# Identity Supported Fields

This document shows the fields supported by each provider and operation.

- [get_group](#get_group)
- [get_group_members](#get_group_members)
- [get_user](#get_user)
- [query_audit_log](#query_audit_log)
- [query_groups](#query_groups)
- [query_users](#query_users)


## get_group

| Field | Microsoft Entra ID | PingOne Cloud Platform | Type |
|  --- | --- | --- | --- |
| activity_id | ✅ | ✅ | number |
| activity_name | ✅ | ✅ | string |
| category_name | ✅ | ✅ | string |
| category_uid | ✅ | ✅ | number |
| class_name | ✅ | ✅ | string |
| class_uid | ✅ | ✅ | number |
| entity.group.desc | ✅ | ✅ | string |
| entity.group.name | ✅ | ✅ | string |
| entity.group.privileges[] | ✅ | ✅ | string |
| entity.group.uid | ✅ | ✅ | string |
| entity.type | ✅ | ✅ | string |
| entity.type_id | ✅ | ✅ | number |
| entity.uid | ✅ | ✅ | string |
| metadata.product.name | ✅ | ✅ | string |
| metadata.product.vendor_name | ✅ | ✅ | string |
| metadata.version | ✅ | ✅ | string |
| severity | ✅ | ✅ | string |
| severity_id | ✅ | ✅ | number |
| time | ✅ | ✅ | number |
| type_name | ✅ | ✅ | string |
| type_uid | ✅ | ✅ | number |


## get_group_members

| Field | Google Workspace | Type |
|  --- | --- | --- |
| activity_id | ✅ | number |
| activity_name | ✅ | string |
| category_name | ✅ | string |
| category_uid | ✅ | number |
| class_name | ✅ | string |
| class_uid | ✅ | number |
| entity.type | ✅ | string |
| entity.type_id | ✅ | number |
| entity.uid | ✅ | string |
| entity.user.email_addr | ✅ | string |
| entity.user.type | ✅ | string |
| entity.user.type_id | ✅ | number |
| entity.user.uid | ✅ | string |
| entity.user.uid_alt | ✅ | string |
| metadata.product.name | ✅ | string |
| metadata.product.vendor_name | ✅ | string |
| metadata.version | ✅ | string |
| severity | ✅ | string |
| severity_id | ✅ | number |
| time | ✅ | number |
| type_name | ✅ | string |
| type_uid | ✅ | number |


## get_user

| Field | Google Workspace | Microsoft Entra ID | Okta Identity | PingOne Cloud Platform | Type |
|  --- | --- | --- | --- | --- | --- |
| activity_id | ✅ | ✅ | ✅ | ✅ | number |
| activity_name | ✅ | ✅ | ✅ | ✅ | string |
| category_name | ✅ | ✅ | ✅ | ✅ | string |
| category_uid | ✅ | ✅ | ✅ | ✅ | number |
| class_name | ✅ | ✅ | ✅ | ✅ | string |
| class_uid | ✅ | ✅ | ✅ | ✅ | number |
| entity.type | ✅ | ✅ | ✅ | ✅ | string |
| entity.type_id | ✅ | ✅ | ✅ | ✅ | number |
| entity.uid | ✅ | ✅ | ✅ | ✅ | string |
| entity.user.email_addr | ✅ | ✅ | ✅ | ✅ | string |
| entity.user.full_name | ✅ | ✅ | ✅ | ✅ | string |
| entity.user.groups[].desc | ❌ | ✅ | ✅ | ✅ | string |
| entity.user.groups[].name | ❌ | ✅ | ✅ | ✅ | string |
| entity.user.groups[].type | ❌ | ✅ | ❌ | ✅ | string |
| entity.user.groups[].uid | ❌ | ✅ | ✅ | ✅ | string |
| entity.user.has_mfa | ✅ | ✅ | ✅ | ✅ | boolean |
| entity.user.ldap_person.cost_center | ❌ | ❌ | ✅ | ✅ | string |
| entity.user.ldap_person.created_time | ✅ | ✅ | ✅ | ✅ | timestamp |
| entity.user.ldap_person.employee_uid | ❌ | ✅ | ✅ | ✅ | string |
| entity.user.ldap_person.given_name | ✅ | ✅ | ✅ | ✅ | string |
| entity.user.ldap_person.job_title | ❌ | ✅ | ✅ | ✅ | string |
| entity.user.ldap_person.last_login_time | ✅ | ✅ | ❌ | ❌ | timestamp |
| entity.user.ldap_person.manager.email_addr | ❌ | ✅ | ❌ | ❌ | string |
| entity.user.ldap_person.manager.full_name | ❌ | ✅ | ✅ | ❌ | string |
| entity.user.ldap_person.manager.name | ❌ | ✅ | ❌ | ❌ | string |
| entity.user.ldap_person.manager.type | ❌ | ✅ | ❌ | ❌ | string |
| entity.user.ldap_person.manager.type_id | ❌ | ✅ | ❌ | ❌ | number |
| entity.user.ldap_person.manager.uid | ❌ | ✅ | ❌ | ❌ | string |
| entity.user.ldap_person.manager.uid_alt | ❌ | ✅ | ❌ | ❌ | string |
| entity.user.ldap_person.modified_time | ❌ | ❌ | ✅ | ✅ | timestamp |
| entity.user.ldap_person.surname | ✅ | ✅ | ✅ | ✅ | string |
| entity.user.mfa_status | ✅ | ✅ | ✅ | ✅ | string |
| entity.user.mfa_status_id | ✅ | ✅ | ✅ | ✅ | number |
| entity.user.name | ✅ | ✅ | ✅ | ✅ | string |
| entity.user.org.name | ❌ | ✅ | ✅ | ❌ | string |
| entity.user.org.ou_name | ❌ | ✅ | ✅ | ❌ | string |
| entity.user.privileges[] | ❌ | ✅ | ✅ | ✅ | string |
| entity.user.type | ✅ | ✅ | ✅ | ✅ | string |
| entity.user.type_id | ✅ | ✅ | ✅ | ✅ | number |
| entity.user.uid | ✅ | ✅ | ✅ | ✅ | string |
| entity.user.uid_alt | ✅ | ✅ | ✅ | ✅ | string |
| entity.user.user_status | ✅ | ✅ | ✅ | ✅ | string |
| entity.user.user_status_id | ✅ | ✅ | ✅ | ✅ | number |
| metadata.product.name | ✅ | ✅ | ✅ | ✅ | string |
| metadata.product.vendor_name | ✅ | ✅ | ✅ | ✅ | string |
| metadata.version | ✅ | ✅ | ✅ | ✅ | string |
| severity | ✅ | ✅ | ✅ | ✅ | string |
| severity_id | ✅ | ✅ | ✅ | ✅ | number |
| time | ✅ | ✅ | ✅ | ✅ | number |
| type_name | ✅ | ✅ | ✅ | ✅ | string |
| type_uid | ✅ | ✅ | ✅ | ✅ | number |


## query_audit_log

| Field | Google Workspace | Microsoft Entra ID | Okta Identity | PingOne Cloud Platform | Type |
|  --- | --- | --- | --- | --- | --- |
| activity_id | ✅ | ✅ | ✅ | ✅ | number |
| activity_name | ✅ | ✅ | ✅ | ✅ | string |
| actor.idp.name | ❌ | ❌ | ❌ | ✅ | string |
| actor.idp.uid | ❌ | ❌ | ❌ | ✅ | string |
| actor.user.email_addr | ✅ | ❌ | ✅ | ❌ | string |
| actor.user.name | ❌ | ✅ | ✅ | ✅ | string |
| actor.user.type | ❌ | ❌ | ✅ | ✅ | string |
| actor.user.uid | ✅ | ✅ | ✅ | ✅ | string |
| actor.user.uid_alt | ❌ | ❌ | ✅ | ❌ | string |
| auth_protocol | ❌ | ❌ | ✅ | ❌ | string |
| auth_protocol_id | ❌ | ✅ | ✅ | ❌ | number |
| category_name | ✅ | ✅ | ✅ | ✅ | string |
| category_uid | ✅ | ✅ | ✅ | ✅ | number |
| class_name | ✅ | ✅ | ✅ | ✅ | string |
| class_uid | ✅ | ✅ | ✅ | ✅ | number |
| count | ❌ | ✅ | ✅ | ✅ | number |
| direction_id | ✅ | ❌ | ❌ | ❌ | number |
| dst_endpoint.hostname | ❌ | ❌ | ✅ | ❌ | string |
| dst_endpoint.instance_uid | ❌ | ❌ | ✅ | ❌ | string |
| dst_endpoint.interface_uid | ❌ | ❌ | ✅ | ❌ | string |
| dst_endpoint.svc_name | ❌ | ❌ | ✅ | ❌ | string |
| email.from | ✅ | ❌ | ❌ | ❌ | string |
| email.to[] | ✅ | ❌ | ❌ | ❌ | string |
| enrichments[].data | ❌ | ✅ | ❌ | ❌ | string |
| enrichments[].data.boolValue | ✅ | ❌ | ❌ | ❌ | boolean |
| enrichments[].data.city | ❌ | ✅ | ✅ | ❌ | string |
| enrichments[].data.country | ❌ | ❌ | ✅ | ❌ | string |
| enrichments[].data.countryOrRegion | ❌ | ✅ | ❌ | ❌ | string |
| enrichments[].data.geoCoordinates.altitude | ❌ | ✅ | ❌ | ❌ | unknown |
| enrichments[].data.geoCoordinates.latitude | ❌ | ✅ | ❌ | ❌ | number |
| enrichments[].data.geoCoordinates.longitude | ❌ | ✅ | ❌ | ❌ | number |
| enrichments[].data.geolocation.lat | ❌ | ❌ | ✅ | ❌ | number |
| enrichments[].data.geolocation.lon | ❌ | ❌ | ✅ | ❌ | number |
| enrichments[].data.intValue | ✅ | ❌ | ❌ | ❌ | string |
| enrichments[].data.multiValue[] | ✅ | ❌ | ❌ | ❌ | string |
| enrichments[].data.postalCode | ❌ | ❌ | ✅ | ❌ | string |
| enrichments[].data.state | ❌ | ✅ | ✅ | ❌ | string |
| enrichments[].name | ✅ | ✅ | ✅ | ✅ | string |
| enrichments[].type | ✅ | ✅ | ✅ | ✅ | string |
| enrichments[].value | ✅ | ✅ | ✅ | ✅ | string |
| file.name | ✅ | ❌ | ❌ | ❌ | string |
| file.owner.email_addr | ✅ | ❌ | ❌ | ❌ | string |
| file.type | ✅ | ❌ | ❌ | ❌ | string |
| file.type_id | ✅ | ❌ | ❌ | ❌ | number |
| file.uid | ✅ | ❌ | ❌ | ❌ | string |
| file_result.name | ✅ | ❌ | ❌ | ❌ | string |
| file_result.owner.email_addr | ✅ | ❌ | ❌ | ❌ | string |
| file_result.parent_folder | ✅ | ❌ | ❌ | ❌ | string |
| file_result.type | ✅ | ❌ | ❌ | ❌ | string |
| file_result.type_id | ✅ | ❌ | ❌ | ❌ | number |
| file_result.uid | ✅ | ❌ | ❌ | ❌ | string |
| from | ✅ | ❌ | ❌ | ❌ | string |
| group.name | ✅ | ✅ | ✅ | ✅ | string |
| group.type | ❌ | ✅ | ✅ | ❌ | string |
| group.uid | ✅ | ✅ | ✅ | ❌ | string |
| http_request.http_method | ✅ | ❌ | ❌ | ❌ | string |
| http_request.url.url_string | ✅ | ❌ | ✅ | ❌ | string |
| http_request.user_agent | ❌ | ❌ | ✅ | ❌ | string |
| is_cleartext | ❌ | ❌ | ✅ | ❌ | boolean |
| is_mfa | ❌ | ✅ | ❌ | ❌ | boolean |
| logon_type | ❌ | ❌ | ✅ | ❌ | string |
| logon_type_id | ❌ | ✅ | ✅ | ❌ | number |
| message | ✅ | ✅ | ✅ | ✅ | string |
| metadata.correlation_uid | ❌ | ❌ | ❌ | ✅ | string |
| metadata.product.name | ✅ | ✅ | ✅ | ✅ | string |
| metadata.product.vendor_name | ✅ | ✅ | ✅ | ✅ | string |
| metadata.uid | ✅ | ✅ | ✅ | ✅ | string |
| metadata.version | ✅ | ✅ | ✅ | ✅ | string |
| privileges[] | ✅ | ❌ | ❌ | ❌ | string |
| service.name | ❌ | ✅ | ❌ | ❌ | string |
| service.uid | ❌ | ✅ | ❌ | ❌ | string |
| session.uid | ❌ | ❌ | ✅ | ❌ | string |
| severity | ✅ | ❌ | ✅ | ✅ | string |
| severity_id | ✅ | ✅ | ✅ | ✅ | number |
| src_endpoint.ip | ✅ | ✅ | ✅ | ✅ | string |
| src_endpoint.location.city | ❌ | ✅ | ✅ | ❌ | string |
| src_endpoint.location.coordinates[] | ❌ | ✅ | ✅ | ❌ | number |
| src_endpoint.location.country | ❌ | ✅ | ✅ | ❌ | string |
| src_endpoint.location.lat | ❌ | ❌ | ✅ | ❌ | number |
| src_endpoint.location.latitude | ❌ | ✅ | ❌ | ❌ | number |
| src_endpoint.location.long | ❌ | ❌ | ✅ | ❌ | number |
| src_endpoint.location.longitude | ❌ | ✅ | ❌ | ❌ | number |
| src_endpoint.location.region | ❌ | ✅ | ✅ | ❌ | string |
| src_endpoint.uid | ❌ | ❌ | ✅ | ❌ | string |
| status | ✅ | ❌ | ✅ | ✅ | string |
| status_code | ❌ | ❌ | ✅ | ❌ | string |
| status_detail | ❌ | ✅ | ✅ | ✅ | string |
| status_id | ✅ | ✅ | ✅ | ✅ | number |
| time | ✅ | ✅ | ✅ | ✅ | number |
| to[] | ✅ | ❌ | ❌ | ❌ | string |
| type_name | ✅ | ✅ | ✅ | ✅ | string |
| type_uid | ✅ | ✅ | ✅ | ✅ | number |
| user.email_addr | ✅ | ❌ | ✅ | ❌ | string |
| user.full_name | ❌ | ✅ | ❌ | ❌ | string |
| user.name | ✅ | ✅ | ✅ | ✅ | string |
| user.type | ❌ | ✅ | ✅ | ✅ | string |
| user.type_id | ❌ | ✅ | ✅ | ✅ | number |
| user.uid | ✅ | ✅ | ✅ | ✅ | string |
| user.uid_alt | ❌ | ❌ | ✅ | ❌ | string |
| user_result.email_addr | ❌ | ❌ | ✅ | ❌ | string |
| user_result.name | ❌ | ❌ | ✅ | ❌ | string |
| user_result.type | ❌ | ❌ | ✅ | ❌ | string |
| user_result.uid | ❌ | ❌ | ✅ | ❌ | string |
| user_result.uid_alt | ❌ | ❌ | ✅ | ❌ | string |
| web_resources[].name | ❌ | ❌ | ✅ | ❌ | string |
| web_resources[].type | ❌ | ❌ | ✅ | ❌ | string |
| web_resources[].uid | ❌ | ❌ | ✅ | ❌ | string |
| web_resources[].url_string | ❌ | ❌ | ✅ | ❌ | string |


## query_groups

| Field | Okta Identity | PingOne Cloud Platform | Type |
|  --- | --- | --- | --- |
| activity_id | ✅ | ✅ | number |
| activity_name | ✅ | ✅ | string |
| category_name | ✅ | ✅ | string |
| category_uid | ✅ | ✅ | number |
| class_name | ✅ | ✅ | string |
| class_uid | ✅ | ✅ | number |
| entity.group.desc | ✅ | ✅ | string |
| entity.group.name | ✅ | ✅ | string |
| entity.group.type | ✅ | ❌ | string |
| entity.group.uid | ✅ | ✅ | string |
| entity.type | ✅ | ✅ | string |
| entity.type_id | ✅ | ✅ | number |
| entity.uid | ✅ | ✅ | string |
| metadata.product.name | ✅ | ✅ | string |
| metadata.product.vendor_name | ✅ | ✅ | string |
| metadata.version | ✅ | ✅ | string |
| severity | ✅ | ✅ | string |
| severity_id | ✅ | ✅ | number |
| time | ✅ | ✅ | number |
| type_name | ✅ | ✅ | string |
| type_uid | ✅ | ✅ | number |


## query_users

| Field | Google Workspace | Microsoft Entra ID | Okta Identity | PingOne Cloud Platform | Type |
|  --- | --- | --- | --- | --- | --- |
| activity_id | ✅ | ✅ | ✅ | ✅ | number |
| activity_name | ✅ | ✅ | ✅ | ✅ | string |
| category_name | ✅ | ✅ | ✅ | ✅ | string |
| category_uid | ✅ | ✅ | ✅ | ✅ | number |
| class_name | ✅ | ✅ | ✅ | ✅ | string |
| class_uid | ✅ | ✅ | ✅ | ✅ | number |
| entity.type | ✅ | ✅ | ✅ | ✅ | string |
| entity.type_id | ✅ | ✅ | ✅ | ✅ | number |
| entity.uid | ✅ | ✅ | ✅ | ✅ | string |
| entity.user.email_addr | ✅ | ✅ | ✅ | ✅ | string |
| entity.user.full_name | ✅ | ✅ | ✅ | ✅ | string |
| entity.user.has_mfa | ✅ | ❌ | ❌ | ✅ | boolean |
| entity.user.ldap_person.cost_center | ❌ | ❌ | ✅ | ❌ | string |
| entity.user.ldap_person.created_time | ✅ | ✅ | ✅ | ✅ | timestamp |
| entity.user.ldap_person.employee_uid | ❌ | ✅ | ✅ | ❌ | string |
| entity.user.ldap_person.given_name | ✅ | ✅ | ✅ | ✅ | string |
| entity.user.ldap_person.job_title | ❌ | ✅ | ✅ | ❌ | string |
| entity.user.ldap_person.last_login_time | ✅ | ✅ | ❌ | ❌ | timestamp |
| entity.user.ldap_person.manager.full_name | ❌ | ❌ | ✅ | ❌ | string |
| entity.user.ldap_person.modified_time | ❌ | ❌ | ✅ | ✅ | timestamp |
| entity.user.ldap_person.surname | ✅ | ✅ | ✅ | ✅ | string |
| entity.user.mfa_status | ✅ | ❌ | ❌ | ✅ | string |
| entity.user.mfa_status_id | ✅ | ❌ | ❌ | ✅ | number |
| entity.user.name | ✅ | ✅ | ✅ | ✅ | string |
| entity.user.org.name | ❌ | ✅ | ✅ | ❌ | string |
| entity.user.org.ou_name | ❌ | ✅ | ✅ | ❌ | string |
| entity.user.type | ✅ | ✅ | ✅ | ✅ | string |
| entity.user.type_id | ✅ | ✅ | ✅ | ✅ | number |
| entity.user.uid | ✅ | ✅ | ✅ | ✅ | string |
| entity.user.uid_alt | ✅ | ✅ | ✅ | ✅ | string |
| entity.user.user_status | ✅ | ✅ | ✅ | ✅ | string |
| entity.user.user_status_id | ✅ | ✅ | ✅ | ✅ | number |
| metadata.product.name | ✅ | ✅ | ✅ | ✅ | string |
| metadata.product.vendor_name | ✅ | ✅ | ✅ | ✅ | string |
| metadata.version | ✅ | ✅ | ✅ | ✅ | string |
| severity | ✅ | ✅ | ✅ | ✅ | string |
| severity_id | ✅ | ✅ | ✅ | ✅ | number |
| time | ✅ | ✅ | ✅ | ✅ | number |
| type_name | ✅ | ✅ | ✅ | ✅ | string |
| type_uid | ✅ | ✅ | ✅ | ✅ | number |