# Query Email Events

{% admonition type="warning" name="In Development" %}
This operation is actively being developed. Breaking changes should be
expected.

Please contact us before using this operation.
{% /admonition %}
Returns a list of email events matching the query from the token-linked Email Security provider. Defaults to the last 30 days of email events. This can be overridden by using the time filter. Note that some providers may have a maximum time range limit.

Operation ID: emailsecurity_query_email_events

Endpoint: GET /v1/email-security/email-events
Security: BearerAuth

## Query parameters:

  - `meta` (array)
    Add metadata to the response by invoking meta functions. Documentation for meta functions is available at https://docs.synqly.com/api-reference/meta-functions. Not all meta functions are available at every endpoint.

  - `limit` (integer,null)
    Number of email events to return. Defaults to 1000 with a maximum of 5000. If a provider has a maximum limit lower than 5000, the provider's maximum limit will be used instead.

  - `filter` (array)
    Filter results by this query. For more information on filtering, refer to our Filtering Guide. Defaults to no filter. If used more than once, the queries are ANDed together.

  - `cursor` (string,null)
    Start search from cursor position.
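The following is an added example, not Synqly's own client code, showing how a caller would assemble a request from the query parameters above and then flatten the returned events (using the `activity_id`, `direction_id`, `email.files.type_id` and `email.files.hashes` fields documented below) into records suitable for triage. The bearer token, the filter strings (their syntax is in the Filtering Guide), the sample events and the hash value are placeholders constructed for the example, and the "inbound executable or encrypted attachment" rule is the example's own heuristic, not something the API computes.

```python
"""Client-side helpers for the Query Email Events endpoint (added example,
not Synqly's own client). Assumed/constructed: the token, the filter strings
(syntax lives in the Filtering Guide), the sample events and hash values."""
import json
from urllib.parse import urlencode

# Values taken from the endpoint documentation above.
ENDPOINT = "/v1/email-security/email-events"
MAX_LIMIT = 5000                       # documented ceiling; providers may clamp lower
EMAIL_ACTIVITY_CLASS_UID = 4009        # class_uid for OCSF Email Activity
NETWORK_ACTIVITY_CATEGORY_UID = 4      # category_uid for Network Activity
ACTIVITY = {0: "Unknown", 1: "Send", 2: "Receive", 3: "Scan",
            4: "Trace", 5: "MTARelay", 99: "Other"}
DIRECTION = {0: "Unknown", 1: "Inbound", 2: "Outbound", 3: "Internal",
             4: "Local", 99: "Other"}
EXECUTABLE_FILE_TYPE_ID = 8            # files.type_id value for ExecutableFile
# Captions for files.hashes.algorithm_id, read from the algorithm descriptions.
HASH_ALG = {1: "MD5", 2: "SHA-1", 3: "SHA-256", 4: "SHA-512", 5: "CTPH",
            6: "TLSH", 7: "quickXorHash", 18: "Imphash"}


def build_request(token, filters=(), limit=None, cursor=None, meta=()):
    """Return (path_with_query, headers) for GET /v1/email-security/email-events.

    Every entry of `filters` becomes its own `filter` parameter; the service
    ANDs them. `limit` is checked against the documented maximum of 5000, but a
    provider with a lower ceiling still returns fewer rows, so callers must not
    assume a full page.
    """
    if limit is not None and not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    params = [("filter", f) for f in filters] + [("meta", m) for m in meta]
    if limit is not None:
        params.append(("limit", str(limit)))
    if cursor:
        params.append(("cursor", cursor))
    path = ENDPOINT + ("?" + urlencode(params) if params else "")
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    return path, headers


def triage_event(event):
    """Flatten one event and flag inbound attachments that deserve a look.

    The rule (inbound + executable or encrypted attachment) is this example's
    own triage heuristic, not something the API computes.
    """
    if (event.get("class_uid") != EMAIL_ACTIVITY_CLASS_UID
            or event.get("category_uid") != NETWORK_ACTIVITY_CATEGORY_UID):
        raise ValueError("not an OCSF Email Activity event")
    email = event.get("email") or {}
    direction = DIRECTION.get(event.get("direction_id"), "Other")
    files = email.get("files") or []
    flagged, hashes = [], {}
    for f in files:
        reasons = []
        if f.get("type_id") == EXECUTABLE_FILE_TYPE_ID:
            reasons.append("executable")
        if f.get("is_encrypted"):          # encrypted content cannot be scanned
            reasons.append("encrypted")
        if reasons and direction == "Inbound":
            flagged.append({"name": f["name"], "reasons": reasons})
        for h in f.get("hashes") or []:    # keep hashes for later IoC matching
            alg = HASH_ALG.get(h["algorithm_id"], "Other")
            hashes.setdefault(f["name"], {})[alg] = h["value"]
    return {
        "activity": ACTIVITY.get(event.get("activity_id"), "Other"),
        "direction": direction,
        "delivered_to": email.get("delivered_to"),
        "attachment_count": email.get("attachment_count", len(files)),
        "hashes": hashes,
        "flagged_files": flagged,
    }


def triage_response(body):
    """Triage every event in a decoded 200 response body."""
    return [triage_event(e) for e in body["result"]]


# Constructed sample response in the documented shape (not real provider data;
# the hash value is a placeholder).
SAMPLE_RESPONSE = json.loads("""{
  "result": [
    {"activity_id": 2, "category_uid": 4, "class_uid": 4009, "direction_id": 1,
     "email": {"attachment_count": 1, "delivered_to": "john_doe@example.com",
               "files": [{"name": "invoice.exe", "type_id": 8, "ext": "exe",
                          "hashes": [{"algorithm_id": 3,
                                      "value": "PLACEHOLDER_SHA256"}]}]}},
    {"activity_id": 1, "category_uid": 4, "class_uid": 4009, "direction_id": 2,
     "email": {"attachment_count": 1, "delivered_to": "partner@example.net",
               "files": [{"name": "notes.txt", "type_id": 1, "ext": "txt"}]}}
  ]
}""")

if __name__ == "__main__":
    path, headers = build_request("<bearer token>",
                                  filters=["<filter from the Filtering Guide>"],
                                  limit=500)
    print("GET", path)
    for row in triage_response(SAMPLE_RESPONSE):
        print(row)
```

The `path` and `headers` pair can be handed to any HTTP client; the triage output is what you would forward to a SIEM or ticketing system rather than the raw event.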

## Response 200 fields (application/json):

  - `result` (array, required)
    List of email events

  - `result.activity_id` (integer, required)
    ActivityId is an enum, and the following values are allowed.
0 - Unknown: The event activity is unknown.
1 - Send
2 - Receive
3 - Scan: Email being scanned (example: security scanning)
4 - Trace: Follow an email message as it travels through an organization. The message_trace_uid should be populated when selected.
5 - MTARelay: Email processed by an MTA, typically combining send, receive, and scan operations into a single activity.
99 - Other: The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.

  - `result.category_uid` (integer, required)
    CategoryUid is an enum, and the following values are allowed.
4 - NetworkActivity: Network Activity events.

  - `result.class_uid` (integer, required)
    ClassUid is an enum, and the following values are allowed.
4009 - EmailActivity: Email Activity events report SMTP protocol and email activities including those with embedded URLs and files. See the Email object for details.

  - `result.direction_id` (integer, required)
    DirectionId is an enum, and the following values are allowed.
0 - Unknown: The email direction is unknown.
1 - Inbound: Email Inbound, from the Internet or outside network destined for an entity inside network.
2 - Outbound: Email Outbound, from inside the network destined for an entity outside network.
3 - Internal: Email Internal, from inside the network destined for an entity inside network.
4 - Local: Local network connection (localhost). The connection is intra-device, originating from and destined for services running on the same device.
99 - Other: The direction is not mapped. See the direction attribute, which contains a data source specific value.

  - `result.email` (object, required)
    The Email object describes the email metadata such as sender, recipients, and direction, and can include embedded URLs and files.

  - `result.email.attachment_count` (integer,null)
    The number of attachments in the email as reported by the event source.

  - `result.email.cc` (array,null)
    The machine-readable email header Cc values, as defined by RFC 5322. For example example.user@usersdomain.com.

  - `result.email.cc_mailboxes` (array,null)
    The human-readable email header Cc Mailbox values. For example 'Example User <example.user@usersdomain.com>'.

  - `result.email.delivered_to` (string)
    Email address. For example: john_doe@example.com.

  - `result.email.delivered_to_list` (array,null)
    The machine-readable Delivered-To email header values. For example example.user@usersdomain.com.

  - `result.email.files` (array,null)
    The files embedded or attached to the email.

  - `result.email.files.name` (string, required)
    File name. For example: text-file.txt.

  - `result.email.files.type_id` (integer, required)
    FileTypeId is an enum, and the following values are allowed.
0 - Unknown: The type is unknown.
1 - RegularFile
2 - Folder
3 - CharacterDevice
4 - BlockDevice
5 - LocalSocket
6 - NamedPipe
7 - SymbolicLink
8 - ExecutableFile
99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.

  - `result.email.files.accessed_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.email.files.accessed_time_dt` (string,null)
    The time when the file was last accessed.

  - `result.email.files.accessor` (object)
    The User object describes the characteristics of a user/person or a security principal.

  - `result.email.files.accessor.account` (object)
    The Account object contains details about the account that initiated or performed a specific activity within a system or application. Additionally, the Account object refers to logical Cloud and Software-as-a-Service (SaaS) based containers such as AWS Accounts, Azure Subscriptions, Oracle Cloud Compartments, Google Cloud Projects, and otherwise.

  - `result.email.files.accessor.account.is_disabled` (boolean,null)
    Indicates if the account is disabled.

  - `result.email.files.accessor.account.is_locked` (boolean,null)
    Indicates if the account is locked. For example, due to the amount of failed logins.

  - `result.email.files.accessor.account.is_on_premises_sync_enabled` (boolean,null)
    Indicates whether synchronization with an on-premises directory service is enabled. For example, Microsoft Entra Connect.

  - `result.email.files.accessor.account.labels` (array,null)
    The list of labels associated to the account.

  - `result.email.files.accessor.account.name` (string,null)
    The name of the account (e.g. GCP Project name, Linux Account name or AWS Account name).

  - `result.email.files.accessor.account.tags` (array,null)
    The list of tags; {key:value} pairs associated to the account.

  - `result.email.files.accessor.account.type` (string,null)
    The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.

  - `result.email.files.accessor.account.type_id` (integer)
    AccountTypeId is an enum, and the following values are allowed.
0 - Unknown: The account type is unknown.
1 - LDAPAccount
2 - WindowsAccount
3 - AWSIAMUser
4 - AWSIAMRole
5 - GCPAccount
6 - AzureADAccount: Note: The new product name for Azure AD is Microsoft Entra ID.
7 - MacOSAccount
8 - AppleAccount
9 - LinuxAccount
10 - AWSAccount
11 - GCPProject
12 - OCICompartment
13 - AzureSubscription
14 - SalesforceAccount
15 - GoogleWorkspace
16 - ServicenowInstance
17 - M365Tenant
18 - EmailAccount
19 - ActiveDirectoryAccount
99 - Other: The account type is not mapped.

  - `result.email.files.accessor.account.uid` (string,null)
    The unique identifier of the account (e.g. AWS Account ID, OCID, GCP Project ID, Azure Subscription ID, Google Workspace Customer ID, or M365 Tenant UID).

  - `result.email.files.accessor.credential_uid` (string,null)
    The unique identifier of the user's credential. For example, AWS Access Key ID.

  - `result.email.files.accessor.display_name` (string,null)
    The display name of the user, as reported by the product.

  - `result.email.files.accessor.domain` (string,null)
    The domain where the user is defined. For example: the LDAP or Active Directory domain.

  - `result.email.files.accessor.email_addr` (string)
    Email address. For example: john_doe@example.com.

  - `result.email.files.accessor.forward_addr` (string)
    Email address. For example: john_doe@example.com.

  - `result.email.files.accessor.full_name` (string,null)
    The full name of the user, as reported by the product.

  - `result.email.files.accessor.groups` (array,null)
    The administrative groups to which the user belongs.

  - `result.email.files.accessor.groups.desc` (string,null)
    The group description.

  - `result.email.files.accessor.groups.domain` (string,null)
    The domain where the group is defined. For example: the LDAP or Active Directory domain.

  - `result.email.files.accessor.groups.name` (string,null)
    The group name.

  - `result.email.files.accessor.groups.privileges` (array,null)
    The group privileges.

  - `result.email.files.accessor.groups.type` (string,null)
    The type of the group.

  - `result.email.files.accessor.groups.uid` (string,null)
    The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. Another example, pool id or desktop id that the device belongs to.

  - `result.email.files.accessor.groups.uid_alt` (string,null)
    The alternate unique identifier.

  - `result.email.files.accessor.has_mfa` (boolean,null)
    The user has a multi-factor or secondary-factor device assigned.

  - `result.email.files.accessor.ldap_person` (object)
    The additional LDAP attributes that describe a person.

  - `result.email.files.accessor.ldap_person.cost_center` (string,null)
    The cost center associated with the user.

  - `result.email.files.accessor.ldap_person.created_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.email.files.accessor.ldap_person.created_time_dt` (string,null)
    The timestamp when the user was created.

  - `result.email.files.accessor.ldap_person.deleted_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.email.files.accessor.ldap_person.deleted_time_dt` (string,null)
    The timestamp when the user was deleted. In Active Directory (AD), when a user is deleted they are moved to a temporary container and then removed after 30 days. So, this field can be populated even after a user is deleted for the next 30 days.

  - `result.email.files.accessor.ldap_person.department` (string,null)
    The name of the department in which the user works.

  - `result.email.files.accessor.ldap_person.display_name` (string,null)
    The display name of the LDAP person. According to RFC 2798, this is the preferred name of a person to be used when displaying entries.

  - `result.email.files.accessor.ldap_person.email_addrs` (array,null)
    A list of additional email addresses for the user.

  - `result.email.files.accessor.ldap_person.employee_uid` (string,null)
    The employee identifier assigned to the user by the organization.

  - `result.email.files.accessor.ldap_person.given_name` (string,null)
    The given or first name of the user.

  - `result.email.files.accessor.ldap_person.hire_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.email.files.accessor.ldap_person.hire_time_dt` (string,null)
    The timestamp when the user was or will be hired by the organization.

  - `result.email.files.accessor.ldap_person.job_title` (string,null)
    The user's job title.

  - `result.email.files.accessor.ldap_person.labels` (array,null)
    The labels associated with the user. For example, in AD this could be the userType or employeeType attribute, with values such as Member or Employee.

  - `result.email.files.accessor.ldap_person.last_login_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.email.files.accessor.ldap_person.last_login_time_dt` (string,null)
    The last time when the user logged in.

  - `result.email.files.accessor.ldap_person.ldap_cn` (string,null)
    The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe.

  - `result.email.files.accessor.ldap_person.ldap_dn` (string,null)
    The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service. For example, cn=John Doe,ou=People,dc=example,dc=com.

  - `result.email.files.accessor.ldap_person.leave_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.email.files.accessor.ldap_person.leave_time_dt` (string,null)
    The timestamp when the user left or will be leaving the organization.

  - `result.email.files.accessor.ldap_person.location` (object)
    The Geo Location object describes a geographical location, usually associated with an IP address.

  - `result.email.files.accessor.ldap_person.location.aerial_height` (string,null)
    Expressed as either height above takeoff location or height above ground level (AGL) for a UAS current location. This value is provided in meters and must have a minimum resolution of 1 m. Special Values: Invalid, No Value, or Unknown: -1000 m.

  - `result.email.files.accessor.ldap_person.location.city` (string,null)
    The name of the city.

  - `result.email.files.accessor.ldap_person.location.continent` (string,null)
    The name of the continent.

  - `result.email.files.accessor.ldap_person.location.coordinates` (array,null)
    A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. For example: [-73.983, 40.719].

  - `result.email.files.accessor.ldap_person.location.country` (string,null)
    The ISO 3166-1 Alpha-2 country code. Note: The two letter country code should be capitalized. For example: US or CA.

  - `result.email.files.accessor.ldap_person.location.desc` (string,null)
    The description of the geographical location.

  - `result.email.files.accessor.ldap_person.location.geodetic_altitude` (string,null)
    The aircraft distance above or below the ellipsoid as measured along a line that passes through the aircraft and is normal to the surface of the WGS-84 ellipsoid. This value is provided in meters and must have a minimum resolution of 1 m. Special Values: Invalid, No Value, or Unknown: -1000 m.

  - `result.email.files.accessor.ldap_person.location.geodetic_vertical_accuracy` (string,null)
    Provides quality/containment on geodetic altitude. This is based on ADS-B Geodetic Vertical Accuracy (GVA). Measured in meters.

  - `result.email.files.accessor.ldap_person.location.geohash` (string,null)
    Geohash of the geo-coordinates (latitude and longitude). Geohashing is a geocoding system used to encode geographic coordinates in decimal degrees, to a single string.

  - `result.email.files.accessor.ldap_person.location.horizontal_accuracy` (string,null)
    Provides quality/containment on horizontal position. This is based on ADS-B NACp. Measured in meters.

  - `result.email.files.accessor.ldap_person.location.is_on_premises` (boolean,null)
    Indicates whether the location is on-premises.

  - `result.email.files.accessor.ldap_person.location.isp` (string,null)
    The name of the Internet Service Provider (ISP).

  - `result.email.files.accessor.ldap_person.location.lat` (number,null)
    The geographical Latitude coordinate represented in Decimal Degrees (DD). For example: 42.361145.

  - `result.email.files.accessor.ldap_person.location.long` (number,null)
    The geographical Longitude coordinate represented in Decimal Degrees (DD). For example: -71.057083.

  - `result.email.files.accessor.ldap_person.location.postal_code` (string,null)
    The postal code of the location.

  - `result.email.files.accessor.ldap_person.location.pressure_altitude` (string,null)
    The uncorrected barometric pressure altitude (based on reference standard 29.92 inHg, 1013.25 mb) provides a reference for algorithms that utilize 'altitude deltas' between aircraft. This value is provided in meters and must have a minimum resolution of 1 m. Special Values: Invalid, No Value, or Unknown: -1000 m.

  - `result.email.files.accessor.ldap_person.location.provider` (string,null)
    The provider of the geographical location data.

  - `result.email.files.accessor.ldap_person.location.region` (string,null)
    The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. For example, 'CH-VD' for the Canton of Vaud, Switzerland.

  - `result.email.files.accessor.ldap_person.manager` (object)
    The User object describes the characteristics of a user/person or a security principal.

  - `result.email.files.accessor.ldap_person.modified_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.email.files.accessor.ldap_person.modified_time_dt` (string,null)
    The timestamp when the user entry was last modified.

  - `result.email.files.accessor.ldap_person.office_location` (string,null)
    The primary office location associated with the user. This could be any string and isn't a specific address. For example, South East Virtual.

  - `result.email.files.accessor.ldap_person.phone_number` (string,null)
    The telephone number of the user. Corresponds to the LDAP Telephone-Number CN.

  - `result.email.files.accessor.ldap_person.surname` (string,null)
    The last or family name for the user.

  - `result.email.files.accessor.ldap_person.tags` (array,null)
    The list of tags; {key:value} pairs associated to the user.

  - `result.email.files.accessor.name` (string)
    User name. For example: john_doe.

  - `result.email.files.accessor.org` (object)
    The Organization object describes characteristics of an organization or company and its division if any. Additionally, it also describes cloud and Software-as-a-Service (SaaS) logical hierarchies such as AWS Organizations, Google Cloud Organizations, Oracle Cloud Tenancies, and similar constructs.

  - `result.email.files.accessor.org.name` (string,null)
    The name of the organization, Oracle Cloud Tenancy, Google Cloud Organization, or AWS Organization. For example, Widget, Inc. or the AWS Organization name.

  - `result.email.files.accessor.org.ou_name` (string,null)
    The name of an organizational unit, Google Cloud Folder, or AWS Org Unit. For example, the GCP Project Name, or Dev_Prod_OU.

  - `result.email.files.accessor.org.ou_uid` (string,null)
    The unique identifier of an organizational unit, Google Cloud Folder, or AWS Org Unit. For example, an Oracle Cloud Tenancy ID, AWS OU ID, or GCP Folder ID.

  - `result.email.files.accessor.org.uid` (string,null)
    The unique identifier of the organization, Oracle Cloud Tenancy, Google Cloud Organization, or AWS Organization. For example, an AWS Org ID or Oracle Cloud Domain ID.

  - `result.email.files.accessor.phone_number` (string,null)
    The telephone number of the user.

  - `result.email.files.accessor.programmatic_credentials` (array,null)
    Details about the programmatic credential (API keys, access tokens, certificates, etc) associated to the user.

  - `result.email.files.accessor.programmatic_credentials.uid` (string, required)
    The unique identifier of the programmatic credential. This could be an API key ID, service account key ID, access token identifier, certificate serial number, or other unique identifier that distinguishes this credential from others. Examples: AWS Access Key ID, GCP Service Account Key ID, Azure Application ID, or OAuth2 token identifier.

  - `result.email.files.accessor.programmatic_credentials.last_used_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.email.files.accessor.programmatic_credentials.last_used_time_dt` (string,null)
    The timestamp when this programmatic credential was last used for authentication or API access. This helps track credential usage patterns, identify dormant credentials that may pose security risks, and support credential lifecycle management. The timestamp should reflect the most recent successful authentication or API call using this credential.

  - `result.email.files.accessor.programmatic_credentials.type` (string,null)
    The type or category of programmatic credential, normalized to the caption of the type_id value. In the case of 'Other', it is defined by the event source. Examples include 'API Key', 'Service Account Key', 'Access Token', 'Client Certificate', 'OAuth Token', 'Personal Access Token', etc.

  - `result.email.files.accessor.risk_level` (string,null)
    The risk level, normalized to the caption of the risk_level_id value.

  - `result.email.files.accessor.risk_level_id` (integer)
    UserRiskLevelId is an enum, and the following values are allowed.
0 - Info
1 - Low
2 - Medium
3 - High
4 - Critical
99 - Other: The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.

  - `result.email.files.accessor.risk_score` (integer,null)
    The risk score as reported by the event source.

  - `result.email.files.accessor.type` (string,null)
    The type of the user. For example, System, AWS IAM User, etc.

  - `result.email.files.accessor.type_id` (integer)
    UserTypeId is an enum, and the following values are allowed.
0 - Unknown: The type is unknown.
1 - User: Regular user account.
2 - Admin: Admin/root user account.
3 - System: System account. For example, Windows computer accounts with a trailing dollar sign ($).
4 - Service: Service account. For example, Windows service account.
99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.

  - `result.email.files.accessor.uid` (string,null)
    The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.

  - `result.email.files.accessor.uid_alt` (string,null)
    The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.

  - `result.email.files.attributes` (integer,null)
    The bitmask value that represents the file attributes.

  - `result.email.files.company_name` (string,null)
    The name of the company that published the file. For example: Microsoft Corporation.

  - `result.email.files.confidentiality` (string,null)
    The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.

  - `result.email.files.confidentiality_id` (integer)
    FileConfidentialityId is an enum, and the following values are allowed.
0 - Unknown: The confidentiality is unknown.
1 - NotConfidential
2 - Confidential
3 - Secret
4 - TopSecret
5 - Private
6 - Restricted
99 - Other: The confidentiality is not mapped. See the confidentiality attribute, which contains a data source specific value.

  - `result.email.files.created_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.email.files.created_time_dt` (string,null)
    The time when the file was created.

  - `result.email.files.creator` (object)
    The User object describes the characteristics of a user/person or a security principal.

  - `result.email.files.desc` (string,null)
    The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.

  - `result.email.files.drive_type` (string,null)
    The drive type, normalized to the caption of the drive_type_id value. In the case of Other, it is defined by the source.

  - `result.email.files.drive_type_id` (integer)
    FileDriveTypeId is an enum, and the following values are allowed.
0 - Unknown: The drive type is unknown.
1 - Removable: The drive has removable media; for example, a floppy drive, thumb drive, or flash card reader.
2 - Fixed: The drive has fixed media; for example, a hard disk drive or flash drive.
3 - Remote: The drive is a remote (network) drive.
4 - ROM: The drive is a CD-ROM drive.
5 - RAMDisk: The drive is a RAM disk.
99 - Other: The drive type is not mapped. See the drive_type attribute, which contains a data source specific value.

  - `result.email.files.encryption_details` (object)
    Details about the encryption methodology utilized.

  - `result.email.files.encryption_details.algorithm` (string,null)
    The encryption algorithm used, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.

  - `result.email.files.encryption_details.algorithm_id` (integer)
    EncryptionDetailsAlgorithmId is an enum, and the following values are allowed.
0 - Unknown: The algorithm is unknown.
1 - DES: Data Encryption Standard Algorithm
2 - TripleDES: Triple Data Encryption Standard Algorithm
3 - AES: Advanced Encryption Standard Algorithm.
4 - RSA: Rivest-Shamir-Adleman Algorithm
5 - ECC: Elliptic Curve Cryptography Algorithm
6 - SM2: ShangMi Cryptographic Algorithm
99 - Other: The algorithm is not mapped. See the algorithm attribute, which contains a data source specific value.

  - `result.email.files.encryption_details.key_length` (integer,null)
    The length of the encryption key used.

  - `result.email.files.encryption_details.key_uid` (string,null)
    The unique identifier of the key used for encryption. For example, AWS KMS Key ARN.

  - `result.email.files.encryption_details.type` (string,null)
    The type of the encryption used.

  - `result.email.files.ext` (string,null)
    The extension of the file, excluding the leading dot. For example: exe from svchost.exe, or gz from export.tar.gz.

  - `result.email.files.hashes` (array,null)
    An array of hash attributes.

  - `result.email.files.hashes.algorithm_id` (integer, required)
    FingerprintAlgorithmId is an enum, and the following values are allowed.
0 - Unknown: The algorithm is unknown.
1 - MD5: MD5 message-digest algorithm producing a 128-bit (16-byte) hash value.
2 - SHA-1: Secure Hash Algorithm 1 producing a 160-bit (20-byte) hash value.
3 - SHA-256: Secure Hash Algorithm 2 producing a 256-bit (32-byte) hash value.
4 - SHA-512: Secure Hash Algorithm 2 producing a 512-bit (64-byte) hash value.
5 - CTPH: The ssdeep generated fuzzy checksum. Also known as Context Triggered Piecewise Hash (CTPH).
6 - TLSH: The TLSH fuzzy hashing algorithm.
7 - quickXorHash: Microsoft simple non-cryptographic hash algorithm that works by XORing the bytes in a circular-shifting fashion.
8 - SHA-224: Secure Hash Algorithm 2 producing a 224-bit (28-byte) hash value.
9 - SHA-384: Secure Hash Algorithm 2 producing a 384-bit (48-byte) hash value.
10 - SHA-512/224: Secure Hash Algorithm 2 producing a 512-bit (64-byte) hash value truncated to a 224-bit (28-byte) hash value.
11 - SHA-512/256: Secure Hash Algorithm 2 producing a 512-bit (64-byte) hash value truncated to a 256-bit (32-byte) hash value.
12 - SHA3-224: Secure Hash Algorithm 3 producing a 224-bit (28-byte) hash value.
13 - SHA3-256: Secure Hash Algorithm 3 producing a 256-bit (32-byte) hash value.
14 - SHA3-384: Secure Hash Algorithm 3 producing a 384-bit (48-byte) hash value.
15 - SHA3-512: Secure Hash Algorithm 3 producing a 512-bit (64-byte) hash value.
16 - xxHash64: xxHash H3 producing a 64-bit hash value.
17 - xxHash128: xxHash H3 producing a 128-bit hash value.
18 - Imphash: Import hash (imphash) based on the import table of a Portable Executable (PE) file producing a 128-bit (16-byte) hash value.
19 - NPF: Network Protocol Fingerprint (NPF) used to identify network protocols and applications.
20 - HASSH: HASSH is a network fingerprinting standard which can be used to identify specific SSH client and server implementations.
99 - Other: The algorithm is not mapped. See the algorithm attribute, which contains a data source specific value.

  - `result.email.files.hashes.value` (string, required)
    Fingerprint. A value, in any format, that maps an arbitrarily large data item to a much shorter string that uniquely identifies the original data. Examples include cryptographic hashing of a file, code signing, and Network Protocol Fingerprinting (NPF). Note about the name: the type name file_hash_t and the caption "Hash" are used for legacy reasons. This type has been generalized from a file hash to a general fingerprint; the existing type name and caption were retained for backwards compatibility.

  - `result.email.files.hashes.algorithm` (string,null)
    The algorithm or scheme used to create the fingerprint, normalized to the caption of algorithm_id. In the case of Other, it is defined by the event source.

  - `result.email.files.imported_symbols` (array,null)
    A list of symbols imported by the executable file.

  - `result.email.files.internal_name` (string,null)
    The name of the file as identified within the file itself. This contrasts with the name by which the file is known on disk. Where available, the internal name is widely used by security practitioners and detection content because the on-disk file name is not reliable. On the Windows OS, most PE files contain a VERSIONINFO resource from which the internal name can be obtained. On macOS, binaries can optionally embed a copy of the application's Info.plist file which in turn contains the name of the executable.

  - `result.email.files.is_deleted` (boolean,null)
    Indicates if the file was deleted from the filesystem.

  - `result.email.files.is_encrypted` (boolean,null)
    Indicates if the file is encrypted.

  - `result.email.files.is_public` (boolean,null)
    Indicates if the file is publicly accessible. For example, an object's public access setting in AWS S3.

  - `result.email.files.is_readonly` (boolean,null)
    Indicates that the file cannot be modified.

  - `result.email.files.is_system` (boolean,null)
    The indication of whether the object is part of the operating system.

  - `result.email.files.mime_type` (string,null)
    The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.

  - `result.email.files.modified_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.email.files.modified_time_dt` (string,null)
    The time when the file was last modified.

  - `result.email.files.modifier` (object)
    The User object describes the characteristics of a user/person or a security principal.

  - `result.email.files.owner` (object)
    The User object describes the characteristics of a user/person or a security principal.

  - `result.email.files.parent_folder` (string,null)
    The parent folder in which the file resides. For example: c:\windows\system32.

  - `result.email.files.path` (string)
    The full path to the file. For example: c:\windows\system32\svchost.exe.

  - `result.email.files.product` (object)
    The Product object describes characteristics of a software product.

  - `result.email.files.product.cpe_name` (string,null)
    The Common Platform Enumeration (CPE) name as described by NIST. For example: cpe:/a:apple:safari:16.2.

  - `result.email.files.product.feature` (object)
    The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.

  - `result.email.files.product.feature.name` (string,null)
    The name of the feature.

  - `result.email.files.product.feature.uid` (string,null)
    The unique identifier of the feature.

  - `result.email.files.product.feature.version` (string,null)
    The version of the feature.

  - `result.email.files.product.lang` (string,null)
    The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).

  - `result.email.files.product.name` (string,null)
    The name of the product.

  - `result.email.files.product.path` (string,null)
    The installation path of the product.

  - `result.email.files.product.uid` (string,null)
    The unique identifier of the product.

  - `result.email.files.product.url_string` (string)
    Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

  - `result.email.files.product.vendor_name` (string,null)
    The name of the vendor of the product.

  - `result.email.files.product.version` (string,null)
    The version of the product, as defined by the event source. For example: 2013.1.3-beta.

  - `result.email.files.security_descriptor` (string,null)
    The object security descriptor.

  - `result.email.files.signature` (object)
    The Digital Signature object contains information about the cryptographic mechanism used to verify the authenticity, integrity, and origin of the file or application.

  - `result.email.files.signature.algorithm_id` (integer, required)
    DigitalSignatureAlgorithmId is an enum, and the following values are allowed.
0 - Unknown: The algorithm is unknown.
1 - DSA: Digital Signature Algorithm (DSA).
2 - RSA: Rivest-Shamir-Adleman (RSA) Algorithm.
3 - ECDSA: Elliptic Curve Digital Signature Algorithm.
4 - Authenticode: Microsoft Authenticode Digital Signature Algorithm.
99 - Other: The algorithm is not mapped. See the algorithm attribute, which contains a data source specific value.

  - `result.email.files.signature.algorithm` (string,null)
    The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.

  - `result.email.files.signature.certificate` (object)
    The Digital Certificate, also known as a Public Key Certificate, object contains information about the ownership and usage of a public key. It serves as a means to establish trust in the authenticity and integrity of the public key and the associated entity.

  - `result.email.files.signature.certificate.issuer` (string, required)
    The certificate issuer distinguished name.

  - `result.email.files.signature.certificate.serial_number` (string, required)
    The serial number of the certificate used to create the digital signature.

  - `result.email.files.signature.certificate.created_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.email.files.signature.certificate.created_time_dt` (string,null)
    The time when the certificate was created.

  - `result.email.files.signature.certificate.expiration_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.email.files.signature.certificate.expiration_time_dt` (string,null)
    The expiration time of the certificate.

  - `result.email.files.signature.certificate.fingerprints` (array,null)
    The fingerprint list of the certificate.

  - `result.email.files.signature.certificate.is_self_signed` (boolean,null)
    Denotes whether a digital certificate is self-signed or signed by a known certificate authority (CA).

  - `result.email.files.signature.certificate.sans` (array,null)
    The list of subject alternative names that are secured by a specific certificate.

  - `result.email.files.signature.certificate.subject` (string,null)
    The certificate subject distinguished name.

  - `result.email.files.signature.certificate.uid` (string,null)
    The unique identifier of the certificate.

  - `result.email.files.signature.certificate.version` (string,null)
    The certificate version.

  - `result.email.files.signature.created_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.email.files.signature.created_time_dt` (string,null)
    The time when the digital signature was created.

  - `result.email.files.signature.developer_uid` (string,null)
    The developer ID on the certificate that signed the file.

  - `result.email.files.signature.digest` (object)
    The Fingerprint object provides detailed information about a fingerprint, which is a compact representation of data used to identify a longer piece of information, such as a public key, file content, or application implementation. It contains the algorithm or scheme and value of the fingerprint, enabling efficient and reliable identification of the associated data.

  - `result.email.files.signature.state` (string,null)
    The digital signature state defines the signature state, normalized to the caption of 'state_id'. In the case of 'Other', it is defined by the event source.

  - `result.email.files.signature.state_id` (integer)
    DigitalSignatureStateId is an enum, and the following values are allowed.
0 - Unknown: The state is unknown.
1 - Valid: The digital signature is valid.
2 - Expired: The digital signature is invalid because its timestamp does not fall within the certificate's validity period.
3 - Revoked: The digital signature is invalid due to certificate revocation.
4 - Suspended: The digital signature is invalid due to certificate suspension.
5 - Pending: The digital signature state is pending.
6 - Untrusted: The digital signature is invalid because the certificate is rooted in an untrusted CA or is an untrusted self-signed certificate.
7 - Distrusted: The digital signature is invalid because the certificate is explicitly distrusted. Note that whereas revocation is global, distrust reflects local IT/security policy.
8 - WrongUsage: The digital signature is invalid because the certificate is not intended for code signing purposes.
9 - Bad: The digital signature is cryptographically invalid, e.g. a mismatched digest. This indicates possible tampering.
10 - Broken: The digital signature is malformed and could not be processed.
99 - Other: The state is not mapped. See the state attribute, which contains a data source specific value.

  - `result.email.files.signatures` (array,null)
    A collection of Digital Signature objects.

  - `result.email.files.size` (integer,null)
    The size of data, in bytes.

  - `result.email.files.storage_class` (string,null)
    The storage class of the file. For example in AWS S3: STANDARD, STANDARD_IA, GLACIER.

  - `result.email.files.tags` (array,null)
    The list of tags; {key:value} pairs associated with the file.

  - `result.email.files.type` (string,null)
    The file type.

  - `result.email.files.uid` (string,null)
    The unique identifier of the file as defined by the storage system, such as the file system file ID.

  - `result.email.files.uri` (string)
    Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

  - `result.email.files.url` (object)
    The Uniform Resource Locator (URL) object describes the characteristics of a URL.

  - `result.email.files.url.categories` (array,null)
    The Website categorization names, as defined by category_ids enum values.

  - `result.email.files.url.category_ids` (array,null)
    The Website categorization identifiers.

  - `result.email.files.url.domain` (string,null)
    The domain portion of the URL. For example: example.com in https://sub.example.com.

  - `result.email.files.url.hostname` (string)
    Unique name assigned to a device connected to a computer network. It may be a fully qualified domain name (FQDN). For example: r2-d2.example.com, mx.example.com.

  - `result.email.files.url.path` (string,null)
    The URL path as extracted from the URL. For example: /download/trouble from www.example.com/download/trouble.

  - `result.email.files.url.port` (integer)
    The TCP/UDP port number. For example: 80, 22.

  - `result.email.files.url.query_string` (string,null)
    The query portion of the URL. For example: the query portion of the URL http://www.example.com/search?q=bad&sort=date is q=bad&sort=date.

  - `result.email.files.url.resource_type` (string,null)
    The context in which a resource was retrieved in a web request.

  - `result.email.files.url.scheme` (string,null)
    The scheme portion of the URL. For example: http, https, ftp, or sftp.

  - `result.email.files.url.subdomain` (string,null)
    The subdomain portion of the URL. For example: sub in https://sub.example.com or sub2.sub1 in https://sub2.sub1.example.com.

  - `result.email.files.url.url_string` (string)
    Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

  - `result.email.files.version` (string,null)
    The file version. For example: 8.0.7601.17514.

  - `result.email.files.volume` (string,null)
    The volume on the storage device where the file is located.

  - `result.email.files.xattributes` (object)
    An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.

  - `result.email.from` (string)
    Email address. For example: john_doe@example.com.

  - `result.email.from_list` (array,null)
    The machine-readable email header From values. This array should contain the value in from. For example: example.user@usersdomain.com.

  - `result.email.from_mailbox` (string,null)
    The human-readable email header From Mailbox value. For example: `Example User <example.user@usersdomain.com>`.

  - `result.email.from_mailboxes` (array,null)
    The human-readable email header From Mailbox values. This array should contain the value in from_mailbox. For example: `Example User <example.user@usersdomain.com>`.

  - `result.email.http_headers` (array,null)
    Additional HTTP headers of an HTTP request or response.

  - `result.email.http_headers.name` (string, required)
    The name of the HTTP header.

  - `result.email.http_headers.value` (string, required)
    The value of the HTTP header.

  - `result.email.is_delivered` (boolean,null)
    The indication of whether the email was delivered to the recipient as reported by the event source.

  - `result.email.is_read` (boolean,null)
    The indication of whether the email has been read.

  - `result.email.message_uid` (string,null)
    The email header Message-ID value, as defined by RFC 5322.

  - `result.email.raw_header` (string,null)
    The email authentication header.

  - `result.email.reply_to` (string)
    Email address. For example: john_doe@example.com.

  - `result.email.reply_to_list` (array,null)
    The machine-readable email header Reply-To values, as defined by RFC 5322. For example: example.user@usersdomain.com.

  - `result.email.reply_to_mailboxes` (array,null)
    The human-readable email header Reply-To Mailbox values. For example: `Example User <example.user@usersdomain.com>`.

  - `result.email.return_path` (string)
    Email address. For example: john_doe@example.com.

  - `result.email.sender` (string)
    Email address. For example: john_doe@example.com.

  - `result.email.sender_mailbox` (string,null)
    The human-readable email address of the system or server that actually transmitted the email message, extracted from the email headers per RFC 5322. This differs from the from_mailbox field, which shows the message author. The sender mailbox field is most commonly used when multiple addresses appear in the from_mailboxes field, or when the transmitting system is different from the message author (such as when sending on behalf of someone else).

  - `result.email.size` (integer,null)
    The size in bytes of the email, including attachments.

  - `result.email.smtp_from` (string)
    Email address. For example: john_doe@example.com.

  - `result.email.smtp_to` (array,null)
    The value of the SMTP envelope RCPT TO command.

  - `result.email.subject` (string,null)
    The email header Subject value, as defined by RFC 5322.

  - `result.email.to` (array,null)
    The machine-readable email header To values, as defined by RFC 5322. For example: example.user@usersdomain.com.

  - `result.email.to_mailboxes` (array,null)
    The human-readable email header To Mailbox values. For example: `Example User <example.user@usersdomain.com>`.

  - `result.email.uid` (string,null)
    The unique identifier of the email thread.

  - `result.email.url_count` (integer,null)
    The number of URLs embedded in the email as reported by the event source.

  - `result.email.urls` (array,null)
    The URLs embedded in the email.

  - `result.email.x_originating_ip` (array,null)
    The X-Originating-IP header identifying the email's originating IP address(es).

  - `result.metadata` (object, required)
    The Metadata object describes the metadata associated with the event.

  - `result.metadata.product` (object, required)
    The Product object describes characteristics of a software product.

  - `result.metadata.version` (string, required)
    The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.

  - `result.metadata.correlation_uid` (string,null)
    A unique identifier used to correlate this OCSF event with other related OCSF events, distinct from the event's uid value. This enables linking multiple OCSF events that are part of the same activity, transaction, or security incident across different systems or time periods.

  - `result.metadata.debug` (array,null)
    Debug information about non-fatal issues with this OCSF event. Each issue is a line in this string array.

  - `result.metadata.event_code` (string,null)
    The identifier of the original event. For example the numerical Windows Event Code or Cisco syslog code.

  - `result.metadata.extension` (object)
    The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.

  - `result.metadata.extension.version` (string, required)
    The schema extension version. For example: 1.0.0-alpha.2.

  - `result.metadata.extension.name` (string,null)
    The schema extension name. For example: dev.

  - `result.metadata.extension.uid` (string,null)
    The schema extension unique identifier. For example: 999.

  - `result.metadata.extensions` (array,null)
    The schema extensions used to create the event.

  - `result.metadata.is_truncated` (boolean,null)
    Indicates whether the OCSF event data has been truncated due to size limitations. When true, some event data may have been omitted to fit within system constraints.

  - `result.metadata.labels` (array,null)
    The list of labels attached to the event. For example: ["sample", "dev"]

  - `result.metadata.log_format` (string,null)
    The format of data in the log where the data originated. For example CSV, XML, Windows Multiline, JSON, syslog or Cisco Log Schema.

  - `result.metadata.log_level` (string,null)
    The level at which an event was logged. This can be log provider specific. For example the audit level.

  - `result.metadata.log_name` (string,null)
    The event log name, typically for the consumer of the event. For example, the storage bucket name, SIEM repository index name, etc.

  - `result.metadata.log_provider` (string,null)
    The logging provider or logging service that logged the event. For example AWS CloudWatch or Splunk.

  - `result.metadata.log_source` (string,null)
    The log system or component where the data originated. For example, a file path, syslog server name or a Windows hostname and logging subsystem such as Security.

  - `result.metadata.log_version` (string,null)
    The event log schema version of the original event. For example: the syslog version or the Cisco Log Schema version.

  - `result.metadata.logged_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.metadata.logged_time_dt` (string,null)
    The time when the logging system collected and logged the event. This attribute is distinct from the event time in that the event time typically contains the time extracted from the original event. Most of the time, these two times will be different.

  - `result.metadata.loggers` (array,null)
    An array of Logger objects that describe the pipeline of devices and logging products between the event source and its eventual destination. Note: this attribute can be used when there is a complex end-to-end path of event flow and/or to track the chain of custody of the data.

  - `result.metadata.loggers.device` (object)
    The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network.

  - `result.metadata.loggers.device.type_id` (integer, required)
    DeviceTypeId is an enum, and the following values are allowed.
0 - Unknown: The type is unknown.
1 - Server: A server.
2 - Desktop: A desktop computer.
3 - Laptop: A laptop computer.
4 - Tablet: A tablet computer.
5 - Mobile: A mobile phone.
6 - Virtual: A virtual machine.
7 - IOT: An IOT (Internet of Things) device.
8 - Browser: A web browser.
9 - Firewall: A networking firewall.
10 - Switch: A networking switch.
11 - Hub: A networking hub.
12 - Router: A networking router.
13 - IDS: An intrusion detection system.
14 - IPS: An intrusion prevention system.
15 - LoadBalancer: A Load Balancer device.
99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.

  - `result.metadata.loggers.device.agent_list` (array,null)
    A list of agent objects associated with a device, endpoint, or resource.

  - `result.metadata.loggers.device.agent_list.name` (string,null)
    The name of the agent or sensor. For example: AWS SSM Agent.

  - `result.metadata.loggers.device.agent_list.policies` (array,null)
    Describes the various policies that may be applied or enforced by an agent or sensor. E.g., Conditional Access, prevention, auto-update, tamper protection, destination configuration, etc.

  - `result.metadata.loggers.device.agent_list.type` (string,null)
    The normalized caption of the type_id value for the agent or sensor. In the case of 'Other' or 'Unknown', it is defined by the event source.

  - `result.metadata.loggers.device.agent_list.type_id` (integer)
    AgentTypeId is an enum, and the following values are allowed.
0 - Unknown: The type is unknown.
1 - EndpointDetectionandResponse: Any EDR sensor or agent. Or any tool that provides similar threat detection, anti-malware, anti-ransomware, or similar capabilities. E.g., Crowdstrike Falcon, Microsoft Defender for Endpoint, Wazuh.
2 - DataLossPrevention: Any DLP sensor or agent. Or any tool that provides similar data classification, data loss detection, and/or data loss prevention capabilities. E.g., Forcepoint DLP, Microsoft Purview, Symantec DLP.
3 - Recovery: Any agent or sensor that provides backups, archival, or recovery capabilities. E.g., Azure Backup, AWS Backint Agent.
4 - Observability: Any agent or sensor that provides Application Performance Monitoring (APM), active tracing, profiling, or other observability use cases and optionally forwards the logs. E.g., New Relic Agent, Datadog Agent, Azure Monitor Agent.
5 - VulnerabilityManagement: Any agent or sensor that provides vulnerability management or scanning capabilities. E.g., Qualys VMDR, Microsoft Defender for Endpoint, Crowdstrike Spotlight, Amazon Inspector Agent.
6 - LogForwarding: Any agent or sensor that forwards logs to a 3rd party storage system such as a data lake or SIEM. E.g., Splunk Universal Forwarder, Tenzir, FluentBit, Amazon CloudWatch Agent, Amazon Kinesis Agent.
7 - MobileDeviceManagement: Any agent or sensor responsible for providing Mobile Device Management (MDM) or Mobile Enterprise Management (MEM) capabilities. E.g., JumpCloud Agent, Esper Agent, Jamf Pro binary.
8 - ConfigurationManagement: Any agent or sensor that provides configuration management of a device, such as scanning for software, license management, or applying configurations. E.g., AWS Systems Manager Agent, Flexera, ServiceNow MID Server.
9 - RemoteAccess: Any agent or sensor that provides remote access capabilities to a device. E.g., BeyondTrust, Amazon Systems Manager Agent, Verkada Agent.
99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.

  - `result.metadata.loggers.device.agent_list.uid` (string,null)
    The UID of the agent or sensor, sometimes known as a Sensor ID or aid.

  - `result.metadata.loggers.device.agent_list.uid_alt` (string,null)
    An alternative or contextual identifier for the agent or sensor, such as a configuration, organization, or license UID.

  - `result.metadata.loggers.device.agent_list.vendor_name` (string,null)
    The company or author who created the agent or sensor. For example: Crowdstrike.

  - `result.metadata.loggers.device.agent_list.version` (string,null)
    The semantic version of the agent or sensor, e.g., 7.101.50.0.

  - `result.metadata.loggers.device.autoscale_uid` (string,null)
    The unique identifier of the cloud autoscale configuration.

  - `result.metadata.loggers.device.boot_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.metadata.loggers.device.boot_time_dt` (string,null)
    The time the system was booted.

  - `result.metadata.loggers.device.boot_uid` (string,null)
    A unique identifier of the device that changes after every reboot. For example, the value of /proc/sys/kernel/random/boot_id from Linux's procfs.

  - `result.metadata.loggers.device.created_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.metadata.loggers.device.created_time_dt` (string,null)
    The time when the device was known to have been created.

  - `result.metadata.loggers.device.desc` (string,null)
    The description of the device, ordinarily as reported by the operating system.

  - `result.metadata.loggers.device.domain` (string,null)
    The network domain where the device resides. For example: work.example.com.

  - `result.metadata.loggers.device.eid` (string,null)
    The Embedded Identity Document (EID), a unique serial number that identifies an eSIM-enabled device.

  - `result.metadata.loggers.device.first_seen_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.metadata.loggers.device.first_seen_time_dt` (string,null)
    The initial discovery time of the device.

  - `result.metadata.loggers.device.groups` (array,null)
    The group names to which the device belongs. For example: ["Windows Laptops", "Engineering"].

  - `result.metadata.loggers.device.hostname` (string)
    Unique name assigned to a device connected to a computer network. It may be a fully qualified domain name (FQDN). For example: r2-d2.example.com, mx.example.com.

  - `result.metadata.loggers.device.hw_info` (object)
    The Device Hardware Information object contains details and specifications of the physical components that make up a device. This information provides an overview of the hardware capabilities, configuration, and characteristics of the device.

  - `result.metadata.loggers.device.hw_info.bios_date` (string,null)
    The BIOS date. For example: 03/31/16.

  - `result.metadata.loggers.device.hw_info.bios_manufacturer` (string,null)
    The BIOS manufacturer. For example: LENOVO.

  - `result.metadata.loggers.device.hw_info.bios_ver` (string,null)
    The BIOS version. For example: LENOVO G5ETA2WW (2.62).

  - `result.metadata.loggers.device.hw_info.chassis` (string,null)
    The chassis type describes the system enclosure or physical form factor, for example the values defined in the Windows Chassis Types enumeration.

  - `result.metadata.loggers.device.hw_info.cpu_architecture` (string,null)
    The CPU architecture, normalized to the caption of the cpu_architecture_id value. In the case of Other, it is defined by the source.

  - `result.metadata.loggers.device.hw_info.cpu_architecture_id` (integer)
    DeviceHwInfoCpuArchitectureId is an enum, and the following values are allowed.
0 - Unknown: The CPU architecture is unknown.
1 - x86: CPU uses the x86 ISA. For bitness, refer to cpu_bits.
2 - ARM: CPU uses the ARM ISA. For bitness, refer to cpu_bits.
3 - RISC-V: CPU uses the RISC-V ISA. For bitness, refer to cpu_bits.
99 - Other: The CPU architecture is not mapped. See the cpu_architecture attribute, which contains a data source specific value.

  - `result.metadata.loggers.device.hw_info.cpu_bits` (integer,null)
    The CPU architecture bitness, i.e. the number of bits used for memory addressing. For example: 32 or 64.

  - `result.metadata.loggers.device.hw_info.cpu_cores` (integer,null)
    The number of processor cores in all installed processors. For example: 42.

  - `result.metadata.loggers.device.hw_info.cpu_count` (integer,null)
    The number of physical processors on a system. For example: 1.

  - `result.metadata.loggers.device.hw_info.cpu_speed` (integer,null)
    The speed of the processor in MHz. For example: 4200.

  - `result.metadata.loggers.device.hw_info.cpu_type` (string,null)
    The processor type. For example: x86 Family 6 Model 37 Stepping 5.

  - `result.metadata.loggers.device.hw_info.desktop_display` (object)
    The Display object contains information about the physical or virtual display connected to a computer system.

  - `result.metadata.loggers.device.hw_info.desktop_display.color_depth` (integer,null)
    The numeric color depth.

  - `result.metadata.loggers.device.hw_info.desktop_display.physical_height` (integer,null)
    The numeric physical height of display.

  - `result.metadata.loggers.device.hw_info.desktop_display.physical_orientation` (integer,null)
    The numeric physical orientation of display.

  - `result.metadata.loggers.device.hw_info.desktop_display.physical_width` (integer,null)
    The numeric physical width of display.

  - `result.metadata.loggers.device.hw_info.desktop_display.scale_factor` (integer,null)
    The numeric scale factor of display.

  - `result.metadata.loggers.device.hw_info.gpu_count` (integer,null)
    The number of GPUs on a system. For example: 1.

  - `result.metadata.loggers.device.hw_info.gpu_info_list` (array,null)
    A list of GPU objects describing the hardware properties of each graphics processor installed on the device.

  - `result.metadata.loggers.device.hw_info.keyboard_info` (object)
    The Keyboard Information object contains details and attributes related to a computer or device keyboard. It encompasses information that describes the characteristics, capabilities, and configuration of the keyboard.

  - `result.metadata.loggers.device.hw_info.keyboard_info.function_keys` (integer,null)
    The number of function keys on client keyboard.

  - `result.metadata.loggers.device.hw_info.keyboard_info.ime` (string,null)
    The Input Method Editor (IME) file name.

  - `result.metadata.loggers.device.hw_info.keyboard_info.keyboard_layout` (string,null)
    The keyboard locale identifier name (e.g., en-US).

  - `result.metadata.loggers.device.hw_info.keyboard_info.keyboard_subtype` (integer,null)
    The keyboard numeric code.

  - `result.metadata.loggers.device.hw_info.keyboard_info.keyboard_type` (string,null)
    The keyboard type (e.g., xt, ico).

  - `result.metadata.loggers.device.hw_info.ram_size` (integer,null)
    The total amount of installed RAM, in Megabytes. For example: 2048.

  - `result.metadata.loggers.device.hw_info.serial_number` (string,null)
    The device manufacturer serial number.

  - `result.metadata.loggers.device.hw_info.uuid` (string,null)
    The device manufacturer assigned universally unique hardware identifier. For SMBIOS compatible devices such as those running Linux and Windows, it is the UUID member of the System Information structure in the SMBIOS information. For macOS devices, it is the Hardware UUID (also known as IOPlatformUUID in the I/O Registry).

  - `result.metadata.loggers.device.hw_info.vendor_name` (string,null)
    The device manufacturer.

  - `result.metadata.loggers.device.hypervisor` (string,null)
    The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc.

  - `result.metadata.loggers.device.iccid` (string,null)
    The Integrated Circuit Card Identification of a mobile device. Typically it is a unique 18 to 22 digit number that identifies a SIM card.

  - `result.metadata.loggers.device.image` (object)
    The Image object provides a description of a specific Virtual Machine (VM) or Container image.

  - `result.metadata.loggers.device.image.uid` (string, required)
    The unique image ID. For example: 77af4d6b9913.

  - `result.metadata.loggers.device.image.labels` (array,null)
    The list of labels associated to the image.

  - `result.metadata.loggers.device.image.name` (string,null)
    The image name. For example: elixir.

  - `result.metadata.loggers.device.image.path` (string)
    The full path to the file. For example: c:\windows\system32\svchost.exe.

  - `result.metadata.loggers.device.image.tag` (string,null)
    The image tag. For example: 1.11-alpine.

  - `result.metadata.loggers.device.image.tags` (array,null)
    The list of tags; {key:value} pairs associated with the image.

  - `result.metadata.loggers.device.imei` (string,null)
    The International Mobile Equipment Identity that is associated with the device.

  - `result.metadata.loggers.device.imei_list` (array,null)
    The International Mobile Equipment Identity values that are associated with the device.

  - `result.metadata.loggers.device.instance_uid` (string,null)
    The unique identifier of a VM instance.

  - `result.metadata.loggers.device.interface_name` (string,null)
    The name of the network interface (e.g. eth2).

  - `result.metadata.loggers.device.interface_uid` (string,null)
    The unique identifier of the network interface.

  - `result.metadata.loggers.device.ip` (string)
    Internet Protocol address (IP address), in either IPv4 or IPv6 format. For example: 192.168.200.24, 2001:0db8:85a3:0000:0000:8a2e:0370:7334.

  - `result.metadata.loggers.device.is_backed_up` (boolean,null)
    Indicates whether the device or resource has a backup enabled, such as an automated snapshot or a cloud backup. For example, this is indicated by the cloudBackupEnabled value within JAMF Pro mobile devices or the registration of an AWS ARN with the AWS Backup service.

  - `result.metadata.loggers.device.is_compliant` (boolean,null)
    The event occurred on a compliant device.

  - `result.metadata.loggers.device.is_managed` (boolean,null)
    The event occurred on a managed device.

  - `result.metadata.loggers.device.is_mobile_account_active` (boolean,null)
    Indicates whether the device has an active mobile account. For example, this is indicated by the itunesStoreAccountActive value within JAMF Pro mobile devices.

  - `result.metadata.loggers.device.is_personal` (boolean,null)
    The event occurred on a personal device.

  - `result.metadata.loggers.device.is_shared` (boolean,null)
    The event occurred on a shared device.

  - `result.metadata.loggers.device.is_supervised` (boolean,null)
    The event occurred on a supervised device. Devices that are supervised are typically mobile devices managed by a Mobile Device Management solution and are restricted from specific behaviors such as Apple AirDrop.

  - `result.metadata.loggers.device.is_trusted` (boolean,null)
    The event occurred on a trusted device.

  - `result.metadata.loggers.device.last_seen_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.metadata.loggers.device.last_seen_time_dt` (string,null)
    The most recent discovery time of the device.

  - `result.metadata.loggers.device.location` (object)
    The Geo Location object describes a geographical location, usually associated with an IP address.

  - `result.metadata.loggers.device.mac` (string)
    Media Access Control (MAC) address. For example: 18:36:F3:98:4F:9A.

  - `result.metadata.loggers.device.mac_vendor` (string,null)
    The vendor or manufacturer of the endpoint's network interface controller (NIC), as identified from the MAC address.

  - `result.metadata.loggers.device.meid` (string,null)
    The Mobile Equipment Identifier. It's a unique number that identifies a Code Division Multiple Access (CDMA) mobile device.

  - `result.metadata.loggers.device.model` (string,null)
    The model of the device. For example ThinkPad X1 Carbon.

  - `result.metadata.loggers.device.modified_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.metadata.loggers.device.modified_time_dt` (string,null)
    The time when the device was last known to have been modified.

  - `result.metadata.loggers.device.name` (string,null)
    The alternate device name, ordinarily as assigned by an administrator. Note: The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234.

  - `result.metadata.loggers.device.network_interfaces` (array,null)
    The physical or virtual network interfaces that are associated with the device, one for each unique MAC address/IP address/hostname/name combination. Note: The first element of the array is the network information that pertains to the event.

  - `result.metadata.loggers.device.network_interfaces.hostname` (string)
    Unique name assigned to a device connected to a computer network. It may be a fully qualified domain name (FQDN). For example: r2-d2.example.com, mx.example.com.

  - `result.metadata.loggers.device.network_interfaces.ip` (string)
    Internet Protocol address (IP address), in either IPv4 or IPv6 format. For example: 192.168.200.24, 2001:0db8:85a3:0000:0000:8a2e:0370:7334.

  - `result.metadata.loggers.device.network_interfaces.mac` (string)
    Media Access Control (MAC) address. For example: 18:36:F3:98:4F:9A.

  - `result.metadata.loggers.device.network_interfaces.name` (string,null)
    The name of the network interface.

  - `result.metadata.loggers.device.network_interfaces.namespace` (string,null)
    The namespace is useful in merger or acquisition situations. For example, when similar entities exist that you need to keep separate.

  - `result.metadata.loggers.device.network_interfaces.open_ports` (array,null)
    The list of open ports on a network interface, including port numbers and associated protocol information.

  - `result.metadata.loggers.device.network_interfaces.subnet_prefix` (integer,null)
    The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet.

  - `result.metadata.loggers.device.network_interfaces.type` (string,null)
    The type of network interface.

  - `result.metadata.loggers.device.network_interfaces.type_id` (integer)
    NetworkInterfaceTypeId is an enum, and the following values are allowed.
0 - Unknown: The type is unknown.
1 - Wired
2 - Wireless
3 - Mobile
4 - Tunnel
99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.

  - `result.metadata.loggers.device.network_interfaces.uid` (string,null)
    The unique identifier for the network interface.

  - `result.metadata.loggers.device.org` (object)
    The Organization object describes characteristics of an organization or company and its division if any. Additionally, it also describes cloud and Software-as-a-Service (SaaS) logical hierarchies such as AWS Organizations, Google Cloud Organizations, Oracle Cloud Tenancies, and similar constructs.

  - `result.metadata.loggers.device.os` (object)
    The Operating System (OS) object describes characteristics of an OS, such as Linux or Windows.

  - `result.metadata.loggers.device.os.name` (string, required)
    The operating system name.

  - `result.metadata.loggers.device.os.type_id` (integer, required)
    OsTypeId is an enum, and the following values are allowed.
0 - Unknown: The type is unknown.
99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.
100 - Windows
101 - WindowsMobile
200 - Linux
201 - Android
300 - macOS
301 - iOS
302 - iPadOS
400 - Solaris
401 - AIX
402 - UX

  - `result.metadata.loggers.device.os.build` (string,null)
    The operating system build number.

  - `result.metadata.loggers.device.os.country` (string,null)
    The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). Note: The two letter country code should be capitalized. For example: US or CA.

  - `result.metadata.loggers.device.os.cpe_name` (string,null)
    The Common Platform Enumeration (CPE) name as described by NIST. For example: cpe:/a:apple:safari:16.2.

  - `result.metadata.loggers.device.os.cpu_bits` (integer,null)
    The CPU architecture, i.e. the number of bits used for addressing in memory. For example: 32 or 64.

  - `result.metadata.loggers.device.os.edition` (string,null)
    The operating system edition. For example: Professional.

  - `result.metadata.loggers.device.os.kernel_release` (string,null)
    The kernel release of the operating system. On Unix-based systems, this is determined from the uname -r command output, for example "5.15.0-122-generic".

  - `result.metadata.loggers.device.os.lang` (string,null)
    The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).

  - `result.metadata.loggers.device.os.sp_name` (string,null)
    The name of the latest Service Pack.

  - `result.metadata.loggers.device.os.sp_ver` (integer,null)
    The version number of the latest Service Pack.

  - `result.metadata.loggers.device.os.type` (string,null)
    The type of the operating system.

  - `result.metadata.loggers.device.os.version` (string,null)
    The version of the OS running on the device that originated the event. For example: "Windows 10", "OS X 10.7", or "iOS 9".

  - `result.metadata.loggers.device.os_machine_uuid` (string,null)
    The operating system assigned Machine ID. In Windows, this is the value stored at the registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid. In Linux, this is stored in the file: /etc/machine-id.

  - `result.metadata.loggers.device.owner` (object)
    The User object describes the characteristics of a user/person or a security principal.

  - `result.metadata.loggers.device.pool` (object)
    The Group object represents a collection or association of entities, such as users, policies, or devices. It serves as a logical grouping mechanism to organize and manage entities with similar characteristics or permissions within a system or organization, including but not limited to purposes of access control.

  - `result.metadata.loggers.device.region` (string,null)
    The region where the virtual machine is located. For example, an AWS Region.

  - `result.metadata.loggers.device.risk_level` (string,null)
    The risk level, normalized to the caption of the risk_level_id value.

  - `result.metadata.loggers.device.risk_level_id` (integer)
    DeviceRiskLevelId is an enum, and the following values are allowed.
0 - Info
1 - Low
2 - Medium
3 - High
4 - Critical
99 - Other: The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.

  - `result.metadata.loggers.device.risk_score` (integer,null)
    The risk score as reported by the event source.

  - `result.metadata.loggers.device.subnet` (string)
    The subnet represented in CIDR notation, using the format network_address/prefix_length. The network_address can be in either IPv4 or IPv6 format. The prefix length indicates the number of bits used for the network portion, and the remaining bits are available for host addresses within that subnet. For example: 192.168.1.0/24, 2001:0db8:85a3:0000::/64.

  - `result.metadata.loggers.device.subnet_uid` (string,null)
    The unique identifier of a virtual subnet.

  - `result.metadata.loggers.device.type` (string,null)
    The device type. For example: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.

  - `result.metadata.loggers.device.udid` (string,null)
    The Apple assigned Unique Device Identifier (UDID). For iOS, iPadOS, tvOS, watchOS and visionOS devices, this is the UDID. For macOS devices, it is the Provisioning UDID. For example: 00008020-008D4548007B4F26.

  - `result.metadata.loggers.device.uid` (string,null)
    The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.

  - `result.metadata.loggers.device.uid_alt` (string,null)
    An alternate unique identifier of the device if any. For example the ActiveDirectory DN.

  - `result.metadata.loggers.device.vendor_name` (string,null)
    The vendor for the device. For example Dell or Lenovo.

  - `result.metadata.loggers.device.vlan_uid` (string,null)
    The Virtual LAN identifier.

  - `result.metadata.loggers.device.vpc_uid` (string,null)
    The unique identifier of the Virtual Private Cloud (VPC).

  - `result.metadata.loggers.device.zone` (string,null)
    The network zone or LAN segment.

  - `result.metadata.loggers.event_uid` (string,null)
    The unique identifier of the event assigned by the logger.

  - `result.metadata.loggers.is_truncated` (boolean,null)
    Indicates whether the OCSF event data has been truncated due to size limitations. When true, some event data may have been omitted to fit within system constraints.

  - `result.metadata.loggers.log_format` (string,null)
    The format of data in the log. For example JSON, syslog or CSV.

  - `result.metadata.loggers.log_level` (string,null)
    The level at which an event was logged. This can be log provider specific. For example the audit level.

  - `result.metadata.loggers.log_name` (string,null)
    The log name for the logging provider log, or the file name of the system log. This may be an intermediate store-and-forward log or a vendor destination log. For example /archive/server1/var/log/messages.0 or /var/log/.

  - `result.metadata.loggers.log_provider` (string,null)
    The logging provider or logging service that logged the event. This may be an intermediate application store-and-forward log or a vendor destination log.

  - `result.metadata.loggers.log_version` (string,null)
    The event log schema version of the original event. For example the syslog version or the Cisco Log Schema version.

  - `result.metadata.loggers.logged_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.metadata.loggers.logged_time_dt` (string,null)
    The time when the logging system collected and logged the event. This attribute is distinct from the event time in that the event time typically contains the time extracted from the original event. Most of the time, these two times will be different.

  - `result.metadata.loggers.name` (string,null)
    The name of the logging product instance.

  - `result.metadata.loggers.product` (object)
    The Product object describes characteristics of a software product.

  - `result.metadata.loggers.transmit_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.metadata.loggers.transmit_time_dt` (string,null)
    The time when the event was transmitted from the logging device to its next destination.

  - `result.metadata.loggers.uid` (string,null)
    The unique identifier of the logging product instance.

  - `result.metadata.loggers.untruncated_size` (integer,null)
    The original size of the OCSF event data in kilobytes before any truncation occurred. This field is typically populated when is_truncated is true to indicate the full size of the original event.

  - `result.metadata.loggers.version` (string,null)
    The version of the logging provider.

  - `result.metadata.modified_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.metadata.modified_time_dt` (string,null)
    The time when the event was last modified or enriched.

  - `result.metadata.original_event_uid` (string,null)
    The unique identifier assigned to the event in its original logging system before transformation to OCSF format. This field preserves the source system's native event identifier, enabling traceability back to the raw log entry. For example, a Windows Event Record ID, a syslog message ID, a Splunk _cd value, or a database transaction log sequence number.

  - `result.metadata.original_time` (string,null)
    The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.

  - `result.metadata.processed_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.metadata.processed_time_dt` (string,null)
    The event processed time, such as an ETL operation.

  - `result.metadata.profiles` (array,null)
    The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.

  - `result.metadata.reporter` (object)
    The entity from which an event or finding was reported.

  - `result.metadata.reporter.hostname` (string)
    Unique name assigned to a device connected to a computer network. It may be a fully qualified domain name (FQDN). For example: r2-d2.example.com, mx.example.com.

  - `result.metadata.reporter.ip` (string)
    Internet Protocol address (IP address), in either IPv4 or IPv6 format. For example: 192.168.200.24, 2001:0db8:85a3:0000:0000:8a2e:0370:7334.

  - `result.metadata.reporter.name` (string,null)
    The name of the entity from which the event or finding was reported.

  - `result.metadata.reporter.org` (object)
    The Organization object describes characteristics of an organization or company and its division if any. Additionally, it also describes cloud and Software-as-a-Service (SaaS) logical hierarchies such as AWS Organizations, Google Cloud Organizations, Oracle Cloud Tenancies, and similar constructs.

  - `result.metadata.reporter.uid` (string,null)
    The unique identifier of the entity from which the event or finding was reported.

  - `result.metadata.sequence` (integer,null)
    Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.

  - `result.metadata.source` (string,null)
    The source of the event or finding. This can be any distinguishing name for the logical origin of the data — for example, 'CloudTrail Events', or a use case like 'Attack Simulations' or 'Vulnerability Scans'.

  - `result.metadata.tags` (array,null)
    The list of tags; {key:value} pairs associated to the event.

  - `result.metadata.tenant_uid` (string,null)
    The unique tenant identifier.

  - `result.metadata.total_queued_duration` (object)
    The Time Span object represents different time period durations. If a timespan is fractional, i.e. crosses one period, e.g. a week and 3 days, more than one may be populated since each member is of integral type. In that case type_id, if present, should be set to Other. A timespan may also be defined by its time interval boundaries, start_time and end_time.

  - `result.metadata.total_queued_duration.duration` (integer,null)
    The duration of the time span in milliseconds.

  - `result.metadata.total_queued_duration.duration_days` (integer,null)
    The duration of the time span in days.

  - `result.metadata.total_queued_duration.duration_hours` (integer,null)
    The duration of the time span in hours.

  - `result.metadata.total_queued_duration.duration_mins` (integer,null)
    The duration of the time span in minutes.

  - `result.metadata.total_queued_duration.duration_months` (integer,null)
    The duration of the time span in months.

  - `result.metadata.total_queued_duration.duration_secs` (integer,null)
    The duration of the time span in seconds.

  - `result.metadata.total_queued_duration.duration_weeks` (integer,null)
    The duration of the time span in weeks.

  - `result.metadata.total_queued_duration.duration_years` (integer,null)
    The duration of the time span in years.

  - `result.metadata.total_queued_duration.end_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.metadata.total_queued_duration.end_time_dt` (string,null)
    The end time or conclusion of the timespan's interval.

  - `result.metadata.total_queued_duration.start_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.metadata.total_queued_duration.start_time_dt` (string,null)
    The start time or beginning of the timespan's interval.

  - `result.metadata.total_queued_duration.type` (string,null)
    The type of time span duration the object represents.

  - `result.metadata.total_queued_duration.type_id` (integer)
    TimespanTypeId is an enum, and the following values are allowed.
0 - Unknown: The type is unknown.
1 - Milliseconds
2 - Seconds
3 - Minutes
4 - Hours
5 - Days
6 - Weeks
7 - Months
8 - Years
9 - TimeInterval: The start_time and end_time should be set.
99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.

  - `result.metadata.transformation_info_list` (array,null)
    An array of transformation info that describes the mappings or transforms applied to the data.

  - `result.metadata.transformation_info_list.lang` (string,null)
    The transformation language used to transform the data.

  - `result.metadata.transformation_info_list.name` (string,null)
    The name of the transformation or mapping.

  - `result.metadata.transformation_info_list.product` (object)
    The Product object describes characteristics of a software product.

  - `result.metadata.transformation_info_list.time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.metadata.transformation_info_list.time_dt` (string,null)
    Time of the transformation.

  - `result.metadata.transformation_info_list.uid` (string,null)
    The unique identifier of the mapping or transformation.

  - `result.metadata.transformation_info_list.url_string` (string)
    Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

  - `result.metadata.transmit_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.metadata.transmit_time_dt` (string,null)
    The time when the event was transmitted from the logging device to its next destination.

  - `result.metadata.type` (string,null)
    The type of the event or finding as a subset of the source of the event. This can be any distinguishing characteristic of the data. For example 'Management Events' or 'Device Penetration Test'.

  - `result.metadata.uid` (string,null)
    A unique identifier assigned to the OCSF event. This ID is specific to the OCSF event itself and is distinct from the original event identifier in the source system (see original_event_uid).

  - `result.metadata.untruncated_size` (integer,null)
    The original size of the OCSF event data in kilobytes before any truncation occurred. This field is typically populated when is_truncated is true to indicate the full size of the original event.

  - `result.severity_id` (integer, required)
    SeverityId is an enum, and the following values are allowed.
0 - Unknown: The event/finding severity is unknown.
1 - Informational: Informational message. No action required.
2 - Low: The user decides if action is needed.
3 - Medium: Action is required but the situation is not serious at this time.
4 - High: Action is required immediately.
5 - Critical: Action is required immediately and the scope is broad.
6 - Fatal: An error occurred but it is too late to take remedial action.
99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.

  - `result.time` (integer, required)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.type_uid` (integer, required)
    TypeUid is an enum, and the following values are allowed.
400900 - Unknown
400901 - Send
400902 - Receive
400903 - Scan: Email being scanned (example: security scanning)
400904 - Trace: Follow an email message as it travels through an organization. The message_trace_uid should be populated when selected.
400905 - MTARelay: Email processed by an MTA, typically combining send, receive, and scan operations into a single activity.
400999 - Other

  - `result.action` (string,null)
    The normalized caption of action_id.

  - `result.action_id` (integer)
    ActionId is an enum, and the following values are allowed.
0 - Unknown: The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.
1 - Allowed: The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.
2 - Denied: The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked', etc.
3 - Observed: The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.
4 - Modified: The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.
99 - Other: The action is not mapped. See the action attribute which contains a data source specific value.
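The action_id and disposition_id descriptions above define which dispositions conform to each action, and `action` is documented as the normalized caption of action_id. The following is an added consistency check built from those descriptions; it is example code, not part of the Synqly API or the OCSF schema, and the sample events and the `check_action_disposition` / `event_time_utc` helper names are constructed for illustration.

```python
"""Consistency check for OCSF email events returned by Query Email Events.

Added example (not from the Synqly API reference or OCSF itself). The enum
values and the "should be set to a value that conforms" rules are taken
verbatim from the action_id and disposition_id field descriptions.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional

# ActionId enum, from the action_id description.
ACTION_CAPTIONS: Dict[int, str] = {
    0: "Unknown", 1: "Allowed", 2: "Denied", 3: "Observed", 4: "Modified", 99: "Other",
}

# DispositionId enum 0..26, from the disposition_id description. Multi-word
# captions are spelled the way the action_id text quotes them
# ('Custom Action', 'No Action', 'Access Revoked').
DISPOSITION_CAPTIONS: Dict[int, str] = {
    0: "Unknown", 1: "Allowed", 2: "Blocked", 3: "Quarantined", 4: "Isolated",
    5: "Deleted", 6: "Dropped", 7: "Custom Action", 8: "Approved", 9: "Restored",
    10: "Exonerated", 11: "Corrected", 12: "Partially Corrected", 13: "Uncorrected",
    14: "Delayed", 15: "Detected", 16: "No Action", 17: "Logged", 18: "Tagged",
    19: "Alert", 20: "Count", 21: "Reset", 22: "Captcha", 23: "Challenge",
    24: "Access Revoked", 25: "Rejected", 26: "Unauthorized",
}

# Dispositions the action_id description names for each action. The Allowed,
# Denied and Observed lists end in "etc." in the reference, so a disposition
# outside these sets is reported as a finding for review, not as a hard error.
# Unknown (0) and Other (99) place no constraint on disposition_id.
CONFORMING_DISPOSITIONS: Dict[int, FrozenSet[str]] = {
    1: frozenset({"Allowed", "Approved", "Delayed", "No Action", "Count"}),
    2: frozenset({"Blocked", "Rejected", "Quarantined", "Isolated", "Dropped",
                  "Access Revoked"}),
    3: frozenset({"Logged", "Alert", "Detected", "Count"}),
    4: frozenset({"Restored", "Corrected", "Delayed", "Captcha", "Tagged"}),
}


def check_action_disposition(event: dict) -> List[str]:
    """Return findings about the action/disposition fields; empty means consistent."""
    findings: List[str] = []
    action_id: Optional[int] = event.get("action_id")
    if action_id is None:
        return findings  # action_id is optional on this event class
    action_caption = ACTION_CAPTIONS.get(action_id)
    if action_caption is None:
        return [f"action_id {action_id} is not a defined ActionId value"]
    # "action" is documented as the normalized caption of action_id.
    if "action" in event and event["action"] != action_caption:
        findings.append(
            f"action {event['action']!r} does not match action_id {action_id} ({action_caption})"
        )
    disposition_id: Optional[int] = event.get("disposition_id")
    if disposition_id is None:
        return findings
    disposition = DISPOSITION_CAPTIONS.get(disposition_id)
    if disposition is None:
        findings.append(f"disposition_id {disposition_id} is not a defined DispositionId value")
        return findings
    expected = CONFORMING_DISPOSITIONS.get(action_id)
    if expected is not None and disposition not in expected:
        findings.append(f"disposition {disposition!r} does not conform to action {action_caption!r}")
    return findings


def event_time_utc(event: dict) -> datetime:
    """Convert the required `time` field (ms since the Unix epoch) to an aware UTC datetime.

    Integer arithmetic is used so that the millisecond part is not lost to float rounding.
    """
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(milliseconds=int(event["time"]))


# Constructed sample events (not captured from any provider).
SAMPLE_EVENTS = [
    # Denied + Quarantined: conforms.
    {"time": 1618524549901, "action_id": 2, "action": "Denied", "disposition_id": 3},
    # Allowed + Blocked: the provider mapping contradicts itself; worth a look.
    {"time": 1618524549901, "action_id": 1, "action": "Allowed", "disposition_id": 2},
    # Unknown + Challenge: explicitly permitted by the action_id description.
    {"time": 1618524549901, "action_id": 0, "disposition_id": 23},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(event_time_utc(ev).isoformat(), check_action_disposition(ev) or "ok")
```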

  - `result.activity_name` (string,null)
    The event activity name, as defined by the activity_id.

  - `result.attacks` (array,null)
    An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.

  - `result.attacks.mitigation` (object)
    The MITRE Mitigation object describes the ATT&CK® or ATLAS™ Mitigation ID and/or name that is associated to an attack.

  - `result.attacks.mitigation.countermeasures` (array,null)
    The D3FEND countermeasures that are associated with the attack technique. For example: ATT&CK Technique T1003 is addressed by Mitigation M1027, and D3FEND Technique D3-OTP.

  - `result.attacks.mitigation.countermeasures.d3f_tactic` (object)
    The MITRE D3FEND™ Tactic object describes the tactic ID and/or name that is associated to an attack.

  - `result.attacks.mitigation.countermeasures.d3f_tactic.name` (string,null)
    The tactic name that is associated with the defensive technique. For example: Isolate.

  - `result.attacks.mitigation.countermeasures.d3f_tactic.src_url` (string)
    Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

  - `result.attacks.mitigation.countermeasures.d3f_tactic.uid` (string,null)
    The unique identifier of the defensive tactic.

  - `result.attacks.mitigation.countermeasures.d3f_technique` (object)
    The MITRE D3FEND™ Technique object describes the leaf defensive technique ID and/or name associated to a countermeasure.

  - `result.attacks.mitigation.countermeasures.d3f_technique.name` (string,null)
    The name of the defensive technique. For example: IO Port Restriction.

  - `result.attacks.mitigation.countermeasures.d3f_technique.src_url` (string)
    Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

  - `result.attacks.mitigation.countermeasures.d3f_technique.uid` (string,null)
    The unique identifier of the defensive technique. For example: D3-IOPR.

  - `result.attacks.mitigation.countermeasures.version` (string,null)
    The D3FEND™ Matrix version.

  - `result.attacks.mitigation.name` (string,null)
    The Mitigation name that is associated with the attack technique. For example: Password Policies, or Code Signing.

  - `result.attacks.mitigation.src_url` (string)
    Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

  - `result.attacks.mitigation.uid` (string,null)
    The Mitigation ID that is associated with the attack technique. For example: M1027, or AML.M0013.

  - `result.attacks.sub_technique` (object)
    The MITRE Sub-technique object describes the ATT&CK® or ATLAS™ Sub-technique ID and/or name associated to an attack.

  - `result.attacks.sub_technique.name` (string,null)
    The name of the attack sub-technique. For example: Scanning IP Blocks or User Execution: Unsafe ML Artifacts.

  - `result.attacks.sub_technique.src_url` (string)
    Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

  - `result.attacks.sub_technique.uid` (string,null)
    The unique identifier of the attack sub-technique. For example: T1595.001 or AML.T0011.000.

  - `result.attacks.tactic` (object)
    The MITRE Tactic object describes the ATT&CK® or ATLAS™ Tactic ID and/or name that is associated to an attack.

  - `result.attacks.tactic.name` (string,null)
    The Tactic name that is associated with the attack technique. For example: Reconnaissance or ML Model Access.

  - `result.attacks.tactic.src_url` (string)
    Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

  - `result.attacks.tactic.uid` (string,null)
    The Tactic ID that is associated with the attack technique. For example: TA0043, or AML.TA0000.

  - `result.attacks.tactics` (array,null)
    The Tactic object describes the tactic ID and/or tactic name that are associated with the attack technique, as defined by the ATT&CK® Matrix.

  - `result.attacks.technique` (object)
    The MITRE Technique object describes the ATT&CK® or ATLAS™ Technique ID and/or name associated to an attack.

  - `result.attacks.technique.name` (string,null)
    The name of the attack technique. For example: Active Scanning or AI Model Inference API Access.

  - `result.attacks.technique.src_url` (string)
    Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

  - `result.attacks.technique.uid` (string,null)
    The unique identifier of the attack technique. For example: T1595 or AML.T0040.

  - `result.attacks.version` (string,null)
    The ATT&CK® or ATLAS™ Matrix version.

  - `result.attempt` (integer,null)
    The attempt number for attempting to deliver the email.

  - `result.authorizations` (array,null)
    Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.

  - `result.authorizations.decision` (string,null)
    Authorization Result/outcome, e.g. allowed, denied.

  - `result.authorizations.policy` (object)
    The Policy object describes the policies that are applicable. Policy attributes provide traceability to the operational state of the security product at the time that the event was captured, facilitating forensics, troubleshooting, and policy tuning/adjustments.

  - `result.authorizations.policy.data` (any,null)
    Additional data about the policy such as the underlying JSON policy itself or other details.

  - `result.authorizations.policy.desc` (string,null)
    The description of the policy.

  - `result.authorizations.policy.group` (object)
    The Group object represents a collection or association of entities, such as users, policies, or devices. It serves as a logical grouping mechanism to organize and manage entities with similar characteristics or permissions within a system or organization, including but not limited to purposes of access control.

  - `result.authorizations.policy.is_applied` (boolean,null)
    A determination if the content of a policy was applied to a target or request, or not.

  - `result.authorizations.policy.name` (string,null)
    The policy name. For example: AdministratorAccess Policy.

  - `result.authorizations.policy.type` (string,null)
    The policy type. For example: Identity Policy, Resource Policy, Service Control Policy, etc.

  - `result.authorizations.policy.uid` (string,null)
    A unique identifier of the policy instance.

  - `result.authorizations.policy.version` (string,null)
    The policy version number.

  - `result.banner` (string,null)
    The initial connection response that a messaging server receives after it connects to an email server.

  - `result.category_name` (string,null)
    The event category name, as defined by category_uid value: Network Activity.

  - `result.command` (string,null)
    The command issued by the initiator (client), such as SMTP HELO or EHLO.

  - `result.confidence` (string,null)
    The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.

  - `result.confidence_id` (integer)
    ConfidenceId is an enum, and the following values are allowed.
0 - Unknown: The normalized confidence is unknown.
1 - Low
2 - Medium
3 - High
99 - Other: The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.

  - `result.confidence_score` (integer,null)
    The confidence score as reported by the event source.

  - `result.count` (integer,null)
    The number of times that events in the same logical group occurred during the event Start Time to End Time period.

  - `result.direction` (string,null)
    The direction of the email, as defined by the direction_id value.

  - `result.disposition` (string,null)
    The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.

  - `result.disposition_id` (integer)
    DispositionId is an enum, and the following values are allowed.
0 - Unknown: The disposition is unknown.
1 - Allowed: Granted access or allowed the action to the protected resource.
2 - Blocked: Denied access or blocked the action to the protected resource.
3 - Quarantined: A suspicious file or other content was moved to a benign location.
4 - Isolated: A session was isolated on the network or within a browser.
5 - Deleted: A file or other content was deleted.
6 - Dropped: The request was detected as a threat and resulted in the connection being dropped.
7 - CustomAction: A custom action was executed such as running of a command script. Use the message attribute of the base class for details.
8 - Approved: A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.
9 - Restored: A quarantined file or other content was restored to its original location.
10 - Exonerated: A suspicious or risky entity was deemed to no longer be suspicious (re-scored).
11 - Corrected: A corrupt file or configuration was corrected.
12 - PartiallyCorrected: A corrupt file or configuration was partially corrected.
13 - Uncorrected: A corrupt file or configuration was not corrected.
14 - Delayed: An operation was delayed, for example if a restart was required to finish the operation.
15 - Detected: Suspicious activity or a policy violation was detected without further action.
16 - NoAction: The outcome of an operation had no action taken.
17 - Logged: The operation or action was logged without further action.
18 - Tagged: A file or other entity was marked with extended attributes.
19 - Alert: The request or activity was detected as a threat and resulted in a notification but request was not blocked.
20 - Count: Counted the request or activity but did not determine whether to allow it or block it.
21 - Reset: The request was detected as a threat and resulted in the connection being reset.
22 - Captcha: Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.
23 - Challenge: Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.
24 - AccessRevoked: The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.
25 - Rejected: A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.
26 - Unauthorized: An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.
27 - Error: An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.
99 - Other: The disposition is not mapped. See the disposition attribute, which contains a data source specific value.

  - `result.dst_endpoint` (object)
    The Network Endpoint object describes characteristics of a network endpoint. These can be a source or destination of a network connection.

  - `result.dst_endpoint.agent_list` (array,null)
    A list of agent objects associated with a device, endpoint, or resource.

  - `result.dst_endpoint.autonomous_system` (object)
    An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.

  - `result.dst_endpoint.autonomous_system.name` (string,null)
    Organization name for the Autonomous System.

  - `result.dst_endpoint.autonomous_system.number` (integer,null)
    Unique number that the AS is identified by.

  - `result.dst_endpoint.domain` (string,null)
    The name of the domain that the endpoint belongs to or that corresponds to the endpoint.

  - `result.dst_endpoint.fingerprints` (array,null)
    Fingerprints that identify the specific application implementation on this endpoint, such as Cisco NPF or HASSH.

  - `result.dst_endpoint.hostname` (string)
    Unique name assigned to a device connected to a computer network. It may be a fully qualified domain name (FQDN). For example: r2-d2.example.com, mx.example.com.

  - `result.dst_endpoint.hw_info` (object)
    The Device Hardware Information object contains details and specifications of the physical components that make up a device. This information provides an overview of the hardware capabilities, configuration, and characteristics of the device.

  - `result.dst_endpoint.instance_uid` (string,null)
    The unique identifier of a VM instance.

  - `result.dst_endpoint.interface_name` (string,null)
    The name of the network interface (e.g. eth2).

  - `result.dst_endpoint.interface_uid` (string,null)
    The unique identifier of the network interface.

  - `result.dst_endpoint.intermediate_ips` (array,null)
    The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.

  - `result.dst_endpoint.ip` (string)
    Internet Protocol address (IP address), in either IPv4 or IPv6 format. For example: 192.168.200.24, 2001:0db8:85a3:0000:0000:8a2e:0370:7334.

  - `result.dst_endpoint.isp` (string,null)
    The name of the Internet Service Provider (ISP).

  - `result.dst_endpoint.isp_org` (string,null)
    The organization name of the Internet Service Provider (ISP). This represents the parent organization or company that owns/operates the ISP. For example, Comcast Corporation would be the ISP org for Xfinity internet service. This attribute helps identify the ultimate provider when ISPs operate under different brand names.

  - `result.dst_endpoint.location` (object)
    The Geo Location object describes a geographical location, usually associated with an IP address.

  - `result.dst_endpoint.mac` (string)
    Media Access Control (MAC) address. For example: 18:36:F3:98:4F:9A.

  - `result.dst_endpoint.mac_vendor` (string,null)
    The vendor or manufacturer of the endpoint's network interface controller (NIC), as identified from the MAC address.

  - `result.dst_endpoint.name` (string,null)
    The short name of the endpoint.

  - `result.dst_endpoint.network_scope` (string,null)
    Indicates whether the endpoint resides inside the customer’s network, outside on the Internet, or if its location relative to the customer’s network cannot be determined. The value is normalized to the caption of the network_scope_id.

  - `result.dst_endpoint.network_scope_id` (integer)
    NetworkEndpointNetworkScopeId is an enum, and the following values are allowed.
0 - Unknown: Unknown whether this endpoint resides within the customer’s network.
1 - Internal: The endpoint resides inside the customer’s network.
2 - External: The endpoint is on the Internet or otherwise external to the customer’s network.
99 - Other: The network scope is not mapped. See the network_scope attribute, which contains a data source specific value.

  - `result.dst_endpoint.os` (object)
    The Operating System (OS) object describes characteristics of an OS, such as Linux or Windows.

  - `result.dst_endpoint.owner` (object)
    The User object describes the characteristics of a user/person or a security principal.

  - `result.dst_endpoint.pool` (object)
    The Group object represents a collection or association of entities, such as users, policies, or devices. It serves as a logical grouping mechanism to organize and manage entities with similar characteristics or permissions within a system or organization, including but not limited to purposes of access control.

  - `result.dst_endpoint.port` (integer)
    The TCP/UDP port number. For example: 80, 22.

  - `result.dst_endpoint.proxy_endpoint` (object)
    The network proxy endpoint object describes a proxy server, which acts as an intermediary between a client requesting a resource and the server providing that resource.

  - `result.dst_endpoint.proxy_endpoint.agent_list` (array,null)
    A list of agent objects associated with a device, endpoint, or resource.

  - `result.dst_endpoint.proxy_endpoint.autonomous_system` (object)
    An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.

  - `result.dst_endpoint.proxy_endpoint.domain` (string,null)
    The name of the domain that the endpoint belongs to or that corresponds to the endpoint.

  - `result.dst_endpoint.proxy_endpoint.fingerprints` (array,null)
    Fingerprints that identify the specific application implementation on this endpoint, such as Cisco NPF or HASSH.

  - `result.dst_endpoint.proxy_endpoint.hostname` (string)
    Unique name assigned to a device connected to a computer network. It may be a fully qualified domain name (FQDN). For example: r2-d2.example.com, mx.example.com.

  - `result.dst_endpoint.proxy_endpoint.hw_info` (object)
    The Device Hardware Information object contains details and specifications of the physical components that make up a device. This information provides an overview of the hardware capabilities, configuration, and characteristics of the device.

  - `result.dst_endpoint.proxy_endpoint.instance_uid` (string,null)
    The unique identifier of a VM instance.

  - `result.dst_endpoint.proxy_endpoint.interface_name` (string,null)
    The name of the network interface (e.g. eth2).

  - `result.dst_endpoint.proxy_endpoint.interface_uid` (string,null)
    The unique identifier of the network interface.

  - `result.dst_endpoint.proxy_endpoint.intermediate_ips` (array,null)
    The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.

  - `result.dst_endpoint.proxy_endpoint.ip` (string)
    Internet Protocol address (IP address), in either IPv4 or IPv6 format. For example: 192.168.200.24, 2001:0db8:85a3:0000:0000:8a2e:0370:7334.

  - `result.dst_endpoint.proxy_endpoint.isp` (string,null)
    The name of the Internet Service Provider (ISP).

  - `result.dst_endpoint.proxy_endpoint.isp_org` (string,null)
    The organization name of the Internet Service Provider (ISP). This represents the parent organization or company that owns/operates the ISP. For example, Comcast Corporation would be the ISP org for Xfinity internet service. This attribute helps identify the ultimate provider when ISPs operate under different brand names.

  - `result.dst_endpoint.proxy_endpoint.location` (object)
    The Geo Location object describes a geographical location, usually associated with an IP address.

  - `result.dst_endpoint.proxy_endpoint.mac` (string)
    Media Access Control (MAC) address. For example: 18:36:F3:98:4F:9A.

  - `result.dst_endpoint.proxy_endpoint.mac_vendor` (string,null)
    The vendor or manufacturer of the endpoint's network interface controller (NIC), as identified from the MAC address.

  - `result.dst_endpoint.proxy_endpoint.name` (string,null)
    The short name of the endpoint.

  - `result.dst_endpoint.proxy_endpoint.network_scope` (string,null)
    Indicates whether the endpoint resides inside the customer’s network, outside on the Internet, or if its location relative to the customer’s network cannot be determined. The value is normalized to the caption of the network_scope_id.

  - `result.dst_endpoint.proxy_endpoint.network_scope_id` (integer)
    NetworkProxyNetworkScopeId is an enum, and the following values are allowed.
0 - Unknown: Unknown whether this endpoint resides within the customer’s network.
1 - Internal: The endpoint resides inside the customer’s network.
2 - External: The endpoint is on the Internet or otherwise external to the customer’s network.
99 - Other: The network scope is not mapped. See the network_scope attribute, which contains a data source specific value.

  - `result.dst_endpoint.proxy_endpoint.os` (object)
    The Operating System (OS) object describes characteristics of an OS, such as Linux or Windows.

  - `result.dst_endpoint.proxy_endpoint.owner` (object)
    The User object describes the characteristics of a user/person or a security principal.

  - `result.dst_endpoint.proxy_endpoint.pool` (object)
    The Group object represents a collection or association of entities, such as users, policies, or devices. It serves as a logical grouping mechanism to organize and manage entities with similar characteristics or permissions within a system or organization, including but not limited to purposes of access control.

  - `result.dst_endpoint.proxy_endpoint.port` (integer)
    The TCP/UDP port number. For example: 80, 22.

  - `result.dst_endpoint.proxy_endpoint.proxy_endpoint` (object)
    An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.

  - `result.dst_endpoint.proxy_endpoint.subnet_uid` (string,null)
    The unique identifier of a virtual subnet.

  - `result.dst_endpoint.proxy_endpoint.svc_name` (string,null)
    The service name in service-to-service connections. For example, in AWS VPC flow logs the pkt-src-aws-service and pkt-dst-aws-service fields identify whether the connection is coming from or going to an AWS service.

  - `result.dst_endpoint.proxy_endpoint.type` (string,null)
    The network endpoint type. For example: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.

  - `result.dst_endpoint.proxy_endpoint.type_id` (integer)
    NetworkProxyTypeId is an enum, and the following values are allowed.
0 - Unknown: The type is unknown.
1 - Server: A server.
2 - Desktop: A desktop computer.
3 - Laptop: A laptop computer.
4 - Tablet: A tablet computer.
5 - Mobile: A mobile phone.
6 - Virtual: A virtual machine.
7 - IOT: An IOT (Internet of Things) device.
8 - Browser: A web browser.
9 - Firewall: A networking firewall.
10 - Switch: A networking switch.
11 - Hub: A networking hub.
12 - Router: A networking router.
13 - IDS: An intrusion detection system.
14 - IPS: An intrusion prevention system.
15 - LoadBalancer: A Load Balancer device.
99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.

  - `result.dst_endpoint.proxy_endpoint.uid` (string,null)
    The unique identifier of the endpoint.

  - `result.dst_endpoint.proxy_endpoint.vlan_uid` (string,null)
    The Virtual LAN identifier.

  - `result.dst_endpoint.proxy_endpoint.vpc_uid` (string,null)
    The unique identifier of the Virtual Private Cloud (VPC).

  - `result.dst_endpoint.proxy_endpoint.zone` (string,null)
    The network zone or LAN segment.

  - `result.dst_endpoint.subnet_uid` (string,null)
    The unique identifier of a virtual subnet.

  - `result.dst_endpoint.svc_name` (string,null)
    The service name in service-to-service connections. For example, in AWS VPC flow logs the pkt-src-aws-service and pkt-dst-aws-service fields identify whether the connection is coming from or going to an AWS service.

  - `result.dst_endpoint.type` (string,null)
    The network endpoint type. For example: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.

  - `result.dst_endpoint.type_id` (integer)
    NetworkEndpointTypeId is an enum, and the following values are allowed.
0 - Unknown: The type is unknown.
1 - Server: A server.
2 - Desktop: A desktop computer.
3 - Laptop: A laptop computer.
4 - Tablet: A tablet computer.
5 - Mobile: A mobile phone.
6 - Virtual: A virtual machine.
7 - IOT: An IOT (Internet of Things) device.
8 - Browser: A web browser.
9 - Firewall: A networking firewall.
10 - Switch: A networking switch.
11 - Hub: A networking hub.
12 - Router: A networking router.
13 - IDS: An intrusion detection system.
14 - IPS: An intrusion prevention system.
15 - LoadBalancer: A Load Balancer device.
99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.

  - `result.dst_endpoint.uid` (string,null)
    The unique identifier of the endpoint.

  - `result.dst_endpoint.vlan_uid` (string,null)
    The Virtual LAN identifier.

  - `result.dst_endpoint.vpc_uid` (string,null)
    The unique identifier of the Virtual Private Cloud (VPC).

  - `result.dst_endpoint.zone` (string,null)
    The network zone or LAN segment.

  - `result.duration` (integer,null)
    The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.

  - `result.email_auth` (object)
    The Email Authentication object describes the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) attributes of an email.

  - `result.email_auth.dkim` (string,null)
    The DomainKeys Identified Mail (DKIM) status of the email.

  - `result.email_auth.dkim_domain` (string,null)
    The DomainKeys Identified Mail (DKIM) signing domain of the email.

  - `result.email_auth.dkim_signature` (string,null)
    The DomainKeys Identified Mail (DKIM) signature used by the sending/receiving system.

  - `result.email_auth.dmarc` (string,null)
    The Domain-based Message Authentication, Reporting and Conformance (DMARC) status of the email.

  - `result.email_auth.dmarc_override` (string,null)
    The Domain-based Message Authentication, Reporting and Conformance (DMARC) override action.

  - `result.email_auth.dmarc_policy` (string,null)
    The Domain-based Message Authentication, Reporting and Conformance (DMARC) policy status.

  - `result.email_auth.spf` (string,null)
    The Sender Policy Framework (SPF) status of the email.

  - `result.end_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.end_time_dt` (string,null)
    The end time of a time period, or the time of the most recent event included in the aggregate event.

  - `result.enrichments` (array,null)
    The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]

  - `result.enrichments.data` (any, required)
    The enrichment data associated with the attribute and value. The meaning of this data depends on the type of the enrichment record.

  - `result.enrichments.name` (string, required)
    The name of the attribute to which the enriched data pertains.

  - `result.enrichments.value` (string, required)
    The value of the attribute to which the enriched data pertains.

  - `result.enrichments.created_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.enrichments.created_time_dt` (string,null)
    The time when the enrichment data was generated.

  - `result.enrichments.desc` (string,null)
    A long description of the enrichment data.

  - `result.enrichments.provider` (string,null)
    The enrichment data provider name.

  - `result.enrichments.reputation` (object)
    The Reputation object describes the reputation/risk score of an entity (e.g. device, user, domain).

  - `result.enrichments.reputation.base_score` (number, required)
    The reputation score as reported by the event source.

  - `result.enrichments.reputation.score_id` (integer, required)
    ReputationScoreId is an enum, and the following values are allowed.
0 - Unknown: The reputation score is unknown.
1 - VerySafe: Long history of good behavior.
2 - Safe: Consistently good behavior.
3 - ProbablySafe: Reasonable history of good behavior.
4 - LeansSafe: Starting to establish a history of normal behavior.
5 - MaynotbeSafe: No established history of normal behavior.
6 - ExerciseCaution: Starting to establish a history of suspicious or risky behavior.
7 - Risky: A site with a history of suspicious or risky behavior. (spam, scam, potentially unwanted software, potentially malicious).
8 - PossiblyMalicious: Strong possibility of maliciousness.
9 - ProbablyMalicious: Indicators of maliciousness.
10 - Malicious: Proven evidence of maliciousness.
99 - Other: The reputation score is not mapped. See the rep_score attribute, which contains a data source specific value.

  - `result.enrichments.reputation.provider` (string,null)
    The provider of the reputation information.

  - `result.enrichments.reputation.score` (string,null)
    The reputation score, normalized to the caption of the score_id value. In the case of 'Other', it is defined by the event source.

  - `result.enrichments.short_desc` (string,null)
    A short description of the enrichment data.

  - `result.enrichments.src_url` (string)
    Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

  - `result.enrichments.type` (string,null)
    The enrichment type. For example: location.

  - `result.firewall_rule` (object)
    The Firewall Rule object represents a specific rule within a firewall policy or event. It contains information about a rule's configuration, properties, and associated actions that define how network traffic is handled by the firewall.

  - `result.firewall_rule.category` (string,null)
    The rule category.

  - `result.firewall_rule.condition` (string,null)
    The rule trigger condition for the rule. For example: SQL_INJECTION.

  - `result.firewall_rule.desc` (string,null)
    The description of the rule that generated the event.

  - `result.firewall_rule.duration` (integer,null)
    The rule response time duration, usually used for challenge completion time.

  - `result.firewall_rule.match_details` (array,null)
    The data in a request that rule matched. For example: '["10","and","1"]'.

  - `result.firewall_rule.match_location` (string,null)
    The location of the matched data in the source which resulted in the triggered firewall rule. For example: HEADER.

  - `result.firewall_rule.name` (string,null)
    The name of the rule that generated the event.

  - `result.firewall_rule.rate_limit` (integer,null)
    The rate limit for a rate-based rule.

  - `result.firewall_rule.sensitivity` (string,null)
    The sensitivity of the firewall rule in the matched event. For example: HIGH.

  - `result.firewall_rule.type` (string,null)
    The rule type.

  - `result.firewall_rule.uid` (string,null)
    The unique identifier of the rule that generated the event.

  - `result.firewall_rule.version` (string,null)
    The rule version. For example: 1.1.

  - `result.from` (string)
    Email address. For example: john_doe@example.com.

  - `result.is_alert` (boolean,null)
    Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.
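The disposition_id enum, the email_auth object and the is_alert rule above are what a consumer of this endpoint combines when deciding which events a responder should look at first. The following is an added example of that triage logic, not Synqly's code: it uses the field names and enum values documented on this page, and the three sample events at the bottom are constructed for illustration. The priority scheme (a risk signal on a message that was nevertheless delivered ranks highest) is the example's own choice.

```python
"""Triage normalized email events by the fields documented on this page.

Added example, not Synqly's code. Field names (disposition_id, email_auth,
malware[].severity_id, enrichments[].reputation.score_id, from) and the
enum constants follow this reference; the sample events are constructed.
"""
from __future__ import annotations

from typing import Any

# disposition_id values (see the DispositionId enum).
ALLOWED, BLOCKED, QUARANTINED = 1, 2, 3
EXONERATED, DETECTED, NO_ACTION, LOGGED, ALERT = 10, 15, 16, 17, 19
# Dispositions under which the message still reached the recipient.
DELIVERED = {ALLOWED, DETECTED, NO_ACTION, LOGGED, ALERT}

# malware[].severity_id values High, Critical and Fatal.
ELEVATED_SEVERITY = {4, 5, 6}

# enrichments[].reputation.score_id values from PossiblyMalicious upward.
REPUTATION_BAD_FROM = 8

# Authentication results that mean the check ran and the sender failed it.
FAILED_RESULTS = {"fail", "softfail"}


def failed_auth_checks(event: dict[str, Any]) -> list[str]:
    """Return the names of the SPF/DKIM/DMARC checks that failed.

    Missing, "none" or "neutral" results are not counted: an empty list means
    nothing is known to be wrong, not that the sender was verified.
    """
    auth = event.get("email_auth") or {}
    return [
        check
        for check in ("spf", "dkim", "dmarc")
        if str(auth.get(check) or "").lower() in FAILED_RESULTS
    ]


def max_malware_severity(event: dict[str, Any]) -> int:
    """Highest malware severity_id attached to the event (0 when none)."""
    return max((m.get("severity_id", 0) for m in event.get("malware") or []), default=0)


def worst_reputation(event: dict[str, Any]) -> int:
    """Highest reputation score_id among the enrichments (0 when none)."""
    scores = [
        (e.get("reputation") or {}).get("score_id", 0)
        for e in event.get("enrichments") or []
    ]
    return max(scores, default=0)


def is_alertable(event: dict[str, Any]) -> bool:
    """Apply the is_alert rule from this reference: true when the disposition
    is Alert or the malware severity is elevated, never for Allowed/Exonerated."""
    disposition = event.get("disposition_id", 0)
    if disposition in (ALLOWED, EXONERATED):
        return False
    return disposition == ALERT or max_malware_severity(event) in ELEVATED_SEVERITY


def triage(event: dict[str, Any]) -> dict[str, Any]:
    """Rank one event. A risk signal on a message that was still delivered
    ranks highest, because the control did not act on it."""
    reasons = [f"{check}_fail" for check in failed_auth_checks(event)]
    if max_malware_severity(event) in ELEVATED_SEVERITY:
        reasons.append("malware")
    if worst_reputation(event) >= REPUTATION_BAD_FROM:
        reasons.append("reputation")
    delivered = event.get("disposition_id", 0) in DELIVERED
    if reasons and delivered:
        priority = "high"
    elif reasons:
        priority = "medium"
    else:
        priority = "low"
    return {
        "from": event.get("from"),
        "priority": priority,
        "reasons": reasons,
        "is_alert": is_alertable(event),
    }


def triage_all(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Triage every event and return the results highest priority first."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((triage(e) for e in events), key=lambda r: order[r["priority"]])


# Constructed sample events, shaped like the result items of this endpoint.
SAMPLE_EVENTS = [
    {  # DMARC failed, SPF soft-failed, yet the provider allowed delivery
        "from": "ceo@example.com",
        "disposition_id": ALLOWED,
        "email_auth": {"spf": "softfail", "dkim": "none", "dmarc": "fail"},
    },
    {  # malware detected and quarantined: the control acted
        "from": "invoice@example.net",
        "disposition_id": QUARANTINED,
        "malware": [{"name": "Trojan.Generic", "severity_id": 4}],
    },
    {  # clean, fully authenticated message
        "from": "alice@example.org",
        "disposition_id": ALLOWED,
        "email_auth": {"spf": "pass", "dkim": "pass", "dmarc": "pass"},
    },
]

if __name__ == "__main__":
    for row in triage_all(SAMPLE_EVENTS):
        print(row)
```

Note that the first sample event is not alertable under the page's is_alert rule (its disposition is Allowed) but still ranks highest in triage: an authentication failure that the provider let through is exactly the case the rule's "not all control events will be alertable" caveat leaves to the consumer.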

  - `result.malware` (array,null)
    A list of Malware objects, describing details about the identified malware.

  - `result.malware.classification_ids` (array, required)
    The list of normalized identifiers of the malware classifications.

  - `result.malware.classifications` (array,null)
    The list of malware classifications, normalized to the captions of the classification_ids values. In the case of 'Other', they are defined by the event source.

  - `result.malware.cves` (array,null)
    The list of Common Vulnerabilities and Exposures (CVE) identifiers associated with the malware. Reference: CVE

  - `result.malware.cves.uid` (string, required)
    The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with "CVE-", then 4 digits representing the year, followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345.

  - `result.malware.cves.created_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.malware.cves.created_time_dt` (string,null)
    The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

  - `result.malware.cves.cvss` (array,null)
    The CVSS object details Common Vulnerability Scoring System (CVSS) scores from the advisory that are related to the vulnerability.

  - `result.malware.cves.cvss.base_score` (number, required)
    The CVSS base score. For example: 9.1.

  - `result.malware.cves.cvss.version` (string, required)
    The CVSS version. For example: 3.1.

  - `result.malware.cves.cvss.depth` (string)
    CvssDepth is an enum, and the following values are allowed.
Base - Base
Environmental - Environmental
Temporal - Temporal

  - `result.malware.cves.cvss.metrics` (array,null)
    The Common Vulnerability Scoring System metrics. This attribute contains information on the CVE's impact. If the CVE has been analyzed, this attribute will contain any CVSSv2 or CVSSv3 information associated with the vulnerability. For example: { {"Access Vector", "Network"}, {"Access Complexity", "Low"}, ...}.

  - `result.malware.cves.cvss.overall_score` (number,null)
    The CVSS overall score, impacted by base, temporal, and environmental metrics. For example: 9.1.

  - `result.malware.cves.cvss.severity` (string,null)
    The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating, a textual representation of the numeric score.
    CVSS v2.0: Low (0.0 - 3.9), Medium (4.0 - 6.9), High (7.0 - 10.0).
    CVSS v3.0: None (0.0), Low (0.1 - 3.9), Medium (4.0 - 6.9), High (7.0 - 8.9), Critical (9.0 - 10.0).

  - `result.malware.cves.cvss.src_url` (string)
    Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

  - `result.malware.cves.cvss.vector_string` (string,null)
    The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.

  - `result.malware.cves.cvss.vendor_name` (string,null)
    The vendor that provided the CVSS score. For example: NVD, REDHAT etc.

  - `result.malware.cves.cwe` (object)
    The CWE object represents a weakness in a software system that can be exploited by a threat actor to perform an attack. The CWE object is based on the Common Weakness Enumeration (CWE) catalog.

  - `result.malware.cves.cwe.uid` (string, required)
    The Common Weakness Enumeration unique number assigned to a specific weakness. A CWE Identifier begins "CWE" followed by a sequence of digits that acts as a unique identifier. For example: CWE-123.

  - `result.malware.cves.cwe.caption` (string,null)
    The caption assigned to the Common Weakness Enumeration unique identifier.

  - `result.malware.cves.cwe.src_url` (string)
    Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

  - `result.malware.cves.cwe_uid` (string,null)
    The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787.

  - `result.malware.cves.cwe_url` (string)
    Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

  - `result.malware.cves.desc` (string,null)
    A brief description of the CVE Record.

  - `result.malware.cves.epss` (object)
    The Exploit Prediction Scoring System (EPSS) object describes the estimated probability that a vulnerability will be exploited. EPSS is a community-driven effort to combine descriptive information about vulnerabilities (CVEs) with evidence of actual exploitation in the wild.

  - `result.malware.cves.epss.score` (string, required)
    The EPSS score representing the probability [0-1] of exploitation in the wild in the next 30 days (following score publication).

  - `result.malware.cves.epss.created_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.malware.cves.epss.created_time_dt` (string,null)
    The timestamp indicating when the EPSS score was calculated.

  - `result.malware.cves.epss.percentile` (number,null)
    The EPSS score's percentile representing relative importance and ranking of the score in the larger EPSS dataset.

  - `result.malware.cves.epss.version` (string,null)
    The version of the EPSS model used to calculate the score.

  - `result.malware.cves.modified_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.malware.cves.modified_time_dt` (string,null)
    The Record Modified Date identifies when the CVE record was last updated.

  - `result.malware.cves.product` (object)
    The Product object describes characteristics of a software product.

  - `result.malware.cves.references` (array,null)
    A list of reference URLs with additional information about the CVE Record.

  - `result.malware.cves.related_cwes` (array,null)
    Describes the Common Weakness Enumeration (CWE) details related to the CVE Record.

  - `result.malware.cves.title` (string,null)
    A title or a brief phrase summarizing the CVE record.

  - `result.malware.cves.type` (string,null)
    The vulnerability type as selected from a large dropdown menu during CVE refinement. Most frequently used vulnerability types are: DoS, Code Execution, Overflow, Memory Corruption, Sql Injection, XSS, Directory Traversal, Http Response Splitting, Bypass something, Gain Information, Gain Privileges, CSRF, File Inclusion. For more information see Vulnerabilities By Type distributions.

  - `result.malware.files` (array,null)
    The list of file objects representing files that were identified as infected by the malware.

  - `result.malware.name` (string,null)
    The malware name, as reported by the detection engine.

  - `result.malware.num_infected` (integer,null)
    The number of files that were identified to be infected by the malware.

  - `result.malware.path` (string)
    The full path to the file. For example: c:\windows\system32\svchost.exe.

  - `result.malware.provider` (string,null)
    The name or identifier of the security solution or service that provided the malware detection information.

  - `result.malware.severity` (string,null)
    The severity of the malware, normalized to the captions of the severity_id values. In the case of 'Other', they are defined by the event source.

  - `result.malware.severity_id` (integer)
    MalwareSeverityId is an enum, and the following values are allowed.
0 - Unknown: The event/finding severity is unknown.
1 - Informational: Informational message. No action required.
2 - Low: The user decides if action is needed.
3 - Medium: Action is required but the situation is not serious at this time.
4 - High: Action is required immediately.
5 - Critical: Action is required immediately and the scope is broad.
6 - Fatal: An error occurred but it is too late to take remedial action.
99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.

  - `result.malware.uid` (string,null)
    A unique identifier for the specific malware instance, as assigned by the detection engine (e.g., virus signature ID or IPS rule ID).

  - `result.malware_scan_info` (object)
    The malware scan information object describes characteristics, metadata of a malware scanning job.

  - `result.malware_scan_info.type_id` (integer, required)
    MalwareScanInfoTypeId is an enum, and the following values are allowed.
0 - Unknown: The type is unknown.
1 - Manual: The scan was manually initiated by the user or administrator.
2 - Scheduled: The scan was started based on scheduler.
3 - UpdatedContent: The scan was triggered by a content update.
4 - QuarantinedItems: The scan was triggered by newly quarantined items.
5 - AttachedMedia: The scan was triggered by the attachment of removable media.
6 - UserLogon: The scan was started due to a user logon.
7 - ELAM: The scan was triggered by an Early Launch Anti-Malware (ELAM) detection.
99 - Other: The scan type id is not mapped. See the type attribute, which contains a data source specific value.

  - `result.malware_scan_info.end_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.malware_scan_info.end_time_dt` (string,null)
    The timestamp indicating when the scan job completed execution.

  - `result.malware_scan_info.name` (string,null)
    The administrator-supplied or application-generated name of the scan. For example: "Home office weekly user database scan", "Scan folders for viruses", "Full system virus scan"

  - `result.malware_scan_info.num_files` (integer,null)
    The total number of files analyzed during the scan.

  - `result.malware_scan_info.num_infected` (integer,null)
    The total number of files identified as infected with malware during the scan.

  - `result.malware_scan_info.num_volumes` (integer,null)
    The total number of storage volumes examined during the malware scan.

  - `result.malware_scan_info.size` (integer,null)
    The total size in bytes of all files that were scanned.

  - `result.malware_scan_info.start_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.malware_scan_info.start_time_dt` (string,null)
    The timestamp indicating when the scan job began execution.

  - `result.malware_scan_info.type` (string,null)
    The type of scan.

  - `result.malware_scan_info.uid` (string,null)
    The application-defined unique identifier assigned to an instance of a scan.

  - `result.malware_scan_info.unique_malware_count` (integer,null)
    The number of unique malware detected across all infected files.

  - `result.message` (string,null)
    The description of the event/finding, as defined by the source.

  - `result.message_trace_uid` (string,null)
    The identifier that tracks a message that travels through multiple points of a messaging service.

  - `result.observables` (array,null)
    The observables associated with the event or a finding.

  - `result.observables.type_id` (integer, required)
    ObservableTypeId is an enum, and the following values are allowed.
0 - Unknown: Unknown observable data type.
1 - Hostname: Unique name assigned to a device connected to a computer network. It may be a fully qualified domain name (FQDN). For example: r2-d2.example.com, mx.example.com.
2 - IPAddress: Internet Protocol address (IP address), in either IPv4 or IPv6 format. For example: 192.168.200.24, 2001:0db8:85a3:0000:0000:8a2e:0370:7334.
3 - MACAddress: Media Access Control (MAC) address. For example: 18:36:F3:98:4F:9A.
4 - UserName: User name. For example: john_doe.
5 - EmailAddress: Email address. For example: john_doe@example.com.
6 - URLString: Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.
7 - FileName: File name. For example: text-file.txt.
8 - Hash: Fingerprint. A value, in any format, that maps an arbitrarily large data item to a much shorter string that uniquely identifies the original data. Examples include cryptographic hashing of a file, code signing, and Network Protocol Fingerprinting (NPF). Note about the name: the type name file_hash_t and the caption "Hash" are used for legacy reasons. This type has been generalized from a file hash to a general fingerprint; the existing type name and caption were retained for backwards compatibility.
9 - ProcessName: Process name. For example: Notepad.
10 - ResourceUID: Resource unique identifier. For example, S3 Bucket name or EC2 Instance ID.
11 - Port: The TCP/UDP port number. For example: 80, 22.
12 - Subnet: The subnet represented in CIDR notation, using the format network_address/prefix_length. The network_address can be in either IPv4 or IPv6 format. The prefix length indicates the number of bits used for the network portion, and the remaining bits are available for host addresses within that subnet. For example: 192.168.1.0/24, 2001:0db8:85a3:0000::/64.
20 - Endpoint: The Endpoint object describes a physical or virtual device that connects to and exchanges information with a computer network. Some examples of endpoints are mobile devices, desktop computers, virtual machines, embedded devices, and servers. Internet-of-Things devices—like cameras, lighting, refrigerators, security systems, smart speakers, and thermostats—are also endpoints.
21 - User: The User object describes the characteristics of a user/person or a security principal.
22 - Email: The Email object describes the email metadata such as sender, recipients, and direction, and can include embedded URLs and files.
23 - UniformResourceLocator: The Uniform Resource Locator (URL) object describes the characteristics of a URL.
24 - File: The File object represents the metadata associated with a file stored in a computer system. It encompasses information about the file itself, including its attributes, properties, and organizational details.
25 - Process: The Process object describes a running instance of a launched program.
26 - GeoLocation: The Geo Location object describes a geographical location, usually associated with an IP address.
27 - Container: The Container object describes an instance of a specific container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.
30 - Fingerprint: The Fingerprint object provides detailed information about a fingerprint, which is a compact representation of data used to identify a longer piece of information, such as a public key, file content, or application implementation. It contains the algorithm or scheme and value of the fingerprint, enabling efficient and reliable identification of the associated data.
45 - FilePath: The full path to the file. For example: c:\windows\system32\svchost.exe.
99 - Other: The observable data type is not mapped. See the type attribute, which may contain data source specific value.

  - `result.observables.event_uid` (string,null)
    The unique identifier (metadata.uid) of the source OCSF event from which this observable was extracted. This field enables linking observables back to their originating event data when observables are stored in a separate location or system.

  - `result.observables.name` (string,null)
    The full name of the observable attribute. The name is a pointer/reference to an attribute within the OCSF event data. For example: file.name. Array attributes may be represented in one of three ways. For example: resources.uid, resources[].uid, resources[0].uid.

  - `result.observables.reputation` (object)
    The Reputation object describes the reputation/risk score of an entity (e.g. device, user, domain).

  - `result.observables.type` (string,null)
    The observable value type name.

  - `result.observables.type_uid` (integer,null)
    The OCSF event type UID (type_uid) of the source event that this observable was extracted from. This field enables filtering and categorizing observables by their originating event type. For example: 300101 for Network Activity (class_uid 3001) with activity_id 1.

  - `result.observables.value` (string,null)
    The value associated with the observable attribute. The meaning of the value depends on the observable type. If the name refers to a scalar attribute, then the value is the value of the attribute. If the name refers to an object attribute, then the value is not populated.

  - `result.policy` (object)
    The Policy object describes the policies that are applicable. Policy attributes provide traceability to the operational state of the security product at the time that the event was captured, facilitating forensics, troubleshooting, and policy tuning/adjustments.

  - `result.protocol_name` (string,null)
    The Protocol Name specifies the email communication protocol, such as SMTP, IMAP, or POP3.

  - `result.raw_data` (string,null)
    The raw event/finding data as received from the source.

  - `result.raw_data_hash` (object)
    The Fingerprint object provides detailed information about a fingerprint, which is a compact representation of data used to identify a longer piece of information, such as a public key, file content, or application implementation. It contains the algorithm or scheme and value of the fingerprint, enabling efficient and reliable identification of the associated data.

  - `result.raw_data_size` (integer,null)
    The size of the raw data which was transformed into an OCSF event, in bytes.

  - `result.risk_details` (string,null)
    Describes the risk associated with the finding.

  - `result.risk_level` (string,null)
    The risk level, normalized to the caption of the risk_level_id value.

  - `result.risk_level_id` (integer)
    RiskLevelId is an enum, and the following values are allowed.
0 - Info
1 - Low
2 - Medium
3 - High
4 - Critical
99 - Other: The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.

  - `result.risk_score` (integer,null)
    The risk score as reported by the event source.

  - `result.severity` (string,null)
    The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.

  - `result.smtp_hello` (string,null)
    The value of the SMTP HELO or EHLO command sent by the initiator (client).

  - `result.src_endpoint` (object)
    The Network Endpoint object describes characteristics of a network endpoint. These can be a source or destination of a network connection.

  - `result.start_time` (integer)
    The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example: 1618524549901.

  - `result.start_time_dt` (string,null)
    The start time of a time period, or the time of the least recent event included in the aggregate event.

  - `result.status` (string,null)
    The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.

  - `result.status_code` (string,null)
    The event status code, as reported by the event source. For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.

  - `result.status_detail` (string,null)
    The status detail contains additional information about the event/finding outcome.

  - `result.status_id` (integer)
    StatusId is an enum, and the following values are allowed.
0 - Unknown: The status is unknown.
1 - Success
2 - Failure
99 - Other: The status is not mapped. See the status attribute, which contains a data source specific value.

  - `result.time_dt` (string,null)
    The normalized event occurrence time or the finding creation time.

  - `result.timezone_offset` (integer,null)
    The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.

  - `result.to` (array,null)
    The recipient address from the transmission envelope. This may differ from the 'To' header and represents where the message was actually delivered.

  - `result.type_name` (string,null)
    The event/finding type name, as defined by the type_uid.

  - `result.unmapped` (object)
    An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.

  - `cursor` (string, required)
    Cursor to use to retrieve the next page of results

  - `messages` (object)

  - `messages.problems` (array,null)
    Warnings or issues that occurred during processing that did not prevent the request from returning, but may indicate a problem or issue with expected processing behavior.

  - `messages.problems.occurred_at` (string, required)
    The date and time the problem occurred.

  - `messages.problems.status` (integer, required)
    The HTTP status code of the problem. Matches the HTTP response code sent by the server.

  - `messages.problems.instance` (string, required)
    A URI reference that identifies the specific occurrence of the problem. It may or may not yield further information if dereferenced.

  - `messages.problems.message` (string, required)
    A short, display-friendly summary of the problem.

  - `messages.problems.type` (string)
    A URI reference that identifies the type of problem that occurred. When the URI scheme is HTTP(s), it may or may not be possible to dereference the URL to a display-friendly description of the problem type.

  - `messages.problems.cause` (array,null)
    A list of the root cause(s) for this problem occurrence. Includes at minimum one root cause, and is otherwise an unordered list of causes.

  - `messages.problems.cause.type` (string, required)
    A URI reference that identifies the type of problem that occurred. When the URI scheme is HTTP(s), it may or may not be possible to dereference the URL to a display-friendly description of the problem type.

  - `messages.problems.cause.message` (string, required)
    A short, display-friendly summary of the problem.

  - `messages.problems.cause.detail` (string,null)
    A display-friendly and more detailed explanation of the problem. It may offer additional contextual detail, but may also be just a generic description of the problem.

  - `messages.problems.cause.remediation` (string,null)
    A display-friendly explanation for how to remediate the problem. This field may be omitted in case there are multiple problems, each with its own remediation, or if no remediation is possible.

  - `messages.problems.cause.context` (object)

  - `messages.problems.cause.context.parameter` (object)

  - `messages.problems.cause.context.parameter.id` (string, required)
    If the location of the parameter is body, this value is always a JSON Pointer, otherwise it's the name of the parameter.

  - `messages.problems.cause.context.parameter.location` (string, required)
    Enum: "header", "path", "query", "body"

  - `messages.problems.cause.context.parameter.value` (any,null)
    The given value of the parameter.

  - `messages.problems.cause.context.resources` (array,null)

  - `messages.problems.cause.context.resources.type` (string, required)
    Enum: "account", "bridge", "credential", "integration_point", "integration", "member", "operation", "organization_webhook", "role", "sub_org", "token", "transform"

  - `messages.problems.cause.context.resources.id` (string, required)
    ID of the related resource.

  - `messages.problems.cause.context.resources.rel` (string, required)
    Enum: "affected", "cause"

  - `messages.problems.cause.context.raw_error` (string,null)
    If available this represents the underlying raw error, for example an error response from a Provider.

  - `messages.problems.cause.context.provider_details` (object,null)
    If available this represents the underlying details from the provider. May include the error message, status code, and other details.

  - `messages.problems.detail` (string,null)
    A display-friendly and more detailed explanation of the problem. It may offer additional contextual detail, but may also be just a generic description of the problem.

  - `messages.problems.remediation` (string,null)
    A display-friendly explanation for how to remediate the problem. This field may be omitted in case there are multiple problems, each with its own remediation, or if no remediation is possible.

  - `messages.problems.context` (object)

  - `meta` (object)

  - `meta.stats` (object)

  - `meta.stats.count` (object,null)
    A count of total response times. If present "\*" will be all items, or they can be faceted into specific categories.

  - `meta.api` (object)

  - `meta.api.response` (object)

  - `meta.api.response.primary` (object)

  - `meta.api.response.primary.endpoint` (string, required)
    The endpoint URL of the primary API request made to fulfill the response.

  - `meta.api.response.primary.response` (string, required)
    The response from the primary API request.

  - `meta.api.response.list` (object,null)
    All responses from backing API calls, indexed by endpoint URL.

  - `meta.mapping` (object)

  - `meta.mapping.chains` (object)
    The list of mapping chains applied, indexed by operation ID. Each entry contains an array of mapping IDs.

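The response fields above are easiest to understand when a consumer actually walks one page of them: enum ids become the captions listed here (unlisted ids are flagged rather than guessed), epoch-millisecond timestamps are converted with the event's `timezone_offset`, only scalar observables (those with a populated `value`) are indexed, `messages.problems` is surfaced instead of silently dropped, and the top-level `cursor` is handed back for the next request. The following is an added example, not Synqly's code; the response it consumes is a constructed sample, and the helper names are the author's own.

```python
"""Consume one page of Query Email Events results (added example, constructed data)."""
from datetime import datetime, timedelta, timezone

# Captions for the enum ids as listed on this page.
SEVERITY_CAPTIONS = {0: "Unknown", 1: "Informational", 2: "Low", 3: "Medium",
                     4: "High", 5: "Critical", 6: "Fatal", 99: "Other"}
STATUS_CAPTIONS = {0: "Unknown", 1: "Success", 2: "Failure", 99: "Other"}
RISK_LEVEL_CAPTIONS = {0: "Info", 1: "Low", 2: "Medium", 3: "High",
                       4: "Critical", 99: "Other"}
# Scalar observable types (those whose `value` is populated); object types such as
# Email (22) or File (24) carry no value and are skipped below.
OBSERVABLE_CAPTIONS = {1: "Hostname", 2: "IPAddress", 3: "MACAddress", 4: "UserName",
                       5: "EmailAddress", 6: "URLString", 7: "FileName", 8: "Hash",
                       9: "ProcessName", 10: "ResourceUID", 11: "Port", 12: "Subnet",
                       45: "FilePath", 99: "Other"}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample page; values are placeholders, not real provider output.
SAMPLE_RESPONSE = {
    "result": [
        {"message_trace_uid": "trace-0001", "severity_id": 4, "status_id": 1,
         "risk_level_id": 3, "start_time": 1618524549901, "timezone_offset": -240,
         "to": ["alice@example.com"],
         "observables": [
             {"name": "file.hashes[0].value", "type_id": 8, "value": "<constructed-hash>"},
             {"name": "url.url_string", "type_id": 6,
              "value": "http://www.example.com/download/trouble.exe"},
             {"name": "email", "type_id": 22, "value": None}]},
        {"message_trace_uid": "trace-0002", "severity_id": 7, "status_id": 2,
         "start_time_dt": "2021-04-15T22:10:00Z", "to": ["bob@example.com"],
         "observables": []},
    ],
    "cursor": "cursor-page-2",
    "messages": {"problems": [
        {"occurred_at": "2021-04-15T22:11:00Z", "status": 200,
         "instance": "urn:example:problem:1", "message": "Partial provider response",
         "cause": [{"type": "urn:example:rate-limited",
                    "message": "Provider rate limited the request"}]}]},
}


def caption(table, value):
    """Map an enum id to its caption; ids the schema does not list are flagged, not guessed."""
    if value is None:
        return None
    return table.get(value, f"Unmapped({value})")


def epoch_ms_to_dt(ms, timezone_offset_min=None):
    """Milliseconds since the Unix epoch (UTC) -> aware datetime.
    timezone_offset_min is the event's offset from UTC in minutes (the
    timezone_offset field); integer arithmetic avoids float rounding."""
    dt = EPOCH + timedelta(milliseconds=ms)
    if timezone_offset_min is not None:
        dt = dt.astimezone(timezone(timedelta(minutes=timezone_offset_min)))
    return dt


def scalar_observables(observables):
    """Return (type caption, attribute name, value) for observables with a value.
    Object-typed observables have no value per the schema and are skipped."""
    return [(caption(OBSERVABLE_CAPTIONS, ob.get("type_id")), ob.get("name"), ob["value"])
            for ob in observables or [] if ob.get("value") is not None]


def normalize_event(ev):
    """Flatten one result entry into the fields an analyst would index."""
    if ev.get("start_time") is not None:
        start = epoch_ms_to_dt(ev["start_time"], ev.get("timezone_offset")).isoformat()
    else:
        start = ev.get("start_time_dt")   # fall back to the pre-formatted variant
    return {
        "trace_uid": ev.get("message_trace_uid"),
        "severity": caption(SEVERITY_CAPTIONS, ev.get("severity_id")),
        "status": caption(STATUS_CAPTIONS, ev.get("status_id")),
        "risk_level": caption(RISK_LEVEL_CAPTIONS, ev.get("risk_level_id")),
        "start_time": start,
        "recipients": ev.get("to") or [],
        "observables": scalar_observables(ev.get("observables")),
    }


def summarize_problems(messages):
    """One log line per messages.problems entry, with its cause messages joined."""
    lines = []
    for p in (messages or {}).get("problems") or []:
        causes = "; ".join(c.get("message", "") for c in p.get("cause") or [])
        lines.append(f"{p.get('status')} {p.get('message')}: {causes}")
    return lines


def process_page(resp):
    """Return (normalized events, cursor for the next request, problem summaries)."""
    events = [normalize_event(ev) for ev in resp.get("result", [])]
    return events, resp.get("cursor"), summarize_problems(resp.get("messages"))


if __name__ == "__main__":
    events, cursor, problems = process_page(SAMPLE_RESPONSE)
    for e in events:
        print(e)
    print("next cursor:", cursor)
    print("problems:", problems)
```

The returned cursor is what a paging loop feeds back as the `cursor` query parameter on the next call; the loop should also check the problem summaries on every page, since a page can return 200 with results and still carry a provider-side warning that explains why it is incomplete.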

