Activity Log Event Fdr/Ingest
Event for FDR ingest
| Field | Description |
|---|---|
| @id | A unique identifier for the event. Can be used to refer to and re-find specific events. |
| @ingesttimestamp | The timestamp of when the event was ingested. The value is milliseconds-since-epoch. |
| @rawstring | The original text of the event. As it keeps the original data on ingestion, this field allows you to do free-text searching across all logs and to extract virtual fields in queries. |
| @timestamp | Timestamp in milliseconds since the epoch (1st Jan 1970, 00:00) of the ingested event, e.g. 2022-11-22 09:50:20.100, if the event has an identifiable timestamp. |
| @timestamp.nanos | Extended precision of the timestamp below the millisecond, e.g. 295000. |
| @timezone | The timezone the event originated in, if known. This is often set when the event's timestamp is parsed. |
| bucket | Bucket for FDR events |
| category | Category of the event, such as Alert, Request, IngestFeed, Fdr, Query, Action, and ScheduledSearch |
| dataspace | Repository or view name |
| dataspaceId | Dataspace ID |
| eventsCount | Count of FDR events |
| exception | Path of the exception file and the exception message of the event; only for scheduled search events |
| exceptionCause[0] | Exception cause |
| exceptionMessage | Detailed error message that will include errors at the cluster level that may have contributed; for example permission, API, or network issues |
| fdrFeedId | FDR feed ID |
| fdrFeedName | FDR feed name |
| #category | Category of the event |
| #repo | Name of the repo where the event is stored |
| #severity | Severity of the event from the original log source |
| key | Location of the block loaded when processing bucket data |
| message | Message of the alert or event |
| orgId | Organization ID |
| s3File.bucket | S3 bucket name |
| s3File.key | S3 file object key |
| s3File.size | Size of the incoming file from SQS |
| severity | Severity of the event |
| size | Size of the incoming data during FDR ingest |
| sqsAckResponse.content | Content of the SQS acknowledgement response |
| sqsAckResponse.statusCode | Status code of the SQS acknowledgement response |
| sqsMessage.body | Body of the SQS message |
| sqsMessage.bodyChecksum | Checksum for the body of the SQS message |
| sqsMessage.bucket | Bucket of the SQS message |
| sqsMessage.cid | CID of the SQS message |
| sqsMessage.fileCount | Number of files from the SQS message included in the event |
| sqsMessage.id | SQS message ID |
| sqsMessage.latestReceiveTimestamp | Latest received message timestamp |
| sqsMessage.pathPrefix | Path prefix of the SQS message |
| sqsMessage.receiptHandle | The receipt handle of the SQS message; the receipt handle is specific to the action of receiving the message and not to the SQS message itself |
| sqsMessage.timestamp | Timestamp of the SQS message |
| sqsMessage.totalSize | Total size of the SQS message |
| sqsMessageAttribute.ApproximateFirstReceiveTimestamp | Time the message was first received in SQS from the queue |
| sqsMessageAttribute.ApproximateReceiveCount | Approximate number of messages received |
| sqsMessageAttribute.SenderId | Sender ID of the SQS message |
| sqsMessageAttribute.SentTimestamp | Timestamp from the SQS message for when the SQS message was sent |
| startFileDownloadTimestamp | Timestamp when the file download started |
| streamId | Stream ID |
| subCategory | Subcategory of the event |
| timestamp | Timestamp in milliseconds of the event |