EDR Supported Fields
Copy for LLM
Copy page as Markdown for LLMs
View as Markdown
Open this page as Markdown
Open in ChatGPT
Get insights from ChatGPT
Open in Claude
Get insights from Claude

This document shows the fields supported by each provider and operation.

get_endpoint
query_alerts
query_applications
query_edr_events
query_endpoints
query_iocs
query_posture_score
query_threatevents

get_endpoint

Field	CrowdStrike Insight EDR	Microsoft Defender	SentinelOne Endpoint	Sophos Endpoint	[MOCK] CrowdStrike Insight EDR	Type
result.activity_id	✅	✅	✅	✅	✅	number
result.activity_name	✅	✅	✅	✅	✅	string
result.category_name	✅	✅	✅	✅	✅	string
result.category_uid	✅	✅	✅	✅	✅	number
result.class_uid	✅	✅	✅	✅	✅	number
result.cloud.provider	❌	✅	❌	❌	❌	string
result.device.desc	✅	❌	❌	❌	✅	string
result.device.domain	❌	❌	✅	❌	❌	string
result.device.first_seen_time	✅	❌	✅	❌	✅	timestamp
result.device.hostname	✅	✅	✅	❌	✅	string
result.device.hw_info.bios_manufacturer	✅	❌	❌	❌	✅	string
result.device.hw_info.bios_ver	✅	❌	❌	❌	✅	string
result.device.hw_info.chassis	✅	❌	❌	❌	✅	string
result.device.hw_info.cpu_cores	❌	❌	✅	❌	❌	number
result.device.hw_info.cpu_count	❌	❌	✅	❌	❌	number
result.device.hw_info.cpu_type	❌	❌	✅	❌	❌	string
result.device.hw_info.serial_number	✅	❌	❌	❌	✅	string
result.device.instance_uid	✅	❌	✅	❌	✅	string
result.device.ip	✅	✅	✅	❌	✅	string
result.device.ip_addresses[]	❌	❌	❌	✅	❌	string
result.device.last_seen_time	✅	✅	✅	❌	✅	timestamp
result.device.last_seen_time_dt	❌	✅	❌	❌	❌	string
result.device.mac	✅	❌	✅	❌	✅	string
result.device.mac_addresses[]	❌	❌	❌	✅	❌	string
result.device.modified_time	✅	❌	✅	❌	✅	timestamp
result.device.name	✅	❌	✅	✅	✅	string
result.device.network_interfaces[].hostname	❌	❌	✅	❌	❌	string
result.device.network_interfaces[].ip	❌	❌	✅	❌	❌	string
result.device.network_interfaces[].mac	❌	❌	✅	❌	❌	string
result.device.network_interfaces[].type_id	❌	❌	✅	❌	❌	number
result.device.network_interfaces[].uid	❌	❌	✅	❌	❌	string
result.device.network_status	✅	✅	✅	✅	✅	string
result.device.network_status_id	✅	✅	✅	✅	✅	number
result.device.org.name	✅	❌	✅	❌	✅	string
result.device.org.ou_name	❌	❌	✅	❌	❌	string
result.device.org.ou_uid	❌	❌	✅	❌	❌	string
result.device.org.uid	✅	❌	✅	❌	✅	string
result.device.os.build	❌	✅	❌	❌	❌	string
result.device.os.name	✅	✅	✅	✅	✅	string
result.device.os.type	✅	❌	✅	✅	✅	string
result.device.os.type_id	✅	✅	✅	✅	✅	number
result.device.os.version	✅	❌	✅	❌	✅	string
result.device.risk_level	❌	✅	❌	❌	❌	string
result.device.risk_level_id	❌	✅	❌	❌	❌	number
result.device.sw_info[].name	❌	❌	❌	✅	❌	string
result.device.sw_info[].vendor_name	❌	❌	❌	✅	❌	string
result.device.sw_info[].version	❌	❌	❌	✅	❌	string
result.device.type	✅	❌	✅	✅	✅	string
result.device.type_id	✅	✅	✅	✅	✅	number
result.device.uid	✅	✅	✅	✅	✅	string
result.device.zone	✅	❌	❌	❌	✅	string
result.message	✅	❌	❌	❌	✅	string
result.metadata.labels[]	✅	❌	❌	❌	✅	string
result.metadata.loggers[].name	✅	❌	❌	❌	✅	string
result.metadata.loggers[].version	✅	❌	❌	❌	✅	string
result.metadata.product.name	✅	✅	✅	❌	✅	string
result.metadata.product.vendor_name	✅	✅	✅	✅	✅	string
result.metadata.product.version	❌	✅	✅	❌	❌	string
result.metadata.tenant_uid	❌	❌	❌	✅	❌	string
result.metadata.version	✅	✅	✅	✅	✅	string
result.raw_data	✅	❌	❌	❌	✅	string
result.severity	✅	❌	❌	❌	✅	string
result.severity_id	✅	✅	✅	✅	✅	number
result.status	✅	✅	❌	❌	✅	string
result.status_code	❌	✅	❌	❌	❌	string
result.status_detail	❌	✅	❌	✅	❌	string
result.status_id	✅	❌	❌	❌	✅	number
result.time	✅	✅	✅	✅	✅	number
result.time_dt	❌	❌	❌	✅	❌	string
result.type_name	✅	❌	❌	❌	✅	string
result.type_uid	✅	✅	✅	✅	✅	number

query_alerts

Field	CrowdStrike Insight EDR	Microsoft Defender	SentinelOne Endpoint	Tanium EDR	ThreatDown EDR	[MOCK] CrowdStrike Insight EDR	Type
activity_id	✅	✅	✅	✅	✅	✅	number
activity_name	✅	✅	✅	✅	✅	✅	string
actor.process.cmd_line	✅	❌	❌	❌	❌	✅	string
actor.process.created_time	✅	❌	❌	❌	❌	✅	timestamp
actor.process.created_time_dt	✅	❌	❌	❌	❌	✅	string
actor.process.file.hashes[].algorithm	✅	❌	❌	❌	❌	✅	string
actor.process.file.hashes[].algorithm_id	✅	❌	❌	❌	❌	✅	number
actor.process.file.hashes[].value	✅	❌	❌	❌	❌	✅	string
actor.process.file.name	✅	❌	❌	❌	❌	✅	string
actor.process.file.path	✅	❌	❌	❌	❌	✅	string
actor.process.file.type_id	✅	❌	❌	❌	❌	✅	number
actor.process.name	✅	❌	❌	❌	❌	✅	string
actor.process.parent_process.cmd_line	✅	❌	❌	❌	❌	✅	string
actor.process.parent_process.created_time	✅	❌	❌	❌	❌	✅	timestamp
actor.process.parent_process.created_time_dt	✅	❌	❌	❌	❌	✅	string
actor.process.parent_process.file.hashes[].algorithm	✅	❌	❌	❌	❌	✅	string
actor.process.parent_process.file.hashes[].algorithm_id	✅	❌	❌	❌	❌	✅	number
actor.process.parent_process.file.hashes[].value	✅	❌	❌	❌	❌	✅	string
actor.process.parent_process.file.name	✅	❌	❌	❌	❌	✅	string
actor.process.parent_process.file.path	✅	❌	❌	❌	❌	✅	string
actor.process.parent_process.file.type	✅	❌	❌	❌	❌	✅	string
actor.process.parent_process.file.type_id	✅	❌	❌	❌	❌	✅	number
actor.process.parent_process.name	✅	❌	❌	❌	❌	✅	string
actor.process.parent_process.parent_process.cmd_line	✅	❌	❌	❌	❌	✅	string
actor.process.parent_process.parent_process.created_time	✅	❌	❌	❌	❌	✅	timestamp
actor.process.parent_process.parent_process.created_time_dt	✅	❌	❌	❌	❌	✅	string
actor.process.parent_process.parent_process.file.hashes[].algorithm	✅	❌	❌	❌	❌	✅	string
actor.process.parent_process.parent_process.file.hashes[].algorithm_id	✅	❌	❌	❌	❌	✅	number
actor.process.parent_process.parent_process.file.hashes[].value	✅	❌	❌	❌	❌	✅	string
actor.process.parent_process.parent_process.file.name	✅	❌	❌	❌	❌	✅	string
actor.process.parent_process.parent_process.file.path	✅	❌	❌	❌	❌	✅	string
actor.process.parent_process.parent_process.file.type	✅	❌	❌	❌	❌	✅	string
actor.process.parent_process.parent_process.file.type_id	✅	❌	❌	❌	❌	✅	number
actor.process.parent_process.parent_process.name	✅	❌	❌	❌	❌	✅	string
actor.process.parent_process.parent_process.path	✅	❌	❌	❌	❌	✅	string
actor.process.parent_process.parent_process.pid	✅	❌	❌	❌	❌	✅	number
actor.process.parent_process.parent_process.uid	✅	❌	❌	❌	❌	✅	string
actor.process.parent_process.parent_process.user.name	✅	❌	❌	❌	❌	✅	string
actor.process.parent_process.path	✅	❌	❌	❌	❌	✅	string
actor.process.parent_process.pid	✅	❌	❌	❌	❌	✅	number
actor.process.parent_process.uid	✅	❌	❌	❌	❌	✅	string
actor.process.parent_process.user.name	✅	❌	❌	❌	❌	✅	string
actor.process.pid	✅	❌	❌	❌	❌	✅	number
actor.process.terminated_time	✅	❌	❌	❌	❌	✅	timestamp
actor.process.terminated_time_dt	✅	❌	❌	❌	❌	✅	string
actor.process.user.name	✅	❌	❌	❌	❌	✅	string
actor.user.domain	❌	✅	❌	❌	❌	❌	string
actor.user.full_name	✅	❌	❌	❌	❌	✅	string
actor.user.name	❌	✅	❌	❌	❌	❌	string
attacks[].tactic.name	✅	❌	❌	❌	❌	✅	string
attacks[].tactic.uid	✅	❌	❌	❌	❌	✅	string
attacks[].technique.name	✅	❌	❌	❌	❌	✅	string
attacks[].technique.uid	✅	❌	❌	❌	❌	✅	string
category_name	✅	✅	✅	✅	✅	✅	string
category_uid	✅	✅	✅	✅	✅	✅	number
class_name	✅	✅	✅	✅	✅	✅	string
class_uid	✅	✅	✅	✅	✅	✅	number
comment	✅	✅	❌	✅	❌	✅	string
confidence_score	✅	❌	❌	❌	❌	✅	number
device.first_seen_time	✅	❌	❌	✅	❌	✅	timestamp
device.first_seen_time_dt	✅	❌	❌	✅	❌	✅	string
device.hostname	✅	✅	✅	✅	❌	✅	string
device.hw_info.bios_manufacturer	✅	❌	❌	❌	❌	✅	string
device.hw_info.bios_ver	✅	❌	❌	❌	❌	✅	string
device.hw_info.system_manufacturer	✅	❌	❌	❌	❌	✅	string
device.hw_info.system_product_name	✅	❌	❌	❌	❌	✅	string
device.id	❌	❌	❌	✅	❌	❌	number
device.ip	✅	❌	❌	✅	❌	✅	string
device.last_seen_time	✅	❌	❌	✅	❌	✅	timestamp
device.last_seen_time_dt	✅	❌	❌	✅	❌	✅	string
device.mac	✅	❌	❌	❌	❌	✅	string
device.modified_time	✅	❌	❌	❌	❌	✅	timestamp
device.modified_time_dt	✅	❌	❌	❌	❌	✅	string
device.name	❌	❌	❌	❌	✅	❌	string
device.network_interfaces[].hostname	✅	❌	❌	✅	❌	✅	string
device.network_interfaces[].ip	✅	❌	❌	✅	❌	✅	string
device.network_interfaces[].mac	✅	❌	❌	❌	❌	✅	string
device.network_interfaces[].type_id	✅	❌	❌	❌	❌	✅	number
device.org.uid	❌	❌	✅	❌	❌	❌	string
device.os.name	✅	❌	✅	✅	❌	✅	string
device.os.type	✅	❌	✅	✅	❌	✅	string
device.os.type_id	✅	❌	✅	❌	❌	✅	number
device.os.version	✅	❌	✅	✅	❌	✅	string
device.type	✅	❌	✅	✅	❌	✅	string
device.type_id	✅	✅	✅	❌	✅	✅	number
device.uid	✅	✅	✅	❌	✅	✅	string
device.uid_alt	✅	❌	❌	❌	❌	✅	string
evidences[].data.creation_time	❌	✅	❌	❌	❌	❌	timestamp
evidences[].data.creation_time_dt	❌	✅	❌	❌	❌	❌	string
evidences[].data.entityType	❌	✅	❌	❌	❌	❌	string
evidences[].device.type_id	❌	✅	❌	❌	❌	❌	number
evidences[].file.hashes[].algorithm	✅	✅	❌	❌	❌	✅	string
evidences[].file.hashes[].algorithm_id	✅	✅	❌	❌	❌	✅	number
evidences[].file.hashes[].value	✅	✅	❌	❌	❌	✅	string
evidences[].file.name	✅	✅	❌	❌	❌	✅	string
evidences[].file.path	✅	❌	❌	❌	❌	✅	string
evidences[].file.type_id	✅	✅	❌	❌	❌	✅	number
evidences[].process.cmd_line	✅	✅	✅	❌	❌	✅	string
evidences[].process.created_time	✅	✅	✅	✅	❌	✅	timestamp
evidences[].process.created_time_dt	✅	✅	✅	✅	❌	✅	string
evidences[].process.file.hashes[].algorithm	✅	❌	✅	✅	❌	✅	string
evidences[].process.file.hashes[].algorithm_id	✅	❌	✅	✅	❌	✅	number
evidences[].process.file.hashes[].value	✅	❌	✅	✅	❌	✅	mixed
evidences[].process.file.modified_time	❌	❌	✅	❌	❌	❌	timestamp
evidences[].process.file.modified_time_dt	❌	❌	✅	❌	❌	❌	string
evidences[].process.file.name	✅	❌	✅	❌	❌	✅	string
evidences[].process.file.path	✅	❌	✅	✅	❌	✅	mixed
evidences[].process.file.type_id	✅	❌	✅	❌	❌	✅	number
evidences[].process.name	✅	❌	✅	❌	❌	✅	string
evidences[].process.parent_process.cmd_line	✅	❌	✅	❌	❌	✅	string
evidences[].process.parent_process.created_time	✅	❌	❌	❌	❌	✅	timestamp
evidences[].process.parent_process.created_time_dt	✅	✅	❌	❌	❌	✅	string
evidences[].process.parent_process.file.hashes[].algorithm	✅	❌	❌	❌	❌	✅	string
evidences[].process.parent_process.file.hashes[].algorithm_id	✅	❌	❌	❌	❌	✅	number
evidences[].process.parent_process.file.hashes[].value	✅	❌	❌	❌	❌	✅	string
evidences[].process.parent_process.file.name	✅	❌	❌	❌	❌	✅	string
evidences[].process.parent_process.file.path	✅	❌	❌	❌	❌	✅	string
evidences[].process.parent_process.file.type	✅	❌	❌	❌	❌	✅	string
evidences[].process.parent_process.file.type_id	✅	❌	❌	❌	❌	✅	number
evidences[].process.parent_process.name	✅	✅	✅	❌	❌	✅	string
evidences[].process.parent_process.parent_process.cmd_line	✅	❌	❌	❌	❌	✅	string
evidences[].process.parent_process.parent_process.created_time	✅	❌	❌	❌	❌	✅	timestamp
evidences[].process.parent_process.parent_process.created_time_dt	✅	❌	❌	❌	❌	✅	string
evidences[].process.parent_process.parent_process.file.hashes[].algorithm	✅	❌	❌	❌	❌	✅	string
evidences[].process.parent_process.parent_process.file.hashes[].algorithm_id	✅	❌	❌	❌	❌	✅	number
evidences[].process.parent_process.parent_process.file.hashes[].value	✅	❌	❌	❌	❌	✅	string
evidences[].process.parent_process.parent_process.file.name	✅	❌	❌	❌	❌	✅	string
evidences[].process.parent_process.parent_process.file.path	✅	❌	❌	❌	❌	✅	string
evidences[].process.parent_process.parent_process.file.type	✅	❌	❌	❌	❌	✅	string
evidences[].process.parent_process.parent_process.file.type_id	✅	❌	❌	❌	❌	✅	number
evidences[].process.parent_process.parent_process.name	✅	❌	❌	❌	❌	✅	string
evidences[].process.parent_process.parent_process.path	✅	❌	❌	❌	❌	✅	string
evidences[].process.parent_process.parent_process.pid	✅	❌	❌	❌	❌	✅	number
evidences[].process.parent_process.parent_process.uid	✅	❌	❌	❌	❌	✅	string
evidences[].process.parent_process.parent_process.user.name	✅	❌	❌	❌	❌	✅	string
evidences[].process.parent_process.path	✅	✅	✅	❌	❌	✅	string
evidences[].process.parent_process.pid	✅	✅	✅	❌	❌	✅	number
evidences[].process.parent_process.uid	✅	❌	❌	❌	❌	✅	string
evidences[].process.parent_process.user.name	✅	❌	❌	❌	❌	✅	string
evidences[].process.pid	✅	✅	✅	✅	❌	✅	number
evidences[].process.signature.certificate	❌	❌	❌	✅	❌	❌	unknown
evidences[].process.signature.state_id	❌	❌	❌	✅	❌	❌	number
evidences[].process.signature.subject	❌	❌	❌	✅	❌	❌	unknown
evidences[].process.terminated_time	✅	❌	❌	✅	❌	✅	timestamp
evidences[].process.terminated_time_dt	✅	❌	❌	❌	❌	✅	string
evidences[].process.uid	❌	❌	✅	❌	❌	❌	string
evidences[].process.user.name	✅	❌	✅	❌	❌	✅	mixed
evidences[].user.account.name	❌	✅	❌	❌	❌	❌	string
evidences[].user.domain	❌	✅	❌	❌	❌	❌	string
evidences[].user.name	✅	✅	❌	❌	❌	✅	string
evidences[].user.uid	❌	✅	❌	❌	❌	❌	string
evidences[].user.uid_alt	❌	✅	❌	❌	❌	❌	string
finding_info.analytic.category	❌	✅	❌	❌	❌	❌	string
finding_info.analytic.desc	❌	❌	✅	❌	❌	❌	string
finding_info.analytic.name	❌	❌	✅	❌	❌	❌	string
finding_info.analytic.type	❌	❌	✅	❌	❌	❌	string
finding_info.analytic.type_id	❌	✅	✅	❌	❌	❌	number
finding_info.analytic.uid	❌	❌	✅	❌	❌	❌	string
finding_info.analytic.version	❌	❌	✅	❌	❌	❌	string
finding_info.created_time	✅	✅	✅	✅	✅	✅	timestamp
finding_info.created_time_dt	✅	✅	✅	✅	✅	✅	string
finding_info.data_sources[]	❌	❌	❌	✅	❌	❌	string
finding_info.first_seen_time	❌	✅	✅	❌	❌	❌	timestamp
finding_info.first_seen_time_dt	❌	✅	✅	❌	❌	❌	string
finding_info.last_seen_time	✅	✅	❌	✅	❌	✅	timestamp
finding_info.last_seen_time_dt	✅	✅	❌	✅	❌	✅	string
finding_info.modified_time	❌	✅	✅	❌	❌	❌	timestamp
finding_info.modified_time_dt	❌	❌	✅	❌	❌	❌	string
finding_info.product_uid	❌	✅	❌	❌	❌	❌	string
finding_info.title	✅	✅	✅	✅	✅	✅	string
finding_info.types[]	✅	❌	✅	✅	❌	✅	string
finding_info.uid	✅	✅	✅	✅	✅	✅	string
metadata.loggers[].logged_time	✅	✅	❌	✅	❌	✅	timestamp
metadata.loggers[].logged_time_dt	✅	❌	❌	✅	❌	✅	string
metadata.product.feature.name	✅	❌	❌	✅	❌	✅	string
metadata.product.feature.uid	❌	✅	❌	❌	❌	❌	string
metadata.product.name	✅	✅	✅	✅	❌	✅	string
metadata.product.vendor_name	✅	✅	✅	✅	✅	✅	string
metadata.product.version	✅	❌	✅	✅	❌	✅	string
metadata.tenant_uid	✅	✅	❌	✅	❌	✅	string
metadata.uid	❌	✅	❌	❌	✅	❌	string
metadata.version	✅	✅	✅	✅	✅	✅	string
resources[].name	✅	❌	❌	✅	❌	✅	string
resources[].uid	✅	❌	❌	✅	❌	✅	string
risk_score	✅	❌	❌	❌	❌	✅	number
severity	✅	✅	✅	✅	✅	✅	string
severity_id	✅	✅	✅	✅	✅	✅	number
start_time	✅	❌	❌	✅	❌	✅	timestamp
start_time_dt	✅	❌	❌	✅	❌	✅	string
status	✅	✅	✅	✅	❌	✅	string
status_detail	❌	❌	❌	❌	✅	❌	string
status_id	✅	✅	✅	✅	❌	✅	number
time	✅	✅	✅	✅	✅	✅	number
time_dt	✅	❌	✅	✅	✅	✅	string
type_name	✅	✅	✅	✅	✅	✅	string
type_uid	✅	✅	✅	✅	✅	✅	number
vulnerabilities[].desc	✅	❌	❌	❌	❌	✅	string
vulnerabilities[].title	✅	❌	❌	❌	❌	✅	string

query_applications

Field	CrowdStrike Insight EDR	Microsoft Defender	Sophos Endpoint	Tanium EDR	ThreatDown EDR	[MOCK] CrowdStrike Insight EDR	Type
activity_id	✅	✅	✅	✅	✅	✅	number
activity_name	✅	✅	✅	✅	✅	✅	string
category_name	✅	✅	✅	✅	✅	✅	string
category_uid	✅	✅	✅	✅	✅	✅	number
class_name	✅	✅	✅	✅	✅	✅	string
class_uid	✅	✅	✅	✅	✅	✅	number
device.first_seen_time	❌	❌	❌	✅	❌	❌	timestamp
device.groups[].name	❌	✅	✅	❌	❌	❌	string
device.groups[].uid	❌	✅	✅	❌	❌	❌	string
device.hostname	✅	✅	❌	✅	❌	✅	string
device.hw_info.serial_number	❌	❌	❌	✅	❌	❌	string
device.instance_uid	❌	❌	❌	✅	❌	❌	string
device.ip	✅	❌	❌	✅	❌	✅	string
device.ip_addresses[]	❌	❌	❌	✅	❌	❌	string
device.last_seen_time	❌	❌	❌	✅	❌	❌	timestamp
device.mac	✅	❌	❌	✅	❌	✅	string
device.mac_addresses[]	❌	❌	❌	✅	❌	❌	string
device.name	✅	❌	✅	❌	✅	✅	string
device.os.name	✅	✅	❌	✅	✅	✅	string
device.os.type	✅	✅	❌	✅	✅	✅	string
device.os.type_id	✅	✅	❌	✅	✅	✅	number
device.os.version	✅	❌	❌	✅	✅	✅	string
device.sw_info[].name	❌	❌	❌	❌	✅	❌	string
device.sw_info[].uid	❌	❌	❌	❌	✅	❌	string
device.sw_info[].vendor_name	❌	❌	❌	❌	✅	❌	string
device.sw_info[].version	❌	❌	❌	❌	✅	❌	string
device.type	✅	❌	❌	✅	✅	✅	string
device.type_id	✅	✅	✅	✅	✅	✅	number
device.uid	✅	✅	❌	✅	✅	✅	string
metadata.modified_time	✅	❌	❌	❌	❌	✅	timestamp
metadata.modified_time_dt	✅	❌	❌	❌	❌	✅	string
metadata.product.name	❌	✅	❌	❌	❌	❌	string
metadata.product.vendor_name	✅	✅	✅	✅	✅	✅	string
metadata.product.version	✅	❌	❌	✅	❌	✅	string
metadata.version	✅	✅	✅	✅	✅	✅	string
observables[].name	❌	❌	✅	❌	❌	❌	string
observables[].type	❌	❌	✅	❌	❌	❌	string
observables[].type_id	❌	❌	✅	❌	❌	❌	number
observables[].value	❌	❌	✅	❌	❌	❌	string
product.name	✅	✅	✅	✅	✅	✅	string
product.path	✅	❌	✅	❌	❌	✅	string
product.uid	✅	❌	❌	❌	✅	✅	mixed
product.vendor_name	✅	✅	✅	✅	✅	✅	string
product.version	✅	✅	❌	✅	✅	✅	string
severity	✅	✅	✅	✅	✅	✅	string
severity_id	✅	✅	✅	✅	✅	✅	number
start_time	✅	✅	❌	❌	✅	✅	timestamp
start_time_dt	✅	❌	❌	❌	✅	✅	string
status	✅	❌	❌	✅	❌	✅	string
status_id	✅	❌	❌	✅	❌	✅	number
time	✅	✅	✅	✅	✅	✅	number
time_dt	✅	❌	❌	❌	✅	✅	string
type_name	✅	✅	✅	✅	✅	✅	string
type_uid	✅	✅	✅	✅	✅	✅	number

query_edr_events

Field	CrowdStrike Insight EDR	[MOCK] CrowdStrike Insight EDR	Type
activity_id	✅	✅	number
activity_name	✅	✅	string
actor.process.cmd_line	✅	✅	string
actor.process.created_time	✅	✅	timestamp
actor.process.created_time_dt	✅	✅	string
actor.process.file.hashes[].algorithm	✅	✅	string
actor.process.file.hashes[].algorithm_id	✅	✅	number
actor.process.file.hashes[].value	✅	✅	string
actor.process.file.name	✅	✅	string
actor.process.file.path	✅	✅	string
actor.process.file.type_id	✅	✅	number
actor.process.name	✅	✅	string
actor.process.parent_process.cmd_line	✅	✅	string
actor.process.parent_process.created_time	✅	✅	timestamp
actor.process.parent_process.created_time_dt	✅	✅	string
actor.process.parent_process.file.hashes[].algorithm	✅	✅	string
actor.process.parent_process.file.hashes[].algorithm_id	✅	✅	number
actor.process.parent_process.file.hashes[].value	✅	✅	string
actor.process.parent_process.file.name	✅	✅	string
actor.process.parent_process.file.path	✅	✅	string
actor.process.parent_process.file.type	✅	✅	string
actor.process.parent_process.file.type_id	✅	✅	number
actor.process.parent_process.name	✅	✅	string
actor.process.parent_process.parent_process.cmd_line	✅	✅	string
actor.process.parent_process.parent_process.created_time	✅	✅	timestamp
actor.process.parent_process.parent_process.created_time_dt	✅	✅	string
actor.process.parent_process.parent_process.file.hashes[].algorithm	✅	✅	string
actor.process.parent_process.parent_process.file.hashes[].algorithm_id	✅	✅	number
actor.process.parent_process.parent_process.file.hashes[].value	✅	✅	string
actor.process.parent_process.parent_process.file.name	✅	✅	string
actor.process.parent_process.parent_process.file.path	✅	✅	string
actor.process.parent_process.parent_process.file.type	✅	✅	string
actor.process.parent_process.parent_process.file.type_id	✅	✅	number
actor.process.parent_process.parent_process.name	✅	✅	string
actor.process.parent_process.parent_process.path	✅	✅	string
actor.process.parent_process.parent_process.pid	✅	✅	number
actor.process.parent_process.parent_process.uid	✅	✅	string
actor.process.parent_process.parent_process.user.name	✅	✅	string
actor.process.parent_process.parent_process.user.uid	✅	✅	string
actor.process.parent_process.path	✅	✅	string
actor.process.parent_process.pid	✅	✅	number
actor.process.parent_process.uid	✅	✅	string
actor.process.parent_process.user.name	✅	✅	string
actor.process.parent_process.user.uid	✅	✅	string
actor.process.pid	✅	✅	number
actor.process.terminated_time	✅	✅	timestamp
actor.process.terminated_time_dt	✅	✅	string
actor.process.uid	✅	✅	string
actor.process.user.name	✅	✅	string
actor.process.user.uid	✅	✅	string
actor.user.name	✅	✅	string
actor.user.uid	✅	✅	string
attacks[].tactic.name	✅	✅	string
attacks[].tactic.uid	✅	✅	string
attacks[].technique.name	✅	✅	string
attacks[].technique.uid	✅	✅	string
category_name	✅	✅	string
category_uid	✅	✅	number
class_name	✅	✅	string
class_uid	✅	✅	number
confidence_id	✅	✅	number
confidence_score	✅	✅	number
device.first_seen_time	✅	✅	timestamp
device.first_seen_time_dt	✅	✅	string
device.hostname	✅	✅	string
device.hw_info.bios_manufacturer	✅	✅	string
device.hw_info.bios_ver	✅	✅	string
device.hw_info.system_manufacturer	✅	✅	string
device.hw_info.system_product_name	✅	✅	string
device.ip	✅	✅	string
device.last_seen_time	✅	✅	timestamp
device.last_seen_time_dt	✅	✅	string
device.mac	✅	✅	string
device.modified_time	✅	✅	timestamp
device.modified_time_dt	✅	✅	string
device.network_interfaces[].hostname	✅	✅	string
device.network_interfaces[].ip	✅	✅	string
device.network_interfaces[].mac	✅	✅	string
device.network_interfaces[].type	✅	✅	string
device.network_interfaces[].type_id	✅	✅	number
device.os.name	✅	✅	string
device.os.type	✅	✅	string
device.os.type_id	✅	✅	number
device.type	✅	✅	string
device.type_id	✅	✅	number
device.uid	✅	✅	string
enrichments[].data	✅	✅	string
enrichments[].name	✅	✅	string
enrichments[].type	✅	✅	string
enrichments[].value	✅	✅	string
evidences[].file.hashes[].algorithm	✅	✅	string
evidences[].file.hashes[].algorithm_id	✅	✅	number
evidences[].file.hashes[].value	✅	✅	string
evidences[].file.name	✅	✅	string
evidences[].file.path	✅	✅	string
evidences[].file.type	✅	✅	string
evidences[].file.type_id	✅	✅	number
evidences[].process.cmd_line	✅	✅	string
evidences[].process.created_time	✅	✅	timestamp
evidences[].process.created_time_dt	✅	✅	string
evidences[].process.file.hashes[].algorithm	✅	✅	string
evidences[].process.file.hashes[].algorithm_id	✅	✅	number
evidences[].process.file.hashes[].value	✅	✅	string
evidences[].process.file.name	✅	✅	string
evidences[].process.file.path	✅	✅	string
evidences[].process.file.type	✅	✅	string
evidences[].process.file.type_id	✅	✅	number
evidences[].process.name	✅	✅	string
evidences[].process.parent_process.cmd_line	✅	✅	string
evidences[].process.parent_process.created_time	✅	✅	timestamp
evidences[].process.parent_process.created_time_dt	✅	✅	string
evidences[].process.parent_process.file.hashes[].algorithm	✅	✅	string
evidences[].process.parent_process.file.hashes[].algorithm_id	✅	✅	number
evidences[].process.parent_process.file.hashes[].value	✅	✅	string
evidences[].process.parent_process.file.type	✅	✅	string
evidences[].process.parent_process.file.type_id	✅	✅	number
evidences[].process.parent_process.name	✅	✅	string
evidences[].process.parent_process.parent_process.cmd_line	✅	✅	string
evidences[].process.parent_process.parent_process.created_time	✅	✅	timestamp
evidences[].process.parent_process.parent_process.created_time_dt	✅	✅	string
evidences[].process.parent_process.parent_process.file.hashes[].algorithm	✅	✅	string
evidences[].process.parent_process.parent_process.file.hashes[].algorithm_id	✅	✅	number
evidences[].process.parent_process.parent_process.file.hashes[].value	✅	✅	string
evidences[].process.parent_process.parent_process.file.type	✅	✅	string
evidences[].process.parent_process.parent_process.file.type_id	✅	✅	number
evidences[].process.parent_process.parent_process.name	✅	✅	string
evidences[].process.parent_process.parent_process.path	✅	✅	string
evidences[].process.parent_process.parent_process.pid	✅	✅	number
evidences[].process.parent_process.parent_process.uid	✅	✅	string
evidences[].process.parent_process.parent_process.user.name	✅	✅	string
evidences[].process.parent_process.parent_process.user.uid	✅	✅	string
evidences[].process.parent_process.path	✅	✅	string
evidences[].process.parent_process.pid	✅	✅	number
evidences[].process.parent_process.uid	✅	✅	string
evidences[].process.pid	✅	✅	number
evidences[].process.terminated_time	✅	✅	timestamp
evidences[].process.terminated_time_dt	✅	✅	string
evidences[].process.uid	✅	✅	string
evidences[].process.user.name	✅	✅	string
evidences[].process.user.uid	✅	✅	string
evidences[].user.name	✅	✅	string
evidences[].user.uid	✅	✅	string
finding_info.created_time	✅	✅	timestamp
finding_info.created_time_dt	✅	✅	string
finding_info.product_uid	✅	✅	string
finding_info.title	✅	✅	string
finding_info.uid	✅	✅	string
message	✅	✅	string
metadata.product.feature.name	✅	✅	string
metadata.product.name	✅	✅	string
metadata.product.vendor_name	✅	✅	string
metadata.tenant_uid	✅	✅	string
metadata.uid	✅	✅	string
metadata.version	✅	✅	string
observables[].name	✅	✅	string
observables[].type	✅	✅	string
observables[].type_id	✅	✅	number
observables[].value	✅	✅	string
severity	✅	✅	string
severity_id	✅	✅	number
status	✅	✅	string
status_id	✅	✅	number
time	✅	✅	number
time_dt	✅	✅	string
type_name	✅	✅	string
type_uid	✅	✅	number

query_endpoints

Field	CrowdStrike Insight EDR	Microsoft Defender	SentinelOne Endpoint	Sophos Endpoint	ThreatDown EDR	[MOCK] CrowdStrike Insight EDR	Type
activity_id	✅	✅	✅	✅	✅	✅	number
activity_name	❌	✅	✅	✅	✅	❌	string
category_name	✅	✅	✅	✅	✅	✅	string
category_uid	✅	✅	✅	✅	✅	✅	number
class_name	✅	✅	✅	✅	✅	✅	string
class_uid	✅	✅	✅	✅	✅	✅	number
cloud.account.uid	❌	✅	❌	❌	❌	❌	string
cloud.project_uid	❌	✅	❌	❌	❌	❌	string
cloud.provider	❌	✅	❌	✅	❌	❌	string
count	✅	❌	❌	❌	❌	✅	number
device.created_time	❌	❌	❌	❌	✅	❌	timestamp
device.created_time_dt	❌	❌	❌	❌	✅	❌	string
device.desc	✅	❌	❌	❌	❌	✅	string
device.domain	❌	❌	✅	❌	❌	❌	string
device.first_seen_time	✅	✅	✅	❌	❌	✅	timestamp
device.first_seen_time_dt	❌	✅	❌	❌	❌	❌	string
device.hostname	✅	✅	✅	❌	✅	✅	string
device.hw_info.bios_manufacturer	✅	❌	❌	❌	❌	✅	string
device.hw_info.bios_ver	✅	❌	❌	❌	❌	✅	string
device.hw_info.chassis	✅	❌	❌	❌	❌	✅	string
device.hw_info.cpu_cores	❌	❌	✅	❌	❌	❌	number
device.hw_info.cpu_count	❌	❌	✅	❌	❌	❌	number
device.hw_info.cpu_type	❌	❌	✅	❌	❌	❌	string
device.hw_info.serial_number	✅	❌	❌	❌	✅	✅	string
device.instance_uid	✅	❌	✅	❌	❌	✅	string
device.ip	✅	✅	✅	❌	✅	✅	string
device.ip_addresses[]	❌	❌	❌	✅	❌	❌	string
device.last_seen_time	✅	✅	✅	❌	✅	✅	timestamp
device.last_seen_time_dt	❌	✅	❌	❌	✅	❌	string
device.mac	✅	❌	✅	❌	❌	✅	string
device.mac_addresses[]	❌	❌	❌	✅	❌	❌	string
device.modified_time	✅	❌	✅	❌	❌	✅	timestamp
device.name	✅	✅	✅	✅	✅	✅	mixed
device.network_interfaces[].hostname	❌	❌	✅	❌	❌	❌	string
device.network_interfaces[].ip	❌	✅	✅	❌	❌	❌	string
device.network_interfaces[].mac	❌	✅	✅	❌	❌	❌	mixed
device.network_interfaces[].type	❌	✅	❌	❌	❌	❌	string
device.network_interfaces[].type_id	❌	✅	✅	❌	❌	❌	number
device.network_interfaces[].uid	❌	❌	✅	❌	❌	❌	string
device.network_status	✅	✅	✅	✅	✅	✅	string
device.network_status_id	✅	✅	✅	✅	✅	✅	number
device.org.name	✅	❌	✅	❌	❌	✅	string
device.org.ou_name	❌	❌	✅	❌	❌	❌	string
device.org.ou_uid	❌	❌	✅	❌	❌	❌	string
device.org.uid	✅	❌	✅	❌	❌	✅	string
device.os.build	✅	✅	❌	❌	❌	✅	string
device.os.cpu_bits	❌	❌	❌	❌	✅	❌	number
device.os.name	✅	✅	✅	✅	✅	✅	string
device.os.type	✅	✅	✅	✅	✅	✅	string
device.os.type_id	✅	✅	✅	✅	✅	✅	number
device.os.version	✅	✅	✅	❌	✅	✅	string
device.risk_level	❌	✅	❌	❌	❌	❌	string
device.risk_level_id	❌	✅	❌	❌	❌	❌	number
device.sw_info[].name	❌	❌	❌	✅	❌	❌	string
device.sw_info[].vendor_name	❌	❌	❌	✅	❌	❌	string
device.sw_info[].version	❌	❌	❌	✅	❌	❌	string
device.type	✅	❌	✅	✅	✅	✅	string
device.type_id	✅	✅	✅	✅	✅	✅	number
device.uid	✅	✅	✅	✅	✅	✅	string
device.uid_alt	❌	✅	❌	❌	❌	❌	string
device.zone	✅	❌	❌	❌	✅	✅	string
message	✅	❌	❌	❌	❌	✅	string
metadata.labels[]	✅	✅	❌	❌	❌	✅	string
metadata.loggers[].name	✅	❌	❌	❌	❌	✅	string
metadata.loggers[].version	✅	❌	❌	❌	❌	✅	string
metadata.product.name	❌	✅	✅	❌	❌	❌	string
metadata.product.vendor_name	✅	✅	✅	✅	✅	✅	string
metadata.product.version	✅	✅	✅	❌	✅	✅	string
metadata.tenant_uid	❌	❌	❌	✅	❌	❌	string
metadata.version	✅	✅	✅	✅	✅	✅	string
result.activity_id	❌	❌	✅	❌	❌	❌	number
result.activity_name	❌	❌	✅	❌	❌	❌	string
result.category_name	❌	❌	✅	❌	❌	❌	string
result.category_uid	❌	❌	✅	❌	❌	❌	number
result.class_uid	❌	❌	✅	❌	❌	❌	number
result.device.domain	❌	❌	✅	❌	❌	❌	string
result.device.first_seen_time	❌	❌	✅	❌	❌	❌	timestamp
result.device.hostname	❌	❌	✅	❌	❌	❌	string
result.device.hw_info.cpu_cores	❌	❌	✅	❌	❌	❌	number
result.device.hw_info.cpu_count	❌	❌	✅	❌	❌	❌	number
result.device.hw_info.cpu_type	❌	❌	✅	❌	❌	❌	string
result.device.instance_uid	❌	❌	✅	❌	❌	❌	string
result.device.ip	❌	❌	✅	❌	❌	❌	string
result.device.last_seen_time	❌	❌	✅	❌	❌	❌	timestamp
result.device.mac	❌	❌	✅	❌	❌	❌	string
result.device.modified_time	❌	❌	✅	❌	❌	❌	timestamp
result.device.name	❌	❌	✅	❌	❌	❌	string
result.device.network_interfaces[].hostname	❌	❌	✅	❌	❌	❌	string
result.device.network_interfaces[].ip	❌	❌	✅	❌	❌	❌	string
result.device.network_interfaces[].mac	❌	❌	✅	❌	❌	❌	string
result.device.network_interfaces[].type_id	❌	❌	✅	❌	❌	❌	number
result.device.network_interfaces[].uid	❌	❌	✅	❌	❌	❌	string
result.device.network_status	❌	❌	✅	❌	❌	❌	string
result.device.network_status_id	❌	❌	✅	❌	❌	❌	number
result.device.org.name	❌	❌	✅	❌	❌	❌	string
result.device.org.ou_name	❌	❌	✅	❌	❌	❌	string
result.device.org.ou_uid	❌	❌	✅	❌	❌	❌	string
result.device.org.uid	❌	❌	✅	❌	❌	❌	string
result.device.os.name	❌	❌	✅	❌	❌	❌	string
result.device.os.type	❌	❌	✅	❌	❌	❌	string
result.device.os.type_id	❌	❌	✅	❌	❌	❌	number
result.device.os.version	❌	❌	✅	❌	❌	❌	string
result.device.type	❌	❌	✅	❌	❌	❌	string
result.device.type_id	❌	❌	✅	❌	❌	❌	number
result.device.uid	❌	❌	✅	❌	❌	❌	string
result.metadata.product.name	❌	❌	✅	❌	❌	❌	string
result.metadata.product.vendor_name	❌	❌	✅	❌	❌	❌	string
result.metadata.product.version	❌	❌	✅	❌	❌	❌	string
result.metadata.version	❌	❌	✅	❌	❌	❌	string
result.severity_id	❌	❌	✅	❌	❌	❌	number
result.time	❌	❌	✅	❌	❌	❌	number
result.type_uid	❌	❌	✅	❌	❌	❌	number
severity	✅	✅	✅	✅	✅	✅	string
severity_id	✅	✅	✅	✅	✅	✅	number
status	✅	✅	❌	❌	❌	✅	string
status_code	❌	✅	❌	❌	❌	❌	string
status_detail	❌	✅	❌	✅	❌	❌	string
status_id	✅	❌	❌	❌	❌	✅	number
time	✅	✅	✅	✅	✅	✅	number
time_dt	❌	❌	❌	✅	✅	❌	string
type_name	✅	✅	✅	✅	✅	✅	string
type_uid	✅	✅	✅	✅	✅	✅	number

query_iocs

Field	CrowdStrike Insight EDR	Microsoft Defender	SentinelOne Endpoint	[MOCK] CrowdStrike Insight EDR	Type
action	✅	❌	❌	✅	string
applied_globally	✅	❌	❌	✅	boolean
created	❌	✅	❌	❌	string
created_by_ref.created	❌	✅	❌	❌	string
created_by_ref.id	❌	✅	❌	❌	string
created_by_ref.modified	❌	✅	❌	❌	string
created_by_ref.name	❌	✅	❌	❌	string
created_by_ref.spec_version	❌	✅	❌	❌	string
created_by_ref.type	❌	✅	❌	❌	string
data.creationTime	❌	❌	✅	❌	string
data.description	❌	❌	✅	❌	string
data.externalId	❌	❌	✅	❌	string
data.groupIds[]	❌	❌	✅	❌	string
data.labels[]	❌	❌	✅	❌	string
data.method	❌	❌	✅	❌	string
data.name	❌	❌	✅	❌	string
data.pattern	❌	❌	✅	❌	string
data.patternType	❌	❌	✅	❌	string
data.severity	❌	❌	✅	❌	number
data.source	❌	❌	✅	❌	string
data.tenant	❌	❌	✅	❌	boolean
data.validUntil	❌	❌	✅	❌	string
description	✅	✅	❌	✅	string
expiration	✅	❌	❌	✅	string
extensions.action	❌	✅	❌	❌	string
extensions.alert	❌	✅	❌	❌	boolean
extensions.rbacGroupNames[]	❌	✅	❌	❌	string
extensions.severity	❌	✅	❌	❌	string
filter.groupIds[]	❌	❌	✅	❌	string
filter.tenant	❌	❌	✅	❌	boolean
id	❌	✅	❌	❌	string
modified	❌	✅	❌	❌	string
name	❌	✅	❌	❌	string
pattern	❌	✅	❌	❌	string
pattern_type	❌	✅	❌	❌	string
platforms[]	✅	❌	❌	✅	string
severity	✅	❌	❌	✅	string
source	✅	❌	❌	✅	string
spec_version	❌	✅	❌	❌	string
tags[]	✅	❌	❌	✅	string
type	✅	✅	❌	✅	string
valid_from	❌	✅	❌	❌	string
valid_until	❌	✅	❌	❌	string
value	✅	❌	❌	✅	string

query_posture_score

Field	CrowdStrike Insight EDR	Microsoft Defender	[MOCK] CrowdStrike Insight EDR	Type
activity_id	✅	✅	✅	number
activity_name	✅	✅	✅	string
category_name	✅	✅	✅	string
category_uid	✅	✅	✅	number
class_name	✅	✅	✅	string
class_uid	✅	✅	✅	number
cloud.project_uid	❌	✅	❌	string
cloud.provider	❌	✅	❌	string
device.hw_info.serial_number	✅	✅	✅	string
device.os.name	✅	✅	✅	string
device.os.type	✅	❌	✅	string
device.os.type_id	✅	✅	✅	number
device.risk_level	❌	✅	❌	string
device.risk_level_id	❌	✅	❌	number
device.type	✅	❌	✅	string
device.type_id	✅	✅	✅	number
device.uid	✅	✅	✅	string
device.vendor.uid	✅	✅	✅	string
enrichments[].name	✅	✅	✅	string
enrichments[].reputation.base_score	✅	✅	✅	number
enrichments[].reputation.score	✅	✅	✅	string
enrichments[].reputation.score_id	✅	✅	✅	number
enrichments[].value	✅	✅	✅	string
metadata.product.name	❌	✅	❌	string
metadata.product.vendor_name	✅	✅	✅	string
metadata.product.version	✅	✅	✅	string
metadata.version	✅	✅	✅	string
osint[].comment	✅	❌	✅	string
osint[].confidence	✅	❌	✅	string
osint[].name	✅	❌	✅	string
osint[].type	✅	❌	✅	string
osint[].type_id	✅	❌	✅	number
osint[].uid	✅	❌	✅	string
osint[].value	✅	❌	✅	string
osint[].vendor_name	✅	❌	✅	string
severity	✅	✅	✅	string
severity_id	✅	✅	✅	number
status	✅	✅	✅	string
status_id	✅	✅	✅	number
time	✅	✅	✅	number
time_dt	✅	✅	✅	string
type_name	✅	✅	✅	string
type_uid	✅	✅	✅	number

query_threatevents

Field	CrowdStrike Insight EDR	Microsoft Defender	Tanium EDR	ThreatDown EDR	Type
action	❌	❌	❌	✅	string
action_id	❌	❌	❌	✅	number
activity_id	✅	✅	✅	✅	number
activity_name	✅	✅	✅	✅	string
actor.invoked_by	❌	❌	❌	✅	string
actor.process.cmd_line	✅	❌	❌	❌	string
actor.process.created_time	✅	❌	❌	❌	timestamp
actor.process.created_time_dt	✅	❌	❌	❌	string
actor.process.file.hashes[].algorithm	✅	❌	❌	✅	string
actor.process.file.hashes[].algorithm_id	✅	❌	❌	✅	number
actor.process.file.hashes[].value	✅	❌	❌	✅	string
actor.process.file.name	✅	❌	❌	✅	string
actor.process.file.path	✅	❌	❌	❌	string
actor.process.file.type_id	✅	❌	❌	✅	number
actor.process.name	✅	❌	❌	✅	string
actor.process.parent_process.cmd_line	✅	❌	❌	❌	string
actor.process.parent_process.created_time	✅	❌	❌	❌	timestamp
actor.process.parent_process.created_time_dt	✅	❌	❌	❌	string
actor.process.parent_process.file.hashes[].algorithm	✅	❌	❌	❌	string
actor.process.parent_process.file.hashes[].algorithm_id	✅	❌	❌	❌	number
actor.process.parent_process.file.hashes[].value	✅	❌	❌	❌	string
actor.process.parent_process.file.name	✅	❌	❌	❌	string
actor.process.parent_process.file.path	✅	❌	❌	❌	string
actor.process.parent_process.file.type	✅	❌	❌	❌	string
actor.process.parent_process.file.type_id	✅	❌	❌	❌	number
actor.process.parent_process.name	✅	❌	❌	❌	string
actor.process.parent_process.parent_process.cmd_line	✅	❌	❌	❌	string
actor.process.parent_process.parent_process.created_time	✅	❌	❌	❌	timestamp
actor.process.parent_process.parent_process.created_time_dt	✅	❌	❌	❌	string
actor.process.parent_process.parent_process.file.hashes[].algorithm	✅	❌	❌	❌	string
actor.process.parent_process.parent_process.file.hashes[].algorithm_id	✅	❌	❌	❌	number
actor.process.parent_process.parent_process.file.hashes[].value	✅	❌	❌	❌	string
actor.process.parent_process.parent_process.file.name	✅	❌	❌	❌	string
actor.process.parent_process.parent_process.file.path	✅	❌	❌	❌	string
actor.process.parent_process.parent_process.file.type	✅	❌	❌	❌	string
actor.process.parent_process.parent_process.file.type_id	✅	❌	❌	❌	number
actor.process.parent_process.parent_process.name	✅	❌	❌	❌	string
actor.process.parent_process.parent_process.path	✅	❌	❌	❌	string
actor.process.parent_process.parent_process.pid	✅	❌	❌	❌	number
actor.process.parent_process.parent_process.uid	✅	❌	❌	❌	string
actor.process.parent_process.parent_process.user.name	✅	❌	❌	❌	string
actor.process.parent_process.parent_process.user.uid	✅	❌	❌	❌	string
actor.process.parent_process.path	✅	❌	❌	❌	string
actor.process.parent_process.pid	✅	❌	❌	❌	number
actor.process.parent_process.uid	✅	❌	❌	❌	string
actor.process.parent_process.user.name	✅	❌	❌	❌	string
actor.process.parent_process.user.uid	✅	❌	❌	❌	string
actor.process.pid	✅	❌	❌	❌	number
actor.process.terminated_time	✅	❌	❌	❌	timestamp
actor.process.terminated_time_dt	✅	❌	❌	❌	string
actor.process.uid	✅	❌	❌	❌	string
actor.process.user.name	✅	❌	❌	❌	string
actor.process.user.uid	✅	❌	❌	❌	string
actor.user.name	✅	✅	❌	✅	mixed
actor.user.uid	✅	❌	❌	❌	string
attacks[].tactic.name	✅	❌	❌	❌	string
attacks[].tactic.uid	✅	❌	❌	❌	string
attacks[].technique.name	✅	❌	❌	❌	string
attacks[].technique.uid	✅	❌	❌	❌	string
category_name	✅	✅	✅	✅	string
category_uid	✅	✅	✅	✅	number
class_name	✅	✅	✅	✅	string
class_uid	✅	✅	✅	✅	number
comment	❌	❌	✅	❌	string
confidence_id	✅	❌	❌	❌	number
confidence_score	✅	❌	❌	❌	number
device.first_seen_time	✅	❌	✅	❌	timestamp
device.first_seen_time_dt	✅	❌	✅	❌	string
device.hostname	✅	❌	✅	✅	string
device.hw_info.bios_manufacturer	✅	❌	❌	❌	string
device.hw_info.bios_ver	✅	❌	❌	❌	string
device.hw_info.system_manufacturer	✅	❌	❌	❌	string
device.hw_info.system_product_name	✅	❌	❌	❌	string
device.id	❌	❌	✅	❌	number
device.ip	✅	❌	✅	✅	string
device.last_seen_time	✅	❌	✅	❌	timestamp
device.last_seen_time_dt	✅	❌	✅	❌	string
device.mac	✅	❌	❌	❌	string
device.modified_time	✅	❌	❌	❌	timestamp
device.modified_time_dt	✅	❌	❌	❌	string
device.network_interfaces[].hostname	✅	❌	✅	❌	string
device.network_interfaces[].ip	✅	❌	✅	❌	string
device.network_interfaces[].mac	✅	❌	❌	❌	string
device.network_interfaces[].type	✅	❌	❌	❌	string
device.network_interfaces[].type_id	✅	❌	❌	❌	number
device.os.name	✅	❌	✅	❌	string
device.os.type	✅	❌	✅	❌	string
device.os.type_id	✅	❌	❌	❌	number
device.os.version	❌	❌	✅	❌	string
device.type	✅	❌	✅	❌	string
device.type_id	✅	❌	❌	✅	number
device.uid	✅	❌	❌	✅	string
enrichments[].data	✅	❌	❌	❌	string
enrichments[].name	✅	❌	❌	❌	string
enrichments[].type	✅	❌	❌	❌	string
enrichments[].value	✅	❌	❌	❌	string
evidences[].file.hashes[].algorithm	✅	❌	❌	❌	string
evidences[].file.hashes[].algorithm_id	✅	❌	❌	❌	number
evidences[].file.hashes[].value	✅	❌	❌	❌	string
evidences[].file.name	✅	❌	❌	❌	string
evidences[].file.path	✅	❌	❌	❌	string
evidences[].file.type	✅	❌	❌	❌	string
evidences[].file.type_id	✅	❌	❌	❌	number
evidences[].process.cmd_line	✅	❌	❌	❌	string
evidences[].process.created_time	✅	❌	✅	❌	timestamp
evidences[].process.created_time_dt	✅	❌	✅	❌	string
evidences[].process.file.hashes[].algorithm	✅	❌	✅	❌	string
evidences[].process.file.hashes[].algorithm_id	✅	❌	✅	❌	number
evidences[].process.file.hashes[].value	✅	❌	✅	❌	mixed
evidences[].process.file.name	✅	❌	❌	❌	string
evidences[].process.file.path	✅	❌	✅	❌	string
evidences[].process.file.type	✅	❌	❌	❌	string
evidences[].process.file.type_id	✅	❌	❌	❌	number
evidences[].process.name	✅	❌	❌	❌	string
evidences[].process.parent_process.cmd_line	✅	❌	❌	❌	string
evidences[].process.parent_process.created_time	✅	❌	❌	❌	timestamp
evidences[].process.parent_process.created_time_dt	✅	❌	❌	❌	string
evidences[].process.parent_process.file.hashes[].algorithm	✅	❌	❌	❌	string
evidences[].process.parent_process.file.hashes[].algorithm_id	✅	❌	❌	❌	number
evidences[].process.parent_process.file.hashes[].value	✅	❌	❌	❌	string
evidences[].process.parent_process.file.type	✅	❌	❌	❌	string
evidences[].process.parent_process.file.type_id	✅	❌	❌	❌	number
evidences[].process.parent_process.name	✅	❌	❌	❌	string
evidences[].process.parent_process.parent_process.cmd_line	✅	❌	❌	❌	string
evidences[].process.parent_process.parent_process.created_time	✅	❌	❌	❌	timestamp
evidences[].process.parent_process.parent_process.created_time_dt	✅	❌	❌	❌	string
evidences[].process.parent_process.parent_process.file.hashes[].algorithm	✅	❌	❌	❌	string
evidences[].process.parent_process.parent_process.file.hashes[].algorithm_id	✅	❌	❌	❌	number
evidences[].process.parent_process.parent_process.file.hashes[].value	✅	❌	❌	❌	string
evidences[].process.parent_process.parent_process.file.type	✅	❌	❌	❌	string
evidences[].process.parent_process.parent_process.file.type_id	✅	❌	❌	❌	number
evidences[].process.parent_process.parent_process.name	✅	❌	❌	❌	string
evidences[].process.parent_process.parent_process.path	✅	❌	❌	❌	string
evidences[].process.parent_process.parent_process.pid	✅	❌	❌	❌	number
evidences[].process.parent_process.parent_process.uid	✅	❌	❌	❌	string
evidences[].process.parent_process.parent_process.user.name	✅	❌	❌	❌	string
evidences[].process.parent_process.parent_process.user.uid	✅	❌	❌	❌	string
evidences[].process.parent_process.path	✅	❌	❌	❌	string
evidences[].process.parent_process.pid	✅	❌	❌	❌	number
evidences[].process.parent_process.uid	✅	❌	❌	❌	string
evidences[].process.parent_process.user.name	✅	❌	❌	❌	string
evidences[].process.parent_process.user.uid	✅	❌	❌	❌	string
evidences[].process.pid	✅	❌	✅	❌	number
evidences[].process.signature.certificate	❌	❌	✅	❌	unknown
evidences[].process.signature.state_id	❌	❌	✅	❌	number
evidences[].process.signature.subject	❌	❌	✅	❌	unknown
evidences[].process.terminated_time	✅	❌	✅	❌	timestamp
evidences[].process.terminated_time_dt	✅	❌	❌	❌	string
evidences[].process.uid	✅	❌	❌	❌	string
evidences[].process.user.name	✅	❌	❌	❌	string
evidences[].process.user.uid	✅	❌	❌	❌	string
evidences[].user.name	✅	❌	❌	❌	string
evidences[].user.uid	✅	❌	❌	❌	string
finding_info.created_time	✅	✅	✅	❌	timestamp
finding_info.created_time_dt	✅	✅	✅	❌	string
finding_info.data_sources[]	❌	✅	✅	❌	string
finding_info.last_seen_time	❌	❌	✅	❌	timestamp
finding_info.last_seen_time_dt	❌	❌	✅	❌	string
finding_info.modified_time	❌	✅	❌	❌	timestamp
finding_info.modified_time_dt	❌	✅	❌	❌	string
finding_info.product_uid	✅	❌	❌	❌	string
finding_info.title	✅	✅	✅	✅	string
finding_info.types[]	❌	❌	✅	❌	string
finding_info.uid	✅	✅	✅	✅	string
message	✅	✅	❌	❌	string
metadata.correlation_uid	❌	✅	❌	❌	string
metadata.loggers[].logged_time	❌	❌	✅	❌	timestamp
metadata.loggers[].logged_time_dt	❌	❌	✅	❌	string
metadata.product.feature.name	✅	❌	✅	❌	string
metadata.product.name	✅	✅	✅	❌	string
metadata.product.vendor_name	✅	✅	✅	✅	string
metadata.product.version	✅	❌	✅	❌	string
metadata.tenant_uid	✅	❌	✅	❌	string
metadata.uid	✅	✅	❌	❌	string
metadata.version	✅	✅	✅	✅	string
observables[].name	✅	❌	❌	❌	string
observables[].type	✅	❌	❌	❌	string
observables[].type_id	✅	❌	❌	❌	number
observables[].value	✅	❌	❌	❌	string
resources[].name	❌	❌	✅	❌	string
resources[].uid	❌	❌	✅	❌	string
severity	✅	✅	✅	✅	string
severity_id	✅	✅	✅	✅	number
start_time	❌	❌	✅	❌	timestamp
start_time_dt	❌	❌	✅	❌	string
status	✅	✅	✅	❌	string
status_id	✅	✅	✅	❌	number
time	✅	✅	✅	✅	number
time_dt	✅	❌	✅	✅	string
type_name	✅	✅	✅	✅	string
type_uid	✅	✅	✅	✅	number

EDR Supported FieldsCopyCopy for LLMCopy page as Markdown for LLMsView as MarkdownOpen this page as MarkdownOpen in ChatGPTGet insights from ChatGPTOpen in ClaudeGet insights from Claude

get_endpoint

query_alerts

query_applications

query_edr_events

query_endpoints

query_iocs

query_posture_score

query_threatevents

Was this helpful?

EDR Supported Fields
Copy for LLM
Copy page as Markdown for LLMs
View as Markdown
Open this page as Markdown
Open in ChatGPT
Get insights from ChatGPT
Open in Claude
Get insights from Claude