
XDR search fields

The following tables list the XDR search fields, grouped by category (network, user, process, file, registry, resource, email, alert and other):

Network fields

| Field name | Description |
| --- | --- |
| network.bytes_in | The number of bytes transferred in. The number is always higher than zero. |
| network.bytes_out | The number of bytes transferred out. The number is always higher than zero. |
| network.destination_ip | The destination IP address. |
| network.destination_port | The destination port. |
| network.direction | The direction of the network traffic: outbound, inbound or both. |
| network.file_path | The path to the transferred file. |
| network.hostname | The host name. |
| network.mac | The MAC address of the endpoint making the request. |
| network.protocol | The protocol used for the network traffic. |
| network.request_method | The HTTP request method. For example: GET, POST. |
| network.source_ip | The source IP address. |
| network.source_port | The source port. |
| network.status_code | The HTTP response status code. For example: 200, 300. |
| network.stream_type | The MIME type of the response stream. For example: application/x-msdownload. |
| network.uri | The accessed URL that triggered the alert. |

User fields

| Field name | Description |
| --- | --- |
| user.domain | Identity information about the tenant organization of the user (actor) who performed the action. |
| user.email | The email address of the user. |
| user.extended_properties | The extended properties of an Azure Active Directory event. |
| user.external_access | Specifies whether the action was taken by someone inside or outside the organization. |
| user.id | The user ID as provided by the third-party platform or application. |
| user.modified_properties | Details about the properties that were modified, such as the property name, the old value and the new value. The exact details depend on the log being processed. For more information, see ModifiedProperties in Microsoft's documentation. |
| user.name | The name of the user. |
| user.shared_with | The user that a resource was shared with. |
| user.sharing_permissions | The type of sharing permissions assigned to the user the resource was shared with. |
| user.target | The user that the action was performed on. |
| user.team_guid | The ID of a team in Microsoft Teams. |
| user.team_members | A list of the users added to or removed from a team. For each user, the name of your organization and the member's email address are included. The role type assigned to the user is indicated by: 1 (Owner role), 2 (Member role), 3 (Guest role). |
| user.team_name | The name of a team in Microsoft Teams. |
| user.type | The type of user who performed the operation: user (a regular user), organization_administrator (an administrator in your Microsoft 365 organization), datacenter_account (a Microsoft datacenter administrator or datacenter system account), system_acount (a system account), application (an application), service (a service principal), custom_policy (a custom policy), system_policy (a system policy). |

Process fields

| Field name | Description |
| --- | --- |
| process.access_privileges | The privileges the process ran with: elevated or restricted. |
| process.command_line | The command line that started the process. |
| process.injection_target_path | The path of the executable from which the target (injected) process was started. |
| process.injection_target_pid | The identifier of the injected process. |
| process.injection_writer_path | The path of the executable from which the writer (injecting) process was started. |
| process.injection_writer_pid | The identifier of the process that injects into another process. |
| process.integrity_level | The process integrity level: untrusted, low, medium, high or system. |
| process.module | The name of the loaded module that triggered the alert. |
| process.module_pid | The identifier of the process that loaded the module. |
| process.parent_access_privileges | The privileges the parent process ran with: elevated or restricted. |
| process.parent_cmdline | The command line that started the parent process. |
| process.parent_integrity_level | The parent process integrity level: untrusted, low, medium, high or system. |
| process.parent_path | The parent process path. |
| process.parent_pid | The parent process identifier. |
| process.parent_user | The user who started the parent process. |
| process.path | The process path. |
| process.pid | The process identifier. |
| process.user | The user who started the process. |

File fields

| Field name | Description |
| --- | --- |
| file.attribute_operation | The type of operation that changed a file attribute: security_change, basic_attributes_change or datetime_change. |
| file.destination_file | The name of the file after it was moved or copied and then renamed. If it was not renamed, the original file name is listed. |
| file.destination_url | The URL of the folder the file was uploaded to. |
| file.ext | The extension of the file being copied or moved. |
| file.item_type | The type of object that was accessed or modified: file, folder, web, site, tenant or library. |
| file.md5 | The MD5 hash of the accessed file, if the file is an executable. |
| file.name | The name of the file. |
| file.operation | The type of operation on the file: read, write, delete, rename, close or create. |
| file.path | The path to the file that triggered the alert. |
| file.sha256 | The SHA256 hash of the accessed file, if the file is an executable. |
| file.site | The GUID of the site where the file or folder accessed by the user is located. |
| file.size | The file size. |
| file.url | The direct download link of the file. |

Registry fields

| Field name | Description |
| --- | --- |
| registry.data | The data of the registry value that was modified. |
| registry.key | The registry key that generated the alert. |
| registry.operation | The type of data access: read, write, create or delete. |
| registry.type | The type of registry data: none, sz, expand_sz, binary, dword, dword_little_endian, dword_big_endian, link, multi_sz, resource_list, full_resource_descriptor, resource_requirements_list or qword. |
| registry.value | The registry value name. |

Resource fields

Graph transitions capture interactions between nodes. Depending on these interactions, the resources involved in an alert may differ. The searchable resource fields are listed below.

| Field name | Description |
| --- | --- |
| resource.app_address | The address of the application that receives the authentication tokens. |
| resource.data | Part or all of the resource-related data, displayed as a string. |
| resource.id | The ID of the resource. |
| resource.md5 | The MD5 hash of the resource. |
| resource.name | The name of the resource. |
| resource.path | The file path of the resource. |
| resource.policy_type | If the resource is a policy, this field shows the policy type. |
| resource.sha256 | The SHA256 hash of the resource. |
| resource.size | The resource size, in bytes. |
| resource.ssh_public_key | If the resource is an SSH key, this field displays the public key. |
| resource.type | The resource type: application, email, file, flow, generic, key_vault, launch_template, policy, role, sharing_link, ssh_key or url. |
| resource.url | If the resource is a file, the direct download link of the file. If the resource is a URL, the URL itself. |

Email fields

| Field name | Description |
| --- | --- |
| email.attachments_hashes | The attachment hashes. |
| email.attachments_names | The attachment names. |
| email.attachments_number | The number of email attachments. |
| email.attachments_size | The size of each email attachment, in bytes. |
| email.attachments_types | The attachment types. |
| email.attachments_uris | A list of all the URLs found in the email. |
| email.bcc_address | The email address listed in the BCC field of the email. |
| email.bcc_name | The display name for the email address listed in the BCC field. |
| email.cc_address | The email address listed in the CC field of the email. |
| email.cc_name | The display name for the email address listed in the CC field. |
| email.client | The software used to access or send the email. For example: Outlook. |
| email.date | The date the email was sent. |
| email.event_name | The event name. |
| email.id | An ID that uniquely identifies the email. |
| email.login_status | Identifies login failures that might have occurred in Office 365. |
| email.logon_type | The type of mailbox access, indicating the type of user who accessed the mailbox: owner (a mailbox owner), administrator (an administrator), delegate (a delegate), microsoft_transport_service (the transport service in the datacenter), microsoft_service_account (a service account in the datacenter), delegated_administrator (a delegated administrator). |
| email.mailbox_guid | An ID that uniquely identifies a mailbox. |
| email.mailbox_owner | The owner of the mailbox. |
| email.origin_ip | The IP address the email was sent from. |
| email.parameters | For Exchange admin activity, the name and value of every parameter used with the cmdlet identified in the Operation property. |
| email.path | The name of the mailbox folder containing the accessed message. This property also identifies the folder in which a message was created, or to which a message was copied or moved. |
| email.receiver | The email address of the receiver. |
| email.sender | The email address of the sender. |
| email.subject | The email subject. |
| email.to_address | The email address of the recipient. |
| email.to_name | The display name for the email address listed in the To field. |

Alert fields

| Field name | Description |
| --- | --- |
| alert.actions_taken | The action taken on the file: invalid, no_action, block, block_and_disinfect, disinfect_only, delete or quarantine. |
| alert.att&ck_subtechnique_id | Some MITRE ATT&CK techniques have sub-techniques. This field displays the sub-technique ID. For example: T1595.002. |
| alert.att&ck_subtechnique | Some MITRE ATT&CK techniques have sub-techniques. This field displays the sub-technique name. |
| alert.att&ck_tactic | Every MITRE ATT&CK technique is categorized under a tactic. This field displays the tactic name. |
| alert.att&ck_technique | The MITRE ATT&CK technique name, as documented on the official website. For example: Command and Scripting Interpreter. |
| alert.att&ck_technique_id | The MITRE ATT&CK technique ID, as documented on the official website. For example: T1074. |
| alert.description | A description of the events that generated the alert. |
| alert.incident_number | The incident number. |
| alert.mark | The type of alert: info (the alert is informational and exists for notification purposes only), suspicious (the alert describes suspicious behavior; common for EDR detections), malware (the alert describes malicious behavior). |
| alert.name | The alert name. |
| alert.scan_type | The scan type: on_access, on_demand or http_traffic. |
| alert.severity_score | The alert score, ranging from 1 (lowest severity) to 100 (highest severity). |
| alert.type | The type of technology that generated the alert: atd, am, hd, atd_beta, hd_report, cmdline, ctc, ghoster, hd_no_report, sandbox, memory_scan, urlstatus, gemma, anomaly_detection, amsi, dynamic_ml, self_protect, user_detection, crypt_protect or etw. |

Other fields

| Field name | Description |
| --- | --- |
| other.agent | The user agent string of the user's browser, as reported by the browser. |
| other.api | The name of the hooked Windows API that generated the alert. |
| other.arch | The architecture type: x86 or x64. |
| other.compliance_center_event | Indicates whether the activity was a Microsoft 365 compliance center event: true or false. |
| other.detection_class | The type of detection: edr_detection, ransomware, antimalware_scan_interface, amsi_detection, anomaly_detection, antimalware_detection, atd_beta_detection, atd_detection, gemma_detection, hd_detection, hd_no_report_detection, hd_report_detection, machine_learning_detection, memory_scan_detection, network_scan_detection, user_defined_detection, command_line_scanning_detection, sandbox_detection, urlstatus_detection, cryptprotect_detection or etw_detection. |
| other.event_id | The unique ID of the event. |
| other.event_type | The event type: raw (raw event), alert (EDR alert) or xalert (XDR alert). |
| other.exclusion_id | The ID of the exclusion created by the user in GravityZone. |
| other.hostname | The name of the endpoint that generated the traffic or events. |
| other.organization_id | The company ID in GravityZone. |
| other.os | The operating system type: windows, linux or macos. |
| other.record_type | The type of operation indicated by the record, which identifies the service or feature in which the operation was triggered. |
| other.result_status | Indicates whether the action was successful: true or false. |
| other.sensor_name | The sensor that generated the alert: atc, edr, filescan, trafficscan or office365. |
| other.user | The user logged in at the time of the event. |