Information about the source of the activity
xdm.source.host
The source host that initiated the activity.

| Field | Description | Datatype | Dataclass | Examples |
|---|---|---|---|---|
| xdm.source.host.hostname | The host name of the source host that initiated the activity. | String | Scalar | |
| xdm.source.host.os_family | The operating system family of the source host that initiated the activity. | | Scalar | XDM_CONST.OS_FAMILY_WINDOWS, XDM_CONST.OS_FAMILY_MACOS, XDM_CONST.OS_FAMILY_LINUX, XDM_CONST.OS_FAMILY_ANDROID, XDM_CONST.OS_FAMILY_IOS |
| xdm.source.host.os | The specific operating system of the source host that initiated the activity, including version. | String | Scalar | |
| xdm.source.host.fqdn | The fully qualified domain name (FQDN) of the source host that initiated the activity. | String | Scalar | |
| xdm.source.host.device_category | The device category of the source host that initiated the activity. | String | Scalar | Infusion System, ATM Machine, Personal Computer, 3D Printer |
| xdm.source.host.device_model | The device model of the source host that initiated the activity. | String | Scalar | iPad, PA-3200, ThinkPad E14, e2-highmem-8, t2.micro |
| xdm.source.host.device_id | The unique device ID of the source host that initiated the activity. | String | Scalar | |
| xdm.source.host.ipv4_addresses | The IPv4 addresses of the source host that initiated the activity. | IPv4 | Array | |
| xdm.source.host.ipv6_addresses | The IPv6 addresses of the source host that initiated the activity. | IPv6 | Array | |
| xdm.source.host.ipv4_public_addresses | The public IPv4 addresses of the source host that initiated the activity. | IPv4 | Array | |
| xdm.source.host.ipv6_public_addresses | The public IPv6 addresses of the source host that initiated the activity. | IPv6 | Array | |
| xdm.source.host.mac_addresses | The MAC addresses of the source host that initiated the activity. | String | Array | |
| xdm.source.host.manufacturer | The device manufacturer of the source host that initiated the activity. | String | Scalar | |
| xdm.source.host.hardware_uuid | The unique hardware manufacturing ID of the source host that initiated the activity. | String | Scalar | |
| xdm.source.host.boot_time | The last known startup time of the source host that initiated the activity. | Timestamp | Scalar | |
| xdm.source.host.image | The image/runtime name or ID of the source host that initiated the activity. | String | Scalar | ami-19231, python3.9, nodejs14.x |
| xdm.source.host.memory | The memory capacity in bytes of the source host that initiated the activity. | Number | Scalar | |
xdm.source.agent
The agent on the host that initiated the activity.

| Field | Description | Datatype | Dataclass | Examples |
|---|---|---|---|---|
| xdm.source.agent.identifier | The ID of the agent on the host that initiated the activity. | String | Scalar | |
| xdm.source.agent.type | The type of the agent on the host that initiated the activity. | | Scalar | XDM_CONST.AGENT_TYPE_REGULAR, XDM_CONST.AGENT_TYPE_COLLECTOR, XDM_CONST.AGENT_TYPE_VDI, XDM_CONST.AGENT_TYPE_CLOUD |
| xdm.source.agent.version | The version of the agent on the host that initiated the activity. | String | Scalar | |
| xdm.source.agent.content_version | The content version of the agent on the host that initiated the activity. | String | Scalar | |
| xdm.source.agent.installation_time | The installation time of the agent on the host that initiated the activity. | Timestamp | Scalar | |
xdm.source.user
The user who initiated the activity.

| Field | Description | Datatype | Dataclass | Examples | Enriched |
|---|---|---|---|---|---|
| xdm.source.user.identifier | The ID of the user, such as a GUID, SID or any other ID that uniquely identifies the user who initiated the activity. | String | Scalar | | |
| xdm.source.user.username | The user name used to identify the user who initiated the activity. | String | Scalar | | |
| xdm.source.user.user_type | The type of the user who initiated the activity. | | Scalar | XDM_CONST.USER_TYPE_REGULAR, XDM_CONST.USER_TYPE_SERVICE_ACCOUNT, XDM_CONST.USER_TYPE_MACHINE_ACCOUNT | |
| xdm.source.user.first_name | The first name of the user who initiated the activity. | String | Scalar | | |
| xdm.source.user.last_name | The last name of the user who initiated the activity. | String | Scalar | | |
| xdm.source.user.middle_name | The middle name of the user who initiated the activity. | String | Scalar | | |
| xdm.source.user.employee_id | The employee ID of the user who initiated the activity. | String | Scalar | | |
| xdm.source.user.badge_id | The work badge ID of the user who initiated the activity. | String | Scalar | | |
| xdm.source.user.ou | The organizational unit of the user who initiated the activity. | String | Scalar | | |
| xdm.source.user.domain | The domain to which the user who initiated the activity belongs. | String | Scalar | | |
| xdm.source.user.is_password_changeable | Whether the password of the user who initiated the activity is changeable. | Boolean | Scalar | | |
| xdm.source.user.is_password_expired | Whether the password of the user who initiated the activity has expired. | Boolean | Scalar | | |
| xdm.source.user.is_password_required | Whether a password is required for the user who initiated the activity. | Boolean | Scalar | | |
| xdm.source.user.is_disabled | Whether the user who initiated the activity is disabled. | Boolean | Scalar | | |
| xdm.source.user.groups | The groups or roles to which the user who initiated the activity belongs. | String | Array | | |
| xdm.source.user.netbios_domain | The NetBIOS domain name, i.e. the subdomain of the DNS domain name of the user who initiated the activity. See https://docs.microsoft.com/en-us/exchange/disjoint-namespace-scenarios-exchange-2013-help#dns-and-netbios-domain-names (auto-enriched field). | String | Scalar | mycompany | True |
| xdm.source.user.sam_account_name | The logon name of the user who initiated the activity. See https://docs.microsoft.com/en-us/windows/win32/ad/naming-properties#samaccountname (auto-enriched field). | String | Scalar | jondoe | True |
| xdm.source.user.upn | The user principal name of the user who initiated the activity. See https://docs.microsoft.com/en-us/windows/win32/ad/naming-properties#userprincipalname (auto-enriched field). | String | Scalar | jon.doe@mycompany.com | True |
| xdm.source.user.identity_type | The identity type of the user who initiated the activity (auto-enriched field). | | Scalar | XDM_CONST.IDENTITY_TYPE_MACHINE, XDM_CONST.IDENTITY_TYPE_USER, XDM_CONST.IDENTITY_TYPE_BUILTIN, XDM_CONST.IDENTITY_TYPE_VIRTUAL, XDM_CONST.IDENTITY_TYPE_UNKNOWN | True |
| xdm.source.user.scope | The scope of the user who initiated the activity (auto-enriched field). | | Scalar | XDM_CONST.SCOPE_TYPE_LOCAL, XDM_CONST.SCOPE_TYPE_DOMAIN, XDM_CONST.SCOPE_TYPE_AZURE, XDM_CONST.SCOPE_TYPE_MICROSOFT, XDM_CONST.SCOPE_TYPE_UNKNOWN | True |
xdm.source.location
The geographic location of the source host.

| Field | Description | Datatype | Dataclass | Examples | Enriched |
|---|---|---|---|---|---|
| xdm.source.location.country | The country of the source host (auto-enriched field). | String | Scalar | Japan | True |
| xdm.source.location.city | The city of the source host (auto-enriched field). | String | Scalar | Tokyo | True |
| xdm.source.location.continent | The continent of the source host (auto-enriched field). | String | Scalar | Asia | True |
| xdm.source.location.region | The region of the source host (auto-enriched field). | String | Scalar | Tokyo | True |
| xdm.source.location.latitude | The latitude coordinate of the source host's location (auto-enriched field). | Float | Scalar | 45.505918 | True |
| xdm.source.location.longitude | The longitude coordinate of the source host's location (auto-enriched field). | Float | Scalar | -73.61483 | True |
| xdm.source.location.timezone | The timezone of the source host in Continent/City format (auto-enriched field). | String | Scalar | Asia/Tokyo | True |
xdm.source.process
The source process.

| Field | Description | Datatype | Dataclass |
|---|---|---|---|
| xdm.source.process.name | The name of the source process. | String | Scalar |
| xdm.source.process.pid | The ID of the source process, as assigned by the operating system. | Number | Scalar |
| xdm.source.process.identifier | The unique ID of the source process, as assigned by the agent. | String | Scalar |
| xdm.source.process.command_line | The command line that the source process is executing. | String | Scalar |
| xdm.source.process.causality_id | The ID of the root process that triggered the chain of which the source process is a part. | String | Scalar |
| xdm.source.process.parent_id | The ID of the direct parent process that spawned the source process. | String | Scalar |
| xdm.source.process.integrity_level | The integrity level (mode of operation) in which the source process is running. | Number | Scalar |

xdm.source.process.executable
The executable file of the source process.

| Field | Description | Datatype | Dataclass | Examples |
|---|---|---|---|---|
| xdm.source.process.executable.filename | The file name of the source process executable. | String | Scalar | |
| xdm.source.process.executable.path | The file path of the source process executable. | String | Scalar | |
| xdm.source.process.executable.directory | The directory of the source process executable. | String | Scalar | |
| xdm.source.process.executable.extension | The file extension of the source process executable. | String | Scalar | |
| xdm.source.process.executable.file_type | The file type of the source process executable. | String | Scalar | |
| xdm.source.process.executable.md5 | The MD5 hash of the source process executable content. | MD5 | Scalar | |
| xdm.source.process.executable.sha256 | The SHA256 hash of the source process executable content. | SHA256 | Scalar | |
| xdm.source.process.executable.is_signed | Whether the loaded module of the source process executable is signed. | Boolean | Scalar | True |
| xdm.source.process.executable.signer | The signer of the source process executable. | String | Scalar | Microsoft Corporation |
| xdm.source.process.executable.signature_status | The signature status of the source process executable. | | Scalar | XDM_CONST.SIGNATURE_STATUS_UNSIGNED, XDM_CONST.SIGNATURE_STATUS_SIGNED_INVALID, XDM_CONST.SIGNATURE_STATUS_SIGNED_VERIFIED, XDM_CONST.SIGNATURE_STATUS_STATUS_UNKNOWN |
| xdm.source.process.executable.size | The size in bytes of the source process executable. | Number | Scalar | |

Remaining xdm.source.process fields:

| Field | Description | Datatype | Dataclass |
|---|---|---|---|
| xdm.source.process.thread_id | The thread ID of the source process. | Number | Scalar |
| xdm.source.process.is_injected | Whether the source process's thread/activity is executed via process injection. | Boolean | Scalar |
| xdm.source.process.container_id | The ID of the container that is running the source process. | String | Scalar |
xdm.source.application
The source application that initiated the activity.

| Field | Description | Datatype | Dataclass |
|---|---|---|---|
| xdm.source.application.name | The name of the source application that initiated the activity. | String | Scalar |
| xdm.source.application.version | The version of the source application that initiated the activity. | String | Scalar |
| xdm.source.application.publisher | The publisher (vendor/company) of the source application that initiated the activity. | String | Scalar |
| xdm.source.application.installation_timestamp | The installation time of the source application that initiated the activity. | String | Scalar |
| xdm.source.application.from_appstore | Whether the source application that initiated the activity was installed from an application store. | Boolean | Scalar |
| Field | Description | Datatype | Dataclass |
|---|---|---|---|
| xdm.source.user_agent | The source user-agent. | String | Scalar |
| xdm.source.ipv4 | The source IPv4 address of the activity. | IPv4 | Scalar |
| xdm.source.ipv6 | The source IPv6 address of the activity. | IPv6 | Scalar |
xdm.source.asn
The autonomous system of the source IP address.

| Field | Description | Datatype | Dataclass | Examples | Enriched |
|---|---|---|---|---|---|
| xdm.source.asn.as_number | The autonomous system number (ASN) of the source IP address (auto-enriched field). | Number | Scalar | 54538 | True |
| xdm.source.asn.as_name | The autonomous system name of the source IP address (auto-enriched field). | String | Scalar | PALO ALTO NETWORKS | True |
| xdm.source.asn.isp | The ISP name of the autonomous system of the source IP address. | String | Scalar | | |
| xdm.source.asn.domain | The domain name of the autonomous system of the source IP address. | String | Scalar | | |
| xdm.source.asn.is_proxy | Whether the autonomous system of the source IP address is a proxy/VPN address (auto-enriched field). | Boolean | Scalar | | True |
| Field | Description | Datatype | Dataclass | Examples | Enriched |
|---|---|---|---|---|---|
| xdm.source.is_internal_ip | Whether the source IP address is internal (auto-enriched field). | Boolean | Scalar | | True |
| xdm.source.port | The source port. | Number | Scalar | | |
| xdm.source.sent_bytes | The number of bytes transmitted by the source host. | Number | Scalar | | |
| xdm.source.sent_packets | The number of packets transmitted by the source host. | Number | Scalar | | |
| xdm.source.interface | The source interface address (usually the MAC address). | String | Scalar | | |
| xdm.source.zone | The region/zone of the source host. | String | Scalar | | |
| xdm.source.subnet | The subnet of the source IP address, in CIDR notation. | String | Scalar | 198.51.100.0/22, 2001:db8::/48 | |
| xdm.source.vlan | The VLAN of the source host. | Number | Scalar | | |
xdm.source.cloud
Cloud-specific information about the source.

| Field | Description | Datatype | Dataclass | Examples |
|---|---|---|---|---|
| xdm.source.cloud.provider | The cloud provider. | | Scalar | XDM_CONST.CLOUD_PROVIDER_AWS, XDM_CONST.CLOUD_PROVIDER_GCP, XDM_CONST.CLOUD_PROVIDER_AZURE, XDM_CONST.CLOUD_PROVIDER_ALIBABA, XDM_CONST.CLOUD_PROVIDER_ON_PREM |
| xdm.source.cloud.geo_region | The cloud provider's geographic region name. | String | Scalar | APAC, NORTH_AMERICA, EUROPE |
| xdm.source.cloud.region | The cloud provider's region name. | String | Scalar | us-east-2, eu-west-2, me-south-1 |
| xdm.source.cloud.zone | The cloud zone (sub-region) within a given region of the cloud provider. | String | Scalar | us-east-1a |
| xdm.source.cloud.project | The name of the project in which the log was reported. | String | Scalar | |
| xdm.source.cloud.project_hierarchy | The project's parent folders / organizational unit. | String | Array | ['Palo Alto Networks', 'Cortex Analytics', 'dev'] |
| xdm.source.cloud.project_id | The ID of the project in which the log was reported. | String | Scalar | |