Frequently Asked Questions

1. Why CYBERQUEST?

CYBERQUEST is a sophisticated platform that sits on top of all security-related data, applications, sensors and servers, defined as a Security-Driven Analytics platform or “Next Generation SIEM”. It gathers valuable data from multiple technology sources and empowers users to take actionable, critical decisions in real time to keep the company safe.

Main benefits of the solution:

  • suitable for SMBs as well as enterprises
  • predictable, no hidden costs – lowering the TCO
  • unlimited flexibility for log/application data
  • no vendor lock-in, NoSQL database
  • end-to-end fast deployment
  • GDPR compliance – fit per industry standards
  • single point of access to all data
  • reduces investigation time by up to 10 times

2. How is CYBERQUEST licensed?

The CYBERQUEST solution is available on a Subscription or Perpetual basis for on-premise deployment.

The licensing is based on CPU Cores.

The commercial editions are: Logger, Light, Advanced, Enterprise and Ultimate.

For more detailed information, please follow the link: CYBERQUEST Licensing and Versioning

3. What are the system requirements for CYBERQUEST?

CYBERQUEST is delivered as a virtual appliance but can be installed as a physical appliance as well.

For detailed system requirements, please follow the link: Minimum system requirements

4. How can I download the demo version of CYBERQUEST?

You can download the latest demo release of the Nextgen Software product from https://nextgensoftware.eu/.

5. How can I contact the CYBERQUEST support team?

Service requests can be submitted through https://support.nextgensoftware.solutions/ or by email at [email protected].

6. What is the Log Record Structure for CYBERQUEST?

CYBERQUEST events can have the following fields:

| Category | Field | Type | Description |
| --- | --- | --- | --- |
| Generic Fields | Category | string | Defines the classification of the event |
| | Computer | string | Hostname of the system that generated the event |
| | Description | string | Textual description or message associated with the event |
| | DestIP | string | IP address of the destination involved in the event |
| | DestIP_Country_Code | string | ISO country code for the destination IP |
| | DestIP_Country_Name | string | Country name associated with the destination IP |
| | DestMAC | string | MAC address of the destination device |
| | EventID | long | Unique identifier assigned to the event |
| | EventLog | string | Log where the event was recorded |
| | EventPath | string | File system path related to the event (e.g., location of the affected file or process) |
| | EventType | long | Specifies the type of event that occurred |
| | GMT | date | Timestamp of the event in Coordinated Universal Time (UTC) |
| | ID | string | General identifier associated with the record |
| | IsIncident | boolean | Whether the event is categorized as a security incident |
| | LocalTime | date | Local timestamp of the event occurrence |
| | N1 … N40 | long | General purpose numeric fields |
| | PlatformID | string | Identifier of the machine where the event originated |
| | PostDtsSHA256 | string | Log hash after passing through the Data Transformation Service |
| | PreDtsSHA256 | string | Log hash before passing through the Data Transformation Service |
| | RawData | string | Raw data |
| | ReceivedTime | date | Time when the event was received or processed |
| | S1 … S150 | string | General purpose string fields |
| | SecondaryTag | string | Secondary tag |
| | SessionID | string | Identifier for the session during which the event occurred |
| | Source | string | Origin or component related to the event |
| | SrcIP | string | IP address of the source involved in the event |
| | SrcIP_Country_Code | string | ISO country code for the source IP |
| | SrcIP_Country_Name | string | Country name associated with the source IP |
| | SrcMAC | string | MAC address of the source device |
| | Tag | string | Tag assigned to categorize the event |
| | isLastDuplicate | | Boolean indicating if this is the most recent duplicate in a series |
| | Tenant | string | Tenant |
| | TimeOfDay | long | Time of day |
| | UserDomain | string | User domain |
| | UserName | string | Username |
| | VersionMajor | long | Version major |
| | VersionMinor | long | Version minor |
| | content | string | Content |
| _Timestamp | SkewedOffset | long | The difference between real time and machine time |
| | Time | long | The number of seconds that have passed since 00:00:00 UTC, Thursday, 1 January 1970, as a scalar real number |
| | TimeZoneOffSet | long | Adding the 80 seconds to the GMT |
| | isDST | boolean | Whether summer time (DST) is applied |
| _agent | GUID | string | Unique identifier for the agent |
| | Name | string | Name of the agent |
| | Site | string | Location or site associated with the relevant agent |
| _asset | Application | string | Application name associated with the asset |
| | Criticality | long | Criticality level of the asset (rating) |
| | Location | | Physical or logical location of the asset |
| | Name | string | Name of the asset |
| | Owner | string | Owner of the asset |
| | Project | string | Associated project for the asset |
| | SecurityValue | long | Security rating or value of the asset |
| | Site | string | Asset site or location (city) |
| _attack | DestIP | string | Destination IP: the IP address of the device to which the packet is being sent |
| | GeoCity | string | City decoded from the IP address |
| | GeoCountry | string | Country decoded from the IP address |
| | Host | string | A computer or other device that communicates with other hosts on a network, including clients and servers that send or receive data, services or applications |
| | GeoLat | GEO | Latitude decoded from the IP address |
| | GeoLong | GEO | Longitude decoded from the IP address |
| | Method | string | A particular procedure for accomplishing or approaching something, especially a systematic or established one |
| | Object | string | Network objects are used to categorize IP addresses into different types of network entities |
| | OtherInfo | string | Other information about our network |
| | Result | boolean | The result of the attack |
| | SrcIP | string | Source IP: the IP (Internet Protocol) address of the device sending the IP packet (the IP unit of data transfer) |
| | TriggeredRule | string | Defines the conditions under which a trigger action is to be executed |
| _dataSource | Name | string | Name of the data source |
| | SecurityAppliance | string | Physical name of the data source |
| | Version | string | Version of the data source generating the event |
| _event | Category | string | Context-specific classification assigned to the event by CYBERQUEST |
| | Result | boolean | Indicates the outcome of the event (e.g., success or failure) |
| | SourceObject | string | Object within the system that originated the event, providing a more precise indication of its source |
| | SourceUser | string | User who triggered or is associated with the event, providing a more precise indication of its origin |
| | SubCategory | string | Subcategory classification assigned by CYBERQUEST based on the event’s main category |
| | TargetObject | string | Object targeted by the event, indicating a more precise destination or endpoint |
| | TargetUser | string | User targeted by the event, representing the intended recipient or destination of the action |
| | URL | string | URL associated with the event, identifying the location of a resource involved in the activity |
| | CorrelationID | | ID used to correlate related events |
| _forensics | What | string | Action or activity that occurred |
| | Where | string | Location where the event or incident took place |
| | Who | string | Individual or entity responsible for or involved in generating the event |
| | Why | string | Reason the event was generated |
| _geoLocation | DestIPGeoCountry | string | Country of the destination IP |
| | DestIPGeoPoint | geo_point | Geolocation point of the destination IP |
| | DestIPGeocity | string | City of the destination IP |
| | Host | string | Hostname associated with the geolocation context |
| | SrcIPGeoCountry | string | Country of the source IP |
| | SrcIPGeoPoint | geo_point | Geolocation point of the source IP |
| | SrcIPGeocity | string | City of the source IP |
| _incident | Category | string | Classification of the incident assigned by CYBERQUEST |
| | Impact | string | Impact assessment of the incident, measuring the extent and potential damage before resolution |
| | Score | long | Score assigned to quantify the severity of an unplanned situation that disrupts or degrades an IT service |
| | SubCategory | string | Subclassification of the incident assigned by CYBERQUEST based on its main category |
| _malware | DeliveryMethod | string | Delivery method (mail, file, etc.) |
| | Name | string | Name of the malware identified |
| _network | AplicationName | string | Application name involved in the network event |
| | DestIPv4 | ip | Destination IPv4 address in the network context |
| | DestIPv6 | string | Destination IPv6 address in the network context |
| | DestInterface | string | Network interface used by the destination |
| | DestPort | long | Destination port used in the network connection |
| | FlowID | string | Identifier of the network flow |
| | PostNATDestIPv4 | ip | Destination IPv4 address after NAT translation |
| | PostNATDestIPv6 | string | Destination IPv6 address after NAT translation |
| | PostNATDestPort | long | Destination port after NAT translation |
| | PostNATSrcIPv4 | ip | Source IPv4 address after NAT translation |
| | PostNATSrcIPv6 | string | Source IPv6 address after NAT translation |
| | PostNATSrcPort | long | Source port after NAT translation |
| | Protocol | string | Network protocol used (e.g., TCP, UDP) |
| | ReceivedBytes | long | Number of bytes received through the network |
| | SrcIPv4 | ip | Source IPv4 address in the network context |
| | SrcIPv6 | string | Source IPv6 address in the network context |
| | SrcInterface | string | Interface used by the source in the network |
| | SrcPort | long | Source port used in the network connection |
| | ClientIPGeoCity | | City location of the client IP |
| | ClientIP | | Client IP address in the network |
| | TransferedBytes | long | Total bytes transferred in the network flow |
| _risk | RiskScoreAsset | | Risk score assigned to the affected asset |
| | RiskScoreUser | | Risk score assigned to the affected user |
| | RiskNames | | Named risks identified for the event |
| | FullRuleMatch | | Details of full rule matches that triggered the risk |
| | RiskScoreEvent | | Risk score associated with the event |
| | GeoCountry | | Country location associated with the attack context |
| | DestIP | | Destination IP involved in the attack context |
| | TriggeredRule | | Security rule that was triggered by the attack |
| | Host | | Host targeted in the attack |
| | Object | | Object targeted or affected during the attack |
| | Method | | Method or technique used in the attack |
| | GeoCity | | City location associated with the attack context |
| | SrcIP | | Source IP used in the attack |
| | Location | | Location context of the attack |
| | OtherInfo | | Additional context or metadata for the attack |
| | Result | | Result or outcome of the attack |

7. Alert Record Structure

CYBERQUEST alerts can have the following fields:

| Category | Field | Type | Description |
| --- | --- | --- | --- |
| Generic Fields | Category | string | Classification or type assigned to the event |
| | Computer | string | Name of the computer where the event was generated |
| | Description | string | Textual description or message associated with the event |
| | DestIP | string | IP address of the destination involved in the event |
| | EventID | long | Unique identifier assigned to the event |
| | EventLog | string | Log where the event was recorded |
| | EventType | long | Specifies the type of event that occurred |
| | GMT | date | Timestamp of the event in Coordinated Universal Time (UTC) |
| | LocalTime | date | Local timestamp of the event occurrence |
| | PlatformID | string | Identifier of the machine where the event originated |
| | S1 … S150 | string | General purpose string fields |
| | Destination Port | long | Destination port |
| | Application name | string | Application name |
| | SourcePort | string | Source port |
| | Flow ID | string | NetflowID |
| | Source | string | Source |
| | SrcIP | string | Source IP: the IP (Internet Protocol) address of the device sending the IP packet (the IP unit of data transfer) |
| | Tag | string | Tag |
| | VersionMajor | long | Version major |
| | VersionMinor | long | Version minor |
| | ReceivedTime | date | Received time |
| | SecurityScore | long | Numeric score indicating the security impact of the event |
| | SecurityLevel | long | Security level |
| | SrcIP_Country_Code | string | Country code of SrcIP |
| | SrcIP_Country_Name | string | Country name of SrcIP |
| | DestIP_Country_Code | string | Country code of DestIP |
| | DestIP_Country_Name | string | Country name of DestIP |
| | EventPath | string | Event path |
| | TimeOfDay | long | Time of day |
| _anomaly | AnomalyID | | Identifier of the anomaly detected |
| | RelativeScore | | Relative score representing anomaly severity |
| | Score | | Absolute score of the anomaly detected |
| _network | AplicationName | string | Application name |
| | DestIPv4 | ip | Destination IP (IPv4) |
| | DestInterface | string | Destination interface |
| | DestPort | long | Destination port |
| | FlowID | string | NetflowID |
| | PostNATDestIPv4 | ip | Destination IP (IPv4) after network address translation |
| | PostNATDestPort | long | Destination port after network address translation |
| | PostNATSrcIPv4 | ip | Source IP (IPv4) after network address translation |
| | PostNATSrcPort | long | Source port after network address translation |
| | Protocol | string | Protocol |
| | ReceivedBytes | long | Received bytes |
| | SrcIPv4 | ip | Source IP (IPv4) |
| | SrcInterface | string | Source interface |
| | SrcPort | long | Source port |
| | TransferedBytes | long | Transferred bytes |
| _Timestamp | isDST | boolean | Indicates whether the timestamp falls within the Daylight Saving Time (summer time) period |
| | TimeZoneOffSet | long | Time zone offset applied to the timestamp, representing the difference from GMT/UTC |
| | SkewedOffset | long | Offset representing the difference between the system’s time and the actual (real) time |
| | Time | long | Recorded event time represented as the number of seconds elapsed since 00:00:00 UTC on January 1, 1970 (Unix epoch time) |
| _asset | GUID | string | Asset globally unique identifier |
| | Name | string | The actual name of the asset |
| | SecurityValue | long | Security level |
| _event | Category | string | A category assigned by CYBERQUEST to each event |
| | SubCategory | string | A subcategory assigned by CYBERQUEST to each event depending on the main category |
| _geoLocation | SrcIPGeoCountry | string | Country of the source IP |
| | SrcIPGeocity | string | City of the source IP |
| | SrcIPGeoPoint | geo_point | Geolocation point of the source IP |
| | DestIPGeoCountry | string | Country of the destination IP |
| | DestIPGeocity | string | City of the destination IP |
| | DestIPGeoPoint | geo_point | Geolocation point of the destination IP |
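The two tables above describe records by field name and declared type, which is exactly what an ingestion-side sanity check needs. The following Python is an added example, not code from the CYBERQUEST documentation or product: it validates a record against a subset of the event and alert field types, and adds two consistency checks a SOC engineer would want on ingested records, that `Time` (seconds since the Unix epoch) and `GMT` name the same instant, and that `PreDtsSHA256` matches the SHA-256 of `RawData`. The hashing assumption (that the pre-DTS hash is computed over the `RawData` text), the ISO 8601 string encoding of `date` columns, and all sample records are ours; the tables do not state them.

```python
"""Schema and consistency checks for CYBERQUEST-style event and alert records.

Added example, not part of the CYBERQUEST documentation or product. Field
names and types come from the record-structure tables; the sample records are
constructed, and the PreDtsSHA256 = SHA-256(RawData) rule is an assumption.
"""
import hashlib
import ipaddress
from datetime import datetime, timezone

# Subsets of the event and alert tables, as field -> declared type.
EVENT_SCHEMA = {
    "Category": "string", "Computer": "string", "EventID": "long",
    "GMT": "date", "ReceivedTime": "date", "IsIncident": "boolean",
    "RawData": "string", "PreDtsSHA256": "string", "Time": "long",
    "SrcIP": "string", "DestIP": "string",
}
ALERT_SCHEMA = {
    "Category": "string", "EventID": "long", "GMT": "date",
    "SecurityScore": "long", "SecurityLevel": "long",
    "SrcIPv4": "ip", "DestIPv4": "ip", "DestPort": "long",
}


def parse_date(value):
    """Parse a 'date' column (ISO 8601 string assumed); None if unparseable."""
    if isinstance(value, datetime):
        dt = value
    elif isinstance(value, str):
        try:
            dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            return None
    else:
        return None
    # Naive timestamps are taken as UTC, matching the GMT column's definition.
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def type_ok(value, declared):
    """True when `value` fits the declared column type from the tables."""
    if declared == "string":
        return isinstance(value, str)
    if declared == "long":
        # bool is a subclass of int in Python; a flag is not a long.
        return isinstance(value, int) and not isinstance(value, bool)
    if declared == "boolean":
        return isinstance(value, bool)
    if declared == "date":
        return parse_date(value) is not None
    if declared == "ip":
        try:
            return isinstance(value, str) and ipaddress.ip_address(value) is not None
        except ValueError:
            return False
    return True  # types the tables leave blank are not checked


def validate(record, schema):
    """Return type violations; fields are optional, so absence is not an error."""
    return [f"{f}: expected {t}, got {type(record[f]).__name__}"
            for f, t in schema.items() if f in record and not type_ok(record[f], t)]


def raw_data_intact(record):
    """Assumed check: PreDtsSHA256 equals the SHA-256 of the RawData text."""
    digest = hashlib.sha256(record["RawData"].encode("utf-8")).hexdigest()
    return digest == record["PreDtsSHA256"].lower()


def epoch_consistent(record, tolerance=1):
    """Time (seconds since the Unix epoch) and GMT must name the same instant."""
    gmt = parse_date(record["GMT"])
    return gmt is not None and abs(int(gmt.timestamp()) - record["Time"]) <= tolerance


def clock_skew_seconds(record):
    """ReceivedTime minus GMT: how far the source clock trails the collector."""
    return (parse_date(record["ReceivedTime"]) - parse_date(record["GMT"])).total_seconds()


# Constructed sample records (not real CYBERQUEST output).
RAW = "<13>May  1 10:00:00 host01 sshd[1234]: Accepted publickey for alice from 10.0.0.5"
GOOD_EVENT = {
    "Category": "Authentication", "Computer": "host01", "EventID": 4624,
    "GMT": "2024-05-01T10:00:00Z", "ReceivedTime": "2024-05-01T10:00:02Z",
    "IsIncident": False, "RawData": RAW,
    "PreDtsSHA256": hashlib.sha256(RAW.encode("utf-8")).hexdigest(),
    "Time": 1714557600, "SrcIP": "10.0.0.5", "DestIP": "10.0.0.10",
}
# Same record with a string EventID, edited RawData and Time one hour off.
BAD_EVENT = dict(GOOD_EVENT, EventID="4624", RawData=RAW + " (edited)", Time=1714561200)
GOOD_ALERT = {"Category": "Brute Force", "EventID": 7, "GMT": "2024-05-01T10:05:00Z",
              "SecurityScore": 80, "SecurityLevel": 3,
              "SrcIPv4": "10.0.0.5", "DestIPv4": "10.0.0.10", "DestPort": 22}
BAD_ALERT = dict(GOOD_ALERT, SrcIPv4="not-an-ip", DestPort="22")

if __name__ == "__main__":
    for name, rec, schema in [("GOOD_EVENT", GOOD_EVENT, EVENT_SCHEMA),
                              ("BAD_EVENT", BAD_EVENT, EVENT_SCHEMA),
                              ("GOOD_ALERT", GOOD_ALERT, ALERT_SCHEMA),
                              ("BAD_ALERT", BAD_ALERT, ALERT_SCHEMA)]:
        print(name, validate(rec, schema) or "types ok")
    print("raw data intact:", raw_data_intact(GOOD_EVENT), raw_data_intact(BAD_EVENT))
    print("epoch consistent:", epoch_consistent(GOOD_EVENT), epoch_consistent(BAD_EVENT))
    print("skew seconds:", clock_skew_seconds(GOOD_EVENT))
```

Fields absent from a record are not reported, because both tables say records "can have" these fields rather than must; a record whose `Time` and `GMT` disagree, or whose pre-DTS hash no longer matches its raw text, is worth holding back for review before it feeds correlation rules, since every downstream risk score and geolocation field is derived from those values.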