General Field | Corresponding Fields: Endpoint Activity Data | Network Activity Data | Detection Data | Example
AccountDomain
  • -
  • userDomain
  • userDomain
-
CLICommand
  • objectCmd
  • parentCmd
  • processCmd
  • -
  • processCmd
  • objectCmd
  • parentCmd
  • botCmd
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --lang=en-US --no-sandbox
DomainName
  • hostName
  • objectHostName
  • requestBase
  • userDomain
  • hostName
  • sslCertCommonName
  • shost
  • dhost
  • hostName
  • interestedHost
  • userDomain
  • shost
  • dhost
  • denyListHost
  • domainName
  • peerHost
  • requestBase
  • sslCertCommonName
  • netBiosDomainName
self.events.data.microsoft.com
EmailMessageID
  • -
  • msgId
  • msgId
<rRzmIhBrXbgjvr4uhIwCcbtE6BnmgNTtAU51qWmqY@example.online>
EmailRecipient
  • -
  • duser
  • duser
john_doe@example.com
EmailSender
  • -
  • suser
  • suser
john_doe@example.com
EmailSubject
  • -
  • mailMsgSubject
  • mailMsgSubject
Subject: From the desk of the Nigerian Prince
EndpointID
  • endpointGuid
  • endpointGUID
  • endpointGUID
e3c49595-09b9-47a3-a43f-6c21aa52e54f
EndpointName
  • endpointHostName
  • endpointHostName
  • endpointHostName
  • userDomain
hr-johndoe1
FileFullPath
  • objectFilePath
  • parentFilePath
  • processFilePath
  • srcFilePath
  • fileName
  • filePath
  • filePathName
  • objectFilePath
  • processFilePath
  • fullPath
  • parentFilePath
  • malSrc
  • targetShare
  • srcFilePath
C:\Program Files (x86)\temp\Application\test.exe
FileMd5
  • objectFileHashMd5
  • parentFileHashMd5
  • processFileHashMd5
  • srcFileHashMd5
  • -
  • attachmentFileHashMd5
  • objectFileHashMd5
  • parentFileHashMd5
  • processFileHashMd5
  • srcFileHashMd5
  • fileHashMd5
46CFB4E38C6299983048DE39012FD08F
FileName
  • objectFilePath
  • parentFilePath
  • processFilePath
  • srcFilePath
  • fileName
  • fileName
  • objectFileName
  • compressedFileName
  • attachmentFileName
  • processFilePath
example.exe
FileSHA1
  • objectFileHashSha1
  • parentFileHashSha1
  • processFileHashSha1
  • srcFileHashSha1
  • fileHash
  • respFileHash
  • fileHash
  • attachmentFileHash
  • attachmentFileHashSha1
  • compressedFileHash
  • denyListFileHash
  • objectFileHashSha1
  • oldFileHash
  • parentFileHashSha1
  • processFileHashSha1
  • appPublicKeySha1
  • highlightedFileHashes
  • objectPayloadFileHashSha1
  • srcFileHashSha1
98A9A1C8F69373B211E5F1E303BA8762F44BC898
FileSHA2
  • objectFileHashSha256
  • parentFileHashSha256
  • processFileHashSha256
  • srcFileHashSha256
  • fileHashSha256
  • respFileHashSha256
  • fileHashSha256
  • attachmentFileHashSha256
  • compressedFileHashSha256
  • objectFileHashSha256
  • parentFileHashSha256
  • processFileHashSha256
  • appDexSha256
  • srcFileHashSha256
16e4e8b57e82159a16f5d7d898da9e2a4fbe90c17cd95c02074e75226337c90a
HostDomain
  • hostName
  • hostName
  • requestBase
  • sslCertCommonName
  • hostName
  • requestBase
  • sslCertCommonName
-
IPv4
  • endpointIp
  • objectIp
  • objectIps
  • dst
  • src
  • publicSrc
  • dst
  • src
  • clientIp
  • serverIp
  • httpXForwardedForIp
  • resolvedUrlIp
  • ObjectIps
  • pktSrcAddr
  • pktDstAddr
  • src
  • dst
  • interestedIp
  • endpointIp
  • peerIp
  • denyListIp
  • objectIp
  • rawSrcIp
  • rawDstIp
192.0.2.0
IPv6
  • endpointIp
  • objectIp
  • objectIps
  • dst
  • src
  • publicSrc
  • dst
  • src
  • clientIp
  • serverIp
  • httpXForwardedForIp
  • resolvedUrlIp
  • ObjectIps
  • pktSrcAddr
  • pktDstAddr
  • src
  • dst
  • interestedIp
  • endpointIp
  • peerIp
  • denyListIp
  • objectIp
  • rawSrcIp
  • rawDstIp
2001:0db8:85a3:0000:0000:8a2e:0370:7334
Port
  • objectPort
  • spt
  • dpt
  • publicSpt
  • spt
  • dpt
  • clientPort
  • serverPort
  • resolvedUrlPort
  • dpt
  • spt
  • rawSrcPort
  • rawDstPort
8080
ProcessFullPath
  • processFilePath
  • -
  • processFilePath
C:\Program Files (x86)\temp\Application\test.exe
ProcessName
  • processFilePath
  • processName
  • -
  • processName
-
RegistryKey
  • objectRegistryKeyHandle
  • -
  • objectRegistryKeyHandle
hklm\software\wow6432node\microsoft\windows\currentversion\run
RegistryValue
  • objectRegistryValue
  • -
  • objectRegistryValue
its_ie_settings
RegistryValueData
  • objectRegistryData
  • -
  • objectRegistryData
wscript "C:\Program Files (x86)\JNJ\ITS_IE_PREF\IE_Preferences.vbs"
Tactic
  • -
  • -
  • tacticId
  • tags
TA0008
Technique
  • tags
  • tags
  • techniqueId
  • tags
T1210
URL
  • request
  • request
  • httpReferer
  • httpLocation
  • requests
  • request
  • botUrl
  • cccaDestination
  • httpReferer
https://www.example.com
UserAccount
  • logonUser
  • objectUser
  • processUser
  • principalName
  • suid
  • sUser1
  • dUser1
  • suid
  • dUser1
  • processUser
  • sUser1
  • objectUser
john_doe