XDR_DATA Fields

Cortex XQL Schema Reference Guide

Last date published: 2024-02-06
This section lists all of the xdr_data dataset fields in alphabetical order.

Each entry below gives the columns of the original table in order: Field Name, Mode, Data Type, then (for RECORD fields) the nested field's mode, name, and data type (Fields mode, Fields name, DATA TYPE), followed by Description, Suffix, and Guid.

_insert_time

INTEGER

System field: The time the data entry was added to the system.

_product

STRING

System field: The data product as ingested from the data collector.

_raw_json

RECORD

System field: All raw data as ingested from the data collector in a JSON format.

_raw_log

STRING

System field: All raw data as ingested from the data collector in a text format.

_time

INTEGER

System field: Data entry's timestamp. If unknown, then the time the data entry was added to the database.

_vendor

STRING

System field: The data vendor as ingested from the data collector.

action_threat_ids

NULLABLE

STRING

Threat IDs

additional_info

STRING

Additional information for any event that occurred (GlobalProtect).

agent_content_version

NULLABLE

STRING

The agent content version.

84e69d7f-1bb1-440e-96ef-e33a226b1bc6

agent_external_ip

STRING

External IP of the agent reporting this event.

agent_host_boot_time

NULLABLE

INTEGER

Last time this host was started, in epoch time.

57f0073a-5d70-4687-8c2d-639a624fb83e

agent_hostname

NULLABLE

STRING

Hostname of the agent.

06f5c068-783e-4de4-a663-8a6269cc810b

agent_id

NULLABLE

STRING

A unique identifier per agent.

aa54fbd3-0f87-41f2-8085-e11ab5744a45

agent_install_type

NULLABLE

INTEGER

Agent installation type with the following possible values:
0 - Standard agent
1 - Virtual Desktop Infrastructure (VDI) instance
2 - Virtual Desktop Infrastructure (VDI) golden image
4 - Temporary session
5 - Light agent

d6cf4039-88f9-4c55-b9fc-b3c876eb9e8e

agent_interface_map

REPEATED

RECORD

NULLABLE

mac

STRING

Agent interface maps (IPs and MAC).

Use to_json_string prior to filtering/altering this field.

2abe69eb-c3a2-4179-a270-d901502fbcc5

agent_ip_addresses

NULLABLE

STRING

All IPv4 interface addresses.

f93f5ac1-4e96-4528-988e-668e11c8977b

agent_ip_addresses_v6

NULLABLE

STRING

All IPv6 interface addresses.

82703e92-dac3-4fb9-9d3c-9d30028ea482

agent_is_vdi

NULLABLE

BOOLEAN

Indicates whether or not the agent is a VDI agent.

bf3a4fa6-0733-4bc9-b5fd-7dc3eb10cd78

agent_mac_addresses

RECORD

MAC addresses assigned to all interfaces for this agent.

agent_os_sub_type

NULLABLE

STRING

A lengthier description of the operating system (OS) type.

a729cc70-7828-4d93-8291-1e1ad5d7a102

agent_os_type

NULLABLE

INTEGER

Windows = 1
MacOS = 2
Linux = 4

014a02d1-6dd3-4012-9648-901c03a46041

agent_request_time

agent_session_start_time

NULLABLE

INTEGER

Indicates when the agent was started.

a6bb9811-51d4-4c8d-a919-0244f7df1e64

agent_status_component

NULLABLE

STRING

Gives the name of the endpoint detection and response (EDR) filter that was updated.

a39f15b9-19dc-4e6e-8512-d46349816987

agent_version

NULLABLE

STRING

The agent version.

d444eb9e-2e68-4d16-8f94-9d361da4478d

associated_event_ids

REPEATED

STRING

47370d98-8d77-40c7-9d8a-9254cb9470f1

associated_mac

NULLABLE

STRING

Associated MAC addresses.

fbdb1c35-7078-4a95-91ea-2b14f8080ee0

association_strength

NULLABLE

INTEGER

Indicates whether an agent_id includes an associated value using this enum mapping:
10 IP Address
20 MAC
30 Hardware ID
35 Collector ID
40 Agent ID
45 Collector Event Data
50 Event Data

61b8698c-29fb-4397-93fb-3af22b50785b

auth_client

NULLABLE

STRING

The client-side host.

aa25959d-60b4-4d80-bffa-c0b0f79a585c

auth_client_type

NULLABLE

STRING

Type of device that the client operated from, such as a computer.

0a3bf15b-64be-41f2-9186-0ba206b78710

auth_correlation_id

NULLABLE

STRING

Identifies events from separate sessions that occurred together as part of an operation.

819ac500-707e-4e86-ac02-1975f45a1d53

auth_domain

NULLABLE

STRING

User-side domain name.

bec98d47-bb6b-4d90-9c8f-a104bf1cd2e0

auth_identity

NULLABLE

STRING

Client-side identification.

1c754044-663e-49fe-8f93-d961ed83e035

auth_identity_display_name

NULLABLE

STRING

Display name of the authentication actor.

63c64e85-6d21-4d6c-9574-454a638eb298

auth_identity_id

STRING

Identity \ Principal ID

auth_identity_sid

STRING

Identity SID

auth_is_interactive

NULLABLE

BOOLEAN

True: Interactive sign-ins, where a user manually signs in using their username and password.
False: Non-interactive sign-ins, such as a service-to-service authentication.

993192ae-62f0-4066-a9e5-22ae4ccba96f

auth_method

STRING

Authentication method, such as publickey or password.

auth_mfa_needed

BOOLEAN

Indicates whether or not multi-factor authentication (MFA) is required.

auth_normalized_user

RECORD

Normalized user information.

auth_outcome

NULLABLE

STRING

Authentication attempt outcome as either "success", "fail", "unknown", "SKIPPED", "ALLOW", "DENY", or "CHALLENGE".

33bd427b-62f4-49bf-8c4d-cdd71aacbe65

auth_outcome_reason

NULLABLE

STRING

Event success status description.

feaa721d-4652-49e0-b112-a5062da5d681

auth_server

NULLABLE

STRING

Server-side host.

6cb27380-2f52-47bd-8d6f-82f728a8d868

auth_service

NULLABLE

STRING

Authentication service name.

28fd922d-32be-4263-82d6-eedf48ec558a

auth_service_sid

STRING

Service SID

auth_target

NULLABLE

STRING

Authentication target host.

b2ce7290-c880-419e-a2c3-9a3721ab1729

auth_target_id

STRING

Target \ Resource ID

azure_ad_resource_display_name

NULLABLE

STRING

Display name of the Azure AD resource (authentication server).

c28136f0-9a60-49b3-8522-ac4b52c48af9

azure_ad_resource_id

STRING

Resource ID

azure_ad_resource_tenant_id

STRING

Resource tenant ID.

azure_authentication_info

azure_authentication_risk_info

backtrace_identities

RECORD

NULLABLE

start_time

INTEGER

Use to_json_string prior to filtering/altering this field.

85673276-4567-4548-adb9-efd2f7329e79

cef_device_product

NULLABLE

STRING

Extracted CEF product.

d30c714b-9038-4680-af2e-281da2661573

cef_device_vendor

NULLABLE

STRING

Extracted CEF vendor.

27c48749-714b-4f8e-9ef0-807bd3619559

cef_device_version

NULLABLE

STRING

Extracted CEF device version.

8262db39-e5b2-40b0-a8e4-45b2807e2d47

cef_extension

NULLABLE

STRING

Extracted CEF extension.

bbb20bfa-3f1f-4725-86d8-0557b1d815c2

cef_severity

NULLABLE

STRING

Extracted CEF severity.

07fe935e-c18b-4211-a2c1-4946259d4383

cef_signature_id

NULLABLE

STRING

Extracted CEF signature ID.

2cb85a37-4bff-4950-914c-eaaee546299c

cef_version

NULLABLE

INTEGER

Extracted CEF version.

794493be-e4ac-4bd8-8011-537839243673

checkpoint_vpn_data

cisco_vpn_data

client_version

INTEGER

The endpoint's GlobalProtect version.

client_version_str

clipboard_data_size

INTEGER

Size of the copied clipboard data.

clipboard_data_type

INTEGER

Clipboard format of the copied data, such as CF_UNICODETEXT or CF_BITMAP.

clipboard_source_iid

STRING

IID of the source process of the copied data.

cloud_entity

RECORD

Cloud provider information on the source IP of the activity.

customerId

NULLABLE

STRING

Extracted customer ID.

75676967-8a5b-4e27-80dc-18769d30ed75

device_id

RECORD

device_name

dfe_labels

REPEATED

STRING

Story label

1598c0b5-f9e7-47af-a5f5-670cb84ca851

directionality_strength

dns_query_items

RECORD

List of all the request items (name and type).

dns_query_name

NULLABLE

STRING

DNS request name.

44b0738c-3fce-4e2f-8630-5096296df90e

dns_query_name_domain_randomness

RECORD

Domain randomness score.

dns_query_type

NULLABLE

STRING

DNS query type.

3efbc655-b258-4ba9-94ad-13082cee69bd

dns_reply_code

NULLABLE

STRING

0 -> No error
1 -> Format Error
2 -> Server Failure
3 -> Non-Existent Domain
4 -> Not Implemented
5 -> Query Refused
6 -> Name Exists when it should not
7 -> RR Set Exists when it should not
8 -> RR Set that should exist does not
9 -> Server Not Authoritative for zone
10 -> Name not contained in zone
16 -> Bad OPT Version
16 -> TSIG Signature Failure
17 -> Key not recognized
18 -> Signature out of time window
19 -> Bad TKEY Mode
20 -> Duplicate key name
21 -> Algorithm not supported
22 -> Bad Truncation

65f66d8e-043f-4eee-8aff-43c114e43b10

dns_reply_codes

RECORD

DNS reply codes for the DNS query.

dns_resolutions

REPEATED

RECORD

NULLABLE

name

STRING

DNS resolutions for query. Comprised of the Resource Record name, type, and value for each resolution item.

Use to_json_string prior to filtering/altering this field.

107b2bbc-6fa1-4a3d-8cd5-4434ed5229fc

dst_action_as_data

RECORD

ASN data from the destination of the network activity.

dst_action_boot_time

NULLABLE

INTEGER

Destination computer boot time, in milliseconds since the epoch.

27b81411-87fc-4376-a9cb-59f4eebc496f

dst_action_country

NULLABLE

STRING

Destination country of the action.

ca5d020d-db48-448d-9612-ccbe2dcf4510

dst_action_external_hostname

NULLABLE

STRING

The hostname Cortex XDR/XSIAM connects to. For a proxy connection, this value differs from the action_remote_ip.

4b63a3e1-d3a5-4694-8e35-25725f597438

dst_action_external_hostname_domain_randomness

RECORD

Domain randomness score.

dst_action_external_port

NULLABLE

INTEGER

The port Cortex XDR/XSIAM connects to.
For a proxy connection, this value can differ from the action_remote_port.

9661aaef-f630-4344-9dfb-616659d34a1d

dst_action_location

RECORD

Geolocation information of the destination IP.

dst_action_powered_off

NULLABLE

BOOLEAN

True, if the computer is powered off, such as suspend or hibernate.
False, otherwise.

3ea7a599-dbf3-458a-abb0-58a9827c147f

dst_action_url_category

STRING

Next-Generation Firewall (NGFW) URL category.

dst_action_user_agent

NULLABLE

STRING

The user agent used by an actor to perform an action.

8e7017d3-3d11-4cd7-b4c8-556052feead5

dst_action_user_is_local_session

NULLABLE

BOOLEAN

Indicates whether the user logged in locally or from a remote computer.

78e615ed-61be-4d28-bef3-94945abd3850

dst_action_user_session_id

INTEGER

Session ID of the action.

dst_action_user_status

NULLABLE

INTEGER

Same as the event sub-type.

0a34e458-323c-447b-a817-bb76a7f045fb

dst_action_user_status_sid

NULLABLE

STRING

Security identifier (SID) of the user.

d5f719b0-9e0e-4f65-98d3-d311105c2681

dst_action_username

NULLABLE

STRING

Name of the destination user.

77b2b962-b100-4db2-a288-90144851e036

dst_agent_content_version

NULLABLE

STRING

Agent content version.

665bd9d6-3597-411e-815d-254fa91d3186

dst_agent_external_ip

STRING

The IP address from which the destination agent reported this data.

dst_agent_host_boot_time

NULLABLE

INTEGER

Host boot time in epoch time.

6733a2d3-0f82-4ac0-b708-4067f3981c46

dst_agent_hostname

NULLABLE

STRING

Agent hostname

e82b370b-04e5-49e8-8858-64dfa86b8b7f

dst_agent_id

NULLABLE

STRING

Agent ID

d0d3ad41-c5a9-445a-9e31-f758be7ee7a2

dst_agent_install_type

NULLABLE

INTEGER

Type of agent installation:
0 - Standard agent
1 - VDI instance
2 - VDI golden image
4 - Temporary session
5 - Light agent

c7818623-9d74-43cc-8d88-1f6df580c4ae

dst_agent_interface_map

REPEATED

RECORD

NULLABLE

mac

STRING

Agent interface maps (IPs and MAC).

Use to_json_string prior to filtering/altering this field.

2c58fa1c-3bba-4261-8bd9-e04b11f4e038

dst_agent_ip_addresses

NULLABLE

STRING

Agent IPv4 addresses.

bf352b71-c062-417e-9914-45816b5f9516

dst_agent_ip_addresses_v6

NULLABLE

STRING

Agent IPv6 addresses.

6c6b15e9-712d-476d-baab-2aea8ff40e1e

dst_agent_is_vdi

NULLABLE

BOOLEAN

Indicates whether or not the agent is a VDI installation.

3a86b3fb-e087-4663-a074-aca4929a01b6

dst_agent_os_sub_type

NULLABLE

STRING

A lengthier description of the Operating System (OS) type.

31d97851-265e-4d77-b2aa-95ba1f98ce0d

dst_agent_os_type

NULLABLE

INTEGER

Agent Operating System types:
Windows = 1
MacOS = 2
Linux = 4

9a5c87a2-9717-4a91-8ccb-d0ce2ea9abf9

dst_agent_request_time

dst_agent_session_start_time

NULLABLE

INTEGER

When the agent was started.

31dbccdb-1f0b-4ed6-afa1-21b7d5db1479

dst_agent_status_component

NULLABLE

STRING

8aa4a148-9322-454f-b0c2-a4eb390e4d43

dst_agent_version

NULLABLE

STRING

Agent version

f5243c1d-d146-4169-a8eb-28dba67eeca4

dst_associated_mac

NULLABLE

STRING

Associated MAC address.

940cbc1a-428b-4c7b-9c64-2f143505665a

dst_association_strength

NULLABLE

INTEGER

Specifies whether an agent_id includes an associated value, using this enum mapping:
0 = No association
10 = IP Address
15 = Kerberos
20 = MAC
30 = Hardware ID
35 = Collector ID
40 = Agent ID
45 = Collector Event Data
50 = Event Data

b1c8f3ce-0bed-41fa-b85d-46b13ea5960e

dst_causality_actor_primary_normalized_user

RECORD

A normalized user for the causality chain.

dst_cloud_entity

RECORD

Cloud provider information on the destination IP of the activity.

dst_device_id

dst_event_utc_diff_minutes

NULLABLE

INTEGER

The difference in minutes of the original timestamp from UTC, which identifies the agent's original time zone.

d2863e23-0369-448e-b9ff-330703a9886f

dst_host_metadata_domain

NULLABLE

STRING

Domain of the host.

01381981-fd2f-47ab-9237-412f37ed3e18

dst_host_metadata_hostname

NULLABLE

STRING

Hostname

d6b76dc4-4127-45af-968d-56be4eae2ead

dst_host_metadata_interface_map

RECORD

NULLABLE

is_ipv6

BOOLEAN

Agent interface maps (IPs and MAC).

0ebfd96b-f635-42f0-a16b-f38c5e5c3185

dst_is_internal_ip

NULLABLE

BOOLEAN

Indicates whether or not the source IP is outside the private range.

635fde57-e894-41d7-8807-15dbd12c6c7f

dst_mac

NULLABLE

STRING

MAC address

9141a415-7a17-4fb2-a796-5bc50209b34b

dst_manifest_file_version

NULLABLE

INTEGER

de18a0e4-9457-4160-8385-b4754b2ad026

dst_tcp_flags

NULLABLE

INTEGER

TCP flags

00c50d66-1ee4-4cbb-bea9-4e91f7564a38

dst_trapsId

NULLABLE

STRING

DEPRECATED

0416e5bd-5154-4276-b7c6-d6c1c8ea9a0c

dst_ttl

NULLABLE

INTEGER

The closest time-to-live (TTL) preceding / following the sensor.

62e1e4e1-83b8-4232-aa94-acab6c037468

dst_user_id

NULLABLE

STRING

Windows: Primary user token of the executed binary.
Unix: Effective UID of the executed binary.

9edb01a3-3430-46ec-bed9-dacf62084062

dst_xdr_pro_lite

BOOLEAN

Indicates whether or not the destination agent is running XDR Pro (not XTH).

dynamic_event_int_map

RECORD

DEPRECATED

dynamic_event_string_map

RECORD

Same as dynamic_event_int_map, but with string values.

event_address_code_symbol

NULLABLE

STRING

1e971731-79f4-4957-93f4-7c317d7e1fd8

event_address_mapped_image_path

NULLABLE

STRING

Windows: DLL path for the address (in process address-space) this event refers to. For example, in thread-start events, this is the path of the DLL the thread was started in.

bb03b48c-3fc6-4661-9921-f6e5b7c9ca24

event_allocation_base_shellcode_buffer

STRING

Hexlified buffer of shellcode at the base of the allocation of the event associated buffer.

event_call_region_base_address

INTEGER

Call region base address related to the event.

event_call_region_shellcode_buffer

STRING

Hexlified buffer of shellcode at the call region.

event_causality_mark_of_cain

INTEGER

Indicates whether a security event, such as BTP and static analysis, was raised in this causality.
kNotification (1) - A security event has occurred and has NOT been prevented.
kPrevention (2) - A security event has occurred but was (partially or fully) prevented.

event_direct_syscall_ip_mapped_file_path

STRING

When the event is a direct syscall, this field contains the DLL that the syscall originated from.

event_id

NULLABLE

STRING

Event identifier

ea767a96-53d5-4657-9d64-5ed5d4abab2a

event_impersonation_status

NULLABLE

INTEGER

This is equivalent to the event_is_impersonated field, but sometimes the status is unknown. The other field can't account for this as it's a boolean field.
Unknown = 0
Impersonated = 1
Not-Impersonated = 2

3ccdc67d-4b78-46ff-82a2-318c271f6df3

event_invalidity_field

NULLABLE

STRING

Set by the preprocessor when it detects that an event is invalid: the name of the field that caused the event to be invalid.

3e381793-f8a0-4d1f-be96-7911c2cbb9ea

event_is_boot_replay

BOOLEAN

A boolean value that is true during the first replay.

event_is_duplicated_replay

BOOLEAN

A boolean value that is true if the event was already sent before and another replay sends this event again.

event_is_impersonated

NULLABLE

BOOLEAN

Windows: Indicates whether or not the thread performing the event is impersonating.

921da9e2-83de-401c-9238-a2138c8d9251

event_is_replay

NULLABLE

BOOLEAN

Indicates whether or not the event is part of the system state replay sent when the agent is started.

a1678455-14d9-46c0-af8e-65f83520a396

event_is_simulated

NULLABLE

BOOLEAN

Indicates whether or not this event was simulated by the TMS.

9ada670f-82f0-43b0-b369-041d73b33060

event_page_base_shellcode_buffer

STRING

Hexlified buffer of shellcode at the base of the page of the event associated buffer.

event_resolved_stack_trace

STRING

Stack trace related to the event.

event_rpc_func_opnum

NULLABLE

INTEGER

Integer identifying the function being called.

6e5400cb-9047-4a5e-a685-ad6cd9953406

event_rpc_interface_uuid

NULLABLE

STRING

UUID identifying the interface.

7ea24ed3-5290-4381-ade9-8ad1c495aadb

event_rpc_interface_version_major

NULLABLE

INTEGER

Major version of the remote procedure call (RPC) interface.

cf2de39a-7fa7-4360-a2d0-42d2aec41115

event_rpc_interface_version_minor

NULLABLE

INTEGER

Minor version of the remote procedure call (RPC) interface.

ce1de143-d88d-4924-a0b0-3da877d9dc2c

event_rpc_protocol

NULLABLE

INTEGER

Enum representing the remote procedure call (RPC) protocol:
LocalRpc (ALPC port) = 0
Tcp = 1
NamedPipes = 2
Http = 3

aa49eedb-eca8-4fc6-82ff-5450e64a325f

event_shellcode_address

INTEGER

The address of the shellcode in the usermode callstack.

event_source_bitmask

INTEGER

Bitmask of the sources involved in producing the event:
Simulated - 0x01
Kernel-Module - 0x02
EBPF - 0x04
Fanotify - 0x08
Path-Resolved - 0x10

event_sub_type

NULLABLE

INTEGER

This field is updated based on the event type defined in the event_type field. For each event type, there are multiple event sub types.
To see the possible values for the event_type and event_sub_type, create an XQL query with a filter stage, which autocompletes the values.

8a7bc09b-680c-4800-b85a-318698dc5ab3

event_thread_context

STRING

A string representing a JSON array containing thread specific context.
Note: From XDR agent 8.2, this field is only relevant for office macros.

event_timestamp

NULLABLE

INTEGER

Integer indicating when the event occurred.

1e2ba17f-79e6-4395-be65-d5e0aa2df5a7

event_timestamp_original

INTEGER

Event timestamp in epoch time.

event_type

NULLABLE

INTEGER

A unique identifier of the event type:
Process = 1
Network = 2
File = 3
Registry = 4
Injection = 5
LoadImage = 6
UserStatusChange = 7
TimeChange = 8
Thread = 9
Causality = 10
HostStatusChange = 11
AgentStatusChange = 12
InternalStatistics = 13
ProcessHandle = 14
WindowsEventLog = 15
EpmStatus = 16
MetadataChange = 17
SystemCall = 18
Device = 19
HostFirewall = 23

3b706262-e30b-46eb-9dbc-11ba0371cdbf

event_user_presence

NULLABLE

BOOLEAN

Indicates whether or not there was a physical user presence on the machine.
Windows: The value is "true" if the user session was unlocked during the event.

e4924379-32c9-465a-a6fc-1486250eb5d6

event_user_presence_status

NULLABLE

INTEGER

This is equivalent to the event_user_presence field, but sometimes the status is unknown. The other field can't account for this as it's a boolean field.
Unknown = 0
User not present = 1
User present = 2

eb9db90b-4935-43ce-b290-5ee9c59dcc55

event_user_thread_context_ip

INTEGER

The instruction pointer at the moment the syscall was made.

event_user_thread_context_ip_in_native_ntdll

BOOLEAN

Indicates whether or not the IP in the trapframe when in the middle of a syscall was pointing to ntdll.

event_user_thread_context_is_heavens_gate

BOOLEAN

Indicates whether the user stack pointer was outside the x64 stack limits but inside the x86 stack limits of a WOW64 process.

event_user_thread_context_is_stack_pivot

BOOLEAN

Indicates whether the RSP in the trap frame was outside the thread stack limits.

event_user_thread_context_sp

INTEGER

The stack pointer at the moment the syscall was made.

event_utc_diff_minutes

NULLABLE

INTEGER

The difference in minutes of the original timestamp from UTC.

43ae2b36-e93a-43b5-9aac-51d5441aa8a9

event_validity_enum

NULLABLE

INTEGER

An enum set by the preprocessor when detecting that an event is invalid:
1 - valid
2 - invalid due to future timestamp field.
3 - invalid due to an "old" timestamp field that exceeds the host's boot time.

be0c40a5-1bcb-4d1a-a5d9-28897e93f822

event_version

NULLABLE

INTEGER

Version of the event structure, where each change increases the version.

475f2528-ef0d-48c3-ac87-708265f64fac

event_versions

REPEATED

INTEGER

Event version for this event.

40c5cc76-fc74-4f00-a38f-417c093ef90f

execution_actor_causality_id

NULLABLE

STRING

Causality ID of the parent which executed the terminated process instance.

618b8719-3b86-4666-a187-b9774eac4379

execution_actor_instance_id

NULLABLE

STRING

Instance ID of the parent which executed the terminated process instance.

858cb465-8a7a-41e5-9093-850801aa9b52

facility

NULLABLE

STRING

21034dd8-b730-4b78-909e-2eaea50aa22f

file_data

fw_dst_normalized_user

RECORD

Normalized user information.

fw_identities

NULLABLE

RECORD

DEPRECATED

fw_is_dup_log

NULLABLE

INTEGER

1ed87b45-1a1b-413f-910f-0362366cd321

fw_log_subtypes

REPEATED

STRING

1850d124-f9f4-40fa-9f79-61abdad63e25

fw_log_types

REPEATED

STRING

02941d17-b966-45df-a07a-af71c73d8492

fw_src_normalized_user

RECORD

Normalized user information.

fw_time_generated

NULLABLE

INTEGER

Equivalent to the event_timestamp.

8d06f26d-16c2-4b2e-897e-e4f478e237f0

fw_traffic_flags

NULLABLE

INTEGER

Protocol traffic flags as seen on the Next-Generation Firewall (NGFW).

489aa696-0435-4559-8621-d23b735df90b

generatedTime

NULLABLE

TIMESTAMP

Equivalent to the event_timestamp.

17676554-e72a-4c95-88d8-511c675d7aa5

global_protect_data

hardware_id

STRING

Unique identifier GlobalProtect assigned to the host.

host_metadata_domain

NULLABLE

STRING

Domain of the host.

23348651-0285-40ce-aa2c-013f452d84e9

host_metadata_hostname

NULLABLE

STRING

Hostname

37744e13-7d69-4407-9b32-cdb61541f176

host_metadata_interface_map

RECORD

NULLABLE

is_ipv6

BOOLEAN

Agent interface maps (IPs and MAC).

7f6a3cb5-c2e6-46c4-ac48-6fcf771b6b8e

http_content_type

NULLABLE

STRING

Content-type header of the HTTP traffic.

b5eb84ba-76d6-47f5-af80-6960bfdc1e36

http_data

RECORD

HTTP log data.

http_data_is_trimmed

BOOLEAN

Indicates whether the HTTP data was so long that it was trimmed by the Next-Generation Firewall (NGFW).

http_method

NULLABLE

STRING

0 = UNKNOWN_METHOD
1 = GET
2 = POST
3 = CONNECT
4 = HEAD
5 = PUT
6 = DELETE
7 = OPTIONS

d2781d6a-eae5-47e6-b829-cb0951f24c21

http_referer

NULLABLE

STRING

HTTP Referer header.

fad9141f-0977-461a-ac60-9de81954b0ff

http_req_before_method

NULLABLE

STRING

2585c9a5-5468-45bc-aff4-d8c14a6a6431

http_req_content_type_header

NULLABLE

STRING

HTTP content type header.

92ba7c0c-0883-4078-aaf6-b56ea673e307

http_req_host_header

NULLABLE

STRING

HTTP host header.

ec782f74-8811-4ac3-8f95-c3975e6f1b8b

http_req_referer_header

NULLABLE

STRING

HTTP Referer header.

9a1e92eb-df3f-4370-a46f-91cae4ba9dd7

http_req_uri

NULLABLE

STRING

HTTP request URI.

d55a0eed-f238-4877-b465-0c9f66663153

http_req_user_agent_header

NULLABLE

STRING

HTTP user agent header.

14900f01-5306-4f9a-aee0-d2405f268a7f

http_rsp_code

NULLABLE

INTEGER

HTTP response code.

28dbff3c-c130-418f-8988-b39e24a57732

http_rsp_content_type_header

NULLABLE

STRING

HTTP response content type header.

fcee5d48-7a23-4e46-9528-96c71005c0ba

http_rsp_filename

NULLABLE

STRING

HTTP response filename.

81b44acf-d43d-450b-b777-8e1ec169e60c

http_server

NULLABLE

STRING

HTTP server

085ebba5-ff0b-4bdb-b7be-0a2d80fbc9df

http_status_code

NULLABLE

INTEGER

HTTP status code.

4d35a17a-6756-4ad5-8dd2-210392780001

hwnd

INTEGER

The foreground window.

icmp_code

NULLABLE

INTEGER

ICMP protocol request code.

24a88ede-ca0a-46dd-81b4-2c53d2b78e35

icmp_original_length

NULLABLE

INTEGER

Internet Control Message Protocol (ICMP) payload length.

icmp_type

NULLABLE

INTEGER

ICMP protocol request type.

12e0300f-cfd1-4927-aef6-59b3c7d395bd

insert_timestamp

NULLABLE

TIMESTAMP

Ingestion timestamp

System field: the time the entry was inserted into the system.

304a1166-cded-4bb9-83f1-3dbf18f4fe3c

is_disintegrated

NULLABLE

BOOLEAN

Indicates whether or not the story was disintegrated.

e45ebf75-3b28-4e56-a133-11e46973fac4

is_internal_ip

NULLABLE

BOOLEAN

Indicates whether or not the source IP is outside the private range.

46a590ab-416e-4107-b85b-59e5a4d5fc0c

krb_tgs_data

NULLABLE

RECORD

NULLABLE

is_machine_account

BOOLEAN

Kerberos Ticket Granting Service (TGS) log data.

Use to_json_string prior to filtering/altering this field.

e1873ca8-d1cf-4ce3-b6f8-8a20ac82e8ea

krb_tgt_data

NULLABLE

RECORD

NULLABLE

is_machine_account

BOOLEAN

Kerberos Ticket Granting Service (TGS) log data.

Use to_json_string prior to filtering/altering this field.

5d8a14b3-0cc2-43aa-9b71-e1d49a3c6a8d

ldap_data

RECORD

LDAP log data.

login_data

RECORD

Windows Event Log login data.

login_data_dst_normalized_user

RECORD

Destination user CIE resolution information.

login_data_dst_outbound_normalized_user

RECORD

Destination outbound user DSS resolution information.

login_data_src_normalized_user

RECORD

Source user CIE resolution information.

non_standard_dport

NULLABLE

INTEGER

This field is a boolean represented as an integer. Indicates whether or not the destination port is a non-standard port based on Next-Generation Firewall (NGFW) logic.

b87ba8cf-dd16-424f-80b2-abf5cdeb58b6

ntlm_auth_data

RECORD

NTLM log data.

one_login_data

other_json

DEPRECATED

packet

STRING

Packet payload excluding the TCP/IP header.
Only valid for event_sub_type = 17 (raw_data).

related_alerts

serverTime

NULLABLE

TIMESTAMP

Timestamp of the event displayed on the server side.

87c97c1c-7cdb-46f9-8842-bb1efa5d2380

ssl_data

RECORD

SSL log data.

ssl_req_chello_sni_sample

NULLABLE

STRING

SNI domain obtained from SSL protocol parsing.

38537c19-8818-4d65-bb74-5400f7ce9178

sso_debug_data

NULLABLE

STRING

Okta debug info, which includes protocol information, URIs, and more.

c6c5d07f-edcf-48aa-bd2d-83f5c10fbac3

sso_display_message

NULLABLE

STRING

Single Sign-on (SSO) event description.

63c08dca-1956-4118-a70b-0db1dbf940e6

sso_event_type

INTEGER

Single Sign-On (SSO) event type as obtained by the original SSO provider.

sso_severity

NULLABLE

STRING

Severity as reported: DEBUG, INFO, WARN, ERROR

16239d41-6e8b-4302-9ddf-fe24b14d46b6

story_id

NULLABLE

STRING

ID of the story.

26e90e20-3313-4847-a47d-240351515f1a

story_id_original

DEPRECATED

story_publish_timestamp

NULLABLE

INTEGER

Story publishing timestamp in epoch time.

1657404e-1526-4230-b79c-98eabcc99cd8

story_version

NULLABLE

FLOAT

Story version

a46672eb-074c-47ee-a277-e2c90cf58ed9

syscall_action_etw_based

NULLABLE

BOOLEAN

Indicates whether or not the syscall collected is from Windows ETW.

04fea6c7-f5fb-4d68-aaee-e237c817709b

syscall_action_int_params

NULLABLE

STRING

Integer parameters from syscalls in a JSON format.

afb916cf-9023-4322-beb2-cc594acb5272

syscall_action_stack_ptr

NULLABLE

STRING

2b61094c-29bd-4f4e-91ad-2e469548e077

syscall_action_string_params

NULLABLE

STRING

String parameters from syscalls in a JSON format.

372b4a9e-be86-482b-b4fc-00c3fb3f2c12

tcp_flags

NULLABLE

INTEGER

TCP Flags

cc39832e-8eca-4800-922f-b4b239e7c34f

title

STRING

Title of top_level_hwnd.

top_level_hwnd

INTEGER

The top level window of the foreground window.

trapsId

NULLABLE

STRING

DEPRECATED

1f4198d4-c20b-40f9-9362-11aa667300f9

ttl

NULLABLE

INTEGER

IP Protocol time-to-live (TTL) obtained from the source.

c7484032-350b-4b66-9afc-68c9796dbe72

tunnel_type

STRING

The type of tunnel.

uri

NULLABLE

STRING

Threat URI

cc9bfa66-b8f6-4859-b8cd-2f7c785be0d7

user_generic_value1

INTEGER

A bitmap that can be set in the YAML.
The first bit indicates whether an operation is in the GUI or not.

user_generic_value2

INTEGER

An integer that can be set in the YAML.
It is used to indicate Yara rule IDs for windows web shells.

user_id

NULLABLE

STRING

Windows: User SID
Unix: UID

3e1fd7ed-06bf-4934-a189-9b877125418b

uuid

NULLABLE

STRING

Equivalent to the 'event_id'.

e467d039-de98-4c13-9f9b-54a26c6f02b0

vendor

NULLABLE

STRING

Log vendor

vpn_event_description

STRING

The name of the GlobalProtect event.

vpn_server

STRING

VPN server name or IP.

vpn_service

STRING

VPN service name.

xdr_pro_lite

BOOLEAN

Indicates whether or not the agent is XDRProNG and sends fewer events.

zip_id

NULLABLE

STRING

DEPRECATED

bca4c5a2-a640-49bc-bbbe-b327008c7988

zscaler_vpn_data