trellix-nx-alerts
Fetch alerts from Trellix Network Security devices
trellix-nx-alerts [duration=NUM{mon|w|d|h|m|s}] [from=yyyyMMddHHmmss] [to=yyyyMMddHHmmss]
- duration=NUM{mon|w|d|h|m|s}
- Scan only recent data. Supported time units are s (second), m (minute), h (hour), d (day), w (week) and mon (month). For example, 10s means data from 10 seconds ago up to now.
- from=yyyyMMddHHmmss
- Start time of the range, in yyyyMMddHHmmss format. If the time part is omitted, it is padded with zeros.
- to=yyyyMMddHHmmss
- End time of the range, in yyyyMMddHHmmss format. If the time part is omitted, it is padded with zeros. Defaults to tomorrow 00:00.
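The following added example (not Logpresso's own code) shows how the duration=, from= and to= options above resolve to a concrete scan window, including the zero-padding of a short timestamp and the tomorrow-00:00 default for to=. The helper names parse_args, parse_duration, parse_timestamp and resolve_window are hypothetical; two behaviours are assumptions because the page does not define them: a mon step is calendar-month arithmetic with the day clamped, and a query with neither from= nor duration= has no lower bound.

```python
import calendar
import re
from datetime import datetime, timedelta

# Fixed-length units accepted by duration=, in seconds. "mon" is handled
# separately because a month has no fixed length.
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400}
_DURATION_RE = re.compile(r"(\d+)(mon|w|d|h|m|s)")


def parse_args(query: str) -> dict:
    """Split 'trellix-nx-alerts key=value ...' into an option dict (hypothetical helper)."""
    tokens = query.split()
    if not tokens or tokens[0] != "trellix-nx-alerts":
        raise ValueError("not a trellix-nx-alerts command")
    opts = {}
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")
        if not sep or key not in ("duration", "from", "to"):
            raise ValueError(f"unknown option: {tok!r}")
        opts[key] = value
    return opts


def parse_duration(text: str, now: datetime) -> datetime:
    """Start time denoted by duration=NUM{mon|w|d|h|m|s}, relative to `now`."""
    m = _DURATION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    n, unit = int(m.group(1)), m.group(2)
    if unit != "mon":
        return now - timedelta(seconds=n * _UNIT_SECONDS[unit])
    # Calendar-month step, clamping the day of month (assumption: the page does
    # not define month arithmetic; e.g. 1mon before 31 March 2024 is 29 Feb 2024).
    total = now.year * 12 + (now.month - 1) - n
    year, month0 = divmod(total, 12)
    month = month0 + 1
    day = min(now.day, calendar.monthrange(year, month)[1])
    return now.replace(year=year, month=month, day=day)


def parse_timestamp(text: str) -> datetime:
    """Parse yyyyMMddHHmmss; an omitted trailing time part is zero-padded."""
    if not text.isdigit() or len(text) not in (8, 10, 12, 14):
        raise ValueError(f"bad timestamp: {text!r}")
    return datetime.strptime(text.ljust(14, "0"), "%Y%m%d%H%M%S")


def resolve_window(opts: dict, now: datetime):
    """Return (start, end) of the scan. from= wins over duration= when both are
    given, and start is None when neither is given (both are assumptions)."""
    if "to" in opts:
        end = parse_timestamp(opts["to"])
    else:
        # Page default: tomorrow 00:00.
        end = datetime.combine(now.date() + timedelta(days=1), datetime.min.time())
    if "from" in opts:
        start = parse_timestamp(opts["from"])
    elif "duration" in opts:
        start = parse_duration(opts["duration"], now)
    else:
        start = None
    if start is not None and start >= end:
        raise ValueError(f"empty range: {start} >= {end}")
    return start, end


if __name__ == "__main__":
    now = datetime(2024, 3, 15, 10, 30, 0)  # constructed "current time"
    for q in ("trellix-nx-alerts duration=10s",
              "trellix-nx-alerts from=20240101 to=20240131",
              "trellix-nx-alerts duration=1mon"):
        print(q, "->", resolve_window(parse_args(q), now))
```

The empty-range check matters in practice: a from= later than to= (or a to= in the past with no from=) silently returns nothing on many collectors, and rejecting it up front is cheaper than debugging a blank result set.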
Output Fields
| Field | Type | Name | Description |
|---|---|---|---|
| _time | Date | Time | Detection time |
| profile | String | Profile | Connect profile name |
| ack | Bool | Ack | Acknowledged or not |
| type | String | Type | |
| inf_id | Integer | Infection ID | |
| file_type | String | File type | |
| signature | String | Signature | |
| severity | Integer | Severity | |
| src_ip | IP address | Source IP | |
| dst_ip | IP address | Destination IP | |
| url | String | URL | |
| md5 | String | MD5 | |
| sha256 | String | SHA256 | |
| sc_version | String | SC Version | Content version |
| parent | Bool | Parent | Parent alert or not |
| child | Bool | Child | Child alert or not |
| uuid | String | GUID | |
| blocked_badge | Bool | Blocked tag | |
| threat_info_badge | Bool | Threat info tag | |
| ips_badge | Bool | IPS tag | |
| data_theft_badge | Bool | Data leak tag | |
| erspan_badge | Bool | ERSPAN tag | |
| icap_badge | Bool | ICAP tag | |
| mtp_badge | Bool | MTP tag | |
| retroactive_badge | Bool | Retroactive tag | |
| vxlan_badge | Bool | VXLAN tag | |