AlienVault® USM Anywhere™

Event Keys

Role Availability: Read-Only, Analyst, Manager

The following is a list of all the event keys with a definition of their function and the type of the key.


Event Key | Definition | Type
Access Control Outcome | Outcome from Access Control | String
Access Key ID | The access key ID | String
Account ID | The account ID that generated the event | String
Account Name | The account name that generated the event | String
Action | The action outcome | String
Action Token JTI | The action token's JTI | String
Affected Family | Software family affected by the current CPE | String
Affected Platform | The platform (Linux, Mac OSX, Windows) affected by an IDS event | String
Affected Platforms | Software Platforms affected by the current CPE | String
Affected Products | Software Products affected by the current CPE | String
Alarm Destination Asset IDs | CSV of alarm destination asset IDs | String Array
Alarm Destination Organisations | CSV of alarm destination organisations | String Array
Alarm Destination Users | An array of alarm destination users | String Array
Alarm Destination Zones | CSV of alarm destination zones | String Array
Alarm Source Organisations | CSV of alarm source organisations | String Array
Alarm Source Zones | CSV of alarm source zones | String Array
Alarm Status | The status of the alarm | String
App Execution Parameters | The application execution parameters | String
App ID | The ID of the App which generated this event | String
App Name | The Name of the App which generated this event | String
Application | Application name | String
Application Protocol | Layer-7 protocol observed in the event (e.g. SSH, FTP, SNMP) | String
Application Type | Application type | String
Asset Group ID | The ID of the Asset Group in AssetDB | String
Asset Status | Asset Status | String
Asset Tag | Asset metadata name | String
Asset Tag Value | Asset metadata value | String
Audit Reason | The reason an audit event was generated | String
Authentication Mode | Authentication Mode | String
Authentication Type | The method used by the user to authenticate, such as RSA Key, Password, Domain Credentials | String

Event Key | Definition | Type
Base Event Count | How many times this same event was observed | Integer
Blacklist Name | The name listed on the blacklist | String
Blacklist Reference Url | The referencing URL from the blacklist | URL
Blacklist Violating IP | The IP registered to the blacklist | IP

Event Key | Definition | Type
Certificate Issuer Name | Name of the authorization certificate issuer | String
Certificate Serial Number | Serial Number of the authorization certificate | String
Certificate Subject Name | Subject name in the authorization certificate | String
Confidence | Confidence level | Integer
Connection Count | Number of incoming connections | Long
Console Login | The outcome of an AWS console login attempt | String
Consumer | Consumer of the event | String
Container ID | The ID of the container | String
Container Image | The image name used to launch the container | String
Container Image ID | The ID of the image used to launch the container | String
Container Name | The name of the container | String
Container State | The state of the container | String
Contains Credit Card Number | Whether the event contains credit card numbers | Boolean
Content Category | Category of the content being inspected as part of the connection, for example in a Content Filtering or Proxy device | String
Control ID | The Control Node ID which will process this event | String
Current PPS | Number of current packets per second (PPS) | Integer
Current Working Directory | The Current Working Directory (CWD) referenced in the event | String

Event Key | Definition | Type
Destination | Compared against several known formats to extract relevant data, e.g. [hostname], [port], [zone] | Network Info
Destination Additional Hostnames | Destination additional hostnames | String Array
Destination Address | Destination IP Address | IP
Destination Address 6 | Destination IP Address in v6 format | String
Destination ASN | Destination ASN | String
Destination City | Destination City | String
Destination Country | Destination Country | String
Destination CPE | Destination CPE | String
Destination Datacenter | Destination data center | String
Destination Datastore | Destination data store | String
Destination DNS Domain | The DNS domain part of the complete fully qualified domain name | String
Destination FQDN | Destination FQDN | String
Destination Hostname | Destination hostname | String
Destination Infrastructure Name | Destination Infrastructure Name | String
Destination Infrastructure Type | Destination Infrastructure Type | String
Destination Instance ID | Instance ID for the destination device | String
Destination Latitude | Destination's Latitude | String
Destination Location ID | Internal field used to associate this event with a particular location | String
Destination Location Name | Internal field used to associate this event with a particular location | String
Destination Longitude | Destination's Longitude | String
Destination MAC | Destination MAC Address | MAC
Destination MAC Vendor | Destination MAC Vendor | String
Destination Name | Destination Name | String
Destination NAT Address | Destination NAT IP Address | IP
Destination NAT Port | Destination NAT Port | Integer
Destination Netmask | Destination IP Address mask | IP
Destination Network | Destination network | String
Destination NT domain | Destination Windows Domain | String
Destination Organisation | Destination's Organisation | String
Destination Port Label | Destination Port Label | String
Destination Post NAT Address | Destination address for the event message after NAT occurred | IP
Destination Post NAT Port | Port number of the event destination after NAT | Integer
Destination Pre NAT Address | Destination address for the event message before NAT | IP
Destination Pre NAT Port | Port number of the event destination before NAT | Integer
Destination Process | Destination Process Name | String
Destination Process ID | Destination Process ID | String
Destination Process User | Destination Process User | String
Destination Region | Destination's Region | String
Destination Registered Country | Destination Registered Country | String
Destination Service Name | The service which is targeted by this event | String
Destination Translated Address | Identifies the translated destination address that the event refers to in an IP network | IP
Destination Translated Port | Port after it was translated | Integer
Destination User Email | Destination's User email | String
Destination User Group | The destination user group | String
Destination User Privileges | Destination User's privileges | String
Destination Username | Destination's User name | String
Destination VGuest | Destination virtual guest | String
Destination VHost | Destination virtual host | String
Destination Workstation | Destination's workstation name | String
Destination Zone | Destination's Zone (DMZ, Office, Outside) | String
Device Class | The Device Class listed in the system | String
Device Configuration | Configuration scheme/type set in a device | String
Device Custom Date 1-2 | There are two timestamp fields available which can be used to map fields which do not fit any other field of this dictionary | String
Device Custom Date 1-2 Label | All custom fields have a corresponding label field where the field itself can be described | String
Device Custom Number 1-3 | There are three number fields available which can be used to map fields which do not fit into any other field of this dictionary | Integer
Device Custom Number 1-3 Label | All custom fields have a corresponding label field where the field itself can be described | String
Device Direction | Any information about what direction the observed communication has taken | String
Device DNS Domain | The DNS domain part of the complete fully qualified domain name | String
Device Event Category | Represents the category assigned by the originating device | String
Device External ID | A name that uniquely identifies the device generating this event | String
Device Facility | The facility generating this event | String
Device Inbound Interface | Interface on which the packet or data entered the device | String
Device Name | The Device Name listed in the system | String
Device NT Domain | Device Windows Domain | String
Device Outbound Interface | Interface on which the packet or data left the device | String
Device Process Name | Process name associated with the event | String
Device Time Format | Format of the timestamp attached to this event | String
Device Translated Address | Identifies the translated device address that the event refers to in an IP network | IP
DNS Message | DNS response message | String
DNS Rcode | DNS return message | Integer
DNS RR Name | The DNS Request/Response Resource Name | String
DNS RR Type | The DNS Resource Type | String
DNS Server Address | The address of the DNS server referenced in the event | String
DNS TTL | The DNS Time to Live | String
DNS Type | The DNS Type (Query / Answer) | String
Duration | The duration of the connection | String

Event Key | Definition | Type
Email Recipient | The Email recipient | Email
Email Relay | The relay the email was delivered through | String
Email Sender | The Email sender | Email
Email Subject | The subject of the email | String
Entity Category | The zone category of incident that is being reported | String
Environment Variable Key | The Environment Variable key referenced in the event | String
Environment Variable Value | The Environment Variable value referenced in the event | String
Error Code | The error code for an HTTP response | String
Error Message | The error message for a response | String
Event Action | The implied action of the event: Create, Read, Update, Delete | String
Event Activity | The activity related to an event; in an IDS event this would be the activity being detected | String
Event Auth Action | Action of the authorization event | String
Event Auth Role | Role of the authorization event | String
Event Auth Scope | Scope of the authorization event | String
Event Change | The event change/action made by the user | String
Event CVE | Contains information about the CVE associated with an event, for example an IDS signature | String
Event Group | Event Grouping that this event belongs to | String
Event Group Job ID | When this group has been created from a job, the job ID | String
Event Name | The short user-readable description of the event | String
Event Outcome | Displays the outcome, generally "success" or "failure" | String
Event Receipt Time | The time at which the event related to the activity was received | Date
Event Ref Date | When the issue was first published | String
Event Ref ID | Event reference ID (CVE, etc.) | String
Event Ref IDS | Event reference IDs (CVE, OSVDB, etc.) | String Array
Event Ref Source | Issue Reference Source (CVE, etc.) | String
Event Type | The event type | String
Event Violation | The culprit | String
External ID | An ID used by the originating device | String

Event Key | Definition | Type
File Create Time | The timestamp of when the file was created | String
File Hash | The hash of the file | String
File Hash Algorithm | The algorithm used to produce the file hash (SHA256, MD5, etc.) | String
File Hash Md5 | The MD5 of the file | String
File Hash Sha1 | The SHA1 of the file | String
File Hash Sha256 | The SHA256 of the file | String
File ID | The Operating System ID of the file | String
File Modification Time | The last modification time of a file | String
File Name | The short name of a file | String
File Old Owner | Old file owner | String
File Owner | The current owner of a file | String
File Path | Full path of the file | String
File Permission | The OS permissions of the file | String
File Type | The type of the file | String
Full Message | A long message | String

Event Key | Definition | Type
Global List Name | Name of the Global List | String
Global List Value | Value from the list | String
Group Policy | Group Policy that the event refers to, for example an Active Directory Group Policy | String

Event Key | Definition | Type
Has Alarm | Whether this event is used by an alarm | Boolean
HTML Link | A specified HTML link address | URL
HTML Snippet | A specified HTML link snippet | String
HTML Title | A specified HTML link title | String
HTTP Hostname | The hostname present in an HTTP connection | String
HTTP Referrer | The HTTP Referer header in an HTTP request | String

Event Key | Definition | Type
Identity Group Name | Group name associated with the identity source address, to further identify the identity event with group name resolution | String
Identity Host Name | Host name information associated with the identity source address, to further identify the true hostname tied to an event | String
Identity MAC | MAC associated with the identity source address, to further identify the identity event with MAC resolution | String
Identity NetBIOS | NetBIOS name associated with the identity source address, to further identify the identity event with NetBIOS name resolution | String
Identity Source Address | IPv4 or IPv6 address that can connect an event with a true user identity or true computer identity | IP
Incident ID | ID provided by the event source | String
IOCs | Array with the matched Indicators of Compromise | String Array
IP Addresses | List of IP Addresses | String Array

Event Key | Definition | Type
Legacy Tzone | Unused | String
Level | The standard syslog level | Long
Log File | The Log File | String

Event Key | Definition | Type
Malware Family | Malware Family | String
Malware Variant | Virus or Malware Variant | String
Matched Value | The value that was matched for the enrichment metadata | String

Event Key | Definition | Type
Needs Enrichment | Whether the event needs to be enriched | Boolean

Event Key | Definition | Type
Object Type | The object type of the source (if applicable) | String
Operating System | Operating System | String

Event Key | Definition | Type
Package Architecture | The architecture of the package | String
Package Name | The name of the package | String
Package Revision | The revision of the package | String
Package Source | The source of the package | String
Package Version | The version of the package | String
Packet Payload | Packet payload information from Suricata | String
Packet Type | What type of packet this is | String
Packets Received | The number of packets received | Integer
Packets Sent | The number of packets sent | Integer
Patch Reference ID | Patch reference ID (OVAL rule, etc.) | String
Patch Vulnerability Reference List | List of reference IDs (CVE, etc.) for the patch event | String Array
Peak PPS | Packets per second (PPS) peak value | Integer
Pefile Company | Company authoring the Pefile | String
Pefile Description | Description of the Pefile | String
Pefile Fileversion | File version of the Pefile | String
Pefile Product | Product the Pefile is related to | String
Plugin Rule | Plugin Rule | String
Plugin Vendor | The vendor of the device this plugin was made for | String
Policy | Policy that the event refers to, for example a Firewall or Content Filtering Policy | String
Policy Address | Address referenced in a DB policy, firewall rule, etc. | String
Policy Interface | Network Interface referenced in a DB policy, firewall rule, etc. | String
Policy Mac | MAC address referenced in a DB policy, firewall rule, etc. | String
Priority | Priority of the Alarm | String
Protocol Version | Version of the current protocol | String

Event Key | Definition | Type
Realm | Realm where the user roles and permissions apply | String
Received From | Source this event was received from | String
Rep Device Address 6 | Reporting device address in v6 format | String
Rep Device Asset ID | Instance ID for the reporting device | String
Rep Device FQDN | Reporting device FQDN | String
Rep Device Location ID | Internal field used to associate this event with a particular location | String
Rep Device Location Name | Internal field used to associate this event with a particular location | String
Reporting Device Address | Reporting device address | IP
Reporting Device Hostname | Reporting device hostname | String
Reporting Device Instance ID | Instance ID for the reporting device | String
Reporting Device MAC | Reporting device MAC | MAC
Reporting Device Model | The model of the reporting device | String
Reporting Device Outbound Interface | The network interface on the reporting device through which the traffic generating the event passed | String
Reporting Device Rule ID | The ID of the rule used by the reporting device to generate this event (i.e. firewall rule, CVE, IDS rule) | String
Reporting Device Type | The device type of the reporting device | String
Reporting Device Vendor | The vendor of the reporting device | String
Reporting Device Version | The version of the reporting device | String
Reputation Score | Risk or reputation score for a host | String
Resource Provider | Provider of the resource | String
Resource URI | URI uniquely representing a resource | String
Response Content Type | HTTP response content type | String
Return Value | Return value | String
Role | Role or roles of the user in the organization | String
Rule Dictionary | Rule Dictionary | String
Rule UUID | ID of the rule which triggered the event | String

Event Key | Definition | Type
Searched Site | Site searched | String
Security Group ID | Security Group ID | String
Security Group Name | Security Group Name | String
Sensor App Action | The Sensor App Action called | String
Sensor Event Rate | The value of the sensor event rate | Long
Session | Session Identifier | String
Short Message | A short descriptive message | String
Source Additional Hostnames | Source additional hostnames | String Array
Source Address 6 | Source IP Address in v6 format | String
Source ASN | Source ASN | String
Source City | Source City | String
Source Country | Source Country | String
Source CPE | Source CPE | String
Source Datacenter | Source data center | String
Source Datastore | Source data store | String
Source DNS Domain | The DNS domain part of the complete fully qualified domain name | String
Source FQDN | Source FQDN | String
Source Hostname | Source hostname | String
Source Infrastructure Name | Source Infrastructure Name | String
Source Infrastructure Type | Source Infrastructure Type | String
Source Instance ID | Instance ID for the source device | String
Source Latitude | Source Latitude | String
Source Location ID | Internal field used to associate this event with a particular location | String
Source Location Name | Internal field used to associate this event with a particular location | String
Source Longitude | Source Longitude | String
Source MAC | Source MAC Address | MAC
Source MAC Vendor | Source MAC Vendor | String
Source Name | Source Name | String
Source NAT Address | Source NAT IP Address | IP
Source NAT Port | Source NAT Port | Integer
Source Netmask | Source IP Address mask | IP
Source Network | Source network | String
Source NT Domain | Source Windows Domain | String
Source Organisation | Source Organisation | String
Source Port Label | Source Port Label | String
Source Post Nat Address | Source address for the event message after NAT occurred | IP
Source Post Nat Port | Port number of the event source after NAT | Integer
Source Pre Nat Address | Source address for the event message before NAT | IP
Source Pre Nat Port | Port number of the event source before NAT | Integer
Source Process | Source Process name | String
Source Process Command Line | The Process Command line | String
Source Process ID | Source Process ID | String
Source Process Parent | The Process Parent | String
Source Process Parent Commandline | The Parent Command Line | String
Source Process Parent Process ID | The Parent Process ID | String
Source Process User | Source Process User | String
Source Region | Source Region | String
Source Registered Country | Source Registered Country | String
Source Service Name | The service which is responsible for generating this event | String
Source Translated Address | Identifies the translated source address that the event refers to in an IP network | IP
Source Translated Port | Port after it was translated | Integer
Source User Email | Source user email | String
Source User Group | The source user group | String
Source User Privileges | Source User's privileges | String
Source Vguest | Source virtual guest | String
Source Vhost | Source virtual host | String
Source Workstation | Source Workstation | String
Source Zone | Source Zone | String
Sources | List of source asset IDs | String Array
SSH Authorized Key | The SSH authorized key | String
SSH Client Proto | Identifies the SSH client protocol | String
SSH Client Software | Identifies the SSH client software | String
SSH Server Proto | Identifies the SSH server protocol | String
SSH Server Software | Identifies the SSH server software | String
SSH Server Version | Identifies the SSH server version | String
Stat Name | The name of the stat that has exceeded its threshold | String
Stat Value | The value of the stat that has exceeded its threshold | Integer
Suppress Rule ID | ID of the rule that suppressed this log | String
Suppress Rule Name | Name of the rule that suppressed this log | String
Suppressed | Whether the event is suppressed | String
System Event Type | The system event type generated | String

Event Key | Definition | Type
Tag | The syslog tag (the data found before the [] after the timestamp) | String
Time Zone | The timezone the event occurred in | String
Timestamp End | Process end timestamp | Date
Timestamp Start | Process start timestamp | Date
TLS Cipher | The cipher algorithm used for this TLS connection | String
TLS Fingerprint | Identifies the SHA1 fingerprint of the certificate | String
TLS IssuerDN | Identifies the issuer DN of the certificate | String
TLS SNI | Identifies the Server Name Indication sent by a client | String
TLS Subject | Identifies the subject of the TLS certificate | String
TLS Version | Identifies the version of the TLS protocol | String
Total Packets | The total number of packets transmitted | Integer
Transaction Status | Transaction status | String
Transient | Whether the event is transient | Boolean
TTY Terminal | The TTY referenced in the event | String

Event Key | Definition | Type
Used Hint | Whether a hint was used to find the plugin | Boolean
User Group ID | Group ID that is associated with the user account | String
User Policy | Policy associated with the user account | String
User Realm | Portal name associated with the event | String
User Resource | Resource associated with the user account | String
User Role | Role type associated with the user account that created the event | String
UUID | The unique ID for this Event | String

Event Key | Definition | Type
Virtual Source Address | IP address of the virtual event source | IP
Virtual Source Name | Name of the virtual event source | String

Event Key | Definition | Type
Was Fuzzied | Whether the fuzzied parser was used to generate the event | Boolean
Was Guessed | Whether the plugin was determined by brute force | Boolean
Wireless Access Point | The access point of the wireless network | String
Wireless BSSID | The BSSID of the wireless network | String
Wireless Channel | The channel of the wireless network | String
Wireless Encryption | The encryption mechanism used by the wireless network | String
Wireless SSID | The SSID of the wireless network | String

Event Key | Definition | Type
Yara Signature | Yara Signatures | String Array

Note: Keep in mind that the order of the conditions is significant: USM Anywhere reads rule conditions in a specific order, from left to right. In addition, if your rule includes the packet_type and plugin_device fields, they should always go first, in that order.