SIEM Supported Fields

This document shows the fields supported by each provider and operation.

query_events

query_events

Field	CrowdStrike Next-Gen SIEM	Google Security Operations	Google Security Operations (Chronicle Compatibility)	IBM QRadar SIEM	Microsoft Sentinel	Splunk Enterprise Security	Sumo Logic Cloud SIEM	Type
ActingAppId	❌	❌	❌	❌	✅	❌	❌	string
ActingProcessId	❌	❌	❌	❌	✅	❌	❌	string
ActorUserId	❌	❌	❌	❌	✅	❌	❌	string
ActorUserIdType	❌	❌	❌	❌	✅	❌	❌	string
ActorUserType	❌	❌	❌	❌	✅	❌	❌	string
ActorUsername	❌	❌	❌	❌	✅	❌	❌	string
ActorUsernameType	❌	❌	❌	❌	✅	❌	❌	string
AdditionalFields.cloud_provider	❌	❌	❌	❌	✅	❌	❌	string
AdditionalFields.cloud_region	❌	❌	❌	❌	✅	❌	❌	string
AdditionalFields.compliance_control	❌	❌	❌	❌	✅	❌	❌	string
AdditionalFields.compliance_requirements	❌	❌	❌	❌	✅	❌	❌	string
AdditionalFields.compliance_standards	❌	❌	❌	❌	✅	❌	❌	string
AdditionalFields.compliance_status	❌	❌	❌	❌	✅	❌	❌	string
AdditionalFields.finding_info_related_events[].type_name	❌	❌	❌	❌	✅	❌	❌	string
AdditionalFields.finding_info_related_events[].uid	❌	❌	❌	❌	✅	❌	❌	string
AdditionalFields.malware[].classification_ids	❌	❌	❌	❌	✅	❌	❌	unknown
AdditionalFields.malware[].name	❌	❌	❌	❌	✅	❌	❌	string
AdditionalFields.malware[].path	❌	❌	❌	❌	✅	❌	❌	string
AdditionalFields.observables[].name	❌	❌	❌	❌	✅	❌	❌	string
AdditionalFields.observables[].type	❌	❌	❌	❌	✅	❌	❌	string
AdditionalFields.observables[].type_id	❌	❌	❌	❌	✅	❌	❌	number
AdditionalFields.observables[].value	❌	❌	❌	❌	✅	❌	❌	string
AdditionalFields.ocsf_activity_id	❌	❌	❌	❌	✅	❌	❌	number
AdditionalFields.ocsf_activity_name	❌	❌	❌	❌	✅	❌	❌	string
AdditionalFields.ocsf_category_name	❌	❌	❌	❌	✅	❌	❌	unknown
AdditionalFields.ocsf_category_uid	❌	❌	❌	❌	✅	❌	❌	number
AdditionalFields.ocsf_class_uid	❌	❌	❌	❌	✅	❌	❌	number
AdditionalFields.ocsf_status_id	❌	❌	❌	❌	✅	❌	❌	number
AdditionalFields.ocsf_target_user_email	❌	❌	❌	❌	✅	❌	❌	string
AdditionalFields.ocsf_timezone_offset	❌	❌	❌	❌	✅	❌	❌	number
AdditionalFields.ocsf_type_name	❌	❌	❌	❌	✅	❌	❌	string
AdditionalFields.ocsf_type_uid	❌	❌	❌	❌	✅	❌	❌	number
AdditionalFields.resources[].labels[]	❌	❌	❌	❌	✅	❌	❌	string
AdditionalFields.resources[].name	❌	❌	❌	❌	✅	❌	❌	string
AdditionalFields.resources[].type	❌	❌	❌	❌	✅	❌	❌	string
AdditionalFields.resources[].uid	❌	❌	❌	❌	✅	❌	❌	string
AdditionalFields.timezone_offset	❌	❌	❌	❌	✅	❌	❌	number
AlertDescription	❌	❌	❌	❌	✅	❌	❌	string
AlertId	❌	❌	❌	❌	✅	❌	❌	string
AlertName	❌	❌	❌	❌	✅	❌	❌	string
AlertOriginalStatus	❌	❌	❌	❌	✅	❌	❌	string
AlertStatus	❌	❌	❌	❌	✅	❌	❌	string
AlertVerdict	❌	❌	❌	❌	✅	❌	❌	string
Application	❌	❌	❌	❌	✅	❌	❌	string
AttackRemediationSteps	❌	❌	❌	❌	✅	❌	❌	string
AttackTactics	❌	❌	❌	❌	✅	❌	❌	string
AttackTechniques	❌	❌	❌	❌	✅	❌	❌	string
DetectionMethod	❌	❌	❌	❌	✅	❌	❌	string
Dst	❌	❌	❌	❌	✅	❌	❌	string
Dvc	❌	❌	❌	❌	✅	❌	❌	string
DvcFQDN	❌	❌	❌	❌	✅	❌	❌	string
DvcHostname	❌	❌	❌	❌	✅	❌	❌	string
DvcId	❌	❌	❌	❌	✅	❌	❌	string
DvcIdType	❌	❌	❌	❌	✅	❌	❌	string
DvcIpAddr	❌	❌	❌	❌	✅	❌	❌	string
DvcMacAddr	❌	❌	❌	❌	✅	❌	❌	string
DvcOs	❌	❌	❌	❌	✅	❌	❌	string
DvcOsVersion	❌	❌	❌	❌	✅	❌	❌	string
DvcZone	❌	❌	❌	❌	✅	❌	❌	string
EventCount	❌	❌	❌	❌	✅	❌	❌	number
EventEndTime	❌	❌	❌	❌	✅	❌	❌	string
EventMessage	❌	❌	❌	❌	✅	❌	❌	string
EventOriginalResultDetails	❌	❌	❌	❌	✅	❌	❌	string
EventOriginalSeverity	❌	❌	❌	❌	✅	❌	❌	string
EventOriginalSubType	❌	❌	❌	❌	✅	❌	❌	string
EventOriginalType	❌	❌	❌	❌	✅	❌	❌	string
EventProduct	❌	❌	❌	❌	✅	❌	❌	string
EventProductVersion	❌	❌	❌	❌	✅	❌	❌	string
EventResult	❌	❌	❌	❌	✅	❌	❌	string
EventSchema	❌	❌	❌	❌	✅	❌	❌	string
EventSchemaVersion	❌	❌	❌	❌	✅	❌	❌	string
EventSeverity	❌	❌	❌	❌	✅	❌	❌	string
EventStartTime	❌	❌	❌	❌	✅	❌	❌	string
EventSubType	❌	❌	❌	❌	✅	❌	❌	string
EventType	❌	❌	❌	❌	✅	❌	❌	string
EventUid	❌	❌	❌	❌	✅	❌	❌	string
EventVendor	❌	❌	❌	❌	✅	❌	❌	string
Hostname	❌	❌	❌	❌	✅	❌	❌	string
IndicatorAssociation	❌	❌	❌	❌	✅	❌	❌	string
IndicatorType	❌	❌	❌	❌	✅	❌	❌	string
IpAddr	❌	❌	❌	❌	✅	❌	❌	string
LogonProtocol	❌	❌	❌	❌	✅	❌	❌	string
Object	❌	❌	❌	❌	✅	❌	❌	string
ObjectType	❌	❌	❌	❌	✅	❌	❌	string
ProcessId	❌	❌	❌	❌	✅	❌	❌	string
Rule	❌	❌	❌	❌	✅	❌	❌	string
RuleDescription	❌	❌	❌	❌	✅	❌	❌	string
RuleName	❌	❌	❌	❌	✅	❌	❌	string
RuleNumber	❌	❌	❌	❌	✅	❌	❌	string
Src	❌	❌	❌	❌	✅	❌	❌	string
SrcDescription	❌	❌	❌	❌	✅	❌	❌	string
SrcDeviceType	❌	❌	❌	❌	✅	❌	❌	string
SrcFQDN	❌	❌	❌	❌	✅	❌	❌	string
SrcHostname	❌	❌	❌	❌	✅	❌	❌	string
SrcIpAddr	❌	❌	❌	❌	✅	❌	❌	string
SrcPortNumber	❌	❌	❌	❌	✅	❌	❌	number
Target	❌	❌	❌	❌	✅	❌	❌	string
TargetAppName	❌	❌	❌	❌	✅	❌	❌	string
TargetAppType	❌	❌	❌	❌	✅	❌	❌	string
TargetDescription	❌	❌	❌	❌	✅	❌	❌	string
TargetDeviceType	❌	❌	❌	❌	✅	❌	❌	string
TargetDvcId	❌	❌	❌	❌	✅	❌	❌	string
TargetDvcIdType	❌	❌	❌	❌	✅	❌	❌	string
TargetDvcOs	❌	❌	❌	❌	✅	❌	❌	string
TargetFQDN	❌	❌	❌	❌	✅	❌	❌	string
TargetHostname	❌	❌	❌	❌	✅	❌	❌	string
TargetIpAddr	❌	❌	❌	❌	✅	❌	❌	string
TargetOriginalUserType	❌	❌	❌	❌	✅	❌	❌	string
TargetPortNumber	❌	❌	❌	❌	✅	❌	❌	number
TargetUserId	❌	❌	❌	❌	✅	❌	❌	string
TargetUserIdType	❌	❌	❌	❌	✅	❌	❌	string
TargetUserType	❌	❌	❌	❌	✅	❌	❌	string
TargetUsername	❌	❌	❌	❌	✅	❌	❌	string
TargetUsernameType	❌	❌	❌	❌	✅	❌	❌	string
ThreatCategory	❌	❌	❌	❌	✅	❌	❌	string
ThreatConfidence	❌	❌	❌	❌	✅	❌	❌	number
ThreatFirstReportedTime	❌	❌	❌	❌	✅	❌	❌	string
ThreatIsActive	❌	❌	❌	❌	✅	❌	❌	boolean
ThreatName	❌	❌	❌	❌	✅	❌	❌	string
ThreatOriginalCategory	❌	❌	❌	❌	✅	❌	❌	string
ThreatOriginalConfidence	❌	❌	❌	❌	✅	❌	❌	string
ThreatOriginalRiskLevel	❌	❌	❌	❌	✅	❌	❌	string
ThreatRiskLevel	❌	❌	❌	❌	✅	❌	❌	number
TimeGenerated	❌	❌	❌	❌	✅	❌	❌	string
User	❌	❌	❌	❌	✅	❌	❌	string
UserType	❌	❌	❌	❌	✅	❌	❌	string
action_id	❌	❌	❌	❌	❌	✅	❌	number
activity_id	✅	✅	✅	✅	✅	✅	✅	number
activity_name	✅	✅	✅	✅	✅	✅	✅	string
actor.app_name	❌	❌	❌	❌	❌	✅	❌	string
actor.idp.name	❌	✅	✅	❌	❌	❌	❌	string
actor.process.pid	❌	✅	✅	❌	❌	❌	❌	number
actor.user.email_addr	❌	❌	❌	❌	❌	✅	❌	string
actor.user.full_name	❌	❌	❌	❌	❌	✅	❌	string
actor.user.name	❌	✅	✅	❌	❌	✅	❌	string
actor.user.type	❌	✅	✅	❌	❌	❌	❌	string
actor.user.type_id	❌	✅	✅	❌	❌	❌	❌	number
actor.user.uid_alt	❌	✅	✅	❌	❌	❌	❌	unknown
api.operation	❌	❌	❌	❌	❌	✅	❌	string
auth_factors[].factor_type	❌	✅	✅	❌	❌	❌	❌	string
auth_factors[].factor_type_id	❌	✅	✅	❌	❌	❌	❌	number
auth_factors[].unmapped_mechanism	❌	✅	✅	❌	❌	❌	❌	unknown
auth_protocol	❌	✅	✅	✅	❌	✅	❌	string
auth_protocol_id	❌	❌	❌	✅	❌	✅	❌	number
category_name	✅	✅	✅	✅	✅	✅	✅	string
category_uid	✅	✅	✅	✅	✅	✅	✅	number
class_name	✅	✅	✅	✅	✅	✅	✅	string
class_uid	✅	✅	✅	✅	✅	✅	✅	number
cloud.provider	❌	❌	❌	❌	❌	✅	❌	string
cloud.region	❌	❌	❌	❌	❌	✅	❌	string
count	❌	❌	❌	✅	❌	❌	❌	number
device.domain	❌	❌	❌	✅	❌	❌	❌	string
device.ip	❌	❌	❌	✅	❌	❌	❌	string
device.last_seen_time	❌	❌	❌	✅	❌	❌	❌	timestamp
device.location.description	❌	❌	❌	✅	❌	❌	❌	string
device.mac	❌	❌	❌	✅	❌	❌	❌	string
device.os.name	❌	✅	✅	❌	❌	❌	❌	string
device.os.type	❌	✅	✅	❌	❌	❌	❌	string
device.os.type_id	❌	✅	✅	❌	❌	❌	❌	number
device.owner.name	❌	✅	✅	❌	❌	❌	❌	string
device.owner.type	❌	✅	✅	❌	❌	❌	❌	string
device.owner.type_id	❌	✅	✅	❌	❌	❌	❌	number
device.owner.uid_alt	❌	✅	✅	❌	❌	❌	❌	string
device.type_id	❌	❌	❌	❌	❌	✅	❌	number
device.unmapped_noun_process_if_device.file.fullPath	❌	✅	✅	❌	❌	❌	❌	string
disposition	❌	✅	✅	❌	❌	✅	❌	string
disposition_id	❌	✅	✅	❌	❌	✅	❌	number
dst_endpoint.domain	❌	❌	❌	✅	❌	✅	❌	string
dst_endpoint.hostname	❌	❌	❌	✅	❌	❌	❌	string
dst_endpoint.ip	❌	❌	❌	✅	❌	❌	❌	string
dst_endpoint.location.description	❌	❌	❌	✅	❌	❌	❌	string
dst_endpoint.mac	❌	❌	❌	✅	❌	❌	❌	string
dst_endpoint.name	❌	❌	❌	❌	❌	✅	❌	string
dst_endpoint.os.name	❌	❌	❌	❌	❌	✅	❌	string
dst_endpoint.owner.name	❌	✅	✅	❌	❌	❌	❌	string
dst_endpoint.owner.type	❌	✅	✅	❌	❌	❌	❌	string
dst_endpoint.owner.type_id	❌	✅	✅	❌	❌	❌	❌	number
dst_endpoint.owner.uid_alt	❌	✅	✅	❌	❌	❌	❌	string
dst_endpoint.svc_name	❌	❌	❌	❌	❌	✅	❌	string
duration	❌	❌	❌	✅	❌	❌	❌	number
end_time	❌	❌	❌	✅	❌	❌	❌	timestamp
http_request.url.port	❌	❌	❌	✅	❌	❌	❌	number
intermediaries[].hostname	❌	✅	✅	❌	❌	❌	❌	string
is_remote	❌	✅	✅	❌	❌	❌	❌	boolean
job.file.name	❌	❌	❌	❌	❌	✅	❌	string
job.file.type_id	❌	❌	❌	❌	❌	✅	❌	number
job.name	❌	❌	❌	❌	❌	✅	❌	string
logon_process.file.path	❌	❌	❌	❌	❌	✅	❌	string
logon_process.name	❌	❌	❌	✅	❌	✅	❌	string
logon_process.pid	❌	❌	❌	❌	❌	✅	❌	string
logon_type	❌	✅	✅	✅	❌	❌	❌	string
logon_type_id	❌	✅	✅	✅	❌	❌	❌	number
message	❌	✅	✅	✅	❌	✅	❌	string
metadata.correlation_uid	❌	✅	✅	❌	✅	❌	❌	string
metadata.event_code	❌	✅	✅	✅	❌	✅	❌	mixed
metadata.labels[]	❌	❌	❌	✅	❌	✅	❌	string
metadata.log_name	❌	✅	✅	✅	❌	✅	❌	string
metadata.log_provider	❌	✅	✅	✅	✅	✅	✅	string
metadata.log_version	❌	✅	✅	❌	❌	❌	❌	string
metadata.processed_time	❌	✅	✅	❌	✅	❌	❌	timestamp
metadata.product.name	✅	✅	✅	✅	✅	✅	✅	string
metadata.product.vendor_name	✅	✅	✅	✅	✅	✅	✅	string
metadata.tenant_uid	❌	❌	❌	✅	✅	❌	❌	string
metadata.uid	✅	✅	✅	✅	✅	✅	❌	string
metadata.version	✅	✅	✅	✅	✅	✅	✅	string
observer.name	❌	❌	❌	❌	❌	✅	❌	string
process.cmd_line	❌	❌	❌	❌	❌	✅	❌	string
process.file.path	❌	❌	❌	❌	❌	✅	❌	string
process.name	❌	❌	❌	❌	❌	✅	❌	string
resource.labels[]	❌	✅	✅	❌	❌	❌	❌	string
resource.name	❌	✅	✅	❌	❌	❌	❌	string
resource.type	❌	✅	✅	❌	❌	❌	❌	string
risk_level	❌	❌	❌	✅	❌	❌	❌	string
risk_level_id	❌	❌	❌	✅	❌	❌	❌	number
service.name	❌	❌	❌	❌	❌	✅	❌	string
session.uid	❌	❌	❌	❌	❌	✅	❌	string
severity	❌	✅	✅	✅	❌	✅	❌	string
severity_id	❌	❌	❌	✅	❌	✅	❌	number
src_endpoint.domain	❌	❌	❌	✅	❌	✅	❌	string
src_endpoint.hostname	❌	✅	✅	❌	❌	❌	❌	string
src_endpoint.ip	❌	❌	❌	✅	❌	✅	❌	string
src_endpoint.mac	❌	❌	❌	✅	❌	❌	❌	string
src_endpoint.name	❌	❌	❌	✅	❌	✅	❌	string
src_endpoint.os.name	❌	✅	✅	❌	❌	❌	❌	string
src_endpoint.os.type	❌	✅	✅	❌	❌	❌	❌	string
src_endpoint.os.type_id	❌	✅	✅	❌	❌	❌	❌	number
src_endpoint.owner.type	❌	✅	✅	❌	❌	❌	❌	string
src_endpoint.owner.type_id	❌	✅	✅	❌	❌	❌	❌	number
src_endpoint.owner.uid_alt	❌	✅	✅	❌	❌	❌	❌	unknown
src_endpoint.port	❌	❌	❌	❌	❌	✅	❌	string
start_time	❌	❌	❌	✅	❌	❌	❌	timestamp
status	❌	✅	✅	✅	❌	✅	❌	string
status_id	❌	✅	✅	✅	❌	✅	❌	number
system.type	❌	✅	✅	❌	❌	❌	❌	string
system.type_id	❌	✅	✅	❌	❌	❌	❌	number
time	✅	✅	✅	✅	✅	✅	✅	number
type_name	✅	✅	✅	✅	✅	✅	✅	string
type_uid	✅	✅	✅	✅	✅	✅	✅	number
user.account.name	❌	❌	❌	✅	❌	✅	❌	string
user.domain	❌	❌	❌	✅	❌	✅	❌	string
user.full_name	❌	❌	❌	❌	❌	✅	❌	string
user.name	❌	✅	✅	✅	❌	✅	❌	string
user.type	❌	✅	✅	❌	❌	❌	❌	string
user.type_id	❌	✅	✅	❌	❌	❌	❌	number
user.uid_alt	❌	✅	✅	❌	❌	❌	❌	string

SIEM Supported Fields

query_events

Was this helpful?