SIEM Supported Fields
Copy for LLM
Copy page as Markdown for LLMs
View as Markdown
Open this page as Markdown
Open in ChatGPT
Get insights from ChatGPT
Open in Claude
Get insights from Claude

This document shows the fields supported by each provider and operation.

query_alerts
query_events

query_alerts

Field	CrowdStrike Next-Gen SIEM	Panther SIEM	Splunk Enterprise Security	Type
activity_id	✅	✅	✅	number
activity_name	✅	✅	✅	string
actor.app_name	✅	❌	❌	string
actor.app_uid	✅	❌	❌	string
actor.process.cmd_line	✅	❌	❌	string
actor.process.created_time	✅	❌	❌	timestamp
actor.process.created_time_dt	✅	❌	❌	string
actor.process.file.hashes[].algorithm	✅	❌	❌	string
actor.process.file.hashes[].algorithm_id	✅	❌	❌	number
actor.process.file.hashes[].value	✅	❌	❌	string
actor.process.file.name	✅	❌	❌	string
actor.process.file.path	✅	❌	❌	string
actor.process.file.type_id	✅	❌	❌	number
actor.process.name	✅	❌	❌	string
actor.process.parent_process.cmd_line	✅	❌	❌	string
actor.process.parent_process.created_time	✅	❌	❌	timestamp
actor.process.parent_process.created_time_dt	✅	❌	❌	string
actor.process.parent_process.file.hashes[].algorithm	✅	❌	❌	string
actor.process.parent_process.file.hashes[].algorithm_id	✅	❌	❌	number
actor.process.parent_process.file.hashes[].value	✅	❌	❌	string
actor.process.parent_process.file.name	✅	❌	❌	string
actor.process.parent_process.file.path	✅	❌	❌	string
actor.process.parent_process.file.type	✅	❌	❌	string
actor.process.parent_process.file.type_id	✅	❌	❌	number
actor.process.parent_process.name	✅	❌	❌	string
actor.process.parent_process.parent_process.cmd_line	✅	❌	❌	string
actor.process.parent_process.parent_process.created_time	✅	❌	❌	timestamp
actor.process.parent_process.parent_process.created_time_dt	✅	❌	❌	string
actor.process.parent_process.parent_process.file.hashes[].algorithm	✅	❌	❌	string
actor.process.parent_process.parent_process.file.hashes[].algorithm_id	✅	❌	❌	number
actor.process.parent_process.parent_process.file.hashes[].value	✅	❌	❌	string
actor.process.parent_process.parent_process.file.name	✅	❌	❌	string
actor.process.parent_process.parent_process.file.path	✅	❌	❌	string
actor.process.parent_process.parent_process.file.type	✅	❌	❌	string
actor.process.parent_process.parent_process.file.type_id	✅	❌	❌	number
actor.process.parent_process.parent_process.name	✅	❌	❌	string
actor.process.parent_process.parent_process.path	✅	❌	❌	string
actor.process.parent_process.parent_process.pid	✅	❌	❌	number
actor.process.parent_process.parent_process.uid	✅	❌	❌	string
actor.process.parent_process.parent_process.user.name	✅	❌	❌	string
actor.process.parent_process.parent_process.user.uid	✅	❌	❌	string
actor.process.parent_process.path	✅	❌	❌	string
actor.process.parent_process.pid	✅	❌	❌	number
actor.process.parent_process.uid	✅	❌	❌	string
actor.process.parent_process.user.name	✅	❌	❌	string
actor.process.parent_process.user.uid	✅	❌	❌	string
actor.process.pid	✅	❌	❌	number
actor.process.terminated_time	✅	❌	❌	timestamp
actor.process.terminated_time_dt	✅	❌	❌	string
actor.process.user.name	✅	❌	❌	string
actor.process.user.uid	✅	❌	❌	string
actor.user.full_name	✅	❌	❌	string
actor.user.name	❌	❌	✅	string
actor.user.uid	✅	❌	✅	string
api.operation	✅	❌	❌	string
api.service.name	✅	❌	❌	string
attacks[].tactic.name	✅	❌	❌	string
attacks[].tactic.uid	✅	❌	❌	string
attacks[].technique.name	✅	❌	❌	string
attacks[].technique.uid	✅	❌	❌	string
category_name	✅	✅	✅	string
category_uid	✅	✅	✅	number
class_name	✅	✅	✅	string
class_uid	✅	✅	✅	number
cloud.account.uid	✅	❌	❌	string
cloud.provider	✅	❌	❌	string
cloud.region	✅	❌	❌	string
comment	✅	❌	❌	string
confidence	✅	❌	✅	string
confidence_id	✅	❌	✅	number
confidence_score	✅	❌	❌	number
device.first_seen_time	✅	❌	❌	timestamp
device.first_seen_time_dt	✅	❌	❌	string
device.hostname	✅	❌	❌	string
device.hw_info.bios_manufacturer	✅	❌	❌	string
device.hw_info.bios_ver	✅	❌	❌	string
device.hw_info.system_manufacturer	✅	❌	❌	string
device.hw_info.system_product_name	✅	❌	❌	string
device.ip	✅	❌	❌	string
device.last_seen_time	✅	❌	❌	timestamp
device.last_seen_time_dt	✅	❌	❌	string
device.mac	✅	❌	❌	string
device.modified_time	✅	❌	❌	timestamp
device.modified_time_dt	✅	❌	❌	string
device.network_interfaces[].hostname	✅	❌	❌	string
device.network_interfaces[].ip	✅	❌	❌	string
device.network_interfaces[].mac	✅	❌	❌	string
device.network_interfaces[].type_id	✅	❌	❌	number
device.os.name	✅	❌	❌	string
device.os.type	✅	❌	❌	string
device.os.type_id	✅	❌	❌	number
device.os.version	✅	❌	❌	string
device.type	✅	❌	❌	string
device.type_id	✅	❌	❌	number
device.uid	✅	❌	❌	string
device.uid_alt	✅	❌	❌	string
end_time	✅	✅	❌	timestamp
end_time_dt	✅	✅	❌	string
evidences[].connection_info.direction	✅	❌	❌	string
evidences[].connection_info.direction_id	✅	❌	❌	number
evidences[].connection_info.protocol_name	✅	❌	❌	string
evidences[].connection_info.protocol_ver	✅	❌	❌	string
evidences[].connection_info.protocol_ver_id	✅	❌	❌	number
evidences[].connection_info.session.created_time	✅	❌	❌	timestamp
evidences[].device.hostname	✅	❌	❌	string
evidences[].device.type_id	✅	❌	❌	number
evidences[].dst_endpoint.ip	✅	❌	❌	string
evidences[].dst_endpoint.port	✅	❌	❌	number
evidences[].file.hashes[].algorithm	✅	❌	❌	string
evidences[].file.hashes[].algorithm_id	✅	❌	❌	number
evidences[].file.hashes[].value	✅	❌	❌	string
evidences[].file.name	✅	❌	❌	string
evidences[].file.path	✅	❌	❌	string
evidences[].file.type_id	✅	❌	❌	number
evidences[].process.cmd_line	✅	❌	❌	string
evidences[].process.created_time	✅	❌	❌	timestamp
evidences[].process.created_time_dt	✅	❌	❌	string
evidences[].process.file.hashes[].algorithm	✅	❌	❌	string
evidences[].process.file.hashes[].algorithm_id	✅	❌	❌	number
evidences[].process.file.hashes[].value	✅	❌	❌	string
evidences[].process.file.name	✅	❌	❌	string
evidences[].process.file.path	✅	❌	❌	string
evidences[].process.file.type_id	✅	❌	❌	number
evidences[].process.name	✅	❌	❌	string
evidences[].process.parent_process.cmd_line	✅	❌	❌	string
evidences[].process.parent_process.created_time	✅	❌	❌	timestamp
evidences[].process.parent_process.created_time_dt	✅	❌	❌	string
evidences[].process.parent_process.file.hashes[].algorithm	✅	❌	❌	string
evidences[].process.parent_process.file.hashes[].algorithm_id	✅	❌	❌	number
evidences[].process.parent_process.file.hashes[].value	✅	❌	❌	string
evidences[].process.parent_process.file.name	✅	❌	❌	string
evidences[].process.parent_process.file.path	✅	❌	❌	string
evidences[].process.parent_process.file.type	✅	❌	❌	string
evidences[].process.parent_process.file.type_id	✅	❌	❌	number
evidences[].process.parent_process.name	✅	❌	❌	string
evidences[].process.parent_process.parent_process.cmd_line	✅	❌	❌	string
evidences[].process.parent_process.parent_process.created_time	✅	❌	❌	timestamp
evidences[].process.parent_process.parent_process.created_time_dt	✅	❌	❌	string
evidences[].process.parent_process.parent_process.file.hashes[].algorithm	✅	❌	❌	string
evidences[].process.parent_process.parent_process.file.hashes[].algorithm_id	✅	❌	❌	number
evidences[].process.parent_process.parent_process.file.hashes[].value	✅	❌	❌	string
evidences[].process.parent_process.parent_process.file.name	✅	❌	❌	string
evidences[].process.parent_process.parent_process.file.path	✅	❌	❌	string
evidences[].process.parent_process.parent_process.file.type	✅	❌	❌	string
evidences[].process.parent_process.parent_process.file.type_id	✅	❌	❌	number
evidences[].process.parent_process.parent_process.name	✅	❌	❌	string
evidences[].process.parent_process.parent_process.path	✅	❌	❌	string
evidences[].process.parent_process.parent_process.pid	✅	❌	❌	number
evidences[].process.parent_process.parent_process.uid	✅	❌	❌	string
evidences[].process.parent_process.parent_process.user.name	✅	❌	❌	string
evidences[].process.parent_process.parent_process.user.uid	✅	❌	❌	string
evidences[].process.parent_process.path	✅	❌	❌	string
evidences[].process.parent_process.pid	✅	❌	❌	number
evidences[].process.parent_process.uid	✅	❌	❌	string
evidences[].process.parent_process.user.name	✅	❌	❌	string
evidences[].process.pid	✅	❌	❌	number
evidences[].process.terminated_time	✅	❌	❌	timestamp
evidences[].process.terminated_time_dt	✅	❌	❌	string
evidences[].process.user.name	✅	❌	❌	string
evidences[].process.user.uid	✅	❌	❌	string
evidences[].src_endpoint.ip	✅	❌	❌	string
evidences[].src_endpoint.port	✅	❌	❌	number
evidences[].user.name	✅	❌	❌	string
evidences[].user.uid	✅	❌	❌	string
finding_info.analytic.category	❌	❌	✅	string
finding_info.analytic.name	✅	✅	✅	string
finding_info.analytic.type	✅	✅	❌	string
finding_info.analytic.type_id	✅	✅	✅	number
finding_info.analytic.uid	✅	✅	✅	string
finding_info.created_time	✅	✅	❌	timestamp
finding_info.created_time_dt	✅	✅	❌	string
finding_info.desc	✅	❌	❌	string
finding_info.last_seen_time	✅	❌	❌	timestamp
finding_info.last_seen_time_dt	✅	❌	❌	string
finding_info.product_uid	❌	❌	✅	string
finding_info.src_url	✅	❌	✅	string
finding_info.title	✅	✅	✅	string
finding_info.types[]	✅	❌	❌	string
finding_info.uid	✅	✅	✅	string
message	✅	✅	✅	string
metadata.correlation_uid	❌	❌	✅	string
metadata.event_code	❌	✅	✅	string
metadata.labels[]	❌	❌	✅	string
metadata.log_provider	❌	❌	✅	string
metadata.loggers[].logged_time	✅	❌	❌	timestamp
metadata.loggers[].logged_time_dt	✅	❌	❌	string
metadata.product.feature.name	✅	❌	❌	string
metadata.product.name	✅	✅	✅	string
metadata.product.vendor_name	✅	✅	✅	string
metadata.product.version	✅	❌	❌	string
metadata.tenant_uid	✅	❌	❌	string
metadata.uid	❌	✅	✅	string
metadata.version	✅	✅	✅	string
resources[].cloud_partition	✅	❌	❌	string
resources[].name	✅	❌	❌	string
resources[].type	✅	❌	❌	string
resources[].uid	✅	❌	❌	string
risk_details	❌	✅	❌	string
risk_level	❌	✅	❌	string
risk_level_id	❌	✅	❌	number
risk_score	✅	✅	❌	number
severity	✅	✅	✅	string
severity_id	✅	✅	✅	number
start_time	✅	✅	❌	timestamp
start_time_dt	✅	✅	❌	string
status	✅	✅	❌	string
status_id	✅	✅	✅	number
time	✅	✅	✅	number
time_dt	✅	✅	❌	string
type_name	✅	✅	✅	string
type_uid	✅	✅	✅	number
vulnerabilities[].desc	✅	❌	❌	string
vulnerabilities[].title	✅	❌	❌	string

query_events

Field	CrowdStrike Next-Gen SIEM	Google Security Operations	Google Security Operations (Chronicle Compatibility)	IBM QRadar SIEM	Microsoft Sentinel	Splunk Enterprise Security	Sumo Logic Cloud SIEM	Type
action_id	❌	❌	❌	❌	❌	✅	❌	number
activity_id	✅	✅	✅	✅	✅	✅	✅	number
activity_name	✅	✅	✅	✅	✅	✅	✅	string
actor.app_name	❌	❌	❌	❌	❌	✅	❌	string
actor.idp.name	❌	✅	✅	❌	❌	❌	❌	string
actor.process.name	❌	❌	❌	❌	✅	❌	❌	unknown
actor.process.pid	❌	✅	✅	❌	✅	❌	❌	mixed
actor.session.uid	❌	❌	❌	❌	✅	❌	❌	string
actor.user.account.name	❌	❌	❌	✅	❌	❌	❌	string
actor.user.domain	❌	❌	❌	❌	✅	❌	❌	unknown
actor.user.email_addr	❌	❌	❌	❌	❌	✅	❌	string
actor.user.full_name	❌	❌	❌	❌	❌	✅	❌	string
actor.user.name	❌	✅	✅	✅	✅	✅	❌	mixed
actor.user.type	❌	✅	✅	❌	❌	❌	❌	string
actor.user.type_id	❌	✅	✅	❌	❌	❌	❌	number
actor.user.uid	❌	❌	❌	✅	✅	❌	❌	mixed
actor.user.uid_alt	❌	✅	✅	❌	❌	❌	❌	unknown
api.operation	❌	❌	❌	❌	✅	✅	❌	string
auth_factors[].factor_type	❌	✅	✅	❌	❌	❌	❌	string
auth_factors[].factor_type_id	❌	✅	✅	❌	❌	❌	❌	number
auth_factors[].unmapped_mechanism	❌	✅	✅	❌	❌	❌	❌	unknown
auth_protocol	❌	✅	✅	✅	❌	✅	❌	string
auth_protocol_id	❌	❌	❌	✅	✅	✅	❌	number
category_name	✅	✅	✅	✅	✅	✅	✅	string
category_uid	✅	✅	✅	✅	✅	✅	✅	number
class_name	✅	✅	✅	✅	✅	✅	✅	string
class_uid	✅	✅	✅	✅	✅	✅	✅	number
cloud.provider	❌	❌	❌	❌	❌	✅	❌	string
cloud.region	❌	❌	❌	❌	❌	✅	❌	string
connection_info.boundary	❌	❌	❌	❌	✅	❌	❌	unknown
connection_info.boundary_id	❌	❌	❌	❌	✅	❌	❌	number
connection_info.direction	❌	❌	❌	❌	✅	❌	❌	string
connection_info.direction_id	❌	❌	❌	❌	✅	❌	❌	number
connection_info.protocol_name	❌	❌	❌	❌	✅	❌	❌	unknown
connection_info.protocol_num	❌	❌	❌	❌	✅	❌	❌	unknown
connection_info.protocol_ver	❌	❌	❌	❌	✅	❌	❌	string
count	✅	❌	❌	✅	❌	❌	❌	number
device.domain	❌	❌	❌	✅	✅	❌	❌	string
device.hostname	❌	❌	❌	❌	✅	❌	❌	string
device.ip	❌	❌	❌	✅	✅	❌	❌	string
device.last_seen_time	❌	❌	❌	✅	❌	❌	❌	timestamp
device.location.description	❌	❌	❌	✅	❌	❌	❌	string
device.mac	❌	❌	❌	✅	❌	❌	❌	string
device.os.name	❌	✅	✅	❌	✅	❌	❌	string
device.os.type	❌	✅	✅	❌	❌	❌	❌	string
device.os.type_id	❌	✅	✅	❌	✅	❌	❌	number
device.os.version	❌	❌	❌	❌	✅	❌	❌	string
device.owner.name	❌	✅	✅	❌	❌	❌	❌	string
device.owner.type	❌	✅	✅	❌	❌	❌	❌	string
device.owner.type_id	❌	✅	✅	❌	❌	❌	❌	number
device.owner.uid_alt	❌	✅	✅	❌	❌	❌	❌	string
device.type_id	❌	❌	❌	✅	✅	✅	❌	number
device.uid	❌	❌	❌	❌	✅	❌	❌	string
device.unmapped_noun_process_if_device.file.fullPath	❌	✅	✅	❌	❌	❌	❌	string
disposition	✅	✅	✅	❌	❌	✅	❌	string
disposition_id	✅	✅	✅	❌	❌	✅	❌	number
dst_endpoint.domain	❌	❌	❌	✅	✅	✅	❌	mixed
dst_endpoint.hostname	❌	❌	❌	✅	✅	❌	❌	string
dst_endpoint.interface_uid	❌	❌	❌	❌	✅	❌	❌	string
dst_endpoint.ip	❌	❌	❌	✅	✅	❌	❌	string
dst_endpoint.location.city	❌	❌	❌	❌	✅	❌	❌	string
dst_endpoint.location.country	❌	❌	❌	❌	✅	❌	❌	string
dst_endpoint.location.description	❌	❌	❌	✅	❌	❌	❌	string
dst_endpoint.location.lat	❌	❌	❌	❌	✅	❌	❌	unknown
dst_endpoint.location.long	❌	❌	❌	❌	✅	❌	❌	unknown
dst_endpoint.location.region	❌	❌	❌	❌	✅	❌	❌	string
dst_endpoint.mac	❌	❌	❌	✅	✅	❌	❌	string
dst_endpoint.name	❌	❌	❌	❌	❌	✅	❌	string
dst_endpoint.os.name	❌	❌	❌	❌	❌	✅	❌	string
dst_endpoint.owner.name	❌	✅	✅	❌	❌	❌	❌	string
dst_endpoint.owner.type	❌	✅	✅	❌	❌	❌	❌	string
dst_endpoint.owner.type_id	❌	✅	✅	❌	❌	❌	❌	number
dst_endpoint.owner.uid_alt	❌	✅	✅	❌	❌	❌	❌	string
dst_endpoint.port	❌	❌	❌	❌	✅	❌	❌	number
dst_endpoint.svc_name	❌	❌	❌	❌	❌	✅	❌	string
dst_endpoint.uid	❌	❌	❌	❌	✅	❌	❌	string
duration	❌	❌	❌	✅	✅	❌	❌	mixed
end_time	❌	❌	❌	✅	✅	❌	❌	timestamp
file.name	❌	❌	❌	❌	✅	❌	❌	string
file.path	❌	❌	❌	❌	✅	❌	❌	string
file.type_id	❌	❌	❌	❌	✅	❌	❌	number
finding_info.attacks[].sub_technique.name	✅	❌	❌	❌	❌	❌	❌	string
finding_info.attacks[].sub_technique.src_url	✅	❌	❌	❌	❌	❌	❌	string
finding_info.attacks[].sub_technique.uid	✅	❌	❌	❌	❌	❌	❌	string
finding_info.attacks[].tactic.name	✅	❌	❌	❌	❌	❌	❌	string
finding_info.attacks[].tactic.src_url	✅	❌	❌	❌	❌	❌	❌	string
finding_info.attacks[].tactic.uid	✅	❌	❌	❌	❌	❌	❌	string
finding_info.attacks[].technique.name	✅	❌	❌	❌	❌	❌	❌	string
finding_info.attacks[].technique.src_url	✅	❌	❌	❌	❌	❌	❌	string
finding_info.attacks[].technique.uid	✅	❌	❌	❌	❌	❌	❌	string
finding_info.attacks[].version	✅	❌	❌	❌	❌	❌	❌	string
finding_info.created_time	✅	❌	❌	❌	❌	❌	❌	timestamp
finding_info.desc	✅	❌	❌	❌	❌	❌	❌	string
finding_info.related_analytics[].category	✅	❌	❌	❌	❌	❌	❌	string
finding_info.related_analytics[].desc	✅	❌	❌	❌	❌	❌	❌	string
finding_info.related_analytics[].name	✅	❌	❌	❌	❌	❌	❌	string
finding_info.related_analytics[].type	✅	❌	❌	❌	❌	❌	❌	string
finding_info.related_analytics[].type_id	✅	❌	❌	❌	❌	❌	❌	number
finding_info.related_analytics[].uid	✅	❌	❌	❌	❌	❌	❌	string
finding_info.related_analytics[].version	✅	❌	❌	❌	❌	❌	❌	string
finding_info.title	✅	❌	❌	❌	❌	❌	❌	string
finding_info.uid	✅	❌	❌	❌	❌	❌	❌	string
http_request.url.port	❌	❌	❌	✅	❌	❌	❌	number
intermediaries[].hostname	❌	✅	✅	❌	❌	❌	❌	string
is_remote	❌	✅	✅	❌	✅	❌	❌	boolean
job.file.name	❌	❌	❌	❌	❌	✅	❌	string
job.file.type_id	❌	❌	❌	❌	❌	✅	❌	number
job.name	❌	❌	❌	❌	❌	✅	❌	string
logon_process.file.path	❌	❌	❌	❌	❌	✅	❌	string
logon_process.name	❌	❌	❌	✅	❌	✅	❌	string
logon_process.pid	❌	❌	❌	❌	❌	✅	❌	string
logon_type	✅	✅	✅	✅	✅	❌	❌	string
logon_type_id	✅	✅	✅	✅	✅	❌	❌	number
message	✅	✅	✅	✅	✅	✅	❌	string
metadata.correlation_uid	❌	✅	✅	❌	✅	❌	❌	string
metadata.event_code	❌	✅	✅	✅	❌	✅	❌	string
metadata.labels[]	❌	❌	❌	✅	❌	✅	❌	string
metadata.log_name	❌	✅	✅	✅	✅	✅	❌	string
metadata.log_provider	✅	✅	✅	✅	✅	✅	✅	string
metadata.log_version	❌	✅	✅	❌	✅	❌	❌	string
metadata.logged_time	❌	❌	❌	❌	✅	❌	❌	timestamp
metadata.processed_time	❌	✅	✅	❌	❌	❌	❌	timestamp
metadata.product.name	✅	✅	✅	✅	✅	✅	✅	string
metadata.product.vendor_name	✅	✅	✅	✅	✅	✅	✅	string
metadata.product.version	❌	❌	❌	❌	✅	❌	❌	string
metadata.tenant_uid	❌	❌	❌	✅	✅	❌	❌	string
metadata.uid	✅	✅	✅	✅	✅	✅	❌	string
metadata.version	✅	✅	✅	✅	✅	✅	✅	string
observables[].name	✅	❌	❌	❌	❌	❌	❌	string
observables[].reputation.base_score	✅	❌	❌	❌	❌	❌	❌	number
observables[].reputation.provider	✅	❌	❌	❌	❌	❌	❌	string
observables[].reputation.score	✅	❌	❌	❌	❌	❌	❌	string
observables[].reputation.score_id	✅	❌	❌	❌	❌	❌	❌	number
observables[].type	✅	❌	❌	❌	❌	❌	❌	string
observables[].type_id	✅	❌	❌	❌	❌	❌	❌	number
observables[].value	✅	❌	❌	❌	❌	❌	❌	string
observer.name	❌	❌	❌	❌	❌	✅	❌	string
process.cmd_line	❌	❌	❌	❌	❌	✅	❌	string
process.file.path	❌	❌	❌	❌	❌	✅	❌	string
process.group.name	❌	❌	❌	✅	❌	❌	❌	string
process.group.uid	❌	❌	❌	✅	❌	❌	❌	string
process.name	❌	❌	❌	❌	❌	✅	❌	string
resource.labels[]	❌	✅	✅	❌	❌	❌	❌	string
resource.name	❌	✅	✅	❌	❌	❌	❌	string
resource.type	❌	✅	✅	❌	❌	❌	❌	string
service.name	❌	❌	❌	❌	❌	✅	❌	string
session.is_remote	❌	❌	❌	❌	✅	❌	❌	boolean
session.uid	✅	❌	❌	❌	✅	✅	❌	string
severity	✅	✅	✅	✅	✅	✅	❌	string
severity_id	✅	❌	❌	✅	✅	✅	❌	number
src_endpoint.domain	❌	❌	❌	✅	✅	✅	❌	mixed
src_endpoint.hostname	❌	✅	✅	❌	✅	❌	❌	string
src_endpoint.interface_uid	❌	❌	❌	❌	✅	❌	❌	string
src_endpoint.ip	❌	❌	❌	✅	✅	✅	❌	string
src_endpoint.location.city	❌	❌	❌	❌	✅	❌	❌	string
src_endpoint.location.country	❌	❌	❌	❌	✅	❌	❌	string
src_endpoint.location.lat	❌	❌	❌	❌	✅	❌	❌	unknown
src_endpoint.location.long	❌	❌	❌	❌	✅	❌	❌	unknown
src_endpoint.location.region	❌	❌	❌	❌	✅	❌	❌	string
src_endpoint.mac	❌	❌	❌	✅	✅	❌	❌	string
src_endpoint.name	❌	❌	❌	✅	❌	✅	❌	string
src_endpoint.os.name	❌	✅	✅	❌	❌	❌	❌	string
src_endpoint.os.type	❌	✅	✅	❌	❌	❌	❌	string
src_endpoint.os.type_id	❌	✅	✅	❌	❌	❌	❌	number
src_endpoint.owner.type	❌	✅	✅	❌	❌	❌	❌	string
src_endpoint.owner.type_id	❌	✅	✅	❌	❌	❌	❌	number
src_endpoint.owner.uid_alt	❌	✅	✅	❌	❌	❌	❌	unknown
src_endpoint.port	❌	❌	❌	❌	✅	✅	❌	mixed
src_endpoint.uid	❌	❌	❌	❌	✅	❌	❌	string
start_time	✅	❌	❌	✅	❌	❌	❌	timestamp
status	✅	✅	✅	✅	✅	✅	❌	string
status_detail	✅	❌	❌	❌	✅	❌	❌	string
status_id	✅	✅	✅	✅	✅	✅	❌	number
system.type	❌	✅	✅	❌	❌	❌	❌	string
system.type_id	❌	✅	✅	❌	❌	❌	❌	number
test_extra	❌	❌	❌	❌	✅	❌	❌	number
time	✅	✅	✅	✅	✅	✅	✅	number
type_name	✅	✅	✅	✅	✅	✅	✅	string
type_uid	✅	✅	✅	✅	✅	✅	✅	number
user.account.name	❌	❌	❌	✅	✅	✅	❌	string
user.domain	❌	❌	❌	✅	❌	✅	❌	string
user.full_name	❌	❌	❌	❌	❌	✅	❌	string
user.name	❌	✅	✅	✅	✅	✅	❌	string
user.type	❌	✅	✅	❌	❌	❌	❌	string
user.type_id	❌	✅	✅	❌	❌	❌	❌	number
user.uid	❌	❌	❌	❌	✅	❌	❌	string
user.uid_alt	❌	✅	✅	❌	❌	❌	❌	string

SIEM Supported FieldsCopyCopy for LLMCopy page as Markdown for LLMsView as MarkdownOpen this page as MarkdownOpen in ChatGPTGet insights from ChatGPTOpen in ClaudeGet insights from Claude

query_alerts

query_events

Was this helpful?

SIEM Supported Fields
Copy for LLM
Copy page as Markdown for LLMs
View as Markdown
Open this page as Markdown
Open in ChatGPT
Get insights from ChatGPT
Open in Claude
Get insights from Claude