nodes

A list of nodes, where a node is an L2 or L3 or other entity able to speak some protocol.

appliance_host The hostname of the sensor where this entity has been observed
label Name of the node
id Primary key of this query source
ip internet protocol (IP) address of the node. It can be either IPv4, IPv6 or empty (in case of L2 node)
mac_address media access control (MAC) address of the node. It can be missing in some situations (serial nodes)
mac_address:info This is a metadata field about the mac_address field.
  • protocol_source - is the cause of the latest mac_address:info change
  • likelihood - a value between 0.1 and 1.0 where 1.0 represents the maximum likelihood that the MAC address is the native one from the node.
  • likelihood_level - level of confidence regarding whether the MAC address is the native one from the node, or it is one routed/substituted by the network. Values:
    • unconfirmed (no information is available)
    • likely (some information indicates it can be native)
    • confirmed (it is definitely native)
  • source - indicates where the information comes from:
    • manual: information that is manually added from the configuration
    • import: imported information
    • passive: information from Deep Packet Inspection
    • asset-kb: information from Asset Intelligence
    • smart-polling: information from Smart Polling
  • granularity - is the level of detail of the information. Values:
    • manual-or-import: information manually added or imported
    • complete: detailed information has been extracted.
    • partial: detailed, but still not complete.
    • generic: a family/generic value has been found, but is not detailed.
    • unknown
  • confidence - measures the confidence that the information is the one published. Values:
    • manual-or-import: information manually added or imported, therefore the highest confidence
    • high
    • good
    • low
    • unknown
mac_vendor MAC address vendor. It is not empty when the MAC address is present and the corresponding vendor name is known.
subnet The subnet to which this node belongs, if any.
vlan_id The virtual local area network (VLAN) identifier (ID) of the node. It can be absent if the traffic to/from the node is not VLAN-tagged.
vlan_id:info This is a metadata field about the vlan_id field.
zone The name of the zone to which this node belongs
level The Purdue-model level of the node
type The type of the node
type:info This is a metadata field about the type field.
os Operating System of the node, if available. This field is not present when the firmware_version is available.
vendor Vendor of the node
vendor:info This is a metadata field about the vendor field.
product_name The product name of the node
product_name:info This is a metadata field about the product_name field.
firmware_version The firmware version of the node. The field is not present when the os field is available.
firmware_version:info This is a metadata field about the firmware_version field.
serial_number The serial number of the node
serial_number:info This is a metadata field about the serial_number field.
is_broadcast True if this is not a real node but a broadcast or multicast entry
is_public True if this is not a local node but an outside, public IP address.
reputation This can be good or bad depending on information coming from STIX indicators
is_confirmed This is true for nodes that are confirmed to exist. Non-existing targets of port scans for instance are not confirmed
is_compromised This is true for nodes that have been recognised as compromised according to threat indicators
is_learned This is true for nodes that were observed during the learning phase
is_fully_learned This is true for nodes that were observed during the learning phase and whose properties have not changed since then
is_disabled This is true for nodes that are hidden from graphs because they are too noisy
roles The set of application-level roles of the node. Differently from the type, these are behaviors.
links The set of links to which this node is related
links_count The total number of links from and to this node
protocols The unique protocols used from and to this node
created_at Timestamp in epoch milliseconds when this node was first observed
first_activity_time Timestamp in epoch milliseconds when this node sent a packet for the first time
last_activity_time Timestamp in epoch milliseconds when this node sent a packet for the last time
received.packets Total number of packets received
received.bytes Total number of bytes received
received.last_5m_bytes Number of bytes received in the last 5 minutes
received.last_15m_bytes Number of bytes received in the last 15 minutes
received.last_30m_bytes Number of bytes received in the last 30 minutes
sent.packets Total number of packets sent
sent.bytes Total number of bytes sent
sent.last_5m_bytes Number of bytes sent in the last 5 minutes
sent.last_15m_bytes Number of bytes sent in the last 15 minutes
sent.last_30m_bytes Number of bytes sent in the last 30 minutes
tcp_retransmission.percent Percentage of transmission control protocol (TCP) packets that have been retransmitted
tcp_retransmission.packets Total number of TCP packets that have been retransmitted
tcp_retransmission.bytes Total amount of bytes for TCP packets that have been retransmitted
tcp_retransmission.last_5m_bytes Amount of bytes of TCP packets that have been retransmitted in the last 5 minutes
tcp_retransmission.last_15m_bytes Amount of bytes of TCP packets that have been retransmitted in the last 15 minutes
tcp_retransmission.last_30m_bytes Amount of bytes of TCP packets that have been retransmitted in the last 30 minutes
variables_count Amount of variables attached to the node
device_id (Internal use)
properties Additional properties found by several protocols attached to the node
custom_fields Any additional custom field defined in the Custom fields
bpf_filter Berkeley Packet Filter (BPF) filter for the node, used when performing traces for this node and as building block for link traces too
device_modules Set of modules of this device, if any
capture_device Name of the interface from which this entity has been detected
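The following is an added example (not part of this reference and not the product's own tooling) showing how a consumer of nodes records might check them against the rules stated above and sort them into triage buckets. It assumes each node arrives as a dict whose keys match the field names listed here, with mac_address:info as a nested dict; the sample records and the bucket names are constructed for illustration.

```python
"""Consistency checks and triage over `nodes` records.

Added example, not part of the original field reference. Assumptions:
each node is a dict keyed by the field names above, and the
`mac_address:info` metadata is a nested dict. Sample records below are
constructed (hypothetical hosts, addresses and values).
"""
from collections import Counter

# Allowed values as listed in the mac_address:info description.
ALLOWED_LIKELIHOOD_LEVELS = {"unconfirmed", "likely", "confirmed"}
ALLOWED_SOURCES = {"manual", "import", "passive", "asset-kb", "smart-polling"}

# Constructed sample records (not from any real sensor).
SAMPLE_NODES = [
    {   # learned, confirmed PLC with a native MAC
        "id": "n1", "label": "plc-01", "ip": "10.0.1.20",
        "mac_address": "00:11:22:33:44:55",
        "mac_address:info": {"likelihood": 1.0, "likelihood_level": "confirmed",
                             "source": "passive"},
        "firmware_version": "2.3.1", "is_confirmed": True, "is_learned": True,
        "is_public": False, "is_broadcast": False, "is_compromised": False,
        "reputation": "good",
    },
    {   # flagged by threat indicators; also carries both os and firmware_version
        "id": "n2", "label": "hmi-02", "ip": "10.0.1.30",
        "mac_address": "00:11:22:33:44:66",
        "mac_address:info": {"likelihood": 0.4, "likelihood_level": "unconfirmed",
                             "source": "passive"},
        "os": "Windows", "firmware_version": "1.0",
        "is_confirmed": True, "is_learned": True, "is_public": False,
        "is_broadcast": False, "is_compromised": True, "reputation": "bad",
    },
    {   # outside, public address
        "id": "n3", "label": "203.0.113.7", "ip": "203.0.113.7",
        "is_confirmed": True, "is_learned": False, "is_public": True,
        "is_broadcast": False, "is_compromised": False, "reputation": "good",
    },
    {   # unconfirmed target (e.g. seen only as a scan destination)
        "id": "n4", "label": "10.0.1.250", "ip": "10.0.1.250",
        "is_confirmed": False, "is_learned": False, "is_public": False,
        "is_broadcast": False, "is_compromised": False, "reputation": "good",
    },
    {   # learned node whose MAC may be routed/substituted by the network
        "id": "n5", "label": "rtu-05", "ip": "10.0.2.8",
        "mac_address": "00:11:22:33:44:77",
        "mac_address:info": {"likelihood": 0.3, "likelihood_level": "unconfirmed",
                             "source": "passive"},
        "is_confirmed": True, "is_learned": True, "is_public": False,
        "is_broadcast": False, "is_compromised": False, "reputation": "good",
    },
]


def schema_issues(node):
    """Return a list of violations of the rules stated in the field reference."""
    issues = []
    # os and firmware_version are described as mutually exclusive.
    if "os" in node and "firmware_version" in node:
        issues.append("os and firmware_version are mutually exclusive")
    info = node.get("mac_address:info") or {}
    lk = info.get("likelihood")
    if lk is not None and not 0.1 <= lk <= 1.0:
        issues.append("likelihood outside 0.1..1.0")
    lvl = info.get("likelihood_level")
    if lvl is not None and lvl not in ALLOWED_LIKELIHOOD_LEVELS:
        issues.append(f"unknown likelihood_level {lvl!r}")
    src = info.get("source")
    if src is not None and src not in ALLOWED_SOURCES:
        issues.append(f"unknown source {src!r}")
    # ip may be empty (L2 node) and mac_address may be missing (serial node),
    # but a node with neither cannot be addressed at all.
    if not node.get("ip") and not node.get("mac_address"):
        issues.append("node has neither ip nor mac_address")
    return issues


def triage(node):
    """Map a node to a triage bucket (bucket names are this example's own)."""
    if node.get("is_compromised") or node.get("reputation") == "bad":
        return "investigate"          # threat indicators or STIX reputation
    if node.get("is_broadcast") or not node.get("is_confirmed", False):
        return "ignore"               # not a real or not a confirmed node
    if node.get("is_public"):
        return "external"             # outside, public IP address
    info = node.get("mac_address:info") or {}
    if node.get("is_learned") and info.get("likelihood_level") == "unconfirmed":
        return "verify-mac"           # baseline node whose MAC may not be native
    return "baseline"


def summarize(nodes):
    """Count nodes per triage bucket."""
    return dict(Counter(triage(n) for n in nodes))


if __name__ == "__main__":
    for n in SAMPLE_NODES:
        print(n["id"], triage(n), schema_issues(n))
    print(summarize(SAMPLE_NODES))
```

The checks only encode what the reference states (the os/firmware_version exclusivity, the likelihood range, the enumerated likelihood_level and source values); any other rule a deployment relies on should be added explicitly rather than assumed.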