
counterType

counterType may be a single type or a comma-separated list of types.

Examples: ‘bandwidth’, ‘http,https’, ‘lowObs, mediumObs, highObs’

A list of available counter types:

  • reconObs - Observation count for killchain stage recon.

  • deliveryObs - Observation count for killchain stage delivery.

  • exploitObs - Observation count for killchain stage exploit.

  • beaconObs - Observation count for killchain stage beacon.

  • cncObs - Observation count for killchain stage cnc.

  • fortificationObs - Observation count for killchain stage fortification.

  • dataTheftObs - Observation count for killchain stage data theft.

  • lowObs - Count of low severity observations.

  • mediumObs - Count of medium severity observations.

  • highObs - Count of high severity observations.

  • bandwidth - Total bandwidth usage observed by the sensor. (bytes)

  • internal - Bandwidth usage of internal traffic only. (bytes)

  • external - Bandwidth usage of traffic with an external origin or destination. (bytes)

  • http - HTTP bandwidth usage. (bytes)

  • https - HTTPS bandwidth usage. (bytes)

  • smtp - SMTP bandwidth usage. (bytes)

  • ssh - SSH bandwidth usage. (bytes)

interval

The interval property is an optional number followed by a unit. If no number is given, it is assumed to be 1.

Examples of valid interval parameters: ‘second’, ‘1second’ and ‘1seconds’ are all equivalent (the trailing ‘s’ on the unit is optional); ‘5minutes’ and ‘5minute’ are likewise equivalent.

Available interval units:

  • second

  • minute

  • hour

  • day
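A client-side validator for the counterType and interval formats described above, added here as an example; it is not part of this API's documentation or its own code. The accepted counter type names and interval units are the ones listed on this page; the rule that the count must be at least 1 and that whitespace around list entries is tolerated are assumptions made for this example.

```python
import re
from typing import List, Tuple

# Counter types exactly as listed on the page.
KILLCHAIN_OBS = {"reconObs", "deliveryObs", "exploitObs", "beaconObs",
                 "cncObs", "fortificationObs", "dataTheftObs"}
SEVERITY_OBS = {"lowObs", "mediumObs", "highObs"}
BANDWIDTH = {"bandwidth", "internal", "external", "http", "https", "smtp", "ssh"}
COUNTER_TYPES = KILLCHAIN_OBS | SEVERITY_OBS | BANDWIDTH

# Interval units listed on the page, with their length in seconds.
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

# Optional number, one of the four units, optional trailing 's'.
_INTERVAL_RE = re.compile(r"^(\d*)(second|minute|hour|day)s?$")


def parse_counter_type(value: str) -> List[str]:
    """Split a counterType value into validated names, preserving order.

    Whitespace around entries is stripped (assumption: the page's own
    example 'lowObs, mediumObs, highObs' contains spaces after the commas).
    """
    names = [part.strip() for part in value.split(",")]
    if any(not name for name in names):
        raise ValueError(f"empty entry in counterType: {value!r}")
    unknown = [name for name in names if name not in COUNTER_TYPES]
    if unknown:
        raise ValueError(f"unknown counterType(s): {unknown}")
    return names


def parse_interval(value: str) -> Tuple[int, str, int]:
    """Return (count, unit, total_seconds) for an interval such as '5minutes'.

    A missing count means 1, per the page. Rejecting a count of 0 is an
    assumption made here; the page does not say how 0 is treated.
    """
    match = _INTERVAL_RE.match(value.strip())
    if not match:
        raise ValueError(f"invalid interval: {value!r}")
    count = int(match.group(1)) if match.group(1) else 1
    if count < 1:
        raise ValueError(f"interval count must be at least 1: {value!r}")
    unit = match.group(2)
    return count, unit, count * UNIT_SECONDS[unit]


def build_query(counter_type: str, interval: str = None) -> dict:
    """Normalise both parameters into the query-string values the page describes.

    The interval is re-emitted in canonical '<count><unit>' form, which the
    page states is equivalent to the variants with or without the trailing 's'.
    """
    query = {"counterType": ",".join(parse_counter_type(counter_type))}
    if interval is not None:
        count, unit, _ = parse_interval(interval)
        query["interval"] = f"{count}{unit}"
    return query


if __name__ == "__main__":
    print(build_query("lowObs, mediumObs, highObs", "5minutes"))
    print(parse_interval("1seconds"))
```

The regex is deliberately strict: ‘5min’ or ‘5m’ is rejected because the page lists only the four full unit names, and catching such values before they reach the API gives a clearer error than whatever the server returns.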

stackBy

stackBy is an optional parameter that defaults to ‘none’.

When set to ‘none’, the values of all sensors and counter types are added together into a single value per timestamp.

When set to ‘type’, the values for each timestamp are grouped by counter type.

When set to ‘sensor’, the values for each timestamp are grouped by sensor id.
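The three stackBy modes applied to a small constructed data set, added here as an illustration of the grouping rules above; this is example code, not the API's own implementation, and the sample records, sensor ids and the ‘total’ key used for the ‘none’ mode are assumptions made for the example.

```python
from collections import defaultdict
from typing import Dict, Iterable, Tuple

# Constructed sample of per-sensor counter values:
# (timestamp, sensor_id, counter_type, value). Not real sensor output.
SAMPLES = [
    (1600000000, "sensor-a", "lowObs", 4),
    (1600000000, "sensor-a", "highObs", 1),
    (1600000000, "sensor-b", "lowObs", 2),
    (1600000000, "sensor-b", "highObs", 3),
    (1600000060, "sensor-a", "lowObs", 5),
    (1600000060, "sensor-b", "highObs", 1),
]

STACK_BY_VALUES = ("none", "type", "sensor")


def stack(samples: Iterable[Tuple[int, str, str, int]],
          stack_by: str = "none") -> Dict[int, Dict[str, int]]:
    """Group values per timestamp as the stackBy parameter describes.

    'none'   -> one summed value per timestamp (stored under the assumed key 'total')
    'type'   -> per timestamp, one sum per counter type
    'sensor' -> per timestamp, one sum per sensor id
    """
    if stack_by not in STACK_BY_VALUES:
        raise ValueError(f"stackBy must be one of {STACK_BY_VALUES}, got {stack_by!r}")
    grouped: Dict[int, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for timestamp, sensor_id, counter_type, value in samples:
        key = {"none": "total", "type": counter_type, "sensor": sensor_id}[stack_by]
        grouped[timestamp][key] += value
    # Return plain dicts, ordered by timestamp, so callers see a stable shape.
    return {ts: dict(groups) for ts, groups in sorted(grouped.items())}


if __name__ == "__main__":
    for mode in STACK_BY_VALUES:
        print(mode, stack(SAMPLES, mode))
```

Note that in ‘none’ mode counts and byte totals would be summed into one number if a request mixed observation counters with bandwidth counters; the page describes that behaviour but says nothing about the units of the result, so a client that wants meaningful totals should request ‘type’ stacking or keep the two kinds of counter in separate requests.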

Generated by aglio on 19 Oct 2020