Fields Descriptions

July 6, 2026 · View on GitHub

This table lists the Common Information Model fields that can be used to build events and to create searches and correlation rules.

FieldData TypeDescription
AAstringThe Authoritative Answer bit for response messages specifies that the responding name server is an authority for the domain name in the question section.
accessstringAccess permissions given to the user when trying to access an object
access_groupstringname of the group in which access is managed in vpn-connection events
access_liststringAccess list of permissions associated with a system resource
access_maskstringbitmask that specifies a set of access rights in the access mask of an access control entry.
access_typestringThe type of access permissions given to the user when trying to access an object
accessorstringRetrieve the value of the token for which capabilities are being queried.
accountstringThe account is the actual account that was used in the activity.
account_domainstringThe domain of the account the user operated on.
account_idstringthe user id associated with the user
account_namestringName of the account the user operated on
account_user_namestringEnriched field to define a user entity by combining 'account' and 'domain' OR 'account_domain fields.
acl_contentstring
acs_session_idstringUnique identifier of a cisco secure access control server session.
actionstringAn action that was taken against the event (allowed, blocked, quarantined...).
activitystringThe activity context element.
activity_detailsstringdetails of the activity recorded in the events
activity_idstringA unique identifier of the activity
activity_typestringThe activity type context element.
added_keysstring
added_memberstring
added_member_domainstringIt refers to the domain associated with the email address of a member who has been added to a project or resource within GCP.
added_member_typestring
added_permissionsarray
added_rolestring
added_role_namestring
added_usersarray
additional_infostringAdditional descriptive information about the event.
admin_idstringA unique identifier of an admin
admin_interfacestringName of the interface through which the logged system messages can be accessed
adopter_idstringA unique identifier for the adapter instance.
agent_idstringThe unique identifier of the agent of the product.
agent_namestringThe agent_name attribute specifies the name of an agent.
ai_agent_idstringUnique identifier of an AI agent.
ai_agent_namestringName of an AI agent.
ai_function_namestringName of a function called by an AI agent. A function is a defined procedure with a specified input/output schema that can be invoked programmatically by an AI agent.
ai_token_countnumberNumber of tokens that have been processed by an AI model.
ai_token_in_countnumberNumber of input tokens consumed in an AI API call for usage monitoring and anomaly detection.
ai_token_out_countnumberNumber of output tokens generated in an AI API call for usage monitoring and anomaly detection.
ai_tool_namestringName of a tool called by an AI agent. A tool is a capability an AI agent can deliberately invoke to extend its abilities beyond internal reasoning.
aidstringThe unique identifier of the agent
aipstringThis stands for Agent IP and represents the external IP address of the endpoint as seen by the Falcon Cloud
alert_descriptionstringSecurity alert message
alert_idstringA unique identifier of the security alert.
alert_namestringThe name of the security alert.
alert_reasonstringA description of why this alert was given.
alert_severitystringThe severity (level of urgency) of the alert as dictated by the vendor.
alert_sourcestringThe source of the alert, as dictated by the vendor.
alert_statusstringThe status of the alert, as dictated by the vendor.
alert_subjectstringThe subject (title) of the alert.
alert_typestringThe classification of the alert, as dictated by the vendor.
allowed_data_actionsarray
allowed_idsarray
allowed_permissionsarrayPermissions specify access to AWS resources.
allowed_resourcesarrayLists all of the available resources that can be used in IAM policies to control access to AWS services
allowed_urisarray
allowed_user_typesarray
allowed_usersarrayThey have the permissions to access the AWS resources.
analyzersarrayFramework for managing Zeek's protocol details.
appstringThe name of the application mentioned in the event.
app_codestringThe name of the folder which contains the application framework.
app_groupstringIt allow multiple apps produced by a single team to access shared containers and communicate using interprocess communication.
app_idstringA unique identifier of the application.
app_learntimestring
app_protocolstringThe network protocol the application used.
app_typestringThe type of the application.
app_versionstringThe software version of the web conference application
appsarray
area_classificationstring
argstringAn argument, a value passed as a parameter.
asset_idstringA unique identifier of the asset.
asset_labelsarrayIt represents the labels that have been assigned to an asset.
assignble_scopestring
assigned_appsarrayThe assigned apps shows the apps that are visible to users with the selected permission set.
assigned_ipipv4/ipv6Client's actual assigned IP address.
assignment_idstring
attachmentstringThe attachments that were added to an email
attachment_countintegerNumber of attachments in the email
attachment_sizenumberSize of attachments in the email
attackstringName of the vulnerability category in case of a host or network vulnerability.
attack_confstringConfiguration of the vulnerability.
attack_infostringDescription of the vulnerability in case of a host or network vulnerability.
attributestringThe attribute of the object which was accessed.
attribute_valuestring
attributesarrayA list of attributes of the object which was accessed.
audit_categorystringThe Windows category of the audit policy that was changed.
audit_idstringA unique identifier of the audit.
audit_policy_namestringThe name of the audit policy document.
audit_subcategorystring
authstringThe type of authentication that was used in the event.
auth_dnstringThe authentication domain name.
auth_levelstringThe current authentication security level.
auth_methodstringThe method/protocol package that was used in the authentication process.
auth_packagestringThe method used to authenticate an account.
auth_processstringThe method/process used to authenticate an account.
auth_serverstringThe server name that was in charge of performing the authentication
auth_typestringThe normalized authentication type used in the event.
authorization_scopestring
availabilty_zonestring
aws_accountstringAn account alias or an account ID for the AWS account.
aws_email_addressemailIt refers to the email address of the user that performed the activity in AWS.
aws_userstringIt refers to the user name of the individual or entity that performed the activity in AWS.
azure_categorystringIt represents the category that belongs to the azure event.
azure_resource_typestringThe type of azure resource accessed by the event.
badge_idstringThe unique identifier of the physical badge.
badge_readerstringBadge readers record information such as user ID, date and time of entry for each access attempt.
badge_statusstringA status badge shows whether a badge is currently valid or invalid.
base_risk_scorenumberThese are the sum of all scores generated by triggered rules during a user session.
bitdefender_operation_typestring
block_public_aclsarray
block_public_policyarray
block_typestringThe block_type property specifies the block type of a particular memory object.
blockedbooleanIt allows users to enhance the security of a router by configuring options to automatically block further login attempts
blocking_group_namestringIt specifies the group name of a block that groups other blocks together inside one container.
bootup_safeguard_enabledbooleanThis attribute specifically refers to whether or not the feature is enabled on a given endpoint.
branch_namestring
browserstringThe browser the user used in this activity.
bucket_arnstring
bucket_hoststring
bucket_namestringThe name of a cloud storage container (bucket) that holds files/objects, in the cloud.
bytesnumberThe size in bytes.
bytes_innumberThe amount of ingress bytes.
bytes_outnumberThe amount of egress bytes.
bytes_to_clientnumber
bytes_to_servernumber
bytes_unitstringThe measurement unit used to count the bytes.
ca_runtimestringThe runtime of a certificate authority (CA) that issues Secure Sockets Layer (SSL) certificates.
cabinet_namestringThe Cabinet name is the identities of an organization's Cabinet.
calling_station_idstringThe called station identifier allows a RADIUS server to specify the MAC addresses or networks that a client can connect.
card_numstringThe lenel card number is your identification at the university and your access to certain areas.
card_statusstringProvides the status of the card. Example: Active.
case_descriptionstringRequired only when create_case is true. Set by CR.
case_namestring
catalogstringA catalog is a group of identical virtual machines.
categoriesarrayA class or division of things regarded as having particular shared characteristics.
categorystringA class or division of things regarded as having particular shared characteristics.
category_behaviorstringA class or division of things having particular similar behavior.
category_idstringA unique identifier of the category.
category_idsarrayA list of unique identifiers of the categories.
category_significancestring
ccstringIt can be commonly understood to mean courtesy copy.
channelstringA channel is an aggregation of multiple physical interfaces that creates a logical interface.
channel_namestring
cidstringCrowdstrike customer identification
cipherstringA secret or disguised way of writing.
cipher_algorithmstringA cipher algorithm is a mathematical formula designed specifically to obscure the value and content of data.
cipher_methodstring
circumstancesstringThe condition connected with or relevant to an event or action.
citystringThe name of the city.
class_idstringA unique identifier of the class.
class_namestringIt is a globally unique identifier that identifies a COM class object.
classification_namestringThe name of the classes on the basis of whether the traffic matches specific criteria.
clientstringA desktop computer or workstation that is capable of obtaining information and applications from a server.
client_cert_subjectstringIt is a comma separated list of distinguished name fields and values.
client_idstringA unique identifier of the client.
client_namestringThe name of the client.
client_ssh_versionstringThe ssh version of the client.
client_systemstringThe name of the client system.
client_system_versionstringThe system version of the client.
client_tokenstringA client token is a signed JWT that includes configuration and authorization information required by the client.
client_typestringThe type of web conference application
client_versionstringThe application/ssh version of the client.
cloud_drive_idstringA unique identifier of the cloud drive.
cls_idstringThe class ID of the application component. Used in Windows for COM apps.
cluster_namestringA name that identifies this database cluster (instance) for various purposes.
code_sizenumber
collaboratorsarrayA collaborator is any person who can access, view, preview, download, comment, or edit a managed asset.
commandstringA command is a specific instruction given to an application to perform some kind of task or function.
command_invocationstringA command can apply to one or more managed nodes.
command_modulestringIt refers to the module or component of the security platform that is responsible for executing a specific command or action.
communitystringCommunity is defined as a knowledge sharing hub; a place to collaborate, share insights and experiences, and get answers to questions.
companystringA company is a legal entity formed by a group of individuals to engage in and operate a business—commercial or industrial—enterprise.
compatible_idstring
compauth_resultstringIndicates the combined result of SPF, DKIM, and DMARC (Domain-based Message Authentication, Reporting & Conformance) checks to assess email authentication.
compression_algorithmstringSpecifies the compression algorithm to be used when compressing dump file data
computer_namestringA computer name is also called a PC name or device name which is used to help identify or locate a computer on a network.
confidence_levelstringThe confidence level is how confident the Software Blade is that recognized attacks are actually virus or bot traffic.
connection_agestringThe time duration which the connection spanned.
connection_counterstringThe number of times the carrier request for a packet in transmission.
connection_durationstringIt refers to the amount of time a connection between two devices (e.g. network devices, computers, servers, etc.) has been active.
connection_idstringThe unique identifier of the network connection.
connection_statestringThe state of the network connection, as dictated by the vendor.
connection_statusstringThe status of the connection. The expected values for this field are:Open, Close and Active.
connection_typestringIt refers to the type of network connection between a device and another device or network.
connection_uidstringCalculation of md5 of the IP and user name as UID.
connector_guidstringProvides a list of all activities associated with a particular computer.
connectorsstringIndicates the rules governing how emails are routed between different mail systems or services.
contact_idstringA unique identifier for the contact.
container_idstringIt refers to a unique identifier assigned to a container in a container orchestration platform, such as Docker.
contivity_session_idstringA unique identifier of the contivity session.
control_panel_itemstringIt refers to the name of the control panel item that is being accessed or modified.
conversation_idstringUnique identifier of a conversation or a chat.
corp_clientstringIt is custom profile attributes which have pre-defined Profile values, an essential element for controlled profiling and management example: Client, Matter, Author, etc.
corp_matterstringIt allows users to view all matter-related information (documents, emails, etc.) in a single, logically organized interface.
correlation_idstringThe correlation identifier assigned to the event, used to correlate with other events with the same identifier.
coststringFinancial cost or credit consumption associated with any transactional activity.
countnumberIts a quantifiable measure metrics, could be used to show a number of objects that were accessed, number of connections.
countrystringThe location or region of the event.
country_codestringThe country code used to represent the event’s country.
cpu_percentileintegerTotal CPU usage percentage across all CPU
create_casebooleanRequired only for Correlation Rule Engine Events.
create_resultstringString of the create/open result.
creatorstring
credential_typestringType of credential an user uses to authenticate against a system. For example - password, API key, fingerprint, etc.
creds_namestring
creds_pathstring
critical_process_disabledbooleanIt is a security feature that prevents unauthorized changes to key system processes.
current_working_dirstringThe directory from which the user executed the process.
cve_idstringThe unique identifier of the Common Vulnerabilities and Exposures.
cvss_base_scorestringCVSS base score is used to rank the characteristics and severity of a software's exploitable weaknesses.
cvss_impact_scorestring
d_namestringA dirent structure contains the character pointer d_name, which points to a string that gives the name of a file in the directory.
d_parentstringA dirent structure contains the character pointer d_parent, which points to a string that gives the name of a parent process in the directory.
datastringA data is an information that has been translated into a form that is efficient for movement or processing.
database_user_namestringEnriched field to define a user entity by combining 'db_user' and 'db_name' fields.
datacenter_namestring
datastore_namestring
db_domainstringThe domain that contains the database.
db_idstringThe unique identifier of the database.
db_namestringThe name of the database.
db_objectstringThe database object that was referenced in the event.
db_operationstringType of database query (insert,update,delete etc.)
db_querystringThe full query that was sent to the database.
db_schemastringA database schema defines how data is organized within a relational database; this is inclusive of logical constraints such as, table names, fields, data types, and the relationships between these entities.
db_userstringThe user name of the local database user in the event.
decoder_namestringName of the decoder to use.
denied_data_actionsarrayIt attaches a set of deny actions to a user, group, or service principal at a particular scope for the purpose of denying access.
denied_permissionsarrayThe permissions that are explicitly denied by some rule.
denied_resourcesarrayresources that are not available or accessible to a particular user or system.
denied_usersarrayIt refer to users who are not allowed to access certain resources or perform certain actions.
departmentstringThe company department of the user
depthstringIt can refer to the number of levels or layers in a data structure, such as a tree or a graph.
descriptionstringA description of the event.
desire_accessstringIt refer to the desire or request to access a particular resource or service offered by Dell.
dest_countrystringThe country of the machine the activity operated on.
dest_country_codestring
dest_device_entity_idstringIt refers to the unique identifier of the destination device.
dest_dns_hostnamestring
dest_domainstringThe domain of the destination user
dest_domain_user_namestringEnriched field to define a user entity by combining 'dest_user' and 'domain' OR 'dest_domain' fields.
dest_emailemail
dest_email_addressemailThe full destination email address.
dest_email_domainstringThe domain of the destination email address.
dest_email_folderstringDestination email folder in move/copy operations for detecting suspicious email manipulation or deletion.
dest_email_userstringThe user of the destination email address.
dest_external_countrystringIt refer to the destination external country of a network connection.
dest_external_ipipv4/ipv6It refer to the destination external IP address of a network connection.
dest_file_dirstring
dest_groupstringIt refer to a group of destinations or recipients for a command or action.
dest_hoststringThe destination endpoint name.
dest_interfacestringIt refer to the destination interface of a network connection or packet.
dest_ipipv4/ipv6The destination endpoint IP address.
dest_ipv6ipv4/ipv6
dest_local_hoststringIt refers to the destination local host that is being accessed or modified.
dest_local_user_namestringEnriched field to define a user entity by combining 'dest_user' and 'src_host' fields.
dest_local_zonestringIt refers to the destination local zone or network segment that the asset is located in.
dest_login_idstringThe login id of the destination.
dest_macstringThe destination endpoint MAC address.
dest_network_typestringIt refers to the type of network.
dest_network_zonestringIt refer to the destination network zone of a network connection or traffic flow.
dest_portintegerThe destination port used in the network communication.
dest_process_command_linestringThe full command line of the targeted process.
dest_process_dirstringThe directory that contains the targeted process.
dest_process_idhexadecimalThe process ID of the targeted process.
dest_process_namestringThe process name of the targeted process.
dest_process_pathstringThe full path of the targeted process.
dest_rolestring
dest_service_namestringThe service name of the targeted service.
dest_translated_hoststringIt refer to the destination host that has been translated as part of a network translation process.
dest_translated_ipipv4/ipv6The NATed IPv4 or IPv6 address to which a packet has been sent.
dest_translated_portintegerThe NATed port to which a packet has been sent.
dest_userstringThe user name of the targeted user.
dest_user_arnstring
dest_user_dnstring
dest_user_entity_idstringIt refers to the unique identifier of the destination user.
dest_user_full_namestringThe destination user full name.
dest_user_idstringThe unique identifier of the targeted user.
dest_user_oustring
dest_user_sidstringA unique identification value that is assigned to dest user account and group in the system.
dest_user_typestring
dest_zonestringIt refer to the destination zone of a network connection or traffic flow.
detectstringIt refers to the ability of the software to identify and detect potential security threats or malicious activity on a device or network.
detection_levelstring
detection_methodstring
detection_source_aliasstringIndicated the name which has been provided when the cloud data connection was initially configured in the Code42 console.
devicestring
device_classstringThe class of the peripheral device.
device_descriptionstringThe description of the peripheral device.
device_idstringUnique identifier of a device such as a USB
device_ipipv4/ipv6
device_modelstringIt refer to the model or type of device that is being used or managed by the software.
device_namestringThe name of a device such as a USB.
device_pidstringThe ID of the product of the peripheral device.
device_productstringThe name of the product of the peripheral device, translated from the device’s PID
device_sizestringIt refer to the size of a storage device such as a hard drive or a cloud storage service.
device_typestringTypically in USB related events, the type of the device that was used. E.g. USB, DVD/CD-ROM
device_vendorstringThe vendor of the device.
device_versionstringThe version of the device.
device_vidstringThe ID of the vendor of the peripheral device.
devidstringIt refer to a device identifier or a unique identification value that is associated with a particular device.
dhcp_ipipv4/ipv6It refer to the IP address that is assigned to a device by a DHCP server.
dhcp_typestringIt refer to the type of dynamic host configuration protocol (DHCP) message or packet that is being sent or received.
directionstringThe directionality of the communication.
directory_idstringThe unique identifier of the file directory.
disk_modestring
disk_namestring
disk_sizestring
disk_statestring
dispositionstringIt is used to specify what action to perform for an item that is returned by the customer.
dkim_resultstringIndicates if an email is signed with a DKIM (DomainKeys Identified Mail) signature that verifies the sender's domain and message integrity.
dlp_dictstringIt refer to a dictionary or list of keywords or phrases that are used by the DLP feature to identify sensitive data.
dmarc_resultstringIndicates the result of SPF and DKIM checks and the domain owner's policy for handling authentication failures.
dns_domainstringIt refers to a field that holds the domain name information of a DNS (Domain Name System) request or response.
dns_ip_flowstringIt refer to a stream of DNS traffic that is being monitored or analyzed by Splunk.
dns_querystringThe full DNS query in the packet.
dns_query_flagsstringThe query flags of the DNS query packet.
dns_query_idstringThe identifier of the query in the DNS packet.
dns_query_typestringThe DNS query type.
dns_record_typestringIt refer to the type of DNS (Domain Name System) record that is being used or configured.
dns_responsestringThe full DNS response in the packet.
dns_response_codestringThe response code given in the DNS packet.
dns_response_flagsstringThe response flags of the DNS response packet.
dns_response_typestringIt refers to the type of response received from a DNS server.
doc_idstringA unique identifier of the document.
document_namestringDisplays the full path and filename of the current document.
domainstringThe domain of the user
domain_controllerstringDomain controller is a server that responds to security authentication requests within a Windows Server domain.
domain_joinstringIt refers to the process of joining a computer to a domain in a Microsoft Active Directory environment.
domain_user_namestringEnriched field to define a user entity by combining 'user' and 'domain' fields.
door_group_namestringIt include a user directory specification or unique identity attribute.
door_namestringIt is the last person or method that locked or unlocked the door.
door_side_idstringThe unique identifier of the door side.
download_sourcestringSource code that is being downloaded in this build phase.
dprocstringIt is the time that a node spends processing a packet.
drive_letterstringUsed to specify the drive letter of the volume.
driver_namestring
ds_namestringThe name of the directory service.
ds_object_classstringThe directory service object class.
ds_object_dnstringThe full distinguished name of the directory service object.
ds_object_namestringThe name of the directory service object.
ds_object_oustringThe organizational unit of the directory service object.
ds_object_outstring
ds_object_typestringThe directory service object type.
ds_typestring
dtzstringThese are file extensions that help computers locate correct application for specific files.
durationstringThe time duration which the event spanned.
edge_fleetstringEdge fleet is the system that helps manage and secure devices and applications
edge_hoststringEdge host is a miniaturized computer host with compact size
edge_response_statusstringEdge response status code is an HTTP response code sent from Cloudflare to the client (end user).
egress_security_zonestringIt refer to a security zone that is used to enforce security policies on traffic that is leaving a network.
egress_zonestringIt refers to the security zone from which network traffic exits or is transmitted to an external network.
elevation_typestring
email_addressemailThe full email address of the user.
email_attachmentstringThe name of the file attachment attached to the email.
email_attachmentsarrayA full list of the attachment names in the email.
email_attachments_bytesarrayA full list of the attachment sizes in the email.
email_dlp_fromstringIt is the practice of detecting and preventing data exfiltration.
email_dlp_policy_namesarray
email_domainstringThe domain of the users’ email address.
email_idstringThe unique identifier of the user's email.
email_recipientsarrayThe full list of recipients for an email or a list of recipients to which mail/message could be sent if a rule condition apply.
email_subjectstringThe subject (title) of the email.
email_subject_listarrayThe list of email subjects.
email_urlsarrayA full list of the url in the email.
email_userstringThe user name of the users’ email address.
employee_idstringThe unique identifier of the employee.
employee_statusstringIt means the full time, part time, casual and/or temporary capacity that an Employee is employed in.
employee_titlestringIt is the position a person hold in an organisation.
employee_typestringIt refers to different kinds of employees an organization can hire.
encryptedbooleanA form of data security in which information is converted to ciphertext
end_timedatetimeThe end_time property indicates a data set's lookback cutoff date; data older than this value is not included in the data set's calculation.
engine_versionstringThe version number of the database engine to upgrade to.
entitiesjsonIf the fields required for entity creation are missing in the event, there will be no entity fields created. This is a valid case.
entity_keystringThe key used for the given entity type in Entity Manager like user_name, email_address etc for User or ip_address, host_name etc for Endpoint
entity_typestringEntity type. User, Endpoint, File, Process etc
environmentstringIt is a part of the logical message tree in which you can store information.
error_codestringA number that appears on a computer screen to show that you have made a particular mistake or that something has gone wrong in a program
error_infostringIt retrieves error information for operations performed directly on the database handle.
event_categorystringIf a single log source can provide multiple categories of events, this field should represent the category that belongs to the event.
event_codestringThe code of the operation type recorded in the event, not to be confused with event_id. For example - 4624.
event_fieldstringThe field in the event that will provide the value for the entity_key. For example for entity_type:Endpoint and entity_key:ip_address the event_field can have a value like src_ip or dest_ip.
event_filterstringSearch query event filter to get all the participating events for this trigger.
event_from_time_millisdatetimesearch query event filter start time.
event_hub_namestringIt refer to the name of an event hub, which is a cloud-based data streaming platform that is used to collect, store, and process large amounts of data from a variety of sources.
event_hub_namespacestringAn Event Hubs namespace provides a unique scoping container, in which you create one or more event hubs.
event_idstringthe unique identification of a single generated event, not to be confused with event_code.
event_localitystringDetermines if the event has been generated on a local workstation or a domain application
event_namestringThe name of the operation recorded in the event.
event_name_codestring
event_name_hub_namestring
event_name_hub_namespacestring
event_name_namestring
event_subtypestringThe sub category of the event.
event_timedatetimeIt refer to the time at which a particular event occurred.
event_to_time_millisdatetimesearch query event filter end time.
event_urlstringURL to Search App to query the events associated with this rule trigger
execution_statusstringIt reflects the current status of the activity instance. ExecutionStatus is set by the runtime tracking infrastructure.
expiry_timedatetimeIt contains the Date and Time at which the password will expire.
exploit_code_maturitystringThis metric measures the likelihood of the vulnerability being attacked, and is typically based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation.
exposure_typestringDifferent types of file activity occurring across the Code42 environment.
extensionstringAn extension is a file containing programming that serves to extend the capabilities of or data available to a more basic program.
external_addressemailThe email address of the external party in an email.
external_domainstringIt refers to the external domain or network that is being accessed or communicated with.
external_idstringIt contains unique record identifiers from a system outside of the current organization.
extractedstringLocal filename of extracted file.
extracted_cutoffstringSet to true if the file being extracted was cut off so the whole file was not logged.
extracted_sizenumberThe number of bytes extracted to disk.
factorstringIt is a security process that helps verify users' identities before letting them access networks or online applications.
failure_codestringA code indicating the reason of the failure.
failure_reasonstringA description of why the operation has failed.
falcon_host_linkstringURL to view the detection in Falcon.
fallback_user_namestring
field_namestringIt is the short name of your field.
field_valuestringThis is the value of the event_field in the event that triggered the rule.
file_arnstring
file_categorystringThe general categories of file type.
file_dirstringThe directory of the file, not including the name.
file_dir_idstring
file_dir_uristring
file_exposure_changed_tostring
file_extstringThe file extension. If the file name is myfile.txt, file_ext will be txt
file_hashstringA unique value that corresponds to the content of the file.
file_idstringThe unique identifier of the file the activity operated on.
file_namestringThe name of the file, not including the path.
file_ownerstringA file's owner is identified by the user ID of the person who created the file.
file_pathstringThe full path of the file.
file_path_atstring
file_permissionsarrayFile permissions control what user is permitted to perform which actions on a file.
file_signaturestring
file_signature_statusstring
file_signedstring
file_typestringThe type of file accessed by the event. E.g file, folder, link.
file_urlstringThe full URL of the file’s location.
fingerprintstringIt is the initial factor that unlocks the private cryptographic key that authenticates the user.
firewallstringIt is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies.
first_namestringThe first name of the user, without the last name.
firstseenstring
flow_end_timedatetimeThe flow end time shows time or date when flow was ended.
flow_start_timedatetimeThe flow start time shows time or date when flow was started.
folder_namestringName of the email folder, document folder, or directory involved in the activity.
framed_addrstringThe address given to the network access server, if present.
from_user_atstring
fs_operation_blockedbooleanIt refers to a security feature that blocks a file system operation (e.g., create, delete, modify, etc.) based on predefined security policies.
full_namestringThe user full name.
function_arnstring
function_namestring
function_rolestring
function_runtimestring
gateway_stationstringThe IP of the web application machine (PVWA) in cyberark.
grandparent_command_linestringIt refers to the command line of the process that started the parent process of a given process.
grandparent_image_filenamestringIt refers to the file name of the image or executable that started the parent process of the current process being monitored.
grandparent_process_pathstring
group_arnstring
group_domainstringThe domain of the group identity.
group_idstringIt distinguishes duplicate groups resulting from a GROUP BY specification.
group_infostringMetadata about a distribution list, team, or group including members and permissions for access control audit.
group_namestringThe name of the group identity.
group_oustringIt is a subdivision of groups within an Active Directory.
group_typestringThe type of the group, e.g. local, global, etc
handle_idstringThe unique identifier of the handle on an object.
hash_md5hexadecimalA md5 hash value.
hash_sha1hexadecimalIt is a widely used hash function which takes an input and produces a 160-bit hash value known as a message digest - typically rendered as 40 hexadecimal digits.
hash_sha256hexadecimalA sha256 hash value.
hash_sha256_athexadecimal
hash_typestringDifferent types of hash algorithms such as RipeMD, Tiger, xxhash and more, but the most common type of hashing used for file integrity checks are MD5, SHA-2 and CRC32.
hierarchy_codestringThe hierarchy code governs the order in which entries in a block are printed in the CINDA book, and is used to some extent as a measure of the importance of a particular reference.
historystringRecords the state history of connections as a string of letters.
hoststringThe machine that logged the event. This can be either a hostname or an IP address
host_bytes_innumber
host_bytes_outnumber
host_ipipv4/ipv6IP address on which public port is listening
host_keystringA host key is a cryptographic key used for authenticating computers in the SSH protocol.
host_key_algstringHost key algorithms specify which host key types are allowed to be used for the SSH connection.
host_typestringA host type is a container for variables that are assigned to a particular host.
host_zen_codestring
http_response_codeintegerThe code returned by the web server after a request was made.
identifierstringAn identifier is a token that is used to form a name.
identitiesstringAn identity is an internet capable entity that Umbrella protects through policies and monitors through reports.
identity_groupstringIt is composed of information elements that identify and describe a specific group of users that belong to the same administrative group.
identity_typestringThe type of authentication credential depend upon the configuration of the supplicant software running on the endpoint device.
ignore_public_aclsstring
image_file_namestringFile name of the associated process for the detection.
image_namestringIt specifies the name of the image installed.
image_publisherstringPublic image reference with publisher
image_releasestringIt refer to the process of making a new version of an image file or software program available to users.
image_versionstringIt refer to the specific version of an image file that is being used or referred to.
impactstringIt refers to the potential severity of a security vulnerability or threat.
in_reply_tostringIt refers to a relationship between two network communications where one communication is a response to the other.
incident_creation_timedatetimeIt refers to the time at which an incident was created.
incident_statusstringIt refers to the current state or phase of a reported security incident within a security management system, indicating whether the incident is new, in progress, resolved, or closed.
inddet_maskstring
indicatorstringIt refers to a specific attribute or characteristic of an event, activity, or artifact, which can be used to identify or distinguish malicious behavior.
ingress_interfacestringIt refers to the network interface through which a packet enters a device.
ingress_security_zonestring
ingress_zonestringIt refers to the network zone through which data enters a network.
initiator_packetsstringIt refers to the number of packets sent by the initiator of a network connection.
inodestringThe inode number is a unique identifier that is assigned to each file or directory on the file system.
instance_idstringAn instance ID is a unique identifier assigned to an instance (i.e., a virtual machine) when it is launched.
instance_profile_arnstring
instance_typestringIt is used to specify the hardware configuration of an instance, such as the number of vCPUs and amount of memory.
interfacestringAn interface is a point of connection between a device and a network.
interface_idstringAn interface ID is a unique identifier assigned to a network interface when it is created.
interface_instringIt refers to the network interface on a virtual machine (VM) that is used for incoming traffic.
interface_namestringIt refers to the name assigned to a physical or logical network interface on the firewall device.
inzonestringThe inzone is used to identify the source of network traffic in security rules, and to apply the appropriate access control policies.
iocstringAn Indicator of Compromise (IOC) is a data point that can be used to identify malicious activity on a system or network.
ioc_numberstringAn Indicator of Compromise (IOC) number is a unique identifier assigned to each IOC.
ip_lease_timestringThis is the length of time that the client can use the IP address it has been assigned.
ip_protocl_idstring
ip_reputationipv4/ipv6It is a feature that allows you to identify and block traffic from known malicious IP addresses.
is_archivedboolean
is_consolidatedbooleanIt is a field that indicates whether or not an event or message has been consolidated.
is_dokbooleanA flag indicating that the operation took place on a peripheral device.
is_executableboolean
is_incidentstringIt refers to a field indicating if an event or log entry represents a security incident or not.
is_job_searchbooleanA flag indicating that the operation is a job search.
is_net_storagebooleanA flag indicating that the operation took place on a network storage device.
is_origbooleanIt is a field that is used to identify the direction of a network connection.
is_outboundbooleanIt is used to distinguish between connections that were initiated by the host and connections that were established as a result of an incoming request.
is_peripheral_storagebooleanA flag indicating that the operation took place on a peripheral device.
issue_timedatetimeIt represents the time that an event was generated or issued.
item_creatorstringIt represents the user or system that created an object.
item_namestringIt is a field that represents the name of an object.
item_typestringIt represents the type of object that is being used.
kerberos_service_namestring
kex_algstringIt contains the name of the key exchange algorithm that is used in the SSH connection.
key_idstring
key_lengthintegerIt represents the length of a cryptographic key used for encryption or decryption.
key_namestringIt is a field that represents the name of a key that is used for encryption or decryption.
key_statusstring
key_typestringIt specifies the algorithm used to generate the key.
kill_parentbooleanIt refers to an action that terminates the parent process of a detected threat.
kill_processbooleanIt refers to a feature that allows the user to immediately terminate a malicious or suspicious process that has been detected by the platform.
kill_sub_processbooleanIt is a term used to describe the action of terminating a sub-process that is associated with a malicious or suspicious activity.
label_idstringThe label ID of the file.
landscapestringRepresents the landscape context element.
last_blocked_timedatetimeIt represents the last time that a threat was blocked by the software.
last_known_ipipv4/ipv6It represents the last known IP address of a resource or virtual machine.
last_namestringThe last name of the user, without the first name.
lease_timestringIt represents the amount of time a DHCP lease is valid for.
linkstringIt is a field that represents a hyperlink to a resource or webpage.
link_idstring
linked_service_accountstringIt represents the service account that is linked to a specific resource or project.
llm_requeststringThe request a user sent to the ai agent.
llm_responsestringThe response of an ai agent to a request
local_assetstringIt refers to the local asset that is being accessed or modified.
local_origstringIt represents whether or not a network connection was initiated by a host on the local network.
local_respstringIt is used to indicate whether or not the connection was responded to by a host on the local network or from an external network.
local_user_idstringIt represents the identifier of a user who is local to the Ping Identity platform.
local_user_namestringEnriched field to define a user entity by combining 'user' and 'src_host' OR 'platform' fields.
local_zonestringIt refers to the local zone or network segment that the asset is located in.
locationstringThe full location of the physical access event.
location_areastringIn physical access events, the name of the general area/compound in which the access took place.
location_buildingstringIn physical access events, the name of the building in which the access took place.
location_citystringIn physical access events, the name of the city in which the access took place.
location_countrystringIn physical access events, the name of the country in which the access took place
location_doorstringIn physical access events, the name of the door in which the access took place
location_door_idstringIt is a field or attribute used to track or identify the location.
location_fullstringIt is a field or attribute that can be used to represent the full location of an object, event, or person.
location_informationstringIt is an information, obtained by means of a tracking device, concerning the location of an electronic device.
location_statestringIn physical access events, the state of the physical location. E.g locked, disabled.
log_locationstringIt refer to the directory or file path where log files are stored.
log_namestringThe name of the logging component that recorded the event.
log_pathstringIt refers to the file path or directory where log files are stored.
log_severitystringIt refers to the level of importance assigned to a log entry or event.
log_sourcestringThe service that provided that data to the logging service.
log_timedatetimeIt refers to the time when an event or log entry was recorded in the system.
log_uidstringIt refers to a unique identifier assigned to a log entry or event.
login_idhexadecimalThe identifier of the depicted login session.
login_methodstringIt refers to the process used by a client to authenticate to a server.
login_typeintegerIn login events, used to describe the type of the login operation. E.g remote, local, kerberos…
login_type_textstringIt is a field that describes the type of logon that was performed by a user or system account.
logon_typestring
mac_algstringIt refers to the message authentication code (MAC) algorithm used to secure a connection.
machine_typestringIt refers to the specific virtual machine (VM) instance type that is used to host a particular workload.
mailbox_namestring
mailfromemailIt is used to represent the sender of an email message.
malicious_file_countintegerIt is a metric that tracks the number of files detected as malicious by the security system.
malware_actionstringIt is a field that specifies the action taken by the security system in response to a detected malware event.
malware_familystringIt is a field used to identify the specific family or group of malware associated with an event or alert.
malware_file_namestringIt is a field that identifies the file name associated with a piece of malware.
malware_file_typestringIt refers to the type of file that is determined to contain malicious content.
malware_idstringIt refers to a unique identifier assigned to a specific piece of malware.
malware_namestringIt contains the name of the malware family, variant, or specific instance of malware.
malware_scorestringThe malware score assigned in the event by a security vendor.
malware_urlstringIt refers to the URL or web address associated with a piece of malware that has been detected by the security solution.
malware_url_pathstringIt refers to the path of a URL that is associated with malicious activity or a threat.
managerstringIt refer to an individual or department in charge of a particular area or project.
manager_emailemail
manager_namestringIt is used to identify the name of an individual or entity that is responsible for overseeing a particular resource or asset.
mbpsstringIt refers to megabits per second, which is a measure of data transfer rate.
meeting_durationstringIt is a field that indicates the length of time a Zoom meeting lasted for.
meeting_host_idstringThe ID given to the user acting as host of the web conference meeting.
meeting_namestringThe name of the web meeting.
meeting_numberstringIt refers to a unique identifier assigned to each Zoom meeting, which is generated when the meeting is scheduled or started.
meeting_timezonestringIt refers to the time zone that is set for a particular Zoom meeting.
meeting_topicstringIt refers to the subject or title of a virtual meeting or conference.
meeting_typestringIt refers to the type of Zoom meeting being held.
memberstringIn groups and similar organizational units, the member represents the full name of an identity that’s contained in them.
member_idstring
membersarrayIt refers to the users or groups that are part of an organization or a specific application or resource in Okta.
memory_addressstring
memory_protectionstring
memory_sizestring
message_author_typestringThe type of the identity that has created the message.
message_idstringA unique identifier of a communication message.
methodstringUsed in HTTP to describe the method of the web request. E.g GET, POST…
mfastringIt is a security process that requires a user to provide two or more authentication factors to verify their identity and access a resource.
mfa_countrystringIt refers to the country from which the user is attempting to access a system.
mfa_devicestringThe mfa_device field contain information about the specific MFA device being used, such as its type, serial number, and associated user.
mimestringTypically in web-access events, the media type of the content, e.g. text, audio/mpeg
miscellaneousstringIt could refer to a category or field in log data that contains information that does not fit into a more specific category.
missed_bytesnumberIndicates the number of bytes missed in content gaps, which is representative of packet loss.
mitre_labelsarrayIt refer to the specific MITRE ATT&CK techniques and tactics used in a particular security incident.
mobile_versionstring
model_namestringName of the model used in interaction. In AI activity it is AI/LLM model (e.g., GPT-4, claude-opus-4-7) for security auditing. For other non-AI activities it could be a model name for device events.
modified_keysarrayIt refer to the modification of keys in a cryptographic context, such as encryption keys or access keys.
module_hash_namesarrayIt refers to a specific configuration or data structure within a Cisco product.
monitoring_planstringIt refer to a plan for monitoring and auditing IT systems and infrastructure for compliance with regulations, best practices, and organizational policies.
more_infostring
msg_idstringIt refers to a message identifier used in Inter-Process Communication (IPC) mechanisms such as System V message queues.
name_atstring
nap_policystringIt refer to a policy that specifies the requirements for accessing the network, such as minimum security standards for client computers
nas_ip_addressipv4/ipv6It is used in the context of Remote Authentication Dial-In User Service (RADIUS), which is a protocol used to provide centralized authentication.
native_file_systemstringIt is a custom file system specifically designed for processing and storing large amounts of network data.
networkstringThe name of the network that was accessed in the event.
network_appstringIt is used to refer to an application or service running on a network.
new_attributestringIt refer to a new attribute or field that has been added to a data structure or configuration in a Symantec product.
new_enrollmentstringIt refer to a new process of enrolling a device or user into a Cisco security solution.
new_file_namestring
new_hashstringIt refer to a new hash value, which is a unique digital fingerprint of a file, document, or other digital content.
new_hoststring
new_ipipv4/ipv6
new_multiattachstring
new_passwordstringThe new/latest password required to enter a web conference meeting
new_sizenumber
new_user_namestringIt refers to a new username that has been created for a user account.
new_valuestring
nt_domainstringIt is a type of network authentication service used in computer networks to control access to resources and provide centralized administration.
num_external_recipientsintegerThe amount of external (out of the organization) recipients that the communication message was sent to.
num_internal_recipientsintegerThe amount of internal (in the organization) recipients that the communication message was sent to.
num_pagesintegerThe amount of pages printed.
num_recipientsintegerThe amount of recipients the communication message was sent to.
objectstringWhen representing a generic/unknown entity, the object is the full path of the entity.
object_classstringIt refers to a class of objects that are used to manage system resources.
object_dnstringIt is a unique identifier for an object in the Active Directory, and it is used to locate and manage the object.
object_handlestring
object_idstringWhen representing a generic/unknown entity, this represents the unique identifier of the entity.
object_namestringWhen representing a generic/unknown entity, this represents the name of the entity.
object_oustringIt is a container object in the Active Directory that is used to organize and manage other objects.
object_serverstringAn object server is a software component that provides objects for use by other components in the network.
object_typestringWhen representing a generic/unknown entity, this represents the type of the entity Values could be a user or group.
observed_activitystringAdded by UIP. Contains the observed activity type (Engage, Prepare, Presence, Effect, N/A) used to assign risk_score. If observed_activity or UIP is disabled for the subscription, this will not be present.
occured_timedatetimeIt refers to the time at which a specific event or security incident took place.
old_attributestringThe attribute before it was changed
old_file_namestringThe old file name before it was rename
old_hashhexadecimalIt refer to the hash value of a file before it was updated or changed.
old_multiattachstring
old_passwordstringThe old/previous password required to enter a web conference meeting.
old_registry_detailsstringThe details of the old registry object.
old_registry_details_typestringThe details type of the old registry object.
old_sensitivity_labelstringThe old sensitivity label ID of the file.
old_sizenumber
old_user_namestringIt refers to a old username that has been used for a user account.
old_valuestringIt refers to a previous value or setting of some attribute or configuration in a virtual machine or virtual infrastructure.
opcodestringIt refers to a machine-level instruction or operation code that is executed by the processor.
operationstringThe activity that was recorded in the event.
operation_blockedbooleanIt refers to a security feature that blocks or denies specific security-related operations that are deemed potentially suspicious.
operation_detailsstringAdditional information about the activity that could add context when reviewing the event in the UI.
operation_firststringIt refers to a concept in auditing or logging where the first operation performed by a user or process is recorded.
operation_idstringIt refers to a unique identifier assigned to a specific operation or request.
operation_laststringIt refers to a concept in auditing or logging where the last operation performed by a user or process is recorded.
operation_namestringIt refers to the name or description of a specific operation performed within the Azure platform.
operation_typestringThe classification/type of the operation.
operation_versionstringIt refers to a version number or identifier assigned to a specific operation performed within the Azure platform.
operator_namestringIt refers to the name of the user who performed an action within the platform.
order_numstringIt is used to track and identify specific orders within a system, and can be used for purposes such as tracking, auditing, and reporting.
orig_bytesnumberIt refers to the number of bytes of data in the original or incoming direction of a network connection or communication.
orig_ccstringIt refers to the two-letter country code of the originator of a network connection or communication.
orig_filenamesstringIt refers to the names of files that are being sent or received in the original or incoming direction of a network connection or communication.
orig_pktsstringIt refers to the number of packets in the original or incoming direction of a network connection or communication.
origin_ipipv4/ipv6It refers to the IP address of the originator of a network connection or communication.
origin_namestringIt refers to the name of the originator of a network connection or communication.
origin_response_statusstringIt refers to the status code of the response received from the origin server during a network communication.
original_risk_scorenumberIt refers to an initial assessment of the risk or threat level associated with a particular event, action, or activity.
original_userstring
osstringThe operating system of the device taking the action
os_adminstringIt refers to the administrator account associated with the operating system (OS) of a virtual machine (VM) or other computing resource in the Azure cloud platform.
os_environmentstringIt refers to the OS environment of a computer or network device, including information about the version, type, and configuration of the OS and related software.
os_revisionstringIt refers to the version or revision number of the operating system (OS) being used by a device or computer.
os_typestringThe type of the device’s operating system.
os_versionstringThe version number of the device’s operating system.
outcomestringRepresents the outcome context element.
outzonestringIt refers to a security zone in a network that is outside of the trusted security perimeter and is considered to be less secure than other zones
overflow_bytesnumberIt refers to the number of bytes of data that are discarded due to buffer overflow.
owned_userstring
ownerstringUsername or ID of the resource owner.
owner_idstring
packet_ratestringIt refers to the rate at which packets are being transmitted across a network.
packetsintegerNumber of total packets in a network connection.
packets_inintegerNumber of ingress packets in a network connection.
packets_outintegerNumber of egress packets in a network connection.
page_countintegerIt refers to the number of pages in an electronic document or file.
page_fault_countintegerPage fault is when a computer tries to access a piece of information that is not in the computer memory
parent_hash_sha256hexadecimal
parent_image_filenamestringIt refers to the name of the executable file of the parent process of a detected activity.
parent_md5hashhexadecimalIt refers to a unique identifier used to track the relationship between parent and child processes in a computer system.
parent_message_idstringUnique identifier of the message that preceded the current message.
parent_processstringIt refers to the process that spawned or created another process in a computer system.
parent_process_command_linestringThe full command line of the parent process.
parent_process_dirstringThe directory of the parent process, without the process name.
parent_process_guidstringThe unique global identifier assigned to the parent process.
parent_process_hashhexadecimalIt refers to a unique identifier that is assigned to a parent process running on a computer.
parent_process_idstringThe process ID of the parent process.
parent_process_namestringThe process name of the parent process, without the path.
parent_process_pathstringThe full path of the parent process.
pathstringIt refer to the location or file path of a specific configuration or log file within an application.
pattern_disposition_descriptionstringIt refers to the human-readable explanation of the outcome of an analysis or detection performed by system.
payload_printablestringIt refers to the human-readable representation of the payload in a network communication or a malware file.
peer_gatewaystringIt is the remote endpoint of a VPN tunnel and is used to securely connect two separate network segments over the internet.
permissionstringIt refers to the set of rules that govern access to files, directories, and other resources.
permissionsstring
phishing_scorestringIt refers to a score assigned to a detected email based on the likelihood that it is a phishing attempt.
pkts_toclientstringIt refers to the number of packets sent from the server to the client in a network.
pkts_toserverstringIt is a count of the number of packets from client to server.
platformstringRepresents the platform context element.
playbook_filesstring
policiesstringIt refers to a set of rules and configurations that define how resources should be managed within an organization.
policystring
policy_arnstringIt refers to the Amazon Resource Name (ARN) of an AWS Identity and Access Management (IAM) policy.
policy_bindingsstringIt refers to the set of policies that are associated with a resource in Google Cloud Platform.
policy_changesstring
policy_contentstringIt contain the JSON text of a policy, which is a set of statements that specify the actions that are allowed or denied for a particular user, group, or role.
policy_deltastringIt refers to a change made to a specific policy.
policy_disabledbooleanIt refers to a security policy or set of security rules that are temporarily or permanently disabled or inactive.
policy_idstringIt refers to a unique identifier assigned to a specific security policy.
policy_namestringThe name of the policy document.
policy_runtimestringIt refers to the set of security policies that are being enforced at a given time on a particular device or network.
policy_version_idstringIt refers to the unique identifier for a specific version of an AWS identity and Access Management (IAM) policy.
previous_idstringPoint to previous rule trigger id in case of new rule trigger due to late arriving events.
primary_keystringIt is a unique identifier assigned to each process, binary, or file that is captured and analyzed by the platform.
principal_idstringIt refers to a unique identifier for an AWS identity, such as an AWS account root user, an IAM user, or a federated user.
principal_namestringIt refers to the name associated with a specific user, group or service that is granted access to a computer system, network, or application.
principal_typestringIt is a term used to refer to the type of entity that performed an action.
printer_idstringThe identifier of the printer device.
printer_namestringThe name of the printer device.
printer_portinteger
printer_snstringTher serial number of the printer device.
printer_typestringThe type of the printer
prioritystringlevel of urgency
private_cookiestringIt refers to a cookie that is not shared with third-party domains, and is stored in a user's web browser for a specific website.
private_ipipv4/ipv6It refers to an IP address that is assigned to a device within a private network and is not reachable from the Internet.
privilegesarrayAll the privileges given on an object, e.g. SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege.
processstringThe path of executed process
process_blockedbooleanIt refers to a security alert generated by the platform, indicating that a process has been blocked by the security software.
process_command_linestringThe command line of the event’s process.
process_dirstringThe directory (without the name) of the event’s process.
process_guidstringThe graphical unique identifier of the event’s process.
process_hashhexadecimalIt refers to a unique identifier that is assigned to a process running on a computer.
process_idhexadecimalThe PID of the event’s process.
process_integritystringIt refers to the level of trust associated with a process.
process_namestringThe name of the event’s process.
process_ownerstringThe user that owned the process.
process_pathstringThe full path (directory and name) of the event’s process.
process_permissionstring
process_relative_dirstringThe relative directory to the process the user used to execute the process.
process_relative_pathstringThe relative path to the process the user used to execute it.
process_signedstringprocess signed refer to signing off on a process unit
process_typestringIt refers to the classification or categorization of a process based on its type, behavior, or characteristics.
process_vendorstringIt refers to the company or organization that developed the process that is being monitored.
processing_end_timedatetimeIt refers to the time when the processing of a particular operation, task, or process within the Azure environment is completed
productstringThe product context element.
product_categorystringThe product category context element.
product_namestringIt refers to the name of a specific product offered by the company.
profilestringIt refers to a group of configuration settings and policies that are applied to a particular type of network traffic, such as web, email, or VPN traffic.
profilesarrayIt refers to the configuration settings that specify the behavior of an iOS or macOS app or framework.
project_idstringIt is a unique identifier for a project. It is used to organize resources and associate them with a specific project.
project_namestringName of the project or workspace associated with the activity
propertiesstringIt refers to the specific characteristics, features, or attributes of an object, such as a file, folder, device, or system component.
protection_namestringIt refers to the name assigned to a security policy or rule that is implemented to protect the network from specific threats or attacks.
protection_typestringIt refers to the type of security protection provided by a particular security solution or feature.
protocolstringThe network protocol the event used, e.g. DNS, TCP, HTTP.
provider_namestringIt is used to refer to the name of the software or service that provides a specific log event.
proxiedstringIt refers to network traffic that is being passed through a proxy server.
proxy_actionstringIn http communication events, the way the proxy identifies the request, e.g. TCP_MISS, TCP_HIT.
proxy_ipipv4/ipv6It indicate the IP address of the proxy server through which the web traffic is flowing.
qclassstringIt is a term used to describe a field in the DNS protocol that specifies the class of a query.
qclass_namestringThe query class defines the type of data being queried, such as Internet address (IN), Chaosnet (CH), or Hesiod (HS).
quarantine_filebooleanIt refers to a file that has been isolated from the rest of the system because it has been identified as potentially harmful.
quarantine_machinebooleanIt refers to the process of isolating a potentially compromised device or machine to prevent further spread of malware.
querystringIt refer to a request for information, data or content from a network or device.
query_idstringIdentifier of a query.
query_stringstringIt refers to the part of a URL that contains data to be passed to a web application or a resource, after the ? symbol.
RAstringThe Recursion Available bit in a response message indicates that the name server supports recursive queries.
radius_flow_typestringIt refers to the type of RADIUS flow, which is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for remote access to a network.
rarity_percentileintegerAdded by BEAM. Number between 0 to 100.
rarity_raw_scoreintegerRaw score from BEAM. Value should be between 0 to 100 or more.
rarity_scoreintegerNormalized rarity score from BEAM. Value should be between 0 to 100.
rcpttostringIt refers to the recipient's email address to which the email message is being sent.
RDstringThe Recursion Desired bit in a request message indicates that the client wants recursive service for this query.
readonlystringA resource with readonly permission can only be viewed and not modified.
realmstringName of the VPN realm
recipientemailIt refers to the person or entity who receives an email, file, message, or other information in a service or application.
recipient_countintegerIt refers to the total number of recipients associated with an email, document, or other file.
recipientsarrayIt refers to the individuals or groups that a message or piece of content is addressed to.
record_typestringIt refers to the type of record stored in a file system.
recorded_timedatetime
recoverabilitystringAdded by UIP. Contains (Yes, No, N/A). If recoverability or UIP is disabled for the subscription, this will not be present.
redirect_urlstring
referrerstringIn HTTP communication the url that referred to the current site.
regionstringIt refers to a geographical area, where one or more data centers are located, that is designed to provide low latency and high throughput network connections.
registration_nostringIt refers to a unique identification number assigned to a device or product upon its registration with the system.
registry_detailsstringThe details of the registry object.
registry_details_typestringThe details type of the registry object.
registry_hivestringThe hive of the registry object.
registry_keystringThe registry key in the activity.
registry_operation_blockedbooleanIt is a term used to describe when a specific operation in the registry is prevented from executing due to security policy.
registry_pathstringThe full path to the registry object.
registry_valuestringThe value of the registry object.
relying_party_idstringIt refers to a unique identifier assigned to a relying party in a security token service (STS) system.
remediation_stepsstringIt refers to the actions that need to be taken to resolve an issue or address a vulnerability.
remote_location_citystringIt is a field that represents the city of the remote location in a network connection.
remote_location_country_codestringIt refers to the two-letter country code of the remote location of a network communication or activity.
remote_location_latitudestringIt is a field that represents the latitude of the remote location from where a network connection was initiated.
remote_location_longitudestringIt refers to the longitude coordinate of the remote location.
remote_location_regionstringIt refers to the region information of a remote host based on its location, as determined by the IP address.
removable_media_bus_typestringIt refers to the type of bus interface used by a removable storage device, such as USB, FireWire, or SCSI.
removable_media_capacitystringIt refers to the amount of storage space available on a removable media device.
removable_media_media_namestringIt refers to the name or label assigned to a removable storage device.
removable_media_namestringIt is the name of a removable media device, that has been connected to a computer being monitored by Code42.
removable_media_partition_idstringIt refers to a unique identifier assigned to a specific partition on a removable storage device.
removable_media_serial_numberstringIt is an unique identifier for a removable media device
removable_media_vendorstringIt is a term used to describe the manufacturer or vendor of a removable media device.
removable_media_volume_namestringIt refers to the name assigned to a specific partition on a removable storage device.
removed_memberstringIt refers to a user who has been removed from a group or an organization.
removed_member_typestringIt refers to the type of a removed member (user, group, etc.) from a specific resource.
removed_permissionsarrayThe permissions that were previously granted to an individual or group have been revoked or removed.
removed_rolestringIt refers to a role that was previously assigned to a user or group, but has since been removed.
removed_role_namestringIt refers to the name of a specific role that has been removed or revoked from a user or group.
removed_usersarray
reply_toarrayIt refers to the IP address or domain name that a server should direct replies to a specific communication to.
reportstring
reporterstringIt refers to the source of the log or event data that is being analyzed.
repository_namestring
reputationstringIt refers to a score assigned to an IP address, URL, or file, indicating the perceived level of risk associated with it.
request_bindingstringIt is a security concept related to the process of binding authentication data to the request that is sent between a client and a server.
request_cookiestringIt refers to a piece of data that is stored on the client side and sent to the server in subsequent requests.
request_typestringIt is one of the properties of the event that provides information about the type of request made by the client.
requested_appstringIt refers to the application or resource that a user is attempting to access.
requested_app_idstringIt refers to a unique identifier assigned to a specific application or resource that the user is trying to access.
resourcestringTypically in app-activity activity-type, this is a property of the object the action is taken on. For example, if a user A gives user B permissions on directory C, B would be parsed as object and C as resource.
resource_dirstringThe directory of the resource.
resource_groupstringIt is a logical container for grouping related resources.
resource_idstringIt is a unique identifier for a specific resource.
resource_namestringThe resource name is typically assigned by the user when the resource is created and it can be used to identify the resource in various services
resource_pathstringIt refers to the location of a resource within the Azure environment.
resource_typestringIt refers to the type or category of a specific resource
resp_bytesnumberIt is a field that represents the size of a response packet in bytes.
resp_ccstringIt is a field that represents the country code of the origin of a response packet.
resp_pktsintegerIt is a field that represents the number of response packets sent in response to a network request.
responder_packetsintegerIt refers to the number of packets sent by the responder in a network communication.
responsestringIt refers to the information that is returned in response to a request or command.
response_sizenumberIt refers to the size of the response that is sent from a server to a client in bytes.
response_timedatetime
response_ttlstringIt refers to the Time-To-Live (TTL) value that is associated with a response packet.
response_typestringIt refers to the type of response received from a device or system when performing an action or issuing a command.
restrict_public_bucketsstring
resultstringDescribes the result of an event's occurrence as parsed (succeeded, failed...)
result_atstring
result_codestringA code indicating the outcome of an activity, e.g. 0x0, 0x1F, success.
result_reasonstringA description of why this result was given.
return_pathstringThe return path of an email message. This may or may not be identical to the sender.
risk_levelnumberIt refers to a security risk rating that is assigned to network traffic based on its content and behavior.
risk_scoreintegerThe calculated risk score between 0 and 100. If UIP is disabled for the subscription, the risk_score will not be present.
rolestringIt refers to a set of permissions and responsibilities assigned to a user or group of users in order to manage and control access to network resources and configurations.
role_arnstringIt is the Amazon Resource Name (ARN) of an AWS Identity and Access Management (IAM) role.
role_definitionstringIt is a blueprint that outlines the specific permissions and actions that can be performed by a role.
role_definition_idstringIt is a unique identifier for a role definition.
role_idstring
role_namestring
role_permissionsarrayIt refer to the set of actions and operations that can be performed by a user with a specific role.
role_typestring
rootingbooleanIt refers to the process of gaining privileged access to a computer system or mobile device.
router_ip_flowstringIt is a type of data source used to collect and analyze network flow data.
router_subnetstringIt is a segment of a network that is assigned to a specific router.
rttstringIt stands for Round-Trip Time and is a measurement of the time it takes for a packet to travel from its source to its destination and back.
rulestringName/identifier of the policy, DLP rule, FW rule or workflow rule that was triggered, applied, or violated in the activity.
rule_actionstringIt is a term used to describe the action that is taken when a specific security rule is triggered.
rule_countnumberIt refers to the total number of security rules defined in a firewall policy.
rule_descriptionstringIt refers to a brief text description of a particular rule that has been configured in a system.
rule_idstringIt refers to a unique identifier assigned to each security rule defined in a firewall policy.
rule_reasonstringIt refers to the reason or justification for why a particular security rule was triggered.
rule_severitystringIt refers to the level of importance or criticality assigned to a particular security rule.
rule_sourcestringBEAM or CR
rule_typestringIt refer to a type of security rule or firewall rule that is configured in the security firewall.
rule_uidstringIt is a unique identifier assigned to each security rule in the firewall policy.
rule_usecasesarrayIt refers to the specific use cases that a security rule is intended to address.
rulesjsonEmpty rules is a valid case. If BEAM is sending update to fix previous false positive rule trigger event then new rule trigger event will have empty rules and entities with zero risks score.
run_levelstringIt refers to the state or configuration level at which the operating system operates, and is used to manage the behavior and accessibility of the system.
safe_namestringIt is a unique identifier assigned to each Safe (secure repository), which is used to distinguish and organize different Safes within the platform.
safe_valuestringThe name of the safe in which the password is stored
scan_idstringIt refers to a unique identifier assigned to a security scan, such as a vulnerability scan or a web application security scan.
scan_typestringThe type of the scan the product did.
schema_namestringIt refers to the name given to a particular organization of database objects in a database management system, such as Microsoft SQL Server.
schema_versionstringIt refers to a version number assigned to a particular organization or structure of database objects in a database management system.
script_namestringIt refers to the name of a script file (e.g. a .bat, .vbs, .ps1, etc.) that is being executed.
script_typestring
scriptblock_textstringIt refers to the text of a PowerShell script block.
secondary_keystringIt refers to a supplementary key or password used in addition to a primary key to provide an additional layer of security.
secretstring
securedstringIt refers to a feature or setting within the platform that provides security and protection for stored data.
security_criticalityintegerAdded by UIP. Contains the security criticality (Tier1, Tier2, Tier3, N/A) used to assign risk_score. If security criticality or UIP is disabled for the subscription, this will not be present.
security_groupstring
see_alsostringIt refers to a feature or functionality in cyber exposure platform that allows users to access additional resources or related information.
selected_hash_sha256hexadecimalIt is used to identify the specific hash algorithm used to calculate the SHA256 hash value of a file or piece of software.
selected_md5hashhexadecimalIt is used to identify the specific hash algorithm used to calculate the MD5 hash value of a file or piece of software.
senderemailIt is used to identify the source of the email and can be used to filter or categorize incoming email messages.
sense_scorestringIt refers to a metric used in the IBM Watson Discovery service to measure the relevance of a document or piece of content to a particular query.
sense_valuestringIt refers to a value assigned to a specific security event based on the level of risk it poses to the organization.
sensitivity_labelstringThe current sensitivity label ID of the file.
sensorstringIt refers to a software component that is installed on a network to collect and analyze security-related data, such as network traffic and logs, in real-time to detect and prevent cyber-attacks.
sensor_idstringIt refers to a unique identifier assigned to each endpoint device that has the agent installed.
sensor_namestringIt refers to the unique identifier given to a specific instance of a network security device or system within a network.
sensor_onlybooleanIt indicate that the detection and response was done locally on the device, rather than relying on the cloud-based components.
seq_numnumberIt is a numerical identifier of the specific packet within a larger set of data, typically used in network security systems.
sequencestringIt refers to the order in which packets are processed by the firewall.
serial_numstringIt is a unique identifier assigned to a product by the manufacturer.
serverstringA server is a device to centralize resources and provide centralized management, which can make it easier for administrators to manage and maintain their networks.
server_groupstringIn some database solutions (e.g. MS SQL), a server group is a way to organize connections to servers and databases.
server_namestringThe server name the activity operated in
server_ssh_versionstringIt is a string value that represents the version of the SSH (Secure Shell) protocol that the server is running.
server_versionstringIt refers to a string that identifies the version of software or operating system that is running on a server.
service_command_linestringIt refers to the command line arguments or parameters used to start, stop, or manage Windows services.
service_idstringService found for the connection (by the destination port).
service_namestringThe service name the activity operated on
service_start_typestringIt is used by the service installer to indicate whether the new service should be disabled or start automatically or started manually by a user or application.
service_statestringThey are used to determine when event handlers are executed and when notifications are initially sent out.
service_typestringIt specifies the type of service and determines how the service operates, such as whether it runs in the background or interacts with the user interface.
service_type_textstringIt provides a descriptive name for the type of service and determines how the service operates, such as whether it runs in the background or interacts with the user interface.
session_arnstringThe Session ARN (Amazon Resource Name) is a unique identifier that represents a session in the AWS Management Console.
session_daystringIt refers to a field in a log or report that indicates the day of a network session.
session_durationstringIt refers to a field in a log or report that indicates the length of time a network session was active.
session_endstring
session_expirationstringIt refers to the time at which a session will expire and be terminated.
session_hourstringIt refers to a field in a log or report that indicates the hour of a network session.
session_idstringUnique identifier of any session.
session_minstringIt refers to a field in a log or report that indicates the minute of a network session.
session_namestringIt refers to an optional parameter that can be provided when creating a session.
session_secstringIt refers to a field in a log or report that indicates the second of a network session.
session_startdatetime
session_tagstring
set_as_defualtstringIt refers to an option that can be used to set a specific profile as the default profile for a user.
severitystringIt refers to a field in a log or report that indicates the level of importance or criticality of a security event or threat.
shahexadecimalIt refers to the Secure Hash Algorithm, a family of cryptographic hash functions that are widely used for digital signatures.
share_idstringThe id of the sharing link.
share_namestringThe name of the accessed network share, e.g. IPC$, SYSVOL
share_pathstringThe full path of a network share, e.g. D://SYSVOL_DFSR//sysvol
share_typestringType of a network share or for email logs its a type of a sharing link.
sharedstringIndication if the file was shared.
shared_conversation_idstringUnique identifier for a shared conversation thread or chat session
shared_withstringIt refers to a field in a log or report that indicates the recipients or users with whom a file or resource has been shared.
shared_with_atstringIt refers to a field in a log or report that indicates the date and time when a file or resource was shared with specific recipients.
sid_domainstringIt refers to the domain component of a SID, which identifies the domain in which the security principal is defined.
sid_historystringIt refers to a feature that allows the SID of a user or group account to be preserved when the account is migrated from one domain to another.
site_atstringIt refers to a field in a log or report that indicates the location or site at which a specific security event or activity occurred.
site_idstringA unique identifier used to tag and segregate data from different sources within customer environment.
site_namestringThe path of the site an item was stored in cloud or email access events, similar to url path. In physical access events, the name of the physical location.
site_statestringIn physical access events, the state of the physical location. E.g NY.
smartdefense_profilestringIt refers to a configuration setting in Check Point software that defines the level of protection for a specific security policy or rule.
source_connection_idstringIt refers to a log or report entry that provides information about a specific connection, such as the identity of the client device.
source_device_entity_idstringIt refers to the unique identifier of the source device.
source_user_entity_idstringIt refers to the unique identifier of the source user.
spam_scorestringIt refers to a numerical value assigned to an email message, indicating the likelihood that the message is spam or unwanted.
spf_resultstringIndicates if an email is sent from an IP address authorized by the domain's SPF (Sender Policy Framework) record.
sql_countintegerThe number of entries affected by a database operation
src_bucket_arnstring
src_countrystringThe country of the machine from which the activity originated.
src_country_codestringThe country code of the machine from which the activity originated.
src_domainstringIt refers to the source domain of a network connection or event.
src_ds_object_dnstringThe full distinguished name of the source directory service object.
src_ds_object_namestringThe name of the source directory service object
src_ds_object_oustringThe organizational unit of the source directory service object.
src_email_addressemailThe full source email address.
src_email_domainstringThe domain of the source email address.
src_email_folderstringSource email folder in move/copy operations (e.g., Inbox, Sent, Archive, custom folder) for data migration tracking.
src_external_countrystringIt refer to the source external country of a network connection.
src_file_arnstring
src_file_dirstringThe directory of the source file, not including the name.
src_file_extstringThe source file extension. If the file name is myfile.txt, src_file_ext will be txt
src_file_namestringThe name of the source file, not including the path.
src_file_pathstringThe full path of the source file.
src_fqdnstringThe fully qualified domain name (FQDN) refers to a log or report entry that provides information about the source of a connection, such as the hostname and domain name of the device that initiated the connection.
src_group_namestring
src_hoststringThe name of the machine from which the activity originated.
src_host_typestringIt refers to the type of the source host involved in a network connection or event.
src_interfacestringName of the interface associated with the connection origination
src_ipipv4/ipv6The IP of the machine from which the activity originated.
src_ipv6ipv4/ipv6
src_local_hoststringIt refers to the source local host that is being accessed or modified.
src_local_zonestringIt refers to the source local zone or network segment that the asset is located in.
src_locationstringIt refers to the location of the source host involved in a network connection or event.
src_location_areastring
src_location_door_idstring
src_location_fullstring
src_location_idstringIt refers to a unique identifier for the location of the source host involved in a network connection or event.
src_macstringThe source endpoint MAC address.
src_net_statusstringIt refers to the status of the source network involved in a network connection or event.
src_networkstringIt refers to a log or report entry that provides information about the source network, such as its IP address range, subnet, or hostname.
src_network_typestringIt refers to the type of network.
src_network_zonestringIt refers to the network security zone associated with the source network in a network connection.
src_passwordstring
src_portintegerThe source port used in the network communication.
src_process_dirstringThe directory of the process that did the activity.
src_process_idstringThe identifier of the process that did the activity.
src_process_namestringThe name of the process that did the activity.
src_process_pathstringThe path of the process that did the activity.
src_productstringOriginal product for 3rd party alerts and regular events.
src_resourcestring
src_resource_typestring
src_rolestring
src_site_namestringThe path of the site this item was stored in
src_translated_hoststringIt refers to a log that provides information about the translated source host, which may be different from the actual source host.
src_translated_ipipv4/ipv6In NAT situations, the internal assigned IP. This is different from the src_ip which would be the external facing IP. For example, in a VPN connection src_ip is the external, internet routable IP, while src_translated_ip is the internal address assigned to the vpn connection.
src_translated_ipnumstringIt refers to a log or report entry that provides information about the translated source IP address, which may be different from the actual source IP address due to NAT or PAT.
src_translated_portintegerIt refers to the translated source port in a network connection or event.
src_userstringIt refers to the source user or the user who initiated a particular action or event.
src_vendorstringOriginal vendor for 3rd party alerts and regular events.
src_zen_codestring
src_zonestringIt refers to a log or report entry that provides information about the security zone from which a particular network event or traffic flow originated.
src_zone_namestringIt provides information about the source security zone associated with a particular network event, such as the name of the security zone.
ssidstringThe Service Set Identifier (network name) the activity was on.
ssnostringIt refer to the unique 9-digit identification number assigned by the Social Security Administration (SSA) to U.S. citizens and residents for tracking purposes.
start_timedatetimeIt refers to the time that a process or a job was initiated or started to run.
statestringThe name of the State (geographical territory).
status_msgstringIt is a message that provides information about the status or outcome of an operation or request.
storage_accountstringIt is a type of account that provides a scalable and secure data storage solution for unstructured data, such as blobs, files, queues, and tables.
stripped_email_subjectstringStripped email subject
sub_categorystringA subcategory of the log.
sub_domainstringIt is a field that represents the sub-domain portion of a fully qualified domain name (FQDN).
sub_statusstringIt refers to the status of a sub-component or sub-process within a larger security system or process.
subjectstring
subject_sidstringThe SID (Security Identifier) of the subject, should be use subject is not user.
subnetworkstringA subnetwork (also known as a subnet) is a portion of a larger network that is divided for the purposes of network organization and management.
subscription_codestringSubscription code of the customer
subscription_idstringThe subscription ID is a unique alphanumeric string that identifies your product subscription.
subtypestring
suidstringSUID (Set User ID) is a Linux permission attribute for executable files that allows a user to execute the file with the permissions of its owner.
sync_destinationstringIt refers to the location to which data is being synced or backed up.
syscallstringA syscall is a system call, which is a request to the operating system's kernel to provide a specific service, such as allocating memory or creating a process.
syscall_namestringIt refers to the name of a syscall file that is being executed.
syscall_numberintegerA unique integer used to identify a specific system call.
system_architecturestringSystem architecture is the conceptual model and formal description that defines a system's structure, behavior, and the relationships between its components to achieve specific goals and satisfy stakeholder needs.
system_manufacturerstringIt refers to the manufacturer of a device or computer system.
system_typestringIt refers to the classification of a device as a router, switch, firewall, or other network device.
tab_titlestringIt is a term used in the security platform to refer to the title or label of a tab in a user interface.
tab_urlstringIt refers to the URL of the web page that was open in a web browser tab during the time a file was being accessed.
tablestringIt refers to the name of a database table.
table_namestringIt refers to the name of a database table.
tacticstringTactic Name
tactic_keystringTactic Key
tagstringIt refers to a metadata label or keyword assigned to an object or resource to categorize, group, or identify it.
tagsarrayTags are a metadata label assigned to a network communication or an event.
targetstringThe object the activity operated on.
target_domainstring
target_hash_sha256hexadecimalIt refers to a 256-bit Secure Hash Algorithm (SHA-256) that is used to calculate a digital fingerprint or hash value of a target file or system.
target_hoststringThe destination endpoint name.
target_md5hashhexadecimalIt is a field that represents the MD5 hash of a target file in the system.
target_uristringIt refers to the uniform resource identifier (URI) of the target system, application, or resource that is being accessed
task_idstringThe unique identifier of the schedule task the activity operated on.
task_namestringThe name of the schedule task the activity operated on.
TCstringThe Truncation bit specifies that the message was truncated.
tcp_flagsstringThe TCP flags in a tcp communication.
techniquestringTechnique Name
technique_keystringTechnique Key
tenant_idstringIt refers to a unique identifier for a tenant in a multi-tenant architecture, such as in Microsoft's cloud platform, Azure Active Directory.
terminalstringIt is a text-based interface, or a graphical user interface, and is used to submit SQL commands, view data, and perform various other database-related operations.
tgs_service_namestringA service that issues tickets for admission to other services in its own domain or for admission to the ticket-granting service in another domain.
thread_idstringIt refers to a unique identifier assigned to a process or a set of processes running in an operating system.
threat_categorystringThe category of the threat the product detected, as dictated by the vendor.
threat_handledstringIt refers to an event, action or measure taken by a security system to mitigate or eliminate a detected threat.
threat_idstringThe identifier of the threat the product detected, as dictated by the vendor.
threat_levelstringIt refers to a classification of a potential security threat, which determines the severity or urgency of the threat.
threat_typestringIt refers to the category of a detected threat.
threat_urlstringIt refers to the URL or web link that is suspected of hosting malicious content, such as phishing scams or malware downloads.
throttledbooleanIn email access logs it indicates if the number of email that were accessed exceeded a maximum number for a period of time
ticket_encryption_typestringIt refers to the encryption algorithm used to encrypt the security tickets used in authentication between client and server.
ticket_optionsstringIt refers to specific settings or flags that are associated with a Kerberos ticket.
timedatetimeThe time in which the activity occurred.
time_createddatetimeThe time the file was created.
time_modifieddatetimeThe last time the file modified.
time_takennumberIt refers to the amount of time required for a process or operation to complete.
timedoutstringIt refers to whether or not a connection has timed out.
token_issuer_typestringIt refers to the type of security token issuer that is used to generate the token.
top_domainstringRepresents the top-level domain (TLD) extracted from a full domain name. For example, in www.exabeam.com, the value 'com' would be captured in this field.
tracking_idstringis a unique identifier used to track and associate related events and transactions within the system.
traffic_typestring
trans_depthstringThis field allows to track the different layers of protocol encoding used in a network connection.
transactionstringA transaction is a specific set of tasks or operations that are performed in the system to achieve a specific goal, such as creating a new customer or updating an existing one.
transaction_idstringIt refers to a unique identifier assigned to a specific transaction or group of related transactions in a system.
transistive_tagsarray
trigger_entitystringIt refers to an event, alert, or indicator that triggers an investigation or response action within the security information and event management (SIEM) system.
trigger_timedatetimeIt refers to the time when a particular event or action in the system was triggered or initiated.
trigger_typestringIt refers to the type of event or activity that initiates an action or response within the security platform.
triggersstringIt refer to a set of rules or conditions that initiate a specific action when met.
TTLsstringThe caching intervals of the associated RRs described by the answers field.
tunnel_parentsstringIt refers to the parent sessions or connections in which the current session is encapsulated within, forming a tunnel.
tunnel_protocolstringIt refers to the protocol used to encapsulate the original network traffic, which is often encrypted and transmitted over another network.
typestringIn case of security alert, this would be the alert type. in case of correlation rule: use case of the correlation rule
uac_statusstringIt refers to the status of User Account Control (UAC) in a Windows operating system, which is a security feature that helps prevent unauthorized changes to the system.
udidstringIt refers to the Unique Device Identifier, a code that identifies a specific device in the Cisco system.
uristringThe full URI of the web page.
uri_pathstringThe URI path of the web page.
uri_querystringThe query in a URI in of a web page.
urlstringThe URL of a web page.
url_countintegerNumber of urls in the email
usb_serial_numberstringIt refers to the unique identifier of a USB device connected to a computer.
usb_vendorstringIt refers to the identifier of the vendor of a USB device.
userstringThe user name of the user that did the activity.
user_agentstringThe user-agent in a web activity.
user_agent_clientstringIt refers to the client software or application that is used to access a web service or resource.
user_arnstringIt refers to the Amazon Resource Name (ARN) of a user.
user_dnstringIt refers to the distinguished name (DN) of a user.
user_group_namestringThe groups the user belongs to.
user_idstringThe generic unique identifier of the user.
user_infostringIt refers to information about a specific user, such as their name, username, and other relevant details.
user_oustringThe directory service organizational unit of the user.
user_privilege_categorystringIt refers to the 3rd-party assigned privilege category for the user.
user_privilege_levelnumberIt refers to the 3rd-party assigned privilege level for the user.
user_sidstringThe SID (Security Identifier) of the user.
user_threat_certaintynumberIt refers to the 3rd-party assigned threat certainty for the user.
user_threat_levelnumberIt refers to the 3rd-party assigned threat level for the user.
user_typestringThe type of the user.
user_uidstringIt refers to a unique identifier assigned to a user account.
user_uidsstringIt is a field that represents the unique identifier for a user.
user_upnstringUPN (User Principal Name) is a unique identifier for a user in Microsoft's Active Directory.
user_urlstringIt refers to the URL to the application user page of the user.
userdatastring
usersarrayIt refers to the individuals who have access to the security systems and services provided by them, such as firewalls, VPNs, and other security solutions.
vault_entity_idstringIt is a unique identifier for an entity in Vault.
vendorstringThe vendor context element.
vendor_idstringIt is a unique identifier assigned to a vendor.
vendor_namestringIt refers to the name of the manufacturer of the device that is being backed up or monitored.
versionstringThe version of the monitoring program.
virtual_station_namestringIt refers to the name assigned to a virtual station (VSTA) in a wireless LAN (WLAN) network.
virus_namestringIt refers to the name assigned to a specific malicious software that has been detected by antivirus software.
vm_host_namestring
vm_pool_namestring
vm_sizestringIt refers to the size or type of a virtual machine (VM) in terms of the amount of memory, CPU, and storage resources it is allocated.
vm_template_namestring
volume_devicestring
volume_sizestring
volume_typestring
volume_zonestring
vpcstringIt stands for Virtual Private Cloud, it is a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network.
vpn_clientstringIt is a secure VPN connection that allows remote workers or third-party contractors to connect to the company's network securely, using their own device.
vpn_client_typestringIt refers to the type of VPN client software that is used to establish a secure connection to a remote network.
wazuh_managerstringIt refers to the central manager component responsible for managing agents, rules, and alerts.
web_content_typestringThe classification of a file or data transmitted on the web
web_domainstringThe full domain with the subdomain. Egs. gmail.google.com.
wifiapstringIt refers to a Wireless Access Point, a device that allows wireless devices to connect to a wired network using Wi-Fi.
workspace_idstringUnique identifier of a workspace. A workspace is a shared environment that organizes users, resources, permissions, and activity under a single administrative boundary.
workspace_namestring
ZstringA reserved field that is usually zero in queries and responses.
zonestringIt refers to a distinct and isolated environment for running applications, processes, and/or services.
zone_idstringIt refers to a unique identifier assigned to a zone in a network.