Reference Guide
---------------

Available Event Columns
"""""""""""""""""""""""

.. glossary::

   bayesian_weight (float)
      Bayesian score showing the probability of the event being good or bad. A SOC analyst can tune the Bayesian algorithm by marking learning events as bad or good.

   weight (float)
      Cumulative weight assigned to an event based on analytic scores.

   date_added (string)
      Date the event was added to the HAWK system.

   hid (string)
      HAWK ID: the HAWK-assigned ID associated with the alert name. Click `HERE `_ to see a full list of available HAWK IDs.

   alert_name (string)
      Alert name assigned to the event.

   priority (integer)
      Priority, values 1 - 5. One is the highest priority and five the lowest.

   app (string)
      Application the event is from. Using map-replace on HAWK engines you can map application IDs to application names.

   action (string)
      Action performed. A few examples: "quarantined", "ignored", "removed".

   alerts_type_name (string)
      Alert category assigned to the event. Click `HERE `_ to see a full list of alert categories.

   blocked (boolean)
      True or False depending on whether the event was blocked.

   vendor_id (string)
      Vendor-assigned ID. A few examples: Windows event IDs, Snort IDs, Cisco IDs (3-710003).

   resource_name (string)
      Hostname of the resource sending the event.

   resource_addr (string)
      IPv4 address of the resource.

   resource_asset_criticality (integer)
      Asset criticality assigned to the resource.

   compliance_asset (boolean)
      True or False depending on whether the resource is a compliance asset.

   group_name (string)
      Group name assigned to the resource.

   icmp_type (integer)
      ICMP type. ICMP types and codes are explained `here `_.

   icmp_code (integer)
      ICMP code. ICMP types and codes are explained `here `_.

   icmp_csum (integer)
      ICMP checksum of the event.

   icmp_id (integer)
      ICMP identifier.

   icmp_seq (integer)
      ICMP sequence number.

   ip_src (string)
      IPv4 address of the sender of the packet.

   ip_src_host (string)
      Source hostname of the sender of the packet.

   ip_src_geoip_name (string)
      Source address GeoIP name.

   ip_src_geoip_cc2 (string)
      Source address GeoIP country code.

   ip_src_geoip_reg (string)
      Source address GeoIP region.

   ip_src_geoip_city (string)
      Source address GeoIP city.

   ip_src_geoip_latitude (float)
      Source address GeoIP latitude.

   ip_src_geoip_longitude (float)
      Source address GeoIP longitude.

   ip_dst (string)
      IPv4 address of the receiver of the packet.

   ip_dst_host (string)
      Destination hostname of the receiver of the packet.

   ip_dst_geoip_name (string)
      Destination address GeoIP name.

   ip_dst_geoip_cc2 (string)
      Destination address GeoIP country code.

   ip_dst_geoip_reg (string)
      Destination address GeoIP region.

   ip_dst_geoip_city (string)
      Destination address GeoIP city.

   ip_dst_geoip_latitude (float)
      Destination address GeoIP latitude.

   ip_dst_geoip_longitude (float)
      Destination address GeoIP longitude.

   ip_sport (integer)
      Identifies the sending port.

   ip_dport (integer)
      Identifies the receiving port.

   ip_ver (integer)
      IP version: 4 = IPv4, 6 = IPv6.

   ip_hlen (integer)
      IP header length.

   ip_tos (integer)
      IP Type of Service / Differentiated Services Code Point (DSCP) field of the IP header, used for packet classification.

   ip_id (integer)
      IP identification. Primarily used to uniquely identify the group of fragments of a single IP datagram.

   ip_flags (integer)
      IP flags used to control or identify fragments.

   ip_off (integer)
      IP fragment offset field.

   ip_ttl (integer)
      IP time to live.

   ip_proto (integer)
      Defines the IP protocol used in the data portion of the IP datagram. List of IP protocols `here `_.

   ip_csum (integer)
      IP checksum.

   hash (string)
      Stores the MD5 hash of the raw payload.

   payload (string)
      Raw event payload.

   packet (string)
      Raw event packet, if provided.

   tcp_seq (integer)
      TCP sequence number.

   tcp_ack (integer)
      TCP acknowledgement number.

   tcp_off (integer)
      Specifies the size of the TCP header.

   tcp_res (integer)
      TCP reserved bits; reserved for future use and should not be used.

   tcp_flags (integer)
      TCP flags, for example ACK, RST, SYN, FIN. A list of flags can be found `here `_.

   tcp_win (integer)
      TCP window size: the size of the receiving window in bytes.

   tcp_csum (integer)
      TCP checksum.

   tcp_urp (integer)
      TCP urgent pointer.

   udp_len (integer)
      Specifies the length in bytes of the UDP header and UDP data.

   udp_csum (integer)
      UDP checksum.

   class_type (string)
      Host classification type. You can find a list of host classifications `here `_.

   class_name (string)
      Host classification name. You can find a list of host classifications `here `_.

   os_type_name (string)
      Operating system / specific vendor name. You can find the full list `here `_.

   correlation_username (string)
      Username.

   target_username (string)
      Target username.

   audit_login (boolean)
      Audit Login.

   audit_logoff (boolean)
      Audit Logoff.

   audit_policy_change (boolean)
      Audit Policy Change.

   audit_log_change (boolean)
      Audit Log Change.

   audit_object_access (boolean)
      Audit Object Access.

   audit_user_action (boolean)
      Audit User Action.

   audit_system_event (boolean)
      Audit System Event.

   audit_session_status (boolean)
      Audit Session Status.

   audit_account_validation (boolean)
      Audit Account Validation.

   audit_user_change (boolean)
      Audit User Change.

   audit_group_change (boolean)
      Audit Group Change.

   net_if_id (string)
      Network interface ID.

   net_if_collisions (string)
      Network interface collisions.

   net_if_packets (integer)
      Network interface packets.

   net_if_bytes (integer)
      Network interface bytes.

   net_if_in_packets (integer)
      Network interface incoming packets.

   net_if_in_bytes (integer)
      Network interface incoming bytes.

   net_if_in_dropped (integer)
      Network interface incoming dropped packets.

   net_if_in_errors (integer)
      Network interface incoming errors.

   net_if_out_packets (integer)
      Network interface outgoing packets.

   net_if_out_bytes (integer)
      Network interface outgoing bytes.

   net_if_out_dropped (integer)
      Network interface outgoing dropped packets.

   net_if_out_errors (integer)
      Network interface outgoing errors.

   net_if_name (string)
      Network interface name.

   health_service_ping (boolean)
      Health service status check.

   sys_cpu_id (string)
      CPU ID.

   sys_cpu_load_total (integer)
      CPU total load.

   sys_cpu_load_user (integer)
      CPU user load.

   sys_cpu_load_sys (integer)
      CPU system load.

   sys_cpu_load_wait (integer)
      CPU wait load.

   sys_cpu_load_idle (integer)
      CPU idle load.

   sys_uptime (string)
      System uptime.

   sys_version (string)
      System version.

   sys_uname (string)
      System unique name.

   sys_mem_size_total (integer)
      System memory total size.

   sys_mem_size_free (integer)
      System memory free size.

   vm_mem_size_total (integer)
      Virtual memory total size.

   vm_mem_size_free (integer)
      Virtual memory free size.

   vm_mem_size_cached (integer)
      Virtual memory cached size.

   vm_mem_size_buffers (integer)
      Virtual memory buffers size.

   vfs_dev_id (string)
      Filesystem device ID.

   vfs_dev_read_sectors (integer)
      Filesystem device read sectors.

   vfs_dev_read_ops (integer)
      Filesystem device read operations.

   vfs_dev_write_sectors (integer)
      Filesystem device write sectors.

   vfs_fs_id (string)
      Filesystem ID.

   vfs_fs_size_total (integer)
      Filesystem total size.

   vfs_fs_size_free (integer)
      Filesystem free size.

Available Audit Columns
"""""""""""""""""""""""

Audit columns record changes made to your HAWK system and which users have logged in.
From the HAWK portal navigation panel click on :menuselection:`System --> Audit Log` for a table showing this information.

=================== ============== ======================================
Column Name         Column Type    Column Description
=================== ============== ======================================
audit_id            id             Audit Unique ID
username            string         Audit Username
group               string         Audit Group
category            string         Audit Category
method              string         Audit Method
status              string         Audit Status
action              string         Audit Action
criteria            string         Audit Criteria
date_added          date           Audit Date Added
=================== ============== ======================================

Available Vulnerability Columns
"""""""""""""""""""""""""""""""

Vulnerability columns hold data gathered by vulnerability assessment tools, giving you more data to correlate with.

=================== ============== ======================================
Column Name         Column Type    Column Description
=================== ============== ======================================
vulnerability_id    id             Vulnerability Unique ID
group_name          string         Group Name
ts                  string         Time Stamp
date_added          date           Date Added
resource_name       string         Resource/Device Name
resource_address    string         Resource IPv4 Address
resource_address6   string         Resource IPv6 Address
engine              string         Vulnerability Vendor Name
cvss                integer        Common Vulnerability Scoring System
cve                 string         Common Vulnerabilities and Exposures
vuln_summary        string         Vulnerability Summary
vuln_name           string         Vulnerability Name
risk                string         Risk Value from Vendor (i.e. Low, Medium, High)
ip_port             integer        IP Port Number
vuln_details        string         Vulnerability Details
os_type_name        string         Operating System Name
severity            integer        Severity Rating
vuln_family         string         Vulnerability Family
ip_service          string         IP Type of Service
ip_proto            integer        IP Protocol (i.e. 1 (icmp), 6 (tcp))
vuln_solution       string         Vulnerability Solution
class_type          string         Host Classification Type/Key
class_name          string         Host Classification Name
=================== ============== ======================================

Available Incident Columns
""""""""""""""""""""""""""

============================== ============== =========================================
Column Name                    Column Type    Column Description
============================== ============== =========================================
incident_id                    id             Incident Unique ID
group_name                     string         Group Name
date_added                     date           The time this Incident was created
key                            string         Incident Key
name                           string         Incident Name
status                         string         Status of Incident
owner                          string         Owner of Incident
owner_name                     string         Owner of Incident
last_seen                      date           Date Incident was Last Seen
------------------------------ -------------- -----------------------------------------
records_hid                    string         HAWK ID
records_ip_src                 string         Source IP Address
records_ip_dst                 string         Destination IP Address
records_ip_proto               integer        IP Protocol Type (i.e. 1-ICMP, 6-TCP, 17-UDP)
records_ip_sport               integer        IP Source Port
records_ip_dport               integer        IP Destination Port
records_payload                string         Payload of the given event
records_hash                   string         Payload Checksum
records_event_id               string         Event ID
records_group_name             string         Group Name
records_date_added             date           Event Date Added
records_resource_addr          string         Resource IP Address
records_resource_name          string         Resource Name
records_alert_name             string         Event Alert Name
records_alerts_type_name       string         Event Alert Type Name
records_priority               integer        Event Priority
records_weight                 float          Weight
records_class_type             string         Host Classification Type/Key
records_os_type_name           string         Operating System / Specific Vendor Name
records_blocked                boolean        Was Event Blocked or Not
records_vendor_id              string         Vendor ID
------------------------------ -------------- -----------------------------------------
notes_date_added               date           Date Incident Note was Added
notes_username                 string         HAWK Username who made the Note
notes_fullname                 string         HAWK Full Name who made the Note
notes_message                  string         Incident Note
------------------------------ -------------- -----------------------------------------
records_ip_src_geoip_cc2       string         Source Address GeoIP Country Code
records_ip_src_geoip_name      string         Source Address GeoIP Name
records_ip_src_geoip_region    string         Source Address GeoIP Region
records_ip_src_geoip_city      string         Source Address GeoIP City
records_ip_src_geoip_latitude  integer        Source Address GeoIP Latitude
records_ip_src_geoip_longitude integer        Source Address GeoIP Longitude
records_ip_dst_geoip_cc2       string         Destination Address GeoIP Country Code
records_ip_dst_geoip_name      string         Destination Address GeoIP Name
records_ip_dst_geoip_region    string         Destination Address GeoIP Region
records_ip_dst_geoip_city      string         Destination Address GeoIP City
records_ip_dst_geoip_latitude  integer        Destination Address GeoIP Latitude
records_ip_dst_geoip_longitude integer        Destination Address GeoIP Longitude
============================== ============== =========================================

Available Resource Columns
""""""""""""""""""""""""""

Resource columns hold information about the resources reporting to your HAWK system. From the HAWK portal navigation panel click on :menuselection:`Administration --> Resources` for a table showing this information.

=================== ============== ==============================
Column Name         Column Type    Column Description
=================== ============== ==============================
resource_id         id             Resource Unique ID
resource_name       string         Resource/Device Name
resource_details    string         Resource Details
resource_address    string         Resource IPv4 Address
resource_address6   string         Resource IPv6 Address
resource_group      string         Resource Group
pulse_templates     array          Resource Template
class_name          string         Host Classification Type/Key
class_type          string         Host Classification Name
os_type_name        string         Operating System Name
date_added          date           Date Resource Was Added
last_seen           date           Date Resource Last Seen
=================== ============== ==============================

Available Column Parameters
"""""""""""""""""""""""""""

+------------------+-----------------------------------------+-----------------------------------+
| Parameter        | Description                             | New Column Name                   |
+==================+=========================================+===================================+
| count            | Count the number of instances based     | Column_name + '_count'            |
|                  | upon the specified 'group by'.          | (column_name_count)               |
+------------------+-----------------------------------------+-----------------------------------+
| distinct count   | Count the number of distinct instances  | Column_name + '_distinct_count'   |
|                  | based upon the specified 'group by'.    | (column_name_distinct_count)      |
+------------------+-----------------------------------------+-----------------------------------+
| hour             | The hour of the available datetime      | Column_name + '_hour'             |
|                  | field.                                  | (column_name_hour)                |
+------------------+-----------------------------------------+-----------------------------------+
| minute           | The minute of the available datetime    | Column_name + '_minute'           |
|                  | field.                                  | (column_name_minute)              |
+------------------+-----------------------------------------+-----------------------------------+
| second           | The second of the available datetime    | Column_name + '_second'           |
|                  | field.                                  | (column_name_second)              |
+------------------+-----------------------------------------+-----------------------------------+
| day              | The day of the available datetime       | Column_name + '_day'              |
|                  | field.                                  | (column_name_day)                 |
+------------------+-----------------------------------------+-----------------------------------+
| avg              | The average number of instances based   | Column_name + '_avg'              |
|                  | upon the specified 'group by'.          | (column_name_avg)                 |
+------------------+-----------------------------------------+-----------------------------------+
| min              | The minimum number of instances based   | Column_name + '_min'              |
|                  | upon the specified 'group by'.          | (column_name_min)                 |
+------------------+-----------------------------------------+-----------------------------------+
| max              | The maximum number of instances based   | Column_name + '_max'              |
|                  | upon the specified 'group by'.          | (column_name_max)                 |
+------------------+-----------------------------------------+-----------------------------------+

Available Where Comparisons
"""""""""""""""""""""""""""

+-----------------+-----------------------------------+------------------------------------------+
| Comparison      | Name                              | Description                              |
+=================+===================================+==========================================+
| > (integer)     | Greater than                      | The associated column is greater than    |
|                 |                                   | the value provided.                      |
+-----------------+-----------------------------------+------------------------------------------+
| >= (integer)    | Greater than or equal to          | The associated column is greater than    |
|                 |                                   | or equal to the value provided.          |
+-----------------+-----------------------------------+------------------------------------------+
| < (integer)     | Less than                         | The associated column is less than       |
|                 |                                   | the value provided.                      |
+-----------------+-----------------------------------+------------------------------------------+
| <= (integer)    | Less than or equal to             | The associated column is less than or    |
|                 |                                   | equal to the value provided.             |
+-----------------+-----------------------------------+------------------------------------------+
| != (integer,    | Does not equal                    | The associated column does not equal     |
| string)         |                                   | the value provided.                      |
+-----------------+-----------------------------------+------------------------------------------+
| = (integer,     | Equal to                          | The associated column equals the         |
| string)         |                                   | value provided.                          |
+-----------------+-----------------------------------+------------------------------------------+
| regex           | Regular expression comparison     | String matches the regular expression.   |
| (string)        | is true.                          |                                          |
+-----------------+-----------------------------------+------------------------------------------+

Event Alert Type Categories
"""""""""""""""""""""""""""

============================== ========================================================================
Alert Type Category            Description
============================== ========================================================================
Scanning/Recon                 Scanning & Recon Related Events
Suspicious Activity            Suspicious Activity Related Events
Possible Malicious Activity    General Malicious Activity Related Events
Malicious HTTP                 General Malicious Web Related Events
Malicious HTTP Activity        Malicious Web Activity Events
Attempted Authentication       General Attempted Authentication, both Failed and Successful
Miscellaneous Attack           General Miscellaneous Attack Related Events
False Positive                 False Positive Events
Miscellaneous Information      General Miscellaneous Information
Possible Worm/Trojan Activity  Worm/Virus/Trojan Related Events
Potential Policy Violation     Potential Policy Violation Events
Denial of Service              Denial of Service Events
============================== ========================================================================

Resource OS Type Table
""""""""""""""""""""""

===================================== ============================== =============== =======================================
os_type_name                          os_type_details                class_type      class_name
===================================== ============================== =============== =======================================
HAWK Event Correlation Engine         HAWK Event Correlation Engine  HAWK            HAWK Event Correlation Engine
AIX                                   IBM AIX Operating System       AIX             IBM AIX Operating System
IBM AS/400                            IBM System i / AS/400          AS/400          IBM AS/400
Imperva Web Firewall                  Imperva Web Firewall           WAF             Web Application Firewall
Generic Firewall                      Generic Firewall               Firewall        Network Firewall
WatchGuard Firewall                   WatchGuard Firewall            Firewall        Network Firewall
SonicWall Firewall                    SonicWall Firewall             Firewall        Network Firewall
AdTran Firewall                       AdTran Firewall                Firewall        Network Firewall
2WIRE Firewall                        2WIRE Firewall                 Firewall        Network Firewall
Cisco Firewall                        Cisco Firewall                 Firewall        Network Firewall
Checkpoint Firewall                   Checkpoint Firewall            Firewall        Network Firewall
Juniper Netscreen Firewall            Juniper Network Firewall       Firewall        Network Firewall
Barracuda Spam Firewall               Barracuda Spam Firewall        BARRACUDA       Barracuda Spam Firewall
Dragon Intrusion Detection System     Dragon IDS/IPS                 IDS             Intrusion Detection/Prevention System
McAfee Intrusion Detection System     McAfee IDS/IPS                 IDS             Intrusion Detection/Prevention System
Sourcefire Defense Center             Sourcefire Defense Center      IDS             Intrusion Detection/Prevention System
Snort Intrusion Detection System      Snort IDS                      IDS             Intrusion Detection/Prevention System
Radware IPS                           Radware DefensePro IPS         IDS             Intrusion Detection/Prevention System
TippingPoint IPS                      TippingPoint IPS               IDS             Intrusion Detection/Prevention System
AirMagnet Wireless IPS                AirMagnet Wireless IPS         IDS             Intrusion Detection/Prevention System
Fortinet FortiGate IPS                Fortinet FortiGate IPS         IDS             Intrusion Detection/Prevention System
NetBSD                                NetBSD Operating System        NetBSD          NetBSD Operating System
OpenBSD                               OpenBSD Operating System       OpenBSD         OpenBSD Operating System
FreeBSD                               FreeBSD                        FreeBSD         FreeBSD Operating System
Linux Operating System                Linux Operating System         Linux           GNU/Linux Operating System
Apple OS X                            Mac OS X                       MacOSX          Apple OS X
Microsoft Windows                     Microsoft Windows              Windows         Microsoft Windows
Unknown OS                            Unknown Operating System       UNKNOWN         Unknown Device
Solaris                               Solaris Operating System       Solaris         Solaris Operating System
HP-UX                                 HP-UX                          HP-UX           HP-UX
Generic Router                        Generic Router                 Router          Network Router
Cisco Router                          Cisco Router                   Router          Network Router
Juniper Router                        Juniper Network Router         Router          Network Router
Cisco VPN Concentrator                Cisco Network VPN Concentrator VPN             VPN Concentrator/Router
Generic Switch                        Generic Network Switch         Switch          Network Switch
Foundry Switch                        Foundry Network Switch         Switch          Network Switch
Cisco Switch                          Cisco Network Switch           Switch          Network Switch
HP ProCurve Network Switch            HP ProCurve Network Switch     Switch          Network Switch
Citrix NetScaler                      Citrix NetScaler               Load Balancer   Load Balancer
Arbor NetFlow                         Arbor Networks NetFlow         ARBOR           Arbor Networks NetFlow
CriticalWatch FusionVM                CriticalWatch FusionVM         VULNMGMT        Vulnerability Management
Rapid7 Nexpose                        Rapid7 Nexpose                 VULNMGMT        Vulnerability Management
Cisco Wireless Access Point           Cisco Wireless Access Point    WAP             Wireless Access Point
Buffalo Wireless Access Point         Buffalo Wireless Access Point  WAP             Wireless Access Point
Apple Airport Wireless Access Point   Apple Airport Wireless AP      WAP             Wireless Access Point
Ubiquiti Wireless Access Point        Ubiquiti Wireless Access Point WAP             Wireless Access Point
APC UPS Battery Backup                APC UPS Battery Backup         Battery Backup  Battery Backup
Brother Printer                       Brother Printer                Printer         Printer
Canon Printer                         Canon Printer                  Printer         Printer
Epson Printer                         Epson Printer                  Printer         Printer
Lexmark Printer                       Lexmark Printer                Printer         Printer
Panasonic Printer                     Panasonic Printer              Printer         Printer
Samsung Printer                       Samsung Printer                Printer         Printer
Sharp Printer                         Sharp Printer                  Printer         Printer
Toshiba Printer                       Toshiba Printer                Printer         Printer
Xerox Printer                         Xerox Printer                  Printer         Printer
HP Printer                            HP Printer                     Printer         Printer
Dell Printer                          Dell Printer                   Printer         Printer
===================================== ============================== =============== =======================================
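The following Python script is an added example, not HAWK code, showing how the where comparisons and column parameters documented above behave when applied to event records that use the glossary's column names (``hid``, ``priority``, ``ip_src``, ``blocked``, ``date_added``). The event records are constructed for the example, the ``date_added`` layout, the use of ``re.search`` for the ``regex`` comparison and the helper names (``where``, ``aggregate``, ``add_datetime_part``) are assumptions; the derived column naming (``column_name_count``, ``column_name_distinct_count``, ...) follows the parameter table.

```python
"""Added example (not HAWK code): apply the reference guide's 'where'
comparisons and column parameters to constructed event records.

Column names follow the Available Event Columns glossary; the date format,
the regex semantics (re.search) and the helper names are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

DATE_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed layout of the date_added string

# Constructed sample events; addresses come from documentation ranges and hid values are made up.
EVENTS = [
    {"hid": "2001", "alert_name": "Failed login burst", "priority": 1, "blocked": False,
     "ip_src": "203.0.113.5", "resource_name": "bastion01", "date_added": "2024-05-01 08:15:22"},
    {"hid": "2001", "alert_name": "Failed login burst", "priority": 1, "blocked": False,
     "ip_src": "203.0.113.5", "resource_name": "bastion01", "date_added": "2024-05-01 08:16:02"},
    {"hid": "2002", "alert_name": "Port scan", "priority": 3, "blocked": True,
     "ip_src": "198.51.100.7", "resource_name": "fw01", "date_added": "2024-05-01 09:40:10"},
    {"hid": "2003", "alert_name": "Suspicious HTTP request", "priority": 2, "blocked": True,
     "ip_src": "203.0.113.5", "resource_name": "web01", "date_added": "2024-05-01 23:05:59"},
    {"hid": "2002", "alert_name": "Port scan", "priority": 3, "blocked": False,
     "ip_src": "198.51.100.7", "resource_name": "fw01", "date_added": "2024-05-02 01:12:00"},
]

# The seven comparisons from the Available Where Comparisons table.
COMPARISONS = {
    ">": lambda col, val: col > val,
    ">=": lambda col, val: col >= val,
    "<": lambda col, val: col < val,
    "<=": lambda col, val: col <= val,
    "!=": lambda col, val: col != val,
    "=": lambda col, val: col == val,
    "regex": lambda col, val: re.search(val, str(col)) is not None,  # assumed: search, not full match
}
NUMERIC_ONLY = {">", ">=", "<", "<="}  # the table lists these for integer columns only


def where(events, column, op, value):
    """Return the events whose `column` satisfies `op` against `value`.

    Events lacking the column never match; ordered comparisons on a
    non-numeric column raise instead of silently comparing strings.
    """
    if op not in COMPARISONS:
        raise ValueError("unknown comparison: %r" % op)
    matched = []
    for ev in events:
        if column not in ev:
            continue
        col = ev[column]
        if op in NUMERIC_ONLY and (isinstance(col, bool) or not isinstance(col, (int, float))):
            raise TypeError("%s is not numeric; %r needs an integer column" % (column, op))
        if COMPARISONS[op](col, value):
            matched.append(ev)
    return matched


def derived_name(column, parameter):
    """New column name: column_name + '_' + parameter, e.g. hid_distinct_count."""
    return column + "_" + parameter.replace(" ", "_")


def add_datetime_part(events, column, part):
    """Per-event parameters hour/minute/second/day: add column_part to a copy of each event."""
    if part not in ("hour", "minute", "second", "day"):
        raise ValueError("not a datetime parameter: %r" % part)
    out = []
    for ev in events:
        stamp = datetime.strptime(ev[column], DATE_FORMAT)
        row = dict(ev)  # copy so the source records stay untouched
        row[derived_name(column, part)] = getattr(stamp, part)
        out.append(row)
    return out


AGGREGATES = {
    "count": len,
    "distinct count": lambda vals: len(set(vals)),
    "avg": lambda vals: sum(vals) / len(vals),
    "min": min,
    "max": max,
}


def aggregate(events, column, parameter, group_by):
    """Aggregate parameters: return (new column name, {group value: result})."""
    if parameter not in AGGREGATES:
        raise ValueError("not an aggregate parameter: %r" % parameter)
    groups = defaultdict(list)
    for ev in events:
        groups[ev[group_by]].append(ev[column])
    return derived_name(column, parameter), {g: AGGREGATES[parameter](v) for g, v in groups.items()}


def unblocked_urgent_by_source(events, max_priority=2):
    """Events at priority 1..max_priority that were not blocked, counted per ip_src."""
    urgent = where(where(events, "priority", "<=", max_priority), "blocked", "=", False)
    return aggregate(urgent, "hid", "count", "ip_src")


if __name__ == "__main__":
    print(unblocked_urgent_by_source(EVENTS))
    print(aggregate(EVENTS, "hid", "distinct count", "ip_src"))
    for row in add_datetime_part(where(EVENTS, "alert_name", "regex", "(?i)login"), "date_added", "hour"):
        print(row["hid"], row["date_added_hour"])
```

Two points the tables leave implicit are made explicit here: the ordered comparisons are only defined for integer columns, so the filter refuses them on strings and booleans rather than comparing lexically, and the datetime parameters produce one value per event while count, distinct count, avg, min and max collapse a group to a single value, which is why they live in separate helpers.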