qdm-1.1.0 Release Notes
Query's schema release process includes an automated step that compares proposed changes against the last stable version of the schema and preserves or deprecates key elements of older schemata. This allows Query to safely accept most changes from upstream OCSF without breaking customer configurations.
Here are the possible types of changes:
- Add
  - An element was added in the new version.
- Remove
  - An element was removed in the new version.
- Update
  - Schema was updated in the new version.
- Preserve
  - The schema changed, but the old version was preserved.
- Deprecate
  - The schema changed, but the old version was deprecated rather than removed.
- Ignore
  - A schema change was ignored because it is irrelevant to Query.
Below is a list of all changes in qdm-1.1.0. You may also jump straight to the summary.
Action | Path | New Value | Cause |
---|---|---|---|
ADD | objects.web_resource | {'caption': 'Web Resource', 'description': 'The Web... | ADD |
ADD | objects.data_security | {'caption': 'Data Security', 'description': "The Data... | ADD |
ADD | objects._entity | {'caption': 'Entity', 'name': '_entity', 'description':... | ADD |
ADD | objects.rpc_interface | {'caption': 'RPC Interface', 'name': 'rpc_interface',... | ADD |
ADD | objects.endpoint_connection | {'caption': 'Endpoint Connection', 'name':... | ADD |
ADD | objects.cve | {'caption': 'CVE', 'description': "The Common... | ADD |
ADD | objects.databucket | {'caption': 'Databucket', 'description': 'The databucket... | ADD |
ADD | objects.query_info | {'caption': 'Query Information', 'description': 'The... | ADD |
ADD | objects.resource_details | {'caption': 'Resource Details', 'description': 'The... | ADD |
ADD | objects.epss | {'caption': 'EPSS', 'description': "The Exploit... | ADD |
ADD | objects.agent | {'caption': 'Agent', 'description': 'An Agent (also... | ADD |
ADD | objects.cwe | {'caption': 'CWE', 'description': "The CWE object... | ADD |
ADD | objects.account | {'caption': 'Account', 'description': 'The Account... | ADD |
ADD | objects.ldap_person | {'caption': 'LDAP Person', 'description': 'The... | ADD |
ADD | objects.cis_csc | {'caption': 'CIS CSC', 'description': "The CIS Critical... | ADD |
ADD | objects.evidences | {'caption': 'Evidence Artifacts', 'description': 'A... | ADD |
ADD | objects.kill_chain_phase | {'caption': 'Kill Chain Phase', 'description': "The Kill... | ADD |
ADD | objects.package | {'caption': 'Software Package', 'description': "The... | ADD |
ADD | objects.affected_code | {'caption': 'Affected Code', 'description': 'The... | ADD |
ADD | objects.database | {'caption': 'Database', 'description': 'The database... | ADD |
ADD | objects.table | {'caption': 'Table', 'description': 'The table object... | ADD |
ADD | objects.security_state | {'caption': 'Security State', 'description': 'The... | ADD |
ADD | objects.metric | {'caption': 'Metric', 'description': 'The Metric object... | ADD |
ADD | objects.load_balancer | {'caption': 'Load Balancer', 'name': 'load_balancer',... | ADD |
ADD | objects.analytic | {'caption': 'Analytic', 'name': 'analytic',... | ADD |
ADD | objects.logger | {'caption': 'Logger', 'description': 'The Logger object... | ADD |
ADD | objects.organization | {'caption': 'Organization', 'description': 'The... | ADD |
ADD | objects.cis_control | {'caption': 'CIS Control', 'description': "The CIS... | ADD |
ADD | objects._resource | {'caption': 'Resource', 'description': 'The Resource... | ADD |
ADD | objects.kb_article | {'caption': 'KB Article', 'description': 'The KB Article... | ADD |
ADD | objects.related_event | {'caption': 'Related Event', 'description': 'The Related... | ADD |
ADD | objects.scan | {'caption': 'Scan', 'description': 'The Scan object... | ADD |
ADD | objects.cis_benchmark | {'caption': 'CIS Benchmark', 'description': "The CIS... | ADD |
ADD | objects.sub_technique | {'caption': 'Sub Technique', 'description': "The Sub... | ADD |
ADD | objects.extension | {'caption': 'Schema Extension', 'name': 'extension',... | ADD |
ADD | objects.finding_info | {'caption': 'Finding Information', 'description': 'The... | ADD |
ADD | objects.firewall_rule | {'caption': 'Firewall Rule', 'description': "The... | ADD |
ADD | objects.affected_package | {'caption': 'Affected Software Package', 'description':... | ADD |
ADD | objects.reg_key | {'caption': 'Registry Key', 'observable': 28, 'name':... | ADD |
ADD | objects.reg_value | {'caption': 'Registry Value', 'description': 'The... | ADD |
ADD | objects.win_resource | {'description': 'The Windows resource object describes a... | ADD |
ADD | objects.network_file_activity | {'@deprecated': {'message': "Use the new class:... | ADD |
ADD | objects.ntp_activity | {'caption': 'NTP Activity', 'description': 'The Network... | ADD |
ADD | objects.network | {'caption': 'Network', 'category': 'network',... | ADD |
ADD | objects.patch_state | {'caption': 'Operating System Patch State',... | ADD |
ADD | objects.user_inventory | {'caption': 'User Inventory Info', 'description': 'User... | ADD |
ADD | objects.device_config_state_change | {'caption': 'Device Config State Change', 'description':... | ADD |
ADD | objects.iam | {'caption': 'Identity & Access Management', 'category':... | ADD |
ADD | objects.user_access | {'caption': 'User Access Management', 'description':... | ADD |
ADD | objects.entity_management | {'caption': 'Entity Management', 'uid': 4, 'name':... | ADD |
ADD | objects.group_management | {'caption': 'Group Management', 'description': 'Group... | ADD |
ADD | objects.authorize_session | {'caption': 'Authorize Session', 'description':... | ADD |
ADD | objects.detection_finding | {'uid': 4, 'caption': 'Detection Finding', 'category':... | ADD |
ADD | objects.compliance_finding | {'uid': 3, 'caption': 'Compliance Finding', 'category':... | ADD |
ADD | objects.incident_finding | {'uid': 5, 'caption': 'Incident Finding', 'category':... | ADD |
ADD | objects.finding | {'caption': 'Finding', 'category': 'findings',... | ADD |
ADD | objects.vulnerability_finding | {'caption': 'Vulnerability Finding', 'description': 'The... | ADD |
ADD | objects.data_security_finding | {'uid': 6, 'caption': 'Data Security Finding',... | ADD |
ADD | objects.file_hosting | {'caption': 'File Hosting Activity', 'description':... | ADD |
ADD | objects.api_activity | {'uid': 3, 'description': 'API events describe general... | ADD |
ADD | objects.web_resource_access_activity | {'caption': 'Web Resource Access Activity', 'category':... | ADD |
ADD | objects.datastore_activity | {'uid': 5, 'description': 'Datastore events describe... | ADD |
ADD | objects.web_resources_activity | {'uid': 1, 'description': 'Web Resources Activity events... | ADD |
ADD | objects.application_lifecycle | {'uid': 2, 'description': 'Application Lifecycle events... | ADD |
ADD | objects.scan_activity | {'caption': 'Scan Activity', 'category': 'application',... | ADD |
REMOVE | objects.pixel_info | REMOVE | |
REMOVE | objects.identity | REMOVE | |
DEPRECATE | objects.domain_info | {'caption': 'Domain Information', 'name': 'domain_info',... | REMOVE |
DEPRECATE | objects.registry_key | {'caption': 'Registry Key', 'observable': 28, 'name':... | REMOVE |
REMOVE | objects.vnc_auth | REMOVE | |
DEPRECATE | objects.registry_value | {'caption': 'Registry Value', 'description': 'The... | REMOVE |
DEPRECATE | objects.resource | {'description': 'The resource object describes a managed... | REMOVE |
REMOVE | objects.frame_buffer | REMOVE | |
DEPRECATE | objects.related_findings | {'description': 'Related Findings object describes... | REMOVE |
REMOVE | objects.printer | REMOVE | |
REMOVE | objects.os_service | REMOVE | |
REMOVE | objects.startup_app | REMOVE | |
REMOVE | objects.event_source | REMOVE | |
REMOVE | objects.public_key_certificate | REMOVE | |
REMOVE | objects.smtp_tls | REMOVE | |
REMOVE | objects.license_info | REMOVE | |
REMOVE | events.throughput | REMOVE | |
REMOVE | events.diagnostic | REMOVE | |
REMOVE | events.mem_usage | REMOVE | |
REMOVE | events.cpu_usage | REMOVE | |
REMOVE | events.status | REMOVE | |
REMOVE | events.networks_info | REMOVE | |
REMOVE | events.service_info | REMOVE | |
REMOVE | events.user_info | REMOVE | |
REMOVE | events.peripheral_device_info | REMOVE | |
REMOVE | events.startup_app_info | REMOVE | |
REMOVE | events.kernel_object_info | REMOVE | |
REMOVE | events.network_connection_info | REMOVE | |
REMOVE | events.file_info | REMOVE | |
REMOVE | events.job_info | REMOVE | |
REMOVE | events.session_info | REMOVE | |
REMOVE | events.admin_group_info | REMOVE | |
REMOVE | events.module_info | REMOVE | |
REMOVE | events.process_info | REMOVE | |
REMOVE | events.discovery_no_result | REMOVE | |
REMOVE | events.folder_info | REMOVE | |
REMOVE | events.peripheral_activity | REMOVE | |
REMOVE | events.policy_audit | REMOVE | |
REMOVE | events.email_url_finding | REMOVE | |
REMOVE | events.email_file_finding | REMOVE | |
REMOVE | events.email_delivery_finding | REMOVE | |
REMOVE | events.email_finding | REMOVE | |
REMOVE | events.application_log | REMOVE | |
REMOVE | events.policy_change | REMOVE | |
REMOVE | events.update_available | REMOVE | |
REMOVE | events.bit_locker | REMOVE | |
REMOVE | events.registration | REMOVE | |
REMOVE | events.license_lifecycle | REMOVE | |
REMOVE | events.license_count | REMOVE | |
REMOVE | events.command_activity | REMOVE | |
REMOVE | events.license | REMOVE | |
REMOVE | events.public_key_cert_lifecycle | REMOVE | |
REMOVE | events.update | REMOVE | |
REMOVE | events.incident | REMOVE | |
REMOVE | events.incident_close | REMOVE | |
REMOVE | events.incident_update | REMOVE | |
REMOVE | events.incident_associate | REMOVE | |
REMOVE | events.incident_create | REMOVE | |
REMOVE | events.conclusion | REMOVE | |
REMOVE | events.policy | REMOVE | |
REMOVE | events.im_content_protection | REMOVE | |
REMOVE | events.unscannable_file | REMOVE | |
REMOVE | events.compliance_scan | REMOVE | |
REMOVE | events.information_protection | REMOVE | |
REMOVE | events.print_content_protection | REMOVE | |
REMOVE | events.clipboard_content_protection | REMOVE | |
REMOVE | events.network_policy | REMOVE | |
REMOVE | events.file_content_protection | REMOVE | |
REMOVE | events.scan | REMOVE | |
REMOVE | events.compliance | REMOVE | |
REMOVE | events.email_content_protection | REMOVE | |
REMOVE | events.kernel_remediation_result | REMOVE | |
REMOVE | events.file_remediation_result | REMOVE | |
REMOVE | events.network_remediation_result | REMOVE | |
REMOVE | events.process_remediation_result | REMOVE | |
REMOVE | events.remediation_no_result | REMOVE | |
REMOVE | events.session_remediation_result | REMOVE | |
REMOVE | events.remediation_result | REMOVE | |
REMOVE | events.remediation | REMOVE | |
REMOVE | events.module_remediation_result | REMOVE | |
REMOVE | events.registry_value_remediation_result | REMOVE | |
REMOVE | events.folder_remediation_result | REMOVE | |
REMOVE | events.registry_key_remediation_result | REMOVE | |
REMOVE | events.job_remediation_result | REMOVE | |
REMOVE | events.startup_app_remediation_result | REMOVE | |
REMOVE | events.service_remediation_result | REMOVE | |
REMOVE | events.database_lifecycle | REMOVE | |
REMOVE | events.database | REMOVE | |
REMOVE | events.container_lifecycle | REMOVE | |
REMOVE | events.virtualization_activity | REMOVE | |
REMOVE | events.virtual_machine_activity | REMOVE | |
REMOVE | events.rfb_activity | REMOVE | |
REMOVE | events.smtp_activity | REMOVE | |
REMOVE | events.audit | REMOVE | |
REMOVE | events.entity_management_audit | REMOVE | |
REMOVE | events.authorization | REMOVE | |
REMOVE | events.findings | REMOVE | |
REMOVE | events.inventory | REMOVE | |
REMOVE | events.cloud | REMOVE | |
REMOVE | events.cloud_storage | REMOVE | |
REMOVE | events.cloud_api | REMOVE | |
REMOVE | events.access_activity | REMOVE | |
ADD | objects.http_cookie.attributes.is_http_only | {'requirement': 'optional', 'caption': 'HTTP Only',... | ADD |
ADD | objects.http_cookie.attributes.secure.@deprecated | {'message': 'Use the <code> is_secure </code> attribute... | ADD |
ADD | objects.http_cookie.attributes.is_secure | {'requirement': 'optional', 'caption': 'Secure',... | ADD |
ADD | objects.http_cookie.attributes.http_only.@deprecated | {'message': 'Use the <code> is_http_only </code>... | ADD |
DEPRECATE | objects.http_cookie.attributes.path.type | path_t | UPDATE |
UPDATE | objects.http_cookie.description | The HTTP Cookie object, also known as a web cookie or... | UPDATE |
ADD | objects.request.attributes.data | {'description': 'The additional data that is associated... | ADD |
ADD | objects.request.attributes.containers | {'requirement': 'optional', 'caption': 'Containers',... | ADD |
UPDATE | objects.request.attributes.flags.description | The list of communication flags, normalized to the... | UPDATE |
UPDATE | objects.request.description | The Request Elements object describes characteristics of... | UPDATE |
ADD | objects.rule.constraints | {'at_least_one': ['name', 'uid']} | ADD |
UPDATE | objects.rule.description | The Rule object describes characteristics of a rule... | UPDATE |
IGNORE | objects.rule.extends | UPDATE | |
UPDATE | objects.rule.attributes.name.requirement | recommended | UPDATE |
ADD | objects.feature.constraints | {'at_least_one': ['name', 'uid']} | ADD |
REMOVE | objects.feature.attributes.version.caption | UPDATE | |
UPDATE | objects.feature.description | The Feature object provides information about the... | UPDATE |
REMOVE | objects.feature.attributes.name.caption | UPDATE | |
UPDATE | objects.feature.attributes.uid.description | The unique identifier of the feature. | UPDATE |
REMOVE | objects.feature.attributes.uid.caption | UPDATE | |
UPDATE | objects.feature.attributes.name.description | The name of the feature. | UPDATE |
IGNORE | objects.feature.extends | UPDATE | |
UPDATE | objects.feature.attributes.version.description | The version of the feature. | UPDATE |
ADD | objects.policy.constraints | {'at_least_one': ['name', 'uid']} | ADD |
ADD | objects.policy.attributes.is_applied | {'caption': 'Applied', 'description': 'A determination... | ADD |
DEPRECATE | objects.policy.attributes.type_id | {'description': 'The policy type identifier; one of:',... | REMOVE |
DEPRECATE | objects.policy.attributes.label | {'requirement': 'recommended', 'caption': 'Label',... | REMOVE |
DEPRECATE | objects.policy.attributes.type | {'description': 'The type of the policy.', 'caption':... | REMOVE |
DEPRECATE | objects.policy.attributes.rules | {'description': 'Additional rules that triggered the... | REMOVE |
DEPRECATE | objects.policy.attributes.effective_time | {'requirement': 'recommended', 'caption': 'Effective... | REMOVE |
DEPRECATE | objects.policy.attributes.rule | {'description': 'The primary rule that triggered the... | REMOVE |
UPDATE | objects.policy.attributes.name.description | The policy name. For example: <code>IAM Policy</code>. | UPDATE |
UPDATE | objects.policy.attributes.group.requirement | optional | UPDATE |
UPDATE | objects.policy.description | The policy object describes the policies that are... | UPDATE |
IGNORE | objects.policy.extends | UPDATE | |
UPDATE | objects.policy.attributes.name.requirement | recommended | UPDATE |
UPDATE | objects.policy.attributes.desc.requirement | optional | UPDATE |
ADD | objects.email_auth.attributes.dkim_signature | {'requirement': 'recommended', 'caption': 'DKIM... | ADD |
IGNORE | objects.email_auth.extension | REMOVE | |
DEPRECATE | objects.email_auth.attributes.raw_header | {'requirement': 'recommended', 'caption': 'Raw Header',... | REMOVE |
ADD | objects.tactic.constraints | {'at_least_one': ['name', 'uid']} | ADD |
ADD | objects.tactic.attributes.src_url | {'description': "The versioned permalink of the attack... | ADD |
UPDATE | objects.tactic.attributes.uid.description | The tactic ID that is associated with the attack... | UPDATE |
UPDATE | objects.tactic.attributes.uid.requirement | recommended | UPDATE |
UPDATE | objects.tactic.description | The Tactic object describes the tactic ID and/or name... | UPDATE |
IGNORE | objects.tactic.extends | UPDATE | |
UPDATE | objects.tactic.attributes.name.description | The tactic name that is associated with the attack... | UPDATE |
ADD | objects.network_traffic.attributes.bytes_in.requirement | optional | ADD |
ADD | objects.network_traffic.attributes.chunks_in | {'description': 'The number of chunks sent from the... | ADD |
ADD | objects.network_traffic.attributes.bytes_out.requirement | optional | ADD |
ADD | objects.network_traffic.attributes.chunks_out | {'description': 'The number of chunks sent from the... | ADD |
ADD | objects.network_traffic.attributes.chunks | {'description': 'The total number of chunks (in and... | ADD |
ADD | objects.network_traffic.attributes.packets_in.requirement | optional | ADD |
ADD | objects.network_traffic.attributes.packets_out.requirement | optional | ADD |
DEPRECATE | objects.network_traffic.attributes.bytes.default | REMOVE | |
DEPRECATE | objects.network_traffic.attributes.packets.default | REMOVE | |
DEPRECATE | objects.network_traffic.attributes.bytes_in.default | REMOVE | |
DEPRECATE | objects.network_traffic.attributes.packets_out.default | REMOVE | |
DEPRECATE | objects.network_traffic.attributes.packets_in.default | REMOVE | |
DEPRECATE | objects.network_traffic.attributes.bytes_out.default | REMOVE | |
UPDATE | objects.network_traffic.description | The Network Traffic object describes characteristics of... | UPDATE |
ADD | objects.tls.attributes.ja3_hash | {'requirement': 'recommended', 'caption': 'JA3 Hash',... | ADD |
ADD | objects.tls.attributes.tls_extension_list | {'requirement': 'optional', 'caption': 'TLS Extension... | ADD |
ADD | objects.tls.attributes.ja3s_hash | {'requirement': 'recommended', 'caption': 'JA3S Hash',... | ADD |
ADD | objects.tls.attributes.extension_list.@deprecated | {'message': 'Use the <code> tls_extension_list </code>... | ADD |
DEPRECATE | objects.tls.attributes.ja3s_fingerprint | {'requirement': 'recommended', 'caption': 'JAS3... | REMOVE |
DEPRECATE | objects.tls.attributes.ja3_fingerprint | {'requirement': 'recommended', 'caption': 'JA3... | REMOVE |
DEPRECATE | objects.tls.attributes.ja3_string | {'requirement': 'recommended', 'caption': 'JA3 String',... | REMOVE |
DEPRECATE | objects.tls.attributes.ja3s_string | {'requirement': 'recommended', 'caption': 'JAS3 String',... | REMOVE |
UPDATE | objects.tls.description | The Transport Layer Security (TLS) object describes the... | UPDATE |
UPDATE | objects.tls.attributes.extension_list.description | The list of TLS extensions. | UPDATE |
ADD | objects.session.attributes.is_mfa | {'requirement': 'optional', 'caption': 'Multi Factor... | ADD |
ADD | objects.session.attributes.count | {'description': 'The number of identical sessions... | ADD |
ADD | objects.session.attributes.is_remote | {'requirement': 'recommended', 'caption': 'Remote',... | ADD |
ADD | objects.session.attributes.expiration_reason | {'description': 'The reason which triggered the session... | ADD |
ADD | objects.session.attributes.is_vpn | {'requirement': 'optional', 'caption': 'VPN Session',... | ADD |
ADD | objects.session.attributes.uid_alt | {'description': 'The alternate unique identifier of the... | ADD |
ADD | objects.session.attributes.terminal | {'description': 'The Pseudo Terminal associated with the... | ADD |
ADD | objects.session.attributes.uuid | {'description': 'The universally unique identifier of... | ADD |
DEPRECATE | objects.session.attributes.mfa | {'requirement': 'optional', 'caption': 'Multi Factor... | REMOVE |
UPDATE | objects.session.description | The Session object describes details about an... | UPDATE |
UPDATE | objects.session.attributes.uid.description | The unique identifier of the session. | UPDATE |
ADD | objects.api.attributes.group | {'description': 'The information pertaining to the API... | ADD |
UPDATE | objects.api.description | The API, or Application Programming Interface, object... | UPDATE |
UPDATE | objects.api.caption | API | UPDATE |
ADD | objects.network_interface.attributes.type_id.enum.99 | {'caption': 'Other', 'description': 'The type is not... | ADD |
ADD | objects.network_interface.attributes.type_id.enum.4 | {'caption': 'Tunnel'} | ADD |
ADD | objects.network_interface.attributes.subnet_prefix | {'requirement': 'optional', 'caption': 'Subnet Prefix... | ADD |
IGNORE | objects.network_interface.profiles | REMOVE | |
REMOVE | objects.network_interface.attributes.$include | REMOVE | |
UPDATE | objects.network_interface.attributes.type_id.enum.-1 | REMOVE | |
DEPRECATE | objects.network_interface.attributes.type_id.default | REMOVE | |
DEPRECATE | objects.network_interface.attributes.reputation | {'requirement': 'optional', 'caption': 'Reputation... | REMOVE |
UPDATE | objects.network_interface.description | The Network Interface object describes the type and... | UPDATE |
UPDATE | objects.network_interface.constraints.at_least_one | ['ip', 'mac', 'name', 'hostname'] | UPDATE |
IGNORE | objects.network_interface.extends | UPDATE | |
UPDATE | objects.network_interface.attributes.namespace.description | The namespace is useful in merger or acquisition... | UPDATE |
ADD | objects.vulnerability.constraints | {'at_least_one': ['cve', 'cwe']} | ADD |
ADD | objects.vulnerability.attributes.first_seen_time | {'description': 'The time when the vulnerability was... | ADD |
ADD | objects.vulnerability.attributes.kb_article_list | {'requirement': 'optional', 'caption': 'Knowledgebase... | ADD |
ADD | objects.vulnerability.attributes.packages.@deprecated | {'message': 'Use the <code> affected_packages </code>... | ADD |
ADD | objects.vulnerability.attributes.affected_code | {'requirement': 'optional', 'caption': 'Affected Code',... | ADD |
ADD | objects.vulnerability.attributes.last_seen_time | {'description': 'The time when the vulnerability was... | ADD |
ADD | objects.vulnerability.attributes.remediation | {'description': 'The remediation recommendations on how... | ADD |
ADD | objects.vulnerability.attributes.is_fix_available | {'requirement': 'optional', 'caption': 'Fix... | ADD |
ADD | objects.vulnerability.attributes.fix_available | {'requirement': 'optional', '@deprecated': {'message':... | ADD |
ADD | objects.vulnerability.attributes.kb_articles.@deprecated | {'message': 'Use the <code> kb_article_list </code>... | ADD |
ADD | objects.vulnerability.attributes.is_exploit_available | {'requirement': 'optional', 'caption': 'Exploit... | ADD |
ADD | objects.vulnerability.attributes.cwe | {'requirement': 'recommended', 'caption': 'CWE',... | ADD |
ADD | objects.vulnerability.attributes.affected_packages | {'requirement': 'optional', 'caption': 'Affected... | ADD |
ADD | objects.vulnerability.attributes.cve | {'requirement': 'recommended', 'caption': 'CVE',... | ADD |
DEPRECATE | objects.vulnerability.attributes.uid | {'description': 'The vulnerability unique identifier.',... | REMOVE |
DEPRECATE | objects.vulnerability.attributes.cvss | {'requirement': 'recommended', 'caption': 'CVSS Scores',... | REMOVE |
UPDATE | objects.vulnerability.description | The vulnerability is an unintended characteristic of a... | UPDATE |
REMOVE | objects.vulnerability.attributes.packages.caption | UPDATE | |
UPDATE | objects.vulnerability.attributes.related_vulnerabilities.requirement | optional | UPDATE |
UPDATE | objects.vulnerability.attributes.references.description | A list of reference URLs with additional information... | UPDATE |
UPDATE | objects.vulnerability.attributes.vendor_name.description | The name of the vendor that identified the vulnerability. | UPDATE |
UPDATE | objects.vulnerability.attributes.title.description | A title or a brief phrase summarizing the discovered... | UPDATE |
UPDATE | objects.vulnerability.attributes.kb_articles.description | The KB article/s related to the entity. A KB Article... | UPDATE |
UPDATE | objects.vulnerability.attributes.severity.description | The vendor assigned severity of the vulnerability. | UPDATE |
DEPRECATE | objects.vulnerability.attributes.packages.type | string_t | UPDATE |
REMOVE | objects.vulnerability.attributes.vendor_name.caption | UPDATE | |
ADD | objects.os.attributes.cpe_name | {'requirement': 'optional', 'caption': 'The product CPE... | ADD |
ADD | objects.os.attributes.type_id.enum.99 | {'caption': 'Other', 'description': 'The type is not... | ADD |
UPDATE | objects.os.attributes.type_id.enum.-1 | REMOVE | |
DEPRECATE | objects.os.attributes.type_id.default | REMOVE | |
UPDATE | objects.os.caption | Operating System (OS) | UPDATE |
UPDATE | objects.os.description | The Operating System (OS) object describes... | UPDATE |
UPDATE | objects.http_header.description | TThe HTTP Header object represents the headers sent in... | UPDATE |
UPDATE | objects._dns.attributes.type.requirement | recommended | UPDATE |
UPDATE | objects._dns.attributes.class.requirement | recommended | UPDATE |
UPDATE | objects._dns.description | The Domain Name System (DNS) object represents the... | UPDATE |
ADD | objects.managed_entity.constraints | {'at_least_one': ['name', 'uid']} | ADD |
DEPRECATE | objects.managed_entity.attributes.type.notes | For example: <i>policy</i>, <i>user</i>,... | REMOVE |
DEPRECATE | objects.managed_entity.attributes.name.notes | For example <i>Browser Isolation Policy. | REMOVE |
UPDATE | objects.managed_entity.attributes.name.description | The name of the managed entity. | UPDATE |
IGNORE | objects.managed_entity.extends | UPDATE | |
UPDATE | objects.managed_entity.description | The Managed Entity object describes the type and version... | UPDATE |
UPDATE | objects.managed_entity.attributes.type.description | The managed entity type. For example:... | UPDATE |
UPDATE | objects.managed_entity.attributes.name.requirement | recommended | UPDATE |
UPDATE | objects.managed_entity.attributes.uid.description | The identifier of the managed entity. | UPDATE |
UPDATE | objects.managed_entity.attributes.version.description | The version of the managed entity. For example:... | UPDATE |
ADD | objects.location.constraints | {'at_least_one': ['coordinates', 'city', 'country',... | ADD |
UPDATE | objects.location.description | The Geo Location object describes a geographical... | UPDATE |
UPDATE | objects.location.attributes.coordinates.requirement | recommended | UPDATE |
ADD | objects.malware.attributes.classification_ids.enum.99 | {'caption': 'Other'} | ADD |
ADD | objects.malware.constraints | {'at_least_one': ['name', 'uid']} | ADD |
ADD | objects.malware.attributes.cves | {'requirement': 'optional', 'caption': 'CVE List',... | ADD |
DEPRECATE | objects.malware.attributes.cve_uids | {'requirement': 'optional', 'caption': 'CVE UIDs',... | REMOVE |
UPDATE | objects.malware.attributes.classification_ids.enum.-1 | REMOVE | |
DEPRECATE | objects.malware.attributes.path.type | path_t | UPDATE |
UPDATE | objects.malware.description | The Malware object describes the classification of known... | UPDATE |
IGNORE | objects.malware.extends | UPDATE | |
UPDATE | objects.malware.attributes.classification_ids.description | The list of normalized identifiers of the malware... | UPDATE |
UPDATE | objects.malware.attributes.name.requirement | recommended | UPDATE |
UPDATE | objects.malware.attributes.classifications.description | The list of malware classifications, normalized to the... | UPDATE |
ADD | objects.kernel.attributes.type_id.enum.99 | {'caption': 'Other', 'description': 'The type is not... | ADD |
DEPRECATE | objects.kernel.attributes.type_id.enum.3 | {'caption': 'Named Pipe'} | REMOVE |
DEPRECATE | objects.kernel.attributes.type_id.default | REMOVE | |
UPDATE | objects.kernel.attributes.type_id.enum.-1 | REMOVE | |
UPDATE | objects.kernel.description | The Kernel Resource object provides information about a... | UPDATE |
DEPRECATE | objects.kernel.attributes.path.type | path_t | UPDATE |
ADD | objects.http_response.attributes.http_headers | {'requirement': 'recommended', 'caption': 'HTTP... | ADD |
UPDATE | objects.http_response.attributes.latency.description | The HTTP response latency measured in milliseconds. | UPDATE |
UPDATE | objects.http_response.attributes.code.description | The Hypertext Transfer Protocol (HTTP) status code... | UPDATE |
UPDATE | objects.http_response.description | The HTTP Response object contains detailed information... | UPDATE |
UPDATE | objects.http_response.attributes.status.description | The response status. For example: A successful HTTP... | UPDATE |
UPDATE | objects.http_response.attributes.message.description | The description of the event/finding, as defined by the source. | UPDATE |
ADD | objects.device.attributes.uid_alt | {'description': 'An alternate unique identifier of the... | ADD |
ADD | objects.device.attributes.type_id.enum.11 | {'caption': 'Hub', 'description': "A <a target='_blank'... | ADD |
ADD | objects.device.attributes.owner | {'description': 'The identity of the service or user... | ADD |
ADD | objects.device.attributes.type_id.enum.2.description | A <a target='_blank'... | ADD |
ADD | objects.device.attributes.type_id.enum.7.description | A <a target='_blank'... | ADD |
ADD | objects.device.attributes.type_id.enum.6.description | A <a target='_blank'... | ADD |
ADD | objects.device.attributes.namespace_pid | {'group': 'context', 'requirement': 'recommended',... | ADD |
ADD | objects.device.attributes.interface_name | {'requirement': 'recommended', 'caption': 'Network... | ADD |
ADD | objects.device.attributes.type_id.enum.8.description | A <a target='_blank'... | ADD |
ADD | objects.device.attributes.type_id.enum.9 | {'caption': 'Firewall', 'description': "A <a... | ADD |
ADD | objects.device.attributes.type_id.enum.3.description | A <a target='_blank'... | ADD |
ADD | objects.device.attributes.created_time | {'description': 'The time when the device was known to... | ADD |
ADD | objects.device.attributes.type_id.enum.1.description | A <a target='_blank'... | ADD |
ADD | objects.device.attributes.org | {'description': 'Organization and org unit related to... | ADD |
ADD | objects.device.attributes.zone | {'requirement': 'optional', 'caption': 'Network Zone',... | ADD |
ADD | objects.device.attributes.type_id.enum.4.description | A <a target='_blank'... | ADD |
ADD | objects.device.attributes.modified_time | {'description': 'The time when the device was last known... | ADD |
ADD | objects.device.attributes.type_id.enum.5.description | A <a target='_blank'... | ADD |
ADD | objects.device.attributes.last_seen_time | {'description': 'The most recent discovery time of the... | ADD |
ADD | objects.device.attributes.agent_list | {'requirement': 'optional', 'caption': 'Agent List',... | ADD |
ADD | objects.device.attributes.type_id.enum.99 | {'caption': 'Other', 'description': 'The type is not... | ADD |
ADD | objects.device.attributes.type_id.enum.10 | {'caption': 'Switch', 'description': "A <a... | ADD |
ADD | objects.device.attributes.first_seen_time | {'description': 'The initial discovery time of the... | ADD |
ADD | objects.device.attributes.container | {'group': 'context', 'requirement': 'recommended',... | ADD |
DEPRECATE | objects.device.attributes.reputation | {'requirement': 'optional', 'caption': 'Reputation... | REMOVE |
DEPRECATE | objects.device.attributes.type_id.default | REMOVE | |
UPDATE | objects.device.attributes.type_id.enum.-1 | REMOVE | |
DEPRECATE | objects.device.attributes.org_unit | {'requirement': 'optional', 'caption': 'Org Unit',... | REMOVE |
UPDATE | objects.device.attributes.network_interfaces.description | The network interfaces that are associated with the... | UPDATE |
UPDATE | objects.device.observable | 20 | UPDATE |
REMOVE | objects.device.attributes.location.caption | UPDATE | |
UPDATE | objects.device.attributes.location.description | The geographical location of the device. | UPDATE |
UPDATE | objects.device.attributes.os.description | The endpoint operating system. | UPDATE |
UPDATE | objects.device.attributes.hw_info.description | The endpoint hardware information. | UPDATE |
UPDATE | objects.device.attributes.mac.description | The Media Access Control (MAC) address of the endpoint. | UPDATE |
UPDATE | objects.device.attributes.uid.description | The unique identifier of the device. For example the... | UPDATE |
IGNORE | objects.device.profiles | | UPDATE |
UPDATE | objects.device.constraints.at_least_one | ['ip', 'uid', 'name', 'hostname', 'instance_uid',... | UPDATE |
UPDATE | objects.device.description | The Device object represents an addressable computer... | UPDATE |
REMOVE | objects.device.attributes.$include | | UPDATE |
UPDATE | objects.device.attributes.risk_level.description | The risk level, normalized to the caption of the... | UPDATE |
ADD | objects.endpoint.attributes.interface_name | {'requirement': 'recommended', 'caption': 'Network... | ADD |
ADD | objects.endpoint.attributes.os | {'description': 'The endpoint operating system.',... | ADD |
ADD | objects.endpoint.attributes.container | {'group': 'context', 'requirement': 'recommended',... | ADD |
ADD | objects.endpoint.attributes.owner | {'description': 'The identity of the service or user... | ADD |
ADD | objects.endpoint.attributes.type | {'caption': 'Type', 'description': 'The endpoint type.... | ADD |
ADD | objects.endpoint.attributes.zone | {'requirement': 'optional', 'caption': 'Network Zone',... | ADD |
ADD | objects.endpoint.attributes.namespace_pid | {'group': 'context', 'requirement': 'recommended',... | ADD |
ADD | objects.endpoint.attributes.hw_info | {'requirement': 'optional', 'caption': 'Hardware Info',... | ADD |
ADD | objects.endpoint.attributes.type_id | {'caption': 'Type ID', 'description': 'The endpoint type... | ADD |
ADD | objects.endpoint.attributes.agent_list | {'requirement': 'optional', 'caption': 'Agent List',... | ADD |
DEPRECATE | objects.endpoint.attributes.reputation | {'requirement': 'optional', 'caption': 'Reputation... | REMOVE |
UPDATE | objects.endpoint.description | The Endpoint object describes a physical or virtual... | UPDATE |
UPDATE | objects.endpoint.constraints.at_least_one | ['ip', 'uid', 'name', 'hostname', 'instance_uid',... | UPDATE |
IGNORE | objects.endpoint.extends | | UPDATE |
REMOVE | objects.endpoint.attributes.location.caption | | UPDATE |
REMOVE | objects.endpoint.attributes.$include | | UPDATE |
IGNORE | objects.endpoint.profiles | | UPDATE |
ADD | objects.cloud.attributes.account | {'requirement': 'optional', 'caption': 'Account',... | ADD |
ADD | objects.cloud.attributes.org | {'requirement': 'optional', 'caption': 'Organization',... | ADD |
DEPRECATE | objects.cloud.attributes.account_uid | {'requirement': 'recommended', 'caption': 'Account UID',... | REMOVE |
DEPRECATE | objects.cloud.attributes.org_uid | {'requirement': 'optional', 'caption': 'Org ID',... | REMOVE |
DEPRECATE | objects.cloud.attributes.account_type | {'requirement': 'optional', 'caption': 'Account Type',... | REMOVE |
DEPRECATE | objects.cloud.attributes.account_type_id | {'requirement': 'optional', 'caption': 'Account Type... | REMOVE |
DEPRECATE | objects.cloud.attributes.resource_uid | {'requirement': 'optional', 'caption': 'Resource ID',... | REMOVE |
UPDATE | objects.cloud.description | The Cloud object contains information about a cloud... | UPDATE |
UPDATE | objects.cloud.attributes.project_uid.description | The unique identifier of a Cloud project. | UPDATE |
ADD | objects.file.attributes.type_id.enum.99 | {'caption': 'Other', 'description': 'The type is not... | ADD |
ADD | objects.file.attributes.confidentiality_id.enum.6 | {'caption': 'Restricted'} | ADD |
ADD | objects.file.attributes.hashes | {'requirement': 'recommended', 'caption': 'Hashes',... | ADD |
ADD | objects.file.attributes.confidentiality_id.enum.5 | {'caption': 'Private'} | ADD |
ADD | objects.file.constraints | {'at_least_one': ['name', 'uid']} | ADD |
ADD | objects.file.attributes.confidentiality_id.enum.99 | {'caption': 'Other', 'description': 'The confidentiality... | ADD |
ADD | objects.file.attributes.confidentiality_id.enum.0.description | The confidentiality is unknown. | ADD |
DEPRECATE | objects.file.attributes.type_id.default | | REMOVE |
DEPRECATE | objects.file.attributes.fingerprints | {'requirement': 'recommended', 'caption':... | REMOVE |
DEPRECATE | objects.file.attributes.name.name | file_name_t | REMOVE |
UPDATE | objects.file.attributes.confidentiality_id.enum.-1 | | REMOVE |
UPDATE | objects.file.attributes.type_id.enum.-1 | | REMOVE |
DEPRECATE | objects.file.attributes.creator.type | string_t | UPDATE |
DEPRECATE | objects.file.attributes.name.type | string_t | UPDATE |
DEPRECATE | objects.file.attributes.path.type | path_t | UPDATE |
DEPRECATE | objects.file.attributes.parent_folder.type | path_t | UPDATE |
UPDATE | objects.file.attributes.path.requirement | recommended | UPDATE |
DEPRECATE | objects.file.attributes.owner.type | string_t | UPDATE |
IGNORE | objects.file.extends | | UPDATE |
DEPRECATE | objects.file.attributes.accessor.type | string_t | UPDATE |
UPDATE | objects.file.attributes.confidentiality.description | The file content confidentiality, normalized to the... | UPDATE |
DEPRECATE | objects.file.attributes.modifier.type | string_t | UPDATE |
UPDATE | objects.file.description | The File object represents the metadata associated with... | UPDATE |
ADD | objects.actor.attributes.session | {'description': 'The user session from which the... | ADD |
ADD | objects.actor.attributes.idp | {'requirement': 'optional', 'caption': 'Identity... | ADD |
ADD | objects.actor.attributes.invoked_by | {'requirement': 'optional', 'caption': 'Invoked by',... | ADD |
ADD | objects.actor.attributes.authorizations | {'requirement': 'optional', 'caption': 'Authorization... | ADD |
UPDATE | objects.actor.constraints.at_least_one | ['process', 'user', 'invoked_by', 'session'] | UPDATE |
UPDATE | objects.actor.description | The Actor object contains details about the user, role,... | UPDATE |
ADD | objects.service.constraints | {'at_least_one': ['name', 'uid']} | ADD |
DEPRECATE | objects.service.attributes.types | {'description': 'The service types.', 'requirement':... | REMOVE |
DEPRECATE | objects.service.attributes.run_state | {'description': 'The service run state.', 'requirement':... | REMOVE |
DEPRECATE | objects.service.attributes.run_state_id | {'description': 'The service run state ID.',... | REMOVE |
DEPRECATE | objects.service.attributes.start_type_id | {'description': 'The service start type ID.',... | REMOVE |
DEPRECATE | objects.service.attributes.start_type | {'description': 'The service start type.',... | REMOVE |
DEPRECATE | objects.service.attributes.file | {'description': 'The service file object.',... | REMOVE |
DEPRECATE | objects.service.attributes.cmd_line | {'requirement': 'recommended', 'caption': 'Command... | REMOVE |
DEPRECATE | objects.service.attributes.loaded_module_name | {'requirement': 'recommended', 'caption': 'Loaded... | REMOVE |
DEPRECATE | objects.service.attributes.type_ids | {'description': 'The service type identifiers.',... | REMOVE |
UPDATE | objects.service.attributes.name.requirement | recommended | UPDATE |
UPDATE | objects.service.caption | Service | UPDATE |
IGNORE | objects.service.name | | UPDATE |
IGNORE | objects.service.extends | | UPDATE |
UPDATE | objects.service.attributes.name.description | The name of the service. | UPDATE |
UPDATE | objects.service.attributes.uid.requirement | recommended | UPDATE |
UPDATE | objects.service.description | The Service object describes characteristics of a... | UPDATE |
ADD | objects.metadata.attributes.extensions | {'requirement': 'optional', 'caption': 'Schema... | ADD |
ADD | objects.metadata.attributes.logged_time.requirement | optional | ADD |
ADD | objects.metadata.attributes.loggers | {'caption': 'Loggers', 'description': 'An array of... | ADD |
ADD | objects.metadata.attributes.log_version | {'requirement': 'optional', 'caption': 'Log Version',... | ADD |
ADD | objects.metadata.attributes.log_provider | {'requirement': 'recommended', 'caption': 'Log... | ADD |
ADD | objects.metadata.attributes.sequence.requirement | optional | ADD |
ADD | objects.metadata.attributes.labels.requirement | optional | ADD |
ADD | objects.metadata.attributes.log_level | {'requirement': 'optional', 'caption': 'Log Level',... | ADD |
ADD | objects.metadata.attributes.log_name | {'requirement': 'recommended', 'caption': 'Log Name',... | ADD |
ADD | objects.metadata.attributes.extension | {'requirement': 'optional', '@deprecated': {'message':... | ADD |
ADD | objects.metadata.attributes.profiles.requirement | optional | ADD |
ADD | objects.metadata.attributes.modified_time.requirement | optional | ADD |
ADD | objects.metadata.attributes.tenant_uid | {'requirement': 'recommended', 'caption': 'Tenant UID',... | ADD |
ADD | objects.metadata.attributes.correlation_uid.requirement | optional | ADD |
ADD | objects.metadata.attributes.event_code | {'requirement': 'optional', 'caption': 'Event Code',... | ADD |
ADD | objects.metadata.attributes.processed_time.requirement | optional | ADD |
DEPRECATE | objects.metadata.attributes.version.default | 1.0.0 | REMOVE |
UPDATE | objects.metadata.attributes.original_time.description | The original event time as reported by the event source.... | UPDATE |
UPDATE | objects.metadata.attributes.labels.description | <p>The list of category labels attached to the event or... | UPDATE |
UPDATE | objects.metadata.description | The Metadata object describes the metadata associated... | UPDATE |
UPDATE | objects.metadata.attributes.logged_time.description | <p>The time when the logging system collected and logged... | UPDATE |
UPDATE | objects.metadata.attributes.version.description | The version of the OCSF schema, using Semantic... | UPDATE |
UPDATE | objects.kernel_driver.description | The Kernel Extension object describes a kernel driver... | UPDATE |
UPDATE | objects.kernel_driver.caption | Kernel Extension | UPDATE |
ADD | objects.fingerprint.attributes.algorithm_id.enum.99 | {'caption': 'Other', 'description': 'The algorithm is... | ADD |
ADD | objects.fingerprint.attributes.algorithm_id.enum.7 | {'caption': 'quickXorHash', 'description': 'Microsoft... | ADD |
ADD | objects.fingerprint.attributes.algorithm_id.enum.6 | {'caption': 'TLSH', 'description': 'The TLSH fuzzy... | ADD |
ADD | objects.fingerprint.observable | 30 | ADD |
ADD | objects.fingerprint.attributes.algorithm_id.enum.0.description | The algorithm is unknown. | ADD |
UPDATE | objects.fingerprint.attributes.algorithm_id.enum.-1 | | REMOVE |
UPDATE | objects.fingerprint.description | The Fingerprint object provides detailed information... | UPDATE |
DEPRECATE | objects.fingerprint.attributes.value.type | string_t | UPDATE |
UPDATE | objects.fingerprint.attributes.algorithm.description | The hash algorithm used to create the digital... | UPDATE |
ADD | objects.network_connection_info.attributes.protocol_ver_id.enum.99 | {'caption': 'Other'} | ADD |
ADD | objects.network_connection_info.attributes.boundary_id.enum.99 | {'caption': 'Other', 'description': 'The boundary is not... | ADD |
ADD | objects.network_connection_info.attributes.direction_id.enum.99 | {'caption': 'Other', 'description': 'The direction is... | ADD |
ADD | objects.network_connection_info.attributes.session | {'requirement': 'optional', 'caption': 'Session',... | ADD |
UPDATE | objects.network_connection_info.attributes.direction_id.enum.-1 | | REMOVE |
UPDATE | objects.network_connection_info.attributes.boundary_id.enum.-1 | | REMOVE |
UPDATE | objects.network_connection_info.attributes.protocol_ver_id.enum.-1 | | REMOVE |
UPDATE | objects.network_connection_info.attributes.boundary_id.description | <p>The normalized identifier of the boundary of the... | UPDATE |
UPDATE | objects.network_connection_info.attributes.boundary.description | The boundary of the connection, normalized to the... | UPDATE |
UPDATE | objects.network_connection_info.description | The Network Connection Information object describes... | UPDATE |
UPDATE | objects.network_connection_info.attributes.direction_id.description | The normalized identifier of the direction of the... | UPDATE |
DEPRECATE | objects.network_connection_info.attributes.direction_id.enum.0.description | Connection direction is unknown. | UPDATE |
UPDATE | objects.network_connection_info.attributes.direction.description | The direction of the initiated connection, traffic, or... | UPDATE |
UPDATE | objects.authorization.attributes.decision.requirement | | REMOVE |
UPDATE | objects.authorization.attributes.policy.requirement | | REMOVE |
UPDATE | objects.authorization.description | The Authorization Result object provides details about... | UPDATE |
UPDATE | objects.authorization.attributes.decision.description | Authorization Result/outcome, e.g. allowed, denied. | UPDATE |
UPDATE | objects.authorization.caption | Authorization Result | UPDATE |
ADD | objects.tls_extension.attributes.type_id.enum.99 | {'caption': 'Other', 'description': 'The type is not... | ADD |
UPDATE | objects.tls_extension.attributes.type_id.enum.-1 | | REMOVE |
DEPRECATE | objects.tls_extension.attributes.type_id.default | | REMOVE |
UPDATE | objects.tls_extension.description | The TLS Extension object describes additional attributes... | UPDATE |
ADD | objects.peripheral_device.constraints | {'at_least_one': ['name', 'uid']} | ADD |
IGNORE | objects.peripheral_device.extends | | UPDATE |
REMOVE | objects.peripheral_device.attributes.vendor_name.caption | | UPDATE |
UPDATE | objects.display.description | The Display object contains information about the... | UPDATE |
UPDATE | objects.cis_benchmark_result.description | The CIS Benchmark Result object contains information as... | UPDATE |
REMOVE | objects.cis_benchmark_result.attributes.remediation.caption | | UPDATE |
UPDATE | objects.cis_benchmark_result.attributes.remediation.description | Describes the recommended remediation steps to address... | UPDATE |
UPDATE | objects.device_hw_info.attributes.ram_size.description | The total amount of installed RAM, in Megabytes. For... | UPDATE |
UPDATE | objects.device_hw_info.description | The Device Hardware Information object contains details... | UPDATE |
REMOVE | objects.device_hw_info.attributes.cpu_speed.caption | | UPDATE |
ADD | objects.container.attributes.pod_uuid | {'requirement': 'optional', 'caption': 'Pod UUID',... | ADD |
ADD | objects.container.attributes.hash | {'description': 'Commit hash of image created for docker... | ADD |
ADD | objects.container.constraints | {'at_least_one': ['uid', 'name']} | ADD |
DEPRECATE | objects.container.attributes.exposed_port | {'description': 'The port exposed by container to allow... | REMOVE |
DEPRECATE | objects.container.attributes.fingerprint | {'description': 'The SHA256 hash of the container.',... | REMOVE |
UPDATE | objects.container.attributes.runtime.description | The backend running the container, such as containerd or cri-o. | UPDATE |
UPDATE | objects.container.description | The Container object describes an instance of a specific... | UPDATE |
UPDATE | objects.container.attributes.uid.description | The full container unique identifier for this... | UPDATE |
UPDATE | objects.container.attributes.network_driver.description | The network driver used by the container. For example,... | UPDATE |
UPDATE | objects.container.attributes.image.requirement | recommended | UPDATE |
UPDATE | objects.container.attributes.orchestrator.description | The orchestrator managing the container, such as ECS,... | UPDATE |
UPDATE | objects.container.attributes.uid.requirement | recommended | UPDATE |
ADD | objects.network_proxy.attributes.interface_name | {'requirement': 'recommended', 'caption': 'Network... | ADD |
ADD | objects.network_proxy.attributes.domain | {'requirement': 'optional', 'caption': 'Domain',... | ADD |
ADD | objects.network_proxy.attributes.type_id | {'description': 'The network endpoint type ID.',... | ADD |
ADD | objects.network_proxy.attributes.subnet_uid | {'requirement': 'optional', 'caption': 'Subnet UID',... | ADD |
ADD | objects.network_proxy.attributes.agent_list | {'requirement': 'optional', 'caption': 'Agent List',... | ADD |
ADD | objects.network_proxy.attributes.proxy_endpoint | {'description': 'The network proxy information... | ADD |
ADD | objects.network_proxy.attributes.zone | {'requirement': 'optional', 'caption': 'Network Zone',... | ADD |
ADD | objects.network_proxy.attributes.container | {'group': 'context', 'requirement': 'recommended',... | ADD |
ADD | objects.network_proxy.attributes.vpc_uid | {'requirement': 'optional', 'caption': 'VPC UID',... | ADD |
ADD | objects.network_proxy.constraints | {'at_least_one': ['ip', 'uid', 'name', 'hostname',... | ADD |
ADD | objects.network_proxy.attributes.type | {'description': 'The network endpoint type. For example:... | ADD |
ADD | objects.network_proxy.attributes.intermediate_ips | {'requirement': 'optional', 'caption': 'Intermediate IP... | ADD |
ADD | objects.network_proxy.attributes.os | {'description': 'The endpoint operating system.',... | ADD |
ADD | objects.network_proxy.attributes.mac | {'description': 'The Media Access Control (MAC) address... | ADD |
ADD | objects.network_proxy.observable | | ADD |
ADD | objects.network_proxy.attributes.location | {'description': 'The geographical location of the... | ADD |
ADD | objects.network_proxy.attributes.$include | ['profiles/container.json'] | ADD |
ADD | objects.network_proxy.attributes.ip_intelligence | {'requirement': 'optional', 'caption': 'IP... | ADD |
ADD | objects.network_proxy.attributes.hw_info | {'requirement': 'optional', 'caption': 'Hardware Info',... | ADD |
ADD | objects.network_proxy.attributes.interface_uid | {'requirement': 'recommended', 'caption': 'Network... | ADD |
ADD | objects.network_proxy.profiles | ['container'] | ADD |
ADD | objects.network_proxy.attributes.vlan_uid | {'requirement': 'optional', 'caption': 'VLAN',... | ADD |
ADD | objects.network_proxy.attributes.namespace_pid | {'group': 'context', 'requirement': 'recommended',... | ADD |
ADD | objects.network_proxy.attributes.instance_uid | {'requirement': 'recommended', 'caption': 'Instance ID',... | ADD |
ADD | objects.network_proxy.attributes.name | {'description': 'The short name of the endpoint.',... | ADD |
ADD | objects.network_proxy.attributes.owner | {'description': 'The identity of the service or user... | ADD |
UPDATE | objects.network_proxy.attributes.hostname.requirement | recommended | UPDATE |
UPDATE | objects.network_proxy.attributes.ip.requirement | recommended | UPDATE |
UPDATE | objects.network_proxy.attributes.port.description | The port used for communication within the network connection. | UPDATE |
UPDATE | objects.network_proxy.attributes.port.requirement | recommended | UPDATE |
UPDATE | objects.network_proxy.description | The network proxy endpoint object describes a proxy... | UPDATE |
UPDATE | objects.network_proxy.caption | Network Proxy Endpoint | UPDATE |
UPDATE | objects.network_proxy.attributes.ip.description | The IP address of the endpoint, in either IPv4 or IPv6 format. | UPDATE |
UPDATE | objects.network_proxy.attributes.svc_name.description | The service name in service-to-service connections. For... | UPDATE |
UPDATE | objects.network_proxy.attributes.hostname.description | The fully qualified name of the endpoint. | UPDATE |
IGNORE | objects.network_proxy.extends | | UPDATE |
UPDATE | objects.network_proxy.attributes.uid.description | The unique identifier of the endpoint. | UPDATE |
UPDATE | objects.network_proxy.attributes.svc_name.requirement | recommended | UPDATE |
ADD | objects.technique.attributes.src_url | {'description': "The versioned permalink of the attack... | ADD |
ADD | objects.technique.constraints | {'at_least_one': ['name', 'uid']} | ADD |
UPDATE | objects.technique.attributes.uid.description | The unique identifier of the attack technique, as... | UPDATE |
IGNORE | objects.technique.extends | | UPDATE |
UPDATE | objects.technique.description | The Technique object describes the technique ID and/or... | UPDATE |
UPDATE | objects.technique.attributes.name.description | The name of the attack technique, as defined by <a... | UPDATE |
UPDATE | objects.technique.attributes.uid.requirement | recommended | UPDATE |
UPDATE | objects.technique.attributes.name.requirement | recommended | UPDATE |
UPDATE | objects.dns_query.attributes.type.requirement | recommended | UPDATE |
UPDATE | objects.dns_query.attributes.class.requirement | recommended | UPDATE |
UPDATE | objects.dns_query.description | The DNS query object represents a specific request made... | UPDATE |
ADD | objects.certificate.attributes.fingerprints | {'description': 'The fingerprint list of the... | ADD |
ADD | objects.certificate.attributes.issuer | {'caption': 'Issuer Distinguished Name', 'description':... | ADD |
ADD | objects.certificate.attributes.uid | {'description': 'The unique identifier of the... | ADD |
ADD | objects.certificate.attributes.subject | {'caption': 'Subject Distinguished Name', 'description':... | ADD |
DEPRECATE | objects.certificate.attributes.issuer_dn | {'requirement': 'required', 'caption': 'Issuer... | REMOVE |
DEPRECATE | objects.certificate.attributes.fingerprint | {'description': 'The fingerprint of the certificate.',... | REMOVE |
DEPRECATE | objects.certificate.attributes.subject_dn | {'requirement': 'recommended', 'caption': 'Subject... | REMOVE |
UPDATE | objects.certificate.description | The Digital Certificate, also known as a Public Key... | UPDATE |
UPDATE | objects.certificate.attributes.serial_number.description | The serial number of the certificate used to create the... | UPDATE |
ADD | objects.user.attributes.org | {'description': 'Organization and org unit related to... | ADD |
ADD | objects.user.attributes.ldap_person | {'description': 'The additional LDAP attributes that... | ADD |
ADD | objects.user.attributes.uid_alt | {'description': 'The alternate user identifier. For... | ADD |
ADD | objects.user.attributes.account | {'description': "The user's account or the account... | ADD |
ADD | objects.user.attributes.type_id.enum.99 | {'caption': 'Other', 'description': 'The type is not... | ADD |
DEPRECATE | objects.user.attributes.uuid | {'description': 'The universally unique identifier of... | REMOVE |
DEPRECATE | objects.user.attributes.org_uid | {'requirement': 'optional', 'caption': 'Org ID',... | REMOVE |
DEPRECATE | objects.user.attributes.account_uid | {'requirement': 'optional', 'caption': 'Account UID',... | REMOVE |
DEPRECATE | objects.user.attributes.name.name | username_t | REMOVE |
DEPRECATE | objects.user.attributes.type_id.name | integer_t | REMOVE |
DEPRECATE | objects.user.attributes.account_type_id | {'requirement': 'optional', 'caption': 'Account Type... | REMOVE |
DEPRECATE | objects.user.attributes.session_uuid | {'requirement': 'optional', 'caption': 'Session UUID',... | REMOVE |
DEPRECATE | objects.user.attributes.account_type | {'requirement': 'optional', 'caption': 'Account Type',... | REMOVE |
DEPRECATE | objects.user.attributes.session_uid | {'requirement': 'optional', 'caption': 'Session UID',... | REMOVE |
UPDATE | objects.user.attributes.type_id.enum.-1 | | REMOVE |
DEPRECATE | objects.user.attributes.type_id.default | | REMOVE |
REMOVE | objects.user.attributes.uid.caption | | UPDATE |
UPDATE | objects.user.attributes.domain.requirement | required | UPDATE |
UPDATE | objects.user.attributes.email_addr.description | The user's primary email address. | UPDATE |
UPDATE | objects.user.attributes.uid.description | The unique user identifier. For example, the Windows... | UPDATE |
UPDATE | objects.user.attributes.name.description | The username. For example, <code>janedoe1</code>. | UPDATE |
UPDATE | objects.user.constraints.at_least_one | ['account', 'name', 'uid'] | UPDATE |
UPDATE | objects.user.attributes.type_id.requirement | recommended | UPDATE |
DEPRECATE | objects.user.attributes.name.type | string_t | UPDATE |
ADD | objects.url.attributes.subdomain | {'requirement': 'optional', 'caption': 'Subdomain',... | ADD |
ADD | objects.url.attributes.category_ids.enum.99 | {'caption': 'Other', 'description': 'The Domain/URL... | ADD |
ADD | objects.url.constraints | {'at_least_one': ['url_string', 'path']} | ADD |
ADD | objects.url.attributes.url_string | {'description': 'The URL string. See RFC 1738. For... | ADD |
DEPRECATE | objects.url.attributes.text | {'requirement': 'required', 'caption': 'URL Text',... | REMOVE |
IGNORE | objects.url.profiles | | REMOVE |
REMOVE | objects.url.attributes.$include | | REMOVE |
DEPRECATE | objects.url.attributes.reputation | {'requirement': 'optional', 'caption': 'Reputation... | REMOVE |
UPDATE | objects.url.attributes.category_ids.enum.-1 | | REMOVE |
UPDATE | objects.url.attributes.hostname.requirement | recommended | UPDATE |
DEPRECATE | objects.url.attributes.path.type | path_t | UPDATE |
UPDATE | objects.url.description | The Uniform Resource Locator(URL) object describes the... | UPDATE |
UPDATE | objects.url.attributes.hostname.description | The URL host as extracted from the URL. For example:... | UPDATE |
UPDATE | objects.url.attributes.path.requirement | recommended | UPDATE |
UPDATE | objects.url.attributes.path.description | The URL path as extracted from the URL. For example:... | UPDATE |
ADD | objects.attack.attributes.tactic | {'requirement': 'optional', 'caption': 'Tactic',... | ADD |
ADD | objects.attack.constraints | {'at_least_one': ['tactic', 'technique', 'sub_technique']} | ADD |
ADD | objects.attack.attributes.tactics.@deprecated | {'message': 'Use the <code> tactic </code> attribute... | ADD |
ADD | objects.attack.attributes.sub_technique | {'requirement': 'optional', 'caption': 'Sub Technique',... | ADD |
UPDATE | objects.attack.attributes.tactics.requirement | optional | UPDATE |
UPDATE | objects.attack.attributes.version.requirement | recommended | UPDATE |
UPDATE | objects.attack.description | The <a target='_blank'... | UPDATE |
UPDATE | objects.attack.caption | MITRE ATT&CK® | UPDATE |
UPDATE | objects.attack.attributes.version.description | The <a target='_blank'... | UPDATE |
UPDATE | objects.attack.attributes.technique.requirement | optional | UPDATE |
UPDATE | objects.attack.attributes.tactics.description | The Tactic object describes the tactic ID and/or tactic... | UPDATE |
UPDATE | objects.attack.attributes.technique.description | The Technique object describes the technique ID and/or... | UPDATE |
ADD | objects.http_request.attributes.http_method.enum | {'CONNECT': {'caption': 'Connect', 'description': 'The... | ADD |
ADD | objects.http_request.attributes.length | {'caption': 'Request Length', 'description': 'The HTTP... | ADD |
DEPRECATE | objects.http_request.attributes.prefix | {'description': 'Domain prefix.', 'requirement':... | REMOVE |
PRESERVE | objects.http_request.attributes.http_method.requirement | recommended | REMOVE |
PRESERVE | objects.http_request.constraints | {'at_least_one': ['user_agent', 'url', 'hostname']} | REMOVE |
UPDATE | objects.http_request.attributes.http_method.description | The <a target='_blank'... | UPDATE |
UPDATE | objects.http_request.description | The HTTP Request object represents the attributes of a... | UPDATE |
ADD | objects.remediation.attributes.kb_article_list | {'requirement': 'optional', 'caption': 'Knowledgebase... | ADD |
ADD | objects.remediation.attributes.kb_articles.@deprecated | {'message': 'Use the <code> kb_article_list </code>... | ADD |
ADD | objects.remediation.attributes.references | {'description': 'A list of supporting URL/s, references... | ADD |
UPDATE | objects.remediation.attributes.desc.requirement | required | UPDATE |
UPDATE | objects.remediation.description | The Remediation object describes the recommended... | UPDATE |
UPDATE | objects.remediation.attributes.kb_articles.requirement | optional | UPDATE |
UPDATE | objects.remediation.attributes.kb_articles.description | The KB article/s related to the entity. A KB Article... | UPDATE |
ADD | objects.cvss.attributes.depth | {'requirement': 'recommended', 'caption': 'CVSS Depth',... | ADD |
ADD | objects.cvss.attributes.overall_score | {'description': 'The CVSS overall score, impacted by... | ADD |
ADD | objects.cvss.attributes.severity | {'description': '<p>The Common Vulnerability Scoring... | ADD |
ADD | objects.cvss.attributes.base_score | {'description': 'The CVSS base score. For example:... | ADD |
ADD | objects.cvss.attributes.metrics | {'description': 'The Common Vulnerability Scoring System... | ADD |
DEPRECATE | objects.cvss.attributes.integrity_id | {'description': 'The Integrity Common Vulnerability... | REMOVE |
DEPRECATE | objects.cvss.attributes.integrity_impact_id | {'description': 'Name: Integrity Impact (I). Group:... | REMOVE |
DEPRECATE | objects.cvss.attributes.target_distribution_id | {'description': 'Name: Target Distribution (TD). Group:... | REMOVE |
DEPRECATE | objects.cvss.attributes.modified_integrity_id | {'description': 'Name: Modified Integrity (MI). Group:... | REMOVE |
DEPRECATE | objects.cvss.attributes.exploitability_id | {'description': 'Name: Exploitability (E). Group:... | REMOVE |
DEPRECATE | objects.cvss.attributes.remediation_level_id | {'description': 'Name: Remediation Level (RL). Group:... | REMOVE |
DEPRECATE | objects.cvss.attributes.modified_attack_vector_id | {'description': 'Name: Modified Attack Vector (MAV).... | REMOVE |
DEPRECATE | objects.cvss.attributes.integrity_requirement_id | {'description': 'Name: Integrity Requirement (IR).... | REMOVE |
DEPRECATE | objects.cvss.attributes.collateral_damage_potential_id | {'description': 'Name: Collateral Damage Potential... | REMOVE |
DEPRECATE | objects.cvss.attributes.severity_id | {'caption': 'Qualitative Severity Rating',... | REMOVE |
DEPRECATE | objects.cvss.attributes.access_complexity_id | {'description': 'Name: Access Complexity (AC). Group:... | REMOVE |
DEPRECATE | objects.cvss.attributes.privileges_required_id | {'caption': 'Privileges Required (PR)', 'description':... | REMOVE |
DEPRECATE | objects.cvss.attributes.availability_requirement_id | {'description': 'Name: Availability Requirement (AR).... | REMOVE |
DEPRECATE | objects.cvss.attributes.modified_privileges_required_id | {'description': 'Name: Modified Privileges Required... | REMOVE |
DEPRECATE | objects.cvss.attributes.report_confidence_id | {'description': 'Name: Report Confidence (RC). Group:... | REMOVE |
DEPRECATE | objects.cvss.attributes.confidentiality_id | {'caption': 'Confidentiality (C)', 'description': 'The... | REMOVE |
DEPRECATE | objects.cvss.attributes.confidentiality_requirement_id | {'description': 'Name: Confidentiality Requirement (CR).... | REMOVE |
DEPRECATE | objects.cvss.attributes.modified_confidentiality_id | {'description': 'Name: Modified Confidentiality (MC).... | REMOVE |
DEPRECATE | objects.cvss.attributes.modified_user_interaction_id | {'description': 'Name: Modified User Interaction (MUI).... | REMOVE |
DEPRECATE | objects.cvss.attributes.access_vector_id | {'description': 'Name: Access Vector (AV). Group: Base.... | REMOVE |
DEPRECATE | objects.cvss.attributes.user_interaction_id | {'caption': 'User Interaction (UI)', 'description': 'The... | REMOVE |
DEPRECATE | objects.cvss.attributes.confidentiality_impact_id | {'description': 'Name: Confidentiality Impact (C).... | REMOVE |
DEPRECATE | objects.cvss.attributes.modified_attack_complexity_id | {'description': 'Name: Modified Attack Complexity (MAC).... | REMOVE |
DEPRECATE | objects.cvss.attributes.depth_id | {'description': 'The CVSS depth. Representing a depth of... | REMOVE |
DEPRECATE | objects.cvss.attributes.exploit_code_maturity_id | {'description': 'Name: Exploit Code Maturity (E). Group:... | REMOVE |
DEPRECATE | objects.cvss.attributes.scope_id | {'description': 'Name: Scope (S). Group: Base. CVSS... | REMOVE |
DEPRECATE | objects.cvss.attributes.attack_complexity_id | {'caption': 'Attack Complexity (AC)', 'description':... | REMOVE |
DEPRECATE | objects.cvss.attributes.availability_impact_id | {'description': 'Name: Availability Impact (A). Group:... | REMOVE |
DEPRECATE | objects.cvss.attributes.modified_scope_id | {'description': 'Name: Modified Scope (MS). Group:... | REMOVE |
DEPRECATE | objects.cvss.attributes.raw_score | {'description': 'CVSS Score in the range of 0.0 to... | REMOVE |
DEPRECATE | objects.cvss.attributes.attack_vector_id | {'description': 'Name: Attack Vector (AV). Group: Base.... | REMOVE |
DEPRECATE | objects.cvss.attributes.modified_availability_id | {'description': 'Name: Modified Availability (MA).... | REMOVE |
DEPRECATE | objects.cvss.attributes.availability_id | {'description': 'Name: Availability (A). Group: Base.... | REMOVE |
DEPRECATE | objects.cvss.attributes.authentication_id | {'description': 'Name: Authentication (Au). Group: Base.... | REMOVE |
UPDATE | objects.cvss.attributes.version.requirement | required | UPDATE |
UPDATE | objects.cvss.description | The Common Vulnerability Scoring System (<a... | UPDATE |
UPDATE | objects.cvss.attributes.vector_string.description | The CVSS vector string is a text representation of a set... | UPDATE |
UPDATE | objects.cvss.caption | CVSS Score | UPDATE |
UPDATE | objects.cvss.attributes.version.description | The CVSS version. For example: <code>3.1</code>. | UPDATE |
ADD | objects.job.attributes.run_state_id.enum.99 | {'caption': 'Other'} | ADD |
UPDATE | objects.job.attributes.run_state_id.enum.-1 | REMOVE | |
UPDATE | objects.job.description | The Job object provides information about a scheduled... | UPDATE |
ADD | objects.digital_signature.attributes.digest | {'requirement': 'optional', 'caption': 'Message Digest',... | ADD |
ADD | objects.digital_signature.attributes.algorithm | {'description': "The digital signature algorithm used to... | ADD |
ADD | objects.digital_signature.attributes.algorithm_id | {'description': 'The identifier of the normalized... | ADD |
ADD | objects.digital_signature.attributes.certificate | {'requirement': 'recommended', 'caption': 'Certificate',... | ADD |
DEPRECATE | objects.digital_signature.attributes.company_name | {'requirement': 'required', 'caption': 'Company Name',... | REMOVE |
DEPRECATE | objects.digital_signature.attributes.serial_number | {'description': 'The serial number of the digital... | REMOVE |
DEPRECATE | objects.digital_signature.attributes.issuer_name | {'requirement': 'optional', 'caption': 'Issuer Name',... | REMOVE |
DEPRECATE | objects.digital_signature.attributes.fingerprints | {'requirement': 'optional', 'caption': 'Fingerprints',... | REMOVE |
UPDATE | objects.digital_signature.description | The Digital Signature object contains information about... | UPDATE |
ADD | objects.reputation.attributes.score_id.enum.99 | {'caption': 'Other', 'description': 'The reputation... | ADD |
ADD | objects.reputation.attributes.base_score | {'caption': 'Reputation Score', 'description': 'The... | ADD |
DEPRECATE | objects.reputation.attributes.raw_score | {'requirement': 'required', 'caption': 'Reputation... | REMOVE |
UPDATE | objects.reputation.attributes.score_id.enum.-1 | REMOVE | |
UPDATE | objects.reputation.attributes.score.description | The reputation score, normalized to the caption of the... | UPDATE |
UPDATE | objects.reputation.description | The Reputation object describes the reputation/risk... | UPDATE |
ADD | objects.dce_rpc.attributes.rpc_interface | {'requirement': 'required', 'caption': 'Remote Procedure... | ADD |
DEPRECATE | objects.dce_rpc.attributes.network_interfaces | {'description': 'The list of DCE/RPC interfaces',... | REMOVE |
UPDATE | objects.dce_rpc.caption | DCE/RPC | UPDATE |
UPDATE | objects.dce_rpc.description | The DCE/RPC, or Distributed Computing Environment/Remote... | UPDATE |
ADD | objects.finding.@deprecated | {'message': 'Use the new <code>finding_info</code>... | ADD |
ADD | objects.finding.attributes.related_events | {'requirement': 'optional', 'caption': 'Related Events',... | ADD |
DEPRECATE | objects.finding.attributes.related_findings | {'requirement': 'optional', 'caption': 'Related... | REMOVE |
DEPRECATE | objects.finding.attributes.supporting_data.is_array | True | REMOVE |
UPDATE | objects.finding.description | The Finding object describes metadata related to a... | UPDATE |
UPDATE | objects.finding.attributes.title.description | A title or a brief phrase summarizing the reported finding. | UPDATE |
UPDATE | objects.finding.caption | Finding | UPDATE |
UPDATE | objects.finding.attributes.remediation.description | Describes the recommended remediation steps to address... | UPDATE |
DEPRECATE | objects.finding.attributes.src_url.type | string_t | UPDATE |
REMOVE | objects.finding.attributes.remediation.caption | UPDATE | |
ADD | objects.module.attributes.load_type_id.enum.99 | {'caption': 'Other'} | ADD |
UPDATE | objects.module.attributes.load_type_id.enum.-1 | REMOVE | |
UPDATE | objects.module.attributes.load_type.description | The load type, normalized to the caption of the... | UPDATE |
UPDATE | objects.module.description | The Module object describes the load attributes of a module. | UPDATE |
ADD | objects.observable.attributes.type_id.enum.30 | {'caption': 'Fingerprint', 'description': 'The... | ADD |
ADD | objects.observable.attributes.reputation | {'requirement': 'optional', 'caption': 'Reputation... | ADD |
ADD | objects.observable.attributes.type_id.enum.99 | {'caption': 'Other', 'description': 'The observable data... | ADD |
UPDATE | objects.observable.attributes.type_id.enum.-1 | REMOVE | |
UPDATE | objects.observable.attributes.type_id.default | REMOVE | |
IGNORE | objects.observable.attributes.type_id.enum.26.description | UPDATE | |
IGNORE | objects.observable.attributes.type_id.enum.28.description | UPDATE | |
IGNORE | objects.observable.attributes.type_id.enum.2.description | UPDATE | |
IGNORE | objects.observable.attributes.type_id.enum.27.description | UPDATE | |
IGNORE | objects.observable.attributes.type_id.enum.21.description | UPDATE | |
IGNORE | objects.observable.attributes.type_id.enum.25.description | UPDATE | |
UPDATE | objects.observable.attributes.value.description | The value associated with the observable attribute. The... | UPDATE |
IGNORE | objects.observable.attributes.type_id.enum.23.description | UPDATE | |
UPDATE | objects.observable.attributes.name.description | The full name of the observable attribute. The... | UPDATE |
IGNORE | objects.observable.attributes.type_id.enum.20.description | UPDATE | |
IGNORE | objects.observable.attributes.type_id.enum.24.description | UPDATE | |
IGNORE | objects.observable.attributes.type_id.enum.22.description | UPDATE | |
IGNORE | objects.observable.attributes.type_id.enum.8.description | UPDATE | |
IGNORE | objects.observable.attributes.type_id.enum.8.caption | UPDATE | |
ADD | objects.email.attributes.uid | {'caption': 'Email UID', 'description': 'The email... | ADD |
ADD | objects.email.attributes.raw_header | {'requirement': 'optional', 'caption': 'Raw Header',... | ADD |
DEPRECATE | objects.email.attributes.direction | {'description': 'The direction of the email, as defined... | REMOVE |
DEPRECATE | objects.email.attributes.direction_id | {'description': 'The direction of the email relative to... | REMOVE |
DEPRECATE | objects.email.attributes.smtp_hello | {'requirement': 'recommended', 'caption': 'SMTP Hello',... | REMOVE |
PRESERVE | objects.email.attributes.subject.requirement | required | REMOVE |
UPDATE | objects.hassh.attributes.algorithm.description | The concatenation of key exchange, encryption,... | UPDATE |
UPDATE | objects.hassh.description | The HASSH object contains SSH network fingerprinting... | UPDATE |
ADD | objects.process.attributes.integrity_id.sibling | integrity | ADD |
ADD | objects.process.attributes.$include | ['profiles/linux_users.json'] | ADD |
ADD | objects.process.attributes.terminated_time | {'description': 'The time when the process was... | ADD |
ADD | objects.process.attributes.group | {'description': 'The group under which this process is... | ADD |
ADD | objects.process.profiles | ['linux/linux_users'] | ADD |
ADD | objects.process.attributes.container | {'group': 'context', 'requirement': 'recommended',... | ADD |
ADD | objects.process.attributes.auid | {'requirement': 'optional', 'caption': 'Audit User ID',... | ADD |
ADD | objects.process.attributes.integrity_id.enum.99 | {'caption': 'Other'} | ADD |
ADD | objects.process.attributes.egid | {'requirement': 'optional', 'caption': 'Effective Group... | ADD |
ADD | objects.process.attributes.namespace_pid | {'group': 'context', 'requirement': 'recommended',... | ADD |
ADD | objects.process.attributes.session | {'description': 'The user session under which this... | ADD |
ADD | objects.process.attributes.euid | {'requirement': 'optional', 'caption': 'Effective User... | ADD |
UPDATE | objects.process.attributes.integrity_id.enum.-1 | REMOVE | |
DEPRECATE | objects.process.attributes.integrity.sibling | integrity | REMOVE |
DEPRECATE | objects.process.attributes.name.name | process_name_t | REMOVE |
UPDATE | objects.process.attributes.integrity.description | The process integrity level, normalized to the caption... | UPDATE |
IGNORE | objects.process.extends | UPDATE | |
UPDATE | objects.process.attributes.user.description | The user under which this process is running. | UPDATE |
REMOVE | objects.process.attributes.uid.caption | UPDATE | |
DEPRECATE | objects.process.attributes.name.type | string_t | UPDATE |
REMOVE | objects.process.attributes.user.caption | UPDATE | |
UPDATE | objects.process.caption | Linux Process | UPDATE |
UPDATE | objects.process.attributes.lineage.description | The lineage of the process, represented by a list of... | UPDATE |
UPDATE | objects.process.description | Extends the process object to add Linux specific fields | UPDATE |
UPDATE | objects.san.attributes.name.requirement | required | UPDATE |
UPDATE | objects.san.description | The Subject Alternative name (SAN) object describes a... | UPDATE |
UPDATE | objects.san.attributes.type.requirement | required | UPDATE |
ADD | objects.group.attributes.domain | {'description': 'The domain where the group is defined.... | ADD |
ADD | objects.group.constraints | {'at_least_one': ['name', 'uid']} | ADD |
UPDATE | objects.group.description | The Group object represents a collection or association... | UPDATE |
UPDATE | objects.group.attributes.name.requirement | recommended | UPDATE |
IGNORE | objects.group.extends | UPDATE | |
ADD | objects.response.attributes.data | {'description': 'The additional data that is associated... | ADD |
ADD | objects.response.attributes.containers | {'requirement': 'optional', 'caption': 'Containers',... | ADD |
UPDATE | objects.response.attributes.flags.description | The list of communication flags, normalized to the... | UPDATE |
UPDATE | objects.response.description | The Response Elements object describes characteristics... | UPDATE |
UPDATE | objects.response.attributes.message.description | The description of the event/finding, as defined by the source. | UPDATE |
ADD | objects.product.attributes.url_string | {'description': 'The URL pointing towards the product.',... | ADD |
ADD | objects.product.constraints | {'at_least_one': ['name', 'uid']} | ADD |
ADD | objects.product.attributes.cpe_name | {'requirement': 'optional', 'caption': 'The product CPE... | ADD |
REMOVE | objects.product.attributes.uid.caption | UPDATE | |
REMOVE | objects.product.attributes.path.caption | UPDATE | |
UPDATE | objects.product.attributes.lang.requirement | optional | UPDATE |
DEPRECATE | objects.product.attributes.path.type | path_t | UPDATE |
IGNORE | objects.product.extends | UPDATE | |
UPDATE | objects.product.attributes.name.requirement | recommended | UPDATE |
UPDATE | objects.product.description | The Product object describes characteristics of a... | UPDATE |
REMOVE | objects.product.attributes.name.caption | UPDATE | |
REMOVE | objects.product.attributes.version.caption | UPDATE | |
UPDATE | objects.enrichment.attributes.type.description | The enrichment type. For example: <code>location</code>. | UPDATE |
UPDATE | objects.enrichment.description | The Enrichment object provides inline enrichment data... | UPDATE |
UPDATE | objects.keyboard_info.description | The Keyboard Information object contains details and... | UPDATE |
ADD | objects.compliance.attributes.standards | {'requirement': 'required', 'caption': 'Security... | ADD |
ADD | objects.compliance.attributes.control | {'requirement': 'recommended', 'caption': 'Security... | ADD |
ADD | objects.compliance.attributes.status_code | {'description': 'The resultant status code of the... | ADD |
ADD | objects.compliance.attributes.status_id | {'description': 'The normalized status identifier of the... | ADD |
UPDATE | objects.compliance.attributes.status.description | The resultant status of the compliance check normalized... | UPDATE |
UPDATE | objects.compliance.attributes.status_detail.description | The contextual description of the status, status_code values. | UPDATE |
UPDATE | objects.compliance.attributes.status.requirement | recommended | UPDATE |
UPDATE | objects.compliance.caption | Compliance | UPDATE |
UPDATE | objects.compliance.attributes.requirements.description | A list of requirements associated to a specific control... | UPDATE |
UPDATE | objects.compliance.description | The Compliance object contains information about... | UPDATE |
REMOVE | objects.compliance.attributes.requirements.caption | UPDATE | |
ADD | objects.image.constraints | {'at_least_one': ['name', 'uid']} | ADD |
UPDATE | objects.image.description | The Image object provides a description of a specific... | UPDATE |
REMOVE | objects.image.attributes.uid.caption | UPDATE | |
REMOVE | objects.image.attributes.name.caption | UPDATE | |
IGNORE | objects.image.extends | UPDATE | |
DEPRECATE | objects.image.attributes.path.type | path_t | UPDATE |
ADD | objects.dns_answer.attributes.flag_ids.enum.99 | {'caption': 'Other', 'description': 'The event DNS... | ADD |
UPDATE | objects.dns_answer.attributes.flag_ids.enum.-1 | REMOVE | |
UPDATE | objects.dns_answer.description | The DNS Answer object represents a specific response... | UPDATE |
UPDATE | objects.dns_answer.attributes.type.requirement | recommended | UPDATE |
UPDATE | objects.dns_answer.attributes.class.requirement | recommended | UPDATE |
ADD | objects.idp.constraints | {'at_least_one': ['name', 'uid']} | ADD |
UPDATE | objects.idp.attributes.uid.description | The unique identifier of the identity provider. | UPDATE |
IGNORE | objects.idp.extends | UPDATE | |
UPDATE | objects.idp.attributes.name.description | The name of the identity provider. | UPDATE |
UPDATE | objects.idp.attributes.name.requirement | recommended | UPDATE |
UPDATE | objects.idp.description | The Identity Provider object contains detailed... | UPDATE |
UPDATE | objects.idp.attributes.uid.requirement | recommended | UPDATE |
ADD | objects.network_endpoint.attributes.zone | {'requirement': 'optional', 'caption': 'Network Zone',... | ADD |
ADD | objects.network_endpoint.attributes.namespace_pid | {'group': 'context', 'requirement': 'recommended',... | ADD |
ADD | objects.network_endpoint.attributes.type_id | {'description': 'The network endpoint type ID.',... | ADD |
ADD | objects.network_endpoint.attributes.os | {'description': 'The endpoint operating system.',... | ADD |
ADD | objects.network_endpoint.attributes.agent_list | {'requirement': 'optional', 'caption': 'Agent List',... | ADD |
ADD | objects.network_endpoint.attributes.proxy_endpoint | {'description': 'The network proxy information... | ADD |
ADD | objects.network_endpoint.attributes.type | {'description': 'The network endpoint type. For example:... | ADD |
ADD | objects.network_endpoint.attributes.hw_info | {'requirement': 'optional', 'caption': 'Hardware Info',... | ADD |
ADD | objects.network_endpoint.attributes.owner | {'description': 'The identity of the service or user... | ADD |
ADD | objects.network_endpoint.attributes.interface_name | {'requirement': 'recommended', 'caption': 'Network... | ADD |
ADD | objects.network_endpoint.attributes.container | {'group': 'context', 'requirement': 'recommended',... | ADD |
DEPRECATE | objects.network_endpoint.attributes.reputation | {'requirement': 'optional', 'caption': 'Reputation... | REMOVE |
REMOVE | objects.network_endpoint.attributes.$include | UPDATE | |
REMOVE | objects.network_endpoint.attributes.location.caption | UPDATE | |
IGNORE | objects.network_endpoint.profiles | UPDATE | |
UPDATE | objects.network_endpoint.attributes.name.requirement | recommended | UPDATE |
UPDATE | objects.network_endpoint.constraints.at_least_one | ['ip', 'uid', 'name', 'hostname', 'svc_name',... | UPDATE |
ADD | objects.url_intelligence.attributes.category_ids.enum.99 | {'caption': 'Other', 'description': 'The Domain/URL... | ADD |
UPDATE | objects.url_intelligence.attributes.category_ids.enum.-1 | REMOVE | |
UPDATE | objects.url_intelligence.attributes.references.description | A list of reference URLs supporting the finding/detection. | UPDATE |
REMOVE | objects.url_intelligence.attributes.vendor_name.caption | UPDATE | |
ADD | objects.threat_intelligence.attributes.type_id.enum.99 | {'caption': 'Other', 'description': 'The type is not... | ADD |
UPDATE | objects.threat_intelligence.attributes.type_id.enum.-1 | REMOVE | |
DEPRECATE | objects.threat_intelligence.attributes.type_id.default | REMOVE | |
REMOVE | objects.ip_intelligence.attributes.location.caption | UPDATE | |
UPDATE | objects.ip_intelligence.attributes.references.description | A list of reference URLs supporting the finding/detection. | UPDATE |
REMOVE | objects.ip_intelligence.attributes.vendor_name.caption | UPDATE | |
PRESERVE | objects.domain_intelligence.attributes.domain_info.description | The registration information pertaining to a domain. | REMOVE |
REMOVE | objects.domain_intelligence.attributes.domain_info.caption | REMOVE | |
DEPRECATE | objects.domain_intelligence.attributes.domain_info.type | domain_info | REMOVE |
REMOVE | objects.domain_intelligence.attributes.vendor_name.caption | UPDATE | |
UPDATE | objects.domain_intelligence.attributes.references.description | A list of reference URLs supporting the finding/detection. | UPDATE |
UPDATE | objects.file_intelligence.attributes.references.description | A list of reference URLs supporting the finding/detection. | UPDATE |
REMOVE | objects.file_intelligence.attributes.vendor_name.caption | UPDATE | |
REMOVE | objects._base_threat_intelligence.attributes.vendor_name.caption | UPDATE | |
UPDATE | objects._base_threat_intelligence.attributes.references.description | A list of reference URLs supporting the finding/detection. | UPDATE |
ADD | events.registry_value_info.attributes.$include | ['profiles/host.json'] | ADD |
ADD | events.registry_value_info.attributes.status_detail.requirement | optional | ADD |
ADD | events.registry_value_info.attributes.device | {'requirement': 'recommended', 'caption': 'Device',... | ADD |
ADD | events.registry_value_info.attributes.severity_id.enum.99 | {'caption': 'Other', 'description': 'The event/finding... | ADD |
ADD | events.registry_value_info.attributes.actor | {'requirement': 'optional', 'caption': 'Actor',... | ADD |
ADD | events.registry_value_info.attributes.end_time.requirement | optional | ADD |
ADD | events.registry_value_info.attributes.status_id.enum.99 | {'caption': 'Other', 'description': 'The event status is... | ADD |
ADD | events.registry_value_info.attributes.unmapped.requirement | optional | ADD |
ADD | events.registry_value_info.attributes.type_uid.enum.500501 | {'caption': 'Registry Value Info: Exists'} | ADD |
ADD | events.registry_value_info.attributes.duration.requirement | optional | ADD |
ADD | events.registry_value_info.attributes.status_id.enum.0.description | The status is unknown. | ADD |
ADD | events.registry_value_info.attributes.activity_id.enum.99 | {'caption': 'Other', 'description': 'The event activity... | ADD |
ADD | events.registry_value_info.attributes.count.requirement | optional | ADD |
ADD | events.registry_value_info.attributes.type_uid.enum.500504 | {'caption': 'Registry Value Info: Error'} | ADD |
ADD | events.registry_value_info.attributes.enrichments.requirement | optional | ADD |
ADD | events.registry_value_info.attributes.type_uid.enum.500503 | {'caption': 'Registry Value Info: Does not exist'} | ADD |
ADD | events.registry_value_info.attributes.activity_id.enum.4 | {'caption': 'Error', 'description': 'The discovery... | ADD |
ADD | events.registry_value_info.attributes.activity_id.enum.5 | {'caption': 'Unsupported', 'description': 'Discovery of... | ADD |
ADD | events.registry_value_info.attributes.activity_id.enum.1.description | The target was found. | ADD |
ADD | events.registry_value_info.attributes.class_uid.enum.5005 | {'caption': 'Registry Value Info', 'description':... | ADD |
ADD | events.registry_value_info.attributes.type_uid.enum.500502 | {'caption': 'Registry Value Info: Partial'} | ADD |
ADD | events.registry_value_info.attributes.status_code.requirement | optional | ADD |
ADD | events.registry_value_info.attributes.category_uid.enum.5 | {'caption': 'Discovery', 'description': 'Discovery... | ADD |
ADD | events.registry_value_info.attributes.type_uid.enum.500505 | {'caption': 'Registry Value Info: Unsupported'} | ADD |
ADD | events.registry_value_info.attributes.start_time.requirement | optional | ADD |
ADD | events.registry_value_info.attributes.activity_id.enum.3 | {'caption': 'Does not exist', 'description': 'The target... | ADD |
ADD | events.registry_value_info.attributes.activity_id.enum.2.description | The target was partially found. | ADD |
ADD | events.registry_value_info.attributes.type_uid.enum.500500 | {'caption': 'Registry Value Info: Unknown'} | ADD |
ADD | events.registry_value_info.attributes.raw_data.requirement | optional | ADD |
ADD | events.registry_value_info.attributes.type_uid.enum.500599 | {'caption': 'Registry Value Info: Other'} | ADD |
ADD | events.registry_value_info.attributes.cloud.group | primary | ADD |
ADD | events.registry_value_info.attributes.api | {'requirement': 'optional', 'group': 'context',... | ADD |
DEPRECATE | events.registry_value_info.attributes.scan_uid | {'description': 'The unique identifier of the discovery... | REMOVE |
UPDATE | events.registry_value_info.attributes.severity_id.enum.-1 | REMOVE | |
IGNORE | events.registry_value_info.attributes.category_uid.default | REMOVE | |
DEPRECATE | events.registry_value_info.attributes.confidence | {'group': 'classification', 'requirement': 'optional',... | REMOVE |
IGNORE | events.registry_value_info.attributes.type_uid.enum.3201301 | REMOVE | |
DEPRECATE | events.registry_value_info.attributes.command_uid | {'description': 'The unique identifier of the discovery... | REMOVE |
IGNORE | events.registry_value_info.attributes.class_uid.enum.32013 | REMOVE | |
IGNORE | events.registry_value_info.attributes.type_uid.enum.3201300 | REMOVE | |
UPDATE | events.registry_value_info.attributes.activity_id.enum.-1 | REMOVE | |
REMOVE | events.registry_value_info.attributes.activity_id.$include | REMOVE | |
UPDATE | events.registry_value_info.attributes.status_id.enum.-1 | REMOVE | |
IGNORE | events.registry_value_info.attributes.type_uid.enum.3201302 | REMOVE | |
IGNORE | events.registry_value_info.attributes.type_uid.enum.3201299 | REMOVE | |
IGNORE | events.registry_value_info.attributes.category_uid.enum.32 | REMOVE | |
DEPRECATE | events.registry_value_info.attributes.data | {'description': 'Additional data that is associated with... | REMOVE |
DEPRECATE | events.registry_value_info.attributes.count.default | 1 | REMOVE |
IGNORE | events.registry_value_info.attributes.class_uid.default | REMOVE | |
UPDATE | events.registry_value_info.attributes.severity_id.description | <p>The normalized identifier of the event/finding... | UPDATE |
UPDATE | events.registry_value_info.attributes.status_detail.description | The status details contains additional information about... | UPDATE |
IGNORE | events.registry_value_info.profiles | UPDATE | |
UPDATE | events.registry_value_info.attributes.reg_value.description | The registry value that pertains to the event. | UPDATE |
DEPRECATE | events.registry_value_info.attributes.severity_id.enum.0.description | The event severity is not known. | UPDATE |
UPDATE | events.registry_value_info.attributes.metadata.description | The metadata associated with the event or a finding. | UPDATE |
UPDATE | events.registry_value_info.attributes.severity.description | The event/finding severity, normalized to the caption of... | UPDATE |
IGNORE | events.registry_value_info.attributes.type_uid.description | UPDATE | |
IGNORE | events.registry_value_info.attributes.type_uid.type | UPDATE | |
UPDATE | events.registry_value_info.description | Registry Value Info events report information about... | UPDATE |
UPDATE | events.registry_value_info.attributes.message.description | The description of the event/finding, as defined by the source. | UPDATE |
UPDATE | events.registry_value_info.attributes.time.description | The normalized event occurrence time or the finding... | UPDATE |
UPDATE | events.registry_value_info.attributes.enrichments.description | The additional information from an external data source,... | UPDATE |
DEPRECATE | events.registry_value_info.attributes.reg_value.type | registry_value | UPDATE |
UPDATE | events.registry_value_info.attributes.observables.description | The observables associated with the event or a finding. | UPDATE |
UPDATE | events.registry_value_info.attributes.status.description | The event status, normalized to the caption of the... | UPDATE |
UPDATE | events.registry_value_info.attributes.cloud.description | Describes details about the Cloud environment where the... | UPDATE |
IGNORE | events.registry_value_info.uid | UPDATE | |
UPDATE | events.registry_value_info.attributes.type_name.description | The event/finding type name, as defined by the type_uid. | UPDATE |
ADD | events.registry_key_activity.attributes.disposition_id.enum.20 | {'caption': 'Count', 'description': 'Counted the request... | ADD |
ADD | events.registry_key_activity.attributes.disposition_id.enum.2.description | Denied access or blocked the action to the protected resource. | ADD |
ADD | events.registry_key_activity.attributes.disposition_id.enum.26 | {'caption': 'Unauthorized', 'description': "An attempt... | ADD |
ADD | events.registry_key_activity.attributes.type_uid.enum.100102 | {'caption': 'Registry Key Activity: Read'} | ADD |
ADD | events.registry_key_activity.attributes.action | {'caption': 'Action', 'description': 'The normalized... | ADD |
ADD | events.registry_key_activity.attributes.activity_id.enum.99 | {'caption': 'Other', 'description': 'The event activity... | ADD |
ADD | events.registry_key_activity.attributes.disposition_id.enum.8.description | A request or submission was approved. For example, when... | ADD |
ADD | events.registry_key_activity.attributes.disposition_id.enum.22 | {'caption': 'Captcha', 'description': 'Required the end... | ADD |
ADD | events.registry_key_activity.attributes.status_id.enum.99 | {'caption': 'Other', 'description': 'The event status is... | ADD |
ADD | events.registry_key_activity.attributes.disposition_id.enum.23 | {'caption': 'Challenge', 'description': "Ran a silent... | ADD |
ADD | events.registry_key_activity.attributes.severity_id.enum.99 | {'caption': 'Other', 'description': 'The event/finding... | ADD |
ADD | events.registry_key_activity.attributes.disposition_id.enum.6.description | The request was detected as a threat and resulted in the... | ADD |
ADD | events.registry_key_activity.attributes.disposition_id.enum.4.description | A session was isolated on the network or within a browser. | ADD |
ADD | events.registry_key_activity.attributes.disposition_id.enum.18 | {'caption': 'Tagged', 'description': 'A file or other... | ADD |
ADD | events.registry_key_activity.attributes.unmapped.requirement | optional | ADD |
ADD | events.registry_key_activity.attributes.disposition_id.enum.21 | {'caption': 'Reset', 'description': 'The request was... | ADD |
ADD | events.registry_key_activity.attributes.type_uid.enum.100100 | {'caption': 'Registry Key Activity: Unknown'} | ADD |
ADD | events.registry_key_activity.attributes.count.requirement | optional | ADD |
ADD | events.registry_key_activity.extension | windows | ADD |
ADD | events.registry_key_activity.attributes.type_uid.enum.100103 | {'caption': 'Registry Key Activity: Modify'} | ADD |
ADD | events.registry_key_activity.attributes.end_time.requirement | optional | ADD |
ADD | events.registry_key_activity.attributes.disposition_id.enum.13.description | A corrupt file or configuration was not corrected. | ADD |
ADD | events.registry_key_activity.attributes.disposition_id.enum.5.description | A file or other content was deleted. | ADD |
ADD | events.registry_key_activity.attributes.duration.requirement | optional | ADD |
ADD | events.registry_key_activity.attributes.prev_reg_key | {'group': 'primary', 'requirement': 'optional',... | ADD |
ADD | events.registry_key_activity.attributes.status_code.requirement | optional | ADD |
ADD | events.registry_key_activity.attributes.disposition_id.enum.19 | {'caption': 'Alert', 'description': 'The request or... | ADD |
ADD | events.registry_key_activity.attributes.disposition_id.enum.3.description | A suspicious file or other content was moved to a benign... | ADD |
ADD | events.registry_key_activity.attributes.firewall_rule | {'requirement': 'optional', 'caption': 'Firewall Rule',... | ADD |
ADD | events.registry_key_activity.attributes.type_uid.enum.100199 | {'caption': 'Registry Key Activity: Other'} | ADD |
ADD | events.registry_key_activity.attributes.action_id | {'caption': 'Action ID', 'description': "The action... | ADD |
ADD | events.registry_key_activity.attributes.disposition_id.enum.11.description | A corrupt file or configuration was corrected. | ADD |
ADD | events.registry_key_activity.attributes.disposition_id.enum.1.description | Granted access or allowed the action to the protected resource. | ADD |
ADD | events.registry_key_activity.attributes.type_uid.enum.100106 | {'caption': 'Registry Key Activity: Set Security'} | ADD |
ADD | events.registry_key_activity.attributes.disposition_id.enum.16 | {'caption': 'No Action', 'description': 'The outcome of... | ADD |
ADD | events.registry_key_activity.attributes.status_detail.requirement | optional | ADD |
ADD | events.registry_key_activity.attributes.disposition_id.enum.7.description | A custom action was executed such as running of a... | ADD |
ADD | events.registry_key_activity.attributes.disposition_id.enum.0.description | The disposition was not known. | ADD |
ADD | events.registry_key_activity.attributes.type_uid.enum.100104 | {'caption': 'Registry Key Activity: Delete'} | ADD |
ADD | events.registry_key_activity.attributes.status_id.enum.0.description | The status is unknown. | ADD |
ADD | events.registry_key_activity.attributes.disposition_id.enum.99 | {'caption': 'Other', 'description': 'The disposition is... | ADD |
ADD | events.registry_key_activity.attributes.start_time.requirement | optional | ADD |
ADD | events.registry_key_activity.attributes.disposition_id.enum.9 | {'caption': 'Restored', 'description': 'A quarantined... | ADD |
ADD | events.registry_key_activity.attributes.class_uid.enum.1001 | {'caption': 'Registry Key Activity', 'description':... | ADD |
ADD | events.registry_key_activity.attributes.type_uid.enum.100101 | {'caption': 'Registry Key Activity: Create'} | ADD |
ADD | events.registry_key_activity.attributes.disposition_id.enum.12.description | A corrupt file or configuration was partially corrected. | ADD |
ADD | events.registry_key_activity.attributes.authorizations | {'requirement': 'optional', 'caption': 'Authorization... | ADD |
ADD | events.registry_key_activity.attributes.enrichments.requirement | optional | ADD |
ADD | events.registry_key_activity.attributes.type_uid.enum.100105 | {'caption': 'Registry Key Activity: Rename'} | ADD |
ADD | events.registry_key_activity.attributes.type_uid.enum.100108 | {'caption': 'Registry Key Activity: Import'} | ADD |
ADD | events.registry_key_activity.attributes.disposition_id.enum.17 | {'caption': 'Logged', 'description': 'The operation or... | ADD |
ADD | events.registry_key_activity.attributes.api | {'requirement': 'optional', 'group': 'context',... | ADD |
ADD | events.registry_key_activity.attributes.disposition_id.enum.24 | {'caption': 'Access Revoked', 'description': "The... | ADD |
ADD | events.registry_key_activity.attributes.disposition_id.enum.27 | {'caption': 'Error', 'description': 'An error occurred... | ADD |
ADD | events.registry_key_activity.attributes.type_uid.enum.100107 | {'caption': 'Registry Key Activity: Restore'} | ADD |
ADD | events.registry_key_activity.attributes.cloud.group | primary | ADD |
ADD | events.registry_key_activity.attributes.raw_data.requirement | optional | ADD |
ADD | events.registry_key_activity.attributes.disposition_id.enum.25 | {'caption': 'Rejected', 'description': "A request or... | ADD |
ADD | events.registry_key_activity.attributes.type_uid.enum.100109 | {'caption': 'Registry Key Activity: Export'} | ADD |
IGNORE | events.registry_key_activity.attributes.type_uid.enum.100802 | REMOVE | |
IGNORE | events.registry_key_activity.attributes.type_uid.enum.100805 | REMOVE | |
UPDATE | events.registry_key_activity.attributes.severity_id.enum.-1 | REMOVE | |
IGNORE | events.registry_key_activity.attributes.type_uid.enum.100807 | REMOVE | |
IGNORE | events.registry_key_activity.attributes.type_uid.enum.100809 | REMOVE | |
IGNORE | events.registry_key_activity.attributes.type_uid.enum.100803 | REMOVE | |
IGNORE | events.registry_key_activity.attributes.type_uid.enum.100804 | REMOVE | |
IGNORE | events.registry_key_activity.attributes.type_uid.enum.100799 | REMOVE | |
UPDATE | events.registry_key_activity.attributes.activity_id.enum.-1 | REMOVE | |
IGNORE | events.registry_key_activity.attributes.type_uid.enum.100801 | REMOVE | |
DEPRECATE | events.registry_key_activity.attributes.data | {'description': 'Additional data that is associated with... | REMOVE |
UPDATE | events.registry_key_activity.attributes.status_id.enum.-1 | REMOVE | |
UPDATE | events.registry_key_activity.attributes.disposition_id.enum.-1 | REMOVE | |
DEPRECATE | events.registry_key_activity.attributes.confidence | {'group': 'classification', 'requirement': 'optional',... | REMOVE |
IGNORE | events.registry_key_activity.attributes.class_uid.enum.1008 | REMOVE | |
IGNORE | events.registry_key_activity.attributes.type_uid.enum.100800 | REMOVE | |
DEPRECATE | events.registry_key_activity.attributes.count.default | 1 | REMOVE |
IGNORE | events.registry_key_activity.attributes.category_uid.default | REMOVE | |
IGNORE | events.registry_key_activity.attributes.class_uid.default | REMOVE | |
IGNORE | events.registry_key_activity.attributes.type_uid.enum.100806 | REMOVE | |
DEPRECATE | events.registry_key_activity.attributes.reg_key_result | {'group': 'primary', 'requirement': 'optional',... | REMOVE |
IGNORE | events.registry_key_activity.attributes.type_uid.enum.100808 | REMOVE | |
REMOVE | events.registry_key_activity.attributes.activity_id.$include | REMOVE | |
DEPRECATE | events.registry_key_activity.attributes.disposition_id.enum.15.description | Marked with extended attributes. | UPDATE |
REMOVE | events.registry_key_activity.attributes.disposition_id.enum.3.caption | UPDATE | |
UPDATE | events.registry_key_activity.attributes.observables.description | The observables associated with the event or a finding. | UPDATE |
REMOVE | events.registry_key_activity.attributes.disposition_id.enum.15.caption | UPDATE | |
REMOVE | events.registry_key_activity.attributes.disposition_id.requirement | UPDATE | |
UPDATE | events.registry_key_activity.attributes.severity.description | The event/finding severity, normalized to the caption of... | UPDATE |
IGNORE | events.registry_key_activity.uid | UPDATE | |
UPDATE | events.registry_key_activity.attributes.status_detail.description | The status details contains additional information about... | UPDATE |
REMOVE | events.registry_key_activity.attributes.disposition_id.enum.1.caption | UPDATE | |
REMOVE | events.registry_key_activity.attributes.disposition_id.enum.11.caption | UPDATE | |
REMOVE | events.registry_key_activity.attributes.disposition_id.enum.8.caption | UPDATE | |
IGNORE | events.registry_key_activity.profiles | UPDATE | |
REMOVE | events.registry_key_activity.attributes.disposition_id.enum.7.caption | UPDATE | |
DEPRECATE | events.registry_key_activity.attributes.disposition_id.enum.10.description | Requires reboot to finish the operation. | UPDATE |
REMOVE | events.registry_key_activity.attributes.disposition_id.enum.5.caption | UPDATE | |
REMOVE | events.registry_key_activity.attributes.disposition_id.enum.6.caption | UPDATE | |
UPDATE | events.registry_key_activity.attributes.type_name.description | The event/finding type name, as defined by the type_uid. | UPDATE |
UPDATE | events.registry_key_activity.attributes.malware.requirement | optional | UPDATE |
DEPRECATE | events.registry_key_activity.attributes.disposition_id.enum.14.description | No longer suspicious (re-scored). | UPDATE |
UPDATE | events.registry_key_activity.attributes.severity_id.description | <p>The normalized identifier of the event/finding... | UPDATE |
REMOVE | events.registry_key_activity.attributes.$include | UPDATE | |
UPDATE | events.registry_key_activity.attributes.disposition.description | The disposition name, normalized to the caption of the... | UPDATE |
DEPRECATE | events.registry_key_activity.attributes.reg_key.type | registry_key | UPDATE |
REMOVE | events.registry_key_activity.attributes.disposition_id.enum.12.caption | UPDATE | |
UPDATE | events.registry_key_activity.attributes.cloud.description | Describes details about the Cloud environment where the... | UPDATE |
IGNORE | events.registry_key_activity.attributes.type_uid.description | UPDATE | |
REMOVE | events.registry_key_activity.attributes.disposition_id.description | UPDATE | |
REMOVE | events.registry_key_activity.attributes.disposition_id.enum.10.caption | UPDATE | |
UPDATE | events.registry_key_activity.attributes.attacks.description | An array of <a target='_blank'... | UPDATE |
UPDATE | events.registry_key_activity.attributes.status.description | The event status, normalized to the caption of the... | UPDATE |
UPDATE | events.registry_key_activity.attributes.malware.description | A list of Malware objects, describing details about the... | UPDATE |
UPDATE | events.registry_key_activity.attributes.enrichments.description | The additional information from an external data source,... | UPDATE |
REMOVE | events.registry_key_activity.attributes.disposition_id.enum.13.caption | UPDATE | |
REMOVE | events.registry_key_activity.attributes.disposition_id.enum.4.caption | UPDATE | |
REMOVE | events.registry_key_activity.attributes.disposition_id.enum.14.caption | UPDATE | |
REMOVE | events.registry_key_activity.attributes.attacks.caption | UPDATE | |
IGNORE | events.registry_key_activity.attributes.type_uid.type | UPDATE | |
UPDATE | events.registry_key_activity.attributes.message.description | The description of the event/finding, as defined by the source. | UPDATE |
UPDATE | events.registry_key_activity.attributes.device.description | An addressable device, computer system or host. | UPDATE |
UPDATE | events.registry_key_activity.attributes.metadata.description | The metadata associated with the event or a finding. | UPDATE |
REMOVE | events.registry_key_activity.attributes.disposition_id.enum.2.caption | UPDATE | |
DEPRECATE | events.registry_key_activity.attributes.severity_id.enum.0.description | The event severity is not known. | UPDATE |
UPDATE | events.registry_key_activity.attributes.time.description | The normalized event occurrence time or the finding... | UPDATE |
ADD | events.registry_value_activity.attributes.type_uid.enum.100299 | {'caption': 'Registry Value Activity: Other'} | ADD |
ADD | events.registry_value_activity.attributes.disposition_id.enum.0.description | The disposition was not known. | ADD |
ADD | events.registry_value_activity.attributes.disposition_id.enum.20 | {'caption': 'Count', 'description': 'Counted the request... | ADD |
ADD | events.registry_value_activity.attributes.type_uid.enum.100204 | {'caption': 'Registry Value Activity: Delete'} | ADD |
ADD | events.registry_value_activity.attributes.disposition_id.enum.21 | {'caption': 'Reset', 'description': 'The request was... | ADD |
ADD | events.registry_value_activity.attributes.disposition_id.enum.8.description | A request or submission was approved. For example, when... | ADD |
ADD | events.registry_value_activity.attributes.disposition_id.enum.25 | {'caption': 'Rejected', 'description': "A request or... | ADD |
ADD | events.registry_value_activity.attributes.disposition_id.enum.7.description | A custom action was executed such as running of a... | ADD |
ADD | events.registry_value_activity.attributes.disposition_id.enum.2.description | Denied access or blocked the action to the protected resource. | ADD |
ADD | events.registry_value_activity.attributes.disposition_id.enum.13.description | A corrupt file or configuration was not corrected. | ADD |
ADD | events.registry_value_activity.attributes.disposition_id.enum.19 | {'caption': 'Alert', 'description': 'The request or... | ADD |
ADD | events.registry_value_activity.attributes.activity_id.enum.99 | {'caption': 'Other', 'description': 'The event activity... | ADD |
ADD | events.registry_value_activity.attributes.type_uid.enum.100202 | {'caption': 'Registry Value Activity: Set'} | ADD |
ADD | events.registry_value_activity.attributes.disposition_id.enum.17 | {'caption': 'Logged', 'description': 'The operation or... | ADD |
ADD | events.registry_value_activity.attributes.disposition_id.enum.3.description | A suspicious file or other content was moved to a benign... | ADD |
ADD | events.registry_value_activity.attributes.end_time.requirement | optional | ADD |
ADD | events.registry_value_activity.attributes.action | {'caption': 'Action', 'description': 'The normalized... | ADD |
ADD | events.registry_value_activity.attributes.enrichments.requirement | optional | ADD |
ADD | events.registry_value_activity.attributes.type_uid.enum.100200 | {'caption': 'Registry Value Activity: Unknown'} | ADD |
ADD | events.registry_value_activity.attributes.authorizations | {'requirement': 'optional', 'caption': 'Authorization... | ADD |
ADD | events.registry_value_activity.attributes.disposition_id.enum.11.description | A corrupt file or configuration was corrected. | ADD |
ADD | events.registry_value_activity.attributes.class_uid.enum.1002 | {'caption': 'Registry Value Activity', 'description':... | ADD |
ADD | events.registry_value_activity.attributes.raw_data.requirement | optional | ADD |
ADD | events.registry_value_activity.attributes.unmapped.requirement | optional | ADD |
ADD | events.registry_value_activity.attributes.status_detail.requirement | optional | ADD |
ADD | events.registry_value_activity.attributes.status_id.enum.0.description | The status is unknown. | ADD |
ADD | events.registry_value_activity.attributes.disposition_id.enum.99 | {'caption': 'Other', 'description': 'The disposition is... | ADD |
ADD | events.registry_value_activity.attributes.disposition_id.enum.4.description | A session was isolated on the network or within a browser. | ADD |
ADD | events.registry_value_activity.attributes.action_id | {'caption': 'Action ID', 'description': "The action... | ADD |
ADD | events.registry_value_activity.attributes.disposition_id.enum.6.description | The request was detected as a threat and resulted in the... | ADD |
ADD | events.registry_value_activity.attributes.duration.requirement | optional | ADD |
ADD | events.registry_value_activity.attributes.status_id.enum.99 | {'caption': 'Other', 'description': 'The event status is... | ADD |
ADD | events.registry_value_activity.attributes.type_uid.enum.100203 | {'caption': 'Registry Value Activity: Modify'} | ADD |
ADD | events.registry_value_activity.attributes.disposition_id.enum.18 | {'caption': 'Tagged', 'description': 'A file or other... | ADD |
ADD | events.registry_value_activity.attributes.firewall_rule | {'requirement': 'optional', 'caption': 'Firewall Rule',... | ADD |
ADD | events.registry_value_activity.attributes.disposition_id.enum.5.description | A file or other content was deleted. | ADD |
ADD | events.registry_value_activity.attributes.prev_reg_value | {'requirement': 'optional', 'caption': 'Previous... | ADD |
ADD | events.registry_value_activity.attributes.count.requirement | optional | ADD |
ADD | events.registry_value_activity.attributes.cloud.group | primary | ADD |
ADD | events.registry_value_activity.attributes.status_code.requirement | optional | ADD |
ADD | events.registry_value_activity.attributes.disposition_id.enum.23 | {'caption': 'Challenge', 'description': "Ran a silent... | ADD |
ADD | events.registry_value_activity.attributes.type_uid.enum.100201 | {'caption': 'Registry Value Activity: Get'} | ADD |
ADD | events.registry_value_activity.attributes.disposition_id.enum.26 | {'caption': 'Unauthorized', 'description': "An attempt... | ADD |
ADD | events.registry_value_activity.attributes.disposition_id.enum.24 | {'caption': 'Access Revoked', 'description': "The... | ADD |
ADD | events.registry_value_activity.extension | windows | ADD |
ADD | events.registry_value_activity.attributes.disposition_id.enum.1.description | Granted access or allowed the action to the protected resource. | ADD |
ADD | events.registry_value_activity.attributes.disposition_id.enum.27 | {'caption': 'Error', 'description': 'An error occurred... | ADD |
ADD | events.registry_value_activity.attributes.api | {'requirement': 'optional', 'group': 'context',... | ADD |
ADD | events.registry_value_activity.attributes.severity_id.enum.99 | {'caption': 'Other', 'description': 'The event/finding... | ADD |
ADD | events.registry_value_activity.attributes.start_time.requirement | optional | ADD |
ADD | events.registry_value_activity.attributes.disposition_id.enum.9 | {'caption': 'Restored', 'description': 'A quarantined... | ADD |
ADD | events.registry_value_activity.attributes.disposition_id.enum.12.description | A corrupt file or configuration was partially corrected. | ADD |
ADD | events.registry_value_activity.attributes.disposition_id.enum.16 | {'caption': 'No Action', 'description': 'The outcome of... | ADD |
ADD | events.registry_value_activity.attributes.disposition_id.enum.22 | {'caption': 'Captcha', 'description': 'Required the end... | ADD |
UPDATE | events.registry_value_activity.attributes.status_id.enum.-1 | REMOVE | |
IGNORE | events.registry_value_activity.attributes.category_uid.default | REMOVE | |
UPDATE | events.registry_value_activity.attributes.severity_id.enum.-1 | REMOVE | |
UPDATE | events.registry_value_activity.attributes.activity_id.enum.-1 | REMOVE | |
IGNORE | events.registry_value_activity.attributes.type_uid.enum.100900 | REMOVE | |
IGNORE | events.registry_value_activity.attributes.type_uid.enum.100899 | REMOVE | |
DEPRECATE | events.registry_value_activity.attributes.confidence | {'group': 'classification', 'requirement': 'optional',... | REMOVE |
UPDATE | events.registry_value_activity.attributes.disposition_id.enum.-1 | REMOVE | |
IGNORE | events.registry_value_activity.attributes.class_uid.enum.1009 | REMOVE | |
IGNORE | events.registry_value_activity.attributes.type_uid.enum.100902 | REMOVE | |
DEPRECATE | events.registry_value_activity.attributes.count.default | 1 | REMOVE |
IGNORE | events.registry_value_activity.attributes.class_uid.default | REMOVE | |
IGNORE | events.registry_value_activity.attributes.type_uid.enum.100901 | REMOVE | |
IGNORE | events.registry_value_activity.attributes.type_uid.enum.100904 | REMOVE | |
REMOVE | events.registry_value_activity.attributes.activity_id.$include | REMOVE | |
IGNORE | events.registry_value_activity.attributes.type_uid.enum.100903 | REMOVE | |
DEPRECATE | events.registry_value_activity.attributes.data | {'description': 'Additional data that is associated with... | REMOVE |
DEPRECATE | events.registry_value_activity.attributes.reg_value_result | {'requirement': 'optional', 'caption': 'Registry Value... | REMOVE |
UPDATE | events.registry_value_activity.attributes.type_name.description | The event/finding type name, as defined by the type_uid. | UPDATE |
DEPRECATE | events.registry_value_activity.attributes.disposition_id.enum.10.description | Requires reboot to finish the operation. | UPDATE |
DEPRECATE | events.registry_value_activity.attributes.reg_value.type | registry_value | UPDATE |
REMOVE | events.registry_value_activity.attributes.disposition_id.enum.14.caption | UPDATE | |
REMOVE | events.registry_value_activity.attributes.attacks.caption | UPDATE | |
IGNORE | events.registry_value_activity.attributes.type_uid.type | UPDATE | |
REMOVE | events.registry_value_activity.attributes.disposition_id.enum.10.caption | UPDATE | |
UPDATE | events.registry_value_activity.attributes.metadata.description | The metadata associated with the event or a finding. | UPDATE |
UPDATE | events.registry_value_activity.attributes.time.description | The normalized event occurrence time or the finding... | UPDATE |
UPDATE | events.registry_value_activity.attributes.disposition.description | The disposition name, normalized to the caption of the... | UPDATE |
UPDATE | events.registry_value_activity.attributes.cloud.description | Describes details about the Cloud environment where the... | UPDATE |
REMOVE | events.registry_value_activity.attributes.disposition_id.enum.13.caption | UPDATE | |
REMOVE | events.registry_value_activity.attributes.disposition_id.requirement | UPDATE | |
REMOVE | events.registry_value_activity.attributes.disposition_id.enum.7.caption | UPDATE | |
REMOVE | events.registry_value_activity.attributes.disposition_id.enum.3.caption | UPDATE | |
REMOVE | events.registry_value_activity.attributes.disposition_id.enum.6.caption | UPDATE | |
REMOVE | events.registry_value_activity.attributes.disposition_id.enum.15.caption | UPDATE | |
REMOVE | events.registry_value_activity.attributes.disposition_id.enum.5.caption | UPDATE | |
REMOVE | events.registry_value_activity.attributes.disposition_id.enum.11.caption | UPDATE | |
REMOVE | events.registry_value_activity.attributes.disposition_id.enum.4.caption | UPDATE | |
UPDATE | events.registry_value_activity.attributes.device.description | An addressable device, computer system or host. | UPDATE |
REMOVE | events.registry_value_activity.attributes.disposition_id.enum.12.caption | UPDATE | |
UPDATE | events.registry_value_activity.attributes.malware.requirement | optional | UPDATE |
UPDATE | events.registry_value_activity.attributes.status.description | The event status, normalized to the caption of the... | UPDATE |
IGNORE | events.registry_value_activity.attributes.type_uid.description | UPDATE | |
IGNORE | events.registry_value_activity.profiles | UPDATE | |
DEPRECATE | events.registry_value_activity.attributes.severity_id.enum.0.description | The event severity is not known. | UPDATE |
UPDATE | events.registry_value_activity.attributes.observables.description | The observables associated with the event or a finding. | UPDATE |
UPDATE | events.registry_value_activity.attributes.enrichments.description | The additional information from an external data source,... | UPDATE |
DEPRECATE | events.registry_value_activity.attributes.disposition_id.enum.14.description | No longer suspicious (re-scored). | UPDATE |
REMOVE | events.registry_value_activity.attributes.$include | UPDATE | |
UPDATE | events.registry_value_activity.attributes.malware.description | A list of Malware objects, describing details about the... | UPDATE |
UPDATE | events.registry_value_activity.attributes.severity.description | The event/finding severity, normalized to the caption of... | UPDATE |
UPDATE | events.registry_value_activity.attributes.status_detail.description | The status details contains additional information about... | UPDATE |
UPDATE | events.registry_value_activity.attributes.message.description | The description of the event/finding, as defined by the source. | UPDATE |
IGNORE | events.registry_value_activity.uid | UPDATE | |
REMOVE | events.registry_value_activity.attributes.disposition_id.description | UPDATE | |
REMOVE | events.registry_value_activity.attributes.disposition_id.enum.1.caption | UPDATE | |
REMOVE | events.registry_value_activity.attributes.disposition_id.enum.8.caption | UPDATE | |
DEPRECATE | events.registry_value_activity.attributes.disposition_id.enum.15.description | Marked with extended attributes. | UPDATE |
UPDATE | events.registry_value_activity.attributes.severity_id.description | <p>The normalized identifier of the event/finding... | UPDATE |
UPDATE | events.registry_value_activity.attributes.attacks.description | An array of <a target='_blank'... | UPDATE |
REMOVE | events.registry_value_activity.attributes.disposition_id.enum.2.caption | UPDATE | |
ADD | events.resource_activity.attributes.disposition_id.enum.26 | {'caption': 'Unauthorized', 'description': "An attempt... | ADD |
ADD | events.resource_activity.attributes.type_uid.enum.100300 | {'caption': 'Windows Resource Activity: Unknown'} | ADD |
ADD | events.resource_activity.attributes.authorizations | {'requirement': 'optional', 'caption': 'Authorization... | ADD |
ADD | events.resource_activity.attributes.unmapped.requirement | optional | ADD |
ADD | events.resource_activity.attributes.disposition_id.enum.25 | {'caption': 'Rejected', 'description': "A request or... | ADD |
ADD | events.resource_activity.attributes.disposition_id.enum.24 | {'caption': 'Access Revoked', 'description': "The... | ADD |
ADD | events.resource_activity.attributes.firewall_rule | {'requirement': 'optional', 'caption': 'Firewall Rule',... | ADD |
ADD | events.resource_activity.attributes.disposition_id.enum.8.description | A request or submission was approved. For example, when... | ADD |
ADD | events.resource_activity.attributes.win_resource | {'group': 'primary', 'requirement': 'required',... | ADD |
ADD | events.resource_activity.extension | windows | ADD |
ADD | events.resource_activity.attributes.disposition_id.enum.4.description | A session was isolated on the network or within a browser. | ADD |
ADD | events.resource_activity.attributes.disposition_id.enum.20 | {'caption': 'Count', 'description': 'Counted the request... | ADD |
ADD | events.resource_activity.attributes.disposition_id.enum.5.description | A file or other content was deleted. | ADD |
ADD | events.resource_activity.attributes.end_time.requirement | optional | ADD |
ADD | events.resource_activity.attributes.cloud.group | primary | ADD |
ADD | events.resource_activity.attributes.disposition_id.enum.1.description | Granted access or allowed the action to the protected resource. | ADD |
ADD | events.resource_activity.attributes.status_id.enum.99 | {'caption': 'Other', 'description': 'The event status is... | ADD |
ADD | events.resource_activity.attributes.disposition_id.enum.18 | {'caption': 'Tagged', 'description': 'A file or other... | ADD |
ADD | events.resource_activity.attributes.disposition_id.enum.13.description | A corrupt file or configuration was not corrected. | ADD |
ADD | events.resource_activity.attributes.status_id.enum.0.description | The status is unknown. | ADD |
ADD | events.resource_activity.attributes.disposition_id.enum.17 | {'caption': 'Logged', 'description': 'The operation or... | ADD |
ADD | events.resource_activity.attributes.disposition_id.enum.22 | {'caption': 'Captcha', 'description': 'Required the end... | ADD |
ADD | events.resource_activity.attributes.disposition_id.enum.19 | {'caption': 'Alert', 'description': 'The request or... | ADD |
ADD | events.resource_activity.attributes.disposition_id.enum.23 | {'caption': 'Challenge', 'description': "Ran a silent... | ADD |
ADD | events.resource_activity.attributes.disposition_id.enum.11.description | A corrupt file or configuration was corrected. | ADD |
ADD | events.resource_activity.attributes.activity_id.enum.99 | {'caption': 'Other', 'description': 'The event activity... | ADD |
ADD | events.resource_activity.attributes.disposition_id.enum.6.description | The request was detected as a threat and resulted in the... | ADD |
ADD | events.resource_activity.attributes.count.requirement | optional | ADD |
ADD | events.resource_activity.attributes.start_time.requirement | optional | ADD |
ADD | events.resource_activity.attributes.disposition_id.enum.7.description | A custom action was executed such as running of a... | ADD |
ADD | events.resource_activity.attributes.disposition_id.enum.0.description | The disposition was not known. | ADD |
ADD | events.resource_activity.attributes.status_code.requirement | optional | ADD |
ADD | events.resource_activity.attributes.action | {'caption': 'Action', 'description': 'The normalized... | ADD |
ADD | events.resource_activity.attributes.disposition_id.enum.12.description | A corrupt file or configuration was partially corrected. | ADD |
ADD | events.resource_activity.attributes.class_uid.enum.1003 | {'caption': 'Windows Resource Activity', 'description':... | ADD |
ADD | events.resource_activity.attributes.disposition_id.enum.99 | {'caption': 'Other', 'description': 'The disposition is... | ADD |
ADD | events.resource_activity.attributes.disposition_id.enum.3.description | A suspicious file or other content was moved to a benign... | ADD |
ADD | events.resource_activity.attributes.duration.requirement | optional | ADD |
ADD | events.resource_activity.attributes.action_id | {'caption': 'Action ID', 'description': "The action... | ADD |
ADD | events.resource_activity.attributes.status_detail.requirement | optional | ADD |
ADD | events.resource_activity.attributes.disposition_id.enum.27 | {'caption': 'Error', 'description': 'An error occurred... | ADD |
ADD | events.resource_activity.attributes.raw_data.requirement | optional | ADD |
ADD | events.resource_activity.attributes.disposition_id.enum.21 | {'caption': 'Reset', 'description': 'The request was... | ADD |
ADD | events.resource_activity.attributes.disposition_id.enum.2.description | Denied access or blocked the action to the protected resource. | ADD |
ADD | events.resource_activity.attributes.enrichments.requirement | optional | ADD |
ADD | events.resource_activity.attributes.api | {'requirement': 'optional', 'group': 'context',... | ADD |
ADD | events.resource_activity.attributes.disposition_id.enum.9 | {'caption': 'Restored', 'description': 'A quarantined... | ADD |
ADD | events.resource_activity.attributes.disposition_id.enum.16 | {'caption': 'No Action', 'description': 'The outcome of... | ADD |
ADD | events.resource_activity.attributes.type_uid.enum.100399 | {'caption': 'Windows Resource Activity: Other'} | ADD |
ADD | events.resource_activity.attributes.type_uid.enum.100301 | {'caption': 'Windows Resource Activity: Access'} | ADD |
ADD | events.resource_activity.attributes.severity_id.enum.99 | {'caption': 'Other', 'description': 'The event/finding... | ADD |
IGNORE | events.resource_activity.attributes.type_uid.enum.101000 | REMOVE | |
IGNORE | events.resource_activity.attributes.type_uid.enum.101001 | REMOVE | |
UPDATE | events.resource_activity.attributes.severity_id.enum.-1 | REMOVE | |
DEPRECATE | events.resource_activity.attributes.data | {'description': 'Additional data that is associated with... | REMOVE |
DEPRECATE | events.resource_activity.attributes.resource | {'description': 'The resource that was accessed.',... | REMOVE |
IGNORE | events.resource_activity.attributes.class_uid.default | REMOVE | |
DEPRECATE | events.resource_activity.attributes.count.default | 1 | REMOVE |
IGNORE | events.resource_activity.attributes.category_uid.default | REMOVE | |
IGNORE | events.resource_activity.attributes.type_uid.enum.100999 | REMOVE | |
DEPRECATE | events.resource_activity.attributes.confidence | {'group': 'classification', 'requirement': 'optional',... | REMOVE |
UPDATE | events.resource_activity.attributes.disposition_id.enum.-1 | REMOVE | |
UPDATE | events.resource_activity.attributes.activity_id.enum.-1 | REMOVE | |
REMOVE | events.resource_activity.attributes.activity_id.$include | REMOVE | |
UPDATE | events.resource_activity.attributes.status_id.enum.-1 | REMOVE | |
IGNORE | events.resource_activity.attributes.class_uid.enum.1010 | REMOVE | |
REMOVE | events.resource_activity.attributes.attacks.caption | UPDATE | |
REMOVE | events.resource_activity.attributes.disposition_id.enum.6.caption | UPDATE | |
UPDATE | events.resource_activity.attributes.time.description | The normalized event occurrence time or the finding... | UPDATE |
REMOVE | events.resource_activity.attributes.disposition_id.enum.3.caption | UPDATE | |
IGNORE | events.resource_activity.uid | UPDATE | |
REMOVE | events.resource_activity.attributes.disposition_id.enum.14.caption | UPDATE | |
UPDATE | events.resource_activity.attributes.malware.requirement | optional | UPDATE |
DEPRECATE | events.resource_activity.attributes.disposition_id.enum.10.description | Requires reboot to finish the operation. | UPDATE |
UPDATE | events.resource_activity.attributes.enrichments.description | The additional information from an external data source,... | UPDATE |
UPDATE | events.resource_activity.attributes.malware.description | A list of Malware objects, describing details about the... | UPDATE |
UPDATE | events.resource_activity.caption | Windows Resource Activity | UPDATE |
DEPRECATE | events.resource_activity.attributes.severity_id.enum.0.description | The event severity is not known. | UPDATE |
IGNORE | events.resource_activity.attributes.type_uid.type | UPDATE | |
UPDATE | events.resource_activity.attributes.status.description | The event status, normalized to the caption of the... | UPDATE |
REMOVE | events.resource_activity.attributes.disposition_id.enum.8.caption | UPDATE | |
IGNORE | events.resource_activity.profiles | UPDATE | |
REMOVE | events.resource_activity.attributes.disposition_id.enum.12.caption | UPDATE | |
UPDATE | events.resource_activity.attributes.severity_id.description | <p>The normalized identifier of the event/finding... | UPDATE |
REMOVE | events.resource_activity.attributes.$include | UPDATE | |
UPDATE | events.resource_activity.attributes.observables.description | The observables associated with the event or a finding. | UPDATE |
UPDATE | events.resource_activity.attributes.severity.description | The event/finding severity, normalized to the caption of... | UPDATE |
REMOVE | events.resource_activity.attributes.disposition_id.enum.11.caption | UPDATE | |
REMOVE | events.resource_activity.attributes.disposition_id.enum.10.caption | UPDATE | |
UPDATE | events.resource_activity.attributes.actor.description | The actor object describes details about the... | UPDATE |
DEPRECATE | events.resource_activity.attributes.disposition_id.enum.14.description | No longer suspicious (re-scored). | UPDATE |
IGNORE | events.resource_activity.attributes.type_uid.description | UPDATE | |
REMOVE | events.resource_activity.attributes.disposition_id.enum.2.caption | UPDATE | |
DEPRECATE | events.resource_activity.attributes.disposition_id.enum.15.description | Marked with extended attributes. | UPDATE |
REMOVE | events.resource_activity.attributes.disposition_id.enum.5.caption | UPDATE | |
REMOVE | events.resource_activity.attributes.disposition_id.enum.4.caption | UPDATE | |
REMOVE | events.resource_activity.attributes.disposition_id.enum.7.caption | UPDATE | |
UPDATE | events.resource_activity.attributes.status_detail.description | The status details contains additional information about... | UPDATE |
UPDATE | events.resource_activity.attributes.cloud.description | Describes details about the Cloud environment where the... | UPDATE |
UPDATE | events.resource_activity.attributes.disposition.description | The disposition name, normalized to the caption of the... | UPDATE |
REMOVE | events.resource_activity.attributes.disposition_id.enum.15.caption | | UPDATE |
UPDATE | events.resource_activity.attributes.message.description | The description of the event/finding, as defined by the source. | UPDATE |
UPDATE | events.resource_activity.attributes.device.description | An addressable device, computer system or host. | UPDATE |
REMOVE | events.resource_activity.attributes.disposition_id.enum.13.caption | | UPDATE |
UPDATE | events.resource_activity.description | Windows Resource Activity events report when a process... | UPDATE |
UPDATE | events.resource_activity.attributes.metadata.description | The metadata associated with the event or a finding. | UPDATE |
REMOVE | events.resource_activity.attributes.disposition_id.enum.1.caption | | UPDATE |
UPDATE | events.resource_activity.attributes.type_name.description | The event/finding type name, as defined by the type_uid. | UPDATE |
REMOVE | events.resource_activity.attributes.disposition_id.description | | UPDATE |
UPDATE | events.resource_activity.attributes.attacks.description | An array of <a target='_blank'... | UPDATE |
REMOVE | events.resource_activity.attributes.disposition_id.requirement | | UPDATE |
ADD | events.prefetch_info.attributes.type_uid.enum.501905 | {'caption': 'Prefetch Info: Unsupported'} | ADD |
ADD | events.prefetch_info.attributes.$include | ['profiles/host.json'] | ADD |
ADD | events.prefetch_info.attributes.unmapped.requirement | optional | ADD |
ADD | events.prefetch_info.attributes.duration.requirement | optional | ADD |
ADD | events.prefetch_info.attributes.raw_data.requirement | optional | ADD |
ADD | events.prefetch_info.attributes.actor | {'requirement': 'optional', 'caption': 'Actor',... | ADD |
ADD | events.prefetch_info.attributes.type_uid.enum.501999 | {'caption': 'Prefetch Info: Other'} | ADD |
ADD | events.prefetch_info.attributes.status_id.enum.0.description | The status is unknown. | ADD |
ADD | events.prefetch_info.attributes.end_time.requirement | optional | ADD |
ADD | events.prefetch_info.attributes.api | {'requirement': 'optional', 'group': 'context',... | ADD |
ADD | events.prefetch_info.attributes.type_uid.enum.501901 | {'caption': 'Prefetch Info: Exists'} | ADD |
ADD | events.prefetch_info.attributes.status_detail.requirement | optional | ADD |
ADD | events.prefetch_info.attributes.category_uid.enum.5 | {'caption': 'Discovery', 'description': 'Discovery... | ADD |
ADD | events.prefetch_info.attributes.cloud.group | primary | ADD |
ADD | events.prefetch_info.attributes.activity_id.enum.1.description | The target was found. | ADD |
ADD | events.prefetch_info.attributes.device | {'requirement': 'recommended', 'caption': 'Device',... | ADD |
ADD | events.prefetch_info.attributes.type_uid.enum.501903 | {'caption': 'Prefetch Info: Does not exist'} | ADD |
ADD | events.prefetch_info.attributes.count.requirement | optional | ADD |
ADD | events.prefetch_info.attributes.start_time.requirement | optional | ADD |
ADD | events.prefetch_info.attributes.class_uid.enum.5019 | {'caption': 'Prefetch Info', 'description': 'Prefetch... | ADD |
ADD | events.prefetch_info.attributes.status_id.enum.99 | {'caption': 'Other', 'description': 'The event status is... | ADD |
ADD | events.prefetch_info.attributes.severity_id.enum.99 | {'caption': 'Other', 'description': 'The event/finding... | ADD |
ADD | events.prefetch_info.attributes.activity_id.enum.99 | {'caption': 'Other', 'description': 'The event activity... | ADD |
ADD | events.prefetch_info.attributes.status_code.requirement | optional | ADD |
ADD | events.prefetch_info.attributes.activity_id.enum.5 | {'caption': 'Unsupported', 'description': 'Discovery of... | ADD |
ADD | events.prefetch_info.attributes.activity_id.enum.4 | {'caption': 'Error', 'description': 'The discovery... | ADD |
ADD | events.prefetch_info.attributes.type_uid.enum.501900 | {'caption': 'Prefetch Info: Unknown'} | ADD |
ADD | events.prefetch_info.attributes.enrichments.requirement | optional | ADD |
ADD | events.prefetch_info.attributes.activity_id.enum.2.description | The target was partially found. | ADD |
ADD | events.prefetch_info.attributes.type_uid.enum.501902 | {'caption': 'Prefetch Info: Partial'} | ADD |
ADD | events.prefetch_info.attributes.activity_id.enum.3 | {'caption': 'Does not exist', 'description': 'The target... | ADD |
ADD | events.prefetch_info.attributes.type_uid.enum.501904 | {'caption': 'Prefetch Info: Error'} | ADD |
IGNORE | events.prefetch_info.attributes.type_uid.enum.3201000 | | REMOVE |
DEPRECATE | events.prefetch_info.attributes.confidence | {'group': 'classification', 'requirement': 'optional',... | REMOVE |
UPDATE | events.prefetch_info.attributes.activity_id.enum.-1 | | REMOVE |
UPDATE | events.prefetch_info.attributes.status_id.enum.-1 | | REMOVE |
IGNORE | events.prefetch_info.attributes.class_uid.enum.32010 | | REMOVE |
DEPRECATE | events.prefetch_info.attributes.count.default | 1 | REMOVE |
IGNORE | events.prefetch_info.attributes.type_uid.enum.3201001 | | REMOVE |
DEPRECATE | events.prefetch_info.attributes.command_uid | {'description': 'The unique identifier of the discovery... | REMOVE |
IGNORE | events.prefetch_info.attributes.type_uid.enum.3200999 | | REMOVE |
IGNORE | events.prefetch_info.attributes.category_uid.enum.32 | | REMOVE |
IGNORE | events.prefetch_info.attributes.category_uid.default | | REMOVE |
IGNORE | events.prefetch_info.attributes.type_uid.enum.3201002 | | REMOVE |
UPDATE | events.prefetch_info.attributes.severity_id.enum.-1 | | REMOVE |
DEPRECATE | events.prefetch_info.attributes.data | {'description': 'Additional data that is associated with... | REMOVE |
REMOVE | events.prefetch_info.attributes.activity_id.$include | | REMOVE |
IGNORE | events.prefetch_info.attributes.class_uid.default | | REMOVE |
DEPRECATE | events.prefetch_info.attributes.scan_uid | {'description': 'The unique identifier of the discovery... | REMOVE |
DEPRECATE | events.prefetch_info.attributes.severity_id.enum.0.description | The event severity is not known. | UPDATE |
UPDATE | events.prefetch_info.attributes.status.description | The event status, normalized to the caption of the... | UPDATE |
IGNORE | events.prefetch_info.uid | | UPDATE |
IGNORE | events.prefetch_info.profiles | | UPDATE |
UPDATE | events.prefetch_info.attributes.status_detail.description | The status details contains additional information about... | UPDATE |
UPDATE | events.prefetch_info.attributes.cloud.description | Describes details about the Cloud environment where the... | UPDATE |
UPDATE | events.prefetch_info.attributes.metadata.description | The metadata associated with the event or a finding. | UPDATE |
UPDATE | events.prefetch_info.attributes.enrichments.description | The additional information from an external data source,... | UPDATE |
UPDATE | events.prefetch_info.attributes.severity.description | The event/finding severity, normalized to the caption of... | UPDATE |
UPDATE | events.prefetch_info.attributes.observables.description | The observables associated with the event or a finding. | UPDATE |
IGNORE | events.prefetch_info.attributes.type_uid.description | | UPDATE |
IGNORE | events.prefetch_info.attributes.type_uid.type | | UPDATE |
UPDATE | events.prefetch_info.attributes.severity_id.description | <p>The normalized identifier of the event/finding... | UPDATE |
UPDATE | events.prefetch_info.attributes.time.description | The normalized event occurrence time or the finding... | UPDATE |
UPDATE | events.prefetch_info.attributes.type_name.description | The event/finding type name, as defined by the type_uid. | UPDATE |
UPDATE | events.prefetch_info.attributes.message.description | The description of the event/finding, as defined by the source. | UPDATE |
ADD | events.registry_key_info.attributes.category_uid.enum.5 | {'caption': 'Discovery', 'description': 'Discovery... | ADD |
ADD | events.registry_key_info.attributes.$include | ['profiles/host.json'] | ADD |
ADD | events.registry_key_info.attributes.activity_id.enum.3 | {'caption': 'Does not exist', 'description': 'The target... | ADD |
ADD | events.registry_key_info.attributes.cloud.group | primary | ADD |
ADD | events.registry_key_info.attributes.type_uid.enum.500404 | {'caption': 'Registry Key Info: Error'} | ADD |
ADD | events.registry_key_info.attributes.raw_data.requirement | optional | ADD |
ADD | events.registry_key_info.attributes.class_uid.enum.5004 | {'caption': 'Registry Key Info', 'description':... | ADD |
ADD | events.registry_key_info.attributes.activity_id.enum.1.description | The target was found. | ADD |
ADD | events.registry_key_info.attributes.unmapped.requirement | optional | ADD |
ADD | events.registry_key_info.attributes.type_uid.enum.500499 | {'caption': 'Registry Key Info: Other'} | ADD |
ADD | events.registry_key_info.attributes.type_uid.enum.500403 | {'caption': 'Registry Key Info: Does not exist'} | ADD |
ADD | events.registry_key_info.attributes.activity_id.enum.99 | {'caption': 'Other', 'description': 'The event activity... | ADD |
ADD | events.registry_key_info.attributes.duration.requirement | optional | ADD |
ADD | events.registry_key_info.attributes.actor | {'requirement': 'optional', 'caption': 'Actor',... | ADD |
ADD | events.registry_key_info.attributes.activity_id.enum.4 | {'caption': 'Error', 'description': 'The discovery... | ADD |
ADD | events.registry_key_info.attributes.status_code.requirement | optional | ADD |
ADD | events.registry_key_info.attributes.severity_id.enum.99 | {'caption': 'Other', 'description': 'The event/finding... | ADD |
ADD | events.registry_key_info.attributes.status_id.enum.99 | {'caption': 'Other', 'description': 'The event status is... | ADD |
ADD | events.registry_key_info.attributes.api | {'requirement': 'optional', 'group': 'context',... | ADD |
ADD | events.registry_key_info.attributes.activity_id.enum.5 | {'caption': 'Unsupported', 'description': 'Discovery of... | ADD |
ADD | events.registry_key_info.attributes.device | {'requirement': 'recommended', 'caption': 'Device',... | ADD |
ADD | events.registry_key_info.attributes.count.requirement | optional | ADD |
ADD | events.registry_key_info.attributes.activity_id.enum.2.description | The target was partially found. | ADD |
ADD | events.registry_key_info.attributes.type_uid.enum.500402 | {'caption': 'Registry Key Info: Partial'} | ADD |
ADD | events.registry_key_info.attributes.status_detail.requirement | optional | ADD |
ADD | events.registry_key_info.attributes.type_uid.enum.500401 | {'caption': 'Registry Key Info: Exists'} | ADD |
ADD | events.registry_key_info.attributes.type_uid.enum.500400 | {'caption': 'Registry Key Info: Unknown'} | ADD |
ADD | events.registry_key_info.attributes.enrichments.requirement | optional | ADD |
ADD | events.registry_key_info.attributes.type_uid.enum.500405 | {'caption': 'Registry Key Info: Unsupported'} | ADD |
ADD | events.registry_key_info.attributes.end_time.requirement | optional | ADD |
ADD | events.registry_key_info.attributes.status_id.enum.0.description | The status is unknown. | ADD |
ADD | events.registry_key_info.attributes.start_time.requirement | optional | ADD |
UPDATE | events.registry_key_info.attributes.activity_id.enum.-1 | | REMOVE |
IGNORE | events.registry_key_info.attributes.class_uid.default | | REMOVE |
IGNORE | events.registry_key_info.attributes.category_uid.enum.32 | | REMOVE |
DEPRECATE | events.registry_key_info.attributes.data | {'description': 'Additional data that is associated with... | REMOVE |
UPDATE | events.registry_key_info.attributes.status_id.enum.-1 | | REMOVE |
DEPRECATE | events.registry_key_info.attributes.scan_uid | {'description': 'The unique identifier of the discovery... | REMOVE |
IGNORE | events.registry_key_info.attributes.type_uid.enum.3201199 | | REMOVE |
DEPRECATE | events.registry_key_info.attributes.confidence | {'group': 'classification', 'requirement': 'optional',... | REMOVE |
DEPRECATE | events.registry_key_info.attributes.command_uid | {'description': 'The unique identifier of the discovery... | REMOVE |
IGNORE | events.registry_key_info.attributes.type_uid.enum.3201201 | | REMOVE |
IGNORE | events.registry_key_info.attributes.category_uid.default | | REMOVE |
DEPRECATE | events.registry_key_info.attributes.count.default | 1 | REMOVE |
REMOVE | events.registry_key_info.attributes.activity_id.$include | | REMOVE |
IGNORE | events.registry_key_info.attributes.type_uid.enum.3201202 | | REMOVE |
IGNORE | events.registry_key_info.attributes.class_uid.enum.32012 | | REMOVE |
IGNORE | events.registry_key_info.attributes.type_uid.enum.3201200 | | REMOVE |
UPDATE | events.registry_key_info.attributes.severity_id.enum.-1 | | REMOVE |
UPDATE | events.registry_key_info.attributes.message.description | The description of the event/finding, as defined by the source. | UPDATE |
UPDATE | events.registry_key_info.attributes.status.description | The event status, normalized to the caption of the... | UPDATE |
UPDATE | events.registry_key_info.attributes.metadata.description | The metadata associated with the event or a finding. | UPDATE |
DEPRECATE | events.registry_key_info.attributes.severity_id.enum.0.description | The event severity is not known. | UPDATE |
UPDATE | events.registry_key_info.attributes.severity_id.description | <p>The normalized identifier of the event/finding... | UPDATE |
UPDATE | events.registry_key_info.attributes.observables.description | The observables associated with the event or a finding. | UPDATE |
UPDATE | events.registry_key_info.description | Registry Key Info events report information about... | UPDATE |
UPDATE | events.registry_key_info.attributes.reg_key.description | The registry key that pertains to the event. | UPDATE |
IGNORE | events.registry_key_info.attributes.type_uid.type | | UPDATE |
DEPRECATE | events.registry_key_info.attributes.reg_key.type | registry_key | UPDATE |
UPDATE | events.registry_key_info.attributes.type_name.description | The event/finding type name, as defined by the type_uid. | UPDATE |
UPDATE | events.registry_key_info.attributes.cloud.description | Describes details about the Cloud environment where the... | UPDATE |
IGNORE | events.registry_key_info.uid | | UPDATE |
IGNORE | events.registry_key_info.profiles | | UPDATE |
UPDATE | events.registry_key_info.attributes.enrichments.description | The additional information from an external data source,... | UPDATE |
UPDATE | events.registry_key_info.attributes.severity.description | The event/finding severity, normalized to the caption of... | UPDATE |
UPDATE | events.registry_key_info.attributes.status_detail.description | The status details contains additional information about... | UPDATE |
UPDATE | events.registry_key_info.attributes.time.description | The normalized event occurrence time or the finding... | UPDATE |
IGNORE | events.registry_key_info.attributes.type_uid.description | | UPDATE |
ADD | events.email_delivery_activity.attributes.type_uid.enum.402999 | {'caption': 'Email Delivery Activity: Other'} | ADD |
ADD | events.email_delivery_activity.attributes.type_uid.enum.403002 | {'caption': 'Email Delivery Activity: Failed'} | ADD |
ADD | events.email_delivery_activity.attributes.severity_id.enum.99 | {'caption': 'Other', 'description': 'The event/finding... | ADD |
ADD | events.email_delivery_activity.attributes.type_uid.enum.403000 | {'caption': 'Email Delivery Activity: Unknown'} | ADD |
ADD | events.email_delivery_activity.attributes.disposition_id.enum.99 | {'caption': 'Other', 'description': 'The disposition is... | ADD |
ADD | events.email_delivery_activity.attributes.type_uid.enum.403001 | {'caption': 'Email Delivery Activity: Delivered'} | ADD |
ADD | events.email_delivery_activity.attributes.class_uid.enum.4030 | {'caption': 'Email Delivery Activity', 'description':... | ADD |
ADD | events.email_delivery_activity.attributes.category_uid.enum.4 | {'caption': 'Network Activity', 'description': 'Network... | ADD |
ADD | events.email_delivery_activity.attributes.type_uid.enum.403003 | {'caption': 'Email Delivery Activity: Temporary Failure'} | ADD |
ADD | events.email_delivery_activity.attributes.status_id.enum.99 | {'caption': 'Other', 'description': 'The event status is... | ADD |
ADD | events.email_delivery_activity.@deprecated | {'since': '1.1.0', 'message': 'Deprecated in upgrade... | ADD |
ADD | events.email_delivery_activity.attributes.disposition_id.enum.0.description | The disposition is unknown. | ADD |
ADD | events.email_delivery_activity.attributes.activity_id.enum.99 | {'caption': 'Other', 'description': 'The event activity... | ADD |
ADD | events.email_delivery_activity.attributes.status_id.enum.0.description | The status is unknown. | ADD |
DEPRECATE | events.email_delivery_activity.attributes.email_auth | {'requirement': 'recommended', 'group': 'primary',... | REMOVE |
IGNORE | events.email_delivery_activity.attributes.type_uid.enum.100000 | | REMOVE |
REMOVE | events.email_delivery_activity.attributes.$include | | REMOVE |
IGNORE | events.email_delivery_activity.attributes.type_uid.enum.99999 | | REMOVE |
IGNORE | events.email_delivery_activity.attributes.category_uid.default | | REMOVE |
DEPRECATE | events.email_delivery_activity.attributes.sender_ip | {'requirement': 'optional', 'group': 'context',... | REMOVE |
DEPRECATE | events.email_delivery_activity.attributes.receiver_ip | {'requirement': 'optional', 'group': 'context',... | REMOVE |
DEPRECATE | events.email_delivery_activity.attributes.receiver_hostname | {'requirement': 'optional', 'group': 'context',... | REMOVE |
DEPRECATE | events.email_delivery_activity.attributes.dkim_signature | {'requirement': 'recommended', 'group': 'context',... | REMOVE |
DEPRECATE | events.email_delivery_activity.attributes.category_name | {'requirement': 'optional', 'caption': 'Category',... | REMOVE |
IGNORE | events.email_delivery_activity.attributes.type_uid.enum.100003 | | REMOVE |
IGNORE | events.email_delivery_activity.attributes.category_uid.requirement | | REMOVE |
IGNORE | events.email_delivery_activity.attributes.class_uid.enum.1000 | | REMOVE |
DEPRECATE | events.email_delivery_activity.attributes.attempt | {'requirement': 'recommended', 'group': 'context',... | REMOVE |
DEPRECATE | events.email_delivery_activity.attributes.connection_uid | {'requirement': 'optional', 'group': 'context',... | REMOVE |
PRESERVE | events.email_delivery_activity.associations | {'device': ['actor.user'], 'actor.user': ['device']} | REMOVE |
IGNORE | events.email_delivery_activity.attributes.type_uid.enum.100002 | | REMOVE |
IGNORE | events.email_delivery_activity.attributes.type_uid.enum.100001 | | REMOVE |
DEPRECATE | events.email_delivery_activity.attributes.sender_hostname | {'requirement': 'optional', 'group': 'context',... | REMOVE |
IGNORE | events.email_delivery_activity.extension | | REMOVE |
DEPRECATE | events.email_delivery_activity.attributes.email_uid | {'requirement': 'recommended', 'group': 'primary',... | REMOVE |
IGNORE | events.email_delivery_activity.attributes.class_uid.default | | REMOVE |
IGNORE | events.email_delivery_activity.attributes.type_uid.requirement | | REMOVE |
DEPRECATE | events.email_delivery_activity.attributes.class_name | {'requirement': 'optional', 'caption': 'Class',... | REMOVE |
DEPRECATE | events.email_delivery_activity.attributes.banner | {'requirement': 'optional', 'group': 'context',... | REMOVE |
IGNORE | events.email_delivery_activity.attributes.class_uid.requirement | | REMOVE |
IGNORE | events.email_delivery_activity.attributes.category_uid.enum.1 | | REMOVE |
IGNORE | events.email_delivery_activity.extends | | REMOVE |
DEPRECATE | events.email_delivery_activity.attributes.email | {'requirement': 'required', 'group': 'primary',... | REMOVE |
REMOVE | events.email_delivery_activity.attributes.activity_id.$include | | REMOVE |
IGNORE | events.email_delivery_activity.attributes.type_uid.description | | UPDATE |
IGNORE | events.email_delivery_activity.attributes.type_uid.type | | UPDATE |
IGNORE | events.email_delivery_activity.uid | | UPDATE |
UPDATE | events.email_delivery_activity.attributes.device.description | An addressable device, computer system or host. | UPDATE |
UPDATE | events.email_delivery_activity.category | network | UPDATE |
UPDATE | events.email_delivery_activity.attributes.actor.description | The actor object describes details about the... | UPDATE |
ADD | events.security_finding.attributes.evidence | {'group': 'context', 'requirement': 'optional',... | ADD |
ADD | events.security_finding.@deprecated | {'message': 'Use the new specific classes according to... | ADD |
ADD | events.security_finding.attributes.severity_id.enum.99 | {'caption': 'Other', 'description': 'The event/finding... | ADD |
ADD | events.security_finding.attributes.data_sources | {'group': 'context', 'requirement': 'optional',... | ADD |
ADD | events.security_finding.attributes.risk_level_id | {'group': 'primary', 'requirement': 'optional',... | ADD |
ADD | events.security_finding.attributes.cloud.group | primary | ADD |
ADD | events.security_finding.attributes.enrichments.requirement | optional | ADD |
ADD | events.security_finding.attributes.count.requirement | optional | ADD |
ADD | events.security_finding.attributes.raw_data.requirement | optional | ADD |
ADD | events.security_finding.attributes.status_detail.requirement | optional | ADD |
ADD | events.security_finding.attributes.cis_csc | {'group': 'context', 'requirement': 'optional',... | ADD |
ADD | events.security_finding.attributes.status_id.enum.0.description | The status is unknown. | ADD |
ADD | events.security_finding.attributes.activity_id.enum.99 | {'caption': 'Other', 'description': 'The event activity... | ADD |
ADD | events.security_finding.attributes.risk_level | {'group': 'primary', 'requirement': 'optional',... | ADD |
ADD | events.security_finding.attributes.type_uid.enum.200103 | {'caption': 'Security Finding: Close'} | ADD |
ADD | events.security_finding.attributes.analytic | {'group': 'primary', 'requirement': 'recommended',... | ADD |
ADD | events.security_finding.attributes.impact_score | {'group': 'primary', 'requirement': 'optional',... | ADD |
ADD | events.security_finding.attributes.start_time.requirement | optional | ADD |
ADD | events.security_finding.attributes.status_code.requirement | optional | ADD |
ADD | events.security_finding.attributes.activity_id.enum.3 | {'caption': 'Close', 'description': 'A security finding... | ADD |
ADD | events.security_finding.attributes.impact | {'group': 'primary', 'requirement': 'optional',... | ADD |
ADD | events.security_finding.attributes.kill_chain | {'group': 'context', 'requirement': 'optional',... | ADD |
ADD | events.security_finding.attributes.duration.requirement | optional | ADD |
ADD | events.security_finding.attributes.nist | {'group': 'context', 'requirement': 'optional',... | ADD |
ADD | events.security_finding.attributes.unmapped.requirement | optional | ADD |
ADD | events.security_finding.attributes.risk_score | {'group': 'primary', 'requirement': 'optional',... | ADD |
ADD | events.security_finding.attributes.api | {'requirement': 'optional', 'group': 'context',... | ADD |
ADD | events.security_finding.attributes.status_id.enum.99 | {'caption': 'Other', 'description': 'The event status is... | ADD |
ADD | events.security_finding.attributes.impact_id | {'group': 'primary', 'requirement': 'recommended',... | ADD |
ADD | events.security_finding.attributes.confidence_id | {'group': 'primary', 'requirement': 'recommended',... | ADD |
ADD | events.security_finding.attributes.type_uid.enum.200199 | {'caption': 'Security Finding: Other'} | ADD |
ADD | events.security_finding.attributes.state_id.enum.99 | {'caption': 'Other', 'description': 'The state is not... | ADD |
ADD | events.security_finding.attributes.state_id.enum.0.description | The state is unknown. | ADD |
ADD | events.security_finding.attributes.confidence_score | {'group': 'primary', 'requirement': 'optional',... | ADD |
ADD | events.security_finding.attributes.end_time.requirement | optional | ADD |
DEPRECATE | events.security_finding.attributes.data | {'description': 'Additional data that is associated with... | REMOVE |
UPDATE | events.security_finding.attributes.status_id.enum.-1 | | REMOVE |
REMOVE | events.security_finding.attributes.activity_id.$include | | REMOVE |
IGNORE | events.security_finding.attributes.class_uid.default | | REMOVE |
UPDATE | events.security_finding.attributes.severity_id.enum.-1 | | REMOVE |
IGNORE | events.security_finding.attributes.type_uid.enum.200099 | | REMOVE |
IGNORE | events.security_finding.attributes.category_uid.default | | REMOVE |
DEPRECATE | events.security_finding.attributes.disposition | {'requirement': 'optional', 'caption': 'Disposition',... | REMOVE |
UPDATE | events.security_finding.attributes.activity_id.enum.-1 | | REMOVE |
UPDATE | events.security_finding.attributes.state_id.enum.-1 | | REMOVE |
DEPRECATE | events.security_finding.attributes.disposition_id | {'requirement': 'required', 'caption': 'Disposition ID',... | REMOVE |
DEPRECATE | events.security_finding.attributes.count.default | 1 | REMOVE |
DEPRECATE | events.security_finding.attributes.confidence.group | classification | UPDATE |
UPDATE | events.security_finding.attributes.malware.requirement | optional | UPDATE |
IGNORE | events.security_finding.attributes.type_uid.description | | UPDATE |
UPDATE | events.security_finding.attributes.activity_id.enum.2.description | A security finding was updated. | UPDATE |
UPDATE | events.security_finding.attributes.confidence.description | The confidence, normalized to the caption of the... | UPDATE |
UPDATE | events.security_finding.attributes.message.description | The description of the event/finding, as defined by the source. | UPDATE |
IGNORE | events.security_finding.attributes.type_uid.type | | UPDATE |
REMOVE | events.security_finding.attributes.attacks.caption | | UPDATE |
UPDATE | events.security_finding.attributes.enrichments.description | The additional information from an external data source,... | UPDATE |
UPDATE | events.security_finding.attributes.device.description | An addressable device, computer system or host. | UPDATE |
UPDATE | events.security_finding.attributes.activity_id.enum.1.caption | Create | UPDATE |
UPDATE | events.security_finding.attributes.metadata.description | The metadata associated with the event or a finding. | UPDATE |
UPDATE | events.security_finding.attributes.activity_id.enum.1.description | A security finding was created. | UPDATE |
PRESERVE | events.security_finding.attributes.resources.type | resource | UPDATE |
PRESERVE | events.security_finding.attributes.resources.description | A list of resources associated to an event. | UPDATE |
UPDATE | events.security_finding.attributes.cloud.description | Describes details about the Cloud environment where the... | UPDATE |
IGNORE | events.security_finding.profiles | | UPDATE |
UPDATE | events.security_finding.attributes.vulnerabilities.description | This object describes vulnerabilities reported in a... | UPDATE |
UPDATE | events.security_finding.attributes.observables.description | The observables associated with the event or a finding. | UPDATE |
UPDATE | events.security_finding.attributes.attacks.description | The attack object describes the technique and associated... | UPDATE |
DEPRECATE | events.security_finding.attributes.confidence.type | integer_t | UPDATE |
UPDATE | events.security_finding.attributes.time.description | The normalized event occurrence time or the finding... | UPDATE |
UPDATE | events.security_finding.attributes.finding.description | The Finding object provides details about a... | UPDATE |
UPDATE | events.security_finding.attributes.status_detail.description | The status details contains additional information about... | UPDATE |
UPDATE | events.security_finding.attributes.status.description | The event status, normalized to the caption of the... | UPDATE |
UPDATE | events.security_finding.attributes.type_name.description | The event/finding type name, as defined by the type_uid. | UPDATE |
UPDATE | events.security_finding.attributes.compliance.description | The compliance object provides context to compliance... | UPDATE |
UPDATE | events.security_finding.attributes.malware.description | A list of Malware objects, describing details about the... | UPDATE |
DEPRECATE | events.security_finding.attributes.severity_id.enum.0.description | The event severity is not known. | UPDATE |
UPDATE | events.security_finding.attributes.severity.description | The event/finding severity, normalized to the caption of... | UPDATE |
UPDATE | events.security_finding.attributes.severity_id.description | <p>The normalized identifier of the event/finding... | UPDATE |
IGNORE | events.security_finding.attributes.type_uid.enum.200101.caption | | UPDATE |
ADD | events.base_event.attributes.end_time.requirement | optional | ADD |
ADD | events.base_event.attributes.duration.requirement | optional | ADD |
ADD | events.base_event.attributes.status_code.requirement | optional | ADD |
ADD | events.base_event.attributes.class_uid.enum.0 | {'caption': 'Base Event'} | ADD |
ADD | events.base_event.attributes.status_id.enum.99 | {'caption': 'Other', 'description': 'The event status is... | ADD |
ADD | events.base_event.attributes.status_id.enum.0.description | The status is unknown. | ADD |
ADD | events.base_event.attributes.severity_id.enum.99 | {'caption': 'Other', 'description': 'The event/finding... | ADD |
ADD | events.base_event.attributes.enrichments.requirement | optional | ADD |
ADD | events.base_event.attributes.unmapped.requirement | optional | ADD |
ADD | events.base_event.attributes.api | {'requirement': 'optional', 'group': 'context',... | ADD |
ADD | events.base_event.category | other | ADD |
ADD | events.base_event.attributes.activity_id.enum.99 | {'caption': 'Other', 'description': 'The event activity... | ADD |
ADD | events.base_event.attributes.category_uid.enum.0 | {'caption': 'Uncategorized'} | ADD |
ADD | events.base_event.attributes.cloud.group | primary | ADD |
ADD | events.base_event.attributes.start_time.requirement | optional | ADD |
ADD | events.base_event.attributes.count.requirement | optional | ADD |
ADD | events.base_event.attributes.raw_data.requirement | optional | ADD |
ADD | events.base_event.attributes.status_detail.requirement | optional | ADD |
REMOVE | events.base_event.attributes.activity_id.$include | | REMOVE |
DEPRECATE | events.base_event.attributes.count.default | 1 | REMOVE |
UPDATE | events.base_event.attributes.activity_id.enum.-1 | | REMOVE |
DEPRECATE | events.base_event.attributes.data | {'description': 'Additional data that is associated with... | REMOVE |
DEPRECATE | events.base_event.attributes.confidence | {'group': 'classification', 'requirement': 'optional',... | REMOVE |
UPDATE | events.base_event.attributes.status_id.enum.-1 | | REMOVE |
UPDATE | events.base_event.attributes.class_uid.enum.-1 | | REMOVE |
IGNORE | events.base_event.attributes.category_uid.default | | REMOVE |
UPDATE | events.base_event.attributes.category_uid.enum.-1 | | REMOVE |
IGNORE | events.base_event.attributes.class_uid.default | | REMOVE |
UPDATE | events.base_event.attributes.severity_id.enum.-1 | | REMOVE |
IGNORE | events.base_event.attributes.type_uid.type | | UPDATE |
UPDATE | events.base_event.attributes.observables.description | The observables associated with the event or a finding. | UPDATE |
UPDATE | events.base_event.attributes.status.description | The event status, normalized to the caption of the... | UPDATE |
UPDATE | events.base_event.attributes.status_detail.description | The status details contains additional information about... | UPDATE |
UPDATE | events.base_event.attributes.type_name.description | The event/finding type name, as defined by the type_uid. | UPDATE |
IGNORE | events.base_event.attributes.type_uid.description | | UPDATE |
UPDATE | events.base_event.attributes.time.description | The normalized event occurrence time or the finding... | UPDATE |
UPDATE | events.base_event.attributes.message.description | The description of the event/finding, as defined by the source. | UPDATE |
UPDATE | events.base_event.attributes.severity_id.description | <p>The normalized identifier of the event/finding... | UPDATE |
DEPRECATE | events.base_event.attributes.severity_id.enum.0.description | The event severity is not known. | UPDATE |
UPDATE | events.base_event.attributes.severity.description | The event/finding severity, normalized to the caption of... | UPDATE |
UPDATE | events.base_event.attributes.cloud.description | Describes details about the Cloud environment where the... | UPDATE |
UPDATE | events.base_event.attributes.metadata.description | The metadata associated with the event or a finding. | UPDATE |
UPDATE | events.base_event.attributes.enrichments.description | The additional information from an external data source,... | UPDATE |
ADD | events.ssh_activity.attributes.disposition_id.enum.24 | {'caption': 'Access Revoked', 'description': "The... | ADD |
ADD | events.ssh_activity.attributes.disposition_id.enum.22 | {'caption': 'Captcha', 'description': 'Required the end... | ADD |
ADD | events.ssh_activity.attributes.disposition_id.enum.6.description | The request was detected as a threat and resulted in the... | ADD |
ADD | events.ssh_activity.attributes.authorizations | {'requirement': 'optional', 'caption': 'Authorization... | ADD |
ADD | events.ssh_activity.attributes.auth_type_id | {'description': 'The normalized identifier of the SSH... | ADD |
ADD | events.ssh_activity.attributes.proxy_http_response | {'description': 'The HTTP Response from the remote... | ADD |
ADD | events.ssh_activity.attributes.disposition_id.enum.21 | {'caption': 'Reset', 'description': 'The request was... | ADD |
ADD | events.ssh_activity.attributes.disposition_id.enum.0.description | The disposition was not known. | ADD |
ADD | events.ssh_activity.attributes.proxy_http_request | {'description': 'The HTTP Request from the proxy server... | ADD |
ADD | events.ssh_activity.attributes.type_uid.enum.400799 | {'caption': 'SSH Activity: Other'} | ADD |
ADD | events.ssh_activity.attributes.proxy_tls | {'description': 'The TLS protocol negotiated between the... | ADD |
ADD | events.ssh_activity.attributes.disposition_id.enum.1.description | Granted access or allowed the action to the protected resource. | ADD |
ADD | events.ssh_activity.attributes.raw_data.requirement | optional | ADD |
ADD | events.ssh_activity.attributes.status_id.enum.99 | {'caption': 'Other', 'description': 'The event status is... | ADD |
ADD | events.ssh_activity.attributes.activity_id.enum.99 | {'caption': 'Other', 'description': 'The event activity... | ADD |
ADD | events.ssh_activity.attributes.disposition_id.enum.4.description | A session was isolated on the network or within a browser. | ADD |
ADD | events.ssh_activity.attributes.disposition_id.enum.5.description | A file or other content was deleted. | ADD |
ADD | events.ssh_activity.attributes.firewall_rule | {'requirement': 'optional', 'caption': 'Firewall Rule',... | ADD |
ADD | events.ssh_activity.attributes.disposition_id.enum.26 | {'caption': 'Unauthorized', 'description': "An attempt... | ADD |
ADD | events.ssh_activity.attributes.disposition_id.enum.19 | {'caption': 'Alert', 'description': 'The request or... | ADD |
ADD | events.ssh_activity.attributes.disposition_id.enum.11.description | A corrupt file or configuration was corrected. | ADD |
ADD | events.ssh_activity.attributes.disposition_id.enum.2.description | Denied access or blocked the action to the protected resource. | ADD |
ADD | events.ssh_activity.attributes.enrichments.requirement | optional | ADD |
ADD | events.ssh_activity.attributes.action_id | {'caption': 'Action ID', 'description': "The action... | ADD |
ADD | events.ssh_activity.attributes.disposition_id.enum.18 | {'caption': 'Tagged', 'description': 'A file or other... | ADD |
ADD | events.ssh_activity.attributes.disposition_id.enum.12.description | A corrupt file or configuration was partially corrected. | ADD |
ADD | events.ssh_activity.attributes.proxy_connection_info | {'description': 'The connection information from the... | ADD |
ADD | events.ssh_activity.attributes.start_time.requirement | optional | ADD |
ADD | events.ssh_activity.attributes.disposition_id.enum.9 | {'caption': 'Restored', 'description': 'A quarantined... | ADD |
ADD | events.ssh_activity.attributes.duration.requirement | optional | ADD |
ADD | events.ssh_activity.attributes.proxy_endpoint | {'description': 'The proxy (server) in a network... | ADD |
ADD | events.ssh_activity.attributes.disposition_id.enum.3.description | A suspicious file or other content was moved to a benign... | ADD |
ADD | events.ssh_activity.attributes.severity_id.enum.99 | {'caption': 'Other', 'description': 'The event/finding... | ADD |
ADD | events.ssh_activity.attributes.type_uid.enum.400705 | {'caption': 'SSH Activity: Refuse'} | ADD |
ADD | events.ssh_activity.attributes.end_time.requirement | optional | ADD |
ADD | events.ssh_activity.attributes.api | {'requirement': 'optional', 'group': 'context',... | ADD |
ADD | events.ssh_activity.attributes.disposition_id.enum.25 | {'caption': 'Rejected', 'description': "A request or... | ADD |
ADD | events.ssh_activity.attributes.action | {'caption': 'Action', 'description': 'The normalized... | ADD |
ADD | events.ssh_activity.attributes.disposition_id.enum.7.description | A custom action was executed such as running of a... | ADD |
ADD | events.ssh_activity.attributes.load_balancer | {'requirement': 'recommended', 'caption': 'Load... | ADD |
ADD | events.ssh_activity.attributes.disposition_id.enum.16 | {'caption': 'No Action', 'description': 'The outcome of... | ADD |
ADD | events.ssh_activity.attributes.disposition_id.enum.20 | {'caption': 'Count', 'description': 'Counted the request... | ADD |
ADD | events.ssh_activity.attributes.disposition_id.enum.27 | {'caption': 'Error', 'description': 'An error occurred... | ADD |
ADD | events.ssh_activity.attributes.status_id.enum.0.description | The status is unknown. | ADD |
ADD | events.ssh_activity.attributes.disposition_id.enum.13.description | A corrupt file or configuration was not corrected. | ADD |
ADD | events.ssh_activity.attributes.unmapped.requirement | optional | ADD |
ADD | events.ssh_activity.attributes.auth_type | {'description': "The SSH authentication type, normalized... | ADD |
ADD | events.ssh_activity.attributes.activity_id.enum.5 | {'caption': 'Refuse', 'description': 'The network... | ADD |
ADD | events.ssh_activity.attributes.disposition_id.enum.99 | {'caption': 'Other', 'description': 'The disposition is... | ADD |
ADD | events.ssh_activity.attributes.status_code.requirement | optional | ADD |
ADD | events.ssh_activity.attributes.disposition_id.enum.17 | {'caption': 'Logged', 'description': 'The operation or... | ADD |
ADD | events.ssh_activity.attributes.disposition_id.enum.8.description | A request or submission was approved. For example, when... | ADD |
ADD | events.ssh_activity.attributes.status_detail.requirement | optional | ADD |
ADD | events.ssh_activity.attributes.proxy_traffic | {'description': 'The network traffic refers to the... | ADD |
ADD | events.ssh_activity.attributes.disposition_id.enum.23 | {'caption': 'Challenge', 'description': "Ran a silent... | ADD |
ADD | events.ssh_activity.attributes.type_uid.enum.400706 | {'caption': 'SSH Activity: Traffic'} | ADD |
ADD | events.ssh_activity.attributes.activity_id.enum.6 | {'caption': 'Traffic', 'description': 'Network traffic report.'} | ADD |
ADD | events.ssh_activity.attributes.count.requirement | optional | ADD |
ADD | events.ssh_activity.attributes.proxy.@deprecated | {'message': 'Use the <code> proxy_endpoint </code>... | ADD |
ADD | events.ssh_activity.attributes.cloud.group | primary | ADD |
DEPRECATE | events.ssh_activity.attributes.data | {'description': 'Additional data that is associated with... | REMOVE |
IGNORE | events.ssh_activity.attributes.type_uid.enum.400102 | | REMOVE |
UPDATE | events.ssh_activity.attributes.severity_id.enum.-1 | | REMOVE |
IGNORE | events.ssh_activity.attributes.type_uid.enum.400100 | | REMOVE |
REMOVE | events.ssh_activity.attributes.activity_id.$include | | REMOVE |
UPDATE | events.ssh_activity.attributes.disposition_id.enum.-1 | | REMOVE |
IGNORE | events.ssh_activity.attributes.type_uid.enum.400104 | | REMOVE |
IGNORE | events.ssh_activity.attributes.class_uid.default | | REMOVE |
IGNORE | events.ssh_activity.attributes.category_uid.default | | REMOVE |
IGNORE | events.ssh_activity.attributes.type_uid.enum.400103 | | REMOVE |
DEPRECATE | events.ssh_activity.attributes.confidence | {'group': 'classification', 'requirement': 'optional',... | REMOVE |
IGNORE | events.ssh_activity.attributes.type_uid.enum.400699 | | REMOVE |
IGNORE | events.ssh_activity.attributes.type_uid.enum.400101 | | REMOVE |
IGNORE | events.ssh_activity.attributes.type_uid.enum.400099 | | REMOVE |
DEPRECATE | events.ssh_activity.attributes.count.default | 1 | REMOVE |
UPDATE | events.ssh_activity.attributes.activity_id.enum.-1 | | REMOVE |
UPDATE | events.ssh_activity.attributes.status_id.enum.-1 | | REMOVE |
REMOVE | events.ssh_activity.attributes.disposition_id.enum.2.caption | | UPDATE |
UPDATE | events.ssh_activity.attributes.status_detail.description | The status details contains additional information about... | UPDATE |
UPDATE | events.ssh_activity.attributes.cloud.description | Describes details about the Cloud environment where the... | UPDATE |
REMOVE | events.ssh_activity.attributes.disposition_id.requirement | | UPDATE |
DEPRECATE | events.ssh_activity.attributes.severity_id.enum.0.description | The event severity is not known. | UPDATE |
UPDATE | events.ssh_activity.attributes.disposition.description | The disposition name, normalized to the caption of the... | UPDATE |
UPDATE | events.ssh_activity.attributes.attacks.description | An array of <a target='_blank'... | UPDATE |
UPDATE | events.ssh_activity.attributes.actor.description | The actor object describes details about the... | UPDATE |
UPDATE | events.ssh_activity.attributes.status.description | The event status, normalized to the caption of the... | UPDATE |
REMOVE | events.ssh_activity.attributes.disposition_id.enum.14.caption | | UPDATE |
DEPRECATE | events.ssh_activity.attributes.disposition_id.enum.14.description | No longer suspicious (re-scored). | UPDATE |
UPDATE | events.ssh_activity.attributes.malware.description | A list of Malware objects, describing details about the... | UPDATE |
REMOVE | events.ssh_activity.attributes.disposition_id.enum.3.caption | | UPDATE |
IGNORE | events.ssh_activity.attributes.type_uid.enum.400704.caption | | UPDATE |
UPDATE | events.ssh_activity.attributes.activity_id.enum.4.caption | Fail | UPDATE |
REMOVE | events.ssh_activity.attributes.disposition_id.enum.10.caption | | UPDATE |
DEPRECATE | events.ssh_activity.attributes.disposition_id.enum.15.description | Marked with extended attributes. | UPDATE |
UPDATE | events.ssh_activity.attributes.enrichments.description | The additional information from an external data source,... | UPDATE |
REMOVE | events.ssh_activity.attributes.disposition_id.description | | UPDATE |
UPDATE | events.ssh_activity.attributes.severity_id.description | <p>The normalized identifier of the event/finding... | UPDATE |
REMOVE | events.ssh_activity.attributes.disposition_id.enum.15.caption | | UPDATE |
REMOVE | events.ssh_activity.attributes.disposition_id.enum.6.caption | | UPDATE |
UPDATE | events.ssh_activity.attributes.time.description | The normalized event occurrence time or the finding... | UPDATE |
REMOVE | events.ssh_activity.attributes.disposition_id.enum.5.caption | | UPDATE |
IGNORE | events.ssh_activity.attributes.type_uid.description | | UPDATE |
REMOVE | events.ssh_activity.attributes.disposition_id.enum.4.caption | | UPDATE |
DEPRECATE | events.ssh_activity.attributes.disposition_id.enum.10.description | Requires reboot to finish the operation. | UPDATE |
UPDATE | events.ssh_activity.attributes.malware.requirement | optional | UPDATE |
REMOVE | events.ssh_activity.attributes.attacks.caption | | UPDATE |
UPDATE | events.ssh_activity.attributes.metadata.description | The metadata associated with the event or a finding. | UPDATE |
REMOVE | events.ssh_activity.attributes.disposition_id.enum.12.caption | | UPDATE |
UPDATE | events.ssh_activity.attributes.message.description | The description of the event/finding, as defined by the source. | UPDATE |
UPDATE | events.ssh_activity.attributes.observables.description | The observables associated with the event or a finding. | UPDATE |
IGNORE | events.ssh_activity.attributes.type_uid.type | | UPDATE |
IGNORE | events.ssh_activity.profiles | | UPDATE |
REMOVE | events.ssh_activity.attributes.disposition_id.enum.1.caption | | UPDATE |
UPDATE | events.ssh_activity.attributes.device.description | An addressable device, computer system or host. | UPDATE |
UPDATE | events.ssh_activity.attributes.type_name.description | The event/finding type name, as defined by the type_uid. | UPDATE |
REMOVE | events.ssh_activity.attributes.disposition_id.enum.8.caption | | UPDATE |
UPDATE | events.ssh_activity.attributes.proxy.description | The proxy (server) in a network connection. | UPDATE |
UPDATE | events.ssh_activity.attributes.severity.description | The event/finding severity, normalized to the caption of... | UPDATE |
IGNORE | events.ssh_activity.extends | | UPDATE |
UPDATE | events.ssh_activity.attributes.activity_id.enum.4.description | The network connection failed. For example a connection... | UPDATE |
REMOVE | events.ssh_activity.attributes.disposition_id.enum.13.caption | | UPDATE |
REMOVE | events.ssh_activity.attributes.disposition_id.enum.7.caption | | UPDATE |
REMOVE | events.ssh_activity.attributes.disposition_id.enum.11.caption | | UPDATE |
ADD | events.dhcp_activity.attributes.proxy_http_response | {'description': 'The HTTP Response from the remote... | ADD |
ADD | events.dhcp_activity.attributes.tls | {'group': 'primary', 'caption': 'TLS', 'description':... | ADD |
ADD | events.dhcp_activity.attributes.enrichments.requirement | optional | ADD |
ADD | events.dhcp_activity.attributes.unmapped.requirement | optional | ADD |
ADD | events.dhcp_activity.attributes.status_detail.requirement | optional | ADD |
ADD | events.dhcp_activity.attributes.severity_id.enum.99 | {'caption': 'Other', 'description': 'The event/finding... | ADD |
ADD | events.dhcp_activity.attributes.cloud.group | primary | ADD |
ADD | events.dhcp_activity.attributes.proxy | {'group': 'primary', 'requirement': 'optional',... | ADD |
ADD | events.dhcp_activity.attributes.proxy_traffic | {'description': 'The network traffic refers to the... | ADD |
ADD | events.dhcp_activity.attributes.app_name | {'group': 'context', 'requirement': 'optional',... | ADD |
ADD | events.dhcp_activity.attributes.api | {'requirement': 'optional', 'group': 'context',... | ADD |
ADD | events.dhcp_activity.attributes.action_id | {'caption': 'Action ID', 'description': "The action... | ADD |
ADD | events.dhcp_activity.attributes.traffic | {'group': 'primary', 'requirement': 'optional',... | ADD |
ADD | events.dhcp_activity.attributes.action | {'caption': 'Action', 'description': 'The normalized... | ADD |
ADD | events.dhcp_activity.attributes.malware | {'requirement': 'optional', 'caption': 'Malware',... | ADD |
ADD | events.dhcp_activity.attributes.raw_data.requirement | optional | ADD |
ADD | events.dhcp_activity.attributes.end_time.requirement | optional | ADD |
ADD | events.dhcp_activity.attributes.proxy_tls | {'description': 'The TLS protocol negotiated between the... | ADD |
ADD | events.dhcp_activity.attributes.disposition_id | {'requirement': 'recommended', 'enum': {'99':... | ADD |
ADD | events.dhcp_activity.attributes.count.requirement | optional | ADD |
ADD | events.dhcp_activity.attributes.src_endpoint | {'description': 'The initiator (client) of the DHCP... | ADD |
ADD | events.dhcp_activity.attributes.type_uid.enum.400499 | {'caption': 'DHCP Activity: Other'} | ADD |
ADD | events.dhcp_activity.attributes.proxy_endpoint | {'description': 'The proxy (server) in a network... | ADD |
ADD | events.dhcp_activity.attributes.attacks | {'requirement': 'optional', 'caption': 'MITRE ATT&CK®... | ADD |
ADD | events.dhcp_activity.attributes.status_code.requirement | optional | ADD |
ADD | events.dhcp_activity.attributes.load_balancer | {'requirement': 'recommended', 'caption': 'Load... | ADD |
ADD | events.dhcp_activity.attributes.disposition | {'requirement': 'optional', 'caption': 'Disposition',... | ADD |
ADD | events.dhcp_activity.attributes.start_time.requirement | optional | ADD |
ADD | events.dhcp_activity.attributes.dst_endpoint | {'description': 'The responder (server) of the DHCP... | ADD |
ADD | events.dhcp_activity.attributes.activity_id.enum.99 | {'caption': 'Other', 'description': 'The event activity... | ADD |
ADD | events.dhcp_activity.attributes.connection_info | {'group': 'primary', 'requirement': 'recommended',... | ADD |
ADD | events.dhcp_activity.attributes.status_id.enum.99 | {'caption': 'Other', 'description': 'The event status is... | ADD |
ADD | events.dhcp_activity.attributes.status_id.enum.0.description | The status is unknown. | ADD |
ADD | events.dhcp_activity.attributes.firewall_rule | {'requirement': 'optional', 'caption': 'Firewall Rule',... | ADD |
ADD | events.dhcp_activity.attributes.duration.requirement | optional | ADD |
ADD | events.dhcp_activity.attributes.authorizations | {'requirement': 'optional', 'caption': 'Authorization... | ADD |
ADD | events.dhcp_activity.attributes.proxy_connection_info | {'description': 'The connection information from the... | ADD |
ADD | events.dhcp_activity.attributes.proxy_http_request | {'description': 'The HTTP Request from the proxy server... | ADD |
DEPRECATE | events.dhcp_activity.attributes.count.default | 1 | REMOVE |
UPDATE | events.dhcp_activity.attributes.status_id.enum.-1 | | REMOVE |
IGNORE | events.dhcp_activity.attributes.category_uid.default | | REMOVE |
UPDATE | events.dhcp_activity.attributes.severity_id.enum.-1 | | REMOVE |
IGNORE | events.dhcp_activity.attributes.type_uid.enum.400399 | | REMOVE |
REMOVE | events.dhcp_activity.attributes.activity_id.$include | | REMOVE |
IGNORE | events.dhcp_activity.attributes.class_uid.default | | REMOVE |
UPDATE | events.dhcp_activity.attributes.activity_id.enum.-1 | | REMOVE |
DEPRECATE | events.dhcp_activity.attributes.data | {'description': 'Additional data that is associated with... | REMOVE |
DEPRECATE | events.dhcp_activity.attributes.network_interface | {'group': 'primary', 'requirement': 'required',... | REMOVE |
DEPRECATE | events.dhcp_activity.attributes.confidence | {'group': 'classification', 'requirement': 'optional',... | REMOVE |
IGNORE | events.dhcp_activity.attributes.type_uid.type | | UPDATE |
IGNORE | events.dhcp_activity.extends | | UPDATE |
UPDATE | events.dhcp_activity.attributes.cloud.description | Describes details about the Cloud environment where the... | UPDATE |
UPDATE | events.dhcp_activity.attributes.actor.description | The actor object describes details about the... | UPDATE |
UPDATE | events.dhcp_activity.attributes.device.description | An addressable device, computer system or host. | UPDATE |
UPDATE | events.dhcp_activity.attributes.metadata.description | The metadata associated with the event or a finding. | UPDATE |
UPDATE | events.dhcp_activity.attributes.observables.description | The observables associated with the event or a finding. | UPDATE |
UPDATE | events.dhcp_activity.attributes.severity.description | The event/finding severity, normalized to the caption of... | UPDATE |
UPDATE | events.dhcp_activity.attributes.lease_dur.description | This represents the length of the DHCP lease in seconds.... | UPDATE |
UPDATE | events.dhcp_activity.attributes.message.description | The description of the event/finding, as defined by the source. | UPDATE |
UPDATE | events.dhcp_activity.attributes.status.description | The event status, normalized to the caption of the... | UPDATE |
IGNORE | events.dhcp_activity.attributes.type_uid.description | | UPDATE |
UPDATE | events.dhcp_activity.description | DHCP Activity events report MAC to IP assignment via... | UPDATE |
UPDATE | events.dhcp_activity.attributes.severity_id.description | <p>The normalized identifier of the event/finding... | UPDATE |
UPDATE | events.dhcp_activity.attributes.status_detail.description | The status details contains additional information about... | UPDATE |
DEPRECATE | events.dhcp_activity.attributes.severity_id.enum.0.description | The event severity is not known. | UPDATE |
UPDATE | events.dhcp_activity.attributes.time.description | The normalized event occurrence time or the finding... | UPDATE |
IGNORE | events.dhcp_activity.attributes.class_uid.enum.4004.description | | UPDATE |
UPDATE | events.dhcp_activity.attributes.type_name.description | The event/finding type name, as defined by the type_uid. | UPDATE |
UPDATE | events.dhcp_activity.attributes.enrichments.description | The additional information from an external data source,... | UPDATE |
ADD | events.smb_activity.attributes.disposition_id.enum.11.description | A corrupt file or configuration was corrected. | ADD |
ADD | events.smb_activity.attributes.status_id.enum.0.description | The status is unknown. | ADD |
ADD | events.smb_activity.attributes.disposition_id.enum.26 | {'caption': 'Unauthorized', 'description': "An attempt... | ADD |
ADD | events.smb_activity.attributes.share_type_id | {'group': 'primary', 'requirement': 'recommended',... | ADD |
ADD | events.smb_activity.attributes.disposition_id.enum.18 | {'caption': 'Tagged', 'description': 'A file or other... | ADD |
ADD | events.smb_activity.attributes.disposition_id.enum.2.description | Denied access or blocked the action to the protected resource. | ADD |
ADD | events.smb_activity.attributes.authorizations | {'requirement': 'optional', 'caption': 'Authorization... | ADD |
ADD | events.smb_activity.attributes.disposition_id.enum.12.description | A corrupt file or configuration was partially corrected. | ADD |
ADD | events.smb_activity.attributes.end_time.requirement | optional | ADD |
ADD | events.smb_activity.attributes.status_code.requirement | optional | ADD |
ADD | events.smb_activity.attributes.duration.requirement | optional | ADD |
ADD | events.smb_activity.attributes.proxy_endpoint | {'description': 'The proxy (server) in a network... | ADD |
ADD | events.smb_activity.attributes.proxy_http_response | {'description': 'The HTTP Response from the remote... | ADD |
ADD | events.smb_activity.attributes.disposition_id.enum.24 | {'caption': 'Access Revoked', 'description': "The... | ADD |
ADD | events.smb_activity.attributes.proxy_traffic | {'description': 'The network traffic refers to the... | ADD |
ADD | events.smb_activity.attributes.disposition_id.enum.5.description | A file or other content was deleted. | ADD |
ADD | events.smb_activity.attributes.disposition_id.enum.20 | {'caption': 'Count', 'description': 'Counted the request... | ADD |
ADD | events.smb_activity.attributes.disposition_id.enum.7.description | A custom action was executed such as running of a... | ADD |
ADD | events.smb_activity.attributes.disposition_id.enum.13.description | A corrupt file or configuration was not corrected. | ADD |
ADD | events.smb_activity.attributes.activity_id.enum.99 | {'caption': 'Other', 'description': 'The event activity... | ADD |
ADD | events.smb_activity.attributes.cloud.group | primary | ADD |
ADD | events.smb_activity.attributes.disposition_id.enum.1.description | Granted access or allowed the action to the protected resource. | ADD |
ADD | events.smb_activity.attributes.disposition_id.enum.19 | {'caption': 'Alert', 'description': 'The request or... | ADD |
ADD | events.smb_activity.attributes.firewall_rule | {'requirement': 'optional', 'caption': 'Firewall Rule',... | ADD |
ADD | events.smb_activity.attributes.action | {'caption': 'Action', 'description': 'The normalized... | ADD |
ADD | events.smb_activity.attributes.raw_data.requirement | optional | ADD |
ADD | events.smb_activity.attributes.status_id.enum.99 | {'caption': 'Other', 'description': 'The event status is... | ADD |
ADD | events.smb_activity.attributes.enrichments.requirement | optional | ADD |
ADD | events.smb_activity.attributes.load_balancer | {'requirement': 'recommended', 'caption': 'Load... | ADD |
ADD | events.smb_activity.attributes.disposition_id.enum.99 | {'caption': 'Other', 'description': 'The disposition is... | ADD |
ADD | events.smb_activity.attributes.unmapped.requirement | optional | ADD |
ADD | events.smb_activity.attributes.disposition_id.enum.6.description | The request was detected as a threat and resulted in the... | ADD |
ADD | events.smb_activity.attributes.proxy_http_request | {'description': 'The HTTP Request from the proxy server... | ADD |
ADD | events.smb_activity.attributes.start_time.requirement | optional | ADD |
ADD | events.smb_activity.attributes.disposition_id.enum.27 | {'caption': 'Error', 'description': 'An error occurred... | ADD |
ADD | events.smb_activity.attributes.action_id | {'caption': 'Action ID', 'description': "The action... | ADD |
ADD | events.smb_activity.attributes.status_detail.requirement | optional | ADD |
ADD | events.smb_activity.attributes.disposition_id.enum.0.description | The disposition was not known. | ADD |
ADD | events.smb_activity.attributes.disposition_id.enum.16 | {'caption': 'No Action', 'description': 'The outcome of... | ADD |
ADD | events.smb_activity.attributes.disposition_id.enum.23 | {'caption': 'Challenge', 'description': "Ran a silent... | ADD |
ADD | events.smb_activity.attributes.disposition_id.enum.25 | {'caption': 'Rejected', 'description': "A request or... | ADD |
ADD | events.smb_activity.attributes.disposition_id.enum.8.description | A request or submission was approved. For example, when... | ADD |
ADD | events.smb_activity.attributes.disposition_id.enum.4.description | A session was isolated on the network or within a browser. | ADD |
ADD | events.smb_activity.attributes.proxy_tls | {'description': 'The TLS protocol negotiated between the... | ADD |
ADD | events.smb_activity.attributes.disposition_id.enum.9 | {'caption': 'Restored', 'description': 'A quarantined... | ADD |
ADD | events.smb_activity.attributes.disposition_id.enum.21 | {'caption': 'Reset', 'description': 'The request was... | ADD |
ADD | events.smb_activity.attributes.api | {'requirement': 'optional', 'group': 'context',... | ADD |
ADD | events.smb_activity.attributes.severity_id.enum.99 | {'caption': 'Other', 'description': 'The event/finding... | ADD |
ADD | events.smb_activity.attributes.type_uid.enum.400699 | {'caption': 'SMB Activity: Other'} | ADD |
ADD | events.smb_activity.attributes.disposition_id.enum.22 | {'caption': 'Captcha', 'description': 'Required the end... | ADD |
ADD | events.smb_activity.attributes.disposition_id.enum.17 | {'caption': 'Logged', 'description': 'The operation or... | ADD |
ADD | events.smb_activity.attributes.proxy_connection_info | {'description': 'The connection information from the... | ADD |
ADD | events.smb_activity.attributes.disposition_id.enum.3.description | A suspicious file or other content was moved to a benign... | ADD |
ADD | events.smb_activity.attributes.count.requirement | optional | ADD |
ADD | events.smb_activity.attributes.proxy.@deprecated | {'message': 'Use the <code> proxy_endpoint </code>... | ADD |
IGNORE | events.smb_activity.attributes.type_uid.enum.400099 | | REMOVE |
IGNORE | events.smb_activity.attributes.type_uid.enum.400101 | | REMOVE |
UPDATE | events.smb_activity.attributes.status_id.enum.-1 | | REMOVE |
REMOVE | events.smb_activity.attributes.activity_id.$include | | REMOVE |
DEPRECATE | events.smb_activity.attributes.data | {'description': 'Additional data that is associated with... | REMOVE |
IGNORE | events.smb_activity.attributes.class_uid.default | | REMOVE |
IGNORE | events.smb_activity.attributes.type_uid.enum.400103 | | REMOVE |
DEPRECATE | events.smb_activity.attributes.confidence | {'group': 'classification', 'requirement': 'optional',... | REMOVE |
UPDATE | events.smb_activity.attributes.severity_id.enum.-1 | | REMOVE |
UPDATE | events.smb_activity.attributes.activity_id.enum.-1 | | REMOVE |
DEPRECATE | events.smb_activity.attributes.count.default | 1 | REMOVE |
IGNORE | events.smb_activity.attributes.type_uid.enum.400102 | | REMOVE |
UPDATE | events.smb_activity.attributes.disposition_id.enum.-1 | | REMOVE |
IGNORE | events.smb_activity.attributes.category_uid.default | | REMOVE |
IGNORE | events.smb_activity.attributes.type_uid.enum.400104 | | REMOVE |
IGNORE | events.smb_activity.attributes.type_uid.enum.400599 | | REMOVE |
IGNORE | events.smb_activity.attributes.type_uid.enum.400100 | | REMOVE |
UPDATE | events.smb_activity.attributes.observables.description | The observables associated with the event or a finding. | UPDATE |
UPDATE | events.smb_activity.attributes.status_detail.description | The status details contains additional information about... | UPDATE |
REMOVE | events.smb_activity.attributes.disposition_id.enum.6.caption | | UPDATE |
UPDATE | events.smb_activity.attributes.malware.description | A list of Malware objects, describing details about the... | UPDATE |
REMOVE | events.smb_activity.attributes.disposition_id.enum.11.caption | | UPDATE |
UPDATE | events.smb_activity.attributes.cloud.description | Describes details about the Cloud environment where the... | UPDATE |
REMOVE | events.smb_activity.attributes.disposition_id.description | | UPDATE |
DEPRECATE | events.smb_activity.attributes.disposition_id.enum.15.description | Marked with extended attributes. | UPDATE |
REMOVE | events.smb_activity.attributes.disposition_id.enum.4.caption | | UPDATE |
REMOVE | events.smb_activity.attributes.disposition_id.enum.3.caption | | UPDATE |
REMOVE | events.smb_activity.attributes.disposition_id.enum.5.caption | | UPDATE |
REMOVE | events.smb_activity.attributes.disposition_id.enum.12.caption | | UPDATE |
UPDATE | events.smb_activity.attributes.disposition.description | The disposition name, normalized to the caption of the... | UPDATE |
IGNORE | events.smb_activity.attributes.type_uid.type | | UPDATE |
REMOVE | events.smb_activity.attributes.disposition_id.enum.1.caption | | UPDATE |
IGNORE | events.smb_activity.profiles | | UPDATE |
UPDATE | events.smb_activity.attributes.malware.requirement | optional | UPDATE |
REMOVE | events.smb_activity.attributes.disposition_id.enum.13.caption | | UPDATE |
UPDATE | events.smb_activity.attributes.enrichments.description | The additional information from an external data source,... | UPDATE |
UPDATE | events.smb_activity.attributes.command.requirement | recommended | UPDATE |
REMOVE | events.smb_activity.attributes.disposition_id.enum.14.caption | | UPDATE |
REMOVE | events.smb_activity.attributes.disposition_id.requirement | | UPDATE |
REMOVE | events.smb_activity.attributes.disposition_id.enum.2.caption | | UPDATE |
UPDATE | events.smb_activity.attributes.proxy.description | The proxy (server) in a network connection. | UPDATE |
REMOVE | events.smb_activity.attributes.attacks.caption | | UPDATE |
DEPRECATE | events.smb_activity.attributes.severity_id.enum.0.description | The event severity is not known. | UPDATE |
REMOVE | events.smb_activity.attributes.disposition_id.enum.10.caption | | UPDATE |
UPDATE | events.smb_activity.attributes.metadata.description | The metadata associated with the event or a finding. | UPDATE |
UPDATE | events.smb_activity.attributes.type_name.description | The event/finding type name, as defined by the type_uid. | UPDATE |
UPDATE | events.smb_activity.attributes.message.description | The description of the event/finding, as defined by the source. | UPDATE |
UPDATE | events.smb_activity.attributes.response.requirement | recommended | UPDATE |
DEPRECATE | events.smb_activity.attributes.disposition_id.enum.10.description | Requires reboot to finish the operation. | UPDATE |
REMOVE | events.smb_activity.attributes.disposition_id.enum.8.caption | | UPDATE |
UPDATE | events.smb_activity.attributes.actor.description | The actor object describes details about the... | UPDATE |
IGNORE | events.smb_activity.attributes.type_uid.description | | UPDATE |
REMOVE | events.smb_activity.attributes.disposition_id.enum.7.caption | | UPDATE |
DEPRECATE | events.smb_activity.attributes.disposition_id.enum.14.description | No longer suspicious (re-scored). | UPDATE |
UPDATE | events.smb_activity.attributes.share_type.description | The SMB share type, normalized to the caption of the... | UPDATE |
UPDATE | events.smb_activity.attributes.severity_id.description | <p>The normalized identifier of the event/finding... | UPDATE |
UPDATE | events.smb_activity.attributes.time.description | The normalized event occurrence time or the finding... | UPDATE |
UPDATE | events.smb_activity.attributes.severity.description | The event/finding severity, normalized to the caption of... | UPDATE |
UPDATE | events.smb_activity.attributes.attacks.description | An array of <a target='_blank'... | UPDATE |
UPDATE | events.smb_activity.attributes.status.description | The event status, normalized to the caption of the... | UPDATE |
UPDATE | events.smb_activity.attributes.device.description | An addressable device, computer system or host. | UPDATE |
REMOVE | events.smb_activity.attributes.disposition_id.enum.15.caption | | UPDATE |
IGNORE | events.smb_activity.extends | | UPDATE |
ADD | events.email_url_activity.attributes.type_uid.enum.401299 | {'caption': 'Email URL Activity: Other'} | ADD |
ADD | events.email_url_activity.attributes.disposition_id.enum.11.description | A corrupt file or configuration was corrected. | ADD |
ADD | events.email_url_activity.attributes.status_id.enum.99 | {'caption': 'Other', 'description': 'The event status is... | ADD |
ADD | events.email_url_activity.attributes.disposition_id.enum.19 | {'caption': 'Alert', 'description': 'The request or... | ADD |
ADD | events.email_url_activity.attributes.unmapped.requirement | optional | ADD |
ADD | events.email_url_activity.attributes.disposition_id.enum.23 | {'caption': 'Challenge', 'description': "Ran a silent... | ADD |
ADD | events.email_url_activity.attributes.disposition_id.enum.16 | {'caption': 'No Action', 'description': 'The outcome of... | ADD |
ADD | events.email_url_activity.attributes.disposition_id.enum.20 | {'caption': 'Count', 'description': 'Counted the request... | ADD |
ADD | events.email_url_activity.attributes.disposition_id.enum.24 | {'caption': 'Access Revoked', 'description': "The... | ADD |
ADD | events.email_url_activity.attributes.disposition_id.enum.21 | {'caption': 'Reset', 'description': 'The request was... | ADD |
ADD | events.email_url_activity.attributes.duration.requirement | optional | ADD |
ADD | events.email_url_activity.attributes.disposition_id.enum.2.description | Denied access or blocked the action to the protected resource. | ADD |
ADD | events.email_url_activity.attributes.disposition_id.enum.0.description | The disposition was not known. | ADD |
ADD | events.email_url_activity.attributes.activity_id.enum.2 | {'caption': 'Receive'} | ADD |
ADD | events.email_url_activity.attributes.disposition_id.enum.13.description | A corrupt file or configuration was not corrected. | ADD |
ADD | events.email_url_activity.attributes.disposition_id.enum.17 | {'caption': 'Logged', 'description': 'The operation or... | ADD |
ADD | events.email_url_activity.attributes.disposition_id.enum.25 | {'caption': 'Rejected', 'description': "A request or... | ADD |
ADD | events.email_url_activity.attributes.end_time.requirement | optional | ADD |
ADD | events.email_url_activity.attributes.activity_id.enum.3 | {'caption': 'Scan', 'description': 'Email URL being... | ADD |
ADD | events.email_url_activity.attributes.disposition_id.enum.6.description | The request was detected as a threat and resulted in the... | ADD |
ADD | events.email_url_activity.attributes.api | {'requirement': 'optional', 'group': 'context',... | ADD |
ADD | events.email_url_activity.attributes.disposition_id.enum.4.description | A session was isolated on the network or within a browser. | ADD |
ADD | events.email_url_activity.attributes.disposition_id.enum.18 | {'caption': 'Tagged', 'description': 'A file or other... | ADD |
ADD | events.email_url_activity.attributes.class_uid.enum.4012 | {'caption': 'Email URL Activity', 'description': 'Email... | ADD |
ADD | events.email_url_activity.attributes.count.requirement | optional | ADD |
ADD | events.email_url_activity.attributes.disposition_id.enum.22 | {'caption': 'Captcha', 'description': 'Required the end... | ADD |
ADD | events.email_url_activity.attributes.disposition_id.enum.12.description | A corrupt file or configuration was partially corrected. | ADD |
ADD | events.email_url_activity.attributes.raw_data.requirement | optional | ADD |
ADD | events.email_url_activity.attributes.enrichments.requirement | optional | ADD |
ADD | events.email_url_activity.attributes.status_detail.requirement | optional | ADD |
ADD | events.email_url_activity.attributes.type_uid.enum.401202 | {'caption': 'Email URL Activity: Receive'} | ADD |
ADD | events.email_url_activity.attributes.category_uid.enum.4 | {'caption': 'Network Activity', 'description': 'Network... | ADD |
ADD | events.email_url_activity.attributes.status_id.enum.0.description | The status is unknown. | ADD |
ADD | events.email_url_activity.attributes.disposition_id.enum.26 | {'caption': 'Unauthorized', 'description': "An attempt... | ADD |
ADD | events.email_url_activity.attributes.disposition_id.enum.9 | {'caption': 'Restored', 'description': 'A quarantined... | ADD |
ADD | events.email_url_activity.attributes.status_code.requirement | optional | ADD |
ADD | events.email_url_activity.attributes.action_id | {'caption': 'Action ID', 'description': "The action... | ADD |
ADD | events.email_url_activity.attributes.disposition_id.enum.8.description | A request or submission was approved. For example, when... | ADD |
ADD | events.email_url_activity.attributes.type_uid.enum.401201 | {'caption': 'Email URL Activity: Send'} | ADD |
ADD | events.email_url_activity.attributes.type_uid.enum.401200 | {'caption': 'Email URL Activity: Unknown'} | ADD |
ADD | events.email_url_activity.attributes.disposition_id.enum.7.description | A custom action was executed such as running of a... | ADD |
ADD | events.email_url_activity.attributes.disposition_id.enum.5.description | A file or other content was deleted. | ADD |
ADD | events.email_url_activity.attributes.activity_id.enum.99 | {'caption': 'Other', 'description': 'The event activity... | ADD |
ADD | events.email_url_activity.attributes.authorizations | {'requirement': 'optional', 'caption': 'Authorization... | ADD |
ADD | events.email_url_activity.attributes.severity_id.enum.99 | {'caption': 'Other', 'description': 'The event/finding... | ADD |
ADD | events.email_url_activity.attributes.type_uid.enum.401203 | {'caption': 'Email URL Activity: Scan'} | ADD |
ADD | events.email_url_activity.attributes.action | {'caption': 'Action', 'description': 'The normalized... | ADD |
ADD | events.email_url_activity.attributes.cloud.group | primary | ADD |
ADD | events.email_url_activity.attributes.disposition_id.enum.27 | {'caption': 'Error', 'description': 'An error occurred... | ADD |
ADD | events.email_url_activity.attributes.start_time.requirement | optional | ADD |
ADD | events.email_url_activity.attributes.disposition_id.enum.99 | {'caption': 'Other', 'description': 'The disposition is... | ADD |
ADD | events.email_url_activity.attributes.disposition_id.enum.1.description | Granted access or allowed the action to the protected resource. | ADD |
ADD | events.email_url_activity.attributes.firewall_rule | {'requirement': 'optional', 'caption': 'Firewall Rule',... | ADD |
ADD | events.email_url_activity.attributes.disposition_id.enum.3.description | A suspicious file or other content was moved to a benign... | ADD |
IGNORE | events.email_url_activity.attributes.class_uid.default | | REMOVE |
PRESERVE | events.email_url_activity.associations | {'device': ['actor.user'], 'actor.user': ['device']} | REMOVE |
UPDATE | events.email_url_activity.attributes.activity_id.enum.-1 | | REMOVE |
UPDATE | events.email_url_activity.attributes.severity_id.enum.-1 | | REMOVE |
IGNORE | events.email_url_activity.attributes.type_uid.enum.100201 | | REMOVE |
UPDATE | events.email_url_activity.attributes.status_id.enum.-1 | | REMOVE |
DEPRECATE | events.email_url_activity.attributes.confidence | {'group': 'classification', 'requirement': 'optional',... | REMOVE |
REMOVE | events.email_url_activity.attributes.activity_id.$include | | REMOVE |
IGNORE | events.email_url_activity.attributes.category_uid.enum.1 | | REMOVE |
DEPRECATE | events.email_url_activity.attributes.actor.group | primary | REMOVE |
DEPRECATE | events.email_url_activity.attributes.device.group | primary | REMOVE |
IGNORE | events.email_url_activity.extension | | REMOVE |
DEPRECATE | events.email_url_activity.attributes.count.default | 1 | REMOVE |
DEPRECATE | events.email_url_activity.attributes.data | {'description': 'Additional data that is associated with... | REMOVE |
REMOVE | events.email_url_activity.attributes.$include | | REMOVE |
IGNORE | events.email_url_activity.attributes.class_uid.enum.1002 | | REMOVE |
IGNORE | events.email_url_activity.attributes.type_uid.enum.100200 | | REMOVE |
IGNORE | events.email_url_activity.attributes.type_uid.enum.100199 | | REMOVE |
UPDATE | events.email_url_activity.attributes.disposition_id.enum.-1 | | REMOVE |
IGNORE | events.email_url_activity.attributes.category_uid.default | | REMOVE |
DEPRECATE | events.email_url_activity.attributes.connection_uid | {'requirement': 'optional', 'group': 'context',... | REMOVE |
UPDATE | events.email_url_activity.attributes.malware.description | A list of Malware objects, describing details about the... | UPDATE |
REMOVE | events.email_url_activity.attributes.disposition_id.enum.13.caption | | UPDATE |
UPDATE | events.email_url_activity.attributes.observables.description | The observables associated with the event or a finding. | UPDATE |
UPDATE | events.email_url_activity.attributes.activity_id.requirement | optional | UPDATE |
UPDATE | events.email_url_activity.description | Email URL Activity events report URLs within an email. | UPDATE |
UPDATE | events.email_url_activity.attributes.severity_id.description | <p>The normalized identifier of the event/finding... | UPDATE |
IGNORE | events.email_url_activity.profiles | | UPDATE |
UPDATE | events.email_url_activity.attributes.time.description | The normalized event occurrence time or the finding... | UPDATE |
REMOVE | events.email_url_activity.attributes.disposition_id.enum.12.caption | | UPDATE |
REMOVE | events.email_url_activity.attributes.disposition_id.enum.6.caption | | UPDATE |
REMOVE | events.email_url_activity.attributes.disposition_id.enum.7.caption | | UPDATE |
REMOVE | events.email_url_activity.attributes.disposition_id.enum.4.caption | | UPDATE |
UPDATE | events.email_url_activity.category | network | UPDATE |
REMOVE | events.email_url_activity.attributes.disposition_id.requirement | | UPDATE |
REMOVE | events.email_url_activity.attributes.disposition_id.enum.1.caption | | UPDATE |
IGNORE | events.email_url_activity.attributes.type_uid.type | | UPDATE |
REMOVE | events.email_url_activity.attributes.disposition_id.enum.11.caption | | UPDATE |
UPDATE | events.email_url_activity.attributes.metadata.description | The metadata associated with the event or a finding. | UPDATE |
UPDATE | events.email_url_activity.attributes.enrichments.description | The additional information from an external data source,... | UPDATE |
UPDATE | events.email_url_activity.attributes.severity.description | The event/finding severity, normalized to the caption of... | UPDATE |
UPDATE | events.email_url_activity.attributes.email_uid.requirement | required | UPDATE |
UPDATE | events.email_url_activity.attributes.status.description | The event status, normalized to the caption of the... | UPDATE |
DEPRECATE | events.email_url_activity.attributes.disposition_id.enum.15.description | Marked with extended attributes. | UPDATE |
UPDATE | events.email_url_activity.attributes.activity_id.enum.1.caption | Send | UPDATE |
DEPRECATE | events.email_url_activity.attributes.severity_id.enum.0.description | The event severity is not known. | UPDATE |
UPDATE | events.email_url_activity.attributes.malware.requirement | optional | UPDATE |
UPDATE | events.email_url_activity.attributes.status_detail.description | The status details contains additional information about... | UPDATE |
IGNORE | events.email_url_activity.uid | | UPDATE |
UPDATE | events.email_url_activity.attributes.actor.description | The actor object describes details about the... | UPDATE |
REMOVE | events.email_url_activity.attributes.disposition_id.enum.8.caption | | UPDATE |
REMOVE | events.email_url_activity.attributes.disposition_id.enum.10.caption | | UPDATE |
IGNORE | events.email_url_activity.extends | | UPDATE |
REMOVE | events.email_url_activity.attributes.disposition_id.enum.3.caption | | UPDATE |
REMOVE | events.email_url_activity.attributes.disposition_id.enum.14.caption | | UPDATE |
UPDATE | events.email_url_activity.attributes.type_name.description | The event/finding type name, as defined by the type_uid. | UPDATE |
UPDATE | events.email_url_activity.attributes.message.description | The description of the event/finding, as defined by the source. | UPDATE |
REMOVE | events.email_url_activity.attributes.disposition_id.enum.2.caption | | UPDATE |
REMOVE | events.email_url_activity.attributes.attacks.caption | | UPDATE |
UPDATE | events.email_url_activity.attributes.attacks.description | An array of <a target='_blank'... | UPDATE |
UPDATE | events.email_url_activity.attributes.cloud.description | Describes details about the Cloud environment where the... | UPDATE |
REMOVE | events.email_url_activity.attributes.disposition_id.enum.5.caption | | UPDATE |
DEPRECATE | events.email_url_activity.attributes.disposition_id.enum.14.description | No longer suspicious (re-scored). | UPDATE |
UPDATE | events.email_url_activity.attributes.disposition.description | The disposition name, normalized to the caption of the... | UPDATE |
UPDATE | events.email_url_activity.attributes.device.description | An addressable device, computer system or host. | UPDATE |
REMOVE | events.email_url_activity.attributes.disposition_id.description | | UPDATE |
IGNORE | events.email_url_activity.attributes.type_uid.description | | UPDATE |
REMOVE | events.email_url_activity.attributes.disposition_id.enum.15.caption | | UPDATE |
DEPRECATE | events.email_url_activity.attributes.disposition_id.enum.10.description | Requires reboot to finish the operation. | UPDATE |
ADD | events.rdp_activity.attributes.disposition_id.enum.2.description | Denied access or blocked the action to the protected resource. | ADD |
ADD | events.rdp_activity.attributes.disposition_id.enum.27 | {'caption': 'Error', 'description': 'An error occurred... | ADD |
ADD | events.rdp_activity.attributes.activity_id.enum.99 | {'caption': 'Other', 'description': 'The event activity... | ADD |
ADD | events.rdp_activity.attributes.disposition_id.enum.12.description | A corrupt file or configuration was partially corrected. | ADD |
ADD | events.rdp_activity.attributes.disposition_id.enum.3.description | A suspicious file or other content was moved to a benign... | ADD |
ADD | events.rdp_activity.attributes.disposition_id.enum.17 | {'caption': 'Logged', 'description': 'The operation or... | ADD |
ADD | events.rdp_activity.attributes.disposition_id.enum.8.description | A request or submission was approved. For example, when... | ADD |
ADD | events.rdp_activity.attributes.disposition_id.enum.4.description | A session was isolated on the network or within a browser. | ADD |
ADD | events.rdp_activity.attributes.activity_id.enum.6 | {'caption': 'Traffic', 'description': 'Network traffic report.'} | ADD |
ADD | events.rdp_activity.attributes.start_time.requirement | optional | ADD |
ADD | events.rdp_activity.attributes.type_uid.enum.400505 | {'caption': 'RDP Activity: TLS Handshake'} | ADD |
ADD | events.rdp_activity.attributes.disposition_id.enum.25 | {'caption': 'Rejected', 'description': "A request or... | ADD |
ADD | events.rdp_activity.attributes.disposition_id.enum.0.description | The disposition was not known. | ADD |
ADD | events.rdp_activity.attributes.disposition_id.enum.16 | {'caption': 'No Action', 'description': 'The outcome of... | ADD |
ADD | events.rdp_activity.attributes.activity_id.enum.5 | {'caption': 'TLS Handshake', 'description': 'The TLS handshake.'} | ADD |
ADD | events.rdp_activity.attributes.cloud.group | primary | ADD |
ADD | events.rdp_activity.attributes.proxy_traffic | {'description': 'The network traffic refers to the... | ADD |
ADD | events.rdp_activity.attributes.api | {'requirement': 'optional', 'group': 'context',... | ADD |
ADD | events.rdp_activity.attributes.duration.requirement | optional | ADD |
ADD | events.rdp_activity.attributes.proxy_endpoint | {'description': 'The proxy (server) in a network... | ADD |
ADD | events.rdp_activity.attributes.status_id.enum.0.description | The status is unknown. | ADD |
ADD | events.rdp_activity.attributes.proxy_connection_info | {'description': 'The connection information from the... | ADD |
ADD | events.rdp_activity.attributes.disposition_id.enum.26 | {'caption': 'Unauthorized', 'description': "An attempt... | ADD |
ADD | events.rdp_activity.attributes.disposition_id.enum.24 | {'caption': 'Access Revoked', 'description': "The... | ADD |
ADD | events.rdp_activity.attributes.firewall_rule | {'requirement': 'optional', 'caption': 'Firewall Rule',... | ADD |
ADD | events.rdp_activity.attributes.disposition_id.enum.23 | {'caption': 'Challenge', 'description': "Ran a silent... | ADD |
ADD | events.rdp_activity.attributes.severity_id.enum.99 | {'caption': 'Other', 'description': 'The event/finding... | ADD |
ADD | events.rdp_activity.attributes.disposition_id.enum.22 | {'caption': 'Captcha', 'description': 'Required the end... | ADD |
ADD | events.rdp_activity.attributes.type_uid.enum.400599 | {'caption': 'RDP Activity: Other'} | ADD |
ADD | events.rdp_activity.attributes.disposition_id.enum.9 | {'caption': 'Restored', 'description': 'A quarantined... | ADD |
ADD | events.rdp_activity.attributes.disposition_id.enum.21 | {'caption': 'Reset', 'description': 'The request was... | ADD |
ADD | events.rdp_activity.attributes.disposition_id.enum.5.description | A file or other content was deleted. | ADD |
ADD | events.rdp_activity.attributes.disposition_id.enum.13.description | A corrupt file or configuration was not corrected. | ADD |
ADD | events.rdp_activity.attributes.proxy.@deprecated | {'message': 'Use the <code> proxy_endpoint </code>... | ADD |
ADD | events.rdp_activity.attributes.unmapped.requirement | optional | ADD |
ADD | events.rdp_activity.attributes.disposition_id.enum.7.description | A custom action was executed such as running of a... | ADD |
ADD | events.rdp_activity.attributes.disposition_id.enum.99 | {'caption': 'Other', 'description': 'The disposition is... | ADD |
ADD | events.rdp_activity.attributes.disposition_id.enum.11.description | A corrupt file or configuration was corrected. | ADD |
ADD | events.rdp_activity.attributes.raw_data.requirement | optional | ADD |
ADD | events.rdp_activity.attributes.disposition_id.enum.18 | {'caption': 'Tagged', 'description': 'A file or other... | ADD |
ADD | events.rdp_activity.attributes.proxy_http_response | {'description': 'The HTTP Response from the remote... | ADD |
ADD | events.rdp_activity.attributes.end_time.requirement | optional | ADD |
ADD | events.rdp_activity.attributes.load_balancer | {'requirement': 'recommended', 'caption': 'Load... | ADD |
ADD | events.rdp_activity.attributes.proxy_http_request | {'description': 'The HTTP Request from the proxy server... | ADD |
ADD | events.rdp_activity.attributes.authorizations | {'requirement': 'optional', 'caption': 'Authorization... | ADD |
ADD | events.rdp_activity.attributes.status_id.enum.99 | {'caption': 'Other', 'description': 'The event status is... | ADD |
ADD | events.rdp_activity.attributes.type_uid.enum.400506 | {'caption': 'RDP Activity: Traffic'} | ADD |
ADD | events.rdp_activity.attributes.enrichments.requirement | optional | ADD |
ADD | events.rdp_activity.attributes.action_id | {'caption': 'Action ID', 'description': "The action... | ADD |
ADD | events.rdp_activity.attributes.proxy_tls | {'description': 'The TLS protocol negotiated between the... | ADD |
ADD | events.rdp_activity.attributes.disposition_id.enum.1.description | Granted access or allowed the action to the protected resource. | ADD |
ADD | events.rdp_activity.attributes.action | {'caption': 'Action', 'description': 'The normalized... | ADD |
ADD | events.rdp_activity.attributes.disposition_id.enum.19 | {'caption': 'Alert', 'description': 'The request or... | ADD |
ADD | events.rdp_activity.attributes.status_code.requirement | optional | ADD |
ADD | events.rdp_activity.attributes.count.requirement | optional | ADD |
ADD | events.rdp_activity.attributes.status_detail.requirement | optional | ADD |
ADD | events.rdp_activity.attributes.disposition_id.enum.6.description | The request was detected as a threat and resulted in the... | ADD |
ADD | events.rdp_activity.attributes.disposition_id.enum.20 | {'caption': 'Count', 'description': 'Counted the request... | ADD |
DEPRECATE | events.rdp_activity.attributes.confidence | {'group': 'classification', 'requirement': 'optional',... | REMOVE |
UPDATE | events.rdp_activity.attributes.severity_id.enum.-1 | | REMOVE |
UPDATE | events.rdp_activity.attributes.disposition_id.enum.-1 | | REMOVE |
IGNORE | events.rdp_activity.attributes.type_uid.enum.400099 | | REMOVE |
IGNORE | events.rdp_activity.attributes.category_uid.default | | REMOVE |
IGNORE | events.rdp_activity.attributes.type_uid.enum.400101 | | REMOVE |
IGNORE | events.rdp_activity.attributes.type_uid.enum.400100 | | REMOVE |
REMOVE | events.rdp_activity.attributes.activity_id.$include | | REMOVE |
DEPRECATE | events.rdp_activity.attributes.count.default | 1 | REMOVE |
IGNORE | events.rdp_activity.attributes.type_uid.enum.400499 | | REMOVE |
IGNORE | events.rdp_activity.attributes.type_uid.enum.400102 | | REMOVE |
IGNORE | events.rdp_activity.attributes.type_uid.enum.400104 | | REMOVE |
DEPRECATE | events.rdp_activity.attributes.data | {'description': 'Additional data that is associated with... | REMOVE |
UPDATE | events.rdp_activity.attributes.status_id.enum.-1 | | REMOVE |
IGNORE | events.rdp_activity.attributes.type_uid.enum.400103 | | REMOVE |
IGNORE | events.rdp_activity.attributes.class_uid.default | | REMOVE |
UPDATE | events.rdp_activity.attributes.activity_id.enum.-1 | | REMOVE |
REMOVE | events.rdp_activity.attributes.disposition_id.enum.10.caption | | UPDATE |
UPDATE | events.rdp_activity.attributes.time.description | The normalized event occurrence time or the finding... | UPDATE |
UPDATE | events.rdp_activity.attributes.activity_id.enum.2.caption | Initial Response | UPDATE |
IGNORE | events.rdp_activity.attributes.type_uid.enum.400504.caption | | UPDATE |
UPDATE | events.rdp_activity.attributes.activity_id.enum.1.caption | Initial Request | UPDATE |
REMOVE | events.rdp_activity.attributes.attacks.caption | | UPDATE |
REMOVE | events.rdp_activity.attributes.disposition_id.enum.8.caption | | UPDATE |
REMOVE | events.rdp_activity.attributes.disposition_id.enum.6.caption | | UPDATE |
IGNORE | events.rdp_activity.attributes.type_uid.enum.400502.caption | | UPDATE |
REMOVE | events.rdp_activity.attributes.disposition_id.enum.1.caption | | UPDATE |
UPDATE | events.rdp_activity.attributes.activity_id.enum.3.caption | Connect Request | UPDATE |
UPDATE | events.rdp_activity.attributes.message.description | The description of the event/finding, as defined by the source. | UPDATE |
REMOVE | events.rdp_activity.attributes.disposition_id.enum.13.caption | | UPDATE |
UPDATE | events.rdp_activity.attributes.cloud.description | Describes details about the Cloud environment where the... | UPDATE |
REMOVE | events.rdp_activity.attributes.disposition_id.description | | UPDATE |
UPDATE | events.rdp_activity.attributes.response.requirement | recommended | UPDATE |
REMOVE | events.rdp_activity.attributes.disposition_id.enum.12.caption | | UPDATE |
UPDATE | events.rdp_activity.attributes.metadata.description | The metadata associated with the event or a finding. | UPDATE |
UPDATE | events.rdp_activity.attributes.malware.description | A list of Malware objects, describing details about the... | UPDATE |
REMOVE | events.rdp_activity.attributes.disposition_id.enum.2.caption | | UPDATE |
UPDATE | events.rdp_activity.attributes.enrichments.description | The additional information from an external data source,... | UPDATE |
UPDATE | events.rdp_activity.attributes.malware.requirement | optional | UPDATE |
UPDATE | events.rdp_activity.attributes.request.requirement | recommended | UPDATE |
UPDATE | events.rdp_activity.attributes.attacks.description | An array of <a target='_blank'... | UPDATE |
REMOVE | events.rdp_activity.attributes.disposition_id.enum.11.caption | | UPDATE |
DEPRECATE | events.rdp_activity.attributes.disposition_id.enum.14.description | No longer suspicious (re-scored). | UPDATE |
DEPRECATE | events.rdp_activity.attributes.severity_id.enum.0.description | The event severity is not known. | UPDATE |
UPDATE | events.rdp_activity.attributes.severity_id.description | <p>The normalized identifier of the event/finding... | UPDATE |
REMOVE | events.rdp_activity.attributes.disposition_id.enum.14.caption | | UPDATE |
REMOVE | events.rdp_activity.attributes.disposition_id.enum.3.caption | | UPDATE |
IGNORE | events.rdp_activity.attributes.type_uid.description | | UPDATE |
IGNORE | events.rdp_activity.profiles | | UPDATE |
REMOVE | events.rdp_activity.attributes.disposition_id.enum.4.caption | | UPDATE |
REMOVE | events.rdp_activity.attributes.disposition_id.enum.7.caption | | UPDATE |
UPDATE | events.rdp_activity.attributes.status_detail.description | The status details contains additional information about... | UPDATE |
UPDATE | events.rdp_activity.attributes.activity_id.enum.4.caption | Connect Response | UPDATE |
REMOVE | events.rdp_activity.attributes.disposition_id.enum.15.caption | | UPDATE |
UPDATE | events.rdp_activity.attributes.activity_id.enum.2.description | The initial RDP response. | UPDATE |
UPDATE | events.rdp_activity.attributes.activity_id.enum.3.description | An RDP connection request. | UPDATE |
IGNORE | events.rdp_activity.attributes.type_uid.enum.400501.caption | | UPDATE |
UPDATE | events.rdp_activity.attributes.proxy.description | The proxy (server) in a network connection. | UPDATE |
DEPRECATE | events.rdp_activity.attributes.disposition_id.enum.15.description | Marked with extended attributes. | UPDATE |
IGNORE | events.rdp_activity.extends | | UPDATE |
UPDATE | events.rdp_activity.attributes.status.description | The event status, normalized to the caption of the... | UPDATE |
REMOVE | events.rdp_activity.attributes.disposition_id.requirement | | UPDATE |
IGNORE | events.rdp_activity.attributes.type_uid.enum.400503.caption | | UPDATE |
DEPRECATE | events.rdp_activity.attributes.disposition_id.enum.10.description | Requires reboot to finish the operation. | UPDATE |
UPDATE | events.rdp_activity.attributes.activity_id.enum.4.description | An RDP connection response. | UPDATE |
UPDATE | events.rdp_activity.attributes.disposition.description | The disposition name, normalized to the caption of the... | UPDATE |
UPDATE | events.rdp_activity.attributes.severity.description | The event/finding severity, normalized to the caption of... | UPDATE |
REMOVE | events.rdp_activity.attributes.disposition_id.enum.5.caption | | UPDATE |
UPDATE | events.rdp_activity.attributes.actor.description | The actor object describes details about the... | UPDATE |
UPDATE | events.rdp_activity.attributes.activity_id.enum.1.description | The initial RDP request. | UPDATE |
IGNORE | events.rdp_activity.attributes.type_uid.type | | UPDATE |
UPDATE | events.rdp_activity.attributes.observables.description | The observables associated with the event or a finding. | UPDATE |
UPDATE | events.rdp_activity.attributes.type_name.description | The event/finding type name, as defined by the type_uid. | UPDATE |
ADD | events.network_activity.attributes.api | {'requirement': 'optional', 'group': 'context',... | ADD |
ADD | events.network_activity.attributes.disposition_id.enum.22 | {'caption': 'Captcha', 'description': 'Required the end... | ADD |
ADD | events.network_activity.attributes.unmapped.requirement | optional | ADD |
ADD | events.network_activity.attributes.disposition_id.enum.18 | {'caption': 'Tagged', 'description': 'A file or other... | ADD |
ADD | events.network_activity.attributes.disposition_id.enum.7.description | A custom action was executed such as running of a... | ADD |
ADD | events.network_activity.attributes.disposition_id.enum.24 | {'caption': 'Access Revoked', 'description': "The... | ADD |
ADD | events.network_activity.attributes.disposition_id.enum.23 | {'caption': 'Challenge', 'description': "Ran a silent... | ADD |
ADD | events.network_activity.attributes.activity_id.enum.99 | {'caption': 'Other', 'description': 'The event activity... | ADD |
ADD | events.network_activity.attributes.disposition_id.enum.19 | {'caption': 'Alert', 'description': 'The request or... | ADD |
ADD | events.network_activity.attributes.status_detail.requirement | optional | ADD |
ADD | events.network_activity.attributes.disposition_id.enum.9 | {'caption': 'Restored', 'description': 'A quarantined... | ADD |
ADD | events.network_activity.attributes.proxy_endpoint | {'description': 'The proxy (server) in a network... | ADD |
ADD | events.network_activity.attributes.disposition_id.enum.99 | {'caption': 'Other', 'description': 'The disposition is... | ADD |
ADD | events.network_activity.attributes.proxy_traffic | {'description': 'The network traffic refers to the... | ADD |
ADD | events.network_activity.attributes.status_id.enum.99 | {'caption': 'Other', 'description': 'The event status is... | ADD |
ADD | events.network_activity.attributes.disposition_id.enum.26 | {'caption': 'Unauthorized', 'description': "An attempt... | ADD |
ADD | events.network_activity.attributes.enrichments.requirement | optional | ADD |
ADD | events.network_activity.attributes.firewall_rule | {'requirement': 'optional', 'caption': 'Firewall Rule',... | ADD |
ADD | events.network_activity.attributes.type_uid.enum.400106 | {'caption': 'Network Activity: Traffic'} | ADD |
ADD | events.network_activity.attributes.end_time.requirement | optional | ADD |
ADD | events.network_activity.attributes.count.requirement | optional | ADD |
ADD | events.network_activity.attributes.proxy_http_request | {'description': 'The HTTP Request from the proxy server... | ADD |
ADD | events.network_activity.attributes.disposition_id.enum.1.description | Granted access or allowed the action to the protected resource. | ADD |
ADD | events.network_activity.attributes.disposition_id.enum.8.description | A request or submission was approved. For example, when... | ADD |
ADD | events.network_activity.attributes.disposition_id.enum.3.description | A suspicious file or other content was moved to a benign... | ADD |
ADD | events.network_activity.attributes.disposition_id.enum.27 | {'caption': 'Error', 'description': 'An error occurred... | ADD |
ADD | events.network_activity.attributes.disposition_id.enum.17 | {'caption': 'Logged', 'description': 'The operation or... | ADD |
ADD | events.network_activity.attributes.activity_id.enum.6 | {'caption': 'Traffic', 'description': 'Network traffic report.'} | ADD |
ADD | events.network_activity.attributes.type_uid.enum.400199 | {'caption': 'Network Activity: Other'} | ADD |
ADD | events.network_activity.attributes.proxy_http_response | {'description': 'The HTTP Response from the remote... | ADD |
ADD | events.network_activity.attributes.type_uid.enum.400105 | {'caption': 'Network Activity: Refuse'} | ADD |
ADD | events.network_activity.attributes.status_id.enum.0.description | The status is unknown. | ADD |
ADD | events.network_activity.attributes.start_time.requirement | optional | ADD |
ADD | events.network_activity.attributes.duration.requirement | optional | ADD |
ADD | events.network_activity.attributes.disposition_id.enum.13.description | A corrupt file or configuration was not corrected. | ADD |
ADD | events.network_activity.attributes.severity_id.enum.99 | {'caption': 'Other', 'description': 'The event/finding... | ADD |
ADD | events.network_activity.attributes.cloud.group | primary | ADD |
ADD | events.network_activity.attributes.authorizations | {'requirement': 'optional', 'caption': 'Authorization... | ADD |
ADD | events.network_activity.attributes.disposition_id.enum.20 | {'caption': 'Count', 'description': 'Counted the request... | ADD |
ADD | events.network_activity.attributes.proxy.@deprecated | {'message': 'Use the <code> proxy_endpoint </code>... | ADD |
ADD | events.network_activity.attributes.disposition_id.enum.0.description | The disposition was not known. | ADD |
ADD | events.network_activity.attributes.disposition_id.enum.21 | {'caption': 'Reset', 'description': 'The request was... | ADD |
ADD | events.network_activity.attributes.action | {'caption': 'Action', 'description': 'The normalized... | ADD |
ADD | events.network_activity.attributes.url | {'description': 'The URL details relevant to the network... | ADD |
ADD | events.network_activity.attributes.proxy_tls | {'description': 'The TLS protocol negotiated between the... | ADD |
ADD | events.network_activity.attributes.disposition_id.enum.12.description | A corrupt file or configuration was partially corrected. | ADD |
ADD | events.network_activity.attributes.disposition_id.enum.6.description | The request was detected as a threat and resulted in the... | ADD |
ADD | events.network_activity.attributes.disposition_id.enum.2.description | Denied access or blocked the action to the protected resource. | ADD |
ADD | events.network_activity.attributes.disposition_id.enum.11.description | A corrupt file or configuration was corrected. | ADD |
ADD | events.network_activity.attributes.activity_id.enum.5 | {'caption': 'Refuse', 'description': 'The network... | ADD |
ADD | events.network_activity.attributes.proxy_connection_info | {'description': 'The connection information from the... | ADD |
ADD | events.network_activity.attributes.disposition_id.enum.4.description | A session was isolated on the network or within a browser. | ADD |
ADD | events.network_activity.attributes.status_code.requirement | optional | ADD |
ADD | events.network_activity.attributes.disposition_id.enum.25 | {'caption': 'Rejected', 'description': "A request or... | ADD |
ADD | events.network_activity.attributes.action_id | {'caption': 'Action ID', 'description': "The action... | ADD |
ADD | events.network_activity.attributes.disposition_id.enum.16 | {'caption': 'No Action', 'description': 'The outcome of... | ADD |
ADD | events.network_activity.attributes.disposition_id.enum.5.description | A file or other content was deleted. | ADD |
ADD | events.network_activity.attributes.load_balancer | {'requirement': 'recommended', 'caption': 'Load... | ADD |
ADD | events.network_activity.attributes.raw_data.requirement | optional | ADD |
UPDATE | events.network_activity.attributes.disposition_id.enum.-1 | | REMOVE |
DEPRECATE | events.network_activity.attributes.count.default | 1 | REMOVE |
DEPRECATE | events.network_activity.attributes.confidence | {'group': 'classification', 'requirement': 'optional',... | REMOVE |
UPDATE | events.network_activity.attributes.activity_id.enum.-1 | | REMOVE |
UPDATE | events.network_activity.attributes.severity_id.enum.-1 | | REMOVE |
REMOVE | events.network_activity.attributes.activity_id.$include | | REMOVE |
IGNORE | events.network_activity.attributes.class_uid.default | | REMOVE |
DEPRECATE | events.network_activity.attributes.data | {'description': 'Additional data that is associated with... | REMOVE |
IGNORE | events.network_activity.attributes.type_uid.enum.400099 | | REMOVE |
UPDATE | events.network_activity.attributes.status_id.enum.-1 | | REMOVE |
IGNORE | events.network_activity.attributes.category_uid.default | | REMOVE |
UPDATE | events.network_activity.attributes.attacks.description | An array of <a target='_blank'... | UPDATE |
UPDATE | events.network_activity.attributes.status.description | The event status, normalized to the caption of the... | UPDATE |
REMOVE | events.network_activity.attributes.disposition_id.enum.6.caption | | UPDATE |
REMOVE | events.network_activity.attributes.disposition_id.enum.8.caption | | UPDATE |
REMOVE | events.network_activity.attributes.disposition_id.enum.13.caption | | UPDATE |
UPDATE | events.network_activity.attributes.activity_id.enum.4.caption | Fail | UPDATE |
REMOVE | events.network_activity.attributes.disposition_id.enum.14.caption | | UPDATE |
REMOVE | events.network_activity.attributes.disposition_id.enum.12.caption | | UPDATE |
DEPRECATE | events.network_activity.attributes.severity_id.enum.0.description | The event severity is not known. | UPDATE |
REMOVE | events.network_activity.attributes.disposition_id.enum.11.caption | | UPDATE |
UPDATE | events.network_activity.attributes.activity_id.enum.4.description | The network connection failed. For example a connection... | UPDATE |
REMOVE | events.network_activity.attributes.disposition_id.enum.10.caption | | UPDATE |
UPDATE | events.network_activity.attributes.malware.description | A list of Malware objects, describing details about the... | UPDATE |
IGNORE | events.network_activity.extends | | UPDATE |
REMOVE | events.network_activity.attributes.disposition_id.enum.5.caption | | UPDATE |
UPDATE | events.network_activity.attributes.disposition.description | The disposition name, normalized to the caption of the... | UPDATE |
UPDATE | events.network_activity.attributes.time.description | The normalized event occurrence time or the finding... | UPDATE |
REMOVE | events.network_activity.attributes.disposition_id.enum.4.caption | | UPDATE |
UPDATE | events.network_activity.attributes.metadata.description | The metadata associated with the event or a finding. | UPDATE |
UPDATE | events.network_activity.attributes.malware.requirement | optional | UPDATE |
REMOVE | events.network_activity.attributes.disposition_id.requirement | | UPDATE |
REMOVE | events.network_activity.attributes.disposition_id.enum.2.caption | | UPDATE |
UPDATE | events.network_activity.attributes.device.description | An addressable device, computer system or host. | UPDATE |
UPDATE | events.network_activity.attributes.message.description | The description of the event/finding, as defined by the source. | UPDATE |
REMOVE | events.network_activity.attributes.disposition_id.enum.1.caption | | UPDATE |
IGNORE | events.network_activity.attributes.type_uid.enum.400104.caption | | UPDATE |
DEPRECATE | events.network_activity.attributes.disposition_id.enum.14.description | No longer suspicious (re-scored). | UPDATE |
UPDATE | events.network_activity.attributes.cloud.description | Describes details about the Cloud environment where the... | UPDATE |
REMOVE | events.network_activity.attributes.disposition_id.enum.7.caption | | UPDATE |
UPDATE | events.network_activity.attributes.observables.description | The observables associated with the event or a finding. | UPDATE |
UPDATE | events.network_activity.attributes.proxy.description | The proxy (server) in a network connection. | UPDATE |
REMOVE | events.network_activity.attributes.disposition_id.enum.3.caption | | UPDATE |
DEPRECATE | events.network_activity.attributes.disposition_id.enum.15.description | Marked with extended attributes. | UPDATE |
UPDATE | events.network_activity.attributes.status_detail.description | The status details contains additional information about... | UPDATE |
IGNORE | events.network_activity.profiles | | UPDATE |
UPDATE | events.network_activity.attributes.type_name.description | The event/finding type name, as defined by the type_uid. | UPDATE |
DEPRECATE | events.network_activity.attributes.disposition_id.enum.10.description | Requires reboot to finish the operation. | UPDATE |
REMOVE | events.network_activity.attributes.disposition_id.enum.15.caption | | UPDATE |
UPDATE | events.network_activity.attributes.enrichments.description | The additional information from an external data source,... | UPDATE |
REMOVE | events.network_activity.attributes.attacks.caption | | UPDATE |
IGNORE | events.network_activity.attributes.type_uid.description | | UPDATE |
UPDATE | events.network_activity.attributes.severity.description | The event/finding severity, normalized to the caption of... | UPDATE |
REMOVE | events.network_activity.attributes.disposition_id.description | | UPDATE |
IGNORE | events.network_activity.attributes.type_uid.type | | UPDATE |
UPDATE | events.network_activity.attributes.actor.description | The actor object describes details about the... | UPDATE |
UPDATE | events.network_activity.attributes.severity_id.description | <p>The normalized identifier of the event/finding... | UPDATE |
ADD | events.dns_activity.attributes.disposition_id.enum.4.description | A session was isolated on the network or within a browser. | ADD |
ADD | events.dns_activity.attributes.proxy_traffic | {'description': 'The network traffic refers to the... | ADD |
ADD | events.dns_activity.attributes.disposition_id.enum.25 | {'caption': 'Rejected', 'description': "A request or... | ADD |
ADD | events.dns_activity.attributes.disposition_id.enum.12.description | A corrupt file or configuration was partially corrected. | ADD |
ADD | events.dns_activity.attributes.disposition_id.enum.7.description | A custom action was executed such as running of a... | ADD |
ADD | events.dns_activity.attributes.disposition_id.enum.9 | {'caption': 'Restored', 'description': 'A quarantined... | ADD |
ADD | events.dns_activity.attributes.disposition_id.enum.3.description | A suspicious file or other content was moved to a benign... | ADD |
ADD | events.dns_activity.attributes.cloud.group | primary | ADD |
ADD | events.dns_activity.attributes.count.requirement | optional | ADD |
ADD | events.dns_activity.attributes.status_detail.requirement | optional | ADD |
ADD | events.dns_activity.attributes.disposition_id.enum.22 | {'caption': 'Captcha', 'description': 'Required the end... | ADD |
ADD | events.dns_activity.attributes.proxy_endpoint | {'description': 'The proxy (server) in a network... | ADD |
ADD | events.dns_activity.attributes.status_code.requirement | optional | ADD |
ADD | events.dns_activity.attributes.disposition_id.enum.24 | {'caption': 'Access Revoked', 'description': "The... | ADD |
ADD | events.dns_activity.attributes.firewall_rule | {'requirement': 'optional', 'caption': 'Firewall Rule',... | ADD |
ADD | events.dns_activity.attributes.enrichments.requirement | optional | ADD |
ADD | events.dns_activity.attributes.duration.requirement | optional | ADD |
ADD | events.dns_activity.attributes.disposition_id.enum.8.description | A request or submission was approved. For example, when... | ADD |
ADD | events.dns_activity.attributes.status_id.enum.99 | {'caption': 'Other', 'description': 'The event status is... | ADD |
ADD | events.dns_activity.attributes.type_uid.enum.400306 | {'caption': 'DNS Activity: Traffic'} | ADD |
ADD | events.dns_activity.attributes.proxy_connection_info | {'description': 'The connection information from the... | ADD |
ADD | events.dns_activity.attributes.disposition_id.enum.16 | {'caption': 'No Action', 'description': 'The outcome of... | ADD |
ADD | events.dns_activity.attributes.disposition_id.enum.99 | {'caption': 'Other', 'description': 'The disposition is... | ADD |
ADD | events.dns_activity.attributes.load_balancer | {'requirement': 'recommended', 'caption': 'Load... | ADD |
ADD | events.dns_activity.attributes.disposition_id.enum.23 | {'caption': 'Challenge', 'description': "Ran a silent... | ADD |
ADD | events.dns_activity.attributes.start_time.requirement | optional | ADD |
ADD | events.dns_activity.attributes.disposition_id.enum.5.description | A file or other content was deleted. | ADD |
ADD | events.dns_activity.attributes.disposition_id.enum.20 | {'caption': 'Count', 'description': 'Counted the request... | ADD |
ADD | events.dns_activity.attributes.disposition_id.enum.0.description | The disposition was not known. | ADD |
ADD | events.dns_activity.attributes.disposition_id.enum.11.description | A corrupt file or configuration was corrected. | ADD |
ADD | events.dns_activity.attributes.disposition_id.enum.13.description | A corrupt file or configuration was not corrected. | ADD |
ADD | events.dns_activity.attributes.proxy_http_request | {'description': 'The HTTP Request from the proxy server... | ADD |
ADD | events.dns_activity.attributes.raw_data.requirement | optional | ADD |
ADD | events.dns_activity.attributes.activity_id.enum.99 | {'caption': 'Other', 'description': 'The event activity... | ADD |
ADD | events.dns_activity.attributes.disposition_id.enum.21 | {'caption': 'Reset', 'description': 'The request was... | ADD |
ADD | events.dns_activity.attributes.proxy.@deprecated | {'message': 'Use the <code> proxy_endpoint </code>... | ADD |
ADD | events.dns_activity.attributes.disposition_id.enum.17 | {'caption': 'Logged', 'description': 'The operation or... | ADD |
ADD | events.dns_activity.attributes.authorizations | {'requirement': 'optional', 'caption': 'Authorization... | ADD |
ADD | events.dns_activity.attributes.status_id.enum.0.description | The status is unknown. | ADD |
ADD | events.dns_activity.attributes.proxy_http_response | {'description': 'The HTTP Response from the remote... | ADD |
ADD | events.dns_activity.attributes.action | {'caption': 'Action', 'description': 'The normalized... | ADD |
ADD | events.dns_activity.attributes.api | {'requirement': 'optional', 'group': 'context',... | ADD |
ADD | events.dns_activity.attributes.severity_id.enum.99 | {'caption': 'Other', 'description': 'The event/finding... | ADD |
ADD | events.dns_activity.attributes.action_id | {'caption': 'Action ID', 'description': "The action... | ADD |
ADD | events.dns_activity.attributes.proxy_tls | {'description': 'The TLS protocol negotiated between the... | ADD |
ADD | events.dns_activity.attributes.disposition_id.enum.18 | {'caption': 'Tagged', 'description': 'A file or other... | ADD |
ADD | events.dns_activity.attributes.disposition_id.enum.6.description | The request was detected as a threat and resulted in the... | ADD |
ADD | events.dns_activity.attributes.end_time.requirement | optional | ADD |
ADD | events.dns_activity.attributes.type_uid.enum.400399 | {'caption': 'DNS Activity: Other'} | ADD |
ADD | events.dns_activity.attributes.disposition_id.enum.2.description | Denied access or blocked the action to the protected resource. | ADD |
ADD | events.dns_activity.attributes.disposition_id.enum.27 | {'caption': 'Error', 'description': 'An error occurred... | ADD |
ADD | events.dns_activity.attributes.disposition_id.enum.1.description | Granted access or allowed the action to the protected resource. | ADD |
ADD | events.dns_activity.attributes.unmapped.requirement | optional | ADD |
ADD | events.dns_activity.attributes.disposition_id.enum.26 | {'caption': 'Unauthorized', 'description': "An attempt... | ADD |
ADD | events.dns_activity.attributes.disposition_id.enum.19 | {'caption': 'Alert', 'description': 'The request or... | ADD |
ADD | events.dns_activity.attributes.activity_id.enum.6 | {'caption': 'Traffic', 'description': 'Bidirectional DNS... | ADD |
ADD | events.dns_activity.attributes.rcode_id.enum.99 | {'caption': 'Other', 'description': 'The dns response... | ADD |
UPDATE | events.dns_activity.attributes.severity_id.enum.-1 | | REMOVE |
REMOVE | events.dns_activity.attributes.activity_id.$include | | REMOVE |
UPDATE | events.dns_activity.attributes.rcode_id.enum.-1 | | REMOVE |
IGNORE | events.dns_activity.attributes.type_uid.enum.400303 | | REMOVE |
IGNORE | events.dns_activity.attributes.type_uid.enum.400101 | | REMOVE |
IGNORE | events.dns_activity.attributes.class_uid.default | | REMOVE |
DEPRECATE | events.dns_activity.attributes.count.default | 1 | REMOVE |
IGNORE | events.dns_activity.attributes.type_uid.enum.400099 | | REMOVE |
IGNORE | events.dns_activity.attributes.type_uid.enum.400100 | | REMOVE |
UPDATE | events.dns_activity.attributes.disposition_id.enum.-1 | | REMOVE |
UPDATE | events.dns_activity.attributes.status_id.enum.-1 | | REMOVE |
IGNORE | events.dns_activity.attributes.type_uid.enum.400102 | | REMOVE |
IGNORE | events.dns_activity.attributes.type_uid.enum.400304 | | REMOVE |
UPDATE | events.dns_activity.attributes.activity_id.enum.3 | | REMOVE |
IGNORE | events.dns_activity.attributes.type_uid.enum.400299 | | REMOVE |
UPDATE | events.dns_activity.attributes.activity_id.enum.4 | | REMOVE |
IGNORE | events.dns_activity.attributes.type_uid.enum.400104 | | REMOVE |
UPDATE | events.dns_activity.attributes.activity_id.enum.-1 | | REMOVE |
IGNORE | events.dns_activity.attributes.type_uid.enum.400103 | | REMOVE |
IGNORE | events.dns_activity.attributes.category_uid.default | | REMOVE |
DEPRECATE | events.dns_activity.attributes.data | {'description': 'Additional data that is associated with... | REMOVE |
DEPRECATE | events.dns_activity.attributes.confidence | {'group': 'classification', 'requirement': 'optional',... | REMOVE |
REMOVE | events.dns_activity.attributes.disposition_id.enum.5.caption | | UPDATE |
DEPRECATE | events.dns_activity.attributes.disposition_id.enum.14.description | No longer suspicious (re-scored). | UPDATE |
UPDATE | events.dns_activity.attributes.observables.description | The observables associated with the event or a finding. | UPDATE |
UPDATE | events.dns_activity.attributes.device.description | An addressable device, computer system or host. | UPDATE |
REMOVE | events.dns_activity.attributes.disposition_id.enum.12.caption | | UPDATE |
REMOVE | events.dns_activity.attributes.disposition_id.enum.3.caption | | UPDATE |
REMOVE | events.dns_activity.attributes.disposition_id.enum.14.caption | | UPDATE |
IGNORE | events.dns_activity.attributes.type_uid.type | | UPDATE |
UPDATE | events.dns_activity.attributes.severity_id.description | <p>The normalized identifier of the event/finding... | UPDATE |
REMOVE | events.dns_activity.attributes.disposition_id.enum.1.caption | | UPDATE |
REMOVE | events.dns_activity.attributes.disposition_id.enum.2.caption | | UPDATE |
UPDATE | events.dns_activity.attributes.status_detail.description | The status details contains additional information about... | UPDATE |
UPDATE | events.dns_activity.attributes.attacks.description | An array of <a target='_blank'... | UPDATE |
UPDATE | events.dns_activity.attributes.type_name.description | The event/finding type name, as defined by the type_uid. | UPDATE |
REMOVE | events.dns_activity.attributes.disposition_id.requirement | | UPDATE |
REMOVE | events.dns_activity.attributes.disposition_id.enum.11.caption | | UPDATE |
UPDATE | events.dns_activity.attributes.enrichments.description | The additional information from an external data source,... | UPDATE |
IGNORE | events.dns_activity.extends | | UPDATE |
UPDATE | events.dns_activity.attributes.message.description | The description of the event/finding, as defined by the source. | UPDATE |
UPDATE | events.dns_activity.attributes.status.description | The event status, normalized to the caption of the... | UPDATE |
UPDATE | events.dns_activity.attributes.activity_id.enum.2.caption | Response | UPDATE |
DEPRECATE | events.dns_activity.attributes.disposition_id.enum.15.description | Marked with extended attributes. | UPDATE |
IGNORE | events.dns_activity.profiles | | UPDATE |
REMOVE | events.dns_activity.attributes.attacks.caption | | UPDATE |
UPDATE | events.dns_activity.attributes.actor.description | The actor object describes details about the... | UPDATE |
UPDATE | events.dns_activity.attributes.disposition.description | The disposition name, normalized to the caption of the... | UPDATE |
REMOVE | events.dns_activity.attributes.disposition_id.enum.4.caption | | UPDATE |
REMOVE | events.dns_activity.attributes.disposition_id.enum.6.caption | | UPDATE |
IGNORE | events.dns_activity.attributes.type_uid.enum.400302.caption | | UPDATE |
UPDATE | events.dns_activity.attributes.malware.requirement | optional | UPDATE |
UPDATE | events.dns_activity.attributes.dst_endpoint.requirement | recommended | UPDATE |
REMOVE | events.dns_activity.attributes.disposition_id.enum.7.caption | | UPDATE |
UPDATE | events.dns_activity.attributes.severity.description | The event/finding severity, normalized to the caption of... | UPDATE |
UPDATE | events.dns_activity.attributes.proxy.description | The proxy (server) in a network connection. | UPDATE |
DEPRECATE | events.dns_activity.attributes.severity_id.enum.0.description | The event severity is not known. | UPDATE |
UPDATE | events.dns_activity.attributes.activity_id.enum.1.description | The DNS query request. | UPDATE |
UPDATE | events.dns_activity.attributes.activity_id.enum.2.description | The DNS query response. | UPDATE |
REMOVE | events.dns_activity.attributes.disposition_id.description | | UPDATE |
REMOVE | events.dns_activity.attributes.disposition_id.enum.8.caption | | UPDATE |
UPDATE | events.dns_activity.attributes.activity_id.enum.1.caption | Query | UPDATE |
UPDATE | events.dns_activity.attributes.malware.description | A list of Malware objects, describing details about the... | UPDATE |
UPDATE | events.dns_activity.attributes.metadata.description | The metadata associated with the event or a finding. | UPDATE |
UPDATE | events.dns_activity.attributes.rcode.description | The DNS server response code, normalized to the caption... | UPDATE |
REMOVE | events.dns_activity.attributes.disposition_id.enum.13.caption | | UPDATE |
REMOVE | events.dns_activity.attributes.disposition_id.enum.15.caption | | UPDATE |
REMOVE | events.dns_activity.attributes.disposition_id.enum.10.caption | | UPDATE |
DEPRECATE | events.dns_activity.attributes.disposition_id.enum.10.description | Requires reboot to finish the operation. | UPDATE |
UPDATE | events.dns_activity.attributes.cloud.description | Describes details about the Cloud environment where the... | UPDATE |
IGNORE | events.dns_activity.attributes.type_uid.enum.400301.caption | | UPDATE |
IGNORE | events.dns_activity.attributes.type_uid.description | | UPDATE |
UPDATE | events.dns_activity.attributes.time.description | The normalized event occurrence time or the finding... | UPDATE |
ADD | events.http_activity.attributes.disposition_id.enum.3.description | A suspicious file or other content was moved to a benign... | ADD |
ADD | events.http_activity.attributes.status_id.enum.99 | {'caption': 'Other', 'description': 'The event status is... | ADD |
ADD | events.http_activity.attributes.disposition_id.enum.17 | {'caption': 'Logged', 'description': 'The operation or... | ADD |
ADD | events.http_activity.attributes.disposition_id.enum.1.description | Granted access or allowed the action to the protected resource. | ADD |
ADD | events.http_activity.attributes.start_time.requirement | optional | ADD |
ADD | events.http_activity.attributes.type_uid.enum.400206 | {'caption': 'HTTP Activity: Post'} | ADD |
ADD | events.http_activity.attributes.proxy_tls | {'description': 'The TLS protocol negotiated between the... | ADD |
ADD | events.http_activity.attributes.disposition_id.enum.13.description | A corrupt file or configuration was not corrected. | ADD |
ADD | events.http_activity.attributes.disposition_id.enum.26 | {'caption': 'Unauthorized', 'description': "An attempt... | ADD |
ADD | events.http_activity.attributes.activity_id.enum.99 | {'caption': 'Other', 'description': 'The event activity... | ADD |
ADD | events.http_activity.attributes.disposition_id.enum.25 | {'caption': 'Rejected', 'description': "A request or... | ADD |
ADD | events.http_activity.attributes.disposition_id.enum.8.description | A request or submission was approved. For example, when... | ADD |
ADD | events.http_activity.attributes.status_code.requirement | optional | ADD |
ADD | events.http_activity.attributes.disposition_id.enum.11.description | A corrupt file or configuration was corrected. | ADD |
ADD | events.http_activity.attributes.unmapped.requirement | optional | ADD |
ADD | events.http_activity.attributes.activity_id.enum.8 | {'caption': 'Trace', 'description': 'The TRACE method... | ADD |
ADD | events.http_activity.attributes.disposition_id.enum.19 | {'caption': 'Alert', 'description': 'The request or... | ADD |
ADD | events.http_activity.attributes.disposition_id.enum.23 | {'caption': 'Challenge', 'description': "Ran a silent... | ADD |
ADD | events.http_activity.attributes.raw_data.requirement | optional | ADD |
ADD | events.http_activity.attributes.cloud.group | primary | ADD |
ADD | events.http_activity.attributes.disposition_id.enum.0.description | The disposition was not known. | ADD |
ADD | events.http_activity.attributes.disposition_id.enum.2.description | Denied access or blocked the action to the protected resource. | ADD |
ADD | events.http_activity.attributes.action | {'caption': 'Action', 'description': 'The normalized... | ADD |
ADD | events.http_activity.attributes.status_detail.requirement | optional | ADD |
ADD | events.http_activity.attributes.disposition_id.enum.22 | {'caption': 'Captcha', 'description': 'Required the end... | ADD |
ADD | events.http_activity.attributes.load_balancer | {'requirement': 'recommended', 'caption': 'Load... | ADD |
ADD | events.http_activity.attributes.firewall_rule | {'requirement': 'optional', 'caption': 'Firewall Rule',... | ADD |
ADD | events.http_activity.attributes.disposition_id.enum.99 | {'caption': 'Other', 'description': 'The disposition is... | ADD |
ADD | events.http_activity.attributes.http_response.group | primary | ADD |
ADD | events.http_activity.attributes.action_id | {'caption': 'Action ID', 'description': "The action... | ADD |
ADD | events.http_activity.attributes.type_uid.enum.400299 | {'caption': 'HTTP Activity: Other'} | ADD |
ADD | events.http_activity.attributes.proxy_connection_info | {'description': 'The connection information from the... | ADD |
ADD | events.http_activity.attributes.disposition_id.enum.27 | {'caption': 'Error', 'description': 'An error occurred... | ADD |
ADD | events.http_activity.attributes.count.requirement | optional | ADD |
ADD | events.http_activity.attributes.duration.requirement | optional | ADD |
ADD | events.http_activity.attributes.proxy_http_response | {'description': 'The HTTP Response from the remote... | ADD |
ADD | events.http_activity.attributes.severity_id.enum.99 | {'caption': 'Other', 'description': 'The event/finding... | ADD |
ADD | events.http_activity.attributes.http_status.@deprecated | {'message': 'Use the <code> http_response.code </code>... | ADD |
ADD | events.http_activity.attributes.authorizations | {'requirement': 'optional', 'caption': 'Authorization... | ADD |
ADD | events.http_activity.attributes.disposition_id.enum.12.description | A corrupt file or configuration was partially corrected. | ADD |
ADD | events.http_activity.attributes.type_uid.enum.400208 | {'caption': 'HTTP Activity: Trace'} | ADD |
ADD | events.http_activity.attributes.disposition_id.enum.5.description | A file or other content was deleted. | ADD |
ADD | events.http_activity.attributes.disposition_id.enum.4.description | A session was isolated on the network or within a browser. | ADD |
ADD | events.http_activity.attributes.disposition_id.enum.9 | {'caption': 'Restored', 'description': 'A quarantined... | ADD |
ADD | events.http_activity.attributes.proxy_traffic | {'description': 'The network traffic refers to the... | ADD |
ADD | events.http_activity.attributes.activity_id.enum.5 | {'caption': 'Options', 'description': 'The OPTIONS... | ADD |
ADD | events.http_activity.attributes.disposition_id.enum.24 | {'caption': 'Access Revoked', 'description': "The... | ADD |
ADD | events.http_activity.attributes.disposition_id.enum.16 | {'caption': 'No Action', 'description': 'The outcome of... | ADD |
ADD | events.http_activity.attributes.activity_id.enum.6 | {'caption': 'Post', 'description': 'The POST method... | ADD |
ADD | events.http_activity.attributes.api | {'requirement': 'optional', 'group': 'context',... | ADD |
ADD | events.http_activity.attributes.http_cookies | {'group': 'primary', 'requirement': 'optional',... | ADD |
ADD | events.http_activity.attributes.end_time.requirement | optional | ADD |
ADD | events.http_activity.attributes.proxy_http_request | {'description': 'The HTTP Request from the proxy server... | ADD |
ADD | events.http_activity.attributes.activity_id.enum.7 | {'caption': 'Put', 'description': 'The PUT method... | ADD |
ADD | events.http_activity.attributes.proxy_endpoint | {'description': 'The proxy (server) in a network... | ADD |
ADD | events.http_activity.attributes.http_request.group | primary | ADD |
ADD | events.http_activity.attributes.type_uid.enum.400205 | {'caption': 'HTTP Activity: Options'} | ADD |
ADD | events.http_activity.attributes.disposition_id.enum.6.description | The request was detected as a threat and resulted in the... | ADD |
ADD | events.http_activity.attributes.proxy.@deprecated | {'message': 'Use the <code> proxy_endpoint </code>... | ADD |
ADD | events.http_activity.attributes.disposition_id.enum.18 | {'caption': 'Tagged', 'description': 'A file or other... | ADD |
ADD | events.http_activity.attributes.disposition_id.enum.7.description | A custom action was executed such as running of a... | ADD |
ADD | events.http_activity.attributes.disposition_id.enum.21 | {'caption': 'Reset', 'description': 'The request was... | ADD |
ADD | events.http_activity.attributes.type_uid.enum.400207 | {'caption': 'HTTP Activity: Put'} | ADD |
ADD | events.http_activity.attributes.status_id.enum.0.description | The status is unknown. | ADD |
ADD | events.http_activity.attributes.disposition_id.enum.20 | {'caption': 'Count', 'description': 'Counted the request... | ADD |
ADD | events.http_activity.attributes.enrichments.requirement | optional | ADD |
IGNORE | events.http_activity.attributes.type_uid.enum.400199 | | REMOVE |
UPDATE | events.http_activity.attributes.activity_id.enum.-1 | | REMOVE |
IGNORE | events.http_activity.attributes.type_uid.enum.400102 | | REMOVE |
IGNORE | events.http_activity.attributes.type_uid.enum.400101 | | REMOVE |
IGNORE | events.http_activity.attributes.type_uid.enum.400103 | | REMOVE |
UPDATE | events.http_activity.attributes.status_id.enum.-1 | | REMOVE |
UPDATE | events.http_activity.attributes.disposition_id.enum.-1 | | REMOVE |
DEPRECATE | events.http_activity.attributes.data | {'description': 'Additional data that is associated with... | REMOVE |
DEPRECATE | events.http_activity.attributes.count.default | 1 | REMOVE |
DEPRECATE | events.http_activity.attributes.confidence | {'group': 'classification', 'requirement': 'optional',... | REMOVE |
IGNORE | events.http_activity.attributes.class_uid.default | | REMOVE |
IGNORE | events.http_activity.attributes.type_uid.enum.400100 | | REMOVE |
IGNORE | events.http_activity.attributes.category_uid.default | | REMOVE |
IGNORE | events.http_activity.attributes.type_uid.enum.400099 | | REMOVE |
REMOVE | events.http_activity.attributes.activity_id.$include | | REMOVE |
IGNORE | events.http_activity.attributes.type_uid.enum.400104 | | REMOVE |
UPDATE | events.http_activity.attributes.severity_id.enum.-1 | | REMOVE |
UPDATE | events.http_activity.attributes.actor.description | The actor object describes details about the... | UPDATE |
REMOVE | events.http_activity.attributes.attacks.caption | | UPDATE |
REMOVE | events.http_activity.attributes.disposition_id.enum.8.caption | | UPDATE |
REMOVE | events.http_activity.attributes.disposition_id.enum.7.caption | | UPDATE |
REMOVE | events.http_activity.attributes.disposition_id.enum.10.caption | | UPDATE |
REMOVE | events.http_activity.attributes.disposition_id.enum.11.caption | | UPDATE |
UPDATE | events.http_activity.attributes.activity_id.enum.2.caption | Delete | UPDATE |
REMOVE | events.http_activity.attributes.disposition_id.enum.6.caption | | UPDATE |
UPDATE | events.http_activity.attributes.activity_id.enum.3.caption | Get | UPDATE |
UPDATE | events.http_activity.attributes.type_name.description | The event/finding type name, as defined by the type_uid. | UPDATE |
UPDATE | events.http_activity.attributes.http_request.description | The HTTP Request Object documents attributes of a... | UPDATE |
REMOVE | events.http_activity.attributes.disposition_id.enum.4.caption | | UPDATE |
UPDATE | events.http_activity.attributes.disposition.description | The disposition name, normalized to the caption of the... | UPDATE |
REMOVE | events.http_activity.attributes.disposition_id.enum.3.caption | | UPDATE |
DEPRECATE | events.http_activity.attributes.disposition_id.enum.10.description | Requires reboot to finish the operation. | UPDATE |
REMOVE | events.http_activity.attributes.disposition_id.enum.5.caption | | UPDATE |
UPDATE | events.http_activity.attributes.malware.description | A list of Malware objects, describing details about the... | UPDATE |
IGNORE | events.http_activity.attributes.type_uid.enum.400202.caption | | UPDATE |
UPDATE | events.http_activity.attributes.metadata.description | The metadata associated with the event or a finding. | UPDATE |
UPDATE | events.http_activity.attributes.time.description | The normalized event occurrence time or the finding... | UPDATE |
UPDATE | events.http_activity.attributes.severity_id.description | <p>The normalized identifier of the event/finding... | UPDATE |
UPDATE | events.http_activity.attributes.status.description | The event status, normalized to the caption of the... | UPDATE |
UPDATE | events.http_activity.attributes.severity.description | The event/finding severity, normalized to the caption of... | UPDATE |
UPDATE | events.http_activity.attributes.activity_id.enum.3.description | The GET method requests a representation of the... | UPDATE |
REMOVE | events.http_activity.attributes.disposition_id.enum.2.caption | | UPDATE |
REMOVE | events.http_activity.attributes.disposition_id.enum.13.caption | | UPDATE |
UPDATE | events.http_activity.attributes.cloud.description | Describes details about the Cloud environment where the... | UPDATE |
UPDATE | events.http_activity.attributes.activity_id.enum.1.description | The CONNECT method establishes a tunnel to the server... | UPDATE |
REMOVE | events.http_activity.attributes.disposition_id.enum.15.caption | | UPDATE |
UPDATE | events.http_activity.attributes.activity_id.enum.1.caption | Connect | UPDATE |
UPDATE | events.http_activity.attributes.device.description | An addressable device, computer system or host. | UPDATE |
IGNORE | events.http_activity.attributes.type_uid.description | | UPDATE |
UPDATE | events.http_activity.attributes.observables.description | The observables associated with the event or a finding. | UPDATE |
UPDATE | events.http_activity.attributes.activity_id.enum.4.description | The HEAD method asks for a response identical to a GET... | UPDATE |
UPDATE | events.http_activity.attributes.attacks.description | An array of <a target='_blank'... | UPDATE |
UPDATE | events.http_activity.attributes.activity_id.enum.4.caption | Head | UPDATE |
IGNORE | events.http_activity.attributes.type_uid.type | | UPDATE |
UPDATE | events.http_activity.attributes.enrichments.description | The additional information from an external data source,... | UPDATE |
REMOVE | events.http_activity.attributes.disposition_id.enum.1.caption | | UPDATE |
IGNORE | events.http_activity.extends | | UPDATE |
REMOVE | events.http_activity.attributes.disposition_id.requirement | | UPDATE |
REMOVE | events.http_activity.attributes.disposition_id.description | | UPDATE |
REMOVE | events.http_activity.attributes.disposition_id.enum.14.caption | | UPDATE |
UPDATE | events.http_activity.attributes.activity_id.enum.2.description | The DELETE method deletes the specified resource. | UPDATE |
IGNORE | events.http_activity.attributes.type_uid.enum.400201.caption | | UPDATE |
UPDATE | events.http_activity.attributes.malware.requirement | optional | UPDATE |
REMOVE | events.http_activity.attributes.disposition_id.enum.12.caption | | UPDATE |
IGNORE | events.http_activity.profiles | | UPDATE |
DEPRECATE | events.http_activity.attributes.disposition_id.enum.15.description | Marked with extended attributes. | UPDATE |
UPDATE | events.http_activity.attributes.proxy.description | The proxy (server) in a network connection. | UPDATE |
DEPRECATE | events.http_activity.attributes.severity_id.enum.0.description | The event severity is not known. | UPDATE |
IGNORE | events.http_activity.attributes.type_uid.enum.400204.caption | | UPDATE |
UPDATE | events.http_activity.attributes.status_detail.description | The status details contains additional information about... | UPDATE |
DEPRECATE | events.http_activity.attributes.disposition_id.enum.14.description | No longer suspicious (re-scored). | UPDATE |
IGNORE | events.http_activity.attributes.type_uid.enum.400203.caption | | UPDATE |
UPDATE | events.http_activity.attributes.message.description | The description of the event/finding, as defined by the source. | UPDATE |
ADD | events.email_file_activity.attributes.type_uid.enum.401199 | {'caption': 'Email File Activity: Other'} | ADD |
ADD | events.email_file_activity.attributes.type_uid.enum.401101 | {'caption': 'Email File Activity: Send'} | ADD |
ADD | events.email_file_activity.attributes.disposition_id.enum.6.description | The request was detected as a threat and resulted in the... | ADD |
ADD | events.email_file_activity.attributes.type_uid.enum.401100 | {'caption': 'Email File Activity: Unknown'} | ADD |
ADD | events.email_file_activity.attributes.category_uid.enum.4 | {'caption': 'Network Activity', 'description': 'Network... | ADD |
ADD | events.email_file_activity.attributes.disposition_id.enum.2.description | Denied access or blocked the action to the protected resource. | ADD |
ADD | events.email_file_activity.attributes.count.requirement | optional | ADD |
ADD | events.email_file_activity.attributes.disposition_id.enum.24 | {'caption': 'Access Revoked', 'description': "The... | ADD |
ADD | events.email_file_activity.attributes.activity_id.enum.2 | {'caption': 'Receive'} | ADD |
ADD | events.email_file_activity.attributes.disposition_id.enum.12.description | A corrupt file or configuration was partially corrected. | ADD |
ADD | events.email_file_activity.attributes.disposition_id.enum.0.description | The disposition was not known. | ADD |
ADD | events.email_file_activity.attributes.type_uid.enum.401103 | {'caption': 'Email File Activity: Scan'} | ADD |
ADD | events.email_file_activity.attributes.authorizations | {'requirement': 'optional', 'caption': 'Authorization... | ADD |
ADD | events.email_file_activity.attributes.status_id.enum.99 | {'caption': 'Other', 'description': 'The event status is... | ADD |
ADD | events.email_file_activity.attributes.action_id | {'caption': 'Action ID', 'description': "The action... | ADD |
ADD | events.email_file_activity.attributes.disposition_id.enum.26 | {'caption': 'Unauthorized', 'description': "An attempt... | ADD |
ADD | events.email_file_activity.attributes.disposition_id.enum.4.description | A session was isolated on the network or within a browser. | ADD |
ADD | events.email_file_activity.attributes.start_time.requirement | optional | ADD |
ADD | events.email_file_activity.attributes.raw_data.requirement | optional | ADD |
ADD | events.email_file_activity.attributes.action | {'caption': 'Action', 'description': 'The normalized... | ADD |
ADD | events.email_file_activity.attributes.api | {'requirement': 'optional', 'group': 'context',... | ADD |
ADD | events.email_file_activity.attributes.severity_id.enum.99 | {'caption': 'Other', 'description': 'The event/finding... | ADD |
ADD | events.email_file_activity.attributes.disposition_id.enum.27 | {'caption': 'Error', 'description': 'An error occurred... | ADD |
ADD | events.email_file_activity.attributes.status_detail.requirement | optional | ADD |
ADD | events.email_file_activity.attributes.disposition_id.enum.21 | {'caption': 'Reset', 'description': 'The request was... | ADD |
ADD | events.email_file_activity.attributes.disposition_id.enum.18 | {'caption': 'Tagged', 'description': 'A file or other... | ADD |
ADD | events.email_file_activity.attributes.disposition_id.enum.19 | {'caption': 'Alert', 'description': 'The request or... | ADD |
ADD | events.email_file_activity.attributes.disposition_id.enum.16 | {'caption': 'No Action', 'description': 'The outcome of... | ADD |
ADD | events.email_file_activity.attributes.status_code.requirement | optional | ADD |
ADD | events.email_file_activity.attributes.disposition_id.enum.25 | {'caption': 'Rejected', 'description': "A request or... | ADD |
ADD | events.email_file_activity.attributes.firewall_rule | {'requirement': 'optional', 'caption': 'Firewall Rule',... | ADD |
ADD | events.email_file_activity.attributes.disposition_id.enum.1.description | Granted access or allowed the action to the protected resource. | ADD |
ADD | events.email_file_activity.attributes.disposition_id.enum.9 | {'caption': 'Restored', 'description': 'A quarantined... | ADD |
ADD | events.email_file_activity.attributes.duration.requirement | optional | ADD |
ADD | events.email_file_activity.attributes.disposition_id.enum.23 | {'caption': 'Challenge', 'description': "Ran a silent... | ADD |
ADD | events.email_file_activity.attributes.disposition_id.enum.8.description | A request or submission was approved. For example, when... | ADD |
ADD | events.email_file_activity.attributes.disposition_id.enum.17 | {'caption': 'Logged', 'description': 'The operation or... | ADD |
ADD | events.email_file_activity.attributes.disposition_id.enum.5.description | A file or other content was deleted. | ADD |
ADD | events.email_file_activity.attributes.enrichments.requirement | optional | ADD |
ADD | events.email_file_activity.attributes.disposition_id.enum.11.description | A corrupt file or configuration was corrected. | ADD |
ADD | events.email_file_activity.attributes.class_uid.enum.4011 | {'caption': 'Email File Activity', 'description': 'Email... | ADD |
ADD | events.email_file_activity.attributes.activity_id.enum.99 | {'caption': 'Other', 'description': 'The event activity... | ADD |
ADD | events.email_file_activity.attributes.unmapped.requirement | optional | ADD |
ADD | events.email_file_activity.attributes.status_id.enum.0.description | The status is unknown. | ADD |
ADD | events.email_file_activity.attributes.activity_id.enum.3 | {'caption': 'Scan', 'description': 'Email file being... | ADD |
ADD | events.email_file_activity.attributes.cloud.group | primary | ADD |
ADD | events.email_file_activity.attributes.disposition_id.enum.13.description | A corrupt file or configuration was not corrected. | ADD |
ADD | events.email_file_activity.attributes.disposition_id.enum.7.description | A custom action was executed such as running of a... | ADD |
ADD | events.email_file_activity.attributes.disposition_id.enum.22 | {'caption': 'Captcha', 'description': 'Required the end... | ADD |
ADD | events.email_file_activity.attributes.disposition_id.enum.3.description | A suspicious file or other content was moved to a benign... | ADD |
ADD | events.email_file_activity.attributes.disposition_id.enum.99 | {'caption': 'Other', 'description': 'The disposition is... | ADD |
ADD | events.email_file_activity.attributes.end_time.requirement | optional | ADD |
ADD | events.email_file_activity.attributes.disposition_id.enum.20 | {'caption': 'Count', 'description': 'Counted the request... | ADD |
ADD | events.email_file_activity.attributes.type_uid.enum.401102 | {'caption': 'Email File Activity: Receive'} | ADD |
DEPRECATE | events.email_file_activity.attributes.actor.group | primary | REMOVE |
PRESERVE | events.email_file_activity.associations | {'device': ['actor.user'], 'actor.user': ['device']} | REMOVE |
REMOVE | events.email_file_activity.attributes.activity_id.$include | | REMOVE |
IGNORE | events.email_file_activity.attributes.class_uid.enum.1001 | | REMOVE |
REMOVE | events.email_file_activity.attributes.$include | | REMOVE |
IGNORE | events.email_file_activity.attributes.category_uid.default | | REMOVE |
UPDATE | events.email_file_activity.attributes.disposition_id.enum.-1 | | REMOVE |
IGNORE | events.email_file_activity.attributes.class_uid.default | | REMOVE |
DEPRECATE | events.email_file_activity.attributes.device.group | primary | REMOVE |
IGNORE | events.email_file_activity.attributes.type_uid.enum.100100 | | REMOVE |
DEPRECATE | events.email_file_activity.attributes.confidence | {'group': 'classification', 'requirement': 'optional',... | REMOVE |
IGNORE | events.email_file_activity.attributes.category_uid.enum.1 | | REMOVE |
UPDATE | events.email_file_activity.attributes.status_id.enum.-1 | | REMOVE |
IGNORE | events.email_file_activity.extension | | REMOVE |
UPDATE | events.email_file_activity.attributes.severity_id.enum.-1 | | REMOVE |
DEPRECATE | events.email_file_activity.attributes.connection_uid | {'requirement': 'optional', 'group': 'context',... | REMOVE |
DEPRECATE | events.email_file_activity.attributes.count.default | 1 | REMOVE |
IGNORE | events.email_file_activity.attributes.type_uid.enum.100099 | | REMOVE |
UPDATE | events.email_file_activity.attributes.activity_id.enum.-1 | | REMOVE |
IGNORE | events.email_file_activity.attributes.type_uid.enum.100101 | | REMOVE |
DEPRECATE | events.email_file_activity.attributes.data | {'description': 'Additional data that is associated with... | REMOVE |
UPDATE | events.email_file_activity.attributes.severity.description | The event/finding severity, normalized to the caption of... | UPDATE |
IGNORE | events.email_file_activity.profiles | | UPDATE |
REMOVE | events.email_file_activity.attributes.disposition_id.enum.8.caption | | UPDATE |
REMOVE | events.email_file_activity.attributes.disposition_id.enum.14.caption | | UPDATE |
UPDATE | events.email_file_activity.attributes.device.description | An addressable device, computer system or host. | UPDATE |
DEPRECATE | events.email_file_activity.attributes.severity_id.enum.0.description | The event severity is not known. | UPDATE |
REMOVE | events.email_file_activity.attributes.disposition_id.enum.7.caption | | UPDATE |
UPDATE | events.email_file_activity.attributes.metadata.description | The metadata associated with the event or a finding. | UPDATE |
UPDATE | events.email_file_activity.attributes.actor.description | The actor object describes details about the... | UPDATE |
REMOVE | events.email_file_activity.attributes.disposition_id.enum.11.caption | | UPDATE |
REMOVE | events.email_file_activity.attributes.disposition_id.enum.3.caption | | UPDATE |
UPDATE | events.email_file_activity.attributes.malware.description | A list of Malware objects, describing details about the... | UPDATE |
IGNORE | events.email_file_activity.attributes.type_uid.type | | UPDATE |
UPDATE | events.email_file_activity.attributes.message.description | The description of the event/finding, as defined by the source. | UPDATE |
UPDATE | events.email_file_activity.attributes.activity_id.requirement | optional | UPDATE |
REMOVE | events.email_file_activity.attributes.disposition_id.description | | UPDATE |
IGNORE | events.email_file_activity.extends | | UPDATE |
REMOVE | events.email_file_activity.attributes.disposition_id.enum.15.caption | | UPDATE |
UPDATE | events.email_file_activity.attributes.severity_id.description | <p>The normalized identifier of the event/finding... | UPDATE |
REMOVE | events.email_file_activity.attributes.disposition_id.enum.5.caption | | UPDATE |
UPDATE | events.email_file_activity.description | Email File Activity events report files within emails. | UPDATE |
REMOVE | events.email_file_activity.attributes.disposition_id.enum.6.caption | | UPDATE |
UPDATE | events.email_file_activity.attributes.time.description | The normalized event occurrence time or the finding... | UPDATE |
REMOVE | events.email_file_activity.attributes.disposition_id.enum.1.caption | | UPDATE |
UPDATE | events.email_file_activity.category | network | UPDATE |
REMOVE | events.email_file_activity.attributes.disposition_id.enum.13.caption | | UPDATE |
UPDATE | events.email_file_activity.attributes.status_detail.description | The status details contains additional information about... | UPDATE |
UPDATE | events.email_file_activity.attributes.email_uid.requirement | required | UPDATE |
REMOVE | events.email_file_activity.attributes.attacks.caption | | UPDATE |
UPDATE | events.email_file_activity.attributes.status.description | The event status, normalized to the caption of the... | UPDATE |
DEPRECATE | events.email_file_activity.attributes.disposition_id.enum.14.description | No longer suspicious (re-scored). | UPDATE |
UPDATE | events.email_file_activity.attributes.observables.description | The observables associated with the event or a finding. | UPDATE |
UPDATE | events.email_file_activity.attributes.cloud.description | Describes details about the Cloud environment where the... | UPDATE |
REMOVE | events.email_file_activity.attributes.disposition_id.enum.2.caption | | UPDATE |
DEPRECATE | events.email_file_activity.attributes.disposition_id.enum.15.description | Marked with extended attributes. | UPDATE |
IGNORE | events.email_file_activity.uid | | UPDATE |
REMOVE | events.email_file_activity.attributes.disposition_id.enum.4.caption | | UPDATE |
REMOVE | events.email_file_activity.attributes.disposition_id.enum.10.caption | | UPDATE |
REMOVE | events.email_file_activity.attributes.disposition_id.enum.12.caption | | UPDATE |
UPDATE | events.email_file_activity.attributes.enrichments.description | The additional information from an external data source,... | UPDATE |
DEPRECATE | events.email_file_activity.attributes.disposition_id.enum.10.description | Requires reboot to finish the operation. | UPDATE |
UPDATE | events.email_file_activity.attributes.activity_id.enum.1.caption | Send | UPDATE |
UPDATE | events.email_file_activity.attributes.malware.requirement | optional | UPDATE |
UPDATE | events.email_file_activity.attributes.disposition.description | The disposition name, normalized to the caption of the... | UPDATE |
IGNORE | events.email_file_activity.attributes.type_uid.description | | UPDATE |
REMOVE | events.email_file_activity.attributes.disposition_id.requirement | | UPDATE |
UPDATE | events.email_file_activity.attributes.type_name.description | The event/finding type name, as defined by the type_uid. | UPDATE |
UPDATE | events.email_file_activity.attributes.attacks.description | An array of <a target='_blank'... | UPDATE |
ADD | events.email_activity.attributes.disposition_id.enum.26 | {'caption': 'Unauthorized', 'description': "An attempt... | ADD |
ADD | events.email_activity.attributes.disposition_id.enum.16 | {'caption': 'No Action', 'description': 'The outcome of... | ADD |
ADD | events.email_activity.attributes.src_endpoint | {'description': 'The initiator (client) sending the... | ADD |
ADD | events.email_activity.attributes.status_detail.requirement | optional | ADD |
ADD | events.email_activity.attributes.disposition_id.enum.23 | {'caption': 'Challenge', 'description': "Ran a silent... | ADD |
ADD | events.email_activity.attributes.activity_id.enum.3 | {'caption': 'Scan', 'description': 'Email being scanned... | ADD |
ADD | events.email_activity.attributes.disposition_id.enum.9 | {'caption': 'Restored', 'description': 'A quarantined... | ADD |
ADD | events.email_activity.attributes.action | {'caption': 'Action', 'description': 'The normalized... | ADD |
ADD | events.email_activity.attributes.activity_id.enum.99 | {'caption': 'Other', 'description': 'The event activity... | ADD |
ADD | events.email_activity.attributes.disposition_id.enum.13.description | A corrupt file or configuration was not corrected. | ADD |
ADD | events.email_activity.attributes.status_id.enum.99 | {'caption': 'Other', 'description': 'The event status is... | ADD |
ADD | events.email_activity.attributes.enrichments.requirement | optional | ADD |
ADD | events.email_activity.attributes.severity_id.enum.99 | {'caption': 'Other', 'description': 'The event/finding... | ADD |
ADD | events.email_activity.attributes.attempt | {'requirement': 'optional', 'description': 'The attempt... | ADD |
ADD | events.email_activity.attributes.action_id | {'caption': 'Action ID', 'description': "The action... | ADD |
ADD | events.email_activity.attributes.disposition_id.enum.27 | {'caption': 'Error', 'description': 'An error occurred... | ADD |
ADD | events.email_activity.attributes.status_id.enum.0.description | The status is unknown. | ADD |
ADD | events.email_activity.attributes.type_uid.enum | {'400901': {'caption': 'Email Activity: Send'},... | ADD |
ADD | events.email_activity.attributes.authorizations | {'requirement': 'optional', 'caption': 'Authorization... | ADD |
ADD | events.email_activity.attributes.direction | {'description': 'The direction of the email, as defined... | ADD |
ADD | events.email_activity.attributes.disposition_id.enum.18 | {'caption': 'Tagged', 'description': 'A file or other... | ADD |
ADD | events.email_activity.attributes.disposition_id.enum.22 | {'caption': 'Captcha', 'description': 'Required the end... | ADD |
ADD | events.email_activity.uid | 9 | ADD |
ADD | events.email_activity.attributes.cloud.group | primary | ADD |
ADD | events.email_activity.attributes.banner | {'requirement': 'optional', 'group': 'context',... | ADD |
ADD | events.email_activity.attributes.disposition_id.enum.2.description | Denied access or blocked the action to the protected resource. | ADD |
ADD | events.email_activity.attributes.raw_data.requirement | optional | ADD |
ADD | events.email_activity.attributes.start_time.requirement | optional | ADD |
ADD | events.email_activity.attributes.disposition_id.enum.25 | {'caption': 'Rejected', 'description': "A request or... | ADD |
ADD | events.email_activity.attributes.email_auth | {'requirement': 'recommended', 'group': 'primary',... | ADD |
ADD | events.email_activity.attributes.duration.requirement | optional | ADD |
ADD | events.email_activity.attributes.count.requirement | optional | ADD |
ADD | events.email_activity.attributes.dst_endpoint | {'description': 'The responder (server) receiving the... | ADD |
ADD | events.email_activity.attributes.disposition_id.enum.11.description | A corrupt file or configuration was corrected. | ADD |
ADD | events.email_activity.attributes.disposition_id.enum.99 | {'caption': 'Other', 'description': 'The disposition is... | ADD |
ADD | events.email_activity.attributes.category_uid.enum.4 | {'caption': 'Network Activity', 'description': 'Network... | ADD |
ADD | events.email_activity.attributes.api | {'requirement': 'optional', 'group': 'context',... | ADD |
ADD | events.email_activity.attributes.disposition_id.enum.21 | {'caption': 'Reset', 'description': 'The request was... | ADD |
ADD | events.email_activity.attributes.disposition_id.enum.24 | {'caption': 'Access Revoked', 'description': "The... | ADD |
ADD | events.email_activity.attributes.disposition_id.enum.17 | {'caption': 'Logged', 'description': 'The operation or... | ADD |
ADD | events.email_activity.attributes.disposition_id.enum.20 | {'caption': 'Count', 'description': 'Counted the request... | ADD |
ADD | events.email_activity.attributes.email | {'requirement': 'required', 'group': 'primary',... | ADD |
ADD | events.email_activity.attributes.disposition_id.enum.12.description | A corrupt file or configuration was partially corrected. | ADD |
ADD | events.email_activity.attributes.end_time.requirement | optional | ADD |
ADD | events.email_activity.attributes.disposition_id.enum.8.description | A request or submission was approved. For example, when... | ADD |
ADD | events.email_activity.attributes.class_uid.enum.4009 | {'caption': 'Email Activity', 'description': 'Email... | ADD |
ADD | events.email_activity.attributes.disposition_id.enum.1.description | Granted access or allowed the action to the protected resource. | ADD |
ADD | events.email_activity.attributes.status_code.requirement | optional | ADD |
ADD | events.email_activity.attributes.activity_id.enum.2 | {'caption': 'Receive'} | ADD |
ADD | events.email_activity.attributes.disposition_id.enum.0.description | The disposition was not known. | ADD |
ADD | events.email_activity.attributes.disposition_id.enum.4.description | A session was isolated on the network or within a browser. | ADD |
ADD | events.email_activity.attributes.disposition_id.enum.5.description | A file or other content was deleted. | ADD |
ADD | events.email_activity.attributes.direction_id | {'description': '<p>The direction of the email relative... | ADD |
ADD | events.email_activity.attributes.disposition_id.enum.3.description | A suspicious file or other content was moved to a benign... | ADD |
ADD | events.email_activity.attributes.disposition_id.enum.19 | {'caption': 'Alert', 'description': 'The request or... | ADD |
ADD | events.email_activity.attributes.unmapped.requirement | optional | ADD |
ADD | events.email_activity.attributes.firewall_rule | {'requirement': 'optional', 'caption': 'Firewall Rule',... | ADD |
ADD | events.email_activity.attributes.smtp_hello | {'description': 'The value of the SMTP HELO or EHLO... | ADD |
ADD | events.email_activity.attributes.disposition_id.enum.6.description | The request was detected as a threat and resulted in the... | ADD |