Dictionary

The Dictionary defines schema attributes and includes references to the events and objects in which they are included.
Name Attribute Type Referenced By Description
AMSI Risk risk_ref_value Integer The Anti-malware Scan Interface (AMSI) risk level.
Access Complexity access_complexity_id Integer The access complexity Common Vulnerability Scoring System (CVSS) metric.
Access Mask access_mask Integer The access mask in platform-native format.
Access Mask Values access_mask_ids Integer Array The access mask values.
Access Scope access_scope_id Integer The scope of the requested access.
Accessed accessed Datetime The time that the file was last accessed.

Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC.

Accessor accessor String The name of the user who last accessed the object.
Account Disabled account_disabled Boolean The indication of whether the user's account is disabled.
Actor actor Process The process that performed the operation or action on the target object. For example, the process that could have created a new file or violated a policy.
Actual Permissions actual_permissions Integer Array The permissions that were granted to the process.
Admin Session is_admin Boolean The indication of whether the user or user session is admin/root.
Advertised is_advertised Boolean The indication of whether the protocol is advertised by the server.
Algorithm algorithm String The algorithm that was used to create the fingerprint. The valid values are one of the following: "md5", "sha1", or "sha2".
Allocated Memory mem_allocated Long The Java Virtual Machine® (JVM) allocated memory (in bytes).
Analysis analysis String The anti-malware emulation analysis.
Application ID app_uid String The unique identifier of the application that is associated with the event or object.
Application Name app_name String The name of the application that is associated with the event or object.
Application Version app_ver String The version of the application that is associated with the event or object.
Assignee assignee String The name of the user who is assigned to the incident.
Attack Vector attack_vector_id Integer The attack vector Common Vulnerability Scoring System (CVSS) metric.
Attacker IP attacker_ip IP Address The IP address of the malicious network device. The format is either IPv4 or IPv6.
Attacks attacks Attack Array The array of attacks that are associated with the event.
Attempt attempt Integer The delivery attempt.
Attribute IDs attribute_ids Integer Array The array of file attributes.
Attributes attributes Integer The bitmask value that represents the file attributes.
Audit audit Boolean The audit mode of the event. When true, no remediation actions were performed.
Auth Protocol auth_protocol_id Integer The authentication protocol.
Authentication authentication_id Integer The authentication Common Vulnerability Scoring System (CVSS) metric.
Autoscale ID autoscale_uid String The unique identifier of the cloud autoscale configuration.
Availability Impact availability_impact_id Integer The availability impact Common Vulnerability Scoring System (CVSS) metric.
Average CPU cpu_average Long Average CPU.
BSSID bssid String The Basic Service Set Identifier (BSSID).
Banner banner String The initial SMTP connection response that a messaging server receives after it connects to an email server.
Base Address base_address String The memory address where the module was loaded.
Binding Information binding String The remote procedure call protocol family, hostname, and endpoint connection.
CVE ID cve_uid String The common vulnerabilities and exposures (CVE) identifier.
CVSSV2 cvssv2 Common Vulnerability Scoring System V2 The Common Vulnerability Scoring System V2 (CVSSV2) base metrics.
Categories categories String Array The array of URL categories.
Category category_id Integer The category of the event or object. See specific usage.
Category IDs category_ids Integer Array The array of URL categories.
Channel channel_id Integer The channel that was used to update the component.
Cipher cipher String The encryption algorithm.
City city String The name of the city.
Class class String The class of the peripheral device.
Classification classification String The threat classification.
Classification IDs classification_ids Integer Array The array of threat classifications.
Cleartext Credentials cleartext_credentials Boolean Indicates whether the credentials were passed in clear text.

Note: True if the credentials were passed in a clear text protocol such as FTP or TELNET, or if Windows detected that a user's logon password was passed to the authentication package in clear text.

Client Domain client_domain String The CloudSOC client domain name.
Client ID client_uid String The OAUTH 2.0 Client ID.
Client User client_user String The CloudSOC client user name.
Cloud Resource ID cloud_resource_uid String The unique identifier of the cloud resource.
Collected Time log_time Datetime The time that the system collected the event.

Note: The internal time format is the number of milliseconds since 01/01/1970 00:00:00 UTC.

Collector Device IP collector_device_ip IP Address The IP address of the collector device in either IPv4 or IPv6 format.
Collector Device Name collector_device_name String The name of the collector device.
Collector ID collector_uid String The unique identifier of the collector.
Collector Name collector_name String The name of the collector.
Command ID command_uid String The unique command identifier.
Command Line cmd_line String The command line used to launch the startup application, service, process or job.
Command Name command_name String The command that pertains to the event or object.
Command Reference ID command_ref_uid String The command identifier that corresponds to the original command identifier.
Comment comment String The user-provided comment.
Company Name company_name String The name of the company that published the file. For example: "Microsoft Corporation".
Compliance Rule compliance_rule Compliance Rule The compliance rule that pertains to the event.
Compliant Device device_is_compliant Boolean The event occurred on a compliant device.
Component component String The name or relative pathname of a subcomponent of the data object, if applicable. For example: attachment.doc, attachment.zip/bad.doc, or part.mime/part.cab/part.uue/part.doc.
Composite Event composite Integer The type of composite event. See the Event Logging API for more information.
Compressed Size size_compressed Long The compressed size of the object, in bytes.
Conclusion conclusion String The conclusive description of the events that are associated with the incident.
Confidentiality confidentiality_id Integer The file content confidentiality indicator.
Confidentiality Impact confidentiality_impact_id Integer The confidentiality impact Common Vulnerability Scoring System (CVSS) metric.
Configuration config_path String The file or registry key that holds the startup application configuration.
Connection connection Network Connection The network connection object that pertains to the event.
Connection Direction connection_direction_id Integer The direction of the initiated connection.
Connection Reference Identifier connection_ref_uid String The reference to the network connection object that pertains to the event.
Container container Container The container that pertains to the event.
Container Network Information networks Network Info Array The network information objects that are associated with the container, one for each MAC address/IP address combination.

Note: The first element of the array is the network information that pertains to the event.

Content Type content_type_id Integer The type of the content to which the update pertains.
Content Type content_type File Content Type The file content type as defined by the STAR "File-typer" engine.
Continent continent String The name of the continent.
Coordinates coordinates Float Array A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. For example: [-73.983, 40.719].
Correlation ID correlation_uid String The unique identifier used to correlate events.
Count count Integer The count related to the event or object.
Country country String The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes.

Note: The two letter country code should be capitalized. For example: "US" or "CA".

Create Mask create_mask Integer The create disposition mask.
Create Mask create_mask_id Integer The Windows setting that is required to create the object.
Created created Datetime The time that the object was created. See specific usage.

Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC.

Creator creator String The name of the user who created the object. See specific usage.
Creator Process creator_process String The name of the process that created (or downloaded) the file or module.
Criteria criteria_id Integer The criteria that are associated with the rule.
Current Location curr_location Location The current location.
Current Version curr_ver String The updated version of the code, content, configuration or policy.
Customer ID customer_uid String The unique customer identifier.
Customer Registry ID customer_registry_uid String The unique Symantec customer registry identifier.
CybOx cybox Cyber Observable eXpression The Cyber Observable eXpression (CybOX™) attributes.
DKIM Domain dkim_domain String The DomainKeys Identified Mail (DKIM) signing domain of the email.
DKIM Signature dkim_signature String The DomainKeys Identified Mail (DKIM) signature used by the sending/receiving system.
DKIM Status dkim_id Integer The DomainKeys Identified Mail (DKIM) status of the email.
DLP Rule Type dlp_type_id Integer The Data Loss Protection specific rule type.
DMARC Override dmarc_override String The Domain-based Message Authentication, Reporting and Conformance (DMARC) override action.
DMARC Policy dmarc_policy_id Integer The Domain-based Message Authentication, Reporting and Conformance (DMARC) policy.
DMARC Status dmarc_id Integer The Domain-based Message Authentication, Reporting and Conformance (DMARC) status of the email.
Data data String The data that is associated with the event or object. See specific usage.
Data Center Region dc_region String The data center region, as defined by the cloud vendor.
Data Size data_size Integer The size of the data prior to truncation.
Days Left days_left Integer The number of days that remain before the license or certificate expires.
Default Value is_default_value Boolean The indication of whether the value is from a default value name. For example, the value name could be missing.
Description desc String The description that pertains to the object. See specific usage.
Destination IP dst_ip IP Address The IP address of the destination network connection device. The format is either IPv4 or IPv6.
Destination MAC dst_mac String The MAC address of the destination network connection device.
Destination Name dst_name String The host name of the destination network connection device.
Destination Port dst_port Integer The port number of the destination network connection.
Destination Service dst_service String The destination network connection service name.
Detection ID detection_uid String The associated unique detection event identifier. For example: detection response events include the Detection ID of the original event.
Detection Time detected Datetime The time that the threat was detected.
Detection Type detection_type String The incident detection type.
Detection Version content_ver String The version of the detection engine or signature content.

Note: AV, SONAR, and IPS have differing version string formats.

Detections num_detections Integer The number of detections.
Device Alias device_alias_name String The alternate device name, ordinarily as assigned by an administrator.
Device BIOS Date device_hw_bios_date String The BIOS date. For example: "03/31/16".
Device BIOS Manufacturer device_hw_bios_manufacturer String The BIOS manufacturer. For example: "LENOVO".
Device BIOS Version device_hw_bios_ver String The BIOS version. For example: "LENOVO G5ETA2WW (2.62)".
Device Caption device_cap String A short description or caption of the device. For example: "ATP Scanner 1" or "CSP Manager".
Device Cloud VM device_cloud_vm Cloud Hosted VM The cloud-hosted virtual machine.
Device Description device_desc String The description of the device, ordinarily as reported by the operating system.
Device Domain device_domain String The network domain where the device resides. For example: "internal.somecompany.com".
Device Domain ID device_domain_uid String The unique identifier of the domain where the device resides.
Device End Time device_end_time Datetime The time of the last aggregated event.

Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC, and this value must be greater than or equal to the Device Time (device_time) value.

Device Gateway device_gateway IP Address The gateway IP address. For example: "10.0.0.1".
Device Group device_group String The full path of the group to which the device belongs. For example: West Coast\Windows Laptops.
Device Group Name device_group_name String The name of the leaf group to which the device belongs. For example: Windows Laptops.
Device ID device_uid String The unique identifier of the device.
Device IMEI device_imei String The International Mobile Station Equipment Identifier that is associated with the device.
Device IP Address device_ip IP Address The IP address that pertains to the event, in either IPv4 or IPv6 format.

Note: Because the IP address of a device can change, the IP address must be captured when the event occurs, which may be different from when the event is sent. If additional network information is pertinent to the event, also populate Device Network Information (device_networks).

Device Location device_location Location The location of the device at the time of the event.
Device MAC Addresses device_mac String The Media Access Control (MAC) address that is associated with the device.
Device MD5 device_name_md5 String The MD5 hash of the device name.

Note: The hash must be of the lower-case device name.

Device Name device_name String The name of the device originating the event.

Note: The Device Name is ordinarily the host name, but could be any other string that helps to identify the device, such as a phone number; for example "computer.domain" or "310.555.1234".

Device Network Information device_networks Network Info Array The network information objects that are associated with the device, one for each MAC address/IP address combination.

Note: The first element of the array is the network information that pertains to the event.

Device OS device_os_name String The name of the operating system running on the device from which the event originated. For example: "Windows 10 Home Basic", "Mac OS X", "iOS", or "Android".
Device OS Bits device_os_bits Integer The number of processor bits. For example: 64 or 128.
Device OS Build device_os_build String The operating system build number.
Device OS Country Code device_os_country String The operating system country code as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes.
Device OS Edition device_os_edition String The operating system edition. For example: "Professional".
Device OS Language device_os_lang String The lowercase two-letter ISO language code as defined by ISO 639-1. For example: "en", "de", or "fr".
Device OS Service Pack device_os_sp_name String The name of the latest Service Pack.
Device OS Service Pack Version device_os_sp_ver String The version number of the latest Service Pack.
Device OS Type device_os_type_id Integer The type of the operating system.
Device OS Version device_os_ver String The version of the OS running on the device that originated the event. For example: "Windows 10", "OS X 10.7", or "iOS 9".
Device Org Unit device_org_unit String The name of the org unit to which the device belongs.
Device Org Unit ID org_unit_uid String The unique identifier of the organizational unit.
Device Processor Type device_hw_cpu_type String The processor type. For example: "x86 Family 6 Model 37 Stepping 5".
Device Proxy IP device_proxy_ip IP Address The proxy IP address.
Device Proxy Name device_proxy_name String The proxy host name. For example: "localproxy".
Device Public IP device_public_ip IP Address The public IP address.

Note: The Device Public IP is populated with the value of the x-forwarded-for message header, if present.

Device Reference ID device_ref_uid String The unique reference identifier of the device.
Device Site device_site String The name of the site to which the device belongs.
Device Subnet device_subnet IP Address The subnet IP address. For example: "255.0.0.0".
Device Time device_time Datetime The time that the event occurred at the device.

Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC. The event producer or the event collection agent that detects the event provides the event Device Time.

Device Type device_type String The type of device originating the event. For example: "unknown", "server", "desktop", "laptop", "tablet", "mobile", "virtual", "browser", or "other".
Device Virtual Host Type device_vhost_id Integer The device virtual host type.
Device Virtual Host Type String device_vhost String The device virtual host type string.
Direction direction_id Integer The direction of the initiated traffic.
Directory directory File The directory that pertains to the event.
Directory Result directory_result File The directory that is the result of the event.
Display Name display_name String The service display name.
Displayed Text displayed_text String The information that is displayed to the user that describes the impact of a client side override action.
Domain domain String The name of the domain.
Domain ID domain_uid String The unique domain identifier.
Domains domains String Array The domains that pertain to the event. See specific usage.
Download Bytes bytes_download Long The number of bytes downloaded from the source to the destination.
Duration duration Integer The duration of the scan (seconds).
Effective Date effective_date Datetime The date and time that the specific policy and rule was applied and became operational.

Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC.

Email email Email The email that pertains to the event.
Email Attacks email_attacks JSON Array The email threat analytics report.
Email Authentication email_auth Email Auth The SPF, DKIM and DMARC attributes of an email.
Email ID email_uid String The unique identifier of the email, used to correlate related email detection and activity events.
Emails emails Email Array The emails that pertain to the event. See specific usage.
End Time end_time Datetime The end time that pertains to the event or object. See specific usage.

Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC.

Entity entity Managed Entity The managed entity that pertains to the event.
Entity Result entity_result Managed Entity The updated managed entity.
EoC Remediation Request eoc_request JSON An object describing the Evidence of Compromise (EoC) remediation request.
Error Files num_errors Integer The number of files with either scanning or remediation errors.
EtherType ether_type Integer The EtherType indicates which protocol is encapsulated in the payload of an Ethernet frame.
Event ID event_id Integer The event ID identifies the event's semantics, structure and outcome.
Event Time time Datetime The event occurrence time (Device Time) adjusted to the server clock.

Note: The internal time format is the number of milliseconds since 01/01/1970 00:00:00 UTC.

Event Unique ID uuid String The system-assigned unique identifier of an event occurrence.
Events events JSON Array The additional events that pertain to the event or incident.
Events per Second throughput_eps Integer The number of events processed per second.
Exception status_exception String The operating system exception message.
Extended Attributes xattributes JSON An unordered collection of zero or more name/value pairs where each pair represents a file or directory extended attribute.

For example: Windows alternate data stream attributes (ADS stream name, ADS size, etc.), user-defined or application-defined attributes, ACL, owner, primary group, etc. Examples from DCS:

  • ads_name
  • ads_size
  • dacl
  • owner
  • primary_group
  • link_name - name of the link associated to the file.
  • hard_link_count - the number of links that are associated to the file.
  • Unix_permissions - Unix permissions notation style for user, group and others to access the file, including notations for setuid, setgid and sticky bit settings. For example "rwxrw-r--", "r-xr-sr-x", "rwxrwxrwt".
External Account ID external_account_uid String The user's external account unique identifier.
External ID external_uid String The user's external unique identifier.
Facility facility String The subsystem or application that is providing the event data.
Facility Detail facility_detail String Additional detail about the source facility. For example, details could include the name of a particular application instance (such as a database name) or a path to a monitored log file.
Facility ID facility_uid String The unique identifier of the facility.
Family family_id Integer The top level file classification.
Feature ID feature_uid String The unique identifier of the feature originating the event.
Feature Name feature_name String The name of the feature originating the event.

Note: The Feature Name is ordinarily defined by the product SKU, but it could be any other name that identifies the software component originating the event. For example: "Live Update".

Feature Path feature_path String The path of the feature originating the event.
Feature Type feature_type String The type of feature.
Feature Version feature_ver String The version of the feature originating the event. For example: "2014.1.3.64".
File file File The file that pertains to the event or object. See specific usage.
File Diff file_diff String File content differences used for change detection. For example, a common use case is to identify itemized changes within INI or configuration/property setting values.
File Result file_result File The resulting file object. For example, if a file operation is allowed, the resulting file object can be included in the event.
Files files File Array The files that pertain to the event. See specific usage.
First Seen first_seen Datetime The initial detection time of the threat.
Folder folder String The parent folder in which the file resides. For example: "c:\windows\system32".
Folder ID folder_uid String The unique identifier of the folder in which the file resides.
Free Memory mem_free Long The Java Virtual Machine® (JVM) free memory (in bytes).
From header_from String The email header From values, as defined by RFC 5322.
Full Name full_name String The full name of the entity.
Gateway IP Address gateway_ip IP Address The gateway IP address. For example: "10.0.0.1".
Gateway MAC Address gateway_mac String The gateway media access control (MAC) address.
Group Description group_desc String The description of the group to which the policy belongs.
Group ID gid Integer The administrative group identifier.
Group ID group_uid String The unique identifier of the group to which the policy belongs.
Group Name group_name String The name of the group to which the policy belongs.
Group Name group String The name of the administrative group.
Groups groups String Array The administrative groups to which the user belongs.
HTTP Status http_status Integer The HTTP status code returned to the client.
HTTP User-Agent http_user_agent String The request header that is used to identify the operating system and web browser.
Home home String The user's home directory.
Host Name host_name String The hostname that pertains to the event or object. See specific usage.
Host Name host String The host name of the URL.
Host Names hostnames String Array The host names that pertain to the event or object. See specific usage.
IANA Service Name svc_name String The service name as defined by the Internet Assigned Numbers Authority (IANA). See Service Name and Transport Protocol Port Number Registry.
ID uid String The unique identifier that pertains to the event or object. See specific usage.
IPv4 Address ipv4 IP Address The IPv4 address that is associated with the network interface.
IPv4 Addresses ipv4s IP Address Array The IPv4 addresses that pertain to the event. See specific usage.
IPv6 Address ipv6 IP Address The IPv6 address that is associated with the network interface.
IPv6 Addresses ipv6s IP Address Array The IPv6 addresses that pertain to the event. See specific usage.
ISP isp String The name of the Internet Service Provider (ISP).
Identifier id Integer The identifier of the entity or the disposition of the event. See specific usage.
Idle CPU cpu_idle Long Idle CPU.
Image ID image_uid String The container unique image identifier.
Image Name image_name String The container image name.
Impersonator Customer ID impersonator_customer_uid String The unique customer identifier of the impersonating agent.
Impersonator Domain ID impersonator_domain_uid String The unique domain identifier of the impersonating agent.
Impersonator User ID impersonator_user_uid String The unique user identifier of the impersonating agent.
Incident ID incident_uid String The incident unique identifier.
Incident URL incident_url String The URL used to access the original incident.
Injection Type injection_type_id Integer The process injection method.
Instance ID instance_uid String The unique identifier of the instance that pertains to the event or object. See specific usage.
Integrity Impact integrity_impact_id Integer The integrity impact Common Vulnerability Scoring System (CVSS) metric.
Integrity Level integrity_id Integer The process integrity level (Windows only).
Interface ID interface_uid String The unique identifier of the remote procedure call interface.
Interface Version interface_ver String The remote procedure call interface version.
Interpreter interpreter String The script interpreter used. For example: "CMD", "POWERSHELL", "VBSCRIPT", "JAVASCRIPT".
Issuer Name issuer_name String The certificate issuer name.
Issuer Organization issuer_organization String The certificate issuer organization.
Job job Job The job object that pertains to the event.
Kernel kernel Kernel Resource The kernel resource object that pertains to the event.
Key Length key_length Integer The length of the encryption key.
Kilobytes per Second throughput_kbps Integer The number of kilobytes of data processed per second (kB/s).
Label label String The label set for the policy.
Last Run last_run Datetime The last run time that pertains to the event. See specific usage.

Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC.

Last Written last_write Datetime The last write time that pertains to the event or object. See specific usage.

Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC.

License license License Information The license information that pertains to the event.
Lineage lineage String Array The lineage of the actor process.
Load Type load_type_id Integer The load type identifies how the module was loaded in memory.
Load Type load_type String The load type describes how the module was loaded in memory.
Loaded Module loaded_module_name String The name of the module loaded by the service.
Loaded Modules loaded_modules String Array The list of loaded module names.
Local local Boolean The indication of whether the connection is between two endpoints on the same device. For example, Source IP (src_ip) and Destination IP (dst_ip) could be the same.
Log Level log_level String The log level as reported by the logger subsystem.
Log Name log_name String The name of the database, index, or archive where the event was logged.
Logging Device ID logging_device_ref_uid String The unique identifier of the device that collects logs from other devices.
Logging Device IP logging_device_ip IP Address The IP address of the device that logged the event.
Logging Device Name logging_device_name String The name of the device that logged the event.
Logging Device Time logging_device_post_time Datetime The time when the event was logged by the logging device.

Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC.

Logon Name logon_name String The logon name of the entity.
Logon Type logon_type_id Integer The type of logon.
MAC Address mac String The MAC address that is associated with the network interface.
MAC Addresses macs String Array The MAC addresses that are associated with the network interface. See specific usage.
MD5 md5 String The MD5 checksum of the object content.
MIME type mime_type String The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
Maximum Memory mem_max Long The Java Virtual Machine® (JVM) maximum memory (in bytes).
Message message String The description of the event.
Message Code message_code String The coded string representation of the message, ordinarily used for troubleshooting.
Message ID message_id String The numeric representation of the message, ordinarily used for translation purposes.
Message ID header_message_id String The email header Message-Id value, as defined by RFC 5322.
Method method String The HTTP method used in the URL request.
Model model String The peripheral device model.
Modified modified Datetime The time when the object was last modified. See specific usage.

Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC.

Modifier modifier String The name of the user who last modified the object. See specific usage.
Module module Module The module that pertains to the event.
Module Type module_type String The type of module.
Name name String The name of the entity. See specific usage.
Net Detection ID net_detection_uid String The unique identifier of the network detection event that is associated with this event.
Network Information network Network Info The network information object that is associated with the event.
Next Run next_run Datetime The next run time that pertains to the event. See specific usage.

Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC.

Normalized Command Line normalized_cmd_line String The CSIDL normalized command line used to launch the startup application, service, process or job (Windows only).
Normalized Path normalized_path String The CSIDL normalized path name. For example: "CSIDL_SYSTEM\svchost.exe" (Windows only).
OS Code status_os String The operating system result code.
OS Code Source status_os_src Integer The indication of whether the OS Code (status_os) returned to the application for the requested operation was returned by the OS (0) or generated by the security product (1).
OS Name os_name String The container operating system name.
On Premises on_premises Boolean The indication of whether the location is on premises.
Open Mask open_mask_id Integer The Windows setting that is required to open the object.
Open Mode open_mode Boolean The mode in which the file or folder was opened.
Operation operation String The operating system operation that initiated the event.
Operation Number interface_op Integer The remote procedure call interface operation number.
Original Data orig_data String The pre-normalized event data.
Original Event ID ref_orig_uid String The unique identifier of the external event that corresponds to Reference Event ID (ref_uid), if applicable.
Original Name original_name String The original name of the file.
Override Duration override_duration Integer The length, in minutes, that the override action remains in place before it is restored when the time expires. If not provided, the policy enforcement has an infinite duration, or lasts until another policy action occurs.
Owner owner String The owner of the file.
Owner data_owner_name String The name of the data owner.
Owner Email data_owner_email String The email address of the data owner.
Parent Categories parent_categories String Array The array of parent URL categories.
Parent File parent_name String The name of the file that contains this file.
Parent Process parent Process The parent process of the process associated with the event. See specific usage.
Parent SHA2 parent_sha2 String The SHA-256 checksum of the parent file.
Password Expires password_expires Boolean The indication of whether the user's password is configured to expire.
Path path String The path that pertains to the event or object. See specific usage.
Peripheral Device peripheral_device Peripheral Device The peripheral device that pertains to the event.
Personal Device device_is_personal Boolean The event occurred on a personal device.
Policy policy Policy The policy that pertains to the event.
Policy Change Type change_type_id Integer The reason for the policy change.
Port port Integer The port that is associated with the event or object. See specific usage.
Previous Location prev_location Location The previous location.
Previous Security Level prev_security_level_id Integer The previous security level of the entity.
Previous Security States prev_security_state_ids Integer Array The previous security states of the entity.
Previous Users previous_users String Array An ordered list of the previous user names used within the session, from latest to earliest.
Previous Version prev_ver String The pre-update version of the code, content, configuration or policy.
Print Job print_job String The name of the print or FAX job.
Printer printer Printer The printer associated with the event.
Priority priority_id Integer The incident priority.
Privileges privileges String Array The user privileges.
Process process Process The process that pertains to the event.
Process ID pid Integer The process identifier, as reported by the operating system.
Product Data product_data JSON The event attributes that are specific to the reporting product.
Product ID product_uid String The unique identifier of the product originating the event.
Product Language product_lang String The two-letter lowercase language code as defined by ISO 639-1. For example: "en" (English), "de" (German), or "fr" (French).
Product Name product_name String The name of the product that pertains to the event or object. See specific usage.
Product Path product_path String The path to the product that includes the file.
Product Version product_ver String The version of the product.

Note: The version is as defined by the product SKU originating the event. For example: "2013.1.3-beta".

Protocol protocol_id Integer The network protocol as defined by RFC1340. For example: TCP=6 and UDP=17.
Provider provider String The origin of the reputation and category information. For example: "CAS", "CASMA", "Cynic", "Skeptic", or "Synapse".
Proxy Connection proxy_connection Network Connection If a proxy connection is present, the connection from the proxy server to the remote destination server.
Proxy Device IP proxy_device_ip IP Address The IP address of the proxy device that is collecting events from other devices. For example: the IP address of a Windows Domain controller. The format is either IPv4 or IPv6.
Proxy Device Name proxy_device_name String The name of the proxy device that is collecting events from other devices.
Public Network is_public Boolean The indication of whether the network interface is a public IP address.
Quarantine ID quarantine_uid String The unique identifier of the item that was quarantined or restored from quarantine.
Query query String The query portion of the URL. For example: the query portion of the URL "http://www.example.com/search?q=bad&sort=date" is "q=bad&sort=date".
RPC rpc Remote Procedure Call The RPC object that pertains to the network connection.
Raw Data raw_data String The event data as received.
Raw Header raw_header String The email authentication header.
Reason reason String The reason for the detection.
Reason reason_id Integer The reason for the detection.
Recipient recipient String The Click-time protection email to address.
Recovery Key ID recovery_key_uid String The unique identifier of the recovery key of the volume.
Reference Event ID ref_uid String The unique external original message or event identifier that was used to record the event. For example: the Windows Event Log Event ID, the SEPM event UID, or the SYSLOG msgid.
Reference Event Log Name ref_log_name String The log name of the reference event.
Reference Event Log Time ref_log_time Datetime The log time of the reference event.

Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC.

Reference Incident ID ref_incident_uid String The unique identifier of the original incident.
Referrer referrer String The address accessed prior to this one.
Region region String The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For examples, see the region codes for the US.
Registry Key reg_key Registry Key The registry key that pertains to the event.
Registry Key Result reg_key_result Registry Key The registry key that is the result of the event.
Registry Value reg_value Registry Value The registry value that pertains to the event.
Registry Value Result reg_value_result Registry Value The registry value that is the result of the event.
Remediated remediated Boolean The indication of whether the event was remediated.
Remediation remediation String The remediation information.
Remediation ID remediation_uid String The unique identifier of the remediation information.
Remediation Reference remediation_ref String The reference to remediation information.

Note: The information can be either internal or external to the reporting product.

Remote remote Boolean The indication of whether the session is remote.
Remote Device Name remote_device_name String The name of the device associated with the remote process.
Remote Host remote_host String The host name of the device associated with the remote session.
Remote IP remote_ip IP Address The IP address of the device associated with the remote session. The format is either IPv4 or IPv6.
Remote Process remote_process Process The remote process that performed the operation or action on the target object.
Reply To header_reply_to String The email header Reply-To values, as defined by RFC 5322.
Reputation Discovered rep_discovered_date Datetime The Symantec discovery date of the reputed file or URL.

Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC.

Reputation Discovered Band rep_discovered_band Integer The discovery fuzzed band number, expressed as the number of days since discovery.
Reputation Prevalence rep_prevalence Integer The file reputation prevalence, as provided by a reputation query.
Reputation Prevalence Band rep_prevalence_band Integer The file reputation prevalence fuzzed band number.
Reputation Score rep_score_id Integer The reputation score of the URL.
Reputation Score rep_score Integer The reputation score of the file.
Reputation Score Band rep_score_band Integer The file reputation score fuzzed band number.
Request Headers request_headers JSON The additional information associated with an HTTP request.
Request ID request_uid String The unique identifier of the request. See specific usage.
Requested Permissions requested_permissions Integer Array The permissions that were requested by the process.
Resolution resolution_id Integer The incident resolution.
Resolutions num_resolutions Integer The number of items that were resolved.
Resource resource String The target resource.
Resource Type resource_type String The context in which a resource was retrieved in a web request.
Response response_id Integer The response action taken.
Response Headers response_headers JSON The additional information associated with an HTTP response.
Risk risk_id Integer The cumulative risk rating of the threat as defined by the Foresight policy.
Risk risk Float The Common Vulnerability Scoring System (CVSS) calculated risk.
Rule Category rule_category_id Integer The category to which the rule belongs.
Rule Criteria Target rule_criteria_target String The target of the rule criteria.
Rule Description rule_desc String The additional information that describes the rule.
Rule Group Description rule_group_desc String The additional information that describes the group to which the rule belongs.
Rule Group ID rule_group_uid String The unique identifier of the group to which the rule belongs.
Rule Group Name rule_group_name String The name of the group to which the rule belongs.
Rule ID rule_uid String The unique identifier of the rule that generated the event or was in effect when the event occurred.
Rule Name rule_name String The rule associated with the event. See specific usage.
Rules rules Rule Array The additional rules that are associated with the policy.
Run Count run_count Integer The prefetch file run count.
SHA-1 sha1 String The SHA-1 checksum of the object content.
SHA-256 sha2 String The SHA-256 checksum of the object content.
SMTP From smtp_from String The value of the SMTP MAIL FROM command.
SMTP Hello smtp_hello String The value of the SMTP HELO or EHLO command.
SMTP To smtp_to String Array The value of the SMTP envelope RCPT TO command.
SPF Status spf_id Integer The Sender Policy Framework (SPF) status of the email.
SSID ssid String The Service Set Identifier (SSID).
SSL Certificate certificate Certificate The certificate that pertains to the event.
STIC Control Data ID stic_schema_id String The telemetry submission control data identifier, represented as an 8 byte hexadecimal string.
STIC Enterprise IDs stic_legacy_ent_uids String Array The list of Enterprise IDs (related to license entitlement) that have been associated with the device.
STIC Hardware ID stic_hw_uid String The device hardware ID.
STIC Hardware IDs stic_legacy_hw_uids String Array The list of Hardware IDs that have been associated with the device.
STIC IP Hash stic_ip_hash String The STIC hash of the IP address.
STIC Machine ID stic_uid String The device Machine ID.
STIC Machine IDs stic_legacy_uids String Array The list of Machine IDs that have been associated with the device.
STIC PII stic_has_pii Boolean The indication of whether the event has any Personally Identifiable Information (PII).
STIC Version stic_version String The version of the STIC library.
Sandbox sandbox_name String The name of the containment jail (i.e., sandbox).
Scan End scan_end Datetime The time that the scan ended.

Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC.

Scan ID scan_uid String The unique identifier of the scan that is associated with the event.
Scan Name scan_name String The administrator-supplied or application-generated name of the scan. For example:
  • "Home office weekly user database scan"
  • "Scan folders for viruses"
  • "Full system virus scan"
Scan Outcome verdict_id Integer The outcome of the Scan.
Scan Start scan_start Datetime The time that the scan started.

Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC.

Scan Type scan_type String The type of scan.
Scan Type scan_type_id Integer The type of scan.
Scanned Archives num_archives Integer The number of archives scanned.
Scanned Files num_files Integer The number of files scanned.
Scanned Folders num_folders Integer The number of folders scanned.
Scanned Network Items num_network Integer The number of network items scanned.
Scanned Processes num_processes Integer The number of processes scanned.
Scanned Registry Items num_registry Integer The number of registry items scanned.
Schedule ID schedule_uid String The unique identifier of the schedule that is associated with the event.
Scheme scheme String The scheme portion of the URL. For example: "http", "https", "ftp" or "sftp".
Security Descriptor security_descriptor String The object security descriptor.
Security ID sid String The user security identifier (SID). The SID is a unique value of variable length used to identify a trustee. Each user account has a SID issued by an authority, such as a Windows domain controller, and stored in a security database.
Security Level curr_security_level_id Integer The current security level of the entity.
Security States curr_security_state_ids Integer Array The current security states of the entity.
Sender Email sender_email String The email address of the sender.
Sender Host Name sender_host String The host name of the sending email server.
Sender IP Address sender_ip IP Address The IP address of the sender, in either IPv4 or IPv6 format.
Sequence Number seq_num Integer A 32-bit positive number that indicates the order of events sent by the client.

Note: The first event that a client sends has a Sequence Number of 1 and the client increments the Sequence Number with each subsequent event. For UNPACK (2) composite events, each event in the events array must have a unique seq_num, such as events[i+1].seq_num = events[i].seq_num + 1. When the sequence number wraps around, based on java.lang.Integer.MAX_VALUE, it must start from 1. The event service records sequence numbers to detect lost events.

Serial Number serial String The serial number that pertains to the object. See specific usage.
Service service Service The service that pertains to the object.
Session session Session The user session that pertains to the event.
Session ID session_id Integer The ID of the user session that pertains to the event or object, as reported by the OS.
Session ID session_uid String The unique ID of the user session that pertains to the event.
Sessions sessions Session Array The user sessions on the device.
Severity severity_id Integer The severity of the event.
Shell shell String The user's login shell.
Signature Bits signature_value Long The digital signature bitmask.
Signature Company Name signature_company_name String The company name on the certificate that signed the file.
Signature Created Date signature_created_date Datetime The date and time when the signature was created.

Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC.

Signature Developer ID signature_developer_uid String The developer ID on the certificate that signed the file.
Signature Fingerprints signature_fingerprints Fingerprint Array The array of fingerprint objects associated with the certificate.
Signature Issuer signature_issuer String The issuer of the object signature.
Signature Level signature_level_id Integer A numeric representation of the signature level. The signature levels are defined by STAR.
Signature Serial Number signature_serial_number String The object serial number.
Signature Value IDs signature_value_ids Integer Array The array of signature values as derived from the Signature Bits.
Size size Long The size of the object, in bytes.
Skipped num_skipped Integer The number of skipped items.
Source source Event Source The monitored source that originated the event.
Source Event ID ref_event Integer The event source's event id.
Source Event Name ref_event_name String The event source's event name.
Source IP src_ip IP Address The source device IP address that pertains to the event or object. The format is either IPv4 or IPv6.
Source MAC src_mac String The MAC address of the device that initiated the network connection.
Source Name src_name String The host name of the source device that pertains to the event or object.
Source Port src_port Integer The port number of the source device.
Source Service src_service String The source network connection service name.
Stack Trace status_stack_trace String The list of calls that the application was making when an exception was thrown.
Start Time start_time Datetime The start time that pertains to the event or object. See specific usage.

Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC.

Start Type start_id Integer The start type of the service or startup application.
Startup Application startup_app Startup App The startup application that pertains to the event.
State state_id Integer The state of the event or object. See specific usage.
State run_state_id Integer The state of the job or service. See specific usage.
States state_ids Integer Array The states that are related to the policy.
Status status_id Integer The cross-platform event status.
Status Details status_detail String The status details.
Sub-feature Name subfeature_name String The name of the sub-feature originating the event.
Sub-technique ID sub_technique_uid String The unique identifier of the attack sub-technique, as defined by ATT&CK Matrix™.
Sub-technique Name sub_technique_name String The name of the attack sub-technique, as defined by ATT&CK Matrix™.
Subject header_subject String The email header Subject value, as defined by RFC 5322.
Subject City subject_city String The certificate subject city.
Subject Country subject_country String The certificate subject country.
Subject Email subject_email String The certificate subject email.
Subject Name subject_name String The certificate subject name.
Subject Org Unit subject_org_unit String The certificate subject organizational unit.
Subject Organization subject_organization String The certificate subject organization.
Subject State subject_state String The certificate subject state.
Subject Street subject_street String The certificate subject street.
Subnet ID subnet_uid String The unique identifier of the virtual subnet.
Subtype subtype String The specific format for the type of data.
Suspected Breach suspected_breach Boolean The indication of whether a breach is suspected.
System is_system Boolean The indication of whether the object is part of the operating system.
System Activity activity_id Integer The related system activity.
System CPU cpu_system Long System CPU.
System Call system_call String The system call that was invoked.
TCP Flags tcp_flags Integer The network connection TCP header flags (i.e., control bits).
TLS tls Tls The Transport Layer Security (TLS) attributes.
TLS Policy tls_policy_id Integer The Transport Layer Security (TLS) policy.
Tactics tactic_uids String Array The tactics that are associated with the attack technique, as defined by ATT&CK Matrix™.
Tactics tactic_ids Integer Array The tactics that are associated with the attack technique (To be deprecated, use tactic_uids).
Target target JSON The target is the object of the Action.
Target Name target_name String The target name.
Technique ID technique_uid String The unique identifier of the attack technique, as defined by ATT&CK Matrix™. For example: T1189.
Technique Name technique_name String The name of the attack technique, as defined by ATT&CK Matrix™. For example: Drive-by Compromise.
Thread ID tid Integer The Identifier of the thread associated with the event, as returned by the operating system.
Thread Name status_thread_name String The name of the thread that pertains to the status.
Threat threat Threat The primary threat identified by the event.

Note: The primary threat may be the first threat found by the detection engine, or it may be the most severe threat found. The client determines the primary threat.

Threat Sub ID sub_id Integer The threat sub identifier as reported by the detection engine.

Note: Pertains only to IPS threats.

Threats threats Threat Array The additional threats that were detected.
Time Zone timezone Integer The number of minutes that the reported Device Time is ahead or behind UTC. A number in the range -1,080 to +1,080.
To header_to String Array The email header To values, as defined by RFC 5322.
Top Attacked top_attacked JSON Array The top 20 email accounts in your organization who were intended recipients of malicious emails during the report period.
Total total Integer The total number of items. See specific usage.
Transaction ID transaction_uid String The unique identifier of the transaction.
Trusted num_trusted Integer The number of trusted items.
Trusted Device device_is_trusted Boolean The event occurred on a trusted device.
Type type_id Integer The type of the object or event. See specific usage.
Type String type String The type of the event, object, or value. See specific usage.
Types type_ids Integer Array The service type identifiers.
URL url Uniform Resource Locator The URL object that pertains to the event or object. See specific usage.
URL Text text String The URL text string.
URLs urls Uniform Resource Locator Array The URLs that pertain to the event. See specific usage.
Unmanaged Device device_is_unmanaged Boolean The event occurred on an unmanaged device.
Unresolved num_unresolved Integer The number of scanned items with threats, but no resolution.
Upload Bytes bytes_upload Long The number of bytes uploaded from the source to the destination.
Used is_used Boolean The indication of whether the TLS is used.
Used used Integer The number of items used.
User user User The user that pertains to the event or object. See specific usage.
User Activity activity String The user activity related to the event.
User CPU cpu_user Long User CPU.
User ID user_uid String The unique identifier of the user associated with the event.
User Name user_name String The name of the user that originated or caused the event (if the event involves a user) or the user on whose behalf the event occurred.
User Present is_user_present Boolean The indication of whether the user was logged on at event generation time.
Users users User Array The users that belong to the administrative group.
VPC ID vpc_uid String The unique identifier of the Virtual Private Cloud (VPC).
Valid is_valid Boolean The indication of whether the certificate is valid.
Value value String The value that pertains to the object. See specific usage.
Vendor vendor String The vendor that pertains to the object. See specific usage.
Version version String The version that pertains to the event or object. See specific usage.
Violations num_violations Integer The number of times the policy or rule was violated.
Volume ID volume_uid String The unique identifier of the volume.