| Column | Description | Type |
|---|---|---|
| _BilledSize | The record size in bytes. | Double |
| _IsBillable | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account. | String |
| _ResourceId | A unique identifier for the resource that the record is associated with. | String |
| _SubscriptionId | A unique identifier for the subscription that the record is associated with. | String |
| Activity | A human-readable description of the event. | String |
| AdditionalExtensions | A placeholder for additional fields. Fields are logged as key-value pairs. | String |
| ApplicationProtocol | The protocol used in the application, such as HTTP, HTTPS, SSHv2, Telnet, POP, IMAP, IMAPS, and so on. | String |
| CollectorHostName | The hostname of the collector machine running the agent. | String |
| CommunicationDirection | Any information about the direction the observed communication has taken. Valid values: 0 = Inbound, 1 = Outbound. | String |
| Computer | Host, from Syslog. | String |
| DestinationDnsDomain | The DNS domain part of the fully qualified domain name (FQDN). | String |
| DestinationHostName | The destination that the event refers to in an IP network. The format should be an FQDN associated with the destination node, when a node is available. For example: host.domain.com or host. | String |
| DestinationIP | The destination IPv4 address that the event refers to in an IP network. | String |
| DestinationMACAddress | The destination MAC address. | String |
| DestinationNTDomain | The Windows domain name of the destination address. | String |
| DestinationPort | Destination port. Valid values: 0 - 65535. | Int32 |
| DestinationProcessId | The ID of the destination process associated with the event. | Int32 |
| DestinationProcessName | The name of the event's destination process, such as telnetd or sshd. | String |
| DestinationServiceName | The service that is targeted by the event. For example: sshd. | String |
| DestinationTranslatedAddress | Identifies the translated destination referred to by the event in an IP network, as an IPv4 address. | String |
| DestinationTranslatedPort | Destination port after translation, such as by a firewall. Valid port numbers: 0 - 65535. | Int32 |
| DestinationUserID | Identifies the destination user by ID. For example: in Unix, the root user is generally associated with user ID 0. | String |
| DestinationUserName | Identifies the destination user by name. | String |
| DestinationUserPrivileges | Defines the destination user's privileges. Valid values: Administrator, User, Guest. | String |
| DeviceAction | The action mentioned in the event. | String |
| DeviceAddress | The IPv4 address of the device generating the event. | String |
| DeviceCustomDate1 | One of two timestamp fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary-supplied field when possible. | String |
| DeviceCustomDate1Label | Label for DeviceCustomDate1. Every custom field has a corresponding label field, a string that describes the purpose of the custom field. | String |
| DeviceCustomDate2 | One of two timestamp fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary-supplied field when possible. | String |
| DeviceCustomDate2Label | Label for DeviceCustomDate2; a string that describes the purpose of the custom field. | String |
| DeviceCustomFloatingPoint1 | One of four floating-point fields available to map fields that do not apply to any other in this dictionary. | Double |
| DeviceCustomFloatingPoint1Label | Label for DeviceCustomFloatingPoint1; a string that describes the purpose of the custom field. | String |
| DeviceCustomFloatingPoint2 | One of four floating-point fields available to map fields that do not apply to any other in this dictionary. | Double |
| DeviceCustomFloatingPoint2Label | Label for DeviceCustomFloatingPoint2; a string that describes the purpose of the custom field. | String |
| DeviceCustomFloatingPoint3 | One of four floating-point fields available to map fields that do not apply to any other in this dictionary. | Double |
| DeviceCustomFloatingPoint3Label | Label for DeviceCustomFloatingPoint3; a string that describes the purpose of the custom field. | String |
| DeviceCustomFloatingPoint4 | One of four floating-point fields available to map fields that do not apply to any other in this dictionary. | Double |
| DeviceCustomFloatingPoint4Label | Label for DeviceCustomFloatingPoint4; a string that describes the purpose of the custom field. | String |
| DeviceCustomIPv6Address1 | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. | String |
| DeviceCustomIPv6Address1Label | Label for DeviceCustomIPv6Address1; a string that describes the purpose of the custom field. | String |
| DeviceCustomIPv6Address2 | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. | String |
| DeviceCustomIPv6Address2Label | Label for DeviceCustomIPv6Address2; a string that describes the purpose of the custom field. | String |
| DeviceCustomIPv6Address3 | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. | String |
| DeviceCustomIPv6Address3Label | Label for DeviceCustomIPv6Address3; a string that describes the purpose of the custom field. | String |
| DeviceCustomIPv6Address4 | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. | String |
| DeviceCustomIPv6Address4Label | Label for DeviceCustomIPv6Address4; a string that describes the purpose of the custom field. | String |
| DeviceCustomNumber1 | Deprecated soon; will be replaced by FieldDeviceCustomNumber1. | Int32 |
| DeviceCustomNumber1Label | Label for DeviceCustomNumber1; a string that describes the purpose of the custom field. | String |
| DeviceCustomNumber2 | Deprecated soon; will be replaced by FieldDeviceCustomNumber2. | Int32 |
| DeviceCustomNumber2Label | Label for DeviceCustomNumber2; a string that describes the purpose of the custom field. | String |
| DeviceCustomNumber3 | Deprecated soon; will be replaced by FieldDeviceCustomNumber3. | Int32 |
| DeviceCustomNumber3Label | Label for DeviceCustomNumber3; a string that describes the purpose of the custom field. | String |
| DeviceCustomString1 | One of six string fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary-supplied field when possible. | String |
| DeviceCustomString1Label | Label for DeviceCustomString1; a string that describes the purpose of the custom field. | String |
| DeviceCustomString2 | One of six string fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary-supplied field when possible. | String |
| DeviceCustomString2Label | Label for DeviceCustomString2; a string that describes the purpose of the custom field. | String |
| DeviceCustomString3 | One of six string fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary-supplied field when possible. | String |
| DeviceCustomString3Label | Label for DeviceCustomString3; a string that describes the purpose of the custom field. | String |
| DeviceCustomString4 | One of six string fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary-supplied field when possible. | String |
| DeviceCustomString4Label | Label for DeviceCustomString4; a string that describes the purpose of the custom field. | String |
| DeviceCustomString5 | One of six string fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary-supplied field when possible. | String |
| DeviceCustomString5Label | Label for DeviceCustomString5; a string that describes the purpose of the custom field. | String |
| DeviceCustomString6 | One of six string fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary-supplied field when possible. | String |
| DeviceCustomString6Label | Label for DeviceCustomString6; a string that describes the purpose of the custom field. | String |
| DeviceDnsDomain | The DNS domain part of the fully qualified domain name (FQDN). | String |
| DeviceEventCategory | The category assigned by the originating device. Devices often use their own categorization schema to classify events. Example: '/Monitor/Disk/Read'. | String |
| DeviceEventClassID | String or integer that serves as a unique identifier per event type. | String |
| DeviceExternalID | A name that uniquely identifies the device generating the event. | String |
| DeviceFacility | The facility generating the event. For example: auth or local1. | String |
| DeviceInboundInterface | The interface on which the packet or data entered the device. For example: ethernet1/2. | String |
| DeviceMacAddress | The MAC address of the device generating the event. | String |
| DeviceName | The FQDN associated with the device node, when a node is available. For example: host.domain.com or host. | String |
| DeviceNtDomain | The Windows domain of the device address. | String |
| DeviceOutboundInterface | The interface on which the packet or data left the device. | String |
| DevicePayloadId | Unique identifier for the payload associated with the event. | String |
| DeviceProduct | String that, together with DeviceVendor and DeviceVersion, uniquely identifies the type of sending device. | String |
| DeviceTimeZone | Time zone of the device generating the event. | String |
| DeviceTranslatedAddress | Identifies the translated device address that the event refers to in an IP network. The format is an IPv4 address. | String |
| DeviceVendor | String that, together with DeviceProduct and DeviceVersion, uniquely identifies the type of sending device. | String |
| DeviceVersion | String that, together with DeviceVendor and DeviceProduct, uniquely identifies the type of sending device. | String |
| EndTime | The time at which the activity related to the event ended. | DateTime |
| EventCount | A count associated with the event, showing how many times the same event was observed. | Int32 |
| EventOutcome | Displays the outcome, usually as 'success' or 'failure'. | String |
| EventType | Event type. Valid values include: 0 = base event, 1 = aggregated, 2 = correlation event, 3 = action event. Note: this field can be omitted for base events. | Int32 |
| ExternalID | Deprecated soon; will be replaced by ExtID. | Int32 |
| ExtID | An ID used by the originating device (will replace the legacy ExternalID). Typically these are increasing values, each associated with an event. | String |
| FieldDeviceCustomNumber1 | One of three number fields available to map fields that do not apply to any other in this dictionary (will replace the legacy DeviceCustomNumber1). Use sparingly and seek a more specific, dictionary-supplied field when possible. | Int64 |
| FieldDeviceCustomNumber2 | One of three number fields available to map fields that do not apply to any other in this dictionary (will replace the legacy DeviceCustomNumber2). Use sparingly and seek a more specific, dictionary-supplied field when possible. | Int64 |
| FieldDeviceCustomNumber3 | One of three number fields available to map fields that do not apply to any other in this dictionary (will replace the legacy DeviceCustomNumber3). Use sparingly and seek a more specific, dictionary-supplied field when possible. | Int64 |
| FileCreateTime | Time when the file was created. | String |
| FileHash | Hash of the file. | String |
| FileID | An ID associated with the file, such as the inode. | String |
| FileModificationTime | Time when the file was last modified. | String |
| FileName | The file's name, without the path. | String |
| FilePath | Full path to the file, including the filename. For example: C:\ProgramFiles\WindowsNT\Accessories\wordpad.exe or /usr/bin/zip. | String |
| FilePermission | The file's permissions. For example: '2,1,1'. | String |
| FileSize | The size of the file in bytes. | Int32 |
| FileType | File type, such as pipe, socket, and so on. | String |
| FlexDate1 | A timestamp field available to map a timestamp that does not apply to any other defined timestamp field in this dictionary. Use all flex fields sparingly and seek a more specific, dictionary-supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary. | String |
| FlexDate1Label | Label for FlexDate1; a string that describes the purpose of the flex field. | String |
| FlexNumber1 | One of two number fields available to map integer data that does not apply to any other field in this dictionary. | Int32 |
| FlexNumber1Label | The label that describes the value in FlexNumber1. | String |
| FlexNumber2 | One of two number fields available to map integer data that does not apply to any other field in this dictionary. | Int32 |
| FlexNumber2Label | The label that describes the value in FlexNumber2. | String |
| FlexString1 | One of two string fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary-supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary. | String |
| FlexString1Label | Label for FlexString1; a string that describes the purpose of the flex field. | String |
| FlexString2 | One of two string fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary-supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary. | String |
| FlexString2Label | Label for FlexString2; a string that describes the purpose of the flex field. | String |
| IndicatorThreatType | The threat type of the MaliciousIP according to the threat intelligence (TI) feed. | String |
| LogSeverity | A string or integer that describes the importance of the event. Valid string values: Unknown, Low, Medium, High, Very-High. Valid integer values: 0-3 = Low, 4-6 = Medium, 7-8 = High, 9-10 = Very-High. | String |
| MaliciousIP | If one of the IP addresses in the message correlated with the current TI feed, it is shown here. | String |
| MaliciousIPCountry | The country of the MaliciousIP according to the geolocation information at the time of record ingestion. | String |
| MaliciousIPLatitude | The latitude of the MaliciousIP according to the geolocation information at the time of record ingestion. | Double |
| MaliciousIPLongitude | The longitude of the MaliciousIP according to the geolocation information at the time of record ingestion. | Double |
| Message | A message that gives more details about the event. | String |
| OldFileCreateTime | Time when the old file was created. | String |
| OldFileHash | Hash of the old file. | String |
| OldFileID | An ID associated with the old file, such as the inode. | String |
| OldFileModificationTime | Time when the old file was last modified. | String |
| OldFileName | Name of the old file. | String |
| OldFilePath | Full path to the old file, including the filename. For example: C:\ProgramFiles\WindowsNT\Accessories\wordpad.exe or /usr/bin/zip. | String |
| OldFilePermission | Permissions of the old file. For example: '2,1,1'. | String |
| OldFileSize | The size of the old file in bytes. | Int32 |
| OldFileType | File type of the old file, such as pipe, socket, and so on. | String |
| OriginalLogSeverity | A non-mapped version of LogSeverity. For example: Warning/Critical/Info instead of the normalized Low/Medium/High in the LogSeverity field. | String |
| ProcessID | The ID of the process on the device generating the event. | Int32 |
| ProcessName | Process name associated with the event. For example: in UNIX, the process generating the syslog entry. | String |
| Protocol | Transport protocol that identifies the Layer 4 protocol used. Possible values include protocol names such as TCP or UDP. | String |
| Reason | The reason an audit event was generated. For example: 'bad password' or 'unknown user'. This could also be an error or return code, such as '0x1234'. | String |
| ReceiptTime | The time at which the event related to the activity was received. Differs from the TimeGenerated field, which is when the event was received by the log collector machine. | String |
| ReceivedBytes | Number of bytes transferred inbound. | Int64 |
| RemoteIP | The remote IP address, derived from the event's direction value, if possible. | String |
| RemotePort | The remote port, derived from the event's direction value, if possible. | String |
| ReportReferenceLink | Link to the report of the TI feed. | String |
| RequestClientApplication | The user agent associated with the request. | String |
| RequestContext | Describes the content from which the request originated, such as the HTTP Referrer. | String |
| RequestCookies | Cookies associated with the request. | String |
| RequestMethod | The method used to access a URL. Valid values include methods such as POST, GET, and so on. | String |
| RequestURL | The URL accessed for an HTTP request, including the protocol. For example: http://www.secure.com. | String |
| SentBytes | Number of bytes transferred outbound. | Int64 |
| SimplifiedDeviceAction | A mapped version of DeviceAction, such as Denied > Deny. | String |
| SourceDnsDomain | The DNS domain part of the complete FQDN. | String |
| SourceHostName | Identifies the source that the event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a node is available. For example: host or host.domain.com. | String |
| SourceIP | The source that the event refers to in an IP network, as an IPv4 address. | String |
| SourceMACAddress | Source MAC address. | String |
| SourceNTDomain | The Windows domain name for the source address. | String |
| SourcePort | The source port number. Valid port numbers: 0 - 65535. | Int32 |
| SourceProcessId | The ID of the source process associated with the event. | Int32 |
| SourceProcessName | The name of the event's source process. | String |
| SourceServiceName | The service responsible for generating the event. | String |
| SourceSystem | Hard-coded to 'OpsManager'. | String |
| SourceTranslatedAddress | Identifies the translated source that the event refers to in an IP network. | String |
| SourceTranslatedPort | Source port after translation, such as by a firewall. Valid port numbers: 0 - 65535. | Int32 |
| SourceUserID | Identifies the source user by ID. | String |
| SourceUserName | Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field. | String |
| SourceUserPrivileges | The source user's privileges. Valid values include: Administrator, User, Guest. | String |
| StartTime | The time when the activity that the event refers to started. | DateTime |
| TenantId | The Log Analytics workspace ID. | String |
| ThreatConfidence | The threat confidence of the MaliciousIP according to the TI feed. | String |
| ThreatDescription | The threat description of the MaliciousIP according to the TI feed. | String |
| ThreatSeverity | The threat severity of the MaliciousIP according to the TI feed at the time of record ingestion. | Int32 |
| TimeGenerated | Event collection time in UTC. | DateTime |
| Type | The name of the table. | String |
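The column descriptions above are easiest to read against the raw CEF line they come from. The following is an added example, not Microsoft's ingestion code: it parses a CEF header and extension into a dict keyed by the column names in the table, applies the LogSeverity buckets (0-3 Low, 4-6 Medium, 7-8 High, 9-10 Very-High) while keeping the vendor value in OriginalLogSeverity, pairs each custom field with its label column (including the cnN value landing in FieldDeviceCustomNumberN while its label stays in DeviceCustomNumberNLabel), enforces the 0 - 65535 port range, and puts unknown keys into AdditionalExtensions. Assumptions, also marked in comments: the CEF key-to-column pairs follow the CEF extension dictionary (src, dst, spt, dpt, cs1/cs1Label, ...); RemoteIP and RemotePort are derived by treating CommunicationDirection 0 (Inbound) as "remote side is the source" and 1 (Outbound) as "remote side is the destination"; SimplifiedDeviceAction only documents Denied > Deny, so the Allow entries are guesses. The sample lines are constructed for the example.

```python
# Added example, not Microsoft's ingestion code: map a raw CEF line onto the
# CommonSecurityLog columns. Key -> column pairs follow the CEF dictionary; the
# RemoteIP/RemotePort rule and the extra SimplifiedDeviceAction entries are assumptions.
import re

# CEF header: CEF:Version|Vendor|Product|Version|EventClassID|Name|Severity|Extension
HEADER_COLUMNS = ("DeviceVendor", "DeviceProduct", "DeviceVersion",
                  "DeviceEventClassID", "Activity", "LogSeverity")
CEF_TO_COLUMN = {  # fixed extension keys (subset of the CEF dictionary) -> columns
    "act": "DeviceAction", "deviceDirection": "CommunicationDirection", "dpt": "DestinationPort",
    "dst": "DestinationIP", "duser": "DestinationUserName", "in": "ReceivedBytes",
    "out": "SentBytes", "msg": "Message", "proto": "Protocol", "reason": "Reason",
    "request": "RequestURL", "spt": "SourcePort", "src": "SourceIP", "suser": "SourceUserName",
}
# Custom keys come with a sibling label key (cs1 + cs1Label). cnN values land in
# FieldDeviceCustomNumberN (DeviceCustomNumberN is being deprecated) but the label column
# keeps the DeviceCustomNumberNLabel name; the number is the highest index the table defines.
CUSTOM_FIELDS = {"cs": ("DeviceCustomString", "DeviceCustomString", 6),
                 "cn": ("FieldDeviceCustomNumber", "DeviceCustomNumber", 3),
                 "cfp": ("DeviceCustomFloatingPoint", "DeviceCustomFloatingPoint", 4),
                 "c6a": ("DeviceCustomIPv6Address", "DeviceCustomIPv6Address", 4)}
CUSTOM_KEY = re.compile(r"^(cs|cn|cfp|c6a)([1-9])(Label)?$")
FLEX_KEY = re.compile(r"^flex(String|Number|Date)([12])(Label)?$")
PORT_COLUMNS = {"SourcePort", "DestinationPort"}
INT_COLUMNS = PORT_COLUMNS | {"ReceivedBytes", "SentBytes", "FlexNumber1", "FlexNumber2",
                              "FieldDeviceCustomNumber1", "FieldDeviceCustomNumber2",
                              "FieldDeviceCustomNumber3"}
FLOAT_COLUMNS = {f"DeviceCustomFloatingPoint{i}" for i in (1, 2, 3, 4)}
SEVERITY_WORDS = {s.lower(): s for s in ("Unknown", "Low", "Medium", "High", "Very-High")}
SIMPLIFIED_ACTION = {"denied": "Deny", "deny": "Deny",  # Denied -> Deny is the documented case
                     "allowed": "Allow", "allow": "Allow"}  # these two are assumptions
# key=value pairs; a value runs until the next " key=", so spaces inside values survive
EXT_PAIR = re.compile(r"([A-Za-z0-9_]+)=(.*?)(?=\s+[A-Za-z0-9_]+=|$)")

SAMPLE_LINES = [  # constructed for this example, not captured from real devices
    "CEF:0|ExampleVendor|ExampleFW|1.0|deny|Traffic denied|7|src=10.0.0.5 spt=51234 "
    "dst=203.0.113.9 dpt=443 proto=TCP act=Denied deviceDirection=1 "
    "cs1=branch-fw-policy cs1Label=RuleName cn1=12 cn1Label=SessionCount",
    "CEF:0|ExampleVendor|sshd|8.9|auth-fail|Failed password|3|src=198.51.100.23 "
    "dst=10.0.0.7 dpt=22 suser=root reason=bad password deviceDirection=0 customerTag=lab",
    "CEF:0|ExampleVendor|Proxy|2.0|100|Web request|Warning|src=10.0.0.8 dst=203.0.113.50 "
    "dpt=70000 msg=rule\\=42 matched deviceDirection=1",
]

def unescape(value):
    """Undo CEF escaping: \\| \\= \\\\ give the literal character, \\n and \\r newlines."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), value)

def normalize_severity(raw):
    """LogSeverity buckets from the table (0-3 Low, 4-6 Medium, 7-8 High, 9-10 Very-High);
    named values pass through, anything else (a vendor's 'Warning') becomes Unknown."""
    raw = raw.strip()
    if not raw.isdigit():
        return SEVERITY_WORDS.get(raw.lower(), "Unknown")
    n = int(raw)
    return ("Low" if n <= 3 else "Medium" if n <= 6 else "High" if n <= 8
            else "Very-High" if n <= 10 else "Unknown")

def column_for(key):
    """Column for a CEF extension key, or None when the table defines no such column."""
    if key in CEF_TO_COLUMN:
        return CEF_TO_COLUMN[key]
    m = CUSTOM_KEY.match(key)
    if m:
        value_prefix, label_prefix, limit = CUSTOM_FIELDS[m[1]]
        if int(m[2]) > limit:  # e.g. cn5: no such column, so it goes to AdditionalExtensions
            return None
        return f"{label_prefix}{m[2]}Label" if m[3] else f"{value_prefix}{m[2]}"
    m = FLEX_KEY.match(key)
    if m and (m[1] != "Date" or m[2] == "1"):  # the table defines FlexDate1 only
        return f"Flex{m[1]}{m[2]}{'Label' if m[3] else ''}"
    return None

def coerce(column, value):
    """Apply the column type; non-numeric values and ports outside 0 - 65535 become None."""
    if column in INT_COLUMNS:
        n = int(value) if re.fullmatch(r"-?\d+", value) else None
        return None if n is None or (column in PORT_COLUMNS and not 0 <= n <= 65535) else n
    if column in FLOAT_COLUMNS:
        return float(value) if re.fullmatch(r"-?\d+(\.\d+)?", value) else None
    return value

def parse_cef(line):
    """Parse one CEF line into a dict keyed by CommonSecurityLog column names."""
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    record = dict(zip(HEADER_COLUMNS, (unescape(p) for p in parts[1:7])))
    record["OriginalLogSeverity"] = record["LogSeverity"]  # vendor value, before mapping
    record["LogSeverity"] = normalize_severity(record["LogSeverity"])
    extras = []
    for key, value in EXT_PAIR.findall(parts[7]):
        column = column_for(key)
        if column is None:
            extras.append(f"{key}={unescape(value)}")  # unmapped keys: AdditionalExtensions
        else:
            record[column] = coerce(column, unescape(value))
    if extras:
        record["AdditionalExtensions"] = ";".join(extras)
    action = record.get("DeviceAction")
    if action:
        record["SimplifiedDeviceAction"] = SIMPLIFIED_ACTION.get(action.lower(), action)
    # Assumption: 0 = Inbound puts the remote side at the source, 1 = Outbound at the destination.
    side = {"0": "Source", "1": "Destination"}.get(record.get("CommunicationDirection"))
    if side:
        port = record.get(f"{side}Port")
        record["RemoteIP"] = record.get(f"{side}IP")
        record["RemotePort"] = None if port is None else str(port)  # RemotePort is a string
    return record

RECORDS = [parse_cef(line) for line in SAMPLE_LINES]  # run on the constructed sample
```

The third sample line shows the two checks worth keeping in any CEF pipeline: a vendor severity word that is not one of the documented values ends up as Unknown in LogSeverity with the original preserved in OriginalLogSeverity, and a port outside the documented 0 - 65535 range is dropped rather than stored as a bogus integer.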