
Predefined search fields and values

The following tables list the search fields that take predefined values, grouped by category (file, alert, network, process, registry, user, email and other):

Field name

Description

Predefined values

file.operation

The type of operation that was performed on the file.

  • read

  • write

  • delete

  • rename

  • close

  • create

file.attribute_operation

The type of operation involved in changing a file attribute.

  • security_change

  • basic_attributes_change

  • datetime_change

file.item_type

The type of object that was accessed or modified.

  • file

  • folder

  • web

  • site

  • tenant

  • library

Field name

Description

Predefined values

alert.type

The type of technology that generated the alert.

  • atd

  • am

  • hd

  • atd_beta

  • hd_report

  • cmdline

  • ctc

  • ghoster

  • hd_no_report

  • sandbox

  • memory_scan

  • urlstatus

  • gemma

  • anomaly_detection

  • amsi

  • dynamic_ml

  • self_protect

  • user_detection

  • crypt_protect

  • etw

  • user_detection_yara

alert.mark

The verdict class of the alert (informational, suspicious or malicious).

  • info - the alert is informational and serves only as a notification.

  • suspicious - the alert describes suspicious behavior. This value is common for EDR detections.

  • malware - the alert describes malicious behavior.

alert.scan_type

Describes the type of scan that triggered the alert.

  • on_access

  • on_demand

  • http_traffic

alert.actions_taken

The remediation action taken on the file.

  • invalid

  • no_action

  • block

  • block_and_disinfect

  • disinfect_only

  • delete

  • quarantine

Field name

Description

Predefined values

network.direction

The direction of the network traffic.

  • outbound

  • inbound

  • both

Field name

Description

Predefined values

process.integrity_level

The Windows integrity level of the process.

  • untrusted

  • low

  • medium

  • high

  • system

process.parent_integrity_level

The Windows integrity level of the parent process.

  • untrusted

  • low

  • medium

  • high

  • system

process.access_privileges

Whether the process ran with elevated or restricted privileges.

  • elevated

  • restricted

process.parent_access_privileges

Whether the parent process ran with elevated or restricted privileges.

  • elevated

  • restricted
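The four process fields above are most useful together: a child whose integrity level is above its parent's is either a legitimate elevation (a UAC consent, a service start) or something worth a look. The following is an added example, not part of the GravityZone documentation or product. It ranks the predefined process.integrity_level values and flags events where the child runs above its parent. The JSON-lines layout, the "process.name" key and the sample events are constructed for this example; only the dotted field names and their values come from the tables above.

```python
"""Added example (not from the GravityZone documentation or product).

Ranks the predefined process.integrity_level values and flags events in
which a child process runs at a higher integrity level than its parent.
Assumptions: the JSON-lines layout, the "process.name" key and the sample
events are constructed for this example.
"""
import json
from typing import List, Optional

# Ordinal ranking of the predefined values, lowest trust first.
INTEGRITY_RANK = {"untrusted": 0, "low": 1, "medium": 2, "high": 3, "system": 4}

# Constructed sample events, one JSON object per line.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"process.name": "cmd.exe", "process.integrity_level": "high",
     "process.parent_integrity_level": "medium",
     "process.access_privileges": "elevated",
     "process.parent_access_privileges": "restricted"},
    {"process.name": "notepad.exe", "process.integrity_level": "medium",
     "process.parent_integrity_level": "medium",
     "process.access_privileges": "restricted",
     "process.parent_access_privileges": "restricted"},
    {"process.name": "svc.exe", "process.integrity_level": "system",
     "process.parent_integrity_level": "low",
     "process.access_privileges": "elevated",
     "process.parent_access_privileges": "restricted"},
    {"process.name": "iexplore.exe", "process.integrity_level": "low",
     "process.parent_integrity_level": "medium",
     "process.access_privileges": "restricted",
     "process.parent_access_privileges": "restricted"},
    # Malformed event: value is not one of the predefined levels.
    {"process.name": "odd.exe", "process.integrity_level": "unknown",
     "process.parent_integrity_level": "medium"},
])


def integrity_jump(event: dict) -> Optional[int]:
    """Levels by which the child exceeds its parent (negative = lower).

    Returns None when either field is absent or not a predefined value,
    so malformed events are skipped rather than silently scored as 0.
    """
    child = INTEGRITY_RANK.get(event.get("process.integrity_level"))
    parent = INTEGRITY_RANK.get(event.get("process.parent_integrity_level"))
    if child is None or parent is None:
        return None
    return child - parent


def find_elevations(jsonl: str) -> List[dict]:
    """One hit per event whose child integrity level is above its parent's."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        jump = integrity_jump(ev)
        if jump is None or jump <= 0:
            continue
        hits.append({
            "name": ev.get("process.name"),
            "parent_level": ev["process.parent_integrity_level"],
            "level": ev["process.integrity_level"],
            "jump": jump,
            # Kept for triage: an elevated child of a restricted parent is
            # a UAC-style elevation, not ordinary token inheritance.
            "elevated_from_restricted": (
                ev.get("process.parent_access_privileges") == "restricted"
                and ev.get("process.access_privileges") == "elevated"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_elevations(SAMPLE_EVENTS):
        print(hit)
```

A one-level medium to high jump is routine on a desktop with UAC enabled, so in practice you exclude known elevation brokers and concentrate on large jumps (low or untrusted straight to system) and on parents that should never spawn elevated children, such as a browser sandbox. Because the comparison is between two fields of the same event, it cannot be expressed as a simple predefined-value filter and is done here as post-processing of the exported events.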

Field name

Description

Predefined values

registry.operation

The type of access performed on the registry key or value.

  • read

  • write

  • create

  • delete

registry.type

The data type of the registry value.

  • none

  • sz

  • expand_sz

  • binary

  • dword

  • dword_little_endian

  • dword_big_endian

  • link

  • multi_sz

  • resource_list

  • full_resource_descriptor

  • resource_requirements_list

  • qword
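The registry.type values above are the Windows REG_* value types, and the type decides how the raw value data has to be read: UTF-16LE strings for sz, expand_sz and link, a NUL-separated list for multi_sz, fixed-width integers for the dword and qword variants. The following is an added example, not part of the GravityZone documentation or product; it maps each predefined value to its REG_* name and decodes raw value data accordingly. The sample byte strings are constructed, and the availability of raw value data next to an event's registry.type is an assumption of this example.

```python
"""Added example (not from the GravityZone documentation or product).

Decodes raw registry value data according to the predefined registry.type
values. The REG_* mapping is the standard Windows one; the sample byte
strings are constructed for this example.
"""
import struct
from typing import List, Union

# Predefined registry.type value -> Windows REG_* type name.
# On Windows, REG_DWORD and REG_DWORD_LITTLE_ENDIAN are the same type (4);
# REG_DWORD_BIG_ENDIAN (5) is distinct and rarely seen in practice.
REG_TYPE_NAMES = {
    "none": "REG_NONE",
    "sz": "REG_SZ",
    "expand_sz": "REG_EXPAND_SZ",
    "binary": "REG_BINARY",
    "dword": "REG_DWORD",
    "dword_little_endian": "REG_DWORD_LITTLE_ENDIAN",
    "dword_big_endian": "REG_DWORD_BIG_ENDIAN",
    "link": "REG_LINK",
    "multi_sz": "REG_MULTI_SZ",
    "resource_list": "REG_RESOURCE_LIST",
    "full_resource_descriptor": "REG_FULL_RESOURCE_DESCRIPTOR",
    "resource_requirements_list": "REG_RESOURCE_REQUIREMENTS_LIST",
    "qword": "REG_QWORD",
}

# Constructed samples, encoded the way the registry stores them: an
# autorun-style command line, a service dependency list and a flag.
SAMPLE_VALUES = [
    ("expand_sz",
     "%SystemRoot%\\system32\\svchost.exe -k netsvcs".encode("utf-16-le") + b"\x00\x00"),
    ("multi_sz", "RpcSs\x00Tcpip\x00\x00".encode("utf-16-le")),
    ("dword", b"\x01\x00\x00\x00"),
]


def _need(data: bytes, n: int, reg_type: str) -> bytes:
    """Truncated integer data is an error, not a silent zero."""
    if len(data) < n:
        raise ValueError(f"{reg_type} needs {n} bytes, got {len(data)}")
    return data[:n]


def decode_value(reg_type: str, data: bytes) -> Union[str, List[str], int, bytes]:
    """Interpret raw value data according to its registry.type.

    String types are UTF-16LE. A REG_SZ may or may not carry its NUL
    terminator, so decoding stops at the first NUL. A REG_MULTI_SZ is a
    NUL-separated list ending in a double NUL; empty entries are dropped.
    Odd-length string data raises UnicodeDecodeError, which is the right
    outcome for a corrupted or truncated value.
    """
    if reg_type not in REG_TYPE_NAMES:
        raise ValueError(f"not a predefined registry.type: {reg_type!r}")
    if reg_type in ("sz", "expand_sz", "link"):
        return data.decode("utf-16-le").split("\x00", 1)[0]
    if reg_type == "multi_sz":
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    if reg_type in ("dword", "dword_little_endian"):
        return struct.unpack("<I", _need(data, 4, reg_type))[0]
    if reg_type == "dword_big_endian":
        return struct.unpack(">I", _need(data, 4, reg_type))[0]
    if reg_type == "qword":
        return struct.unpack("<Q", _need(data, 8, reg_type))[0]
    # none, binary and the resource descriptor types are returned untouched.
    return data


if __name__ == "__main__":
    for reg_type, raw in SAMPLE_VALUES:
        print(REG_TYPE_NAMES[reg_type], decode_value(reg_type, raw))
```

The practical point for hunting is that the same bytes mean different things under different types: a write that stores a command line as REG_BINARY rather than REG_SZ still executes if the consumer reads it loosely, but it will not match a string search on the value data, so filter on registry.operation and the key first and decode the payload by type afterwards.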

Field name

Description

Predefined values

user.type

The type of user who performed the operation.

  • user - a regular user

  • organization_administrator - an administrator in your Microsoft 365 organization

  • datacenter_account - a Microsoft datacenter administrator or datacenter system account

  • system_acount - a system account

  • application - an application

  • service - a service principal

  • custom_policy - a custom policy

  • system_policy - a system policy

Field name

Description

Predefined values

email.logon_type

The type of user who accessed the mailbox.

  • owner - a mailbox owner

  • administrator - an administrator

  • delegate - a delegate

  • microsoft_transport_service - the transport service in the datacenter

  • microsoft_service_account - a service account in the datacenter

  • delegated_administrator - a delegated administrator

Field name

Description

Predefined values

other.event_name

The name of the event.

For a complete list of event names and their descriptions, refer to XEDR event names.

other.os

The type of operating system.

  • windows

  • linux

  • macos

other.event_type

The type of the event.

  • raw

  • alert

  • xalert

other.detection_class

The type of detection.

  • edr_detection

  • ransomware

  • antimalware_scan_interface

  • amsi_detection

  • anomaly_detection

  • antimalware_detection

  • atd_beta_detection

  • atd_detection

  • gemma_detection

  • hd_detection

  • hd_no_report_detection

  • hd_report_detection

  • machine_learning_detection

  • memory_scan_detection

  • network_scan_detection

  • user_defined_detection

  • command_line_scanning_detection

  • sandbox_detection

  • urlstatus_detection

  • cryptprotect_detection

  • etw_detection

  • user_detection_yara

other.sensor_name

The sensor that generated the alert.

  • atc

  • edr

  • filescan

  • trafficscan

  • office365

other.arch

The processor architecture of the operating system.

  • x86

  • x64

other.compliance_center_event

Indicates whether the activity was a Microsoft 365 compliance center event.

  • true

  • false

other.result_status

Indicates whether the action succeeded.

  • true

  • false