Threat Events Stream Dictionary
- Last Updated: Sep 5, 2023
| Common Event Format (CEF) Name | JSON Name | Description | Field Type | Example Value |
|---|---|---|---|---|
| Timestamp | timestamp | Timestamp of the threat event | String (ISO 8601) | 2019-11-01T02:04:56.084Z |
| AlertID | alertId | The threat event ID | String | a111111a-11a1-4f80-9905-24f90bfe26bf |
| DeviceID | device.externalId | Device identifier as obtained from a connected UEM. Usually the device's UDID. | String | 59fa173f6c7ca6e7516fa27632f0fa14aaaaaaaa |
| GUID | device.deviceId | Jamf unique identifier for the device | String | a111111a-11a1-4266-9609-fbee82a8a4f9 |
| DeviceName | device.deviceName | Platform and version of the device | String | Apple iPhone 6s (12.2) |
| Event | eventType.description | The threat event that was detected | String | Malware |
| AppName | app.name | Name of the application identified for this threat event | String | MyFreeCalculator |
| AppID | app.id | packageName (Android) or bundleId (iOS and iPadOS) of the application identified for this threat event (if applicable) | String | ru.freeapps.calc |
| Severity | severity | Severity level of the threat event | String (enumerated value) | 6 |
| Destination | destination.name | Destination URL of malicious network activity (if applicable) | String | http://badsite.com/exa_mple1 |
| ACT | action | The policy action taken | String (enumerated value) | Detected |
| OS | device.os | OS and version of the device | String | iOS / iPadOS 12.2 |
| Location | location | Location of the device when the threat event was detected, as a 2-letter ISO country code | String | gb |
| AccessPoint | accessPoint | The access point that a network threat was detected on | String | Starbucks_FREE_WIFI |
| EventURL | eventUrl | URL link to the Jamf Security Cloud Event Detail report | String | |
| AccountName | account.name | Customer account name | String | Megacorp GB |
| UserEmail | user.email | Device user email address | String | john.smith@megacorp.com |
| SourceIP | source.ip | IP address of the device where potential malicious network activity originated | String | 123.45.6.789 |
| CustomerId | account.customerId | Customer account ID | String | 4444defa-1042-4a85-9fff-763ae00c8354 |
| AppVersion | app.version | Version of the application identified for this threat event | String | 10.4 |
| AppSha256 | app.sha256 | SHA-256 hash of the application identified for this threat event | String | 50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c |
| AppSha1 | app.sha1 | SHA-1 hash of the application | String | c3499c2729730a7f807efb8676a92dcb6f8a3f8f |
| DestinationIP | destination.ip | IP address of the destination server | String | 123.45.6.789 |
| ParentId | account.parentId | Customer global account ID | String | 5555defa-1042-4a85-9fff-763ae00c8354 |
| AccessPointBSSID | accessPointBssid | The BSSID of the access point that a network threat was detected on | String | 23:8f:cf:0:9d:23 |
| EventType | eventType.name | The granular threat event that was detected | String | POTENTIALLY_UNWANTED_APP_IN_INVENTORY |
| spt | source.port | Port where the request originated | String | 1234 |
| dpt | destination.port | Port of the destination server where the request is going | String | 80 |
| UserDeviceName | device.userDeviceName | The name of the device set by the end user or admin | String | Lesley's iPhone, or an artificial GUID depending on UEM presence |
| suser | sourceUserName | Identifies the source user by name | String | Joanne Smith |
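
The dictionary above gives the JSON path and the CEF extension key for each field but not how to get from one to the other. The following is an added example (not Jamf's code) of a normaliser that resolves the dotted JSON paths, validates the fields a SIEM pipeline should sanity-check before forwarding (ISO 8601 timestamp, severity within the CEF 0-10 range, well-formed SHA-256/SHA-1 digests, 2-letter location), applies CEF escaping, and emits a `CEF:0` line keyed exactly as the table specifies. The CEF header vendor, product and version strings are assumptions made here, as the dictionary does not define them; the sample event is constructed from the table's example column, with documentation-range IP addresses substituted for the placeholder ones.

```python
"""Normalise a Jamf Security Cloud threat-event JSON document into a CEF line
using the dictionary's CEF names. Example code, not part of the Jamf stream."""
import json
import re
from datetime import datetime

# JSON path -> CEF extension key, copied from the dictionary table.
FIELD_MAP = {
    "timestamp": "Timestamp", "alertId": "AlertID", "severity": "Severity",
    "device.externalId": "DeviceID", "device.deviceId": "GUID",
    "device.deviceName": "DeviceName", "device.os": "OS",
    "device.userDeviceName": "UserDeviceName",
    "eventType.description": "Event", "eventType.name": "EventType",
    "app.name": "AppName", "app.id": "AppID", "app.version": "AppVersion",
    "app.sha256": "AppSha256", "app.sha1": "AppSha1",
    "destination.name": "Destination", "destination.ip": "DestinationIP",
    "destination.port": "dpt", "source.ip": "SourceIP", "source.port": "spt",
    "action": "ACT", "location": "Location", "accessPoint": "AccessPoint",
    "accessPointBssid": "AccessPointBSSID", "eventUrl": "EventURL",
    "account.name": "AccountName", "account.customerId": "CustomerId",
    "account.parentId": "ParentId", "user.email": "UserEmail",
    "sourceUserName": "suser",
}
# CEF header fields: assumed values, the dictionary does not specify them.
CEF_VENDOR, CEF_PRODUCT, CEF_VERSION = "Jamf", "Jamf Security Cloud", "1"

# Constructed sample event built from the table's example column.
SAMPLE_EVENT_JSON = """{
 "timestamp": "2019-11-01T02:04:56.084Z", "alertId": "a111111a-11a1-4f80-9905-24f90bfe26bf",
 "device": {"externalId": "59fa173f6c7ca6e7516fa27632f0fa14aaaaaaaa",
            "deviceId": "a111111a-11a1-4266-9609-fbee82a8a4f9",
            "deviceName": "Apple iPhone 6s (12.2)", "os": "iOS / iPadOS 12.2",
            "userDeviceName": "Lesley's iPhone"},
 "eventType": {"name": "POTENTIALLY_UNWANTED_APP_IN_INVENTORY", "description": "Malware"},
 "app": {"name": "MyFreeCalculator", "id": "ru.freeapps.calc", "version": "10.4",
         "sha256": "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c",
         "sha1": "c3499c2729730a7f807efb8676a92dcb6f8a3f8f"},
 "severity": 6, "action": "Detected", "location": "gb",
 "destination": {"name": "http://badsite.com/exa_mple1", "ip": "198.51.100.7", "port": 80},
 "source": {"ip": "192.0.2.10", "port": 1234},
 "account": {"name": "Megacorp GB", "customerId": "4444defa-1042-4a85-9fff-763ae00c8354",
             "parentId": "5555defa-1042-4a85-9fff-763ae00c8354"},
 "user": {"email": "john.smith@megacorp.com"}, "sourceUserName": "Joanne Smith"
}"""
HEX = re.compile(r"^[0-9a-f]+$")


def sample_event():
    """Parse the constructed sample into a dict (fresh copy each call)."""
    return json.loads(SAMPLE_EVENT_JSON)


def get_path(obj, dotted):
    """Resolve a dotted JSON path such as 'device.externalId'; None if absent."""
    cur = obj
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def cef_escape_header(value):
    """Header fields: escape backslash and the '|' delimiter."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_ext(value):
    """Extension values: escape backslash, '=' and line breaks ('|' is literal here)."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def validate_event(event):
    """Return a list of problems; an empty list means the event passes."""
    problems = []
    ts = str(get_path(event, "timestamp") or "")
    try:  # 'Z' suffix is not accepted by fromisoformat before Python 3.11
        datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except ValueError:
        problems.append("timestamp is not ISO 8601")
    try:
        if not 0 <= int(get_path(event, "severity")) <= 10:
            problems.append("severity outside CEF range 0-10")
    except (TypeError, ValueError):
        problems.append("severity missing or not an integer")
    for path, length in (("app.sha256", 64), ("app.sha1", 40)):
        digest = get_path(event, path)
        if digest is not None and not (len(digest) == length and HEX.match(digest)):
            problems.append(f"{path} is not a {length}-hex-digit digest")
    loc = get_path(event, "location")
    if loc is not None and not re.fullmatch(r"[A-Za-z]{2}", loc):
        problems.append("location is not a 2-letter country code")
    return problems


def to_cef(event):
    """Render one validated event as a CEF:0 line; raise ValueError on bad input."""
    problems = validate_event(event)
    if problems:
        raise ValueError("; ".join(problems))
    header = [CEF_VENDOR, CEF_PRODUCT, CEF_VERSION,
              get_path(event, "eventType.name") or "UNKNOWN",
              get_path(event, "eventType.description") or "Threat event",
              int(get_path(event, "severity"))]
    ext = [f"{key}={cef_escape_ext(val)}" for path, key in FIELD_MAP.items()
           if (val := get_path(event, path)) not in (None, "")]
    return "CEF:0|" + "|".join(cef_escape_header(h) for h in header) + "|" + " ".join(ext)
```

Calling `to_cef(sample_event())` yields a line beginning `CEF:0|Jamf|Jamf Security Cloud|1|POTENTIALLY_UNWANTED_APP_IN_INVENTORY|Malware|6|` followed by the `Key=value` extension pairs. Fields absent from the event (here `accessPoint` and `eventUrl`) are simply omitted rather than emitted empty, and the escaping functions are kept separate because CEF escapes `|` only in the header and `=` only in the extension; applying one rule to both positions is a common source of broken SIEM parsing.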