
XDR search fields

The following tables display the XDR search fields, grouped by category:

Network fields

network.bytes_in

The number of bytes transferred in. The number is always higher than zero.

network.bytes_out

The number of bytes transferred out. The number is always higher than zero.

network.container_id

For virtualized environments, this field indicates an ID that uniquely identifies the network container.

network.container_name

For virtualized environments, this field indicates the name of the network container.

network.destination_ip

The destination IP address

network.destination_port

The destination port

network.direction

The direction of the network traffic:

  • outbound

  • inbound

  • both

network.domain_name

The name of the domain.

network.file_path

The path to the transferred file

network.hostname

The host name

network.mac

The MAC address of the endpoint making the request.

network.protocol

The protocol used for the network traffic.

network.request_method

The HTTP request method. For example: GET, POST.

network.source_ip

The source IP address

network.source_port

The source port

network.status_code

The HTTP response code. For example: 200, 300.

network.stream_type

The content type of the response stream. For example: application/x-msdownload.

network.uri

The accessed URL that triggered the alert.

User fields

user.domain

Identity information about the tenant organization of the user (actor) who performed the action.

user.email

The email of the user

user.extended_properties

The extended properties for an Azure Active Directory event.

user.external_access

Specifies whether the action was taken by someone inside or outside the organization.

user.id

The user ID as provided by the third party platform or application

user.modified_properties

The field contains details about the properties that have been modified, such as the property name, old value, and new value. The details vary depending on the log file being processed. For more information, see ModifiedProperties in the Microsoft documentation.

user.name

The name of the user

user.operation

The operation performed on the user account:

  • none

  • enable_account

  • disable_account

  • deleted_account

  • lock_account

  • unlock_account

  • change_password

  • reset_password

  • add_to_security_group

  • remove_from_security_group

  • unknown

user.shared_with

The user that a resource was shared with.

user.sharing_permissions

The type of sharing permissions that were assigned to the user with whom the resource was shared.

user.target

The user that the action was performed on.

user.team_guid

The ID of a team in Microsoft Teams.

user.team_members

A list of the users that have been added to or removed from a team. For each user, the name of your organization and the member's email address are included. The following values indicate the role type assigned to the user:

  • 1 - Indicates the Owner role.

  • 2 - Indicates the Member role.

  • 3 - Indicates the Guest role.

user.team_name

The name of a team in Microsoft Teams.

user.type

The type of user who performed the operation. The following values indicate the user type:

  • user - a regular user

  • organization_administrator - an administrator in your Microsoft 365 organization

  • datacenter_account - a Microsoft datacenter administrator or datacenter system account

  • system_acount - a system account

  • application - an application

  • service - a service principal

  • custom_policy - a custom policy

  • system_policy - a system policy

Process fields

process.access_privileges

The privileges the process ran with:

  • elevated

  • restricted

process.command_line

The command line that started the process.

process.create_type

Indicates whether the process was generated using a fork system call or the execve function.

process.injection_method

The method used to inject the process.

process.injection_target_path

The path of the executable that generated the target process.

process.injection_target_pid

The identifier of the injected process.

process.injection_writer_path

The path of the executable that generated the writer process.

process.injection_writer_pid

The identifier of the process that injects another process.

process.integrity_level

The integrity level of the process. One of the following values:

  • untrusted

  • low

  • medium

  • high

  • system

process.is_driver

Indicates whether the process is a driver. Possible values:

  • yes

  • no

process.module

The name of the loaded module that triggered the alert.

process.module_pid

The identifier of the process that loaded the module.

process.new_service_name

The new name of the service, in case it has been renamed.

process.parent_access_privileges

The privileges the parent process ran with:

  • elevated

  • restricted

process.parent_cmdline

The command line that started the parent process.

process.parent_integrity_level

The integrity level of the parent process. One of the following values:

  • untrusted

  • low

  • medium

  • high

  • system

process.parent_path

The parent process path

process.parent_pid

The parent process identifier

process.parent_user

The user who started the parent process.

process.path

The process path

process.pid

The process identifier

process.service_name

The name of the service

process.service_start_type

Indicates how a service started:

  • auto_start - The service started automatically along with the system.

  • manual_start - The service was started manually after the system startup.

  • disabled_service - The service is disabled.

  • none - The service was not started.

process.target_name

For scheduled task events, this field indicates the name of the executable set to run.

process.target_path

For scheduled task events, this field indicates the path to the executable set to run.

process.user

The user who started the process.

File fields

file.attribute_operation

The type of operation involved in changing a file attribute:

  • security_change

  • basic_attributes_change

  • datetime_change

file.destination_file

The name of the file after it has been moved or copied, and then renamed. If it hasn't been renamed, the original file name is listed.

file.destination_url

The URL of the folder where the file is uploaded.

file.ext

The extension of the file that is being copied or moved.

file.is_remote

Indicates whether the change made to a file happened over a remote connection:

  • yes

  • no

file.item_type

The type of object that was accessed or modified. Possible values include:

  • file

  • folder

  • web

  • site

  • tenant

  • library

file.md5

The MD5 hash of the file accessed, if the file is an executable.

file.name

The name of the file

file.operation

The type of operation on the file:

  • read

  • write

  • delete

  • rename

  • close

  • create

file.path

The path to the file that triggered the alert.

file.sha256

The SHA256 hash of the file accessed, if the file is an executable.

file.site

The GUID of the site where the file or folder accessed by the user is located.

file.size

The file size

file.url

The direct download link of the file

Registry fields

registry.data

The registry value that has been modified.

registry.key

The folder of the registry key that generated the alert.

registry.operation

The type of data access:

  • read

  • write

  • create

  • delete

registry.type

The type of registry data:

  • none

  • sz - A null-terminated string. It's either a Unicode or an ANSI string, depending on whether you use the Unicode or ANSI functions.

  • expand_sz - A null-terminated string that contains unexpanded references to environment variables, for example, %PATH%. It's either a Unicode or an ANSI string, depending on whether you use the Unicode or ANSI functions.

  • binary - Binary data in any form.

  • dword - A 32-bit number.

  • dword_little_endian - A 32-bit number in little-endian format.

  • dword_big_endian - A 32-bit number in big-endian format. Some UNIX systems support big-endian architectures.

  • link - A null-terminated Unicode string that contains the target path of a symbolic link that was created by calling the RegCreateKeyEx function with REG_OPTION_CREATE_LINK.

  • multi_sz - A sequence of null-terminated strings, terminated by an empty string (\0).

  • resource_list

  • full_resource_descriptor

  • resource_requirements_list

  • qword - A 64-bit number.

registry.value

The registry value

Graph transitions capture interactions between nodes. Depending on these interactions, the resources involved in the alerts may differ. Find the list of searchable resource fields below.

Resource fields

resource.app_address

The address of the app that receives the authentication tokens

resource.data

Part or all of the resource-related data, displayed as a string.

resource.id

The ID of the resource

resource.md5

The MD5 hash of the resource

resource.name

The name of the resource

resource.path

The file path to the resource

resource.policy_type

If the resource is a policy, this field shows the policy type.

resource.sha256

The SHA256 hash of the resource

resource.size

The resource size, expressed in bytes

resource.ssh_public_key

If the resource is an SSH key, this field displays the public key.

resource.type

The resource type:

  • application - The name of the application that is used as a resource.

  • email - The subject field of the email that is used as a resource.

  • file - The name of the file that is used as a resource.

  • flow - The ID of the automated email flow that is used as a resource.

  • generic - Provides general information on the resource used, where available.

  • key_vault - The name of the collection of credentials (key vault) that is used as a resource.

  • launch_template - The name of the instance configuration information (launch template) that is used as a resource.

  • policy - The name of the policy that is used as a resource.

  • role - The name of the user role that is used as a resource.

  • sharing_link - The document name from the shared link that is used as a resource.

  • ssh_key - The SSH public key that was used as a resource.

  • url - The URL address that was used as a resource.

resource.url

If the resource is a file, the field shows the direct download link of the file. If the resource is a URL, the field displays the URL.

Email fields

email.attachments_hashes

The attachment hashes

email.attachments_names

The attachment names

email.attachments_number

The number of email attachments

email.attachments_size

The size of each of the email attachments, expressed in bytes

email.attachments_types

The attachment types

email.attachments_uris

A list of all the URLs found in the email

email.bcc_address

The email address listed in the BCC field of the email

email.bcc_name

The display name for the email address listed in the BCC field

email.cc_address

The email address listed in the CC field of the email

email.cc_name

The display name for the email address listed in the CC field

email.client

The type of software used to access or send email. For example: Outlook.

email.date

The date the email was sent.

email.event_name

Event name

email.id

An ID that uniquely identifies the email

email.login_status

Identifies login failures that might have occurred in Office365.

email.logon_type

The type of mailbox access. The following values indicate the type of user who accessed the mailbox:

  • owner - a mailbox owner

  • administrator - an administrator

  • delegate - a delegate

  • microsoft_transport_service - the transport service in the datacenter

  • microsoft_service_account - a service account in the datacenter

  • delegated_administrator - a delegated administrator

email.mailbox_guid

An ID that uniquely identifies a mailbox.

email.mailbox_owner

The owner of the mailbox

email.origin_ip

The IP address from where the email was sent.

email.parameters

For Exchange admin activity, the name and value for all parameters that were used with the cmdlet that is identified in the Operation property.

email.path

The name of the mailbox folder where the message that was accessed is located. This property also identifies the folder where a message is created or one where a message is copied or moved to.

email.receiver

The display name and email address of the recipient

email.receiver_address

The email address of the recipient

email.receiver_name

The display name of the recipient

email.sender

The display name and email address of the sender

email.sender_address

The email address of the sender

email.sender_name

The display name of the sender

email.subject

The email subject

email.to_address

The email address of the recipient

email.to_name

The display name for the email address listed in the To field

Alert fields

alert.actions_taken

Actions taken on the file:

  • invalid

  • no_action

  • block

  • block_and_disinfect

  • disinfect_only

  • delete

  • quarantine

alert.att&ck_subtechnique_id

Some MITRE ATT&CK techniques have subtechniques. This field displays the subtechnique ID. For example: T1595.002.

alert.att&ck_subtechnique

Some MITRE ATT&CK techniques have subtechniques. This field displays the subtechnique name.

alert.att&ck_tactic

All MITRE ATT&CK techniques are categorized by tactic. This field displays the tactic name.

alert.att&ck_technique

The MITRE ATT&CK technique name, as documented on the official website. For example: Command and Scripting Interpreter.

alert.att&ck_technique_id

The MITRE ATT&CK technique ID, as documented on the official website. For example: T1074.

alert.description

A description of the events that generated the alert.

alert.incident_number

Incident number

alert.mark

Describes the type of alert. Possible values include:

  • info - The alert is informational; these alerts are for notification purposes only.

  • suspicious - The alert describes suspicious behavior. This value is common for EDR detections.

  • malware - The alert describes malicious behavior.

alert.name

Alert name

alert.scan_type

The scan type:

  • on_access

  • on_demand

  • http_traffic

alert.severity_score

Alert score. The values range from 1 (representing the lowest severity) to 100 (representing the highest severity).

alert.type

The type of technology that generated the alert:

  • atd - Alert triggered based on ATD behavior detections.

  • am - Alert triggered based on an Antimalware module detection.

  • hd - Alert triggered based on Antimalware Hyperdetect detections.

  • hd_report - Alert triggered based on Antimalware Hyperdetect detections while HD was set to Report mode only.

  • cmdline - Alert triggered based on the CommandLine scanning module detections.

  • ctc - Alert triggered based on an EDR engine detection.

  • ghoster - Alert triggered based on Network Attack Defense module detections.

  • sandbox - Alert triggered based on observed Sandbox behavior.

  • memory_scan - Alert triggered based on Process Memory Scanning.

  • urlstatus - Alert triggered based on the URL blocking activity.

  • gemma - Alert triggered based on ATD Code Buffers detections.

  • anomaly_detection - Alert triggered based on the Anomaly detection engine, due to an anomalous behavior detected relative to learned behaviors.

  • amsi - Alert triggered based on Windows Antimalware Scan Interface buffers.

  • dynamic_ml - Alert triggered based on inputs from ML models.

  • self_protect - Alert triggered based on Bitdefender products protecting their own components.

  • user_detection - Alert triggered based on rules written by BD users.

  • crypt_protect - Alert triggered based on the Ransomware Protection module.

  • etw - Alert triggered based on events from the Windows ETW logs.

  • user_detection_yara - Alert triggered based on rules written by BD users in the Yara language.

Other fields

other.agent

The user agent string, which identifies the user's browser. This information is provided by the browser.

other.api

The name of the hooked Windows API that generated the alert.

other.arch

The type of architecture:

  • x86

  • x64

other.compliance_center_event

Indicates that the activity was a Microsoft 365 compliance center event:

  • true

  • false

other.detection_class

The type of detection:

  • edr_detection - Alert triggered based on an EDR engine detection.

  • ransomware - Alert triggered based on Ransomware Protection module activity.

  • antimalware_scan_interface - Alert triggered based on Windows Antimalware Scan Interface buffers.

  • amsi_detection - Alert triggered based on Windows Antimalware Scan Interface buffers.

  • anomaly_detection - Alert triggered based on the Anomaly detection engine, due to an anomalous behavior detected relative to learned behaviors.

  • antimalware_detection - Alert triggered based on an Antimalware module detection.

  • atd_detection - Alert triggered based on ATD behavior detections.

  • gemma_detection - Alert triggered based on ATD Code Buffers detections.

  • hd_detection - Alert triggered based on Antimalware Hyperdetect detections.

  • hd_report_detection - Alert triggered based on Antimalware Hyperdetect detections while HD was set to Report mode only.

  • machine_learning_detection - Alert triggered based on inputs from ML models.

  • memory_scan_detection - Alert triggered based on process memory scanning.

  • network_scan_detection - Alert triggered based on Network Attack Defense module detections.

  • user_defined_detection - Alert triggered based on rules written by BD users.

  • command_line_scanning_detection - Alert triggered based on the CommandLine scanning module detections.

  • sandbox_detection - Alert triggered based on observed Sandbox behavior.

  • urlstatus_detection - Alert triggered based on the URL blocking activity.

  • cryptprotect_detection - Alert triggered based on the Ransomware Protection module.

  • etw_detection - Alert triggered based on events from the Windows ETW logs.

  • user_detection_yara - Alert triggered based on rules written by BD users in the Yara language.

other.event_id

The unique ID of the event

other.event_type

Event type:

  • raw - raw event

  • alert - EDR alert

  • xalert - XDR alert

other.exclusion_id

The ID of the exclusion created by the user in GravityZone.

other.hostname

The name of the endpoint that generated the traffic or events.

other.organization_id

Indicates the company ID in GravityZone.

other.os

The type of operating system. The following values are available:

  • windows

  • linux

  • macos

other.record_type

The type of operation indicated by the record. This property indicates the service or feature that the operation was triggered in.

other.result_status

Indicates whether the action was successful or not:

  • true

  • false

other.script

The script that generated the event.

other.sensor_name

The sensor that generated the alert:

  • atc

  • edr

  • filescan

  • trafficscan

  • office365

other.user

The logged-in user at the time of the event