Data Mapping: General Search

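Columns: General Field; Corresponding Fields (Endpoint Activity Data, Message Activity Data, Network Activity Data, Web Activity Data, Detection Data); Example

Each entry below gives the general field name, then its corresponding fields, then an example value.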
EndpointID

  • endpointGuid

  • -

  • -

  • -

  • endpointGUID

e3c49595-09b9-47a3-a43f-6c21aa52e54f

EndpointName

  • endpointHostName

  • -

  • -

  • -

  • endpointHostName

  • userDomain

hr-johndoe1

DomainName

  • hostName

  • source_domain

  • domain

  • requestBase

  • hostName

  • interestedHost

  • objectDomain

  • shost

  • dhost

  • denyListHost

self.events.data.microsoft.com

IPv4

  • endpointIp

  • objectIp

  • dst

  • src

  • source_ip

  • ip

  • dst

  • src

  • src

  • dst

  • interestedIp

  • endpointIp

  • peerIp

  • denyListIp

192.0.2.0

IPv6

  • endpointIp

  • objectIp

  • dst

  • src

  • source_ip

  • ip

  • -

  • src

  • dst

  • interestedIp

  • endpointIp

  • peerIp

  • denyListIp

2001:0db8:85a3:0000:0000:8a2e:0370:7334

URL

  • request

  • mail_urls

  • url

  • -

  • request

  • botUrl

  • cccaDestination

https://www.example.com

Port

  • objectPort

  • spt

  • dpt

  • -

  • -

  • -

  • dpt

  • spt

8080

UserAccount

  • logonUser

  • objectUser

  • -

  • user_account

  • suid

  • suid

john_doe

FileName

  • -

  • mail_attachments

  • filename

  • -

  • fileName

  • objectFileName

  • compressedFileName

  • attachmentFileName

example.exe

FileFullPath

  • objectFilePath

  • parentFilePath

  • srcFilePath

  • -

  • -

  • -

  • filePath

  • filePathName

  • objectFilePath

  • quarantineFilePath

  • forensicFilePath

C:\Program Files (x86)\temp\Application\test.exe

FileSHA1

  • objectFileHashSha1

  • parentFileHashSha1

  • processFileHashSha1

  • srcFileHashSha1

  • mail_attachments

  • file_sha1

  • fileHash

  • fileHash

  • attachmentFileHash

  • attachmentFileHashSha1

  • compressedFileHash

  • denyListFileHash

  • objectFileHashSha1

  • oldFileHash

98A9A1C8F69373B211E5F1E303BA8762F44BC898

FileSHA2

  • -

  • -

  • file_sha256

  • -

  • fileHashSha256

  • attachmentFileHashSha256

  • compressedFileHashSha256

  • objectFileHashSha256

16e4e8b57e82159a16f5d7d898da9e2a4fbe90c17cd95c02074e75226337c90a

FileMD5

  • -

  • -

  • -

  • -

  • attachmentFileHashMd5

  • objectFileHashMd5

46CFB4E38C6299983048DE39012FD08F

ProcessFullPath

  • processFilePath

  • -

  • -

  • -

  • processFilePath

C:\Program Files (x86)\temp\Application\test.exe

CLICommand

  • objectCmd

  • parentCmd

  • processCmd

  • -

  • -

  • -

  • processCmd

  • objectCmd

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --lang=en-US --no-sandbox

RegistryKey

  • objectRegistryKeyHandle

  • -

  • -

  • -

  • objectRegistryKeyHandle

hklm\software\wow6432node\microsoft\windows\currentversion\run

RegistryValue

  • objectRegistryValue

  • -

  • -

  • -

  • objectRegistryValue

its_ie_settings

RegistryValueData

  • objectRegistryData

  • -

  • -

  • -

  • objectRegistryData

wscript "C:\Program Files (x86)\JNJ\ITS_IE_PREF\IE_Preferences.vbs"

EmailSender

  • -

  • mail_message_sender

  • -

  • -

  • suser

john_doe@example.com

EmailRecipient

  • -

  • mail_message_recipient

  • -

  • -

  • duser

john_doe@example.com

EmailSubject

  • -

  • mail_message_subject

  • -

  • -

  • mailMsgSubject

Subject: From the desk of the Nigerian Prince

EmailMessageID

  • -

  • mail_message_id

  • -

  • -

  • msgId

<rRzmIhBrXbgjvr4uhIwCcbtE6BnmgNTtAU51qWmqY@example.online>

Technique

  • -

  • -

  • -

  • -

  • techniqueId

  • tags

T1210

Tactic

  • -

  • -

  • -

  • -

  • tacticId

  • tags

TA0008