# EDR Supported Fields

This document shows the fields supported by each provider and operation.

- [get_endpoint](#get_endpoint)
- [query_alerts](#query_alerts)
- [query_applications](#query_applications)
- [query_edr_events](#query_edr_events)
- [query_endpoints](#query_endpoints)
- [query_iocs](#query_iocs)
- [query_posture_score](#query_posture_score)
- [query_threatevents](#query_threatevents)

## get_endpoint

| Field | CrowdStrike Insight EDR | Microsoft Defender | SentinelOne Endpoint | Sophos Endpoint | [MOCK] CrowdStrike Insight EDR | Type |
| --- | --- | --- | --- | --- | --- | --- |
| result.activity_id | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| result.activity_name | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| result.category_name | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| result.category_uid | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| result.class_uid | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| result.cloud.provider | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| result.device.desc | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| result.device.domain | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| result.device.first_seen_time | ✅ | ❌ | ✅ | ❌ | ✅ | timestamp |
| result.device.hostname | ✅ | ✅ | ✅ | ❌ | ✅ | string |
| result.device.hw_info.bios_manufacturer | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| result.device.hw_info.bios_ver | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| result.device.hw_info.chassis | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| result.device.hw_info.cpu_cores | ❌ | ❌ | ✅ | ❌ | ❌ | number |
| result.device.hw_info.cpu_count | ❌ | ❌ | ✅ | ❌ | ❌ | number |
| result.device.hw_info.cpu_type | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| result.device.hw_info.serial_number | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| result.device.instance_uid | ✅ | ❌ | ✅ | ❌ | ✅ | string |
| result.device.ip | ✅ | ✅ | ✅ | ❌ | ✅ | string |
| result.device.ip_addresses[] | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| result.device.last_seen_time | ✅ | ✅ | ✅ | ❌ | ✅ | timestamp |
| result.device.last_seen_time_dt | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| result.device.mac | ✅ | ❌ | ✅ | ❌ | ✅ | string |
| result.device.mac_addresses[] | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| result.device.modified_time | ✅ | ❌ | ✅ | ❌ | ✅ | timestamp |
| result.device.name | ✅ | ❌ | ✅ | ✅ | ✅ | string |
| result.device.network_interfaces[].hostname | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| result.device.network_interfaces[].ip | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| result.device.network_interfaces[].mac | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| result.device.network_interfaces[].type_id | ❌ | ❌ | ✅ | ❌ | ❌ | number |
| result.device.network_interfaces[].uid | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| result.device.network_status | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| result.device.network_status_id | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| result.device.org.name | ✅ | ❌ | ✅ | ❌ | ✅ | string |
| result.device.org.ou_name | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| result.device.org.ou_uid | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| result.device.org.uid | ✅ | ❌ | ✅ | ❌ | ✅ | string |
| result.device.os.build | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| result.device.os.name | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| result.device.os.type | ✅ | ❌ | ✅ | ✅ | ✅ | string |
| result.device.os.type_id | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| result.device.os.version | ✅ | ❌ | ✅ | ❌ | ✅ | string |
| result.device.risk_level | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| result.device.risk_level_id | ❌ | ✅ | ❌ | ❌ | ❌ | number |
| result.device.sw_info[].name | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| result.device.sw_info[].vendor_name | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| result.device.sw_info[].version | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| result.device.type | ✅ | ❌ | ✅ | ✅ | ✅ | string |
| result.device.type_id | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| result.device.uid | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| result.device.zone | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| result.message | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| result.metadata.labels[] | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| result.metadata.loggers[].name | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| result.metadata.loggers[].version | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| result.metadata.product.name | ✅ | ✅ | ✅ | ❌ | ✅ | string |
| result.metadata.product.vendor_name | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| result.metadata.product.version | ❌ | ✅ | ✅ | ❌ | ❌ | string |
| result.metadata.tenant_uid | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| result.metadata.version | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| result.raw_data | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| result.severity | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| result.severity_id | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| result.status | ✅ | ✅ | ❌ | ❌ | ✅ | string |
| result.status_code | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| result.status_detail | ❌ | ✅ | ❌ | ✅ | ❌ | string |
| result.status_id | ✅ | ❌ | ❌ | ❌ | ✅ | number |
| result.time | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| result.time_dt | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| result.type_name | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| result.type_uid | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| result.unmapped.connection_mac_address | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| result.unmapped.default_gateway_ip | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| result.unmapped.deployment_type | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| result.unmapped.kernel_version | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| result.unmapped.local_ip | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| result.unmapped.provision_status | ✅ | ❌ | ❌ | ❌ | ✅ | string |

## query_alerts

| Field | CrowdStrike Insight EDR | Microsoft Defender | SentinelOne Endpoint | Tanium EDR | ThreatDown EDR | [MOCK] CrowdStrike Insight EDR | Type |
| --- | --- | --- | --- | --- | --- | --- | --- |
| activity_id | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| activity_name | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| actor.user.domain | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| actor.user.name | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| attacks[].tactic.name | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | string |
| attacks[].tactic.uid | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | string |
| attacks[].technique.name | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | string |
| attacks[].technique.uid | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | string |
| category_name | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| category_uid | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| class_name | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| class_uid | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| cloud.provider | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | string |
| comment | ✅ | ✅ | ❌ | ✅ | ❌ | ✅ | string |
| confidence_score | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | number |
| device.first_seen_time | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ | timestamp |
| device.first_seen_time_dt | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ | string |
| device.hostname | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | string |
| device.hw_info.bios_manufacturer | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | string |
| device.hw_info.bios_ver | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | string |
| device.id | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | number |
| device.ip | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ | string |
| device.last_seen_time | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ | timestamp |
| device.last_seen_time_dt | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ | string |
| device.mac | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | string |
| device.modified_time | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | timestamp |
| device.modified_time_dt | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | string |
| device.name | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| device.network_interfaces[].hostname | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ | string |
| device.network_interfaces[].ip | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ | string |
| device.network_interfaces[].mac | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | string |
| device.network_interfaces[].type | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | string |
| device.network_interfaces[].type_id | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | number |
| device.org.uid | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| device.os.name | ✅ | ❌ | ✅ | ✅ | ❌ | ✅ | string |
| device.os.type | ✅ | ❌ | ✅ | ✅ | ❌ | ✅ | string |
| device.os.type_id | ✅ | ❌ | ✅ | ❌ | ❌ | ✅ | number |
| device.os.version | ✅ | ❌ | ✅ | ✅ | ❌ | ✅ | string |
| device.type | ✅ | ❌ | ✅ | ✅ | ❌ | ✅ | string |
| device.type_id | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ | number |
| device.uid | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ | string |
| device.uid_alt | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | string |
| evidences[].actor.user.full_name | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | string |
| evidences[].data.creation_time | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | timestamp |
| evidences[].data.creation_time_dt | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| evidences[].data.entityType | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| evidences[].device.type_id | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | number |
| evidences[].file.hashes[].algorithm | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| evidences[].file.hashes[].algorithm_id | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | number |
| evidences[].file.hashes[].value | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| evidences[].file.name | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| evidences[].file.type_id | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | number |
| evidences[].process.cmd_line | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ | string |
| evidences[].process.created_time | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | timestamp |
| evidences[].process.created_time_dt | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | string |
| evidences[].process.file.hashes[].algorithm | ✅ | ❌ | ✅ | ✅ | ❌ | ✅ | string |
| evidences[].process.file.hashes[].algorithm_id | ✅ | ❌ | ✅ | ✅ | ❌ | ✅ | number |
| evidences[].process.file.hashes[].value | ✅ | ❌ | ✅ | ✅ | ❌ | ✅ | mixed |
| evidences[].process.file.modified_time | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | timestamp |
| evidences[].process.file.modified_time_dt | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| evidences[].process.file.name | ✅ | ❌ | ✅ | ❌ | ❌ | ✅ | string |
| evidences[].process.file.path | ✅ | ❌ | ✅ | ✅ | ❌ | ✅ | mixed |
| evidences[].process.file.type | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | string |
| evidences[].process.file.type_id | ✅ | ❌ | ✅ | ❌ | ❌ | ✅ | number |
| evidences[].process.name | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| evidences[].process.parent_process.cmd_line | ✅ | ❌ | ✅ | ❌ | ❌ | ✅ | string |
| evidences[].process.parent_process.created_time_dt | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| evidences[].process.parent_process.name | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ | string |
| evidences[].process.parent_process.path | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ | string |
| evidences[].process.parent_process.pid | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ | number |
| evidences[].process.parent_process.sha256 | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | string |
| evidences[].process.pid | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | number |
| evidences[].process.signature.certificate | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | unknown |
| evidences[].process.signature.state_id | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | number |
| evidences[].process.signature.subject | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | unknown |
| evidences[].process.terminated_time | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ | timestamp |
| evidences[].process.uid | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| evidences[].process.user.name | ✅ | ❌ | ✅ | ❌ | ❌ | ✅ | mixed |
| evidences[].user.account.name | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| evidences[].user.domain | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| evidences[].user.name | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| evidences[].user.uid | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| evidences[].user.uid_alt | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| finding_info.analytic.category | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| finding_info.analytic.desc | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| finding_info.analytic.name | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| finding_info.analytic.type | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| finding_info.analytic.type_id | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | number |
| finding_info.analytic.uid | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| finding_info.analytic.version | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| finding_info.created_time | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | timestamp |
| finding_info.created_time_dt | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| finding_info.data_sources[] | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| finding_info.first_seen_time | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | timestamp |
| finding_info.first_seen_time_dt | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | string |
| finding_info.last_seen_time | ✅ | ✅ | ❌ | ✅ | ❌ | ✅ | timestamp |
| finding_info.last_seen_time_dt | ✅ | ✅ | ❌ | ✅ | ❌ | ✅ | string |
| finding_info.modified_time | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | timestamp |
| finding_info.modified_time_dt | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| finding_info.product_uid | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| finding_info.title | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| finding_info.types[] | ✅ | ❌ | ✅ | ✅ | ❌ | ✅ | string |
| finding_info.uid | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| metadata.loggers[].logged_time | ✅ | ✅ | ❌ | ✅ | ❌ | ✅ | timestamp |
| metadata.loggers[].logged_time_dt | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ | string |
| metadata.product.feature.name | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ | string |
| metadata.product.feature.uid | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| metadata.product.name | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | string |
| metadata.product.vendor_name | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| metadata.product.version | ✅ | ❌ | ✅ | ✅ | ❌ | ✅ | string |
| metadata.tenant_uid | ✅ | ✅ | ❌ | ✅ | ❌ | ✅ | string |
| metadata.uid | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | string |
| metadata.version | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| resources[].name | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ | string |
| resources[].uid | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ | string |
| risk_score | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | number |
| severity | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| severity_id | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| start_time | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ | timestamp |
| start_time_dt | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ | string |
| status | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | string |
| status_detail | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | string |
| status_id | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | number |
| time | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| time_dt | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | string |
| type_name | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| type_uid | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| vulnerabilities[].desc | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | string |
| vulnerabilities[].title | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | string |

## query_applications

| Field | CrowdStrike Insight EDR | Microsoft Defender | Sophos Endpoint | Tanium EDR | ThreatDown EDR | [MOCK] CrowdStrike Insight EDR | Type |
| --- | --- | --- | --- | --- | --- | --- | --- |
| activity_id | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| activity_name | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| category_name | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| category_uid | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| class_name | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| class_uid | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| device.first_seen_time | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | unknown |
| device.groups[].name | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | string |
| device.groups[].uid | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | string |
| device.hostname | ✅ | ✅ | ❌ | ✅ | ❌ | ✅ | mixed |
| device.hw_info.serial_number | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | unknown |
| device.instance_uid | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | unknown |
| device.ip | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ | mixed |
| device.ip_addresses | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | unknown |
| device.last_seen_time | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | unknown |
| device.mac | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ | string |
| device.mac_addresses | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | unknown |
| device.name | ✅ | ❌ | ✅ | ❌ | ✅ | ✅ | string |
| device.os.name | ✅ | ✅ | ❌ | ✅ | ✅ | ✅ | mixed |
| device.os.type | ✅ | ✅ | ❌ | ✅ | ✅ | ✅ | string |
| device.os.type_id | ✅ | ✅ | ❌ | ✅ | ✅ | ✅ | number |
| device.os.version | ✅ | ❌ | ❌ | ✅ | ✅ | ✅ | mixed |
| device.sw_info[].name | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| device.sw_info[].uid | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| device.sw_info[].vendor_name | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| device.sw_info[].version | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| device.type | ✅ | ❌ | ❌ | ✅ | ✅ | ✅ | string |
| device.type_id | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| device.uid | ✅ | ✅ | ❌ | ✅ | ✅ | ✅ | mixed |
| metadata.modified_time | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | timestamp |
| metadata.modified_time_dt | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | string |
| metadata.product.name | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| metadata.product.vendor_name | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| metadata.product.version | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ | string |
| metadata.version | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| observables[].name | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| observables[].type | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| observables[].type_id | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | number |
| observables[].value | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| product.name | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | mixed |
| product.path | ✅ | ❌ | ✅ | ❌ | ❌ | ✅ | string |
| product.uid | ✅ | ❌ | ❌ | ❌ | ✅ | ✅ | mixed |
| product.vendor_name | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| product.version | ✅ | ✅ | ❌ | ✅ | ✅ | ✅ | mixed |
| severity | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| severity_id | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| start_time | ✅ | ✅ | ❌ | ❌ | ✅ | ✅ | timestamp |
| start_time_dt | ✅ | ❌ | ❌ | ❌ | ✅ | ✅ | string |
| status | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ | string |
| status_id | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ | number |
| time | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | mixed |
| time_dt | ✅ | ❌ | ❌ | ❌ | ✅ | ✅ | string |
| type_name | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| type_uid | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | number |

## query_edr_events

| Field | CrowdStrike Insight EDR | [MOCK] CrowdStrike Insight EDR | Type |
| --- | --- | --- | --- |
| activity_id | ✅ | ✅ | number |
| activity_name | ✅ | ✅ | string |
| actor.process.file.hashes[].algorithm | ✅ | ✅ | string |
| actor.process.file.hashes[].algorithm_id | ✅ | ✅ | number |
| actor.process.file.hashes[].value | ✅ | ✅ | string |
| actor.process.file.name | ✅ | ✅ | string |
| actor.process.file.type | ✅ | ✅ | string |
| actor.process.file.type_id | ✅ | ✅ | number |
| actor.process.name | ✅ | ✅ | string |
| attacks[].tactic.name | ✅ | ✅ | string |
| attacks[].tactic.uid | ✅ | ✅ | string |
| attacks[].technique.name | ✅ | ✅ | string |
| attacks[].technique.uid | ✅ | ✅ | string |
| category_name | ✅ | ✅ | string |
| category_uid | ✅ | ✅ | number |
| class_name | ✅ | ✅ | string |
| class_uid | ✅ | ✅ | number |
| confidence_score | ✅ | ✅ | number |
| device.hostname | ✅ | ✅ | string |
| device.ip | ✅ | ✅ | string |
| device.mac | ✅ | ✅ | string |
| device.os.name | ✅ | ✅ | string |
| device.os.type | ✅ | ✅ | string |
| device.os.type_id | ✅ | ✅ | number |
| device.os.version | ✅ | ✅ | string |
| device.type_id | ✅ | ✅ | number |
| device.uid | ✅ | ✅ | string |
| end_time | ✅ | ✅ | timestamp |
| end_time_dt | ✅ | ✅ | string |
| evidences[].file.hashes[].algorithm | ✅ | ✅ | string |
| evidences[].file.hashes[].algorithm_id | ✅ | ✅ | number |
| evidences[].file.hashes[].value | ✅ | ✅ | string |
| evidences[].file.name | ✅ | ✅ | string |
| evidences[].file.path | ✅ | ✅ | string |
| evidences[].file.type | ✅ | ✅ | string |
| evidences[].file.type_id | ✅ | ✅ | number |
| evidences[].process.cmd_line | ✅ | ✅ | string |
| evidences[].process.file.hashes[].algorithm | ✅ | ✅ | string |
| evidences[].process.file.hashes[].algorithm_id | ✅ | ✅ | number |
| evidences[].process.file.hashes[].value | ✅ | ✅ | string |
| evidences[].process.file.name | ✅ | ✅ | string |
| evidences[].process.file.path | ✅ | ✅ | string |
| evidences[].process.file.type | ✅ | ✅ | string |
| evidences[].process.file.type_id | ✅ | ✅ | number |
| evidences[].process.parent_process.cmd_line | ✅ | ✅ | string |
| evidences[].process.parent_process.file.hashes[].algorithm | ✅ | ✅ | string |
| evidences[].process.parent_process.file.hashes[].algorithm_id | ✅ | ✅ | number |
| evidences[].process.parent_process.file.hashes[].value | ✅ | ✅ | string |
| evidences[].process.parent_process.file.type | ✅ | ✅ | string |
| evidences[].process.parent_process.file.type_id | ✅ | ✅ | number |
| evidences[].process.parent_process.uid | ✅ | ✅ | string |
| evidences[].user.name | ✅ | ✅ | string |
| evidences[].user.uid | ✅ | ✅ | string |
| finding_info.created_time | ✅ | ✅ | timestamp |
| finding_info.created_time_dt | ✅ | ✅ | string |
| finding_info.last_seen_time | ✅ | ✅ | timestamp |
| finding_info.last_seen_time_dt | ✅ | ✅ | string |
| finding_info.title | ✅ | ✅ | string |
| finding_info.types[] | ✅ | ✅ | string |
| finding_info.uid | ✅ | ✅ | string |
| message | ✅ | ✅ | string |
| metadata.product.name | ✅ | ✅ | string |
| metadata.product.vendor_name | ✅ | ✅ | string |
| metadata.tenant_uid | ✅ | ✅ | string |
| metadata.uid | ✅ | ✅ | string |
| metadata.version | ✅ | ✅ | string |
| severity | ✅ | ✅ | string |
| severity_id | ✅ | ✅ | number |
| start_time | ✅ | ✅ | timestamp |
| start_time_dt | ✅ | ✅ | string |
| status | ✅ | ✅ | string |
| status_id | ✅ | ✅ | number |
| time | ✅ | ✅ | number |
| time_dt | ✅ | ✅ | string |
| type_name | ✅ | ✅ | string |
| type_uid | ✅ | ✅ | number |

## query_endpoints

| Field | CrowdStrike Insight EDR | Microsoft Defender | SentinelOne Endpoint | Sophos Endpoint | ThreatDown EDR | [MOCK] CrowdStrike Insight EDR | Type |
| --- | --- | --- | --- | --- | --- | --- | --- |
| activity_id | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| activity_name | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| category_name | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| category_uid | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| class_name | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| class_uid | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| cloud.account.uid | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| cloud.project_uid | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| cloud.provider | ❌ | ✅ | ❌ | ✅ | ❌ | ❌ | string |
| count | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | number |
| device.created_time | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | timestamp |
| device.created_time_dt | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| device.desc | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | string |
| device.domain | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| device.first_seen_time | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ | timestamp |
| device.first_seen_time_dt | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| device.hostname | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ | string |
| device.hw_info.bios_manufacturer | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | string |
| device.hw_info.bios_ver | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | string |
| device.hw_info.chassis | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | string |
| device.hw_info.cpu_cores | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | number |
| device.hw_info.cpu_count | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | number |
| device.hw_info.cpu_type | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| device.hw_info.serial_number | ✅ | ❌ | ❌ | ❌ | ✅ | ✅ | string |
| device.instance_uid | ✅ | ❌ | ✅ | ❌ | ❌ | ✅ | string |
| device.ip | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ | string |
| device.ip_addresses[] | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| device.last_seen_time | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ | timestamp |
| device.last_seen_time_dt | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | string |
| device.mac | ✅ | ❌ | ✅ | ❌ | ❌ | ✅ | string |
| device.mac_addresses[] | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| device.modified_time | ✅ | ❌ | ✅ | ❌ | ❌ | ✅ | timestamp |
| device.name | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | mixed |
| device.network_interfaces[].hostname | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| device.network_interfaces[].ip | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | string |
| device.network_interfaces[].mac | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | mixed |
| device.network_interfaces[].type | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| device.network_interfaces[].type_id | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | number |
| device.network_interfaces[].uid | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| device.network_status | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| device.network_status_id | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| device.org.name | ✅ | ❌ | ✅ | ❌ | ❌ | ✅ | string |
| device.org.ou_name | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| device.org.ou_uid | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| device.org.uid | ✅ | ❌ | ✅ | ❌ | ❌ | ✅ | string |
| device.os.build | ✅ | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| device.os.cpu_bits | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | number |
| device.os.name | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| device.os.type | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| device.os.type_id | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| device.os.version | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ | string |
| device.risk_level | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| device.risk_level_id | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | number |
| device.sw_info[].name | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| device.sw_info[].vendor_name | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| device.sw_info[].version | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| device.type | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | string |
| device.type_id | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| device.uid | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| device.uid_alt | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| device.zone | ✅ | ❌ | ❌ | ❌ | ✅ | ✅ | string |
| message | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | string |
| metadata.labels[] | ✅ | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| metadata.loggers[].name | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | string |
| metadata.loggers[].version | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | string |
| metadata.product.name | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | string |
| metadata.product.vendor_name | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| metadata.product.version | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ | string |
| metadata.tenant_uid | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| metadata.version | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| result.activity_id | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | number |
| result.activity_name | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| result.category_name | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| result.category_uid | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | number |
| result.class_uid | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | number |
| result.device.domain | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| result.device.first_seen_time | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | timestamp |
| result.device.hostname | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| result.device.hw_info.cpu_cores | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | number |
| result.device.hw_info.cpu_count | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | number |
| result.device.hw_info.cpu_type | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| result.device.instance_uid | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| result.device.ip | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| result.device.last_seen_time | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | timestamp |
| result.device.mac | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| result.device.modified_time | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | timestamp |
| result.device.name | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| result.device.network_interfaces[].hostname | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| result.device.network_interfaces[].ip | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| result.device.network_interfaces[].mac | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| result.device.network_interfaces[].type_id | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | number |
| result.device.network_interfaces[].uid | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| result.device.network_status | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| result.device.network_status_id | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | number |
| result.device.org.name | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| result.device.org.ou_name | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| result.device.org.ou_uid | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| result.device.org.uid | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| result.device.os.name | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| result.device.os.type | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| result.device.os.type_id | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | number |
| result.device.os.version | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| result.device.type | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| result.device.type_id | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | number |
| result.device.uid | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| result.metadata.product.name | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| result.metadata.product.vendor_name | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| result.metadata.product.version | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| result.metadata.version | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| result.severity_id | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | number |
| result.time | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | number |
| result.type_uid | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | number |
| severity | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| severity_id | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| status | ✅ | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| status_code | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| status_detail | ❌ | ✅ | ❌ | ✅ | ❌ | ❌ | string |
| status_id | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | number |
| time | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| time_dt | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | string |
| type_name | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| type_uid | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | number |

## query_iocs

| Field | CrowdStrike Insight EDR | Microsoft Defender | SentinelOne Endpoint | [MOCK] CrowdStrike Insight EDR | Type |
| --- | --- | --- | --- | --- | --- |
| action | ✅ | ❌ | ❌ | ✅ | string |
| applied_globally | ✅ | ❌ | ❌ | ✅ | boolean |
| created | ❌ | ✅ | ❌ | ❌ | string |
| created_by_ref.created | ❌ | ✅ | ❌ | ❌ | string |
| created_by_ref.id | ❌ | ✅ | ❌ | ❌ | string |
| created_by_ref.modified | ❌ | ✅ | ❌ | ❌ | string |
| created_by_ref.name | ❌ | ✅ | ❌ | ❌ | string |
| created_by_ref.spec_version | ❌ | ✅ | ❌ | ❌ | string |
| created_by_ref.type | ❌ | ✅ | ❌ | ❌ | string |
| data.creationTime | ❌ | ❌ | ✅ | ❌ | string |
| data.description | ❌ | ❌ | ✅ | ❌ | string |
| data.externalId | ❌ | ❌ | ✅ | ❌ | string |
| data.groupIds[] | ❌ | ❌ | ✅ | ❌ | string |
| data.labels[] | ❌ | ❌ | ✅ | ❌ | string |
| data.method | ❌ | ❌ | ✅ | ❌ | string |
| data.name | ❌ | ❌ | ✅ | ❌ | string |
| data.pattern | ❌ | ❌ | ✅ | ❌ | string |
| data.patternType | ❌ | ❌ | ✅ | ❌ | string |
| data.severity | ❌ | ❌ | ✅ | ❌ | number |
| data.source | ❌ | ❌ | ✅ | ❌ | string |
| data.tenant | ❌ | ❌ | ✅ | ❌ | boolean |
| data.validUntil | ❌ | ❌ | ✅ | ❌ | string |
| description | ✅ | ✅ | ❌ | ✅ | string |
| expiration | ✅ | ❌ | ❌ | ✅ | string |
| extensions.action | ❌ | ✅ | ❌ | ❌ | string |
| extensions.alert | ❌ | ✅ | ❌ | ❌ | boolean |
| extensions.rbacGroupNames[] | ❌ | ✅ | ❌ | ❌ | string |
| extensions.severity | ❌ | ✅ | ❌ | ❌ | string |
| filter.groupIds[] | ❌ | ❌ | ✅ | ❌ | string |
| filter.tenant | ❌ | ❌ | ✅ | ❌ | boolean |
| id | ❌ | ✅ | ❌ | ❌ | string |
| modified | ❌ | ✅ | ❌ | ❌ | string |
| name | ❌ | ✅ | ❌ | ❌ | string |
| pattern | ❌ | ✅ | ❌ | ❌ | string |
| pattern_type | ❌ | ✅ | ❌ | ❌ | string |
| platforms[] | ✅ | ❌ | ❌ | ✅ | string |
| severity | ✅ | ❌ | ❌ | ✅ | string |
| source | ✅ | ❌ | ❌ | ✅ | string |
| spec_version | ❌ | ✅ | ❌ | ❌ | string |
| tags[] | ✅ | ❌ | ❌ | ✅ | string |
| type | ✅ | ✅ | ❌ | ✅ | string |
| valid_from | ❌ | ✅ | ❌ | ❌ | string |
| valid_until | ❌ | ✅ | ❌ | ❌ | string |
| value | ✅ | ❌ | ❌ | ✅ | string |

## query_posture_score

| Field | CrowdStrike Insight EDR | Microsoft Defender | [MOCK] CrowdStrike Insight EDR | Type |
| --- | --- | --- | --- | --- |
| activity_id | ✅ | ✅ | ✅ | number |
| activity_name | ✅ | ✅ | ✅ | string |
| category_name | ✅ | ✅ | ✅ | string |
| category_uid | ✅ | ✅ | ✅ | number |
| class_name | ✅ | ✅ | ✅ | string |
| class_uid | ✅ | ✅ | ✅ | number |
| cloud.project_uid | ❌ | ✅ | ❌ | string |
| cloud.provider | ❌ | ✅ | ❌ | string |
| device.hw_info.serial_number | ✅ | ✅ | ✅ | string |
| device.os.name | ✅ | ✅ | ✅ | string |
| device.os.type | ✅ | ❌ | ✅ | string |
| device.os.type_id | ✅ | ✅ | ✅ | number |
| device.risk_level | ❌ | ✅ | ❌ | string |
| device.risk_level_id | ❌ | ✅ | ❌ | number |
| device.type | ✅ | ❌ | ✅ | string |
| device.type_id | ✅ | ✅ | ✅ | number |
| device.uid | ✅ | ✅ | ✅ | string |
| device.vendor.uid | ✅ | ✅ | ✅ | string |
| enrichments[].name | ✅ | ✅ | ✅ | string |
| enrichments[].reputation.base_score | ✅ | ✅ | ✅ | number |
| enrichments[].reputation.score | ✅ | ✅ | ✅ | string |
| enrichments[].reputation.score_id | ✅ | ✅ | ✅ | number |
| enrichments[].value | ✅ | ✅ | ✅ | string |
| metadata.product.name | ❌ | ✅ | ❌ | string |
| metadata.product.vendor_name | ✅ | ✅ | ✅ | string |
| metadata.product.version | ✅ | ✅ | ✅ | string |
| metadata.version | ✅ | ✅ | ✅ | string |
| osint[].comment | ✅ | ❌ | ✅ | string |
| osint[].confidence | ✅ | ❌ | ✅ | string |
| osint[].name | ✅ | ❌ | ✅ | string |
| osint[].type | ✅ | ❌ | ✅ | string |
| osint[].type_id | ✅ | ❌ | ✅ | number |
| osint[].uid | ✅ | ❌ | ✅ | string |
| osint[].value | ✅ | ❌ | ✅ | string |
| osint[].vendor_name | ✅ | ❌ | ✅ | string |
| severity | ✅ | ✅ | ✅ | string |
| severity_id | ✅ | ✅ | ✅ | number |
| status | ✅ | ✅ | ✅ | string |
| status_id | ✅ | ✅ | ✅ | number |
| time | ✅ | ✅ | ✅ | number |
| time_dt | ✅ | ✅ | ✅ | string |
| type_name | ✅ | ✅ | ✅ | string |
| type_uid | ✅ | ✅ | ✅ | number |

## query_threatevents

| Field | CrowdStrike Insight EDR | Microsoft Defender | Tanium EDR | ThreatDown EDR | [MOCK] CrowdStrike Insight EDR | Type |
| --- | --- | --- | --- | --- | --- | --- |
| action | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| action_id | ❌ | ❌ | ❌ | ✅ | ❌ | number |
| activity_id | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| activity_name | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| actor.invoked_by | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| actor.process.cmd_line | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| actor.process.file.hashes[].algorithm | ✅ | ❌ | ❌ | ✅ | ✅ | string |
| actor.process.file.hashes[].algorithm_id | ✅ | ❌ | ❌ | ✅ | ✅ | number |
| actor.process.file.hashes[].value | ✅ | ❌ | ❌ | ✅ | ✅ | string |
| actor.process.file.name | ✅ | ❌ | ❌ | ✅ | ✅ | string |
| actor.process.file.path | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| actor.process.file.type | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| actor.process.file.type_id | ✅ | ❌ | ❌ | ✅ | ✅ | number |
| actor.process.name | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| actor.user.name | ✅ | ✅ | ❌ | ✅ | ✅ | mixed |
| actor.user.uid | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| attacks[].tactic.name | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| attacks[].tactic.uid | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| attacks[].technique.name | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| attacks[].technique.uid | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| category_name | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| category_uid | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| class_name | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| class_uid | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| comment | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| confidence_id | ✅ | ❌ | ❌ | ❌ | ✅ | number |
| confidence_score | ✅ | ❌ | ❌ | ❌ | ✅ | number |
| device.first_seen_time | ✅ | ❌ | ✅ | ❌ | ✅ | timestamp |
| device.first_seen_time_dt | ✅ | ❌ | ✅ | ❌ | ✅ | string |
| device.hostname | ✅ | ❌ | ✅ | ✅ | ✅ | string |
| device.hw_info.bios_manufacturer | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| device.hw_info.bios_ver | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| device.id | ❌ | ❌ | ✅ | ❌ | ❌ | number |
| device.ip | ✅ | ❌ | ✅ | ✅ | ✅ | string |
| device.last_seen_time | ✅ | ❌ | ✅ | ❌ | ✅ | timestamp |
| device.last_seen_time_dt | ✅ | ❌ | ✅ | ❌ | ✅ | string |
| device.mac | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| device.modified_time | ✅ | ❌ | ❌ | ❌ | ✅ | timestamp |
| device.modified_time_dt | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| device.network_interfaces[].hostname | ✅ | ❌ | ✅ | ❌ | ✅ | string |
| device.network_interfaces[].ip | ✅ | ❌ | ✅ | ❌ | ✅ | string |
| device.network_interfaces[].mac | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| device.network_interfaces[].type | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| device.network_interfaces[].type_id | ✅ | ❌ | ❌ | ❌ | ✅ | number |
| device.os.build | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| device.os.name | ✅ | ❌ | ✅ | ❌ | ✅ | string |
| device.os.type | ✅ | ❌ | ✅ | ❌ | ✅ | string |
| device.os.type_id | ✅ | ❌ | ❌ | ❌ | ✅ | number |
| device.os.version | ✅ | ❌ | ✅ | ❌ | ✅ | string |
| device.sw_info[].vendor_name | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| device.type | ✅ | ❌ | ✅ | ❌ | ✅ | string |
| device.type_id | ✅ | ❌ | ❌ | ✅ | ✅ | number |
| device.uid | ✅ | ❌ | ❌ | ✅ | ✅ | string |
| device.vendor.name | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| disposition_id | ✅ | ❌ | ❌ | ❌ | ✅ | number |
| enrichments[].data | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| enrichments[].name | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| enrichments[].type | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| enrichments[].value | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| evidences[].data.description | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| evidences[].data.objective | ✅ | ❌ | ❌ | ❌ | ✅ | string |
| evidences[].data.pattern_disposition | ✅ | ❌ | ❌ | ❌ | ✅ | number |
| evidences[].data.pattern_disposition_details.blocking_unsupported_or_disabled | ✅ | ❌ | ❌ | ❌ | ✅ | boolean |
| evidences[].data.pattern_disposition_details.bootup_safeguard_enabled | ✅ | ❌ | ❌ | ❌ | ✅ | boolean |
| evidences[].data.pattern_disposition_details.containment_file_system | ✅ | ❌ | ❌ | ❌ | ✅ | boolean |
| evidences[].data.pattern_disposition_details.critical_process_disabled | ✅ | ❌ | ❌ | ❌ | ✅ | boolean |
| evidences[].data.pattern_disposition_details.detect | ✅ | ❌ | ❌ | ❌ | ✅ | boolean |
| evidences[].data.pattern_disposition_details.fs_operation_blocked | ✅ | ❌ | ❌ | ❌ | ✅ | boolean |
| evidences[].data.pattern_disposition_details.handle_operation_downgraded | ✅ | ❌ | ❌ | ❌ | ✅ | boolean |
| evidences[].data.pattern_disposition_details.inddet_mask | ✅ | ❌ | ❌ | ❌ | ✅ | boolean |
| evidences[].data.pattern_disposition_details.indicator | ✅ | ❌ | ❌ | ❌ | ✅ | boolean |
| evidences[].data.pattern_disposition_details.kill_action_failed | ✅ | ❌ | ❌ | ❌ | ✅ |
boolean | | evidences[].data.pattern_disposition_details.kill_parent | ✅ | ❌ | ❌ | ❌ | ✅ | boolean | | evidences[].data.pattern_disposition_details.kill_process | ✅ | ❌ | ❌ | ❌ | ✅ | boolean | | evidences[].data.pattern_disposition_details.kill_subprocess | ✅ | ❌ | ❌ | ❌ | ✅ | boolean | | evidences[].data.pattern_disposition_details.mfa_required | ✅ | ❌ | ❌ | ❌ | ✅ | boolean | | evidences[].data.pattern_disposition_details.operation_blocked | ✅ | ❌ | ❌ | ❌ | ✅ | boolean | | evidences[].data.pattern_disposition_details.policy_disabled | ✅ | ❌ | ❌ | ❌ | ✅ | boolean | | evidences[].data.pattern_disposition_details.prevention_provisioning_enabled | ✅ | ❌ | ❌ | ❌ | ✅ | boolean | | evidences[].data.pattern_disposition_details.process_blocked | ✅ | ❌ | ❌ | ❌ | ✅ | boolean | | evidences[].data.pattern_disposition_details.quarantine_file | ✅ | ❌ | ❌ | ❌ | ✅ | boolean | | evidences[].data.pattern_disposition_details.quarantine_machine | ✅ | ❌ | ❌ | ❌ | ✅ | boolean | | evidences[].data.pattern_disposition_details.registry_operation_blocked | ✅ | ❌ | ❌ | ❌ | ✅ | boolean | | evidences[].data.pattern_disposition_details.response_action_already_applied | ✅ | ❌ | ❌ | ❌ | ✅ | boolean | | evidences[].data.pattern_disposition_details.response_action_failed | ✅ | ❌ | ❌ | ❌ | ✅ | boolean | | evidences[].data.pattern_disposition_details.response_action_triggered | ✅ | ❌ | ❌ | ❌ | ✅ | boolean | | evidences[].data.pattern_disposition_details.rooting | ✅ | ❌ | ❌ | ❌ | ✅ | boolean | | evidences[].data.pattern_disposition_details.sensor_only | ✅ | ❌ | ❌ | ❌ | ✅ | boolean | | evidences[].data.pattern_disposition_details.suspend_parent | ✅ | ❌ | ❌ | ❌ | ✅ | boolean | | evidences[].data.pattern_disposition_details.suspend_process | ✅ | ❌ | ❌ | ❌ | ✅ | boolean | | evidences[].file.hashes[].algorithm | ✅ | ❌ | ❌ | ❌ | ✅ | string | | evidences[].file.hashes[].algorithm_id | ✅ | ❌ | ❌ | ❌ | ✅ | number | | evidences[].file.hashes[].value | ✅ | ❌ | ❌ | ❌ | ✅ | string | | evidences[].file.name | ✅ | ❌ 
| ❌ | ❌ | ✅ | string | | evidences[].file.path | ✅ | ❌ | ❌ | ❌ | ✅ | string | | evidences[].file.type | ✅ | ❌ | ❌ | ❌ | ✅ | string | | evidences[].file.type_id | ✅ | ❌ | ❌ | ❌ | ✅ | number | | evidences[].process.cmd_line | ✅ | ❌ | ❌ | ❌ | ✅ | string | | evidences[].process.created_time | ❌ | ❌ | ✅ | ❌ | ❌ | timestamp | | evidences[].process.created_time_dt | ❌ | ❌ | ✅ | ❌ | ❌ | string | | evidences[].process.file.hashes[].algorithm | ✅ | ❌ | ✅ | ❌ | ✅ | string | | evidences[].process.file.hashes[].algorithm_id | ✅ | ❌ | ✅ | ❌ | ✅ | number | | evidences[].process.file.hashes[].value | ✅ | ❌ | ✅ | ❌ | ✅ | mixed | | evidences[].process.file.name | ✅ | ❌ | ❌ | ❌ | ✅ | string | | evidences[].process.file.path | ✅ | ❌ | ✅ | ❌ | ✅ | string | | evidences[].process.file.type | ✅ | ❌ | ❌ | ❌ | ✅ | string | | evidences[].process.file.type_id | ✅ | ❌ | ❌ | ❌ | ✅ | number | | evidences[].process.parent_process.cmd_line | ✅ | ❌ | ❌ | ❌ | ✅ | string | | evidences[].process.parent_process.file.hashes[].algorithm | ✅ | ❌ | ❌ | ❌ | ✅ | string | | evidences[].process.parent_process.file.hashes[].algorithm_id | ✅ | ❌ | ❌ | ❌ | ✅ | number | | evidences[].process.parent_process.file.hashes[].value | ✅ | ❌ | ❌ | ❌ | ✅ | string | | evidences[].process.parent_process.file.type | ✅ | ❌ | ❌ | ❌ | ✅ | string | | evidences[].process.parent_process.file.type_id | ✅ | ❌ | ❌ | ❌ | ✅ | number | | evidences[].process.parent_process.uid | ✅ | ❌ | ❌ | ❌ | ✅ | string | | evidences[].process.pid | ❌ | ❌ | ✅ | ❌ | ❌ | number | | evidences[].process.signature.certificate | ❌ | ❌ | ✅ | ❌ | ❌ | unknown | | evidences[].process.signature.state_id | ❌ | ❌ | ✅ | ❌ | ❌ | number | | evidences[].process.signature.subject | ❌ | ❌ | ✅ | ❌ | ❌ | unknown | | evidences[].process.terminated_time | ❌ | ❌ | ✅ | ❌ | ❌ | timestamp | | evidences[].user.name | ✅ | ❌ | ❌ | ❌ | ✅ | string | | evidences[].user.uid | ✅ | ❌ | ❌ | ❌ | ✅ | string | | finding_info.created_time | ✅ | ✅ | ✅ | ❌ | ✅ | timestamp | | 
finding_info.created_time_dt | ✅ | ✅ | ✅ | ❌ | ✅ | string | | finding_info.data_sources[] | ❌ | ✅ | ✅ | ❌ | ❌ | string | | finding_info.first_seen_time | ✅ | ❌ | ❌ | ❌ | ✅ | timestamp | | finding_info.first_seen_time_dt | ✅ | ❌ | ❌ | ❌ | ✅ | string | | finding_info.last_seen_time | ✅ | ❌ | ✅ | ❌ | ✅ | timestamp | | finding_info.last_seen_time_dt | ✅ | ❌ | ✅ | ❌ | ✅ | string | | finding_info.modified_time | ✅ | ✅ | ❌ | ❌ | ✅ | timestamp | | finding_info.modified_time_dt | ✅ | ✅ | ❌ | ❌ | ✅ | string | | finding_info.product_uid | ✅ | ❌ | ❌ | ❌ | ✅ | string | | finding_info.title | ✅ | ✅ | ✅ | ✅ | ✅ | string | | finding_info.types[] | ❌ | ❌ | ✅ | ❌ | ❌ | string | | finding_info.uid | ✅ | ✅ | ✅ | ✅ | ✅ | string | | message | ❌ | ✅ | ❌ | ❌ | ❌ | string | | metadata.correlation_uid | ❌ | ✅ | ❌ | ❌ | ❌ | string | | metadata.loggers[].logged_time | ❌ | ❌ | ✅ | ❌ | ❌ | timestamp | | metadata.loggers[].logged_time_dt | ❌ | ❌ | ✅ | ❌ | ❌ | string | | metadata.original_time | ✅ | ❌ | ❌ | ❌ | ✅ | string | | metadata.product.feature.name | ❌ | ❌ | ✅ | ❌ | ❌ | string | | metadata.product.name | ❌ | ✅ | ✅ | ❌ | ❌ | string | | metadata.product.vendor_name | ✅ | ✅ | ✅ | ✅ | ✅ | string | | metadata.product.version | ✅ | ❌ | ✅ | ❌ | ✅ | string | | metadata.tenant_uid | ✅ | ❌ | ✅ | ❌ | ✅ | string | | metadata.uid | ✅ | ✅ | ❌ | ❌ | ✅ | string | | metadata.version | ✅ | ✅ | ✅ | ✅ | ✅ | string | | observables[].name | ✅ | ❌ | ❌ | ❌ | ✅ | string | | observables[].type | ✅ | ❌ | ❌ | ❌ | ✅ | string | | observables[].type_id | ✅ | ❌ | ❌ | ❌ | ✅ | number | | observables[].value | ✅ | ❌ | ❌ | ❌ | ✅ | string | | resources[].name | ❌ | ❌ | ✅ | ❌ | ❌ | string | | resources[].uid | ❌ | ❌ | ✅ | ❌ | ❌ | string | | severity | ✅ | ✅ | ✅ | ✅ | ✅ | string | | severity_id | ✅ | ✅ | ✅ | ✅ | ✅ | number | | start_time | ❌ | ❌ | ✅ | ❌ | ❌ | timestamp | | start_time_dt | ❌ | ❌ | ✅ | ❌ | ❌ | string | | status | ✅ | ✅ | ✅ | ❌ | ✅ | string | | status_id | ❌ | ✅ | ✅ | ❌ | ❌ | number | | time | ✅ | ✅ | ✅ | ✅ | ✅ | 
number | | time_dt | ✅ | ❌ | ✅ | ✅ | ✅ | string | | type_name | ✅ | ✅ | ✅ | ✅ | ✅ | string | | type_uid | ✅ | ✅ | ✅ | ✅ | ✅ | number |