Activity Log Event Fdr/Ingest
Event for FDR ingest
| Field Name | Type | Value | Availability | Description |
|---|---|---|---|---|
| @id |  |  |  | A unique identifier for the event. Can be used to refer to and re-find specific events. |
| @ingesttimestamp |  |  |  | The timestamp of when the event was ingested. The value is milliseconds since epoch. |
| @rawstring |  |  |  | The original text of the event. Because it keeps the original data at ingestion, this field allows you to do free-text searching across all logs and to extract virtual fields in queries. |
| @timestamp |  |  |  | Timestamp in milliseconds since the epoch (1st Jan 1970, 00:00) of the ingested event, e.g. 2022-11-22 09:50:20.100, if the event has an identifiable timestamp. |
| @timestamp.nanos |  |  |  | Extended precision of the timestamp below the millisecond, e.g. 295000 |
| @timezone |  |  |  | The timezone the event originated in, if known. This is often set when the event's timestamp is parsed. |
| bucket |  |  |  | Bucket for FDR events |
| category |  |  |  | Category of the event, such as Alert, Request, IngestFeed, Fdr, Query, Action, and ScheduledSearch |
| dataspace |  |  |  | Repository or view name |
| dataspaceId |  |  |  | Dataspace ID |
| eventsCount |  |  |  | Count of FDR events |
| exception |  |  |  | Path of the exception file and the exception message of the event; only for scheduled search events |
| exceptionCause[0] |  |  |  | Exception cause |
| exceptionMessage |  |  |  | Detailed error message that will include cluster-level errors that may have contributed; for example permission, API, or network issues |
| fdrFeedId |  |  |  | FDR feed ID |
| fdrFeedName |  |  |  | FDR feed name |
| #category |  |  |  | Category of the event |
| #repo |  |  |  | Name of the repo where the event is stored |
| #severity |  |  |  | Severity of the event from the original log source |
| key |  |  |  | Location of the block loaded when processing bucket data |
| message |  |  |  | Message of the alert or event |
| orgId |  |  |  | Organization ID |
| s3File.bucket |  |  |  | S3 bucket name |
| s3File.key |  |  |  | S3 file object key |
| s3File.size |  |  |  | Size of the incoming file from SQS |
| severity |  |  |  | Severity of the event |
| size |  |  |  | Size of the incoming data during FDR ingest |
| sqsAckResponse.content |  |  |  | Content of the SQS acknowledgement response |
| sqsAckResponse.statusCode |  |  |  | Status code of the SQS acknowledgement response |
| sqsMessage.body |  |  |  | Body of the SQS message |
| sqsMessage.bodyChecksum |  |  |  | Checksum for the body of the SQS message |
| sqsMessage.bucket |  |  |  | Bucket of the SQS message |
| sqsMessage.cid |  |  |  | CID of the SQS message |
| sqsMessage.fileCount |  |  |  | Number of files from the SQS message included in the event |
| sqsMessage.id |  |  |  | SQS message ID |
| sqsMessage.latestReceiveTimestamp |  |  |  | Latest received message timestamp |
| sqsMessage.pathPrefix |  |  |  | Path prefix of the SQS message |
| sqsMessage.receiptHandle |  |  |  | The receipt handle of the SQS message; the receipt handle is specific to the action of receiving the message and not to the SQS message itself |
| sqsMessage.timestamp |  |  |  | Timestamp of the SQS message |
| sqsMessage.totalSize |  |  |  | Total size of the SQS message |
| sqsMessageAttribute.ApproximateFirstReceiveTimestamp |  |  |  | Time the message was first received in SQS from the queue |
| sqsMessageAttribute.ApproximateReceiveCount |  |  |  | Approximate number of messages received |
| sqsMessageAttribute.SenderId |  |  |  | Sender ID of the SQS message |
| sqsMessageAttribute.SentTimestamp |  |  |  | Timestamp from the SQS message for when the SQS message was sent |
| startFileDownloadTimestamp |  |  |  | Timestamp when the file download started |
| streamId |  |  |  | Stream ID |
| subCategory |  |  |  | Subcategory of the event |
| timestamp |  |  |  | Timestamp of the event in milliseconds |