# Cloud Security Supported Fields

This document lists, for each operation, the fields that each provider supports. In the tables below, ✅ marks a field the provider supports for that operation and ❌ marks one it does not; check the provider's column before filtering or correlating on a field across providers.

- [query_cloud_resource_inventory](#query_cloud_resource_inventory)
- [query_compliance_findings](#query_compliance_findings)
- [query_ioms](#query_ioms)
- [query_threats](#query_threats)

## query_cloud_resource_inventory

| Field | CrowdStrike Cloud Security | Microsoft Defender for Cloud | Palo Alto Networks Cortex Cloud Security | Type |
| --- | --- | --- | --- | --- |
| activity_id | ✅ | ✅ | ✅ | number |
| activity_name | ✅ | ✅ | ✅ | string |
| category_name | ✅ | ✅ | ✅ | string |
| category_uid | ✅ | ✅ | ✅ | number |
| class_name | ✅ | ✅ | ✅ | string |
| class_uid | ✅ | ✅ | ✅ | number |
| cloud.account.name | ✅ | ✅ | ✅ | string |
| cloud.account.type | ✅ | ✅ | ✅ | string |
| cloud.account.type_id | ❌ | ✅ | ✅ | number |
| cloud.account.uid | ✅ | ✅ | ✅ | string |
| cloud.provider | ✅ | ✅ | ✅ | string |
| cloud.region | ✅ | ✅ | ✅ | string |
| device.first_seen_time | ✅ | ✅ | ✅ | timestamp |
| device.first_seen_time_dt | ✅ | ✅ | ❌ | string |
| device.groups[].name | ❌ | ❌ | ✅ | string |
| device.groups[].type | ❌ | ❌ | ✅ | string |
| device.groups[].uid | ❌ | ❌ | ✅ | string |
| device.last_seen_time | ✅ | ✅ | ✅ | timestamp |
| device.last_seen_time_dt | ✅ | ✅ | ❌ | string |
| device.modified_time | ✅ | ✅ | ❌ | timestamp |
| device.modified_time_dt | ✅ | ✅ | ❌ | string |
| device.name | ✅ | ✅ | ✅ | string |
| device.region | ✅ | ✅ | ✅ | string |
| device.type | ✅ | ✅ | ✅ | string |
| device.type_id | ✅ | ✅ | ✅ | number |
| device.uid | ✅ | ✅ | ✅ | string |
| enrichments[].data.benchmark_versions | ✅ | ❌ | ❌ | unknown |
| enrichments[].data.controls | ✅ | ❌ | ❌ | unknown |
| enrichments[].data.controls[].benchmarks[].id | ✅ | ❌ | ❌ | string |
| enrichments[].data.controls[].benchmarks[].name | ✅ | ❌ | ❌ | string |
| enrichments[].data.controls[].benchmarks[].version | ✅ | ❌ | ❌ | string |
| enrichments[].data.controls[].framework | ✅ | ❌ | ❌ | string |
| enrichments[].data.controls[].name | ✅ | ❌ | ❌ | string |
| enrichments[].data.controls[].type | ✅ | ❌ | ❌ | string |
| enrichments[].data.controls[].version | ✅ | ❌ | ❌ | string |
| enrichments[].data.ioa_counts | ✅ | ❌ | ❌ | number |
| enrichments[].data.iom_counts | ✅ | ❌ | ❌ | number |
| enrichments[].data.legacy_policy_ids[] | ✅ | ❌ | ❌ | number |
| enrichments[].data.rules | ✅ | ❌ | ❌ | unknown |
| enrichments[].data.rules[] | ✅ | ❌ | ❌ | string |
| enrichments[].desc | ✅ | ❌ | ❌ | string |
| enrichments[].name | ✅ | ❌ | ❌ | string |
| enrichments[].provider | ✅ | ❌ | ❌ | string |
| enrichments[].type | ✅ | ❌ | ❌ | string |
| enrichments[].value | ✅ | ❌ | ❌ | string |
| message | ✅ | ✅ | ✅ | string |
| metadata.product.feature.name | ✅ | ✅ | ✅ | string |
| metadata.product.vendor_name | ✅ | ✅ | ✅ | string |
| metadata.tenant_uid | ✅ | ✅ | ✅ | string |
| metadata.uid | ✅ | ❌ | ❌ | string |
| metadata.version | ✅ | ✅ | ✅ | string |
| region | ❌ | ❌ | ✅ | string |
| resources[].group.name | ✅ | ❌ | ✅ | string |
| resources[].group.uid | ✅ | ❌ | ✅ | string |
| resources[].labels[] | ✅ | ❌ | ✅ | string |
| resources[].name | ✅ | ❌ | ✅ | string |
| resources[].region | ❌ | ❌ | ✅ | string |
| resources[].tags[].name | ❌ | ❌ | ✅ | string |
| resources[].tags[].value | ❌ | ❌ | ✅ | string |
| resources[].type | ✅ | ❌ | ✅ | string |
| resources[].uid | ✅ | ❌ | ✅ | string |
| severity | ✅ | ✅ | ✅ | string |
| severity_id | ✅ | ✅ | ✅ | number |
| time | ✅ | ✅ | ✅ | number |
| time_dt | ✅ | ✅ | ❌ | string |
| type_name | ✅ | ✅ | ✅ | string |
| type_uid | ✅ | ✅ | ✅ | number |

## query_compliance_findings

| Field | AWS Cloud Security | CrowdStrike Cloud Security | Microsoft Defender for Cloud | Palo Alto Networks Cortex Cloud Security | Type |
| --- | --- | --- | --- | --- | --- |
| activity_id | ✅ | ✅ | ✅ | ✅ | number |
| activity_name | ✅ | ❌ | ✅ | ✅ | string |
| category_name | ✅ | ✅ | ✅ | ❌ | string |
| category_uid | ✅ | ✅ | ✅ | ✅ | number |
| class_name | ✅ | ✅ | ✅ | ✅ | string |
| class_uid | ✅ | ✅ | ✅ | ✅ | number |
| cloud.account.uid | ✅ | ❌ | ❌ | ❌ | string |
| cloud.provider | ✅ | ❌ | ✅ | ❌ | string |
| cloud.region | ✅ | ❌ | ❌ | ❌ | string |
| compliance.control | ❌ | ❌ | ✅ | ✅ | string |
| compliance.requirements[] | ❌ | ❌ | ✅ | ❌ | string |
| compliance.standards | ✅ | ❌ | ❌ | ❌ | unknown |
| compliance.standards[] | ❌ | ❌ | ✅ | ✅ | string |
| compliance.status | ✅ | ❌ | ✅ | ✅ | string |
| compliance.status_id | ✅ | ❌ | ✅ | ✅ | number |
| count | ❌ | ✅ | ❌ | ✅ | number |
| device.desc | ❌ | ✅ | ❌ | ❌ | string |
| device.first_seen_time | ❌ | ✅ | ❌ | ❌ | timestamp |
| device.hostname | ❌ | ✅ | ❌ | ❌ | string |
| device.hw_info.bios_manufacturer | ❌ | ✅ | ❌ | ❌ | string |
| device.hw_info.bios_ver | ❌ | ✅ | ❌ | ❌ | string |
| device.hw_info.chassis | ❌ | ✅ | ❌ | ❌ | string |
| device.hw_info.serial_number | ❌ | ✅ | ❌ | ❌ | string |
| device.instance_uid | ❌ | ✅ | ❌ | ❌ | string |
| device.ip | ❌ | ✅ | ❌ | ❌ | string |
| device.last_seen_time | ❌ | ✅ | ❌ | ❌ | timestamp |
| device.mac | ❌ | ✅ | ❌ | ❌ | string |
| device.modified_time | ❌ | ✅ | ❌ | ❌ | timestamp |
| device.name | ❌ | ✅ | ❌ | ❌ | string |
| device.network_status | ❌ | ✅ | ❌ | ❌ | string |
| device.network_status_id | ❌ | ✅ | ❌ | ❌ | number |
| device.org.name | ❌ | ✅ | ❌ | ❌ | string |
| device.org.uid | ❌ | ✅ | ❌ | ❌ | string |
| device.os.build | ❌ | ✅ | ❌ | ❌ | string |
| device.os.name | ❌ | ✅ | ❌ | ❌ | string |
| device.os.type | ❌ | ✅ | ❌ | ❌ | string |
| device.os.type_id | ❌ | ✅ | ❌ | ❌ | number |
| device.os.version | ❌ | ✅ | ❌ | ❌ | string |
| device.type | ❌ | ✅ | ❌ | ❌ | string |
| device.type_id | ❌ | ✅ | ❌ | ✅ | number |
| device.uid | ❌ | ✅ | ❌ | ✅ | string |
| device.zone | ❌ | ✅ | ❌ | ❌ | string |
| finding_info.created_time | ✅ | ❌ | ❌ | ✅ | timestamp |
| finding_info.created_time_dt | ✅ | ❌ | ❌ | ❌ | string |
| finding_info.desc | ✅ | ❌ | ❌ | ✅ | string |
| finding_info.first_seen_time | ❌ | ❌ | ❌ | ✅ | timestamp |
| finding_info.modified_time | ✅ | ❌ | ❌ | ✅ | timestamp |
| finding_info.modified_time_dt | ✅ | ❌ | ❌ | ❌ | string |
| finding_info.title | ✅ | ❌ | ✅ | ✅ | string |
| finding_info.types[] | ✅ | ❌ | ❌ | ✅ | string |
| finding_info.uid | ✅ | ❌ | ✅ | ✅ | string |
| message | ❌ | ✅ | ❌ | ✅ | string |
| metadata.event_code | ❌ | ❌ | ❌ | ✅ | string |
| metadata.labels[] | ❌ | ✅ | ❌ | ❌ | string |
| metadata.loggers[].name | ❌ | ✅ | ❌ | ❌ | string |
| metadata.loggers[].version | ❌ | ✅ | ❌ | ❌ | string |
| metadata.product.feature.uid | ✅ | ❌ | ❌ | ❌ | string |
| metadata.product.name | ✅ | ❌ | ✅ | ✅ | string |
| metadata.product.uid | ✅ | ❌ | ❌ | ❌ | string |
| metadata.product.vendor_name | ✅ | ✅ | ✅ | ✅ | string |
| metadata.product.version | ❌ | ✅ | ❌ | ❌ | string |
| metadata.profiles[] | ✅ | ❌ | ❌ | ❌ | string |
| metadata.uid | ✅ | ❌ | ❌ | ✅ | string |
| metadata.version | ✅ | ✅ | ✅ | ✅ | string |
| remediation.desc | ✅ | ❌ | ❌ | ✅ | string |
| remediation.references[] | ✅ | ❌ | ❌ | ❌ | string |
| resource.name | ❌ | ❌ | ✅ | ❌ | string |
| resource.type | ❌ | ❌ | ✅ | ✅ | string |
| resource.uid | ❌ | ❌ | ✅ | ✅ | string |
| resources[].cloud_partition | ✅ | ❌ | ❌ | ❌ | string |
| resources[].name | ✅ | ❌ | ❌ | ❌ | string |
| resources[].owner.account.uid | ✅ | ❌ | ❌ | ❌ | string |
| resources[].region | ✅ | ❌ | ❌ | ❌ | string |
| resources[].type | ✅ | ❌ | ❌ | ❌ | string |
| resources[].uid | ✅ | ❌ | ❌ | ❌ | string |
| severity | ✅ | ✅ | ✅ | ✅ | string |
| severity_id | ✅ | ✅ | ✅ | ✅ | number |
| start_time | ❌ | ❌ | ❌ | ✅ | timestamp |
| status | ✅ | ✅ | ❌ | ✅ | string |
| status_id | ✅ | ✅ | ❌ | ✅ | number |
| time | ✅ | ✅ | ✅ | ✅ | number |
| time_dt | ✅ | ❌ | ❌ | ❌ | string |
| type_name | ✅ | ✅ | ✅ | ✅ | string |
| type_uid | ✅ | ✅ | ✅ | ✅ | number |

## query_ioms

| Field | CrowdStrike Cloud Security | Type |
| --- | --- | --- |
| activity_id | ✅ | number |
| activity_name | ✅ | string |
| actor.authorizations[].policy.desc | ✅ | string |
| actor.authorizations[].policy.name | ✅ | string |
| actor.authorizations[].policy.uid | ✅ | string |
| actor.user.has_mfa | ✅ | boolean |
| actor.user.name | ✅ | string |
| api.operation | ✅ | string |
| api.service.name | ✅ | string |
| category_name | ✅ | string |
| category_uid | ✅ | number |
| class_name | ✅ | string |
| class_uid | ✅ | number |
| cloud.account.name | ✅ | string |
| cloud.account.uid | ✅ | string |
| cloud.provider | ✅ | string |
| cloud.region | ✅ | string |
| finding_info.created_time | ✅ | timestamp |
| finding_info.created_time_dt | ✅ | string |
| finding_info.desc | ✅ | string |
| finding_info.title | ✅ | string |
| finding_info.uid | ✅ | string |
| metadata.product.feature.name | ✅ | string |
| metadata.product.url_string | ✅ | string |
| metadata.product.vendor_name | ✅ | string |
| metadata.uid | ✅ | string |
| metadata.version | ✅ | string |
| resources[].data.Creation Date | ✅ | string |
| resources[].data.Password Enabled | ✅ | string |
| resources[].data.Password Last Changed | ✅ | string |
| resources[].data.Password Last Used | ✅ | string |
| resources[].data.User | ✅ | string |
| resources[].data.User Arn | ✅ | string |
| resources[].name | ✅ | string |
| resources[].owner.name | ✅ | string |
| resources[].owner.uid | ✅ | string |
| resources[].type | ✅ | string |
| resources[].uid | ✅ | string |
| severity | ✅ | string |
| severity_id | ✅ | number |
| time | ✅ | number |
| time_dt | ✅ | string |
| type_name | ✅ | string |
| type_uid | ✅ | number |

## query_threats

| Field | AWS Cloud Security | Microsoft Defender for Cloud | Type |
| --- | --- | --- | --- |
| activity_id | ✅ | ✅ | number |
| activity_name | ✅ | ✅ | string |
| category_name | ✅ | ✅ | string |
| category_uid | ✅ | ✅ | number |
| class_name | ✅ | ✅ | string |
| class_uid | ✅ | ✅ | number |
| cloud.account.type | ✅ | ❌ | string |
| cloud.account.type_id | ✅ | ❌ | number |
| cloud.account.uid | ✅ | ✅ | string |
| cloud.cloud_partition | ✅ | ❌ | string |
| cloud.project_uid | ❌ | ✅ | string |
| cloud.provider | ✅ | ✅ | string |
| cloud.region | ✅ | ❌ | string |
| count | ✅ | ❌ | number |
| device.hostname | ❌ | ✅ | string |
| device.type_id | ❌ | ✅ | number |
| evidences[].data.entityType | ❌ | ✅ | string |
| evidences[].data.resourceId | ❌ | ✅ | string |
| evidences[].data.resourceName | ❌ | ✅ | string |
| evidences[].data.resourceType | ❌ | ✅ | string |
| evidences[].device.domain | ❌ | ✅ | string |
| evidences[].device.hostname | ❌ | ✅ | string |
| evidences[].device.type_id | ❌ | ✅ | number |
| evidences[].file.hashes[].algorithm | ❌ | ✅ | string |
| evidences[].file.hashes[].algorithm_id | ❌ | ✅ | number |
| evidences[].file.hashes[].value | ❌ | ✅ | string |
| evidences[].file.name | ❌ | ✅ | string |
| evidences[].file.path | ❌ | ✅ | string |
| evidences[].file.type_id | ❌ | ✅ | number |
| evidences[].user.account.name | ❌ | ✅ | string |
| evidences[].user.account.type | ❌ | ✅ | string |
| evidences[].user.domain | ❌ | ✅ | string |
| evidences[].user.name | ❌ | ✅ | string |
| finding_info.analytic.type | ✅ | ❌ | string |
| finding_info.analytic.type_id | ✅ | ❌ | number |
| finding_info.analytic.uid | ✅ | ❌ | string |
| finding_info.created_time | ✅ | ✅ | timestamp |
| finding_info.created_time_dt | ✅ | ✅ | string |
| finding_info.desc | ✅ | ✅ | string |
| finding_info.first_seen_time | ✅ | ❌ | timestamp |
| finding_info.first_seen_time_dt | ✅ | ❌ | string |
| finding_info.last_seen_time | ✅ | ❌ | timestamp |
| finding_info.last_seen_time_dt | ✅ | ❌ | string |
| finding_info.modified_time | ✅ | ✅ | timestamp |
| finding_info.modified_time_dt | ✅ | ✅ | string |
| finding_info.product.uid | ✅ | ❌ | string |
| finding_info.title | ✅ | ✅ | string |
| finding_info.types[] | ✅ | ✅ | string |
| finding_info.uid | ✅ | ✅ | string |
| finding_info.uid_alt | ✅ | ❌ | string |
| malware[].classification_ids[] | ✅ | ❌ | number |
| malware[].files[].hashes[].algorithm | ✅ | ❌ | string |
| malware[].files[].hashes[].algorithm_id | ✅ | ❌ | number |
| malware[].files[].hashes[].value | ✅ | ❌ | string |
| malware[].files[].name | ✅ | ❌ | string |
| malware[].files[].path | ✅ | ❌ | string |
| malware[].files[].type | ✅ | ❌ | string |
| malware[].files[].type_id | ✅ | ❌ | number |
| malware[].files[].volume | ✅ | ❌ | string |
| malware[].name | ✅ | ❌ | string |
| malware[].num_infected | ✅ | ❌ | number |
| malware[].severity | ✅ | ❌ | string |
| malware[].severity_id | ✅ | ❌ | number |
| malware_scan_info.end_time | ✅ | ❌ | timestamp |
| malware_scan_info.end_time_dt | ✅ | ❌ | string |
| malware_scan_info.num_files | ✅ | ❌ | number |
| malware_scan_info.num_infected | ✅ | ❌ | number |
| malware_scan_info.num_volumes | ✅ | ❌ | number |
| malware_scan_info.size | ✅ | ❌ | number |
| malware_scan_info.start_time | ✅ | ❌ | timestamp |
| malware_scan_info.start_time_dt | ✅ | ❌ | string |
| malware_scan_info.type | ✅ | ❌ | string |
| malware_scan_info.type_id | ✅ | ❌ | number |
| malware_scan_info.uid | ✅ | ❌ | string |
| malware_scan_info.unique_malware_count | ✅ | ❌ | number |
| message | ❌ | ✅ | string |
| metadata.product.feature.name | ✅ | ❌ | string |
| metadata.product.name | ✅ | ✅ | string |
| metadata.product.uid | ✅ | ❌ | string |
| metadata.product.vendor_name | ✅ | ✅ | string |
| metadata.profiles[] | ✅ | ❌ | string |
| metadata.uid | ✅ | ✅ | string |
| metadata.version | ✅ | ✅ | string |
| raw_data | ❌ | ✅ | string |
| remediation.desc | ✅ | ✅ | string |
| remediation.references[] | ✅ | ❌ | string |
| resources[].cloud_partition | ✅ | ❌ | string |
| resources[].data.availability_zone | ✅ | ❌ | string |
| resources[].data.device_name | ✅ | ❌ | string |
| resources[].data.encryption_type | ✅ | ❌ | string |
| resources[].data.iam_instance_profile.arn | ✅ | ❌ | string |
| resources[].data.iam_instance_profile.id | ✅ | ❌ | string |
| resources[].data.image_description | ✅ | ❌ | string |
| resources[].data.image_id | ✅ | ❌ | string |
| resources[].data.instance_id | ✅ | ❌ | string |
| resources[].data.instance_state | ✅ | ❌ | string |
| resources[].data.instance_type | ✅ | ❌ | string |
| resources[].data.kms_key_arn | ✅ | ❌ | string |
| resources[].data.launch_time | ✅ | ❌ | timestamp |
| resources[].data.network_interfaces[].network_interface_id | ✅ | ❌ | string |
| resources[].data.network_interfaces[].private_dns_name | ✅ | ❌ | string |
| resources[].data.network_interfaces[].private_ip_address | ✅ | ❌ | string |
| resources[].data.network_interfaces[].private_ip_addresses[].private_dns_name | ✅ | ❌ | string |
| resources[].data.network_interfaces[].private_ip_addresses[].private_ip_address | ✅ | ❌ | string |
| resources[].data.network_interfaces[].security_groups[].group_id | ✅ | ❌ | string |
| resources[].data.network_interfaces[].security_groups[].group_name | ✅ | ❌ | string |
| resources[].data.network_interfaces[].subnet_id | ✅ | ❌ | string |
| resources[].data.network_interfaces[].vpc_id | ✅ | ❌ | string |
| resources[].data.snapshot_arn | ✅ | ❌ | string |
| resources[].data.tags[].key | ✅ | ❌ | string |
| resources[].data.tags[].value | ✅ | ❌ | string |
| resources[].data.volume_arn | ✅ | ❌ | string |
| resources[].data.volume_size_in_gb | ✅ | ❌ | number |
| resources[].data.volume_type | ✅ | ❌ | string |
| resources[].name | ✅ | ✅ | string |
| resources[].owner.account.type | ✅ | ❌ | string |
| resources[].owner.account.type_id | ✅ | ❌ | number |
| resources[].owner.account.uid | ✅ | ❌ | string |
| resources[].region | ✅ | ❌ | string |
| resources[].tags[].name | ✅ | ❌ | string |
| resources[].tags[].value | ✅ | ❌ | string |
| resources[].type | ✅ | ✅ | string |
| resources[].uid | ✅ | ✅ | string |
| severity | ✅ | ✅ | string |
| severity_id | ✅ | ✅ | number |
| status | ✅ | ✅ | string |
| status_id | ✅ | ✅ | number |
| time | ✅ | ✅ | number |
| time_dt | ✅ | ✅ | string |
| type_name | ✅ | ❌ | string |
| type_uid | ✅ | ✅ | number |
| vendor_attributes.severity | ✅ | ❌ | string |
| vendor_attributes.severity_id | ✅ | ❌ | number |