This document shows the fields supported by each provider and operation.

| Field | CrowdStrike Next-Gen SIEM | Google Security Operations | Google Security Operations (Chronicle Compatibility) | IBM QRadar SIEM | Microsoft Sentinel | Splunk Enterprise Security | Sumo Logic Cloud SIEM | Type |
|---|---|---|---|---|---|---|---|---|
| action_id | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | number |
| activity_id | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| activity_name | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| actor.app_name | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| actor.idp.name | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| actor.process.name | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | unknown |
| actor.process.pid | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | mixed |
| actor.session.uid | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| actor.user.account.name | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| actor.user.domain | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | unknown |
| actor.user.email_addr | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| actor.user.full_name | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| actor.user.name | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | mixed |
| actor.user.type | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| actor.user.type_id | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | number |
| actor.user.uid | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | mixed |
| actor.user.uid_alt | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | unknown |
| api.operation | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | string |
| auth_factors[].factor_type | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| auth_factors[].factor_type_id | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | number |
| auth_factors[].unmapped_mechanism | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | unknown |
| auth_protocol | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | string |
| auth_protocol_id | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | ❌ | number |
| category_name | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| category_uid | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| class_name | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| class_uid | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| cloud.provider | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| cloud.region | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| connection_info.boundary | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | unknown |
| connection_info.boundary_id | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | number |
| connection_info.direction | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| connection_info.direction_id | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | number |
| connection_info.protocol_name | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | unknown |
| connection_info.protocol_num | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | unknown |
| connection_info.protocol_ver | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| count | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | number |
| device.domain | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | string |
| device.hostname | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| device.ip | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | string |
| device.last_seen_time | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | timestamp |
| device.location.description | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| device.mac | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| device.os.name | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | string |
| device.os.type | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| device.os.type_id | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | number |
| device.os.version | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| device.owner.name | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| device.owner.type | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| device.owner.type_id | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | number |
| device.owner.uid_alt | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| device.type_id | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | ❌ | number |
| device.uid | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| device.unmapped_noun_process_if_device.file.fullPath | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| disposition | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ | ❌ | string |
| disposition_id | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ | ❌ | number |
| dst_endpoint.domain | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | ❌ | mixed |
| dst_endpoint.hostname | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | string |
| dst_endpoint.interface_uid | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| dst_endpoint.ip | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | string |
| dst_endpoint.location.city | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| dst_endpoint.location.country | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| dst_endpoint.location.description | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| dst_endpoint.location.lat | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | unknown |
| dst_endpoint.location.long | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | unknown |
| dst_endpoint.location.region | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| dst_endpoint.mac | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | string |
| dst_endpoint.name | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| dst_endpoint.os.name | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| dst_endpoint.owner.name | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| dst_endpoint.owner.type | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| dst_endpoint.owner.type_id | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | number |
| dst_endpoint.owner.uid_alt | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| dst_endpoint.port | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | number |
| dst_endpoint.svc_name | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| dst_endpoint.uid | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| duration | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | mixed |
| end_time | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | timestamp |
| file.name | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| file.path | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| file.type_id | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | number |
| finding_info.attacks[].sub_technique.name | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | string |
| finding_info.attacks[].sub_technique.src_url | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | string |
| finding_info.attacks[].sub_technique.uid | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | string |
| finding_info.attacks[].tactic.name | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | string |
| finding_info.attacks[].tactic.src_url | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | string |
| finding_info.attacks[].tactic.uid | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | string |
| finding_info.attacks[].technique.name | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | string |
| finding_info.attacks[].technique.src_url | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | string |
| finding_info.attacks[].technique.uid | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | string |
| finding_info.attacks[].version | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | string |
| finding_info.created_time | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | timestamp |
| finding_info.desc | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | string |
| finding_info.related_analytics[].category | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | string |
| finding_info.related_analytics[].desc | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | string |
| finding_info.related_analytics[].name | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | string |
| finding_info.related_analytics[].type | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | string |
| finding_info.related_analytics[].type_id | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | number |
| finding_info.related_analytics[].uid | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | string |
| finding_info.related_analytics[].version | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | string |
| finding_info.title | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | string |
| finding_info.uid | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | string |
| http_request.url.port | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | number |
| intermediaries[].hostname | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| is_remote | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | boolean |
| job.file.name | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| job.file.type_id | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | number |
| job.name | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| logon_process.file.path | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| logon_process.name | ❌ | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | string |
| logon_process.pid | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| logon_type | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | string |
| logon_type_id | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | number |
| message | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | string |
| metadata.correlation_uid | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | string |
| metadata.event_code | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | string |
| metadata.labels[] | ❌ | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | string |
| metadata.log_name | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | string |
| metadata.log_provider | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| metadata.log_version | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | string |
| metadata.logged_time | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | timestamp |
| metadata.processed_time | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | timestamp |
| metadata.product.name | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| metadata.product.vendor_name | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| metadata.product.version | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| metadata.tenant_uid | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | string |
| metadata.uid | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | string |
| metadata.version | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| observables[].name | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | string |
| observables[].reputation.base_score | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | number |
| observables[].reputation.provider | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | string |
| observables[].reputation.score | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | string |
| observables[].reputation.score_id | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | number |
| observables[].type | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | string |
| observables[].type_id | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | number |
| observables[].value | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | string |
| observer.name | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| process.cmd_line | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| process.file.path | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| process.group.name | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| process.group.uid | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| process.name | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| resource.labels[] | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| resource.name | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| resource.type | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| service.name | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| session.is_remote | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | boolean |
| session.uid | ✅ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | string |
| severity | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | string |
| severity_id | ✅ | ❌ | ❌ | ✅ | ✅ | ✅ | ❌ | number |
| src_endpoint.domain | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | ❌ | mixed |
| src_endpoint.hostname | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | string |
| src_endpoint.interface_uid | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| src_endpoint.ip | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | ❌ | string |
| src_endpoint.location.city | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| src_endpoint.location.country | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| src_endpoint.location.lat | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | unknown |
| src_endpoint.location.long | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | unknown |
| src_endpoint.location.region | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| src_endpoint.mac | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | string |
| src_endpoint.name | ❌ | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | string |
| src_endpoint.os.name | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| src_endpoint.os.type | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| src_endpoint.os.type_id | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | number |
| src_endpoint.owner.type | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| src_endpoint.owner.type_id | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | number |
| src_endpoint.owner.uid_alt | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | unknown |
| src_endpoint.port | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | mixed |
| src_endpoint.uid | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| start_time | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | timestamp |
| status | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | string |
| status_detail | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| status_id | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | number |
| system.type | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| system.type_id | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | number |
| test_extra | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | number |
| time | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| type_name | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| type_uid | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| user.account.name | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | ❌ | string |
| user.domain | ❌ | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | string |
| user.full_name | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| user.name | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | string |
| user.type | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| user.type_id | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | number |
| user.uid | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| user.uid_alt | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | string |