Abnormal Security
(abnormal_security_threat)

| Field | Label | Description |
| --- | --- | --- |
| email.message_id | Message ID | Unique identifier of the email |
| srcip | Source IP | Source IP address |
| email.recipient.addresses | Recipient Address(es) | All recipients of the email, including those in the 'To', 'CC' (carbon copy), and 'BCC' (blind carbon copy) fields. |
| email.to.addresses | To Address(es) | Primary intended recipients of the email. These are the email addresses explicitly listed in the 'To' field of the email. |
| email.from.address | From Address | Email address that appears in the 'From' field of the email. It is the address that the recipient sees as the sender of the email. |
| email.subject | Email Subject | Subject line of the email |
| abnormal_security.sentTime | Sent Time | Time the email was sent |
| abnormal_security.receivedTime | Received Time | Time the email was received |
| abnormal_security.attackStrategy | Attack Strategy | Strategy used in the attack |
| abnormal_security.attackType | Attack Type | Type of attack |
| abnormal_security.attackVector | Attack Vector | Vector used in the attack |
| abnormal_security.remediationStatus | Remediation Status | Status of the remediation |
| abnormal_security.autoRemediated | Auto-Remediated | Whether the email was auto-remediated or not |
| abnormal_security.summaryInsights | Summary Insights | Summary insights about the email |
| abnormal_security.urlCount | URL Count | Number of URLs in the email |
| abnormal_security.attachmentCount | Attachment Count | Number of attachments in the email |
| abnormal_security.abxPortalUrl | ABX Portal URL | URL to the ABX portal for more details |
| url_list | URL List | List of URLs in the email |

Acronis (Antimalware protection)
(acronis_cyber_protect)

| Field | Label | Description |
| --- | --- | --- |
| event.threat.name | Alert Type | Alert type |
| acronis_cyber_protect.details.threatName | Acronis Threat Name | Acronis threat name |
| event.category | Alert Category | Alert category |
| host.name | Host Name | Host name |
| event.severity_str | Acronis Severity Level | Acronis severity level |
| file.name | File Name | File name |
| file.path | File Path | File path |
| file.hash.sha1 | File SHA1 | File SHA1 hash |
| file.hash.md5 | File MD5 | File MD5 hash |
| file.hash.sha256 | File SHA256 | File SHA256 hash |

Acronis (EDR)
(acronis_cyber_protect)

| Field | Label | Description |
| --- | --- | --- |
| event.threat.name | Alert Type | Alert type |
| event.category | Alert Category | Alert category |
| host.name | Host Name | Host name |
| event.severity_str | Acronis Severity Level | Acronis severity level |
| acronis_cyber_protect.details.redirectLink | Acronis Alert Redirect Link | Acronis alert redirect link |
| acronis_cyber_protect.details.verdict | Acronis Alert Verdict | Acronis alert verdict |

Acronis (Email security)
(acronis_cyber_protect)

| Field | Label | Description |
| --- | --- | --- |
| event.threat.name | Alert Type | Alert type |
| event.category | Alert Category | Alert category |
| event.severity_str | Acronis Severity Level | Acronis severity level |
| email.from.address | Email From Address | Email from address |
| email.subject | Email Subject | Email subject |

Acronis (URL filtering)
(acronis_cyber_protect)

| Field | Label | Description |
| --- | --- | --- |
| event.threat.name | Alert Type | Alert type |
| acronis_cyber_protect.details.threatName | Acronis Threat Name | Acronis threat name |
| event.category | Alert Category | Alert category |
| host.name | Host Name | Host name |
| event.severity_str | Acronis Severity Level | Acronis severity level |
| url | URL | URL |
| process.pid | Process ID | Process ID |
| process.executable | Process Path | Process path |

Armis
(armis)

| Field | Label | Description |
| --- | --- | --- |
| armis.alertId | Alert ID | Alert ID assigned by Armis |
| armis.severity | Armis Severity | Original severity from Armis |
| armis.title | Alert Title | Title of the alert |
| armis.policyTitle | Policy Title | Title of the policy that triggered the alert |
| armis.affectedDevicesCount | Affected Devices Count | Number of devices affected by the alert |
| armis.deviceIds | Affected Device IDs | IDs of the affected devices |
| host_list | Affected Devices | List of affected devices |
| ip | Host IP | Host IP address |
| mac | Host MAC | Host MAC address |
| armis.status | Armis Alert Status | Current status of the alert from Armis |

Avanan (Delivered)
(avanan)

| Field | Label | Description |
| --- | --- | --- |
| email.from.address | From Address | Who the email is from |
| email.to.addresses | To Address(es) | Primary intended recipient of the email |
| email.sender.address | Sender Address | Who actually sent the email on behalf of the primary sender |
| email.recipient.addresses | Recipient Address(es) | Who received the email (including CC and BCC) |
| email.subject | Email Subject | Email subject |
| url_list | URL List | URL(s) in the email |
| domain_list | Email Links Domain(s) | Email links domain(s) |
| file_list | File List | File name of the malicious file |
| name | File Name | File name |
| hash.md5 | Host Hash | File hash |
| threat_indicator.labels | File Hash Reputation Label(s) | File hash reputation label(s) |
| threat_indicator.sources | File Hash Reputation Source(s) | File hash reputation source(s) |

Avanan (Quarantined)
(avanan)

| Field | Label | Description |
| --- | --- | --- |
| email.from.address | From Address | Who the email is from |
| email.to.addresses | To Address(es) | Primary intended recipient of the email |
| email.sender.address | Sender Address | Who actually sent the email on behalf of the primary sender |
| email.recipient.addresses | Recipient Address(es) | Who received the email (including CC and BCC) |
| email.subject | Email Subject | Email subject |
| url_list | URL List | URL(s) in the email |
| domain_list | Email Links Domain(s) | Email links domain(s) |
| file_list | File List | File name of the malicious file |
| name | File Name | File name |
| hash.md5 | Host Hash | File hash |
| threat_indicator.labels | File Hash Reputation Label(s) | File hash reputation label(s) |
| threat_indicator.sources | File Hash Reputation Source(s) | File hash reputation source(s) |

AWS GuardDuty
(aws_guardduty)

| Field | Label | Description |
| --- | --- | --- |
| aws_guardduty.Title | Alert Title | AWS GuardDuty alert title |
| host_list | Host IP Address(es) | Private IP addresses of the network interfaces of the resource instance |
| user.name | User Name | User name associated with the access key details of the resource |
| event.threat.name | Threat Name | Threat name |
| event.severity | AWS GuardDuty Severity Score | AWS GuardDuty severity score |
| cloud.resource.type | Cloud Resource Type | Cloud resource type |
| cloud.resource.id | Cloud Resource ID | Cloud resource ID |
| cloud.resource.name | Cloud Resource Name | Cloud resource name |

Bitdefender IP
(bitdefender_ip)

| Field | Label | Description |
| --- | --- | --- |
| host.name | Host Name | Host name |
| host.ip | Host IP Address | Host IP address |
| srcip | Source IP | Source IP address |

Bitdefender Threat
(bitdefender_threat)

| Field | Label | Description |
| --- | --- | --- |
| host.name | Host Name | Host name |
| host.ip | Host IP Address | Host IP address |
| event.threat.name | Threat Type | Threat type |

Bitdefender URL
(bitdefender_url)

| Field | Label | Description |
| --- | --- | --- |
| host.name | Host Name | Host name |
| host.ip | Host IP Address | Host IP address |
| url | URL | URL |

Blackberry CylancePROTECT
(cylance_protect)

| Field | Label | Description |
| --- | --- | --- |
| host.name | Host Name | Computer name |
| host.ip | Host IP Address | Host IP address |
| file_name | File Name | File name |
| file_path | File Path | File path |
| process_name | Process Name | Process name |

CrowdStrike
(crowdstrike)

| Field | Label | Description |
| --- | --- | --- |
| host.name | Computer Name | Computer name |
| hostip | Host IP Address | Host IP address |
| user.name | User Name | User name |
| file.name | File Name | File name |
| file.path | File Path | File path |
| process.command_line | Command Line | Command line |

Cybereason
(cybereason)

| Field | Label | Description |
| --- | --- | --- |
| user_list | User Names | User names |
| file.name | File Name | File name |
| process.name | Process Name | Process name |
| host_list | Host IP Address(es) | Host IP address(es) |

Cynet
(cynet)

| Field | Label | Description |
| --- | --- | --- |
| host.ip | Host IP Address | Host IP address |
| event.threat.name | Threat Name | Event threat name |
| file.name | File Name | File name |

Deep Instinct
(deepinstinct)

| Field | Label | Description |
| --- | --- | --- |
| deep_instinct.msp_name | MSP Name | MSP name |
| event.id | Event ID | Event ID |
| deep_instinct.type | Type | Deep Instinct event type |
| host.name | Host Name | Host name |
| host.ip | Host IP Address | Host IP address |
| file.path | File Path | File path |
| file.file_hash | File Hash | File hash |
| file.threat_indicator.labels | File Hash Reputation Label(s) | File hash reputation label(s) |
| file.threat_indicator.sources | File Hash Reputation Source(s) | File hash reputation source(s) |
| deep_instinct.action | Event Action | Deep Instinct event action |
| deep_instinct.threat_type | Deep Instinct Threat Type | Deep Instinct threat type |
| event.severity_str | Original Deep Instinct Severity | Original Deep Instinct severity |

ESET Cloud Office Security
(eset_cloud_office_security)

| Field | Label | Description |
| --- | --- | --- |
| eset.Tenant | ESET Tenant | ESET Cloud Office Security tenant name |
| eset.OperationId | ESET Operation ID | ESET Cloud Office Security operation ID |
| eset.ScanResult | ESET Threat Type | ESET Cloud Office Security threat type |
| eset.Action | ESET Event Action | ESET Cloud Office Security event action |
| file.name | File Name | File name |
| file.hash.sha1 | File SHA1 Hash | SHA1 hash of the malicious file |
| srcip | Source IP | Email sender source IP address |
| email.from.address | Sender Address | Sender email address |
| email.to.addresses | Recipient Address(es) | Recipient email address(es) |
| email.subject | Email Subject | Email subject |

ESET Protect
(eset_protect_filtered_websites_event)

| Field | Label | Description |
| --- | --- | --- |
| srcip | Source IP | Source IP address |
| dstip | Destination IP | Destination IP address |
| eset.rule_id | ESET Protect Rule ID | ESET Protect rule ID |
| eset.event_type | ESET Protect Event Type | ESET Protect event type |
| event.severity_str | ESET Protect Event Severity | ESET Protect event severity |
| event.threat.name | ESET Protect Threat Name | ESET Protect threat name |
| process.executable | Process Path | Process path |
| user.name | User Name | User name |
| host.name | Host Name | Host name |
| file.hash.sha1 | File SHA1 Hash | File SHA1 hash |
| file.threat_indicator.labels | File Hash Reputation Label(s) | File hash reputation label(s) |
| file.threat_indicator.sources | File Hash Reputation Source(s) | File hash reputation source(s) |

ESET Protect
(eset_protect_firewall_aggregated_event)

| Field | Label | Description |
| --- | --- | --- |
| srcip | Source IP | Source IP address |
| dstip | Destination IP | Destination IP address |
| eset.event_type | ESET Protect Event Type | ESET Protect event type |
| event.severity_str | ESET Protect Event Severity | ESET Protect event severity |
| event.threat.name | ESET Protect Threat Name | ESET Protect threat name |
| process.executable | Process Path | Process path |
| user.name | User Name | User name |

ESET Protect
(eset_protect_inspect_alert)

| Field | Label | Description |
| --- | --- | --- |
| host.ip | Host IP | Host IP address |
| host.name | Host Name | Host name |
| eset.event_type | ESET Protect Event Type | ESET Protect event type |
| eset.rulename | ESET Protect Rule Name | ESET Protect rule name |
| process.executable | Process Path | Process path |
| user.name | User Name | User name |
| event.severity_str | ESET Protect Event Severity | ESET Protect event severity |
| eset.eiconsolelink | ESET Protect Console Link | ESET Protect console link |
| eset.source_uuid | ESET Protect Source UUID | ESET Protect source UUID |
| file.hash.sha1 | File SHA1 Hash | File SHA1 hash |
| file.threat_indicator.labels | File Hash Reputation Label(s) | File hash reputation label(s) |
| file.threat_indicator.sources | File Hash Reputation Source(s) | File hash reputation source(s) |

ESET Protect
(eset_protect_threat_event)

| Field | Label | Description |
| --- | --- | --- |
| host.ip | Host IP | Host IP address |
| host.name | Host Name | Host name |
| eset.event_type | ESET Protect Event Type | ESET Protect event type |
| process.executable | Process Path | Process path |
| user.name | User Name | User name |
| event.severity_str | ESET Protect Event Severity | ESET Protect event severity |
| eset.source_uuid | ESET Protect Source UUID | ESET Protect source UUID |
| file.hash.sha1 | File SHA1 Hash | File SHA1 hash |
| file.threat_indicator.labels | File Hash Reputation Label(s) | File hash reputation label(s) |
| file.threat_indicator.sources | File Hash Reputation Source(s) | File hash reputation source(s) |

Fortinet Lacework
(laceworkt)

Rows beginning with KEY. or PROPS. are sub-fields of the ENTITY_MAP entry listed immediately above them.

| Field | Label | Description |
| --- | --- | --- |
| fortinet_lacework.START_TIME | Start Time | Time and date when the hourly aggregation time period starts |
| fortinet_lacework.END_TIME | End Time | Time and date when the hourly aggregation time period ends |
| event.threat.name | Alert Type | Type of the alert |
| fortinet_lacework.EVENT_ID | Event ID | Unique identifier generated for this event by Lacework FortiCNAPP |
| fortinet_lacework.EVENT_MODEL | Event Model | Data model used for generating the alert |
| fortinet_lacework.EVENT_ACTOR | Event Actor | Event actor that categorizes the type of an alert, such as application, process, files, etc. |
| fortinet_lacework.ENTITY_MAP.User | User(s) | User(s) |
| KEY.username | User Name | User's name |
| PROPS.hostname | Host Name | User's host name |
| fortinet_lacework.ENTITY_MAP.CT_User | CloudTrail User(s) | CloudTrail user(s) |
| KEY.username | User Name | User's name |
| PROPS.account | User Account | User's account |
| fortinet_lacework.ENTITY_MAP.SourceIpAddress | Source IP Address(es) | Source IP address(es) |
| KEY.ip_addr | IP Address | IP address |
| fortinet_lacework.ENTITY_MAP.FileExePath | File Path(s) | File path(s) |
| KEY.exe_path | File Path | File path |
| fortinet_lacework.ENTITY_MAP.Process | Process(es) | Process(es) |
| PROPS.hostname | Host Name | Host name |
| PROPS.cmdline | Command Line | Command line |
| PROPS.pid | PID | Unique identifier of the process |
| fortinet_lacework.ENTITY_MAP.Machine | Machine(s) | Machine(s) |
| PROPS.hostname | Host Name | Host name |
| PROPS.internal_ip_addr | IP Address | IP address |

Google Workspace Alert
(google_workspace_alert)

| Field | Label | Description |
| --- | --- | --- |
| source | Alert Source | Alert source |
| type | Alert Type | Alert type |
| rule.name | Rule Name | Alert rule name |
| host.ip | Login IP Address | IP address associated with the warning event |
| data.email | Data Email | Email of the user to which this event belongs |
| securityInvestigationToolLink | Investigation Tool Link | Google Workspace security investigation tool link |
| user.id | User ID | User ID |
| user.name | User Name | User name |
| email.from.address | Email From Address | Email from address |
| email.recipient.addresses | Email Recipient Addresses | Email recipient addresses |

Huntress
(huntress_incident)

| Field | Label | Description |
| --- | --- | --- |
| huntress.organization_name | Organization Name | Huntress organization name |
| huntress.security_products | Originating Security Products | Originating security products |
| huntress.incident_report_url | Incident Report URL | Huntress incident report URL |
| huntress.user_url | User URL | Huntress user URL |
| huntress.host_url | Host URL | Huntress host URL |
| host.name | Host Name | Host name |
| host.ip | Host IP | Host IP address |
| user_name | User Name | User name |
| event.threat_list | Huntress Event Threat List | Huntress event threat list |
| name | Threat Name | Huntress event threat name |
| severity | Threat Severity | Huntress event threat severity |

HYAS Protect
(hyas_protect_block)

| Field | Label | Description |
| --- | --- | --- |
| srcip | Client IP | Client IP address |
| dns.question.name | Domain | Domain |
| hyas_protect.registrar | Domain Registrar | Domain registrar |
| domain_creation | Domain Creation Date | Domain creation date |
| hyas_protect.verdictStatus | HYAS Protect Verdict Status | HYAS Protect verdict status: Allow = allow; Block = block; Highly Suspicious = bad; Watch Engine = suspicious |
| hyas_protect.reason.type | HYAS Protect Reason Type | HYAS Protect reason type |
| hyas_protect.reason.lists | HYAS Protect Reason Lists | HYAS Protect reason lists |
| id | ID | Reason ID |
| name | Name | Reason name |
| datatype | Datatype | Reason data type |
| dns.resolved_ip | Resolved IP(s) | Resolved IP address(es) |
| dns.answers | DNS Answer(s) | DNS answer(s) |
| name | Domain name | Domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's name should be the one that corresponds with the answer's data. |
| type | Data Type | Type of data contained in this resource record |
| data | Data | Data in this resource record |

HYAS Protect
(hyas_protect_bad)

| Field | Label | Description |
| --- | --- | --- |
| srcip | Client IP | Client IP address |
| dns.question.name | Domain | Domain |
| hyas_protect.registrar | Domain Registrar | Domain registrar |
| domain_creation | Domain Creation Date | Domain creation date |
| hyas_protect.verdictStatus | HYAS Protect Verdict Status | HYAS Protect verdict status: Allow = allow; Block = block; Highly Suspicious = bad; Watch Engine = suspicious |
| hyas_protect.reason.type | HYAS Protect Reason Type | HYAS Protect reason type |
| hyas_protect.reason.lists | HYAS Protect Reason Lists | HYAS Protect reason lists |
| id | ID | Reason ID |
| name | Name | Reason name |
| datatype | Datatype | Reason data type |
| dns.resolved_ip | Resolved IP(s) | Resolved IP address(es) |
| dns.answers | DNS Answer(s) | DNS answer(s) |
| name | Domain name | Domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's name should be the one that corresponds with the answer's data. |
| type | Data Type | Type of data contained in this resource record |
| data | Data | Data in this resource record |

HYAS Protect
(hyas_protect_suspicious)

| Field | Label | Description |
| --- | --- | --- |
| srcip | Client IP | Client IP address |
| dns.question.name | Domain | Domain |
| hyas_protect.registrar | Domain Registrar | Domain registrar |
| domain_creation | Domain Creation Date | Domain creation date |
| hyas_protect.verdictStatus | HYAS Protect Verdict Status | HYAS Protect verdict status: Allow = allow; Block = block; Highly Suspicious = bad; Watch Engine = suspicious |
| hyas_protect.reason.type | HYAS Protect Reason Type | HYAS Protect reason type |
| hyas_protect.reason.lists | HYAS Protect Reason Lists | HYAS Protect reason lists |
| id | ID | Reason ID |
| name | Name | Reason name |
| datatype | Datatype | Reason data type |
| dns.resolved_ip | Resolved IP(s) | Resolved IP address(es) |
| dns.answers | DNS Answer(s) | DNS answer(s) |
| name | Domain name | Domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's name should be the one that corresponds with the answer's data. |
| type | Data Type | Type of data contained in this resource record |
| data | Data | Data in this resource record |

LimaCharlie Events
(limacharlie_alert)

| Field | Label | Description |
| --- | --- | --- |
| srcip_host | Source Host | Name of the workstation |
| srcip | Source IP | IP address of the source |
| srcport | Source IP Port | Port of the source IP address |
| host.name | Host Name | Host name |
| host.ip | Host IP | Host IP address |
| limacharlie.detect.event.ACTION | Action | Event action |
| limacharlie.detect.event.REGISTRY_KEY | Registry Key | Registry key |
| limacharlie.detect.event.REGISTRY_VALUE | Registry Value | Registry value |
| process.name | Process File Path | File path of the process |
| process.hash.sha256 | Process File Hash | File hash of the process |
| process.threat_indicator.labels | Process File Hash Reputation Label(s) | Process file hash reputation label(s) |
| process.threat_indicator.sources | Process File Hash Reputation Source(s) | Process file hash reputation source(s) |
| event.severity_str | LimaCharlie Severity | Original severity of the LimaCharlie alert |
| limacharlie.detect.event.EVENT.EventData.TargetUserSid | SID | SID of the target user |
| file.path | File Path | Path of the file |
| file.hash.sha256 | File Hash | SHA256 hash of the file |
| file.threat_indicator.labels | File Hash Reputation Label(s) | File hash reputation label(s) |
| file.threat_indicator.sources | File Hash Reputation Source(s) | File hash reputation source(s) |
| process.command_line | Process Command Line | Command line of the process |
| process.pid | Process ID | Process ID |
| user.name | User Name | User name |
| limacharlie.detect.event.EVENT.System.EventID | Event ID | Event ID |
| limacharlie.detect.event.EVENT.EventData.LogonType | Logon Type | Logon type |
| limacharlie.detect.event.EVENT.EventData.ProcessName | Process Name | Process name |
| limacharlie.detect.event.PARENT.FILE_PATH | Parent Process File Path | File path of the parent process |
| limacharlie.detect.event.PARENT.HASH | Parent Process File Hash | File hash of the parent process |
| process.parent.threat_indicator.labels | Parent Process File Hash Reputation Label(s) | Reputation label(s) of the parent process file hash |
| process.parent.threat_indicator.sources | Parent Process File Hash Reputation Source(s) | Reputation source(s) of the parent process file hash |
| process.parent.command_line | Parent Process Command Line | Command line of the parent process |
| process.parent.pid | Parent Process ID | Parent process ID |
| limacharlie.detect.event.PARENT.USER_NAME | Parent User Name | User name of the parent process |
| limacharlie.link | LimaCharlie Alert Link | LimaCharlie alert link |
| limacharlie.source_rule | Source Rule | Source rule that LimaCharlie used to generate the alert |
| limacharlie.detect_mtd.references | Rule References | References of the rule |

Microsoft Defender for Endpoint
(ms_defender_atp)

| Field | Label | Description |
| --- | --- | --- |
| host.name | Host Name | Host name |
| host.ip | Host IP Address | Host IP address |
| user.name | User Name | User name |
| user.domain | User Domain | User domain |
| threat | Threat Name | Threat name |
| file_list | File List | File list |
| process_list | Process List | Process list |

Microsoft Entra ID (formerly Azure Active Directory)
(azure_ad_risk_detection)

| Field | Label | Description |
| --- | --- | --- |
| userDisplayName | User Name | User name |
| ipAddress | Host IP Address | Host IP address |
| riskEventType | Event Type | Risk event type |

Microsoft Defender for Cloud
(microsoft_defender_cloud)

| Field | Label | Description |
| --- | --- | --- |
| microsoft_defender_cloud.AlertUri | Microsoft Defender for Cloud Alert URI | Microsoft Defender for Cloud alert URI |
| event.severity_str | Microsoft Defender for Cloud Severity | Original severity from Microsoft Defender for Cloud |
| microsoft_defender_cloud.AlertDisplayName | Microsoft Defender for Cloud Alert Name | Microsoft Defender for Cloud alert name |
| cloud.resource.name | Cloud Resource Name | Cloud resource name |
| cloud.resource.type | Cloud Resource Type | Cloud resource type |
| cloud.resource.id | Cloud Resource ID | Cloud resource ID |
| srcip_list | Source IP List | Source IP address list |
| srcip | Source IP | Source IP address |
| user.name | User Name | User name |
| host.name | Host Name | Host name |
| host.ip | Host IP Address | Host IP address |
| file.name | File Name | File name |
| file.path | File Path | File path |
| file.hash.md5 | File MD5 Hash | File MD5 hash |
| file.hash.sha256 | File SHA256 Hash | File SHA256 hash |
| process.executable | Process Executable | Process executable |
| process.id | Process ID | Process ID |
| process.command_line | Process Command Line | Process command line |
| process.parent.name | Parent Process Name | Parent process name |
| process.parent.executable | Parent Process Executable | Parent process executable |
| process.parent.id | Parent Process ID | Parent process ID |
| process.parent.command_line | Parent Process Command Line | Parent process command line |
| microsoft_defender_cloud.ExtendedProperties | Extended Properties | Extended properties |
| microsoft_defender_cloud.ExtendedProperties.Potential causes | Potential Causes | Potential causes |
| microsoft_defender_cloud.ExtendedProperties.Recommended actions | Recommended Actions | Recommended actions |
| microsoft_defender_cloud.ExtendedProperties.Event of Interest | Event of Interest | Event of interest |
| microsoft_defender_cloud.RemediationSteps | Remediation Steps | Remediation steps |

Microsoft Defender for Cloud Apps
(ms_defender_for_cloud_apps)

| Field | Label | Description |
| --- | --- | --- |
| microsoft_defender_for_cloud_apps.URL | Microsoft Defender for Cloud Apps URL | Microsoft Defender for Cloud Apps URL |
| event.threat_list | Risk category | Threat list |
| name | Risk category | Microsoft Defender for Cloud Apps risk category |
| event.severity_str | Microsoft Defender for Cloud Apps Severity | Original severity value from Microsoft Defender for Cloud Apps |
| microsoft_defender_for_cloud_apps.isPreview | Preview | Alerts that have been recently released as GA |
| user.id | User ID | User ID of the entity that was involved in this alert |
| user.name | Username | Username of the entity that was involved in this alert |
| srcip | Source IP Address | Source IP address of the attack that was involved in this alert |
| srcip_host | Source Host | Name of the source workstation involved in this alert |
| dstip_host | Destination Host | Name of the destination workstation involved in this alert |
| observables | Entities | List of observables related to the alert |
| name | Entity name | Entity name |
| type | Entity type | Entity type |
| id | Entity ID | Entity ID |

Microsoft Office 365
(microsoft_365)

| Field | Label | Description |
| --- | --- | --- |
| event.threat.name | Threat Name | Threat name |
| event.severity_str | Microsoft 365 Severity Level | Microsoft 365 severity level |
| event.category | Category | Microsoft 365 alert category |
| Source | Source | Microsoft 365 alert source |
| AlertType | Alert Type | Microsoft 365 alert type |
| event_summary.alert_entity_list | Alert Entity List | Microsoft 365 alert entity list |
| username | User Name | User name |

Microsoft Sentinel
(ms_sentinel_incident)

| Field | Label | Description |
| --- | --- | --- |
| microsoft_sentinel.Title | Incident Title | Microsoft Sentinel incident title |
| microsoft_sentinel.ModifiedBy | Modified By | Microsoft Sentinel modified by |
| microsoft_sentinel.AdditionalData.alertsCount | Alerts Count | Microsoft Sentinel additional data alerts count |
| microsoft_sentinel.IncidentUrl | Incident Link | Microsoft Sentinel incident link |
| microsoft_sentinel.SourceSystem | Source System | Microsoft Sentinel source system |
| microsoft_sentinel.AlertIds | Alert IDs | Microsoft Sentinel alert IDs |

Mimecast Attachment Protect
(mimecast_attachment_protect)
Mimecast API 1.0

| Field | Label | Description |
| --- | --- | --- |
| srcip | Source IP Address | Source IP address of the original message that contained the malicious file |
| file.name | File Name | File name of the malicious file |
| mimecast.fileExt | File Extension | File extension of the malicious file |
| mimecast.Size | File Size | Size (in bytes) of the malicious file |
| mimecast.sizeAttachment | File Size | Size (in bytes) of the malicious file |
| file.hash.md5 | File MD5 Hash | MD5 hash of the malicious file |
| file.hash.sha1 | File SHA1 Hash | SHA1 hash of the malicious file |
| file.hash.sha256 | File SHA256 Hash | SHA256 hash of the malicious file |
| mimecast.fileMime | File MIME Type | Detected MIME type of the malicious file |
| email.sender.address | Sender Address | Sender address |
| email.recipient.addresses | Recipient Address(es) | Recipient address(es) |
| email.subject | Email Subject | Email subject |
| mimecast.senderDomain | Sender Domain | Sender domain |
| mimecast.Route | The Route of the Message | Route of the message |
| mimecast.route | The Route of the Message | Route of the message |

Mimecast AV
(mimecast_av)
Mimecast API 1.0

| Field | Label | Description |
| --- | --- | --- |
| srcip | Source IP Address | Source IP address of the original message |
| file.name | File Name | File name |
| mimecast.fileExt | File Extension | File extension |
| mimecast.fileExtension | File Extension | File extension |
| mimecast.Size | Email Size | Total size of the email |
| mimecast.emailSize | Email Size | Total size of the email |
| file.hash.md5 | File MD5 Hash | File MD5 hash |
| file.hash.sha1 | File SHA1 Hash | File SHA1 hash |
| file.hash.sha256 | File SHA256 Hash | File SHA256 hash |
| mimecast.fileMime | File MIME Type | File MIME type |
| email.sender.address | Sender Address | Sender address |
| mimecast.senderDomain | Sender Domain | Sender domain |
| email.recipient.addresses | Recipient Address(es) | Recipient address(es) |
| email.subject | Email Subject | Email subject |
| mimecast.Route | The Route of the Message | Route of the message |
| mimecast.route | The Route of the Message | Route of the message |
| mimecast.Virus | Virus Signature | Virus signature |
| mimecast.virusFound | Virus Signature | Virus signature |

Mimecast Impersonation Protect
(mimecast_email_impersonation_protect)
Mimecast API 1.0
Mimecast API 2.0

| Field | Label | Description |
| --- | --- | --- |
| mimecast.aCode | Mimecast aCode | Unique ID used to track the email through the different log types from Mimecast |
| srcip | Source IP Address | Source IP address of the original message |
| email.sender.address | Sender Address | Sender address |
| email.recipient.addresses | Recipient Address(es) | Recipient address(es) |
| email.subject | Email Subject | Email subject |
| event.threat.name | Alert Definition | Alert definition |
| mimecast.Hits | Number of Items Flagged | Number of items flagged for the message |
| mimecast.Route | The Route of the Message | Route of the message |

Mimecast Internal Email Protect
(mimecast_internal_email_protect)
Mimecast API 1.0
Mimecast API 2.0

| Field | Label | Description |
| --- | --- | --- |
| mimecast.aCode | Mimecast aCode | Unique ID used to track the email through the different log types from Mimecast |
| mimecast.processingId | Mimecast aCode | Unique ID used to track the email through the different log types from Mimecast |
| srcip | Source IP Address | Source IP address of the sending mail server |
| url | Clicked URL | URL the user clicked |
| event.threat.name | URL Category | URL category |
| email.sender.address | Sender Address | Sender address |
| email.recipient.addresses | Recipient Address(es) | Recipient address(es) |
| email.subject | Email Subject | Email subject |
| mimecast.Route | The Route of the Message | Route of the message |

Mimecast Malicious Receipt Log
(mimecast_receipt_with_virus)
Mimecast API 1.0
Mimecast API 2.0

| Field | Label | Description |
| --- | --- | --- |
| mimecast.aCode | Mimecast aCode | Unique ID used to track the email through the different log types from Mimecast |
| mimecast.processingId | Mimecast aCode | Unique ID used to track the email through the different log types from Mimecast |
| srcip | Source IP Address | Source IP address of the sending mail server |
| email.sender.address | Sender Address | Sender address |
| email.recipient.addresses | Recipient Address(es) | Recipient address(es) |
| email.subject | Email Subject | Email subject |
| mimecast.Error | Errors Occurred | Information about any errors that occurred during receipt |
| mimecast.receiptErrors | Errors Occurred | Information about any errors that occurred during receipt |
| mimecast.Dir | Email Direction | Direction of the email based on the sending and receiving domains |
| mimecast.direction | Email Direction | Direction of the email based on the sending and receiving domains |
| mimecast.Virus | Virus Signature | Virus signature |
| mimecast.virusFound | Virus Signature | Virus signature |
| mimecast.Act | Action | Action taken at the receipt stage |
| mimecast.action | Action | Action taken at the receipt stage |
| mimecast.RejInfo | Rejection Information | Rejection information if the email was rejected at the receipt stage |
| mimecast.rejectionInfo | Rejection Information | Rejection information if the email was rejected at the receipt stage |
| mimecast.RejType | Rejection Type | Rejection type if the email was rejected at the receipt stage |
| mimecast.rejectionType | Rejection Type | Rejection type if the email was rejected at the receipt stage |
| mimecast.TlsVer | TLS Version | TLS version used if the email was received using TLS |
| mimecast.tlsVersion | TLS Version | TLS version used if the email was received using TLS |
| mimecast.Cphr | TLS Cipher | TLS cipher used if the email was received using TLS |
| mimecast.tlsCipher | TLS Cipher | TLS cipher used if the email was received using TLS |

Mimecast URL Protect
(mimecast_url_protect)
Mimecast API 1.0

| Field | Label | Description |
|---|---|---|
| srcip | Source IP Address | Source IP address of the sending mail server |
| url | Clicked URL | URL the user clicked |
| event.threat.name | URL Category | URL category |
| event.reason | Reason | Event reason |
| email.sender.address | Sender Address | Sender address |
| email.recipient.addresses | Recipient Address(es) | Recipient address(es) |
| email.subject | Email Subject | Email subject |
| mimecast.action | Mimecast Action | Mimecast action |
| mimecast.senderDomain | Sender Domain | Sender domain |
| mimecast.route | The Route of the Message | Route of the message |

Netskope Alert (Breach)
(netskope_protect_breach)

| Field | Label | Description |
|---|---|---|
| netskopewsg.type | Netskope Alert Type | Netskope alert type |
| netskopewsg.breach_id | Netskope Breach ID | Netskope breach ID |
| netskopewsg.alert_name | Alert Name | Alert name |
| srcip | Source IP | Source IP address |
| dstip | Destination IP | Destination IP address |
| host.ip | Host IP (User's IP) | Host IP address (user's IP address) |
| user.name | User Name | User name associated with Netskope account |
| netskopewsg.matched_username | Matched User Name | Email address associated with the breached access method |
| url | URL | URL |
| event.severity_str | Netskope Alert Severity | Netskope alert severity |
| netskopewsg.breach_score | Netskope Breach Score | Netskope breach score |
| file.hash.sha256 | File SHA256 Hash | SHA256 hash of the file |
| file.hash.md5 | File MD5 Hash | MD5 hash of the file |
| file.threat_indicator.labels | File Hash Reputation Label(s) | File hash reputation label(s) |
| file.threat_indicator.sources | File Hash Reputation Source(s) | File hash reputation source(s) |

Netskope Alert (Connection)
(netskope_protect_connection)

| Field | Label | Description |
|---|---|---|
| netskopewsg.type | Netskope Alert Type | Netskope alert type |
| netskopewsg.connection_id | Netskope Connection ID | Netskope connection ID |
| srcip | Source IP | Source IP address |
| dstip | Destination IP | Destination IP address |
| host.ip | Host IP (User's IP) | Host IP address (user's IP address) |
| user.name | User Name | User name |
| url | URL | URL |
| event.severity_str | Netskope Alert Severity | Netskope alert severity |
| file.hash.sha256 | File SHA256 Hash | SHA256 hash of the file |
| file.hash.md5 | File MD5 Hash | MD5 hash of the file |
| file.threat_indicator.labels | File Hash Reputation Label(s) | File hash reputation label(s) |
| file.threat_indicator.sources | File Hash Reputation Source(s) | File hash reputation source(s) |

Netskope Alert
(netskope_protect)

| Field | Label | Description |
|---|---|---|
| netskopewsg.type | Netskope Alert Type | Netskope alert type |
| netskopewsg.breach_id | Netskope Breach ID | Netskope breach ID |
| netskopewsg.alert_name | Alert Name | Alert name |
| srcip | Source IP | Source IP address |
| dstip | Destination IP | Destination IP address |
| host.ip | Host IP (User's IP) | Host IP address (user's IP address) |
| host.name | Host Name | Host name |
| user.name | User Name | User name associated with Netskope account |
| netskopewsg.matched_username | Matched User Name | Email address associated with the breached access method |
| netskopewsg.activity | Activity | Activity |
| netskopewsg.action | Action | Action |
| netskopewsg.policy | Policy Name | Policy name |
| netskopewsg.app | Application | Application |
| url | Application URL | Application URL |
| event.severity_str | Netskope Alert Severity | Netskope alert severity |
| netskopewsg.breach_score | Netskope Breach Score | Netskope breach score |
| file.hash.sha256 | File SHA256 Hash | SHA256 hash of the file |
| file.hash.md5 | File MD5 Hash | MD5 hash of the file |
| file.threat_indicator.labels | File Hash Reputation Label(s) | File hash reputation label(s) |
| file.threat_indicator.sources | File Hash Reputation Source(s) | File hash reputation source(s) |

Netskope Alert (Malsite)
(netskope_protect_malsite)

| Field | Label | Description |
|---|---|---|
| netskopewsg.type | Netskope Alert Type | Netskope alert type |
| event.threat.name | Malsite Category | Malsite category |
| netskopewsg.malsite_id | Malsite ID | Malsite ID |
| srcip | Source IP | Source IP address |
| dstip | Destination IP | Destination IP address |
| host.ip | Host IP (User's IP) | Host IP address (user's IP address) |
| user.name | User Name | User name |
| url | Malsite URL | Malsite URL |
| event.severity_str | Netskope Alert Severity | Netskope alert severity |
| file.hash.sha256 | File SHA256 Hash | SHA256 hash of the file |
| file.hash.md5 | File MD5 Hash | MD5 hash of the file |
| file.threat_indicator.labels | File Hash Reputation Label(s) | File hash reputation label(s) |
| file.threat_indicator.sources | File Hash Reputation Source(s) | File hash reputation source(s) |

Oracle Cloud Infrastructure (OCI) CloudGuard
(oci_cloudguard)

| Field | Label | Description |
|---|---|---|
| event.type | Problem Type | Problem type |
| event.threat.name | Threat Name | Threat name |
| event.severity_str | OCI Severity Level | OCI CloudGuard severity level |
| cloud.resource.type | Cloud Resource Type | Cloud resource type |
| cloud.resource.id | Cloud Resource ID | Cloud resource ID |
| cloud.resource.name | Cloud Resource Name | Cloud resource name |
| oracle.data.additionalDetails.problemRecommendation | Problem Recommendation | Problem recommendation from OCI |

Proofpoint TAP
(proofpoint_tap)

| Field | Label | Description |
|---|---|---|
| srcip | Source IP Address | Source IP address |
| url | Malicious URL | Malicious URL that was clicked |
| email.subject | Email Subject | Email subject |
| email.sender.address | Sender Address | Who actually sent the email on behalf of the primary sender |
| email.from.address | From Address | Who the email is from |
| email.recipient.addresses | Recipient Address(es) | Who received the email (including CC and BCC) |
| email.to.addresses | To Address(es) | Primary intended recipient of the email |
| email.x_mailer | X-Mailer | X-Mailer content |
| event.threat_list | Proofpoint Event Threat List | Threat category: Threat artifact |
| ↳ name | Threat Name | Proofpoint threat name |
| ↳ category | Threat Category | Proofpoint threat category |
| ↳ attachment | Threat Attachment | Proofpoint threat attachment |
| ↳ severity | Proofpoint Threat Severity | Proofpoint threat severity |
| ↳ url | Proofpoint Threat URL | Proofpoint threat URL |

Rows marked with ↳ are sub-fields of each entry in the list field above them.

SentinelOne Cloud
(sentinelone)

| Field | Label | Description |
|---|---|---|
| host.name | Host Name | Computer name |
| host.ip | Host IP Address | Host IP address |
| file.name | File Name | File name |
| file.path | File Path | File path |
| process.parent.name | Parent Process Name | Originator process name |

Sophos Alerts
(sophos_alerts)

| Field | Label | Description |
|---|---|---|
| host.ip | Host IP | Host IP address |
| user.name | User Name | User name |
| event.severity_str | Sophos Severity | Original severity level from Sophos |
| sophos.type | Sophos Event Type | Sophos event type |
| sophos.data.endpoint_platform | Endpoint Platform | Endpoint platform |
| file.path | File Path | File path |
| file.hash.sha256 | File SHA256 | File SHA256 |

Sophos Events
(sophos_events)

| Field | Label | Description |
|---|---|---|
| host.ip | Host IP | Host IP address |
| user.name | User Name | User name |
| sophos.user_id | User ID | User ID |
| event.severity_str | Sophos Severity | Original severity level from Sophos |
| sophos.type | Sophos Event Type | Sophos event type |
| sophos.endpoint_type | Endpoint Platform | Endpoint platform |
| file.path | File Path | File path |
| file.hash.sha256 | File SHA256 | File SHA256 |

Trellix (FireEye) Endpoint Security (AMSI)
(fireeye_amsi)

| Field | Label | Description |
|---|---|---|
| fireeye.source | Alert Type | FireEye alert source type |
| event.threat.name | Threat Name | FireEye alert name |
| event.severity_str | Severity | Severity level |
| host.ip | Host IP Address | Host IP address |
| host.name | Host Name | Host name |
| file_list | File List | File list |
| process_list | Process List | Process list: Pid (process command line) |
| event.url | Event URL | FireEye event URL |

Trellix (FireEye) Endpoint Security (IOC)
(fireeye_ioc)

| Field | Label | Description |
|---|---|---|
| fireeye.source | Alert Type | FireEye alert source type |
| host.ip | Host IP Address | Host IP address |
| host.name | Host Name | Host name |
| event.name | Event Name | Event name |
| file.name | File Name | File name |
| process.name | Process Name | Process name |
| event.url | Event URL | FireEye event URL |

Trellix (FireEye) Endpoint Security (MAL)
(fireeye_mal)

| Field | Label | Description |
|---|---|---|
| fireeye.source | Alert Type | FireEye alert source type |
| event.threat.name | Threat Name | FireEye alert name |
| fireeye.infection_type | Infection Type | FireEye infection type |
| event.severity_str | FireEye Severity Level | FireEye severity level |
| host.ip | Host IP Address | Host IP address |
| host.name | Host Name | Host name |
| file.path | File Path | File path |
| file.hash.md5 | File MD5 Hash | File MD5 hash |
| file.hash.sha1 | File SHA1 Hash | File SHA1 hash |
| file.hash.sha256 | File SHA256 Hash | File SHA256 hash |
| process.executable | Event Actor Process Path | FireEye event actor process path |
| process.pid | Event Actor Process Pid | FireEye event actor process Pid |
| event.url | Event URL | FireEye event URL |

Trellix (FireEye) Endpoint Security (PROCGUARD)
(fireeye_procguard)

| Field | Label | Description |
|---|---|---|
| fireeye.source | Alert Type | FireEye alert source type |
| event.threat.name | Threat Name | FireEye alert name |
| host.ip | Host IP Address | Host IP address |
| host.name | Host Name | Host name |
| file_list | File List | File list |
| process_list | Process List | Process list: Pid (process command line) |
| event.url | Event URL | FireEye event URL |

Trellix MVISION
(trellix_mvision)

| Field | Label | Description |
|---|---|---|
| process.command_line | Command Line | Full command line that was executed by the process |
| process.pid | Process ID | Unique identifier of the process |
| process.executable | Executable | Executable file associated with the process |
| host.name | Host Name | Name of the host where the event occurred |
| user.name | User Name | Name of the user associated with the event |
| event.severity_str | Trellix MVISION Severity | Original severity from Trellix MVISION |
| event.threat.name | Threat Name | Name of the detected threat or activity |

Trend Micro Vision One
(trendmicro_visionone)

| Field | Label | Description |
|---|---|---|
| event.threat.name | Threat Name | Threat name |
| event.severity_str | Trend Micro Vision One Severity | Original Trend Micro Vision One severity level |
| trendmicro_visionone.workbenchLink | Trend Micro Vision One Workbench Link | Trend Micro Vision One workbench link |
| host_list | Host(s) | Related host(s) |
| ↳ name | Host Name | Host name |
| ↳ ips | Host IP(s) | Host IP addresses |
| process_list | Process(es) | Related process(es) |
| file_list | File(s) | Related file(s) |
| ↳ name | File Name | File name |
| ↳ path | File Path | File path |
| ↳ hash.md5 | File MD5 Hash | File MD5 hash |
| ↳ hash.sha1 | File SHA1 Hash | File SHA1 hash |
| ↳ hash.sha256 | File SHA256 Hash | File SHA256 hash |
| trendmicro_visionone.alertProvider | Alert Provider | Trend Micro Vision One alert provider |
| user_list | User(s) | Related user(s) |

Rows marked with ↳ are sub-fields of each entry in the list field above them.

Varonis DatAdvantage
(varonis_datadvantage)

| Field | Label | Description |
|---|---|---|
| event.type | Event Type | Event type |
| event.threat.name | Threat Name | Threat name |
| event.severity | CEF Severity Level | Original CEF severity level |
| user.name | User Name | User name |
| file.name | File Name | File name |
| file.path | File Path | File path |

VMware Carbon Black Cloud
(carbonblack)

| Field | Label | Description |
|---|---|---|
| host.name | Host Name | Computer name |
| host.external_ip | Host External IP Address | Host external IP address |
| host.ip | Host Internal IP Address | Host internal IP address |
| process.name | Process Name | Process name |
| event.description | Event Reason | Event reason |

Windows Defender Antivirus
(windows_defender_antivirus)

| Field | Label | Description |
|---|---|---|
| event.ms_incident_id | Incident ID | Windows Defender incident ID |
| threat | Threat Name | Threat name |
| host.name | Host Name | Computer name |
| hostip | Host IP Address | Host IP address |
| file.path | File Path | File path |
| process.name | Process Name | Process name |