Source

Top Level Fieldset: True

Source fields capture information about the sender of an event.

Source Fields

source.address

Required Field: False
Type: STRING
Example: 8.8.8.8
Detection Supported Field: True

The raw address of the source, exactly as it appears in the event. This value should also be copied to source.ip or source.domain, depending on whether it is an IP address or a host name, so detections can match on the typed field.


source.domain

Required Field: False
Type: STRING
Example: example.com
Detection Supported Field: True

The domain name of the source. This value can be a short host name or a fully qualified domain name (FQDN).


source.indicators

Required Field: False
Type: ARRAY
Example: ['malicious']
Detection Supported Field: True

Threat indicators attached to the source by enrichment (for example, a watchlist or threat-intelligence match), as opposed to values parsed from the raw event.


source.ip

Required Field: False
Type: STRING
Example: 8.8.8.8
Detection Supported Field: True

IP address of the source (IPv4 or IPv6).


source.mac

Required Field: False
Type: STRING
Example: 00-00-5E-00-53-23
Detection Supported Field: True

MAC address of the source.


source.port

Required Field: False
Type: INTEGER
Example: 53
Detection Supported Field: True

Transport-layer port of the source (for example, the client-side port of a TCP or UDP connection).
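
As an added example (not part of this schema reference or of any vendor's parser), the following Python helper shows how a log normalizer could populate the source.* fields from a raw sender address, applying the source.address rule above: the raw value is kept verbatim in source.address and the parsed value is copied into source.ip or source.domain depending on which one applies. Everything beyond the field names is an assumption: the host:port and [v6]:port splitting, the canonical hyphenated uppercase MAC form, the in-memory watchlist used to fill source.indicators, and the constructed inputs.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple, Union

# Hypothetical normalizer; the field names match the fieldset above, the
# parsing and canonicalization rules are this example's own assumptions.

_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2})([-:])(?:[0-9A-Fa-f]{2}\2){4}[0-9A-Fa-f]{2}$")
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def split_host_port(raw: str) -> Tuple[str, Optional[int]]:
    """Split 'host:port', '[v6]:port' or a bare address into (host, port).

    A bare IPv6 literal has more than one colon and is returned untouched.
    """
    raw = raw.strip()
    if raw.startswith("["):  # bracketed IPv6, optionally followed by :port
        end = raw.find("]")
        if end == -1:
            return raw, None
        host, rest = raw[1:end], raw[end + 1:]
        if rest.startswith(":") and rest[1:].isdigit():
            return host, int(rest[1:])
        return host, None
    if raw.count(":") == 1:  # host:port or IPv4:port
        host, port = raw.rsplit(":", 1)
        if port.isdigit():
            return host, int(port)
    return raw, None


def normalize_source(
    raw_address: str,
    mac: Optional[str] = None,
    port: Optional[int] = None,
    watchlist: Optional[Dict[str, List[str]]] = None,
) -> Dict[str, Union[str, int, List[str]]]:
    """Build the source.* fields from a raw sender address.

    source.address keeps the raw value; the parsed host is copied to
    source.ip (canonical IPv4/IPv6 text) or source.domain (lower-cased,
    trailing dot removed), never both. Anything that is neither is rejected
    rather than silently stored as a domain.
    """
    host, parsed_port = split_host_port(raw_address)
    fields: Dict[str, Union[str, int, List[str]]] = {"source.address": raw_address.strip()}

    try:
        ip = ipaddress.ip_address(host)
        fields["source.ip"] = str(ip)  # e.g. 2001:0db8::0001 -> 2001:db8::1
        lookup_key = fields["source.ip"]
    except ValueError:
        if not _HOSTNAME_RE.match(host):
            raise ValueError(f"unrecognized source address: {raw_address!r}")
        fields["source.domain"] = host.rstrip(".").lower()
        lookup_key = fields["source.domain"]

    # An explicit port (e.g. from a dedicated log field) wins over one parsed
    # out of the address string.
    port = parsed_port if port is None else port
    if port is not None:
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        fields["source.port"] = port

    if mac is not None:
        if not _MAC_RE.match(mac):
            raise ValueError(f"malformed MAC address: {mac!r}")
        # Assumed canonical form, matching the 00-00-5E-00-53-23 example style.
        fields["source.mac"] = mac.upper().replace(":", "-")

    # Enrichment step: indicators come from a lookup, not from the event.
    if watchlist and lookup_key in watchlist:
        fields["source.indicators"] = list(watchlist[lookup_key])

    return fields


if __name__ == "__main__":
    # Constructed inputs, not real events.
    constructed_watchlist = {"mail.example.com": ["malicious"]}
    for raw in ("8.8.8.8:53", "[2001:0db8::0001]:443", "mail.example.com.", "2001:db8::1"):
        print(normalize_source(raw, watchlist=constructed_watchlist))
```

Keeping the raw string in source.address alongside the typed copy matters for investigations: the canonicalized source.ip is what detections match on, while the untouched source.address preserves the exact bytes the log source emitted, which is what you compare against when a parser bug or an odd encoding is suspected.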