ClickHouse DB Schema -------------------- Here the full list schema available for ClickHouse; Three columns are shown in the below table: - Field: field used when doing queries on the DB - Readable Name: Which information the column contains in a human readable format - Type: Value data type - Description: Description of the data The list of protocols and alert categories can be found below the table. Flows table description: +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | Field | Readable Name | Type | Description | +===========================+===========================+================+==========================================================================================================================+ | FLOW_ID | Flow ID | UInt64 | Unique Identifier of the flow, each flow has a different Flow ID | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | IP_PROTOCOL_VERSION | IP Version | UInt8 | IP protocol version, 0 if the protocol is IPv6, 1 if it's IPv4 | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | FIRST_SEEN | First Seen | DateTime | The date (down to milliseconds) of the first time the flow was seen on the network | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | LAST_SEEN | Last Seen | DateTime | The date (down to milliseconds) of the last time the flow was seen on the network | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | VLAN_ID | VLAN ID | UInt16 | The VLAN on which the flow was seen | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | PACKETS | Total Packets | UInt32 | The number of Packets exchanged during the communication | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | TOTAL_BYTES | Total Bytes | UInt64 | The number of Bytes exchanged during the communication | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | SRC2DST_BYTES | Source to Dest. Bytes | UInt64 | The number of Bytes sent from the source towards the destination during the communication | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | DST2SRC_BYTES | Dest. to Source Bytes | UInt64 | The number of Bytes sent from the destination towards the source during the communication | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | SRC2DST_DSCP | Source to Dest. DSCP | UInt8 | The DSCP from the source towards the destination | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | DST2SRC_DSCP | Dest. to Source DSCP | UInt8 | The DSCP from the destination towards the source | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | PROTOCOL | Layer 4 Protocol | UInt8 | The Layer 4 protocol used during the communication | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | IPV4_SRC_ADDR | IPv4 Source Address | UInt32 | The IPv4 address of the source | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | IPV6_SRC_ADDR | IPv6 Source Address | UInt32 | The IPv6 address of the source | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | IP_SRC_PORT | Source Port | UInt16 | The port used by the source | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | IPV4_DST_ADDR | IPv4 Destination Address | UInt32 | The IPv4 address of the destination | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | IPV6_DST_ADDR | IPv6 Destination Address | UInt32 | The IPv6 address of the destination | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | IP_DST_PORT | Destination Port | UInt16 | The port used by the destination | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | L7_PROTO | Layer 7 Application Proto | UInt16 | The Application Protocol of the communication | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | L7_PROTO_MASTER | Layer 7 Master Proto | UInt16 | The Master Protocol of the communication | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | L7_CATEGORY | Layer 7 Category | UInt16 | The Category of the communication | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | FLOW_RISK | Flow Risk | UInt64 | A bitmap containing the Flow Risk set during communication | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | INFO | Flow Info | String | Contains extra informations regarding the communication (e.g. the URL requested) | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | PROFILE | Profile Name | String | Contains the profile name | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | NTOPNG_INSTANCE_NAME | Instance Name | String | ntopng instance name | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | INTERFACE_ID | Interface ID | UInt16 | The Interface identifier where the flow was seen | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | STATUS | Predominant Alert ID | UInt8 | The ID of the most important alert (based on Score) the flow triggered | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | SRC_COUNTRY_CODE | Source Country Code | UInt16 | The country code of the Source | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | DST_COUNTRY_CODE | Destination Country Code | UInt16 | The country code of the Destination | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | SRC_LABEL | Source Host Name | String | The Host Name of the Source | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | DST_LABEL | Destination Host Name | String | The Host Name of the Destination | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | SRC_MAC | Source MAC Address | UInt64 | The MAC Address of the Source | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | DST_MAC | Destination MAC Address | UInt64 | The MAC Address of the Destination | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | COMMUNITY_ID | Community ID | String | The community ID of the communication | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | SRC_ASN | Source AS | UInt32 | Autonomous system of the Source | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | DST_ASN | Destination AS | UInt32 | Autonomous system of the Destination | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | PROBE_IP | Probe IP | UInt32 | IP address of the nProbe instance that sent the flow to ntopng | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | OBSERVATION_POINT_ID | Observation Point ID | UInt16 | The Observation Point ID where the flow was seen | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | SRC2DST_TCP_FLAGS | Source TCP Flags | UInt8 | A bitmap containing the TCP Flags sent from the Source to the Destination | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | DST2SRC_TCP_FLAGS | Destination TCP Flags | UInt8 | A bitmap containing the TCP Flags sent from the Destination to the Source | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | SCORE | Score | UInt16 | The score indicator of the flow | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | CLIENT_NW_LATENCY_US | Source Network Latency | UInt32 | The Source Network Latency | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | SERVER_NW_LATENCY_US | Dest. Network Latency | UInt32 | The Dest. Network Latency | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | CLIENT_LOCATION | Source Location | UInt8 | 0 stands for Remote Host; 1 stands for Local Host; 2 stands for Multicast Host | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | SERVER_LOCATION | Destination Location | UInt8 | 0 stands for Remote Host; 1 stands for Local Host; 2 stands for Multicast Host | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | SRC_NETWORK_ID | Source Network ID | UInt32 | The Network ID of the Source address | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | DST_NETWORK_ID | Destination Network ID | UInt32 | The Network ID of the Destination address | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | INPUT_SNMP | Input SNMP Interface | UInt32 | If SNMP is enabled, contains the Input Interface ID of the device where the flow was seen | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | OUTPUT_SNMP | Output SNMP Interface | UInt32 | If SNMP is enabled, contains the Output Interface ID of the device where the flow was seen | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | SRC_HOST_POOL_ID | Source Host Pool ID | UInt16 | The Host Pool ID of the Source | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | DST_HOST_POOL_ID | Dest. Host Pool ID | UInt16 | The Host Pool ID of the Destination | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | SRC_PROC_NAME | Source Process Name | String | If enabled by using nProbe Agent, contains the Source process that generate the flow | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | DST_PROC_NAME | Destination Process Name | String | If enabled by using nProbe Agent, contains the Destination process of the flow | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | SRC_PROC_USER_NAME | Source Process Username | String | If enabled by using nProbe Agent, contains the Username of the Source that executed the Process | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | DST_PROC_USER_NAME | Dest. Process Username | String | If enabled by using nProbe Agent, contains the Username of the Destination that executed the Process | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | ALERTS_MAP | Alerts Bitmap | String | A bitmap containing all the alerts triggered by the flow | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | SEVERITY | Alert Severity | String | The severity of the communication | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | IS_CLI_ATTACKER | Source Attacker | UInt8 | A Boolean representing if ntopng flagged the Source as an Attacker (1) or not (0) | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | IS_CLI_VICTIM | Source Victim | UInt8 | A Boolean representing if ntopng flagged the Source as a Victim (1) or not (0) of an attack | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | IS_CLI_BLACKLISTED | Blacklisted Source | UInt8 | 1 if the Source was blacklisted, 0 otherwise | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | IS_SRV_ATTACKER | Destination Attacker | UInt8 | A flags representing if ntopng flagged the Destination as an Attacker (1) or not (0) | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | IS_SRV_VICTIM | Destination Victim | UInt8 | A Boolean representing if ntopng flagged the Destination as a Victim (1) or not (0) of an attack | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | IS_SRV_BLACKLISTED | Blacklisted Destination | UInt8 | 1 if the Destination was blacklisted, 0 otherwise | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | ALERT_STATUS | Alert Acknowledged | UInt8 | 1 if the alert was acknowledged, 0 otherwise | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | USER_LABEL | User Customizable Message | String | A description that users can add when acknowledging alerts | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | USER_LABEL_TSTAMP | Date of User Message | DateTime | The Date when the User Message was customized | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | ALERT_JSON | Extra Protocol Info | String | A JSON field containing extra informations regarding the procotocol (e.g. In HTTP, contains the HTTP URL) | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | IS_ALERT_DELETED | Alert Deleted | UInt8 | 1 if the alert was deleted, 0 otherwise | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | SRC2DST_PACKETS | Source to Dest. Packets | UInt32 | The number of packets sent from the Source towards the Destination | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | DST2SRC_PACKETS | Dest. to Source Packets | UInt32 | The number of packets sent from the Destination towards the Source | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ | ALERT_CATEGORY | Alert Category | UInt8 | Category of the alert (e.g. Flow alert, Host alert) | +---------------------------+---------------------------+----------------+--------------------------------------------------------------------------------------------------------------------------+ The list of the Layer 7 protocols can be found `here `__ The list of the Layer 4 protocols can be found `here https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml`__ An updated list of Application Categories can be found `here `__ +--------+---------------------------+ | ID | Category | +========+===========================+ | 0 | Unspecified | +--------+---------------------------+ | 1 | Media | +--------+---------------------------+ | 2 | VPN | +--------+---------------------------+ | 3 | Mail | +--------+---------------------------+ | 4 | Data Transfer | +--------+---------------------------+ | 5 | Web | +--------+---------------------------+ | 7 | Social Network | +--------+---------------------------+ | 8 | Download FT | +--------+---------------------------+ | 9 | Game | +--------+---------------------------+ | 10 | Chat | +--------+---------------------------+ | 11 | VoIP | +--------+---------------------------+ | 12 | Database | +--------+---------------------------+ | 13 | Remote Access | +--------+---------------------------+ | 14 | Cloud | +--------+---------------------------+ | 16 | Network | +--------+---------------------------+ | 17 | Collaborative | +--------+---------------------------+ | 18 | RPC | +--------+---------------------------+ | 19 | Streaming | +--------+---------------------------+ | 20 | System OS | +--------+---------------------------+ | 21 | Software Update | +--------+---------------------------+ | 22 | Custom Category 1 | +--------+---------------------------+ | 23 | Custom Category 2 | +--------+---------------------------+ | 24 | Custom Category 3 | +--------+---------------------------+ | 25 | Custom Category 4 | +--------+---------------------------+ | 26 | Custom Category 5 | +--------+---------------------------+ | 27 | Music | +--------+---------------------------+ | 28 | Video | +--------+---------------------------+ | 29 | Shopping | +--------+---------------------------+ | 30 | Productivity | +--------+---------------------------+ | 31 | File Sharing | +--------+---------------------------+ | 32 | Connectivity Check | +--------+---------------------------+ | 33 | IOT SCADA | +--------+---------------------------+ | 34 | Virtual Assistant | +--------+---------------------------+ | 35 | Cybersecurity | +--------+---------------------------+ | 36 | Adult Content | +--------+---------------------------+ | 99 | Mining | +--------+---------------------------+ | 100 | Malware | +--------+---------------------------+ | 101 | Advertisement | +--------+---------------------------+ | 102 | Banned Site | +--------+---------------------------+ | 103 | Site Unavailable | +--------+---------------------------+ | 104 | Allowed Site | +--------+---------------------------+ | 105 | AntiMalware | +--------+---------------------------+ | 106 | Crypt Currency | +--------+---------------------------+ | 107 | Gambling | +--------+---------------------------+ | 108 | Health | +--------+---------------------------+ The list of Alerts Category Available: +--------+---------------------------+ | ID | Alert Category | +========+===========================+ | 0 | Interface Alert | +--------+---------------------------+ | 1 | Host Alert | +--------+---------------------------+ | 2 | Network Alert | +--------+---------------------------+ | 3 | SNMP Alert | +--------+---------------------------+ | 4 | Flow Alert | +--------+---------------------------+ | 5 | MAC Alert | +--------+---------------------------+ | 7 | User Alert | +--------+---------------------------+ | 8 | Active Monitoring Alert | +--------+---------------------------+ | 9 | System Alert | +--------+---------------------------+ | 15 | Other Alert | +--------+---------------------------+ The list of Alert Severities: +--------+---------------------------+ | ID | Alert Severity | +========+===========================+ | 0 | None | +--------+---------------------------+ | 1 | Debug | +--------+---------------------------+ | 2 | Info | +--------+---------------------------+ | 3 | Notice | +--------+---------------------------+ | 4 | Warning | +--------+---------------------------+ | 5 | Error | +--------+---------------------------+ | 7 | Critical | +--------+---------------------------+ | 8 | Emergency | +--------+---------------------------+ Active monitoring description: +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | Field | Readable Name | Type | Description | +==================+========================+==========+==========================================================================================================+ | rowid | Row ID | UUID | Unique identifier for each row in the table | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | alert_id | Alert ID | UInt32 | Unique identifier for each alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | alert_status | Alert Status | UInt8 | Current status of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | interface_id | Interface ID | UInt16 | Identifier of the network interface associated with the alert (nullable) | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | resolved_ip | Resolved IP | String | IP address associated with the alert, if resolved | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | resolved_name | Resolved Name | String | Hostname associated with the alert, if resolved | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | measurement | Measurement | String | Type or name of the measurement that triggered the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | measure_threshold| Measure Threshold | UInt32 | Threshold value that triggered the alert (nullable) | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | measure_value | Measure Value | REAL | Actual measured value that triggered the alert (nullable) | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | tstamp | Timestamp | DateTime | Time when the alert was created or detected | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | tstamp_end | End Timestamp | DateTime | Time when the alert was resolved or ended (nullable) | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | severity | Severity | UInt8 | Severity level of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | score | Score | UInt16 | Numerical score associated with the alert, possibly indicating its importance or priority | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | counter | Counter | UInt32 | Counter value, possibly indicating the number of times this alert has occurred | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | description | Description | String | Textual description of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | json | JSON | String | JSON-formatted additional data or full representation of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | user_label | User Label | String | Custom label assigned by a user when silencing the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | user_label_tstamp| User Label Timestamp | DateTime | Timestamp when the user label was last modified (nullable) | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | alert_category | Alert Category | UInt8 | Category of the alert, added in an ALTER TABLE statement | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ Flow alerts description: +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | Field | Readable Name | Type | Description | +==================+========================+==========+==========================================================================================================+ | rowid | Row ID | UUID | Unique identifier for each row in the table | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | alert_id | Alert ID | UInt32 | Unique identifier for each alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | alert_status | Alert Status | UInt8 | Current status of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | interface_id | Interface ID | UInt16 | Identifier of the network interface associated with the alert (nullable) | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | tstamp | Timestamp | DateTime | Time when the alert was created | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | tstamp_end | End Timestamp | DateTime | Time when the alert has ended | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | severity | Severity | UInt8 | Severity level of the alert (See the Alert Severities table above) | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | score | Score | UInt16 | Numerical score associated with the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | counter | Counter | UInt32 | Counter value, indicating the number of times this alert has occurred | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | json | JSON | String | JSON-formatted additional data or full representation of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | ip_version | IP Version | UInt8 | Version of IP protocol used (4 or 6) | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | cli_ip | Client IP | String | IP address of the client | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | srv_ip | Server IP | String | IP address of the server | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | cli_port | Client Port | UInt16 | Port number used by the client | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | srv_port | Server Port | UInt16 | Port number used by the server | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | vlan_id | VLAN ID | UInt16 | VLAN identifier | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | is_cli_attacker | Is Client Attacker | UInt8 | Flag indicating if the client is classified as an attacker | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | is_cli_victim | Is Client Victim | UInt8 | Flag indicating if the client is classified as a victim | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | is_srv_attacker | Is Server Attacker | UInt8 | Flag indicating if the server is classified as an attacker | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | is_srv_victim | Is Server Victim | UInt8 | Flag indicating if the server is classified as a victim | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | proto | Protocol | UInt8 | IP protocol number (A list of L4 Protocols can be found above) | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | l7_proto | L7 Protocol | UInt16 | Layer 7 protocol identifier | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | l7_master_proto | L7 Master Protocol | UInt16 | Master Layer 7 protocol identifier | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | l7_cat | L7 Category | UInt16 | Category of Layer 7 protocol (A list of Application Categories can be found above) | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | cli_name | Client Name | String | Name or hostname of the client | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | srv_name | Server Name | String | Name or hostname of the server | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | cli_country | Client Country | String | Country of the client | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | srv_country | Server Country | String | Country of the server | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | cli_blacklisted | Client Blacklisted | UInt8 | Flag indicating if the client is blacklisted | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | srv_blacklisted | Server Blacklisted | UInt8 | Flag indicating if the server is blacklisted | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | cli2srv_bytes | Client to Server Bytes | UInt8 | Number of bytes transferred from client to server | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | srv2cli_bytes | Server to Client Bytes | UInt8 | Number of bytes transferred from server to client | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | cli2srv_pkts | Client to Server Pkts | UInt8 | Number of packets transferred from client to server | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | srv2cli_pkts | Server to Client Pkts | UInt8 | Number of packets transferred from server to client | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | first_seen | First Seen | DateTime | Timestamp when the flow was first observed | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | community_id | Community ID | String | Community identifier for the flow | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | alerts_map | Alerts Map | String | HEX bitmap of all flow statuses | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | flow_risk_bitmap | Flow Risk Bitmap | UInt64 | Bitmap representing risk factors associated with the flow | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | user_label | User Label | String | Custom label assigned by a user when silencing the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | user_label_tstamp| User Label Timestamp | DateTime | Timestamp when the user label was last modified | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | cli_host_pool_id | Client Host Pool ID | UInt16 | Host pool identifier for the client | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | srv_host_pool_id | Server Host Pool ID | UInt16 | Host pool identifier for the server | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | cli_network | Client Network | UInt16 | Network identifier for the client | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | srv_network | Server Network | UInt16 | Network identifier for the server | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | info | Info | String | Additional information about the flow alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | cli_location | Client Location | UInt8 | Location identifier for the client | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | srv_location | Server Location | UInt8 | Location identifier for the server | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | probe_ip | Probe IP | String | IP address of the probe that detected the flow | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | input_snmp | Input SNMP | UInt32 | SNMP interface index for input | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | output_snmp | Output SNMP | UInt32 | SNMP interface index for output | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | alert_category | Alert Category | UInt8 | Category of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ Host alerts description: +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | Field | Readable Name | Type | Description | +==================+========================+==========+==========================================================================================================+ | rowid | Row ID | UUID | Unique identifier for each row in the table | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | alert_id | Alert ID | UInt32 | Identifier for each alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | alert_status | Alert Status | UInt8 | Current status of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | interface_id | Interface ID | UInt16 | Identifier of the network interface associated with the alert (nullable) | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | ip_version | IP Version | UInt8 | Version of IP protocol used (4 or 6) | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | ip | IP Address | String | IP address of the alerted host | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | vlan_id | VLAN ID | UInt16 | VLAN identifier | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | name | Host Name | String | Name or hostname of the host | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | is_attacker | Is Attacker | UInt8 | Flag indicating if the host is classified as an attacker | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | is_victim | Is Victim | UInt8 | Flag indicating if the host is classified as a victim | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | is_client | Is Client | UInt8 | Flag indicating if the host is acting as a client | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | is_server | Is Server | UInt8 | Flag indicating if the host is acting as a server | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | tstamp | Timestamp | DateTime | Time when the alert was created | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | tstamp_end | End Timestamp | DateTime | Time when the alert has ended | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | severity | Severity | UInt8 | Severity level of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | score | Score | UInt16 | Numerical score associated with the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | granularity | Granularity | UInt8 | Frequency of alert check execution | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | counter | Counter | UInt32 | Counter value, possibly indicating the number of times this alert has occurred | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | description | Description | String | Textual description of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | json | JSON | String | JSON-formatted additional data or full representation of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | user_label | User Label | String | Custom label assigned by a user when silencing the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | user_label_tstamp| User Label Timestamp | DateTime | Timestamp when the user label was last modified | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | host_pool_id | Host Pool ID | UInt16 | Identifier for the pool of hosts this host belongs to | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | network | Network ID | UInt16 | Identifier for the network this host belongs to | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | country | Country | String | Country associated with the host's IP address | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | alert_category | Alert Category | UInt8 | Category of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ Mac address alerts description: +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | Field | Readable Name | Type | Description | +==================+========================+==========+==========================================================================================================+ | rowid | Row ID | UUID | Unique identifier for each row in the table | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | alert_id | Alert ID | UInt32 | Identifier for each alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | alert_status | Alert Status | UInt8 | Current status of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | interface_id | Interface ID | UInt16 | Identifier of the network interface associated with the alert (nullable) | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | address | MAC Address | String | MAC address of the device | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | device_type | Device Type | UInt8 | Type of the device (nullable) | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | name | Device Name | String | Name or hostname of the device | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | is_attacker | Is Attacker | UInt8 | Flag indicating if the device is classified as an attacker | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | is_victim | Is Victim | UInt8 | Flag indicating if the device is classified as a victim | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | tstamp | Timestamp | DateTime | Time when the alert was created or detected | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | tstamp_end | End Timestamp | DateTime | Time when the alert was resolved or ended | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | severity | Severity | UInt8 | Severity level of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | score | Score | UInt16 | Numerical score associated with the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | granularity | Granularity | UInt8 | Frequency of alert check execution | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | counter | Counter | UInt32 | Counter value, possibly indicating the number of times this alert has occurred | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | description | Description | String | Textual description of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | json | JSON | String | JSON-formatted additional data or full representation of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | user_label | User Label | String | Custom label assigned by a user when silencing the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | user_label_tstamp| User Label Timestamp | DateTime | Timestamp when the user label was last modified | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | alert_category | Alert Category | UInt8 | Category of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ SNMP alerts description: +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | Field | Readable Name | Type | Description | +==================+========================+==========+==========================================================================================================+ | rowid | Row ID | UUID | Unique identifier for each row in the table | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | alert_id | Alert ID | UInt32 | Identifier for each alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | alert_status | Alert Status | UInt8 | Current status of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | interface_id | Interface ID | UInt16 | Identifier of the network interface associated with the alert (nullable) | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | ip | IP Address | String | IP address of the SNMP device | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | port | Port | UInt32 | Port number of the SNMP device | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | name | Device Name | String | Name or hostname of the SNMP device | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | port_name | Port Name | String | Name of the port on the SNMP device | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | tstamp | Timestamp | DateTime | Time when the alert was created or detected | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | tstamp_end | End Timestamp | DateTime | Time when the alert was resolved or ended | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | severity | Severity | UInt8 | Severity level of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | score | Score | UInt16 | Numerical score associated with the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | granularity | Granularity | UInt8 | Frequency of alert check execution | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | counter | Counter | UInt32 | Counter value, indicating the number of times this alert has occurred | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | description | Description | String | Textual description of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | json | JSON | String | JSON-formatted additional data for this alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | user_label | User Label | String | Custom label assigned by a user when silencing the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | user_label_tstamp| User Label Timestamp | DateTime | Timestamp when the user label was last modified | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | alert_category | Alert Category | UInt8 | Category of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ Network alerts description: +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | Field | Readable Name | Type | Description | +==================+========================+==========+==========================================================================================================+ | rowid | Row ID | UUID | Unique identifier for each row in the table | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | local_network_id | Local Network ID | UInt16 | Identifier for the local network associated with the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | alert_id | Alert ID | UInt32 | Identifier for each alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | alert_status | Alert Status | UInt8 | Current status of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | interface_id | Interface ID | UInt16 | Identifier of the network interface associated with the alert (nullable) | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | name | Network Name | String | Name of the network | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | alias | Network Alias | String | Alias or alternative name for the network | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | tstamp | Timestamp | DateTime | Time when the alert was created or detected | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | tstamp_end | End Timestamp | DateTime | Time when the alert was resolved or ended | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | severity | Severity | UInt8 | Severity level of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | score | Score | UInt16 | Numerical score associated with the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | granularity | Granularity | UInt8 | Frequency of alert check execution | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | counter | Counter | UInt32 | Counter value, possibly indicating the number of times this alert has occurred | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | description | Description | String | Textual description of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | json | JSON | String | JSON-formatted additional data or full representation of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | user_label | User Label | String | Custom label assigned by a user when silencing the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | user_label_tstamp| User Label Timestamp | DateTime | Timestamp when the user label was last modified | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | alert_category | Alert Category | UInt8 | Category of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ Interface alerts description: +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | Field | Readable Name | Type | Description | +==================+========================+==========+==========================================================================================================+ | rowid | Row ID | UUID | Unique identifier for each row in the table | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | ifid | Interface ID | UInt8 | Identifier for the network interface | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | alert_id | Alert ID | UInt32 | Identifier for each alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | alert_status | Alert Status | UInt8 | Current status of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | interface_id | Interface ID | UInt16 | Additional identifier of the network interface associated with the alert (nullable) | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | subtype | Alert Subtype | String | Subtype of alert_id | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | name | Interface Name | String | Name of the network interface | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | alias | Interface Alias | String | Alias or alternative name for the interface | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | tstamp | Timestamp | DateTime | Time when the alert was created or detected | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | tstamp_end | End Timestamp | DateTime | Time when the alert was resolved or ended | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | severity | Severity | UInt8 | Severity level of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | score | Score | UInt16 | Numerical score associated with the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | granularity | Granularity | UInt8 | Frequency of alert check execution | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | counter | Counter | UInt32 | Counter value, possibly indicating the number of times this alert has occurred | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | description | Description | String | Textual description of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | json | JSON | String | JSON-formatted additional data or full representation of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | user_label | User Label | String | Custom label assigned by a user when silencing the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | user_label_tstamp| User Label Timestamp | DateTime | Timestamp when the user label was last modified | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | alert_category | Alert Category | UInt8 | Category of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ User alerts description: +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | Field | Readable Name | Type | Description | +==================+========================+==========+==========================================================================================================+ | rowid | Row ID | UUID | Unique identifier for each row in the table | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | alert_id | Alert ID | UInt32 | Identifier for each alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | alert_status | Alert Status | UInt8 | Current status of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | interface_id | Interface ID | UInt16 | Identifier of the network interface associated with the alert (nullable) | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | user | User | String | Username or identifier of the user associated with the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | tstamp | Timestamp | DateTime | Time when the alert was created or detected | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | tstamp_end | End Timestamp | DateTime | Time when the alert was resolved or ended | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | severity | Severity | UInt8 | Severity level of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | score | Score | UInt16 | Numerical score associated with the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | granularity | Granularity | UInt8 | Frequency of alert check execution | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | counter | Counter | UInt32 | Counter value, possibly indicating the number of times this alert has occurred | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | description | Description | String | Textual description of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | json | JSON | String | JSON-formatted additional data or full representation of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | user_label | User Label | String | Custom label assigned by a user when silencing the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | user_label_tstamp| User Label Timestamp | DateTime | Timestamp when the user label was last modified | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | alert_category | Alert Category | UInt8 | Category of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ System alerts description: +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | Field | Readable Name | Type | Description | +==================+========================+==========+==========================================================================================================+ | rowid | Row ID | UUID | Unique identifier for each row in the table | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | alert_id | Alert ID | UInt32 | Identifier for each alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | alert_status | Alert Status | UInt8 | Current status of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | interface_id | Interface ID | UInt16 | Identifier of the network interface associated with the alert (nullable) | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | name | System Name | String | Name or identifier of the system associated with the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | tstamp | Timestamp | DateTime | Time when the alert was created or detected | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | tstamp_end | End Timestamp | DateTime | Time when the alert was resolved or ended | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | severity | Severity | UInt8 | Severity level of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | score | Score | UInt16 | Numerical score associated with the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | granularity | Granularity | UInt8 | Frequency of alert check execution | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | counter | Counter | UInt32 | Counter value, indicating the number of times this alert has occurred | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | description | Description | String | Textual description of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | json | JSON | String | JSON-formatted additional data | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | user_label | User Label | String | Custom label assigned by a user when silencing the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | user_label_tstamp| User Label Timestamp | DateTime | Timestamp when the user label was last modified | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ | alert_category | Alert Category | UInt8 | Category of the alert | +------------------+------------------------+----------+----------------------------------------------------------------------------------------------------------+ Vulnerability scan data: +----------------+------------------+----------+----------------------------------------------------------------------------------------------------------+ | Field | Readable Name | Type | Description | +================+==================+==========+==========================================================================================================+ | HOST | Host | String | The hostname or identifier of the scanned host | +----------------+------------------+----------+----------------------------------------------------------------------------------------------------------+ | SCAN_TYPE | Scan Type | String | The type or method of vulnerability scan performed | +----------------+------------------+----------+----------------------------------------------------------------------------------------------------------+ | LAST_SCAN | Last Scan Time | DateTime | The timestamp of when the last scan was performed | +----------------+------------------+----------+----------------------------------------------------------------------------------------------------------+ | JSON_INFO | JSON Information | String | Additional information about the scan in JSON format | +----------------+------------------+----------+----------------------------------------------------------------------------------------------------------+ | VS_RESULT_FILE | Result File Path | String | The file path or identifier for the full vulnerability scan results | +----------------+------------------+----------+----------------------------------------------------------------------------------------------------------+