SIEM Supported Fields
This document shows the fields supported by each provider and operation.
query_events
| Field | CrowdStrike SIEM | Google Security Operations | IBM QRadar | Microsoft Sentinel | Splunk | Sumo Logic Cloud SIEM | Type |
|---|---|---|---|---|---|---|---|
| action_id | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | number |
| activity_id | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | number |
| activity_name | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | string |
| actor.app_name | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| actor.user.email_addr | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| api.operation | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| auth_protocol | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | string |
| auth_protocol_id | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | number |
| category_name | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | string |
| category_uid | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | number |
| class_name | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | string |
| class_uid | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | number |
| cloud.provider | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| cloud.region | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| count | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | number |
| device.domain | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| device.ip | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| device.last_seen_time | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | timestamp |
| device.location.description | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| device.mac | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| device.type_id | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | number |
| disposition_id | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | number |
| dst_endpoint.domain | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | string |
| dst_endpoint.hostname | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| dst_endpoint.ip | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| dst_endpoint.location.description | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| dst_endpoint.mac | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| dst_endpoint.name | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| dst_endpoint.os.name | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| dst_endpoint.svc_name | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| duration | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | number |
| end_time | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | timestamp |
| http_request.url.port | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | number |
| job.file.name | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| job.file.type_id | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | number |
| job.name | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| logon_process.file.path | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| logon_process.name | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | string |
| logon_process.pid | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| logon_type | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| logon_type_id | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | number |
| message | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ | string |
| metadata.correlation_uid | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | string |
| metadata.event_code | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ | mixed |
| metadata.labels[] | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | string |
| metadata.log_name | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ | string |
| metadata.log_provider | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| metadata.log_version | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | string |
| metadata.processed_time | ❌ | ✅ | ❌ | ✅ | ❌ | ❌ | timestamp |
| metadata.product.name | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| metadata.product.vendor_name | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| metadata.tenant_uid | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | string |
| metadata.uid | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | string |
| metadata.version | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | string |
| risk_level | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| risk_level_id | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | number |
| session.uid | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| severity | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | string |
| severity_id | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | number |
| src_endpoint.domain | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| src_endpoint.ip | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | string |
| src_endpoint.mac | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | string |
| src_endpoint.name | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | string |
| src_endpoint.port | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | string |
| start_time | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | timestamp |
| status | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | string |
| status_id | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | number |
| time | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | number |
| type_name | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | string |
| type_uid | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | number |
| user.account.name | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | string |
| user.domain | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | string |
| user.name | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | string |