Data dictionaries for Syslog
Data dictionary for User Activity
This section details the user activity fields. The table displays Syslog and Kinesis output data elements for user activity. The table entries are alphabetized.
Note
For the Amazon Kinesis and General SIEM System destination types, you can request threats and user activity.
Field Name | Type | Description |
---|---|---|
action | String | A description of the action that occurred in the Mobile Security console, such as User Login Failed or Policy Published. The possible actions are listed below. |
date | String | The date and time of the action in a format such as “04 15 2021 15:00:03 UTC”. |
user | String | The email of the user performing the action or the name of the program making the change. |
The list of actions can include the following events:
Audit Event Sample Analysis Event
Developer Sign Added Event
Developer Sign Already Exist Event
Developer Sign Removed Event
ExportConfigurationCreated
ExportConfigurationUpdated
Mark as Approved
Mark as Fixed
Privacy Published
Sample Blacklisted Event
Sample Created Event
Sample Out Of Compliance Event
Sample Removed From Blacklist Event
Sample Removed From Out Of Compliance Event
Sample Removed From Whitelist Event
Sample Renamed Event
Sample Rescanned Event
Sample Whitelisted Event
User Deleted
User Login Failed
User Logout
User Updated
UserInvited
UserLogin
Data dictionary for Syslog threats
About field availability
Syslog output fields for each mode are detailed in the following sections. The field table's rows indicate if the field is "available" for all or some threat types. Field availability is described below.
All Threats: This field can be applied to all threat types.
Multiple Threats: This field is applicable to more than one threat type.
Threat Specific: This field is applicable to only one threat type.
Concise mode fields
This table shows the data elements in the Syslog output for a concise mode request. These table entries are in alphabetical order.
Note
A field marked as applying to all threats may still be absent from a given event: its value can be null, or the field may not be captured and reported because of the Mobile Security console policy settings.
Field Name | Description | Availability |
---|---|---|
device_info | Device information with the fields below | All Threats |
device_info.app | App name reporting the threat events | All Threats |
device_info.app_version | Version of the app reporting the threat events | All Threats |
device_info.developer_options_on (a) | Applies to Android devices and indicates that Developer options are turned on | All Threats |
device_info.device_id | Device identifier. | All Threats |
device_info.device_time | Timestamp on the device at the time of the event and the time zone. | All Threats |
device_info.disk_not_encrypted (a) | Disk encryption is not enabled on the device. | All Threats |
device_info.imei | Unique device identifier. | All Threats |
device_info.jailbroken | Jailbroken status as a boolean | All Threats |
device_info.lock_screen_unprotected (a) | The device pin is not set on the device. | All Threats |
device_info.model | Device model string, for instance, “Nexus 5” | All Threats |
device_info.mdm_id | MDM identifier if the device is part of an MDM deployment. | All Threats |
device_info.mam_id (c) | MAM identifier if the device is part of a MAM deployment. | All Threats |
device_info.operator | Mobile network operator | All Threats |
device_info.os | Operating system, for instance, “Android” | All Threats |
device_info.os_version | Operating system version, for instance, 7.1.1. | All Threats |
device_info.stagefright_vulnerable (a) | The Stagefright vulnerability is present on the device. | All Threats |
device_info.tag1 | Unique tag set through the IAP SDK setTrackingIds() method. | All Threats |
device_info.tag2 | Unique tag set through the IAP SDK setTrackingIds() method. | All Threats |
device_info.type | Device name or model | All Threats |
device_info.usb_debugging_enabled (a) | The debugging mode for USB on Android devices is turned on | All Threats |
device_info.app_instance_id | App instance identifier (bundle identifier) | All Threats |
device_info.zdid | An internal database identifier, for instance, “5b9938d4f92a260e08a1812a” | All Threats |
event_id | Threat event identifier | All Threats |
eventtimestamp | Timestamp at the time of the event and the time zone. | All Threats |
location | User device location with the fields shown below. Note: all location-related entries require that Enable Forensics Data is set in the Privacy Policy, that the device has received the Privacy Policy, and that the end user accepted the location permission for the Mobile Security app (and for apps managed through an MDM solution). | All Threats |
location.accuracy | Accuracy information | All Threats |
location.country_name | Country name (optional) | All Threats |
location.exact | Boolean indicating whether the device location is exact | All Threats |
location.p | Current user device GPS location | All Threats |
location.p.[n] | Sequence of the current user device GPS location | All Threats |
location.previous_sample | Previous user device GPS location | All Threats |
location.previous_sample.p | Previous user device GPS location | All Threats |
location.previous_sample.p.[n] | Sequence of the previous user device GPS location | All Threats |
location.previous_sample.time | Previous location sampling timestamp | All Threats |
location.previous_sample.time.$date | Previous location sampling timestamp | All Threats |
location.sampled_time | Location sampling timestamp | All Threats |
location.sampled_time.$date | Location sampling timestamp | All Threats |
location.source | GPS or geo IP address | All Threats |
location.state_name | State | All Threats |
mitigated | Boolean indicating if the end-user took an action | All Threats |
severity | Threat severity: 0 = Normal, 1 = Low, 2 = Elevated, 3 = Critical | All Threats |
system_token | Unique identifier for a customer | All Threats |
threat | Threat information | All Threats |
threat.category (b) | Indicates whether the threat is a singular or composite threat. Values are: Singular, Composite | All Threats |
threat.child_threat_uuids (b) | The set of child (singular) threats that make up the composite threat. Each value matches the threat_uuid field of a child threat event. | Multiple Threats |
threat.general | General threat information with the fields below | All Threats |
threat.general.action_triggered | Action triggered on the user device as a string, for instance, “Alert User” | All Threats |
threat.general.attacker_bssid | Attacker MAC address of the wireless access point | Multiple Threats |
threat.general.attacker_ip | Attacker device IP address | Multiple Threats |
threat.general.attacker_mac | Attacker device MAC address | Multiple Threats |
threat.general.attacker_ssid | Attacker network name of the wireless access point | Multiple Threats |
threat.general.basestation | Cellular base station information | All Threats |
threat.general.basestation.mnc | Mobile network code | All Threats |
threat.general.basestation.psc | Primary scrambling code | All Threats |
threat.general.basestation.type | Base station type | All Threats |
threat.general.basestation.cid | Base station cell identifier | All Threats |
threat.general.basestation.mcc | Mobile country code | All Threats |
threat.general.basestation.lac | Location area code | All Threats |
threat.general.certificate | SSL certificate collected | Multiple Threats |
threat.general.change_type | Change Type | Multiple Threats |
threat.general.device_ip | User device IP | All Threats |
threat.general.device_mac | User device MAC address | All Threats |
threat.general.device_time | User device Timestamp | All Threats |
threat.general.dns_after_change | DNS IP After Change | Threat Specific |
threat.general.dns_before_change | DNS IP Before Change | Threat Specific |
threat.general.event | Reason for the detection | Threat Specific |
threat.general.external_ip | User device External IP address | All Threats |
threat.general.file_hash | File hash of the downloaded or installed app | Threat Specific |
threat.general.file_name | File name of the downloaded or installed app | Threat Specific |
threat.general.file_path | File path of the file system change | Threat Specific |
threat.general.gateway_after_change | Gateway IP after change | Threat Specific |
threat.general.gateway_before_change | Gateway IP before change | Threat Specific |
threat.general.gateway_ip | User device Gateway IP | All Threats |
threat.general.gateway_mac | User device Gateway MAC address | All Threats |
threat.general.imei | Unique device identifier | All Threats |
threat.general.jailbreak_reasons | Reasons for the jailbreak detection | Multiple Threats |
threat.general.malware_list | Malware threat family name, score | All Threats |
threat.general.network | Network name where the user device was connected at the time of event | All Threats |
threat.general.network_bssid | Network BSSID where the user device was connected at the time of event | All Threats |
threat.general.network_interface | Network interface information | Multiple Threats |
threat.general.process | Process name | Multiple Threats |
threat.general.proxy_after_change | Proxy IP after change | Threat Specific |
threat.general.sideloaded_app_developer | Developer of the sideloaded app | Multiple Threats |
threat.general.sideloaded_app_name | App name of the sideloaded app | Threat Specific |
threat.general.sideloaded_app_package | Package name of the sideloaded app | Threat Specific |
threat.general.stagefright_vulnerability_report | Stagefright CVE list | Threat Specific |
threat.general.suspected_url | Suspicious URL | Multiple Threats |
threat.general.suspicious_profile_info | Suspicious profile information | Multiple Threats |
threat.general.suspicious_profile_name | Suspicious profile name | Multiple Threats |
threat.general.suspicious_profile_type | Suspicious profile type | Multiple Threats |
threat.general.threat_type | Threat name, for instance, MITM - Fake SSL certificate | All Threats |
threat.general.time_interval | Time that has passed since connecting to the network (in seconds) | All Threats |
threat.mitre_tactics (b) | A list of the MITRE tactics for the threat. These apply to most threats. | Multiple Threats |
threat.name | Threat name, for instance, MITM - Fake SSL certificate | All Threats |
threat.story | Threat summary, for instance "Detected a network interception attack. The attack took place at ..." | All Threats |
threat.threat_uuid (b) | This is an internal identifier for the threat and is used with ‘child_threat_uuids’ to identify components or children of a composite threat. | All Threats |
user_info | User information with the fields below | All Threats |
user_info.employee_name | End user's name on the Mobile Security console, for instance, “Becky Smith” | All Threats |
user_info.user_email | End user's email on the Mobile Security console, for instance, “[email protected]” | All Threats |
user_info.user_id (a) | The user's identifier, if available. | All Threats |
user_info.user_group | End user's group on the Mobile Security console, for instance, “Default Group” | All Threats |
user_info.user_role | End user's role on the Mobile Security console, for instance, “End User” | All Threats |
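The availability note and the composite-threat fields above (threat.category, threat.child_threat_uuids, threat.threat_uuid) are the parts of this dictionary that most often trip up a SIEM ingest pipeline: fields can be missing or null even when marked "All Threats", severity is an integer code, and a composite threat's children arrive as separate events. The following is an added example, not code from the original page or from the product. It assumes each event is delivered as one JSON object keyed as in the concise-mode table; the sample feed is constructed, and every threat name except "MITM - Fake SSL certificate" and the element order inside location.p are hypothetical.

```python
"""Consume concise-mode Mobile Security threat events from a Syslog/Kinesis feed.

Added example; not code from the original page or the product. Assumes each
event is one JSON object keyed as in the concise-mode data dictionary. The
events in SAMPLE_FEED are constructed, not captured output.
"""
import json
from typing import Any, Dict, List

# Severity encoding taken from the "severity" row of the data dictionary.
SEVERITY_LABELS = {0: "Normal", 1: "Low", 2: "Elevated", 3: "Critical"}

# Constructed sample feed: one composite threat plus its two child threats.
# Threat names other than "MITM - Fake SSL certificate" are hypothetical.
SAMPLE_FEED: List[str] = [
    json.dumps({
        "event_id": "evt-1001", "severity": 3, "mitigated": False,
        "device_info": {"device_id": "dev-42", "os": "Android", "os_version": "7.1.1"},
        "user_info": {"user_email": "becky.smith@example.com", "user_group": "Default Group"},
        "threat": {"category": "Composite", "threat_uuid": "uuid-comp-1",
                   "child_threat_uuids": ["uuid-child-1", "uuid-child-2"],
                   "name": "Network Interception (hypothetical composite name)",
                   "general": {"attacker_ip": "192.0.2.10", "gateway_ip": "192.0.2.1"}},
        # No "location" key: forensics data was not enabled in the privacy policy.
    }),
    json.dumps({
        "event_id": "evt-1002", "severity": 2, "mitigated": True,
        "device_info": {"device_id": "dev-42"},
        "user_info": {"user_email": "becky.smith@example.com"},
        "threat": {"category": "Singular", "threat_uuid": "uuid-child-1",
                   "name": "MITM - Fake SSL certificate",
                   "general": {"attacker_ip": "192.0.2.10", "certificate": "PEM-OMITTED"}},
        # Element order inside location.p is assumed to be [latitude, longitude].
        "location": {"source": "GPS", "exact": True, "p": [52.52, 13.405]},
    }),
    json.dumps({
        "event_id": "evt-1003", "severity": None, "mitigated": True,  # null severity
        "device_info": {"device_id": "dev-42"},
        "user_info": {"user_email": None},
        "threat": {"category": "Singular", "threat_uuid": "uuid-child-2",
                   "name": "MITM - ARP poisoning (hypothetical name)",
                   "general": {"attacker_mac": "00:11:22:33:44:55"}},
    }),
]


def get_path(event: Dict[str, Any], path: str, default: Any = None) -> Any:
    """Walk a dotted field name such as "threat.general.attacker_ip".

    A missing key and an explicit null both yield `default`: a field that
    "applies to all threats" can still be absent or null in a given event.
    """
    cur: Any = event
    for key in path.split("."):
        if not isinstance(cur, dict) or cur.get(key) is None:
            return default
        cur = cur[key]
    return cur


def normalize(raw: str) -> Dict[str, Any]:
    """Flatten one JSON event into the keys a SIEM correlation rule joins on."""
    event = json.loads(raw)
    severity = get_path(event, "severity")
    return {
        "event_id": get_path(event, "event_id"),
        "threat_uuid": get_path(event, "threat.threat_uuid"),
        "category": get_path(event, "threat.category", "Singular"),  # assumed default
        "name": get_path(event, "threat.name"),
        "severity": severity,
        "severity_label": SEVERITY_LABELS.get(severity, "Unknown"),
        "mitigated": bool(get_path(event, "mitigated", False)),
        "device_id": get_path(event, "device_info.device_id"),
        "user_email": get_path(event, "user_info.user_email"),
        # Network threats report an attacker IP or, failing that, a MAC.
        "attacker": get_path(event, "threat.general.attacker_ip")
        or get_path(event, "threat.general.attacker_mac"),
        "location_source": get_path(event, "location.source"),
        "children": list(get_path(event, "threat.child_threat_uuids", [])),
    }


def link_composites(records: List[Dict[str, Any]]) -> Dict[str, Dict[str, list]]:
    """Resolve each composite threat to its child records via child_threat_uuids.

    Children referenced but not present in the feed are listed under "missing",
    so partial delivery is distinguishable from a complete join.
    """
    by_uuid = {r["threat_uuid"]: r for r in records if r["threat_uuid"]}
    links: Dict[str, Dict[str, list]] = {}
    for rec in records:
        if rec["category"] != "Composite":
            continue
        links[rec["threat_uuid"]] = {
            "children": [by_uuid[u] for u in rec["children"] if u in by_uuid],
            "missing": [u for u in rec["children"] if u not in by_uuid],
        }
    return links


def open_critical(records: List[Dict[str, Any]]) -> List[str]:
    """Event IDs of Critical (3) threats the end user has not mitigated."""
    return [r["event_id"] for r in records if r["severity"] == 3 and not r["mitigated"]]


def process_feed(feed: List[str]) -> Dict[str, Any]:
    """Parse a batch of raw events into records, composite links and open criticals."""
    records = [normalize(line) for line in feed]
    return {"records": records, "composites": link_composites(records),
            "open_critical": open_critical(records)}
```

Because `get_path` treats null and absent identically, the location-gated fields (everything under `location`) simply come back as `None` when forensics data is disabled, and a null `severity` maps to "Unknown" rather than raising. Correlating on `threat_uuid` rather than `event_id` is what lets the composite event and its children be joined even when they arrive out of order.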
Verbose/forensics mode fields
The table lists the additional items reported in verbose mode, which includes forensic threat data. A verbose mode event carries all of the concise mode fields plus the fields below.
Note
Some specific threat types provide additional fields outside of the data fields listed.
Field Name | Description | Availability |
---|---|---|
forensics | Forensics information | All Threats |
forensics.BSSID | MAC address of the wireless access point (BSSID) | All Threats |
forensics.SSID | Network name | All Threats |
forensics.android_compatibility_check_response | Android compatibility check response collected for the following threats: Android Device Compatibility Not Test By Google; Android Device Possible Tampering | Multiple Threats |
forensics.app_tampering_reasons | Reasons to detect app tampering event | Threat Specific |
forensics.attack_time | Unix timestamp at the time of event | All Threats |
forensics.attack_time.$date | Unix timestamp at the time of event | All Threats |
forensics.baseline_traceroute | Bitdefender internal field | Threat Specific |
forensics.captive_portal_after | HTML response collected for the Bitdefender URL after the attack | Multiple Threats |
forensics.captive_portal_before | HTML response collected for the Bitdefender URL before the attack | Multiple Threats |
forensics.close_networks | Android shows the nearby networks and iOS shows the currently connected network | All Threats |
forensics.close_networks.[n] | Sequence where Android shows the nearby networks and iOS shows the current connected network | All Threats |
forensics.close_networks.[n].BSSID | Android shows the BSSID of the nearby networks and iOS shows the BSSID of the current connected network | All Threats |
forensics.close_networks.[n].SSID | Android shows the network name (SSID) of the nearby networks and iOS shows the network name (SSID) of the current connected network | All Threats |
forensics.close_networks.[n].capabilities | Wireless security protocols supported by the nearby networks, for example, WEP, WPA, and WPA2 | All Threats |
forensics.close_networks.[n].frequency | Frequency of the nearby networks, for example, 2.4 GHz and 5 GHz | All Threats |
forensics.close_networks.[n].level | Signal strength (-35 to -95) | All Threats |
forensics.dangerzone_nearby_wifi | Suspicious nearby network | Multiple Threats |
forensics.directory_entries | Files listed in the /usr/lib/ folder of an iOS device | All Threats |
forensics.directory_entries.[n] | Sequence of the files listed in the /usr/lib/ folder of an iOS device | All Threats |
forensics.directory_entries.[n].file_name | File name of the files in the /usr/lib/ folder of an iOS device | All Threats |
forensics.directory_entries.[n].file_size | File size of the files in the /usr/lib/ folder of an iOS device | All Threats |
forensics.directory_entries.[n].hash | File hash of the files in the /usr/lib/ folder of an iOS device | All Threats |
forensics.directory_entries.[n].is_symlink | Whether the listed file in the /usr/lib/ folder of an iOS device is a symlink | All Threats |
forensics.directory_entries.[n].nlink | Number of hard links of the files listed in the /usr/lib/ folder of an iOS device | All Threats |
forensics.directory_entries.[n].permission | Permissions of the files listed in the /usr/lib/ folder of an iOS device | All Threats |
forensics.dynamic_internal_name | An internal field used for detection- related debugging | Multiple Threats |
forensics.dynamic_trigger | An internal token or identifier for trigger information | Multiple Threats |
forensics.file_system_change | File system change event | Threat Specific |
forensics.file_system_change.change_type | Type of file system change | Threat Specific |
forensics.file_system_change.event | Reason for the file system change | Threat Specific |
forensics.file_system_change.full_path | Path of the file system change | Threat Specific |
forensics.forensics_app_version | If the app embeds an MDM solution, this field reports the version of the app | Multiple Threats |
forensics.forensics_os_version | If the app embeds an MDM solution, this field reports the OS version | Multiple Threats |
forensics.forensics_ziap_version | If the app embeds an MDM solution, this field reports the version of the MDM | Multiple Threats |
forensics.general | General information of the event | All Threats |
forensics.general.[n] | Sequence of general information of the event | All Threats |
forensics.general.[n].name | Multiple fields | All Threats |
forensics.general.[n].type | Multiple fields | All Threats |
forensics.general.[n].val | Multiple fields | All Threats |
forensics.host_attack | Device attack - event information | All Threats |
forensics.host_attack.application | App name of the suspicious Android app | Threat Specific |
forensics.host_attack.daemon_minflt | Bitdefender internal field | Threat Specific |
forensics.host_attack.daemon_minflt.[n] | Bitdefender internal fields | Threat Specific |
forensics.host_attack.daemon_rss | Bitdefender internal field | Threat Specific |
forensics.host_attack.daemon_rss.[n] | Bitdefender internal fields | Threat Specific |
forensics.host_attack.detected_locally | Detection source: DB or Cogito | Threat Specific |
forensics.host_attack.file_hash | Hash of the file download or installed | Threat Specific |
forensics.host_attack.filename | Name of the file download or installed | Threat Specific |
forensics.host_attack.info_after | Bitdefender internal field | Multiple Threats |
forensics.host_attack.info_after.selinux_context | Bitdefender internal field | Multiple Threats |
forensics.host_attack.info_after.user_id | Bitdefender internal field | Multiple Threats |
forensics.host_attack.info_before | Bitdefender internal field | Multiple Threats |
forensics.host_attack.info_before.selinux_context | Bitdefender internal field | Multiple Threats |
forensics.host_attack.info_before.user_id | Bitdefender internal field | Multiple Threats |
forensics.host_attack.is_blacklisted | Is the iOS app blacklisted by the administrator | Threat Specific |
forensics.host_attack.is_malicious | If the iOS app is already listed as malicious in the database | Threat Specific |
forensics.host_attack.malware_detection_source | Detection source where: | Multiple Threats |
forensics.host_attack.malware_matches | Malware information | Multiple Threats |
forensics.host_attack.malware_matches.[n] | Sequence of malware information | Multiple Threats |
forensics.host_attack.malware_matches.[n].name | Malware threat family name | Multiple Threats |
forensics.host_attack.malware_matches.[n].score | Bitdefender internal field | Multiple Threats |
forensics.host_attack.malware_matches.[n].signatures | Bitdefender internal field | Threat Specific |
forensics.host_attack.malware_matches.[n].signatures.[n] | Bitdefender internal field | Multiple Threats |
forensics.host_attack.malware_matches.[n].signatures.[n].hash | Bitdefender internal field | Multiple Threats |
forensics.host_attack.malware_matches.[n].signatures.[n].size | Bitdefender internal field | Multiple Threats |
forensics.host_attack.malware_matches.[n].signatures.[n].type | Bitdefender internal field | Multiple Threats |
forensics.host_attack.malware_scan_category | Category where: | Multiple Threats |
forensics.host_attack.malware_threat_name | Malware threat family name | Threat Specific |
forensics.host_attack.process | Process name | Multiple Threats |
forensics.host_attack.process_pid | Process identifier | Multiple Threats |
forensics.host_attack.suspected_url | Suspicious URL | Multiple Threats |
forensics.installer_source | Information on the installer source of the app | Multiple Threats |
forensics.json_jailbreak_reasons | Reasons for the jailbreak detection | Multiple Threats |
forensics.mitm_traceroute | Bitdefender internal field | Threat Specific |
forensics.network_encryption | Reports the network capabilities. For Android, this shows the encryption types supported on the network, such as WEP, WPA, and WPA2. For iOS, this field shows "Secured" or "Unsecured" | Multiple Threats |
forensics.network_subnet | Network subnet address if applicable | Multiple Threats |
forensics.network_threat | Network forensics | All Threats |
forensics.network_threat.arp_tables | ARP tables | All Threats |
forensics.network_threat.arp_tables.after | ARP tables collected seconds after detecting the attack | All Threats |
forensics.network_threat.arp_tables.after.table | ARP tables collected seconds after detecting the attack | All Threats |
forensics.network_threat.arp_tables.after.table.[n] | Sequence of the ARP tables collected seconds after detecting the attack | All Threats |
forensics.network_threat.arp_tables.after.table.[n].ip | IP address in the ARP tables collected seconds after detecting the attack | All Threats |
forensics.network_threat.arp_tables.after.table.[n].mac | MAC address in the ARP tables collected seconds after detecting the attack | All Threats |
forensics.network_threat.arp_tables.before | ARP tables collected seconds before detecting the attack | All Threats |
forensics.network_threat.arp_tables.before.table | ARP tables collected seconds before detecting the attack | All Threats |
forensics.network_threat.arp_tables.before.table.[n] | Sequence of the ARP tables collected seconds before detecting the attack | All Threats |
forensics.network_threat.arp_tables.before.table.[n].ip | IP address in the ARP tables collected seconds before detecting the attack | All Threats |
forensics.network_threat.arp_tables.before.table.[n].mac | MAC address in the ARP tables collected seconds before detecting the attack | All Threats |
forensics.network_threat.arp_tables.initial | ARP tables collected when the device was initially connected to the network | All Threats |
forensics.network_threat.arp_tables.initial.table | ARP tables collected when the device was initially connected to the network | All Threats |
forensics.network_threat.arp_tables.initial.table.[n] | Sequence of the ARP tables collected when the device was initially connected to the network | All Threats |
forensics.network_threat.arp_tables.initial.table.[n].ip | IP address in the ARP tables collected when the device was initially connected to the network | All Threats |
forensics.network_threat.arp_tables.initial.table.[n].mac | MAC address in the ARP tables collected when the device was initially connected to the network | All Threats |
forensics.network_threat.attacker_ip | IP address of the attacker's device | All Threats |
forensics.network_threat.attacker_mac | MAC address of the attacker's device | Multiple Threats |
forensics.network_threat.basestation | Cellular base station information | All Threats |
forensics.network_threat.delta_route_cache | Bitdefender internal field | Multiple Threats |
forensics.network_threat.delta_route_cache.table | Bitdefender internal field | Multiple Threats |
forensics.network_threat.delta_route_cache.table.[n] | Bitdefender internal fields | All Threats |
forensics.network_threat.delta_route_cache.table.[n].gateway | Bitdefender internal field | All Threats |
forensics.network_threat.delta_route_cache.table.[n].ip | Bitdefender internal field | All Threats |
forensics.network_threat.gw_ip | User gateway IP address | All Threats |
forensics.network_threat.gw_mac | User gateway MAC address | All Threats |
forensics.network_threat.interface | User device network interface | All Threats |
forensics.network_threat.my_ip | User device IP address | All Threats |
forensics.network_threat.my_mac | User device MAC | All Threats |
forensics.network_threat.net_stat | Device network status information | All Threats |
forensics.network_threat.net_stat.[n] | Sequence of the device network status information | All Threats |
forensics.network_threat.net_stat.[n].ForeignAddress | Foreign host and port with connection state | All Threats |
forensics.network_threat.net_stat.[n].LocalAddress | Local host and port with connection state | All Threats |
forensics.network_threat.net_stat.[n].Proto | Protocol | All Threats |
forensics.network_threat.net_stat.[n].Recv-Q | Data queued on the socket waiting to be read | All Threats |
forensics.network_threat.net_stat.[n].Send-Q | Data queued on the socket waiting to be sent | All Threats |
forensics.network_threat.net_stat.[n].State | Socket state | All Threats |
forensics.network_threat.routing_table | Routing table information | All Threats |
forensics.network_threat.routing_table.[n] | Sequence of the routing table information | All Threats |
forensics.network_threat.routing_table.[n].Destination | Destination network IP | All Threats |
forensics.network_threat.routing_table.[n].Flags | Flags for the threat routing table. | All Threats |
forensics.network_threat.routing_table.[n].Gateway | Network gateway IP | All Threats |
forensics.network_threat.routing_table.[n].Netif | Network interface, for instance: lo (local interface), wlan0 (wireless interface), rmnet (cellular network) | All Threats |
forensics.network_threat.routing_table.[n].Refs | Bitdefender internal field | All Threats |
forensics.network_threat.routing_table.[n].Use | Bitdefender internal field | All Threats |
forensics.os | Operating system | All Threats |
forensics.os_forensics (d) | Security patch information for the device and the next available security patch. These field values typically apply to only these threats: Note: To be populated, this requires Mobile Security app Release 4.22 or later and Mobile Security console Release 4.41 or later. | Multiple Threats |
forensics.os_forensics.build_information | Additional firmware-related information for the device at the time of the threat. For instance, "RP1A.200720.012" is a possible value. This field is for Android only. | Multiple Threats |
forensics.os_forensics.device_manufacturer | The manufacturer of the device. For instance, "samsung" and "Apple" are possible values. | Multiple Threats |
forensics.os_forensics.device_model | The device's model information. For instance, "SM-M025F" and "iPhone 11" are possible values. | Multiple Threats |
forensics.os_forensics.expected_os_version | The OS version expected for the device when reporting the threat. For instance, "11" is a possible value. | Multiple Threats |
forensics.os_forensics.expected_security_patch | The security patch level expected for the device at the time of the threat event. For instance, "20220101" is a possible value. This field is for Android only. The value can look like a date, but it is a string identifying the patch. | Multiple Threats |
forensics.os_forensics.vulnerable_os_version | The device's OS version at the time of the threat. For instance, "11" is a possible value. | Multiple Threats |
forensics.os_forensics.vulnerable_security_patch | The device's security patch level at the time of the threat event. For instance, "2021-08-01" is a possible value. This field is for Android only. The value can look like a date, but it is a string identifying the patch. | Multiple Threats |
forensics.probabilities | Bitdefender internal field | All Threats |
forensics.probabilities.[n] | Bitdefender internal field | All Threats |
forensics.process_list | Device process list | All Threats |
forensics.process_list.[n] | Sequence of the device process list collected at the time of the event | All Threats |
forensics.process_list.[n].Parent process(PPID) | Parent process identifier | All Threats |
forensics.process_list.[n].Process ID(PID) | Process identifier | All Threats |
forensics.process_list.[n].Process Name | Process name | All Threats |
forensics.process_list.[n].Service | Process service | All Threats |
forensics.process_list.[n].User | Process username | All Threats |
forensics.proxy_conf | Proxy configuration | Multiple Threats |
forensics.proxy_conf.ip_after | Proxy configuration: IP address after change | Multiple Threats |
forensics.proxy_conf.ip_before | Proxy configuration: IP address before change | Multiple Threats |
forensics.responses | Device action triggered | All Threats |
forensics.responses.[n] | Sequence of the device action triggered | All Threats |
forensics.rogue_access_point | Rogue access point information | Multiple Threats |
forensics.rogue_access_point.BSSID | MAC address of the wireless access point | Multiple Threats |
forensics.rogue_access_point.SSID | Network name of the rogue access point | Multiple Threats |
forensics.rogue_access_point.frequency | Frequency of the rogue access point | Multiple Threats |
forensics.routing_table | Routing table information | All Threats |
forensics.routing_table.[n] | Sequence of the routing table information | All Threats |
forensics.routing_table.[n].destination | Destination network IP | All Threats |
forensics.routing_table.[n].flags | Bitdefender internal field | All Threats |
forensics.routing_table.[n].gateway | Network gateway IP | All Threats |
forensics.routing_table.[n].netif | Network interface | All Threats |
forensics.routing_table.[n].use | Bitdefender internal field | All Threats |
forensics.sample_data | Bitdefender internal field | All Threats |
forensics.severity | Threat severity | All Threats |
forensics.sideloaded_app_developer | Developer of the sideloaded app | Multiple Threats |
forensics.sideloaded_app_filehash | File hash of the sideloaded app | Multiple Threats |
forensics.sideloaded_app_name | App name of the sideloaded app | Multiple Threats |
forensics.sideloaded_app_package | Package name of the sideloaded app | Multiple Threats |
forensics.ssl_downgrade_description | Bitdefender internal field | Multiple Threats |
forensics.ssl_mitm_certificate | SSL certificate collected | Multiple Threats |
forensics.ssl_strip_reply | HTML response collected | Multiple Threats |
forensics.stagefright_vulnerability_report | Stagefright CVE list | Threat Specific |
forensics.suspicious_profile | Suspicious profile information | Multiple Threats |
forensics.suspicious_profile.profile_information | Suspicious profile information | Multiple Threats |
forensics.suspicious_profile.profile_name | Suspicious profile name | Multiple Threats |
forensics.suspicious_profile.profile_type | Suspicious profile type | Multiple Threats |
forensics.system_tampering_reasons | Reasons for the system tampering detection | Threat Specific |
forensics.threat_uuid | Bitdefender internal field | All Threats |
forensics.time_interval | Time that has passed since connecting to the network (in seconds). | All Threats |
forensics.type | Internal threat identifier | All Threats |
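The three ARP snapshots under forensics.network_threat.arp_tables (initial, before, after), together with gw_ip and attacker_mac, are what an analyst actually diffs when triaging a network interception event: the question is whether the gateway's IP started resolving to a different MAC, and whether that MAC is the one the product attributes to the attacker. The following is an added example, not code from the original page or from the product. It assumes the verbose-mode layout above, in which each snapshot's table is a list of {ip, mac} entries; the event is constructed, and its threat name is hypothetical.

```python
"""Flag gateway impersonation from verbose-mode ARP forensics.

Added example; not code from the original page or the product. Assumes
forensics.network_threat.arp_tables.<snapshot>.table is a list of
{"ip", "mac"} entries for the initial/before/after snapshots, and that
gw_ip and attacker_mac sit under forensics.network_threat. The event below
is constructed, not captured output.
"""
from typing import Any, Dict, List

ATTACKER_MAC = "00:11:22:33:44:55"  # constructed
GATEWAY_MAC = "aa:bb:cc:dd:ee:01"   # constructed

SAMPLE_VERBOSE_EVENT: Dict[str, Any] = {
    "threat": {"name": "MITM - ARP poisoning (hypothetical name)",
               "threat_uuid": "uuid-child-2"},
    "forensics": {
        "SSID": "Guest-WiFi", "BSSID": GATEWAY_MAC,
        "network_threat": {
            "gw_ip": "192.0.2.1", "gw_mac": GATEWAY_MAC,
            "my_ip": "192.0.2.23", "my_mac": "02:00:00:00:00:23",
            "attacker_ip": "192.0.2.10", "attacker_mac": ATTACKER_MAC,
            "arp_tables": {
                "initial": {"table": [{"ip": "192.0.2.1", "mac": GATEWAY_MAC},
                                      {"ip": "192.0.2.10", "mac": ATTACKER_MAC}]},
                "before": {"table": [{"ip": "192.0.2.1", "mac": GATEWAY_MAC},
                                     {"ip": "192.0.2.10", "mac": ATTACKER_MAC}]},
                # After the attack the gateway IP resolves to the attacker's MAC
                # (upper-cased here to show that comparisons are case-insensitive).
                "after": {"table": [{"ip": "192.0.2.1", "mac": ATTACKER_MAC.upper()},
                                    {"ip": "192.0.2.10", "mac": ATTACKER_MAC}]},
            },
        },
    },
}


def _network_threat(event: Dict[str, Any]) -> Dict[str, Any]:
    """forensics.network_threat, or {} when forensics were not captured."""
    return (event.get("forensics") or {}).get("network_threat") or {}


def arp_map(event: Dict[str, Any], snapshot: str) -> Dict[str, str]:
    """ip -> lower-cased MAC for one snapshot ("initial", "before" or "after").

    Returns {} when the snapshot or its table is absent or null.
    """
    tables = _network_threat(event).get("arp_tables") or {}
    table = (tables.get(snapshot) or {}).get("table") or []
    return {e["ip"]: e["mac"].lower() for e in table if e.get("ip") and e.get("mac")}


def arp_changes(event: Dict[str, Any], first: str = "initial",
                second: str = "after") -> List[Dict[str, str]]:
    """IPs present in both snapshots whose MAC differs between them."""
    a, b = arp_map(event, first), arp_map(event, second)
    return [{"ip": ip, "from_mac": a[ip], "to_mac": b[ip]}
            for ip in sorted(set(a) & set(b)) if a[ip] != b[ip]]


def duplicate_macs(event: Dict[str, Any], snapshot: str = "after") -> Dict[str, List[str]]:
    """MACs claimed by more than one IP in a snapshot, a classic ARP-spoofing tell."""
    owners: Dict[str, List[str]] = {}
    for ip, mac in arp_map(event, snapshot).items():
        owners.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in owners.items() if len(ips) > 1}


def gateway_verdict(event: Dict[str, Any]) -> Dict[str, Any]:
    """Did the gateway's MAC move, and does the new MAC match the reported attacker?"""
    nt = _network_threat(event)
    gw_ip = nt.get("gw_ip")
    attacker_mac = (nt.get("attacker_mac") or "").lower()
    moved = next((c for c in arp_changes(event) if c["ip"] == gw_ip), None)
    verdict: Dict[str, Any] = {
        "gateway_ip": gw_ip,
        "gateway_spoofed": moved is not None,
        "matches_attacker_mac": False,
        "shared_macs": duplicate_macs(event),
    }
    if moved is not None:
        verdict["new_mac"] = moved["to_mac"]
        verdict["matches_attacker_mac"] = bool(attacker_mac) and moved["to_mac"] == attacker_mac
    return verdict
```

Diffing initial against after (rather than before against after) catches a poisoning that was already in place seconds before detection; the before snapshot is still useful for timing the change. Every accessor tolerates a null or missing snapshot, which matters because these forensics rows are "All Threats" only in the availability sense and will be empty on events where the network forensics were not collected.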