Key Fields for Alert Types

There are Key Fields for the following:

  • Third party native alert types (see Key Fields for Third Party Native Alert Types)

  • Built-in and rule-based alert types (see Key Fields for Built-in and Rule-Based Alert Types)

For information on Key Fields in the user interface, see Key Fields in User Interface.

Key Fields for Third Party Native Alert Types

Stellar Cyber supports third party native alert integration. The Key Fields for third party native alert types are as follows:

Each third party is listed by its display name, with the Stellar Cyber alert type name in parentheses. Each row that follows gives, in order, the Key Field Name, the Display Name shown in the user interface, and a description. Rows listed directly below a list-valued Key Field (for example, name and severity below event.threat_list) are sub-fields of each entry in that list.

Acronis (Antimalware protection)

(acronis_cyber_protect)

event.threat.name Alert Type Alert type
acronis_cyber_protect.details.threatName Acronis Threat Name Acronis threat name
event.category Alert Category Alert category
host.name Host Name Host name
event.severity_str Acronis Severity Level Acronis severity level
file.name File Name File name
file.path File Path File path
file.hash.sha1 File SHA1 File SHA1
file.hash.md5 File MD5 File MD5
file.hash.sha256 File SHA256 File SHA256

Acronis (EDR)

(acronis_cyber_protect)

event.threat.name Alert Type Alert type
event.category Alert Category Alert category
host.name Host Name Host name
event.severity_str Acronis Severity Level Acronis severity level
acronis_cyber_protect.details.redirectLink Acronis Alert Redirect Link Acronis alert redirect link
acronis_cyber_protect.details.verdict Acronis Alert Verdict Acronis alert verdict

Acronis (Email security)

(acronis_cyber_protect)

event.threat.name Alert Type Alert type
event.category Alert Category Alert category
event.severity_str Acronis Severity Level Acronis severity level
email.from.address Email From Address Email from address
email.subject Email Subject Email Subject

Acronis (URL filtering)

(acronis_cyber_protect)

event.threat.name Alert Type Alert type
acronis_cyber_protect.details.threatName Acronis Threat Name Acronis threat name
event.category Alert Category Alert category
host.name Host Name Host name
event.severity_str Acronis Severity Level Acronis severity level
url URL URL
process.pid Process ID Process ID
process.executable Process Path Process path

Avanan (Delivered)

(avanan)

email.from.address From Address Who the email is from
email.to.addresses To Address(es) Primary intended recipient of the email
email.sender.address Sender Address Who actually sent the email on behalf of the primary sender
email.recipient.addresses Recipient Address(es) Who received the email (including CC and BCC)
email.subject Email Subject Email subject
url_list URL List URL(s) in the email
domain_list Email Links Domain(s) Email links domain(s)
file_list File List File name of the malicious file
  name File Name File name
  hash.md5 File Hash File MD5 hash
  threat_indicator.labels File Hash Reputation Label(s) File hash reputation label(s)
  threat_indicator.sources File Hash Reputation Source(s) File hash reputation source(s)

Avanan (Quarantined)

(avanan)

email.from.address From Address Who the email is from
email.to.addresses To Address(es) Primary intended recipient of the email
email.sender.address Sender Address Who actually sent the email on behalf of the primary sender
email.recipient.addresses Recipient Address(es) Who received the email (including CC and BCC)
email.subject Email Subject Email subject
url_list URL List URL(s) in the email
domain_list Email Links Domain(s) Email links domain(s)
file_list File List File name of the malicious file
  name File Name File name
  hash.md5 File Hash File MD5 hash
  threat_indicator.labels File Hash Reputation Label(s) File hash reputation label(s)
  threat_indicator.sources File Hash Reputation Source(s) File hash reputation source(s)

AWS GuardDuty

(aws_guardduty)

aws_guardduty.Title Alert Title AWS GuardDuty alert title
host_list Host IP Address(es) Private IP addresses of the network interfaces of the resource instance
user.name User Name User name associated with the access key details of the resource
event.threat.name Threat Name Threat name
event.severity AWS GuardDuty Severity Score AWS GuardDuty severity score
cloud.resource.type Cloud Resource Type Cloud resource type
cloud.resource.id Cloud Resource ID Cloud resource ID
cloud.resource.name Cloud Resource Name Cloud resource name

Bitdefender IP

(bitdefender_ip)

host.name Host Name Host name
host.ip Host IP Address Host IP address
srcip Source IP Source IP address

Bitdefender Threat

(bitdefender_threat)

host.name Host Name Host name
host.ip Host IP Address Host IP address
event.threat.name Threat Type Threat type

Bitdefender URL

(bitdefender_url)

host.name Host Name Host name
host.ip Host IP Address Host IP address
url URL URL

Blackberry CylancePROTECT

(cylance_protect)

host.name Host Name Computer name
host.ip Host IP Address Host IP address
file_name File Name File name
file_path File Path File path
process_name Process Name Process name

CrowdStrike

(crowdstrike)

host.name Computer Name Computer name
hostip Host IP Address Host IP address
user.name User Name User name
file.name File Name File name
file.path File Path File path
process.command_line Command Line Command line

Cybereason

(cybereason)

user_list User Names User names
file.name File Name File name
process.name Process Name Process name
host_list Host IP Address(es) Host IP address(es)

Cynet

(cynet)

host.ip Host IP Address Host IP address
event.threat.name Threat Name Event threat name
file.name File Name File name

Deep Instinct

(deepinstinct)

deep_instinct.msp_name MSP Name MSP name
event.id Event ID Event ID
deep_instinct.type Type Deep Instinct event type
host.name Host Name Host name
host.ip Host IP Address Host IP address
file.path File Path File path
file.file_hash File Hash File hash
file.threat_indicator.labels File Hash Reputation Label(s) File hash reputation label(s)
file.threat_indicator.sources File Hash Reputation Source(s) File hash reputation source(s)
deep_instinct.action Event Action Deep Instinct event action
deep_instinct.threat_type Deep Instinct Threat Type Deep Instinct threat type
event.severity_str Original Deep Instinct Severity Original Deep Instinct severity

ESET Protect

(eset_protect_filtered_websites_event)

srcip Source IP Source IP address
dstip Destination IP Destination IP address
eset.rule_id ESET Protect Rule ID ESET Protect rule ID
eset.event_type ESET Protect Event Type ESET Protect event type
event.severity_str ESET Protect Event Severity ESET Protect event severity
event.threat.name ESET Protect Threat Name ESET Protect threat name
process.executable Process Path Process path
user.name User Name User name
host.name Host Name Host name
file.hash.sha1 File SHA1 Hash File SHA1 hash
file.threat_indicator.labels File Hash Reputation Label(s) File hash reputation label(s)
file.threat_indicator.sources File Hash Reputation Source(s) File hash reputation source(s)

ESET Protect

(eset_protect_firewall_aggregated_event)

srcip Source IP Source IP address
dstip Destination IP Destination IP address
eset.event_type ESET Protect Event Type ESET Protect event type
event.severity_str ESET Protect Event Severity ESET Protect event severity
event.threat.name ESET Protect Threat Name ESET Protect threat name
process.executable Process Path Process path
user.name User Name User name

ESET Protect

(eset_protect_inspect_alert)

host.ip Host IP Host IP address
host.name Host Name Host name
eset.event_type ESET Protect Event Type ESET Protect event type
eset.rulename ESET Protect Rule Name ESET Protect rule name
process.executable Process Path Process path
user.name User Name User name
event.severity_str ESET Protect Event Severity ESET Protect event severity
eset.eiconsolelink ESET Protect Console Link ESET Protect console link
eset.source_uuid ESET Protect Source UUID ESET Protect source UUID
file.hash.sha1 File SHA1 Hash File SHA1 hash
file.threat_indicator.labels File Hash Reputation Label(s) File Hash reputation label(s)
file.threat_indicator.sources File Hash Reputation Source(s) File Hash reputation source(s)

ESET Protect

(eset_protect_threat_event)

host.ip Host IP Host IP address
host.name Host Name Host name
eset.event_type ESET Protect Event Type ESET Protect event type
process.executable Process Path Process path
user.name User Name User name
event.severity_str ESET Protect Event Severity ESET Protect event severity
eset.source_uuid ESET Protect Source UUID ESET Protect source UUID
file.hash.sha1 File SHA1 Hash File SHA1 hash
file.threat_indicator.labels File Hash Reputation Label(s) File Hash reputation label(s)
file.threat_indicator.sources File Hash Reputation Source(s) File Hash reputation source(s)

Google Workspace Alert

(google_workspace_alert)

source Alert Source Alert source

type Alert Type Alert type
rule.name Rule Name Alert rule name
host.ip Login IP Address IP address associated with the warning event
data.email Data Email Email of the user to which this event belongs
securityInvestigationToolLink Investigation Tool Link Google Workspace security investigation tool link
user.id User ID User ID

Huntress

(huntress_incident)

huntress.organization_name Organization Name Huntress organization name
huntress.security_products Originating Security Products Originating security products
huntress.incident_report_url Incident Report URL Huntress incident report URL
huntress.user_url User URL Huntress user URL
huntress.host_url Host URL Huntress host URL
host.name Host Name Host name
host.ip Host IP Host IP address
user_name User Name User name
event.threat_list Huntress Event Threat List Huntress event threat list
  name Threat Name Huntress event threat name
  severity Threat Severity Huntress event threat severity

HYAS Protect

(hyas_protect_block)

srcip Client IP Client IP address
dns.question.name Domain Domain
hyas_protect.registrar Domain Registrar Domain registrar
domain_creation Domain Creation Date Domain creation date
hyas_protect.verdictStatus HYAS Protect Verdict Status HYAS Protect verdict status, one of the following (display value: stored value):

  • Allow: allow

  • Block: block

  • Highly Suspicious: bad

  • Watch Engine: suspicious

hyas_protect.reason.type HYAS Protect Reason Type HYAS Protect reason type
hyas_protect.reason.lists HYAS Protect Reason Lists HYAS Protect reason lists
  id ID Reason ID
  name Name Reason name
  datatype Datatype Reason data type
dns.resolved_ip Resolved IP(s) Resolved IP address(es)
dns.answers DNS Answer(s) DNS answer(s)
  name Domain name Domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer’s name should be the one that corresponds with the answer’s data.
  type Data Type Type of data contained in this resource record
  data Data Data in this resource record

HYAS Protect

(hyas_protect_bad)

srcip Client IP Client IP address
dns.question.name Domain Domain
hyas_protect.registrar Domain Registrar Domain registrar
domain_creation Domain Creation Date Domain creation date
hyas_protect.verdictStatus HYAS Protect Verdict Status HYAS Protect verdict status, one of the following (display value: stored value):

  • Allow: allow

  • Block: block

  • Highly Suspicious: bad

  • Watch Engine: suspicious

hyas_protect.reason.type HYAS Protect Reason Type HYAS Protect reason type
hyas_protect.reason.lists HYAS Protect Reason Lists HYAS Protect reason lists
  id ID Reason ID
  name Name Reason name
  datatype Datatype Reason data type
dns.resolved_ip Resolved IP(s) Resolved IP address(es)
dns.answers DNS Answer(s) DNS answer(s)
  name Domain name Domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer’s name should be the one that corresponds with the answer’s data.
  type Data Type Type of data contained in this resource record
  data Data Data in this resource record

HYAS Protect

(hyas_protect_suspicious)

srcip Client IP Client IP address
dns.question.name Domain Domain
hyas_protect.registrar Domain Registrar Domain registrar
domain_creation Domain Creation Date Domain creation date
hyas_protect.verdictStatus HYAS Protect Verdict Status HYAS Protect verdict status, one of the following (display value: stored value):

  • Allow: allow

  • Block: block

  • Highly Suspicious: bad

  • Watch Engine: suspicious

hyas_protect.reason.type HYAS Protect Reason Type HYAS Protect reason type
hyas_protect.reason.lists HYAS Protect Reason Lists HYAS Protect reason lists
  id ID Reason ID
  name Name Reason name
  datatype Datatype Reason data type
dns.resolved_ip Resolved IP(s) Resolved IP address(es)
dns.answers DNS Answer(s) DNS answer(s)
  name Domain name Domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer’s name should be the one that corresponds with the answer’s data.
  type Data Type Type of data contained in this resource record
  data Data Data in this resource record

LimaCharlie Events

(limacharlie_alert)

srcip_host Source Host Name of the workstation
srcip Source IP IP address of the source
srcport Source IP Port Port of the source IP address
host.name Host Name Host name
host.ip Host IP Host IP address
limacharlie.detect.event.ACTION Action Event action
limacharlie.detect.event.REGISTRY_KEY Registry Key Registry key
limacharlie.detect.event.REGISTRY_VALUE Registry Value Registry value
process.name Process File Path File path of the process
process.hash.sha256 Process File Hash File hash of the process
process.threat_indicator.labels Process File Hash Reputation Label(s) Process file hash reputation label(s)
process.threat_indicator.sources Process File Hash Reputation Source(s) Process file hash reputation source(s)
event.severity_str LimaCharlie Severity Original severity of the LimaCharlie alert
limacharlie.detect.event.EVENT.EventData.TargetUserSid SID SID of the target user
file.path File Path Path of the file
file.hash.sha256 File Hash SHA256 hash of the file
file.threat_indicator.labels File Hash Reputation Label(s) File hash reputation label(s)
file.threat_indicator.sources File Hash Reputation Source(s) File hash reputation source(s)
process.command_line Process Command Line Command line of the process
process.pid Process ID Process ID
user.name User Name User name
limacharlie.detect.event.EVENT.System.EventID Event ID Event ID
limacharlie.detect.event.EVENT.EventData.LogonType Logon Type Logon type
limacharlie.detect.event.EVENT.EventData.ProcessName Process Name Process name
limacharlie.detect.event.PARENT.FILE_PATH Parent Process File Path File path of the parent process
limacharlie.detect.event.PARENT.HASH Parent Process File Hash File hash of the parent process
process.parent.threat_indicator.labels Parent Process File Hash Reputation Label(s) Parent process file hash reputation label(s)
process.parent.threat_indicator.sources Parent Process File Hash Reputation Source(s) Parent process file hash reputation source(s)
process.parent.command_line Parent Process Command Line Command line of the parent process
process.parent.pid Parent Process ID Parent process ID
limacharlie.detect.event.PARENT.USER_NAME Parent User Name User name of the parent process
limacharlie.link LimaCharlie Alert Link LimaCharlie alert link
limacharlie.source_rule Source Rule Source rule that LimaCharlie used to generate the alert
limacharlie.detect_mtd.references Rule References References of the rule

Microsoft Defender for Endpoint

(ms_defender_atp)

host.name Host Name Host name
host.ip Host IP Address Host IP address
user.name User Name User name
user.domain User Domain User domain
threat Threat Name Threat name
file_list File List File list
process_list Process List Process list

Microsoft Entra ID (formerly Azure Active Directory)

(azure_ad_risk_detection)

userDisplayName User Name User name
ipAddress Host IP Address Host IP address
riskEventType Event Type Risk event type

Microsoft Defender for Cloud

(microsoft_defender_cloud)

microsoft_defender_cloud.AlertUri Microsoft Defender for Cloud Alert URI Microsoft Defender for Cloud alert URI
event.severity_str Microsoft Defender for Cloud Severity Original severity from Microsoft Defender for Cloud
microsoft_defender_cloud.AlertDisplayName Microsoft Defender for Cloud Alert Name Microsoft Defender for Cloud alert name
cloud.resource.name Cloud Resource Name Cloud resource name
cloud.resource.type Cloud Resource Type Cloud resource type
cloud.resource.id Cloud Resource ID Cloud resource ID
srcip_list Source IP List Source IP address list
srcip Source IP Source IP address
user.name User Name User name
host.name Host Name Host name
host.ip Host IP Address Host IP address
file.name File Name File name
file.path File Path File path
file.hash.md5 File MD5 Hash File MD5 hash
file.hash.sha256 File SHA256 Hash File SHA256 hash
process.executable Process Executable Process executable
process.id Process ID Process ID
process.command_line Process Command Line Process command line
process.parent.name Parent Process Name Parent process name
process.parent.executable Parent Process Executable Parent process executable
process.parent.id Parent Process ID Parent process ID
process.parent.command_line Parent Process Command Line Parent process command line
microsoft_defender_cloud.ExtendedProperties Extended Properties Extended properties
microsoft_defender_cloud.ExtendedProperties.Potential causes Potential Causes Potential causes
microsoft_defender_cloud.ExtendedProperties.Recommended actions Recommended Actions Recommended actions
microsoft_defender_cloud.ExtendedProperties.Event of Interest Event of Interest Event of interest
microsoft_defender_cloud.RemediationSteps Remediation Steps Remediation steps

Microsoft Defender for Cloud Apps

(ms_defender_for_cloud_apps)

microsoft_defender_for_cloud_apps.URL Microsoft Defender for Cloud Apps URL Microsoft Defender for Cloud Apps URL
event.threat_list Risk category Threat list
  name Risk category Microsoft Defender for Cloud Apps risk category
event.severity_str Microsoft Defender for Cloud Apps Severity Original severity value from Microsoft Defender for Cloud Apps
microsoft_defender_for_cloud_apps.isPreview Preview Alerts that have been recently released as GA
user.id User ID User ID of entity that was involved in this alert
user.name Username Username of entity that was involved in this alert
srcip Source IP Address Source IP address of attack that was involved in this alert
srcip_host Source Host Name of the source workstation involved in this alert
dstip_host Destination Host Name of the destination workstation involved in this alert
observables Entities List of observables related to the alert
  name Entity name Entity name
  type Entity type Entity type
  id Entity ID Entity ID

Microsoft Office 365

(microsoft_365)

event.threat.name Threat Name Threat name
event.severity_str Microsoft 365 Severity Level Microsoft 365 severity level
event.category Category Microsoft 365 alert category
Source Source Microsoft 365 alert source
AlertType Alert Type Microsoft 365 alert type

event_summary.alert_entity_list Alert Entity List Microsoft 365 Alert entity list
username User Name User name

Microsoft Sentinel

(ms_sentinel_incident)

microsoft_sentinel.Title Incident Title Microsoft Sentinel incident title
microsoft_sentinel.ModifiedBy Modified By Microsoft Sentinel modified by
microsoft_sentinel.AdditionalData.alertsCount Alerts Count Microsoft Sentinel additional data alerts count
microsoft_sentinel.IncidentUrl Incident Link Microsoft Sentinel incident link
microsoft_sentinel.SourceSystem Source System Microsoft Sentinel source system
microsoft_sentinel.AlertIds Alert IDs Microsoft Sentinel alert IDs

Mimecast Attachment Protect

(mimecast_attachment_protect)

file.name File Name File name of the malicious file
mimecast.fileExt File Extension File extension of the malicious file
mimecast.Size File Size Size (in bytes) of the malicious file
file.hash.md5 File MD5 Hash MD5 hash of the malicious file
file.hash.sha1 File SHA1 Hash SHA1 hash of the malicious file
file.hash.sha256 File SHA256 Hash SHA256 hash of the malicious file
mimecast.fileMime File MIME Type Detected MIME type of the malicious file
email.sender.address Sender Address Sender address
email.recipient.addresses Recipient Address(es) Recipient address(es)
email.subject Email Subject Email subject
mimecast.senderDomain Sender Domain Sender domain
mimecast.route The Route of the Message Route of the message

Mimecast AV

(mimecast_av)

srcip Source IP Address Source IP address
file.name File Name File name
mimecast.fileExt File Extension File extension
mimecast.Size File Size Size (in bytes) of the malicious file
file.hash.md5 File MD5 Hash File MD5 hash
file.hash.sha1 File SHA1 Hash File SHA1 hash
file.hash.sha256 File SHA256 Hash File SHA256 hash
mimecast.fileMime File MIME Type File MIME type
email.sender.address Sender Address Sender address
mimecast.senderDomain Sender Domain Sender domain
email.recipient.addresses Recipient Address(es) Recipient address(es)
email.subject Email Subject Email subject
mimecast.Route The Route of the Message Route of the message
mimecast.Virus Virus Signature Virus signature

Mimecast Impersonation Protect

(mimecast_email_impersonation_protect)

mimecast.aCode Mimecast aCode Unique ID used to track the email through the different log types from Mimecast
srcip Source IP Address Source IP address
email.sender.address Sender Address Sender address
email.recipient.addresses Recipient Address(es) Recipient address(es)
email.subject Email Subject Email subject
event.threat.name Alert Definition Alert definition
mimecast.Hits Number of Items Flagged Number of items flagged for the message
mimecast.Route The Route of the Message Route of the message

Mimecast Internal Email Protect

(mimecast_internal_email_protect)

mimecast.aCode Mimecast aCode Unique ID used to track the email through the different log types from Mimecast
srcip Source IP Address Source IP address
url Clicked URL URL the user clicked
event.threat.name URL Category URL category
email.sender.address Sender Address Sender address
email.recipient.addresses Recipient Address(es) Recipient address(es)
email.subject Email Subject Email subject
mimecast.Route The Route of the Message Route of the message

Mimecast Malicious Receipt Log

(mimecast_receipt_with_virus)

mimecast.aCode Mimecast aCode Unique ID used to track the email through the different log types from Mimecast
srcip Source IP Address Source IP address
email.sender.address Sender Address Sender address
email.recipient.addresses Recipient Address(es) Recipient address(es)
email.subject Email Subject Email subject
mimecast.Error Errors Occurred Information about any errors that occurred during receipt
mimecast.Dir Email Direction Direction of the email based on the sending and receiving domains
mimecast.Virus Virus Signature Virus signature
mimecast.Act Action Action taken at the receipt stage
mimecast.RejInfo Rejection Information Rejection information if the email was rejected at the receipt stage
mimecast.RejType Rejection Type Rejection type if the email was rejected at the receipt stage
mimecast.TlsVer TLS Version TLS version used if the email was received using TLS
mimecast.Cphr TLS Cipher TLS cipher used if the email was received using TLS

Mimecast URL Protect

(mimecast_url_protect)

srcip Source IP Address Source IP address
url Clicked URL URL the user clicked
event.threat.name URL Category URL category
event.reason Reason Event reason
email.sender.address Sender Address Sender address
email.recipient.addresses Recipient Address(es) Recipient address(es)
email.subject Email Subject Email subject
mimecast.action Mimecast Action Mimecast action
mimecast.senderDomain Sender Domain Sender domain
mimecast.route The Route of the Message Route of the message

Netskope Alert (Breach)

(netskope_protect_breach)

netskopewsg.type Netskope Alert Type Netskope alert type
netskopewsg.breach_id Netskope Breach ID Netskope breach ID
netskopewsg.alert_name Alert Name Alert name
srcip Source IP Source IP address
dstip Destination IP Destination IP address
host.ip Host IP (User's IP) Host IP address (user's IP address)
user.name User Name User name associated with Netskope account
netskopewsg.matched_username Matched User Name Email address associated with the breached access method
url URL URL
event.severity_str Netskope Alert Severity Netskope alert severity
netskopewsg.breach_score Netskope Breach Score Netskope breach score

Netskope Alert (Connection)

(netskope_protect_connection)

netskopewsg.type Netskope Alert Type Netskope alert type
netskopewsg.connection_id Netskope Connection ID Netskope connection ID
srcip Source IP Source IP address
dstip Destination IP Destination IP address
host.ip Host IP (User's IP) Host IP address (user's IP address)
user.name User Name User name
url URL URL
event.severity_str Netskope Alert Severity Netskope alert severity

Netskope Alert (Malsite)

(netskope_protect_malsite)

netskopewsg.type Netskope Alert Type Netskope alert type
event.threat.name Malsite Category Malsite category
netskopewsg.malsite_id Malsite ID Malsite ID
srcip Source IP Source IP address
dstip Destination IP Destination IP address
host.ip Host IP (User's IP) Host IP address (user's IP address)
user.name User Name User name
url Malsite URL Malsite URL
event.severity_str Netskope Alert Severity Netskope alert severity

Oracle Cloud Infrastructure (OCI) CloudGuard

(oci_cloudguard)

event.type Problem Type Problem type
event.threat.name Threat Name Threat name
event.severity_str OCI Severity Level OCI CloudGuard severity level
cloud.resource.type Cloud Resource Type Cloud resource type
cloud.resource.id Cloud Resource ID Cloud resource ID
cloud.resource.name Cloud Resource Name Cloud resource name
oracle.data.additionalDetails.problemRecommendation Problem Recommendation Problem recommendation from OCI

Proofpoint TAP

(proofpoint_tap)

srcip Source IP Address Source IP address
url Malicious URL Malicious URL that was clicked
email.subject Email Subject Email subject
email.sender.address Sender Address Who actually sent the email on behalf of the primary sender
email.from.address From Address Who the email is from
email.recipient.addresses Recipient Address(es) Who received the email (including CC and BCC)
email.to.addresses To Address(es) Primary intended recipient of the email
email.x_mailer X-Mailer X-Mailer content
event.threat_list Proofpoint Event Threat List Threat category: Threat artifact
  name Threat Name Proofpoint threat name
  category Threat Category Proofpoint threat category
  attachment Threat Attachment Proofpoint threat attachment
  severity Proofpoint Threat Severity Proofpoint threat severity
  url Proofpoint Threat URL Proofpoint threat URL

SentinelOne Cloud

(sentinelone)

host.name Host Name Computer name
host.ip Host IP Address Host IP address
file.name File Name File name
file.path File Path File path
process.parent.name Parent Process Name Originator process name

Sophos Alerts

(sophos_alerts)

host.ip Host IP Host IP address
user.name User Name User name
event.severity_str Sophos Severity Original severity level from Sophos
sophos.type Sophos Event Type Sophos event type
sophos.data.endpoint_platform Endpoint Platform Endpoint platform
file.path File Path File path
file.hash.sha256 File SHA256 File SHA256

Sophos Events

(sophos_events)

host.ip Host IP Host IP address
user.name User Name User name
sophos.user_id User ID User ID
event.severity_str Sophos Severity Original severity level from Sophos
sophos.type Sophos Event Type Sophos event type
sophos.endpoint_type Endpoint Platform Endpoint platform
file.path File Path File path
file.hash.sha256 File SHA256 File SHA256

Trellix (FireEye) Endpoint Security (AMSI)

(fireeye_amsi)

fireeye.source Alert Type FireEye alert source type
event.threat.name Threat Name FireEye alert name
event.severity_str Severity Severity level
host.ip Host IP Address Host IP address
host.name Host Name Host name
file_list File List File list
process_list Process List Process list: Pid (process command line)
event.url Event URL FireEye event URL

Trellix (FireEye) Endpoint Security (IOC)

(fireeye_ioc)

fireeye.source Alert Type FireEye alert source type
host.ip Host IP Address Host IP address
host.name Host Name Host name
event.name Event Name Event name
file.name File Name File name
process.name Process Name Process name
event.url Event URL FireEye event URL

Trellix (FireEye) Endpoint Security (MAL)

(fireeye_mal)

fireeye.source Alert Type FireEye alert source type
event.threat.name Threat Name FireEye alert name
fireeye.infection_type Infection Type FireEye Infection Type
event.severity_str FireEye Severity Level FireEye severity level
host.ip Host IP Address Host IP address
host.name Host Name Host name
file.path File Path File path
file.hash.md5 File MD5 Hash File MD5 hash
file.hash.sha1 File SHA1 Hash File SHA1 hash
file.hash.sha256 File SHA256 Hash File SHA256 hash
process.executable Event Actor Process Path FireEye event actor process path
process.pid Event Actor Process Pid FireEye event actor process Pid
event.url Event URL FireEye event URL

Trellix (FireEye) Endpoint Security (PROCGUARD)

(fireeye_procguard)

fireeye.source Alert Type FireEye alert source type
event.threat.name Threat Name FireEye alert name
host.ip Host IP Address Host IP address
host.name Host Name Host name
file_list File List File list
process_list Process List Process list: Pid (process command line)
event.url Event URL FireEye event URL

Trend Micro Vision One

(trendmicro_visionone)

event.threat.name Threat Name Threat name
event.severity_str Trend Micro Vision One Severity Original Trend Micro Vision One severity level
trendmicro_visionone.workbenchLink Trend Micro Vision One Workbench Link Trend Micro Vision One workbench link
host_list Host(s) Related host(s)
  name Host Name Host name
  ips Host IP(s) Host IP addresses
process_list Process(es) Related process(es)
file_list File(s) Related file(s)
  name File Name File name
  path File Path File path
  hash.md5 File MD5 Hash File MD5 hash
  hash.sha1 File SHA1 Hash File SHA1 hash
  hash.sha256 File SHA256 Hash File SHA256 hash
trendmicro_visionone.alertProvider Alert Provider Trend Micro Vision One alert provider
user_list User(s) Related user(s)

Varonis DatAdvantage

(varonis_datadvantage)

event.type Event Type Event type
event.threat.name Threat Name Threat name
event.severity CEF Severity Level Original CEF severity level
user.name User Name User name
file.name File Name File name
file.path File Path File path

VMware Carbon Black Cloud

(carbonblack)

host.name Host Name Computer name
host.external_ip Host External IP Address Host external IP address
host.ip Host Internal IP Address Host internal IP address
process.name Process Name Process name
event.description Event Reason Event reason

Windows Defender Antivirus

(windows_defender_antivirus)

event.ms_incident_id Incident ID Windows Defender incident ID
threat Threat Name Threat name
host.name Host Name Computer name
hostip Host IP Address Host IP address
file.path File Path File path
process.name Process Name Process name

Key Fields for Built-in and Rule-Based Alert Types

The Key Fields for built-in alert types and rule-based alert types are documented individually. See the Key Fields and Relevant Data Points for any alert type by its display name in Machine Learning Alert Type Details or by its XDR event name in Alert Types by XDR Event Name.

Key Fields in User Interface

To view the Key Fields in the user interface, click the Key Fields tab.

If the alert description is long, click the Show More button to display the full alert description. After the alert description is expanded, the button toggles to Show Less.

Some Key Fields, such as File Path, have an icon. Click the icon to copy the field value to the clipboard.

If the value of a Key Field is long, only three lines of text are displayed. Click the More button to expand the value. After the value is expanded, the button toggles to Less.

If there are multiple values in a Key Field such as for an Event Threat List, the sub-fields will appear below the Key Field in a smaller and lighter font.
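The tables above name each Key Field by a dotted path, and list-valued Key Fields such as event.threat_list carry sub-fields that the user interface renders beneath the parent. The following is an added example, not Stellar Cyber's own code, of how a practitioner might resolve those paths against an alert record to check which Key Fields an alert actually carries before relying on them in a query or a playbook. It assumes that an alert is a JSON object in which a Key Field Name such as event.threat.name is stored at alert["event"]["threat"]["name"], and that a list-valued Key Field holds one object per entry whose sub-fields are the rows listed beneath it in the tables. The "[]" path segment is this script's own notation for "every entry of the list", not a Stellar Cyber convention, and both sample alerts are constructed.

```python
"""Resolve Key Field paths against an alert document and report gaps.

Added example, not Stellar Cyber code.  Assumes alerts are JSON objects keyed
exactly as the Key Field Name column (so "event.threat.name" lives at
alert["event"]["threat"]["name"]) and that list-valued Key Fields hold one
object per entry whose sub-fields are the rows listed beneath them.
"""
from __future__ import annotations

from typing import Any

# Sentinel that distinguishes "field absent" from a present-but-empty value.
MISSING = object()

# Key Fields for the huntress_incident alert type, copied from the table above.
# The "[]" rows are the name/severity sub-fields of event.threat_list
# ("[]" is this script's notation, not Stellar Cyber's).
HUNTRESS_KEY_FIELDS = [
    "huntress.organization_name", "huntress.security_products",
    "huntress.incident_report_url", "huntress.user_url", "huntress.host_url",
    "host.name", "host.ip", "user_name",
    "event.threat_list", "event.threat_list[].name", "event.threat_list[].severity",
]

# A few microsoft_defender_cloud Key Fields: "Potential causes" is a single key
# that contains a space, which is why paths are split on "." and nothing else.
DEFENDER_CLOUD_KEY_FIELDS = [
    "microsoft_defender_cloud.AlertDisplayName",
    "microsoft_defender_cloud.ExtendedProperties.Potential causes",
    "srcip", "user.name",
]


def resolve(doc: Any, path: str) -> Any:
    """Return the value at a dotted path, or MISSING if it is absent.

    A segment ending in "[]" must name a list; the rest of the path is applied
    to every entry and the values found are returned as a list.  A list reached
    without "[]" counts as absent, so "event.threat_list.name" never silently
    picks the first entry.
    """
    return _walk(doc, path.split("."))


def _walk(node: Any, segments: list[str]) -> Any:
    if not segments:
        return node
    head, rest = segments[0], segments[1:]
    fan_out = head.endswith("[]")
    key = head[:-2] if fan_out else head
    if not isinstance(node, dict) or key not in node:
        return MISSING
    child = node[key]
    if not fan_out:
        return _walk(child, rest)
    if not isinstance(child, list):
        return MISSING
    present = [v for v in (_walk(item, rest) for item in child) if v is not MISSING]
    return present if present else MISSING


def key_field_values(doc: dict, key_fields: list[str]) -> dict[str, Any]:
    """Map each Key Field present in the alert to its resolved value."""
    found = {}
    for path in key_fields:
        value = resolve(doc, path)
        if value is not MISSING:
            found[path] = value
    return found


def missing_key_fields(doc: dict, key_fields: list[str]) -> list[str]:
    """Key Fields the table lists that this particular alert does not carry."""
    return [p for p in key_fields if resolve(doc, p) is MISSING]


# Constructed sample alerts (not real vendor output).  The Huntress sample
# deliberately lacks huntress.host_url.
SAMPLE_HUNTRESS = {
    "huntress": {
        "organization_name": "Example Org",
        "security_products": ["Managed EDR"],
        "incident_report_url": "https://huntress.example/reports/1",
        "user_url": "https://huntress.example/users/1",
    },
    "host": {"name": "WS-01", "ip": "10.0.0.5"},
    "user_name": "alice",
    "event": {"threat_list": [
        {"name": "Persistence via scheduled task", "severity": "high"},
        {"name": "Suspicious autorun entry", "severity": "low"},
    ]},
}

SAMPLE_DEFENDER_CLOUD = {
    "microsoft_defender_cloud": {
        "AlertDisplayName": "Suspicious process executed",
        "ExtendedProperties": {"Potential causes": "Malicious or legitimate admin activity"},
    },
    "srcip": "203.0.113.7",
    "user": {"name": "svc-build"},
}

if __name__ == "__main__":
    for label, doc, fields in (("huntress_incident", SAMPLE_HUNTRESS, HUNTRESS_KEY_FIELDS),
                               ("microsoft_defender_cloud", SAMPLE_DEFENDER_CLOUD, DEFENDER_CLOUD_KEY_FIELDS)):
        print(f"== {label}")
        for path, value in key_field_values(doc, fields).items():
            print(f"  {path}: {value}")
        print("  missing:", missing_key_fields(doc, fields))
```

Run against the Huntress sample, the report lists every Key Field except huntress.host_url, and the two "[]" paths come back as lists of per-threat values, which is the same parent/sub-field relationship the user interface shows by indenting the sub-fields under the Key Field. Treating a list reached without "[]" as absent is a deliberate choice: a query that quietly read only the first threat in a multi-threat incident would under-report the alert.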