# Extensions Fields

All other first-class, event-specific metadata goes in this message. Do not place protocol metadata in Extensions; put it in Network.

## Extensions Field Details
### extensions.auth.auth_details

Description: The vendor-defined details of the authentication.
Type: String

### extensions.auth.mechanism

Description: The authentication mechanism.
Type: ArrayEnum

| Enum | Description |
|---|---|
| MECHANISM_UNSPECIFIED | The default mechanism. |
| USERNAME_PASSWORD | Username + password authentication. |
| OTP | OTP authentication. |
| HARDWARE_KEY | Hardware key authentication. |
| LOCAL | Local authentication. |
| REMOTE | Remote authentication. |
| REMOTE_INTERACTIVE | RDP, Terminal Services, VNC, etc. |
| MECHANISM_OTHER | Some other mechanism that is not defined here. |
| BADGE_READER | Badge reader authentication. |
| NETWORK | Network authentication. |
| BATCH | Batch authentication. |
| SERVICE | Service authentication. |
| UNLOCK | Direct human-interactive unlock authentication. |
| NETWORK_CLEAR_TEXT | Network clear text authentication. |
| NEW_CREDENTIALS | Authentication with new credentials. |
| INTERACTIVE | Interactive authentication. |
| CACHED_INTERACTIVE | Interactive authentication using cached credentials. |
| CACHED_REMOTE_INTERACTIVE | Cached Remote Interactive authentication using cached credentials. |
| CACHED_UNLOCK | Cached Remote Interactive authentication using cached credentials. |
### extensions.auth.type

Description: The type of authentication.
Type: Enum

| Enum | Description |
|---|---|
| AUTHTYPE_UNSPECIFIED | The default type. |
| MACHINE | A machine authentication. |
| SSO | An SSO authentication. |
| VPN | A VPN authentication. |
| PHYSICAL | A physical authentication (e.g. "Badge reader"). |
| TACACS | A TACACS-family protocol for networked systems authentication (e.g. TACACS, TACACS+). |
### extensions.vulns.vulnerabilities[n].cve_description

Description: Common Vulnerabilities and Exposures description. https://cve.mitre.org/about/faqs.html#what_is_cve_record
Type: String

### extensions.vulns.vulnerabilities[n].cve_id

Description: Common Vulnerabilities and Exposures ID. https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id
Type: String

### extensions.vulns.vulnerabilities[n].cvss_base_score

Description: CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting.
Type: Number
### extensions.vulns.vulnerabilities[n].cvss_vector

Description: Vector of CVSS properties (e.g. "AV:L/AC:H/Au:N/C:N/I:P/A:C"). Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=VALUE
Type: String
### extensions.vulns.vulnerabilities[n].cvss_version

Description: Version of the CVSS vector/score.
Type: String

### extensions.vulns.vulnerabilities[n].description

Description: Description of the vulnerability.
Type: String

### extensions.vulns.vulnerabilities[n].first_found

Description: Products that maintain a history of vulnerability scans should populate first_found with the time that a scan first detected the vulnerability on this asset.
Type: String

### extensions.vulns.vulnerabilities[n].last_found

Description: Products that maintain a history of vulnerability scans should populate last_found with the time that a scan last detected the vulnerability on this asset.
Type: String

### extensions.vulns.vulnerabilities[n].name

Description: Name of the vulnerability (e.g. "Unsupported OS Version detected").
Type: String

### extensions.vulns.vulnerabilities[n].scan_end_time

Description: If the vulnerability was discovered during an asset scan, this field should be populated with the time the scan ended. It can be left unset if the end time is not available or not applicable.
Type: String

### extensions.vulns.vulnerabilities[n].scan_start_time

Description: If the vulnerability was discovered during an asset scan, this field should be populated with the time the scan started. It can be left unset if the start time is not available or not applicable.
Type: String

### extensions.vulns.vulnerabilities[n].severity

Description: The severity of the vulnerability.
Type: Enum

| Enum | Description |
|---|---|
| UNKNOWN_SEVERITY | The default severity level. |
| LOW | Low severity. |
| MEDIUM | Medium severity. |
| HIGH | High severity. |
| CRITICAL | Critical severity. |
### extensions.vulns.vulnerabilities[n].severity_details

Description: Vendor-specific severity.
Type: String
### extensions.vulns.vulnerabilities[n].vendor

Description: Vendor of the scan that discovered the vulnerability.
Type: String

### extensions.vulns.vulnerabilities[n].vendor_knowledge_base_article_id

Description: Vendor-specific knowledge base article ID (e.g. "KBXXXXXX" from Microsoft). https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase
Type: String

### extensions.vulns.vulnerabilities[n].vendor_vulnerability_id

Description: Vendor-specific vulnerability ID (e.g. Microsoft security bulletin ID).
Type: String

### extensions.vulns.vulnerabilities

Description: A list of vulnerabilities.
Type: Array
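The following is an added example, not part of this reference and not Chronicle's own parser or SDK. It maps a constructed vulnerability-scanner record onto the `extensions.vulns.vulnerabilities[n]` fields listed above, checks the constraints the reference states (the severity enum values, the 0.0 to 10.0 range of `cvss_base_score`, ordering of `first_found`/`last_found` and `scan_start_time`/`scan_end_time`), validates `extensions.auth` enum values against the tables above, and builds the NVD v2 calculator link the `cvss_vector` entry describes. The scanner record layout, the vendor name `ExampleScanner` and the RFC 3339 timestamp format are assumptions.

```python
"""Build and validate a UDM-shaped `extensions` message from a scanner finding.
Added example for this field reference; not Chronicle's own code.  Field names
and enum values come from the reference; the scanner record, the vendor name
and the RFC 3339 timestamp format are assumptions."""
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import quote

# Enum values exactly as listed in the reference tables.
SEVERITIES = {"UNKNOWN_SEVERITY", "LOW", "MEDIUM", "HIGH", "CRITICAL"}
AUTH_TYPES = {"AUTHTYPE_UNSPECIFIED", "MACHINE", "SSO", "VPN", "PHYSICAL", "TACACS"}
AUTH_MECHANISMS = {
    "MECHANISM_UNSPECIFIED", "USERNAME_PASSWORD", "OTP", "HARDWARE_KEY", "LOCAL",
    "REMOTE", "REMOTE_INTERACTIVE", "MECHANISM_OTHER", "BADGE_READER", "NETWORK",
    "BATCH", "SERVICE", "UNLOCK", "NETWORK_CLEAR_TEXT", "NEW_CREDENTIALS",
    "INTERACTIVE", "CACHED_INTERACTIVE", "CACHED_REMOTE_INTERACTIVE", "CACHED_UNLOCK",
}
# The reference links CVSS v2 vectors to this calculator.
NVD_V2_CALC = "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector="

# Constructed scanner record (hypothetical vendor output), not real data.
SCANNER_FINDING = {
    "plugin_name": "Unsupported OS Version detected",
    "cve": "CVE-0000-00000",            # placeholder, not a real CVE id
    "cvss2_score": "7.1",
    "cvss2_vector": "AV:L/AC:H/Au:N/C:N/I:P/A:C",
    "risk": "High",
    "first_seen": "2024-01-10T08:00:00Z",
    "last_seen": "2024-01-12T08:00:00Z",
    "scan_started": "2024-01-12T07:30:00Z",
    "scan_finished": "2024-01-12T07:45:00Z",
}


def _ts(value: str) -> datetime:
    """Parse an RFC 3339 timestamp (assumed format; 'Z' suffix allowed)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def nvd_link(cvss_vector: str, cvss_version: str) -> Optional[str]:
    """Return the NVD v2 calculator link from the reference; v2 vectors only."""
    if cvss_version != "2.0":
        return None
    return NVD_V2_CALC + quote(cvss_vector, safe="/:")


def map_vulnerability(finding: dict) -> dict:
    """Map the scanner record onto the vulnerabilities[n] field names."""
    return {
        "name": finding["plugin_name"],
        "cve_id": finding["cve"],
        "cvss_version": "2.0",
        "cvss_vector": finding["cvss2_vector"],
        "cvss_base_score": float(finding["cvss2_score"]),
        "severity": finding["risk"].upper(),      # scanner's "High" -> HIGH
        "severity_details": finding["risk"],      # keep the vendor's own label
        "vendor": "ExampleScanner",               # hypothetical vendor name
        "first_found": finding["first_seen"],
        "last_found": finding["last_seen"],
        "scan_start_time": finding["scan_started"],
        "scan_end_time": finding["scan_finished"],
    }


def validate_vulnerability(vuln: dict) -> list:
    """Return the constraints from the reference that the entry violates."""
    errors = []
    if vuln.get("severity") not in SEVERITIES:
        errors.append(f"severity {vuln.get('severity')!r} is not a listed enum value")
    score = vuln.get("cvss_base_score")
    if score is not None and not 0.0 <= score <= 10.0:
        errors.append(f"cvss_base_score {score} outside 0.0..10.0")
    for start, end in (("first_found", "last_found"), ("scan_start_time", "scan_end_time")):
        if vuln.get(start) and vuln.get(end) and _ts(vuln[start]) > _ts(vuln[end]):
            errors.append(f"{start} is later than {end}")
    return errors


def validate_auth(auth: dict) -> list:
    """Check extensions.auth.type (Enum) and .mechanism (ArrayEnum) values."""
    errors = []
    if "type" in auth and auth["type"] not in AUTH_TYPES:
        errors.append(f"auth.type {auth['type']!r} is not a listed enum value")
    for mech in auth.get("mechanism", []):
        if mech not in AUTH_MECHANISMS:
            errors.append(f"auth.mechanism {mech!r} is not a listed enum value")
    return errors


def build_extensions(finding: dict) -> dict:
    """Assemble the extensions message; raise if a constraint is violated."""
    vuln = map_vulnerability(finding)
    errors = validate_vulnerability(vuln)
    if errors:
        raise ValueError("; ".join(errors))
    return {"vulns": {"vulnerabilities": [vuln]}}


if __name__ == "__main__":
    ext = build_extensions(SCANNER_FINDING)
    print(ext)
    print(nvd_link(ext["vulns"]["vulnerabilities"][0]["cvss_vector"], "2.0"))
    print(validate_auth({"type": "VPN", "mechanism": ["USERNAME_PASSWORD", "OTP"]}))
```

The vendor's own label is kept in `severity_details` while `severity` carries the normalized enum value, so a scanner rating that has no counterpart in the enum (an "Informational" finding, say) is reported as a validation error rather than silently mapped.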