Key Name	Description
analysisType	The analytic plugin or plugins that returned a result for the transaction
categoryCode	The URL category assigned to an HTTP request by Content Analysis To correlate category codes to category names, see RiskVision category code reference.
destinationIP	IP address of the recipient of an HTTP request
destinationPort	Port used on the destination device
direction	Inbound or outbound
domain	Destination domain name for an HTTP request
fileHash	SHA-1 hash of the analyzed file
filename	Name of the analyzed file
fileSize	Size on disk of the analyzed file
fileType	File type assigned based on file analysis
manualPcap	Whether the transaction was found in a manually submitted pcap file or via traffic capture
productVersion	Current version of the RiskVision software
protocol	Protocol used in the transaction (HTTP, SMTP)
reason	A string describing why a transaction was classified as malicious or suspicious. Includes: A numeric internal code for the analytic that identified the malicious software The threat name (corresponding to the Threat Name column in the table) The attack stage (corresponding to the Attack Stage column in the table). See RiskVision attack stage definitions. The channel used to spread the attack (Web or Email) An internal alphabetic code for the analytic that identified the malicious software
requestMethod	HTTP method used in the transaction: GET, PUT, POST, CONNECT, and so on
sessionId	Unique identifier for the TCP session in which the incident was detected
sourceIP	The IP address of the source of a request If client traffic goes through a proxy before reaching RiskVision, this is the proxy IP address. Add the %<clientIP> variable to the SIEM format string to see the client IP address.
sourcePort	Port on which a request was sent
sourceServer	Hostname of the RiskVision appliance
status	Transaction analysis status (for example, pending, in progress, or completed)
threatLevel	Malicious / Suspicious / No threat detected A fourth threat level, "File Queued," may be displayed when an incident is in the process of being analyzed. This indicates that one or more of the plugins contributing to the analysis has not yet returned a result.
threatName	The name of the malware, if known, or a description of the type of malicious activity
ticketNumber	Not used (placeholder for a future tool)
transactionId	An internal identifier provided by Transaction Processor
tsScore	A numeric value that combines analytic results to assess the potential severity of an incident
txnStartTime	Time that the transaction started, as reported by Capture
URL	Full URL associated with an HTTP request
userAgent	The user agent header associated with an HTTP request
userName	The name of the user who initiated an HTTP request This requires integration with TRITON AP-WEB or a third-party product that provides X-Authenticated-For headers.
xAuthenticatedUser	The user name identified by the X-Authenticated-User header field in HTTP transactions passed by an upstream proxy