All XDR_DATA Fields

All XDR_DATA fields, in alphabetical order:
Field Name
(Datatype)
Description
action_​app_​id_​transitions
(string)
List of application ids
action_​boot_​instance_​cleanup_​required
(boolean)
None Available
action_​boot_​time
(integer)
None Available
action_​country
(string)
None Available
action_​device_​bus_​type
(integer)
None Available
action_​device_​class_​guid
(string)
None Available
action_​device_​class_​name
(string)
None Available
action_​device_​usb_​port_​connectable
(boolean)
None Available
action_​device_​usb_​product_​id
(integer)
None Available
action_​device_​usb_​serial_​number
(string)
None Available
action_​device_​usb_​vendor_​id
(integer)
None Available
action_​download
(integer)
None Available
action_​evtlog_​data_​fields
(string)
None Available
action_​evtlog_​description
(string)
None Available
action_​evtlog_​event_​id
(integer)
None Available
action_​evtlog_​level
(integer)
None Available
action_​evtlog_​message
(string)
None Available
action_​evtlog_​opcode
(integer)
None Available
action_​evtlog_​pid
(integer)
None Available
action_​evtlog_​provider_​guid
(string)
None Available
action_​evtlog_​provider_​name
(string)
None Available
action_​evtlog_​raw_​params
(string)
None Available
action_​evtlog_​record_​id
(string)
None Available
action_​evtlog_​source
(integer)
None Available
action_​evtlog_​tid
(integer)
None Available
action_​evtlog_​uid
(string)
None Available
action_​evtlog_​username
(string)
None Available
action_​evtlog_​version
(integer)
None Available
action_​external_​hostname
(string)
None Available
action_​external_​port
(integer)
None Available
action_​file_​access_​time
(integer)
None Available
action_​file_​archive_​list
()
Only valid if the file is a ZIP file and according to event collection policy
action_​file_​attributes
(integer)
Windows: Bitmask of FILE_ATTRIBUTE_* attributes, Only for some subtypes Unix: Always 'null'
action_​file_​authenticode_​sha1
(string)
None Available
action_​file_​authenticode_​sha2
(string)
None Available
action_​file_​create_​time
(integer)
None Available
action_​file_​device_​info
(record)
None Available
action_​file_​device_​info.​storage_​device_​drive_​type
()
PE metadata collection from the image itself
action_​file_​device_​type
(integer)
None Available
action_​file_​dir_​query
(string)
None Available
action_​file_​dirty_​reason
(integer)
None Available
action_​file_​entropy
(string)
None Available
action_​file_​extension
(string)
File extension of 'action_file_path'
action_​file_​group
(string)
None Available
action_​file_​group_​name
(string)
None Available
action_​file_​hash_​control_​verdict
(string)
None Available
action_​file_​id
(string)
None Available
action_​file_​info_​company
(string)
None Available
action_​file_​info_​description
(string)
None Available
action_​file_​info_​file_​version
(string)
None Available
action_​file_​info_​product_​name
(string)
None Available
action_​file_​info_​product_​version
(string)
None Available
action_​file_​internal_​meta_​data
(string)
None Available
action_​file_​internal_​zipped_​files
(string)
None Available
action_​file_​md5
(string)
None Available
action_​file_​mod_​time
(integer)
None Available
action_​file_​mode
(record)
None Available
action_​file_​name
(string)
File name of 'action_file_path'. This will be an empty string for directory operations.
action_​file_​new_​file_​for_​loaded_​dll
(string)
None Available
action_​file_​original_​event_​id
(string)
None Available
action_​file_​owner
(string)
None Available
action_​file_​owner_​name
(string)
None Available
action_​file_​path
(string)
None Available
action_​file_​prev_​type
()
None Available
action_​file_​previous_​device_​info
(record)
None Available
action_​file_​previous_​file_​extension
(string)
File extension of 'action_file_previous_file_path'
action_​file_​previous_​file_​name
(string)
File name of 'action_file_previous_file_path'. This will be an empty string for directory operations.
action_​file_​previous_​file_​path
(string)
None Available
action_​file_​remote_​file_​host
(string)
Will be valid when we access a file on a remote computer. This means we are the client.
action_​file_​remote_​file_​ip
(string)
Will be valid when a remote computer accesses a file on this endpoint. This means we are the client. Remote IP can also be loopback (127.0.0.1 or ::1)
action_​file_​remote_​ip
(string)
Will be valid when a remote computer accesses a file on this endpoint. This means we are the server. Remote IP can also be loopback (127.0.0.1 or ::1)
action_​file_​remote_​port
(integer)
Port number for the connection accessing us as as server (see action_file_remote_ip)
action_​file_​reparse_​path
()
None Available
action_​file_​sec_​desc
(string)
None Available
action_​file_​sha256
(string)
None Available
action_​file_​signature_​product
(string)
None Available
action_​file_​signature_​status
(integer)
None Available
action_​file_​signature_​vendor
(string)
None Available
action_​file_​size
(integer)
File size in bytes Windows: When an existing file is opened On a final write event (Same event that will sometimes contain the file hash) Unix: Reported only when 'action_file_md5/sha256' exists
action_​file_​suspicious_​strings_​bitmap
(integer)
None Available
action_​file_​type
(integer)
None Available
action_​file_​type_​changedaction_​file_​id
(integer)
None Available
action_​file_​type_​prev
(integer)
None Available
action_​file_​wildfire_​verdict
(string)
None Available
action_​firewall_​direction
(string)
None Available
action_​firewall_​local_​ip
(string)
None Available
action_​firewall_​local_​port
(integer)
None Available
action_​firewall_​protocol
(integer)
None Available
action_​firewall_​remote_​ip
(string)
None Available
action_​firewall_​remote_​port
(integer)
None Available
action_​firewall_​rule_​guid
(string)
None Available
action_​is_​dll_​injection
(boolean)
None Available
action_​is_​injected_​thread
(boolean)
None Available
action_​local_​ip
(string)
Source IP address
action_​local_​ip_​int
(integer)
None Available
action_​local_​port
(integer)
Source port
action_​module_​base_​address
(string)
None Available
action_​module_​device_​info
(record)
None Available
action_​module_​file_​access_​time
(integer)
PE metadata collection from the image itself
action_​module_​file_​create_​time
(integer)
PE metadata collection from the image itself
action_​module_​file_​info
(string)
PE metadata collection from the image itself
action_​module_​file_​info.​company
()
PE metadata collection from the image itself
action_​module_​file_​info.​description
()
PE metadata collection from the image itself
action_​module_​file_​info.​file_​version
()
PE metadata collection from the image itself
action_​module_​file_​info.​product_​name
()
PE metadata collection from the image itself
action_​module_​file_​info.​product_​version
()
PE metadata collection from the image itself
action_​module_​file_​mod_​time
(integer)
None Available
action_​module_​file_​size
(integer)
None Available
action_​module_​image_​size
(integer)
None Available
action_​module_​is_​remote
(boolean)
None Available
action_​module_​is_​replay
(boolean)
None Available
action_​module_​md5
(string)
None Available
action_​module_​other_​load_​location
(string)
None Available
action_​module_​path
(string)
None Available
action_​module_​process_​instance_​id
(string)
None Available
action_​module_​process_​os_​pid
(integer)
None Available
action_​module_​sha256
(string)
None Available
action_​module_​signature_​product
(string)
None Available
action_​module_​signature_​status
(integer)
None Available
action_​module_​signature_​vendor
(string)
None Available
action_​network_​connection_​id
(string)
None Available
action_​network_​creation_​time
(integer)
The start time of the network session
action_​network_​http
(string)
None Available
action_​network_​is_​ipv6
(boolean)
None Available
action_​network_​is_​npcap
(boolean)
None Available
action_​network_​is_​server
(boolean)
None Available
action_​network_​packet_​data
(string)
None Available
action_​network_​protocol
(integer)
Internet protocol number based on IPPROTO or normalised to IPPROTO (same as java)
action_​network_​stats_​is_​last
(boolean)
None Available
action_​network_​stats_​seq
(integer)
None Available
action_​network_​success
(boolean)
None Available
action_​pkts_​received
(integer)
None Available
action_​pkts_​sent
(integer)
None Available
action_​powered_​off
(boolean)
None Available
action_​process_​causality_​id
(string)
Of the terminated process
action_​process_​device_​info
(record)
Info about the device (volume + HW) from which this process started - these fields represent HW info and will be populated only for USB devices
action_​process_​file_​create_​time
(integer)
Creation time of the file that created the process
action_​process_​file_​info
(string)
Metadata from the exe file of the process
action_​process_​file_​info.​internal_​name
()
None Available
action_​process_​file_​info.​original_​name
()
Metadata from the exe file of the process
action_​process_​file_​mod_​time
(integer)
Modification time of the file that created the process
action_​process_​file_​size
(integer)
Size of the file of the process in bytes
action_​process_​image_​command_​line
(string)
None Available
action_​process_​image_​command_​line_​indices
(string)
None Available
action_​process_​image_​extension
(string)
File extension of 'action_process_image_path'
action_​process_​image_​md5
(string)
None Available
action_​process_​image_​name
(string)
File name of 'action_process_image_path'
action_​process_​image_​path
(string)
None Available
action_​process_​image_​sha256
(string)
None Available
action_​process_​instance_​execution_​time
(integer)
Instance execution time
action_​process_​instance_​id
(string)
None Available
action_​process_​integrity_​level
(integer)
None Available
action_​process_​is_​causality_​root
(boolean)
None Available
action_​process_​is_​replay
(boolean)
Windows: The following events are replayed: Processes started before the agent is started Module load events for modules loaded in replayed processes Drivers loaded using module load before the agent is started (Why is this not simulated using Module events (question)) For loaded drivers, the process is always a special KernelProcess.
action_​process_​is_​special
(integer)
None Available
action_​process_​is_​txn
()
Windows: Was the process created as part of a transaction
action_​process_​os_​pid
(integer)
The OS PID of the new process
action_​process_​remote_​session_​ip
(string)
Windows: In case the process was started from a remote Terminal Services session, the IP address of the remote client connected to the session
action_​process_​requested_​parent_​iid
(string)
Windows: Same as "action_process_requested_parent_pid" but the instance id
action_​process_​requested_​parent_​pid
(integer)
Windows: A parent process can request to set the parent-pid of the child process to something other than their own. This is used for a "runas" scenario where the os_actor is different from the actor. But it can also be used by malware to fake the parent pid. This fields gives the requested parent pid while giving the true actor/os_actor for the operation.
action_​process_​signature_​product
(string)
None Available
action_​process_​signature_​status
(integer)
None Available
action_​process_​signature_​vendor
(string)
None Available
action_​process_​termination_​code
(integer)
Process exit code
action_​process_​termination_​date
(integer)
Instance termination time
action_​process_​user_​sid
(string)
Windows: Primary user token of the executed binary Unix: Effective UID of the executed binary
action_​process_​username
(string)
Name assigned to 'action_process_user_sid'
action_​proxy
(boolean)
None Available
action_​registry_​data
(string)
None Available
action_​registry_​file_​path
(string)
None Available
action_​registry_​key_​name
(string)
None Available
action_​registry_​old_​data
(string)
None Available
action_​registry_​old_​key_​name
(string)
None Available
action_​registry_​return_​val
(integer)
None Available
action_​registry_​value_​name
(string)
None Available
action_​registry_​value_​type
(integer)
None Available
action_​remote_​ip
(string)
Destination IP address
action_​remote_​ip_​int
(integer)
None Available
action_​remote_​port
(integer)
Destination port
action_​remote_​process_​causality_​id
(string)
None Available
action_​remote_​process_​file_​access_​time
()
None Available
action_​remote_​process_​image_​command_​line
(string)
None Available
action_​remote_​process_​image_​extension
(string)
None Available
action_​remote_​process_​image_​md5
(string)
None Available
action_​remote_​process_​image_​name
(string)
None Available
action_​remote_​process_​image_​path
(string)
None Available
action_​remote_​process_​image_​sha256
(string)
None Available
action_​remote_​process_​instance_​id
(string)
None Available
action_​remote_​process_​integrity_​level
()
None Available
action_​remote_​process_​is_​causality_​root
(boolean)
None Available
action_​remote_​process_​os_​pid
(integer)
None Available
action_​remote_​process_​signature_​product
(string)
None Available
action_​remote_​process_​signature_​status
(integer)
None Available
action_​remote_​process_​signature_​vendor
(string)
None Available
action_​remote_​process_​thread_​id
(integer)
None Available
action_​remote_​process_​thread_​start_​address
(string)
None Available
action_​remote_​process_​user_​sid
()
None Available
action_​remote_​process_​username
()
None Available
action_​rpc_​func_​opnum
(integer)
None Available
action_​rpc_​interface_​uuid
(string)
None Available
action_​rpc_​interface_​version_​major
(integer)
None Available
action_​rpc_​interface_​version_​minor
(integer)
None Available
action_​session_​duration
(integer)
Number of ms since session start
action_​syscall_​etw_​based
(boolean)
None Available
action_​syscall_​int_​params
(string)
None Available
action_​syscall_​stack_​ptr
(string)
None Available
action_​syscall_​string_​params
(string)
None Available
action_​syscall_​target_​image_​name
(string)
None Available
action_​syscall_​target_​image_​path
(string)
None Available
action_​syscall_​target_​instance_​id
(string)
None Available
action_​syscall_​target_​os_​pid
(integer)
None Available
action_​syscall_​target_​thread_​id
(integer)
None Available
action_​thread_​thread_​id
(integer)
None Available
action_​total_​download
(integer)
Total number of payload bytes from the destination to the source so far
action_​total_​upload
(integer)
Total number of payload bytes from the source to the destination so far
action_​upload
(integer)
None Available
action_​user_​agent
(string)
None Available
action_​user_​is_​local_​session
(boolean)
None Available
action_​user_​status
(integer)
None Available
action_​user_​status_​sid
(string)
None Available
action_​username
(string)
None Available
actor_​causality_​id
(string)
Will match 'causality_actor_causality_id' in the causality owner actor fields
actor_​effective_​user_​sid
(string)
Windows: The SID of the user used for impersonation token. Starting from agent version 7.0 this is the same as actor_primary_user_sid. Unix: EUID
actor_​effective_​username
(string)
Name assigned to 'actor_effective_user_sid' Win: Including domain
actor_​is_​injected_​thread
(boolean)
Indicates whether or not this actor's thread is an injected thread
actor_​os_​process_​instance_​id
(string)
None Available
actor_​primary_​user_​sid
(string)
None Available
actor_​primary_​username
(string)
None Available
actor_​process_​auth_​id
(string)
None Available
actor_​process_​causality_​id
(string)
None Available
actor_​process_​command_​line
(string)
None Available
actor_​process_​command_​line_​indices
(string)
None Available
actor_​process_​device_​info
(record)
Info about the device (volume + HW) from which this process started - these fields represent HW info and will be populated only for USB devices
actor_​process_​execution_​time
(integer)
None Available
actor_​process_​file_​access_​time
(integer)
None Available
actor_​process_​file_​create_​time
(integer)
None Available
actor_​process_​file_​mod_​time
(integer)
None Available
actor_​process_​file_​size
(integer)
None Available
actor_​process_​image_​command_​line
(string)
None Available
actor_​process_​image_​extension
(string)
None Available
actor_​process_​image_​md5
(string)
None Available
actor_​process_​image_​name
(string)
None Available
actor_​process_​image_​path
(string)
None Available
actor_​process_​image_​sha256
(string)
None Available
actor_​process_​instance_​id
(string)
None Available
actor_​process_​integrity_​level
(integer)
None Available
actor_​process_​is_​64bit
(boolean)
None Available
actor_​process_​is_​native
(boolean)
None Available
actor_​process_​is_​replay
(boolean)
None Available
actor_​process_​is_​special
(integer)
None Available
actor_​process_​logon_​id
(string)
None Available
actor_​process_​os_​pid
(integer)
None Available
actor_​process_​session_​id
(integer)
None Available
actor_​process_​signature_​is_​embedded
(boolean)
Is the signature embedded inside the PE or part of an external catalog file
actor_​process_​signature_​product
(string)
None Available
actor_​process_​signature_​status
(integer)
None Available
actor_​process_​signature_​vendor
(string)
None Available
actor_​remote_​host
(string)
None Available
actor_​remote_​ip
(string)
None Available
actor_​remote_​pipe_​name
(string)
None Available
actor_​remote_​port
(integer)
None Available
actor_​thread_​thread_​id
(integer)
An identifier of the OS thread which is responsible for the event
actor_​thread_​thread_​iid
(string)
None Available
actor_​type
(integer)
None Available
agent_​content_​version
(string)
None Available
agent_​host_​boot_​time
(integer)
None Available
agent_​hostname
(string)
Hostname of the agent
agent_​id
(string)
A unique identifier per agent
agent_​install_​type
(integer)
None Available
agent_​interface_​map
(record)
None Available
agent_​ip_​addresses
(string)
All IPv4 interface addresses
agent_​ip_​addresses_​v6
(string)
All IPv6 interface addresses
agent_​is_​vdi
(boolean)
VDI agent or not
agent_​os_​sub_​type
(string)
None Available
agent_​os_​type
(integer)
None Available
agent_​session_​start_​time
(integer)
None Available
agent_​status_​component
(string)
None Available
agent_​version
(string)
None Available
associated_​event_​ids
(string)
None Available
associated_​mac
(string)
None Available
association_​strength
(integer)
None Available
auth_​client
(string)
None Available
auth_​client_​type
(string)
None Available
auth_​correlation_​id
(string)
None Available
auth_​domain
(string)
None Available
auth_​identity
(string)
None Available
auth_​identity_​display_​name
(string)
None Available
auth_​is_​interactive
(boolean)
None Available
auth_​outcome
(string)
None Available
auth_​outcome_​reason
(string)
None Available
auth_​server
(string)
None Available
auth_​service
(string)
None Available
auth_​target
(string)
None Available
azure_​ad_​resource_​display_​name
(string)
None Available
backtrace_​identities
(record)
None Available
causality_​actor_​causality_​id
(string)
None Available
causality_​actor_​effective_​user_​sid
(string)
None Available
causality_​actor_​effective_​username
(string)
None Available
causality_​actor_​primary_​user_​sid
(string)
None Available
causality_​actor_​primary_​username
(string)
None Available
causality_​actor_​process_​auth_​id
(string)
None Available
causality_​actor_​process_​causality_​id
(string)
None Available
causality_​actor_​process_​command_​line
(string)
None Available
causality_​actor_​process_​command_​line_​indices
(string)
None Available
causality_​actor_​process_​device_​info
(record)
Info about the device (volume + HW) from which this process started - these fields represent HW info and will be populated only for USB devices
causality_​actor_​process_​execution_​time
(integer)
None Available
causality_​actor_​process_​file_​access_​time
(integer)
None Available
causality_​actor_​process_​file_​create_​time
(integer)
None Available
causality_​actor_​process_​file_​mod_​time
(integer)
None Available
causality_​actor_​process_​file_​size
(integer)
None Available
causality_​actor_​process_​image_​extension
(string)
None Available
causality_​actor_​process_​image_​md5
(string)
None Available
causality_​actor_​process_​image_​name
(string)
None Available
causality_​actor_​process_​image_​path
(string)
None Available
causality_​actor_​process_​image_​sha256
(string)
None Available
causality_​actor_​process_​instance_​id
(string)
None Available
causality_​actor_​process_​integrity_​level
(integer)
None Available
causality_​actor_​process_​is_​64bit
(boolean)
None Available
causality_​actor_​process_​is_​native
(boolean)
None Available
causality_​actor_​process_​is_​replay
(boolean)
None Available
causality_​actor_​process_​is_​special
(integer)
None Available
causality_​actor_​process_​logon_​id
(string)
None Available
causality_​actor_​process_​os_​pid
(integer)
None Available
causality_​actor_​process_​session_​id
(integer)
None Available
causality_​actor_​process_​signature_​is_​embedded
(boolean)
None Available
causality_​actor_​process_​signature_​product
(string)
None Available
causality_​actor_​process_​signature_​status
(integer)
None Available
causality_​actor_​process_​signature_​vendor
(string)
None Available
causality_​actor_​remote_​host
(string)
None Available
causality_​actor_​remote_​ip
(string)
None Available
causality_​actor_​remote_​pipe_​name
(string)
None Available
causality_​actor_​remote_​port
(integer)
None Available
causality_​actor_​remote_​port_​pipe_​name
(string)
None Available
causality_​actor_​session_​id
(integer)
None Available
causality_​actor_​type
(integer)
None Available
cef_​device_​product
(string)
None Available
cef_​device_​vendor
(string)
None Available
cef_​device_​version
(string)
None Available
cef_​extension
(string)
None Available
cef_​severity
(string)
None Available
cef_​signature_​id
(string)
None Available
cef_​version
(integer)
None Available
customerId
(string)
customerId
dfe_​labels
(string)
Story label
dns_​query_​name
(string)
None Available
dns_​query_​type
(string)
None Available
dns_​reply_​code
(string)
None Available
dns_​resolutions
(record)
None Available
dst_​action_​boot_​time
(integer)
None Available
dst_​action_​country
(string)
None Available
dst_​action_​external_​hostname
(string)
None Available
dst_​action_​external_​port
(integer)
None Available
dst_​action_​powered_​off
(boolean)
None Available
dst_​action_​user_​agent
(string)
None Available
dst_​action_​user_​is_​local_​session
(boolean)
None Available
dst_​action_​user_​status
(integer)
None Available
dst_​action_​user_​status_​sid
(string)
None Available
dst_​action_​username
(string)
None Available
dst_​actor_​causality_​id
(string)
None Available
dst_​actor_​effective_​user_​sid
(string)
None Available
dst_​actor_​effective_​username
(string)
None Available
dst_​actor_​is_​injected_​thread
(boolean)
None Available
dst_​actor_​os_​process_​instance_​id
(string)
None Available
dst_​actor_​primary_​user_​sid
(string)
None Available
dst_​actor_​primary_​username
(string)
None Available
dst_​actor_​process_​auth_​id
(string)
None Available
dst_​actor_​process_​causality_​id
(string)
None Available
dst_​actor_​process_​command_​line
(string)
None Available
dst_​actor_​process_​command_​line_​indices
(string)
None Available
dst_​actor_​process_​device_​info
(record)
Info about the device (volume + HW) from which this process started - these fields represent HW info and will be populated only for USB devices
dst_​actor_​process_​execution_​time
(integer)
None Available
dst_​actor_​process_​file_​access_​time
(integer)
None Available
dst_​actor_​process_​file_​create_​time
(integer)
None Available
dst_​actor_​process_​file_​mod_​time
(integer)
None Available
dst_​actor_​process_​file_​size
(integer)
None Available
dst_​actor_​process_​image_​command_​line
(string)
None Available
dst_​actor_​process_​image_​extension
(string)
None Available
dst_​actor_​process_​image_​md5
(string)
None Available
dst_​actor_​process_​image_​name
(string)
None Available
dst_​actor_​process_​image_​path
(string)
None Available
dst_​actor_​process_​image_​sha256
(string)
None Available
dst_​actor_​process_​instance_​id
(string)
None Available
dst_​actor_​process_​integrity_​level
(integer)
None Available
dst_​actor_​process_​is_​64bit
(boolean)
None Available
dst_​actor_​process_​is_​native
(boolean)
None Available
dst_​actor_​process_​is_​replay
(boolean)
None Available
dst_​actor_​process_​is_​special
(integer)
None Available
dst_​actor_​process_​logon_​id
(string)
None Available
dst_​actor_​process_​os_​pid
(integer)
None Available
dst_​actor_​process_​session_​id
(integer)
None Available
dst_​actor_​process_​signature_​is_​embedded
(boolean)
None Available
dst_​actor_​process_​signature_​product
(string)
None Available
dst_​actor_​process_​signature_​status
(integer)
None Available
dst_​actor_​process_​signature_​vendor
(string)
None Available
dst_​actor_​remote_​host
(string)
None Available
dst_​actor_​remote_​ip
(string)
None Available
dst_​actor_​remote_​pipe_​name
(string)
None Available
dst_​actor_​remote_​port
(integer)
None Available
dst_​actor_​thread_​thread_​id
(integer)
None Available
dst_​actor_​thread_​thread_​iid
(string)
None Available
dst_​actor_​type
(integer)
None Available
dst_​agent_​content_​version
(string)
None Available
dst_​agent_​host_​boot_​time
(integer)
None Available
dst_​agent_​hostname
(string)
None Available
dst_​agent_​id
(string)
None Available
dst_​agent_​install_​type
(integer)
None Available
dst_​agent_​interface_​map
(record)
None Available
dst_​agent_​ip_​addresses
(string)
None Available
dst_​agent_​ip_​addresses_​v6
(string)
None Available
dst_​agent_​is_​vdi
(boolean)
None Available
dst_​agent_​os_​sub_​type
(string)
None Available
dst_​agent_​os_​type
(integer)
None Available
dst_​agent_​session_​start_​time
(integer)
None Available
dst_​agent_​status_​component
(string)
None Available
dst_​agent_​version
(string)
None Available
dst_​associated_​mac
(string)
None Available
dst_​association_​strength
(integer)
None Available
dst_​causality_​actor_​causality_​id
(string)
None Available
dst_​causality_​actor_​effective_​user_​sid
(string)
None Available
dst_​causality_​actor_​effective_​username
(string)
None Available
dst_​causality_​actor_​primary_​user_​sid
(string)
None Available
dst_​causality_​actor_​primary_​username
(string)
None Available
dst_​causality_​actor_​process_​auth_​id
(string)
None Available
dst_​causality_​actor_​process_​causality_​id
(string)
None Available
dst_​causality_​actor_​process_​command_​line
(string)
None Available
dst_​causality_​actor_​process_​command_​line_​indices
(string)
None Available
dst_​causality_​actor_​process_​device_​info
(record)
Info about the device (volume + HW) from which this process started - these fields represent HW info and will be populated only for USB devices
dst_​causality_​actor_​process_​execution_​time
(integer)
None Available
dst_​causality_​actor_​process_​file_​access_​time
(integer)
None Available
dst_​causality_​actor_​process_​file_​create_​time
(integer)
None Available
dst_​causality_​actor_​process_​file_​mod_​time
(integer)
None Available
dst_​causality_​actor_​process_​file_​size
(integer)
None Available
dst_​causality_​actor_​process_​image_​extension
(string)
None Available
dst_​causality_​actor_​process_​image_​md5
(string)
None Available
dst_​causality_​actor_​process_​image_​name
(string)
None Available
dst_​causality_​actor_​process_​image_​path
(string)
None Available
dst_​causality_​actor_​process_​image_​sha256
(string)
None Available
dst_​causality_​actor_​process_​instance_​id
(string)
None Available
dst_​causality_​actor_​process_​integrity_​level
(integer)
None Available
dst_​causality_​actor_​process_​is_​64bit
(boolean)
None Available
dst_​causality_​actor_​process_​is_​native
(boolean)
None Available
dst_​causality_​actor_​process_​is_​replay
(boolean)
None Available
dst_​causality_​actor_​process_​is_​special
(integer)
None Available
dst_​causality_​actor_​process_​logon_​id
(string)
None Available
dst_​causality_​actor_​process_​os_​pid
(integer)
None Available
dst_​causality_​actor_​process_​session_​id
(integer)
None Available
dst_​causality_​actor_​process_​signature_​is_​embedded
(boolean)
None Available
dst_​causality_​actor_​process_​signature_​product
(string)
None Available
dst_​causality_​actor_​process_​signature_​status
(integer)
None Available
dst_​causality_​actor_​process_​signature_​vendor
(string)
None Available
dst_​causality_​actor_​remote_​host
(string)
None Available
dst_​causality_​actor_​remote_​ip
(string)
None Available
dst_​causality_​actor_​remote_​pipe_​name
(string)
None Available
dst_​causality_​actor_​remote_​port
(integer)
None Available
dst_​causality_​actor_​remote_​port_​pipe_​name
(string)
None Available
dst_​causality_​actor_​session_​id
(integer)
None Available
dst_​causality_​actor_​type
(integer)
None Available
dst_​event_​utc_​diff_​minutes
(integer)
The difference in minutes of original timestamp from UTC. We use this to identify the agent's original timezone.
dst_​host_​metadata_​domain
(string)
None Available
dst_​host_​metadata_​hostname
(string)
None Available
dst_​host_​metadata_​interface_​map
(record)
None Available
dst_​is_​internal_​ip
(boolean)
None Available
dst_​mac
(string)
None Available
dst_​manifest_​file_​version
(integer)
None Available
dst_​os_​actor_​causality_​id
(string)
None Available
dst_​os_​actor_​effective_​user_​sid
(string)
None Available
dst_​os_​actor_​effective_​username
(string)
None Available
dst_​os_​actor_​is_​injected_​thread
(boolean)
None Available
dst_​os_​actor_​primary_​user_​sid
(string)
None Available
dst_​os_​actor_​primary_​username
(string)
None Available
dst_​os_​actor_​process_​auth_​id
(string)
None Available
dst_os_actor_process_causality_id (string): None Available
dst_os_actor_process_command_line (string): None Available
dst_os_actor_process_command_line_indices (string): None Available
dst_os_actor_process_device_info (record): Info about the device (volume + HW) from which this process started - these fields represent HW info and will be populated only for USB devices
dst_os_actor_process_execution_time (integer): None Available
dst_os_actor_process_file_access_time (integer): None Available
dst_os_actor_process_file_create_time (integer): None Available
dst_os_actor_process_file_mod_time (integer): None Available
dst_os_actor_process_file_size (integer): None Available
dst_os_actor_process_image_command_line (string): None Available
dst_os_actor_process_image_extension (string): None Available
dst_os_actor_process_image_md5 (string): None Available
dst_os_actor_process_image_name (string): None Available
dst_os_actor_process_image_path (string): None Available
dst_os_actor_process_image_sha256 (string): None Available
dst_os_actor_process_instance_id (string): None Available
dst_os_actor_process_integrity_level (integer): None Available
dst_os_actor_process_is_64bit (boolean): None Available
dst_os_actor_process_is_native (boolean): None Available
dst_os_actor_process_is_replay (boolean): None Available
dst_os_actor_process_is_special (integer): None Available
dst_os_actor_process_logon_id (string): None Available
dst_os_actor_process_os_pid (integer): None Available
dst_os_actor_process_session_id (integer): None Available
dst_os_actor_process_signature_is_embedded (boolean): None Available
dst_os_actor_process_signature_product (string): None Available
dst_os_actor_process_signature_status (integer): None Available
dst_os_actor_process_signature_vendor (string): None Available
dst_os_actor_remote_host (string): None Available
dst_os_actor_remote_ip (string): None Available
dst_os_actor_remote_port (integer): None Available
dst_os_actor_session_id (integer): None Available
dst_os_actor_thread_thread_id (integer): None Available
dst_os_actor_thread_thread_iid (string): None Available
dst_os_actor_type (integer): None Available
dst_tcp_flags (integer): None Available
dst_trapsId (string): dst_trapsId
dst_ttl (integer): None Available
dst_user_id (string): None Available
event_address_code_symbol (string): None Available
event_address_mapped_image_path (string): None Available
event_id (string): None Available
event_impersonation_status (integer): None Available
event_invalidity_field (string): None Available
event_is_impersonated (boolean): None Available
event_is_replay (boolean): None Available
event_is_simulated (boolean): None Available
event_rpc_func_opnum (integer): None Available
event_rpc_interface_uuid (string): None Available
event_rpc_interface_version_major (integer): None Available
event_rpc_interface_version_minor (integer): None Available
event_rpc_protocol (integer): None Available
event_sub_type (integer): None Available
event_timestamp (integer): None Available
event_type (integer): None Available
event_user_presence (boolean): None Available
event_user_presence_status (integer): None Available
event_utc_diff_minutes (integer): None Available
event_validity_enum (integer): None Available
event_version (integer): None Available
event_versions (integer): None Available
execution_actor_causality_id (string): Of the parent which executed the terminated process instance
execution_actor_instance_id (string): Of the parent which executed the terminated process instance
facility (string): None Available
fw_identities (record): None Available
fw_is_dup_log (integer): None Available
fw_log_subtypes (string): None Available
fw_log_types (string): None Available
fw_time_generated (integer): None Available
fw_traffic_flags (integer): None Available
generatedTime (timestamp): generatedTime
host_metadata_domain (string): None Available
host_metadata_hostname (string): None Available
host_metadata_interface_map (record): None Available
http_content_type (string): None Available
http_method (string): None Available
http_referer (string): None Available
http_req_before_method (string): None Available
http_req_content_type_header (string): None Available
http_req_host_header (string): None Available
http_req_referer_header (string): None Available
http_req_uri (string): None Available
http_req_user_agent_header (string): None Available
http_rsp_code (integer): None Available
http_rsp_content_type_header (string): None Available
http_rsp_filename (string): None Available
http_server (string): None Available
http_status_code (integer): None Available
icmp_code (integer): None Available
icmp_type (integer): None Available
insert_timestamp (timestamp): None Available
is_disintegrated (boolean): None Available
is_internal_ip (boolean): None Available
krb_error_code (integer): None Available
krb_is_machine_account (boolean): None Available
krb_logon_guid (string): None Available
krb_renew_ticket_expiration_time (integer): None Available
krb_req_kdc_options (integer): None Available
krb_req_msg_type (integer): None Available
krb_req_padata_prefix (string): None Available
krb_req_ticket_enc_types (integer): None Available
krb_rsp_msg_type (integer): None Available
krb_rsp_ticket_enc_type (integer): None Available
krb_rsp_ticket_prefix (string): None Available
krb_spn_type (integer): None Available
krb_tgs_data (record): None Available
krb_tgt_data (record): None Available
krb_ticket_expiration_time (integer): None Available
krb_user_type (integer): None Available
mac (string): None Available
manifest_file_version (integer): None Available
non_standard_dport (integer): None Available
os_actor_causality_id (string): None Available
os_actor_effective_user_sid (string): None Available
os_actor_effective_username (string): None Available
os_actor_is_injected_thread (boolean): None Available
os_actor_primary_user_sid (string): None Available
os_actor_primary_username (string): None Available
os_actor_process_auth_id (string): None Available
os_actor_process_causality_id (string): None Available
os_actor_process_command_line (string): None Available
os_actor_process_command_line_indices (string): None Available
os_actor_process_device_info (record): Info about the device (volume + HW) from which this process started - these fields represent HW info and will be populated only for USB devices
os_actor_process_execution_time (integer): None Available
os_actor_process_file_access_time (integer): None Available
os_actor_process_file_create_time (integer): None Available
os_actor_process_file_mod_time (integer): None Available
os_actor_process_file_size (integer): None Available
os_actor_process_image_command_line (string): None Available
os_actor_process_image_extension (string): None Available
os_actor_process_image_md5 (string): None Available
os_actor_process_image_name (string): None Available
os_actor_process_image_path (string): None Available
os_actor_process_image_sha256 (string): None Available
os_actor_process_instance_id (string): None Available
os_actor_process_integrity_level (integer): None Available
os_actor_process_is_64bit (boolean): None Available
os_actor_process_is_native (boolean): None Available
os_actor_process_is_replay (boolean): None Available
os_actor_process_is_special (integer): None Available
os_actor_process_logon_id (string): None Available
os_actor_process_os_pid (integer): None Available
os_actor_process_session_id (integer): None Available
os_actor_process_signature_is_embedded (boolean): None Available
os_actor_process_signature_product (string): None Available
os_actor_process_signature_status (integer): None Available
os_actor_process_signature_vendor (string): None Available
os_actor_remote_host (string): None Available
os_actor_remote_ip (string): None Available
os_actor_remote_port (integer): None Available
os_actor_session_id (integer): None Available
os_actor_thread_thread_id (integer): None Available
os_actor_thread_thread_iid (string): None Available
os_actor_type (integer): None Available
other (string): None Available
proxy (integer): None Available
recordType (string): recordType
serverTime (timestamp): serverTime
ssl_req_chello_sni_sample (string): None Available
sso_debug_data (string): None Available
sso_display_message (string): None Available
sso_severity (string): None Available
story_id (string): ID of the story
story_publish_timestamp (integer): None Available
story_version (float): None Available
syscall_action_etw_based (boolean): None Available
syscall_action_int_params (string): None Available
syscall_action_stack_ptr (string): None Available
syscall_action_string_params (string): None Available
tcp_flags (integer): None Available
trapsId (string): trapsId
ttl (integer): None Available
uri (string): None Available
user_id (string): None Available
uuid (string): None Available
zip_id (string): None Available
