enrichment_fields.md


Schema: Fields with Enrichment

The following is a list of schema fields for which Cloud SIEM provides automatic enrichments, together with the enrichment type applied and the additional fields each enrichment populates.

Field Enrichment Type Populated
bro_dhcp_assignedIp ip bro_dhcp_assignedIp_asnNumber, bro_dhcp_assignedIp_asnOrg, bro_dhcp_assignedIp_city, bro_dhcp_assignedIp_countryCode, bro_dhcp_assignedIp_countryName, bro_dhcp_assignedIp_ipv4IntValue, bro_dhcp_assignedIp_isInternal, bro_dhcp_assignedIp_isp, bro_dhcp_assignedIp_latitude, bro_dhcp_assignedIp_location, bro_dhcp_assignedIp_longitude, bro_dhcp_assignedIp_region, bro_dhcp_assignedIp_version
bro_ftp_dataChannel.originH ip bro_ftp_dataChannel.originH_asnNumber, bro_ftp_dataChannel.originH_asnOrg, bro_ftp_dataChannel.originH_city, bro_ftp_dataChannel.originH_countryCode, bro_ftp_dataChannel.originH_countryName, bro_ftp_dataChannel.originH_ipv4IntValue, bro_ftp_dataChannel.originH_isInternal, bro_ftp_dataChannel.originH_isp, bro_ftp_dataChannel.originH_latitude, bro_ftp_dataChannel.originH_location, bro_ftp_dataChannel.originH_longitude, bro_ftp_dataChannel.originH_region, bro_ftp_dataChannel.originH_version
bro_ftp_dataChannel.respH ip bro_ftp_dataChannel.respH_asnNumber, bro_ftp_dataChannel.respH_asnOrg, bro_ftp_dataChannel.respH_city, bro_ftp_dataChannel.respH_countryCode, bro_ftp_dataChannel.respH_countryName, bro_ftp_dataChannel.respH_ipv4IntValue, bro_ftp_dataChannel.respH_isInternal, bro_ftp_dataChannel.respH_isp, bro_ftp_dataChannel.respH_latitude, bro_ftp_dataChannel.respH_location, bro_ftp_dataChannel.respH_longitude, bro_ftp_dataChannel.respH_region, bro_ftp_dataChannel.respH_version
bro_radius_remoteIp ip bro_radius_remoteIp_asnNumber, bro_radius_remoteIp_asnOrg, bro_radius_remoteIp_city, bro_radius_remoteIp_countryCode, bro_radius_remoteIp_countryName, bro_radius_remoteIp_ipv4IntValue, bro_radius_remoteIp_isInternal, bro_radius_remoteIp_isp, bro_radius_remoteIp_latitude, bro_radius_remoteIp_location, bro_radius_remoteIp_longitude, bro_radius_remoteIp_region, bro_radius_remoteIp_version
bro_smtp_headers.xOriginatingIp ip bro_smtp_headers.xOriginatingIp_asnNumber, bro_smtp_headers.xOriginatingIp_asnOrg, bro_smtp_headers.xOriginatingIp_city, bro_smtp_headers.xOriginatingIp_countryCode, bro_smtp_headers.xOriginatingIp_countryName, bro_smtp_headers.xOriginatingIp_ipv4IntValue, bro_smtp_headers.xOriginatingIp_isInternal, bro_smtp_headers.xOriginatingIp_isp, bro_smtp_headers.xOriginatingIp_latitude, bro_smtp_headers.xOriginatingIp_location, bro_smtp_headers.xOriginatingIp_longitude, bro_smtp_headers.xOriginatingIp_region, bro_smtp_headers.xOriginatingIp_version
bro_socks_boundIp ip bro_socks_boundIp_asnNumber, bro_socks_boundIp_asnOrg, bro_socks_boundIp_city, bro_socks_boundIp_countryCode, bro_socks_boundIp_countryName, bro_socks_boundIp_ipv4IntValue, bro_socks_boundIp_isInternal, bro_socks_boundIp_isp, bro_socks_boundIp_latitude, bro_socks_boundIp_location, bro_socks_boundIp_longitude, bro_socks_boundIp_region, bro_socks_boundIp_version
bro_socks_requestIp ip bro_socks_requestIp_asnNumber, bro_socks_requestIp_asnOrg, bro_socks_requestIp_city, bro_socks_requestIp_countryCode, bro_socks_requestIp_countryName, bro_socks_requestIp_ipv4IntValue, bro_socks_requestIp_isInternal, bro_socks_requestIp_isp, bro_socks_requestIp_latitude, bro_socks_requestIp_location, bro_socks_requestIp_longitude, bro_socks_requestIp_region, bro_socks_requestIp_version
bro_ssl_serverName domain bro_ssl_serverName_alexaRank, bro_ssl_serverName_conditionalFrequency, bro_ssl_serverName_rootDomain, bro_ssl_serverName_fqdn, bro_ssl_serverName_entropyFqdn, bro_ssl_serverName_entropyRootDomain, bro_ssl_serverName_entropySubDomain, bro_ssl_serverName_possibleDga, bro_ssl_serverName_possibleDynDns, bro_ssl_serverName_tld
device_hostname normalizedHostname device_hostname_raw
device_ip ip device_ip_asnNumber, device_ip_asnOrg, device_ip_city, device_ip_countryCode, device_ip_countryName, device_ip_ipv4IntValue, device_ip_isInternal, device_ip_isp, device_ip_latitude, device_ip_location, device_ip_longitude, device_ip_region, device_ip_version
device_k8s_deployment normalizedDeploymentName
device_k8s_pod normalizedPodName
device_k8s_replicaSet normalizedReplicaSetName
device_natIp ip device_natIp_asnNumber, device_natIp_asnOrg, device_natIp_city, device_natIp_countryCode, device_natIp_countryName, device_natIp_ipv4IntValue, device_natIp_isInternal, device_natIp_isp, device_natIp_latitude, device_natIp_location, device_natIp_longitude, device_natIp_region, device_natIp_version
dns_queryDomain domain dns_queryDomain_alexaRank, dns_queryDomain_conditionalFrequency, dns_queryDomain_rootDomain, dns_queryDomain_fqdn, dns_queryDomain_entropyFqdn, dns_queryDomain_entropyRootDomain, dns_queryDomain_entropySubDomain, dns_queryDomain_possibleDga, dns_queryDomain_possibleDynDns, dns_queryDomain_tld
dns_replyDomain domain dns_replyDomain_alexaRank, dns_replyDomain_conditionalFrequency, dns_replyDomain_rootDomain, dns_replyDomain_fqdn, dns_replyDomain_entropyFqdn, dns_replyDomain_entropyRootDomain, dns_replyDomain_entropySubDomain, dns_replyDomain_possibleDga, dns_replyDomain_possibleDynDns, dns_replyDomain_tld
dns_replyIp ip dns_replyIp_asnNumber, dns_replyIp_asnOrg, dns_replyIp_city, dns_replyIp_countryCode, dns_replyIp_countryName, dns_replyIp_ipv4IntValue, dns_replyIp_isInternal, dns_replyIp_isp, dns_replyIp_latitude, dns_replyIp_location, dns_replyIp_longitude, dns_replyIp_region, dns_replyIp_version
dstDevice_hostname normalizedHostname dstDevice_hostname_raw
dstDevice_ip ip dstDevice_ip_asnNumber, dstDevice_ip_asnOrg, dstDevice_ip_city, dstDevice_ip_countryCode, dstDevice_ip_countryName, dstDevice_ip_ipv4IntValue, dstDevice_ip_isInternal, dstDevice_ip_isp, dstDevice_ip_latitude, dstDevice_ip_location, dstDevice_ip_longitude, dstDevice_ip_region, dstDevice_ip_version
dstDevice_k8s_deployment normalizedDeploymentName
dstDevice_k8s_pod normalizedPodName
dstDevice_k8s_replicaSet normalizedReplicaSetName
dstDevice_natIp ip dstDevice_natIp_asnNumber, dstDevice_natIp_asnOrg, dstDevice_natIp_city, dstDevice_natIp_countryCode, dstDevice_natIp_countryName, dstDevice_natIp_ipv4IntValue, dstDevice_natIp_isInternal, dstDevice_natIp_isp, dstDevice_natIp_latitude, dstDevice_natIp_location, dstDevice_natIp_longitude, dstDevice_natIp_region, dstDevice_natIp_version
http_referer url_domain http_referer_alexaRank, http_referer_conditionalFrequency, http_referer_rootDomain, http_referer_fqdn, http_referer_entropyFqdn, http_referer_entropyRootDomain, http_referer_entropySubDomain, http_referer_possibleDga, http_referer_possibleDynDns, http_referer_queryParameters, http_referer_tld, http_referer_protocol, http_referer_path
http_url url_domain http_url_alexaRank, http_url_conditionalFrequency, http_url_rootDomain, http_url_fqdn, http_url_entropyFqdn, http_url_entropyRootDomain, http_url_entropySubDomain, http_url_possibleDga, http_url_possibleDynDns, http_url_queryParameters, http_url_tld, http_url_protocol, http_url_path
normalizedSeverity severity normalizedSeverity_description
srcDevice_hostname normalizedHostname srcDevice_hostname_raw
srcDevice_ip ip srcDevice_ip_asnNumber, srcDevice_ip_asnOrg, srcDevice_ip_city, srcDevice_ip_countryCode, srcDevice_ip_countryName, srcDevice_ip_ipv4IntValue, srcDevice_ip_isInternal, srcDevice_ip_isp, srcDevice_ip_latitude, srcDevice_ip_location, srcDevice_ip_longitude, srcDevice_ip_region, srcDevice_ip_version
srcDevice_k8s_deployment normalizedDeploymentName
srcDevice_k8s_pod normalizedPodName
srcDevice_k8s_replicaSet normalizedReplicaSetName
srcDevice_natIp ip srcDevice_natIp_asnNumber, srcDevice_natIp_asnOrg, srcDevice_natIp_city, srcDevice_natIp_countryCode, srcDevice_natIp_countryName, srcDevice_natIp_ipv4IntValue, srcDevice_natIp_isInternal, srcDevice_natIp_isp, srcDevice_natIp_latitude, srcDevice_natIp_location, srcDevice_natIp_longitude, srcDevice_natIp_region, srcDevice_natIp_version
targetUser_username normalizedUsername targetUser_username_raw, targetUser_username_role
user_username normalizedUsername user_username_raw, user_username_role