PARTNERS

Predefined search fields and values

The following tables display the search fields with predefined values, grouped by category:

Field name

Predefined values

file.operation

  • read

  • write

  • delete

  • rename

  • close

  • create

file.attribute_operation

  • security_change

  • basic_attributes_change

  • datetime_change

file.item_type

  • file

  • folder

  • web

  • site

  • tenant

  • library

Field name

Predefined values

alert.type

  • atd

  • am

  • hd

  • atd_beta

  • hd_report

  • cmdline

  • ctc

  • ghister

  • hd_no_report

  • sandbox

  • memeory_scan

  • urlstatus

  • gemma

  • anomaly_detection

  • amsi

  • dynamic_ml

  • self_protect

  • user_detection

  • crypt_protect

  • etw

alert.mark

  • info

  • malware

  • suspicious

alert.scan_type

  • on_access

  • on_demand

  • http_traffic

alert.actions_taken

  • invalid

  • no_action

  • block

  • block_and_disinfect

  • disinfect_only

  • delete

  • quarantine

Field name

Predefined values

network.direction

  • outbound

  • inbound

  • both

Field name

Predefined values

process.integrity_level

  • untrusted

  • low

  • medium

  • high

  • system

process.parent_integrity_level

  • untrusted

  • low

  • medium

  • high

  • system

process.access_privileges

  • elevated

  • restricted

process.parent_access_privileges

  • elevated

  • restricted

Field name

Predefined values

registry.operation

  • read

  • write

  • create

  • delete

registry.type

  • none

  • sz

  • expand_sz

  • binary

  • dword

  • dword_little_endian

  • dword_big_endian

  • link

  • multi_sz

  • resource_list

  • full_resource_descriptor

  • resource_requirements_list

  • qword

Field name

Predefined values

user.type

  • user

  • organization_administrator

  • datacenter_account

  • system_acount

  • application

  • service

  • custom_policy

  • system_policy

Field name

Predefined values

email.logon_type

  • owner

  • administrator

  • delegate

  • microsoft_transport_service

  • microsoft_service_account

  • delegated_administrator

Field name

Predefined values

other.event_name

other.os

  • windows

  • linux

  • macos

other.event_type

  • raw

  • alert

other.detection_class

  • edr_detection

  • ransomware

  • antimalware_scan_interface

  • amsi_detection

  • anomaly_detection

  • antimalware_detection

  • atd_beta_detection

  • atd_detection

  • gemma_detection

  • hd_detection

  • hd_no_report_detection

  • hd_report_detection

  • machine_learning_detection

  • memory_scan_detection

  • network_scan_detection

  • user_defined_detection

  • command_line_scanning_detection

  • sandbox_detection

  • urlstatus_detection

  • cryptprotect_detection

  • etw_detection

other.sensor_name

  • atc

  • edr

  • filescan

  • trafficscan

  • office365

other.arch

  • x86

  • x64

other.compliance_center_event

  • true

  • false

other.result_status

  • true

  • false