Schemas
Security Events
This is the primary schema used for normalizing across data sources. Queries are written to match this schema, and each data source is converted to it. This unifies sources under a common language and a common data model, so analytics can be written generically and are easily shareable.
Globally provided fields
- hostname
- pid
- process_name
- process_path
- unique_pid
- user
- user_domain
- user_name
- user_sid
network
subtype options
- incoming
- outgoing
- disconnect
fields
- destination_address
- destination_port
- protocol
- source_address
- source_port
- total_in_bytes
- total_out_bytes
process
subtype options
- create
- terminate
fields
- command_line
- logon_id
- original_file_name
- parent_process_name
- parent_process_path
- ppid
- unique_ppid
registry
hive options
- hku
- hklm
registry_type options
- dword
- qword
- string
- expand_string
- multi_string
- binary
fields
- registry_data
- registry_key
- registry_path
- registry_value
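As an added example (not code from the original page or from the project it documents), the following normalizer maps a constructed Sysmon-style process creation record onto the process/create schema above and validates every event against the field sets and option lists listed for network, process and registry events. The raw record's key names (Computer, ProcessId, Image, ParentImage, User, LogonId) and the treatment of hive and registry_type as enumerated fields are assumptions.

```python
import ntpath
# Field sets copied from the schema above: every event carries the global fields
# plus its type's own, and enumerated fields must hold one of the listed options.
GLOBAL_FIELDS = {"hostname", "pid", "process_name", "process_path", "unique_pid",
                 "user", "user_domain", "user_name", "user_sid"}
SCHEMA = {
    "network": {"enums": {"subtype": {"incoming", "outgoing", "disconnect"}},
                "fields": {"destination_address", "destination_port", "protocol", "source_address",
                           "source_port", "total_in_bytes", "total_out_bytes"}},
    "process": {"enums": {"subtype": {"create", "terminate"}},
                "fields": {"command_line", "logon_id", "original_file_name", "parent_process_name",
                           "parent_process_path", "ppid", "unique_ppid"}},
    "registry": {"enums": {"hive": {"hku", "hklm"},
                           "registry_type": {"dword", "qword", "string", "expand_string",
                                             "multi_string", "binary"}},
                 "fields": {"registry_data", "registry_key", "registry_path", "registry_value"}},
}
# Constructed Sysmon-style process creation record (assumed key names, not real
# telemetry): the raw shape normalize_process_create() expects.
SAMPLE_RAW = {"Computer": "ws01", "ProcessId": "4412", "ParentProcessId": "1200",
              "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir",
              "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\alice", "LogonId": "0x3e7"}

def validate(event):
    """Return the list of schema violations; an empty list means the event conforms."""
    etype = event.get("event_type")
    if etype not in SCHEMA:
        return [f"unknown event_type {etype!r}"]
    spec = SCHEMA[etype]
    allowed = GLOBAL_FIELDS | spec["fields"] | set(spec["enums"]) | {"event_type"}
    # An unknown name is usually a mapping typo that would make queries silently miss.
    errors = [f"unknown field {f!r}" for f in sorted(set(event) - allowed)]
    for field, options in spec["enums"].items():
        if event.get(field) not in options:
            errors.append(f"{field}={event.get(field)!r} not in {sorted(options)}")
    return errors

def normalize_process_create(raw):
    """Map one raw record onto the process/create schema and validate the result."""
    domain, _, name = raw["User"].partition("\\")  # "CORP\alice" -> "CORP", "alice"
    event = {"event_type": "process", "subtype": "create", "hostname": raw["Computer"],
             "pid": int(raw["ProcessId"]), "ppid": int(raw["ParentProcessId"]),
             "process_path": raw["Image"], "process_name": ntpath.basename(raw["Image"]),
             "parent_process_path": raw["ParentImage"], "command_line": raw["CommandLine"],
             "parent_process_name": ntpath.basename(raw["ParentImage"]), "logon_id": raw["LogonId"],
             "user": raw["User"], "user_domain": domain, "user_name": name}
    if errors := validate(event):
        raise ValueError("; ".join(errors))
    return event
```

Running validate() on every normalized event before it is indexed is the cheap way to catch a field name that drifted from the schema, since a query written against the schema would otherwise match nothing without any error.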