of the event.
- icmp_id (integer): ICMP identifier.
- icmp_seq (integer): ICMP sequence number.
- ip_src (string): IPv4 address of the sender of the packet.
- ip_src_host (string): Source hostname of the sender of the packet.
- ip_src_geoip_name (string): Source address GeoIP name.
- ip_src_geoip_cc2 (string): Source address GeoIP country code.
- ip_src_geoip_reg (string): Source address GeoIP region.
- ip_src_geoip_city (string): Source address GeoIP city.
- ip_src_geoip_latitude (float): Source address GeoIP latitude.
- ip_src_geoip_longitude (float): Source address GeoIP longitude.
- ip_dst (string): IPv4 address of the receiver of the packet.
- ip_dst_host (string): Destination hostname of the receiver of the packet.
- ip_dst_geoip_name (string): Destination address GeoIP name.
- ip_dst_geoip_cc2 (string): Destination address GeoIP country code.
- ip_dst_geoip_reg (string): Destination address GeoIP region.
- ip_dst_geoip_city (string): Destination address GeoIP city.
- ip_dst_geoip_latitude (float): Destination address GeoIP latitude.
- ip_dst_geoip_longitude (float): Destination address GeoIP longitude.
- ip_sport (integer): Sending (source) port.
- ip_dport (integer): Receiving (destination) port.
- ip_ver (integer): IP version: 4 = IPv4, 6 = IPv6.
- ip_hlen (integer): IP header length.
- ip_tos (integer): IP Type of Service / Differentiated Services Code Point (DSCP), the IP header field used for packet classification.
- ip_id (integer): IP identification, used primarily to identify the group of fragments belonging to a single IP datagram.
- ip_flags (integer): IP flags used to control or identify fragments.
- ip_off (integer): IP fragment offset field.
- ip_ttl (integer): IP time to live.
- ip_proto (integer): IP protocol used in the data portion of the IP datagram (see the list of IP protocol numbers).
- ip_csum (integer): IP checksum.
- hash (string): MD5 hash of the raw payload.
- payload (string): Raw event payload.
- packet (string): Raw event packet, if provided.
- tcp_seq (integer): TCP sequence number.
- tcp_ack (integer): TCP acknowledgement number.
- tcp_off (integer): TCP data offset, specifying the size of the TCP header.
- tcp_res (integer): TCP reserved bits; reserved for future use and should not be used.
- tcp_flags (integer): TCP flags, for example ACK, RST, SYN, FIN (see the list of TCP flags).
- tcp_win (integer): TCP window size, the size of the receive window in bytes.
- tcp_csum (integer): TCP checksum.
- tcp_urp (integer): TCP urgent pointer.
- udp_len (integer): Length in bytes of the UDP header plus UDP data.
- udp_csum (integer): UDP checksum.
- class_type (string): Host classification type. See the Resource OS Type Table in section 1.9.
- class_name (string): Host classification name. See the Resource OS Type Table in section 1.9.
- os_type_name (string): Operating system / specific vendor name. See the Resource OS Type Table in section 1.9.
- correlation_username (string): Username.
- target_username (string): Target username.
- audit_login (boolean): Audit login.
- audit_logoff (boolean): Audit logoff.
- audit_policy_change (boolean): Audit policy change.
- audit_log_change (boolean): Audit log change.
- audit_object_access (boolean): Audit object access.
- audit_user_action (boolean): Audit user action.
- audit_system_event (boolean): Audit system event.
- audit_session_status (boolean): Audit session status.
- audit_account_validation (boolean): Audit account validation.
- audit_user_change (boolean): Audit user change.
- audit_group_change (boolean): Audit group change.
- net_if_id (string): Network interface ID.
- net_if_collisions (string): Network interface collisions.
- net_if_packets (integer): Network interface packets.
- net_if_bytes (integer): Network interface bytes.
- net_if_in_packets (integer): Network interface incoming packets.
- net_if_in_bytes (integer): Network interface incoming bytes.
- net_if_in_dropped (integer): Network interface incoming dropped packets.
- net_if_in_errors (integer): Network interface incoming errors.
- net_if_out_packets (integer): Network interface outgoing packets.
- net_if_out_bytes (integer): Network interface outgoing bytes.
- net_if_out_dropped (integer): Network interface outgoing dropped packets.
- net_if_out_errors (integer): Network interface outgoing errors.
- net_if_name (string): Network interface name.
- health_service_ping (boolean): Health service status check.
- sys_cpu_id (string): CPU ID.
- sys_cpu_load_total (integer): CPU total load.
- sys_cpu_load_user (integer): CPU user load.
- sys_cpu_load_sys (integer): CPU system load.
- sys_cpu_load_wait (integer): CPU wait load.
- sys_cpu_load_idle (integer): CPU idle load.
- sys_uptime (string): System uptime.
- sys_version (string): System version.
- sys_uname (string): System unique name.
- sys_mem_size_total (integer): System memory total size.
- sys_mem_size_free (integer): System memory free size.
- vm_mem_size_total (integer): Virtual memory total size.
- vm_mem_size_free (integer): Virtual memory free size.
- vm_mem_size_cached (integer): Virtual memory cached size.
- vm_mem_size_buffers (integer): Virtual memory buffers size.
- vfs_dev_id (string): Filesystem device ID.
- vfs_dev_read_sectors (integer): Filesystem device read sectors.
- vfs_dev_read_ops (integer): Filesystem device read operations.
- vfs_dev_write_sectors (integer): Filesystem device write sectors.
- vfs_fs_id (string): Filesystem ID.
- vfs_fs_size_total (integer): Filesystem total size.
- vfs_fs_size_free (integer): Filesystem free size.
1.2. Available Audit Columns
Audit columns gather information about changes to your HAWK system and which users have logged in. From the HAWK portal navigation panel, click the audit icon for a table showing this information.

| Column Name | Column Type | Column Description |
|---|---|---|
| audit_id | id | Audit unique ID |
| username | string | Audit username |
| group | string | Audit group |
| category | string | Audit category |
| method | string | Audit method |
| status | string | Audit status |
| action | string | Audit action |
| criteria | string | Audit criteria |
| date_added | date | Audit date added |
1.3. Available Vulnerability Columns
Vulnerability columns hold data gathered by vulnerability assessment tools, giving you more data to correlate with.

| Column Name | Column Type | Column Description |
|---|---|---|
| vulnerability_id | id | Vulnerability unique ID |
| group_name | string | Group name |
| ts | string | Time stamp |
| date_added | date | Date added |
| resource_name | string | Resource/device name |
| resource_address | string | Resource IPv4 address |
| resource_address6 | string | Resource IPv6 address |
| engine | string | Vulnerability vendor name |
| cvss | integer | Common Vulnerability Scoring System score |
| cve | string | Common Vulnerabilities and Exposures identifier |
| vuln_summary | string | Vulnerability summary |
| vuln_name | string | Vulnerability name |
| risk | string | Risk value from vendor (e.g. Low, Medium, High) |
| ip_port | integer | IP port number |
| vuln_details | string | Vulnerability details |
| os_type_name | string | Operating system name |
| severity | integer | Severity rating |
| vuln_family | string | Vulnerability family |
| ip_service | string | IP type of service |
| ip_proto | integer | IP protocol number (e.g. 1 = ICMP, 6 = TCP) |
| vuln_solution | string | Vulnerability solution |
| class_type | string | Host classification type/key |
| class_name | string | Host classification name |
1.4. Available Incident Columns

| Column Name | Column Type | Column Description |
|---|---|---|
| incident_id | id | Incident unique ID |
| group_name | string | Group name |
| date_added | date | The time this incident was created |
| key | string | Incident key |
| name | string | Incident name |
| status | string | Status of incident |
| owner | string | Owner of incident |
| owner_name | string | Owner of incident |
| last_seen | date | Date incident was last seen |
| records_hid | string | HAWK ID |
| records_ip_src | string | Source IP address |
| records_ip_dst | string | Destination IP address |
| records_ip_proto | integer | IP protocol type (e.g. 1 = ICMP, 6 = TCP, 17 = UDP) |
| records_ip_sport | integer | IP source port |
| records_ip_dport | integer | IP destination port |
| records_payload | string | Payload of the given event |
| records_hash | string | Payload checksum |
| records_event_id | string | Event ID |
| records_group_name | string | Group name |
| records_date_added | date | Event date added |
| records_resource_addr | string | Resource IP address |
| records_resource_name | string | Resource name |
| records_alert_name | string | Event alert name |
| records_alerts_type_name | string | Event alert type name |
| records_priority | integer | Event priority |
| records_weight | float | Weight |
| records_class_type | string | Host classification type/key |
| records_os_type_name | string | Operating system / specific vendor name |
| records_blocked | boolean | Whether the event was blocked or not |
| records_vendor_id | string | Vendor ID |
| notes_date_added | date | Date incident note was added |
| notes_username | string | HAWK username of the user who made the note |
| notes_fullname | string | HAWK full name of the user who made the note |
| notes_message | string | Incident note |
| records_ip_src_geoip_cc2 | string | Source address GeoIP country code |
| records_ip_src_geoip_name | string | Source address GeoIP name |
| records_ip_src_geoip_region | string | Source address GeoIP region |
| records_ip_src_geoip_city | string | Source address GeoIP city |
| records_ip_src_geoip_latitude | integer | Source address GeoIP latitude |
| records_ip_src_geoip_longitude | integer | Source address GeoIP longitude |
| records_ip_dst_geoip_cc2 | string | Destination address GeoIP country code |
| records_ip_dst_geoip_name | string | Destination address GeoIP name |
| records_ip_dst_geoip_region | string | Destination address GeoIP region |
| records_ip_dst_geoip_city | string | Destination address GeoIP city |
| records_ip_dst_geoip_latitude | integer | Destination address GeoIP latitude |
| records_ip_dst_geoip_longitude | integer | Destination address GeoIP longitude |
1.5. Available Resource Columns
Resource columns hold information about the resources reporting to your HAWK system. From the HAWK portal navigation panel, click the resources icon for a table showing this information.

| Column Name | Column Type | Column Description |
|---|---|---|
| resource_id | id | Resource unique ID |
| resource_name | string | Resource/device name |
| resource_details | string | Resource details |
| resource_address | string | Resource IPv4 address |
| resource_address6 | string | Resource IPv6 address |
| resource_group | string | Resource group |
| pulse_templates | array | Resource template |
| class_name | string | Host classification type/key |
| class_type | string | Host classification name |
| os_type_name | string | Operating system name |
| date_added | date | Date resource was added |
| last_seen | date | Date resource last seen |
1.6. Available Column Parameters

| Parameter | Description | New Column Name |
|---|---|---|
| count | Count the number of instances based upon the specified 'group by'. | Column_name + '_count' (column_name_count) |
| distinct count | Count the number of distinct instances based upon the specified 'group by'. | Column_name + '_distinct_count' (column_name_distinct_count) |
| hour | The hour of the available datetime field. | Column_name + '_hour' (column_name_hour) |
| minute | The minute of the available datetime field. | Column_name + '_minute' (column_name_minute) |
| second | The second of the available datetime field. | Column_name + '_second' (column_name_second) |
| day | The day of the available datetime field. | Column_name + '_day' (column_name_day) |
| avg | The average number of instances based upon the specified 'group by'. | Column_name + '_avg' (column_name_avg) |
| min | The minimum number of instances based upon the specified 'group by'. | Column_name + '_min' (column_name_min) |
| max | The maximum number of instances based upon the specified 'group by'. | Column_name + '_max' (column_name_max) |
1.7. Available Where Comparisons

| Comparison | Name | Description |
|---|---|---|
| > (integer) | Greater than | The associated column is greater than the value provided. |
| >= (integer) | Greater than or equal to | The associated column is greater than or equal to the value provided. |
| < (integer) | Less than | The associated column is less than the value provided. |
| <= (integer) | Less than or equal to | The associated column is less than or equal to the value provided. |
| != (integer, string) | Does not equal | The associated column does not equal the value provided. |
| = (integer, string) | Equal to | The associated column equals the value provided. |
| regex (string) | Regular expression comparison is true | The string matches the regular expression. |
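The column parameters of section 1.6 and the where comparisons of section 1.7 describe query semantics without an executable form. The Python below is an added example, not HAWK's own code or API: it applies those semantics to a few constructed events so the comparison behaviour and the new-column naming convention (column_name_count, column_name_distinct_count, column_name_hour, and so on) can be checked. It goes slightly beyond the tables by chaining a where filter, a datetime parameter and a group-by aggregation. Two assumptions are not documented HAWK behaviour: the regex comparison is treated as an unanchored search over the column's string form, and date_added is treated as a 'YYYY-MM-DD HH:MM:SS' string.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample events for illustration (not HAWK data). Column names follow
# section 1.1; alerts_type_name values are categories from section 1.8.
SAMPLE_EVENTS = [
    {"date_added": "2024-03-01 08:15:02", "alerts_type_name": "Scanning/Recon",
     "ip_src": "10.0.0.5", "ip_dport": 22, "priority": 3, "weight": 2.5},
    {"date_added": "2024-03-01 08:17:45", "alerts_type_name": "Scanning/Recon",
     "ip_src": "10.0.0.5", "ip_dport": 23, "priority": 3, "weight": 1.5},
    {"date_added": "2024-03-01 09:02:10", "alerts_type_name": "Scanning/Recon",
     "ip_src": "10.0.0.9", "ip_dport": 22, "priority": 2, "weight": 4.0},
    {"date_added": "2024-03-01 09:40:33", "alerts_type_name": "Attempted Authentication",
     "ip_src": "192.168.1.20", "ip_dport": 3389, "priority": 1, "weight": 9.0},
    {"date_added": "2024-03-02 01:05:59", "alerts_type_name": "Attempted Authentication",
     "ip_src": "192.168.1.20", "ip_dport": 3389, "priority": 1, "weight": 8.0},
]

# The seven where comparisons of section 1.7. Assumption: "regex" is an
# unanchored search over the column's string form (re.search semantics).
COMPARISONS = {
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    "!=": lambda a, b: a != b,
    "=": lambda a, b: a == b,
    "regex": lambda a, b: re.search(b, str(a)) is not None,
}


def where(events, column, comparison, value):
    """Keep the events whose column satisfies the comparison against value."""
    if comparison not in COMPARISONS:
        raise ValueError(f"unknown comparison: {comparison!r}")
    test = COMPARISONS[comparison]
    # Events lacking the column never match, so a missing field cannot slip
    # through a '!=' or regex filter as if it had a value.
    return [e for e in events if column in e and test(e[column], value)]


def add_datetime_part(events, column, part):
    """Per-event datetime parameters (hour, minute, second, day): derive
    column_<part> from a 'YYYY-MM-DD HH:MM:SS' string (assumed format) and
    add it to a copy of each event."""
    if part not in ("hour", "minute", "second", "day"):
        raise ValueError(f"not a datetime parameter: {part!r}")
    out = []
    for e in events:
        stamp = datetime.strptime(e[column], "%Y-%m-%d %H:%M:%S")
        row = dict(e)
        row[f"{column}_{part}"] = getattr(stamp, part)
        out.append(row)
    return out


# Reducers for the 'group by' parameters, keyed by the parameter name in 1.6.
REDUCERS = {
    "count": len,
    "distinct count": lambda values: len(set(values)),
    "avg": mean,
    "min": min,
    "max": max,
}


def aggregate(events, group_by, column, parameter):
    """Group events by group_by and reduce column with the named parameter.
    Returns {group value: {group_by: value, new column: result}} where the
    new column is column_<parameter> as in section 1.6 ('distinct count'
    becomes column_distinct_count). Events missing either column are skipped."""
    if parameter not in REDUCERS:
        raise ValueError(f"not a group-by parameter: {parameter!r}")
    groups = defaultdict(list)
    for e in events:
        if group_by in e and column in e:
            groups[e[group_by]].append(e[column])
    new_column = f"{column}_{parameter.replace(' ', '_')}"
    return {g: {group_by: g, new_column: REDUCERS[parameter](vals)}
            for g, vals in groups.items()}


if __name__ == "__main__":
    # Chain a where filter, a datetime parameter and a group-by aggregation:
    # distinct destination ports per source among priority 3 or better events.
    important = where(SAMPLE_EVENTS, "priority", "<=", 3)
    by_hour = add_datetime_part(important, "date_added", "hour")
    for row in aggregate(by_hour, "ip_src", "ip_dport", "distinct count").values():
        print(row)
```

The count and distinct-count reducers are the ones that matter for scan and brute-force style review of the event table: grouping on ip_src with a distinct count of ip_dport separates a source touching many ports from a source repeating one port, which a plain count alone does not show.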
1.8. Event Alert Type Categories

| Alert Type Category | Description |
|---|---|
| Scanning/Recon | Scanning and reconnaissance related events |
| Suspicious Activity | Suspicious activity related events |
| Possible Malicious Activity | General malicious activity related events |
| Malicious HTTP | General malicious web related events |
| Malicious HTTP Activity | Malicious web activity events |
| Attempted Authentication | General attempted authentication, both failed and successful |
| Miscellaneous Attack | General miscellaneous attack related events |
| False Positive | False positive events |
| Miscellaneous Information | General miscellaneous information |
| Possible Worm/Trojan Activity | Worm/virus/trojan related events |
| Potential Policy Violation | Potential policy violation events |
| Denial of Service | Denial of service events |
1.9. Resource OS Type Table

| os_type_name | os_type_details | class_type | class_name |
|---|---|---|---|
| HAWK Event Correlation Engine | HAWK Event Correlation Engine | HAWK | HAWK Event Correlation Engine |
| AIX | IBM AIX Operating System | AIX | IBM AIX Operating System |
| IBM AS/400 | IBM System i / AS/400 | AS/400 | IBM AS/400 |
| Imperva Web Firewall | Imperva Web Firewall | WAF | Web Application Firewall |
| Generic Firewall | Generic Firewall | Firewall | Network Firewall |
| WatchGuard Firewall | WatchGuard Firewall | Firewall | Network Firewall |
| SonicWall Firewall | SonicWall Firewall | Firewall | Network Firewall |
| AdTran Firewall | AdTran Firewall | Firewall | Network Firewall |
| 2WIRE Firewall | 2WIRE Firewall | Firewall | Network Firewall |
| Cisco Firewall | Cisco Firewall | Firewall | Network Firewall |
| Checkpoint Firewall | Checkpoint Firewall | Firewall | Network Firewall |
| Juniper Netscreen Firewall | Juniper Network Firewall | Firewall | Network Firewall |
| Barracuda Spam Firewall | Barracuda Spam Firewall | BARRACUDA | Barracuda Spam Firewall |
| Dragon Intrusion Detection System | Dragon IDS/IPS | IDS | Intrusion Detection/Prevention System |
| McAfee Intrusion Detection System | McAfee IDS/IPS | IDS | Intrusion Detection/Prevention System |
| Sourcefire Defense Center | Sourcefire Defense Center | IDS | Intrusion Detection/Prevention System |
| Snort Intrusion Detection System | Snort IDS | IDS | Intrusion Detection/Prevention System |
| Radware IPS | Radware DefensePro IPS | IDS | Intrusion Detection/Prevention System |
| TippingPoint IPS | TippingPoint IPS | IDS | Intrusion Detection/Prevention System |
| AirMagnet Wireless IPS | AirMagnet Wireless IPS | IDS | Intrusion Detection/Prevention System |
| Fortinet FortiGate IPS | Fortinet FortiGate IPS | IDS | Intrusion Detection/Prevention System |
| NetBSD | NetBSD Operating System | NetBSD | NetBSD Operating System |
| OpenBSD | OpenBSD Operating System | OpenBSD | OpenBSD Operating System |
| FreeBSD | FreeBSD | FreeBSD | FreeBSD Operating System |
| Linux Operating System | Linux Operating System | Linux | GNU/Linux Operating System |
| Apple OS X | Mac OS X | MacOSX | Apple OS X |
| Microsoft Windows | Microsoft Windows | Windows | Microsoft Windows |
| Unknown OS | Unknown Operating System | UNKNOWN | Unknown Device |
| Solaris | Solaris Operating System | Solaris | Solaris Operating System |
| HP-UX | HP-UX | HP-UX | HP-UX |
| Generic Router | Generic Router | Router | Network Router |
| Cisco Router | Cisco Router | Router | Network Router |
| Juniper Router | Juniper Network Router | Router | Network Router |
| Cisco VPN Concentrator | Cisco Network VPN Concentrator | VPN | VPN Concentrator/Router |
| Generic Switch | Generic Network Switch | Switch | Network Switch |
| Foundry Switch | Foundry Network Switch | Switch | Network Switch |
| Cisco Switch | Cisco Network Switch | Switch | Network Switch |
| HP ProCurve Network Switch | HP ProCurve Network Switch | Switch | Network Switch |
| Citrix NetScaler | Citrix NetScaler | Load Balancer | Load Balancer |
| Arbor NetFlow | Arbor Networks NetFlow | ARBOR | Arbor Networks NetFlow |
| CriticalWatch FusionVM | CriticalWatch FusionVM | VULNMGMT | Vulnerability Management |
| Rapid7 Nexpose | Rapid7 Nexpose | VULNMGMT | Vulnerability Management |
| Cisco Wireless Access Point | Cisco Wireless Access Point | WAP | Wireless Access Point |
| Buffalo Wireless Access Point | Buffalo Wireless Access Point | WAP | Wireless Access Point |
| Apple Airport Wireless Access Point | Apple Airport Wireless AP | WAP | Wireless Access Point |
| Ubiquiti Wireless Access Point | Ubiquiti Wireless Access Point | WAP | Wireless Access Point |
| APC UPS Battery Backup | APC UPS Battery Backup | Battery Backup | Battery Backup |
| Brother Printer | Brother Printer | Printer | Printer |
| Canon Printer | Canon Printer | Printer | Printer |
| Epson Printer | Epson Printer | Printer | Printer |
| Lexmark Printer | Lexmark Printer | Printer | Printer |
| Panasonic Printer | Panasonic Printer | Printer | Printer |
| Samsung Printer | Samsung Printer | Printer | Printer |
| Sharp Printer | Sharp Printer | Printer | Printer |
| Toshiba Printer | Toshiba Printer | Printer | Printer |
| Xerox Printer | Xerox Printer | Printer | Printer |
| HP Printer | HP Printer | Printer | Printer |
| Dell Printer | Dell Printer | Printer | Printer |