Fields Descriptions
July 6, 2026 · View on GitHub
This table lists the Common Information Model fields that can be used to build events and to create searches and correlation rules.
| Field | Data Type | Description |
|---|---|---|
| AA | string | The Authoritative Answer bit for response messages specifies that the responding name server is an authority for the domain name in the question section. |
| access | string | Access permissions given to the user when trying to access an object |
| access_group | string | name of the group in which access is managed in vpn-connection events |
| access_list | string | Access list of permissions associated with a system resource |
| access_mask | string | bitmask that specifies a set of access rights in the access mask of an access control entry. |
| access_type | string | The type of access permissions given to the user when trying to access an object |
| accessor | string | Retrieve the value of the token for which capabilities are being queried. |
| account | string | The account is the actual account that was used in the activity. |
| account_domain | string | The domain of the account the user operated on. |
| account_id | string | the user id associated with the user |
| account_name | string | Name of the account the user operated on |
| account_user_name | string | Enriched field to define a user entity by combining 'account' and 'domain' OR 'account_domain fields. |
| acl_content | string | |
| acs_session_id | string | Unique identifier of a cisco secure access control server session. |
| action | string | An action that was taken against the event (allowed, blocked, quarantined...). |
| activity | string | The activity context element. |
| activity_details | string | details of the activity recorded in the events |
| activity_id | string | A unique identifier of the activity |
| activity_type | string | The activity type context element. |
| added_keys | string | |
| added_member | string | |
| added_member_domain | string | It refers to the domain associated with the email address of a member who has been added to a project or resource within GCP. |
| added_member_type | string | |
| added_permissions | array | |
| added_role | string | |
| added_role_name | string | |
| added_users | array | |
| additional_info | string | Additional descriptive information about the event. |
| admin_id | string | A unique identifier of an admin |
| admin_interface | string | Name of the interface through which the logged system messages can be accessed |
| adopter_id | string | A unique identifier for the adapter instance. |
| agent_id | string | The unique identifier of the agent of the product. |
| agent_name | string | The agent_name attribute specifies the name of an agent. |
| ai_agent_id | string | Unique identifier of an AI agent. |
| ai_agent_name | string | Name of an AI agent. |
| ai_function_name | string | Name of a function called by an AI agent. A function is a defined procedure with a specified input/output schema that can be invoked programmatically by an AI agent. |
| ai_token_count | number | Number of tokens that have been processed by an AI model. |
| ai_token_in_count | number | Number of input tokens consumed in an AI API call for usage monitoring and anomaly detection. |
| ai_token_out_count | number | Number of output tokens generated in an AI API call for usage monitoring and anomaly detection. |
| ai_tool_name | string | Name of a tool called by an AI agent. A tool is a capability an AI agent can deliberately invoke to extend its abilities beyond internal reasoning. |
| aid | string | The unique identifier of the agent |
| aip | string | This stands for Agent IP and represents the external IP address of the endpoint as seen by the Falcon Cloud |
| alert_description | string | Security alert message |
| alert_id | string | A unique identifier of the security alert. |
| alert_name | string | The name of the security alert. |
| alert_reason | string | A description of why this alert was given. |
| alert_severity | string | The severity (level of urgency) of the alert as dictated by the vendor. |
| alert_source | string | The source of the alert, as dictated by the vendor. |
| alert_status | string | The status of the alert, as dictated by the vendor. |
| alert_subject | string | The subject (title) of the alert. |
| alert_type | string | The classification of the alert, as dictated by the vendor. |
| allowed_data_actions | array | |
| allowed_ids | array | |
| allowed_permissions | array | Permissions specify access to AWS resources. |
| allowed_resources | array | Lists all of the available resources that can be used in IAM policies to control access to AWS services |
| allowed_uris | array | |
| allowed_user_types | array | |
| allowed_users | array | They have the permissions to access the AWS resources. |
| analyzers | array | Framework for managing Zeek's protocol details. |
| app | string | The name of the application mentioned in the event. |
| app_code | string | The name of the folder which contains the application framework. |
| app_group | string | It allow multiple apps produced by a single team to access shared containers and communicate using interprocess communication. |
| app_id | string | A unique identifier of the application. |
| app_learntime | string | |
| app_protocol | string | The network protocol the application used. |
| app_type | string | The type of the application. |
| app_version | string | The software version of the web conference application |
| apps | array | |
| area_classification | string | |
| arg | string | An argument, a value passed as a parameter. |
| asset_id | string | A unique identifier of the asset. |
| asset_labels | array | It represents the labels that have been assigned to an asset. |
| assignble_scope | string | |
| assigned_apps | array | The assigned apps shows the apps that are visible to users with the selected permission set. |
| assigned_ip | ipv4/ipv6 | Client's actual assigned IP address. |
| assignment_id | string | |
| attachment | string | The attachments that were added to an email |
| attachment_count | integer | Number of attachments in the email |
| attachment_size | number | Size of attachments in the email |
| attack | string | Name of the vulnerability category in case of a host or network vulnerability. |
| attack_conf | string | Configuration of the vulnerability. |
| attack_info | string | Description of the vulnerability in case of a host or network vulnerability. |
| attribute | string | The attribute of the object which was accessed. |
| attribute_value | string | |
| attributes | array | A list of attributes of the object which was accessed. |
| audit_category | string | The Windows category of the audit policy that was changed. |
| audit_id | string | A unique identifier of the audit. |
| audit_policy_name | string | The name of the audit policy document. |
| audit_subcategory | string | |
| auth | string | The type of authentication that was used in the event. |
| auth_dn | string | The authentication domain name. |
| auth_level | string | The current authentication security level. |
| auth_method | string | The method/protocol package that was used in the authentication process. |
| auth_package | string | The method used to authenticate an account. |
| auth_process | string | The method/process used to authenticate an account. |
| auth_server | string | The server name that was in charge of performing the authentication |
| auth_type | string | The normalized authentication type used in the event. |
| authorization_scope | string | |
| availabilty_zone | string | |
| aws_account | string | An account alias or an account ID for the AWS account. |
| aws_email_address | It refers to the email address of the user that performed the activity in AWS. | |
| aws_user | string | It refers to the user name of the individual or entity that performed the activity in AWS. |
| azure_category | string | It represents the category that belongs to the azure event. |
| azure_resource_type | string | The type of azure resource accessed by the event. |
| badge_id | string | The unique identifier of the physical badge. |
| badge_reader | string | Badge readers record information such as user ID, date and time of entry for each access attempt. |
| badge_status | string | A status badge shows whether a badge is currently valid or invalid. |
| base_risk_score | number | These are the sum of all scores generated by triggered rules during a user session. |
| bitdefender_operation_type | string | |
| block_public_acls | array | |
| block_public_policy | array | |
| block_type | string | The block_type property specifies the block type of a particular memory object. |
| blocked | boolean | It allows users to enhance the security of a router by configuring options to automatically block further login attempts |
| blocking_group_name | string | It specifies the group name of a block that groups other blocks together inside one container. |
| bootup_safeguard_enabled | boolean | This attribute specifically refers to whether or not the feature is enabled on a given endpoint. |
| branch_name | string | |
| browser | string | The browser the user used in this activity. |
| bucket_arn | string | |
| bucket_host | string | |
| bucket_name | string | The name of a cloud storage container (bucket) that holds files/objects, in the cloud. |
| bytes | number | The size in bytes. |
| bytes_in | number | The amount of ingress bytes. |
| bytes_out | number | The amount of egress bytes. |
| bytes_to_client | number | |
| bytes_to_server | number | |
| bytes_unit | string | The measurement unit used to count the bytes. |
| ca_runtime | string | The runtime of a certificate authority (CA) that issues Secure Sockets Layer (SSL) certificates. |
| cabinet_name | string | The Cabinet name is the identities of an organization's Cabinet. |
| calling_station_id | string | The called station identifier allows a RADIUS server to specify the MAC addresses or networks that a client can connect. |
| card_num | string | The lenel card number is your identification at the university and your access to certain areas. |
| card_status | string | Provides the status of the card. Example: Active. |
| case_description | string | Required only when create_case is true. Set by CR. |
| case_name | string | |
| catalog | string | A catalog is a group of identical virtual machines. |
| categories | array | A class or division of things regarded as having particular shared characteristics. |
| category | string | A class or division of things regarded as having particular shared characteristics. |
| category_behavior | string | A class or division of things having particular similar behavior. |
| category_id | string | A unique identifier of the category. |
| category_ids | array | A list of unique identifiers of the categories. |
| category_significance | string | |
| cc | string | It can be commonly understood to mean courtesy copy. |
| channel | string | A channel is an aggregation of multiple physical interfaces that creates a logical interface. |
| channel_name | string | |
| cid | string | Crowdstrike customer identification |
| cipher | string | A secret or disguised way of writing. |
| cipher_algorithm | string | A cipher algorithm is a mathematical formula designed specifically to obscure the value and content of data. |
| cipher_method | string | |
| circumstances | string | The condition connected with or relevant to an event or action. |
| city | string | The name of the city. |
| class_id | string | A unique identifier of the class. |
| class_name | string | It is a globally unique identifier that identifies a COM class object. |
| classification_name | string | The name of the classes on the basis of whether the traffic matches specific criteria. |
| client | string | A desktop computer or workstation that is capable of obtaining information and applications from a server. |
| client_cert_subject | string | It is a comma separated list of distinguished name fields and values. |
| client_id | string | A unique identifier of the client. |
| client_name | string | The name of the client. |
| client_ssh_version | string | The ssh version of the client. |
| client_system | string | The name of the client system. |
| client_system_version | string | The system version of the client. |
| client_token | string | A client token is a signed JWT that includes configuration and authorization information required by the client. |
| client_type | string | The type of web conference application |
| client_version | string | The application/ssh version of the client. |
| cloud_drive_id | string | A unique identifier of the cloud drive. |
| cls_id | string | The class ID of the application component. Used in Windows for COM apps. |
| cluster_name | string | A name that identifies this database cluster (instance) for various purposes. |
| code_size | number | |
| collaborators | array | A collaborator is any person who can access, view, preview, download, comment, or edit a managed asset. |
| command | string | A command is a specific instruction given to an application to perform some kind of task or function. |
| command_invocation | string | A command can apply to one or more managed nodes. |
| command_module | string | It refers to the module or component of the security platform that is responsible for executing a specific command or action. |
| community | string | Community is defined as a knowledge sharing hub; a place to collaborate, share insights and experiences, and get answers to questions. |
| company | string | A company is a legal entity formed by a group of individuals to engage in and operate a business—commercial or industrial—enterprise. |
| compatible_id | string | |
| compauth_result | string | Indicates the combined result of SPF, DKIM, and DMARC (Domain-based Message Authentication, Reporting & Conformance) checks to assess email authentication. |
| compression_algorithm | string | Specifies the compression algorithm to be used when compressing dump file data |
| computer_name | string | A computer name is also called a PC name or device name which is used to help identify or locate a computer on a network. |
| confidence_level | string | The confidence level is how confident the Software Blade is that recognized attacks are actually virus or bot traffic. |
| connection_age | string | The time duration which the connection spanned. |
| connection_counter | string | The number of times the carrier request for a packet in transmission. |
| connection_duration | string | It refers to the amount of time a connection between two devices (e.g. network devices, computers, servers, etc.) has been active. |
| connection_id | string | The unique identifier of the network connection. |
| connection_state | string | The state of the network connection, as dictated by the vendor. |
| connection_status | string | The status of the connection. The expected values for this field are:Open, Close and Active. |
| connection_type | string | It refers to the type of network connection between a device and another device or network. |
| connection_uid | string | Calculation of md5 of the IP and user name as UID. |
| connector_guid | string | Provides a list of all activities associated with a particular computer. |
| connectors | string | Indicates the rules governing how emails are routed between different mail systems or services. |
| contact_id | string | A unique identifier for the contact. |
| container_id | string | It refers to a unique identifier assigned to a container in a container orchestration platform, such as Docker. |
| contivity_session_id | string | A unique identifier of the contivity session. |
| control_panel_item | string | It refers to the name of the control panel item that is being accessed or modified. |
| conversation_id | string | Unique identifier of a conversation or a chat. |
| corp_client | string | It is custom profile attributes which have pre-defined Profile values, an essential element for controlled profiling and management example: Client, Matter, Author, etc. |
| corp_matter | string | It allows users to view all matter-related information (documents, emails, etc.) in a single, logically organized interface. |
| correlation_id | string | The correlation identifier assigned to the event, used to correlate with other events with the same identifier. |
| cost | string | Financial cost or credit consumption associated with any transactional activity. |
| count | number | Its a quantifiable measure metrics, could be used to show a number of objects that were accessed, number of connections. |
| country | string | The location or region of the event. |
| country_code | string | The country code used to represent the event’s country. |
| cpu_percentile | integer | Total CPU usage percentage across all CPU |
| create_case | boolean | Required only for Correlation Rule Engine Events. |
| create_result | string | String of the create/open result. |
| creator | string | |
| credential_type | string | Type of credential an user uses to authenticate against a system. For example - password, API key, fingerprint, etc. |
| creds_name | string | |
| creds_path | string | |
| critical_process_disabled | boolean | It is a security feature that prevents unauthorized changes to key system processes. |
| current_working_dir | string | The directory from which the user executed the process. |
| cve_id | string | The unique identifier of the Common Vulnerabilities and Exposures. |
| cvss_base_score | string | CVSS base score is used to rank the characteristics and severity of a software's exploitable weaknesses. |
| cvss_impact_score | string | |
| d_name | string | A dirent structure contains the character pointer d_name, which points to a string that gives the name of a file in the directory. |
| d_parent | string | A dirent structure contains the character pointer d_parent, which points to a string that gives the name of a parent process in the directory. |
| data | string | A data is an information that has been translated into a form that is efficient for movement or processing. |
| database_user_name | string | Enriched field to define a user entity by combining 'db_user' and 'db_name' fields. |
| datacenter_name | string | |
| datastore_name | string | |
| db_domain | string | The domain that contains the database. |
| db_id | string | The unique identifier of the database. |
| db_name | string | The name of the database. |
| db_object | string | The database object that was referenced in the event. |
| db_operation | string | Type of database query (insert,update,delete etc.) |
| db_query | string | The full query that was sent to the database. |
| db_schema | string | A database schema defines how data is organized within a relational database; this is inclusive of logical constraints such as, table names, fields, data types, and the relationships between these entities. |
| db_user | string | The user name of the local database user in the event. |
| decoder_name | string | Name of the decoder to use. |
| denied_data_actions | array | It attaches a set of deny actions to a user, group, or service principal at a particular scope for the purpose of denying access. |
| denied_permissions | array | The permissions that are explicitly denied by some rule. |
| denied_resources | array | resources that are not available or accessible to a particular user or system. |
| denied_users | array | It refer to users who are not allowed to access certain resources or perform certain actions. |
| department | string | The company department of the user |
| depth | string | It can refer to the number of levels or layers in a data structure, such as a tree or a graph. |
| description | string | A description of the event. |
| desire_access | string | It refer to the desire or request to access a particular resource or service offered by Dell. |
| dest_country | string | The country of the machine the activity operated on. |
| dest_country_code | string | |
| dest_device_entity_id | string | It refers to the unique identifier of the destination device. |
| dest_dns_hostname | string | |
| dest_domain | string | The domain of the destination user |
| dest_domain_user_name | string | Enriched field to define a user entity by combining 'dest_user' and 'domain' OR 'dest_domain' fields. |
| dest_email | ||
| dest_email_address | The full destination email address. | |
| dest_email_domain | string | The domain of the destination email address. |
| dest_email_folder | string | Destination email folder in move/copy operations for detecting suspicious email manipulation or deletion. |
| dest_email_user | string | The user of the destination email address. |
| dest_external_country | string | It refer to the destination external country of a network connection. |
| dest_external_ip | ipv4/ipv6 | It refer to the destination external IP address of a network connection. |
| dest_file_dir | string | |
| dest_group | string | It refer to a group of destinations or recipients for a command or action. |
| dest_host | string | The destination endpoint name. |
| dest_interface | string | It refer to the destination interface of a network connection or packet. |
| dest_ip | ipv4/ipv6 | The destination endpoint IP address. |
| dest_ipv6 | ipv4/ipv6 | |
| dest_local_host | string | It refers to the destination local host that is being accessed or modified. |
| dest_local_user_name | string | Enriched field to define a user entity by combining 'dest_user' and 'src_host' fields. |
| dest_local_zone | string | It refers to the destination local zone or network segment that the asset is located in. |
| dest_login_id | string | The login id of the destination. |
| dest_mac | string | The destination endpoint MAC address. |
| dest_network_type | string | It refers to the type of network. |
| dest_network_zone | string | It refer to the destination network zone of a network connection or traffic flow. |
| dest_port | integer | The destination port used in the network communication. |
| dest_process_command_line | string | The full command line of the targeted process. |
| dest_process_dir | string | The directory that contains the targeted process. |
| dest_process_id | hexadecimal | The process ID of the targeted process. |
| dest_process_name | string | The process name of the targeted process. |
| dest_process_path | string | The full path of the targeted process. |
| dest_role | string | |
| dest_service_name | string | The service name of the targeted service. |
| dest_translated_host | string | It refer to the destination host that has been translated as part of a network translation process. |
| dest_translated_ip | ipv4/ipv6 | The NATed IPv4 or IPv6 address to which a packet has been sent. |
| dest_translated_port | integer | The NATed port to which a packet has been sent. |
| dest_user | string | The user name of the targeted user. |
| dest_user_arn | string | |
| dest_user_dn | string | |
| dest_user_entity_id | string | It refers to the unique identifier of the destination user. |
| dest_user_full_name | string | The destination user full name. |
| dest_user_id | string | The unique identifier of the targeted user. |
| dest_user_ou | string | |
| dest_user_sid | string | A unique identification value that is assigned to dest user account and group in the system. |
| dest_user_type | string | |
| dest_zone | string | It refer to the destination zone of a network connection or traffic flow. |
| detect | string | It refers to the ability of the software to identify and detect potential security threats or malicious activity on a device or network. |
| detection_level | string | |
| detection_method | string | |
| detection_source_alias | string | Indicated the name which has been provided when the cloud data connection was initially configured in the Code42 console. |
| device | string | |
| device_class | string | The class of the peripheral device. |
| device_description | string | The description of the peripheral device. |
| device_id | string | Unique identifier of a device such as a USB |
| device_ip | ipv4/ipv6 | |
| device_model | string | It refer to the model or type of device that is being used or managed by the software. |
| device_name | string | The name of a device such as a USB. |
| device_pid | string | The ID of the product of the peripheral device. |
| device_product | string | The name of the product of the peripheral device, translated from the device’s PID |
| device_size | string | It refer to the size of a storage device such as a hard drive or a cloud storage service. |
| device_type | string | Typically in USB related events, the type of the device that was used. E.g. USB, DVD/CD-ROM |
| device_vendor | string | The vendor of the device. |
| device_version | string | The version of the device. |
| device_vid | string | The ID of the vendor of the peripheral device. |
| devid | string | It refer to a device identifier or a unique identification value that is associated with a particular device. |
| dhcp_ip | ipv4/ipv6 | It refer to the IP address that is assigned to a device by a DHCP server. |
| dhcp_type | string | It refer to the type of dynamic host configuration protocol (DHCP) message or packet that is being sent or received. |
| direction | string | The directionality of the communication. |
| directory_id | string | The unique identifier of the file directory. |
| disk_mode | string | |
| disk_name | string | |
| disk_size | string | |
| disk_state | string | |
| disposition | string | It is used to specify what action to perform for an item that is returned by the customer. |
| dkim_result | string | Indicates if an email is signed with a DKIM (DomainKeys Identified Mail) signature that verifies the sender's domain and message integrity. |
| dlp_dict | string | It refer to a dictionary or list of keywords or phrases that are used by the DLP feature to identify sensitive data. |
| dmarc_result | string | Indicates the result of SPF and DKIM checks and the domain owner's policy for handling authentication failures. |
| dns_domain | string | It refers to a field that holds the domain name information of a DNS (Domain Name System) request or response. |
| dns_ip_flow | string | It refer to a stream of DNS traffic that is being monitored or analyzed by Splunk. |
| dns_query | string | The full DNS query in the packet. |
| dns_query_flags | string | The query flags of the DNS query packet. |
| dns_query_id | string | The identifier of the query in the DNS packet. |
| dns_query_type | string | The DNS query type. |
| dns_record_type | string | It refer to the type of DNS (Domain Name System) record that is being used or configured. |
| dns_response | string | The full DNS response in the packet. |
| dns_response_code | string | The response code given in the DNS packet. |
| dns_response_flags | string | The response flags of the DNS response packet. |
| dns_response_type | string | It refers to the type of response received from a DNS server. |
| doc_id | string | A unique identifier of the document. |
| document_name | string | Displays the full path and filename of the current document. |
| domain | string | The domain of the user |
| domain_controller | string | Domain controller is a server that responds to security authentication requests within a Windows Server domain. |
| domain_join | string | It refers to the process of joining a computer to a domain in a Microsoft Active Directory environment. |
| domain_user_name | string | Enriched field to define a user entity by combining 'user' and 'domain' fields. |
| door_group_name | string | It include a user directory specification or unique identity attribute. |
| door_name | string | It is the last person or method that locked or unlocked the door. |
| door_side_id | string | The unique identifier of the door side. |
| download_source | string | Source code that is being downloaded in this build phase. |
| dproc | string | It is the time that a node spends processing a packet. |
| drive_letter | string | Used to specify the drive letter of the volume. |
| driver_name | string | |
| ds_name | string | The name of the directory service. |
| ds_object_class | string | The directory service object class. |
| ds_object_dn | string | The full distinguished name of the directory service object. |
| ds_object_name | string | The name of the directory service object. |
| ds_object_ou | string | The organizational unit of the directory service object. |
| ds_object_out | string | |
| ds_object_type | string | The directory service object type. |
| ds_type | string | |
| dtz | string | These are file extensions that help computers locate correct application for specific files. |
| duration | string | The time duration which the event spanned. |
| edge_fleet | string | Edge fleet is the system that helps manage and secure devices and applications |
| edge_host | string | Edge host is a miniaturized computer host with compact size |
| edge_response_status | string | Edge response status code is an HTTP response code sent from Cloudflare to the client (end user). |
| egress_security_zone | string | It refer to a security zone that is used to enforce security policies on traffic that is leaving a network. |
| egress_zone | string | It refers to the security zone from which network traffic exits or is transmitted to an external network. |
| elevation_type | string | |
| email_address | The full email address of the user. | |
| email_attachment | string | The name of the file attachment attached to the email. |
| email_attachments | array | A full list of the attachment names in the email. |
| email_attachments_bytes | array | A full list of the attachment sizes in the email. |
| email_dlp_from | string | It is the practice of detecting and preventing data exfiltration. |
| email_dlp_policy_names | array | |
| email_domain | string | The domain of the users’ email address. |
| email_id | string | The unique identifier of the user's email. |
| email_recipients | array | The full list of recipients for an email or a list of recipients to which mail/message could be sent if a rule condition apply. |
| email_subject | string | The subject (title) of the email. |
| email_subject_list | array | The list of email subjects. |
| email_urls | array | A full list of the url in the email. |
| email_user | string | The user name of the users’ email address. |
| employee_id | string | The unique identifier of the employee. |
| employee_status | string | It means the full time, part time, casual and/or temporary capacity that an Employee is employed in. |
| employee_title | string | It is the position a person hold in an organisation. |
| employee_type | string | It refers to different kinds of employees an organization can hire. |
| encrypted | boolean | A form of data security in which information is converted to ciphertext |
| end_time | datetime | The end_time property indicates a data set's lookback cutoff date; data older than this value is not included in the data set's calculation. |
| engine_version | string | The version number of the database engine to upgrade to. |
| entities | json | If the fields required for entity creation are missing in the event, there will be no entity fields created. This is a valid case. |
| entity_key | string | The key used for the given entity type in Entity Manager like user_name, email_address etc for User or ip_address, host_name etc for Endpoint |
| entity_type | string | Entity type. User, Endpoint, File, Process etc |
| environment | string | It is a part of the logical message tree in which you can store information. |
| error_code | string | A number that appears on a computer screen to show that you have made a particular mistake or that something has gone wrong in a program |
| error_info | string | It retrieves error information for operations performed directly on the database handle. |
| event_category | string | If a single log source can provide multiple categories of events, this field should represent the category that belongs to the event. |
| event_code | string | The code of the operation type recorded in the event, not to be confused with event_id. For example - 4624. |
| event_field | string | The field in the event that will provide the value for the entity_key. For example for entity_type:Endpoint and entity_key:ip_address the event_field can have a value like src_ip or dest_ip. |
| event_filter | string | Search query event filter to get all the participating events for this trigger. |
| event_from_time_millis | datetime | search query event filter start time. |
| event_hub_name | string | It refer to the name of an event hub, which is a cloud-based data streaming platform that is used to collect, store, and process large amounts of data from a variety of sources. |
| event_hub_namespace | string | An Event Hubs namespace provides a unique scoping container, in which you create one or more event hubs. |
| event_id | string | the unique identification of a single generated event, not to be confused with event_code. |
| event_locality | string | Determines if the event has been generated on a local workstation or a domain application |
| event_name | string | The name of the operation recorded in the event. |
| event_name_code | string | |
| event_name_hub_name | string | |
| event_name_hub_namespace | string | |
| event_name_name | string | |
| event_subtype | string | The sub category of the event. |
| event_time | datetime | It refer to the time at which a particular event occurred. |
| event_to_time_millis | datetime | search query event filter end time. |
| event_url | string | URL to Search App to query the events associated with this rule trigger |
| execution_status | string | It reflects the current status of the activity instance. ExecutionStatus is set by the runtime tracking infrastructure. |
| expiry_time | datetime | It contains the Date and Time at which the password will expire. |
| exploit_code_maturity | string | This metric measures the likelihood of the vulnerability being attacked, and is typically based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation. |
| exposure_type | string | Different types of file activity occurring across the Code42 environment. |
| extension | string | An extension is a file containing programming that serves to extend the capabilities of or data available to a more basic program. |
| external_address | The email address of the external party in an email. | |
| external_domain | string | It refers to the external domain or network that is being accessed or communicated with. |
| external_id | string | It contains unique record identifiers from a system outside of the current organization. |
| extracted | string | Local filename of extracted file. |
| extracted_cutoff | string | Set to true if the file being extracted was cut off so the whole file was not logged. |
| extracted_size | number | The number of bytes extracted to disk. |
| factor | string | It is a security process that helps verify users' identities before letting them access networks or online applications. |
| failure_code | string | A code indicating the reason of the failure. |
| failure_reason | string | A description of why the operation has failed. |
| falcon_host_link | string | URL to view the detection in Falcon. |
| fallback_user_name | string | |
| field_name | string | It is the short name of your field. |
| field_value | string | This is the value of the event_field in the event that triggered the rule. |
| file_arn | string | |
| file_category | string | The general categories of file type. |
| file_dir | string | The directory of the file, not including the name. |
| file_dir_id | string | |
| file_dir_uri | string | |
| file_exposure_changed_to | string | |
| file_ext | string | The file extension. If the file name is myfile.txt, file_ext will be txt |
| file_hash | string | A unique value that corresponds to the content of the file. |
| file_id | string | The unique identifier of the file the activity operated on. |
| file_name | string | The name of the file, not including the path. |
| file_owner | string | A file's owner is identified by the user ID of the person who created the file. |
| file_path | string | The full path of the file. |
| file_path_at | string | |
| file_permissions | array | File permissions control what user is permitted to perform which actions on a file. |
| file_signature | string | |
| file_signature_status | string | |
| file_signed | string | |
| file_type | string | The type of file accessed by the event. E.g file, folder, link. |
| file_url | string | The full URL of the file’s location. |
| fingerprint | string | It is the initial factor that unlocks the private cryptographic key that authenticates the user. |
| firewall | string | It is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies. |
| first_name | string | The first name of the user, without the last name. |
| firstseen | string | |
| flow_end_time | datetime | The flow end time shows time or date when flow was ended. |
| flow_start_time | datetime | The flow start time shows time or date when flow was started. |
| folder_name | string | Name of the email folder, document folder, or directory involved in the activity. |
| framed_addr | string | The address given to the network access server, if present. |
| from_user_at | string | |
| fs_operation_blocked | boolean | It refers to a security feature that blocks a file system operation (e.g., create, delete, modify, etc.) based on predefined security policies. |
| full_name | string | The user full name. |
| function_arn | string | |
| function_name | string | |
| function_role | string | |
| function_runtime | string | |
| gateway_station | string | The IP of the web application machine (PVWA) in cyberark. |
| grandparent_command_line | string | It refers to the command line of the process that started the parent process of a given process. |
| grandparent_image_filename | string | It refers to the file name of the image or executable that started the parent process of the current process being monitored. |
| grandparent_process_path | string | |
| group_arn | string | |
| group_domain | string | The domain of the group identity. |
| group_id | string | It distinguishes duplicate groups resulting from a GROUP BY specification. |
| group_info | string | Metadata about a distribution list, team, or group including members and permissions for access control audit. |
| group_name | string | The name of the group identity. |
| group_ou | string | It is a subdivision of groups within an Active Directory. |
| group_type | string | The type of the group, e.g. local, global, etc |
| handle_id | string | The unique identifier of the handle on an object. |
| hash_md5 | hexadecimal | A md5 hash value. |
| hash_sha1 | hexadecimal | It is a widely used hash function which takes an input and produces a 160-bit hash value known as a message digest - typically rendered as 40 hexadecimal digits. |
| hash_sha256 | hexadecimal | A sha256 hash value. |
| hash_sha256_at | hexadecimal | |
| hash_type | string | Different types of hash algorithms such as RipeMD, Tiger, xxhash and more, but the most common type of hashing used for file integrity checks are MD5, SHA-2 and CRC32. |
| hierarchy_code | string | The hierarchy code governs the order in which entries in a block are printed in the CINDA book, and is used to some extent as a measure of the importance of a particular reference. |
| history | string | Records the state history of connections as a string of letters. |
| host | string | The machine that logged the event. This can be either a hostname or an IP address |
| host_bytes_in | number | |
| host_bytes_out | number | |
| host_ip | ipv4/ipv6 | IP address on which public port is listening |
| host_key | string | A host key is a cryptographic key used for authenticating computers in the SSH protocol. |
| host_key_alg | string | Host key algorithms specify which host key types are allowed to be used for the SSH connection. |
| host_type | string | A host type is a container for variables that are assigned to a particular host. |
| host_zen_code | string | |
| http_response_code | integer | The code returned by the web server after a request was made. |
| identifier | string | An identifier is a token that is used to form a name. |
| identities | string | An identity is an internet capable entity that Umbrella protects through policies and monitors through reports. |
| identity_group | string | It is composed of information elements that identify and describe a specific group of users that belong to the same administrative group. |
| identity_type | string | The type of authentication credential depend upon the configuration of the supplicant software running on the endpoint device. |
| ignore_public_acls | string | |
| image_file_name | string | File name of the associated process for the detection. |
| image_name | string | It specifies the name of the image installed. |
| image_publisher | string | Public image reference with publisher |
| image_release | string | It refer to the process of making a new version of an image file or software program available to users. |
| image_version | string | It refer to the specific version of an image file that is being used or referred to. |
| impact | string | It refers to the potential severity of a security vulnerability or threat. |
| in_reply_to | string | It refers to a relationship between two network communications where one communication is a response to the other. |
| incident_creation_time | datetime | It refers to the time at which an incident was created. |
| incident_status | string | It refers to the current state or phase of a reported security incident within a security management system, indicating whether the incident is new, in progress, resolved, or closed. |
| inddet_mask | string | |
| indicator | string | It refers to a specific attribute or characteristic of an event, activity, or artifact, which can be used to identify or distinguish malicious behavior. |
| ingress_interface | string | It refers to the network interface through which a packet enters a device. |
| ingress_security_zone | string | |
| ingress_zone | string | It refers to the network zone through which data enters a network. |
| initiator_packets | string | It refers to the number of packets sent by the initiator of a network connection. |
| inode | string | The inode number is a unique identifier that is assigned to each file or directory on the file system. |
| instance_id | string | An instance ID is a unique identifier assigned to an instance (i.e., a virtual machine) when it is launched. |
| instance_profile_arn | string | |
| instance_type | string | It is used to specify the hardware configuration of an instance, such as the number of vCPUs and amount of memory. |
| interface | string | An interface is a point of connection between a device and a network. |
| interface_id | string | An interface ID is a unique identifier assigned to a network interface when it is created. |
| interface_in | string | It refers to the network interface on a virtual machine (VM) that is used for incoming traffic. |
| interface_name | string | It refers to the name assigned to a physical or logical network interface on the firewall device. |
| inzone | string | The inzone is used to identify the source of network traffic in security rules, and to apply the appropriate access control policies. |
| ioc | string | An Indicator of Compromise (IOC) is a data point that can be used to identify malicious activity on a system or network. |
| ioc_number | string | An Indicator of Compromise (IOC) number is a unique identifier assigned to each IOC. |
| ip_lease_time | string | This is the length of time that the client can use the IP address it has been assigned. |
| ip_protocl_id | string | |
| ip_reputation | ipv4/ipv6 | It is a feature that allows you to identify and block traffic from known malicious IP addresses. |
| is_archived | boolean | |
| is_consolidated | boolean | It is a field that indicates whether or not an event or message has been consolidated. |
| is_dok | boolean | A flag indicating that the operation took place on a peripheral device. |
| is_executable | boolean | |
| is_incident | string | It refers to a field indicating if an event or log entry represents a security incident or not. |
| is_job_search | boolean | A flag indicating that the operation is a job search. |
| is_net_storage | boolean | A flag indicating that the operation took place on a network storage device. |
| is_orig | boolean | It is a field that is used to identify the direction of a network connection. |
| is_outbound | boolean | It is used to distinguish between connections that were initiated by the host and connections that were established as a result of an incoming request. |
| is_peripheral_storage | boolean | A flag indicating that the operation took place on a peripheral device. |
| issue_time | datetime | It represents the time that an event was generated or issued. |
| item_creator | string | It represents the user or system that created an object. |
| item_name | string | It is a field that represents the name of an object. |
| item_type | string | It represents the type of object that is being used. |
| kerberos_service_name | string | |
| kex_alg | string | It contains the name of the key exchange algorithm that is used in the SSH connection. |
| key_id | string | |
| key_length | integer | It represents the length of a cryptographic key used for encryption or decryption. |
| key_name | string | It is a field that represents the name of a key that is used for encryption or decryption. |
| key_status | string | |
| key_type | string | It specifies the algorithm used to generate the key. |
| kill_parent | boolean | It refers to an action that terminates the parent process of a detected threat. |
| kill_process | boolean | It refers to a feature that allows the user to immediately terminate a malicious or suspicious process that has been detected by the platform. |
| kill_sub_process | boolean | It is a term used to describe the action of terminating a sub-process that is associated with a malicious or suspicious activity. |
| label_id | string | The label ID of the file. |
| landscape | string | Represents the landscape context element. |
| last_blocked_time | datetime | It represents the last time that a threat was blocked by the software. |
| last_known_ip | ipv4/ipv6 | It represents the last known IP address of a resource or virtual machine. |
| last_name | string | The last name of the user, without the first name. |
| lease_time | string | It represents the amount of time a DHCP lease is valid for. |
| link | string | It is a field that represents a hyperlink to a resource or webpage. |
| link_id | string | |
| linked_service_account | string | It represents the service account that is linked to a specific resource or project. |
| llm_request | string | The request a user sent to the ai agent. |
| llm_response | string | The response of an ai agent to a request |
| local_asset | string | It refers to the local asset that is being accessed or modified. |
| local_orig | string | It represents whether or not a network connection was initiated by a host on the local network. |
| local_resp | string | It is used to indicate whether or not the connection was responded to by a host on the local network or from an external network. |
| local_user_id | string | It represents the identifier of a user who is local to the Ping Identity platform. |
| local_user_name | string | Enriched field to define a user entity by combining 'user' and 'src_host' OR 'platform' fields. |
| local_zone | string | It refers to the local zone or network segment that the asset is located in. |
| location | string | The full location of the physical access event. |
| location_area | string | In physical access events, the name of the general area/compound in which the access took place. |
| location_building | string | In physical access events, the name of the building in which the access took place. |
| location_city | string | In physical access events, the name of the city in which the access took place. |
| location_country | string | In physical access events, the name of the country in which the access took place |
| location_door | string | In physical access events, the name of the door in which the access took place |
| location_door_id | string | It is a field or attribute used to track or identify the location. |
| location_full | string | It is a field or attribute that can be used to represent the full location of an object, event, or person. |
| location_information | string | It is an information, obtained by means of a tracking device, concerning the location of an electronic device. |
| location_state | string | In physical access events, the state of the physical location. E.g locked, disabled. |
| log_location | string | It refer to the directory or file path where log files are stored. |
| log_name | string | The name of the logging component that recorded the event. |
| log_path | string | It refers to the file path or directory where log files are stored. |
| log_severity | string | It refers to the level of importance assigned to a log entry or event. |
| log_source | string | The service that provided that data to the logging service. |
| log_time | datetime | It refers to the time when an event or log entry was recorded in the system. |
| log_uid | string | It refers to a unique identifier assigned to a log entry or event. |
| login_id | hexadecimal | The identifier of the depicted login session. |
| login_method | string | It refers to the process used by a client to authenticate to a server. |
| login_type | integer | In login events, used to describe the type of the login operation. E.g remote, local, kerberos… |
| login_type_text | string | It is a field that describes the type of logon that was performed by a user or system account. |
| logon_type | string | |
| mac_alg | string | It refers to the message authentication code (MAC) algorithm used to secure a connection. |
| machine_type | string | It refers to the specific virtual machine (VM) instance type that is used to host a particular workload. |
| mailbox_name | string | |
| mailfrom | It is used to represent the sender of an email message. | |
| malicious_file_count | integer | It is a metric that tracks the number of files detected as malicious by the security system. |
| malware_action | string | It is a field that specifies the action taken by the security system in response to a detected malware event. |
| malware_family | string | It is a field used to identify the specific family or group of malware associated with an event or alert. |
| malware_file_name | string | It is a field that identifies the file name associated with a piece of malware. |
| malware_file_type | string | It refers to the type of file that is determined to contain malicious content. |
| malware_id | string | It refers to a unique identifier assigned to a specific piece of malware. |
| malware_name | string | It contains the name of the malware family, variant, or specific instance of malware. |
| malware_score | string | The malware score assigned in the event by a security vendor. |
| malware_url | string | It refers to the URL or web address associated with a piece of malware that has been detected by the security solution. |
| malware_url_path | string | It refers to the path of a URL that is associated with malicious activity or a threat. |
| manager | string | It refer to an individual or department in charge of a particular area or project. |
| manager_email | ||
| manager_name | string | It is used to identify the name of an individual or entity that is responsible for overseeing a particular resource or asset. |
| mbps | string | It refers to megabits per second, which is a measure of data transfer rate. |
| meeting_duration | string | It is a field that indicates the length of time a Zoom meeting lasted for. |
| meeting_host_id | string | The ID given to the user acting as host of the web conference meeting. |
| meeting_name | string | The name of the web meeting. |
| meeting_number | string | It refers to a unique identifier assigned to each Zoom meeting, which is generated when the meeting is scheduled or started. |
| meeting_timezone | string | It refers to the time zone that is set for a particular Zoom meeting. |
| meeting_topic | string | It refers to the subject or title of a virtual meeting or conference. |
| meeting_type | string | It refers to the type of Zoom meeting being held. |
| member | string | In groups and similar organizational units, the member represents the full name of an identity that’s contained in them. |
| member_id | string | |
| members | array | It refers to the users or groups that are part of an organization or a specific application or resource in Okta. |
| memory_address | string | |
| memory_protection | string | |
| memory_size | string | |
| message_author_type | string | The type of the identity that has created the message. |
| message_id | string | A unique identifier of a communication message. |
| method | string | Used in HTTP to describe the method of the web request. E.g GET, POST… |
| mfa | string | It is a security process that requires a user to provide two or more authentication factors to verify their identity and access a resource. |
| mfa_country | string | It refers to the country from which the user is attempting to access a system. |
| mfa_device | string | The mfa_device field contain information about the specific MFA device being used, such as its type, serial number, and associated user. |
| mime | string | Typically in web-access events, the media type of the content, e.g. text, audio/mpeg |
| miscellaneous | string | It could refer to a category or field in log data that contains information that does not fit into a more specific category. |
| missed_bytes | number | Indicates the number of bytes missed in content gaps, which is representative of packet loss. |
| mitre_labels | array | It refer to the specific MITRE ATT&CK techniques and tactics used in a particular security incident. |
| mobile_version | string | |
| model_name | string | Name of the model used in interaction. In AI activity it is AI/LLM model (e.g., GPT-4, claude-opus-4-7) for security auditing. For other non-AI activities it could be a model name for device events. |
| modified_keys | array | It refer to the modification of keys in a cryptographic context, such as encryption keys or access keys. |
| module_hash_names | array | It refers to a specific configuration or data structure within a Cisco product. |
| monitoring_plan | string | It refer to a plan for monitoring and auditing IT systems and infrastructure for compliance with regulations, best practices, and organizational policies. |
| more_info | string | |
| msg_id | string | It refers to a message identifier used in Inter-Process Communication (IPC) mechanisms such as System V message queues. |
| name_at | string | |
| nap_policy | string | It refer to a policy that specifies the requirements for accessing the network, such as minimum security standards for client computers |
| nas_ip_address | ipv4/ipv6 | It is used in the context of Remote Authentication Dial-In User Service (RADIUS), which is a protocol used to provide centralized authentication. |
| native_file_system | string | It is a custom file system specifically designed for processing and storing large amounts of network data. |
| network | string | The name of the network that was accessed in the event. |
| network_app | string | It is used to refer to an application or service running on a network. |
| new_attribute | string | It refer to a new attribute or field that has been added to a data structure or configuration in a Symantec product. |
| new_enrollment | string | It refer to a new process of enrolling a device or user into a Cisco security solution. |
| new_file_name | string | |
| new_hash | string | It refer to a new hash value, which is a unique digital fingerprint of a file, document, or other digital content. |
| new_host | string | |
| new_ip | ipv4/ipv6 | |
| new_multiattach | string | |
| new_password | string | The new/latest password required to enter a web conference meeting |
| new_size | number | |
| new_user_name | string | It refers to a new username that has been created for a user account. |
| new_value | string | |
| nt_domain | string | It is a type of network authentication service used in computer networks to control access to resources and provide centralized administration. |
| num_external_recipients | integer | The amount of external (out of the organization) recipients that the communication message was sent to. |
| num_internal_recipients | integer | The amount of internal (in the organization) recipients that the communication message was sent to. |
| num_pages | integer | The amount of pages printed. |
| num_recipients | integer | The amount of recipients the communication message was sent to. |
| object | string | When representing a generic/unknown entity, the object is the full path of the entity. |
| object_class | string | It refers to a class of objects that are used to manage system resources. |
| object_dn | string | It is a unique identifier for an object in the Active Directory, and it is used to locate and manage the object. |
| object_handle | string | |
| object_id | string | When representing a generic/unknown entity, this represents the unique identifier of the entity. |
| object_name | string | When representing a generic/unknown entity, this represents the name of the entity. |
| object_ou | string | It is a container object in the Active Directory that is used to organize and manage other objects. |
| object_server | string | An object server is a software component that provides objects for use by other components in the network. |
| object_type | string | When representing a generic/unknown entity, this represents the type of the entity Values could be a user or group. |
| observed_activity | string | Added by UIP. Contains the observed activity type (Engage, Prepare, Presence, Effect, N/A) used to assign risk_score. If observed_activity or UIP is disabled for the subscription, this will not be present. |
| occured_time | datetime | It refers to the time at which a specific event or security incident took place. |
| old_attribute | string | The attribute before it was changed |
| old_file_name | string | The old file name before it was rename |
| old_hash | hexadecimal | It refer to the hash value of a file before it was updated or changed. |
| old_multiattach | string | |
| old_password | string | The old/previous password required to enter a web conference meeting. |
| old_registry_details | string | The details of the old registry object. |
| old_registry_details_type | string | The details type of the old registry object. |
| old_sensitivity_label | string | The old sensitivity label ID of the file. |
| old_size | number | |
| old_user_name | string | It refers to a old username that has been used for a user account. |
| old_value | string | It refers to a previous value or setting of some attribute or configuration in a virtual machine or virtual infrastructure. |
| opcode | string | It refers to a machine-level instruction or operation code that is executed by the processor. |
| operation | string | The activity that was recorded in the event. |
| operation_blocked | boolean | It refers to a security feature that blocks or denies specific security-related operations that are deemed potentially suspicious. |
| operation_details | string | Additional information about the activity that could add context when reviewing the event in the UI. |
| operation_first | string | It refers to a concept in auditing or logging where the first operation performed by a user or process is recorded. |
| operation_id | string | It refers to a unique identifier assigned to a specific operation or request. |
| operation_last | string | It refers to a concept in auditing or logging where the last operation performed by a user or process is recorded. |
| operation_name | string | It refers to the name or description of a specific operation performed within the Azure platform. |
| operation_type | string | The classification/type of the operation. |
| operation_version | string | It refers to a version number or identifier assigned to a specific operation performed within the Azure platform. |
| operator_name | string | It refers to the name of the user who performed an action within the platform. |
| order_num | string | It is used to track and identify specific orders within a system, and can be used for purposes such as tracking, auditing, and reporting. |
| orig_bytes | number | It refers to the number of bytes of data in the original or incoming direction of a network connection or communication. |
| orig_cc | string | It refers to the two-letter country code of the originator of a network connection or communication. |
| orig_filenames | string | It refers to the names of files that are being sent or received in the original or incoming direction of a network connection or communication. |
| orig_pkts | string | It refers to the number of packets in the original or incoming direction of a network connection or communication. |
| origin_ip | ipv4/ipv6 | It refers to the IP address of the originator of a network connection or communication. |
| origin_name | string | It refers to the name of the originator of a network connection or communication. |
| origin_response_status | string | It refers to the status code of the response received from the origin server during a network communication. |
| original_risk_score | number | It refers to an initial assessment of the risk or threat level associated with a particular event, action, or activity. |
| original_user | string | |
| os | string | The operating system of the device taking the action |
| os_admin | string | It refers to the administrator account associated with the operating system (OS) of a virtual machine (VM) or other computing resource in the Azure cloud platform. |
| os_environment | string | It refers to the OS environment of a computer or network device, including information about the version, type, and configuration of the OS and related software. |
| os_revision | string | It refers to the version or revision number of the operating system (OS) being used by a device or computer. |
| os_type | string | The type of the device’s operating system. |
| os_version | string | The version number of the device’s operating system. |
| outcome | string | Represents the outcome context element. |
| outzone | string | It refers to a security zone in a network that is outside of the trusted security perimeter and is considered to be less secure than other zones |
| overflow_bytes | number | It refers to the number of bytes of data that are discarded due to buffer overflow. |
| owned_user | string | |
| owner | string | Username or ID of the resource owner. |
| owner_id | string | |
| packet_rate | string | It refers to the rate at which packets are being transmitted across a network. |
| packets | integer | Number of total packets in a network connection. |
| packets_in | integer | Number of ingress packets in a network connection. |
| packets_out | integer | Number of egress packets in a network connection. |
| page_count | integer | It refers to the number of pages in an electronic document or file. |
| page_fault_count | integer | Page fault is when a computer tries to access a piece of information that is not in the computer memory |
| parent_hash_sha256 | hexadecimal | |
| parent_image_filename | string | It refers to the name of the executable file of the parent process of a detected activity. |
| parent_md5hash | hexadecimal | It refers to a unique identifier used to track the relationship between parent and child processes in a computer system. |
| parent_message_id | string | Unique identifier of the message that preceded the current message. |
| parent_process | string | It refers to the process that spawned or created another process in a computer system. |
| parent_process_command_line | string | The full command line of the parent process. |
| parent_process_dir | string | The directory of the parent process, without the process name. |
| parent_process_guid | string | The unique global identifier assigned to the parent process. |
| parent_process_hash | hexadecimal | It refers to a unique identifier that is assigned to a parent process running on a computer. |
| parent_process_id | string | The process ID of the parent process. |
| parent_process_name | string | The process name of the parent process, without the path. |
| parent_process_path | string | The full path of the parent process. |
| path | string | It refer to the location or file path of a specific configuration or log file within an application. |
| pattern_disposition_description | string | It refers to the human-readable explanation of the outcome of an analysis or detection performed by system. |
| payload_printable | string | It refers to the human-readable representation of the payload in a network communication or a malware file. |
| peer_gateway | string | It is the remote endpoint of a VPN tunnel and is used to securely connect two separate network segments over the internet. |
| permission | string | It refers to the set of rules that govern access to files, directories, and other resources. |
| permissions | string | |
| phishing_score | string | It refers to a score assigned to a detected email based on the likelihood that it is a phishing attempt. |
| pkts_toclient | string | It refers to the number of packets sent from the server to the client in a network. |
| pkts_toserver | string | It is a count of the number of packets from client to server. |
| platform | string | Represents the platform context element. |
| playbook_files | string | |
| policies | string | It refers to a set of rules and configurations that define how resources should be managed within an organization. |
| policy | string | |
| policy_arn | string | It refers to the Amazon Resource Name (ARN) of an AWS Identity and Access Management (IAM) policy. |
| policy_bindings | string | It refers to the set of policies that are associated with a resource in Google Cloud Platform. |
| policy_changes | string | |
| policy_content | string | It contain the JSON text of a policy, which is a set of statements that specify the actions that are allowed or denied for a particular user, group, or role. |
| policy_delta | string | It refers to a change made to a specific policy. |
| policy_disabled | boolean | It refers to a security policy or set of security rules that are temporarily or permanently disabled or inactive. |
| policy_id | string | It refers to a unique identifier assigned to a specific security policy. |
| policy_name | string | The name of the policy document. |
| policy_runtime | string | It refers to the set of security policies that are being enforced at a given time on a particular device or network. |
| policy_version_id | string | It refers to the unique identifier for a specific version of an AWS identity and Access Management (IAM) policy. |
| previous_id | string | Point to previous rule trigger id in case of new rule trigger due to late arriving events. |
| primary_key | string | It is a unique identifier assigned to each process, binary, or file that is captured and analyzed by the platform. |
| principal_id | string | It refers to a unique identifier for an AWS identity, such as an AWS account root user, an IAM user, or a federated user. |
| principal_name | string | It refers to the name associated with a specific user, group or service that is granted access to a computer system, network, or application. |
| principal_type | string | It is a term used to refer to the type of entity that performed an action. |
| printer_id | string | The identifier of the printer device. |
| printer_name | string | The name of the printer device. |
| printer_port | integer | |
| printer_sn | string | Ther serial number of the printer device. |
| printer_type | string | The type of the printer |
| priority | string | level of urgency |
| private_cookie | string | It refers to a cookie that is not shared with third-party domains, and is stored in a user's web browser for a specific website. |
| private_ip | ipv4/ipv6 | It refers to an IP address that is assigned to a device within a private network and is not reachable from the Internet. |
| privileges | array | All the privileges given on an object, e.g. SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege. |
| process | string | The path of executed process |
| process_blocked | boolean | It refers to a security alert generated by the platform, indicating that a process has been blocked by the security software. |
| process_command_line | string | The command line of the event’s process. |
| process_dir | string | The directory (without the name) of the event’s process. |
| process_guid | string | The graphical unique identifier of the event’s process. |
| process_hash | hexadecimal | It refers to a unique identifier that is assigned to a process running on a computer. |
| process_id | hexadecimal | The PID of the event’s process. |
| process_integrity | string | It refers to the level of trust associated with a process. |
| process_name | string | The name of the event’s process. |
| process_owner | string | The user that owned the process. |
| process_path | string | The full path (directory and name) of the event’s process. |
| process_permission | string | |
| process_relative_dir | string | The relative directory to the process the user used to execute the process. |
| process_relative_path | string | The relative path to the process the user used to execute it. |
| process_signed | string | process signed refer to signing off on a process unit |
| process_type | string | It refers to the classification or categorization of a process based on its type, behavior, or characteristics. |
| process_vendor | string | It refers to the company or organization that developed the process that is being monitored. |
| processing_end_time | datetime | It refers to the time when the processing of a particular operation, task, or process within the Azure environment is completed |
| product | string | The product context element. |
| product_category | string | The product category context element. |
| product_name | string | It refers to the name of a specific product offered by the company. |
| profile | string | It refers to a group of configuration settings and policies that are applied to a particular type of network traffic, such as web, email, or VPN traffic. |
| profiles | array | It refers to the configuration settings that specify the behavior of an iOS or macOS app or framework. |
| project_id | string | It is a unique identifier for a project. It is used to organize resources and associate them with a specific project. |
| project_name | string | Name of the project or workspace associated with the activity |
| properties | string | It refers to the specific characteristics, features, or attributes of an object, such as a file, folder, device, or system component. |
| protection_name | string | It refers to the name assigned to a security policy or rule that is implemented to protect the network from specific threats or attacks. |
| protection_type | string | It refers to the type of security protection provided by a particular security solution or feature. |
| protocol | string | The network protocol the event used, e.g. DNS, TCP, HTTP. |
| provider_name | string | It is used to refer to the name of the software or service that provides a specific log event. |
| proxied | string | It refers to network traffic that is being passed through a proxy server. |
| proxy_action | string | In http communication events, the way the proxy identifies the request, e.g. TCP_MISS, TCP_HIT. |
| proxy_ip | ipv4/ipv6 | It indicate the IP address of the proxy server through which the web traffic is flowing. |
| qclass | string | It is a term used to describe a field in the DNS protocol that specifies the class of a query. |
| qclass_name | string | The query class defines the type of data being queried, such as Internet address (IN), Chaosnet (CH), or Hesiod (HS). |
| quarantine_file | boolean | It refers to a file that has been isolated from the rest of the system because it has been identified as potentially harmful. |
| quarantine_machine | boolean | It refers to the process of isolating a potentially compromised device or machine to prevent further spread of malware. |
| query | string | It refer to a request for information, data or content from a network or device. |
| query_id | string | Identifier of a query. |
| query_string | string | It refers to the part of a URL that contains data to be passed to a web application or a resource, after the ? symbol. |
| RA | string | The Recursion Available bit in a response message indicates that the name server supports recursive queries. |
| radius_flow_type | string | It refers to the type of RADIUS flow, which is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for remote access to a network. |
| rarity_percentile | integer | Added by BEAM. Number between 0 to 100. |
| rarity_raw_score | integer | Raw score from BEAM. Value should be between 0 to 100 or more. |
| rarity_score | integer | Normalized rarity score from BEAM. Value should be between 0 to 100. |
| rcptto | string | It refers to the recipient's email address to which the email message is being sent. |
| RD | string | The Recursion Desired bit in a request message indicates that the client wants recursive service for this query. |
| readonly | string | A resource with readonly permission can only be viewed and not modified. |
| realm | string | Name of the VPN realm |
| recipient | It refers to the person or entity who receives an email, file, message, or other information in a service or application. | |
| recipient_count | integer | It refers to the total number of recipients associated with an email, document, or other file. |
| recipients | array | It refers to the individuals or groups that a message or piece of content is addressed to. |
| record_type | string | It refers to the type of record stored in a file system. |
| recorded_time | datetime | |
| recoverability | string | Added by UIP. Contains (Yes, No, N/A). If recoverability or UIP is disabled for the subscription, this will not be present. |
| redirect_url | string | |
| referrer | string | In HTTP communication the url that referred to the current site. |
| region | string | It refers to a geographical area, where one or more data centers are located, that is designed to provide low latency and high throughput network connections. |
| registration_no | string | It refers to a unique identification number assigned to a device or product upon its registration with the system. |
| registry_details | string | The details of the registry object. |
| registry_details_type | string | The details type of the registry object. |
| registry_hive | string | The hive of the registry object. |
| registry_key | string | The registry key in the activity. |
| registry_operation_blocked | boolean | It is a term used to describe when a specific operation in the registry is prevented from executing due to security policy. |
| registry_path | string | The full path to the registry object. |
| registry_value | string | The value of the registry object. |
| relying_party_id | string | It refers to a unique identifier assigned to a relying party in a security token service (STS) system. |
| remediation_steps | string | It refers to the actions that need to be taken to resolve an issue or address a vulnerability. |
| remote_location_city | string | It is a field that represents the city of the remote location in a network connection. |
| remote_location_country_code | string | It refers to the two-letter country code of the remote location of a network communication or activity. |
| remote_location_latitude | string | It is a field that represents the latitude of the remote location from where a network connection was initiated. |
| remote_location_longitude | string | It refers to the longitude coordinate of the remote location. |
| remote_location_region | string | It refers to the region information of a remote host based on its location, as determined by the IP address. |
| removable_media_bus_type | string | It refers to the type of bus interface used by a removable storage device, such as USB, FireWire, or SCSI. |
| removable_media_capacity | string | It refers to the amount of storage space available on a removable media device. |
| removable_media_media_name | string | It refers to the name or label assigned to a removable storage device. |
| removable_media_name | string | It is the name of a removable media device, that has been connected to a computer being monitored by Code42. |
| removable_media_partition_id | string | It refers to a unique identifier assigned to a specific partition on a removable storage device. |
| removable_media_serial_number | string | It is an unique identifier for a removable media device |
| removable_media_vendor | string | It is a term used to describe the manufacturer or vendor of a removable media device. |
| removable_media_volume_name | string | It refers to the name assigned to a specific partition on a removable storage device. |
| removed_member | string | It refers to a user who has been removed from a group or an organization. |
| removed_member_type | string | It refers to the type of a removed member (user, group, etc.) from a specific resource. |
| removed_permissions | array | The permissions that were previously granted to an individual or group have been revoked or removed. |
| removed_role | string | It refers to a role that was previously assigned to a user or group, but has since been removed. |
| removed_role_name | string | It refers to the name of a specific role that has been removed or revoked from a user or group. |
| removed_users | array | |
| reply_to | array | It refers to the IP address or domain name that a server should direct replies to a specific communication to. |
| report | string | |
| reporter | string | It refers to the source of the log or event data that is being analyzed. |
| repository_name | string | |
| reputation | string | It refers to a score assigned to an IP address, URL, or file, indicating the perceived level of risk associated with it. |
| request_binding | string | It is a security concept related to the process of binding authentication data to the request that is sent between a client and a server. |
| request_cookie | string | It refers to a piece of data that is stored on the client side and sent to the server in subsequent requests. |
| request_type | string | It is one of the properties of the event that provides information about the type of request made by the client. |
| requested_app | string | It refers to the application or resource that a user is attempting to access. |
| requested_app_id | string | It refers to a unique identifier assigned to a specific application or resource that the user is trying to access. |
| resource | string | Typically in app-activity activity-type, this is a property of the object the action is taken on. For example, if a user A gives user B permissions on directory C, B would be parsed as object and C as resource. |
| resource_dir | string | The directory of the resource. |
| resource_group | string | It is a logical container for grouping related resources. |
| resource_id | string | It is a unique identifier for a specific resource. |
| resource_name | string | The resource name is typically assigned by the user when the resource is created and it can be used to identify the resource in various services |
| resource_path | string | It refers to the location of a resource within the Azure environment. |
| resource_type | string | It refers to the type or category of a specific resource |
| resp_bytes | number | It is a field that represents the size of a response packet in bytes. |
| resp_cc | string | It is a field that represents the country code of the origin of a response packet. |
| resp_pkts | integer | It is a field that represents the number of response packets sent in response to a network request. |
| responder_packets | integer | It refers to the number of packets sent by the responder in a network communication. |
| response | string | It refers to the information that is returned in response to a request or command. |
| response_size | number | It refers to the size of the response that is sent from a server to a client in bytes. |
| response_time | datetime | |
| response_ttl | string | It refers to the Time-To-Live (TTL) value that is associated with a response packet. |
| response_type | string | It refers to the type of response received from a device or system when performing an action or issuing a command. |
| restrict_public_buckets | string | |
| result | string | Describes the result of an event's occurrence as parsed (succeeded, failed...) |
| result_at | string | |
| result_code | string | A code indicating the outcome of an activity, e.g. 0x0, 0x1F, success. |
| result_reason | string | A description of why this result was given. |
| return_path | string | The return path of an email message. This may or may not be identical to the sender. |
| risk_level | number | It refers to a security risk rating that is assigned to network traffic based on its content and behavior. |
| risk_score | integer | The calculated risk score between 0 and 100. If UIP is disabled for the subscription, the risk_score will not be present. |
| role | string | It refers to a set of permissions and responsibilities assigned to a user or group of users in order to manage and control access to network resources and configurations. |
| role_arn | string | It is the Amazon Resource Name (ARN) of an AWS Identity and Access Management (IAM) role. |
| role_definition | string | It is a blueprint that outlines the specific permissions and actions that can be performed by a role. |
| role_definition_id | string | It is a unique identifier for a role definition. |
| role_id | string | |
| role_name | string | |
| role_permissions | array | It refer to the set of actions and operations that can be performed by a user with a specific role. |
| role_type | string | |
| rooting | boolean | It refers to the process of gaining privileged access to a computer system or mobile device. |
| router_ip_flow | string | It is a type of data source used to collect and analyze network flow data. |
| router_subnet | string | It is a segment of a network that is assigned to a specific router. |
| rtt | string | It stands for Round-Trip Time and is a measurement of the time it takes for a packet to travel from its source to its destination and back. |
| rule | string | Name/identifier of the policy, DLP rule, FW rule or workflow rule that was triggered, applied, or violated in the activity. |
| rule_action | string | It is a term used to describe the action that is taken when a specific security rule is triggered. |
| rule_count | number | It refers to the total number of security rules defined in a firewall policy. |
| rule_description | string | It refers to a brief text description of a particular rule that has been configured in a system. |
| rule_id | string | It refers to a unique identifier assigned to each security rule defined in a firewall policy. |
| rule_reason | string | It refers to the reason or justification for why a particular security rule was triggered. |
| rule_severity | string | It refers to the level of importance or criticality assigned to a particular security rule. |
| rule_source | string | BEAM or CR |
| rule_type | string | It refer to a type of security rule or firewall rule that is configured in the security firewall. |
| rule_uid | string | It is a unique identifier assigned to each security rule in the firewall policy. |
| rule_usecases | array | It refers to the specific use cases that a security rule is intended to address. |
| rules | json | Empty rules is a valid case. If BEAM is sending update to fix previous false positive rule trigger event then new rule trigger event will have empty rules and entities with zero risks score. |
| run_level | string | It refers to the state or configuration level at which the operating system operates, and is used to manage the behavior and accessibility of the system. |
| safe_name | string | It is a unique identifier assigned to each Safe (secure repository), which is used to distinguish and organize different Safes within the platform. |
| safe_value | string | The name of the safe in which the password is stored |
| scan_id | string | It refers to a unique identifier assigned to a security scan, such as a vulnerability scan or a web application security scan. |
| scan_type | string | The type of the scan the product did. |
| schema_name | string | It refers to the name given to a particular organization of database objects in a database management system, such as Microsoft SQL Server. |
| schema_version | string | It refers to a version number assigned to a particular organization or structure of database objects in a database management system. |
| script_name | string | It refers to the name of a script file (e.g. a .bat, .vbs, .ps1, etc.) that is being executed. |
| script_type | string | |
| scriptblock_text | string | It refers to the text of a PowerShell script block. |
| secondary_key | string | It refers to a supplementary key or password used in addition to a primary key to provide an additional layer of security. |
| secret | string | |
| secured | string | It refers to a feature or setting within the platform that provides security and protection for stored data. |
| security_criticality | integer | Added by UIP. Contains the security criticality (Tier1, Tier2, Tier3, N/A) used to assign risk_score. If security criticality or UIP is disabled for the subscription, this will not be present. |
| security_group | string | |
| see_also | string | It refers to a feature or functionality in cyber exposure platform that allows users to access additional resources or related information. |
| selected_hash_sha256 | hexadecimal | It is used to identify the specific hash algorithm used to calculate the SHA256 hash value of a file or piece of software. |
| selected_md5hash | hexadecimal | It is used to identify the specific hash algorithm used to calculate the MD5 hash value of a file or piece of software. |
| sender | It is used to identify the source of the email and can be used to filter or categorize incoming email messages. | |
| sense_score | string | It refers to a metric used in the IBM Watson Discovery service to measure the relevance of a document or piece of content to a particular query. |
| sense_value | string | It refers to a value assigned to a specific security event based on the level of risk it poses to the organization. |
| sensitivity_label | string | The current sensitivity label ID of the file. |
| sensor | string | It refers to a software component that is installed on a network to collect and analyze security-related data, such as network traffic and logs, in real-time to detect and prevent cyber-attacks. |
| sensor_id | string | It refers to a unique identifier assigned to each endpoint device that has the agent installed. |
| sensor_name | string | It refers to the unique identifier given to a specific instance of a network security device or system within a network. |
| sensor_only | boolean | It indicate that the detection and response was done locally on the device, rather than relying on the cloud-based components. |
| seq_num | number | It is a numerical identifier of the specific packet within a larger set of data, typically used in network security systems. |
| sequence | string | It refers to the order in which packets are processed by the firewall. |
| serial_num | string | It is a unique identifier assigned to a product by the manufacturer. |
| server | string | A server is a device to centralize resources and provide centralized management, which can make it easier for administrators to manage and maintain their networks. |
| server_group | string | In some database solutions (e.g. MS SQL), a server group is a way to organize connections to servers and databases. |
| server_name | string | The server name the activity operated in |
| server_ssh_version | string | It is a string value that represents the version of the SSH (Secure Shell) protocol that the server is running. |
| server_version | string | It refers to a string that identifies the version of software or operating system that is running on a server. |
| service_command_line | string | It refers to the command line arguments or parameters used to start, stop, or manage Windows services. |
| service_id | string | Service found for the connection (by the destination port). |
| service_name | string | The service name the activity operated on |
| service_start_type | string | It is used by the service installer to indicate whether the new service should be disabled or start automatically or started manually by a user or application. |
| service_state | string | They are used to determine when event handlers are executed and when notifications are initially sent out. |
| service_type | string | It specifies the type of service and determines how the service operates, such as whether it runs in the background or interacts with the user interface. |
| service_type_text | string | It provides a descriptive name for the type of service and determines how the service operates, such as whether it runs in the background or interacts with the user interface. |
| session_arn | string | The Session ARN (Amazon Resource Name) is a unique identifier that represents a session in the AWS Management Console. |
| session_day | string | It refers to a field in a log or report that indicates the day of a network session. |
| session_duration | string | It refers to a field in a log or report that indicates the length of time a network session was active. |
| session_end | string | |
| session_expiration | string | It refers to the time at which a session will expire and be terminated. |
| session_hour | string | It refers to a field in a log or report that indicates the hour of a network session. |
| session_id | string | Unique identifier of any session. |
| session_min | string | It refers to a field in a log or report that indicates the minute of a network session. |
| session_name | string | It refers to an optional parameter that can be provided when creating a session. |
| session_sec | string | It refers to a field in a log or report that indicates the second of a network session. |
| session_start | datetime | |
| session_tag | string | |
| set_as_defualt | string | It refers to an option that can be used to set a specific profile as the default profile for a user. |
| severity | string | It refers to a field in a log or report that indicates the level of importance or criticality of a security event or threat. |
| sha | hexadecimal | It refers to the Secure Hash Algorithm, a family of cryptographic hash functions that are widely used for digital signatures. |
| share_id | string | The id of the sharing link. |
| share_name | string | The name of the accessed network share, e.g. IPC$, SYSVOL |
| share_path | string | The full path of a network share, e.g. D://SYSVOL_DFSR//sysvol |
| share_type | string | Type of a network share or for email logs its a type of a sharing link. |
| shared | string | Indication if the file was shared. |
| shared_conversation_id | string | Unique identifier for a shared conversation thread or chat session |
| shared_with | string | It refers to a field in a log or report that indicates the recipients or users with whom a file or resource has been shared. |
| shared_with_at | string | It refers to a field in a log or report that indicates the date and time when a file or resource was shared with specific recipients. |
| sid_domain | string | It refers to the domain component of a SID, which identifies the domain in which the security principal is defined. |
| sid_history | string | It refers to a feature that allows the SID of a user or group account to be preserved when the account is migrated from one domain to another. |
| site_at | string | It refers to a field in a log or report that indicates the location or site at which a specific security event or activity occurred. |
| site_id | string | A unique identifier used to tag and segregate data from different sources within customer environment. |
| site_name | string | The path of the site an item was stored in cloud or email access events, similar to url path. In physical access events, the name of the physical location. |
| site_state | string | In physical access events, the state of the physical location. E.g NY. |
| smartdefense_profile | string | It refers to a configuration setting in Check Point software that defines the level of protection for a specific security policy or rule. |
| source_connection_id | string | It refers to a log or report entry that provides information about a specific connection, such as the identity of the client device. |
| source_device_entity_id | string | It refers to the unique identifier of the source device. |
| source_user_entity_id | string | It refers to the unique identifier of the source user. |
| spam_score | string | It refers to a numerical value assigned to an email message, indicating the likelihood that the message is spam or unwanted. |
| spf_result | string | Indicates if an email is sent from an IP address authorized by the domain's SPF (Sender Policy Framework) record. |
| sql_count | integer | The number of entries affected by a database operation |
| src_bucket_arn | string | |
| src_country | string | The country of the machine from which the activity originated. |
| src_country_code | string | The country code of the machine from which the activity originated. |
| src_domain | string | It refers to the source domain of a network connection or event. |
| src_ds_object_dn | string | The full distinguished name of the source directory service object. |
| src_ds_object_name | string | The name of the source directory service object |
| src_ds_object_ou | string | The organizational unit of the source directory service object. |
| src_email_address | The full source email address. | |
| src_email_domain | string | The domain of the source email address. |
| src_email_folder | string | Source email folder in move/copy operations (e.g., Inbox, Sent, Archive, custom folder) for data migration tracking. |
| src_external_country | string | It refer to the source external country of a network connection. |
| src_file_arn | string | |
| src_file_dir | string | The directory of the source file, not including the name. |
| src_file_ext | string | The source file extension. If the file name is myfile.txt, src_file_ext will be txt |
| src_file_name | string | The name of the source file, not including the path. |
| src_file_path | string | The full path of the source file. |
| src_fqdn | string | The fully qualified domain name (FQDN) refers to a log or report entry that provides information about the source of a connection, such as the hostname and domain name of the device that initiated the connection. |
| src_group_name | string | |
| src_host | string | The name of the machine from which the activity originated. |
| src_host_type | string | It refers to the type of the source host involved in a network connection or event. |
| src_interface | string | Name of the interface associated with the connection origination |
| src_ip | ipv4/ipv6 | The IP of the machine from which the activity originated. |
| src_ipv6 | ipv4/ipv6 | |
| src_local_host | string | It refers to the source local host that is being accessed or modified. |
| src_local_zone | string | It refers to the source local zone or network segment that the asset is located in. |
| src_location | string | It refers to the location of the source host involved in a network connection or event. |
| src_location_area | string | |
| src_location_door_id | string | |
| src_location_full | string | |
| src_location_id | string | It refers to a unique identifier for the location of the source host involved in a network connection or event. |
| src_mac | string | The source endpoint MAC address. |
| src_net_status | string | It refers to the status of the source network involved in a network connection or event. |
| src_network | string | It refers to a log or report entry that provides information about the source network, such as its IP address range, subnet, or hostname. |
| src_network_type | string | It refers to the type of network. |
| src_network_zone | string | It refers to the network security zone associated with the source network in a network connection. |
| src_password | string | |
| src_port | integer | The source port used in the network communication. |
| src_process_dir | string | The directory of the process that did the activity. |
| src_process_id | string | The identifier of the process that did the activity. |
| src_process_name | string | The name of the process that did the activity. |
| src_process_path | string | The path of the process that did the activity. |
| src_product | string | Original product for 3rd party alerts and regular events. |
| src_resource | string | |
| src_resource_type | string | |
| src_role | string | |
| src_site_name | string | The path of the site this item was stored in |
| src_translated_host | string | It refers to a log that provides information about the translated source host, which may be different from the actual source host. |
| src_translated_ip | ipv4/ipv6 | In NAT situations, the internal assigned IP. This is different from the src_ip which would be the external facing IP. For example, in a VPN connection src_ip is the external, internet routable IP, while src_translated_ip is the internal address assigned to the vpn connection. |
| src_translated_ipnum | string | It refers to a log or report entry that provides information about the translated source IP address, which may be different from the actual source IP address due to NAT or PAT. |
| src_translated_port | integer | It refers to the translated source port in a network connection or event. |
| src_user | string | It refers to the source user or the user who initiated a particular action or event. |
| src_vendor | string | Original vendor for 3rd party alerts and regular events. |
| src_zen_code | string | |
| src_zone | string | It refers to a log or report entry that provides information about the security zone from which a particular network event or traffic flow originated. |
| src_zone_name | string | It provides information about the source security zone associated with a particular network event, such as the name of the security zone. |
| ssid | string | The Service Set Identifier (network name) the activity was on. |
| ssno | string | It refer to the unique 9-digit identification number assigned by the Social Security Administration (SSA) to U.S. citizens and residents for tracking purposes. |
| start_time | datetime | It refers to the time that a process or a job was initiated or started to run. |
| state | string | The name of the State (geographical territory). |
| status_msg | string | It is a message that provides information about the status or outcome of an operation or request. |
| storage_account | string | It is a type of account that provides a scalable and secure data storage solution for unstructured data, such as blobs, files, queues, and tables. |
| stripped_email_subject | string | Stripped email subject |
| sub_category | string | A subcategory of the log. |
| sub_domain | string | It is a field that represents the sub-domain portion of a fully qualified domain name (FQDN). |
| sub_status | string | It refers to the status of a sub-component or sub-process within a larger security system or process. |
| subject | string | |
| subject_sid | string | The SID (Security Identifier) of the subject, should be use subject is not user. |
| subnetwork | string | A subnetwork (also known as a subnet) is a portion of a larger network that is divided for the purposes of network organization and management. |
| subscription_code | string | Subscription code of the customer |
| subscription_id | string | The subscription ID is a unique alphanumeric string that identifies your product subscription. |
| subtype | string | |
| suid | string | SUID (Set User ID) is a Linux permission attribute for executable files that allows a user to execute the file with the permissions of its owner. |
| sync_destination | string | It refers to the location to which data is being synced or backed up. |
| syscall | string | A syscall is a system call, which is a request to the operating system's kernel to provide a specific service, such as allocating memory or creating a process. |
| syscall_name | string | It refers to the name of a syscall file that is being executed. |
| syscall_number | integer | A unique integer used to identify a specific system call. |
| system_architecture | string | System architecture is the conceptual model and formal description that defines a system's structure, behavior, and the relationships between its components to achieve specific goals and satisfy stakeholder needs. |
| system_manufacturer | string | It refers to the manufacturer of a device or computer system. |
| system_type | string | It refers to the classification of a device as a router, switch, firewall, or other network device. |
| tab_title | string | It is a term used in the security platform to refer to the title or label of a tab in a user interface. |
| tab_url | string | It refers to the URL of the web page that was open in a web browser tab during the time a file was being accessed. |
| table | string | It refers to the name of a database table. |
| table_name | string | It refers to the name of a database table. |
| tactic | string | Tactic Name |
| tactic_key | string | Tactic Key |
| tag | string | It refers to a metadata label or keyword assigned to an object or resource to categorize, group, or identify it. |
| tags | array | Tags are a metadata label assigned to a network communication or an event. |
| target | string | The object the activity operated on. |
| target_domain | string | |
| target_hash_sha256 | hexadecimal | It refers to a 256-bit Secure Hash Algorithm (SHA-256) that is used to calculate a digital fingerprint or hash value of a target file or system. |
| target_host | string | The destination endpoint name. |
| target_md5hash | hexadecimal | It is a field that represents the MD5 hash of a target file in the system. |
| target_uri | string | It refers to the uniform resource identifier (URI) of the target system, application, or resource that is being accessed |
| task_id | string | The unique identifier of the schedule task the activity operated on. |
| task_name | string | The name of the schedule task the activity operated on. |
| TC | string | The Truncation bit specifies that the message was truncated. |
| tcp_flags | string | The TCP flags in a tcp communication. |
| technique | string | Technique Name |
| technique_key | string | Technique Key |
| tenant_id | string | It refers to a unique identifier for a tenant in a multi-tenant architecture, such as in Microsoft's cloud platform, Azure Active Directory. |
| terminal | string | It is a text-based interface, or a graphical user interface, and is used to submit SQL commands, view data, and perform various other database-related operations. |
| tgs_service_name | string | A service that issues tickets for admission to other services in its own domain or for admission to the ticket-granting service in another domain. |
| thread_id | string | It refers to a unique identifier assigned to a process or a set of processes running in an operating system. |
| threat_category | string | The category of the threat the product detected, as dictated by the vendor. |
| threat_handled | string | It refers to an event, action or measure taken by a security system to mitigate or eliminate a detected threat. |
| threat_id | string | The identifier of the threat the product detected, as dictated by the vendor. |
| threat_level | string | It refers to a classification of a potential security threat, which determines the severity or urgency of the threat. |
| threat_type | string | It refers to the category of a detected threat. |
| threat_url | string | It refers to the URL or web link that is suspected of hosting malicious content, such as phishing scams or malware downloads. |
| throttled | boolean | In email access logs it indicates if the number of email that were accessed exceeded a maximum number for a period of time |
| ticket_encryption_type | string | It refers to the encryption algorithm used to encrypt the security tickets used in authentication between client and server. |
| ticket_options | string | It refers to specific settings or flags that are associated with a Kerberos ticket. |
| time | datetime | The time in which the activity occurred. |
| time_created | datetime | The time the file was created. |
| time_modified | datetime | The last time the file modified. |
| time_taken | number | It refers to the amount of time required for a process or operation to complete. |
| timedout | string | It refers to whether or not a connection has timed out. |
| token_issuer_type | string | It refers to the type of security token issuer that is used to generate the token. |
| top_domain | string | Represents the top-level domain (TLD) extracted from a full domain name. For example, in www.exabeam.com, the value 'com' would be captured in this field. |
| tracking_id | string | is a unique identifier used to track and associate related events and transactions within the system. |
| traffic_type | string | |
| trans_depth | string | This field allows to track the different layers of protocol encoding used in a network connection. |
| transaction | string | A transaction is a specific set of tasks or operations that are performed in the system to achieve a specific goal, such as creating a new customer or updating an existing one. |
| transaction_id | string | It refers to a unique identifier assigned to a specific transaction or group of related transactions in a system. |
| transistive_tags | array | |
| trigger_entity | string | It refers to an event, alert, or indicator that triggers an investigation or response action within the security information and event management (SIEM) system. |
| trigger_time | datetime | It refers to the time when a particular event or action in the system was triggered or initiated. |
| trigger_type | string | It refers to the type of event or activity that initiates an action or response within the security platform. |
| triggers | string | It refer to a set of rules or conditions that initiate a specific action when met. |
| TTLs | string | The caching intervals of the associated RRs described by the answers field. |
| tunnel_parents | string | It refers to the parent sessions or connections in which the current session is encapsulated within, forming a tunnel. |
| tunnel_protocol | string | It refers to the protocol used to encapsulate the original network traffic, which is often encrypted and transmitted over another network. |
| type | string | In case of security alert, this would be the alert type. in case of correlation rule: use case of the correlation rule |
| uac_status | string | It refers to the status of User Account Control (UAC) in a Windows operating system, which is a security feature that helps prevent unauthorized changes to the system. |
| udid | string | It refers to the Unique Device Identifier, a code that identifies a specific device in the Cisco system. |
| uri | string | The full URI of the web page. |
| uri_path | string | The URI path of the web page. |
| uri_query | string | The query in a URI in of a web page. |
| url | string | The URL of a web page. |
| url_count | integer | Number of urls in the email |
| usb_serial_number | string | It refers to the unique identifier of a USB device connected to a computer. |
| usb_vendor | string | It refers to the identifier of the vendor of a USB device. |
| user | string | The user name of the user that did the activity. |
| user_agent | string | The user-agent in a web activity. |
| user_agent_client | string | It refers to the client software or application that is used to access a web service or resource. |
| user_arn | string | It refers to the Amazon Resource Name (ARN) of a user. |
| user_dn | string | It refers to the distinguished name (DN) of a user. |
| user_group_name | string | The groups the user belongs to. |
| user_id | string | The generic unique identifier of the user. |
| user_info | string | It refers to information about a specific user, such as their name, username, and other relevant details. |
| user_ou | string | The directory service organizational unit of the user. |
| user_privilege_category | string | It refers to the 3rd-party assigned privilege category for the user. |
| user_privilege_level | number | It refers to the 3rd-party assigned privilege level for the user. |
| user_sid | string | The SID (Security Identifier) of the user. |
| user_threat_certainty | number | It refers to the 3rd-party assigned threat certainty for the user. |
| user_threat_level | number | It refers to the 3rd-party assigned threat level for the user. |
| user_type | string | The type of the user. |
| user_uid | string | It refers to a unique identifier assigned to a user account. |
| user_uids | string | It is a field that represents the unique identifier for a user. |
| user_upn | string | UPN (User Principal Name) is a unique identifier for a user in Microsoft's Active Directory. |
| user_url | string | It refers to the URL to the application user page of the user. |
| userdata | string | |
| users | array | It refers to the individuals who have access to the security systems and services provided by them, such as firewalls, VPNs, and other security solutions. |
| vault_entity_id | string | It is a unique identifier for an entity in Vault. |
| vendor | string | The vendor context element. |
| vendor_id | string | It is a unique identifier assigned to a vendor. |
| vendor_name | string | It refers to the name of the manufacturer of the device that is being backed up or monitored. |
| version | string | The version of the monitoring program. |
| virtual_station_name | string | It refers to the name assigned to a virtual station (VSTA) in a wireless LAN (WLAN) network. |
| virus_name | string | It refers to the name assigned to a specific malicious software that has been detected by antivirus software. |
| vm_host_name | string | |
| vm_pool_name | string | |
| vm_size | string | It refers to the size or type of a virtual machine (VM) in terms of the amount of memory, CPU, and storage resources it is allocated. |
| vm_template_name | string | |
| volume_device | string | |
| volume_size | string | |
| volume_type | string | |
| volume_zone | string | |
| vpc | string | It stands for Virtual Private Cloud, it is a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network. |
| vpn_client | string | It is a secure VPN connection that allows remote workers or third-party contractors to connect to the company's network securely, using their own device. |
| vpn_client_type | string | It refers to the type of VPN client software that is used to establish a secure connection to a remote network. |
| wazuh_manager | string | It refers to the central manager component responsible for managing agents, rules, and alerts. |
| web_content_type | string | The classification of a file or data transmitted on the web |
| web_domain | string | The full domain with the subdomain. Egs. gmail.google.com. |
| wifiap | string | It refers to a Wireless Access Point, a device that allows wireless devices to connect to a wired network using Wi-Fi. |
| workspace_id | string | Unique identifier of a workspace. A workspace is a shared environment that organizes users, resources, permissions, and activity under a single administrative boundary. |
| workspace_name | string | |
| Z | string | A reserved field that is usually zero in queries and responses. |
| zone | string | It refers to a distinct and isolated environment for running applications, processes, and/or services. |
| zone_id | string | It refers to a unique identifier assigned to a zone in a network. |