General search data sources

Views:

General Field	Corresponding Fields			Example
General Field	Endpoint Activity Data	Network Activity Data	Detection Data	Example
AccountDomain	-	userDomain	userDomain	-
CLICommand	objectCmd parentCmd processCmd	-	processCmd objectCmd parentCmd botCmd	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --lang=en-US --no-sandbox
DomainName	hostName objectHostName	requestBase userDomain hostName sslCertCommonName shost dhost	hostName interestedHost userDomain shost dhost denyListHost domainName peerHost requestBase sslCertCommonName netBiosDomainName	self.events.data.microsoft.com
EmailMessageID	-	msgId	msgId	<rRzmIhBrXbgjvr4uhIwCcbtE6BnmgNTtAU51qWmqY@example.online>
EmailRecipient	-	duser	duser	john_doe@example.com
EmailSender	-	suser	suser	john_doe@example.com
EmailSubject	-	mailMsgSubject	mailMsgSubject	Subject: From the desk of the Nigerian Prince
EndpointID	endpointGuid	endpointGUID	endpointGUID	e3c49595-09b9-47a3-a43f-6c21aa52e54f
EndpointName	endpointHostName	endpointHostName	endpointHostName userDomain	hr-johndoe1
FileFullPath	objectFilePath parentFilePath processFilePath srcFilePath	fileName	filePath filePathName objectFilePath processFilePath fullPath parentFilePath malSrc targetShare srcFilePath	C:\Program Files (x86)\temp\Application\test.exe
FileMd5	objectFileHashMd5 parentFileHashMd5 processFileHashMd5 srcFileHashMd5	-	attachmentFileHashMd5 objectFileHashMd5 parentFileHashMd5 processFileHashMd5 srcFileHashMd5 fileHashMd5	46CFB4E38C6299983048DE39012FD08F
FileName	objectFilePath parentFilePath processFilePath srcFilePath	fileName	fileName objectFileName compressedFileName attachmentFileName processFilePath	example.exe
FileSHA1	objectFileHashSha1 parentFileHashSha1 processFileHashSha1 srcFileHashSha1	fileHash respFileHash	fileHash attachmentFileHash attachmentFileHashSha1 compressedFileHash denyListFileHash objectFileHashSha1 oldFileHash parentFileHashSha1 processFileHashSha1 appPublicKeySha1 highlightedFileHashes objectPayloadFileHashSha1 srcFileHashSha1	98A9A1C8F69373B211E5F1E303BA8762F44BC898
FileSHA2	objectFileHashSha256 parentFileHashSha256 processFileHashSha256 srcFileHashSha256	fileHashSha256 respFileHashSha256	fileHashSha256 attachmentFileHashSha256 compressedFileHashSha256 objectFileHashSha256 parentFileHashSha256 processFileHashSha256 appDexSha256 srcFileHashSha256	16e4e8b57e82159a16f5d7d898da9e2a4fbe90c17cd95c02074e75226337c90a
HostDomain	hostName	hostName requestBase sslCertCommonName	hostName requestBase sslCertCommonName	-
IPv4	endpointIp objectIp objectIps dst src publicSrc	dst src clientIp serverIp httpXForwardedForIp resolvedUrlIp ObjectIps pktSrcAddr pktDstAddr	src dst interestedIp endpointIp peerIp denyListIp objectIp rawSrcIp rawDstIp	192.0.2.0
IPv6	endpointIp objectIp objectIps dst src publicSrc	dst src clientIp serverIp httpXForwardedForIp resolvedUrlIp ObjectIps pktSrcAddr pktDstAddr	src dst interestedIp endpointIp peerIp denyListIp objectIp rawSrcIp rawDstIp	2001:0db8:85a3:0000:0000:8a2e:0370:7334
Port	objectPort spt dpt publicSpt	spt dpt clientPort serverPort resolvedUrlPort	dpt spt rawSrcPort rawDstPort	8080
ProcessFullPath	processFilePath	-	processFilePath	C:\Program Files (x86)\temp\Application\test.exe
ProcessName	processFilePath processName	-	processName	-
RegistryKey	objectRegistryKeyHandle	-	objectRegistryKeyHandle	hklm\software\wow6432node\microsoft\windows\currentversion\run
RegistryValue	objectRegistryValue	-	objectRegistryValue	its_ie_settings
RegistryValueData	objectRegistryData	-	objectRegistryData	wscript "C:\Program Files (x86)\JNJ\ITS_IE_PREF\IE_Preferences.vbs"
Tactic	-	-	tacticId tags	TA0008
Technique	tags	tags	techniqueId tags	T1210
URL	request	request httpReferer httpLocation requests	request botUrl cccaDestination httpReferer	https://www.example.com
UserAccount	logonUser objectUser processUser	principalName suid sUser1 dUser1	suid dUser1 processUser sUser1 objectUser	john_doe