This section lists all of the xdr_data dataset fields in alphabetical order. Mode is given only where the source specifies it (NULLABLE or REPEATED); RECORD fields that carry a documented sub-field show it in the Notes column, together with the to_json_string advice that applies to them.

| Field Name | Mode | Data Type | Description | Notes | GUID |
|---|---|---|---|---|---|
| _insert_time | | INTEGER | System field: the time the data entry was added to the system. | | |
| _product | | STRING | System field: the data product as ingested from the data collector. | | |
| _raw_json | | RECORD | System field: all raw data as ingested from the data collector, in JSON format. | | |
| _raw_log | | STRING | System field: all raw data as ingested from the data collector, in text format. | | |
| _time | | INTEGER | System field: the data entry's timestamp. If unknown, the time the data entry was added to the database. | | |
| _vendor | | STRING | System field: the data vendor as ingested from the data collector. | | |
| action_threat_ids | NULLABLE | STRING | Threat IDs. | | |
| additional_info | | STRING | Additional information for any event that occurred (GlobalProtect). | | |
| agent_content_version | NULLABLE | STRING | The agent content version. | | 84e69d7f-1bb1-440e-96ef-e33a226b1bc6 |
| agent_external_ip | | STRING | External IP of the agent reporting this event. | | |
| agent_host_boot_time | NULLABLE | INTEGER | Last time this host was started, in epoch time. | | 57f0073a-5d70-4687-8c2d-639a624fb83e |
| agent_hostname | NULLABLE | STRING | Hostname of the agent. | | 06f5c068-783e-4de4-a663-8a6269cc810b |
| agent_id | NULLABLE | STRING | A unique identifier per agent. | | aa54fbd3-0f87-41f2-8085-e11ab5744a45 |
| agent_install_type | NULLABLE | INTEGER | Agent installation type (enumerated). | | d6cf4039-88f9-4c55-b9fc-b3c876eb9e8e |
| agent_interface_map | REPEATED | RECORD | Agent interface maps (IPs and MACs). | Contains sub-field mac (NULLABLE STRING). Use to_json_string prior to filtering/altering this field. | 2abe69eb-c3a2-4179-a270-d901502fbcc5 |
| agent_ip_addresses | NULLABLE | STRING | All IPv4 interface addresses. | | f93f5ac1-4e96-4528-988e-668e11c8977b |
| agent_ip_addresses_v6 | NULLABLE | STRING | All IPv6 interface addresses. | | 82703e92-dac3-4fb9-9d3c-9d30028ea482 |
| agent_is_vdi | NULLABLE | BOOLEAN | Indicates whether the agent is a VDI agent. | | bf3a4fa6-0733-4bc9-b5fd-7dc3eb10cd78 |
| agent_mac_addresses | | RECORD | MAC addresses assigned to all interfaces of this agent. | | |
| agent_os_sub_type | NULLABLE | STRING | A lengthier description of the operating system (OS) type. | | a729cc70-7828-4d93-8291-1e1ad5d7a102 |
| agent_os_type | NULLABLE | INTEGER | Agent OS type (enumerated; Windows = 1). | | 014a02d1-6dd3-4012-9648-901c03a46041 |
| agent_request_time | | | | | |
| agent_session_start_time | NULLABLE | INTEGER | Indicates when the agent was started. | | a6bb9811-51d4-4c8d-a919-0244f7df1e64 |
| agent_status_component | NULLABLE | STRING | Name of the endpoint detection and response (EDR) filter that was updated. | | a39f15b9-19dc-4e6e-8512-d46349816987 |
| agent_version | NULLABLE | STRING | The agent version. | | d444eb9e-2e68-4d16-8f94-9d361da4478d |
| associated_event_ids | REPEATED | STRING | | | 47370d98-8d77-40c7-9d8a-9254cb9470f1 |
| associated_mac | NULLABLE | STRING | Associated MAC addresses. | | fbdb1c35-7078-4a95-91ea-2b14f8080ee0 |
| association_strength | NULLABLE | INTEGER | Indicates whether an agent_id includes an associated value, using an enum mapping. | | 61b8698c-29fb-4397-93fb-3af22b50785b |
| auth_client | NULLABLE | STRING | The client-side host. | | aa25959d-60b4-4d80-bffa-c0b0f79a585c |
| auth_client_type | NULLABLE | STRING | Type of device the client operated from, such as a computer. | | 0a3bf15b-64be-41f2-9186-0ba206b78710 |
| auth_correlation_id | NULLABLE | STRING | Identifies events from separate sessions that occurred together as part of one operation. | | 819ac500-707e-4e86-ac02-1975f45a1d53 |
| auth_domain | NULLABLE | STRING | User-side domain name. | | bec98d47-bb6b-4d90-9c8f-a104bf1cd2e0 |
| auth_identity | NULLABLE | STRING | Client-side identification. | | 1c754044-663e-49fe-8f93-d961ed83e035 |
| auth_identity_display_name | NULLABLE | STRING | Display name of the authentication actor. | | 63c64e85-6d21-4d6c-9574-454a638eb298 |
| auth_identity_id | | STRING | Identity / principal ID. | | |
| auth_identity_sid | | STRING | Identity SID. | | |
| auth_is_interactive | NULLABLE | BOOLEAN | True for interactive sign-ins, where a user manually signs in with a username and password. | | 993192ae-62f0-4066-a9e5-22ae4ccba96f |
| auth_method | | STRING | Authentication method, such as publickey or password. | | |
| auth_mfa_needed | | BOOLEAN | Indicates whether multi-factor authentication (MFA) is required. | | |
| auth_normalized_user | | RECORD | Normalized user information. | | |
| auth_outcome | NULLABLE | STRING | Authentication attempt outcome: one of "sucess", "fail", "unknown", "SKIPPED", "ALLOW", "DENY", or "CHALLENGE". | Values are reproduced as documented, including their mixed case; normalize before comparing. | 33bd427b-62f4-49bf-8c4d-cdd71aacbe65 |
| auth_outcome_reason | NULLABLE | STRING | Event success status description. | | feaa721d-4652-49e0-b112-a5062da5d681 |
| auth_server | NULLABLE | STRING | Server-side host. | | 6cb27380-2f52-47bd-8d6f-82f728a8d868 |
| auth_service | NULLABLE | STRING | Authentication service name. | | 28fd922d-32be-4263-82d6-eedf48ec558a |
| auth_service_sid | | STRING | Service SID. | | |
| auth_target | NULLABLE | STRING | Authentication target host. | | b2ce7290-c880-419e-a2c3-9a3721ab1729 |
| auth_target_id | | STRING | Target / resource ID. | | |
| azure_ad_resource_display_name | NULLABLE | STRING | Display name of the Azure AD resource (authentication server). | | c28136f0-9a60-49b3-8522-ac4b52c48af9 |
| azure_ad_resource_id | | STRING | Resource ID. | | |
| azure_ad_resource_tenant_id | | STRING | Resource tenant ID. | | |
| azure_authentication_info | | | | | |
| azure_authentication_risk_info | | | | | |
| backtrace_identities | | RECORD | | Contains sub-field start_time (NULLABLE INTEGER). Use to_json_string prior to filtering/altering this field. | 85673276-4567-4548-adb9-efd2f7329e79 |
| cef_device_product | NULLABLE | STRING | Extracted CEF product. | | d30c714b-9038-4680-af2e-281da2661573 |
| cef_device_vendor | NULLABLE | STRING | Extracted CEF vendor. | | 27c48749-714b-4f8e-9ef0-807bd3619559 |
| cef_device_version | NULLABLE | STRING | Extracted CEF device version. | | 8262db39-e5b2-40b0-a8e4-45b2807e2d47 |
| cef_extension | NULLABLE | STRING | Extracted CEF extension. | | bbb20bfa-3f1f-4725-86d8-0557b1d815c2 |
| cef_severity | NULLABLE | STRING | Extracted CEF severity. | | 07fe935e-c18b-4211-a2c1-4946259d4383 |
| cef_signature_id | NULLABLE | STRING | Extracted CEF signature ID. | | 2cb85a37-4bff-4950-914c-eaaee546299c |
| cef_version | NULLABLE | INTEGER | Extracted CEF version. | | 794493be-e4ac-4bd8-8011-537839243673 |
| checkpoint_vpn_data | | | | | |
| cisco_vpn_data | | | | | |
| client_version | | INTEGER | The endpoint's GlobalProtect version. | | |
| client_version_str | | | | | |
| clipboard_data_size | | INTEGER | Size of the clipboard data. | | |
| clipboard_data_type | | INTEGER | Clipboard format, such as CF_UNICODETEXT or CF_BITMAP. | | |
| clipboard_source_iid | | STRING | IID of the source process of the copied data. | | |
| cloud_entity | | RECORD | Cloud provider information on the source IP of the activity. | | |
| customerId | NULLABLE | STRING | Extracted customer ID. | | 75676967-8a5b-4e27-80dc-18769d30ed75 |
| device_id | | RECORD | | | |
| device_name | | | | | |
| dfe_labels | REPEATED | STRING | Story label. | | 1598c0b5-f9e7-47af-a5f5-670cb84ca851 |
| directionality_strength | | | | | |
| dns_query_items | | RECORD | List of all the request items (name and type). | | |
| dns_query_name | NULLABLE | STRING | DNS request name. | | 44b0738c-3fce-4e2f-8630-5096296df90e |
| dns_query_name_domain_randomness | | RECORD | Domain randomness score. | | |
| dns_query_type | NULLABLE | STRING | DNS query type. | | 3efbc655-b258-4ba9-94ad-13082cee69bd |
| dns_reply_code | NULLABLE | STRING | DNS reply code (enumerated; 0 -> No error). | | 65f66d8e-043f-4eee-8aff-43c114e43b10 |
| dns_reply_codes | | RECORD | DNS reply codes for the DNS query. | | |
| dns_resolutions | REPEATED | RECORD | DNS resolutions for the query, comprised of the resource record name, type, and value for each resolution item. | Contains sub-field name (NULLABLE STRING). Use to_json_string prior to filtering/altering this field. | 107b2bbc-6fa1-4a3d-8cd5-4434ed5229fc |
| dst_action_as_data | | RECORD | ASN data for the destination of the network activity. | | |
| dst_action_boot_time | NULLABLE | INTEGER | Destination computer boot time, in milliseconds since the Unix epoch. | | 27b81411-87fc-4376-a9cb-59f4eebc496f |
| dst_action_country | NULLABLE | STRING | Destination country of the action. | | ca5d020d-db48-448d-9612-ccbe2dcf4510 |
| dst_action_external_hostname | NULLABLE | STRING | The hostname Cortex XDR/XSIAM connects to. For a proxy connection, this value differs from action_remote_ip. | | 4b63a3e1-d3a5-4694-8e35-25725f597438 |
| dst_action_external_hostname_domain_randomness | | RECORD | Domain randomness score. | | |
| dst_action_external_port | NULLABLE | INTEGER | The port Cortex XDR/XSIAM connects to. | | 9661aaef-f630-4344-9dfb-616659d34a1d |
| dst_action_location | | RECORD | Geolocation information of the destination IP. | | |
| dst_action_powered_off | NULLABLE | BOOLEAN | True if the computer is powered off, suspended, or hibernating. | | 3ea7a599-dbf3-458a-abb0-58a9827c147f |
| dst_action_url_category | | STRING | Next-Generation Firewall (NGFW) URL category. | | |
| dst_action_user_agent | NULLABLE | STRING | The user agent used by an actor to perform an action. | | 8e7017d3-3d11-4cd7-b4c8-556052feead5 |
| dst_action_user_is_local_session | NULLABLE | BOOLEAN | Indicates whether the user logged in locally rather than from a remote computer. | | 78e615ed-61be-4d28-bef3-94945abd3850 |
| dst_action_user_session_id | | INTEGER | Session ID of the action. | | |
| dst_action_user_status | NULLABLE | INTEGER | Same as the event sub-type. | | 0a34e458-323c-447b-a817-bb76a7f045fb |
| dst_action_user_status_sid | NULLABLE | STRING | Security identifier (SID) of the user. | | d5f719b0-9e0e-4f65-98d3-d311105c2681 |
| dst_action_username | NULLABLE | STRING | Name of the destination user. | | 77b2b962-b100-4db2-a288-90144851e036 |
| dst_agent_content_version | NULLABLE | STRING | Agent content version. | | 665bd9d6-3597-411e-815d-254fa91d3186 |
| dst_agent_external_ip | | STRING | The IP from which the destination agent reported this data. | | |
| dst_agent_host_boot_time | NULLABLE | INTEGER | Host boot time, in epoch time. | | 6733a2d3-0f82-4ac0-b708-4067f3981c46 |
| dst_agent_hostname | NULLABLE | STRING | Agent hostname. | | e82b370b-04e5-49e8-8858-64dfa86b8b7f |
| dst_agent_id | NULLABLE | STRING | Agent ID. | | d0d3ad41-c5a9-445a-9e31-f758be7ee7a2 |
| dst_agent_install_type | NULLABLE | INTEGER | Type of agent installation (enumerated; 0 - Standard agent). | | c7818623-9d74-43cc-8d88-1f6df580c4ae |
| dst_agent_interface_map | REPEATED | RECORD | Agent interface maps (IPs and MACs). | Contains sub-field mac (NULLABLE STRING). Use to_json_string prior to filtering/altering this field. | 2c58fa1c-3bba-4261-8bd9-e04b11f4e038 |
| dst_agent_ip_addresses | NULLABLE | STRING | Agent IPv4 addresses. | | bf352b71-c062-417e-9914-45816b5f9516 |
| dst_agent_ip_addresses_v6 | NULLABLE | STRING | Agent IPv6 addresses. | | 6c6b15e9-712d-476d-baab-2aea8ff40e1e |
| dst_agent_is_vdi | NULLABLE | BOOLEAN | Indicates whether the agent is a VDI installation. | | 3a86b3fb-e087-4663-a074-aca4929a01b6 |
| dst_agent_os_sub_type | NULLABLE | STRING | A lengthier description of the operating system (OS) type. | | 31d97851-265e-4d77-b2aa-95ba1f98ce0d |
| dst_agent_os_type | NULLABLE | INTEGER | Agent OS type (enumerated; Windows = 1). | | 9a5c87a2-9717-4a91-8ccb-d0ce2ea9abf9 |
| dst_agent_request_time | | | | | |
| dst_agent_session_start_time | NULLABLE | INTEGER | When the agent was started. | | 31dbccdb-1f0b-4ed6-afa1-21b7d5db1479 |
| dst_agent_status_component | NULLABLE | STRING | | | 8aa4a148-9322-454f-b0c2-a4eb390e4d43 |
| dst_agent_version | NULLABLE | STRING | Agent version. | | f5243c1d-d146-4169-a8eb-28dba67eeca4 |
| dst_associated_mac | NULLABLE | STRING | Associated MAC address. | | 940cbc1a-428b-4c7b-9c64-2f143505665a |
| dst_association_strength | NULLABLE | INTEGER | Specifies whether an agent_id includes an associated value, using an enum mapping. | | b1c8f3ce-0bed-41fa-b85d-46b13ea5960e |
| dst_causality_actor_primary_normalized_user | | RECORD | A normalized user for the causality chain. | | |
| dst_cloud_entity | | RECORD | Cloud provider information on the destination IP of the activity. | | |
| dst_device_id | | | | | |
| dst_event_utc_diff_minutes | NULLABLE | INTEGER | The difference in minutes of the original timestamp from UTC, which identifies the agent's original time zone. | | d2863e23-0369-448e-b9ff-330703a9886f |
| dst_host_metadata_domain | NULLABLE | STRING | Domain of the host. | | 01381981-fd2f-47ab-9237-412f37ed3e18 |
| dst_host_metadata_hostname | NULLABLE | STRING | Hostname. | | d6b76dc4-4127-45af-968d-56be4eae2ead |
| dst_host_metadata_interface_map | | RECORD | Agent interface maps (IPs and MACs). | Contains sub-field is_ipv6 (NULLABLE BOOLEAN). | 0ebfd96b-f635-42f0-a16b-f38c5e5c3185 |
| dst_is_internal_ip | NULLABLE | BOOLEAN | Indicates whether the destination IP falls inside the private address range (true) or outside it (false). | | 635fde57-e894-41d7-8807-15dbd12c6c7f |
| dst_mac | NULLABLE | STRING | MAC address. | | 9141a415-7a17-4fb2-a796-5bc50209b34b |
| dst_manifest_file_version | NULLABLE | INTEGER | | | de18a0e4-9457-4160-8385-b4754b2ad026 |
| dst_tcp_flags | NULLABLE | INTEGER | TCP flags. | | 00c50d66-1ee4-4cbb-bea9-4e91f7564a38 |
| dst_trapsId | NULLABLE | STRING | DEPRECATED | | 0416e5bd-5154-4276-b7c6-d6c1c8ea9a0c |
| dst_ttl | NULLABLE | INTEGER | The closest time-to-live (TTL) preceding/following the sensor. | | 62e1e4e1-83b8-4232-aa94-acab6c037468 |
| dst_user_id | NULLABLE | STRING | Windows: primary user token of the executed binary. | | 9edb01a3-3430-46ec-bed9-dacf62084062 |
| dst_xdr_pro_lite | | BOOLEAN | Indicates whether the destination agent is running XDR Pro (not XTH). | | |
| dynamic_event_int_map | | RECORD | DEPRECATED | | |
| dynamic_event_string_map | | RECORD | Same as dynamic_event_int_map, but with string values. | | |
| event_address_code_symbol | NULLABLE | STRING | | | 1e971731-79f4-4957-93f4-7c317d7e1fd8 |
| event_address_mapped_image_path | NULLABLE | STRING | Windows: DLL path for the address (in the process address space) this event refers to. For example, in thread-start events this is the path of the DLL the thread was started in. | | bb03b48c-3fc6-4661-9921-f6e5b7c9ca24 |
| event_allocation_base_shellcode_buffer | | STRING | Hexlified buffer of shellcode at the base of the allocation of the event's associated buffer. | | |
| event_call_region_base_address | | INTEGER | Call region base address related to the event. | | |
| event_call_region_shellcode_buffer | | STRING | Hexlified buffer of shellcode at the call region. | | |
| event_causality_mark_of_cain | | INTEGER | Indicates whether a security event, such as BTP or static analysis, was raised in this causality. | | |
| event_direct_syscall_ip_mapped_file_path | | STRING | When the event is a direct syscall, the DLL the syscall originated from. | | |
| event_id | NULLABLE | STRING | Event identifier. | | ea767a96-53d5-4657-9d64-5ed5d4abab2a |
| event_impersonation_status | NULLABLE | INTEGER | Equivalent to event_is_impersonated, but also able to express an unknown status, which a boolean field cannot. | | 3ccdc67d-4b78-46ff-82a2-318c271f6df3 |
| event_invalidity_field | NULLABLE | STRING | Set by the preprocessor when it detects that an event is invalid: the name of the field that caused the event to be invalid. | | 3e381793-f8a0-4d1f-be96-7911c2cbb9ea |
| event_is_boot_replay | | BOOLEAN | True during the first replay. | | |
| event_is_duplicated_replay | | BOOLEAN | True if the event was already sent before and another replay sends it again. | | |
| event_is_impersonated | NULLABLE | BOOLEAN | Windows: indicates whether the thread performing the event is impersonating. | | 921da9e2-83de-401c-9238-a2138c8d9251 |
| event_is_replay | NULLABLE | BOOLEAN | Indicates whether the event is part of the system state replay sent when the agent is started. | | a1678455-14d9-46c0-af8e-65f83520a396 |
| event_is_simulated | NULLABLE | BOOLEAN | Indicates whether this event was simulated by the TMS. | | 9ada670f-82f0-43b0-b369-041d73b33060 |
| event_page_base_shellcode_buffer | | STRING | Hexlified buffer of shellcode at the base of the page of the event's associated buffer. | | |
| event_resolved_stack_trace | | STRING | Stack trace related to the event. | | |
| event_rpc_func_opnum | NULLABLE | INTEGER | Integer identifying the function being called. | | 6e5400cb-9047-4a5e-a685-ad6cd9953406 |
| event_rpc_interface_uuid | NULLABLE | STRING | UUID identifying the interface. | | 7ea24ed3-5290-4381-ade9-8ad1c495aadb |
| event_rpc_interface_version_major | NULLABLE | INTEGER | Major version of the remote procedure call (RPC) interface. | | cf2de39a-7fa7-4360-a2d0-42d2aec41115 |
| event_rpc_interface_version_minor | NULLABLE | INTEGER | Minor version of the RPC interface. | | ce1de143-d88d-4924-a0b0-3da877d9dc2c |
| event_rpc_protocol | NULLABLE | INTEGER | Enum representing the RPC protocol. | | aa49eedb-eca8-4fc6-82ff-5450e64a325f |
| event_shellcode_address | | INTEGER | The address of the shellcode in the user-mode call stack. | | |
| event_source_bitmask | | INTEGER | Bitmask of the sources involved in producing the event. | | |
| event_sub_type | NULLABLE | INTEGER | Set according to the event type in event_type; each event type has multiple event sub-types. | | 8a7bc09b-680c-4800-b85a-318698dc5ab3 |
| event_thread_context | | STRING | A JSON array, serialized as a string, containing thread-specific context. | | |
| event_timestamp | NULLABLE | INTEGER | Integer indicating when the event occurred. | | 1e2ba17f-79e6-4395-be65-d5e0aa2df5a7 |
| event_timestamp_original | | INTEGER | Event timestamp in epoch time. | | |
| event_type | NULLABLE | INTEGER | A unique identifier of the event type (enumerated). | | 3b706262-e30b-46eb-9dbc-11ba0371cdbf |
| event_user_presence | NULLABLE | BOOLEAN | Indicates whether a user was physically present at the machine. | | e4924379-32c9-465a-a6fc-1486250eb5d6 |
| event_user_presence_status | NULLABLE | INTEGER | Equivalent to event_user_presence, but also able to express an unknown status, which a boolean field cannot. | | eb9db90b-4935-43ce-b290-5ee9c59dcc55 |
| event_user_thread_context_ip | | INTEGER | The instruction pointer at the moment the syscall was made. | | |
| event_user_thread_context_ip_in_native_ntdll | | BOOLEAN | Indicates whether the instruction pointer in the trap frame, captured mid-syscall, pointed into ntdll. | | |
| event_user_thread_context_is_heavens_gate | | BOOLEAN | True when the user-mode stack pointer lies outside the x64 stack limits but inside the x86 stack limits of a WOW64 process (a Heaven's Gate transition). | | |
| event_user_thread_context_is_stack_pivot | | BOOLEAN | True when the RSP in the trap frame lies outside the thread's stack limits (a stack pivot). | | |
| event_user_thread_context_sp | | INTEGER | The stack pointer at the moment the syscall was made. | | |
| event_utc_diff_minutes | NULLABLE | INTEGER | The difference in minutes of the original timestamp from UTC. | | 43ae2b36-e93a-43b5-9aac-51d5441aa8a9 |
| event_validity_enum | NULLABLE | INTEGER | An enum set by the preprocessor when it detects that an event is invalid. | | be0c40a5-1bcb-4d1a-a5d9-28897e93f822 |
| event_version | NULLABLE | INTEGER | Version of the event structure; each change increases the version. | | 475f2528-ef0d-48c3-ac87-708265f64fac |
| event_versions | REPEATED | INTEGER | Event versions for this event. | | 40c5cc76-fc74-4f00-a38f-417c093ef90f |
| execution_actor_causality_id | NULLABLE | STRING | Causality ID of the parent that executed the terminated process instance. | | 618b8719-3b86-4666-a187-b9774eac4379 |
| execution_actor_instance_id | NULLABLE | STRING | Instance ID of the parent that executed the terminated process instance. | | 858cb465-8a7a-41e5-9093-850801aa9b52 |
| facility | NULLABLE | STRING | | | 21034dd8-b730-4b78-909e-2eaea50aa22f |
| file_data | | | | | |
| fw_dst_normalized_user | | RECORD | Normalized user information. | | |
| fw_identities | NULLABLE | RECORD | DEPRECATED | | |
| fw_is_dup_log | NULLABLE | INTEGER | | | 1ed87b45-1a1b-413f-910f-0362366cd321 |
| fw_log_subtypes | REPEATED | STRING | | | 1850d124-f9f4-40fa-9f79-61abdad63e25 |
| fw_log_types | REPEATED | STRING | | | 02941d17-b966-45df-a07a-af71c73d8492 |
| fw_src_normalized_user | | RECORD | Normalized user information. | | |
| fw_time_generated | NULLABLE | INTEGER | Equivalent to event_timestamp. | | 8d06f26d-16c2-4b2e-897e-e4f478e237f0 |
| fw_traffic_flags | NULLABLE | INTEGER | Protocol traffic flags as seen on the Next-Generation Firewall (NGFW). | | 489aa696-0435-4559-8621-d23b735df90b |
| generatedTime | NULLABLE | TIMESTAMP | Equivalent to event_timestamp. | | 17676554-e72a-4c95-88d8-511c675d7aa5 |
| global_protect_data | | | | | |
| hardware_id | | STRING | Unique identifier GlobalProtect assigned to the host. | | |
| host_metadata_domain | NULLABLE | STRING | Domain of the host. | | 23348651-0285-40ce-aa2c-013f452d84e9 |
| host_metadata_hostname | NULLABLE | STRING | Hostname. | | 37744e13-7d69-4407-9b32-cdb61541f176 |
| host_metadata_interface_map | | RECORD | Agent interface maps (IPs and MACs). | Contains sub-field is_ipv6 (NULLABLE BOOLEAN). | 7f6a3cb5-c2e6-46c4-ac48-6fcf771b6b8e |
| http_content_type | NULLABLE | STRING | Content-Type header of the HTTP traffic. | | b5eb84ba-76d6-47f5-af80-6960bfdc1e36 |
| http_data | | RECORD | HTTP log data. | | |
| http_data_is_trimmed | | BOOLEAN | Indicates whether the HTTP data exceeded the Next-Generation Firewall (NGFW) length limit and was trimmed. | | |
| http_method | NULLABLE | STRING | HTTP method (enumerated; 0 = UNKNOWN_METHOD). | | d2781d6a-eae5-47e6-b829-cb0951f24c21 |
| http_referer | NULLABLE | STRING | HTTP Referer header. | | fad9141f-0977-461a-ac60-9de81954b0ff |
| http_req_before_method | NULLABLE | STRING | | | 2585c9a5-5468-45bc-aff4-d8c14a6a6431 |
| http_req_content_type_header | NULLABLE | STRING | HTTP request Content-Type header. | | 92ba7c0c-0883-4078-aaf6-b56ea673e307 |
| http_req_host_header | NULLABLE | STRING | HTTP Host header. | | ec782f74-8811-4ac3-8f95-c3975e6f1b8b |
| http_req_referer_header | NULLABLE | STRING | HTTP Referer header. | | 9a1e92eb-df3f-4370-a46f-91cae4ba9dd7 |
| http_req_uri | NULLABLE | STRING | HTTP request URI. | | d55a0eed-f238-4877-b465-0c9f66663153 |
| http_req_user_agent_header | NULLABLE | STRING | HTTP User-Agent header. | | 14900f01-5306-4f9a-aee0-d2405f268a7f |
| http_rsp_code | NULLABLE | INTEGER | HTTP response code. | | 28dbff3c-c130-418f-8988-b39e24a57732 |
| http_rsp_content_type_header | NULLABLE | STRING | HTTP response Content-Type header. | | fcee5d48-7a23-4e46-9528-96c71005c0ba |
| http_rsp_filename | NULLABLE | STRING | HTTP response filename. | | 81b44acf-d43d-450b-b777-8e1ec169e60c |
| http_server | NULLABLE | STRING | HTTP server. | | 085ebba5-ff0b-4bdb-b7be-0a2d80fbc9df |
| http_status_code | NULLABLE | INTEGER | HTTP status code. | | 4d35a17a-6756-4ad5-8dd2-210392780001 |
| hwnd | | INTEGER | Handle of the foreground window. | | |
| icmp_code | NULLABLE | INTEGER | ICMP request code. | | 24a88ede-ca0a-46dd-81b4-2c53d2b78e35 |
| icmp_original_length | NULLABLE | INTEGER | Internet Control Message Protocol (ICMP) payload length. | | |
| icmp_type | NULLABLE | INTEGER | ICMP request type. | | 12e0300f-cfd1-4927-aef6-59b3c7d395bd |
| insert_timestamp | NULLABLE | TIMESTAMP | Ingestion timestamp. | System field: the time the entry was inserted into the system. | 304a1166-cded-4bb9-83f1-3dbf18f4fe3c |
| is_disintegrated | NULLABLE | BOOLEAN | Indicates whether the story was disintegrated. | | e45ebf75-3b28-4e56-a133-11e46973fac4 |
| is_internal_ip | NULLABLE | BOOLEAN | Indicates whether the source IP falls inside the private address range (true) or outside it (false). | | 46a590ab-416e-4107-b85b-59e5a4d5fc0c |
| krb_tgs_data | NULLABLE | RECORD | Kerberos Ticket Granting Service (TGS) log data. | Contains sub-field is_machine_account (NULLABLE BOOLEAN). Use to_json_string prior to filtering/altering this field. | e1873ca8-d1cf-4ce3-b6f8-8a20ac82e8ea |
| krb_tgt_data | NULLABLE | RECORD | Kerberos Ticket Granting Ticket (TGT) log data. | Contains sub-field is_machine_account (NULLABLE BOOLEAN). Use to_json_string prior to filtering/altering this field. | 5d8a14b3-0cc2-43aa-9b71-e1d49a3c6a8d |
| ldap_data | | RECORD | LDAP log data. | | |
| login_data | | RECORD | Windows Event Log login data. | | |
| login_data_dst_normalized_user | | RECORD | Destination user CIE resolution information. | | |
| login_data_dst_outbound_normalized_user | | RECORD | Destination outbound user DSS resolution information. | | |
| login_data_src_normalized_user | | RECORD | Source user CIE resolution information. | | |
| non_standard_dport | NULLABLE | INTEGER | A boolean represented as an integer. Indicates whether the destination port is a non-standard port, based on Next-Generation Firewall (NGFW) logic. | | b87ba8cf-dd16-424f-80b2-abf5cdeb58b6 |
| ntlm_auth_data | | RECORD | NTLM log data. | | |
| one_login_data | | | | | |
| other_json | | | DEPRECATED | | |
| packet | | STRING | Packet payload, excluding the TCP/IP header. | | |
| related_alerts | | | | | |
| serverTime | NULLABLE | TIMESTAMP | Timestamp of the event as displayed on the server side. | | 87c97c1c-7cdb-46f9-8842-bb1efa5d2380 |
| ssl_data | | RECORD | SSL log data. | | |
| ssl_req_chello_sni_sample | NULLABLE | STRING | SNI domain obtained from SSL protocol parsing. | | 38537c19-8818-4d65-bb74-5400f7ce9178 |
| sso_debug_data | NULLABLE | STRING | Okta debug info, which includes protocol information, URIs, and more. | | c6c5d07f-edcf-48aa-bd2d-83f5c10fbac3 |
| sso_display_message | NULLABLE | STRING | Single sign-on (SSO) event description. | | 63c08dca-1956-4118-a70b-0db1dbf940e6 |
| sso_event_type | | INTEGER | Single sign-on (SSO) event type as obtained from the original SSO provider. | | |
| sso_severity | NULLABLE | STRING | Severity as reported: DEBUG, INFO, WARN, ERROR. | | 16239d41-6e8b-4302-9ddf-fe24b14d46b6 |
| story_id | NULLABLE | STRING | ID of the story. | | 26e90e20-3313-4847-a47d-240351515f1a |
| story_id_original | | | DEPRECATED | | |
| story_publish_timestamp | NULLABLE | INTEGER | Story publishing timestamp in epoch time. | | 1657404e-1526-4230-b79c-98eabcc99cd8 |
| story_version | NULLABLE | FLOAT | Story version. | | a46672eb-074c-47ee-a277-e2c90cf58ed9 |
| syscall_action_etw_based | NULLABLE | BOOLEAN | Indicates whether the collected syscall came from Windows ETW. | | 04fea6c7-f5fb-4d68-aaee-e237c817709b |
| syscall_action_int_params | NULLABLE | STRING | Integer parameters from syscalls, in JSON format. | | afb916cf-9023-4322-beb2-cc594acb5272 |
| syscall_action_stack_ptr | NULLABLE | STRING | | | 2b61094c-29bd-4f4e-91ad-2e469548e077 |
| syscall_action_string_params | NULLABLE | STRING | String parameters from syscalls, in JSON format. | | 372b4a9e-be86-482b-b4fc-00c3fb3f2c12 |
| tcp_flags | NULLABLE | INTEGER | TCP flags. | | cc39832e-8eca-4800-922f-b4b239e7c34f |
| title | | STRING | Title of top_level_hwnd. | | |
| top_level_hwnd | | INTEGER | The top-level window of the foreground window. | | |
| trapsId | NULLABLE | STRING | DEPRECATED | | 1f4198d4-c20b-40f9-9362-11aa667300f9 |
| ttl | NULLABLE | INTEGER | IP time-to-live (TTL) obtained from the source. | | c7484032-350b-4b66-9afc-68c9796dbe72 |
| tunnel_type | | STRING | The type of tunnel. | | |
| uri | NULLABLE | STRING | Threat URI. | | cc9bfa66-b8f6-4859-b8cd-2f7c785be0d7 |
| user_generic_value1 | | INTEGER | A bitmap that can be set in the YAML. | | |
| user_generic_value2 | | INTEGER | An integer that can be set in the YAML. | | |
| user_id | NULLABLE | STRING | Windows: user SID. | | 3e1fd7ed-06bf-4934-a189-9b877125418b |
| uuid | NULLABLE | STRING | Equivalent to event_id. | | e467d039-de98-4c13-9f9b-54a26c6f02b0 |
| vendor | NULLABLE | STRING | Log vendor. | | |
| vpn_event_description | | STRING | The name of the GlobalProtect event. | | |
| vpn_server | | STRING | VPN server name or IP. | | |
| vpn_service | | STRING | VPN service name. | | |
| xdr_pro_lite | | BOOLEAN | Indicates whether the agent is XDRProNG and sends fewer events. | | |
| zip_id | NULLABLE | STRING | DEPRECATED | | bca4c5a2-a640-49bc-bbbe-b327008c7988 |
| zscaler_vpn_data | | | | | |