Key Fields for Alert Types

Key Fields are documented for two groups of alert types: third-party native alert types (listed on this page) and built-in and rule-based alert types (documented individually, see the end of this page).

Key Fields for Third Party Native Alert Types

Stellar Cyber supports third-party native alert integration. The Key Fields for each third-party native alert type are listed below, one table per alert type. Where the page gives a source identifier for the alert type, it appears in parentheses after the third-party display name.

Columns in each table: Key Field Name | Display Name | Description. A blank Key Field Name cell means the page gives only the display name and description for that row.

Acronis (Antimalware protection) (acronis_cyber_protect)

  | Alert Type | Alert type
acronis_cyber_protect.details.threatName | Acronis Threat Name | Acronis threat name
event.category | Alert Category | Alert category
  | Host Name | Host name
event.severity_str | Acronis Severity Level | Acronis severity level
  | File Name | File name
file.path | File Path | File path
file.hash.sha1 | File SHA1 | File SHA1
file.hash.md5 | File MD5 | File MD5
file.hash.sha256 | File SHA256 | File SHA256

Acronis (EDR) (acronis_cyber_protect)

  | Alert Type | Alert type
event.category | Alert Category | Alert category
  | Host Name | Host name
event.severity_str | Acronis Severity Level | Acronis severity level
acronis_cyber_protect.details.redirectLink | Acronis Alert Redirect Link | Acronis alert redirect link
acronis_cyber_protect.details.verdict | Acronis Alert Verdict | Acronis alert verdict

Acronis (Email security) (acronis_cyber_protect)

  | Alert Type | Alert type
event.category | Alert Category | Alert category
event.severity_str | Acronis Severity Level | Acronis severity level
email.from.address | Email From Address | Email from address
email.subject | Email Subject | Email subject

Acronis (URL filtering) (acronis_cyber_protect)

  | Alert Type | Alert type
acronis_cyber_protect.details.threatName | Acronis Threat Name | Acronis threat name
event.category | Alert Category | Alert category
  | Host Name | Host name
event.severity_str | Acronis Severity Level | Acronis severity level
url | URL | URL
  | Process ID | Process ID
process.executable | Process Path | Process path

AWS GuardDuty

aws_guardduty.Title | Alert Title | AWS GuardDuty alert title
host_list | Host IP Address(es) | Private IP addresses of the network interfaces of the resource instance
  | User Name | User name associated with the access key details of the resource
  | Threat Name | Threat name
event.severity | AWS GuardDuty Severity Score | AWS GuardDuty severity score
cloud.resource.type | Cloud Resource Type | Cloud resource type
  | Cloud Resource ID | Cloud resource ID
  | Cloud Resource Name | Cloud resource name

Bitdefender IP (bitdefender_ip)

  | Host Name | Host name
host.ip | Host IP Address | Host IP address
srcip | Source IP | Source IP address

Bitdefender Threat (bitdefender_threat)

  | Host Name | Host name
host.ip | Host IP Address | Host IP address
  | Threat Type | Threat type

Bitdefender URL (bitdefender_url)

  | Host Name | Host name
host.ip | Host IP Address | Host IP address

Blackberry CylancePROTECT (cylance_protect)

  | Host Name | Computer name
host.ip | Host IP Address | Host IP address
file_name | File Name | File name
file_path | File Path | File path
process_name | Process Name | Process name


CrowdStrike (crowdstrike)

  | Computer Name | Computer name
hostip | Host IP Address | Host IP address
  | User Name | User name
  | File Name | File name
file.path | File Path | File path
process.command_line | Command Line | Command line

(third-party display name not present on this page)

user_list | User Names | User names
  | File Name | File name
  | Process Name | Process name
host_list | Host IP Address(es) | Host IP address(es)

(third-party display name not present on this page)

host.ip | Host IP Address | Host IP address
  | Threat Name | Event threat name
  | File Name | File name

Deep Instinct (deepinstinct)

  | Host Name | Host name
host.ip | Host IP Address | Host IP address
file.path | File Path | File path
file.file_hash | File Hash | File hash
deep_instinct.action | Event Action | Deep Instinct event action

Google Workspace Alert

source | Alert Source | Alert source
type | Alert Type | Alert type
  | Rule Name | Alert rule name
host.ip | Login IP Address | IP address associated with the warning event
  | Data Email | Email of the user to which this event belongs
securityInvestigationToolLink | Investigation Tool Link | Google Workspace security investigation tool link
  | User ID | User ID

Microsoft Defender for Endpoint (ms_defender_atp)

  | Host Name | Host name
host.ip | Host IP Address | Host IP address
  | User Name | User name
user.domain | User Domain | User domain
threat | Threat Name | Threat name
file_list | File List | File list
process_list | Process List | Process list

Microsoft Entra ID (formerly Azure AD)

userDisplayName | User Name | User name
ipAddress | Host IP Address | Host IP address
riskEventType | Event Type | Risk event type

Microsoft Office 365 (microsoft_365)

  | Threat Name | Threat name
event.severity_str | Microsoft 365 Severity Level | Microsoft 365 severity level
event.category | Category | Microsoft 365 alert category
Source | Source | Microsoft 365 alert source
AlertType | Alert Type | Microsoft 365 alert type
event_summary.alert_entity_list | Alert Entity List | Microsoft 365 alert entity list
username | User Name | User name

Mimecast Attachment Protect (mimecast_attachment_protect)

  | File Name | File name of the malicious file
mimecast.fileExt | File Extension | File extension of the malicious file
mimecast.Size | File Size | Size (in bytes) of the malicious file
file.hash.md5 | File MD5 Hash | MD5 hash of the malicious file
file.hash.sha1 | File SHA1 Hash | SHA1 hash of the malicious file
file.hash.sha256 | File SHA256 Hash | SHA256 hash of the malicious file
mimecast.fileMime | File MIME Type | Detected MIME type of the malicious file
email.sender.address | Sender Address | Sender address
email.recipient.addresses | Recipient Address(es) | Recipient address(es)
email.subject | Email Subject | Email subject
mimecast.senderDomain | Sender Domain | Sender domain
mimecast.route | The Route of the Message | Route of the message

Mimecast AV

srcip | Source IP Address | Source IP address
  | File Name | File name
mimecast.fileExt | File Extension | File extension
mimecast.Size | File Size | Size (in bytes) of the malicious file
file.hash.md5 | File MD5 Hash | File MD5 hash
file.hash.sha1 | File SHA1 Hash | File SHA1 hash
file.hash.sha256 | File SHA256 Hash | File SHA256 hash
mimecast.fileMime | File MIME Type | File MIME type
email.sender.address | Sender Address | Sender address
mimecast.senderDomain | Sender Domain | Sender domain
email.recipient.addresses | Recipient Address(es) | Recipient address(es)
email.subject | Email Subject | Email subject
mimecast.Route | The Route of the Message | Route of the message
mimecast.Virus | Virus Signature | Virus signature

Mimecast Impersonation Protect

mimecast.aCode | Mimecast aCode | Unique ID used to track the email through the different log types from Mimecast
srcip | Source IP Address | Source IP address
email.sender.address | Sender Address | Sender address
email.recipient.addresses | Recipient Address(es) | Recipient address(es)
email.subject | Email Subject | Email subject
  | Alert Definition | Alert definition
mimecast.Hits | Number of Items Flagged | Number of items flagged for the message
mimecast.Route | The Route of the Message | Route of the message

Mimecast Internal Email Protect

mimecast.aCode | Mimecast aCode | Unique ID used to track the email through the different log types from Mimecast
srcip | Source IP Address | Source IP address
url | Clicked URL | URL the user clicked
  | URL Category | URL category
email.sender.address | Sender Address | Sender address
email.recipient.addresses | Recipient Address(es) | Recipient address(es)
email.subject | Email Subject | Email subject
mimecast.Route | The Route of the Message | Route of the message

Mimecast Malicious Receipt Log

mimecast.aCode | Mimecast aCode | Unique ID used to track the email through the different log types from Mimecast
srcip | Source IP Address | Source IP address
email.sender.address | Sender Address | Sender address
email.recipient.addresses | Recipient Address(es) | Recipient address(es)
email.subject | Email Subject | Email subject
mimecast.Error | Errors Occurred | Information about any errors that occurred during receipt
mimecast.Dir | Email Direction | Direction of the email based on the sending and receiving domains
mimecast.Virus | Virus Signature | Virus signature
mimecast.Act | Action | Action taken at the receipt stage
mimecast.RejInfo | Rejection Information | Rejection information if the email was rejected at the receipt stage
mimecast.RejType | Rejection Type | Rejection type if the email was rejected at the receipt stage
mimecast.TlsVer | TLS Version | TLS version used if the email was received using TLS
mimecast.Cphr | TLS Cipher | TLS cipher used if the email was received using TLS

Mimecast URL Protect

srcip | Source IP Address | Source IP address
url | Clicked URL | URL the user clicked
  | URL Category | URL category
event.reason | Reason | Event reason
email.sender.address | Sender Address | Sender address
email.recipient.addresses | Recipient Address(es) | Recipient address(es)
email.subject | Email Subject | Email subject
mimecast.action | Mimecast Action | Mimecast action
mimecast.senderDomain | Sender Domain | Sender domain
mimecast.route | The Route of the Message | Route of the message

Oracle Cloud Infrastructure (OCI) CloudGuard

event.type | Problem Type | Problem type
  | Threat Name | Threat name
event.severity_str | OCI Severity Level | OCI CloudGuard severity level
cloud.resource.type | Cloud Resource Type | Cloud resource type
  | Cloud Resource ID | Cloud resource ID
  | Cloud Resource Name | Cloud resource name
  | Problem Recommendation | Problem recommendation from OCI

Proofpoint TAP

srcip | Source IP Address | Source IP address
email.subject | Email Subject | Email subject
email.sender.address | Sender Address | Email sender address
email.from.address | Sender Address | Email from address
email.recipient.addresses | Recipient Address(es) | Email recipient address(es)
  | To Address(es) | Email to address(es)
email.x_mailer | X-Mailer | X-Mailer content
event.threat_list | Proofpoint Event Threat List | Threat category: Threat artifact (one entry per threat; the following rows are its per-entry fields)
name | Threat Name | Proofpoint threat name
category | Threat Category | Proofpoint threat category
attachment | Threat Attachment | Proofpoint threat attachment
severity | Proofpoint Threat Severity | Proofpoint threat severity
url | Proofpoint Threat URL | Proofpoint threat URL

SentinelOne Cloud (sentinelone)

  | Host Name | Computer name
host.ip | Host IP Address | Host IP address
  | File Name | File name
file.path | File Path | File path
  | Parent Process Name | Originator process name

Trellix (FireEye) Endpoint Security (AMSI)

fireeye.source | Alert Type | FireEye alert source type
  | Threat Name | FireEye alert name
event.severity_str | Severity | Severity level
host.ip | Host IP Address | Host IP address
  | Host Name | Host name
file_list | File List | File list
process_list | Process List | Process list: Pid (process command line)
event.url | Event URL | FireEye event URL

Trellix (FireEye) Endpoint Security (IOC)

fireeye.source | Alert Type | FireEye alert source type
host.ip | Host IP Address | Host IP address
  | Host Name | Host name
  | Event Name | Event name
  | File Name | File name
  | Process Name | Process name
event.url | Event URL | FireEye event URL

Trellix (FireEye) Endpoint Security (MAL)

fireeye.source | Alert Type | FireEye alert source type
  | Threat Name | FireEye alert name
fireeye.infection_type | Infection Type | FireEye infection type
event.severity_str | FireEye Severity Level | FireEye severity level
host.ip | Host IP Address | Host IP address
  | Host Name | Host name
file.path | File Path | File path
file.hash.md5 | File MD5 Hash | File MD5 hash
file.hash.sha1 | File SHA1 Hash | File SHA1 hash
file.hash.sha256 | File SHA256 Hash | File SHA256 hash
process.executable | Event Actor Process Path | FireEye event actor process path
  | Event Actor Process Pid | FireEye event actor process Pid
event.url | Event URL | FireEye event URL

Trellix (FireEye) Endpoint Security (PROCGUARD)

fireeye.source | Alert Type | FireEye alert source type
  | Threat Name | FireEye alert name
host.ip | Host IP Address | Host IP address
  | Host Name | Host name
file_list | File List | File list
process_list | Process List | Process list: Pid (process command line)
event.url | Event URL | FireEye event URL

Varonis DatAdvantage

event.type | Event Type | Event type
  | Threat Name | Threat name
event.severity | CEF Severity Level | Original CEF severity level
  | User Name | User name
  | File Name | File name
file.path | File Path | File path

VMware Carbon Black Cloud (carbonblack)

  | Host Name | Computer name
host.external_ip | Host External IP Address | Host external IP address
host.ip | Host Internal IP Address | Host internal IP address
  | Process Name | Process name
event.description | Event Reason | Event reason

Windows Defender Antivirus

threat | Threat Name | Threat name
  | Host Name | Computer name
hostip | Host IP Address | Host IP address
file.path | File Path | File path
  | Process Name | Process name
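The key field names above are dotted paths into the alert record (for example file.hash.sha256 or acronis_cyber_protect.details.threatName), and list-valued fields such as event.threat_list carry their own per-entry fields (name, category, severity, url). The following added example, which is not Stellar Cyber's code, shows how a triage or enrichment script resolves those paths against an alert and reports which key fields the alert is missing rather than silently dropping them. It transcribes a few rows from the Acronis (Antimalware protection) and Proofpoint TAP tables; the source identifier proofpoint_tap, the helper names resolve and key_fields, and both alert records are assumptions, the records being constructed samples rather than real telemetry.

```python
"""Resolve Key Field names against alert records.

Added example, not Stellar Cyber code. KEY_FIELDS transcribes a few rows from
the tables on this page; "proofpoint_tap" is an assumed source identifier
(the page gives none for Proofpoint TAP), and both alert records below are
constructed sample data.
"""
from typing import Any

# (key field name, display name) rows per alert source, transcribed from the page
KEY_FIELDS: dict[str, list[tuple[str, str]]] = {
    "acronis_cyber_protect": [            # Acronis (Antimalware protection)
        ("acronis_cyber_protect.details.threatName", "Acronis Threat Name"),
        ("event.category", "Alert Category"),
        ("event.severity_str", "Acronis Severity Level"),
        ("file.path", "File Path"),
        ("file.hash.sha256", "File SHA256"),
    ],
    "proofpoint_tap": [                   # Proofpoint TAP (assumed identifier)
        ("srcip", "Source IP Address"),
        ("email.sender.address", "Sender Address"),
        ("email.recipient.addresses", "Recipient Address(es)"),
        ("event.threat_list", "Proofpoint Event Threat List"),
    ],
}

# Per-entry fields of list-valued key fields: the rows listed under the list field
LIST_SUBKEYS: dict[str, list[tuple[str, str]]] = {
    "event.threat_list": [
        ("name", "Threat Name"),
        ("category", "Threat Category"),
        ("severity", "Proofpoint Threat Severity"),
        ("url", "Proofpoint Threat URL"),
    ],
}


def resolve(record: dict, path: str) -> Any:
    """Look up a dotted key field name.

    Tries the path as a literal (flattened) key first, then walks nested
    dictionaries. Returns None when any segment is absent, so callers can
    tell "field missing" apart from a legitimately empty value.
    """
    if path in record:
        return record[path]
    cur: Any = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def key_fields(record: dict, source_id: str) -> dict:
    """Extract the key fields for one alert source.

    Returns {"fields": {display name: value}, "missing": [key field names]}.
    List-valued fields are expanded entry by entry using LIST_SUBKEYS.
    """
    out: dict = {"fields": {}, "missing": []}
    for path, display in KEY_FIELDS[source_id]:
        value = resolve(record, path)
        if value is None:
            out["missing"].append(path)
            continue
        if path in LIST_SUBKEYS:
            items = value if isinstance(value, list) else [value]
            value = [
                {sub_display: resolve(item, sub) for sub, sub_display in LIST_SUBKEYS[path]}
                for item in items
                if isinstance(item, dict)
            ]
        out["fields"][display] = value
    return out


# Constructed sample alerts (not real telemetry): one nested, one flattened
ACRONIS_ALERT = {
    "acronis_cyber_protect": {"details": {"threatName": "Trojan.Generic.Sample"}},
    "event": {"category": "malware", "severity_str": "critical"},
    "file": {"path": "C:\\Users\\alice\\Downloads\\invoice.exe", "hash": {"sha256": "a" * 64}},
}
PROOFPOINT_ALERT = {
    "srcip": "198.51.100.7",
    "email.sender.address": "billing@example.net",
    "email.recipient.addresses": ["alice@example.com"],
    "event.threat_list": [
        {"name": "phish-credential", "category": "url", "severity": "high", "url": "https://example.net/login"},
        {"name": "malware-attachment", "category": "attachment", "severity": "critical"},
    ],
}

if __name__ == "__main__":
    for source, alert in (("acronis_cyber_protect", ACRONIS_ALERT), ("proofpoint_tap", PROOFPOINT_ALERT)):
        result = key_fields(alert, source)
        print(source, result["fields"], "missing:", result["missing"])
```

Two details matter in practice: the resolver accepts both nested and flattened documents, because the same dotted name may be stored either way depending on how the alert was ingested, and a missing key field is reported by name instead of being silently dropped, so a detection or ticketing step can decide whether an alert without a host name or file hash is still actionable.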

Key Fields for Built-in and Rule-Based Alert Types

The Key Fields for built-in alert types and rule-based alert types are documented individually. To find the Key Fields and Relevant Data Points for one of these alert types, look it up by display name in Machine Learning Alert Type Details or by XDR event name in Alert Types by XDR Event Name.