| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| additionalInfo |  | - | The filter rule information |  |  |
| app |  | - | The Layer 7 (application) network protocol being exploited |  |  |
| authId |  | - | The authorization ID |  |  |
| azId |  | - | The Availability Zone ID of the virtual machine that made the request |  |  |
| channel |  | - | The Windows Event channel |  |  |
| cloudIdentityAccountId |  | - | The Cloud Identity account ID used for authorization |  |  |
| cloudIdentityId |  | - | The Cloud Identity ID used for authorization |  |  |
| cloudIdentityName |  | - | The Cloud Identity name used for authorization |  |  |
| cloudProvider |  | - | The service provider of the cloud asset |  |  |
| cloudServiceApiName |  | - | The cloud service API |  |  |
| cloudServiceName |  | - | The cloud service |  |  |
| codeIntegrityOptionEnabled |  | - | Whether the system enforced driver signature enforcement (only signed kernel-mode code may load) |  |  |
| codeIntegrityOptionTestsign |  | - | Whether test-signing mode was enabled, allowing test-signed drivers to load despite driver signature enforcement |  |  |
| correlationData |  | - | The data used for correlation | - |  |
| customAssetTags |  | - | The list of custom asset tags |  |  |
| deviceType |  | - | The disk drive type |  |  |
| dpt |  |  | The destination port | - |  |
| dst |  |  | The destination IP |  |  |
| endpointGuid |  |  | The host GUID of the endpoint on which the event was detected |  |  |
| endpointHostName |  |  | The hostname of the endpoint on which the event was detected |  |  |
| endpointIp |  |  | The IP address of the endpoint on which the event was detected |  |  |
| endpointMacAddress |  | - | The host MAC address |  |  |
| eventDataAccessList |  | - | The list of requested access rights |  |  |
| eventDataAccessMask |  | - | The hexadecimal value of the permissions requested or used during an access attempt |  |  |
| eventDataActionName |  | - | The action performed |  |  |
| eventDataAuthenticationPackageName |  | - | The authentication package name in the Windows Event data |  |  |
| eventDataConsumer |  | - | The consumer (recipient) of the reported event |  |  |
| eventDataElevatedToken |  | - | Whether the session is elevated and has administrator privileges |  |  |
| eventDataFullyQualifiedAssemblyName |  | - | The fully qualified .NET assembly name |  |  |
| eventDataImpersonationLevel |  | - | The sign-in session impersonation level |  |  |
| eventDataIpAddress |  | - | The source IP address recorded in Windows Event 4624 (successful sign-in) |  |  |
| eventDataJobOwner |  | - | The name of the account that initiated the event |  |  |
| eventDataLogonProcessName |  | - | The sign-in (logon) process name recorded in the Windows Event |  |  |
| eventDataLogonType |  | - | The sign-in (logon) type recorded in Windows Event 4624 (successful sign-in) |  |  |
| eventDataModuleILPath |  | - | The CIL image path of the module, or the dynamic module name |  |  |
| eventDataObjectName |  | - | The identifying information about the object for which access was requested |  |  |
| eventDataObjectType |  | - | The object type |  |  |
| eventDataOperation |  | - | The operation recorded by Windows Event 11 |  |  |
| eventDataPath |  | - | The path in the Windows Event data |  |  |
| eventDataProcessPath |  | - | The path of the process that initiated the event |  |  |
| eventDataProviderName |  | - | The name of the Windows Event data provider |  |  |
| eventDataProviderPath |  | - | The file path of the Windows Event data provider |  |  |
| eventDataScriptBlockText |  | - | The script block text of Windows Event 4104 (PowerShell script block logging; the execution of a remote command) |  |  |
| eventDataServiceFileName |  | - | The full file path of the service executable |  |  |
| eventDataServiceName |  | - | The service name |  |  |
| eventDataStatus |  | - | The Windows Event data status |  |  |
| eventDataSubStatus |  | - | The Windows Event data sub-status |  |  |
| eventDataSubjectUserName |  | - | The subject account name |  |  |
| eventDataTargetDomainName |  | - | The domain or computer name of the target sign-in account |  |  |
| eventDataTargetName |  | - | The service, application, or network resource name |  |  |
| eventDataTargetUserName |  | - | The target user name in the Windows Event data |  |  |
| eventDataTaskName |  | - | The task name logged by the Windows Event |  |  |
| eventDataTicketEncryptionType |  | - | The encryption type used for the Kerberos ticket (TGS) |  |  |
| eventDataTicketOptions |  | - | The Kerberos ticket option flags (behavior and permissions) of the authentication request |  |  |
| eventDataUserContext |  | - | The user context in the Windows Event data |  |  |
| eventDataWorkstationName |  | - | The name of the computer used in the sign-in attempt |  |  |
| eventHashId |  | - | The event hash ID |  |  |
| eventId |  | - | The event type | - |  |
| eventMessage |  | - | The event message |  |  |
| eventSubId |  | - | The access type |  |  |
| eventTime |  | - | The time the agent detected the event |  |  |
| filterRiskLevel |  | - | The top-level risk level of the event |  |  |
| groupId |  | - | The group ID for the management scope filter |  |  |
| hookId |  | - | The hook ID |  |  |
| hostName |  |  | The domain name |  |  |
| httpReferer |  |  | The HTTP Referer header |  |  |
| importTable |  | - | The import table information | - |  |
| importTableFileName |  | - | The name of the library file from which functions are imported |  |  |
| importTableFunctionName |  | - | The name of the imported function |  |  |
| instanceAccountId |  | - | The cloud account ID of the virtual machine that made the request |  |  |
| instanceId |  | - | The virtual machine instance ID on the cloud platform |  |  |
| instanceName |  | - | The name of the virtual machine that made the request |  |  |
| integrityLevel |  | - | The integrity level of a process | - |  |
| logReceivedTime |  | - | The time the XDR log was received |  |  |
| logonUser |  |  | The sign-in user name |  |  |
| messageType |  | - | The message type |  |  |
| metaSrcExtra |  | - | The metadata identifying the source of the events |  |  |
| networkInterfaceId |  | - | The network interface of the virtual machine that made the request |  |  |
| objectApiName |  | - | The name of the executed API |  |  |
| objectApiRvInNum |  | - | The numeric return value of the API call |  |  |
| objectAppName |  | - | The application involved in the AMSI event |  |  |
| objectAuthId |  | - | The object authorization ID |  |  |
| objectBmData |  | - | The data of the behavior monitoring (BM) event |  |  |
| objectCmd |  |  | The command line of the target process |  |  |
| objectContentName |  | - | The AMSI object content name |  |  |
| objectCurrentFileSize |  | - | The previous size of the modified object file |  |  |
| objectCurrentPosixPermission |  | - | The new POSIX permission of the file in file and chmod events |  |  |
| objectFileAttributesHashId |  | - | The hash ID of the file attribute metadata |  |  |
| objectFileCreation |  | - | The time the object file was created |  |  |
| objectFileCurrentOwnerName |  | - | The current owner name of the object file |  |  |
| objectFileCurrentOwnerSid |  | - | The SID of the current owner of the object file |  |  |
| objectFileDaclString |  | - | The discretionary access control list (DACL) of the object file |  |  |
| objectFileExtendedAttribute |  | - | The extended attributes of the file |  |  |
| objectFileGroupName |  | - | The group name of the object file |  |  |
| objectFileGroupSid |  | - | The SID of the object file group |  |  |
| objectFileHash |  | - | The cryptographic hash of the target process image or file |  |  |
| objectFileHashId |  | - | The object file hash ID |  |  |
| objectFileHashMD5 |  |  | The MD5 hash of the target process image or target file |  |  |
| objectFileHashSHA-1 |  |  | The SHA-1 hash of the target process image or target file |  |  |
| objectFileHashSha256 |  |  | The SHA-256 hash of the target process image or target file |  |  |
| objectFileIsRemoteAccess |  | - | Whether the object file was accessed remotely | - |  |
| objectFileModifiedTime |  | - | The time the object file was modified |  |  |
| objectFileOriginalName |  |  | The original file name of the object image |  |  |
| objectFileOwnerName |  | - | The object file owner name |  |  |
| objectFileOwnerSid |  | - | The SID of the object file owner |  |  |
| objectFilePath |  |  | The file path of the target process image or target file |  |  |
| objectFileRemoteAccess |  | - | Whether the object file was accessed remotely | - |  |
| objectFileSaclString |  | - | The system access control list (SACL) of the object file |  |  |
| objectFileSize |  | - | The file size of the object file |  |  |
| objectFirstSeen |  | - | The first time the object was seen |  |  |
| objectHostName |  |  | The server name where the event was detected |  |  |
| objectIntegrityLevel |  | - | The integrity level of the target process | - |  |
| objectIp |  |  | The IP address of the event |  |  |
| objectIps |  |  | The list of IP addresses in the event |  |  |
| objectLastSeen |  | - | The last time the object was seen |  |  |
| objectLaunchTime |  | - | The object launch time recorded in the Windows Event |  |  |
| objectLoginOutFailureMessage |  | - | The sign-in/sign-out error message |  |  |
| objectLoginOutFirstSeen |  | - | The first time the object sign-in/sign-out was seen |  |  |
| objectLoginOutHashId |  | - | The FNV hash of the object sign-in/sign-out metadata |  |  |
| objectLoginOutLastSeen |  | - | The last time the object sign-in/sign-out was seen |  |  |
| objectLoginOutMetaType |  | - | The sign-in/sign-out metadata type |  |  |
| objectLoginOutSessionId |  | - | The sign-in/sign-out session ID |  |  |
| objectLoginOutSourceAddress |  | - | The sign-in/sign-out source IP |  |  |
| objectLoginOutStatus |  | - | The sign-in/sign-out status |  |  |
| objectName |  | - | The object name |  |  |
| objectPid |  | - | The PID of the target process | - |  |
| objectPipeName |  | - | The named pipe of the event |  |  |
| objectPort |  |  | The port used by the event | - |  |
| objectPosixPermission |  | - | The current POSIX permission of the file |  |  |
| objectPosixPermissionHashId |  | - | The POSIX permission hash ID |  |  |
| objectProcessHashId |  | - | The FNV hash of the target process |  |  |
| objectRawDataSize |  | - | The raw data size of the Windows Event object |  |  |
| objectRawDataStr |  | - | The data contents of the AMSI event |  |  |
| objectRegistryData |  |  | The registry value data |  |  |
| objectRegistryKeyHandle |  |  | The registry key |  |  |
| objectRegistryValue |  |  | The registry value name |  |  |
| objectRunAsLocalAccount |  | - | Whether the "runas" command uses a local account |  |  |
| objectServiceType |  | - | The target file type |  |  |
| objectSessionId |  | - | The object session ID |  |  |
| objectSigner |  | - | The certificate signer of the object process or file |  |  |
| objectSignerFlagsAdhoc |  | - | The list of ad-hoc signature flags of the object process or file | - |  |
| objectSignerFlagsLibValid |  | - | The list of library validation signature flags of the object process or file | - |  |
| objectSignerFlagsRuntime |  | - | The list of runtime signature flags of the object process or file | - |  |
| objectSignerValid |  | - | The validity of the certificate signer |  |  |
| objectSubTrueType |  | - | The true sub-type of the file object |  |  |
| objectThreadId |  | - | The thread ID of the object process |  |  |
| objectTrueType |  | - | The true major type of the file object |  |  |
| objectUri |  | - | The target file path |  |  |
| objectUser |  |  | The owner name of the target process, or the sign-in user name |  |  |
| objectUserGroup |  | - | The user group name |  |  |
| objectUserGroupSids |  | - | The user group SIDs of the object |  |  |
| osDescription |  | - | The OS version |  |  |
| osName |  | - | The host OS |  |  |
| osType |  | - | The host OS type |  |  |
| osVer |  | - | The version of the host OS |  |  |
| parentAuthId |  | - | The parent authorization ID |  |  |
| parentCmd |  |  | The command line of the parent process |  |  |
| parentFileCreation |  | - | The time the parent file was created |  |  |
| parentFileCurrentOwnerName |  | - | The current owner name of the parent file |  |  |
| parentFileCurrentOwnerSid |  | - | The SID of the current owner of the parent file |  |  |
| parentFileDaclString |  | - | The discretionary access control list (DACL) of the parent file |  |  |
| parentFileGroupName |  | - | The group name of the parent file |  |  |
| parentFileGroupSid |  | - | The SID of the parent process file group |  |  |
| parentFileHashId |  | - | The parent file hash ID |  |  |
| parentFileHashMD5 |  |  | The MD5 hash of the parent process |  |  |
| parentFileHashSHA-1 |  |  | The SHA-1 hash of the parent process |  |  |
| parentFileHashSHA-256 |  |  | The SHA-256 hash of the parent process |  |  |
| parentFileModifiedTime |  | - | The time the parent file was modified |  |  |
| parentFileOriginalName |  |  | The original file name of the parent image |  |  |
| parentFileOwnerName |  | - | The owner name of the parent file |  |  |
| parentFileOwnerSid |  | - | The SID of the parent file owner |  |  |
| parentFilePath |  |  | The file path of the parent process |  |  |
| parentFileRemoteAccess |  | - | Whether the parent file was accessed remotely | - |  |
| parentFileSaclString |  | - | The system access control list (SACL) of the parent file |  |  |
| parentFileSize |  | - | The file size of the parent file |  |  |
| parentHashId |  | - | The parent hash ID |  |  |
| parentIntegrityLevel |  | - | The integrity level of the parent process | - |  |
| parentLaunchTime |  | - | The time the parent process was launched |  |  |
| parentName |  | - | The image name of the parent process |  |  |
| parentPid |  | - | The PID of the parent process |  |  |
| parentSigner |  | - | The signer of the parent file |  |  |
| parentSignerFlagsAdhoc |  | - | The list of ad-hoc signature flags of the parent process | - |  |
| parentSignerFlagsLibValid |  | - | The list of library validation signature flags of the parent process | - |  |
| parentSignerFlagsRuntime |  | - | The list of runtime signature flags of the parent process | - |  |
| parentSignerValid |  | - | The validity of the parent signer | - |  |
| parentSubTrueType |  | - | The true file sub-type of the parent file | - |  |
| parentTrueType |  | - | The true file type of the parent file | - |  |
| parentUser |  | - | The user that executed the parent process |  |  |
| parentUserDomain |  | - | The user domain of the parent process |  |  |
| parentUserGroupSids |  | - | The SIDs of the parent user group |  |  |
| platformAssetTags |  | - | The list of platform custom asset tags |  |  |
| pname |  | - | The internal product ID (deprecated; use productCode) |  |  |
| policyIds |  | - | The Data Detection and Response data policy IDs |  |  |
| policyTreePath |  | - | The policy tree path |  |  |
| processCmd |  |  | The command line of the subject process |  |  |
| processFileCreation |  | - | The time the process file was created |  |  |
| processFileCurrentOwnerName |  | - | The current owner name of the process file |  |  |
| processFileCurrentOwnerSid |  | - | The SID of the current owner of the process file |  |  |
| processFileDaclString |  | - | The discretionary access control list (DACL) of the process file |  |  |
| processFileGroupName |  | - | The group name of the process file |  |  |
| processFileGroupSid |  | - | The SID of the process file group |  |  |
| processFileHashId |  | - | The process file hash ID |  |  |
| processFileHashMD5 |  |  | The MD5 hash of the subject process image |  |  |
| processFileHashSHA-1 |  |  | The SHA-1 hash of the subject process image |  |  |
| processFileHashSHA-256 |  |  | The SHA-256 hash of the subject process image |  |  |
| processFileModifiedTime |  | - | The time the process file was modified |  |  |
| processFileOriginalName |  |  | The original file name of the process image |  |  |
| processFileOwnerName |  | - | The process file owner name |  |  |
| processFileOwnerSid |  | - | The SID of the process file owner |  |  |
| processFilePath |  |  | The file path of the subject process |  |  |
| processFileRemoteAccess |  | - | Whether the process file was accessed remotely | - |  |
| processFileSaclString |  | - | The system access control list (SACL) of the process file |  |  |
| processFileSize |  | - | The file size of the process file |  |  |
| processHashId |  | - | The FNV hash of the subject process |  |  |
| processLaunchTime |  | - | The time the subject process was launched |  |  |
| processName |  |  | The image name of the process that triggered the event |  |  |
| processPid |  | - | The PID of the subject process |  |  |
| processSigner |  | - | The signer of the process file |  |  |
| processSignerFlagsAdhoc |  | - | The list of ad-hoc signature flags of the process | - |  |
| processSignerFlagsLibValid |  | - | The list of library validation signature flags of the process | - |  |
| processSignerFlagsRuntime |  | - | The list of runtime signature flags of the process | - |  |
| processSignerValid |  | - | The validity of the process signer |  |  |
| processStackTrace |  | - | The process stack trace of the telemetry event |  |  |
| processSubTrueType |  | - | The true file sub-type of the process | - |  |
| processTrueType |  | - | The true file type of the process | - |  |
| processUser |  |  | The owner name of the subject process image |  |  |
| processUserDomain |  | - | The user domain of the process |  |  |
| processUserGroupSids |  | - | The user group SIDs of the process |  |  |
| productCode |  | - | The internal product code |  |  |
| providerGUID |  | - | The GUID of the Windows Event provider |  |  |
| providerName |  | - | The name of the Windows Event provider |  |  |
| proxy |  | - | The proxy IP |  |  |
| publicSpt |  |  | The public port of the endpoint making the request |  |  |
| publicSrc |  |  | The public IP of the endpoint making the request |  |  |
| pver |  | - | The product version |  |  |
| rawDataSize |  | - | The size of the Windows Event log |  |  |
| rawDataStr |  | - | The raw contents of the Windows Event |  |  |
| regionId |  | - | The cloud asset region |  |  |
| request |  |  | The request URL |  |  |
| requestMethod |  | - | The network protocol request method |  |  |
| ruleId |  | - | The rule ID |  |  |
| ruleIdStr |  | - | The rule ID (string form) |  |  |
| smbSharedName |  | - | The name of the shared folder on the server that contains the files |  |  |
| spt |  |  | The source port |  |  |
| src |  |  | The source IP |  |  |
| srcFileCreation |  | - | The time the source file was created |  |  |
| srcFileCurrentOwnerName |  | - | The current owner name of the source file |  |  |
| srcFileCurrentOwnerSid |  | - | The SID of the current owner of the source file |  |  |
| srcFileDaclString |  | - | The discretionary access control list (DACL) of the source file |  |  |
| srcFileGroupName |  | - | The group name of the source file |  |  |
| srcFileGroupSid |  | - | The SID of the source file group |  |  |
| srcFileHash |  | - | The cryptographic hash of the source process image or file |  |  |
| srcFileHashMD5 |  |  | The MD5 hash of the source file |  |  |
| srcFileHashSHA-1 |  |  | The SHA-1 hash of the source file |  |  |
| srcFileHashSHA-256 |  |  | The SHA-256 hash of the source file |  |  |
| srcFileIsRemoteAccess |  | - | Whether the source file was accessed remotely | - |  |
| srcFileModifiedTime |  | - | The time the source file was modified |  |  |
| srcFileOwnerName |  | - | The source file owner name |  |  |
| srcFileOwnerSid |  | - | The SID of the source file owner |  |  |
| srcFilePath |  |  | The source file path |  |  |
| srcFileSaclString |  | - | The system access control list (SACL) of the source file |  |  |
| srcFileSize |  | - | The file size of the source file |  |  |
| srcFirstSeen |  | - | The first time the source file was seen |  |  |
| srcLastSeen |  | - | The last time the source file was seen |  |  |
| srcServiceType |  | - | The source file type |  |  |
| srcSigner |  | - | The signer of the source file |  |  |
| srcSignerFlagsAdhoc |  | - | The list of ad-hoc signature flags of the source file | - |  |
| srcSignerFlagsLibValid |  | - | The list of library validation signature flags of the source file | - |  |
| srcSignerFlagsRuntime |  | - | The list of runtime signature flags of the source file | - |  |
| srcSignerValid |  | - | The validity of the source file signer | - |  |
| srcUri |  | - | The source file path |  |  |
| srcUser |  | - | The owner name of the source process, or the sign-in user name |  |  |
| status |  | - | The HTTP response status code |  |  |
| subSystem |  | - | The sub-system information |  |  |
| subnetId |  | - | The subnet ID of the virtual machine that made the request |  |  |
| tags |  |  | The detected technique ID based on the alert filter |  |  |
| timezone |  | - | The host time zone |  |  |
| userDomain |  | - | The user domain name |  |  |
| uuid |  | - | The unique key of the log |  |  |
| vpcId |  | - | The virtual private cloud that contains the cloud asset |  |  |
| winEventId |  | - | The Windows Event ID |  |  |
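The hash fields in the table appear under four role prefixes (process, parent, object, src), and the SHA-256 field is spelled inconsistently across them (objectFileHashSha256 versus processFileHashSHA-256, parentFileHashSHA-256 and srcFileHashSHA-256), so a search or enrichment step that compares field names literally will miss one of the four. The Python below is an added example, not code from the original page or from the product vendor: it collects every hash field from a record regardless of casing, drops digests of the wrong length or non-hex content before they are used as indicators, renders the parent -> process -> object lineage from the *Name/*Pid fields, and matches the surviving digests against an IOC set. The sample records and digests are constructed for the example, and the record layout (a flat JSON object keyed by the field names in the table) is an assumption.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# The field dictionary prefixes file/process attributes by role: the subject
# process (process*), its parent (parent*), the acted-on target (object*) and the
# source file (src*). The SHA-256 field is spelled inconsistently across roles
# (objectFileHashSha256 vs processFileHashSHA-256), so names are matched
# case- and hyphen-insensitively.
_HASH_FIELD_RE = re.compile(
    r"^(?P<entity>process|parent|object|src)FileHash(?P<algo>MD5|SHA-?1|SHA-?256)$",
    re.IGNORECASE,
)
_HEX_RE = re.compile(r"^[0-9a-f]+$")
# Digest lengths in hex characters; anything else is not a usable indicator.
HEX_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}


def extract_hashes(record: Dict[str, object]) -> Dict[Tuple[str, str], str]:
    """Map (entity, algorithm) -> lowercase hex digest for each well-formed hash field.

    Truncated, non-hex or empty values are dropped here so that a damaged digest
    does not travel downstream and silently never match anything.
    """
    found: Dict[Tuple[str, str], str] = {}
    for name, value in record.items():
        m = _HASH_FIELD_RE.match(name)
        if not m or not isinstance(value, str):
            continue
        algo = m.group("algo").lower().replace("-", "")
        digest = value.strip().lower()
        if len(digest) == HEX_LENGTHS[algo] and _HEX_RE.match(digest):
            found[(m.group("entity").lower(), algo)] = digest
    return found


def lineage(record: Dict[str, object]) -> str:
    """Render parent -> process -> object as 'name(pid)' links from the *Name/*Pid fields."""
    links = []
    for name_field, pid_field in (("parentName", "parentPid"),
                                  ("processName", "processPid"),
                                  ("objectName", "objectPid")):
        name = record.get(name_field)
        if name:
            pid = record.get(pid_field)
            links.append(f"{name}({pid})" if pid is not None else str(name))
    return " -> ".join(links)


@dataclass(frozen=True)
class Hit:
    uuid: str       # uuid: the unique key of the log
    endpoint: str   # endpointHostName
    entity: str     # which role (process/parent/object/src) carried the matching digest
    algo: str
    digest: str
    lineage: str


def match_iocs(records: Iterable[Dict[str, object]], iocs: Set[str]) -> List[Hit]:
    """Return one Hit per (record, hash field) whose digest is in the IOC set."""
    wanted = {h.strip().lower() for h in iocs}
    hits: List[Hit] = []
    for rec in records:
        for (entity, algo), digest in extract_hashes(rec).items():
            if digest in wanted:
                hits.append(Hit(str(rec.get("uuid", "")), str(rec.get("endpointHostName", "")),
                                entity, algo, digest, lineage(rec)))
    return hits


# Constructed digests for the sample data below; they are not real indicators.
IOC_SHA256 = hashlib.sha256(b"constructed malicious sample").hexdigest()
BENIGN_SHA256 = hashlib.sha256(b"constructed benign sample").hexdigest()
BENIGN_MD5 = hashlib.md5(b"constructed benign sample").hexdigest()
BENIGN_SHA1 = hashlib.sha1(b"constructed benign sample").hexdigest()

# Constructed records keyed by the dictionary's field names; not exported from any product.
SAMPLE_RECORDS = [
    {
        "uuid": "evt-0001", "endpointHostName": "ws-finance-07",
        "parentName": "explorer.exe", "parentPid": 4120,
        "processName": "powershell.exe", "processPid": 9832,
        "processFileHashSHA-256": BENIGN_SHA256, "processFileHashMD5": BENIGN_MD5,
        "objectName": "rundll32.exe", "objectPid": 9901,
        "objectFileHashSha256": IOC_SHA256.upper(),  # mixed-case field name and value
        "objectFileHashSHA-1": BENIGN_SHA1[:39],     # truncated on purpose: must be dropped
    },
    {
        "uuid": "evt-0002", "endpointHostName": "srv-build-02",
        "parentName": "services.exe", "parentPid": 712,
        "processName": "svchost.exe", "processPid": 1400,
        "processFileHashSHA-1": BENIGN_SHA1, "parentFileHashMD5": BENIGN_MD5,
        "srcFileHashSHA-256": BENIGN_SHA256,
    },
    {
        "uuid": "evt-0003", "endpointHostName": "ws-finance-07",
        "processName": "cmd.exe", "processPid": 2210,
        "srcFilePath": "C:\\Users\\Public\\stage.tmp",  # constructed path
        "srcFileHashSHA-256": IOC_SHA256,
    },
]

if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_RECORDS, {IOC_SHA256}):
        print(f"{hit.uuid} {hit.endpoint}: {hit.entity} {hit.algo}={hit.digest[:12]}... via {hit.lineage}")
```

Running the module reports two hits for the constructed IOC: one on the object (target) of evt-0001, found through the differently cased objectFileHashSha256 field, and one on the source file of evt-0003; the truncated SHA-1 in evt-0001 is discarded rather than compared.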