Match Fields Reference

This topic is a reference to the record fields that a match list with a given target column is compared against. Each header below (Hostname, Domain, Username, and so on) is a supported target column for a Cloud SIEM match list. The items listed under each header are the record fields that are compared to match lists with that target column.

If a record contains one of the match fields for a target column, and that field's value matches an entry in a match list with that target column, Cloud SIEM appends the name of the match list to the record's list_matches array.
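The following is an added example, not Sumo Logic code, that simulates this behaviour using a subset of the field-to-target-column mapping from this reference. It assumes an exact, case-insensitive string comparison and that a dotted field name such as bro_smtp_headers.xOriginatingIp refers to a nested object in the record; the page does not state either detail, and the record and list values are constructed for the demo.

```python
# Added example (not Sumo Logic code). Assumed: exact, case-insensitive comparison,
# and a dotted name (bro_smtp_headers.xOriginatingIp) addresses a nested object.

# Subset of this reference: target column -> record fields compared against it.
MATCH_FIELDS = {
    "Username": ["username", "fromUser_username", "user_username"],
    "Source IP Address": ["srcDevice_ip", "srcDevice_natIp", "bro_dhcp_assignedIp",
                          "bro_smtp_headers.xOriginatingIp", "bro_socks_boundIp",
                          "device_ip", "device_natIp"],
    "Destination IP Address": ["dstDevice_ip", "dstDevice_natIp", "bro_radius_remoteIp",
                               "bro_socks_requestIp", "dns_replyIp"],
}
# "IP Address" is the union of the source and destination field sets.
MATCH_FIELDS["IP Address"] = (MATCH_FIELDS["Source IP Address"]
                              + MATCH_FIELDS["Destination IP Address"])

def get_field(record, dotted_name):
    """Resolve 'a.b' against nested dicts; None if any segment is missing."""
    value = record
    for part in dotted_name.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value

def apply_match_lists(record, match_lists):
    """match_lists maps list name -> (target column, set of entries)."""
    hits = []
    for name, (target, entries) in match_lists.items():
        wanted = {e.lower() for e in entries}
        # Only the fields belonging to this list's target column are compared.
        for field in MATCH_FIELDS.get(target, []):
            value = get_field(record, field)
            if value is not None and str(value).lower() in wanted:
                hits.append(name)
                break  # a list name is appended at most once per record
    return {**record, "list_matches": sorted(hits)}

# Constructed sample record and match lists (values made up for the demo).
SAMPLE_RECORD = {"srcDevice_ip": "10.0.0.5", "dstDevice_ip": "203.0.113.7",
                 "user_username": "svc-backup",
                 "bro_smtp_headers": {"xOriginatingIp": "198.51.100.9"}}
SAMPLE_LISTS = {"known_scanners": ("Destination IP Address", {"203.0.113.7"}),
                "privileged_accounts": ("Username", {"SVC-BACKUP"}),
                "admin_jumphosts": ("Source IP Address", {"10.0.0.5"}),
                "mail_relays": ("IP Address", {"198.51.100.9"}),
                "sinkhole_ips": ("Destination IP Address", {"192.0.2.1"})}

def demo():
    return apply_match_lists(SAMPLE_RECORD, SAMPLE_LISTS)["list_matches"]
```

Note that a value present only in srcDevice_ip never matches a list whose target column is Destination IP Address, while the broader IP Address column covers both field sets.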

Hostname

  • device_hostname
  • dstDevice_hostname
  • srcDevice_hostname
  • http_hostname
  • http_referrerHostname
  • bro_ssl_serverName

Domain

  • bro_ntlm_domainame
  • bro_ssl_serverName_rootDomain
  • dns_queryDomain
  • dns_replyDomain
  • fromUser_authDomain
  • http_referrerDomain
  • http_url_rootDomain
  • http_url_fqdn

Username

  • username
  • fromUser_username
  • user_username

File Hash

  • file_hash_md5
  • file_hash_sha1
  • file_hash_sha256
  • file_hash_ssdeep
  • file_hash_imphash
  • file_hash_pehash

URL

  • http_url

IP Address

  • srcDevice_ip
  • srcDevice_natIp
  • bro_dhcp_assignedIp
  • bro_smtp_headers.xOriginatingIp
  • bro_socks_boundIp
  • device_ip
  • device_natIp
  • dstDevice_ip
  • dstDevice_natIp
  • bro_radius_remoteIp
  • bro_socks_requestIp
  • dns_replyIp

Source IP Address

  • srcDevice_ip
  • srcDevice_natIp
  • bro_dhcp_assignedIp
  • bro_smtp_headers.xOriginatingIp
  • bro_socks_boundIp
  • device_ip
  • device_natIp

Destination IP Address

  • dstDevice_ip
  • dstDevice_natIp
  • bro_radius_remoteIp
  • bro_socks_requestIp
  • dns_replyIp

IP ASN

  • srcDevice_ip_asnNumber
  • srcDevice_natIp_asnNumber
  • bro_dhcp_assignedIp_asnNumber
  • bro_smtp_headers.xOriginatingIp_asnNumber
  • bro_socks_boundIp_asnNumber
  • device_ip_asnNumber
  • device_natIp_asnNumber
  • dstDevice_ip_asnNumber
  • dstDevice_natIp_asnNumber
  • bro_radius_remoteIp_asnNumber
  • bro_socks_requestIp_asnNumber
  • dns_replyIp_asnNumber

Source IP ASN

  • srcDevice_ip_asnNumber
  • srcDevice_natIp_asnNumber
  • bro_dhcp_assignedIp_asnNumber
  • bro_smtp_headers.xOriginatingIp_asnNumber
  • bro_socks_boundIp_asnNumber
  • device_ip_asnNumber
  • device_natIp_asnNumber

Destination IP ASN

  • dstDevice_ip_asnNumber
  • dstDevice_natIp_asnNumber
  • bro_radius_remoteIp_asnNumber
  • bro_socks_requestIp_asnNumber
  • dns_replyIp_asnNumber

IP ISP

  • srcDevice_ip_isp
  • srcDevice_natIp_isp
  • bro_dhcp_assignedIp_isp
  • bro_smtp_headers.xOriginatingIp_isp
  • bro_socks_boundIp_isp
  • device_ip_isp
  • device_natIp_isp
  • dstDevice_ip_isp
  • dstDevice_natIp_isp
  • bro_radius_remoteIp_isp
  • bro_socks_requestIp_isp
  • dns_replyIp_isp

Source IP ISP

  • srcDevice_ip_isp
  • srcDevice_natIp_isp
  • bro_dhcp_assignedIp_isp
  • bro_smtp_headers.xOriginatingIp_isp
  • bro_socks_boundIp_isp
  • device_ip_isp
  • device_natIp_isp

Destination IP ISP

  • dstDevice_ip_isp
  • dstDevice_natIp_isp
  • bro_radius_remoteIp_isp
  • bro_socks_requestIp_isp
  • dns_replyIp_isp

IP Organization

  • srcDevice_ip_asnOrg
  • srcDevice_natIp_asnOrg
  • bro_dhcp_assignedIp_asnOrg
  • bro_smtp_headers.xOriginatingIp_asnOrg
  • bro_socks_boundIp_asnOrg
  • device_ip_asnOrg
  • device_natIp_asnOrg
  • dstDevice_ip_asnOrg
  • dstDevice_natIp_asnOrg
  • bro_radius_remoteIp_asnOrg
  • bro_socks_requestIp_asnOrg
  • dns_replyIp_asnOrg

Source IP Organization

  • srcDevice_ip_asnOrg
  • srcDevice_natIp_asnOrg
  • bro_dhcp_assignedIp_asnOrg
  • bro_smtp_headers.xOriginatingIp_asnOrg
  • bro_socks_boundIp_asnOrg
  • device_ip_asnOrg
  • device_natIp_asnOrg

Destination IP Organization

  • dstDevice_ip_asnOrg
  • dstDevice_natIp_asnOrg
  • bro_radius_remoteIp_asnOrg
  • bro_socks_requestIp_asnOrg
  • dns_replyIp_asnOrg

Copyright © 2024 by Sumo Logic, Inc.