Frequently Asked Questions
1. Why CYBERQUEST?
CYBERQUEST is a platform that sits on top of all security-related data, applications, sensors and servers. It is defined as a Security-Driven Analytics platform, or "Next Generation SIEM". It gathers valuable data from multiple technology sources and empowers users to take actionable, critical decisions in real time to keep the company safe.
Main benefits of the solution:
- suitable for SMBs as well as enterprises
- predictable pricing with no hidden costs, lowering the TCO
- unlimited flexibility for log and application data
- no vendor lock-in; NoSQL database
- fast end-to-end deployment
- GDPR compliance, in line with industry standards
- single point of access to all data
- reduces investigation time by up to 10 times
2. How is CYBERQUEST licensed?
The CYBERQUEST solution is available with a Subscription or Perpetual license for on-premise deployment.
The licensing is based on CPU Cores.
The commercial editions are: Logger, Light, Advanced, Enterprise and Ultimate.
To check more detailed information please follow the link: CYBERQUEST Licensing and Versioning
3. What are the system requirements for CYBERQUEST?
CYBERQUEST is a virtual appliance but can be installed as a physical appliance as well.
To check detailed system requirements please follow the link: Minimum system requirements
4. How can I download the demo version of CYBERQUEST?
You can download the latest demo release of the Nextgen Software product from https://nextgensoftware.eu/.
5. How can I contact the CYBERQUEST support team?
Service requests can be submitted through https://support.nextgensoftware.solutions/ or by email at [email protected].
6. What is the log record structure for CYBERQUEST?
CYBERQUEST events can have the following fields:
| Category | Field | Type | Description |
|---|---|---|---|
| Generic Fields | Category | string | Defines the classification of the event |
| | Computer | string | Hostname of the system that generated the event |
| | Description | string | Textual description or message associated with the event |
| | DestIP | string | IP address of the destination involved in the event |
| | DestIP_Country_Code | string | ISO country code for the destination IP |
| | DestIP_Country_Name | string | Country name associated with the destination IP |
| | DestMAC | string | MAC address of the destination device |
| | EventID | long | Unique identifier assigned to the event |
| | EventLog | string | Log where the event was recorded |
| | EventPath | string | File system path related to the event (e.g., location of the affected file or process) |
| | EventType | long | Specifies the type of event that occurred |
| | GMT | date | Timestamp of the event in Coordinated Universal Time (UTC) |
| | ID | string | General identifier associated with the record |
| | IsIncident | boolean | Whether the event is categorized as a security incident |
| | LocalTime | date | Local timestamp of the event occurrence |
| | N1 ... N40 | long | General-purpose numeric fields |
| | PlatformID | string | Identifier of the machine where the event originated |
| | PostDtsSHA256 | string | Hash of the log after passing through the Data Transformation Service |
| | PreDtsSHA256 | string | Hash of the log before passing through the Data Transformation Service |
| | RawData | string | Raw log data |
| | ReceivedTime | date | Time when the event was received or processed |
| | S1 ... S150 | string | General-purpose string fields |
| | SecondaryTag | string | Secondary tag assigned to the event |
| | SessionID | string | Identifier for the session during which the event occurred |
| | Source | string | Origin or component related to the event |
| | SrcIP | string | IP address of the source involved in the event |
| | SrcIP_Country_Code | string | ISO country code for the source IP |
| | SrcIP_Country_Name | string | Country name associated with the source IP |
| | SrcMAC | string | MAC address of the source device |
| | Tag | string | Tag assigned to categorize the event |
| | isLastDuplicate | | Boolean indicating whether this is the most recent duplicate in a series |
| | Tenant | string | Tenant the event belongs to |
| | TimeOfDay | long | Time of day of the event |
| | UserDomain | string | Domain of the user |
| | UserName | string | Username |
| | VersionMajor | long | Major version number |
| | VersionMinor | long | Minor version number |
| | content | string | Content of the event |
| _Timestamp | SkewedOffset | long | Difference between real time and machine time |
| | Time | long | Number of seconds that have passed since 00:00:00 UTC, Thursday, 1 January 1970 (Unix epoch time) |
| | TimeZoneOffSet | long | Time zone offset added to GMT (stated as 80 seconds) |
| | isDST | boolean | Whether summer time (DST) is applied |
| _agent | GUID | string | Unique identifier for the agent |
| | Name | string | Name of the agent |
| | Site | string | Location or site associated with the agent |
| _asset | Application | string | Application name associated with the asset |
| | Criticality | long | Criticality level of the asset (rating) |
| | Location | | Physical or logical location of the asset |
| | Name | string | Name of the asset |
| | Owner | string | Owner of the asset |
| | Project | string | Project associated with the asset |
| | SecurityValue | long | Security rating or value of the asset |
| | Site | string | Asset site or location (city) |
| _attack | DestIP | string | Destination IP: the IP address of the device to which the packet is being sent |
| | GeoCity | string | City decoded from the IP address |
| | GeoCountry | string | Country decoded from the IP address |
| | Host | string | A computer or other device that communicates with other hosts on a network, including clients and servers that send or receive data, services or applications |
| | GeoLat | GEO | Latitude decoded from the IP address |
| | GeoLong | GEO | Longitude decoded from the IP address |
| | Method | string | A particular procedure for accomplishing or approaching something, especially a systematic or established one |
| | Object | string | Network objects are used to categorize IP addresses into different types of network entities |
| | OtherInfo | string | Other information about the network |
| | Result | boolean | Result of the attack |
| | SrcIP | string | Source IP: the IP (Internet Protocol) address of the device sending the IP packet (the IP unit of data transfer) |
| | TriggeredRule | string | Defines the conditions under which a trigger action is executed |
| _dataSource | Name | string | Name of the data source |
| | SecurityAppliance | string | Physical name of the data source |
| | Version | string | Version of the data source generating the event |
| _event | Category | string | Context-specific classification assigned to the event by CYBERQUEST |
| | Result | boolean | Indicates the outcome of the event (e.g., success or failure) |
| | SourceObject | string | Object within the system that originated the event, giving a more precise indication of its source |
| | SourceUser | string | User who triggered or is associated with the event, giving a more precise indication of its origin |
| | SubCategory | string | Subcategory classification assigned by CYBERQUEST based on the event's main category |
| | TargetObject | string | Object targeted by the event, indicating a more precise destination or endpoint |
| | TargetUser | string | User targeted by the event, representing the intended recipient or destination of the action |
| | URL | string | URL associated with the event, identifying the location of a resource involved in the activity |
| | CorrelationID | | ID used to correlate related events |
| _forensics | What | string | Action or activity that occurred |
| | Where | string | Location where the event or incident took place |
| | Who | string | Individual or entity responsible for or involved in generating the event |
| | Why | string | Reason the event was generated |
| _geoLocation | DestIPGeoCountry | string | Country of the destination IP |
| | DestIPGeoPoint | geo_point | Geolocation point of the destination IP |
| | DestIPGeocity | string | City of the destination IP |
| | Host | string | Hostname associated with the geolocation context |
| | SrcIPGeoCountry | string | Country of the source IP |
| | SrcIPGeoPoint | geo_point | Geolocation point of the source IP |
| | SrcIPGeocity | string | City of the source IP |
| _incident | Category | string | Classification of the incident assigned by CYBERQUEST |
| | Impact | string | Impact assessment of the incident, measuring the extent and potential damage before resolution |
| | Score | long | Score assigned to quantify the severity of an unplanned situation that disrupts or degrades an IT service |
| | SubCategory | string | Subclassification of the incident assigned by CYBERQUEST based on its main category |
| _malware | DeliveryMethod | string | Delivery method of the malware (mail, file, etc.) |
| | Name | string | Name of the malware identified |
| _network | AplicationName | string | Application name involved in the network event |
| | DestIPv4 | ip | Destination IPv4 address in the network context |
| | DestIPv6 | string | Destination IPv6 address in the network context |
| | DestInterface | string | Network interface used by the destination |
| | DestPort | long | Destination port used in the network connection |
| | FlowID | string | Identifier of the network flow |
| | PostNATDestIPv4 | ip | Destination IPv4 address after NAT translation |
| | PostNATDestIPv6 | string | Destination IPv6 address after NAT translation |
| | PostNATDestPort | long | Destination port after NAT translation |
| | PostNATSrcIPv4 | ip | Source IPv4 address after NAT translation |
| | PostNATSrcIPv6 | string | Source IPv6 address after NAT translation |
| | PostNATSrcPort | long | Source port after NAT translation |
| | Protocol | string | Network protocol used (e.g., TCP, UDP) |
| | ReceivedBytes | long | Number of bytes received through the network |
| | SrcIPv4 | ip | Source IPv4 address in the network context |
| | SrcIPv6 | string | Source IPv6 address in the network context |
| | SrcInterface | string | Interface used by the source in the network |
| | SrcPort | long | Source port used in the network connection |
| | ClientIPGeoCity | | City location of the client IP |
| | ClientIP | | Client IP address in the network |
| | TransferedBytes | long | Total bytes transferred in the network flow |
| _risk | RiskScoreAsset | | Risk score assigned to the affected asset |
| | RiskScoreUser | | Risk score assigned to the affected user |
| | RiskNames | | Named risks identified for the event |
| | FullRuleMatch | | Details of full rule matches that triggered the risk |
| | RiskScoreEvent | | Risk score associated with the event |
| | GeoCountry | | Country location associated with the attack context |
| | DestIP | | Destination IP involved in the attack context |
| | TriggeredRule | | Security rule that was triggered by the attack |
| | Host | | Host targeted in the attack |
| | Object | | Object targeted or affected during the attack |
| | Method | | Method or technique used in the attack |
| | GeoCity | | City location associated with the attack context |
| | SrcIP | | Source IP used in the attack |
| | Location | | Location context of the attack |
| | OtherInfo | | Additional context or metadata for the attack |
| | Result | | Result or outcome of the attack |
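The table above is a schema, so a consumer of CYBERQUEST records (a parser, a SOAR integration, a forwarder) should check that incoming fields carry the documented types and that the `PreDtsSHA256`/`PostDtsSHA256` pair still matches the stored log. The following is an added example, not CYBERQUEST's own code; it assumes that nested categories such as `_network` arrive as nested objects, that the DTS hashes are SHA-256 over the UTF-8 text of the log line, and that `transform` stands in for the Data Transformation Service. The same type checks apply to the alert record fields in the next question.

```python
import hashlib
import ipaddress
SAMPLE_LINE = "Jan 01 12:00:00 fw01 kernel: DROP SRC=10.0.0.5 DST=10.0.0.9 DPT=445"  # constructed, not real

def _is_ipv4(v):
    try:
        return isinstance(v, str) and ipaddress.ip_address(v).version == 4
    except ValueError:
        return False

# Type checkers keyed by the type names used in the FAQ tables.
TYPE_CHECKS = {
    "string": lambda v: isinstance(v, str),
    "long": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "boolean": lambda v: isinstance(v, bool),
    "ip": _is_ipv4,
}
# Subset of the FAQ's event schema; nested categories are nested dicts (assumption).
EVENT_SCHEMA = {"Computer": "string", "EventID": "long", "IsIncident": "boolean",
                "RawData": "string", "PreDtsSHA256": "string",
                "_network": {"SrcIPv4": "ip", "DestIPv4": "ip", "DestPort": "long"},
                "_Timestamp": {"Time": "long", "isDST": "boolean"}}

def validate(record, schema, prefix=""):
    """Return 'path: expected T' for each present field of the wrong type; absent fields are fine."""
    problems = []
    for field, expected in schema.items():
        if field not in record:
            continue
        value = record[field]
        if isinstance(expected, dict):  # nested category such as _network
            problems += (validate(value, expected, prefix + field + ".")
                         if isinstance(value, dict)
                         else [f"{prefix}{field}: expected nested object"])
        elif not TYPE_CHECKS[expected](value):
            problems.append(f"{prefix}{field}: expected {expected}")
    return problems

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def ingest(raw_line, transform):
    """Hash before DTS (PreDtsSHA256) and after DTS (PostDtsSHA256) so later changes to RawData show up."""
    desc = transform(raw_line)
    return {"RawData": raw_line, "PreDtsSHA256": sha256_hex(raw_line),
            "Description": desc, "PostDtsSHA256": sha256_hex(desc)}

def raw_intact(record):
    """True if RawData still matches the hash taken at ingestion."""
    return record.get("PreDtsSHA256") == sha256_hex(record.get("RawData", ""))
```

A record whose `RawData` no longer matches `PreDtsSHA256` has been altered after ingestion and should be flagged rather than trusted during an investigation.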
7. Alert Record Structure
CYBERQUEST alerts can have the following fields:
| Category | Field | Type | Description |
|---|---|---|---|
| Generic Fields | Category | string | Classification or type assigned to the event |
| | Computer | string | Name of the computer where the event was generated |
| | Description | string | Textual description or message associated with the event |
| | DestIP | string | IP address of the destination involved in the event |
| | EventID | long | Unique identifier assigned to the event |
| | EventLog | string | Log where the event was recorded |
| | EventType | long | Specifies the type of event that occurred |
| | GMT | date | Timestamp of the event in Coordinated Universal Time (UTC) |
| | LocalTime | date | Local timestamp of the event occurrence |
| | PlatformID | string | Identifier of the machine where the event originated |
| | S1 ... S150 | string | General-purpose string fields |
| | Destination Port | long | Destination port |
| | Application name | string | Application name |
| | SourcePort | string | Source port |
| | Flow ID | string | NetFlow ID |
| | Source | string | Source of the event |
| | SrcIP | string | Source IP: the IP (Internet Protocol) address of the device sending the IP packet (the IP unit of data transfer) |
| | Tag | string | Tag assigned to the alert |
| | VersionMajor | long | Major version number |
| | VersionMinor | long | Minor version number |
| | ReceivedTime | date | Time the alert was received |
| | SecurityScore | long | Numeric score indicating the security impact of the event |
| | SecurityLevel | long | Security level |
| | SrcIP_Country_Code | string | Country code of SrcIP |
| | SrcIP_Country_Name | string | Country name of SrcIP |
| | DestIP_Country_Code | string | Country code of DestIP |
| | DestIP_Country_Name | string | Country name of DestIP |
| | EventPath | string | Event path |
| | TimeOfDay | long | Time of day |
| _anomaly | AnomalyID | | Identifier of the anomaly detected |
| | RelativeScore | | Relative score representing anomaly severity |
| | Score | | Absolute score of the anomaly detected |
| _network | AplicationName | string | Application name |
| | DestIPv4 | ip | Destination IP (IPv4) |
| | DestInterface | string | Destination interface |
| | DestPort | long | Destination port |
| | FlowID | string | NetFlow ID |
| | PostNATDestIPv4 | ip | Destination IP (IPv4) after network address translation |
| | PostNATDestPort | long | Destination port after network address translation |
| | PostNATSrcIPv4 | ip | Source IP (IPv4) after network address translation |
| | PostNATSrcPort | long | Source port after network address translation |
| | Protocol | string | Protocol |
| | ReceivedBytes | long | Received bytes |
| | SrcIPv4 | ip | Source IP (IPv4) |
| | SrcInterface | string | Source interface |
| | SrcPort | long | Source port |
| | TransferedBytes | long | Transferred bytes |
| _Timestamp | isDST | boolean | Indicates whether the timestamp falls within the Daylight Saving Time (summer time) period |
| | TimeZoneOffSet | long | Time zone offset applied to the timestamp, representing the difference from GMT/UTC |
| | SkewedOffset | long | Offset representing the difference between the system's time and the actual (real) time |
| | Time | long | Recorded event time represented as the number of seconds elapsed since 00:00:00 UTC on January 1, 1970 (Unix epoch time) |
| _asset | GUID | string | Globally unique identifier of the asset |
| | Name | string | Name of the asset |
| | SecurityValue | long | Security level of the asset |
| _event | Category | string | Category assigned by CYBERQUEST to each event |
| | SubCategory | string | Subcategory assigned by CYBERQUEST to each event depending on the main category |
| _geoLocation | SrcIPGeoCountry | string | Country of the source IP |
| | SrcIPGeocity | string | City of the source IP |
| | SrcIPGeoPoint | geo_point | Geolocation point of the source IP |
| | DestIPGeoCountry | string | Country of the destination IP |
| | DestIPGeocity | string | City of the destination IP |
| | DestIPGeoPoint | geo_point | Geolocation point of the destination IP |