Enriched Inspection
SUMMARY At the Enriched inspection level, each flow is identified and inspected by a protocol or domain inspector. When the flow inspection level is set to Enriched, Network Insights creates content flows.
A field is populated only when the underlying data exists in the source content. For example, some fields are populated from the X-Force Threat Intelligence feed, so the field appears empty in JSA if X-Force has no information for that flow.
The following table shows the fields that are populated when Network Insights is configured to use the Enriched inspection level.
Query Builder name | Advanced Search name | Description |
---|---|---|
Action | action | Populated when the flow analysis indicates an action on an HTTP flow. Possible values for the action are: |
Authentication mechanism | "authentication mechanism" | The means by which the client was authenticated. |
Content subject | "content subject" | If populated, extracted from the Subject field of the flow content. For example, the subject might come from an email or it might be embedded in the metadata. |
Content Type | "content type" | Populated by the HTTP and Content inspectors, and only when the file type is not recognized. |
DNS Query ID | "dns query id" | Populated only if the flow contains information about a DNS request or response. |
DNS Domain Name | "dns domain name" | Populated only if the flow contains information about a DNS request. |
DNS Request Type | "dns request type" | Populated only if the flow contains information about a DNS request. |
DNS Response Code | "dns response code" | Populated only if the flow contains information about a DNS response. |
DNS Flags | "dns flags" | Populated only if the flow contains information about a DNS request. |
DNS Answers | "dns answers" | All DNS answer fields as a formatted list. Populated only if the flow contains information about a DNS response. |
DNS Raw Answer | "dns raw answer" | All DNS answer fields in binary format. Populated only if the flow contains information about a DNS response. |
File Entropy | "file entropy" | Entropy of the bytes of the extracted file; high entropy is typical of compressed, encrypted, or packed content. Populated only when a complete file is found embedded in the flow data. |
File Name | "file name" | Populated only when a named file is found embedded in the flow data. |
File Size | "file size" | Populated only when a complete file is found embedded in the flow data. |
FTP Command | "ftp command" | FTP command that was used. |
FTP ReplyCode | "ftp reply code" | Numerical code that is issued by the FTP server in response to the FTP command. |
FTP Response | "ftp response" | Description for the numerical reply code that is issued by the FTP server. |
HTTP Host | "http host" | Host field in the HTTP request. Populated only if HTTP protocol is used. |
HTTP Method | "http method" | Method in the HTTP request, for example GET or POST, indicating the action requested on the resource. Populated only if the HTTP protocol is used. |
HTTP Referrer | "http referrer" | Referer field in the HTTP request (the header name is spelled Referer on the wire). Populated only if HTTP protocol is used. |
HTTP Response Code | "http response code" | Status code in the HTTP response to the request, for example 200 or 404. Populated only if HTTP protocol is used. |
HTTP Server | "http server" | Server field in the HTTP response, which identifies the server software. Populated only if HTTP protocol is used. |
HTTP User Agent | "http user agent" | User-Agent field in the HTTP request. Populated only if HTTP protocol is used. |
HTTP Version | "http version" | Version field in the HTTP request. Populated only if HTTP protocol is used. |
Kerberos Cipher Suite | "kerberos cipher suite" | The encryption type that is used to encrypt the Kerberos ticket. |
Kerberos Client Principal Name | "kerberos client principal name" | The identity that the ticket is being issued to. For example, the user or device that is seeking a ticket to authenticate itself to a service. |
Kerberos Issued Ticket Hash | "kerberos issued ticket hash" | A hash of the Kerberos ticket that was issued to the client. |
Kerberos Presented Ticket Hash | "kerberos presented ticket hash" | A hash of the Kerberos ticket that was presented to gain access to a resource. This property is populated by the Kerberos inspector, as well as the HTTP and SMB inspectors when applicable. |
Kerberos Realm | "kerberos realm" | The Kerberos realm in which this activity takes place. |
Kerberos Server Principal Name | "kerberos server principal name" | The identity of the service that the ticket is being issued for. For example, the service that the user wants to access. |
Last Proxy Basis | "last proxy basis" | Where an HTTP request was found to be explicitly forwarded, the type of HTTP header that directed the forwarding. The Last Proxy Basis attribute might include one of the following values: |
Last Proxy IPv4 | "last proxy ipv4" | The final forwarded destination, which is shown as an IPv4 address. Populated only if HTTP protocol is used and forwarding was detected. |
Last Proxy IPv6 | "last proxy ipv6" | The final forwarded destination, which is shown as an IPv6 address. Populated only if HTTP protocol is used and forwarding was detected. |
MD5 File Hash | "md5 file hash" | Populated with the MD5 hash of the original file when a file is extracted from the flow data. |
Originating User | "originating user" | Populated from multiple sources when the originating user can be detected, such as flow data for email or chat messages. |
Password | password | Populated only when a cleartext password exchange is detected in the flow, for example the PASS command in an FTP flow. |
Protocol Name | "protocol name" | Populated on all flows that are processed by an inspector. |
Protocol Version | "protocol version" | Populated only when the version is extracted by the inspector. Protocol version extraction is supported by the following inspectors: |
RDP Encryption Method | "rdp encryption method" | Populated with the encryption method when the flow is associated with Remote Desktop Protocol (RDP). |
RDP Encryption Level | "rdp encryption level" | Populated with the encryption level when the flow is associated with Remote Desktop Protocol (RDP). |
Recipient Users | "recipient users" | Populated if one or more destination users are detected in the flow. |
Request URL | "request url" | Populated only when a URL string is detected in HTTP flow data. |
Search Arguments | "search arguments" | Populated only when the pattern of a search request is detected in HTTP flow data. |
SHA1 File Hash | "sha1 file hash" | Populated with the SHA1 hash of the original file when a file is extracted from the flow data. |
SHA256 File Hash | "sha256 file hash" | Populated with the SHA256 hash of the original file when a file is extracted from the flow data. |
SMTP Hello | "smtp hello" | Populated for flows that initiate an SMTP request. Captures the data that follows the |
SSL/TLS Cipher Suite | "ssl/tls cipher suite" | The cipher suite that the client and server agreed to use for the session. |
SSL/TLS Compression Method | "ssl/tls compression method" | The compression method that the client and server agreed to use for the session. The method is typically null: almost no client supports TLS compression, because it exposes the session to protocol-level attacks such as CRIME. |
SSL/TLS Session ID | "ssl/tls session id" | The session identifier. |
SSL/TLS Version | "ssl/tls version" | The version of SSL or TLS. The following versions are detected: |
Suspect Content Descriptions | "suspect content descriptions" | Populated from multiple sources when a suspicious entity is detected. For example, the suspect content might come from the website category, embedded links, or YARA rules. |
TFTP Status | "tftp status" | TFTP read or write request. Populated only if the transfer protocol is TFTP. |
TFTP Mode | "tftp mode" | The mode of the TFTP file transfer. Possible values are netascii or octet. Populated only when the transfer protocol is TFTP. |
TFTP Requested Options | "tftp requested options" | The TFTP file transfer options that are negotiated before the transfer, which include the following options: Populated only when the transfer protocol is TFTP. |
TLS Application Layer Protocol | "tls application layer protocol" | The application layer protocol that the client and server agreed on through the Application Layer Protocol Negotiation (ALPN) TLS extension, for example h2 or http/1.1. |
TLS JA3 Hash | "tls ja3 hash" | JA3 fingerprint of the client: an MD5 hash over the version, cipher suites, extensions, elliptic curves, and point formats that the client offered in its ClientHello. It identifies the client software, not a file. |
TLS JA3S Hash | "tls ja3s hash" | JA3S fingerprint of the server: an MD5 hash over the version, selected cipher suite, and extensions in the ServerHello that the server returned. |
TLS Server Name Indication | "tls server name indication" | The value of the TLS Server Name Indication (SNI) extension, which the client sends in the ClientHello at the start of the handshake to identify the host name it wants to reach. Because it is sent before encryption begins, it is readable in the flow. |
Web Categories | "web categories" | Populated only when the HTTP URL or endpoint matches a known X-Force web category. |
X509 Certificate Extensions | "x509 certificate extensions" | Shows additional information about how the certificate can be used, identified, and verified. The X509 certificate extensions are shown as a comma-separated list. |
X509 Certificate Fingerprint Hash | "x509 certificate fingerprint hash" | A hash of various fields in the certificate that can be used to fingerprint the certificate. This value can be useful in threat hunting and anomaly detection. For example, if valid certificates for the same subject with different fingerprint hashes are seen concurrently on different flows, one set of flows might be subject to a man-in-the-middle attack. |
X509 Certificate Issuer Common Name | "x509 certificate issuer common name" | The common name of the entity that issued the certificate. This field is the last 'CN = ' segment of the Issuer Name. For example, the value might look similar to this string: |
X509 Certificate Issuer Name | "x509 certificate issuer name" | The full name of the entity that issued the certificate. For example, the issuer name might look similar to this string: |
X509 Certificate Not-After Validity Timestamp | "x509 certificate not-after validity timestamp" | The end of the certificate's validity period (the notAfter field). The value is the number of seconds since the epoch (1970-01-01 00:00:00 UTC). This value might be useful in understanding why the |
X509 Certificate Not-Before Validity Timestamp | "x509 certificate not-before validity timestamp" | The start of the certificate's validity period (the notBefore field). The value is the number of seconds since the epoch (1970-01-01 00:00:00 UTC). This value might be useful in understanding why the |
X509 Certificate Public Key Algorithm | "x509 certificate public key algorithm" | Identifies the algorithm that is used for the public key in the certificate, for example rsaEncryption. |
X509 Certificate Public Key Size | "x509 certificate public key size" | The size of the public key in the certificate, for example 2048 bits. This value can be useful in understanding why a |
X509 Certificate Serial Number | "x509 certificate serial number" | The serial number of the certificate, which the issuing certificate authority assigns so that it is unique among the certificates that CA has issued. Together with the issuer name, it identifies the certificate in a certificate revocation list. |
X509 Certificate Signature Algorithm | "x509 certificate signature algorithm" | Identifies the algorithm that was used to sign the certificate, for example sha256WithRSAEncryption. If this value doesn't match the |
X509 Certificate Subject Alternative Names | "x509 certificate subject alternative names" | Names that the certificate can also be used for. The names are displayed as a comma-separated list; for example, |
X509 Certificate Subject Common Name | "x509 certificate subject common name" | The common name of the entity that the certificate belongs to. This entry is the last 'CN = ' segment of the Subject Name; for example, |
X509 Certificate Subject Name | "x509 certificate subject name" | The full name of the entity that the certificate belongs to; for example, C=US, ST=New York, L=Armonk, O=IBM, CN=www.ibm.com. The Subject Name, Subject Common Name, and Subject Alternative Names fields are useful in providing context about a flow that would otherwise appear only as SSL/TLS. |
X509 Certificate To-Be-Signed Signature Algorithm | "x509 certificate to-be-signed signature algorithm" | Identifies the signature algorithm declared inside the signed (to-be-signed) portion of the certificate. A well-formed certificate carries the same algorithm here and in the outer Signature Algorithm. If this value doesn't match the Signature Algorithm, then a |
X509 Certificate Version | "x509 certificate version" | The version of the X.509 standard that the certificate conforms to. For most certificates, this value is 3. |
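The TLS JA3 Hash and TLS JA3S Hash fields in the table are fingerprints of the ClientHello and ServerHello messages, not hashes of a file. The following Python is an added example, not code from JSA or Network Insights: it builds constructed ClientHello and ServerHello records (the cipher lists, curves, SNI value and extension order are assumptions chosen for the demonstration), parses them the way a flow inspector would, filters out GREASE values as the JA3 specification requires, and derives the JA3 and JA3S strings and their MD5 hashes.

```python
"""JA3 / JA3S fingerprints from TLS Hello messages (added example, not JSA code)."""
import hashlib
import struct


def is_grease(value):
    """GREASE values (RFC 8701) are 0x0A0A, 0x1A1A, ..., 0xFAFA.  Browsers randomise
    them per connection, so JA3 excludes them to keep the fingerprint stable."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def _record(msg_type, body):
    """Wrap a Hello body in a handshake header and a TLS record header."""
    handshake = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def build_client_hello(ciphers, groups, point_formats, sni=b"example.test", grease=True):
    """Constructed TLS 1.2-style ClientHello (RFC 5246 7.4.1.2), not a capture.
    With grease=True a GREASE cipher, group and extension are mixed in."""
    g = [0x0A0A] if grease else []
    sni_body = struct.pack("!HBH", len(sni) + 3, 0, len(sni)) + sni
    groups_body = struct.pack("!H", 2 * len(g + groups)) + b"".join(struct.pack("!H", x) for x in g + groups)
    pf_body = bytes([len(point_formats)]) + bytes(point_formats)
    sigalg_body = struct.pack("!HHH", 4, 0x0403, 0x0804)      # ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256
    alpn_body = struct.pack("!H", 12) + b"\x02h2\x08http/1.1"
    extensions = ((_ext(0x0A0A, b"\x00") if grease else b"") + _ext(0x0000, sni_body)
                  + _ext(0x000A, groups_body) + _ext(0x000B, pf_body)
                  + _ext(0x000D, sigalg_body) + _ext(0x0010, alpn_body))
    cipher_bytes = struct.pack("!H", 2 * len(g + ciphers)) + b"".join(struct.pack("!H", c) for c in g + ciphers)
    body = (struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"   # version, random, empty session id
            + cipher_bytes + b"\x01\x00"                          # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    return _record(1, body)


def build_server_hello(cipher):
    """Constructed ServerHello selecting one cipher and answering three extensions."""
    extensions = _ext(0x0000, b"") + _ext(0xFF01, b"\x00") + _ext(0x000B, b"\x01\x00")
    body = (struct.pack("!H", 0x0303) + b"\x22" * 32 + b"\x00"
            + struct.pack("!H", cipher) + b"\x00"                 # chosen cipher, null compression
            + struct.pack("!H", len(extensions)) + extensions)
    return _record(2, body)


def parse_hello(record):
    """Parse the ClientHello (type 1) or ServerHello (type 2) carried in a TLS record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack_from("!H", record, 3)[0]]
    msg_type, body = hs[0], hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack_from("!H", body, 0)[0]
    off = 2 + 32                          # skip the 32-byte random
    off += 1 + body[off]                  # skip the session id
    if msg_type == 1:
        n = struct.unpack_from("!H", body, off)[0]
        ciphers = [struct.unpack_from("!H", body, off + 2 + i)[0] for i in range(0, n, 2)]
        off += 2 + n
        off += 1 + body[off]              # skip the compression methods
    elif msg_type == 2:
        ciphers = [struct.unpack_from("!H", body, off)[0]]
        off += 2 + 1                      # chosen cipher, chosen compression method
    else:
        raise ValueError("not a Hello message")
    exts, groups, point_formats = [], [], []
    if off < len(body):
        end = off + 2 + struct.unpack_from("!H", body, off)[0]
        off += 2
        while off < end:
            et, ln = struct.unpack_from("!HH", body, off)
            data = body[off + 4:off + 4 + ln]
            off += 4 + ln
            exts.append(et)
            if et == 0x000A:              # supported_groups (elliptic curves)
                n = struct.unpack_from("!H", data, 0)[0]
                groups = [struct.unpack_from("!H", data, 2 + i)[0] for i in range(0, n, 2)]
            elif et == 0x000B:            # ec_point_formats
                point_formats = list(data[1:1 + data[0]])
    return {"type": msg_type, "version": version, "ciphers": ciphers,
            "extensions": exts, "groups": groups, "point_formats": point_formats}


def _join(values):
    return "-".join(str(v) for v in values if not is_grease(v))


def ja3(client_hello):
    """JA3 string 'version,ciphers,extensions,groups,point_formats' and its MD5."""
    h = parse_hello(client_hello)
    s = ",".join([str(h["version"]), _join(h["ciphers"]), _join(h["extensions"]),
                  _join(h["groups"]), _join(h["point_formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()


def ja3s(server_hello):
    """JA3S string 'version,cipher,extensions' and its MD5."""
    h = parse_hello(server_hello)
    s = ",".join([str(h["version"]), _join(h["ciphers"]), _join(h["extensions"])])
    return s, hashlib.md5(s.encode()).hexdigest()


if __name__ == "__main__":
    ch = build_client_hello([0x1301, 0x1302, 0xC02B, 0xC02F], [29, 23, 24], [0])
    print("JA3 ", *ja3(ch))
    print("JA3S", *ja3s(build_server_hello(0xC02F)))
```

Two properties matter when you pivot on these fields: the hash is identical whether or not the client sends GREASE values, so a browser's fingerprint does not change between connections, and the version component is the client_version from the Hello body, not the record-layer version, which is why TLS 1.3 clients still fingerprint as 771.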
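The File Entropy, File Size and MD5/SHA1/SHA256 File Hash fields are the values a flow inspector records for a file it has extracted. The following Python is an added example, not JSA or Network Insights code: it computes those values for a constructed sample file (not a capture) and also scans the file in fixed windows, so that an encrypted or packed blob embedded in otherwise plain content is found even though the whole-file entropy averages it away. The 7.2 and 7.5 thresholds are assumptions for the demonstration, not product settings.

```python
"""File entropy and hashes for an extracted file (added example, not JSA code)."""
import hashlib
import math
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for a constant byte, 8.0 when all 256 byte
    values are equally frequent, as in encrypted or well-compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_hashes(data):
    """The three hash fields.  MD5 is kept for threat-intel lookups; rely on
    SHA256 where the hash must identify the file, since MD5 is collision-prone."""
    return {"md5 file hash": hashlib.md5(data).hexdigest(),
            "sha1 file hash": hashlib.sha1(data).hexdigest(),
            "sha256 file hash": hashlib.sha256(data).hexdigest()}


def file_fields(data, high_entropy=7.2):
    """Assemble the file-related fields for an extracted file.  The threshold
    is an assumption for this example; tune it on your own traffic."""
    entropy = shannon_entropy(data)
    fields = {"file size": len(data), "file entropy": round(entropy, 3),
              "high entropy": entropy >= high_entropy}
    fields.update(file_hashes(data))
    return fields


def entropy_windows(data, window=256, step=256):
    """Entropy per window, which exposes an encrypted blob embedded in a plain
    file that the whole-file value would hide."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data) - window + 1, step)]


def suspicious_regions(data, window=256, threshold=7.5):
    """Offsets of windows whose entropy reaches the threshold."""
    return [off for off, e in entropy_windows(data, window, window) if e >= threshold]


# Constructed sample: a plain config-like file with an embedded 1 KiB blob in which
# every byte value occurs equally often (entropy exactly 8.0 over any 256-byte window).
PLAIN = b"host=corp.example.test\nuser=alice\n" * 40      # 1360 bytes of low-entropy text
BLOB = bytes(range(256)) * 4                                # 1024 bytes, uniform distribution
SAMPLE = PLAIN + BLOB + PLAIN


if __name__ == "__main__":
    print(file_fields(SAMPLE))
    print("high-entropy windows at offsets", suspicious_regions(SAMPLE))
```

On the sample the whole-file entropy stays below the 7.2 threshold because the text dominates, while the windowed scan flags the three 256-byte windows that lie entirely inside the blob; that is the difference to keep in mind when a File Entropy value looks unremarkable for a large file.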