Key Name	Description
analysisType	The analytic plugin or plugins that returned a result for the transaction
bytesReceived	Number of bytes received by the source machine
bytesSent	Number of bytes sent from the source machine
categoryCode	The URL category assigned to an HTTP request by Content Analysis To correlate category codes to category names, see RiskVision category code reference.
cloudName	Name of the cloud app associated with the incident
cloudRiskLevel	Risk level associated with the cloud app accessed as part of the incident
dbCategories	List of category codes returned by the analytic plugins
destinationIP	IP address of the recipient of an HTTP request
destinationPort	Port used on the destination device
direction	Inbound or outbound
domain	Destination domain name for an HTTP request
fileHash	SHA-1 hash of the analyzed file
fileHash256	SHA-256 hash of the analyzed file
filename	Name of the analyzed file
filnameOnDisk	Full path to the analyzed file on the RiskVision appliance
fileSize	Size on disk of the analyzed file
fileType	File type assigned based on file analysis
httpReturnCode	HTTP status code returned in response to a request
manualPcap	Whether the transaction was found in a manually submitted pcap file or via traffic capture
nCategories	Total number of categories assigned to an incident by the analytic plugins
pcapLocation	Full path to a PCAP file on the RiskVision appliance
platform	Indicates the advanced file analysis platform: File Sandbox or Threat Protection
pluginType	Internal name of each analytic plugin that returned results for the incident
productVersion	Current version of the RiskVision software
protocol	Protocol used in the transaction (HTTP, SMTP)
reason	A string describing why a transaction was classified as malicious or suspicious. Includes: A numeric internal code for the analytic that identified the malicious software The threat name (corresponding to the Threat Name column in the table) The attack stage (corresponding to the Attack Stage column in the table). See RiskVision attack stage definitions. The channel used to spread the attack (Web or Email) An internal alphabetic code for the analytic that identified the malicious software
reportURL	A link to the File Sandboxing or Threat Protection Appliance report (if any) associated with an incident
requestClientApplication	The user agent string (if any) associated with a request.
requestMethod	HTTP method used in the transaction: GET, PUT, POST, CONNECT, and so on
sessionId	Unique identifier for the TCP session in which the incident was detected
sourceIP	The IP address of the source of a request If client traffic goes through a proxy before reaching RiskVision, this is the proxy IP address. Add the %<clientIP> variable to the SIEM format string to see the client IP address.
sourcePort	Port on which a request was sent
sourceServer	Hostname of the RiskVision appliance
sourceServerIP	IP address of the RiskVision appliance
status	Transaction analysis status (for example, pending, in progress, or completed)
threatLevel	Malicious / Suspicious / No threat detected A fourth threat level, "File Queued," may be displayed when an incident is in the process of being analyzed. This indicates that one or more of the plugins contributing to the analysis has not yet returned a result.
threatName	The name of the malware, if known, or a description of the type of malicious activity
threatStage	Stage of the advanced malware threat kill chain the analyzed file represents See RiskVision attack stage definitions.
ticketNumber	Not used (placeholder for a future tool)
transactionId	An internal identifier provided by Transaction Processor
tsScore	A numeric value that combines analytic results to assess the potential severity of an incident
txnDate	Date the transaction occurred, in ISO format
txnStartTime	Time that the transaction started, as reported by Capture
URL	Full URL associated with an HTTP request
userAgent	The user agent header associated with an HTTP request
userName	The name of the user who initiated an HTTP request This requires integration with TRITON AP-WEB or a third-party product that provides X-Authenticated-For headers.
xAuthenticatedUser	The user name identified by the X-Authenticated-User header field in HTTP transactions passed by an upstream proxy