Product Field Mappings
AWS CloudTrail
AWS CloudTrail is a service that records actions taken by users, roles, or AWS services, capturing events from the AWS Management Console, AWS CLI, SDKs, and APIs. AlphaSOC processes AWS CloudTrail logs to identify potential threats based on these actions.
Learn how to enable AWS CloudTrail logging here.
Additional AWS CloudTrail log fields can be found in the raw event.
Query log examples
To see query log examples, visit the AWS CloudTrail documentation.
Log field mappings
Data type: Audit: AWS CloudTrail
Data origin: aws-cloudtrail
AlphaSOC field | Log field | Notes |
---|---|---|
ts | eventTime | |
srcID | recipientAccountId | aws/{recipientAccountId} |
dataScope | recipientAccountId awsRegion | recipientAccountId and awsRegion are mapped into the string format aws:{recipientAccountId}:{awsRegion}: |
AWS Route 53
AWS Route 53 is a scalable DNS web service by Amazon that translates domain names into IP addresses. AlphaSOC processes AWS Route 53 logs to help you identify potential threats related to DNS activity.
Learn how to enable AWS Route 53 logging here.
Query log examples
To see query log examples, visit the AWS Route 53 documentation.
Log field mappings
Data type: DNS
Data origin: aws-route53
AlphaSOC field | Log field | Notes |
---|---|---|
ts | query_timestamp | |
srcIP | srcaddr | |
srcPort | srcport | |
fqdn | query_name | |
qtype | query_type | |
rcode | rcode | |
srcID | srcids.instance | |
srcHost | srcids.instance | |
dataScope | account_id region vpc_id | account_id, region, and vpc_id are mapped into the string format aws:{account_id}:{region}:{vpc_id} |
labels | account_id region | A key-value pair where aws/accountId is assigned the value of account_id, and aws/region is assigned the value of region |
AWS VPC Flow
AWS Virtual Private Cloud (VPC) is a data collection feature that logs IP network traffic flow from the VPC, VPC subnet, or Elastic Network Interface (ENI). AlphaSOC processes AWS VPC Flow logs to help you analyze IP network traffic and identify potential threats.
Learn how to enable AWS VPC Flow logging here.
Query log examples
To see query log examples, visit the VPC Flow log records.
Log field mappings
Data type: IP
Data origin: aws-vpc-flow
AlphaSOC field | Log field | Notes |
---|---|---|
ts | start | |
duration | This field is based on the difference between the end and start timestamps | |
srcIP | pkt-srcaddr srcaddr | pkt-srcaddr takes priority over srcaddr |
destIP | pkt-dstaddr dstaddr | pkt-dstaddr takes priority over dstaddr |
srcPort | srcport | |
destPort | dstport | |
proto | protocol | |
packetsOut | packets | |
srcHost | instance-id | |
srcID | instance-id | |
action | action | |
bytesOut | bytes | |
dataScope | account-id region | account-id and region are mapped into the string format aws:{account-id}:{region} |
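The VPC Flow mapping above is more than a rename: two fields have a priority order, duration is derived from two timestamps, and dataScope is a formatted string. The normalizer below is an added example, not AlphaSOC's own code, and it assumes the record has already been parsed into a dictionary keyed by the log field names; the sample record is constructed. It also treats the "-" that VPC Flow Logs write for an empty field as absent, so a missing pkt-dstaddr falls back to dstaddr and a "-" port becomes None instead of raising.

```python
from datetime import datetime, timezone

# Constructed sample: one parsed VPC Flow record (custom format with the
# pkt-srcaddr / pkt-dstaddr fields enabled), keyed by the log field names.
SAMPLE_RECORD = {
    "account-id": "123456789012",
    "region": "us-east-1",
    "instance-id": "i-0123456789abcdef0",
    "srcaddr": "10.0.1.5",
    "dstaddr": "10.0.1.200",       # address of the intermediate (NAT) interface
    "pkt-srcaddr": "10.0.1.5",
    "pkt-dstaddr": "203.0.113.7",  # original destination, preferred over dstaddr
    "srcport": "44321",
    "dstport": "443",
    "protocol": "6",
    "packets": "12",
    "bytes": "4200",
    "start": "1700000000",
    "end": "1700000042",
    "action": "ACCEPT",
}


def present(record, name):
    """VPC Flow Logs write "-" for a field with no value; treat that as absent."""
    value = record.get(name)
    return None if value in (None, "", "-") else value


def first_present(record, *names):
    """First usable value in priority order (e.g. pkt-srcaddr before srcaddr)."""
    for name in names:
        value = present(record, name)
        if value is not None:
            return value
    return None


def as_int(value):
    return None if value is None else int(value)


def normalize_vpc_flow(record):
    """Map one VPC Flow record onto the AlphaSOC fields listed in the table."""
    start = int(record["start"])
    end = int(record["end"])
    return {
        "ts": datetime.fromtimestamp(start, tz=timezone.utc).isoformat(),
        "duration": end - start,  # seconds between the end and start timestamps
        "srcIP": first_present(record, "pkt-srcaddr", "srcaddr"),
        "destIP": first_present(record, "pkt-dstaddr", "dstaddr"),
        "srcPort": as_int(present(record, "srcport")),
        "destPort": as_int(present(record, "dstport")),
        "proto": as_int(present(record, "protocol")),
        "packetsOut": as_int(present(record, "packets")),
        "bytesOut": as_int(present(record, "bytes")),
        "srcHost": present(record, "instance-id"),
        "srcID": present(record, "instance-id"),
        "action": present(record, "action"),
        "dataScope": "aws:{}:{}".format(record["account-id"], record["region"]),
    }


if __name__ == "__main__":
    for key, value in normalize_vpc_flow(SAMPLE_RECORD).items():
        print(f"{key}: {value}")
```

Running the block prints the normalized record; with the sample above, destIP is the pkt-dstaddr value rather than the NAT address in dstaddr, and duration is 42.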
Azure Device Network
Azure Device Network is a data format used by Microsoft Defender to collect and store metadata about device network activity. AlphaSOC processes Azure Device Network logs to help analyze IP network and DNS traffic and identify potential threats.
Query log examples
To see query log fields, visit the Device Network documentation.
Log field mappings
Data origin: azure-device-network
AlphaSOC field | Log field |
---|---|
ts | timestamp |
srcIP | localIP |
srcPort | localPort |
srcHost | DeviceName |
srcID | DeviceId |
srcUser | InitiatingProcessAccountUpn |
fqdn | RemoteUrl |
destIP | RemoteIP |
destPort | RemotePort |
proto | Protocol |
Azure NSG Flow
Azure Network Security Group (NSG) Flow is a data collection feature that captures and logs metadata about network traffic processed by Network Security Groups (NSGs). AlphaSOC processes Azure NSG Flow logs to help you analyze IP network traffic and identify potential threats.
Learn how to enable Azure NSG Flow logging here.
Query log examples
To see query log examples, visit the NSG Flow query results.
Log field mappings
Data type: IP
Data origin: azure-nsg-flow
AlphaSOC field | Log field | Notes |
---|---|---|
ts | timestamp | |
srcIP | sourceIP | |
destIP | destinationIP | |
srcPort | sourcePort | |
destPort | destinationPort | |
proto | protocol | |
action | trafficDecision | |
packetsOut | packetsSent | |
bytesOut | bytesSent | |
packetsIn | packetsReceived | |
bytesIn | bytesReceived | |
srcMac | mac macAddress | mac takes priority over macAddress |
labels | resourceId | |
Azure VNet Flow
Azure Virtual Network (VNet) Flow is a data collection feature that captures and logs metadata about network traffic flowing through Network Security Groups (NSGs). AlphaSOC processes Azure VNet Flow logs to help you analyze IP network traffic and identify potential threats.
Learn how to enable Azure VNet Flow logging here.
Query log examples
To see query log examples, visit the VNet Flow query results.
Log field mappings
Data type: IP
Data origin: azure-vnet-flow
AlphaSOC field | Log field | Notes |
---|---|---|
ts | timestamp | |
srcIP | sourceIP | |
destIP | destinationIP | |
srcPort | sourcePort | |
destPort | destinationPort | |
proto | protocol | |
packetsOut | packetsSent | |
bytesOut | bytesSent | |
packetsIn | packetsReceived | |
bytesIn | bytesReceived | |
srcMac | mac macAddress | mac takes priority over macAddress |
labels | flowLogResourceID | |
Carbon Black Netconn
Carbon Black Netconn is a feature within Carbon Black Endpoint Detection and Response (EDR), providing detailed information about network connections on endpoints. AlphaSOC processes Carbon Black Netconn data to help you analyze IP network traffic and identify potential threats.
Learn how to enable Carbon Black Netconn logging here.
Query log examples
To see query log examples, visit the Netconn log records.
Log field mappings
Data type: IP
Data origin: carbonblack-netconn
AlphaSOC field | Log field | Notes |
---|---|---|
ts | timestamp | |
srcHost | computer_name | |
direction | This field is used to filter and process outbound traffic | |
fqdn | domain | |
eventType | event_type | |
ja3 | ja3 | |
ja3s | ja3s | |
srcIP | local_ip | |
srcPort | local_port | |
proto | protocol | |
destIP | remote_ip | |
destPort | remote_port | |
Confluence
Confluence is a collaboration knowledge management platform that allows teams to create, organize, and share information. AlphaSOC analyzes Confluence audit logs to help you monitor user activity and detect potential threats across your organization’s workspaces.
Learn how to enable Confluence logging here.
Additional Confluence log fields can be found in the raw event.
Log field mappings
Data type: Audit: Confluence
Data origin: confluence-audit
AlphaSOC field | Log field | Notes |
---|---|---|
ts | creationDate | All creationDate fields are standardized to UTC timezone. |
srcID | author.accountId | |
srcUser | author.displayName | |
Crowdstrike FDR
Crowdstrike Falcon Data Replicator (FDR) is a data collection and replication feature that captures and logs metadata about network traffic collected by Crowdstrike Falcon. AlphaSOC processes Crowdstrike FDR logs to help you analyze IP network traffic and identify potential threats.
Learn how to enable Crowdstrike FDR logging here.
Query log examples
To see query log examples, visit the Crowdstrike FDR documentation.
Log field mappings
Data origin: crowdstrike-data
AlphaSOC field | Log field | Notes |
---|---|---|
ts | timestamp LogonTime LogoffTime | Please refer to the note below |
srcID | aid | |
srcHost | ClientComputerName | |
srcUser | UserName | |
fqdn | DomainName | |
qtype | RequestType | |
rcode | QueryStatus | |
srcIP | LocalAddressIP4 LocalAddressIP6 | LocalAddressIP4 takes priority over LocalAddressIP6 |
srcPort | LocalPort | |
destIP | RemoteAddressIP4 RemoteAddressIP6 | RemoteAddressIP4 takes priority over RemoteAddressIP6 |
destPort | RemotePort | |
proto | Protocol | |
Log field names are determined by the EventName value:
- DnsRequest, NetworkConnectIP4, and NetworkConnectIP6 events use timestamp.
- UserLogon events use LogonTime.
- UserLogoff events use LogoffTime.
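Because the timestamp field and the address fields both depend on what the event contains, a crowdstrike-data normalizer has to branch on EventName and apply the IPv4-over-IPv6 priority. The following is an added example, not AlphaSOC's code: it assumes each FDR event is a dictionary keyed by the log field names, leaves the timestamp value as the raw string found in the event, and rejects an EventName the table does not cover rather than guessing. The sample events are constructed.

```python
# Which log field carries the event time, keyed by EventName (from the note above).
TIMESTAMP_FIELD_BY_EVENT = {
    "DnsRequest": "timestamp",
    "NetworkConnectIP4": "timestamp",
    "NetworkConnectIP6": "timestamp",
    "UserLogon": "LogonTime",
    "UserLogoff": "LogoffTime",
}

# Constructed sample events; timestamp values are placeholder strings.
SAMPLE_EVENTS = [
    {"EventName": "DnsRequest", "aid": "aid-0001", "ClientComputerName": "WS-01",
     "timestamp": "1700000000.123", "DomainName": "example.com",
     "RequestType": "1", "QueryStatus": "0"},
    {"EventName": "UserLogon", "aid": "aid-0001", "ClientComputerName": "WS-01",
     "UserName": "alice", "LogonTime": "1700000010.000"},
    {"EventName": "NetworkConnectIP6", "aid": "aid-0002", "ClientComputerName": "WS-02",
     "timestamp": "1700000020.500", "LocalAddressIP6": "2001:db8::10",
     "LocalPort": "51234", "RemoteAddressIP6": "2001:db8::53",
     "RemotePort": "443", "Protocol": "6"},
    {"EventName": "ProcessRollup2", "aid": "aid-0002", "timestamp": "1700000030.000"},
]


def first_present(event, *names):
    """First field with a non-empty value, in priority order (IP4 before IP6)."""
    for name in names:
        value = event.get(name)
        if value not in (None, ""):
            return value
    return None


def event_timestamp(event):
    """Return (field name, value) carrying ts for this EventName, or raise."""
    field = TIMESTAMP_FIELD_BY_EVENT.get(event.get("EventName"))
    if field is None:
        raise ValueError(f"no timestamp mapping for EventName {event.get('EventName')!r}")
    return field, event[field]


def normalize_fdr(event):
    """Map one crowdstrike-data event onto the AlphaSOC fields in the table."""
    ts_field, ts_value = event_timestamp(event)
    return {
        "ts": ts_value,
        "ts_field": ts_field,  # which log field was selected (useful when debugging)
        "srcID": event.get("aid"),
        "srcHost": event.get("ClientComputerName"),
        "srcUser": event.get("UserName"),
        "fqdn": event.get("DomainName"),
        "qtype": event.get("RequestType"),
        "rcode": event.get("QueryStatus"),
        "srcIP": first_present(event, "LocalAddressIP4", "LocalAddressIP6"),
        "srcPort": event.get("LocalPort"),
        "destIP": first_present(event, "RemoteAddressIP4", "RemoteAddressIP6"),
        "destPort": event.get("RemotePort"),
        "proto": event.get("Protocol"),
    }


def normalize_all(events):
    """Normalize every event that has a ts mapping; collect the rest as skipped."""
    normalized, skipped = [], []
    for event in events:
        try:
            normalized.append(normalize_fdr(event))
        except ValueError:
            skipped.append(event.get("EventName"))
    return normalized, skipped


if __name__ == "__main__":
    done, skipped = normalize_all(SAMPLE_EVENTS)
    for record in done:
        print(record["ts_field"], record["ts"], record["srcID"], record["srcIP"])
    print("skipped:", skipped)
```

The fourth sample event has an EventName the table does not list, so normalize_all reports it as skipped instead of silently producing a record with no ts.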
Data origin: crowdstrike-aid-master
AlphaSOC field | Log field | Notes |
---|---|---|
ts | Time | |
srcID | aid | |
srcHost | ComputerName | |
DNSTap
DNSTap is a data collection feature that captures and logs metadata about DNS traffic. AlphaSOC processes DNSTap logs to help you analyze DNS traffic and identify potential threats.
Learn how to enable DNSTap logging in CoreDNS.
Query log examples
The queries conform to the standard DNS format.
Log field mappings
Data type: DNS
Data origin: dnstap
AlphaSOC field | Log field | Notes |
---|---|---|
ts | query_time_sec query_time_nsec | Timestamp values, represented as separate seconds (query_time_sec) and nanoseconds (query_time_nsec), are combined and converted into a UTC |
srcIP | query_address | |
srcPort | query_port | |
fqdn | query_name | |
qtype | query_type | |
rcode | query_rcode | |
The log fields names are derived directly from the Protocol Buffers definitions.
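The ts mapping is the one non-trivial step here: the dnstap protobuf splits the query time into whole seconds and nanoseconds, and Python's datetime only carries microseconds, so combining them naively loses precision. The added example below (not AlphaSOC's or CoreDNS's code) formats the seconds part with datetime and appends the nanosecond fraction from the raw count, rejects a nanosecond value outside 0..999999999, and maps the remaining fields by name. It assumes the dnstap message has already been decoded into a dictionary; the sample message is constructed.

```python
from datetime import datetime, timezone

NSEC_PER_SEC = 1_000_000_000

# Constructed sample: one decoded dnstap message, keyed by the protobuf field names.
SAMPLE_MESSAGE = {
    "query_time_sec": 1700000000,
    "query_time_nsec": 123456789,
    "query_address": "10.0.0.5",
    "query_port": 53123,
    "query_name": "example.com.",
    "query_type": "A",
    "query_rcode": "NOERROR",
}


def dnstap_timestamp(query_time_sec, query_time_nsec):
    """Combine the seconds/nanoseconds pair into an RFC 3339 UTC string.

    The fraction is written from the nanosecond count itself so that no
    precision is lost to datetime's microsecond resolution.
    """
    sec = int(query_time_sec)
    nsec = int(query_time_nsec)
    if not 0 <= nsec < NSEC_PER_SEC:
        raise ValueError(f"query_time_nsec out of range: {nsec}")
    whole = datetime.fromtimestamp(sec, tz=timezone.utc)
    return whole.strftime("%Y-%m-%dT%H:%M:%S") + f".{nsec:09d}Z"


def normalize_dnstap(message):
    """Map one decoded dnstap message onto the AlphaSOC DNS fields in the table."""
    return {
        "ts": dnstap_timestamp(message["query_time_sec"], message["query_time_nsec"]),
        "srcIP": message.get("query_address"),
        "srcPort": message.get("query_port"),
        "fqdn": message.get("query_name"),
        "qtype": message.get("query_type"),
        "rcode": message.get("query_rcode"),
    }


def nsec_is_valid(query_time_nsec):
    """True when the nanosecond field can be combined with the seconds field."""
    try:
        dnstap_timestamp(0, query_time_nsec)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(normalize_dnstap(SAMPLE_MESSAGE))
```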
GCP Cloud DNS
GCP Cloud Domain Name System (DNS) is a service that captures and logs data related to DNS queries and responses. AlphaSOC processes GCP Cloud DNS logs to help you analyze DNS queries and responses and identify potential threats.
Learn how to enable GCP Cloud DNS logging here.
Query log examples
To see query log fields, visit the Cloud DNS query results.
Log field mappings
Data type: DNS
Data origin: gcp-dns
AlphaSOC field | Log field | Notes |
---|---|---|
ts | timestamp | |
qtype | queryType | |
fqdn | queryName | |
srcID | vmInstanceName vmInstanceIdString | vmInstanceIdString takes priority over vmInstanceName |
rcode | responseCode | |
srcIP | sourceIP | |
GCP VPC Flow
GCP Virtual Private Cloud (VPC) is a data collection feature that captures and logs metadata about network traffic flowing to and from virtual machine instances within a GCP VPC. AlphaSOC processes GCP VPC Flow logs to help you analyze IP network traffic and identify potential threats.
Learn how to enable GCP VPC Flow logging here.
Query log examples
To see query log examples, visit the VPC Flow query results.
Log field mappings
Data type: IP
Data origin: gcp-vpc-flow
AlphaSOC field | Log field | Notes |
---|---|---|
bytesOut | bytes_sent | |
packetsOut | packets_sent | |
destIP | dest_ip | |
destPort | dest_port | |
proto | protocol | |
srcIP | src_ip | |
srcPort | src_port | This field is used to filter and process outbound traffic from the VM to the internet |
ts | start_time | |
duration | This field is based on the difference between the end and start timestamps | |
srcHost | vm_name project_id | Both values are used to determine the srcHost |
GitHub
GitHub is a web-based platform for version control and collaboration. AlphaSOC processes GitHub audit logs to identify potential threats in GitHub Enterprise environments.
Learn how to enable GitHub logging here.
Additional GitHub log fields can be found in the raw event.
Log field mappings
Data type: Audit: GitHub
Data origin: github-audit
AlphaSOC field | Log field | Notes |
---|---|---|
ts | @timestamp | |
srcID | actor_id | |
srcUser | actor | |
dataScope | org | GitHub log field is mapped into the following format: github:org |
Jira
Jira is a project management and issue tracking tool. AlphaSOC processes Jira audit logs to help you analyze user activity and identify potential threats across your organization's collaborative workspaces.
Learn how to enable Jira logging here.
Additional Jira log fields can be found in the raw event.
Log field mappings
Data type: Audit: Jira
Data origin: jira-audit
AlphaSOC field | Log field |
---|---|
ts | created |
srcID | authorAccountId |
Kubernetes
Kubernetes is an open-source platform for managing containerized applications and automating deployment. AlphaSOC supports multiple Kubernetes providers, with log field mappings that may vary depending on your chosen provider.
Additional Kubernetes log fields can be found in the raw event.
AWS EKS
AWS Elastic Kubernetes Service (EKS) is a managed Kubernetes service that simplifies the deployment and management of Kubernetes clusters. AlphaSOC processes AWS EKS audit logs to help you analyze them and identify potential threats.
Learn how to enable AWS EKS logging here.
Log field mappings
Data type: Audit: Kubernetes
Data origin: kube-audit
AlphaSOC field | Log field |
---|---|
ts | requestReceivedTimestamp |
srcID | user.username |
GCP GKE
GCP Google Kubernetes Engine (GKE) enables audit logging capabilities, with the audit logs being captured and stored by Cloud Audit Logs. AlphaSOC processes GCP GKE audit logs to help you analyze them and identify potential threats.
Learn how to enable GCP GKE logging here.
Query log examples
To see query log examples, visit the GKE query results.
Log field mappings
Data type: Audit: Kubernetes
Data origin: gcp-kube-audit
AlphaSOC field | Log field | Notes |
---|---|---|
ts | timestamp | |
srcID | protoPayload.authenticationInfo.principalEmail | |
dataScope | resource.labels.cluster_name resource.labels.location resource.labels.project_id | GCP GKE log fields are mapped into the following format: gcp:{resource.labels.project_id}:{resource.labels.location}:{resource.labels.cluster_name} |
Other Kubernetes providers
Log field mappings
Data type: Audit: Kubernetes
Data origin: kube-audit
AlphaSOC field | Log field |
---|---|
ts | requestReceivedTimestamp |
srcID | user.username |
Microsoft Entra ID
Microsoft Entra ID (formerly Azure Active Directory) is a cloud-based identity and access management service. AlphaSOC processes Microsoft Entra ID audit logs to help you monitor user activity and identify potential threats within your organization.
Learn how to enable Microsoft Entra ID logging here.
Additional Microsoft Entra ID log fields can be found in the raw event.
Log field mappings
Data type: Audit: Microsoft Entra ID
Data origin: microsoft-entra-audit
AlphaSOC field | Log field |
---|---|
ts | activityDateTime |
srcID | initiatedBy.user.userPrincipalName |
srcUser | initiatedBy.user.displayName |
Okta
Okta is a cloud-based identity and access management (IAM) platform that provides authentication, authorization, and user management services. AlphaSOC processes Okta System Logs to identify potential threats within your organization.
Learn how to enable Okta logging here.
Additional Okta log fields can be found in the raw event.
Log field mappings
Data type: Audit: Okta
Data origin: okta-audit
AlphaSOC field | Log field |
---|---|
ts | published |
srcID | actor.id |
srcUser | actor.displayName |
Slack
Slack is a team communication platform. AlphaSOC processes Slack audit logs to identify potential threats within Slack workspaces.
Learn how to enable Slack logging here.
Additional Slack log fields can be found in the raw event.
Query log examples
To see query log examples, visit the Slack API documentation.
Log field mappings
Data type: Audit: Slack
Data origin: slack-audit
AlphaSOC field | Log field | Notes |
---|---|---|
ts | date_create | |
srcID | actor.user.id | |
srcUser | actor.user.name | |
dataScope | context.location.id | Slack log field is mapped into the following format: slack:context.location.id |
Zeek
Zeek is an open-source network traffic analyzer. AlphaSOC processes Zeek logs for IP, DNS, HTTP, TLS, and DHCP activity to help identify potential threats.
Learn how to enable Zeek logging here.
Query log examples
To see query log examples, visit the Zeek documentation.
Log field mappings
Data type: IP
Data origin: zeek-conn
AlphaSOC field | Log field | Notes |
---|---|---|
ts | ts timestamp | ts takes priority over timestamp |
connID | uid | |
srcIP | id.orig_h | |
srcPort | id.orig_p | |
destIP | id.resp_h | |
destPort | id.resp_p | |
proto | proto | |
bytesIn | orig_ip_bytes | |
bytesOut | resp_ip_bytes | |
packetsIn | orig_pkts | |
packetsOut | resp_pkts | |
app | service | |
duration | duration | |
connState | conn_state | New, open, closed, or unknown |
connDirection | local_orig | This field applies only to outbound connections |
Data type: DHCP
Data origin: zeek-dhcp
AlphaSOC field | Log field | Notes |
---|---|---|
ts | ts timestamp | ts takes priority over timestamp |
srcIP | client_addr | |
srcMac | mac | |
srcHost | host_name | |
duration | lease_time | |
type | Type of lease |
Data type: DNS
Data origin: zeek-dns
AlphaSOC field | Log field | Notes |
---|---|---|
ts | ts timestamp | ts takes priority over timestamp |
connID | uid | |
srcIP | id.orig_h | |
srcPort | id.orig_p | |
fqdn | query | |
qtype | qtype_name | |
rcode | rcode_name | |
Data type: HTTP
Data origin: zeek-http
AlphaSOC field | Log field | Notes |
---|---|---|
ts | ts timestamp | ts takes priority over timestamp |
connID | uid | |
srcIP | id.orig_h | |
srcPort | id.orig_p | |
url | id.resp_p host uri | url is constructed using id.resp_p, host, and uri. The host field is a required parameter for this field to be constructed |
method | method | |
status | status_code | |
bytesIn | request_body_len | |
bytesOut | response_body_len | |
contentType | resp_mime_types | The first occurring mime type |
referrer | referrer | |
userAgent | user_agent | |
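Three rows of the zeek-http table carry logic rather than a plain rename: ts prefers ts over timestamp, url is built from id.resp_p, host and uri only when host is present, and contentType is the first entry of resp_mime_types. The added example below (not AlphaSOC's or Zeek's code) reads Zeek's JSON-formatted http.log lines and applies those rules. The page does not state the exact shape of the constructed url, so the host:port plus uri layout used here is an assumption; the two log lines are constructed.

```python
import json

# Constructed sample: two JSON-formatted Zeek http.log lines. The second has no
# host field and an empty resp_mime_types list.
SAMPLE_LINES = [
    '{"ts":1700000000.5,"uid":"CAbC1d2eF3","id.orig_h":"10.0.0.5","id.orig_p":51234,'
    '"id.resp_h":"93.184.216.34","id.resp_p":80,"method":"GET","host":"example.com",'
    '"uri":"/index.html","referrer":"http://example.com/","user_agent":"curl/8.0",'
    '"request_body_len":0,"status_code":200,"response_body_len":1256,'
    '"resp_mime_types":["text/html","text/plain"]}',
    '{"timestamp":1700000001.0,"uid":"CxYz9w8v7U","id.orig_h":"10.0.0.6","id.orig_p":51235,'
    '"id.resp_h":"198.51.100.9","id.resp_p":8080,"method":"POST","uri":"/upload",'
    '"request_body_len":512,"status_code":404,"response_body_len":0,"resp_mime_types":[]}',
]


def first_present(entry, *names):
    """First field with a value, in priority order (ts before timestamp)."""
    for name in names:
        value = entry.get(name)
        if value not in (None, ""):
            return value
    return None


def build_url(entry):
    """Construct url from id.resp_p, host and uri; without host there is no url.

    Layout host:port/uri is an assumption; the page only names the inputs.
    """
    host = entry.get("host")
    if not host:
        return None
    return f"{host}:{entry['id.resp_p']}{entry.get('uri', '/')}"


def normalize_zeek_http(entry):
    """Map one decoded http.log entry onto the AlphaSOC HTTP fields in the table."""
    mime_types = entry.get("resp_mime_types") or []
    return {
        "ts": first_present(entry, "ts", "timestamp"),
        "connID": entry.get("uid"),
        "srcIP": entry.get("id.orig_h"),
        "srcPort": entry.get("id.orig_p"),
        "url": build_url(entry),
        "method": entry.get("method"),
        "status": entry.get("status_code"),
        "bytesIn": entry.get("request_body_len"),
        "bytesOut": entry.get("response_body_len"),
        "contentType": mime_types[0] if mime_types else None,  # first occurring mime type
        "referrer": entry.get("referrer"),
        "userAgent": entry.get("user_agent"),
    }


def normalize_sample_lines():
    """Decode and normalize every constructed line above."""
    return [normalize_zeek_http(json.loads(line)) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for record in normalize_sample_lines():
        print(record)
```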
Data type: TLS
Data origin: zeek-ssl
AlphaSOC field | Log field | Notes |
---|---|---|
ts | ts timestamp | ts takes priority over timestamp |
connID | uid | |
srcIP | id.orig_h | |
srcPort | id.orig_p | |
destIP | id.resp_h | |
destPort | id.resp_p | |
ja3 | ja3 | |
ja3s | ja3s | |
certHash | cert_hash | |
issuer | issuer certificate_issuer | issuer takes priority over certificate_issuer |
subject | subject certificate_subject | subject takes priority over certificate_subject |