xdm.source

Cortex Data Model Schema Guide

Product
Cortex XSIAM
Last date published
2024-06-30
Category
XSIAM Data Model Schema

Information about the source of the activity

xdm.source.host

The source host that initiated the activity.

xdm.source.host.hostname

Description

The host name of the source host that initiated the activity.

Datatype

String

Dataclass

Scalar

xdm.source.host.os_family

Description

The operating system of the source host that initiated the activity.

Datatype

XDM_CONST.OS_FAMILY

Dataclass

Scalar

Examples

XDM_CONST.OS_FAMILY_WINDOWS, XDM_CONST.OS_FAMILY_MACOS, XDM_CONST.OS_FAMILY_LINUX, XDM_CONST.OS_FAMILY_ANDROID, XDM_CONST.OS_FAMILY_IOS

xdm.source.host.os

Description

The specific operating system of the source host that initiated the activity, including version.

Datatype

String

Dataclass

Scalar

xdm.source.host.fqdn

Description

The fully-qualified domain name (FQDN) of the source host that initiated the activity.

Datatype

String

Dataclass

Scalar

xdm.source.host.device_category

Description

The device category of the source host that initiated the activity.

Datatype

String

Dataclass

Scalar

Examples

Infusion System, ATM Machine, Personal Computer, 3D Printer

xdm.source.host.device_model

Description

The device model of the source host that initiated the activity.

Datatype

String

Dataclass

Scalar

Examples

iPad, PA-3200, ThinkPad E14, e2-highmem-8, t2.micro

xdm.source.host.device_id

Description

The unique device ID of the source host that initiated the activity.

Datatype

String

Dataclass

Scalar

xdm.source.host.ipv4_addresses

Description

The IPv4 addresses of the source host that initiated the activity.

Datatype

IPv4

Dataclass

Array

xdm.source.host.ipv6_addresses

Description

The IPv6 addresses of the source host that initiated the activity.

Datatype

IPv6

Dataclass

Array

xdm.source.host.ipv4_public_addresses

Description

The IPv4 public addresses of the source host that initiated the activity.

Datatype

IPv4

Dataclass

Array

xdm.source.host.ipv6_public_addresses

Description

The IPv6 public addresses of the source host that initiated the activity.

Datatype

IPv6

Dataclass

Array

xdm.source.host.mac_addresses

Description

The MAC addresses of the source host that initiated the activity.

Datatype

String

Dataclass

Array

xdm.source.host.manufacturer

Description

The device manufacturer of the source host that initiated the activity.

Datatype

String

Dataclass

Scalar

xdm.source.host.hardware_uuid

Description

The unique hardware manufacturing ID of the source host that initiated the activity.

Datatype

String

Dataclass

Scalar

xdm.source.host.boot_time

Description

The last known start up time of the source host that initiated the activity.

Datatype

Timestamp

Dataclass

Scalar

xdm.source.host.image

Description

The image/runtime name/ID of the source host that initiated the activity.

Datatype

String

Dataclass

Scalar

Examples

ami-19231, python3.9, nodejs14.x

xdm.source.host.memory

Description

The memory capacity size in bytes of the source host that initiated the activity.

Datatype

Number

Dataclass

Scalar

xdm.source.agent

The agent on the host that initiated the activity.

xdm.source.agent.identifier

Description

The ID of the agent on the host that initiated the activity.

Datatype

String

Dataclass

Scalar

xdm.source.agent.type

Description

The type of the agent on the host that initiated the activity.

Datatype

XDM_CONST.AGENT_TYPE

Dataclass

Scalar

Examples

XDM_CONST.AGENT_TYPE_REGULAR, XDM_CONST.AGENT_TYPE_COLLECTOR, XDM_CONST.AGENT_TYPE_VDI, XDM_CONST.AGENT_TYPE_CLOUD

xdm.source.agent.version

Description

The version of the agent on the host that initiated the activity.

Datatype

String

Dataclass

Scalar

xdm.source.agent.content_version

Description

The content version of the agent on the host that initiated the activity.

Datatype

String

Dataclass

Scalar

xdm.source.agent.installation_time

Description

The installation time of the agent on the host that initiated the activity.

Datatype

Timestamp

Dataclass

Scalar

xdm.source.user

The user who initiated the activity.

xdm.source.user.identifier

Description

The ID of the user, such as a GUID, SID or any other ID that uniquely identifies the user who initiated the activity.

Datatype

String

Dataclass

Scalar

xdm.source.user.username

Description

The user name used for identification of the user who initiated the activity.

Datatype

String

Dataclass

Scalar

xdm.source.user.user_type

Description

The type of the user who initiated the activity.

Datatype

XDM_CONST.USER_TYPE

Dataclass

Scalar

Examples

XDM_CONST.USER_TYPE_REGULAR, XDM_CONST.USER_TYPE_SERVICE_ACCOUNT, XDM_CONST.USER_TYPE_MACHINE_ACCOUNT

xdm.source.user.first_name

Description

The first name of the user who initiated the activity.

Datatype

String

Dataclass

Scalar

xdm.source.user.last_name

Description

The last name of the user who initiated the activity.

Datatype

String

Dataclass

Scalar

xdm.source.user.middle_name

Description

The middle name of the user who initiated the activity.

Datatype

String

Dataclass

Scalar

xdm.source.user.employee_id

Description

The employee ID of the user who initiated the activity.

Datatype

String

Dataclass

Scalar

xdm.source.user.badge_id

Description

The work badge ID of the user who initiated the activity.

Datatype

String

Dataclass

Scalar

xdm.source.user.ou

Description

The organization unit of the user who initiated the activity.

Datatype

String

Dataclass

Scalar

xdm.source.user.domain

Description

The domain to which the user who initiated the activity belongs.

Datatype

String

Dataclass

Scalar

xdm.source.user.is_password_changeable

Description

Whether the password of the user who initiated the activity is changeable.

Datatype

Boolean

Dataclass

Scalar

xdm.source.user.is_password_expired

Description

Whether the password of the user who initiated the activity has expired.

Datatype

Boolean

Dataclass

Scalar

xdm.source.user.is_password_required

Description

Whether the password of the user who initiated the activity is required.

Datatype

Boolean

Dataclass

Scalar

xdm.source.user.is_disabled

Description

Whether the user who initiated the activity is disabled.

Datatype

Boolean

Dataclass

Scalar

xdm.source.user.groups

Description

The groups or roles to which the user who initiated the activity belongs.

Datatype

String

Dataclass

Array

xdm.source.user.netbios_domain

Description

The NetBIOS domain name, i.e. the subdomain portion of the DNS domain name of the user who initiated the activity. See https://docs.microsoft.com/en-us/exchange/disjoint-namespace-scenarios-exchange-2013-help#dns-and-netbios-domain-names (auto-enriched field).

Datatype

String

Dataclass

Scalar

Examples

mycompany

Enriched

True

xdm.source.user.sam_account_name

Description

The logon name of the user who initiated the activity. See https://docs.microsoft.com/en-us/windows/win32/ad/naming-properties#samaccountname (auto-enriched field).

Datatype

String

Dataclass

Scalar

Examples

jondoe

Enriched

True

xdm.source.user.upn

Description

The principal name of the user who initiated the activity. See https://docs.microsoft.com/en-us/windows/win32/ad/naming-properties#userprincipalname (auto-enriched field).

Datatype

String

Dataclass

Scalar

Examples

jon.doe@mycompany.com

Enriched

True

xdm.source.user.identity_type

Description

The identity type of the user who initiated the activity (auto-enriched field).

Datatype

XDM_CONST.IDENTITY_TYPE

Dataclass

Scalar

Examples

XDM_CONST.IDENTITY_TYPE_MACHINE, XDM_CONST.IDENTITY_TYPE_USER, XDM_CONST.IDENTITY_TYPE_BUILTIN, XDM_CONST.IDENTITY_TYPE_VIRTUAL, XDM_CONST.IDENTITY_TYPE_UNKNOWN

Enriched

True

xdm.source.user.scope

Description

The scope of the user who initiated the activity (auto-enriched field).

Datatype

XDM_CONST.SCOPE_TYPE

Dataclass

Scalar

Examples

XDM_CONST.SCOPE_TYPE_LOCAL, XDM_CONST.SCOPE_TYPE_DOMAIN, XDM_CONST.SCOPE_TYPE_AZURE, XDM_CONST.SCOPE_TYPE_MICROSOFT, XDM_CONST.SCOPE_TYPE_UNKNOWN

Enriched

True

xdm.source.location

The location of the source host.

xdm.source.location.country

Description

The country of the source host (auto-enriched field).

Datatype

String

Dataclass

Scalar

Examples

Japan

Enriched

True

xdm.source.location.city

Description

The city of the source host (auto-enriched field).

Datatype

String

Dataclass

Scalar

Examples

Tokyo

Enriched

True

xdm.source.location.continent

Description

The continent of the source host (auto-enriched field).

Datatype

String

Dataclass

Scalar

Examples

Asia

Enriched

True

xdm.source.location.region

Description

The region of the source host (auto-enriched field).

Datatype

String

Dataclass

Scalar

Examples

Tokyo

Enriched

True

xdm.source.location.latitude

Description

Latitude coordinate of the source host's location (auto-enriched field).

Datatype

Float

Dataclass

Scalar

Examples

45.505918

Enriched

True

xdm.source.location.longitude

Description

Longitude coordinate of the source host's location (auto-enriched field).

Datatype

Float

Dataclass

Scalar

Examples

-73.61483

Enriched

True

xdm.source.location.timezone

Description

Timezone in Continent/City format of the source host (auto-enriched field).

Datatype

String

Dataclass

Scalar

Examples

Asia/Tokyo

Enriched

True

xdm.source.process

The source process.

xdm.source.process.name

Description

The name of the source process.

Datatype

String

Dataclass

Scalar

xdm.source.process.pid

Description

The ID of the source process, provided by the operating system.

Datatype

Number

Dataclass

Scalar

xdm.source.process.identifier

Description

The unique ID of the source process, provided by the agent.

Datatype

String

Dataclass

Scalar

xdm.source.process.command_line

Description

The command line that the source process is executing.

Datatype

String

Dataclass

Scalar

xdm.source.process.causality_id

Description

The ID of the root process that triggered the chain that the source process is a part of.

Datatype

String

Dataclass

Scalar

xdm.source.process.parent_id

Description

The ID of the direct parent process that triggered the source process.

Datatype

String

Dataclass

Scalar

xdm.source.process.integrity_level

Description

The mode of operation level in which the source process is running.

Datatype

Number

Dataclass

Scalar

xdm.source.process.executable

The executable of the source process.

xdm.source.process.executable.filename

Description

The file name of the source process executable.

Datatype

String

Dataclass

Scalar

xdm.source.process.executable.path

Description

The file path of the source process executable.

Datatype

String

Dataclass

Scalar

xdm.source.process.executable.directory

Description

The file directory of the source process executable.

Datatype

String

Dataclass

Scalar

xdm.source.process.executable.extension

Description

The file extension of the source process executable.

Datatype

String

Dataclass

Scalar

xdm.source.process.executable.file_type

Description

The file type of the source process executable.

Datatype

String

Dataclass

Scalar

xdm.source.process.executable.md5

Description

The MD5 hash signature for the source process executable content.

Datatype

MD5

Dataclass

Scalar

xdm.source.process.executable.sha256

Description

The SHA256 hash signature for the source process executable content.

Datatype

SHA256

Dataclass

Scalar

xdm.source.process.executable.is_signed

Description

Whether the loaded module of the source process executable is signed.

Datatype

Boolean

Dataclass

Scalar

Examples

True

xdm.source.process.executable.signer

Description

The signer of the source process executable.

Datatype

String

Dataclass

Scalar

Examples

Microsoft Corporation

xdm.source.process.executable.signature_status

Description

The signature status of the source process executable.

Datatype

XDM_CONST.SIGNATURE_STATUS

Dataclass

Scalar

Examples

XDM_CONST.SIGNATURE_STATUS_UNSIGNED, XDM_CONST.SIGNATURE_STATUS_SIGNED_INVALID, XDM_CONST.SIGNATURE_STATUS_SIGNED_VERIFIED, XDM_CONST.SIGNATURE_STATUS_STATUS_UNKNOWN

xdm.source.process.executable.size

Description

Size in bytes of the source process executable.

Datatype

Number

Dataclass

Scalar

xdm.source.process.thread_id

Description

The thread ID of the source process.

Datatype

Number

Dataclass

Scalar

xdm.source.process.is_injected

Description

Whether the source process's thread/activity is executed via process injection.

Datatype

Boolean

Dataclass

Scalar

xdm.source.process.container_id

Description

ID of the container that is running the source process.

Datatype

String

Dataclass

Scalar

xdm.source.application

The source application that initiated the activity.

xdm.source.application.name

Description

The name of the source application that initiated the activity.

Datatype

String

Dataclass

Scalar

xdm.source.application.version

Description

The version of the source application that initiated the activity.

Datatype

String

Dataclass

Scalar

xdm.source.application.publisher

Description

The publisher (vendor/company) of the source application that initiated the activity.

Datatype

String

Dataclass

Scalar

xdm.source.application.installation_timestamp

Description

The installation time of the source application that initiated the activity.

Datatype

String

Dataclass

Scalar

xdm.source.application.from_appstore

Description

Whether the source application that initiated the activity was installed from an application store.

Datatype

Boolean

Dataclass

Scalar

xdm.source.user_agent

Description

The source user-agent.

Datatype

String

Dataclass

Scalar

xdm.source.ipv4

Description

The source IPv4 address of the activity.

Datatype

IPv4

Dataclass

Scalar

xdm.source.ipv6

Description

The source IPv6 address of the activity.

Datatype

IPv6

Dataclass

Scalar

xdm.source.asn

Autonomous system information for the source IP address.

xdm.source.asn.as_number

Description

The autonomous system number (ASN) of the source IP address (auto-enriched field).

Datatype

Number

Dataclass

Scalar

Examples

54538

Enriched

True

xdm.source.asn.as_name

Description

The autonomous system name of the source IP address (auto-enriched field).

Datatype

String

Dataclass

Scalar

Examples

PALO ALTO NETWORKS

Enriched

True

xdm.source.asn.isp

Description

The autonomous system ISP name of the source IP address.

Datatype

String

Dataclass

Scalar

xdm.source.asn.domain

Description

The autonomous system domain name of the source IP address.

Datatype

String

Dataclass

Scalar

xdm.source.asn.is_proxy

Description

Whether the autonomous system of the source IP address is a proxy/VPN address (auto-enriched field).

Datatype

Boolean

Dataclass

Scalar

Enriched

True

xdm.source.is_internal_ip

Description

Whether the source IP address is internal (auto-enriched field).

Datatype

Boolean

Dataclass

Scalar

Enriched

True

xdm.source.port

Description

The source port.

Datatype

Number

Dataclass

Scalar

xdm.source.sent_bytes

Description

The number of bytes transmitted by the source host.

Datatype

Number

Dataclass

Scalar

xdm.source.sent_packets

Description

The number of packets transmitted by the source host.

Datatype

Number

Dataclass

Scalar

xdm.source.interface

Description

The source interface address (usually the MAC address).

Datatype

String

Dataclass

Scalar

xdm.source.zone

Description

The region/zone of the source host.

Datatype

String

Dataclass

Scalar

xdm.source.subnet

Description

The subnet of the source IP address, in CIDR notation.

Datatype

String

Dataclass

Scalar

Examples

198.51.100.0/22, 2001:db8::/48

xdm.source.vlan

Description

The VLAN of the source host.

Datatype

Number

Dataclass

Scalar

xdm.source.cloud

Cloud-specific information about the source.

xdm.source.cloud.provider

Description

The cloud provider.

Datatype

XDM_CONST.CLOUD_PROVIDER

Dataclass

Scalar

Examples

XDM_CONST.CLOUD_PROVIDER_AWS, XDM_CONST.CLOUD_PROVIDER_GCP, XDM_CONST.CLOUD_PROVIDER_AZURE, XDM_CONST.CLOUD_PROVIDER_ALIBABA, XDM_CONST.CLOUD_PROVIDER_ON_PREM

xdm.source.cloud.geo_region

Description

The cloud provider's cloud geo region name.

Datatype

String

Dataclass

Scalar

Examples

APAC, NORTH_AMERICA, EUROPE

xdm.source.cloud.region

Description

The cloud provider's cloud region name.

Datatype

String

Dataclass

Scalar

Examples

us-east-2, eu-west-2, me-south-1

xdm.source.cloud.zone

Description

The cloud zone/sub-region within a given region of the cloud provider.

Datatype

String

Dataclass

Scalar

Examples

us-east-1a

xdm.source.cloud.project

Description

The project name in which the log was reported.

Datatype

String

Dataclass

Scalar

xdm.source.cloud.project_hierarchy

Description

The project's parent folders / organization unit.

Datatype

String

Dataclass

Array

Examples

['Palo Alto Networks', 'Cortex Analytics', 'dev']

xdm.source.cloud.project_id

Description

The project ID in which the log was reported.

Datatype

String

Dataclass

Scalar