Schemas

Security Events

This is the primary schema used for normalizing across data sources. Queries are written to match this schema, and data sources are converted to this schema. This unifies sources under a common language and a common data model, so analytics can be written generically and are easily shareable.

Globally provided fields

  • hostname
  • pid
  • process_name
  • process_path
  • unique_pid
  • user
  • user_domain
  • user_name
  • user_sid

file

subtype options

  • create
  • modify
  • delete

fields

  • file_name
  • file_path

image_load

fields

  • image_name
  • image_path

network

subtype options

  • incoming
  • outgoing
  • disconnect

fields

  • destination_address
  • destination_port
  • protocol
  • source_address
  • source_port
  • total_in_bytes
  • total_out_bytes

process

subtype options

  • create
  • terminate

fields

  • command_line
  • logon_id
  • parent_process_name
  • parent_process_path
  • ppid
  • unique_ppid

registry

hive options

  • hku
  • hklm

registry_type options

  • dword
  • qword
  • string
  • expand_string
  • multi_string
  • binary

fields

  • registry_data
  • registry_key
  • registry_path
  • registry_value
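The conversion step described in the introduction, as an added example that is not part of the original page or the project's own code: a constructed, Sysmon-style process record is mapped onto the process event type and then checked against the field and option lists above. The `event_type` key, the function names and the source record's key names are assumptions of this example.

```python
import ntpath
# Field and option lists copied from the schema on this page.
GLOBAL_FIELDS = {"hostname", "pid", "process_name", "process_path", "unique_pid",
                 "user", "user_domain", "user_name", "user_sid"}
SCHEMA = {  # event type -> (type-specific fields, {option field: allowed values})
    "file": ({"file_name", "file_path"},
             {"subtype": {"create", "modify", "delete"}}),
    "image_load": ({"image_name", "image_path"}, {}),
    "network": ({"destination_address", "destination_port", "protocol",
                 "source_address", "source_port", "total_in_bytes",
                 "total_out_bytes"},
                {"subtype": {"incoming", "outgoing", "disconnect"}}),
    "process": ({"command_line", "logon_id", "parent_process_name",
                 "parent_process_path", "ppid", "unique_ppid"},
                {"subtype": {"create", "terminate"}}),
    "registry": ({"registry_data", "registry_key", "registry_path", "registry_value"},
                 {"hive": {"hku", "hklm"},
                  "registry_type": {"dword", "qword", "string", "expand_string",
                                    "multi_string", "binary"}}),
}

def validate(event):
    """Return a list of problems; empty means every key and option value is listed."""
    etype = event.get("event_type")  # key name is an assumption of this example
    if etype not in SCHEMA:
        return [f"unknown event type: {etype!r}"]
    fields, options = SCHEMA[etype]
    problems = [f"{key}={event[key]!r} is not a listed option"
                for key, allowed in options.items()
                if key in event and event[key] not in allowed]
    allowed_keys = GLOBAL_FIELDS | fields | set(options) | {"event_type"}
    problems += [f"unknown field: {key}" for key in sorted(set(event) - allowed_keys)]
    return problems

def normalize_process_create(raw):
    """Map a constructed, Sysmon-style process record onto the process event type."""
    domain, _, name = raw["User"].rpartition("\\")
    return {
        "event_type": "process", "subtype": "create",
        "hostname": raw["Computer"], "pid": int(raw["ProcessId"]),
        "process_path": raw["Image"], "process_name": ntpath.basename(raw["Image"]),
        "command_line": raw["CommandLine"], "ppid": int(raw["ParentProcessId"]),
        "parent_process_path": raw["ParentImage"],
        "parent_process_name": ntpath.basename(raw["ParentImage"]),
        "user_domain": domain, "user_name": name,
    }

# Constructed sample input, not taken from a real host.
RAW = {"Computer": "ws01.example.test", "ProcessId": "4312", "ParentProcessId": "880",
       "Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami /all",
       "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"EXAMPLE\alice"}
```

Running `validate` on every converted event before it reaches the query layer catches a misspelled field or an unlisted option value at ingestion, instead of leaving an analytic that silently never matches.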