XDR search fields
The following tables display the XDR search fields, grouped by category:
Field name | Description |
---|---|
network.bytes_in | The number of bytes transferred in. The number is always higher than zero. |
network.bytes_out | The number of bytes transferred out. The number is always higher than zero. |
network.container_id | For virtualized environments, this field indicates an ID that uniquely identifies the network container. |
network.container_name | For virtualized environments, this field indicates the name of the network container. |
network.destination_ip | The destination IP address |
network.destination_port | The destination port |
network.direction | The direction of the network traffic: |
network.domain_name | The name of the domain. |
network.file_path | The path to the transferred file |
network.hostname | The host name |
network.mac | The MAC address of the endpoint making the request. |
network.protocol | The protocol used for the network traffic. |
network.request_method | The type of HTTP request method. For example: |
network.source_ip | The source IP address |
network.source_port | The source port |
network.status_code | The HTTP response code. For example: |
network.stream_type | The response method for the stream. For example: |
network.uri | The accessed URL that triggered the alert. |
Field name | Description |
---|---|
user.domain | Identity information about the tenant organization of the user (actor) who performed the action. |
user.email | The email of the user |
user.extended_properties | The extended properties for an Azure Active Directory event. |
user.external_access | Specifies whether the action was taken by someone inside or outside the organisation. |
user.id | The user ID as provided by the third party platform or application |
user.modified_properties | The field contains details about the properties that have been modified, such as property name, old value, new value. The field can contain different details, depending on the log file being processed. For more information, look for |
user.name | The name of the user |
user.operation | The operation performed on the user account: |
user.shared_with | The user that a resource was shared with. |
user.sharing_permissions | The type of sharing permissions that was assigned to the user whom the resource was shared with. |
user.target | The user that the action was performed on. |
user.team_guid | The ID of a team in Microsoft Teams. |
user.team_members | A list of the users that have been added to or removed from a team. For each user, the name of your organization and the member's email address are included. The following values indicate the Role type assigned to the user: |
user.team_name | The name of a team in Microsoft Teams. |
user.type | The type of user who performed the operation. The following values indicate the user type: |
Field name | Description |
---|---|
process.access_privileges | Indicates with what privileges the process ran: |
process.command_line | The command line that started the process. |
process.create_type | Indicates whether the process was generated using a |
process.injection_method | The method used to inject the process. |
process.injection_target_path | The path of the executable that generated the target process. |
process.injection_target_pid | The identifier of the injected process. |
process.injection_writer_path | The path of the executable that generated the writer process. |
process.injection_writer_pid | The identifier of the process that injects another process |
process.integrity_level | The process integrity level may have one of the following values: |
process.is_driver | Indicates whether the process is a driver. Possible values: |
process.module | The name of the loaded module that triggered the alert. |
process.module_pid | The identifier of the process that loaded the module. |
process.new_service_name | The new name of the service, in case it has been renamed |
process.parent_access_privileges | Indicates with what privileges the parent process ran: |
process.parent_cmdline | The command line that started the parent process. |
process.parent_integrity_level | The parent process integrity level may have one of the following values: |
process.parent_path | The parent process path |
process.parent_pid | The parent process identifier |
process.parent_user | The user who started the parent process. |
process.path | The process path |
process.pid | The process identifier |
process.service_name | The name of the service |
process.service_start_type | Indicates how a service started: |
process.target_name | For scheduled task events, this field indicates the name of the executable set to run. |
process.target_path | For scheduled task events, this field indicates the path to the executable set to run. |
process.user | The user who started the process. |
Field name | Description |
---|---|
file.attribute_operation | The type of operation involved in changing a file attribute: |
file.destination_file | The name of the file after it has been moved or copied, and then renamed. If it hasn't been renamed, the original file name is listed. |
file.destination_url | The URL of the folder where the file is uploaded. |
file.ext | The extension of the file that is being copied or moved. |
file.is_remote | Indicates whether the change made on a file happened via a remote connection: |
file.item_type | The type of object that was accessed or modified. Possible values include: |
file.md5 | The MD5 hash of the file accessed, if the file is an executable. |
file.name | The name of the file |
file.operation | The type of operation on the file: |
file.path | The path to the file that triggered the alert. |
file.sha256 | The SHA256 hash of the file accessed, if the file is an executable. |
file.site | The GUID of the site where the file or folder accessed by the user is located. |
file.size | The file size |
file.url | The direct download link of the file |
Field name | Description |
---|---|
registry.data | The registry value that has been modified. |
registry.key | The folder of the registry key that generated the alert. |
registry.operation | The type of data access: |
registry.type | The type of registry data: |
registry.value | The registry value |
Graph transitions capture interactions between nodes. Depending on these interactions, the resources involved in the alerts may differ. Find the list of searchable resource fields below.
Field name | Description |
---|---|
resource.app_address | The address of the app that receives the authentication tokens |
resource.data | Part or all of the resource-related data, displayed as a string. |
resource.id | The ID of the resource |
resource.md5 | The MD5 hash of the resource |
resource.name | The name of the resource |
resource.path | The file path to the resource |
resource.policy_type | If the resource is a policy, this field shows the policy type. |
resource.sha256 | The SHA256 hash of the resource |
resource.size | The resource size, expressed in bytes |
resource.ssh_public_key | If the resource is an SSH key, this field displays the public key. |
resource.type | The resource type: |
resource.url | If the resource is a file, the field shows the direct download link of the file. If the resource is a URL, the field displays the URL. |
Field name | Description |
---|---|
email.attachments_hashes | The attachment hashes |
email.attachments_names | The attachment names |
email.attachments_number | The number of email attachments |
email.attachments_size | The size of each of the email attachments, expressed in bytes |
email.attachments_types | The attachment types |
email.attachments_uris | A list of all the URLs found in the email |
email.bcc_address | The email address listed in the BCC field of the email |
email.bcc_name | The display name for the email address listed in the BCC field |
email.cc_address | The email address listed in the CC field of the email |
email.cc_name | The display name for the email address listed in the CC field |
email.client | The type of software used to access or send email. For example: Outlook. |
email.date | The date the email was sent. |
email.event_name | Event name |
email.id | An ID that uniquely identifies the email |
email.login_status | Identifies login failures that might have occurred in Office365. |
email.logon_type | The type of mailbox access. The following values indicate the type of user who accessed the mailbox: |
email.mailbox_guid | An ID that uniquely identifies a mailbox. |
email.mailbox_owner | The owner of the mailbox |
email.origin_ip | The IP address from where the email was sent. |
email.parameters | For Exchange admin activity, the name and value for all parameters that were used with the |
email.path | The name of the mailbox folder where the message that was accessed is located. This property also identifies the folder where a message is created or one where a message is copied or moved to. |
email.receiver | The display name and email address of the recipient |
email.receiver_address | The email address of the recipient |
email.receiver_name | The display name of the recipient |
email.sender | The display name and email address of the sender |
email.sender_address | The email address of the sender |
email.sender_name | The display name of the sender |
email.subject | The email subject |
email.to_address | The email address of the recipient |
email.to_name | The display name for the email address listed in the to field |
Field name | Description |
---|---|
alert.actions_taken | Actions taken on the file: |
alert.att&ck_subtechnique_id | Some Mitre techniques have subtechniques. This field displays the subtechnique ID. For example: |
alert.att&ck_subtechnique | Some Mitre techniques have subtechniques. This field displays the subtechnique name. |
alert.att&ck_tactic | All Mitre techniques are categorized by tactic. This field displays the tactic name. |
alert.att&ck_technique | The Mitre technique name, as documented on the official website. For example: |
alert.att&ck_technique_id | The Mitre Technique ID, as documented on the official website. For example: |
alert.description | A description of the events that generated the alert. |
alert.incident_number | Incident number |
alert.mark | Describes the type of alert. Possible values include: |
alert.name | Alert name |
alert.scan_type | The scan type: |
alert.severity_score | Alert score. The values range from |
alert.type | The type of technology that generated the alert: |
Field name | Description |
---|---|
other.agent | The user agent string, which identifies the user's browser. This information is provided by the browser. |
other.api | The name of the hooked Windows API that generated the alert. |
other.arch | The type of architecture: |
other.compliance_center_event | Indicates whether the activity was a Microsoft 365 compliance center event: |
other.detection_class | The type of detection: |
other.event_id | The unique ID of the event |
other.event_type | Event type: |
other.exclusion_id | The ID of the exclusion created by the user in GravityZone. |
other.hostname | The name of the endpoint that generated the traffic or events. |
other.organization_id | Indicates the company ID in GravityZone. |
other.os | The type of operating system. The following values are available: |
other.record_type | The type of operation indicated by the record. This property indicates the service or feature that the operation was triggered in. |
other.result_status | Indicates whether the action was successful or not: |
other.script | The script that generated the event. |
other.sensor_name | The sensor that generated the alert: |
other.user | The logged-in user at the time of the event. |