Information about an intermediate entity that handled the activity, such as a NAT, VPN or proxy device.
xdm.intermediate.host
The intermediate device that handled the activity.
xdm.intermediate.host.hostname
Description | The host name of the intermediate device that handled the activity.
Datatype | String
Dataclass | Scalar
xdm.intermediate.host.os_family
Description | The operating system family of the intermediate device that handled the activity.
Datatype |
Dataclass | Scalar
Examples | XDM_CONST.OS_FAMILY_WINDOWS, XDM_CONST.OS_FAMILY_MACOS, XDM_CONST.OS_FAMILY_LINUX, XDM_CONST.OS_FAMILY_ANDROID, XDM_CONST.OS_FAMILY_IOS
xdm.intermediate.host.os
Description | The specific operating system of the intermediate device that handled the activity, including version.
Datatype | String
Dataclass | Scalar
xdm.intermediate.host.fqdn
Description | The fully-qualified domain name (FQDN) of the intermediate device that handled the activity.
Datatype | String
Dataclass | Scalar
xdm.intermediate.host.device_category
Description | The device category of the intermediate device that handled the activity.
Datatype | String
Dataclass | Scalar
Examples | Infusion System, ATM Machine, Personal Computer, 3D Printer
xdm.intermediate.host.device_model
Description | The device model of the intermediate device that handled the activity.
Datatype | String
Dataclass | Scalar
Examples | iPad, PA-3200, ThinkPad E14, e2-highmem-8, t2.micro
xdm.intermediate.host.device_id
Description | The unique device ID of the intermediate device that handled the activity.
Datatype | String
Dataclass | Scalar
xdm.intermediate.host.ipv4_addresses
Description | The IPv4 addresses of the intermediate device that handled the activity.
Datatype | IPv4
Dataclass | Array
xdm.intermediate.host.ipv6_addresses
Description | The IPv6 addresses of the intermediate device that handled the activity.
Datatype | IPv6
Dataclass | Array
xdm.intermediate.host.ipv4_public_addresses
Description | The public IPv4 addresses of the intermediate device that handled the activity.
Datatype | IPv4
Dataclass | Array
xdm.intermediate.host.ipv6_public_addresses
Description | The public IPv6 addresses of the intermediate device that handled the activity.
Datatype | IPv6
Dataclass | Array
xdm.intermediate.host.mac_addresses
Description | The MAC addresses of the intermediate device that handled the activity.
Datatype | String
Dataclass | Array
xdm.intermediate.host.manufacturer
Description | The device manufacturer of the intermediate device that handled the activity.
Datatype | String
Dataclass | Scalar
xdm.intermediate.host.hardware_uuid
Description | The unique hardware manufacturing ID of the intermediate device that handled the activity.
Datatype | String
Dataclass | Scalar
xdm.intermediate.host.boot_time
Description | The last known start-up time of the intermediate device that handled the activity.
Datatype | Timestamp
Dataclass | Scalar
xdm.intermediate.host.image
Description | The image/runtime name or ID of the intermediate device that handled the activity.
Datatype | String
Dataclass | Scalar
Examples | ami-19231, python3.9, nodejs14.x
xdm.intermediate.host.memory
Description | The memory capacity in bytes of the intermediate device that handled the activity.
Datatype | Number
Dataclass | Scalar
xdm.intermediate.location
The location of the intermediate device.
xdm.intermediate.location.country
Description | The country of the intermediate device (auto-enriched field).
Datatype | String
Dataclass | Scalar
Examples | Japan
Enriched | True
xdm.intermediate.location.city
Description | The city of the intermediate device (auto-enriched field).
Datatype | String
Dataclass | Scalar
Examples | Tokyo
Enriched | True
xdm.intermediate.location.continent
Description | The continent of the intermediate device (auto-enriched field).
Datatype | String
Dataclass | Scalar
Examples | Asia
Enriched | True
xdm.intermediate.location.region
Description | The region of the intermediate device (auto-enriched field).
Datatype | String
Dataclass | Scalar
Examples | Tokyo
Enriched | True
xdm.intermediate.location.latitude
Description | Latitude coordinate of the intermediate device's location (auto-enriched field).
Datatype | Float
Dataclass | Scalar
Examples | 45.505918
Enriched | True
xdm.intermediate.location.longitude
Description | Longitude coordinate of the intermediate device's location (auto-enriched field).
Datatype | Float
Dataclass | Scalar
Examples | -73.61483
Enriched | True
xdm.intermediate.location.timezone
Description | Timezone in Continent/City format of the intermediate device (auto-enriched field).
Datatype | String
Dataclass | Scalar
Examples | Asia/Tokyo
Enriched | True
xdm.intermediate.agent
The agent on the intermediate device.
xdm.intermediate.agent.identifier
Description | The ID of the agent on the intermediate device.
Datatype | String
Dataclass | Scalar
xdm.intermediate.agent.type
Description | The type of the agent on the intermediate device.
Datatype |
Dataclass | Scalar
Examples | XDM_CONST.AGENT_TYPE_REGULAR, XDM_CONST.AGENT_TYPE_COLLECTOR, XDM_CONST.AGENT_TYPE_VDI, XDM_CONST.AGENT_TYPE_CLOUD
xdm.intermediate.agent.version
Description | The version of the agent on the intermediate device.
Datatype | String
Dataclass | Scalar
xdm.intermediate.agent.content_version
Description | The content version of the agent on the intermediate device.
Datatype | String
Dataclass | Scalar
xdm.intermediate.agent.installation_time
Description | The installation time of the agent on the intermediate device.
Datatype | Timestamp
Dataclass | Scalar
xdm.intermediate.user
The intermediate user.
xdm.intermediate.user.identifier
Description | The ID of the user, such as a GUID, SID or any other ID that uniquely identifies the intermediate user.
Datatype | String
Dataclass | Scalar
xdm.intermediate.user.username
Description | The user name used for identification of the intermediate user.
Datatype | String
Dataclass | Scalar
xdm.intermediate.user.user_type
Description | The type of the intermediate user.
Datatype |
Dataclass | Scalar
Examples | XDM_CONST.USER_TYPE_REGULAR, XDM_CONST.USER_TYPE_SERVICE_ACCOUNT, XDM_CONST.USER_TYPE_MACHINE_ACCOUNT
xdm.intermediate.user.first_name
Description | The first name of the intermediate user.
Datatype | String
Dataclass | Scalar
xdm.intermediate.user.last_name
Description | The last name of the intermediate user.
Datatype | String
Dataclass | Scalar
xdm.intermediate.user.middle_name
Description | The middle name of the intermediate user.
Datatype | String
Dataclass | Scalar
xdm.intermediate.user.employee_id
Description | The employee ID of the intermediate user.
Datatype | String
Dataclass | Scalar
xdm.intermediate.user.badge_id
Description | The work badge ID of the intermediate user.
Datatype | String
Dataclass | Scalar
xdm.intermediate.user.ou
Description | The organization unit of the intermediate user.
Datatype | String
Dataclass | Scalar
xdm.intermediate.user.domain
Description | The domain to which the intermediate user belongs.
Datatype | String
Dataclass | Scalar
xdm.intermediate.user.is_password_changeable
Description | Whether the password of the intermediate user is changeable.
Datatype | Boolean
Dataclass | Scalar
xdm.intermediate.user.is_password_expired
Description | Whether the password of the intermediate user has expired.
Datatype | Boolean
Dataclass | Scalar
xdm.intermediate.user.is_password_required
Description | Whether the password of the intermediate user is required.
Datatype | Boolean
Dataclass | Scalar
xdm.intermediate.user.is_disabled
Description | Whether the intermediate user is disabled.
Datatype | Boolean
Dataclass | Scalar
xdm.intermediate.user.groups
Description | The groups or roles to which the intermediate user belongs.
Datatype | String
Dataclass | Array
xdm.intermediate.user.netbios_domain
Description | The subdomain of the intermediate user's DNS domain name. See https://docs.microsoft.com/en-us/exchange/disjoint-namespace-scenarios-exchange-2013-help#dns-and-netbios-domain-names (auto-enriched field).
Datatype | String
Dataclass | Scalar
Examples | mycompany
Enriched | True
xdm.intermediate.user.sam_account_name
Description | The logon name of the intermediate user. See https://docs.microsoft.com/en-us/windows/win32/ad/naming-properties#samaccountname (auto-enriched field).
Datatype | String
Dataclass | Scalar
Examples | jondoe
Enriched | True
xdm.intermediate.user.upn
Description | The principal name of the intermediate user. See https://docs.microsoft.com/en-us/windows/win32/ad/naming-properties#userprincipalname (auto-enriched field).
Datatype | String
Dataclass | Scalar
Examples | jon.doe@mycompany.com
Enriched | True
xdm.intermediate.user.identity_type
Description | The identity type of the intermediate user (auto-enriched field).
Datatype |
Dataclass | Scalar
Examples | XDM_CONST.IDENTITY_TYPE_MACHINE, XDM_CONST.IDENTITY_TYPE_USER, XDM_CONST.IDENTITY_TYPE_BUILTIN, XDM_CONST.IDENTITY_TYPE_VIRTUAL, XDM_CONST.IDENTITY_TYPE_UNKNOWN
Enriched | True
xdm.intermediate.user.scope
Description | The scope of the intermediate user (auto-enriched field).
Datatype |
Dataclass | Scalar
Examples | XDM_CONST.SCOPE_TYPE_LOCAL, XDM_CONST.SCOPE_TYPE_DOMAIN, XDM_CONST.SCOPE_TYPE_AZURE, XDM_CONST.SCOPE_TYPE_MICROSOFT, XDM_CONST.SCOPE_TYPE_UNKNOWN
Enriched | True
xdm.intermediate.process
The intermediate process.
xdm.intermediate.process.name
Description | The name of the intermediate process.
Datatype | String
Dataclass | Scalar
xdm.intermediate.process.pid
Description | The ID of the intermediate process, provided by the operating system.
Datatype | Number
Dataclass | Scalar
xdm.intermediate.process.identifier
Description | The unique ID of the intermediate process, provided by the agent.
Datatype | String
Dataclass | Scalar
xdm.intermediate.process.command_line
Description | The command line that the intermediate process is executing.
Datatype | String
Dataclass | Scalar
xdm.intermediate.process.causality_id
Description | The ID of the root process that triggered the chain of which the intermediate process is a part.
Datatype | String
Dataclass | Scalar
xdm.intermediate.process.parent_id
Description | The ID of the direct parent process that triggered the intermediate process.
Datatype | String
Dataclass | Scalar
xdm.intermediate.process.integrity_level
Description | The integrity level (mode of operation) at which the intermediate process is running.
Datatype | Number
Dataclass | Scalar
xdm.intermediate.process.executable
The executable of the intermediate process.
xdm.intermediate.process.executable.filename
Description | The file name of the intermediate process executable.
Datatype | String
Dataclass | Scalar
xdm.intermediate.process.executable.path
Description | The file path of the intermediate process executable.
Datatype | String
Dataclass | Scalar
xdm.intermediate.process.executable.directory
Description | The file directory of the intermediate process executable.
Datatype | String
Dataclass | Scalar
xdm.intermediate.process.executable.extension
Description | The file extension of the intermediate process executable.
Datatype | String
Dataclass | Scalar
xdm.intermediate.process.executable.file_type
Description | The file type of the intermediate process executable.
Datatype | String
Dataclass | Scalar
xdm.intermediate.process.executable.md5
Description | The MD5 hash of the intermediate process executable content.
Datatype | MD5
Dataclass | Scalar
xdm.intermediate.process.executable.sha256
Description | The SHA256 hash of the intermediate process executable content.
Datatype | SHA256
Dataclass | Scalar
xdm.intermediate.process.executable.is_signed
Description | Whether the loaded module of the intermediate process executable is signed.
Datatype | Boolean
Dataclass | Scalar
Examples | True
xdm.intermediate.process.executable.signer
Description | The signer of the intermediate process executable.
Datatype | String
Dataclass | Scalar
Examples | Microsoft Corporation
xdm.intermediate.process.executable.signature_status
Description | The signature status of the intermediate process executable.
Datatype |
Dataclass | Scalar
Examples | XDM_CONST.SIGNATURE_STATUS_UNSIGNED, XDM_CONST.SIGNATURE_STATUS_SIGNED_INVALID, XDM_CONST.SIGNATURE_STATUS_SIGNED_VERIFIED, XDM_CONST.SIGNATURE_STATUS_STATUS_UNKNOWN
xdm.intermediate.process.executable.size
Description | Size in bytes of the intermediate process executable.
Datatype | Number
Dataclass | Scalar
xdm.intermediate.process.thread_id
Description | The thread ID of the intermediate process.
Datatype | Number
Dataclass | Scalar
xdm.intermediate.process.is_injected
Description | Whether the intermediate process's thread/activity is executed via process injection.
Datatype | Boolean
Dataclass | Scalar
xdm.intermediate.process.container_id
Description | ID of the container that is running the intermediate process.
Datatype | String
Dataclass | Scalar
xdm.intermediate.user_agent
Description | The user-agent of the intermediate device.
Datatype | String
Dataclass | Scalar
xdm.intermediate.application
The intermediate application that handled the activity.
xdm.intermediate.application.name
Description | The name of the intermediate application that handled the activity.
Datatype | String
Dataclass | Scalar
xdm.intermediate.application.version
Description | The version of the intermediate application that handled the activity.
Datatype | String
Dataclass | Scalar
xdm.intermediate.application.publisher
Description | The publisher (vendor/company) of the intermediate application that handled the activity.
Datatype | String
Dataclass | Scalar
xdm.intermediate.application.installation_timestamp
Description | The installation time of the intermediate application that handled the activity.
Datatype | String
Dataclass | Scalar
xdm.intermediate.application.from_appstore
Description | Whether the intermediate application that handled the activity was installed from an application store.
Datatype | Boolean
Dataclass | Scalar
xdm.intermediate.ipv4
Description | The intermediate IPv4 address of the activity.
Datatype | IPv4
Dataclass | Scalar
xdm.intermediate.ipv6
Description | The intermediate IPv6 address of the activity.
Datatype | IPv6
Dataclass | Scalar
xdm.intermediate.asn
The autonomous system of the intermediate IP address.
xdm.intermediate.asn.as_number
Description | The autonomous system number (ASN) of the intermediate IP address (auto-enriched field).
Datatype | Number
Dataclass | Scalar
Examples | 54538
Enriched | True
xdm.intermediate.asn.as_name
Description | The autonomous system name of the intermediate IP address (auto-enriched field).
Datatype | String
Dataclass | Scalar
Examples | PALO ALTO NETWORKS
Enriched | True
xdm.intermediate.asn.isp
Description | The autonomous system ISP name of the intermediate IP address.
Datatype | String
Dataclass | Scalar
xdm.intermediate.asn.domain
Description | The autonomous system domain name of the intermediate IP address.
Datatype | String
Dataclass | Scalar
xdm.intermediate.asn.is_proxy
Description | Whether the autonomous system of the intermediate IP address is a proxy/VPN address (auto-enriched field).
Datatype | Boolean
Dataclass | Scalar
Enriched | True
xdm.intermediate.is_internal_ip
Description | Whether the intermediate IP address is internal (auto-enriched field).
Datatype | Boolean
Dataclass | Scalar
Enriched | True
xdm.intermediate.port
Description | The intermediate port.
Datatype | Number
Dataclass | Scalar
xdm.intermediate.cloud
Cloud-specific information about the intermediate entity.
xdm.intermediate.cloud.provider
Description | The cloud provider.
Datatype |
Dataclass | Scalar
Examples | XDM_CONST.CLOUD_PROVIDER_AWS, XDM_CONST.CLOUD_PROVIDER_GCP, XDM_CONST.CLOUD_PROVIDER_AZURE, XDM_CONST.CLOUD_PROVIDER_ALIBABA, XDM_CONST.CLOUD_PROVIDER_ON_PREM
xdm.intermediate.cloud.geo_region
Description | The cloud provider's geographic region name.
Datatype | String
Dataclass | Scalar
Examples | APAC, NORTH_AMERICA, EUROPE
xdm.intermediate.cloud.region
Description | The cloud provider's region name.
Datatype | String
Dataclass | Scalar
Examples | us-east-2, eu-west-2, me-south-1
xdm.intermediate.cloud.zone
Description | The cloud zone (sub-region) within a given region of the cloud provider.
Datatype | String
Dataclass | Scalar
Examples | us-east-1a
xdm.intermediate.cloud.project
Description | The name of the project in which the log was reported.
Datatype | String
Dataclass | Scalar
xdm.intermediate.cloud.project_hierarchy
Description | The project's parent folders or organization unit.
Datatype | String
Dataclass | Array
Examples | ['Palo Alto Networks', 'Cortex Analytics', 'dev']
xdm.intermediate.cloud.project_id
Description | The ID of the project in which the log was reported.
Datatype | String
Dataclass | Scalar
xdm.intermediate.is_proxy
Description | Whether the intermediate device is a proxy.
Datatype | Boolean
Dataclass | Scalar
xdm.intermediate.is_nat
Description | Whether the intermediate device is applying NAT.
Datatype | Boolean
Dataclass | Scalar