EDR Supported Fields
This document shows the fields supported by each provider and operation.
- get_endpoint
- query_alerts
- query_applications
- query_endpoints
- query_iocs
- query_posture_score
- query_threatevents
get_endpoint
| Field | CrowdStrike EDR | Defender EDR | SentinelOne EDR | Sophos EDR | Type |
|---|---|---|---|---|---|
| result.activity_id | ✅ | ✅ | ✅ | ✅ | number |
| result.activity_name | ✅ | ✅ | ✅ | ✅ | string |
| result.category_name | ✅ | ✅ | ✅ | ✅ | string |
| result.category_uid | ✅ | ✅ | ✅ | ✅ | number |
| result.class_uid | ✅ | ✅ | ✅ | ✅ | number |
| result.cloud.provider | ❌ | ✅ | ❌ | ❌ | string |
| result.device.desc | ✅ | ❌ | ❌ | ❌ | string |
| result.device.domain | ❌ | ❌ | ✅ | ❌ | string |
| result.device.first_seen_time | ✅ | ❌ | ✅ | ❌ | timestamp |
| result.device.hostname | ✅ | ✅ | ✅ | ❌ | string |
| result.device.hw_info.bios_manufacturer | ✅ | ❌ | ❌ | ❌ | string |
| result.device.hw_info.bios_ver | ✅ | ❌ | ❌ | ❌ | string |
| result.device.hw_info.chassis | ✅ | ❌ | ❌ | ❌ | string |
| result.device.hw_info.cpu_cores | ❌ | ❌ | ✅ | ❌ | number |
| result.device.hw_info.cpu_count | ❌ | ❌ | ✅ | ❌ | number |
| result.device.hw_info.cpu_type | ❌ | ❌ | ✅ | ❌ | string |
| result.device.hw_info.serial_number | ✅ | ❌ | ❌ | ❌ | string |
| result.device.instance_uid | ✅ | ❌ | ✅ | ❌ | string |
| result.device.ip | ✅ | ✅ | ✅ | ❌ | string |
| result.device.ip_addresses[] | ❌ | ❌ | ❌ | ✅ | string |
| result.device.last_seen_time | ✅ | ✅ | ✅ | ❌ | timestamp |
| result.device.last_seen_time_dt | ❌ | ✅ | ❌ | ❌ | string |
| result.device.mac | ✅ | ❌ | ✅ | ❌ | string |
| result.device.mac_addresses[] | ❌ | ❌ | ❌ | ✅ | string |
| result.device.modified_time | ✅ | ❌ | ✅ | ❌ | timestamp |
| result.device.name | ✅ | ❌ | ✅ | ✅ | string |
| result.device.network_interfaces[].hostname | ❌ | ❌ | ✅ | ❌ | string |
| result.device.network_interfaces[].ip | ❌ | ❌ | ✅ | ❌ | string |
| result.device.network_interfaces[].mac | ❌ | ❌ | ✅ | ❌ | string |
| result.device.network_interfaces[].type_id | ❌ | ❌ | ✅ | ❌ | number |
| result.device.network_interfaces[].uid | ❌ | ❌ | ✅ | ❌ | string |
| result.device.network_status | ✅ | ✅ | ✅ | ✅ | string |
| result.device.network_status_id | ✅ | ✅ | ✅ | ✅ | number |
| result.device.org.name | ✅ | ❌ | ✅ | ❌ | string |
| result.device.org.ou_name | ❌ | ❌ | ✅ | ❌ | string |
| result.device.org.ou_uid | ❌ | ❌ | ✅ | ❌ | string |
| result.device.org.uid | ✅ | ❌ | ✅ | ❌ | string |
| result.device.os.build | ❌ | ✅ | ❌ | ❌ | string |
| result.device.os.name | ✅ | ✅ | ✅ | ✅ | string |
| result.device.os.type | ✅ | ❌ | ✅ | ✅ | string |
| result.device.os.type_id | ✅ | ✅ | ✅ | ✅ | number |
| result.device.os.version | ✅ | ❌ | ✅ | ❌ | string |
| result.device.risk_level | ❌ | ✅ | ❌ | ❌ | string |
| result.device.sw_info[].name | ❌ | ❌ | ❌ | ✅ | string |
| result.device.sw_info[].vendor_name | ❌ | ❌ | ❌ | ✅ | string |
| result.device.sw_info[].version | ❌ | ❌ | ❌ | ✅ | string |
| result.device.type | ✅ | ❌ | ✅ | ✅ | string |
| result.device.type_id | ✅ | ✅ | ✅ | ✅ | number |
| result.device.uid | ✅ | ✅ | ✅ | ✅ | string |
| result.device.zone | ✅ | ❌ | ❌ | ❌ | string |
| result.message | ✅ | ❌ | ❌ | ❌ | string |
| result.metadata.labels[] | ✅ | ❌ | ❌ | ❌ | string |
| result.metadata.loggers[].name | ✅ | ❌ | ❌ | ❌ | string |
| result.metadata.loggers[].version | ✅ | ❌ | ❌ | ❌ | string |
| result.metadata.product.name | ✅ | ✅ | ✅ | ❌ | string |
| result.metadata.product.vendor_name | ✅ | ✅ | ✅ | ✅ | string |
| result.metadata.product.version | ❌ | ✅ | ✅ | ❌ | string |
| result.metadata.tenant_uid | ❌ | ❌ | ❌ | ✅ | string |
| result.metadata.version | ✅ | ✅ | ✅ | ✅ | string |
| result.raw_data | ✅ | ❌ | ❌ | ❌ | string |
| result.severity | ✅ | ❌ | ❌ | ❌ | string |
| result.severity_id | ✅ | ✅ | ✅ | ✅ | number |
| result.status | ✅ | ✅ | ❌ | ❌ | string |
| result.status_code | ❌ | ✅ | ❌ | ❌ | string |
| result.status_detail | ❌ | ✅ | ❌ | ✅ | string |
| result.status_id | ✅ | ❌ | ❌ | ❌ | number |
| result.time | ✅ | ✅ | ✅ | ✅ | number |
| result.time_dt | ❌ | ❌ | ❌ | ✅ | string |
| result.type_name | ✅ | ❌ | ❌ | ❌ | string |
| result.type_uid | ✅ | ✅ | ✅ | ✅ | number |
| result.unmapped.connection_mac_address | ✅ | ❌ | ❌ | ❌ | string |
| result.unmapped.default_gateway_ip | ✅ | ❌ | ❌ | ❌ | string |
| result.unmapped.deployment_type | ✅ | ❌ | ❌ | ❌ | string |
| result.unmapped.kernel_version | ✅ | ❌ | ❌ | ❌ | string |
| result.unmapped.local_ip | ✅ | ❌ | ❌ | ❌ | string |
| result.unmapped.provision_status | ✅ | ❌ | ❌ | ❌ | string |
query_alerts
| Field | CrowdStrike EDR | Defender EDR | Malwarebytes EDR | SentinelOne EDR | Type |
|---|---|---|---|---|---|
| activity_id | ✅ | ✅ | ✅ | ✅ | number |
| activity_name | ✅ | ✅ | ✅ | ✅ | string |
| actor.user.domain | ❌ | ✅ | ❌ | ❌ | string |
| actor.user.name | ❌ | ✅ | ❌ | ❌ | string |
| attacks[].tactic.name | ✅ | ❌ | ❌ | ❌ | string |
| attacks[].tactic.uid | ✅ | ❌ | ❌ | ❌ | string |
| attacks[].technique.name | ✅ | ❌ | ❌ | ❌ | string |
| attacks[].technique.uid | ✅ | ❌ | ❌ | ❌ | string |
| category_name | ✅ | ✅ | ✅ | ✅ | string |
| category_uid | ✅ | ✅ | ✅ | ✅ | number |
| class_name | ✅ | ✅ | ❌ | ✅ | string |
| class_uid | ✅ | ✅ | ✅ | ✅ | number |
| comment | ✅ | ✅ | ❌ | ❌ | string |
| confidence_score | ✅ | ❌ | ❌ | ❌ | number |
| device.first_seen_time | ✅ | ❌ | ❌ | ❌ | timestamp |
| device.first_seen_time_dt | ✅ | ❌ | ❌ | ❌ | string |
| device.hostname | ✅ | ✅ | ❌ | ✅ | string |
| device.hw_info.bios_manufacturer | ✅ | ❌ | ❌ | ❌ | string |
| device.hw_info.bios_ver | ✅ | ❌ | ❌ | ❌ | string |
| device.ip | ✅ | ❌ | ❌ | ❌ | string |
| device.last_seen_time | ✅ | ❌ | ❌ | ❌ | timestamp |
| device.last_seen_time_dt | ✅ | ❌ | ❌ | ❌ | string |
| device.mac | ✅ | ❌ | ❌ | ❌ | string |
| device.modified_time | ✅ | ❌ | ❌ | ❌ | timestamp |
| device.modified_time_dt | ✅ | ❌ | ❌ | ❌ | string |
| device.name | ❌ | ❌ | ✅ | ❌ | string |
| device.network_interfaces[].hostname | ✅ | ❌ | ❌ | ❌ | string |
| device.network_interfaces[].ip | ✅ | ❌ | ❌ | ❌ | string |
| device.network_interfaces[].mac | ✅ | ❌ | ❌ | ❌ | string |
| device.network_interfaces[].type_id | ✅ | ❌ | ❌ | ❌ | number |
| device.org.uid | ❌ | ❌ | ❌ | ✅ | string |
| device.os.name | ✅ | ❌ | ❌ | ✅ | string |
| device.os.type | ✅ | ❌ | ❌ | ✅ | string |
| device.os.type_id | ✅ | ❌ | ❌ | ✅ | number |
| device.os.version | ✅ | ❌ | ❌ | ✅ | string |
| device.type | ✅ | ❌ | ❌ | ✅ | string |
| device.type_id | ✅ | ✅ | ✅ | ✅ | number |
| device.uid | ✅ | ✅ | ✅ | ✅ | string |
| device.uid_alt | ✅ | ❌ | ❌ | ❌ | string |
| evidences[].actor.user.full_name | ✅ | ❌ | ❌ | ❌ | string |
| evidences[].process.cmd_line | ✅ | ❌ | ❌ | ✅ | string |
| evidences[].process.created_time | ✅ | ❌ | ❌ | ✅ | timestamp |
| evidences[].process.created_time_dt | ✅ | ❌ | ❌ | ✅ | string |
| evidences[].process.file.hashes[].algorithm | ✅ | ❌ | ❌ | ✅ | string |
| evidences[].process.file.hashes[].algorithm_id | ✅ | ❌ | ❌ | ✅ | number |
| evidences[].process.file.hashes[].value | ✅ | ❌ | ❌ | ✅ | string |
| evidences[].process.file.modified_time | ❌ | ❌ | ❌ | ✅ | timestamp |
| evidences[].process.file.modified_time_dt | ❌ | ❌ | ❌ | ✅ | string |
| evidences[].process.file.name | ✅ | ❌ | ❌ | ✅ | string |
| evidences[].process.file.path | ✅ | ❌ | ❌ | ✅ | string |
| evidences[].process.file.type_id | ✅ | ❌ | ❌ | ✅ | number |
| evidences[].process.name | ❌ | ❌ | ❌ | ✅ | string |
| evidences[].process.parent_process.cmd_line | ✅ | ❌ | ❌ | ✅ | string |
| evidences[].process.parent_process.name | ✅ | ❌ | ❌ | ✅ | string |
| evidences[].process.parent_process.path | ✅ | ❌ | ❌ | ✅ | string |
| evidences[].process.parent_process.pid | ✅ | ❌ | ❌ | ✅ | number |
| evidences[].process.parent_process.sha256 | ✅ | ❌ | ❌ | ❌ | string |
| evidences[].process.pid | ✅ | ❌ | ❌ | ✅ | number |
| evidences[].process.terminated_time | ✅ | ❌ | ❌ | ❌ | timestamp |
| evidences[].process.uid | ❌ | ❌ | ❌ | ✅ | string |
| evidences[].process.user.name | ✅ | ❌ | ❌ | ✅ | string |
| finding_info.analytic.category | ❌ | ✅ | ❌ | ❌ | string |
| finding_info.analytic.desc | ❌ | ❌ | ❌ | ✅ | string |
| finding_info.analytic.name | ❌ | ❌ | ❌ | ✅ | string |
| finding_info.analytic.type | ❌ | ❌ | ❌ | ✅ | string |
| finding_info.analytic.type_id | ❌ | ✅ | ❌ | ✅ | number |
| finding_info.analytic.uid | ❌ | ❌ | ❌ | ✅ | string |
| finding_info.analytic.version | ❌ | ❌ | ❌ | ✅ | string |
| finding_info.created_time | ✅ | ✅ | ✅ | ✅ | timestamp |
| finding_info.created_time_dt | ✅ | ✅ | ✅ | ✅ | string |
| finding_info.first_seen_time | ❌ | ✅ | ❌ | ✅ | timestamp |
| finding_info.first_seen_time_dt | ❌ | ✅ | ❌ | ✅ | string |
| finding_info.last_seen_time | ✅ | ✅ | ❌ | ❌ | timestamp |
| finding_info.last_seen_time_dt | ✅ | ✅ | ❌ | ❌ | string |
| finding_info.modified_time | ❌ | ✅ | ❌ | ✅ | timestamp |
| finding_info.modified_time_dt | ❌ | ❌ | ❌ | ✅ | string |
| finding_info.product_uid | ❌ | ✅ | ❌ | ❌ | string |
| finding_info.title | ✅ | ✅ | ✅ | ✅ | string |
| finding_info.types[] | ✅ | ❌ | ❌ | ✅ | string |
| finding_info.uid | ✅ | ✅ | ✅ | ✅ | string |
| metadata.loggers[].logged_time | ✅ | ✅ | ❌ | ❌ | timestamp |
| metadata.loggers[].logged_time_dt | ✅ | ❌ | ❌ | ❌ | string |
| metadata.product.feature.name | ✅ | ❌ | ❌ | ❌ | string |
| metadata.product.feature.uid | ❌ | ✅ | ❌ | ❌ | string |
| metadata.product.name | ✅ | ✅ | ❌ | ✅ | string |
| metadata.product.vendor_name | ✅ | ✅ | ✅ | ✅ | string |
| metadata.product.version | ✅ | ❌ | ❌ | ✅ | string |
| metadata.tenant_uid | ✅ | ✅ | ❌ | ❌ | string |
| metadata.uid | ❌ | ✅ | ✅ | ❌ | string |
| metadata.version | ✅ | ✅ | ✅ | ✅ | string |
| resources[].name | ✅ | ❌ | ❌ | ❌ | string |
| resources[].uid | ✅ | ❌ | ❌ | ❌ | string |
| risk_score | ✅ | ❌ | ❌ | ❌ | number |
| severity | ✅ | ✅ | ✅ | ✅ | string |
| severity_id | ✅ | ✅ | ✅ | ✅ | number |
| start_time | ✅ | ❌ | ❌ | ❌ | timestamp |
| start_time_dt | ✅ | ❌ | ❌ | ❌ | string |
| status | ✅ | ✅ | ❌ | ✅ | string |
| status_detail | ❌ | ❌ | ✅ | ✅ | string |
| status_id | ✅ | ✅ | ❌ | ✅ | number |
| time | ✅ | ✅ | ✅ | ✅ | number |
| time_dt | ✅ | ❌ | ✅ | ✅ | string |
| type_name | ❌ | ❌ | ✅ | ❌ | string |
| type_uid | ✅ | ✅ | ✅ | ✅ | number |
| vulnerabilities[].desc | ✅ | ❌ | ❌ | ❌ | string |
| vulnerabilities[].title | ✅ | ❌ | ❌ | ❌ | string |
query_applications
| Field | CrowdStrike EDR | Defender EDR | Malwarebytes EDR | Sophos EDR | Type |
|---|---|---|---|---|---|
| activity_id | ✅ | ✅ | ✅ | ✅ | number |
| activity_name | ✅ | ✅ | ✅ | ✅ | string |
| category_name | ✅ | ✅ | ✅ | ✅ | string |
| category_uid | ✅ | ✅ | ✅ | ✅ | number |
| class_uid | ✅ | ✅ | ✅ | ✅ | number |
| device.groups[].name | ❌ | ✅ | ❌ | ✅ | string |
| device.groups[].uid | ❌ | ✅ | ❌ | ✅ | string |
| device.hostname | ✅ | ✅ | ❌ | ❌ | string |
| device.ip | ✅ | ❌ | ❌ | ❌ | string |
| device.mac | ✅ | ❌ | ❌ | ❌ | string |
| device.name | ✅ | ❌ | ✅ | ❌ | string |
| device.os.name | ✅ | ✅ | ❌ | ❌ | string |
| device.os.type | ✅ | ✅ | ❌ | ❌ | string |
| device.os.type_id | ✅ | ✅ | ❌ | ❌ | number |
| device.os.version | ✅ | ❌ | ❌ | ❌ | string |
| device.type | ✅ | ❌ | ✅ | ❌ | string |
| device.type_id | ✅ | ✅ | ✅ | ✅ | number |
| device.uid | ✅ | ✅ | ✅ | ❌ | string |
| metadata.modified_time | ✅ | ❌ | ❌ | ❌ | timestamp |
| metadata.modified_time_dt | ✅ | ❌ | ❌ | ❌ | string |
| metadata.product.name | ❌ | ✅ | ❌ | ❌ | string |
| metadata.product.vendor_name | ✅ | ✅ | ✅ | ✅ | string |
| metadata.product.version | ✅ | ❌ | ❌ | ❌ | string |
| metadata.version | ✅ | ✅ | ✅ | ✅ | string |
| observables[].name | ❌ | ❌ | ❌ | ✅ | string |
| observables[].type | ❌ | ❌ | ❌ | ✅ | string |
| observables[].type_id | ❌ | ❌ | ❌ | ✅ | number |
| observables[].value | ❌ | ❌ | ❌ | ✅ | string |
| product.name | ✅ | ✅ | ✅ | ✅ | string |
| product.path | ✅ | ❌ | ❌ | ✅ | string |
| product.uid | ✅ | ❌ | ❌ | ❌ | string |
| product.vendor_name | ✅ | ✅ | ✅ | ✅ | string |
| product.version | ✅ | ✅ | ✅ | ❌ | string |
| severity | ✅ | ❌ | ❌ | ❌ | string |
| severity_id | ✅ | ✅ | ✅ | ✅ | number |
| start_time | ✅ | ✅ | ✅ | ❌ | timestamp |
| start_time_dt | ✅ | ❌ | ✅ | ❌ | string |
| status | ✅ | ❌ | ❌ | ❌ | string |
| status_id | ✅ | ❌ | ❌ | ❌ | number |
| time | ✅ | ✅ | ✅ | ✅ | number |
| time_dt | ✅ | ❌ | ✅ | ❌ | string |
| type_name | ✅ | ❌ | ✅ | ❌ | string |
| type_uid | ✅ | ✅ | ✅ | ✅ | number |
query_endpoints
| Field | CrowdStrike EDR | Defender EDR | Malwarebytes EDR | SentinelOne EDR | Sophos EDR | Type |
|---|---|---|---|---|---|---|
| activity_id | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| activity_name | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| category_name | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| category_uid | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| class_uid | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| cloud.account.uid | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| cloud.project_uid | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| cloud.provider | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| count | ✅ | ❌ | ❌ | ❌ | ❌ | number |
| device.created_time | ❌ | ❌ | ✅ | ❌ | ❌ | timestamp |
| device.created_time_dt | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| device.desc | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| device.domain | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| device.first_seen_time | ✅ | ❌ | ❌ | ✅ | ❌ | timestamp |
| device.hostname | ✅ | ✅ | ✅ | ✅ | ❌ | string |
| device.hw_info.bios_manufacturer | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| device.hw_info.bios_ver | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| device.hw_info.chassis | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| device.hw_info.cpu_cores | ❌ | ❌ | ❌ | ✅ | ❌ | number |
| device.hw_info.cpu_count | ❌ | ❌ | ❌ | ✅ | ❌ | number |
| device.hw_info.cpu_type | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| device.hw_info.serial_number | ✅ | ❌ | ✅ | ❌ | ❌ | string |
| device.instance_uid | ✅ | ❌ | ❌ | ✅ | ❌ | string |
| device.ip | ✅ | ✅ | ✅ | ✅ | ❌ | string |
| device.ip_addresses[] | ❌ | ❌ | ❌ | ❌ | ✅ | string |
| device.last_seen_time | ✅ | ✅ | ✅ | ✅ | ❌ | timestamp |
| device.last_seen_time_dt | ❌ | ✅ | ✅ | ❌ | ❌ | string |
| device.mac | ✅ | ❌ | ❌ | ✅ | ❌ | string |
| device.mac_addresses[] | ❌ | ❌ | ❌ | ❌ | ✅ | string |
| device.modified_time | ✅ | ❌ | ❌ | ✅ | ❌ | timestamp |
| device.name | ✅ | ❌ | ✅ | ✅ | ✅ | string |
| device.network_interfaces[].hostname | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| device.network_interfaces[].ip | ❌ | ✅ | ❌ | ✅ | ❌ | string |
| device.network_interfaces[].mac | ❌ | ✅ | ❌ | ✅ | ❌ | string |
| device.network_interfaces[].type | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| device.network_interfaces[].type_id | ❌ | ✅ | ❌ | ✅ | ❌ | number |
| device.network_interfaces[].uid | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| device.network_status | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| device.network_status_id | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| device.org.name | ✅ | ❌ | ❌ | ✅ | ❌ | string |
| device.org.ou_name | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| device.org.ou_uid | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| device.org.uid | ✅ | ❌ | ❌ | ✅ | ❌ | string |
| device.os.build | ✅ | ✅ | ❌ | ❌ | ❌ | string |
| device.os.cpu_bits | ❌ | ❌ | ✅ | ❌ | ❌ | number |
| device.os.name | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| device.os.type | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| device.os.type_id | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| device.os.version | ✅ | ✅ | ✅ | ✅ | ❌ | string |
| device.risk_level | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| device.sw_info[].name | ❌ | ❌ | ❌ | ❌ | ✅ | string |
| device.sw_info[].vendor_name | ❌ | ❌ | ❌ | ❌ | ✅ | string |
| device.sw_info[].version | ❌ | ❌ | ❌ | ❌ | ✅ | string |
| device.type | ✅ | ❌ | ✅ | ✅ | ✅ | string |
| device.type_id | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| device.uid | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| device.uid_alt | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| device.zone | ✅ | ❌ | ✅ | ❌ | ❌ | string |
| message | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| metadata.labels[] | ✅ | ✅ | ❌ | ❌ | ❌ | string |
| metadata.loggers[].name | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| metadata.loggers[].version | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| metadata.product.name | ❌ | ✅ | ❌ | ✅ | ❌ | string |
| metadata.product.vendor_name | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| metadata.product.version | ✅ | ✅ | ✅ | ✅ | ❌ | string |
| metadata.tenant_uid | ❌ | ❌ | ❌ | ❌ | ✅ | string |
| metadata.version | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| result.activity_id | ❌ | ❌ | ❌ | ✅ | ❌ | number |
| result.activity_name | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| result.category_name | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| result.category_uid | ❌ | ❌ | ❌ | ✅ | ❌ | number |
| result.class_uid | ❌ | ❌ | ❌ | ✅ | ❌ | number |
| result.device.domain | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| result.device.first_seen_time | ❌ | ❌ | ❌ | ✅ | ❌ | timestamp |
| result.device.hostname | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| result.device.hw_info.cpu_cores | ❌ | ❌ | ❌ | ✅ | ❌ | number |
| result.device.hw_info.cpu_count | ❌ | ❌ | ❌ | ✅ | ❌ | number |
| result.device.hw_info.cpu_type | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| result.device.instance_uid | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| result.device.ip | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| result.device.last_seen_time | ❌ | ❌ | ❌ | ✅ | ❌ | timestamp |
| result.device.mac | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| result.device.modified_time | ❌ | ❌ | ❌ | ✅ | ❌ | timestamp |
| result.device.name | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| result.device.network_interfaces[].hostname | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| result.device.network_interfaces[].ip | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| result.device.network_interfaces[].mac | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| result.device.network_interfaces[].type_id | ❌ | ❌ | ❌ | ✅ | ❌ | number |
| result.device.network_interfaces[].uid | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| result.device.network_status | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| result.device.network_status_id | ❌ | ❌ | ❌ | ✅ | ❌ | number |
| result.device.org.name | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| result.device.org.ou_name | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| result.device.org.ou_uid | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| result.device.org.uid | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| result.device.os.name | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| result.device.os.type | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| result.device.os.type_id | ❌ | ❌ | ❌ | ✅ | ❌ | number |
| result.device.os.version | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| result.device.type | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| result.device.type_id | ❌ | ❌ | ❌ | ✅ | ❌ | number |
| result.device.uid | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| result.metadata.product.name | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| result.metadata.product.vendor_name | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| result.metadata.product.version | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| result.metadata.version | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| result.severity_id | ❌ | ❌ | ❌ | ✅ | ❌ | number |
| result.time | ❌ | ❌ | ❌ | ✅ | ❌ | number |
| result.type_uid | ❌ | ❌ | ❌ | ✅ | ❌ | number |
| severity | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| severity_id | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| status | ✅ | ✅ | ❌ | ❌ | ❌ | string |
| status_code | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| status_detail | ❌ | ✅ | ❌ | ❌ | ✅ | string |
| status_id | ✅ | ❌ | ❌ | ❌ | ❌ | number |
| time | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| time_dt | ❌ | ❌ | ✅ | ❌ | ✅ | string |
| type_name | ✅ | ❌ | ✅ | ❌ | ❌ | string |
| type_uid | ✅ | ✅ | ✅ | ✅ | ✅ | number |
query_iocs
| Field | CrowdStrike EDR | Defender EDR | SentinelOne EDR | Type |
|---|---|---|---|---|
| action | ✅ | ❌ | ❌ | string |
| applied_globally | ✅ | ❌ | ❌ | boolean |
| created | ❌ | ✅ | ❌ | string |
| created_by_ref.created | ❌ | ✅ | ❌ | string |
| created_by_ref.id | ❌ | ✅ | ❌ | string |
| created_by_ref.modified | ❌ | ✅ | ❌ | string |
| created_by_ref.name | ❌ | ✅ | ❌ | string |
| created_by_ref.spec_version | ❌ | ✅ | ❌ | string |
| created_by_ref.type | ❌ | ✅ | ❌ | string |
| data.creationTime | ❌ | ❌ | ✅ | string |
| data.description | ❌ | ❌ | ✅ | string |
| data.externalId | ❌ | ❌ | ✅ | string |
| data.groupIds[] | ❌ | ❌ | ✅ | string |
| data.labels[] | ❌ | ❌ | ✅ | string |
| data.method | ❌ | ❌ | ✅ | string |
| data.name | ❌ | ❌ | ✅ | string |
| data.pattern | ❌ | ❌ | ✅ | string |
| data.patternType | ❌ | ❌ | ✅ | string |
| data.severity | ❌ | ❌ | ✅ | number |
| data.source | ❌ | ❌ | ✅ | string |
| data.tenant | ❌ | ❌ | ✅ | boolean |
| data.validUntil | ❌ | ❌ | ✅ | string |
| description | ✅ | ✅ | ❌ | string |
| expiration | ✅ | ❌ | ❌ | string |
| extensions.action | ❌ | ✅ | ❌ | string |
| extensions.alert | ❌ | ✅ | ❌ | boolean |
| extensions.rbacGroupNames[] | ❌ | ✅ | ❌ | string |
| extensions.severity | ❌ | ✅ | ❌ | string |
| filter.groupIds[] | ❌ | ❌ | ✅ | string |
| filter.tenant | ❌ | ❌ | ✅ | boolean |
| id | ❌ | ✅ | ❌ | string |
| modified | ❌ | ✅ | ❌ | string |
| name | ❌ | ✅ | ❌ | string |
| pattern | ❌ | ✅ | ❌ | string |
| pattern_type | ❌ | ✅ | ❌ | string |
| platforms[] | ✅ | ❌ | ❌ | string |
| severity | ✅ | ❌ | ❌ | string |
| source | ✅ | ❌ | ❌ | string |
| spec_version | ❌ | ✅ | ❌ | string |
| tags[] | ✅ | ❌ | ❌ | string |
| type | ✅ | ✅ | ❌ | string |
| valid_from | ❌ | ✅ | ❌ | string |
| valid_until | ❌ | ✅ | ❌ | string |
| value | ✅ | ❌ | ❌ | string |
query_posture_score
| Field | CrowdStrike EDR | Defender EDR | Type |
|---|---|---|---|
| activity_id | ✅ | ✅ | number |
| activity_name | ✅ | ✅ | string |
| category_name | ✅ | ✅ | string |
| category_uid | ✅ | ✅ | number |
| class_uid | ✅ | ✅ | number |
| cloud.project_uid | ❌ | ✅ | string |
| cloud.provider | ❌ | ✅ | string |
| device.hw_info.serial_number | ✅ | ✅ | string |
| device.os.name | ✅ | ✅ | string |
| device.os.type_id | ✅ | ✅ | number |
| device.type_id | ✅ | ✅ | number |
| device.uid | ✅ | ✅ | string |
| device.vendor.uid | ✅ | ✅ | string |
| enrichments[].data | ❌ | ✅ | unknown |
| enrichments[].name | ✅ | ✅ | string |
| enrichments[].reputation.base_score | ✅ | ✅ | number |
| enrichments[].reputation.score | ❌ | ✅ | string |
| enrichments[].reputation.score_id | ✅ | ✅ | number |
| enrichments[].value | ✅ | ✅ | string |
| metadata.product.name | ❌ | ✅ | string |
| metadata.product.vendor_name | ❌ | ✅ | string |
| metadata.product.version | ❌ | ✅ | string |
| metadata.version | ❌ | ✅ | string |
| osint | ❌ | ✅ | unknown |
| osint[].comment | ✅ | ❌ | string |
| osint[].confidence | ✅ | ❌ | string |
| osint[].name | ✅ | ❌ | string |
| osint[].type_id | ✅ | ❌ | number |
| osint[].uid | ✅ | ❌ | string |
| osint[].value | ✅ | ❌ | string |
| osint[].vendor_name | ✅ | ❌ | string |
| severity_id | ✅ | ✅ | number |
| status | ❌ | ✅ | string |
| status_id | ✅ | ✅ | number |
| time | ✅ | ✅ | number |
| time_dt | ✅ | ✅ | string |
| type_uid | ✅ | ✅ | number |
query_threatevents
| Field | CrowdStrike EDR | Defender EDR | Malwarebytes EDR | Type |
|---|---|---|---|---|
| action | ❌ | ❌ | ✅ | string |
| action_id | ❌ | ❌ | ✅ | number |
| activity_id | ✅ | ✅ | ✅ | number |
| activity_name | ✅ | ✅ | ✅ | string |
| actor.invoked_by | ❌ | ❌ | ✅ | string |
| actor.process.cmd_line | ✅ | ❌ | ❌ | string |
| actor.process.file.hashes[].algorithm | ✅ | ❌ | ✅ | string |
| actor.process.file.hashes[].algorithm_id | ✅ | ❌ | ✅ | number |
| actor.process.file.hashes[].value | ✅ | ❌ | ✅ | string |
| actor.process.file.name | ✅ | ❌ | ✅ | string |
| actor.process.file.path | ✅ | ❌ | ❌ | string |
| actor.process.file.type | ✅ | ❌ | ❌ | string |
| actor.process.file.type_id | ❌ | ❌ | ✅ | number |
| actor.process.name | ❌ | ❌ | ✅ | string |
| actor.user.name | ✅ | ❌ | ✅ | string |
| attacks[].tactic.name | ✅ | ❌ | ❌ | string |
| attacks[].tactic.uid | ✅ | ❌ | ❌ | string |
| attacks[].technique.name | ✅ | ❌ | ❌ | string |
| attacks[].technique.uid | ✅ | ❌ | ❌ | string |
| category_name | ✅ | ✅ | ✅ | string |
| category_uid | ✅ | ✅ | ✅ | number |
| class_uid | ✅ | ✅ | ✅ | number |
| confidence_id | ✅ | ❌ | ❌ | number |
| confidence_score | ✅ | ❌ | ❌ | number |
| device.first_seen_time | ✅ | ❌ | ❌ | timestamp |
| device.first_seen_time_dt | ✅ | ❌ | ❌ | string |
| device.hostname | ✅ | ❌ | ✅ | string |
| device.hw_info.bios_manufacturer | ✅ | ❌ | ❌ | string |
| device.hw_info.bios_ver | ✅ | ❌ | ❌ | string |
| device.id | ✅ | ❌ | ❌ | string |
| device.ip | ✅ | ❌ | ✅ | string |
| device.last_seen_time | ✅ | ❌ | ❌ | timestamp |
| device.last_seen_time_dt | ✅ | ❌ | ❌ | string |
| device.mac | ✅ | ❌ | ❌ | string |
| device.modified_time | ✅ | ❌ | ❌ | timestamp |
| device.modified_time_dt | ✅ | ❌ | ❌ | string |
| device.network_interfaces[].hostname | ✅ | ❌ | ❌ | string |
| device.network_interfaces[].ip | ✅ | ❌ | ❌ | string |
| device.network_interfaces[].mac | ✅ | ❌ | ❌ | string |
| device.os.name | ✅ | ❌ | ❌ | string |
| device.os.type | ✅ | ❌ | ❌ | string |
| device.os.version | ✅ | ❌ | ❌ | string |
| device.type | ✅ | ❌ | ❌ | string |
| device.type_id | ❌ | ❌ | ✅ | number |
| device.uid | ✅ | ❌ | ✅ | string |
| enrichments[].data | ✅ | ❌ | ❌ | string |
| enrichments[].name | ✅ | ❌ | ❌ | string |
| enrichments[].type | ✅ | ❌ | ❌ | string |
| enrichments[].value | ✅ | ❌ | ❌ | string |
| finding_info | ❌ | ❌ | ✅ | unknown |
| finding_info.created_time | ✅ | ✅ | ❌ | timestamp |
| finding_info.created_time_dt | ✅ | ✅ | ❌ | string |
| finding_info.data_sources[] | ❌ | ✅ | ❌ | string |
| finding_info.first_seen_time | ✅ | ❌ | ❌ | timestamp |
| finding_info.first_seen_time_dt | ✅ | ❌ | ❌ | string |
| finding_info.last_seen_time | ✅ | ❌ | ❌ | timestamp |
| finding_info.last_seen_time_dt | ✅ | ❌ | ❌ | string |
| finding_info.modified_time | ❌ | ✅ | ❌ | timestamp |
| finding_info.modified_time_dt | ❌ | ✅ | ❌ | string |
| finding_info.product_uid | ✅ | ❌ | ❌ | string |
| finding_info.title | ✅ | ✅ | ❌ | string |
| finding_info.uid | ❌ | ✅ | ❌ | string |
| message | ❌ | ✅ | ❌ | string |
| metadata.correlation_uid | ❌ | ✅ | ❌ | string |
| metadata.product.name | ❌ | ✅ | ❌ | string |
| metadata.product.vendor_name | ✅ | ✅ | ✅ | string |
| metadata.product.version | ✅ | ❌ | ❌ | string |
| metadata.tenant_uid | ✅ | ❌ | ❌ | string |
| metadata.uid | ❌ | ✅ | ❌ | string |
| metadata.version | ✅ | ✅ | ✅ | string |
| severity | ✅ | ✅ | ❌ | string |
| severity_id | ✅ | ✅ | ✅ | number |
| status | ✅ | ✅ | ❌ | string |
| status_id | ❌ | ✅ | ❌ | number |
| time | ❌ | ✅ | ✅ | number |
| time_dt | ❌ | ❌ | ✅ | string |
| type_uid | ❌ | ✅ | ✅ | number |