Parameters and Field Descriptions of NetWitness IoT Alerts
This topic describes the parameters and fields of NetWitness IoT alerts, grouped as follows:
- Core field descriptions
- Extended field descriptions
- meta.container field descriptions
- meta.endpointCategory field descriptions
- meta.processProfile field descriptions
- meta.events field descriptions
Core field descriptions

| Core field | Description |
|---|---|
| id | Unique id for the alert. |
| rule | Name of the rule that was violated and is the reason for this alert. Currently one of ANOMALOUS_OUTBOUND_CONNECTION, KNOWN_RISKY_OUTBOUND_CONNECTION, ANOMALOUS_INBOUND_CONNECTION_CONTAINER, ANOMALOUS_INBOUND_CONNECTION_SITELOCAL, ANOMALOUS_INBOUND_CONNECTION_EXTERNAL, ANOMALOUS_NEW_CONNECTION_VOLUME, PCR, BLACKLISTED_PROCESS, ANOMALOUS_PROCESS, UNGRACEFUL_CONTAINER_SHUTDOWN. |
| severityScore | Numeric score corresponding to the severity field, from 0 (EMERGENCY) to 7 (DEBUG). |
| recordCreated | UTC timestamp at which this alert record was created. |
| created | UTC timestamp at which the actual alert violation occurred on the offending container. |
| viewed | Boolean value indicating whether this alert has been viewed by the end user in NetWitness IoT. Note: the viewed flag is set by an analyst and is not calculated by NetWitness IoT. |
| falsePositive | Boolean value indicating whether this alert has been marked as a false positive. Note: the falsePositive flag is set by an analyst and is not calculated by NetWitness IoT. |
Extended field descriptions

| Extended field | Description |
|---|---|
| meta.container | Contains attributes about the container for which the alert was generated. |
| meta.endpointCategory | Contains attributes about the network source or destination related to this alert. This field is available only for the network-related alert rules (ANOMALOUS_OUTBOUND_CONNECTION, KNOWN_RISKY_OUTBOUND_CONNECTION, ANOMALOUS_INBOUND_CONNECTION_CONTAINER, ANOMALOUS_INBOUND_CONNECTION_SITELOCAL, ANOMALOUS_INBOUND_CONNECTION_EXTERNAL, ANOMALOUS_NEW_CONNECTION_VOLUME, PCR, UNGRACEFUL_CONTAINER_SHUTDOWN). |
| meta.processProfile | Contains attributes about the processes related to this alert. This field is available only for the process-related alert rules (BLACKLISTED_PROCESS, ANOMALOUS_PROCESS). |
| meta.events | Contains a list of Docker events related to this alert. This field is available only for alerts of rule type UNGRACEFUL_CONTAINER_SHUTDOWN. |
| meta.actual | For alerts based on numerical scores, the value that triggered the alert. Set for rule types KNOWN_RISKY_OUTBOUND_CONNECTION, ANOMALOUS_NEW_CONNECTION_VOLUME and PCR. |
| meta.expected | For alerts based on numerical scores, the expected (normal) value. Set for rule types KNOWN_RISKY_OUTBOUND_CONNECTION, ANOMALOUS_NEW_CONNECTION_VOLUME and PCR. |
| meta.threshold | For alerts based on numerical scores, the threshold value that was crossed by the meta.actual value to generate this alert. Set for rule types KNOWN_RISKY_OUTBOUND_CONNECTION, ANOMALOUS_NEW_CONNECTION_VOLUME and PCR. |
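
The core and extended tables above define which sections an alert record must carry for a given rule type. The following Python is an added example (not NetWitness IoT code) that checks a record against those rules and flattens the fields an analyst looks at first; the record in SAMPLE_ALERT is constructed, the ISO 8601 timestamp format and the severity labels between 0 and 7 are assumptions, and reading "crossed" as "the threshold lies between the expected and the actual value" is an interpretation of the table text.

```python
"""Added example (not NetWitness IoT code): check an alert record against the
core and extended field rules in the tables above and build a triage summary.
SAMPLE_ALERT is a constructed record; the timestamp format is an assumption."""
from __future__ import annotations

from datetime import datetime

NETWORK_RULES = {
    "ANOMALOUS_OUTBOUND_CONNECTION", "KNOWN_RISKY_OUTBOUND_CONNECTION",
    "ANOMALOUS_INBOUND_CONNECTION_CONTAINER", "ANOMALOUS_INBOUND_CONNECTION_SITELOCAL",
    "ANOMALOUS_INBOUND_CONNECTION_EXTERNAL", "ANOMALOUS_NEW_CONNECTION_VOLUME",
    "PCR", "UNGRACEFUL_CONTAINER_SHUTDOWN",
}
PROCESS_RULES = {"BLACKLISTED_PROCESS", "ANOMALOUS_PROCESS"}
SCORE_RULES = {"KNOWN_RISKY_OUTBOUND_CONNECTION", "ANOMALOUS_NEW_CONNECTION_VOLUME", "PCR"}
ALL_RULES = NETWORK_RULES | PROCESS_RULES
CORE_FIELDS = ("id", "rule", "severityScore", "recordCreated", "created", "viewed", "falsePositive")

# The page names only 0 (EMERGENCY) and 7 (DEBUG); the labels in between follow
# the syslog convention and are an assumption of this example.
SEVERITY_NAMES = ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFO", "DEBUG"]


def _parse_utc(ts: str) -> datetime:
    # Assumption: timestamps are ISO 8601 strings in UTC.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def validate_alert(alert: dict) -> list[str]:
    """Return the rule violations found in the record (an empty list means consistent)."""
    problems: list[str] = [f"missing core field {f}" for f in CORE_FIELDS if f not in alert]
    rule = alert.get("rule")
    if rule not in ALL_RULES:
        problems.append(f"unknown rule {rule!r}")
    score = alert.get("severityScore")
    if not isinstance(score, int) or not 0 <= score <= 7:
        problems.append(f"severityScore out of range 0..7: {score!r}")
    meta = alert.get("meta") or {}
    if "container" not in meta:
        problems.append("meta.container missing")
    if rule in PROCESS_RULES and "processProfile" not in meta:
        problems.append(f"{rule} requires meta.processProfile")
    if rule in NETWORK_RULES and "endpointCategory" not in meta:
        problems.append(f"{rule} requires meta.endpointCategory")
    if rule == "UNGRACEFUL_CONTAINER_SHUTDOWN" and "events" not in meta:
        problems.append("UNGRACEFUL_CONTAINER_SHUTDOWN requires meta.events")
    if rule in SCORE_RULES:
        missing = [f for f in ("actual", "expected", "threshold") if f not in meta]
        if missing:
            problems.append(f"{rule} requires meta.{', meta.'.join(missing)}")
        else:
            # "Crossed" is read here as: the threshold lies between the expected
            # (normal) value and the observed value. This reading is an assumption.
            lo, hi = sorted((meta["expected"], meta["actual"]))
            if not lo <= meta["threshold"] <= hi:
                problems.append("meta.threshold does not lie between meta.expected and meta.actual")
    return problems


def triage_summary(alert: dict) -> dict:
    """Flatten the fields an analyst looks at first into one dictionary."""
    meta = alert["meta"]
    container = meta["container"]
    summary = {
        "id": alert["id"],
        "rule": alert["rule"],
        "severity": SEVERITY_NAMES[alert["severityScore"]],
        "container": container.get("name"),
        "host": container.get("hostname"),
        "running": container.get("running"),
        # Seconds between the violation on the container and the alert record being
        # written: when this is large, timelines must be built from 'created'.
        "detection_lag_s": (_parse_utc(alert["recordCreated"]) - _parse_utc(alert["created"])).total_seconds(),
        "analyst_dismissed": bool(alert.get("falsePositive")),
    }
    if alert["rule"] in SCORE_RULES:
        summary["deviation"] = meta["actual"] - meta["expected"]
    return summary


SAMPLE_ALERT = {  # constructed record for this example, not real NetWitness IoT output
    "id": "alert-0001",
    "rule": "ANOMALOUS_NEW_CONNECTION_VOLUME",
    "severityScore": 2,
    "recordCreated": "2024-01-05T10:00:30+00:00",
    "created": "2024-01-05T10:00:00+00:00",
    "viewed": False,
    "falsePositive": False,
    "meta": {
        "container": {"id": "c0ffee01", "name": "sensor-gateway", "hostname": "edge-01", "running": True},
        "endpointCategory": {"id": 42, "isOutbound": True, "protocol": "tcp", "ipAddress": "203.0.113.10", "port": 443},
        "actual": 48, "expected": 6, "threshold": 20,
    },
}

if __name__ == "__main__":
    print(validate_alert(SAMPLE_ALERT))
    print(triage_summary(SAMPLE_ALERT))
```

Feeding every incoming alert through validate_alert before it reaches a queue catches records that a downstream rule (say, one that keys on meta.endpointCategory for network alerts) would otherwise silently drop.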
meta.container field descriptions

| meta.container field | Description |
|---|---|
| meta.container.id | Docker container id. |
| meta.container.hostname | Name of the physical or virtual host on which the offending container is running. |
| meta.container.hostIp | IP address of the physical or virtual host on which the offending container is running. |
| meta.container.hostId | Id of the physical or virtual host on which the offending container is running. The id is unique to the NetWitness IoT cloud service. Always present. |
| meta.container.recordCreated | UTC timestamp at which the container first became known to the NetWitness IoT cloud service. Always present. |
| meta.container.recordUpdated | UTC timestamp at which this container was last updated by the NetWitness IoT cloud service. Always present. |
| meta.container.name | Docker container name. |
| meta.container.imageName | Full Docker image name. |
| meta.container.created | UTC timestamp at which the container was actually created on its Docker host. |
| meta.container.updated | UTC timestamp of the last data generated by this container that was consumed by the NetWitness IoT cloud service. This comes from the container, as opposed to meta.container.recordUpdated, which is generated by the NetWitness IoT cloud service. |
| meta.container.running | Boolean value. Whether the container was last reported to be running at the time the alert was generated. |
| meta.container.command | Primary command that the container was launched under. |
| meta.container.status | Last reported Docker status of the container at the time the alert was generated. |
| meta.container.ports | A list of network ports exposed by this container. This field is available only if the container exposes any ports. Each port entry contains the three attributes below. |
| meta.container.port.privatePort | Private port, accessible only to the container and to other containers running on the same private network. |
| meta.container.port.publicPort | Public port that maps to the private port. This is the port exposed to other services running on the Docker host or on the network. |
| meta.container.port.type | Protocol accepted on this port (UDP or TCP). |
| meta.container.events | If available, a list of recent Docker events reported against this container. Each Docker event contains the four fields below. |
| meta.container.event.containerId | Same as the meta.container.id value. |
| meta.container.event.recordCreated | UTC timestamp at which this event record was created by the NetWitness IoT service. |
| meta.container.event.created | UTC timestamp of the container event on the Docker host where the event took place. |
| meta.container.event.action | The container event type that took place. One of: attach, create, destroy, detach, die, exec_create, exec_detach, exec_start, kill, oom, pause, rename, restart, start, stop, unpause, update. |
| meta.container.processProfiles | List of all process types that normally run in this container. Generally present. Each process profile entry contains the fields in the following table. |

Each process profile entry contains the following fields:

| Process profile field | Description |
|---|---|
| firstSeen | UTC timestamp at which this process profile was first observed running in this container. Always present. |
| lastSeen | UTC timestamp at which this process profile was last observed running in this container. Always present. |
| id | Unique identifier. |
| pid | Process id that this process was last running under in this container. Always present. |
| ppid | Last reported parent process id of this process in this container. Always present. |
| executable | The process executable. Always present. |
| cmd | Full process command (executable plus arguments). Always present. |
| eUser | Last reported effective user name (or id) for this process. May not be present. |
| rUser | Last reported real user name (or id) for this process. May not be present. |
| sUser | Last reported saved user name (or id) for this process. May not be present. |
| eGroup | Last reported effective group name (or id) for this process. May not be present. |
| rGroup | Last reported real group name (or id) for this process. May not be present. |
| sGroup | Last reported saved group name (or id) for this process. May not be present. |
| tt | The terminal associated with this process, if applicable. May not be present. |
| pcpu | Last reported % CPU for this process. May not be present. |
| pmem | Last reported % memory for this process. May not be present. |
meta.endpointCategory field descriptions

| meta.endpointCategory field | Description |
|---|---|
| id | Category id. This represents an abstract grouping of similar traffic, based on attributes such as protocol, geo-location, port, destination IP, etc. |
| isOutbound | Boolean value. True if this endpoint category is for a destination (i.e. the container in meta.container initiated the connection). False if this endpoint category is for a source (i.e. the endpoint initiated the connection into the container in meta.container). |
| firstSeen | UTC timestamp at which an endpoint in this category was first observed communicating with the container in meta.container. |
| lastSeen | UTC timestamp at which an endpoint in this category was last observed communicating with the container in meta.container. |
| protocol | Protocol last used by any endpoint falling in this endpoint category. Generally one of udp, tcp, or icmp. |
| ipAddress | IP address used by the last endpoint falling in this endpoint category. |
| dnsName | DNS name of the last endpoint falling in this endpoint category. Only available for external endpoints (endpoints not on the local network). May not be present. |
| port | Destination port used in communicating with the last endpoint falling in this endpoint category. If isOutbound is true, this is the destination port that the endpoint is listening on. If isOutbound is false, this is the destination port that the container in meta.container is listening on. Generally present, except for protocols that do not use ports, such as ICMP. |
| risk | Risk description from Live Connect for the last endpoint falling in this endpoint category. May not be present. |
| riskScore | Risk score from Live Connect for the last endpoint falling in this endpoint category. May not be present. |
| countryCode | ISO 2-character country code of the last endpoint falling in this endpoint category. Only applicable for external IP addresses for which a geoIP location lookup was possible. May not be present. |
| country | Country name of the last endpoint falling in this endpoint category. Only applicable for external IP addresses for which a geoIP location lookup was possible. May not be present. |
| continentCode | 2-character continent code of the last endpoint falling in this endpoint category. Only applicable for external IP addresses for which a geoIP location lookup was possible. May not be present. |
| continent | Continent name of the last endpoint falling in this endpoint category. Only applicable for external IP addresses for which a geoIP location lookup was possible. May not be present. |
| subdivisionCode | Subdivision code of the last endpoint falling in this endpoint category. A subdivision is a province, state or other region within a country. Only applicable for external IP addresses for which a geoIP location lookup was possible. May not be present. |
| subdivision | Subdivision name of the last endpoint falling in this endpoint category. A subdivision is a province, state or other region within a country. Only applicable for external IP addresses for which a geoIP location lookup was possible. May not be present. |
| city | City name of the last endpoint falling in this endpoint category. Only applicable for external IP addresses for which a geoIP location lookup was possible. May not be present. |
| latitude | Latitude of the last endpoint falling in this endpoint category. Only applicable for external IP addresses for which a geoIP location lookup was possible. May not be present. |
| longitude | Longitude of the last endpoint falling in this endpoint category. Only applicable for external IP addresses for which a geoIP location lookup was possible. May not be present. |
| isContainer | Boolean value. True if the last endpoint falling in this endpoint category is a container running on the same host. False otherwise. Always present. |
| containerId | Docker id of the container corresponding to the last endpoint falling in this endpoint category. Only present if isContainer is true. |
| containerName | Docker name of the container corresponding to the last endpoint falling in this endpoint category. Only present if isContainer is true. |
| containerImage | Docker image name of the container corresponding to the last endpoint falling in this endpoint category. Only present if isContainer is true. |
| isLocalhost | Boolean value. True if the last endpoint falling in this endpoint category is a service running on the localhost but is not a container. False otherwise. Always present. |
| isSiteLocal | Boolean value. True if the last endpoint falling in this endpoint category is a remote endpoint on the local network. False otherwise. Always present. |
| isExternal | Boolean value. True if the last endpoint falling in this endpoint category is a remote endpoint on the external (public) network. False otherwise. Always present. |
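
The endpoint category table carries several conditional rules: container fields appear only when isContainer is true, DNS and geoIP fields only for external endpoints, the port is absent for ICMP, and the meaning of port flips with isOutbound (the endpoint listens on it for outbound categories, the container for inbound ones). The following Python is an added example (not NetWitness IoT code) that enforces those rules on a meta.endpointCategory record and derives a direction and locality summary from it. The two sample records are constructed; treating the four locality flags as mutually exclusive follows from their definitions above and is stated here as an assumption.

```python
"""Added example (not NetWitness IoT code): consistency checks and a direction/
locality summary for a meta.endpointCategory record. Sample records are constructed."""
from __future__ import annotations

LOCALITY_FLAGS = ("isContainer", "isLocalhost", "isSiteLocal", "isExternal")
CONTAINER_ONLY = ("containerId", "containerName", "containerImage")
EXTERNAL_ONLY = ("dnsName", "countryCode", "country", "continentCode", "continent",
                 "subdivisionCode", "subdivision", "city", "latitude", "longitude")
# Fields the table does not mark "may not be present" (assumed required here).
REQUIRED = ("id", "isOutbound", "firstSeen", "lastSeen", "protocol", "ipAddress", *LOCALITY_FLAGS)


def check_endpoint_category(ec: dict) -> list[str]:
    """Return the inconsistencies between the record and the field rules (empty if none)."""
    problems: list[str] = [f"missing required field {f}" for f in REQUIRED if f not in ec]
    # Assumption: the four locality definitions are disjoint, so exactly one flag is true.
    set_flags = [f for f in LOCALITY_FLAGS if ec.get(f) is True]
    if len(set_flags) != 1:
        problems.append(f"expected exactly one locality flag, got {set_flags}")
    if not ec.get("isContainer"):
        problems += [f"{f} present but isContainer is false" for f in CONTAINER_ONLY if f in ec]
    if not ec.get("isExternal"):
        problems += [f"{f} present on a non-external endpoint" for f in EXTERNAL_ONLY if f in ec]
    port = ec.get("port")
    if port is not None and not (isinstance(port, int) and 0 <= port <= 65535):
        problems.append(f"invalid port {port!r}")
    if ec.get("protocol") == "icmp" and port is not None:
        problems.append("port set on an icmp endpoint category")
    return problems


def describe_endpoint(ec: dict) -> dict:
    """Summarise who talked to whom, which side was listening, and where the peer is."""
    outbound = bool(ec.get("isOutbound"))
    locality = next((f[2:].lower() for f in LOCALITY_FLAGS if ec.get(f)), "unknown")
    return {
        "direction": "outbound" if outbound else "inbound",
        "locality": locality,
        # Prefer the most specific peer name the record offers.
        "peer": ec.get("containerName") or ec.get("dnsName") or ec.get("ipAddress"),
        # The port belongs to the listening side: the endpoint when the container
        # initiated the connection, the container when the endpoint did.
        "listening_side": "endpoint" if outbound else "container",
        "port": ec.get("port"),
        "protocol": ec.get("protocol"),
        "geo": ", ".join(v for v in (ec.get("city"), ec.get("countryCode")) if v) or None,
        "riskScore": ec.get("riskScore"),
    }


# Constructed sample records for this example.
OUTBOUND_EXTERNAL = {
    "id": 7, "isOutbound": True, "firstSeen": "2024-01-05T09:00:00+00:00",
    "lastSeen": "2024-01-05T10:00:00+00:00", "protocol": "tcp", "ipAddress": "203.0.113.10",
    "dnsName": "updates.example.net", "port": 443, "countryCode": "US", "country": "United States",
    "city": "Exampleville", "riskScore": 80,
    "isContainer": False, "isLocalhost": False, "isSiteLocal": False, "isExternal": True,
}
INBOUND_CONTAINER = {
    "id": 8, "isOutbound": False, "firstSeen": "2024-01-05T09:30:00+00:00",
    "lastSeen": "2024-01-05T10:00:00+00:00", "protocol": "tcp", "ipAddress": "172.17.0.3", "port": 8080,
    "isContainer": True, "containerId": "deadbeef", "containerName": "mqtt-broker",
    "containerImage": "eclipse-mosquitto:2",
    "isLocalhost": False, "isSiteLocal": False, "isExternal": False,
}

if __name__ == "__main__":
    for ec in (OUTBOUND_EXTERNAL, INBOUND_CONTAINER):
        print(check_endpoint_category(ec), describe_endpoint(ec))
```

The listening_side value is the detail most often misread when an inbound alert is triaged: for an ANOMALOUS_INBOUND_CONNECTION_* alert the port names a service inside the offending container, not on the remote endpoint.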
meta.processProfile field descriptions
If present, this field contains a description of the specific process that triggered this alert. Its fields are those of a process profile entry; refer to the description under meta.container.processProfiles.
meta.events field descriptions
If present, this field contains the subset of events in meta.container.events that occurred close to the time this alert was triggered. Refer to the description under meta.container.events.