| Field Identifier | Field Type | Field Name | Field Description | Reference Value | Subcategory |
|---|---|---|---|---|---|
| instance_id | string | Victim-related asset ID | - | probe-okqbewghgc6e | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| time | int64 | Alarm occurrence time | Alarm occurrence time (UTC+8) | 1742109846 | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| src_ip | string | Source IP | - | 192.168.0.1 | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| dst_ip | string | Destination IP | - | 192.168.0.1 | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| src_port | int64/int | Source port | - | 54321 | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| dst_port | int64/int | Destination port | - | 80 | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| direction | int64 | Direction | 0: Outbound; 1: Inbound. For TCP protocol alarms this is the session direction; for non-session protocols it is the traffic direction. | 0 | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| protocol | string | Protocol | - | TCP | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| strategy | string | Alarm action | Response action for the alarm. 0: Observe; 1: Block; 2: Allow; 3: Spoof | 0 | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| strategy_res | string | Alarm action identifier ID | - | Observe | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog |
| event_name | string | Attack event type | - | Log4j2 Exploit | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| eventname_res (event_name_res) | string | Attack event type identifier ID | - | log4j2_exploit | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog |
| dst_domain | string | External domain | - | www.example.com | HoneyPotHost, HoneyPotNetwork, BlockList, TiLog, BaseLineLog |
| level | string | Alarm level | Alarm severity | Critical | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| level_res | string | Alarm level identifier ID | - | level_serious | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog |
| level_int | int | Alarm level number | - | 5 | HoneyPotHost, HoneyPotNetwork |
| address | string | Attack IP address city | - | Tokyo, Japan | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| address_en | string | Attack IP address city (English) | - | Tokyo,Japan | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog |
| insert_time | int64 | Alarm storage time | Alarm storage time (UTC+8) | 1742022307 | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| service_id | string | Network Honeypot ID | - | hp-qlavpg5iwcaq | HoneyPotHost, HoneyPotNetwork |
| type | string | Alarm subtype identifier | - | ti | HoneyPotHost, HoneyPotNetwork, TiLog, BaseLineLog |
| sub_source_type | string | Alarm subtype | Alarm classification, including virtual patch, basic defense, blocklist, Network Honeypot, and so on | Virtual patch | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| sub_source_type_res | string | Alarm subtype identifier ID | Alarm subtype identifier ID: source_virtualpatch (virtual patch), source_basicrule (basic defense), and so on | source_virtualpatch | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog |
| payload | string | Attack payload | Payload of the attack traffic | Hex Message:... | HoneyPotHost, HoneyPotNetwork, IdsLog, TiLog |
| cmdline | string | Executed command | Network Honeypot host events: sensitive commands executed within the honeypot | bash -c ifconfig execve /bin/bash\|m=100755\|o=0:0 | HoneyPotHost |
| template_id | string | Network Honeypot template ID | - | hp-qlavpg5iwcaq | HoneyPotHost |
| docker_id | string | Network Honeypot unique ID | - | hp-qlavpg5iwcaq | HoneyPotHost, HoneyPotNetwork |
| proc_chan | string | Process tree | Network Honeypot host events: process tree | bashP{ | HoneyPotHost |
| kill_chain | string | Attack chain | The attack chain stage of the alarm event | Exploit | HoneyPotHost, HoneyPotNetwork |
| kill_chain_res | string | Attack chain identifier ID | - | kill_chain_exploit | HoneyPotHost, HoneyPotNetwork |
| event_id | string | Alarm ID | - | b5871755da5f0d151f3e51b971c8bccd | HoneyPotHost, HoneyPotNetwork |
| exe | string | Executable file path | - | /sbin/ifconfig | HoneyPotHost |
| probe_id | string | Probe ID | - | probe-id | HoneyPotHost, HoneyPotNetwork |
| service_type | string | Network Honeypot type | Network Honeypot type | SSH Honeypot | HoneyPotHost, HoneyPotNetwork |
| service_type_res | string | Network Honeypot type identifier ID | - | ssh_honeypot | HoneyPotHost, HoneyPotNetwork |
| script_name | string | Network Honeypot script name | - | SSH Honeypot | HoneyPotHost, HoneyPotNetwork |
| log_source | string | Data source | Alarms from firewalls between VPCs and from private-network honeypots have the value move; honeypot host alarms have the value host; honeypot public-network alarms have the value network | move | HoneyPotHost, HoneyPotNetwork, IdsLog |
| login_user | string | Attacker login user | - | [root, 1qaz!QAZ] | HoneyPotHost, HoneyPotNetwork |
| visible_tag | int | Visibility | 0: Hidden; 1: Visible | 1 | HoneyPotHost, HoneyPotNetwork |
| timestamp | string | Alarm timestamp | Alarm timestamp (UTC+8) | 2023-01-01T00:00:00+08:00 | HoneyPotHost, HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| ti_type | string | Associated intelligence threat type tag (included in alarms) | - | ["SSH honeypot attack", "Conventional network brute force", "Brute force attack"] | HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| ti_type_en | string | Associated intelligence threat type tag, English (included in alarms) | - | ["SSH honeypot attack","General network cracking","Brute force"] | HoneyPotNetwork, BlockList, IdsLog, TiLog |
| ti_white | string | Allowlist tag (included in alarms) | - | Intelligence allowlist | HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| ti_white_res | string | Allowlist tag identifier ID (included in alarms) | - | intelligence_allowlist | HoneyPotNetwork, BlockList, IdsLog, TiLog, BaseLineLog |
| src_country | string | Source country | Country of the source IP address | United States | BlockList, IdsLog, TiLog, BaseLineLog |
| src_country_en | string | Source country (English) | Country of the source IP address, in English | United States of America | BlockList, IdsLog, TiLog |
| dst_country | string | Destination country | Country of the destination IP address | United States | BlockList, IdsLog, TiLog, BaseLineLog |
| dst_country_en | string | Destination country (English) | Country of the destination IP address, in English | United States of America | BlockList, IdsLog, TiLog |
| attack_vector | string | Exploitation method | - | code-exec | IdsLog |
| attack_count | int | Number of alarms | - | 156 | IdsLog |
| nat_ip | string | NAT IP address | Public IP address of the NAT gateway | 8.8.8.8 | IdsLog, TiLog, BaseLineLog |
| nat_port | int | NAT port | Public port of the NAT gateway | 19095 | IdsLog, TiLog, BaseLineLog |
| fws_id | string | Firewall ID | - | cfws-e5b4bf5f3f | IdsLog |
| fw_type | string | Firewall type | Firewall type. vpc: VPC firewall; nat: NAT firewall; sg: enterprise security group; empty: internet boundary | nat | IdsLog |
| src_vpc | string | Attacker's asset VPC ID | - | vpc-xxx | IdsLog |
| dst_vpc | string | Victim's asset VPC ID | - | vpc-dl16mzr7 | IdsLog |
| src_ins_id | string | Attacker-related asset ID | - | ins-xxx | IdsLog |
| dst_ins_id | string | Victim-related asset ID | - | ins-yyy | IdsLog |
| nat_ins_id | string | NAT instance ID | - | cfwnat-3944e08e | TiLog, BaseLineLog |
| nat_ins_name | string | NAT instance name | - | Egress NAT | TiLog |
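The table above documents the schema but not how to consume it. The following is an added example (not the vendor's code) of a small normalizer that a SIEM ingestion pipeline could apply to these alarm records: it decodes the numeric codes for `direction`, `strategy`, `log_source` and `fw_type` using the meanings given in the Field Description column, renders the epoch `time` value as a UTC+8 timestamp so it can be compared with `timestamp`, masks the password half of `login_user` before forwarding, and flags records that carry fields the table documents only for the HoneyPotHost subcategory. The sample record is constructed from the table's reference values; the function names and the `time_utc8` output field are this example's own.

```python
"""Normalize honeypot / firewall alarm records described in the field table.

Added example, not the vendor's code. Field names, value codes and the UTC+8
convention come from the table; the sample record is constructed from the
table's reference values.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from typing import Any

UTC8 = timezone(timedelta(hours=8))  # the table states time/timestamp are UTC+8

# Code-to-label maps copied from the Field Description column.
DIRECTION = {0: "outbound", 1: "inbound"}
STRATEGY = {"0": "observe", "1": "block", "2": "allow", "3": "spoof"}
LOG_SOURCE = {
    "move": "inter-VPC firewall or private-network honeypot",
    "host": "honeypot host",
    "network": "honeypot public network",
}
FW_TYPE = {"vpc": "VPC firewall", "nat": "NAT firewall",
           "sg": "enterprise security group", "": "internet boundary"}

# Fields the table documents for HoneyPotHost records only.
HONEYPOT_HOST_ONLY = {"cmdline", "template_id", "proc_chan", "exe"}

# Constructed sample built from the table's reference values (HoneyPotHost).
SAMPLE_HONEYPOT_HOST: dict[str, Any] = {
    "instance_id": "probe-okqbewghgc6e",
    "time": 1742109846,
    "timestamp": "2025-03-16T15:24:06+08:00",
    "src_ip": "192.168.0.1", "dst_ip": "192.168.0.1",
    "src_port": 54321, "dst_port": 80,
    "direction": 1, "protocol": "TCP", "strategy": "0",
    "event_name": "Log4j2 Exploit", "level": "Critical",
    "kill_chain": "Exploit", "log_source": "host",
    "cmdline": "bash -c ifconfig", "exe": "/sbin/ifconfig",
    "login_user": ["root", "1qaz!QAZ"],
}


def epoch_to_utc8(ts: int) -> str:
    """Render an epoch-seconds `time` value the way the `timestamp` field does."""
    return datetime.fromtimestamp(ts, tz=UTC8).isoformat()


def normalize(record: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of the record with codes decoded and credentials masked."""
    out = dict(record)
    if "direction" in out:
        out["direction"] = DIRECTION.get(out["direction"], f"unknown({out['direction']})")
    if "strategy" in out:
        out["strategy"] = STRATEGY.get(str(out["strategy"]), f"unknown({out['strategy']})")
    if "log_source" in out:
        out["log_source"] = LOG_SOURCE.get(out["log_source"], out["log_source"])
    if "fw_type" in out:
        # The table says an empty fw_type means the internet boundary.
        out["fw_type"] = FW_TYPE.get(out["fw_type"] or "", out["fw_type"])
    if "time" in out:
        out["time_utc8"] = epoch_to_utc8(int(out["time"]))  # added output field
    # login_user carries [user, password] per the reference value; the password
    # is an attacker-supplied secret that should not be forwarded in clear.
    users = out.get("login_user")
    if isinstance(users, list) and len(users) == 2:
        out["login_user"] = [users[0], "***"]
    return out


def consistency_issues(record: dict[str, Any], subcategory: str) -> list[str]:
    """Flag records that contradict the table: clock mismatch or fields
    that the table does not document for the given subcategory."""
    issues: list[str] = []
    if "time" in record and "timestamp" in record:
        if epoch_to_utc8(int(record["time"])) != record["timestamp"]:
            issues.append("timestamp does not match time")
    if subcategory != "HoneyPotHost":
        for field in sorted(HONEYPOT_HOST_ONLY & set(record)):
            issues.append(f"{field} is documented only for HoneyPotHost")
    return issues


if __name__ == "__main__":
    import json
    print(json.dumps(normalize(SAMPLE_HONEYPOT_HOST), indent=2))
    print(consistency_issues(SAMPLE_HONEYPOT_HOST, "HoneyPotHost"))
```

`normalize` leaves the input untouched and returns a copy, so the raw record can still be archived while only the masked copy reaches analysts; `consistency_issues` is meant to run on every record so that schema drift (a field appearing in a subcategory where the table does not list it) or a clock mismatch between `time` and `timestamp` is noticed rather than silently ingested.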