Predefined search fields and values

The following tables display the search fields with predefined values, grouped by category:

Network fields

Field name: network.direction
Description: The direction of the network traffic.
Predefined values:
  • outbound
  • inbound
  • both

Process fields

Field name: process.integrity_level
Description: The integrity level of the process.
Predefined values:
  • untrusted
  • low
  • medium
  • high
  • system

Field name: process.parent_integrity_level
Description: The integrity level of the parent process.
Predefined values:
  • untrusted
  • low
  • medium
  • high
  • system

Field name: process.access_privileges
Description: The privileges with which the process ran.
Predefined values:
  • elevated
  • restricted

Field name: process.parent_access_privileges
Description: The privileges with which the parent process ran.
Predefined values:
  • elevated
  • restricted

Registry fields

Field name: registry.operation
Description: The type of data access.
Predefined values:
  • read
  • write
  • create
  • delete

Field name: registry.type
Description: The type of registry data.
Predefined values:
  • none
  • sz
  • expand_sz
  • binary
  • dword
  • dword_little_endian
  • dword_big_endian
  • link
  • multi_sz
  • resource_list
  • full_resource_descriptor
  • resource_requirements_list
  • qword

User fields

Field name: user.type
Description: The type of user who performed the operation.
Predefined values:
  • user - a regular user
  • organization_administrator - an administrator in your Microsoft 365 organization
  • datacenter_account - a Microsoft datacenter administrator or datacenter system account
  • system_acount - a system account
  • application - an application
  • service - a service principal
  • custom_policy - a custom policy
  • system_policy - a system policy

Email fields

Field name: email.logon_type
Description: The type of user who accessed the mailbox.
Predefined values:
  • owner - the mailbox owner
  • administrator - an administrator
  • delegate - a delegate
  • microsoft_transport_service - the transport service in the datacenter
  • microsoft_service_account - a service account in the datacenter
  • delegated_administrator - a delegated administrator