This core interface defines the subject element. It details the minimum field requirements necessary to identify the subject across possible logs. By design, the subject is maintained as a minimalist interface, including only fields that are fundamental to representing the entity.
Subject | Description | Fields | Core | Detection | Informational |
---|---|---|---|---|---|
alert | Alert represents any security alert, whether an anomaly, a correlation, or a third-party alert. | alert_name | ✓ | ✓ | |
app | The app subject represents applications and contains activities directed at the application itself. | No fields defined for this subject | | | |
arp | Address Resolution Protocol (ARP) is a network protocol used to map IP addresses to fixed MAC addresses over a network. This subject represents ARP traffic-related activities. | src_ip | ✓ | | |
arp | | src_mac | ✓ | | |
arp | | dest_mac | ✓ | | |
arp | | dest_ip | ✓ | | |
arp | | operation | ✓ | | |
audit_policy | An audit policy is a unique configuration, applied either globally or per service, that defines what type of audit logs will be generated or recorded and transferred to a log. | audit_policy_name | ✓ | | |
audit_policy | | local_user_name | | | |
audit_policy | | src_host | ✓ | | |
audit_policy | | user | ✓ | | |
branch | A git branch represents an instance of a specific commit to a project. | branch_name | ✓ | | |
bucket | A bucket is the storage container that holds files and data in cloud storage solutions. | bucket_name | ✓ | | |
call | A call is a phone call: any personal call that is not a meeting, a general VoIP session, or any other type of personal video chat session that is not a meeting. | dest_user | ✓ | | |
call | | user | ✓ | ✓ | |
case | A security incident represents an open case in security products, which users interact with and expand. | case_name | ✓ | ✓ | |
certificate | A digital certificate is an object used to prove the authenticity of a device, server, or user through the use of cryptography. | No fields defined for this subject | | | |
channel | A channel is a conversation space in communication apps, dedicated to a specific topic of interest. A channel contains multiple people and allows them to share messages and calls. For example, Slack channels or Teams channels. | channel_name | ✓ | ✓ | |
channel | | domain | ✓ | | |
channel | | domain_user_name | | | |
channel | | user | ✓ | ✓ | |
clipboard | A clipboard is an endpoint object used as a buffer that stores short-term information in activities such as 'copy' and 'cut'. | No fields defined for this subject | | | |
cluster | A cluster is used in virtualization solutions to represent a group of VM hosts. | cluster_name | ✓ | ✓ | |
collector | | No fields defined for this subject | | | |
configuration | A configuration is a global setting given to a program or an app, which can define how the system should work, look, or be enforced. | No fields defined for this subject | | | |
context_table | A context table normalizes contextual data collected from external sources, which can then be used to enrich events or provide context in investigations. | No fields defined for this subject | | | |
dashboard | A dashboard is a collection of visualizations. Each dashboard brings together multiple insights that can provide a broad perspective about what's happening in a security operations center. | No fields defined for this subject | | | |
database | The database subject represents a database interface and the resources it contains. | src_ip | ✓ | | |
database | | db_name | ✓ | | |
database | | local_user_name | | | |
database | | db_operation | ✓ | | |
database | | src_host | ✓ | | |
database | | user | ✓ | ✓ | |
datacenter | A datacenter is a group of datastores that contain VMs and general storage in virtualization solutions. | datacenter_name | ✓ | ✓ | |
datastore | A datastore represents the storage space that is used by, or supports, virtualization resources (VMs). For example, VMware datastores or oVirt storage domains. | datastore_name | ✓ | | |
dcom | DCOM (Distributed Component Object Model) objects are Windows endpoint components that allow COM objects to communicate with each other over the network. | cls_id | ✓ | | |
dcom | | domain | ✓ | | |
dcom | | domain_user_name | | | |
dcom | | src_host | ✓ | | |
dcom | | app_id | ✓ | | |
dcom | | user | ✓ | | |
detection_group_rule | | No fields defined for this subject | | | |
dhcp | Dynamic Host Configuration Protocol (DHCP) is a network protocol used to automatically assign an IP address to a client. This subject represents DHCP traffic-related activities. | src_ip | ✓ | ✓ | |
dhcp | | src_port | ✓ | | |
dhcp | | dest_ip | ✓ | ✓ | |
dhcp | | assigned_ip | ✓ | | |
dhcp | | dest_port | ✓ | | |
disk | A disk is a virtual representation of a volume that is attached to a machine and adds new storage space or a new logical drive. | disk_name | ✓ | | |
dll | A dynamic link library (DLL) is a shared program module containing code and functions that may be dynamically called by a process at run time. A DLL usually has a file extension ending in .dll. | process_id | ✓ | | |
dll | | src_process_dir | ✓ | | |
dll | | file_path | ✓ | | |
dll | | file_name | ✓ | ✓ | |
dll | | file_dir | ✓ | | |
dll | | process_dir | ✓ | | |
dll | | src_host | ✓ | ✓ | |
dll | | src_process_id | ✓ | | |
dll | | file_ext | ✓ | | |
dll | | process_name | ✓ | ✓ | |
dll | | src_process_name | ✓ | ✓ | |
dll | | process_path | ✓ | | |
dll | | src_process_path | ✓ | | |
dns | The Domain Name System (DNS) protocol is a network protocol used to translate hostnames to IP addresses. This subject represents DNS traffic-related activities. | src_ip | ✓ | | |
dns | | src_port | ✓ | | |
dns | | dns_query_type | ✓ | | |
dns | | dns_query | ✓ | | |
dns | | dest_ip | ✓ | ✓ | |
dns | | dns_query_flags | ✓ | | |
dns | | dns_domain | ✓ | | |
dns | | dest_port | ✓ | | |
dns_record | A DNS record is an object used in DNS servers or configurations to store or cache the results of a DNS translation. | dns_record_type | ✓ | | |
driver | A driver is a software component that lets the operating system and a device communicate with each other by running code in the kernel. A driver usually has a file extension ending in .sys. | driver_name | ✓ | | |
ds | The directory service (DS) subject represents a directory service interface and contains activities that are unique to the DS system. | No fields defined for this subject | | | |
ds_object | A directory service object represents any entity that can exist in a directory service configuration, such as OUs, groups, and users. This subject is only used in cases where we are not sure what the original subject was. | ds_object_type | ✓ | | |
ds_object | | ds_name | ✓ | | |
ds_object | | ds_object_dn | ✓ | | |
ds_object | | object_type | ✓ | | |
ds_object | | local_user_name | | | |
ds_object | | access_list | ✓ | | |
ds_object | | src_host | ✓ | | |
ds_object | | dest_zone | | | |
ds_object | | ds_object_ou | ✓ | | |
ds_object | | ds_object_class | ✓ | | |
ds_object | | src_zone | | | |
ds_object | | ds_type | ✓ | | |
ds_object | | attribute | ✓ | | |
ds_object | | ds_object_name | ✓ | | |
ds_object | | user | ✓ | | |
ds_object | | properties | ✓ | | |
email | An email is a mail message that is sent or received over a computer network. | domain | ✓ | | |
email | | domain_user_name | | | |
email | | user | ✓ | | |
email_rule | An email rule is used to automatically perform specific actions on emails that are received by a user. | rule_id | ✓ | | |
email_rule | | rule | ✓ | | |
endpoint | The endpoint subject represents an endpoint machine and the objects that can represent said machine inside different applications. | dest_host | ✓ | | |
file | A file is a storage object on endpoints and applications that contains content, data, or settings that can be written to or read from it. | file_path | ✓ | | |
file | | file_ext | ✓ | | |
file | | access | ✓ | | |
file | | file_name | ✓ | | |
file | | bytes | ✓ | | |
file | | src_zone | | | |
file | | file_dir | ✓ | | |
file | | local_user_name | | | |
file | | dest_host | ✓ | | |
file | | src_host | ✓ | | |
file | | user | ✓ | | |
file | | dest_zone | | | |
folder | A folder is a logical object used to store or contain other types of objects beneath it. Note that this subject is not used for file folders. | folder_name | ✓ | ✓ | |
ftp | File Transfer Protocol (FTP) is a network protocol used to transmit files over the network. This subject represents FTP traffic-related activities. | src_ip | ✓ | | |
function | An automation function is a cloud object that allows automated resource management with cloud commands in the form of function code. | No fields defined for this subject | | | |
group | A group is a collection of user accounts or any other type of member, which can globally define their configuration, settings, or role in the system. | group_domain | ✓ | | |
group | | group_name | ✓ | ✓ | |
handle | A Windows handle is an object that represents the access point to a single object in memory. Processes in Windows must request a handle before they can directly access resources such as files or other processes. | handle_id | ✓ | | |
hook | A hook or webhook represents a function that is subscribed to an event and triggers once it occurs. Multiple platforms allow the creation of hooks, such as GitHub webhooks or Windows SetWindowsHook. | No fields defined for this subject | | | |
http | Hypertext Transfer Protocol (HTTP) is a network protocol used for web requests and communications. This subject represents traffic-related activities for HTTP and the protocols built upon it, such as HTTPS. | bytes_in | ✓ | | |
http | | local_user_name | | | |
http | | dest_external_country | ✓ | | |
http | | src_ip | ✓ | | |
http | | protocol | ✓ | | |
http | | uri_path | ✓ | | |
http | | process_name | ✓ | | |
http | | browser | ✓ | | |
http | | categories | ✓ | | |
http | | dest_port | ✓ | ✓ | |
http | | direction | ✓ | | |
http | | os | ✓ | | |
http | | method | ✓ | | |
http | | src_host | ✓ | | |
http | | url | ✓ | | |
http | | src_port | ✓ | | |
http | | uri_query | ✓ | | |
http | | top_domain | ✓ | | |
http | | bytes_out | ✓ | | |
http | | web_domain | ✓ | | |
http | | dest_ip | ✓ | | |
http | | dest_host | ✓ | | |
http | | category | ✓ | | |
http | | user | ✓ | | |
http | | http_response_code | ✓ | | |
image | A machine image is a virtualization resource that stores all the properties and data from a VM and is used to launch new instances. | image_name | ✓ | | |
ip | The IP subject represents an IP record or object used by assignment servers to manage IP assignments and dispensation. | No fields defined for this subject | | | |
key | A key represents a global credential key object that is not necessarily associated with a user. These objects are usually stored in vaults. | No fields defined for this subject | | | |
link | A link (shell link, hard link, soft link, and so on) is an endpoint object used to redirect to another endpoint object whenever it is accessed. For example, a file shortcut. | No fields defined for this subject | | | |
log | A log (audit log) is a program or service that collects audit data from an environment and keeps a record of it. | log_name | ✓ | | |
log_account | A log account represents a container of resources within a cloud vendor, and is used to connect and transfer logs into an application. | No fields defined for this subject | | | |
log_source | A log source is the representation of a connection between an audit log and an application, as represented by the application. | log_source | ✓ | | |
mailbox | A mailbox is the destination to which email messages are delivered. | mailbox_name | ✓ | ✓ | |
meeting | A meeting represents an instance of a web conference meeting, which allows a group of users to video chat and share screens. | meeting_host_id | ✓ | | |
meeting | | domain | ✓ | | |
meeting | | domain_user_name | | | |
meeting | | meeting_name | ✓ | ✓ | |
meeting | | user | ✓ | ✓ | |
message | A message represents a single text message or post in instant messaging applications, like Teams or WhatsApp. | domain | ✓ | | |
message | | domain_user_name | | | |
message | | user | ✓ | ✓ | |
network | The network subject represents all unclassified network traffic and protocols. | src_mac | ✓ | | |
network | | dest_mac | ✓ | | |
network | | src_host | ✓ | | |
network | | dest_zone | | | |
network | | src_ip | ✓ | | |
network | | src_port | ✓ | | |
network | | protocol | ✓ | | |
network | | bytes_out | ✓ | | |
network | | bytes | ✓ | | |
network | | process_name | ✓ | | |
network | | src_zone | | | |
network | | dest_ip | ✓ | | |
network | | dest_host | ✓ | | |
network | | action | ✓ | | |
network | | dest_port | ✓ | | |
network | | direction | ✓ | | |
parser | A parser is an Exabeam configuration that defines log value extractions and mappings. | No fields defined for this subject | | | |
password | A password represents a global password object that is not necessarily associated with a user. These objects are usually stored in vaults. | user | ✓ | | |
peripheral_device | A peripheral device is an external hardware device used for storing data and other media, such as USB devices, keyboards, headphones, netsticks, CD/DVD, or an HD. | device_id | ✓ | | |
peripheral_device | | local_user_name | | | |
peripheral_device | | device_class | ✓ | | |
peripheral_device | | src_host | ✓ | ✓ | |
peripheral_device | | user | ✓ | ✓ | |
peripheral_storage | A peripheral storage device is an external hardware device used for storing files and data, such as USB, CD/DVD, or an HD. | device_id | ✓ | | |
peripheral_storage | | local_user_name | | | |
peripheral_storage | | device_class | ✓ | | |
peripheral_storage | | src_host | ✓ | ✓ | |
peripheral_storage | | user | ✓ | ✓ | |
physical_location | A physical location represents a location in a building or a workplace, like a door, a gate, or a room. | location_building | ✓ | ✓ | |
physical_location | | location_city | ✓ | ✓ | |
physical_location | | employee_id | ✓ | | |
physical_location | | badge_id | ✓ | | |
physical_location | | location_door | ✓ | ✓ | |
physical_location | | direction | ✓ | | |
playbook | | No fields defined for this subject | | | |
policy | A security policy is an independent configuration document applied to a resource or identity, that defines what type of permissions, privileges, or roles this identity or resource should be assigned. | policy_name | ✓ | ✓ | |
port | The physical port (or network device port) subject describes a port outlet on network devices and its digital representation in apps such as switches or NACs. | No fields defined for this subject | | | |
printer | A printer is an external device that performs functions such as printing, copying, and faxing on files and documents. | No fields defined for this subject | | | |
process | A process is an endpoint structure that represents an instance of a program that was executed and is now running. | process_id | ✓ | | |
process | | dest_process_id | ✓ | | |
process | | process_name | ✓ | ✓ | |
process | | dest_process_path | ✓ | | |
process | | dest_process_command_line | ✓ | | |
process | | process_dir | ✓ | | |
process | | process_path | ✓ | | |
process | | process_command_line | ✓ | | |
process | | src_host | ✓ | | |
process | | dest_process_name | ✓ | | |
process | | dest_process_dir | ✓ | | |
radius | Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting management for users who connect to and use a network service. | src_ip | ✓ | ✓ | |
radius | | src_port | ✓ | | |
radius | | protocol | ✓ | | |
radius | | bytes_out | ✓ | | |
radius | | process_name | ✓ | | |
radius | | dest_ip | ✓ | ✓ | |
radius | | dest_host | ✓ | | |
radius | | src_host | ✓ | | |
radius | | dest_port | ✓ | | |
radius | | direction | ✓ | | |
rdp | Remote Desktop Protocol (RDP) is a network protocol that provides a user with a graphical interface to connect to another computer over a network connection. This subject represents RDP traffic-related activities. | src_ip | ✓ | ✓ | |
rdp | | src_port | ✓ | | |
rdp | | protocol | ✓ | | |
rdp | | bytes_out | ✓ | | |
rdp | | process_name | ✓ | | |
rdp | | dest_ip | ✓ | ✓ | |
rdp | | dest_host | ✓ | | |
rdp | | src_host | ✓ | | |
rdp | | dest_port | ✓ | | |
rdp | | direction | ✓ | | |
registry | The registry subject contains all objects under the Windows registry, such as keys and values. It records all operations on registry objects, such as setting a registry value or creating a new key. | registry_details_type | ✓ | | |
registry | | registry_key | ✓ | ✓ | |
registry | | registry_value | ✓ | | |
registry | | registry_details | ✓ | | |
registry | | registry_hive | ✓ | | |
registry | | src_host | ✓ | ✓ | |
registry | | registry_path | ✓ | | |
report | A report is a document containing conclusions and information gathered from aggregated data in the system. | report | ✓ | ✓ | |
repository | A git repository is a folder containing all the changes, versions, commits, and instances of a git project. | repository_name | ✓ | ✓ | |
role | A security role is an independent object representing a group of permissions or privileges that can be assigned to an identity. | role_name | ✓ | | |
role | | role_id | ✓ | | |
rule | A security rule represents an instance of a detection condition stored in an object on a security product, meant to trigger once the conditions are met. | rule | ✓ | ✓ | |
scheduled_task | A scheduled task is an object that is scheduled to trigger and execute a program or run certain commands. | task_name | ✓ | ✓ | |
scheduled_task | | src_host | ✓ | ✓ | |
script | A script is a human-readable representation of a coding language, which is executed by interpreters or compilers rather than directly by a machine. | script_type | ✓ | | |
script | | script_name | ✓ | | |
secret | Secrets are a type of digital authentication credential used by accounts to identify themselves to resources and applications. | secret | ✓ | ✓ | |
service | A service is an endpoint object that represents a program or process that runs in the background and quietly performs automated tasks. For example, Windows services or Unix daemons. | service_name | ✓ | ✓ | |
service | | src_host | ✓ | ✓ | |
share | A network share is an endpoint object that allows resources and files to be shared over a computer network as if they were local. | share_name | ✓ | ✓ | |
share | | file_path | ✓ | | |
share | | file_name | ✓ | | |
share | | share_path | ✓ | | |
share_link | A share link represents the sharing access and location that was given to a user for a resource, usually a file in cloud file sharing applications. | link | ✓ | | |
share_link | | link_id | ✓ | | |
site_collector | | No fields defined for this subject | | | |
smtp | Simple Mail Transfer Protocol (SMTP) is a network protocol used for email transmission. This subject represents SMTP traffic-related activities. | src_ip | ✓ | ✓ | |
smtp | | src_port | ✓ | | |
smtp | | dest_ip | ✓ | ✓ | |
smtp | | dest_port | ✓ | | |
snapshot | A snapshot is a copy of a virtual machine's state and content at a given point in time. | No fields defined for this subject | | | |
ssh | Secure Shell (SSH) is a network protocol used for secure remote login from one computer to another over a network. This subject represents SSH traffic-related activities. | src_ip | ✓ | ✓ | |
ssh | | src_port | ✓ | | |
ssh | | dest_ip | ✓ | ✓ | |
ssh | | dest_port | ✓ | | |
ssl | Secure Sockets Layer (SSL) is a network protocol used to provide encryption over a computer network (now replaced by TLS). This subject represents SSL traffic-related activities. | src_ip | ✓ | ✓ | |
ssl | | src_port | ✓ | | |
ssl | | dest_ip | ✓ | ✓ | |
ssl | | dest_port | ✓ | | |
template | | No fields defined for this subject | | | |
user | A user account is the identity given to a person or a machine, with which they can interact with the environment. | dest_domain_user_name | | | |
user | | dest_domain | ✓ | ✓ | |
user | | dest_user | ✓ | ✓ | |
user | | user | ✓ | | |
visualization | A visualization is an individual chart or table that provides statistics and detailed information about specific aspects of the security operations center. | No fields defined for this subject | | | |
vm_host | A virtual machine host is the server that runs the virtual machines' hypervisors. | vm_host_name | ✓ | ✓ | |
vm_pool | A virtual machine pool is a group of VM objects that share a common source. The VM pool contains the configuration of the VMs inside it. | vm_pool_name | ✓ | | |
vm_template | A virtual machine template is used in virtualization solutions to create a common structure from which VMs can be created. | vm_template_name | ✓ | ✓ | |
vpn | The VPN subject represents a VPN interface and contains activities directed towards the VPN app. | src_ip | ✓ | | |
workspace | All operations on a workspace. A workspace is a collaboration environment that represents an instance of an application and allows multiple users to work together and share information. | workspace_name | ✓ | ✓ | |
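As an added example (not part of this documentation or of Exabeam's own tooling), the following Python parses an excerpt of the subject table into a subject-to-field specification and reports which Core and Detection fields a parsed event is missing, so a parser author can see at a glance whether an event can still identify its subject. The excerpt rows (one row per field, descriptions shortened), the sample events, and the function names are constructed here.

```python
"""Added example, not part of the Exabeam CIM documentation: parse an excerpt
of the subject table and check which Core/Detection fields an event is missing."""
from typing import Dict, List, Set, Tuple

# Constructed excerpt of the subject table, one row per field in the page's
# column order: subject | description | field | core | detection | informational.
# Descriptions are shortened; the Informational column is blank as on the page.
TABLE_EXCERPT = """
dns | Domain Name System (DNS) traffic | src_ip | ✓ | | |
dns | | src_port | ✓ | | |
dns | | dns_query_type | ✓ | | |
dns | | dns_query | ✓ | | |
dns | | dest_ip | ✓ | ✓ | |
dns | | dns_query_flags | ✓ | | |
dns | | dns_domain | ✓ | | |
dns | | dest_port | ✓ | | |
dhcp | Dynamic Host Configuration Protocol (DHCP) traffic | src_ip | ✓ | ✓ | |
dhcp | | src_port | ✓ | | |
dhcp | | dest_ip | ✓ | ✓ | |
dhcp | | assigned_ip | ✓ | | |
dhcp | | dest_port | ✓ | | |
ds | Directory service interface | No fields defined for this subject | | | |
"""

CATEGORIES = ("core", "detection", "informational")
Spec = Dict[str, Dict[str, Set[str]]]


def parse_table(text: str) -> Spec:
    """Map subject -> field -> set of ticked categories for that field."""
    spec: Spec = {}
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.split("|")]
        subject, field = cells[0], cells[2]
        fields = spec.setdefault(subject, {})
        if field.startswith("No fields defined"):
            continue  # subject exists in the model but carries no fields
        ticks = cells[3:6]  # core, detection, informational
        fields[field] = {cat for cat, tick in zip(CATEGORIES, ticks) if tick == "✓"}
    return spec


def check_event(spec: Spec, subject: str, event: Dict[str, object]) -> Tuple[List[str], List[str]]:
    """Return (missing Core fields, missing Detection fields) for a parsed event.
    Missing Core fields mean the subject cannot be reliably identified."""
    if subject not in spec:
        raise ValueError(f"unknown subject: {subject}")
    fields = spec[subject]
    missing_core = sorted(f for f, cats in fields.items() if "core" in cats and f not in event)
    missing_det = sorted(f for f, cats in fields.items() if "detection" in cats and f not in event)
    return missing_core, missing_det


# Constructed sample events, as a log parser might emit them.
DNS_EVENT = {"src_ip": "10.0.0.5", "src_port": 53412, "dest_ip": "10.0.0.2", "dest_port": 53,
             "dns_query": "example.com", "dns_query_type": "A", "dns_domain": "example.com",
             "dns_query_flags": "RD"}
DHCP_EVENT = {"src_ip": "0.0.0.0", "dest_ip": "255.255.255.255", "assigned_ip": "10.0.0.77"}
```

Running `check_event(parse_table(TABLE_EXCERPT), "dhcp", DHCP_EVENT)` flags `dest_port` and `src_port` as missing Core fields while the Detection fields `src_ip` and `dest_ip` are satisfied.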