Fields Descriptions

This table lists the Common Information Model fields that can be used to build events and to create searches and correlation rules.

Field	Data Type	Description
AA	string	The Authoritative Answer bit for response messages specifies that the responding name server is an authority for the domain name in the question section.
RA	string	The Recursion Available bit in a response message indicates that the name server supports recursive queries.
RD	string	The Recursion Desired bit in a request message indicates that the client wants recursive service for this query.
TC	string	The Truncation bit specifies that the message was truncated.
TTLs	string	The caching intervals of the associated RRs described by the answers field.
Z	string	A reserved field that is usually zero in queries and responses.
access	string	Access permissions given to the user when trying to access an object
access_group	string	name of the group in which access is managed in vpn-connection events
access_mask	string	bitmask that specifies a set of access rights in the access mask of an access control entry.
access_type	string	The type of access permissions given to the user when trying to access an object
accessor	string	Retrieve the value of the token for which capabilities are being queried.
access_list	string	Access list of permissions associated with a system resource
account	string	The account is the actual account that was used in the activity.
account_domain	string	The domain of the account the user operated on.
account_id	string	the user id associated with the user
account_name	string	Name of the account the user operated on
acl_content	string
acs_session_id	string	Unique identifier of a cisco secure access control server session.
action	string	An action that was taken against the event (allowed, blocked, quarantined...).
activity_details	string	details of the activity recorded in the events
activity_id	string	A unique identifier of the activity
activity_type	string	The activity type context element.
activity	string	The activity context element.
added_keys	string
added_member	string
added_member_type	string
added_permissions	array
added_role	string
added_role_name	string
added_users	array
additional_info	string	Additional descriptive information about the event.
admin_id	string	A unique identifier of an admin
admin_interface	string	Name of the interface through which the logged system messages can be accessed
adopter_id	string	A unique identifier for the adapter instance.
agent_id	string	The unique identifier of the agent of the product.
agent_name	string	The agent_name attribute specifies the name of an agent.
aid	string	The unique identifier of the agent
aip	string	This stands for Agent IP and represents the external IP address of the endpoint as seen by the Falcon Cloud
alert_description	string	Security alert message
alert_id	string	A unique identifier of the security alert.
alert_name	string	The name of the security alert.
alert_severity	string	The severity (level of urgency) of the alert as dictated by the vendor.
alert_source	string	The source of the alert, as dictated by the vendor.
alert_status	string	The status of the alert, as dictated by the vendor.
alert_subject	string	The subject (title) of the alert.
alert_type	string	The classification of the alert, as dictated by the vendor.
allowed_data_actions	array
allowed_ids	array
allowed_permissions	array	Permissions specify access to AWS resources.
allowed_resources	array	Lists all of the available resources that can be used in IAM policies to control access to AWS services
allowed_uris	array
allowed_user_types	array
allowed_users	array	They have the permissions to access the AWS resources.
analyzers	array	Framework for managing Zeek's protocol details.
app	string	The name of the application mentioned in the event.
app_code	string	The name of the folder which contains the application framework.
app_group	string	It allow multiple apps produced by a single team to access shared containers and communicate using interprocess communication.
app_id	string	A unique identifier of the application.
app_learntime	string
app_protocol	string	The network protocol the application used.
app_type	string	The type of the application.
app_version	string	The software version of the web conference application
apps	array
area_classification	string
arg	string	An argument, a value passed as a parameter.
asset_id	string	A unique identifier of the asset.
assignble_scope	string
assigned_apps	array	The assigned apps shows the apps that are visible to users with the selected permission set.
assigned_ip	ipv4/ipv6	Client's actual assigned IP address.
assignment_id	string
attachment	string	The attachments that were added to an email
attachment_count	integer	Number of attachments in the email
attachment_size	number	Size of attachments in the email
attack	string	Name of the vulnerability category in case of a host or network vulnerability.
attack_conf	string	Configuration of the vulnerability.
attack_info	string	Description of the vulnerability in case of a host or network vulnerability.
attribute	string	The attribute of the object which was accessed.
attribute_value	string
attributes	array	A list of attributes of the object which was accessed.
audit_category	string	The Windows category of the audit policy that was changed.
audit_id	string	A unique identifier of the audit.
audit_policy_name	string	The name of the audit policy document.
audit_subcategory	string
auth	string	The type of authentication that was used in the event.
auth_dn	string	The authentication domain name.
auth_level	string	The current authentication security level.
auth_method	string	The method/protocol package that was used in the authentication process.
auth_package	string	The method used to authenticate an account.
auth_process	string	The method/process used to authenticate an account.
auth_server	string	The server name that was in charge of performing the authentication
auth_type	string	The normalized authentication type used in the event.
authorization_scope	string
availabilty_zone	string
aws_account	string	An account alias or an account ID for the AWS account.
azure_category	string	It represents the category that belongs to the azure event.
azure_resource_type	string	The type of azure resource accessed by the event.
badge_id	string	The unique identifier of the physical badge.
badge_reader	string	Badge readers record information such as user ID, date and time of entry for each access attempt.
badge_status	string	A status badge shows whether a badge is currently valid or invalid.
base_risk_score	number	These are the sum of all scores generated by triggered rules during a user session.
bitdefender_operation_type	string
block_public_acls	array
block_public_policy	array
block_type	string	The block_type property specifies the block type of a particular memory object.
blocked	boolean	It allows users to enhance the security of a router by configuring options to automatically block further login attempts
blocking_group_name	string	It specifies the group name of a block that groups other blocks together inside one container.
branch_name	string
browser	string	The browser the user used in this activity.
bucket_arn	string
bucket_host	string
bucket_name	string	The name of a cloud storage container (bucket) that holds files/objects, in the cloud.
bytes	number	The size in bytes.
bytes_in	number	The amount of ingress bytes.
bytes_out	number	The amount of egress bytes.
bytes_unit	string	The measurement unit used to count the bytes.
ca_runtime	string	The runtime of a certificate authority (CA) that issues Secure Sockets Layer (SSL) certificates.
cabinet_name	string	The Cabinet name is the identities of an organization's Cabinet.
calling_station_id	string	The called station identifier allows a RADIUS server to specify the MAC addresses or networks that a client can connect.
card_num	string	The lenel card number is your identification at the university and your access to certain areas.
card_status	string	Provides the status of the card. Example: Active.
catalog	string	A catalog is a group of identical virtual machines.
categories	array	A class or division of things regarded as having particular shared characteristics.
category	string	A class or division of things regarded as having particular shared characteristics.
category_behavior	string	A class or division of things having particular similar behavior.
category_id	string	A unique identifier of the category.
category_significance	string
cc	string	It can be commonly understood to mean courtesy copy.
channel	string	A channel is an aggregation of multiple physical interfaces that creates a logical interface.
channel_name	string
cipher	string	A secret or disguised way of writing.
cipher_algorithm	string	A cipher algorithm is a mathematical formula designed specifically to obscure the value and content of data.
cipher_method	string
circumstances	string	The condition connected with or relevant to an event or action.
city	string	The name of the city.
class_id	string	A unique identifier of the class.
class_name	string	It is a globally unique identifier that identifies a COM class object.
classification_name	string	The name of the classes on the basis of whether the traffic matches specific criteria.
client	string	A desktop computer or workstation that is capable of obtaining information and applications from a server.
client_cert_subject	string	It is a comma separated list of distinguished name fields and values.
client_id	string	A unique identifier of the client.
client_name	string	The name of the client.
client_ssh_version	string	The ssh version of the client.
client_system	string	The name of the client system.
client_system_version	string	The system version of the client.
client_token	string	A client token is a signed JWT that includes configuration and authorization information required by the client.
client_type	string	The type of web conference application
client_version	string	The application/ssh version of the client.
cloud_drive_id	string	A unique identifier of the cloud drive.
cls_id	string	The class ID of the application component. Used in Windows for COM apps.
cluster_name	string	A name that identifies this database cluster (instance) for various purposes.
code_size	number
collaborators	array	A collaborator is any person who can access, view, preview, download, comment, or edit a managed asset.
command	string	A command is a specific instruction given to an application to perform some kind of task or function.
community	string	Community is defined as a knowledge sharing hub; a place to collaborate, share insights and experiences, and get answers to questions.
company	string	A company is a legal entity formed by a group of individuals to engage in and operate a business—commercial or industrial—enterprise.
compatible_id	string
compression_algotithm	string	Specifies the compression algorithm to be used when compressing dump file data
computer_name	string	A computer name is also called a PC name or device name which is used to help identify or locate a computer on a network.
confidence_level	string	The confidence level is how confident the Software Blade is that recognized attacks are actually virus or bot traffic.
connection_age	string	The time duration which the connection spanned.
connection_counter	string	The number of times the carrier request for a packet in transmission.
connection_id	string	The unique identifier of the network connection.
connection_state	string	The state of the network connection, as dictated by the vendor.
connection_status	string	The status of the connection. The expected values for this field are:Open, Close and Active.
connection_uid	string	Calculation of md5 of the IP and user name as UID.
connector_guid	string	Provides a list of all activities associated with a particular computer.
contact_id	string	A unique identifier for the contact.
contivity_session_id	string	A unique identifier of the contivity session.
corp_client	string	It is custom profile attributes which have pre-defined Profile values, an essential element for controlled profiling and management example: Client, Matter, Author, etc.
corp_matter	string	It allows users to view all matter-related information (documents, emails, etc.) in a single, logically organized interface.
correlation_id	string	The correlation identifier assigned to the event, used to correlate with other events with the same identifier.
count	number	It show the actual amount of connections that currently pass through the Security Gateway.
country	string	The location or region of the event.
country_code	string	The country code used to represent the event’s country.
create_result	string	String of the create/open result.
creator	string
creds_name	string
creds_path	string
cve_id	string	The unique identifier of the Common Vulnerabilities and Exposures.
cvss_base_score	string	CVSS base score is used to rank the characteristics and severity of a software's exploitable weaknesses.
cvss_impact_score	string
d_name	string	A dirent structure contains the character pointer d_name, which points to a string that gives the name of a file in the directory.
d_parent	string	A dirent structure contains the character pointer d_parent, which points to a string that gives the name of a parent process in the directory.
data	string	A data is an information that has been translated into a form that is efficient for movement or processing.
datacenter_name	string
datastore_name	string
db_domain	string	The domain that contains the database.
db_id	string	The unique identifier of the database.
db_name	string	The name of the database.
db_object	string	The database object that was referenced in the event.
db_operation	string	Type of database query (insert,update,delete etc.)
db_query	string	The full query that was sent to the database.
db_schema	string	A database schema defines how data is organized within a relational database; this is inclusive of logical constraints such as, table names, fields, data types, and the relationships between these entities.
db_user	string	The user name of the local database user in the event.
decoder_name	string	Name of the decoder to use.
denied_data_actions	array	It attaches a set of deny actions to a user, group, or service principal at a particular scope for the purpose of denying access.
denied_permissions	array	The permissions that are explicitly denied by some rule.
denied_resources	array	resources that are not available or accessible to a particular user or system.
denied_users	array	It refer to users who are not allowed to access certain resources or perform certain actions.
department	string	The company department of the user
depth	string	It can refer to the number of levels or layers in a data structure, such as a tree or a graph.
description	string	A description of the event.
desire_access	string	It refer to the desire or request to access a particular resource or service offered by Dell.
dest_country	string	The country of the machine the activity operated on.
dest_country_code	string
dest_dns_hostname	string
dest_domain	string	The domain of the destination user
dest_email	email
dest_email_address	email	The full destination email address.
src_email_address	email	The full source email address.
src_email_domain	string	The domain of the source email address.
dest_email_domain	string	The domain of the destination email address.
dest_email_folder	string
dest_email_user	string	The user of the destination email address.
dest_external_ip	ipv4/ipv6	It refer to the destination external IP address of a network connection.
dest_file_dir	string
dest_group	string	It refer to a group of destinations or recipients for a command or action.
dest_host	string	The destination endpoint name.
dest_interface	string	It refer to the destination interface of a network connection or packet.
dest_ip	ipv4/ipv6	The destination endpoint IP address.
dest_ipv6	ipv4/ipv6
dest_login_id	string	The login id of the destination.
dest_mac	string	The destination endpoint MAC address.
dest_network_zone	string	It refer to the destination network zone of a network connection or traffic flow.
dest_port	integer	The destination port used in the network communication.
dest_process_command_line	string	The full command line of the targeted process.
dest_process_dir	string	The directory that contains the targeted process.
dest_process_id	hexadecimal	The process ID of the targeted process.
dest_process_name	string	The process name of the targeted process.
dest_process_path	string	The full path of the targeted process.
dest_role	string
dest_service_name	string	The service name of the targeted service.
dest_translated_host	string	It refer to the destination host that has been translated as part of a network translation process.
dest_translated_ip	ipv4/ipv6	The NATed IPv4 or IPv6 address to which a packet has been sent.
dest_translated_port	integer	The NATed port to which a packet has been sent.
dest_user	string	The user name of the targeted user.
dest_user_arn	string
dest_user_dn	string
dest_user_id	string	The unique identifier of the targeted user.
dest_user_ou	string
dest_user_sid	string	A unique identification value that is assigned to dest user account and group in the system.
dest_user_type	string
dest_zone	string	It refer to the destination zone of a network connection or traffic flow.
detection_level	string
detection_method	string
detection_source_alias	string	Indicated the name which has been provided when the cloud data connection was initially configured in the Code42 console.
device	string
device_id	string	Unique identifier of a device such as a USB
device_ip	ipv4/ipv6
device_model	string	It refer to the model or type of device that is being used or managed by the software.
device_name	string	The name of a device such as a USB.
device_size	string	It refer to the size of a storage device such as a hard drive or a cloud storage service.
device_type	string	Typically in USB related events, the type of the device that was used. E.g. USB, DVD/CD-ROM
device_vendor	string	The vendor of the device.
device_version	string	The version of the device.
devid	string	It refer to a device identifier or a unique identification value that is associated with a particular device.
dhcp_ip	ipv4/ipv6	It refer to the IP address that is assigned to a device by a DHCP server.
dhcp_type	string	It refer to the type of dynamic host configuration protocol (DHCP) message or packet that is being sent or received.
direction	string	The directionality of the communication.
directory_id	string	The unique identifier of the file directory.
disk_mode	string
disk_name	string
disk_size	string
disk_state	string
disposition	string	It is used to specify what action to perform for an item that is returned by the customer.
dlp_dict	string	It refer to a dictionary or list of keywords or phrases that are used by the DLP feature to identify sensitive data.
dns_ip_flow	string	It refer to a stream of DNS traffic that is being monitored or analyzed by Splunk.
dns_query	string	The full DNS query in the packet.
dns_query_flags	string	The query flags of the DNS query packet.
dns_query_id	string	The identifier of the query in the DNS packet.
dns_query_type	string	The DNS query type.
dns_record_type	string	It refer to the type of DNS (Domain Name System) record that is being used or configured.
dns_response	string	The full DNS response in the packet.
dns_response_code	string	The response code given in the DNS packet.
dns_response_flags	string	The response flags of the DNS response packet.
doc_id	string	A unique identifier of the document.
document_name	string	Displays the full path and filename of the current document.
domain	string	The domain of the user
door_group_name	string	It include a user directory specification or unique identity attribute.
door_name	string	It is the last person or method that locked or unlocked the door.
door_side_id	string	The unique identifier of the door side.
download_source	string	Source code that is being downloaded in this build phase.
dproc	string	It is the time that a node spends processing a packet.
drive_letter	string	Used to specify the drive letter of the volume.
driver_name	string
ds_name	string	The name of the directory service.
ds_object_class	string	The directory service object class.
ds_object_type	string	The directory service object type.
ds_object_dn	string	The full distinguished name of the directory service object.
ds_object_name	string	The name of the directory service object.
ds_object_ou	string	The organizational unit of the directory service object.
ds_object_out	string
ds_type	string
dtz	string	These are file extensions that help computers locate correct application for specific files.
duration	string	The time duration which the event spanned.
edge_response_status	string	Edge response status code is an HTTP response code sent from Cloudflare to the client (end user).
egress_security_zone	string	It refer to a security zone that is used to enforce security policies on traffic that is leaving a network.
elevation_type	string
email_address	email	The full email address of the user.
email_attachment	string	The name of the file attachment attached to the email.
email_attachments	array	A full list of the attachment names in the email.
email_dlp_from	string	It is the practice of detecting and preventing data exfiltration.
email_dlp_policy_names	array
email_domain	string	The domain of the users’ email address.
email_id	string	The unique identifier of the user's email.
email_recipients	array	The full list of recipients in the email.
email_subject	string	The subject (title) of the email.
email_user	string	The user name of the users’ email address.
employee_id	string	The unique identifier of the employee.
employee_status	string	It means the full time, part time, casual and/or temporary capacity that an Employee is employed in.
employee_title	string	It is the position a person hold in an organisation.
employee_type	string	It refers to different kinds of employees an organization can hire.
end_time	datetime	The end_time property indicates a data set's lookback cutoff date; data older than this value is not included in the data set's calculation.
engine_version	string	The version number of the database engine to upgrade to.
environment	string	It is a part of the logical message tree in which you can store information.
error_code	string	A number that appears on a computer screen to show that you have made a particular mistake or that something has gone wrong in a program
error_info	string	It retrieves error information for operations performed directly on the database handle.
event_category	string	If a single log source can provide multiple categories of events, this field should represent the category that belongs to the event.
event_code	string	The code of the operation type recorded in the event, not to be confused with event_id. For example - 4624.
event_hub_name	string	It refer to the name of an event hub, which is a cloud-based data streaming platform that is used to collect, store, and process large amounts of data from a variety of sources.
event_hub_namespace	string	An Event Hubs namespace provides a unique scoping container, in which you create one or more event hubs.
event_id	string	the unique identification of a single generated event, not to be confused with event_code.
event_name	string	The name of the operation recorded in the event.
event_name_code	string
event_name_hub_name	string
event_name_hub_namespace	string
event_name_name	string
event_subtype	string	The sub category of the event.
event_time	datetime	It refer to the time at which a particular event occurred.
execution_status	string	It reflects the current status of the activity instance. ExecutionStatus is set by the runtime tracking infrastructure.
expiry_time	datetime	It contains the Date and Time at which the password will expire.
exploit_code_maturity	string	This metric measures the likelihood of the vulnerability being attacked, and is typically based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation.
exposure_type	string	Different types of file activity occurring across the Code42 environment.
extension	string	An extension is a file containing programming that serves to extend the capabilities of or data available to a more basic program.
external_address	email	The email address of the external party in an email.
external_id	string	It contains unique record identifiers from a system outside of the current organization.
extracted	string	Local filename of extracted file.
extracted_cutoff	string	Set to true if the file being extracted was cut off so the whole file was not logged.
extracted_size	number	The number of bytes extracted to disk.
factor	string	It is a security process that helps verify users' identities before letting them access networks or online applications.
failure_code	string	A code indicating the reason of the failure.
failure_reason	string	A description of why the operation has failed.
falcon_host_link	string	URL to view the detection in Falcon.
field_name	string	It is the short name of your field.
file_arn	string
file_category	string	The general categories of file type.
file_dir	string	The directory of the file, not including the name.
file_dir_id	string
file_dir_uri	string
file_exposure_changed_to	string
file_ext	string	The file extension. If the file name is myfile.txt, file_ext will be txt
file_hash	string	A unique value that corresponds to the content of the file.
file_id	string	The unique identifier of the file the activity operated on.
file_name	string	The name of the file, not including the path.
file_owner	string	A file's owner is identified by the user ID of the person who created the file.
file_path	string	The full path of the file.
file_path_at	string
file_permissions	array	File permissions control what user is permitted to perform which actions on a file.
file_signature	string
file_signature_status	string
file_signed	string
file_type	string	The type of file accessed by the event. E.g file, folder, link.
file_url	string	The full URL of the file’s location.
fingerprint	string	It is the initial factor that unlocks the private cryptographic key that authenticates the user.
firewall	string	It is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies.
first_name	string	The first name of the user, without the last name.
firstseen	string
flow_end_time	datetime	The flow end time shows time or date when flow was ended.
flow_start_time	datetime	The flow start time shows time or date when flow was started.
folder_name	string	Name of the folder where the message is stored.
framed_addr	string	The address given to the network access server, if present.
from_user_at	string
full_name	string	The user full name.
dest_user_full_name	string	The destination user full name.
function_arn	string
function_name	string
function_role	string
function_runtime	string
gateway_station	string	The IP of the web application machine (PVWA) in cyberark.
grandparent_process_path	string
group_arn	string
group_domain	string	The domain of the group identity.
group_id	string	It distinguishes duplicate groups resulting from a GROUP BY specification.
group_info	string	It is an encoded value containing the number of groups of symbols bound to the key as well as the specification of the treatment of out-of-range groups.
group_name	string	The name of the group identity.
group_ou	string	It is a subdivision of groups within an Active Directory.
group_type	string	The type of the group, e.g. local, global, etc
handle_id	string	The unique identifier of the handle on an object.
hash_md5	hexadecimal	A md5 hash value.
hash_sha1	hexadecimal	It is a widely used hash function which takes an input and produces a 160-bit hash value known as a message digest - typically rendered as 40 hexadecimal digits.
hash_sha256	hexadecimal	A sha256 hash value.
hash_sha256_at	hexadecimal
hash_type	string	Different types of hash algorithms such as RipeMD, Tiger, xxhash and more, but the most common type of hashing used for file integrity checks are MD5, SHA-2 and CRC32.
hierarchy_code	string	The hierarchy code governs the order in which entries in a block are printed in the CINDA book, and is used to some extent as a measure of the importance of a particular reference.
history	string	Records the state history of connections as a string of letters.
host	string	The machine that logged the event. This can be either a hostname or an IP address
host_bytes_in	number
host_bytes_out	number
host_ip	ipv4/ipv6	IP address on which public port is listening
host_key	string	A host key is a cryptographic key used for authenticating computers in the SSH protocol.
host_key_alg	string	Host key algorithms specify which host key types are allowed to be used for the SSH connection.
host_type	string	A host type is a container for variables that are assigned to a particular host.
host_zen_code	string
http_response_code	integer	The code returned by the web server after a request was made.
identifier	string	An identifier is a token that is used to form a name.
identities	string	An identity is an internet capable entity that Umbrella protects through policies and monitors through reports.
identity_group	string	It is composed of information elements that identify and describe a specific group of users that belong to the same administrative group.
identity_type	string	The type of authentication credential depend upon the configuration of the supplicant software running on the endpoint device.
ignore_public_acls	string
image_file_name	string	File name of the associated process for the detection.
image_name	string	It specifies the name of the image installed.
image_publisher	string	Public image reference with publisher
image_release	string	It refer to the process of making a new version of an image file or software program available to users.
image_version	string	It refer to the specific version of an image file that is being used or referred to.
impact	string	It refers to the potential severity of a security vulnerability or threat.
in_reply_to	string	It refers to a relationship between two network communications where one communication is a response to the other.
case_name	string
ingress_interface	string	It refers to the network interface through which a packet enters a device.
ingress_security_zone	string
inode	string	The inode number is a unique identifier that is assigned to each file or directory on the file system.
instance_id	string	An instance ID is a unique identifier assigned to an instance (i.e., a virtual machine) when it is launched.
instance_profile_arn	string
instance_type	string	It is used to specify the hardware configuration of an instance, such as the number of vCPUs and amount of memory.
interface	string	An interface is a point of connection between a device and a network.
interface_id	string	An interface ID is a unique identifier assigned to a network interface when it is created.
interface_in	string	It refers to the network interface on a virtual machine (VM) that is used for incoming traffic.
interface_name	string	It refers to the name assigned to a physical or logical network interface on the firewall device.
inzone	string	The inzone is used to identify the source of network traffic in security rules, and to apply the appropriate access control policies.
ioc	string	An Indicator of Compromise (IOC) is a data point that can be used to identify malicious activity on a system or network.
ioc_number	string	An Indicator of Compromise (IOC) number is a unique identifier assigned to each IOC.
ip_lease_time	string	This is the length of time that the client can use the IP address it has been assigned.
ip_protocl_id	string
ip_reputation	ipv4/ipv6	It is a feature that allows you to identify and block traffic from known malicious IP addresses.
is_archived	boolean
is_consolidated	boolean	It is a field that indicates whether or not an event or message has been consolidated.
is_dok	boolean	A flag indicating that the operation took place on a peripheral device.
is_executable	boolean
is_orig	boolean	It is a field that is used to identify the direction of a network connection.
is_outbound	boolean	It is used to distinguish between connections that were initiated by the host and connections that were established as a result of an incoming request.
issue_time	datetime	It represents the time that an event was generated or issued.
item_creator	string	It represents the user or system that created an object.
item_name	string	It is a field that represents the name of an object.
item_type	string	It represents the type of object that is being used.
kerberos_service_name	string
kex_alg	string	It contains the name of the key exchange algorithm that is used in the SSH connection.
key_id	string
key_length	integer	It represents the length of a cryptographic key used for encryption or decryption.
key_name	string	It is a field that represents the name of a key that is used for encryption or decryption.
key_status	string
key_type	string	It specifies the algorithm used to generate the key.
asset_labels	array	It represents the labels that have been assigned to an asset.
landscape	string	Represents the landscape context element.
last_blocked_time	datetime	It represents the last time that a threat was blocked by the software.
last_known_ip	ipv4/ipv6	It represents the last known IP address of a resource or virtual machine.
last_name	string	The last name of the user, without the first name.
lease_time	string	It represents the amount of time a DHCP lease is valid for.
link	string	It is a field that represents a hyperlink to a resource or webpage.
link_id	string
linked_service_account	string	It represents the service account that is linked to a specific resource or project.
local_orig	string	It represents whether or not a network connection was initiated by a host on the local network.
local_resp	string	It is used to indicate whether or not the connection was responded to by a host on the local network or from an external network.
local_user_id	string	It represents the identifier of a user who is local to the Ping Identity platform.
location	string	The full location of the physical access event.
location_area	string	In physical access events, the name of the general area/compound in which the access took place.
location_building	string	In physical access events, the name of the building in which the access took place.
location_city	string	In physical access events, the name of the city in which the access took place.
location_country	string	In physical access events, the name of the country in which the access took place
location_door	string	In physical access events, the name of the door in which the access took place
location_door_id	string	It is a field or attribute used to track or identify the location.
location_full	string	It is a field or attribute that can be used to represent the full location of an object, event, or person.
location_information	string	It is an information, obtained by means of a tracking device, concerning the location of an electronic device.
location_state	string	In physical access events, the state of the physical location. E.g locked, disabled.
log_location	string	It refer to the directory or file path where log files are stored.
log_name	string	The name of the logging component that recorded the event.
log_path	string	It refers to the file path or directory where log files are stored.
log_severity	string	It refers to the level of importance assigned to a log entry or event.
log_source	string	The service that provided that data to the logging service.
log_time	datetime	It refers to the time when an event or log entry was recorded in the system.
log_uid	string	It refers to a unique identifier assigned to a log entry or event.
login_id	hexadecimal	The identifier of the depicted login session.
login_method	string	It refers to the process used by a client to authenticate to a server.
login_type	integer	In login events, used to describe the type of the login operation. E.g remote, local, kerberos…
login_type_text	string	It is a field that describes the type of logon that was performed by a user or system account.
mac_alg	string	It refers to the message authentication code (MAC) algorithm used to secure a connection.
machine_type	string	It refers to the specific virtual machine (VM) instance type that is used to host a particular workload.
mailbox_name	string
mailfrom	email	It is used to represent the sender of an email message.
malicious_file_count	integer	It is a metric that tracks the number of files detected as malicious by the security system.
malware_action	string	It is a field that specifies the action taken by the security system in response to a detected malware event.
malware_family	string	It is a field used to identify the specific family or group of malware associated with an event or alert.
malware_file_name	string	It is a field that identifies the file name associated with a piece of malware.
malware_file_type	string	It refers to the type of file that is determined to contain malicious content.
malware_id	string	It refers to a unique identifier assigned to a specific piece of malware.
malware_name	string	It contains the name of the malware family, variant, or specific instance of malware.
malware_score	string	The malware score assigned in the event by a security vendor.
malware_url	string	It refers to the URL or web address associated with a piece of malware that has been detected by the security solution.
malware_url_path	string	It refers to the path of a URL that is associated with malicious activity or a threat.
manager	string	It refer to an individual or department in charge of a particular area or project.
manager_email	email
manager_name	string	It is used to identify the name of an individual or entity that is responsible for overseeing a particular resource or asset.
mbps	string	It refers to megabits per second, which is a measure of data transfer rate.
meeting_duration	string	It is a field that indicates the length of time a Zoom meeting lasted for.
meeting_host_id	string	The ID given to the user acting as host of the web conference meeting.
meeting_name	string	The name of the web meeting.
meeting_number	string	It refers to a unique identifier assigned to each Zoom meeting, which is generated when the meeting is scheduled or started.
meeting_timezone	string	It refers to the time zone that is set for a particular Zoom meeting.
meeting_topic	string	It refers to the subject or title of a virtual meeting or conference.
meeting_type	string	It refers to the type of Zoom meeting being held.
member	string	In groups and similar organizational units, the member represents the full name of an identity that’s contained in them.
member_id	string
members	array	It refers to the users or groups that are part of an organization or a specific application or resource in Okta.
memory_address	string
memory_protection	string
memory_size	string
message_id	string	A unique identifier of a communication message.
method	string	Used in HTTP to describe the method of the web request. E.g GET, POST…
mfa	string	It is a security process that requires a user to provide two or more authentication factors to verify their identity and access a resource.
mime	string	Typically in web-access events, the media type of the content, e.g. text, audio/mpeg
miscellaneous	string	It could refer to a category or field in log data that contains information that does not fit into a more specific category.
missed_bytes	number	Indicates the number of bytes missed in content gaps, which is representative of packet loss.
mitre_labels	array	It refer to the specific MITRE ATT&CK techniques and tactics used in a particular security incident.
mobile_version	string
modified_keys	array	It refer to the modification of keys in a cryptographic context, such as encryption keys or access keys.
module_hash_names	array	It refers to a specific configuration or data structure within a Cisco product.
monitoring_plan	string	It refer to a plan for monitoring and auditing IT systems and infrastructure for compliance with regulations, best practices, and organizational policies.
more_info	string
msg_id	string	It refers to a message identifier used in Inter-Process Communication (IPC) mechanisms such as System V message queues.
name_at	string
nas_ip_address	ipv4/ipv6	It is used in the context of Remote Authentication Dial-In User Service (RADIUS), which is a protocol used to provide centralized authentication.
native_file_system	string	It is a custom file system specifically designed for processing and storing large amounts of network data.
network	string	The name of the network that was accessed in the event.
network_app	string	It is used to refer to an application or service running on a network.
new_attribute	string	It refer to a new attribute or field that has been added to a data structure or configuration in a Symantec product.
new_enrollment	string	It refer to a new process of enrolling a device or user into a Cisco security solution.
new_file_name	string
new_hash	string	It refer to a new hash value, which is a unique digital fingerprint of a file, document, or other digital content.
new_host	string
new_ip	ipv4/ipv6
new_multiattach	string
new_password	string	The new/latest password required to enter a web conference meeting
new_size	number
new_user_name	string	It refers to a new username that has been created for a user account.
new_value	string
num_external_recipients	integer	The amount of external (out of the organization) recipients that the communication message was sent to.
num_internal_recipients	integer	The amount of internal (in the organization) recipients that the communication message was sent to.
num_pages	integer	The amount of pages printed.
num_recipients	integer	The amount of recipients the communication message was sent to.
object	string	When representing a generic/unknown entity, the object is the full path of the entity.
object_class	string	It refers to a class of objects that are used to manage system resources.
object_dn	string	It is a unique identifier for an object in the Active Directory, and it is used to locate and manage the object.
object_handle	string
object_id	string	When representing a generic/unknown entity, this represents the unique identifier of the entity.
object_name	string	When representing a generic/unknown entity, this represents the name of the entity.
object_ou	string	It is a container object in the Active Directory that is used to organize and manage other objects.
object_server	string	An object server is a software component that provides objects for use by other components in the network.
object_type	string	When representing a generic/unknown entity, this represents the type of the entity.
occured_time	datetime	It refers to the time at which a specific event or security incident took place.
old_attribute	string	The attribute before it was changed
old_file_name	string	The old file name before it was rename
old_hash	hexadecimal	It refer to the hash value of a file before it was updated or changed.
old_multiattach	string
old_password	string	The old/previous password required to enter a web conference meeting.
old_size	number
old_user_name	string	It refers to a old username that has been used for a user account.
old_value	string	It refers to a previous value or setting of some attribute or configuration in a virtual machine or virtual infrastructure.
opcode	string	It refers to a machine-level instruction or operation code that is executed by the processor.
operation	string	The activity that was recorded in the event.
operation_details	string	Additional information about the activity that could add context when reviewing the event in the UI.
operation_first	string	It refers to a concept in auditing or logging where the first operation performed by a user or process is recorded.
operation_id	string	It refers to a unique identifier assigned to a specific operation or request.
operation_last	string	It refers to a concept in auditing or logging where the last operation performed by a user or process is recorded.
operation_name	string	It refers to the name or description of a specific operation performed within the Azure platform.
operation_type	string	The classification/type of the operation.
operation_version	string	It refers to a version number or identifier assigned to a specific operation performed within the Azure platform.
operator_name	string	It refers to the name of the user who performed an action within the platform.
order_num	string	It is used to track and identify specific orders within a system, and can be used for purposes such as tracking, auditing, and reporting.
orig_bytes	number	It refers to the number of bytes of data in the original or incoming direction of a network connection or communication.
orig_cc	string	It refers to the two-letter country code of the originator of a network connection or communication.
orig_filenames	string	It refers to the names of files that are being sent or received in the original or incoming direction of a network connection or communication.
orig_pkts	string	It refers to the number of packets in the original or incoming direction of a network connection or communication.
origin_ip	ipv4/ipv6	It refers to the IP address of the originator of a network connection or communication.
origin_name	string	It refers to the name of the originator of a network connection or communication.
origin_response_status	string	It refers to the status code of the response received from the origin server during a network communication.
original_risk_score	number	It refers to an initial assessment of the risk or threat level associated with a particular event, action, or activity.
original_user	string
os	string	The operating system of the device taking the action
os_admin	string	It refers to the administrator account associated with the operating system (OS) of a virtual machine (VM) or other computing resource in the Azure cloud platform.
os_environment	string	It refers to the OS environment of a computer or network device, including information about the version, type, and configuration of the OS and related software.
os_revision	string	It refers to the version or revision number of the operating system (OS) being used by a device or computer.
os_type	string	The type of the device’s operating system.
os_version	string	The version number of the device’s operating system.
outcome	string	Represents the outcome context element.
outzone	string	It refers to a security zone in a network that is outside of the trusted security perimeter and is considered to be less secure than other zones
overflow_bytes	number	It refers to the number of bytes of data that are discarded due to buffer overflow.
owned_user	string
owner_id	string
packet_rate	string	It refers to the rate at which packets are being transmitted across a network.
packets	integer	Number of total packets in a network connection.
packets_in	integer	Number of ingress packets in a network connection.
packets_out	integer	Number of egress packets in a network connection.
page_count	integer	It refers to the number of pages in an electronic document or file.
parent_hash_sha256	hexadecimal
parent_md5hash	hexadecimal	It refers to a unique identifier used to track the relationship between parent and child processes in a computer system.
parent_process	string	It refers to the process that spawned or created another process in a computer system.
parent_process_command_line	string	The full command line of the parent process.
parent_process_dir	string	The directory of the parent process, without the process name.
parent_process_guid	string	The unique global identifier assigned to the parent process.
parent_process_hash	hexadecimal	It refers to a unique identifier that is assigned to a parent process running on a computer.
parent_process_id	string	The process ID of the parent process.
parent_process_name	string	The process name of the parent process, without the path.
parent_process_path	string	The full path of the parent process.
path	string	It refer to the location or file path of a specific configuration or log file within an application.
payload_printable	string	It refers to the human-readable representation of the payload in a network communication or a malware file.
peer_gateway	string	It is the remote endpoint of a VPN tunnel and is used to securely connect two separate network segments over the internet.
permission	string	It refers to the set of rules that govern access to files, directories, and other resources.
permissions	string
phishing_score	string	It refers to a score assigned to a detected email based on the likelihood that it is a phishing attempt.
platform	string	Represents the platform context element.
playbook_files	string
policies	string	It refers to a set of rules and configurations that define how resources should be managed within an organization.
policy	string
policy_arn	string	It refers to the Amazon Resource Name (ARN) of an AWS Identity and Access Management (IAM) policy.
policy_bindings	string	It refers to the set of policies that are associated with a resource in Google Cloud Platform.
policy_changes	string
policy_content	string	It contain the JSON text of a policy, which is a set of statements that specify the actions that are allowed or denied for a particular user, group, or role.
policy_delta	string	It refers to a change made to a specific policy.
policy_id	string	It refers to a unique identifier assigned to a specific security policy.
policy_name	string	The name of the policy document.
policy_runtime	string	It refers to the set of security policies that are being enforced at a given time on a particular device or network.
policy_version_id	string	It refers to the unique identifier for a specific version of an AWS identity and Access Management (IAM) policy.
primary_key	string	It is a unique identifier assigned to each process, binary, or file that is captured and analyzed by the platform.
principal_id	string	It refers to a unique identifier for an AWS identity, such as an AWS account root user, an IAM user, or a federated user.
principal_name	string	It refers to the name associated with a specific user, group or service that is granted access to a computer system, network, or application.
principal_type	string	It is a term used to refer to the type of entity that performed an action.
printer_id	string	The identifier of the printer device.
printer_name	string	The name of the printer device.
printer_port	integer
printer_sn	string	Ther serial number of the printer device.
printer_type	string	The type of the printer
priority	string	level of urgency
private_cookie	string	It refers to a cookie that is not shared with third-party domains, and is stored in a user's web browser for a specific website.
private_ip	ipv4/ipv6	It refers to an IP address that is assigned to a device within a private network and is not reachable from the Internet.
privileges	array	All the privileges given on an object, e.g. SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege.
process	string	The path of executed process
process_command_line	string	The command line of the event’s process.
process_dir	string	The directory (without the name) of the event’s process.
process_guid	string	The graphical unique identifier of the event’s process.
process_hash	hexadecimal	It refers to a unique identifier that is assigned to a process running on a computer.
process_id	hexadecimal	The PID of the event’s process.
process_integrity	string	It refers to the level of trust associated with a process.
process_name	string	The name of the event’s process.
process_owner	string	The user that owned the process.
process_path	string	The full path (directory and name) of the event’s process.
process_permission	string
process_type	string	It refers to the classification or categorization of a process based on its type, behavior, or characteristics.
process_vendor	string	It refers to the company or organization that developed the process that is being monitored.
processing_end_time	datetime	It refers to the time when the processing of a particular operation, task, or process within the Azure environment is completed
product	string	The product context element.
product_category	string	The product category context element.
product_name	string	It refers to the name of a specific product offered by the company.
profile	string	It refers to a group of configuration settings and policies that are applied to a particular type of network traffic, such as web, email, or VPN traffic.
profiles	array	It refers to the configuration settings that specify the behavior of an iOS or macOS app or framework.
project_id	string	It is a unique identifier for a project. It is used to organize resources and associate them with a specific project.
properties	string	It refers to the specific characteristics, features, or attributes of an object, such as a file, folder, device, or system component.
protection_name	string	It refers to the name assigned to a security policy or rule that is implemented to protect the network from specific threats or attacks.
protection_type	string	It refers to the type of security protection provided by a particular security solution or feature.
protocol	string	The network protocol the event used, e.g. DNS, TCP, HTTP.
provider_name	string	It is used to refer to the name of the software or service that provides a specific log event.
proxied	string	It refers to network traffic that is being passed through a proxy server.
proxy_action	string	In http communication events, the way the proxy identifies the request, e.g. TCP_MISS, TCP_HIT.
proxy_ip	ipv4/ipv6	It indicate the IP address of the proxy server through which the web traffic is flowing.
qclass	string	It is a term used to describe a field in the DNS protocol that specifies the class of a query.
qclass_name	string	The query class defines the type of data being queried, such as Internet address (IN), Chaosnet (CH), or Hesiod (HS).
query	string	It refer to a request for information, data or content from a network or device.
query_id	string	Identifier of a query.
query_string	string	It refers to the part of a URL that contains data to be passed to a web application or a resource, after the ? symbol.
radius_flow_type	string	It refers to the type of RADIUS flow, which is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for remote access to a network.
rcptto	string	It refers to the recipient's email address to which the email message is being sent.
readonly	string	A resource with readonly permission can only be viewed and not modified.
realm	string	Name of the VPN realm
recipient	email	It refers to the person or entity who receives an email, file, message, or other information in a service or application.
recipient_count	integer	It refers to the total number of recipients associated with an email, document, or other file.
recipients	array	It refers to the individuals or groups that a message or piece of content is addressed to.
record_type	string	It refers to the type of record stored in a file system.
recorded_time	datetime
redirect_url	string
referrer	string	In HTTP communication the url that referred to the current site.
region	string	It refers to a geographical area, where one or more data centers are located, that is designed to provide low latency and high throughput network connections.
registration_no	string	It refers to a unique identification number assigned to a device or product upon its registration with the system.
registry_details	string	The details of the registry object.
registry_details_type	string	The details type of the registry object.
registry_hive	string	The hive of the registry object.
registry_key	string	The registry key in the activity.
registry_path	string	The full path to the registry object.
registry_value	string	The value of the registry object.
relying_party_id	string	It refers to a unique identifier assigned to a relying party in a security token service (STS) system.
remediation_steps	string	It refers to the actions that need to be taken to resolve an issue or address a vulnerability.
remote_location_city	string	It is a field that represents the city of the remote location in a network connection.
remote_location_country_code	string	It refers to the two-letter country code of the remote location of a network communication or activity.
remote_location_latitude	string	It is a field that represents the latitude of the remote location from where a network connection was initiated.
remote_location_longitude	string	It refers to the longitude coordinate of the remote location.
remote_location_region	string	It refers to the region information of a remote host based on its location, as determined by the IP address.
removable_media_bus_type	string	It refers to the type of bus interface used by a removable storage device, such as USB, FireWire, or SCSI.
removable_media_capacity	string	It refers to the amount of storage space available on a removable media device.
removable_media_media_name	string	It refers to the name or label assigned to a removable storage device.
removable_media_name	string	It is the name of a removable media device, that has been connected to a computer being monitored by Code42.
removable_media_partition_id	string	It refers to a unique identifier assigned to a specific partition on a removable storage device.
removable_media_serial_number	string	It is an unique identifier for a removable media device
removable_media_vendor	string	It is a term used to describe the manufacturer or vendor of a removable media device.
removable_media_volume_name	string	It refers to the name assigned to a specific partition on a removable storage device.
removed_member	string	It refers to a user who has been removed from a group or an organization.
removed_member_type	string	It refers to the type of a removed member (user, group, etc.) from a specific resource.
removed_permissions	array	The permissions that were previously granted to an individual or group have been revoked or removed.
removed_role	string	It refers to a role that was previously assigned to a user or group, but has since been removed.
removed_role_name	string	It refers to the name of a specific role that has been removed or revoked from a user or group.
removed_users	array
reply_to	array	It refers to the IP address or domain name that a server should direct replies to a specific communication to.
report	string
reporter	string	It refers to the source of the log or event data that is being analyzed.
repository_name	string
request_binding	string	It is a security concept related to the process of binding authentication data to the request that is sent between a client and a server.
request_cookie	string	It refers to a piece of data that is stored on the client side and sent to the server in subsequent requests.
request_type	string	It is one of the properties of the event that provides information about the type of request made by the client.
requested_app	string	It refers to the application or resource that a user is attempting to access.
requested_app_id	string	It refers to a unique identifier assigned to a specific application or resource that the user is trying to access.
resource	string	Typically in app-activity activity-type, this is a property of the object the action is taken on. For example, if a user A gives user B permissions on directory C, B would be parsed as object and C as resource.
resource_group	string	It is a logical container for grouping related resources.
resource_id	string	It is a unique identifier for a specific resource.
resource_name	string	The resource name is typically assigned by the user when the resource is created and it can be used to identify the resource in various services
resource_path	string	It refers to the location of a resource within the Azure environment.
resource_dir	string	The directory of the resource.
resource_type	string	It refers to the type or category of a specific resource
resp_bytes	number	It is a field that represents the size of a response packet in bytes.
resp_cc	string	It is a field that represents the country code of the origin of a response packet.
resp_pkts	integer	It is a field that represents the number of response packets sent in response to a network request.
response	string	It refers to the information that is returned in response to a request or command.
response_size	number	It refers to the size of the response that is sent from a server to a client in bytes.
response_time	datetime
response_ttl	string	It refers to the Time-To-Live (TTL) value that is associated with a response packet.
restrict_public_buckets	string
result	string	Describes the result of an event's occurrence as parsed (succeeded, failed...)
result_at	string
result_code	string	A code indicating the outcome of an activity, e.g. 0x0, 0x1F, success.
result_reason	string	A description of why this result was given.
return_path	string	The return path of an email message. This may or may not be identical to the sender.
risk_level	number	It refers to a security risk rating that is assigned to network traffic based on its content and behavior.
role	string	It refers to a set of permissions and responsibilities assigned to a user or group of users in order to manage and control access to network resources and configurations.
role_arn	string	It is the Amazon Resource Name (ARN) of an AWS Identity and Access Management (IAM) role.
role_definition	string	It is a blueprint that outlines the specific permissions and actions that can be performed by a role.
role_definition_id	string	It is a unique identifier for a role definition.
role_id	string
role_name	string
role_permissions	array	It refer to the set of actions and operations that can be performed by a user with a specific role.
role_type	string
router_ip_flow	string	It is a type of data source used to collect and analyze network flow data.
router_subnet	string	It is a segment of a network that is assigned to a specific router.
rtt	string	It stands for Round-Trip Time and is a measurement of the time it takes for a packet to travel from its source to its destination and back.
rule	string	It is a set of criteria and actions used to control network traffic.
rule_action	string	It is a term used to describe the action that is taken when a specific security rule is triggered.
rule_count	number	It refers to the total number of security rules defined in a firewall policy.
rule_id	string	It refers to a unique identifier assigned to each security rule defined in a firewall policy.
rule_reason	string	It refers to the reason or justification for why a particular security rule was triggered.
rule_severity	string	It refers to the level of importance or criticality assigned to a particular security rule.
rule_uid	string	It is a unique identifier assigned to each security rule in the firewall policy.
run_level	string	It refers to the state or configuration level at which the operating system operates, and is used to manage the behavior and accessibility of the system.
safe_name	string	It is a unique identifier assigned to each Safe (secure repository), which is used to distinguish and organize different Safes within the platform.
safe_value	string	The name of the safe in which the password is stored
scan_id	string	It refers to a unique identifier assigned to a security scan, such as a vulnerability scan or a web application security scan.
scan_type	string	The type of the scan the product did.
schema_name	string	It refers to the name given to a particular organization of database objects in a database management system, such as Microsoft SQL Server.
schema_version	string	It refers to a version number assigned to a particular organization or structure of database objects in a database management system.
secondary_key	string	It refers to a supplementary key or password used in addition to a primary key to provide an additional layer of security.
secret	string
secured	string	It refers to a feature or setting within the platform that provides security and protection for stored data.
security_group	string
see_also	string	It refers to a feature or functionality in cyber exposure platform that allows users to access additional resources or related information.
selected_hash_sha256	hexadecimal	It is used to identify the specific hash algorithm used to calculate the SHA256 hash value of a file or piece of software.
selected_md5hash	hexadecimal	It is used to identify the specific hash algorithm used to calculate the MD5 hash value of a file or piece of software.
sender	email	It is used to identify the source of the email and can be used to filter or categorize incoming email messages.
sense_score	string	It refers to a metric used in the IBM Watson Discovery service to measure the relevance of a document or piece of content to a particular query.
sense_value	string	It refers to a value assigned to a specific security event based on the level of risk it poses to the organization.
sensor	string	It refers to a software component that is installed on a network to collect and analyze security-related data, such as network traffic and logs, in real-time to detect and prevent cyber-attacks.
sensor_id	string	It refers to a unique identifier assigned to each endpoint device that has the agent installed.
sensor_name	string	It refers to the unique identifier given to a specific instance of a network security device or system within a network.
seq_num	number	It is a numerical identifier of the specific packet within a larger set of data, typically used in network security systems.
sequence	string	It refers to the order in which packets are processed by the firewall.
serial_num	string	It is a unique identifier assigned to a product by the manufacturer.
server	string	A server is a device to centralize resources and provide centralized management, which can make it easier for administrators to manage and maintain their networks.
server_group	string	In some database solutions (e.g. MS SQL), a server group is a way to organize connections to servers and databases.
server_name	string	The server name the activity operated in
server_ssh_version	string	It is a string value that represents the version of the SSH (Secure Shell) protocol that the server is running.
server_version	string	It refers to a string that identifies the version of software or operating system that is running on a server.
service_command_line	string	It refers to the command line arguments or parameters used to start, stop, or manage Windows services.
service_id	string	Service found for the connection (by the destination port).
service_name	string	The service name the activity operated on
service_start_type	string	It is used by the service installer to indicate whether the new service should be disabled or start automatically or started manually by a user or application.
service_state	string	They are used to determine when event handlers are executed and when notifications are initially sent out.
service_type	string	It specifies the type of service and determines how the service operates, such as whether it runs in the background or interacts with the user interface.
session_arn	string	The Session ARN (Amazon Resource Name) is a unique identifier that represents a session in the AWS Management Console.
session_day	string	It refers to a field in a log or report that indicates the day of a network session.
session_duration	string	It refers to a field in a log or report that indicates the length of time a network session was active.
session_end	string
session_expiration	string	It refers to the time at which a session will expire and be terminated.
session_hour	string	It refers to a field in a log or report that indicates the hour of a network session.
session_id	string	Unique identifier of a vpn or network connection session.
session_min	string	It refers to a field in a log or report that indicates the minute of a network session.
session_name	string	It refers to an optional parameter that can be provided when creating a session.
session_sec	string	It refers to a field in a log or report that indicates the second of a network session.
session_start	datetime
session_tag	string
set_as_defualt	string	It refers to an option that can be used to set a specific profile as the default profile for a user.
severity	string	It refers to a field in a log or report that indicates the level of importance or criticality of a security event or threat.
sha	hexadecimal	It refers to the Secure Hash Algorithm, a family of cryptographic hash functions that are widely used for digital signatures.
share_name	string	The name of the accessed network share, e.g. IPC$, SYSVOL
share_path	string	The full path of a network share, e.g. D://SYSVOL_DFSR//sysvol
share_type	string	It refers to a field in a log or report that indicates the type of a network share.
shared	string	Indication if the file was shared.
shared_with	string	It refers to a field in a log or report that indicates the recipients or users with whom a file or resource has been shared.
shared_with_at	string	It refers to a field in a log or report that indicates the date and time when a file or resource was shared with specific recipients.
sid_domain	string	It refers to the domain component of a SID, which identifies the domain in which the security principal is defined.
sid_history	string	It refers to a feature that allows the SID of a user or group account to be preserved when the account is migrated from one domain to another.
site_at	string	It refers to a field in a log or report that indicates the location or site at which a specific security event or activity occurred.
site_id	string	In physical access events, the ID of the physical location.
site_name	string	In physical access events, the name of the physical location.
site_state	string	In physical access events, the state of the physical location. E.g NY.
smartdefense_profile	string	It refers to a configuration setting in Check Point software that defines the level of protection for a specific security policy or rule.
source_connection_id	string	It refers to a log or report entry that provides information about a specific connection, such as the identity of the client device.
spam_score	string	It refers to a numerical value assigned to an email message, indicating the likelihood that the message is spam or unwanted.
sql_count	integer	The number of entries affected by a database operation
src_bucket_arn	string
src_country	string	The country of the machine from which the activity originated.
src_country_code	string	The country code of the machine from which the activity originated.
src_domain	string	It refers to the source domain of a network connection or event.
src_ds_object_dn	string	The full distinguished name of the source directory service object.
src_ds_object_name	string	The name of the source directory service object
src_ds_object_ou	string	The organizational unit of the source directory service object.
src_email_folder	string
src_file_arn	string
src_file_dir	string	The directory of the source file, not including the name.
src_file_ext	string	The source file extension. If the file name is myfile.txt, src_file_ext will be txt
src_file_name	string	The name of the source file, not including the path.
src_file_path	string	The full path of the source file.
src_fqdn	string	The fully qualified domain name (FQDN) refers to a log or report entry that provides information about the source of a connection, such as the hostname and domain name of the device that initiated the connection.
src_group_name	string
src_host	string	The name of the machine from which the activity originated.
src_host_type	string	It refers to the type of the source host involved in a network connection or event.
src_interface	string	Name of the interface associated with the connection origination
src_ip	ipv4/ipv6	The IP of the machine from which the activity originated.
src_ipv6	ipv4/ipv6
src_location	string	It refers to the location of the source host involved in a network connection or event.
src_location_area	string
src_location_door_id	string
src_location_full	string
src_location_id	string	It refers to a unique identifier for the location of the source host involved in a network connection or event.
src_mac	string	The source endpoint MAC address.
src_net_status	string	It refers to the status of the source network involved in a network connection or event.
src_network	string	It refers to a log or report entry that provides information about the source network, such as its IP address range, subnet, or hostname.
src_network_zone	string	It refers to the network security zone associated with the source network in a network connection.
src_password	string
src_port	integer	The source port used in the network communication.
src_process_dir	string	The directory of the process that did the activity.
src_process_id	string	The identifier of the process that did the activity.
src_process_name	string	The name of the process that did the activity.
src_process_path	string	The path of the process that did the activity.
src_resource	string
src_resource_type	string
src_role	string
src_translated_host	string	It refers to a log that provides information about the translated source host, which may be different from the actual source host.
src_translated_ip	ipv4/ipv6	In NAT situations, the internal assigned IP. This is different from the src_ip which would be the external facing IP. For example, in a VPN connection src_ip is the external, internet routable IP, while src_translated_ip is the internal address assigned to the vpn connection.
src_translated_ipnum	string	It refers to a log or report entry that provides information about the translated source IP address, which may be different from the actual source IP address due to NAT or PAT.
src_translated_port	integer	It refers to the translated source port in a network connection or event.
src_user	string	It refers to the source user or the user who initiated a particular action or event.
src_zen_code	string
src_zone	string	It refers to a log or report entry that provides information about the security zone from which a particular network event or traffic flow originated.
src_zone_name	string	It provides information about the source security zone associated with a particular network event, such as the name of the security zone.
ssid	string	The Service Set Identifier (network name) the activity was on.
ssno	string	It refer to the unique 9-digit identification number assigned by the Social Security Administration (SSA) to U.S. citizens and residents for tracking purposes.
state	string	It refer to various aspects of system or program behavior, configuration, or status.
status_msg	string	It is a message that provides information about the status or outcome of an operation or request.
storage_account	string	It is a type of account that provides a scalable and secure data storage solution for unstructured data, such as blobs, files, queues, and tables.
sub_category	string	A subcategory of the log.
sub_domain	string	It is a field that represents the sub-domain portion of a fully qualified domain name (FQDN).
sub_status	string	It refers to the status of a sub-component or sub-process within a larger security system or process.
subject	string
subnetwork	string	A subnetwork (also known as a subnet) is a portion of a larger network that is divided for the purposes of network organization and management.
subscription_id	string	The subscription ID is a unique alphanumeric string that identifies your product subscription.
subtype	string
suid	string	SUID (Set User ID) is a Linux permission attribute for executable files that allows a user to execute the file with the permissions of its owner.
sync_destination	string	It refers to the location to which data is being synced or backed up.
syscall	string	A syscall is a system call, which is a request to the operating system's kernel to provide a specific service, such as allocating memory or creating a process.
system_manufacturer	string	It refers to the manufacturer of a device or computer system.
system_type	string	It refers to the classification of a device as a router, switch, firewall, or other network device.
tab_title	string	It is a term used in the security platform to refer to the title or label of a tab in a user interface.
tab_url	string	It refers to the URL of the web page that was open in a web browser tab during the time a file was being accessed.
table	string	It refers to the name of a database table.
table_name	string	It refers to the name of a database table.
tag	string	It refers to a metadata label or keyword assigned to an object or resource to categorize, group, or identify it.
tags	array	Tags are a metadata label assigned to a network communication or an event.
target	string	The object the activity operated on.
target_domain	string
target_hash_sha256	hexadecimal	It refers to a 256-bit Secure Hash Algorithm (SHA-256) that is used to calculate a digital fingerprint or hash value of a target file or system.
target_host	string	The destination endpoint name.
target_md5hash	hexadecimal	It is a field that represents the MD5 hash of a target file in the system.
target_uri	string	It refers to the uniform resource identifier (URI) of the target system, application, or resource that is being accessed
task_id	string	The unique identifier of the schedule task the activity operated on.
task_name	string	The name of the schedule task the activity operated on.
tcp_flags	string	The TCP flags in a tcp communication.
tenant_id	string	It refers to a unique identifier for a tenant in a multi-tenant architecture, such as in Microsoft's cloud platform, Azure Active Directory.
terminal	string	It is a text-based interface, or a graphical user interface, and is used to submit SQL commands, view data, and perform various other database-related operations.
thread_id	string	It refers to a unique identifier assigned to a process or a set of processes running in an operating system.
threat_category	string	The category of the threat the product detected, as dictated by the vendor.
threat_handled	string	It refers to an event, action or measure taken by a security system to mitigate or eliminate a detected threat.
threat_id	string	The identifier of the threat the product detected, as dictated by the vendor.
threat_level	string	It refers to a classification of a potential security threat, which determines the severity or urgency of the threat.
threat_type	string	It refers to the category of a detected threat.
threat_url	string	It refers to the URL or web link that is suspected of hosting malicious content, such as phishing scams or malware downloads.
ticket_encryption_type	string	It refers to the encryption algorithm used to encrypt the security tickets used in authentication between client and server.
ticket_options	string	It refers to specific settings or flags that are associated with a Kerberos ticket.
time	datetime	The time in which the activity occurred.
time_created	datetime	The time the file was created.
time_modified	datetime	The last time the file modified.
time_taken	number	It refers to the amount of time required for a process or operation to complete.
timedout	string	It refers to whether or not a connection has timed out.
token_issuer_type	string	It refers to the type of security token issuer that is used to generate the token.
top_domain	string	The domain without the subdomain. E.g. in www.exabeam.com, exabeam.com would be parsed in this field
tracking_id	string	is a unique identifier used to track and associate related events and transactions within the system.
traffic_type	string
trans_depth	string	This field allows to track the different layers of protocol encoding used in a network connection.
transaction	string	A transaction is a specific set of tasks or operations that are performed in the system to achieve a specific goal, such as creating a new customer or updating an existing one.
transaction_id	string	It refers to a unique identifier assigned to a specific transaction or group of related transactions in a system.
transistive_tags	array
trigger_entity	string	It refers to an event, alert, or indicator that triggers an investigation or response action within the security information and event management (SIEM) system.
trigger_time	datetime	It refers to the time when a particular event or action in the system was triggered or initiated.
trigger_type	string	It refers to the type of event or activity that initiates an action or response within the security platform.
triggers	string	It refer to a set of rules or conditions that initiate a specific action when met.
tunnel_parents	string	It refers to the parent sessions or connections in which the current session is encapsulated within, forming a tunnel.
tunnel_protocol	string	It refers to the protocol used to encapsulate the original network traffic, which is often encrypted and transmitted over another network.
udid	string	It refers to the Unique Device Identifier, a code that identifies a specific device in the Cisco system.
uri	string	The full URI of the web page.
uri_path	string	The URI path of the web page.
uri_query	string	The query in a URI in of a web page.
url	string	The URL of a web page.
usb_serial_number	string	It refers to the unique identifier of a USB device connected to a computer.
usb_vendor	string	It refers to the identifier of the vendor of a USB device.
rule_usecases	array	It refers to the specific use cases that a security rule is intended to address.
user	string	The user name of the user that did the activity.
user_agent	string	The user-agent in a web activity.
user_agent_client	string	It refers to the client software or application that is used to access a web service or resource.
user_arn	string	It refers to the Amazon Resource Name (ARN) of a user.
user_dn	string	It refers to the distinguished name (DN) of a user.
user_group_name	string	The groups the user belongs to.
user_id	string	The generic unique identifier of the user.
user_info	string	It refers to information about a specific user, such as their name, username, and other relevant details.
user_ou	string	The directory service organizational unit of the user.
user_sid	string	The SID (Security Identifier) of the user.
user_type	string	The type of the user.
user_uid	string	It refers to a unique identifier assigned to a user account.
user_uids	string	It is a field that represents the unique identifier for a user.
user_upn	string	UPN (User Principal Name) is a unique identifier for a user in Microsoft's Active Directory.
userdata	string
users	array	It refers to the individuals who have access to the security systems and services provided by them, such as firewalls, VPNs, and other security solutions.
vault_entity_id	string	It is a unique identifier for an entity in Vault.
vendor	string	The vendor context element.
vendor_id	string	It is a unique identifier assigned to a vendor.
vendor_name	string	It refers to the name of the manufacturer of the device that is being backed up or monitored.
version	string	The version of the monitoring program.
virtual_station_name	string	It refers to the name assigned to a virtual station (VSTA) in a wireless LAN (WLAN) network.
virus_name	string	It refers to the name assigned to a specific malicious software that has been detected by antivirus software.
vm_host_name	string
vm_pool_name	string
vm_size	string	It refers to the size or type of a virtual machine (VM) in terms of the amount of memory, CPU, and storage resources it is allocated.
vm_template_name	string
volume_device	string
volume_size	string
volume_type	string
volume_zone	string
vpc	string	It stands for Virtual Private Cloud, it is a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network.
vpn_client	string	It is a secure VPN connection that allows remote workers or third-party contractors to connect to the company's network securely, using their own device.
vpn_client_type	string	It refers to the type of VPN client software that is used to establish a secure connection to a remote network.
wazuh_manager	string	It refers to the central manager component responsible for managing agents, rules, and alerts.
web_domain	string	The full domain with the subdomain. Egs. gmail.google.com.
wifiap	string	It refers to a Wireless Access Point, a device that allows wireless devices to connect to a wired network using Wi-Fi.
workspace_name	string
zone	string	It refers to a distinct and isolated environment for running applications, processes, and/or services.
zone_id	string	It refers to a unique identifier assigned to a zone in a network.
connection_type	string	It refers to the type of network connection between a device and another device or network.
egress_zone	string	It refers to the security zone from which network traffic exits or is transmitted to an external network.
bootup_safeguard_enabled	boolean	This attribute specifically refers to whether or not the feature is enabled on a given endpoint.
detect	string	It refers to the ability of the software to identify and detect potential security threats or malicious activity on a device or network.
dns_domain	string	It refers to a field that holds the domain name information of a DNS (Domain Name System) request or response.
critical_process_disabled	boolean	It is a security feature that prevents unauthorized changes to key system processes.
bytes_to_client	number
bytes_to_server	number
connection_duration	string	It refers to the amount of time a connection between two devices (e.g. network devices, computers, servers, etc.) has been active.
start_time	datetime	It refers to the time that a process or a job was initiated or started to run.
response_type	string	It refers to the type of response received from a device or system when performing an action or issuing a command.
ingress_zone	string	It refers to the network zone through which data enters a network.
grandparent_command_line	string	It refers to the command line of the process that started the parent process of a given process.
grandparent_image_filename	string	It refers to the file name of the image or executable that started the parent process of the current process being monitored.
inddet_mask	string
indicator	string	It refers to a specific attribute or characteristic of an event, activity, or artifact, which can be used to identify or distinguish malicious behavior.
initiator_packets	string	It refers to the number of packets sent by the initiator of a network connection.
is_incident	string	It refers to a field indicating if an event or log entry represents a security incident or not.
kill_parent	boolean	It refers to an action that terminates the parent process of a detected threat.
kill_process	boolean	It refers to a feature that allows the user to immediately terminate a malicious or suspicious process that has been detected by the platform.
kill_sub_process	boolean	It is a term used to describe the action of terminating a sub-process that is associated with a malicious or suspicious activity.
nap_policy	string	It refer to a policy that specifies the requirements for accessing the network, such as minimum security standards for client computers
nt_domain	string	It is a type of network authentication service used in computer networks to control access to resources and provide centralized administration.
operation_blocked	boolean	It refers to a security feature that blocks or denies specific security-related operations that are deemed potentially suspicious.
parent_image_filename	string	It refers to the name of the executable file of the parent process of a detected activity.
pattern_disposition_description	string	It refers to the human-readable explanation of the outcome of an analysis or detection performed by system.
pkts_toclient	string	It refers to the number of packets sent from the server to the client in a network.
pkts_toserver	string	It is a count of the number of packets from client to server.
policy_disabled	boolean	It refers to a security policy or set of security rules that are temporarily or permanently disabled or inactive.
process_blocked	boolean	It refers to a security alert generated by the platform, indicating that a process has been blocked by the security software.
quarantine_file	boolean	It refers to a file that has been isolated from the rest of the system because it has been identified as potentially harmful.
quarantine_machine	boolean	It refers to the process of isolating a potentially compromised device or machine to prevent further spread of malware.
registry_operation_blocked	boolean	It is a term used to describe when a specific operation in the registry is prevented from executing due to security policy.
reputation	string	It refers to a score assigned to an IP address, URL, or file, indicating the perceived level of risk associated with it.
responder_packets	integer	It refers to the number of packets sent by the responder in a network communication.
rooting	boolean	It refers to the process of gaining privileged access to a computer system or mobile device.
sensor_only	boolean	It indicate that the detection and response was done locally on the device, rather than relying on the cloud-based components.
fs_operation_blocked	boolean	It refers to a security feature that blocks a file system operation (e.g., create, delete, modify, etc.) based on predefined security policies.
domain_join	string	It refers to the process of joining a computer to a domain in a Microsoft Active Directory environment.
dns_response_type	string	It refers to the type of response received from a DNS server.
container_id	string	It refers to a unique identifier assigned to a container in a container orchestration platform, such as Docker.
rule_description	string	It refers to a brief text description of a particular rule that has been configured in a system.
incident_creation_time	datetime	It refers to the time at which an incident was created.
rule_type	string	It refer to a type of security rule or firewall rule that is configured in the security firewall.
scriptblock_text	string	It refers to the text of a PowerShell script block.
script_type	string
script_name	string	It refers to the name of a script file (e.g. a .bat, .vbs, .ps1, etc.) that is being executed.
logon_type	string
mfa_device	string	The mfa_device field contain information about the specific MFA device being used, such as its type, serial number, and associated user.
mfa_country	string	It refers to the country from which the user is attempting to access a system.
alert_reason	string	A description of why this alert was given.
command_invocation	string	A command can apply to one or more managed nodes.
domain_user_name	string	Enriched field to define a user entity by combining 'user' and 'domain' fields.
dest_domain_user_name	string	Enriched field to define a user entity by combining 'dest_user' and 'domain' OR 'dest_domain' fields.
account_user_name	string	Enriched field to define a user entity by combining 'account' and 'domain' OR 'account_domain fields.
database_user_name	string	Enriched field to define a user entity by combining 'db_user' and 'db_name' fields.
local_user_name	string	Enriched field to define a user entity by combining 'user' and 'src_host' OR 'platform' fields.
dest_local_user_name	string	Enriched field to define a user entity by combining 'dest_user' and 'src_host' fields.
cid	string	Crowdstrike customer identification
subject_sid	string	The SID (Security Identifier) of the subject, should be use subject is not user.
subscription_code	string	Subscription code of the customer
src_vendor	string	Original vendor for 3rd party alerts and regular events.
src_product	string	Original product for 3rd party alerts and regular events.
rarity_score	integer	Normalized rarity score from BEAM. Value should be between 0 to 100.
rarity_raw_score	integer	Raw score from BEAM. Value should be between 0 to 100 or more.
rarity_percentile	integer	Added by BEAM. Number between 0 to 100.
risk_score	integer	The calculated risk score between 0 and 100. If UP is disabled for the subscription, the risk_score will not be present.
security_criticality	integer	Added by UP. Contains the security criticality (Tier1, Tier2, Tier3, N/A) used to assign risk_score. If security criticality or UP is disabled for the subscription, this will not be present.
observed_activity	string	Added by UP. Contains the observed activity type (Engage, Prepare, Presence, Effect, N/A) used to assign risk_score. If observed_activity or UP is disabled for the subscription, this will not be present.
recoverability	string	Added by UP. Contains (Yes, No, N/A). If recoverability or UP is disabled for the subscription, this will not be present.
event_filter	string	Search query event filter to get all the participating events for this trigger.
event_from_time_millis	datetime	search query event filter start time.
event_to_time_millis	datetime	search query event filter end time.
event_url	string	URL to Search App to query the events associated with this rule trigger
previous_id	string	Point to previous rule trigger id in case of new rule trigger due to late arriving events.
create_case	boolean	Required only for Correlation Rule Engine Events.
case_description	string	Required only when create_case is true. Set by CR.
rule_source	string	BEAM or CR
type	string	In case of security alert, this would be the alert type. in case of correlation rule: use case of the correlation rule
technique_key	string	Technique Key
technique	string	Technique Name
tactic	string	Tactic Name
tactic_key	string	Tactic Key
entity_type	string	Entity type. User, Endpoint, File, Process etc
entity_key	string	The key used for the given entity type in Entity Manager like user_name, email_address etc for User or ip_address, host_name etc for Endpoint
event_field	string	The field in the event that will provide the value for the entity_key. For example for entity_type:Endpoint and entity_key:ip_address the event_field can have a value like src_ip or dest_ip.
field_value	string	This is the value of the event_field in the event that triggered the rule.
rules	json	Empty rules is a valid case. If BEAM is sending update to fix previous false positive rule trigger event then new rule trigger event will have empty rules and entities with zero risks score.
entities	json	If the fields required for entity creation are missing in the event, there will be no entity fields created. This is a valid case.
src_local_zone	string	It refers to the source local zone or network segment that the asset is located in.
dest_local_zone	string	It refers to the destination local zone or network segment that the asset is located in.
src_local_host	string	It refers to the source local host that is being accessed or modified.
dest_local_host	string	It refers to the destination local host that is being accessed or modified.
command_module	string	It refers to the module or component of the security platform that is responsible for executing a specific command or action.
control_panel_item	string	It refers to the name of the control panel item that is being accessed or modified.
external_domain	string	It refers to the external domain or network that is being accessed or communicated with.
added_member_domain	string	It refers to the domain associated with the email address of a member who has been added to a project or resource within GCP.
tgs_service_name	string	A service that issues tickets for admission to other services in its own domain or for admission to the ticket-granting service in another domain.
stripped_email_subject	string	Stripped email subject
is_peripheral_storage	boolean	A flag indicating that the operation took place on a peripheral device.
is_net_storage	boolean	A flag indicating that the operation took place on a network storage device.
is_job_search	boolean	A flag indicating that the operation is a job search.
src_network_type	string	It refers to the type of network.
src_external_country	string	It refer to the source external country of a network connection.
dest_network_type	string	It refers to the type of network.
dest_external_country	string	It refer to the destination external country of a network connection.
local_asset	string	It refers to the local asset that is being accessed or modified.
local_zone	string	It refers to the local zone or network segment that the asset is located in.
dest_device_entity_id	string	It refers to the unique identifier of the destination device.
source_device_entity_id	string	It refers to the unique identifier of the source device.
dest_user_entity_id	string	It refers to the unique identifier of the destination user.
source_user_entity_id	string	It refers to the unique identifier of the source user.
device_description	string	The description of the peripheral device.
device_class	string	The class of the peripheral device.
device_vid	string	The ID of the vendor of the peripheral device.
device_product	string	The name of the product of the peripheral device, translated from the device’s PID
device_pid	string	The ID of the product of the peripheral device.
incident_status	string	It refers to the current state or phase of a reported security incident within a security management system, indicating whether the incident is new, in progress, resolved, or closed.
aws_user	string	It refers to the user name of the individual or entity that performed the activity in AWS.
aws_email_address	email	It refers to the email address of the user that performed the activity in AWS.
spf_result	string	Indicates if an email is sent from an IP address authorized by the domain's SPF (Sender Policy Framework) record.
dkim_result	string	Indicates if an email is signed with a DKIM (DomainKeys Identified Mail) signature that verifies the sender's domain and message integrity.
dmarc_result	string	Indicates the result of SPF and DKIM checks and the domain owner's policy for handling authentication failures.
compauth_result	string	Indicates the combined result of SPF, DKIM, and DMARC (Domain-based Message Authentication, Reporting & Conformance) checks to assess email authentication.
connectors	string	Indicates the rules governing how emails are routed between different mail systems or services.
edge_host	string	Edge host is a miniaturized computer host with compact size
edge_fleet	string	Edge fleet is the system that helps manage and secure devices and applications
cpu_percentile	integer	Total CPU usage percentage across all CPU
page_fault_count	integer	Page fault is when a computer tries to access a piece of information that is not in the computer memory
domain_controller	string	Domain controller is a server that responds to security authentication requests within a Windows Server domain.
fallback_user_name	string
url_count	integer	Number of urls in the email
email_urls	array	A full list of the url in the email.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fields_Descriptions.md

Fields_Descriptions.md

Fields Descriptions

Files

Fields_Descriptions.md

Latest commit

History

Fields_Descriptions.md

File metadata and controls

Fields Descriptions