Predefined search fields and values

Skip to main content

CLOUD SOLUTIONS

Predefined search fields and values

The following tables display the search fields with predefined values, grouped by category:

File

Field name	Predefined values
file.operation	read write delete rename close create
file.attribute_operation	security_change basic_attributes_change datetime_change
file.item_type	file folder web site tenant library

Alert

Field name	Predefined values
alert.type	atd am hd atd_beta hd_report cmdline ctc ghister hd_no_report sandbox memeory_scan urlstatus gemma anomaly_detection amsi dynamic_ml self_protect user_detection crypt_protect etw
alert.mark	info malware suspicious
alert.scan_type	on_access on_demand http_traffic
alert.actions_taken	invalid no_action block block_and_disinfect disinfect_only delete quarantine

Network

Field name	Predefined values
network.direction	outbound inbound both

Process

Field name	Predefined values
process.integrity_level	untrusted low medium high system
process.parent_integrity_level	untrusted low medium high system
process.access_privileges	elevated restricted
process.parent_access_privileges	elevated restricted

Registry

Field name	Predefined values
registry.operation	read write create delete
registry.type	none sz expand_sz binary dword dword_little_endian dword_big_endian link multi_sz resource_list full_resource_descriptor resource_requirements_list qword

User

Field name	Predefined values
user.type	user organization_administrator datacenter_account system_acount application service custom_policy system_policy

Email

Field name	Predefined values
email.logon_type	owner administrator delegate microsoft_transport_service microsoft_service_account delegated_administrator

Other

Field name	Predefined values
other.event_name
other.os	windows linux macos
other.event_type	raw alert xalert
other.detection_class	edr_detection ransomware antimalware_scan_interface amsi_detection anomaly_detection antimalware_detection atd_beta_detection atd_detection gemma_detection hd_detection hd_no_report_detection hd_report_detection machine_learning_detection memory_scan_detection network_scan_detection user_defined_detection command_line_scanning_detection sandbox_detection urlstatus_detection cryptprotect_detection etw_detection
other.sensor_name	atc edr filescan trafficscan office365
other.arch	x86 x64
other.compliance_center_event	true false
other.result_status	true false

In this section:

Was this helpful?

Would you like to provide feedback? Just click here to suggest edits.