| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| app | - | - | The Layer 7 network protocol being exploited | | |
| authId | - | - | The authorization ID | | |
| azId | - | - | The Availability Zone ID of the virtual machine that made the request | | |
| channel | - | - | The Windows Event channel | | |
| cloudIdentityAccountId | - | - | The Cloud Identity account ID used for authorization | | |
| cloudIdentityId | - | - | The Cloud Identity ID used for authorization | | |
| cloudIdentityName | - | - | The Cloud Identity name used for authorization | | |
| cloudProvider | - | - | The service provider of the cloud asset | | |
| cloudServiceApiName | - | - | The cloud service API | | |
| cloudServiceName | - | - | The cloud service | | |
| codeIntegrityOptionEnabled | - | - | Whether the system enforced signed kernel loading according to driver signature enforcement | | |
| codeIntegrityOptionTestsign | - | - | Whether the system bypassed driver signature enforcement checks and permitted loading of test-signed drivers | | |
| correlationData | - | - | The data for correlation | - | |
| deviceType | - | - | The disk drive type | | |
| dpt | - | | The destination port | - | |
| dst | - | | The destination IP | | |
| endpointGuid | - | | The host GUID of the endpoint on which the event was detected | | |
| endpointHostName | - | | The hostname of the endpoint on which the event was detected | | |
| endpointIp | - | | The IP of the endpoint on which the event was detected | | |
| endpointMacAddress | - | - | The host MAC address | | |
| eventDataActionName | - | - | The action performed | | |
| eventDataAuthenticationPackageName | - | - | The authentication package name of the Windows Event data | | |
| eventDataConsumer | - | - | The recipient of the reported event | | |
| eventDataIpAddress | - | - | The IP address of Windows Event 4624 (successful sign-in attempt) | | |
| eventDataJobOwner | - | - | The name of the account that initiated the event | | |
| eventDataLogonProcessName | - | - | The Windows Event sign-in process name | | |
| eventDataLogonType | - | - | The sign-in type of Windows Event 4624 (successful sign-in attempt) | | |
| eventDataOperation | - | - | The Windows Event 11 (a file is created or overwritten) | | |
| eventDataPath | - | - | The path of the Windows Event data | | |
| eventDataProcessPath | - | - | The path of the process that initiated the event | | |
| eventDataProviderName | - | - | The name of the Windows Event data provider | | |
| eventDataProviderPath | - | - | The file path of the Windows Event data provider | | |
| eventDataScriptBlockText | - | - | The Windows Event 4104 (the execution of a remote command using PowerShell) | | |
| eventDataServiceFileName | - | - | The full file path of the service executable file | | |
| eventDataServiceName | - | - | The service name | | |
| eventDataStatus | - | - | The Windows Event data status | | |
| eventDataSubStatus | - | - | The Windows Event data sub-status | | |
| eventDataTargetUserName | - | - | The user name of the Windows Event data target | | |
| eventDataTaskName | - | - | The task name logged by the Windows Event | | |
| eventDataUserContext | - | - | The user context of the Windows Event data | | |
| eventHashId | - | - | The event hash ID | | |
| eventId | - | - | The event type | - | |
| eventSubId | - | - | The access type | | |
| eventTime | - | - | The time the agent detected the event | | |
| filterRiskLevel | - | - | The top-level risk level of the event | | |
| hookId | - | - | The hook ID | | |
| hostName | - | | The domain name | | |
| importTable | - | - | The imported table information | - | |
| importTableFileName | - | - | The name of the library file from which functions are imported | | |
| importTableFunctionName | - | - | The imported function file name | | |
| instanceAccountId | - | - | The cloud account ID of the virtual machine that made the request | | |
| instanceId | - | - | The virtual machine instance ID on the cloud platform | | |
| instanceName | - | - | The virtual machine that made the request | | |
| integrityLevel | - | - | The integrity level of a process | - | |
| logonUser | - | | The sign-in user name | | |
| networkInterfaceId | - | - | The network interface of the virtual machine that made the request | | |
| objectApiName | - | - | The name of the executed API | | |
| objectApiRvInNum | - | - | The API telemetry return value | | |
| objectAppName | - | - | The app involved in the AMSI event | | |
| objectAuthId | - | - | The object authorization ID | | |
| objectBmData | - | - | The BM event data | | |
| objectCmd | - | | The command line entry of the target process | | |
| objectContentName | - | - | The AMSI object content name | | |
| objectCurrentPosixPermission | - | - | The new POSIX file permission, used in file events and CHMOD events | | |
| objectFileAttributesHashId | - | - | The hash ID of the file attribute meta information | | |
| objectFileCreation | - | - | The time the object file was created | | |
| objectFileCurrentOwnerName | - | - | The current owner name of the object file | | |
| objectFileCurrentOwnerSid | - | - | The security identifier of the current owner of the object file | | |
| objectFileDaclString | - | - | The discretionary access control list of the object file | | |
| objectFileGroupName | - | - | The object file user group name | | |
| objectFileGroupSid | - | - | The security identifier of the object file group | | |
| objectFileHashId | - | - | The object file hash ID | | |
| objectFileHashMD5 | - | | The MD5 hash of the target process image or target file | | |
| objectFileHashSha1 | - | | The SHA-1 hash of the target process image or target file | | |
| objectFileHashSha256 | - | | The SHA-256 hash of the target process image or target file | | |
| objectFileIsRemoteAccess | - | - | Whether there is remote access to the object file | - | |
| objectFileModifiedTime | - | - | The time the object file was modified | | |
| objectFileOwnerName | - | - | The object file owner name | | |
| objectFileOwnerSid | - | - | The security identifier of the object file owner | | |
| objectFilePath | - | | The file path of the target process image or target file | | |
| objectFileRemoteAccess | - | - | Whether there is remote access to the object file | - | |
| objectFileSaclString | - | - | The system access control list of the object file | | |
| objectFileSize | - | - | The file size of the object file | | |
| objectFirstSeen | - | - | The first time the object was seen | | |
| objectHostName | - | | The server name where the event was detected | | |
| objectIntegrityLevel | - | - | The integrity level of the target process | - | |
| objectIp | - | | The event IP | | |
| objectIps | - | | The IP address list of the internet event | | |
| objectLastSeen | - | - | The last time the object was seen | | |
| objectLaunchTime | - | - | The object launch time of the Windows Event | | |
| objectName | - | - | The object name | | |
| objectPid | - | - | The PID of the target process | - | |
| objectPipeName | - | - | The named pipe of the event | | |
| objectPort | - | | The port used by the internet event | - | |
| objectPosixPermission | - | - | The current POSIX permission for the file | | |
| objectPosixPermissionHashId | - | - | The POSIX permission hash ID | | |
| objectProcessHashId | - | - | The FNV hash of the target process | | |
| objectRawDataSize | - | - | The raw data size of the Windows Event object | | |
| objectRawDataStr | - | - | The data contents of the AMSI event | | |
| objectRegistryData | - | | The registry value data | | |
| objectRegistryKeyHandle | - | | The registry key | | |
| objectRegistryValue | - | | The registry value name | | |
| objectRunAsLocalAccount | - | - | Whether the "runas" command uses a local account | | |
| objectSessionId | - | - | The object session ID | | |
| objectSigner | - | - | The certificate signer of the object process or file | | |
| objectSignerValid | - | - | The validity of the certificate signer | | |
| objectSubTrueType | - | - | The file object true sub-type | | |
| objectThreadId | - | - | The object process thread ID | | |
| objectTrueType | - | - | The file object true major type | | |
| objectUser | - | | The owner name of the target process or the sign-in user name | | |
| objectUserGroup | - | - | The user group name | | |
| objectUserGroupSids | - | - | The user group SIDs of the object | | |
| osDescription | - | - | The OS version | | |
| osName | - | - | The host OS | | |
| osType | - | - | The host OS type | | |
| osVer | - | - | The host OS version | | |
| parentAuthId | - | - | The parent authorization ID | | |
| parentCmd | - | | The command line entry of the parent process | | |
| parentFileCreation | - | - | The time the parent file was created | | |
| parentFileCurrentOwnerName | - | - | The current owner name of the parent file | | |
| parentFileCurrentOwnerSid | - | - | The security identifier of the current owner of the parent file | | |
| parentFileDaclString | - | - | The discretionary access control list of the parent file | | |
| parentFileGroupName | - | - | The name of the parent file user group | | |
| parentFileGroupSid | - | - | The security identifier of the parent process file group | | |
| parentFileHashId | - | - | The parent file hash ID | | |
| parentFileHashMD5 | - | | The MD5 hash of the parent process | | |
| parentFileHashSha1 | - | | The SHA-1 hash of the parent process | | |
| parentFileHashSha256 | - | | The SHA-256 hash of the parent process | | |
| parentFileModifiedTime | - | - | The time the parent file was modified | | |
| parentFileOwnerName | - | - | The owner name of the parent file | | |
| parentFileOwnerSid | - | - | The security identifier of the parent file owner | | |
| parentFilePath | - | | The file path of the parent process | | |
| parentFileRemoteAccess | - | - | The remote access to the parent file | - | |
| parentFileSaclString | - | - | The system access control list of the parent file | | |
| parentFileSize | - | - | The file size of the parent file | | |
| parentHashId | - | - | The parent hash ID | | |
| parentIntegrityLevel | - | - | The integrity level of the parent process | - | |
| parentLaunchTime | - | - | The time when the parent process was launched | | |
| parentName | - | - | The image name of the parent process | | |
| parentPid | - | - | The PID of the parent process | | |
| parentSigner | - | - | The signer of the parent file | | |
| parentSignerValid | - | - | The validity of the parent signer | - | |
| parentSubTrueType | - | - | The true file subtype of the parent file | - | |
| parentTrueType | - | - | The true file type of the parent file | - | |
| parentUser | - | - | The type of user that executed the parent process | | |
| parentUserDomain | - | - | The user domain of the parent process | | |
| parentUserGroupSids | - | - | The SIDs of the parent user group | | |
| pname | - | - | The internal product ID (deprecated; use productCode) | | |
| policyTreePath | - | - | The policy tree path | | |
| processCmd | - | | The command line entry of the subject process | | |
| processFileCreation | - | - | The time the process file was created | | |
| processFileCurrentOwnerName | - | - | The current owner name of the process file | | |
| processFileCurrentOwnerSid | - | - | The security identifier of the current owner of the process file | | |
| processFileDaclString | - | - | The discretionary access control list of the process file | | |
| processFileGroupName | - | - | The name of the process file user group | | |
| processFileGroupSid | - | - | The security identifier of the process file group | | |
| processFileHashId | - | - | The file hash of the process | | |
| processFileHashMD5 | - | | The MD5 hash of the subject process image | | |
| processFileHashSha1 | - | | The SHA-1 hash of the subject process image | | |
| processFileHashSha256 | - | | The SHA-256 hash of the subject process image | | |
| processFileModifiedTime | - | - | The time the process file was modified | | |
| processFileOwnerName | - | - | The process file owner name | | |
| processFileOwnerSid | - | - | The security identifier of the process file owner | | |
| processFilePath | - | | The file path of the subject process | | |
| processFileRemoteAccess | - | - | The remote access to the process file | - | |
| processFileSaclString | - | - | The system access control list of the process file | | |
| processFileSize | - | - | The file size of the process file | | |
| processHashId | - | - | The FNV hash of the subject process | | |
| processLaunchTime | - | - | The time the subject process was launched | | |
| processName | - | | The image name of the process that triggered the event | | |
| processPid | - | - | The PID of the subject process | | |
| processSigner | - | - | The process file signer | | |
| processSignerValid | - | - | The validity of the process signer | | |
| processSubTrueType | - | - | The true file subtype of the process | - | |
| processTrueType | - | - | The true file type of the process | - | |
| processUser | - | | The owner name of the subject process image | | |
| processUserDomain | - | - | The process user domain | | |
| processUserGroupSids | - | - | The user group SIDs of the process | | |
| productCode | - | - | The internal product code | | |
| providerGUID | - | - | The GUID of the Windows Event provider | | |
| providerName | - | - | The name of the Windows Event provider | | |
| proxy | - | - | The proxy address | | |
| publicSpt | - | | The public port of the endpoint making the request | | |
| publicSrc | - | | The public IP of the endpoint making the request | | |
| pver | - | - | The product version | | |
| rawDataSize | - | - | The size of the Windows Event log | | |
| rawDataStr | - | - | The raw contents of the Windows Event | | |
| regionId | - | - | The cloud asset region | | |
| request | - | | The request URL | | |
| smbSharedName | - | - | The shared folder name for the server that contains the files | | |
| spt | - | | The source port number | | |
| src | - | | The source address | | |
| srcFileCreation | - | - | The time the source file was created | | |
| srcFileCurrentOwnerName | - | - | The current owner name of the source file | | |
| srcFileCurrentOwnerSid | - | - | The security identifier of the current owner of the source file | | |
| srcFileDaclString | - | - | The discretionary access control list of the source file | | |
| srcFileGroupName | - | - | The source file user group name | | |
| srcFileGroupSid | - | - | The security identifier of the source file group | | |
| srcFileHashMD5 | - | | The MD5 hash of the source file | | |
| srcFileHashSha1 | - | | The SHA-1 hash of the source file | | |
| srcFileHashSha256 | - | | The SHA-256 hash of the source file | | |
| srcFileIsRemoteAccess | - | - | Whether there is remote access to the source file | - | |
| srcFileModifiedTime | - | - | The time the source file was modified | | |
| srcFileOwnerName | - | - | The source file owner name | | |
| srcFileOwnerSid | - | - | The security identifier of the source file owner | | |
| srcFilePath | - | | The source file path | | |
| srcFileSaclString | - | - | The system access control list of the source file | | |
| srcFileSize | - | - | The file size of the source file | | |
| srcFirstSeen | - | - | The first time the source file was seen | | |
| srcLastSeen | - | - | The last time the source file was seen | | |
| srcSigner | - | - | The signer of the source process file | | |
| srcSignerValid | - | - | The validity of the source process signer | - | |
| subnetId | - | - | The subnet ID of the virtual machine that made the request | | |
| tags | - | | The detected technique ID based on the alert filter | | |
| timezone | - | - | The host time zone | | |
| userDomain | - | - | The user domain name | | |
| uuid | - | - | The unique key of the log | | |
| vpcId | - | - | The virtual private cloud that contains the cloud asset | | |
| winEventId | - | - | The Windows Event ID | | |