
Commit

updated docs
Cyb3rWard0g committed Aug 19, 2020
1 parent 56d50e3 commit 0059b6e
Showing 69 changed files with 1,066 additions and 614 deletions.
Binary file modified docs/_build/.doctrees/cdm/entities/any.doctree
Binary file modified docs/_build/.doctrees/cdm/entities/destination.doctree
Binary file modified docs/_build/.doctrees/cdm/entities/event.doctree
Binary file added docs/_build/.doctrees/cdm/entities/geo.doctree
Binary file modified docs/_build/.doctrees/cdm/entities/intro.doctree
Binary file modified docs/_build/.doctrees/cdm/entities/mac.doctree
Binary file modified docs/_build/.doctrees/cdm/entities/source.doctree
Binary file modified docs/_build/.doctrees/cdm/tables/network_session.doctree
Binary file modified docs/_build/.doctrees/environment.pickle
2 changes: 1 addition & 1 deletion docs/_build/html/_sources/cdm/entities/any.md.txt
@@ -9,7 +9,7 @@ Fields used to define metadata for a single field to include data from multiple
| any_event_uid | string | Allows searching a single field for all log IDs. All log ID fields copied/duplicated to a single field as an array. | ```````` |
| any_hash | string | Allows searching a single field for all hashes. All hash fields copied/duplicated to a single field as an array. | ```````` |
| any_ip_addr | ip | Allows searching a single field for all IPs. All IP fields copied/duplicated to a single field as an array. | ```````` |
| any_ip_addr | ip | IP address captures in a network connection. This could be used in the context of source, destination and even NAT when it is provided by an intermediary NAT device such as a firewall. | ```192.168.1.2``` |
| any_ip_addr | ip | IP address captured in a network connection. This could be used in the context of source, destination and even NAT when it is provided by an intermediary NAT device such as a firewall. | ```192.168.1.2``` |
| any_ip_bytes | integer | network IP (header) bytes sent by the either the source or destination ip address | ```100``` |
| any_ip_dhcp_assigned_ip_addr | ip | IP address assigned by the DHCP server. | ```192.168.1.2``` |
| any_ip_geo.as_org | string | Allows searching a single field for all BGP AS Organization Names. All AS name fields copied/duplicated to a single field as an array. | ```````` |
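Review bot: `any_ip_addr` is defined twice in this hunk, once as the aggregation field ("Allows searching a single field for all IPs...") and again, in the corrected row, with a description that belongs to a plain `ip_addr` field ("IP address captured in a network connection..."). Keeping both leaves two rows with one name and two meanings; drop the second row or rename it. While here, `any_ip_bytes` reads "sent by the either the source", one article too many.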
15 changes: 9 additions & 6 deletions docs/_build/html/_sources/cdm/entities/destination.md.txt
@@ -20,8 +20,6 @@ Event fields used to define the destination (server) in a network connection eve
| dst_certificate_issuer | string | Information about the CA that issued the certificate | ```CN=neu5ron.local,OU=Admin``` |
| dst_certificate_serial_number | string | Serial number, this is chosen by the CA (certificate authority) which issued the certificate. Therefore this can relatively be arbritary if the CA does not follow a standard or is malicious. | ```5157550``` |
| dst_certificate_subject | string | Information about the CA that issued the certificate | ```CN=natetoken,OU=Admin,DC=neu5ron,DC=local``` |
| dst_city | string | The city associated with the destination IP address | ```Burlington``` |
| dst_country | country | The country associated with the destination IP address | ```USA``` |
| dst_domain | string | The (DNS) hierarchy that encompasses multiple hosts (i.e a Windows Active Directory environment). | ```bigwheel.corporation.local``` |
| dst_file_accessed_time | date | When the file was last accessed . Also known as `atime` | ```2016-11-25 18:21:47``` |
| dst_file_changed_time | date | When the file was last changed. Also known as `ctime` | ```2016-11-25 18:21:47``` |
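Review bot: `dst_city` and `dst_country` are removed here without a deprecation alias, and the `country` type disappears with them; anyone with mappings or detections keyed on these names gets silent misses once the schema is regenerated. Add a line to the entity page (or to the commit message, which currently says only "updated docs") stating the new names, `dst_geo_city` and `dst_geo_country`, and the type change from `country` to `string`. Visible in the context lines, though not touched by this hunk: `dst_certificate_subject` carries the issuer's description ("Information about the CA that issued the certificate"), and "arbritary" should read "arbitrary".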
@@ -47,6 +45,14 @@ Event fields used to define the destination (server) in a network connection eve
| dst_file_system_block_size | integer | Block size of filesystem | `````` |
| dst_file_system_type | string | The file system type, ex: fat32, ntfs, vmfs, ext3, ext4, xfs | ```ntfs``` |
| dst_fqdn | string | The absolute (entire) value of the DNS hierarchy from the lowest level to the top level domain (TLD). Consists of the Hostname and Domain. This is best defined in [this Wikipedia](https://en.wikipedia.org/w/index.php?title=Fully_qualified_domain_name&oldid=911195384#Syntax) article on FQDN. | ```bob-berto-pc.bigwheel.corporation.local``` |
| dst_geo_city | string | name of the city | ```San Miguel``` |
| dst_geo_continent | string | continent in the world | ```South America``` |
| dst_geo_country | string | name of the country | ```Peru``` |
| dst_geo_country_capital | string | capital of the country | ```Lima``` |
| dst_geo_country_code | string | 51 | ```Country code``` |
| dst_geo_latitude | string | Latitude is a measurement on a globe or map of location north or south of the Equator. | ```38.8951``` |
| dst_geo_longitude | string | Longitude is a measurement of location east or west of the prime meridian at Greenwich, the specially designated imaginary north-south line that passes through both geographic poles and Greenwich, London. | ```-77.0364``` |
| dst_geo_region | string | name of region | ```East US``` |
| dst_host_domain | string | Name of the domain the host is part of or joined. | ```hunt.wardog.com``` |
| dst_host_fqdn | string | The fully qualified domain name of the host | ```WKHR001.hunt.wardog.com``` |
| dst_host_interface_guid | string | GUID of the network interface which was used for authentication request | ```{2BB33827-6BB6-48DB-8DE6-DB9E0B9F9C9B}``` |
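Review bot: the `dst_geo_country_code` row has its Description and Sample Value columns swapped ("51" is the sample, "Country code" the description). `dst_geo_latitude` and `dst_geo_longitude` are typed `string`, a downgrade from the `real` type of the `dst_latitude`/`dst_longitude` rows they replace later in this diff; a numeric (or geo-point) type is what range and distance queries need. The sample row is also internally inconsistent: a city in Peru cannot sit at latitude 38.8951 (Peru lies south of the Equator), and "East US" is a cloud region name, not the region within a country that the removed `dst_region` row ("Vermont") defined. Since these rows are copied from the new geo entity, fix them there and re-derive.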
@@ -63,14 +69,11 @@ Event fields used to define the destination (server) in a network connection eve
| dst_ip_bytes | integer | network IP (header) bytes sent by the either the source or destination ip address | ```100``` |
| dst_ip_dhcp_assigned_ip_addr | ip | IP address assigned by the DHCP server. | ```192.168.1.2``` |
| dst_ip_is_ipv6 | boolean | If source or destination IP address is IP version 6 | ```false``` |
| dst_latitude | real | The latitude of the geographical coordinate associated with the destination IP address | ```44.475833``` |
| dst_longitude | real | The longitude of the geographical coordinate associated with the destination IP address | ```-73.211944``` |
| dst_mac_address | mac | MAC address of an endpoint or network interface where a connection starts or ends. | ```00:11:22:33:44:55``` |
| dst_mac_addr | mac | MAC address of an endpoint or network interface where a connection starts or ends. | ```00:11:22:33:44:55``` |
| dst_mime_type | string | Destination MIME type as seen in (layer 7) application layer details or as defined by an application scanner such as an anti-virus/EDR. For HTTP this is usually from the server's "Content-Type" header. https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Complete_list_of_MIME_types | ```application/pdf``` |
| dst_packets | integer | Network packets sent by the destination (Reply) | ```5``` |
| dst_port_name | string | Name of the port used in a network connection. This is usually determined by IANA common port assignment. Therefore, this means its a guess and NOT actually what the application/ is what the actually. | ```netbios-dgm``` |
| dst_port_number | integer | Port number used in a network connection. This could be used in the context of source, destination and even NAT when it is provided by an intermediary NAT device such as a firewall. | ```138``` |
| dst_region | string | The region within a country associated with the destination IP address | ```Vermont``` |
| dst_resource_group | string | The ID of the group to which the destination device belongs in a network connection. This might be an AWS account, or an Azure subscription or Resource Group | ```DatabaseVMs``` |
| dst_resource_id | string | The resource Id of the destination device in a network connection | ```/subscriptions/33333333-8888-4444-a115-aaaaaaaaaaaa/resourcegroups/shokobo/providers/microsoft.compute/virtualmachines/sysmachine2``` |
| dst_vlan_id | integer | The destination VLAN ID if it can be determined. Most commonly if from a firewall/switch/router then it can be determined | ```1000``` |
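Review bot: the `dst_mac_address` to `dst_mac_addr` rename matches the `mac` entity change and the `dst_ip_addr` naming, but it is another breaking rename shipped under "updated docs"; list old and new names on the page so existing ETL mappings can be updated. Dropping `dst_latitude`/`dst_longitude` (typed `real`) in favour of the string-typed `dst_geo_*` rows changes the field type as well as the name, and `dst_region` ("Vermont") loses its sub-national meaning to `dst_geo_region` ("East US"); the geo sample should follow the removed definition. In the context lines, `dst_ip_bytes` and `dst_ip_is_ipv6` still say "the source or destination", copied from the generic `ip` entity rather than scoped to the destination, and `dst_port_name` ends in a garbled sentence.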
16 changes: 15 additions & 1 deletion docs/_build/html/_sources/cdm/entities/event.md.txt
@@ -6,24 +6,38 @@ Event fields used to define specific metadata of the event itself. For example u

| Name | Type | Description | Sample Value |
|:---|:---|:---|:---|
| event_category_type | string | A description of the event, which can help with categorization. If the vendor defines a category/grouping for its log. i.e. Zeek has a few category types for its many logs (network-protocols, network-observations, etc...). Example. sysmon event id 12 is EventType field is this. | ```network-protocols``` |
| event_count | integer | The number of aggregated events, if applicable | ```10``` |
| event_creation_time | datetime | original time when event/log was created as reported from the log source itself | ```2017-01-21 09:12:34``` |
| event_duration | float | The length/duration of the event in seconds (e.g., 1 min is 60.0) | ```60``` |
| event_endtime | datetime | The time in which the event ended | ```2017-04-12 12:00:00``` |
| event_error | string | Information about an error | ```an error occurred``` |
| event_error_code | integer | Integer that defines a particular error | ```4564``` |
| event_event_host_name | string | The host name from which the event/log came from. There may be multiple host names in an event (i.e. syslog could have forwarder host name), this field is to be the most true log host name (i.e. NOT the forwarders name). | ```bobs.uncle-pc``` |
| event_event_ip_addr | string | The IP address from which the event/log came from. There may be multiple IP addresses in an event (i.e. syslog could have forwarder IP), this field is to be the most true log IP (i.e. NOT the forwarders IP). | ```10.10.10.10``` |
| event_id | integer | event identifier for specific event logs. Event ids might repeat across different data sources. This is most common in Windows using EventID | ```4688``` |
| event_message | string | A general message or description, either included in, or generated from the record | ```TCP access denied``` |
| event_original_message | string | The (original) log message from the source before any ETL manipulations/modifications | ```a long message``` |
| event_original_time | datetime | original time when event/log was created as reported from the log source itself. | ```4/11/2018 5:46:18``` |
| event_original_uid | string | Original unique ID specific to the log/event as recorded from the source. | ```CMzY3i4YoNZ3mT5yu5``` |
| event_product | string | The product generating the event. | ```OfficeSharepoint``` |
| event_product_ver | string | The version of the product generating the event | ```0.2``` |
| event_recorded_time | datetime | The time the log was recorded on disk or data plane or if there is another timestamp with the log (common scenario if there is a a manager of many devices or the log itself tracks log time and log written/recorded time) (e.g., 1 min is 60.0). | ```4/11/2018 5:46:18``` |
| event_report_url | string | url of the full analysis report, if applicable | ```https://192.168.1.1/reports/ade-123-afa.log``` |
| event_resource_group | string | The resource group to which the device generating the record belongs. This might be an AWS account, or an Azure subscription or Resource Group | ```DBVM``` |
| event_resource_id | string | The resource ID of the device generating the message. | ```/subscriptions/aaabbbcc-dddd-eeee-1234-1234567890ab/resourcegroups/shokobo/providers/microsoft.compute/virtualmachines/sysmachine``` |
| event_severity | string | The severity of the event as defined manually or usually via the original log, commonly this would be syslog severity. The number codes should be converted to their corresponding string value. | ```high``` |
| event_start_time | datetime | The time in which the event stated | ```2017-01-21 09:12:34``` |
| event_status | string | Defines the status of a particular event | ```User logon with expired account``` |
| event_status_code | integer | Integer that defines a particular status | ```3221225875``` |
| event_status_code | integer | Integer that defines a particular sub_status | ```0``` |
| event_sub_category_type | string | What sub type is for the given event_category_type, | ```Microsoft-Windows-Sysmon/Operational``` |
| event_sub_status | string | Additional status information | ```Account expired 300 days ago``` |
| event_sub_status_code | integer | Integer that defines a particular event_sub_status | ```0``` |
| event_sub_type | string | What sub type is for the given event_type, this should be closest to what the vendor calls it. i.e. Zeek Conn log would be conn. PaloAlto traffic log would be traffic. Additonal example, for wef the channel Sysmon would be Microsoft-Windows-Sysmon/Operational | ```Microsoft-Windows-Sysmon/Operational``` |
| event_time_ingested | datetime | The time the event was ingested to SIEM or data pipeline. | ```2157-01-21 09:12:34``` |
| event_timestamp | datetime | The most accurate timestamp of the log. Commonly this will be the original reporting timestamp from the log. However, if you believe the log timestamp has been altered or skewed (ie: either due to timezone issues or NTP skew)then replace this field with the most likely timestamp. Always keep the original log timestamp in the field creation_timestamp | ```2017-01-21 09:12:34``` |
| event_timezone | string | Timezone of the event if it can be determined. Format such as UTC, UTC+1, UTC-5, etc.. | ```UTC``` |
| event_type | string | A description of the event, which can help with categorization. | ```Login``` |
| event_type_detailed | string | Additional description of type if applicable | ```````` |
| event_uid | string | Original unique ID specific to the log/event assigned to the event (not original). | ```CMzY3i4YoNZ3mT5yu5``` |
| event_vendor | string | The vendor of the product generating the event | ```Microsoft``` |
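Review bot: two rows are named `event_status_code`; the second ("Integer that defines a particular sub_status", sample 0) duplicates the `event_sub_status_code` row three lines below it and should go so the name is unique. Other problems in the same hunk: `event_original_time` and `event_creation_time` carry the identical description ("original time when event/log was created as reported from the log source itself"), so state how they differ or keep one; `event_timestamp` tells the reader to keep the original time "in the field creation_timestamp", which is not a field on this page; `event_recorded_time` ends with "(e.g., 1 min is 60.0)", a leftover from `event_duration`; `event_original_uid` and `event_uid` share one sample value while `event_uid` is described as both "Original" and "(not original)"; `event_sub_category_type` and `event_sub_type` use the same sample ("Microsoft-Windows-Sysmon/Operational"), so the distinction is never shown; and `event_category_type` trails off into "Example. sysmon event id 12 is EventType field is this." Timestamp samples mix "2017-01-21 09:12:34" with "4/11/2018 5:46:18", and `event_time_ingested` is dated 2157; pick one ISO 8601 form.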
16 changes: 16 additions & 0 deletions docs/_build/html/_sources/cdm/entities/geo.md.txt
@@ -0,0 +1,16 @@
# geo

Event fields used to define metadata about a geographical.

## Attributes

| Name | Type | Description | Sample Value |
|:---|:---|:---|:---|
| geo_city | string | name of the city | ```San Miguel``` |
| geo_continent | string | continent in the world | ```South America``` |
| geo_country | string | name of the country | ```Peru``` |
| geo_country_capital | string | capital of the country | ```Lima``` |
| geo_country_code | string | 51 | ```Country code``` |
| geo_latitude | string | Latitude is a measurement on a globe or map of location north or south of the Equator. | ```38.8951``` |
| geo_longitude | string | Longitude is a measurement of location east or west of the prime meridian at Greenwich, the specially designated imaginary north-south line that passes through both geographic poles and Greenwich, London. | ```-77.0364``` |
| geo_region | string | name of region | ```East US``` |
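Review bot: the intro sentence is incomplete ("metadata about a geographical." needs a noun such as "location"). The `geo_country_code` row has Description and Sample Value swapped ("51" is the sample). `geo_latitude`/`geo_longitude` are typed `string`; the `src_latitude`/`dst_latitude` fields this entity replaces were `real`, and coordinates need a numeric or geo-point type to support range and distance queries. The sample values do not describe one place: San Miguel, Peru, Lima and South America agree, but latitude 38.8951 is north of the Equator and "East US" is a cloud region, not a region within Peru. Because the `src_geo_*` and `dst_geo_*` tables in this commit are copies of this one, fix it here first and regenerate them.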
2 changes: 1 addition & 1 deletion docs/_build/html/_sources/cdm/entities/mac.md.txt
@@ -6,4 +6,4 @@ Event fields used to define metadata about MAC addresses in a network. It follow

| Name | Type | Description | Sample Value |
|:---|:---|:---|:---|
| mac_address | mac | MAC address of an endpoint or network interface where a connection starts or ends. | ```00:11:22:33:44:55``` |
| mac_addr | mac | MAC address of an endpoint or network interface where a connection starts or ends. | ```00:11:22:33:44:55``` |
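Review bot: renaming `mac_address` to `mac_addr` is consistent with `ip_addr` and with the `src_mac_addr`/`dst_mac_addr` rows elsewhere in this commit, but it breaks anyone already mapping to `mac_address`; note the old name on the entity page (or keep it as a deprecated alias) rather than leaving the change to a commit titled "updated docs".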
14 changes: 9 additions & 5 deletions docs/_build/html/_sources/cdm/entities/source.md.txt
@@ -7,8 +7,6 @@ Event fields used to define the source (client) in a network connection event.
| Name | Type | Description | Sample Value |
|:---|:---|:---|:---|
| src_bytes | integer | network bytes sent by the src_ip_addr | ```100``` |
| src_city | string | The city associated with the source IP address | ```Burlington``` |
| src_country | country | The country associated with the source IP address | ```USA``` |
| src_domain | string | The (DNS) hierarchy that encompasses multiple hosts (i.e a Windows Active Directory environment). | ```bigwheel.corporation.local``` |
| src_file_accessed_time | date | When the file was last accessed . Also known as `atime` | ```2016-11-25 18:21:47``` |
| src_file_changed_time | date | When the file was last changed. Also known as `ctime` | ```2016-11-25 18:21:47``` |
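Review bot: `src_city` and `src_country` are dropped without a deprecation note, and the `country` type with them; their replacements later in this diff, `src_geo_city` and `src_geo_country`, are typed `string`. Record the rename and the type change on the page so existing mappings do not silently stop matching.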
@@ -34,6 +32,14 @@ Event fields used to define the source (client) in a network connection event.
| src_file_system_block_size | integer | Block size of filesystem | `````` |
| src_file_system_type | string | The file system type, ex: fat32, ntfs, vmfs, ext3, ext4, xfs | ```ntfs``` |
| src_fqdn | string | The absolute (entire) value of the DNS hierarchy from the lowest level to the top level domain (TLD). Consists of the Hostname and Domain. This is best defined in [this Wikipedia](https://en.wikipedia.org/w/index.php?title=Fully_qualified_domain_name&oldid=911195384#Syntax) article on FQDN. | ```bob-berto-pc.bigwheel.corporation.local``` |
| src_geo_city | string | name of the city | ```San Miguel``` |
| src_geo_continent | string | continent in the world | ```South America``` |
| src_geo_country | string | name of the country | ```Peru``` |
| src_geo_country_capital | string | capital of the country | ```Lima``` |
| src_geo_country_code | string | 51 | ```Country code``` |
| src_geo_latitude | string | Latitude is a measurement on a globe or map of location north or south of the Equator. | ```38.8951``` |
| src_geo_longitude | string | Longitude is a measurement of location east or west of the prime meridian at Greenwich, the specially designated imaginary north-south line that passes through both geographic poles and Greenwich, London. | ```-77.0364``` |
| src_geo_region | string | name of region | ```East US``` |
| src_host_domain | string | Name of the domain the host is part of or joined. | ```hunt.wardog.com``` |
| src_host_fqdn | string | The fully qualified domain name of the host | ```WKHR001.hunt.wardog.com``` |
| src_host_interface_guid | string | GUID of the network interface which was used for authentication request | ```{2BB33827-6BB6-48DB-8DE6-DB9E0B9F9C9B}``` |
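Review bot: this block carries the same defects as the `dst_geo_*` block in this commit: `src_geo_country_code` has Description and Sample Value swapped ("51" is the sample), latitude/longitude are `string` where the removed `src_latitude`/`src_longitude` were `real`, the sample coordinates (38.8951, -77.0364) lie in the Northern Hemisphere while the sample country is Peru, and "East US" is a cloud region name rather than a sub-national region. These rows are a copy of the geo entity; fix once there and regenerate.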
@@ -50,9 +56,8 @@ Event fields used to define the source (client) in a network connection event.
| src_ip_bytes | integer | network IP (header) bytes sent by the either the source or destination ip address | ```100``` |
| src_ip_dhcp_assigned_ip_addr | ip | IP address assigned by the DHCP server. | ```192.168.1.2``` |
| src_ip_is_ipv6 | boolean | If source or destination IP address is IP version 6 | ```false``` |
| src_latitude | real | The latitude of the geographical coordinate associated with the source IP address | ```44.475833``` |
| src_longitude | real | The longitude of the geographical coordinate associated with the source IP address | ```-73.211944``` |
| src_mac_address | mac | MAC address of an endpoint or network interface where a connection starts or ends. | ```00:11:22:33:44:55``` |
| src_mac_addr | mac | MAC address of an endpoint or network interface where a connection starts or ends. | ```00:11:22:33:44:55``` |
| src_mime_type | string | Source MIME type as seen in (layer 7) application layer details or as defined by an application scanner such as an anti-virus/EDR. For HTTP this is usually from the server's "Content-Type" header. https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Complete_list_of_MIME_types | ```application/pdf``` |
| src_packets | integer | Network packets sent by the source | ```5``` |
| src_port_name | string | Name of the port used in a network connection. This is usually determined by IANA common port assignment. Therefore, this means its a guess and NOT actually what the application/ is what the actually. | ```netbios-dgm``` |
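Review bot: `src_mac_address` to `src_mac_addr` aligns with the `mac` entity rename, but the dropped `src_latitude`/`src_longitude` rows (type `real`) leave no numeric successor, since `src_geo_latitude`/`src_geo_longitude` are strings. In the context lines, `src_ip_bytes` and `src_ip_is_ipv6` still say "source or destination", copied from the generic `ip` entity instead of being scoped to the source, and `src_port_name` ends in a garbled sentence ("NOT actually what the application/ is what the actually.").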
@@ -99,7 +104,6 @@ Event fields used to define the source (client) in a network connection event.
| src_process_parent_integrity_level | string | Integrity label assigned to a process | ```Medium``` |
| src_process_parent_is_hidden | boolean | Describes if the process is hidden. | ```True``` |
| src_process_parent_name | string | Name of the process derived from the Image file or executable file used to define the initial code and data mapped into the process' virtual address space. This does not contain the full patth of the Image file. | ```conhost.exe``` |
| src_region | string | The region within a country associated with the source IP address | ```Vermont``` |
| src_resource_group | string | The ID of the group to which the source device belongs in a network connection. This might be an AWS account, or an Azure subscription or Resource Group | ```DatabaseVMs``` |
| src_resource_id | string | The resource Id of the source device in a network connection | ```/subscriptions/33333333-8888-4444-a115-aaaaaaaaaaaa/resourcegroups/shokobo/providers/microsoft.compute/virtualmachines/sysmachine2``` |
| src_user_cred_type | string | types of credentials which were presented for delegation | ```%%8098``` |
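Review bot: `src_region` ("The region within a country associated with the source IP address", sample "Vermont") is removed, but its replacement `src_geo_region` earlier in this diff reads only "name of region" with sample "East US"; carry the removed row's definition and sample over so the field keeps its sub-national meaning. Context nit: "full patth" in `src_process_parent_name`.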