| Field Name | Type | Description |
|---|---|---|
| Field name | Type | Description |
p_log_type | string | The type of log. |
p_row_id | string | Unique id (UUID) for the row. |
p_event_time | timestamp | The associated event time for the log type is copied here and normalized to UTC. Format: YYYY-MM-DD HH:MM:SS.fff |
p_parse_time | timestamp | The current time when the event was parsed, normalized to UTC. Format: YYYY-MM-DD HH:MM:SS.fff |
p_schema_version | integer | The version of the schema used for this row. |
p_source_id | string | The Panther generated internal id for the source integration. |
p_source_label | string | The user supplied label for the source integration (may change if edited). |
p_source_file | object | Available for S3 sources only, this field contains metadata of the file that this event originated from, including the bucket name and object key. |
p_header | object | Contains envelope metadata when Retain envelope fields is enabled for CloudWatch log sources. Includes information like log group, log stream, owner account, and subscription filters. |
| Field Name | Type | Description |
|---|---|---|
| Field name in panther_rule_matches | Type | Description |
p_alert_id | string | Id of alert related to row. |
p_alert_creation_time | timestamp | Time of alert creation related to row. |
p_alert_context | object | A JSON object returned from the rule's alert_context() function. |
p_alert_severity | string | The severity level of the rule at the time of the alert. This could be different from the default severity as it can be dynamically set. |
p_alert_update_time | timestamp | Time of last alert update related to row. |
p_rule_id | string | The id of the rule that generated the alert. |
p_rule_error | string | The error message if there was an error running the rule. |
p_rule_reports | map[string]array[string] | List of user defined rule reporting tags related to row. |
p_rule_severity | string | The default severity of the rule. |
p_rule_tags | array[string] | List of user defined rule tags related to row. |
| Indicator Name | Extracted into fields | Description |
|---|---|---|
| actor_id | p_any_actor_ids | Append value to p_any_actor_ids. |
| aws_account_id | p_any_aws_account_ids | If the value is a valid AWS account id, append to p_any_aws_account_ids. |
| aws_arn | p_any_aws_arns, p_any_aws_instance_ids, p_any_aws_account_ids, p_any_emails | If value is a valid AWS ARN then append to p_any_aws_arns. If the ARN contains an AWS account id, extract and append to p_any_aws_account_ids. If the ARN contains an EC2 instance id, extract and append to p_any_aws_instance_ids. If the ARN references an AWS STS Assume Role and contains and email address, then extract email address into p_any_emails. |
| aws_instance_id | p_any_aws_instance_ids | If the value is a valid AWS instance id then append to p_any_aws_instance_ids. |
| aws_tag | p_any_aws_tags | Append value into p_any_aws_tags. |
| cve | p_any_cves | Extract any values matching the regex ^[Cc][Vv][Ee]-\d{4}-\d+$ and append to p_any_cves |
| domain | p_any_domain_names | Append value to p_any_domain_names. |
| p_any_emails | If value is a valid email address then append value into p_any_emails. The portion of the value that precedes @ will also be populated in p_any_usernames | |
| hostname | p_any_domain_names, p_any_ip_addresses | Append value to p_any_domain_names. If value is a valid ipv4 or ipv6 address then append to p_any_ip_addresses. |
| ip | p_any_ip_addresses | If value is a valid ipv4 or ipv6 address then append to p_any_ip_addresses. |
| mac | p_any_mac_addresses | If a value is a valid IEEE 802 MAC-48, EUI-48, EUI-64, or a 20-octet IP over InfiniBand link-layer address then append to p_any_mac_addresses. |
| md5 | p_any_md5_hashes | If the value is a valid md5 then append value into p_any_md5_hashes. |
| mitre_attack_technique | p_any_mitre_attack_techniques | Extract any values matching the regex \b[Tt]\d{4}(?:\.\d{3})?\b and append to p_any_mitre_attack_techniques. For example, if the field value is "Technique: T1234", p_any_mitre_attack_techniques would have a value of ["T1234"] |
| net_addr | p_any_domain_names, p_any_ip_addresses | Extracts from values of the form <host>:<port> and appends host portion to p_any_domain_names.If host portion is a valid ipv4 or ipv6 address, then append to p_any_ip_addresses. |
| serial_number | p_any_serial_numbers | Append value to p_any_serial_numbers. |
| sha1 | p_any_sha1_hashes | If the value is a valid sha1 then append to p_any_sha1_hashes. |
| sha256 | p_any_sha256_hashes | If the value is a valid sha256 then append to p_any_sha256_hashes. |
| trace_id | p_any_trace_ids | Append value to p_any_trace_ids. Tag fields such as session ids and document ids that are used to associated elements with other logs in order to trace the full activity of a sequence of related events. |
| url | p_any_domain_names, p_any_ip_addresses | Parse url, extract the host portion after "http://" or "https://". Append host portion to p_any_domain_names. |
| username | p_any_usernames | Append value into p_any_usernames. This field is also populated with values marked with the email indicator. The portion of the email value that precedes @ will be appended to this field. |
| Enrichment Field Name | Type | Description of Enrichment Field |
|---|---|---|
p_enrichment | object | Dictionary of lookup results where matching rows were found. |
p_match | string | p_match is injected into the data of each matching row within p_enrichment. Its value is the value that matched in the event. |