XEDR search fields

The following tables list the XEDR search fields, grouped by category (network, user, process, file, registry, email, alert and other), as indicated by the prefix of each field name:

Field name

Description

network.hostname

The hostname

network.uri

The accessed URL that triggered the alert.

network.destination_ip

The destination IP address

network.source_ip

The source IP address

network.mac

The MAC address of the endpoint making the request.

network.destination_port

The destination port

network.source_port

The source port

network.protocol

The protocol used for the network traffic.

network.bytes_in

The number of bytes received (inbound). The value is always greater than zero.

network.bytes_out

The number of bytes sent (outbound). The value is always greater than zero.

network.direction

The direction of the network traffic:

  • outbound

  • inbound

  • both

network.stream_type

The content type (MIME type) of the response stream. For example: application/x-msdownload

network.status_code

The HTTP response status code. For example: 200, 300.

network.request_method

The HTTP request method. For example: GET, POST.

network.file_path

The path to the transferred file

Field name

Description

user.name

The name of the user

user.email

The email of the user

user.type

The type of user who performed the operation. The following values indicate the user type:

  • user - a regular user

  • organization_administrator - an administrator in your Microsoft 365 organization

  • datacenter_account - a Microsoft datacenter administrator or datacenter system account

  • system_acount - a system account

  • application - an application

  • service - a service principal

  • custom_policy - a custom policy

  • system_policy - a system policy

user.id

The user ID as provided by the third-party platform or application.

user.domain

Identity information about the tenant organization of the user (actor) who performed the action.

user.shared_with

The user that a resource was shared with.

user.target

The user that the action was performed on.

user.sharing_permissions

The type of sharing permissions that was assigned to the user whom the resource was shared with.

user.modified_properties

Details about the properties that were modified, such as the property name, the old value and the new value. The contents vary depending on the log being processed. For more information, see the ModifiedProperties property in Microsoft's Office 365 Management Activity API schema documentation.

user.team_name

The name of a team in Microsoft Teams.

user.team_guid

The ID of a team in Microsoft Teams.

user.team_members

A list of the users that have been added to or removed from a team. For each user, the organization name and the member's email address are included, together with a numeric role. The following values indicate the role assigned to the user:

  • 1 - Indicates the Owner role.

  • 2 - Indicates the Member role.

  • 3 - Indicates the Guest role.

user.extended_properties

The extended properties for an Azure Active Directory event.

user.external_access

Specifies whether the action was taken by someone inside or outside the organization.

Field name

Description

process.integrity_level

The integrity level of the process. One of the following values:

  • untrusted

  • low

  • medium

  • high

  • system

process.parent_integrity_level

The integrity level of the parent process. One of the following values:

  • untrusted

  • low

  • medium

  • high

  • system

process.access_privileges

The privileges the process ran with:

  • elevated

  • restricted

process.parent_access_privileges

The privileges the parent process ran with:

  • elevated

  • restricted

process.command_line

The command line that started the process.

process.path

The process path

process.user

The user who started the process.

process.parent_pid

The parent process identifier

process.parent_path

The parent process path

process.parent_cmdline

The command line that started the parent process.

process.parent_user

The user who started the parent process.

process.module

The name of the loaded module that triggered the alert.

process.module_pid

The identifier of the process that loaded the module.

process.injection_writer_path

The path of the executable image of the writer process (the process that injects into another process).

process.injection_writer_pid

The identifier of the writer process (the process that injects into another process).

process.injection_target_path

The path of the executable image of the target process (the process being injected into).

process.injection_target_pid

The identifier of the injected process.

process.pid

The process identifier
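
The integrity-level and privilege fields above become useful when compared between a process and its parent: a child running at a higher integrity level than the parent is either a consented elevation (process.access_privileges reports elevated) or something worth a look. The following is an added example, not GravityZone code, that ranks the integrity-level values listed in the table and flags such jumps over constructed events keyed by the dotted field names above. The hostnames, PIDs and paths in the sample events are made up.

```python
"""Added example (not GravityZone code): rank the process.integrity_level and
process.parent_integrity_level values from the table above and flag child
processes that run at a higher integrity level than their parent. Events are
plain dicts keyed by the dotted XEDR field names; all sample data is constructed."""

# Integrity levels from the table, lowest to highest.
INTEGRITY_ORDER = ["untrusted", "low", "medium", "high", "system"]
INTEGRITY_RANK = {name: i for i, name in enumerate(INTEGRITY_ORDER)}


def integrity_rank(level):
    """Map an integrity-level value to a comparable rank; unknown values raise."""
    try:
        return INTEGRITY_RANK[level.lower()]
    except (KeyError, AttributeError):
        raise ValueError(f"unknown integrity level: {level!r}")


def integrity_jump(event):
    """Number of levels the child gained over its parent (0 if none or lower)."""
    child = integrity_rank(event["process.integrity_level"])
    parent = integrity_rank(event["process.parent_integrity_level"])
    return max(0, child - parent)


def find_integrity_escalations(events, min_jump=1):
    """Return one record per event whose child runs at least min_jump levels above
    its parent. A medium-to-high jump with access_privileges == "elevated" is what a
    UAC-consented elevation looks like; the 'elevated' flag is carried along so the
    analyst can separate that from larger or unexplained jumps."""
    hits = []
    for ev in events:
        jump = integrity_jump(ev)
        if jump >= min_jump:
            hits.append({
                "hostname": ev.get("other.hostname"),
                "pid": ev["process.pid"],
                "path": ev["process.path"],
                "parent_path": ev["process.parent_path"],
                "from": ev["process.parent_integrity_level"],
                "to": ev["process.integrity_level"],
                "jump": jump,
                "elevated": ev.get("process.access_privileges") == "elevated",
            })
    return hits


# Constructed sample events (hostnames, PIDs and paths are made up).
SAMPLE_EVENTS = [
    {   # normal: explorer (medium) spawns notepad (medium)
        "other.hostname": "ws-01", "process.pid": 4120, "process.parent_pid": 1337,
        "process.path": r"C:\Windows\System32\notepad.exe",
        "process.parent_path": r"C:\Windows\explorer.exe",
        "process.integrity_level": "medium", "process.parent_integrity_level": "medium",
        "process.access_privileges": "restricted",
    },
    {   # consented elevation: medium parent, high child, marked elevated
        "other.hostname": "ws-01", "process.pid": 5004, "process.parent_pid": 1337,
        "process.path": r"C:\Windows\System32\mmc.exe",
        "process.parent_path": r"C:\Windows\explorer.exe",
        "process.integrity_level": "high", "process.parent_integrity_level": "medium",
        "process.access_privileges": "elevated",
    },
    {   # worth a look: low-integrity renderer child reaching system integrity
        "other.hostname": "ws-02", "process.pid": 6610, "process.parent_pid": 2200,
        "process.path": r"C:\Users\Public\svc.exe",
        "process.parent_path": r"C:\Program Files\Browser\renderer.exe",
        "process.integrity_level": "system", "process.parent_integrity_level": "low",
        "process.access_privileges": "elevated",
    },
]

if __name__ == "__main__":
    for hit in find_integrity_escalations(SAMPLE_EVENTS):
        print(hit)
```

Raising min_jump to 2 drops the single-step medium-to-high case and keeps only the low-to-system one; in practice the same comparison can be extended to process.parent_access_privileges versus process.access_privileges (restricted parent, elevated child) using the values from the table.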

Field name

Description

file.name

The name of the file

file.path

The path to the file that triggered the alert.

file.size

The file size

file.operation

The type of operation on the file:

  • read

  • write

  • delete

  • rename

  • close

  • create

file.attribute_operation

The type of operation involved in changing a file attribute:

  • security_change

  • basic_attributes_change

  • datetime_change

file.md5

The MD5 hash of the file accessed, if the file is an executable.

file.sha256

The SHA256 hash of the file accessed, if the file is an executable.

file.ext

The extension of the file that is being copied or moved.

file.url

The direct download link of the file

file.site

The GUID of the site where the file or folder accessed by the user is located.

file.destination_url

The URL of the folder where the file is uploaded.

file.destination_file

The name of the file after it has been moved or copied and then renamed. If it hasn't been renamed, the original file name is listed.

file.item_type

The type of object that was accessed or modified. Possible values include:

  • file

  • folder

  • web

  • site

  • tenant

  • library

Field name

Description

registry.data

The data of the registry value that was modified.

registry.key

The path of the registry key that generated the alert.

registry.operation

The type of registry operation:

  • read

  • write

  • create

  • delete

registry.type

The type of registry data:

  • none

  • sz

  • expand_sz

  • binary

  • dword

  • dword_little_endian

  • dword_big_endian

  • link

  • multi_sz

  • resource_list

  • full_resource_descriptor

  • resource_requirements_list

  • qword

registry.value

The name of the registry value.

Field name

Description

email.event_name

Event name

email.sender

The email address of the sender

email.receiver

The email address of the receiver

email.attachments_uris

A list of all the URLs found in the email

email.attachments_names

The attachment names

email.attachments_hashes

The attachment hashes

email.attachments_types

The attachment types

email.attachments_number

The number of email attachments

email.subject

The email subject

email.origin_ip

The IP address from where the email was sent.

email.date

The date the email was sent.

email.path

The name of the mailbox folder where the message that was accessed is located. This property also identifies the folder where a message is created or one where a message is copied or moved to.

email.mailbox_owner

The owner of the mailbox

email.mailbox_guid

An ID that uniquely identifies a mailbox.

email.logon_type

The type of mailbox access. The following values indicate the type of user who accessed the mailbox:

  • owner - a mailbox owner

  • administrator - an administrator

  • delegate - a delegate

  • microsoft_transport_service - the transport service in the datacenter

  • microsoft_service_account - a service account in the datacenter

  • delegated_administrator - a delegated administrator

email.login_status

Identifies login failures that might have occurred in Office 365.

email.client

The type of software used to access or send email. For example: Outlook.

email.parameters

For Exchange admin activity, the name and value for all parameters that were used with the cmdlet that is identified in the Operation property.

Field name

Description

alert.name

Alert name

alert.type

The type of technology that generated the alert:

  • atd

  • am

  • hd

  • atd_beta

  • hd_report

  • cmdline

  • ctc

  • ghoster

  • hd_no_report

  • sandbox

  • memory_scan

  • urlstatus

  • gemma

  • anomaly_detection

  • amsi

  • dynamic_ml

  • self_protect

  • user_detection

  • crypt_protect

  • etw

alert.mark

Describes the type of alert. Possible values include:

  • info - the alert is informational; these alerts are just for notification purposes.

  • suspicious - the alert describes suspicious behavior. This value is common for EDR detections.

  • malware - the alert describes malicious behavior

alert.description

A description of the events that generated the alert.

alert.att&ck_technique_id

The MITRE ATT&CK technique ID, as documented on the MITRE ATT&CK website. For example: T1074.

alert.att&ck_technique

The MITRE ATT&CK technique name, as documented on the MITRE ATT&CK website. For example: Command and Scripting Interpreter.

alert.att&ck_subtechnique_id

Some MITRE ATT&CK techniques have sub-techniques. This field displays the sub-technique ID. For example: T1595.002.

alert.att&ck_subtechnique

Some MITRE ATT&CK techniques have sub-techniques. This field displays the sub-technique name.

alert.actions_taken

Actions taken on the file:

  • invalid

  • no_action

  • block

  • block_and_disinfect

  • disinfect_only

  • delete

  • quarantine

alert.scan_type

The scan type:

  • on_access

  • on_demand

  • http_traffic

alert.severity_score

Alert score. The values range from 1 (representing the lowest severity) to 100 (representing the highest severity).

alert.att&ck_tactic

All MITRE ATT&CK techniques are categorized by tactic. This field displays the tactic name.

alert.incident_number

Incident number

Field name

Description

other.api

The name of the hooked Windows API that generated the alert.

other.event_id

The unique ID of the event

other.hostname

The name of the endpoint that generated the traffic or events.

other.event_name

For a complete list of event names and their descriptions, refer to XEDR event names.

other.exclusion_id

The ID of the exclusion created by the user in GravityZone.

other.os

The type of operating system. The following values are available:

  • windows

  • linux

  • macos

other.user

The logged in user at the time of the event

other.sensor_name

The sensor that generated the alert:

  • atc

  • edr

  • filescan

  • trafficscan

  • office365

other.event_type

Event type:

  • raw

  • alert

other.detection_class

The type of detection:

  • edr_detection

  • ransomware

  • antimalware_scan_interface

  • amsi_detection

  • anomaly_detection

  • antimalware_detection

  • atd_beta_detection

  • atd_detection

  • gemma_detection

  • hd_detection

  • hd_no_report_detection

  • hd_report_detection

  • machine_learning_detection

  • memory_scan_detection

  • network_scan_detection

  • user_defined_detection

  • command_line_scanning_detection

  • sandbox_detection

  • urlstatus_detection

  • cryptprotect_detection

  • etw_detection

other.arch

The type of architecture:

  • x86

  • x64

other.agent

The user agent string, as reported by the user's browser.

other.compliance_center_event

Indicates that the activity was a Microsoft 365 compliance center event:

  • true

  • false

other.result_status

Indicates whether the action was successful or not:

  • true

  • false

other.record_type

The type of operation indicated by the record. This property indicates the service or feature that the operation was triggered in.

other.organization_id

Indicates the company ID in GravityZone.