Key Fields for Alert Types

There are Key Fields for the following:

Third Party Native Alert Types
Built-in and Rule-Based Alert Types

For information on Key Fields in the user interface, see Key Fields in User Interface.

Key Fields for Third Party Native Alert Types

Stellar Cyber supports third party native alert integration. The Key Fields for third party native alert types are as follows:

Third Party Display Name

Key Field Name

Display Name

Description

Acronis (Antimalware protection)

(acronis_cyber_protect)

event.threat.name	Alert Type	Alert type
acronis_cyber_protect.details.threatName	Acronis Threat Name	Acronis threat name
event.category	Alert Category	Alert category
host.name	Host Name	Host name
event.severity_str	Acronis Severity Level	Acronis severity level
file.name	File Name	File name
file.path	File Path	File path
file.hash.sha1	File SHA1	File SHA1
file.hash.md5	File MD5	File MD5
file.hash.sha256	File SHA256	File SHA256

Acronis (EDR)

(acronis_cyber_protect)

event.threat.name	Alert Type	Alert type
event.category	Alert Category	Alert category
host.name	Host Name	Host name
event.severity_str	Acronis Severity Level	Acronis severity level
acronis_cyber_protect.details.redirectLink	Acronis Alert Redirect Link	Acronis alert redirect link
acronis_cyber_protect.details.verdict	Acronis Alert Verdict	Acronis alert verdict

Acronis (Email security)

(acronis_cyber_protect)

event.threat.name	Alert Type	Alert type
event.category	Alert Category	Alert category
event.severity_str	Acronis Severity Level	Acronis severity level
email.from.address	Email From Address	Email from address
email.subject	Email Subject	Email Subject

Acronis (URL filtering)

(acronis_cyber_protect)

event.threat.name	Alert Type	Alert type
acronis_cyber_protect.details.threatName	Acronis Threat Name	Acronis threat name
event.category	Alert Category	Alert category
host.name	Host Name	Host name
event.severity_str	Acronis Severity Level	Acronis severity level
url	URL	URL
process.pid	Process ID	Process ID
process.executable	Process Path	Process path

Avanan (Delivered)

(avanan)

email.from.address	From Address	Who the email is from
email.to.addresses	To Address(es)	Primary intended recipient of the email
email.sender.address	Sender Address	Who actually sent the email on behalf of the primary sender
email.recipient.addresses	Recipient Address(es)	Who received the email (including CC and BCC)
email.subject	Email Subject	Email subject
url_list	URL List	URL(s) in the email
domain_list	Email Links Domain(s)	Email links domain(s)
file_list	File List	File name of the malicious file
name	File Name	File name
hash.md5	Host Hash	File hash
threat_indicator.labels	File Hash Reputation Label(s)	File hash reputation label(s)
threat_indicator.sources	File Hash Reputation Source(s)	File hash reputation source(s)

Avanan (Quarantined)

(avanan)

email.from.address	From Address	Who the email is from
email.to.addresses	To Address(es)	Primary intended recipient of the email
email.sender.address	Sender Address	Who actually sent the email on behalf of the primary sender
email.recipient.addresses	Recipient Address(es)	Who received the email (including CC and BCC)
email.subject	Email Subject	Email subject
url_list	URL List	URL(s) in the email
domain_list	Email Links Domain(s)	Email links domain(s)
file_list	File List	File name of the malicious file
name	File Name	File name
hash.md5	Host Hash	File hash
threat_indicator.labels	File Hash Reputation Label(s)	File hash reputation label(s)
threat_indicator.sources	File Hash Reputation Source(s)	File hash reputation source(s)

AWS GuardDuty

(aws_guardduty)

aws_guardduty.Title	Alert Title	AWS GuardDuty alert title
host_list	Host IP Address(es)	Private IP addresses of the network interfaces of the resource instance
user.name	User Name	User name associated with the access key details of the resource
event.threat.name	Threat Name	Threat name
event.severity	AWS GuardDuty Severity Score	AWS GuardDuty severity score
cloud.resource.type	Cloud Resource Type	Cloud resource type
cloud.resource.id	Cloud Resource ID	Cloud resource ID
cloud.resource.name	Cloud Resource Name	Cloud resource name

Bitdefender IP

(bitdefender_ip)

host.name	Host Name	Host name
host.ip	Host IP Address	Host IP address
srcip	Source IP	Source IP address

Bitdefender Threat

(bitdefender_threat)

host.name	Host Name	Host name
host.ip	Host IP Address	Host IP address
event.threat.name	Threat Type	Threat type

Bitdefender URL

(bitdefender_url)

host.name	Host Name	Host name
host.ip	Host IP Address	Host IP address
url	URL	URL

Blackberry CylancePROTECT

(cylance_protect)

host.name	Host Name	Computer name
host.ip	Host IP Address	Host IP address
file_name	File Name	File name
file_path	File Path	File path
process_name	Process Name	Process name

CrowdStrike

(crowdstrike)

host.name	Computer Name	Computer name
hostip	Host IP Address	Host IP address
user.name	User Name	User name
file.name	File Name	File name
file.path	File Path	File path
process.command_line	Command Line	Command line

Cybereason

(cybereason)

user_list	User Names	User names
file.name	File Name	File name
process.name	Process Name	Process name
host_list	Host IP Address(es)	Host IP address(es)

Cynet

(cynet)

host.ip	Host IP Address	Host IP address
event.threat.name	Threat Name	Event threat name
file.name	File Name	File name

Deep Instinct

(deepinstinct)

deep_instinct.msp_name	MSP Name	MSP name
event.id	Event ID	Event ID
deep_instinct.type	Type	Deep Instinct event type
host.name	Host Name	Host name
host.ip	Host IP Address	Host IP address
file.path	File Path	File path
file.file_hash	File Hash	File hash
file.threat_indicator.labels	File Hash Reputation Label(s)	File hash reputation label(s)
file.threat_indicator.sources	File Hash Reputation Source(s)	File hash reputation source(s)
deep_instinct.action	Event Action	Deep Instinct event action
deep_instinct.threat_type	Deep Instinct Threat Type	Deep Instinct threat type
event.severity_str	Original Deep Instinct Severity	Original Deep Instinct severity

ESET Protect

(eset_protect_filtered_websites_event)

srcip	Source IP	Source IP address
dstip	Destination IP	Destination IP address
eset.rule_id	ESET Protect Rule ID	ESET Protect rule ID
eset.event_type	ESET Protect Event Type	ESET Protect event type
event.severity_str	ESET Protect Event Severity	ESET Protect event severity
event.threat.name	ESET Protect Threat Name	ESET Protect threat name
process.executable	Process Path	Process path
user.name	User Name	User name
host.name	Host Name	Host name
file.hash.sha1	File SHA1 Hash	File SHA1 hash
file.threat_indicator.labels	File Hash Reputation Label(s)	File hash reputation label(s)
file.threat_indicator.sources	File Hash Reputation Source(s)	File hash reputation source(s)

ESET Protect

(eset_protect_firewall_aggregated_event)

srcip	Source IP	Source IP address
dstip	Destination IP	Destination IP address
eset.event_type	ESET Protect Event Type	ESET Protect event type
event.severity_str	ESET Protect Event Severity	ESET Protect event severity
event.threat.name	ESET Protect Threat Name	ESET Protect threat name
process.executable	Process Path	Process path
user.name	User Name	User name

ESET Protect

(eset_protect_inspect_alert)

host.ip	Host IP	Host IP address
host.name	Host Name	Host name
eset.event_type	ESET Protect Event Type	ESET Protect event type
eset.rulename	ESET Protect Rule Name	ESET Protect rule name
process.executable	Process Path	Process path
user.name	User Name	User name
event.severity_str	ESET Protect Event Severity	ESET Protect event severity
eset.eiconsolelink	ESET Protect Console Link	ESET Protect console link
eset.source_uuid	ESET Protect Source UUID	ESET Protect source UUID
file.hash.sha1	File SHA1 Hash	File SHA1 hash
file.threat_indicator.labels	File Hash Reputation Label(s)	File Hash reputation label(s)
file.threat_indicator.sources	File Hash Reputation Source(s)	File Hash reputation source(s)

ESET Protect

(eset_protect_threat_event)

host.ip	Host IP	Host IP address
host.name	Host Name	Host name
eset.event_type	ESET Protect Event Type	ESET Protect event type
process.executable	Process Path	Process path
user.name	User Name	User name
event.severity_str	ESET Protect Event Severity	ESET Protect event severity
eset.source_uuid	ESET Protect Source UUID	ESET Protect source UUID
file.hash.sha1	File SHA1 Hash	File SHA1 hash
file.threat_indicator.labels	File Hash Reputation Label(s)	File Hash reputation label(s)
file.threat_indicator.sources	File Hash Reputation Source(s)	File Hash reputation source(s)

Google Workspace Alert

(google_workspace_alert)

source	Alert Source	Alert source
type	Alert Type	Alert type
rule.name	Rule Name	Alert rule name
host.ip	Login IP Address	IP address associated with the warning event
data.email	Data Email	Email of the user to which this event belongs
securityInvestigationToolLink	Investigation Tool Link	Google Workspace security investigation tool link
user.id	User ID	User ID

Huntress

(huntress_incident)

huntress.organization_name	Organization Name	Huntress organization name
huntress.security_products	Originating Security Products	Originating security products
huntress.incident_report_url	Incident Report URL	Huntress incident report URL
huntress.user_url	User URL	Huntress user URL
huntress.host_url	Host URL	Huntress host URL
host.name	Host Name	Host name
host.ip	Host IP	Host IP address
user_name	User Name	User name
event.threat_list	Huntress Event Threat List	Huntress event threat list
name	Threat Name	Huntress Event Threat Name
severity	Threat Severity	Huntress Event Threat Severity

HYAS Protect

(hyas_protect_block)

srcip	Client IP	Client IP address
dns.question.name	Domain	Domain
hyas_protect.registrar	Domain Registrar	Domain registrar
domain_creation	Domain Creation Date	Domain creation date
hyas_protect.verdictStatus	HYAS Protect Verdict Status	HYAS Protect verdict status: Allow: allow Block: block Highly Suspicious: bad Watch Engine: suspicious
hyas_protect.reason.type	HYAS Protect Reason Type	HYAS Protect reason type
hyas_protect.reason.lists	HYAS Protect Reason Lists	HYAS Protect reason lists
id	ID	Reason ID
name	Name	Reason name
datatype	Datatype	Reason data type
dns.resolved_ip	Resolved IP(s)	Resolved IP address(es)
dns.answers	DNS Answer(s)	DNS answer(s)
name	Domain name	Domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer’s name should be the one that corresponds with the answer’s data.
type	Data Type	Type of data contained in this resource record
data	Data	Data in this resource record

HYAS Protect

(hyas_protect_bad)

srcip	Client IP	Client IP address
dns.question.name	Domain	Domain
hyas_protect.registrar	Domain Registrar	Domain registrar
domain_creation	Domain Creation Date	Domain creation date
hyas_protect.verdictStatus	HYAS Protect Verdict Status	HYAS Protect verdict status: Allow: allow Block: block Highly Suspicious: bad Watch Engine: suspicious
hyas_protect.reason.type	HYAS Protect Reason Type	HYAS Protect reason type
hyas_protect.reason.lists	HYAS Protect Reason Lists	HYAS Protect reason lists
id	ID	Reason ID
name	Name	Reason name
datatype	Datatype	Reason data type
dns.resolved_ip	Resolved IP(s)	Resolved IP address(es)
dns.answers	DNS Answer(s)	DNS answer(s)
name	Domain name	Domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer’s name should be the one that corresponds with the answer’s data.
type	Data Type	Type of data contained in this resource record
data	Data	Data in this resource record

HYAS Protect

(hyas_protect_suspicious)

srcip	Client IP	Client IP address
dns.question.name	Domain	Domain
hyas_protect.registrar	Domain Registrar	Domain registrar
domain_creation	Domain Creation Date	Domain creation date
hyas_protect.verdictStatus	HYAS Protect Verdict Status	HYAS Protect verdict status: Allow: allow Block: block Highly Suspicious: bad Watch Engine: suspicious
hyas_protect.reason.type	HYAS Protect Reason Type	HYAS Protect reason type
hyas_protect.reason.lists	HYAS Protect Reason Lists	HYAS Protect reason lists
id	ID	Reason ID
name	Name	Reason name
datatype	Datatype	Reason data type
dns.resolved_ip	Resolved IP(s)	Resolved IP address(es)
dns.answers	DNS Answer(s)	DNS answer(s)
name	Domain name	Domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer’s name should be the one that corresponds with the answer’s data.
type	Data Type	Type of data contained in this resource record
data	Data	Data in this resource record

LimaCharlie Events

(limacharlie_alert)

srcip_host	Source Host	Name of the workstation
srcip	Source IP	IP address of the source
srcport	Source IP Port	Port of the source IP address
host.name	Host Name	Host name
host.ip	Host IP	Host IP address
limacharlie.detect.event.ACTION	Action	Event action
limacharlie.detect.event.REGISTRY_KEY	Registry Key	Registry key
limacharlie.detect.event.REGISTRY_VALUE	Registry Value	Registry value
process.name	Process File Path	File path of the process
process.hash.sha256	Process File Hash	File hash of the process
process.threat_indicator.labels	Process File Hash Reputation Label(s)	Process file hash reputation label(s)
process.threat_indicator.sources	Process File Hash Reputation Source(s)	Process file hash reputation source(s)
event.severity_str	LimaCharlie Severity	Original severity of the LimaCharlie alert
limacharlie.detect.event.EVENT.EventData.TargetUserSid	SID	SID of the target user
file.path	File Path	Path of the file
file.hash.sha256	File Hash	SHA256 hash of the file
file.threat_indicator.labels	File Hash Reputation Label(s)	File hash reputation label(s)
file.threat_indicator.sources	File Hash Reputation Source(s)	File hash reputation source(s)
process.command_line	Process Command Line	Command line of the process
process.pid	Process ID	Process ID
user.name	User Name	User name
limacharlie.detect.event.EVENT.System.EventID	Event ID	Event ID
limacharlie.detect.event.EVENT.EventData.LogonType	Logon Type	Logon type
limacharlie.detect.event.EVENT.EventData.ProcessName	Process Name	Process name
limacharlie.detect.event.PARENT.FILE_PATH	Parent Process File Path	File path of the parent process
limacharlie.detect.event.PARENT.HASH	Parent Process File Hash	File hash of the parent process
process.parent.threat_indicator.labels	Parent Process File Hash Reputation Label(s)	Parent process file hash reputation label(s)
process.parent.threat_indicator.sources	Parent Process File Hash Reputation Source(s)	Parent process file hash reputation source(s)
process.parent.command_line	Parent Process Command Line	Command line of the parent process
process.parent.pid	Parent Process ID	Parent process ID
limacharlie.detect.event.PARENT.USER_NAME	Parent User Name	User name of the parent process
limacharlie.link	LimaCharlie Alert Link	LimaCharlie alert link
limacharlie.source_rule	Source Rule	Source rule that LimaCharlie used to generate the alert
limacharlie.detect_mtd.references	Rule References	References of the rule

Microsoft Defender for Endpoint

(ms_defender_atp)

host.name	Host Name	Host name
host.ip	Host IP Address	Host IP address
user.name	User Name	User name
user.domain	User Domain	User domain
threat	Threat Name	Threat name
file_list	File List	File list
process_list	Process List	Process list

Microsoft Entra ID (formerly Azure Active Directory)

(azure_ad_risk_detection)

userDisplayName	User Name	User name
ipAddress	Host IP Address	Host IP address
riskEventType	Event Type	Risk event type

Microsoft Defender for Cloud

(microsoft_defender_cloud)

microsoft_defender_cloud.AlertUri	Microsoft Defender for Cloud Alert URI	Microsoft Defender for Cloud alert URI
event.severity_str	Microsoft Defender for Cloud Severity	Original severity from Microsoft Defender for Cloud
microsoft_defender_cloud.AlertDisplayName	Microsoft Defender for Cloud Alert Name	Microsoft Defender for Cloud alert name
cloud.resource.name	Cloud Resource Name	Cloud resource name
cloud.resource.type	Cloud Resource Type	Cloud resource type
cloud.resource.id	Cloud Resource ID	Cloud resource ID
srcip_list	Source IP List	Source IP address list
srcip	Source IP	Source IP address
user.name	User Name	User name
host.name	Host Name	Host name
host.ip	Host IP Address	Host IP address
file.name	File Name	File name
file.path	File Path	File path
file.hash.md5	File MD5 Hash	File MD5 hash
file.hash.sha256	File SHA256 Hash	File SHA256 hash
process.executable	Process Executable	Process executable
process.id	Process ID	Process ID
process.command_line	Process Command Line	Process command line
process.parent.name	Parent Process Name	Parent process name
process.parent.executable	Parent Process Executable	Parent process executable
process.parent.id	Parent Process ID	Parent process ID
process.parent.command_line	Parent Process Command Line	Parent process command line
microsoft_defender_cloud.ExtendedProperties	Extended Properties	Extended properties
microsoft_defender_cloud.ExtendedProperties.Potential causes	Potential Causes	Potential causes
microsoft_defender_cloud.ExtendedProperties.Recommended actions	Recommended Actions	Recommended actions
microsoft_defender_cloud.ExtendedProperties.Event of Interest	Event of Interest	Event of interest
microsoft_defender_cloud.RemediationSteps	Remediation Steps	Remediation steps

Microsoft Defender for Cloud Apps

(ms_defender_for_cloud_apps)

microsoft_defender_for_cloud_apps.URL	Microsoft Defender for Cloud Apps URL	Microsoft Defender for Cloud Apps URL
event.threat_list	Risk category	Threat list
name	Risk category	Microsoft Defender for Cloud Apps risk category
event.severity_str	Microsoft Defender for Cloud Apps Severity	Original severity value from Microsoft Defender for Cloud Apps
microsoft_defender_for_cloud_apps.isPreview	Preview	Alerts that have been recently released as GA
user.id	User ID	User ID of entity that was involved in this alert
user.name	Username	Username of entity that was involved in this alert
srcip	Source IP Address	Source IP address of attack that was involved in this alert
srcip_host	Source Host	Name of the source workstation involved in this alert
dstip_host	Destination Host	Name of the destination workstation involved in this alert
observables	Entities	List of observables related to the alert
name	Entity name	Entity name
type	Entity type	Entity type
id	Entity ID	Entity ID

Microsoft Office 365

(microsoft_365)

event.threat.name	Threat Name	Threat name
event.severity_str	Microsoft 365 Severity Level	Microsoft 365 severity level
event.category	Category	Microsoft 365 alert category
Source	Source	Microsoft 365 alert source
AlertType	Alert Type	Microsoft 365 alert type
event_summary.alert_entity_list	Alert Entity List	Microsoft 365 Alert entity list
username	User Name	User name

Microsoft Sentinel

(ms_sentinel_incident)

microsoft_sentinel.Title	Incident Title	Microsoft Sentinel incident title
microsoft_sentinel.ModifiedBy	Modified By	Microsoft Sentinel modified by
microsoft_sentinel.AdditionalData.alertsCount	Alerts Count	Microsoft Sentinel additional data alerts count
microsoft_sentinel.IncidentUrl	Incident Link	Microsoft Sentinel incident link
microsoft_sentinel.SourceSystem	Source System	Microsoft Sentinel source system
microsoft_sentinel.AlertIds	Alert IDs	Microsoft Sentinel alert IDs

Mimecast Attachment Protect

(mimecast_attachment_protect)

file.name	File Name	File name of the malicious file
mimecast.fileExt	File Extension	File extension of the malicious file
mimecast.Size	File Size	Size (in bytes) of the malicious file
file.hash.md5	File MD5 Hash	MD5 hash of the malicious file
file.hash.sha1	File SHA1 Hash	SHA1 hash of the malicious file
file.hash.sha256	File SHA256 Hash	SHA256 hash of the malicious file
mimecast.fileMime	File MIME Type	Detected MIME type of the malicious file
email.sender.address	Sender Address	Sender address
email.recipient.addresses	Recipient Address(es)	Recipient address(es)
email.subject	Email Subject	Email subject
mimecast.senderDomain	Sender Domain	Sender domain
mimecast.route	The Route of the Message	Route of the message

Mimecast AV

(mimecast_av)

srcip	Source IP Address	Source IP address
file.name	File Name	File name
mimecast.fileExt	File Extension	File extension
mimecast.Size	File Size	Size (in bytes) of the malicious file
file.hash.md5	File MD5 Hash	File MD5 hash
file.hash.sha1	File SHA1 Hash	File SHA1 hash
file.hash.sha256	File SHA256 Hash	File SHA256 hash
mimecast.fileMime	File MIME Type	File MIME type
email.sender.address	Sender Address	Sender address
mimecast.senderDomain	Sender Domain	Sender domain
email.recipient.addresses	Recipient Address(es)	Recipient address(es)
email.subject	Email Subject	Email subject
mimecast.Route	The Route of the Message	Route of the message
mimecast.Virus	Virus Signature	Virus signature

Mimecast Impersonation Protect

(mimecast_email_impersonation_protect)

mimecast.aCode	Mimecast aCode	Unique ID used to track the email through the different log types from Mimecast
srcip	Source IP Address	Source IP address
email.sender.address	Sender Address	Sender address
email.recipient.addresses	Recipient Address(es)	Recipient address(es)
email.subject	Email Subject	Email subject
event.threat.name	Alert Definition	Alert definition
mimecast.Hits	Number of Items Flagged	Number of items flagged for the message
mimecast.Route	The Route of the Message	Route of the message

Mimecast Internal Email Protect

(mimecast_internal_email_protect)

mimecast.aCode	Mimecast aCode	Unique ID used to track the email through the different log types from Mimecast
srcip	Source IP Address	Source IP address
url	Clicked URL	URL the user clicked
event.threat.name	URL Category	URL category
email.sender.address	Sender Address	Sender address
email.recipient.addresses	Recipient Address(es)	Recipient address(es)
email.subject	Email Subject	Email subject
mimecast.Route	The Route of the Message	Route of the message

Mimecast Malicious Receipt Log

(mimecast_receipt_with_virus)

mimecast.aCode	Mimecast aCode	Unique ID used to track the email through the different log types from Mimecast
srcip	Source IP Address	Source IP address
email.sender.address	Sender Address	Sender address
email.recipient.addresses	Recipient Address(es)	Recipient address(es)
email.subject	Email Subject	Email subject
mimecast.Error	Errors Occurred	Information about any errors that occurred during receipt
mimecast.Dir	Email Direction	Direction of the email based on the sending and receiving domains
mimecast.Virus	Virus Signature	Virus signature
mimecast.Act	Action	Action taken at the receipt stage
mimecast.RejInfo	Rejection Information	Rejection information if the email was rejected at the receipt stage
mimecast.RejType	Rejection Type	Rejection type if the email was rejected at the receipt stage
mimecast.TlsVer	TLS Version	TLS version used if the email was received using TLS
mimecast.Cphr	TLS Cipher	TLS cipher used if the email was received using TLS

Mimecast URL Protect

(mimecast_url_protect)

srcip	Source IP Address	Source IP address
url	Clicked URL	URL the user clicked
event.threat.name	URL Category	URL category
event.reason	Reason	Event reason
email.sender.address	Sender Address	Sender address
email.recipient.addresses	Recipient Address(es)	Recipient address(es)
email.subject	Email Subject	Email subject
mimecast.action	Mimecast Action	Mimecast action
mimecast.senderDomain	Sender Domain	Sender domain
mimecast.route	The Route of the Message	Route of the message

Netskope Alert (Breach)

(netskope_protect_breach)

netskopewsg.type	Netskope Alert Type	Netskope alert type
netskopewsg.breach_id	Netskope Breach ID	Netskope breach ID
netskopewsg.alert_name	Alert Name	Alert name
srcip	Source IP	Source IP address
dstip	Destination IP	Destination IP address
host.ip	Host IP (User's IP)	Host IP address (user's IP address)
user.name	User Name	User name associated with Netskope account
netskopewsg.matched_username	Matched User Name	Email address associated with the breached access method
url	URL	URL
event.severity_str	Netskope Alert Severity	Netskope alert severity
netskopewsg.breach_score	Netskope Breach Score	Netskope breach score

Netskope Alert (Connection)

(netskope_protect_connection)

netskopewsg.type	Netskope Alert Type	Netskope alert type
netskopewsg.connection_id	Netskope Connection ID	Netskope connection ID
srcip	Source IP	Source IP address
dstip	Destination IP	Destination IP address
host.ip	Host IP (User's IP)	Host IP address (user's IP address)
user.name	User Name	User name
url	URL	URL
event.severity_str	Netskope Alert Severity	Netskope alert severity

Netskope Alert (Malsite)

(netskope_protect_malsite)

netskopewsg.type	Netskope Alert Type	Netskope alert type
event.threat.name	Malsite Category	Malsite category
netskopewsg.malsite_id	Malsite ID	Malsite ID
srcip	Source IP	Source IP address
dstip	Destination IP	Destination IP address
host.ip	Host IP (User's IP)	Host IP address (user's IP address)
user.name	User Name	User name
url	Malsite URL	Malsite URL
event.severity_str	Netskope Alert Severity	Netskope alert severity

Oracle Cloud Infrastructure (OCI) CloudGuard

(oci_cloudguard)

event.type	Problem Type	Problem type
event.threat.name	Threat Name	Threat name
event.severity_str	OCI Severity Level	OCI CloudGuard severity level
cloud.resource.type	Cloud Resource Type	Cloud resource type
cloud.resource.id	Cloud Resource ID	Cloud resource ID
cloud.resource.name	Cloud Resource Name	Cloud resource name
oracle.data.additionalDetails.problemRecommendation	Problem Recommendation	Problem recommendation from OCI

Proofpoint TAP

(proofpoint_tap)

srcip	Source IP Address	Source IP address
url	Malicious URL	Malicious URL that was clicked
email.subject	Email Subject	Email subject
email.sender.address	Sender Address	Who actually sent the email on behalf of the primary sender
email.from.address	From Address	Who the email is from
email.recipient.addresses	Recipient Address(es)	Who received the email (including CC and BCC)
email.to.addresses	To Address(es)	Primary intended recipient of the email
email.x_mailer	X-Mailer	X-Mailer content
event.threat_list	Proofpoint Event Threat List	Threat category: Threat artifact
name	Threat Name	Proofpoint threat name
category	Threat Category	Proofpoint threat category
attachment	Threat Attachment	Proofpoint threat attachment
severity	Proofpoint Threat Severity	Proofpoint threat severity
url	Proofpoint Threat URL	Proofpoint threat URL

SentinelOne Cloud

(sentinelone)

host.name	Host Name	Computer name
host.ip	Host IP Address	Host IP address
file.name	File Name	File name
file.path	File Path	File path
process.parent.name	Parent Process Name	Originator process name

Sophos Alerts

(sophos_alerts)

host.ip	Host IP	Host IP address
user.name	User Name	User name
event.severity_str	Sophos Severity	Original severity level from Sophos
sophos.type	Sophos Event Type	Sophos event type
sophos.data.endpoint_platform	Endpoint Platform	Endpoint platform
file.path	File Path	File path
file.hash.sha256	File SHA256	File SHA256

Sophos Events

(sophos_events)

host.ip	Host IP	Host IP address
user.name	User Name	User name
sophos.user_id	User ID	User ID
event.severity_str	Sophos Severity	Original severity level from Sophos
sophos.type	Sophos Event Type	Sophos event type
sophos.endpoint_type	Endpoint Platform	Endpoint platform
file.path	File Path	File path
file.hash.sha256	File SHA256	File SHA256

Trellix (FireEye) Endpoint Security (AMSI)

(fireeye_amsi)

fireeye.source	Alert Type	FireEye alert source type
event.threat.name	Threat Name	FireEye alert name
event.severity_str	Severity	Severity level
host.ip	Host IP Address	Host IP address
host.name	Host Name	Host name
file_list	File List	File list
process_list	Process List	Process list: Pid (process command line)
event.url	Event URL	FireEye event URL

Trellix (FireEye) Endpoint Security (IOC)

(fireeye_ioc)

fireeye.source	Alert Type	FireEye alert source type
host.ip	Host IP Address	Host IP address
host.name	Host Name	Host name
event.name	Event Name	Event name
file.name	File Name	File name
process.name	Process Name	Process name
event.url	Event URL	FireEye event URL

Trellix (FireEye) Endpoint Security (MAL)

(fireeye_mal)

fireeye.source	Alert Type	FireEye alert source type
event.threat.name	Threat Name	FireEye alert name
fireeye.infection_type	Infection Type	FireEye Infection Type
event.severity_str	FireEye Severity Level	FireEye severity level
host.ip	Host IP Address	Host IP address
host.name	Host IP Address	Host name
file.path	File Path	File path
file.hash.md5	File MD5 Hash	File MD5 hash
file.hash.sha1	File SHA1 Hash	File SHA1 hash
file.hash.sha256	File SHA256 Hash	File SHA256 hash
process.executable	Event Actor Process Path	FireEye event actor process path
process.pid	Event Actor Process Pid	FireEye event actor process Pid
event.url	Event URL	FireEye event URL

Trellix (FireEye) Endpoint Security (PROCGUARD)

(fireeye_procguard)

fireeye.source	Alert Type	FireEye alert source type
event.threat.name	Threat Name	FireEye alert name
host.ip	Host IP Address	Host IP address
host.name	Host Name	Host name
file_list	File List	File list
process_list	Process List	Process list: Pid (process command line)
event.url	Event URL	FireEye event URL

Trend Micro Vision One

(trendmicro_visionone)

event.threat.name	Threat Name	Threat name
event.severity_str	Trend Micro Vision One Severity	Original Trend Micro Vision One severity level
trendmicro_visionone.workbenchLink	Trend Micro Vision One Workbench Link	Trend Micro Vision One workbench link
host_list	Host(s)	Related host(s)
name	Host Name	Host name
ips	Host IP(s)	Host IP addresses
process_list	Process(es)	Related process(es)
file_list	File(s)	Related file(s)
name	File Name	File name
path	File Path	File path
hash.md5	File MD5 Hash	File MD5 hash
hash.sha1	File SHA1 Hash	File SHA1 hash
hash.sha256	File SHA256 Hash	File SHA256 hash
trendmicro_visionone.alertProvider	Alert Provider	Trend Micro Vision One alert provider
user_list	User(s)	Related user(s)

Varonis DatAdvantage

(varonis_datadvantage)

event.type	Event Type	Event type
event.threat.name	Threat Name	Threat name
event.severity	CEF Severity Level	Original CEF severity level
user.name	User Name	User name
file.name	File Name	File name
file.path	File Path	File path

VMware Carbon Black Cloud

(carbonblack)

host.name	Host Name	Computer name
host.external_ip	Host Name	Host external IP address
host.ip	Host Internal IP Address	Host internal IP address
process.name	Process Name	Process name
event.description	Event Reason	Event reason

Windows Defender Antivirus

(windows_defender_antivirus)

event.ms_incident_id	Incident ID	Windows Defender incident ID
threat	Threat Name	Threat name
host.name	Host Name	Computer name
hostip	Host IP Address	Host IP address
file.path	File Path	File path
process.name	Process Name	Process name

Key Fields for Built-in and Rule-Based Alert Types

The Key Fields for built-in alert types and rule-based alert types are documented in individually. See the Key Fields and Relevant Data Points for any alert type by their display name in Machine Learning Alert Type Details or by their XDR event name in Alert Types by XDR Event Name.

Key Fields in User Interface

To view the Key Fields in the user interface, click the Key Fields tab.

If the alert description is long, click the Show More button to display the full alert description. After the alert description is expanded, the button toggles to Show Less.

Some Key Fields, such as File Path, have an icon. Click the icon to copy the field value to the clipboard.

If the value of a Key Field is long, only three lines of text are displayed. Click the More button to expand the value. After the value is expanded, the button toggles to Less.

If there are multiple values in a Key Field such as for an Event Threat List, the sub-fields will appear below the Key Field in a smaller and lighter font.