xdm.observer

Cortex Data Model Schema Guide

Product: Cortex XSIAM
Last date published: 2024-11-27
Category: XSIAM Data Model Schema

The device, agent, or data provider that observed and reported the event.

xdm.observer.vendor

Description: The vendor of the observing device/agent (auto-enriched field).
Datatype: String
Dataclass: Scalar
Enriched: True

xdm.observer.product

Description: The product name of the observing device/agent (auto-enriched field).
Datatype: String
Dataclass: Scalar
Enriched: True

xdm.observer.type

Description: The type of the observing device/agent.
Datatype: String
Dataclass: Scalar

xdm.observer.version

Description: The version of the observing device/agent.
Datatype: String
Dataclass: Scalar

xdm.observer.content_version

Description: The content version of the observing device/agent.
Datatype: String
Dataclass: Scalar

xdm.observer.unique_identifier

Description: The unique identifier of the observing device/agent.
Datatype: String
Dataclass: Scalar

xdm.observer.name

Description: The name of the observing device. Can be a host name, domain name, etc.
Datatype: String
Dataclass: Scalar

xdm.observer.action

Description: The action that the observer performed related to the activity.
Datatype: String
Dataclass: Scalar