Product Field Mappings
AWS CloudTrail
AWS CloudTrail is a service that records actions taken by users, roles, or AWS services, capturing events from the AWS Management Console, AWS CLI, SDKs, and APIs. AlphaSOC processes AWS CloudTrail logs to identify potential threats based on these actions.
Learn how to enable AWS CloudTrail logging here.
Query log examples
To see query log examples, visit the AWS CloudTrail documentation.
Log field mapping
Data type: Audit
Data origin: aws-cloudtrail
AlphaSOC field | Log field | Notes |
---|---|---|
id | eventID | |
ts | eventTime | |
type | eventType | |
service | eventSource | |
action | eventName | |
region | awsRegion | |
readOnly | readOnly | |
ip | sourceIPAddress | |
userAgent | userAgent | |
srcID | recipientAccountId | aws/{recipientAccountId} |
errorMessage | errorMessage | |
identityType | userIdentity.type | |
identityARN | userIdentity.arn | |
accessKeyID | userIdentity.accessKeyId | |
invokedBy | userIdentity.invokedBy | The name of the AWS service that made the request. This field should not be populated for user-initiated requests |
identityUsername | userIdentity.userName | |
ec2RoleDelivery | userIdentity.sessionContext.ec2RoleDelivery | This field is populated only when the temporary credentials are obtained from the AWS EC2 instance |
bucketName | requestParameters.bucketName | |
noMFA | additionalEventData.MFAUsed | By default, this field is set to false, indicating that MFA is enabled or that no information is available regarding the MFA status |
samlProviderARN | additionalEventData.SamlProviderArn | |
dataScope | recipientAccountId awsRegion | recipientAccountId and awsRegion are mapped into the string format aws:{recipientAccountId}:{awsRegion}: |
labels | recipientAccountId awsRegion | A key-value pair where aws/accountId is assigned the value of recipientAccountId, and aws/region is assigned the value of awsRegion |
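As an added example (not AlphaSOC code), the function below maps one CloudTrail record onto the Audit fields in the table above, including the derived values: `srcID` as `aws/{recipientAccountId}`, `dataScope` using the format string exactly as printed in the table, the `labels` key-value pair, and `noMFA` defaulting to false when no MFA status is available. The same construct-from-two-fields pattern applies to the `dataScope` and `labels` rows of the Route 53, VPC Flow and GKE tables further down. `SAMPLE_EVENT`, `lookup()` and `normalize_cloudtrail()` are constructed for this illustration; the account ID, ARN and access key ID in the sample are placeholders.

```python
"""Added example (not AlphaSOC code): map a CloudTrail record onto the AlphaSOC
Audit fields. SAMPLE_EVENT, lookup() and normalize_cloudtrail() are constructed."""
from datetime import datetime, timezone

# Constructed sample record; account ID, ARN and access key ID are placeholders.
SAMPLE_EVENT = {
    "eventID": "00000000-0000-4000-8000-000000000001",
    "eventTime": "2024-05-01T12:34:56Z",
    "eventType": "AwsApiCall",
    "eventSource": "s3.amazonaws.com",
    "eventName": "GetObject",
    "awsRegion": "eu-west-1",
    "readOnly": True,
    "sourceIPAddress": "203.0.113.10",
    "userAgent": "aws-cli/2.15.0",
    "recipientAccountId": "123456789012",
    "userIdentity": {
        "type": "IAMUser",
        "arn": "arn:aws:iam::123456789012:user/example",
        "accessKeyId": "AKIAEXAMPLE0000000000",
        "userName": "example",
    },
    "requestParameters": {"bucketName": "example-bucket"},
    "additionalEventData": {"MFAUsed": "No"},
}


def lookup(record, path, default=None):
    """Resolve a dotted path such as 'userIdentity.sessionContext.ec2RoleDelivery'."""
    current = record
    for key in path.split("."):
        if not isinstance(current, dict) or key not in current:
            return default
        current = current[key]
    return current


def normalize_cloudtrail(event):
    """Return the AlphaSOC Audit fields for one CloudTrail record."""
    account = event.get("recipientAccountId")
    region = event.get("awsRegion")
    ts = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "id": event.get("eventID"),
        "ts": ts.replace(tzinfo=timezone.utc),
        "type": event.get("eventType"),
        "service": event.get("eventSource"),
        "action": event.get("eventName"),
        "region": region,
        "readOnly": event.get("readOnly"),
        "ip": event.get("sourceIPAddress"),
        "userAgent": event.get("userAgent"),
        "srcID": f"aws/{account}",
        "errorMessage": event.get("errorMessage"),
        "identityType": lookup(event, "userIdentity.type"),
        "identityARN": lookup(event, "userIdentity.arn"),
        "accessKeyID": lookup(event, "userIdentity.accessKeyId"),
        # Present only for service-initiated requests; None for user-initiated ones.
        "invokedBy": lookup(event, "userIdentity.invokedBy"),
        "identityUsername": lookup(event, "userIdentity.userName"),
        # Present only when temporary credentials came from an EC2 instance.
        "ec2RoleDelivery": lookup(event, "userIdentity.sessionContext.ec2RoleDelivery"),
        "bucketName": lookup(event, "requestParameters.bucketName"),
        # noMFA defaults to False (MFA used, or status unknown) and becomes True only
        # when CloudTrail explicitly reports MFAUsed == "No"; this reading is assumed.
        "noMFA": lookup(event, "additionalEventData.MFAUsed") == "No",
        "samlProviderARN": lookup(event, "additionalEventData.SamlProviderArn"),
        # Format string taken literally from the mapping table above.
        "dataScope": f"aws:{account}:{region}:",
        "labels": {"aws/accountId": account, "aws/region": region},
    }
```

Because every nested field goes through `lookup()` with a default, records that lack `additionalEventData` or `sessionContext` still normalise cleanly, with `noMFA` falling back to false as the table describes.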
AWS Route 53
AWS Route 53 is a scalable DNS web service by Amazon that translates domain names into IP addresses. AlphaSOC processes AWS Route 53 logs to help you identify potential threats related to DNS activity.
Learn how to enable AWS Route 53 logging here.
Query log examples
To see query log examples, visit the AWS Route 53 documentation.
Log field mapping
Data type: DNS
Data origin: aws-route53
AlphaSOC field | Log field | Notes |
---|---|---|
ts | query_timestamp | |
srcIP | srcaddr | |
srcPort | srcport | |
fqdn | query_name | |
qtype | query_type | |
rcode | rcode | |
srcID | srcids.instance | |
srcHost | srcids.instance | |
dataScope | account_id region vpc_id | account_id, region, and vpc_id are mapped into the string format aws:{account_id}:{region}:{vpc_id} |
labels | account_id region | A key-value pair where aws/accountId is assigned the value of account_id, and aws/region is assigned the value of region |
AWS VPC Flow
AWS Virtual Private Cloud (VPC) Flow Logs is a data collection feature that records IP network traffic flowing to and from a VPC, a VPC subnet, or an Elastic Network Interface (ENI). AlphaSOC processes AWS VPC Flow logs to help you analyze IP network traffic and identify potential threats.
Learn how to enable AWS VPC Flow logging here.
Query log examples
To see query log examples, visit the VPC Flow log records.
Log field mapping
Data type: IP
Data origin: aws-vpc-flow
AlphaSOC field | Log field | Notes |
---|---|---|
ts | start | |
duration | end start | This field is based on the difference between the end and start timestamps |
srcIP | pkt-srcaddr srcaddr | pkt-srcaddr takes priority over srcaddr |
destIP | pkt-dstaddr dstaddr | pkt-dstaddr takes priority over dstaddr |
srcPort | srcport | |
destPort | dstport | |
proto | protocol | |
packetsOut | packets | |
srcHost | instance-id | |
srcID | instance-id | |
action | action | |
bytesOut | bytes | |
dataScope | account-id region | account-id and region are mapped into the string format aws:{account-id}:{region} |
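As an added example (not AlphaSOC code), the parser below reads space-separated VPC Flow log records in a custom format and applies the rules from the table above: `pkt-srcaddr` takes priority over `srcaddr` (and `pkt-dstaddr` over `dstaddr`), `duration` is `end` minus `start`, and `dataScope` is built from `account-id` and `region`. The same first-non-empty rule covers the `mac`/`macAddress`, `LocalAddressIP4`/`LocalAddressIP6` and `ts`/`timestamp` priority rows in the Azure, CrowdStrike and Zeek tables below. The field order in `FIELDS`, the sample records and the function names are constructed for this example; `-` placeholders mirror what VPC Flow Logs emit for fields with no data.

```python
"""Added example (not AlphaSOC code): normalise AWS VPC Flow log records.
FIELDS, SAMPLE_LINES and the function names are constructed for this example."""

# Constructed custom-format field order (the names themselves are VPC Flow Logs fields).
FIELDS = ["version", "account-id", "interface-id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action",
          "instance-id", "pkt-srcaddr", "pkt-dstaddr", "region"]

# Constructed sample records. In the first, srcaddr is the ENI address while
# pkt-srcaddr carries the original source behind it, so pkt-srcaddr must win.
# The second uses '-' where the log has no data, so srcaddr is the fallback.
SAMPLE_LINES = [
    "5 123456789012 eni-0a1b2c3d 10.0.1.5 198.51.100.7 49152 443 6 12 3400 "
    "1714567890 1714567950 ACCEPT i-0123456789abcdef0 10.0.2.77 198.51.100.7 us-east-1",
    "5 123456789012 eni-0a1b2c3d 10.0.1.5 203.0.113.9 - - 17 - - "
    "1714567890 1714567900 REJECT i-0123456789abcdef0 - - us-east-1",
]


def _value(raw):
    """Treat the '-' placeholder as missing."""
    return None if raw in (None, "-") else raw


def _int(raw):
    value = _value(raw)
    return None if value is None else int(value)


def parse_record(line, fields=FIELDS):
    """Split one record and pair each token with its field name."""
    parts = line.split()
    if len(parts) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(parts)}")
    return dict(zip(fields, parts))


def normalize_vpc_flow(line, fields=FIELDS):
    """Return the AlphaSOC IP fields for one VPC Flow log record."""
    rec = parse_record(line, fields)
    start, end = _int(rec.get("start")), _int(rec.get("end"))
    return {
        "ts": start,
        # duration is derived from the two timestamps, not read from a field.
        "duration": (end - start) if start is not None and end is not None else None,
        # Priority rule: pkt-* address first, plain address as fallback.
        "srcIP": _value(rec.get("pkt-srcaddr")) or _value(rec.get("srcaddr")),
        "destIP": _value(rec.get("pkt-dstaddr")) or _value(rec.get("dstaddr")),
        "srcPort": _int(rec.get("srcport")),
        "destPort": _int(rec.get("dstport")),
        "proto": _int(rec.get("protocol")),
        "packetsOut": _int(rec.get("packets")),
        "bytesOut": _int(rec.get("bytes")),
        "srcHost": _value(rec.get("instance-id")),
        "srcID": _value(rec.get("instance-id")),
        "action": _value(rec.get("action")),
        "dataScope": f"aws:{rec['account-id']}:{rec['region']}",
    }


def normalize_all(lines, fields=FIELDS):
    return [normalize_vpc_flow(line, fields) for line in lines]
```

Validating the token count against the declared field order before mapping is what keeps a changed log format from silently shifting every column.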
Azure Device Network
Azure Device Network is a data format used by Microsoft Defender to collect and store metadata about device network activity. AlphaSOC processes Azure Device Network logs to help analyze IP network and DNS traffic and identify potential threats.
Query log examples
To see query log fields, visit the Device Network documentation.
Log field mapping
Data origin: azure-device-network
AlphaSOC field | Log field | Notes |
---|---|---|
ts | timestamp | |
srcIP | localIP | |
srcPort | localPort | |
srcHost | DeviceName | |
srcID | DeviceId | |
srcUser | InitiatingProcessAccountUpn | |
fqdn | RemoteUrl | |
destIP | RemoteIP | |
destPort | RemotePort | |
proto | Protocol | |
Azure NSG Flow
Azure Network Security Group (NSG) Flow is a data collection feature that captures and logs metadata about network traffic processed by Network Security Groups (NSGs). AlphaSOC processes Azure NSG Flow logs to help you analyze IP network traffic and identify potential threats.
Learn how to enable Azure NSG Flow logging here.
Query log examples
To see query log examples, visit the NSG Flow query results.
Log field mapping
Data type: IP
Data origin: azure-nsg-flow
AlphaSOC field | Log field | Notes |
---|---|---|
ts | timestamp | |
srcIP | sourceIP | |
destIP | destinationIP | |
srcPort | sourcePort | |
destPort | destinationPort | |
proto | protocol | |
action | trafficDecision | |
packetsOut | packetsSent | |
bytesOut | bytesSent | |
packetsIn | packetsReceived | |
bytesIn | bytesReceived | |
srcMac | mac macAddress | mac takes priority over macAddress |
labels | resourceId | |
Azure VNet Flow
Azure Virtual Network (VNet) Flow is a data collection feature that captures and logs metadata about network traffic flowing through Network Security Groups (NSGs). AlphaSOC processes Azure VNet Flow logs to help you analyze IP network traffic and identify potential threats.
Learn how to enable Azure VNet Flow logging here.
Query log examples
To see query log examples, visit the VNet Flow query results.
Log field mapping
Data type: IP
Data origin: azure-vnet-flow
AlphaSOC field | Log field | Notes |
---|---|---|
ts | timestamp | |
srcIP | sourceIP | |
destIP | destinationIP | |
srcPort | sourcePort | |
destPort | destinationPort | |
proto | protocol | |
packetsOut | packetsSent | |
bytesOut | bytesSent | |
packetsIn | packetsReceived | |
bytesIn | bytesReceived | |
srcMac | mac macAddress | mac takes priority over macAddress |
labels | flowLogResourceID | |
Carbon Black Netconn
Carbon Black Netconn is a feature within Carbon Black Endpoint Detection and Response (EDR), providing detailed information about network connections on endpoints. AlphaSOC processes Carbon Black Netconn data to help you analyze IP network traffic and identify potential threats.
Learn how to enable Carbon Black Netconn logging here.
Query log examples
To see query log examples, visit the Netconn log records.
Log field mapping
Data type: IP
Data origin: carbonblack-netconn
AlphaSOC field | Log field | Notes |
---|---|---|
ts | timestamp | |
srcHost | computer_name | |
direction | | This field is used to filter and process outbound traffic |
fqdn | domain | |
eventType | event_type | |
ja3 | ja3 | |
ja3s | ja3s | |
srcIP | local_ip | |
srcPort | local_port | |
proto | protocol | |
destIP | remote_ip | |
destPort | remote_port | |
Crowdstrike FDR
Crowdstrike Falcon Data Replicator (FDR) is a data collection and replication feature that captures and logs metadata about network traffic collected by Crowdstrike Falcon. AlphaSOC processes Crowdstrike FDR logs to help you analyze IP network traffic and identify potential threats.
Learn how to enable Crowdstrike FDR logging here.
Query log examples
To see query log examples, visit the Crowdstrike FDR documentation.
Log field mapping
Data origin: crowdstrike-data
AlphaSOC field | Log field | Notes |
---|---|---|
ts | timestamp LogonTime LogoffTime | Please refer to the note below |
srcID | aid | |
srcHost | ClientComputerName | |
srcUser | UserName | |
fqdn | DomainName | |
qtype | RequestType | |
rcode | QueryStatus | |
srcIP | LocalAddressIP4 LocalAddressIP6 | LocalAddressIP4 takes priority over LocalAddressIP6 |
srcPort | LocalPort | |
destIP | RemoteAddressIP4 RemoteAddressIP6 | RemoteAddressIP4 takes priority over RemoteAddressIP6 |
destPort | RemotePort | |
proto | Protocol | |
Log field names are determined by the EventName value:
- DnsRequest, NetworkConnectIP4, and NetworkConnectIP6 events use timestamp.
- UserLogon events use LogonTime.
- UserLogoff events use LogoffTime.
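As an added example (not AlphaSOC or CrowdStrike code), the normaliser below selects the timestamp field by EventName as the note above describes, prefers `LocalAddressIP4`/`RemoteAddressIP4` over the IPv6 fields, and drops records whose EventName the table does not cover. `SAMPLE_EVENTS`, `TS_FIELD_BY_EVENT` and the function names are constructed; the records use the key `EventName` as the page names it, and the `aid` values are placeholders.

```python
"""Added example (not AlphaSOC or CrowdStrike code): per-EventName timestamp
selection and IPv4-over-IPv6 preference for FDR records. SAMPLE_EVENTS and the
function names are constructed for this illustration."""
from datetime import datetime, timezone

# Which raw field carries the timestamp, per EventName (from the note above).
TS_FIELD_BY_EVENT = {
    "DnsRequest": "timestamp",
    "NetworkConnectIP4": "timestamp",
    "NetworkConnectIP6": "timestamp",
    "UserLogon": "LogonTime",
    "UserLogoff": "LogoffTime",
}

# Constructed sample records; aid values are placeholders.
SAMPLE_EVENTS = [
    {"EventName": "DnsRequest", "timestamp": "1714567890.123", "aid": "aid-placeholder-1",
     "ClientComputerName": "WS-0001", "DomainName": "example.test",
     "RequestType": "1", "QueryStatus": "0"},
    {"EventName": "NetworkConnectIP6", "timestamp": "1714567891", "aid": "aid-placeholder-1",
     "LocalAddressIP6": "2001:db8::10", "LocalPort": "51234",
     "RemoteAddressIP6": "2001:db8::1", "RemotePort": "443", "Protocol": "6"},
    {"EventName": "UserLogon", "LogonTime": "1714567900", "aid": "aid-placeholder-1",
     "ClientComputerName": "WS-0001", "UserName": "alice"},
    {"EventName": "ProcessRollup2", "timestamp": "1714567901"},  # not in the mapping table
]


def _first_present(record, *names):
    """Return the first non-empty value among the named fields (priority order)."""
    for name in names:
        value = record.get(name)
        if value not in (None, ""):
            return value
    return None


def _int(value):
    return None if value in (None, "") else int(value)


def normalize_fdr(record):
    """Return the AlphaSOC fields for one FDR record, or None if EventName is unmapped."""
    ts_field = TS_FIELD_BY_EVENT.get(record.get("EventName"))
    if ts_field is None:
        return None
    raw_ts = record.get(ts_field)
    if raw_ts is None:
        raise ValueError(f"{record['EventName']} record has no {ts_field} field")
    return {
        # Epoch seconds (string, possibly fractional) to an aware UTC datetime.
        "ts": datetime.fromtimestamp(float(raw_ts), tz=timezone.utc),
        "srcID": record.get("aid"),
        "srcHost": record.get("ClientComputerName"),
        "srcUser": record.get("UserName"),
        "fqdn": record.get("DomainName"),
        "qtype": record.get("RequestType"),
        "rcode": record.get("QueryStatus"),
        "srcIP": _first_present(record, "LocalAddressIP4", "LocalAddressIP6"),
        "srcPort": _int(record.get("LocalPort")),
        "destIP": _first_present(record, "RemoteAddressIP4", "RemoteAddressIP6"),
        "destPort": _int(record.get("RemotePort")),
        "proto": _int(record.get("Protocol")),
    }


def normalize_all(records):
    """Normalise a batch, dropping records whose EventName is not mapped."""
    return [n for n in (normalize_fdr(r) for r in records) if n is not None]
```

A mapped EventName whose expected timestamp field is absent raises rather than producing a record with no `ts`, which is the failure you want surfaced early in a pipeline that orders and deduplicates on time.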
Data origin: crowdstrike-aid-master
AlphaSOC field | Log field | Notes |
---|---|---|
ts | Time | |
srcID | aid | |
srcHost | ComputerName | |
DNSTap
DNSTap is a data collection feature that captures and logs metadata about DNS traffic. AlphaSOC processes DNSTap logs to help you analyze DNS traffic and identify potential threats.
Learn how to enable DNSTap logging via CoreDNS here.
Query log examples
The queries conform to the standard DNS format.
Log field mapping
Data type: DNS
Data origin: dnstap
AlphaSOC field | Log field | Notes |
---|---|---|
ts | query_time_sec query_time_nsec | Timestamp values, represented as separate seconds (query_time_sec) and nanoseconds (query_time_nsec), are combined and converted into a UTC timestamp |
srcIP | query_address | |
srcPort | query_port | |
fqdn | query_name | |
qtype | query_type | |
rcode | query_rcode | |
The log field names are derived directly from the Protocol Buffers definitions.
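As an added example (not AlphaSOC or CoreDNS code), the function below combines DNSTap's split `query_time_sec`/`query_time_nsec` values into a UTC timestamp as the table describes, rejecting a nanosecond component outside 0..999999999, and maps the remaining DNS fields. Python's `datetime` only carries microseconds, so the function also returns the full-precision nanosecond count. `SAMPLE_MESSAGE` and the function names are constructed for this illustration.

```python
"""Added example (not AlphaSOC or CoreDNS code): combine DNSTap seconds and
nanoseconds into a UTC timestamp. SAMPLE_MESSAGE and the function names are constructed."""
from datetime import datetime, timezone

# Constructed sample message using the field names from the mapping table.
SAMPLE_MESSAGE = {
    "query_time_sec": 1714567890,
    "query_time_nsec": 123456789,
    "query_address": "10.0.0.5",
    "query_port": 53412,
    "query_name": "example.test.",
    "query_type": "A",
    "query_rcode": "NOERROR",
}


def dnstap_timestamp(query_time_sec, query_time_nsec):
    """Return (aware UTC datetime, total nanoseconds since the epoch).

    The datetime truncates to microseconds; the integer keeps full precision
    for ordering and de-duplication."""
    if not 0 <= query_time_nsec < 1_000_000_000:
        raise ValueError(f"query_time_nsec out of range: {query_time_nsec}")
    total_ns = query_time_sec * 1_000_000_000 + query_time_nsec
    ts = datetime.fromtimestamp(query_time_sec, tz=timezone.utc)
    ts = ts.replace(microsecond=query_time_nsec // 1_000)
    return ts, total_ns


def normalize_dnstap(message):
    """Return the AlphaSOC DNS fields for one DNSTap message."""
    ts, _ = dnstap_timestamp(message["query_time_sec"], message["query_time_nsec"])
    return {
        "ts": ts,
        "srcIP": message.get("query_address"),
        "srcPort": message.get("query_port"),
        "fqdn": message.get("query_name"),
        "qtype": message.get("query_type"),
        "rcode": message.get("query_rcode"),
    }
```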
GCP Cloud DNS
GCP Cloud Domain Name System (DNS) is a service that captures and logs data related to DNS queries and responses. AlphaSOC processes GCP Cloud DNS logs to help you analyze DNS queries and responses and identify potential threats.
Learn how to enable GCP Cloud DNS logging here.
Query log examples
To see query log fields, visit the Cloud DNS query results.
Log field mapping
Data type: DNS
Data origin: gcp-dns
AlphaSOC field | Log field | Notes |
---|---|---|
ts | timestamp | |
qtype | queryType | |
fqdn | queryName | |
srcID | vmInstanceName vmInstanceIdString | vmInstanceIdString takes priority over vmInstanceName |
rcode | responseCode | |
srcIP | sourceIP | |
GCP GKE
GCP Google Kubernetes Engine (GKE) enables audit logging capabilities, with the audit logs being captured and stored by Cloud Audit Logs. AlphaSOC processes GCP GKE audit logs to help you analyze them and identify potential threats.
Learn how to enable GCP GKE logging here.
Query log examples
To see query log examples, visit the GKE query results.
Log field mapping
Data type: Audit
Data origin: gcp-dns
AlphaSOC field | Log field | Notes |
---|---|---|
ts | timestamp | |
srcID | principalEmail | |
callerIP | callerIp | |
userAgent | callerSuppliedUserAgent | |
auditBody | resourceName | |
methodName | | This field identifies accessed resources and actions performed |
code | code | |
type | | This field is used to exclude log entries not associated with Kubernetes clusters |
dataScope | cluster_name location project_id | cluster_name, location, and project_id are mapped into the string format gcp:{cluster_name}:{location}:{project_id} |
GCP VPC Flow
GCP Virtual Private Cloud (VPC) Flow Logs is a data collection feature that captures and logs metadata about network traffic flowing to and from virtual machine instances within a GCP VPC. AlphaSOC processes GCP VPC Flow logs to help you analyze IP network traffic and identify potential threats.
Learn how to enable GCP VPC Flow logging here.
Query log examples
To see query log examples, visit the VPC Flow query results.
Log field mapping
Data type: IP
Data origin: gcp-vpc-flow
AlphaSOC field | Log field | Notes |
---|---|---|
bytesOut | bytes_sent | |
packetsOut | packets_sent | |
destIP | dest_ip | |
destPort | dest_port | |
proto | protocol | |
srcIP | src_ip | |
srcPort | src_port | This field is used to filter and process outbound traffic from the VM to the internet |
ts | start_time | |
duration | end_time start_time | This field is based on the difference between the end and start timestamps |
srcHost | vm_name project_id | Both values are used to determine the srcHost |
Zeek
Zeek is an open-source network traffic analyzer. AlphaSOC processes Zeek logs for IP, DNS, HTTP, TLS, and DHCP activity to help identify potential threats.
Learn how to enable Zeek logging here.
Query log examples
To see query log examples, visit the Zeek documentation.
Log field mapping
Data type: IP
Data origin: zeek-conn
AlphaSOC field | Log field | Notes |
---|---|---|
ts | ts timestamp | ts takes priority over timestamp |
connID | uid | |
srcIP | id.orig_h | |
srcPort | id.orig_p | |
destIP | id.resp_h | |
destPort | id.resp_p | |
proto | proto | |
bytesIn | orig_ip_bytes | |
bytesOut | resp_ip_bytes | |
packetsIn | orig_pkts | |
packetsOut | resp_pkts | |
app | service | |
duration | duration | |
connState | conn_state | New, open, closed, or unknown |
connDirection | local_orig | This field applies only to outbound connections |
Data type: DHCP
Data origin: zeek-dhcp
AlphaSOC field | Log field | Notes |
---|---|---|
ts | ts timestamp | ts takes priority over timestamp |
srcIP | client_addr | |
srcMac | mac | |
srcHost | host_name | |
duration | lease_time | |
type | | Type of lease |
Data type: DNS
Data origin: zeek-dns
AlphaSOC field | Log field | Notes |
---|---|---|
ts | ts timestamp | ts takes priority over timestamp |
connID | uid | |
srcIP | id.orig_h | |
srcPort | id.orig_p | |
fqdn | query | |
qtype | qtype_name | |
rcode | rcode_name | |
Data type: HTTP
Data origin: zeek-http
AlphaSOC field | Log field | Notes |
---|---|---|
ts | ts timestamp | ts takes priority over timestamp |
connID | uid | |
srcIP | id.orig_h | |
srcPort | id.orig_p | |
url | id.resp_p host uri | url is constructed using id.resp_p, host, and uri. The host field is a required parameter for this field to be constructed |
method | method | |
status | status_code | |
bytesIn | request_body_len | |
bytesOut | response_body_len | |
contentType | resp_mime_types | The first occurring mime type |
referrer | referrer | |
userAgent | user_agent | |
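As an added example (not AlphaSOC or Zeek code), the normaliser below reads Zeek `http.log` lines in JSON form and applies the rules from the table above: `ts` takes priority over `timestamp`, `url` is built from `id.resp_p`, `host` and `uri` and is left unset when `host` is missing, and `contentType` is the first entry of `resp_mime_types`. The sample log lines and the function names are constructed; the choice of `http://` scheme and of omitting the port when it is 80 is an assumption of this example, since the table does not state the exact URL form.

```python
"""Added example (not AlphaSOC or Zeek code): normalise Zeek http.log JSON lines.
SAMPLE_HTTP_LOG and the function names are constructed for this illustration."""
import json

# Constructed sample lines in Zeek's JSON log format (keys such as "id.resp_p"
# are literal). The second line has no host field, so no url can be built.
SAMPLE_HTTP_LOG = [
    '{"ts":1714567890.123,"uid":"CAbC123","id.orig_h":"10.0.0.5","id.orig_p":51234,'
    '"id.resp_h":"198.51.100.7","id.resp_p":8080,"method":"GET","host":"example.test",'
    '"uri":"/login?next=%2Fadmin","user_agent":"curl/8.0","request_body_len":0,'
    '"response_body_len":512,"status_code":200,"resp_mime_types":["text/html","text/plain"]}',
    '{"ts":1714567891.5,"uid":"CdEf456","id.orig_h":"10.0.0.5","id.orig_p":51235,'
    '"id.resp_h":"198.51.100.7","id.resp_p":80,"method":"GET","uri":"/",'
    '"request_body_len":0,"response_body_len":0,"status_code":400}',
]


def build_url(rec):
    """Construct the url from id.resp_p, host and uri; None when host is absent."""
    host = rec.get("host")
    if not host:
        return None  # host is required for url construction
    port = rec.get("id.resp_p")
    uri = rec.get("uri") or "/"
    # Assumption of this example: http scheme, default port 80 omitted.
    authority = host if port in (None, 80) else f"{host}:{port}"
    return f"http://{authority}{uri}"


def normalize_zeek_http(line):
    """Return the AlphaSOC HTTP fields for one http.log JSON line."""
    rec = json.loads(line)
    mime_types = rec.get("resp_mime_types") or []
    return {
        # ts takes priority over timestamp.
        "ts": rec["ts"] if "ts" in rec else rec.get("timestamp"),
        "connID": rec.get("uid"),
        "srcIP": rec.get("id.orig_h"),
        "srcPort": rec.get("id.orig_p"),
        "url": build_url(rec),
        "method": rec.get("method"),
        "status": rec.get("status_code"),
        "bytesIn": rec.get("request_body_len"),
        "bytesOut": rec.get("response_body_len"),
        # First occurring mime type, or None when Zeek logged none.
        "contentType": mime_types[0] if mime_types else None,
        "referrer": rec.get("referrer"),
        "userAgent": rec.get("user_agent"),
    }


def normalize_all(lines):
    return [normalize_zeek_http(line) for line in lines]
```

Keeping `url` unset rather than substituting `id.resp_h` for a missing `host` preserves the table's rule, and it also avoids fabricating a hostname that detection logic downstream might treat as real.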
Data type: TLS
Data origin: zeek-ssl
AlphaSOC field | Log field | Notes |
---|---|---|
ts | ts timestamp | ts takes priority over timestamp |
connID | uid | |
srcIP | id.orig_h | |
srcPort | id.orig_p | |
destIP | id.resp_h | |
destPort | id.resp_p | |
ja3 | ja3 | |
ja3s | ja3s | |
certHash | cert_hash | |
issuer | issuer certificate_issuer | issuer takes priority over certificate_issuer |
subject | subject certificate_subject | subject takes priority over certificate_subject |