qdm-1.1.0 Release Notes

Query's schema release process uses an automated comparison of proposed changes against the last stable version of the schema, and preserves or deprecates key elements of older schemata. This allows Query to safely accept most changes from upstream OCSF without breaking customer configurations.

Here are the possible types of changes:

Add
An element was added in the new version.
Remove
An element was removed in the new version.
Update
The schema was updated in the new version.
Preserve
The schema changed, but the old version was preserved.
Deprecate
The schema changed, but the old version was deprecated rather than removed.
Ignore
A schema change was ignored because it is irrelevant to Query.

Below is a list of all changes in qdm-1.1.0. You may also jump straight to the summary.

Action Path New Value Cause
ADD objects.web_resource {'caption': 'Web Resource', 'description': 'The Web... ADD
ADD objects.data_security {'caption': 'Data Security', 'description': "The Data... ADD
ADD objects._entity {'caption': 'Entity', 'name': '_entity', 'description':... ADD
ADD objects.rpc_interface {'caption': 'RPC Interface', 'name': 'rpc_interface',... ADD
ADD objects.endpoint_connection {'caption': 'Endpoint Connection', 'name':... ADD
ADD objects.cve {'caption': 'CVE', 'description': "The Common... ADD
ADD objects.databucket {'caption': 'Databucket', 'description': 'The databucket... ADD
ADD objects.query_info {'caption': 'Query Information', 'description': 'The... ADD
ADD objects.resource_details {'caption': 'Resource Details', 'description': 'The... ADD
ADD objects.epss {'caption': 'EPSS', 'description': "The Exploit... ADD
ADD objects.agent {'caption': 'Agent', 'description': 'An Agent (also... ADD
ADD objects.cwe {'caption': 'CWE', 'description': "The CWE object... ADD
ADD objects.account {'caption': 'Account', 'description': 'The Account... ADD
ADD objects.ldap_person {'caption': 'LDAP Person', 'description': 'The... ADD
ADD objects.cis_csc {'caption': 'CIS CSC', 'description': "The CIS Critical... ADD
ADD objects.evidences {'caption': 'Evidence Artifacts', 'description': 'A... ADD
ADD objects.kill_chain_phase {'caption': 'Kill Chain Phase', 'description': "The Kill... ADD
ADD objects.package {'caption': 'Software Package', 'description': "The... ADD
ADD objects.affected_code {'caption': 'Affected Code', 'description': 'The... ADD
ADD objects.database {'caption': 'Database', 'description': 'The database... ADD
ADD objects.table {'caption': 'Table', 'description': 'The table object... ADD
ADD objects.security_state {'caption': 'Security State', 'description': 'The... ADD
ADD objects.metric {'caption': 'Metric', 'description': 'The Metric object... ADD
ADD objects.load_balancer {'caption': 'Load Balancer', 'name': 'load_balancer',... ADD
ADD objects.analytic {'caption': 'Analytic', 'name': 'analytic',... ADD
ADD objects.logger {'caption': 'Logger', 'description': 'The Logger object... ADD
ADD objects.organization {'caption': 'Organization', 'description': 'The... ADD
ADD objects.cis_control {'caption': 'CIS Control', 'description': "The CIS... ADD
ADD objects._resource {'caption': 'Resource', 'description': 'The Resource... ADD
ADD objects.kb_article {'caption': 'KB Article', 'description': 'The KB Article... ADD
ADD objects.related_event {'caption': 'Related Event', 'description': 'The Related... ADD
ADD objects.scan {'caption': 'Scan', 'description': 'The Scan object... ADD
ADD objects.cis_benchmark {'caption': 'CIS Benchmark', 'description': "The CIS... ADD
ADD objects.sub_technique {'caption': 'Sub Technique', 'description': "The Sub... ADD
ADD objects.extension {'caption': 'Schema Extension', 'name': 'extension',... ADD
ADD objects.finding_info {'caption': 'Finding Information', 'description': 'The... ADD
ADD objects.firewall_rule {'caption': 'Firewall Rule', 'description': "The... ADD
ADD objects.affected_package {'caption': 'Affected Software Package', 'description':... ADD
ADD objects.reg_key {'caption': 'Registry Key', 'observable': 28, 'name':... ADD
ADD objects.reg_value {'caption': 'Registry Value', 'description': 'The... ADD
ADD objects.win_resource {'description': 'The Windows resource object describes a... ADD
ADD objects.network_file_activity {'@deprecated': {'message': "Use the new class:... ADD
ADD objects.ntp_activity {'caption': 'NTP Activity', 'description': 'The Network... ADD
ADD objects.network {'caption': 'Network', 'category': 'network',... ADD
ADD objects.patch_state {'caption': 'Operating System Patch State',... ADD
ADD objects.user_inventory {'caption': 'User Inventory Info', 'description': 'User... ADD
ADD objects.device_config_state_change {'caption': 'Device Config State Change', 'description':... ADD
ADD objects.iam {'caption': 'Identity & Access Management', 'category':... ADD
ADD objects.user_access {'caption': 'User Access Management', 'description':... ADD
ADD objects.entity_management {'caption': 'Entity Management', 'uid': 4, 'name':... ADD
ADD objects.group_management {'caption': 'Group Management', 'description': 'Group... ADD
ADD objects.authorize_session {'caption': 'Authorize Session', 'description':... ADD
ADD objects.detection_finding {'uid': 4, 'caption': 'Detection Finding', 'category':... ADD
ADD objects.compliance_finding {'uid': 3, 'caption': 'Compliance Finding', 'category':... ADD
ADD objects.incident_finding {'uid': 5, 'caption': 'Incident Finding', 'category':... ADD
ADD objects.finding {'caption': 'Finding', 'category': 'findings',... ADD
ADD objects.vulnerability_finding {'caption': 'Vulnerability Finding', 'description': 'The... ADD
ADD objects.data_security_finding {'uid': 6, 'caption': 'Data Security Finding',... ADD
ADD objects.file_hosting {'caption': 'File Hosting Activity', 'description':... ADD
ADD objects.api_activity {'uid': 3, 'description': 'API events describe general... ADD
ADD objects.web_resource_access_activity {'caption': 'Web Resource Access Activity', 'category':... ADD
ADD objects.datastore_activity {'uid': 5, 'description': 'Datastore events describe... ADD
ADD objects.web_resources_activity {'uid': 1, 'description': 'Web Resources Activity events... ADD
ADD objects.application_lifecycle {'uid': 2, 'description': 'Application Lifecycle events... ADD
ADD objects.scan_activity {'caption': 'Scan Activity', 'category': 'application',... ADD
REMOVE objects.pixel_info REMOVE
REMOVE objects.identity REMOVE
DEPRECATE objects.domain_info {'caption': 'Domain Information', 'name': 'domain_info',... REMOVE
DEPRECATE objects.registry_key {'caption': 'Registry Key', 'observable': 28, 'name':... REMOVE
REMOVE objects.vnc_auth REMOVE
DEPRECATE objects.registry_value {'caption': 'Registry Value', 'description': 'The... REMOVE
DEPRECATE objects.resource {'description': 'The resource object describes a managed... REMOVE
REMOVE objects.frame_buffer REMOVE
DEPRECATE objects.related_findings {'description': 'Related Findings object describes... REMOVE
REMOVE objects.printer REMOVE
REMOVE objects.os_service REMOVE
REMOVE objects.startup_app REMOVE
REMOVE objects.event_source REMOVE
REMOVE objects.public_key_certificate REMOVE
REMOVE objects.smtp_tls REMOVE
REMOVE objects.license_info REMOVE
REMOVE events.throughput REMOVE
REMOVE events.diagnostic REMOVE
REMOVE events.mem_usage REMOVE
REMOVE events.cpu_usage REMOVE
REMOVE events.status REMOVE
REMOVE events.networks_info REMOVE
REMOVE events.service_info REMOVE
REMOVE events.user_info REMOVE
REMOVE events.peripheral_device_info REMOVE
REMOVE events.startup_app_info REMOVE
REMOVE events.kernel_object_info REMOVE
REMOVE events.network_connection_info REMOVE
REMOVE events.file_info REMOVE
REMOVE events.job_info REMOVE
REMOVE events.session_info REMOVE
REMOVE events.admin_group_info REMOVE
REMOVE events.module_info REMOVE
REMOVE events.process_info REMOVE
REMOVE events.discovery_no_result REMOVE
REMOVE events.folder_info REMOVE
REMOVE events.peripheral_activity REMOVE
REMOVE events.policy_audit REMOVE
REMOVE events.email_url_finding REMOVE
REMOVE events.email_file_finding REMOVE
REMOVE events.email_delivery_finding REMOVE
REMOVE events.email_finding REMOVE
REMOVE events.application_log REMOVE
REMOVE events.policy_change REMOVE
REMOVE events.update_available REMOVE
REMOVE events.bit_locker REMOVE
REMOVE events.registration REMOVE
REMOVE events.license_lifecycle REMOVE
REMOVE events.license_count REMOVE
REMOVE events.command_activity REMOVE
REMOVE events.license REMOVE
REMOVE events.public_key_cert_lifecycle REMOVE
REMOVE events.update REMOVE
REMOVE events.incident REMOVE
REMOVE events.incident_close REMOVE
REMOVE events.incident_update REMOVE
REMOVE events.incident_associate REMOVE
REMOVE events.incident_create REMOVE
REMOVE events.conclusion REMOVE
REMOVE events.policy REMOVE
REMOVE events.im_content_protection REMOVE
REMOVE events.unscannable_file REMOVE
REMOVE events.compliance_scan REMOVE
REMOVE events.information_protection REMOVE
REMOVE events.print_content_protection REMOVE
REMOVE events.clipboard_content_protection REMOVE
REMOVE events.network_policy REMOVE
REMOVE events.file_content_protection REMOVE
REMOVE events.scan REMOVE
REMOVE events.compliance REMOVE
REMOVE events.email_content_protection REMOVE
REMOVE events.kernel_remediation_result REMOVE
REMOVE events.file_remediation_result REMOVE
REMOVE events.network_remediation_result REMOVE
REMOVE events.process_remediation_result REMOVE
REMOVE events.remediation_no_result REMOVE
REMOVE events.session_remediation_result REMOVE
REMOVE events.remediation_result REMOVE
REMOVE events.remediation REMOVE
REMOVE events.module_remediation_result REMOVE
REMOVE events.registry_value_remediation_result REMOVE
REMOVE events.folder_remediation_result REMOVE
REMOVE events.registry_key_remediation_result REMOVE
REMOVE events.job_remediation_result REMOVE
REMOVE events.startup_app_remediation_result REMOVE
REMOVE events.service_remediation_result REMOVE
REMOVE events.database_lifecycle REMOVE
REMOVE events.database REMOVE
REMOVE events.container_lifecycle REMOVE
REMOVE events.virtualization_activity REMOVE
REMOVE events.virtual_machine_activity REMOVE
REMOVE events.rfb_activity REMOVE
REMOVE events.smtp_activity REMOVE
REMOVE events.audit REMOVE
REMOVE events.entity_management_audit REMOVE
REMOVE events.authorization REMOVE
REMOVE events.findings REMOVE
REMOVE events.inventory REMOVE
REMOVE events.cloud REMOVE
REMOVE events.cloud_storage REMOVE
REMOVE events.cloud_api REMOVE
REMOVE events.access_activity REMOVE
ADD objects.http_cookie.attributes.is_http_only {'requirement': 'optional', 'caption': 'HTTP Only',... ADD
ADD objects.http_cookie.attributes.secure.@deprecated {'message': 'Use the <code> is_secure </code> attribute... ADD
ADD objects.http_cookie.attributes.is_secure {'requirement': 'optional', 'caption': 'Secure',... ADD
ADD objects.http_cookie.attributes.http_only.@deprecated {'message': 'Use the <code> is_http_only </code>... ADD
DEPRECATE objects.http_cookie.attributes.path.type path_t UPDATE
UPDATE objects.http_cookie.description The HTTP Cookie object, also known as a web cookie or... UPDATE
ADD objects.request.attributes.data {'description': 'The additional data that is associated... ADD
ADD objects.request.attributes.containers {'requirement': 'optional', 'caption': 'Containers',... ADD
UPDATE objects.request.attributes.flags.description The list of communication flags, normalized to the... UPDATE
UPDATE objects.request.description The Request Elements object describes characteristics of... UPDATE
ADD objects.rule.constraints {'at_least_one': ['name', 'uid']} ADD
UPDATE objects.rule.description The Rule object describes characteristics of a rule... UPDATE
IGNORE objects.rule.extends UPDATE
UPDATE objects.rule.attributes.name.requirement recommended UPDATE
ADD objects.feature.constraints {'at_least_one': ['name', 'uid']} ADD
REMOVE objects.feature.attributes.version.caption UPDATE
UPDATE objects.feature.description The Feature object provides information about the... UPDATE
REMOVE objects.feature.attributes.name.caption UPDATE
UPDATE objects.feature.attributes.uid.description The unique identifier of the feature. UPDATE
REMOVE objects.feature.attributes.uid.caption UPDATE
UPDATE objects.feature.attributes.name.description The name of the feature. UPDATE
IGNORE objects.feature.extends UPDATE
UPDATE objects.feature.attributes.version.description The version of the feature. UPDATE
ADD objects.policy.constraints {'at_least_one': ['name', 'uid']} ADD
ADD objects.policy.attributes.is_applied {'caption': 'Applied', 'description': 'A determination... ADD
DEPRECATE objects.policy.attributes.type_id {'description': 'The policy type identifier; one of:',... REMOVE
DEPRECATE objects.policy.attributes.label {'requirement': 'recommended', 'caption': 'Label',... REMOVE
DEPRECATE objects.policy.attributes.type {'description': 'The type of the policy.', 'caption':... REMOVE
DEPRECATE objects.policy.attributes.rules {'description': 'Additional rules that triggered the... REMOVE
DEPRECATE objects.policy.attributes.effective_time {'requirement': 'recommended', 'caption': 'Effective... REMOVE
DEPRECATE objects.policy.attributes.rule {'description': 'The primary rule that triggered the... REMOVE
UPDATE objects.policy.attributes.name.description The policy name. For example: <code>IAM Policy</code>. UPDATE
UPDATE objects.policy.attributes.group.requirement optional UPDATE
UPDATE objects.policy.description The policy object describes the policies that are... UPDATE
IGNORE objects.policy.extends UPDATE
UPDATE objects.policy.attributes.name.requirement recommended UPDATE
UPDATE objects.policy.attributes.desc.requirement optional UPDATE
ADD objects.email_auth.attributes.dkim_signature {'requirement': 'recommended', 'caption': 'DKIM... ADD
IGNORE objects.email_auth.extension REMOVE
DEPRECATE objects.email_auth.attributes.raw_header {'requirement': 'recommended', 'caption': 'Raw Header',... REMOVE
ADD objects.tactic.constraints {'at_least_one': ['name', 'uid']} ADD
ADD objects.tactic.attributes.src_url {'description': "The versioned permalink of the attack... ADD
UPDATE objects.tactic.attributes.uid.description The tactic ID that is associated with the attack... UPDATE
UPDATE objects.tactic.attributes.uid.requirement recommended UPDATE
UPDATE objects.tactic.description The Tactic object describes the tactic ID and/or name... UPDATE
IGNORE objects.tactic.extends UPDATE
UPDATE objects.tactic.attributes.name.description The tactic name that is associated with the attack... UPDATE
ADD objects.network_traffic.attributes.bytes_in.requirement optional ADD
ADD objects.network_traffic.attributes.chunks_in {'description': 'The number of chunks sent from the... ADD
ADD objects.network_traffic.attributes.bytes_out.requirement optional ADD
ADD objects.network_traffic.attributes.chunks_out {'description': 'The number of chunks sent from the... ADD
ADD objects.network_traffic.attributes.chunks {'description': 'The total number of chunks (in and... ADD
ADD objects.network_traffic.attributes.packets_in.requirement optional ADD
ADD objects.network_traffic.attributes.packets_out.requirement optional ADD
DEPRECATE objects.network_traffic.attributes.bytes.default REMOVE
DEPRECATE objects.network_traffic.attributes.packets.default REMOVE
DEPRECATE objects.network_traffic.attributes.bytes_in.default REMOVE
DEPRECATE objects.network_traffic.attributes.packets_out.default REMOVE
DEPRECATE objects.network_traffic.attributes.packets_in.default REMOVE
DEPRECATE objects.network_traffic.attributes.bytes_out.default REMOVE
UPDATE objects.network_traffic.description The Network Traffic object describes characteristics of... UPDATE
ADD objects.tls.attributes.ja3_hash {'requirement': 'recommended', 'caption': 'JA3 Hash',... ADD
ADD objects.tls.attributes.tls_extension_list {'requirement': 'optional', 'caption': 'TLS Extension... ADD
ADD objects.tls.attributes.ja3s_hash {'requirement': 'recommended', 'caption': 'JA3S Hash',... ADD
ADD objects.tls.attributes.extension_list.@deprecated {'message': 'Use the <code> tls_extension_list </code>... ADD
DEPRECATE objects.tls.attributes.ja3s_fingerprint {'requirement': 'recommended', 'caption': 'JAS3... REMOVE
DEPRECATE objects.tls.attributes.ja3_fingerprint {'requirement': 'recommended', 'caption': 'JA3... REMOVE
DEPRECATE objects.tls.attributes.ja3_string {'requirement': 'recommended', 'caption': 'JA3 String',... REMOVE
DEPRECATE objects.tls.attributes.ja3s_string {'requirement': 'recommended', 'caption': 'JAS3 String',... REMOVE
UPDATE objects.tls.description The Transport Layer Security (TLS) object describes the... UPDATE
UPDATE objects.tls.attributes.extension_list.description The list of TLS extensions. UPDATE
ADD objects.session.attributes.is_mfa {'requirement': 'optional', 'caption': 'Multi Factor... ADD
ADD objects.session.attributes.count {'description': 'The number of identical sessions... ADD
ADD objects.session.attributes.is_remote {'requirement': 'recommended', 'caption': 'Remote',... ADD
ADD objects.session.attributes.expiration_reason {'description': 'The reason which triggered the session... ADD
ADD objects.session.attributes.is_vpn {'requirement': 'optional', 'caption': 'VPN Session',... ADD
ADD objects.session.attributes.uid_alt {'description': 'The alternate unique identifier of the... ADD
ADD objects.session.attributes.terminal {'description': 'The Pseudo Terminal associated with the... ADD
ADD objects.session.attributes.uuid {'description': 'The universally unique identifier of... ADD
DEPRECATE objects.session.attributes.mfa {'requirement': 'optional', 'caption': 'Multi Factor... REMOVE
UPDATE objects.session.description The Session object describes details about an... UPDATE
UPDATE objects.session.attributes.uid.description The unique identifier of the session. UPDATE
ADD objects.api.attributes.group {'description': 'The information pertaining to the API... ADD
UPDATE objects.api.description The API, or Application Programming Interface, object... UPDATE
UPDATE objects.api.caption API UPDATE
ADD objects.network_interface.attributes.type_id.enum.99 {'caption': 'Other', 'description': 'The type is not... ADD
ADD objects.network_interface.attributes.type_id.enum.4 {'caption': 'Tunnel'} ADD
ADD objects.network_interface.attributes.subnet_prefix {'requirement': 'optional', 'caption': 'Subnet Prefix... ADD
IGNORE objects.network_interface.profiles REMOVE
REMOVE objects.network_interface.attributes.$include REMOVE
UPDATE objects.network_interface.attributes.type_id.enum.-1 REMOVE
DEPRECATE objects.network_interface.attributes.type_id.default REMOVE
DEPRECATE objects.network_interface.attributes.reputation {'requirement': 'optional', 'caption': 'Reputation... REMOVE
UPDATE objects.network_interface.description The Network Interface object describes the type and... UPDATE
UPDATE objects.network_interface.constraints.at_least_one ['ip', 'mac', 'name', 'hostname'] UPDATE
IGNORE objects.network_interface.extends UPDATE
UPDATE objects.network_interface.attributes.namespace.description The namespace is useful in merger or acquisition... UPDATE
ADD objects.vulnerability.constraints {'at_least_one': ['cve', 'cwe']} ADD
ADD objects.vulnerability.attributes.first_seen_time {'description': 'The time when the vulnerability was... ADD
ADD objects.vulnerability.attributes.kb_article_list {'requirement': 'optional', 'caption': 'Knowledgebase... ADD
ADD objects.vulnerability.attributes.packages.@deprecated {'message': 'Use the <code> affected_packages </code>... ADD
ADD objects.vulnerability.attributes.affected_code {'requirement': 'optional', 'caption': 'Affected Code',... ADD
ADD objects.vulnerability.attributes.last_seen_time {'description': 'The time when the vulnerability was... ADD
ADD objects.vulnerability.attributes.remediation {'description': 'The remediation recommendations on how... ADD
ADD objects.vulnerability.attributes.is_fix_available {'requirement': 'optional', 'caption': 'Fix... ADD
ADD objects.vulnerability.attributes.fix_available {'requirement': 'optional', '@deprecated': {'message':... ADD
ADD objects.vulnerability.attributes.kb_articles.@deprecated {'message': 'Use the <code> kb_article_list </code>... ADD
ADD objects.vulnerability.attributes.is_exploit_available {'requirement': 'optional', 'caption': 'Exploit... ADD
ADD objects.vulnerability.attributes.cwe {'requirement': 'recommended', 'caption': 'CWE',... ADD
ADD objects.vulnerability.attributes.affected_packages {'requirement': 'optional', 'caption': 'Affected... ADD
ADD objects.vulnerability.attributes.cve {'requirement': 'recommended', 'caption': 'CVE',... ADD
DEPRECATE objects.vulnerability.attributes.uid {'description': 'The vulnerability unique identifier.',... REMOVE
DEPRECATE objects.vulnerability.attributes.cvss {'requirement': 'recommended', 'caption': 'CVSS Scores',... REMOVE
UPDATE objects.vulnerability.description The vulnerability is an unintended characteristic of a... UPDATE
REMOVE objects.vulnerability.attributes.packages.caption UPDATE
UPDATE objects.vulnerability.attributes.related_vulnerabilities.requirement optional UPDATE
UPDATE objects.vulnerability.attributes.references.description A list of reference URLs with additional information... UPDATE
UPDATE objects.vulnerability.attributes.vendor_name.description The name of the vendor that identified the vulnerability. UPDATE
UPDATE objects.vulnerability.attributes.title.description A title or a brief phrase summarizing the discovered... UPDATE
UPDATE objects.vulnerability.attributes.kb_articles.description The KB article/s related to the entity. A KB Article... UPDATE
UPDATE objects.vulnerability.attributes.severity.description The vendor assigned severity of the vulnerability. UPDATE
DEPRECATE objects.vulnerability.attributes.packages.type string_t UPDATE
REMOVE objects.vulnerability.attributes.vendor_name.caption UPDATE
ADD objects.os.attributes.cpe_name {'requirement': 'optional', 'caption': 'The product CPE... ADD
ADD objects.os.attributes.type_id.enum.99 {'caption': 'Other', 'description': 'The type is not... ADD
UPDATE objects.os.attributes.type_id.enum.-1 REMOVE
DEPRECATE objects.os.attributes.type_id.default REMOVE
UPDATE objects.os.caption Operating System (OS) UPDATE
UPDATE objects.os.description The Operating System (OS) object describes... UPDATE
UPDATE objects.http_header.description TThe HTTP Header object represents the headers sent in... UPDATE
UPDATE objects._dns.attributes.type.requirement recommended UPDATE
UPDATE objects._dns.attributes.class.requirement recommended UPDATE
UPDATE objects._dns.description The Domain Name System (DNS) object represents the... UPDATE
ADD objects.managed_entity.constraints {'at_least_one': ['name', 'uid']} ADD
DEPRECATE objects.managed_entity.attributes.type.notes For example: <i>policy</i>, <i>user</i>,... REMOVE
DEPRECATE objects.managed_entity.attributes.name.notes For example <i>Browser Isolation Policy. REMOVE
UPDATE objects.managed_entity.attributes.name.description The name of the managed entity. UPDATE
IGNORE objects.managed_entity.extends UPDATE
UPDATE objects.managed_entity.description The Managed Entity object describes the type and version... UPDATE
UPDATE objects.managed_entity.attributes.type.description The managed entity type. For example:... UPDATE
UPDATE objects.managed_entity.attributes.name.requirement recommended UPDATE
UPDATE objects.managed_entity.attributes.uid.description The identifier of the managed entity. UPDATE
UPDATE objects.managed_entity.attributes.version.description The version of the managed entity. For example:... UPDATE
ADD objects.location.constraints {'at_least_one': ['coordinates', 'city', 'country',... ADD
UPDATE objects.location.description The Geo Location object describes a geographical... UPDATE
UPDATE objects.location.attributes.coordinates.requirement recommended UPDATE
ADD objects.malware.attributes.classification_ids.enum.99 {'caption': 'Other'} ADD
ADD objects.malware.constraints {'at_least_one': ['name', 'uid']} ADD
ADD objects.malware.attributes.cves {'requirement': 'optional', 'caption': 'CVE List',... ADD
DEPRECATE objects.malware.attributes.cve_uids {'requirement': 'optional', 'caption': 'CVE UIDs',... REMOVE
UPDATE objects.malware.attributes.classification_ids.enum.-1 REMOVE
DEPRECATE objects.malware.attributes.path.type path_t UPDATE
UPDATE objects.malware.description The Malware object describes the classification of known... UPDATE
IGNORE objects.malware.extends UPDATE
UPDATE objects.malware.attributes.classification_ids.description The list of normalized identifiers of the malware... UPDATE
UPDATE objects.malware.attributes.name.requirement recommended UPDATE
UPDATE objects.malware.attributes.classifications.description The list of malware classifications, normalized to the... UPDATE
ADD objects.kernel.attributes.type_id.enum.99 {'caption': 'Other', 'description': 'The type is not... ADD
DEPRECATE objects.kernel.attributes.type_id.enum.3 {'caption': 'Named Pipe'} REMOVE
DEPRECATE objects.kernel.attributes.type_id.default REMOVE
UPDATE objects.kernel.attributes.type_id.enum.-1 REMOVE
UPDATE objects.kernel.description The Kernel Resource object provides information about a... UPDATE
DEPRECATE objects.kernel.attributes.path.type path_t UPDATE
ADD objects.http_response.attributes.http_headers {'requirement': 'recommended', 'caption': 'HTTP... ADD
UPDATE objects.http_response.attributes.latency.description The HTTP response latency measured in milliseconds. UPDATE
UPDATE objects.http_response.attributes.code.description The Hypertext Transfer Protocol (HTTP) status code... UPDATE
UPDATE objects.http_response.description The HTTP Response object contains detailed information... UPDATE
UPDATE objects.http_response.attributes.status.description The response status. For example: A successful HTTP... UPDATE
UPDATE objects.http_response.attributes.message.description The description of the event/finding, as defined by the source. UPDATE
ADD objects.device.attributes.uid_alt {'description': 'An alternate unique identifier of the... ADD
ADD objects.device.attributes.type_id.enum.11 {'caption': 'Hub', 'description': "A <a target='_blank'... ADD
ADD objects.device.attributes.owner {'description': 'The identity of the service or user... ADD
ADD objects.device.attributes.type_id.enum.2.description A <a target='_blank'... ADD
ADD objects.device.attributes.type_id.enum.7.description A <a target='_blank'... ADD
ADD objects.device.attributes.type_id.enum.6.description A <a target='_blank'... ADD
ADD objects.device.attributes.namespace_pid {'group': 'context', 'requirement': 'recommended',... ADD
ADD objects.device.attributes.interface_name {'requirement': 'recommended', 'caption': 'Network... ADD
ADD objects.device.attributes.type_id.enum.8.description A <a target='_blank'... ADD
ADD objects.device.attributes.type_id.enum.9 {'caption': 'Firewall', 'description': "A <a... ADD
ADD objects.device.attributes.type_id.enum.3.description A <a target='_blank'... ADD
ADD objects.device.attributes.created_time {'description': 'The time when the device was known to... ADD
ADD objects.device.attributes.type_id.enum.1.description A <a target='_blank'... ADD
ADD objects.device.attributes.org {'description': 'Organization and org unit related to... ADD
ADD objects.device.attributes.zone {'requirement': 'optional', 'caption': 'Network Zone',... ADD
ADD objects.device.attributes.type_id.enum.4.description A <a target='_blank'... ADD
ADD objects.device.attributes.modified_time {'description': 'The time when the device was last known... ADD
ADD objects.device.attributes.type_id.enum.5.description A <a target='_blank'... ADD
ADD objects.device.attributes.last_seen_time {'description': 'The most recent discovery time of the... ADD
ADD objects.device.attributes.agent_list {'requirement': 'optional', 'caption': 'Agent List',... ADD
ADD objects.device.attributes.type_id.enum.99 {'caption': 'Other', 'description': 'The type is not... ADD
ADD objects.device.attributes.type_id.enum.10 {'caption': 'Switch', 'description': "A <a... ADD
ADD objects.device.attributes.first_seen_time {'description': 'The initial discovery time of the... ADD
ADD objects.device.attributes.container {'group': 'context', 'requirement': 'recommended',... ADD
DEPRECATE objects.device.attributes.reputation {'requirement': 'optional', 'caption': 'Reputation... REMOVE
DEPRECATE objects.device.attributes.type_id.default REMOVE
UPDATE objects.device.attributes.type_id.enum.-1 REMOVE
DEPRECATE objects.device.attributes.org_unit {'requirement': 'optional', 'caption': 'Org Unit',... REMOVE
UPDATE objects.device.attributes.network_interfaces.description The network interfaces that are associated with the... UPDATE
UPDATE objects.device.observable 20 UPDATE
REMOVE objects.device.attributes.location.caption UPDATE
UPDATE objects.device.attributes.location.description The geographical location of the device. UPDATE
UPDATE objects.device.attributes.os.description The endpoint operating system. UPDATE
UPDATE objects.device.attributes.hw_info.description The endpoint hardware information. UPDATE
UPDATE objects.device.attributes.mac.description The Media Access Control (MAC) address of the endpoint. UPDATE
UPDATE objects.device.attributes.uid.description The unique identifier of the device. For example the... UPDATE
IGNORE objects.device.profiles UPDATE
UPDATE objects.device.constraints.at_least_one ['ip', 'uid', 'name', 'hostname', 'instance_uid',... UPDATE
UPDATE objects.device.description The Device object represents an addressable computer... UPDATE
REMOVE objects.device.attributes.$include UPDATE
UPDATE objects.device.attributes.risk_level.description The risk level, normalized to the caption of the... UPDATE
ADD objects.endpoint.attributes.interface_name {'requirement': 'recommended', 'caption': 'Network... ADD
ADD objects.endpoint.attributes.os {'description': 'The endpoint operating system.',... ADD
ADD objects.endpoint.attributes.container {'group': 'context', 'requirement': 'recommended',... ADD
ADD objects.endpoint.attributes.owner {'description': 'The identity of the service or user... ADD
ADD objects.endpoint.attributes.type {'caption': 'Type', 'description': 'The endpoint type.... ADD
ADD objects.endpoint.attributes.zone {'requirement': 'optional', 'caption': 'Network Zone',... ADD
ADD objects.endpoint.attributes.namespace_pid {'group': 'context', 'requirement': 'recommended',... ADD
ADD objects.endpoint.attributes.hw_info {'requirement': 'optional', 'caption': 'Hardware Info',... ADD
ADD objects.endpoint.attributes.type_id {'caption': 'Type ID', 'description': 'The endpoint type... ADD
ADD objects.endpoint.attributes.agent_list {'requirement': 'optional', 'caption': 'Agent List',... ADD
DEPRECATE objects.endpoint.attributes.reputation {'requirement': 'optional', 'caption': 'Reputation... REMOVE
UPDATE objects.endpoint.description The Endpoint object describes a physical or virtual... UPDATE
UPDATE objects.endpoint.constraints.at_least_one ['ip', 'uid', 'name', 'hostname', 'instance_uid',... UPDATE
IGNORE objects.endpoint.extends UPDATE
REMOVE objects.endpoint.attributes.location.caption UPDATE
REMOVE objects.endpoint.attributes.$include UPDATE
IGNORE objects.endpoint.profiles UPDATE
ADD objects.cloud.attributes.account {'requirement': 'optional', 'caption': 'Account',... ADD
ADD objects.cloud.attributes.org {'requirement': 'optional', 'caption': 'Organization',... ADD
DEPRECATE objects.cloud.attributes.account_uid {'requirement': 'recommended', 'caption': 'Account UID',... REMOVE
DEPRECATE objects.cloud.attributes.org_uid {'requirement': 'optional', 'caption': 'Org ID',... REMOVE
DEPRECATE objects.cloud.attributes.account_type {'requirement': 'optional', 'caption': 'Account Type',... REMOVE
DEPRECATE objects.cloud.attributes.account_type_id {'requirement': 'optional', 'caption': 'Account Type... REMOVE
DEPRECATE objects.cloud.attributes.resource_uid {'requirement': 'optional', 'caption': 'Resource ID',... REMOVE
UPDATE objects.cloud.description The Cloud object contains information about a cloud... UPDATE
UPDATE objects.cloud.attributes.project_uid.description The unique identifier of a Cloud project. UPDATE
ADD objects.file.attributes.type_id.enum.99 {'caption': 'Other', 'description': 'The type is not... ADD
ADD objects.file.attributes.confidentiality_id.enum.6 {'caption': 'Restricted'} ADD
ADD objects.file.attributes.hashes {'requirement': 'recommended', 'caption': 'Hashes',... ADD
ADD objects.file.attributes.confidentiality_id.enum.5 {'caption': 'Private'} ADD
ADD objects.file.constraints {'at_least_one': ['name', 'uid']} ADD
ADD objects.file.attributes.confidentiality_id.enum.99 {'caption': 'Other', 'description': 'The confidentiality... ADD
ADD objects.file.attributes.confidentiality_id.enum.0.description The confidentiality is unknown. ADD
DEPRECATE objects.file.attributes.type_id.default REMOVE
DEPRECATE objects.file.attributes.fingerprints {'requirement': 'recommended', 'caption':... REMOVE
DEPRECATE objects.file.attributes.name.name file_name_t REMOVE
UPDATE objects.file.attributes.confidentiality_id.enum.-1 REMOVE
UPDATE objects.file.attributes.type_id.enum.-1 REMOVE
DEPRECATE objects.file.attributes.creator.type string_t UPDATE
DEPRECATE objects.file.attributes.name.type string_t UPDATE
DEPRECATE objects.file.attributes.path.type path_t UPDATE
DEPRECATE objects.file.attributes.parent_folder.type path_t UPDATE
UPDATE objects.file.attributes.path.requirement recommended UPDATE
DEPRECATE objects.file.attributes.owner.type string_t UPDATE
IGNORE objects.file.extends UPDATE
DEPRECATE objects.file.attributes.accessor.type string_t UPDATE
UPDATE objects.file.attributes.confidentiality.description The file content confidentiality, normalized to the... UPDATE
DEPRECATE objects.file.attributes.modifier.type string_t UPDATE
UPDATE objects.file.description The File object represents the metadata associated with... UPDATE
ADD objects.actor.attributes.session {'description': 'The user session from which the... ADD
ADD objects.actor.attributes.idp {'requirement': 'optional', 'caption': 'Identity... ADD
ADD objects.actor.attributes.invoked_by {'requirement': 'optional', 'caption': 'Invoked by',... ADD
ADD objects.actor.attributes.authorizations {'requirement': 'optional', 'caption': 'Authorization... ADD
UPDATE objects.actor.constraints.at_least_one ['process', 'user', 'invoked_by', 'session'] UPDATE
UPDATE objects.actor.description The Actor object contains details about the user, role,... UPDATE
ADD objects.service.constraints {'at_least_one': ['name', 'uid']} ADD
DEPRECATE objects.service.attributes.types {'description': 'The service types.', 'requirement':... REMOVE
DEPRECATE objects.service.attributes.run_state {'description': 'The service run state.', 'requirement':... REMOVE
DEPRECATE objects.service.attributes.run_state_id {'description': 'The service run state ID.',... REMOVE
DEPRECATE objects.service.attributes.start_type_id {'description': 'The service start type ID.',... REMOVE
DEPRECATE objects.service.attributes.start_type {'description': 'The service start type.',... REMOVE
DEPRECATE objects.service.attributes.file {'description': 'The service file object.',... REMOVE
DEPRECATE objects.service.attributes.cmd_line {'requirement': 'recommended', 'caption': 'Command... REMOVE
DEPRECATE objects.service.attributes.loaded_module_name {'requirement': 'recommended', 'caption': 'Loaded... REMOVE
DEPRECATE objects.service.attributes.type_ids {'description': 'The service type identifiers.',... REMOVE
UPDATE objects.service.attributes.name.requirement recommended UPDATE
UPDATE objects.service.caption Service UPDATE
IGNORE objects.service.name UPDATE
IGNORE objects.service.extends UPDATE
UPDATE objects.service.attributes.name.description The name of the service. UPDATE
UPDATE objects.service.attributes.uid.requirement recommended UPDATE
UPDATE objects.service.description The Service object describes characteristics of a... UPDATE
ADD objects.metadata.attributes.extensions {'requirement': 'optional', 'caption': 'Schema... ADD
ADD objects.metadata.attributes.logged_time.requirement optional ADD
ADD objects.metadata.attributes.loggers {'caption': 'Loggers', 'description': 'An array of... ADD
ADD objects.metadata.attributes.log_version {'requirement': 'optional', 'caption': 'Log Version',... ADD
ADD objects.metadata.attributes.log_provider {'requirement': 'recommended', 'caption': 'Log... ADD
ADD objects.metadata.attributes.sequence.requirement optional ADD
ADD objects.metadata.attributes.labels.requirement optional ADD
ADD objects.metadata.attributes.log_level {'requirement': 'optional', 'caption': 'Log Level',... ADD
ADD objects.metadata.attributes.log_name {'requirement': 'recommended', 'caption': 'Log Name',... ADD
ADD objects.metadata.attributes.extension {'requirement': 'optional', '@deprecated': {'message':... ADD
ADD objects.metadata.attributes.profiles.requirement optional ADD
ADD objects.metadata.attributes.modified_time.requirement optional ADD
ADD objects.metadata.attributes.tenant_uid {'requirement': 'recommended', 'caption': 'Tenant UID',... ADD
ADD objects.metadata.attributes.correlation_uid.requirement optional ADD
ADD objects.metadata.attributes.event_code {'requirement': 'optional', 'caption': 'Event Code',... ADD
ADD objects.metadata.attributes.processed_time.requirement optional ADD
DEPRECATE objects.metadata.attributes.version.default 1.0.0 REMOVE
UPDATE objects.metadata.attributes.original_time.description The original event time as reported by the event source.... UPDATE
UPDATE objects.metadata.attributes.labels.description <p>The list of category labels attached to the event or... UPDATE
UPDATE objects.metadata.description The Metadata object describes the metadata associated... UPDATE
UPDATE objects.metadata.attributes.logged_time.description <p>The time when the logging system collected and logged... UPDATE
UPDATE objects.metadata.attributes.version.description The version of the OCSF schema, using Semantic... UPDATE
UPDATE objects.kernel_driver.description The Kernel Extension object describes a kernel driver... UPDATE
UPDATE objects.kernel_driver.caption Kernel Extension UPDATE
ADD objects.fingerprint.attributes.algorithm_id.enum.99 {'caption': 'Other', 'description': 'The algorithm is... ADD
ADD objects.fingerprint.attributes.algorithm_id.enum.7 {'caption': 'quickXorHash', 'description': 'Microsoft... ADD
ADD objects.fingerprint.attributes.algorithm_id.enum.6 {'caption': 'TLSH', 'description': 'The TLSH fuzzy... ADD
ADD objects.fingerprint.observable 30 ADD
ADD objects.fingerprint.attributes.algorithm_id.enum.0.description The algorithm is unknown. ADD
UPDATE objects.fingerprint.attributes.algorithm_id.enum.-1 REMOVE
UPDATE objects.fingerprint.description The Fingerprint object provides detailed information... UPDATE
DEPRECATE objects.fingerprint.attributes.value.type string_t UPDATE
UPDATE objects.fingerprint.attributes.algorithm.description The hash algorithm used to create the digital... UPDATE
ADD objects.network_connection_info.attributes.protocol_ver_id.enum.99 {'caption': 'Other'} ADD
ADD objects.network_connection_info.attributes.boundary_id.enum.99 {'caption': 'Other', 'description': 'The boundary is not... ADD
ADD objects.network_connection_info.attributes.direction_id.enum.99 {'caption': 'Other', 'description': 'The direction is... ADD
ADD objects.network_connection_info.attributes.session {'requirement': 'optional', 'caption': 'Session',... ADD
UPDATE objects.network_connection_info.attributes.direction_id.enum.-1 REMOVE
UPDATE objects.network_connection_info.attributes.boundary_id.enum.-1 REMOVE
UPDATE objects.network_connection_info.attributes.protocol_ver_id.enum.-1 REMOVE
UPDATE objects.network_connection_info.attributes.boundary_id.description <p>The normalized identifier of the boundary of the... UPDATE
UPDATE objects.network_connection_info.attributes.boundary.description The boundary of the connection, normalized to the... UPDATE
UPDATE objects.network_connection_info.description The Network Connection Information object describes... UPDATE
UPDATE objects.network_connection_info.attributes.direction_id.description The normalized identifier of the direction of the... UPDATE
DEPRECATE objects.network_connection_info.attributes.direction_id.enum.0.description Connection direction is unknown. UPDATE
UPDATE objects.network_connection_info.attributes.direction.description The direction of the initiated connection, traffic, or... UPDATE
UPDATE objects.authorization.attributes.decision.requirement REMOVE
UPDATE objects.authorization.attributes.policy.requirement REMOVE
UPDATE objects.authorization.description The Authorization Result object provides details about... UPDATE
UPDATE objects.authorization.attributes.decision.description Authorization Result/outcome, e.g. allowed, denied. UPDATE
UPDATE objects.authorization.caption Authorization Result UPDATE
ADD objects.tls_extension.attributes.type_id.enum.99 {'caption': 'Other', 'description': 'The type is not... ADD
UPDATE objects.tls_extension.attributes.type_id.enum.-1 REMOVE
DEPRECATE objects.tls_extension.attributes.type_id.default REMOVE
UPDATE objects.tls_extension.description The TLS Extension object describes additional attributes... UPDATE
ADD objects.peripheral_device.constraints {'at_least_one': ['name', 'uid']} ADD
IGNORE objects.peripheral_device.extends UPDATE
REMOVE objects.peripheral_device.attributes.vendor_name.caption UPDATE
UPDATE objects.display.description The Display object contains information about the... UPDATE
UPDATE objects.cis_benchmark_result.description The CIS Benchmark Result object contains information as... UPDATE
REMOVE objects.cis_benchmark_result.attributes.remediation.caption UPDATE
UPDATE objects.cis_benchmark_result.attributes.remediation.description Describes the recommended remediation steps to address... UPDATE
UPDATE objects.device_hw_info.attributes.ram_size.description The total amount of installed RAM, in Megabytes. For... UPDATE
UPDATE objects.device_hw_info.description The Device Hardware Information object contains details... UPDATE
REMOVE objects.device_hw_info.attributes.cpu_speed.caption UPDATE
ADD objects.container.attributes.pod_uuid {'requirement': 'optional', 'caption': 'Pod UUID',... ADD
ADD objects.container.attributes.hash {'description': 'Commit hash of image created for docker... ADD
ADD objects.container.constraints {'at_least_one': ['uid', 'name']} ADD
DEPRECATE objects.container.attributes.exposed_port {'description': 'The port exposed by container to allow... REMOVE
DEPRECATE objects.container.attributes.fingerprint {'description': 'The SHA256 hash of the container.',... REMOVE
UPDATE objects.container.attributes.runtime.description The backend running the container, such as containerd or cri-o. UPDATE
UPDATE objects.container.description The Container object describes an instance of a specific... UPDATE
UPDATE objects.container.attributes.uid.description The full container unique identifier for this... UPDATE
UPDATE objects.container.attributes.network_driver.description The network driver used by the container. For example,... UPDATE
UPDATE objects.container.attributes.image.requirement recommended UPDATE
UPDATE objects.container.attributes.orchestrator.description The orchestrator managing the container, such as ECS,... UPDATE
UPDATE objects.container.attributes.uid.requirement recommended UPDATE
ADD objects.network_proxy.attributes.interface_name {'requirement': 'recommended', 'caption': 'Network... ADD
ADD objects.network_proxy.attributes.domain {'requirement': 'optional', 'caption': 'Domain',... ADD
ADD objects.network_proxy.attributes.type_id {'description': 'The network endpoint type ID.',... ADD
ADD objects.network_proxy.attributes.subnet_uid {'requirement': 'optional', 'caption': 'Subnet UID',... ADD
ADD objects.network_proxy.attributes.agent_list {'requirement': 'optional', 'caption': 'Agent List',... ADD
ADD objects.network_proxy.attributes.proxy_endpoint {'description': 'The network proxy information... ADD
ADD objects.network_proxy.attributes.zone {'requirement': 'optional', 'caption': 'Network Zone',... ADD
ADD objects.network_proxy.attributes.container {'group': 'context', 'requirement': 'recommended',... ADD
ADD objects.network_proxy.attributes.vpc_uid {'requirement': 'optional', 'caption': 'VPC UID',... ADD
ADD objects.network_proxy.constraints {'at_least_one': ['ip', 'uid', 'name', 'hostname',... ADD
ADD objects.network_proxy.attributes.type {'description': 'The network endpoint type. For example:... ADD
ADD objects.network_proxy.attributes.intermediate_ips {'requirement': 'optional', 'caption': 'Intermediate IP... ADD
ADD objects.network_proxy.attributes.os {'description': 'The endpoint operating system.',... ADD
ADD objects.network_proxy.attributes.mac {'description': 'The Media Access Control (MAC) address... ADD
ADD objects.network_proxy.observable ADD
ADD objects.network_proxy.attributes.location {'description': 'The geographical location of the... ADD
ADD objects.network_proxy.attributes.$include ['profiles/container.json'] ADD
ADD objects.network_proxy.attributes.ip_intelligence {'requirement': 'optional', 'caption': 'IP... ADD
ADD objects.network_proxy.attributes.hw_info {'requirement': 'optional', 'caption': 'Hardware Info',... ADD
ADD objects.network_proxy.attributes.interface_uid {'requirement': 'recommended', 'caption': 'Network... ADD
ADD objects.network_proxy.profiles ['container'] ADD
ADD objects.network_proxy.attributes.vlan_uid {'requirement': 'optional', 'caption': 'VLAN',... ADD
ADD objects.network_proxy.attributes.namespace_pid {'group': 'context', 'requirement': 'recommended',... ADD
ADD objects.network_proxy.attributes.instance_uid {'requirement': 'recommended', 'caption': 'Instance ID',... ADD
ADD objects.network_proxy.attributes.name {'description': 'The short name of the endpoint.',... ADD
ADD objects.network_proxy.attributes.owner {'description': 'The identity of the service or user... ADD
UPDATE objects.network_proxy.attributes.hostname.requirement recommended UPDATE
UPDATE objects.network_proxy.attributes.ip.requirement recommended UPDATE
UPDATE objects.network_proxy.attributes.port.description The port used for communication within the network connection. UPDATE
UPDATE objects.network_proxy.attributes.port.requirement recommended UPDATE
UPDATE objects.network_proxy.description The network proxy endpoint object describes a proxy... UPDATE
UPDATE objects.network_proxy.caption Network Proxy Endpoint UPDATE
UPDATE objects.network_proxy.attributes.ip.description The IP address of the endpoint, in either IPv4 or IPv6 format. UPDATE
UPDATE objects.network_proxy.attributes.svc_name.description The service name in service-to-service connections. For... UPDATE
UPDATE objects.network_proxy.attributes.hostname.description The fully qualified name of the endpoint. UPDATE
IGNORE objects.network_proxy.extends UPDATE
UPDATE objects.network_proxy.attributes.uid.description The unique identifier of the endpoint. UPDATE
UPDATE objects.network_proxy.attributes.svc_name.requirement recommended UPDATE
ADD objects.technique.attributes.src_url {'description': "The versioned permalink of the attack... ADD
ADD objects.technique.constraints {'at_least_one': ['name', 'uid']} ADD
UPDATE objects.technique.attributes.uid.description The unique identifier of the attack technique, as... UPDATE
IGNORE objects.technique.extends UPDATE
UPDATE objects.technique.description The Technique object describes the technique ID and/or... UPDATE
UPDATE objects.technique.attributes.name.description The name of the attack technique, as defined by <a... UPDATE
UPDATE objects.technique.attributes.uid.requirement recommended UPDATE
UPDATE objects.technique.attributes.name.requirement recommended UPDATE
UPDATE objects.dns_query.attributes.type.requirement recommended UPDATE
UPDATE objects.dns_query.attributes.class.requirement recommended UPDATE
UPDATE objects.dns_query.description The DNS query object represents a specific request made... UPDATE
ADD objects.certificate.attributes.fingerprints {'description': 'The fingerprint list of the... ADD
ADD objects.certificate.attributes.issuer {'caption': 'Issuer Distinguished Name', 'description':... ADD
ADD objects.certificate.attributes.uid {'description': 'The unique identifier of the... ADD
ADD objects.certificate.attributes.subject {'caption': 'Subject Distinguished Name', 'description':... ADD
DEPRECATE objects.certificate.attributes.issuer_dn {'requirement': 'required', 'caption': 'Issuer... REMOVE
DEPRECATE objects.certificate.attributes.fingerprint {'description': 'The fingerprint of the certificate.',... REMOVE
DEPRECATE objects.certificate.attributes.subject_dn {'requirement': 'recommended', 'caption': 'Subject... REMOVE
UPDATE objects.certificate.description The Digital Certificate, also known as a Public Key... UPDATE
UPDATE objects.certificate.attributes.serial_number.description The serial number of the certificate used to create the... UPDATE
ADD objects.user.attributes.org {'description': 'Organization and org unit related to... ADD
ADD objects.user.attributes.ldap_person {'description': 'The additional LDAP attributes that... ADD
ADD objects.user.attributes.uid_alt {'description': 'The alternate user identifier. For... ADD
ADD objects.user.attributes.account {'description': "The user's account or the account... ADD
ADD objects.user.attributes.type_id.enum.99 {'caption': 'Other', 'description': 'The type is not... ADD
DEPRECATE objects.user.attributes.uuid {'description': 'The universally unique identifier of... REMOVE
DEPRECATE objects.user.attributes.org_uid {'requirement': 'optional', 'caption': 'Org ID',... REMOVE
DEPRECATE objects.user.attributes.account_uid {'requirement': 'optional', 'caption': 'Account UID',... REMOVE
DEPRECATE objects.user.attributes.name.name username_t REMOVE
DEPRECATE objects.user.attributes.type_id.name integer_t REMOVE
DEPRECATE objects.user.attributes.account_type_id {'requirement': 'optional', 'caption': 'Account Type... REMOVE
DEPRECATE objects.user.attributes.session_uuid {'requirement': 'optional', 'caption': 'Session UUID',... REMOVE
DEPRECATE objects.user.attributes.account_type {'requirement': 'optional', 'caption': 'Account Type',... REMOVE
DEPRECATE objects.user.attributes.session_uid {'requirement': 'optional', 'caption': 'Session UID',... REMOVE
UPDATE objects.user.attributes.type_id.enum.-1 REMOVE
DEPRECATE objects.user.attributes.type_id.default REMOVE
REMOVE objects.user.attributes.uid.caption UPDATE
UPDATE objects.user.attributes.domain.requirement required UPDATE
UPDATE objects.user.attributes.email_addr.description The user's primary email address. UPDATE
UPDATE objects.user.attributes.uid.description The unique user identifier. For example, the Windows... UPDATE
UPDATE objects.user.attributes.name.description The username. For example, <code>janedoe1</code>. UPDATE
UPDATE objects.user.constraints.at_least_one ['account', 'name', 'uid'] UPDATE
UPDATE objects.user.attributes.type_id.requirement recommended UPDATE
DEPRECATE objects.user.attributes.name.type string_t UPDATE
ADD objects.url.attributes.subdomain {'requirement': 'optional', 'caption': 'Subdomain',... ADD
ADD objects.url.attributes.category_ids.enum.99 {'caption': 'Other', 'description': 'The Domain/URL... ADD
ADD objects.url.constraints {'at_least_one': ['url_string', 'path']} ADD
ADD objects.url.attributes.url_string {'description': 'The URL string. See RFC 1738. For... ADD
DEPRECATE objects.url.attributes.text {'requirement': 'required', 'caption': 'URL Text',... REMOVE
IGNORE objects.url.profiles REMOVE
REMOVE objects.url.attributes.$include REMOVE
DEPRECATE objects.url.attributes.reputation {'requirement': 'optional', 'caption': 'Reputation... REMOVE
UPDATE objects.url.attributes.category_ids.enum.-1 REMOVE
UPDATE objects.url.attributes.hostname.requirement recommended UPDATE
DEPRECATE objects.url.attributes.path.type path_t UPDATE
UPDATE objects.url.description The Uniform Resource Locator(URL) object describes the... UPDATE
UPDATE objects.url.attributes.hostname.description The URL host as extracted from the URL. For example:... UPDATE
UPDATE objects.url.attributes.path.requirement recommended UPDATE
UPDATE objects.url.attributes.path.description The URL path as extracted from the URL. For example:... UPDATE
ADD objects.attack.attributes.tactic {'requirement': 'optional', 'caption': 'Tactic',... ADD
ADD objects.attack.constraints {'at_least_one': ['tactic', 'technique', 'sub_technique']} ADD
ADD objects.attack.attributes.tactics.@deprecated {'message': 'Use the <code> tactic </code> attribute... ADD
ADD objects.attack.attributes.sub_technique {'requirement': 'optional', 'caption': 'Sub Technique',... ADD
UPDATE objects.attack.attributes.tactics.requirement optional UPDATE
UPDATE objects.attack.attributes.version.requirement recommended UPDATE
UPDATE objects.attack.description The <a target='_blank'... UPDATE
UPDATE objects.attack.caption MITRE ATT&CK® UPDATE
UPDATE objects.attack.attributes.version.description The <a target='_blank'... UPDATE
UPDATE objects.attack.attributes.technique.requirement optional UPDATE
UPDATE objects.attack.attributes.tactics.description The Tactic object describes the tactic ID and/or tactic... UPDATE
UPDATE objects.attack.attributes.technique.description The Technique object describes the technique ID and/or... UPDATE
ADD objects.http_request.attributes.http_method.enum {'CONNECT': {'caption': 'Connect', 'description': 'The... ADD
ADD objects.http_request.attributes.length {'caption': 'Request Length', 'description': 'The HTTP... ADD
DEPRECATE objects.http_request.attributes.prefix {'description': 'Domain prefix.', 'requirement':... REMOVE
PRESERVE objects.http_request.attributes.http_method.requirement recommended REMOVE
PRESERVE objects.http_request.constraints {'at_least_one': ['user_agent', 'url', 'hostname']} REMOVE
UPDATE objects.http_request.attributes.http_method.description The <a target='_blank'... UPDATE
UPDATE objects.http_request.description The HTTP Request object represents the attributes of a... UPDATE
ADD objects.remediation.attributes.kb_article_list {'requirement': 'optional', 'caption': 'Knowledgebase... ADD
ADD objects.remediation.attributes.kb_articles.@deprecated {'message': 'Use the <code> kb_article_list </code>... ADD
ADD objects.remediation.attributes.references {'description': 'A list of supporting URL/s, references... ADD
UPDATE objects.remediation.attributes.desc.requirement required UPDATE
UPDATE objects.remediation.description The Remediation object describes the recommended... UPDATE
UPDATE objects.remediation.attributes.kb_articles.requirement optional UPDATE
UPDATE objects.remediation.attributes.kb_articles.description The KB article/s related to the entity. A KB Article... UPDATE
ADD objects.cvss.attributes.depth {'requirement': 'recommended', 'caption': 'CVSS Depth',... ADD
ADD objects.cvss.attributes.overall_score {'description': 'The CVSS overall score, impacted by... ADD
ADD objects.cvss.attributes.severity {'description': '<p>The Common Vulnerability Scoring... ADD
ADD objects.cvss.attributes.base_score {'description': 'The CVSS base score. For example:... ADD
ADD objects.cvss.attributes.metrics {'description': 'The Common Vulnerability Scoring System... ADD
DEPRECATE objects.cvss.attributes.integrity_id {'description': 'The Integrity Common Vulnerability... REMOVE
DEPRECATE objects.cvss.attributes.integrity_impact_id {'description': 'Name: Integrity Impact (I). Group:... REMOVE
DEPRECATE objects.cvss.attributes.target_distribution_id {'description': 'Name: Target Distribution (TD). Group:... REMOVE
DEPRECATE objects.cvss.attributes.modified_integrity_id {'description': 'Name: Modified Integrity (MI). Group:... REMOVE
DEPRECATE objects.cvss.attributes.exploitability_id {'description': 'Name: Exploitability (E). Group:... REMOVE
DEPRECATE objects.cvss.attributes.remediation_level_id {'description': 'Name: Remediation Level (RL). Group:... REMOVE
DEPRECATE objects.cvss.attributes.modified_attack_vector_id {'description': 'Name: Modified Attack Vector (MAV).... REMOVE
DEPRECATE objects.cvss.attributes.integrity_requirement_id {'description': 'Name: Integrity Requirement (IR).... REMOVE
DEPRECATE objects.cvss.attributes.collateral_damage_potential_id {'description': 'Name: Collateral Damage Potential... REMOVE
DEPRECATE objects.cvss.attributes.severity_id {'caption': 'Qualitative Severity Rating',... REMOVE
DEPRECATE objects.cvss.attributes.access_complexity_id {'description': 'Name: Access Complexity (AC). Group:... REMOVE
DEPRECATE objects.cvss.attributes.privileges_required_id {'caption': 'Privileges Required (PR)', 'description':... REMOVE
DEPRECATE objects.cvss.attributes.availability_requirement_id {'description': 'Name: Availability Requirement (AR).... REMOVE
DEPRECATE objects.cvss.attributes.modified_privileges_required_id {'description': 'Name: Modified Privileges Required... REMOVE
DEPRECATE objects.cvss.attributes.report_confidence_id {'description': 'Name: Report Confidence (RC). Group:... REMOVE
DEPRECATE objects.cvss.attributes.confidentiality_id {'caption': 'Confidentiality (C)', 'description': 'The... REMOVE
DEPRECATE objects.cvss.attributes.confidentiality_requirement_id {'description': 'Name: Confidentiality Requirement (CR).... REMOVE
DEPRECATE objects.cvss.attributes.modified_confidentiality_id {'description': 'Name: Modified Confidentiality (MC).... REMOVE
DEPRECATE objects.cvss.attributes.modified_user_interaction_id {'description': 'Name: Modified User Interaction (MUI).... REMOVE
DEPRECATE objects.cvss.attributes.access_vector_id {'description': 'Name: Access Vector (AV). Group: Base.... REMOVE
DEPRECATE objects.cvss.attributes.user_interaction_id {'caption': 'User Interaction (UI)', 'description': 'The... REMOVE
DEPRECATE objects.cvss.attributes.confidentiality_impact_id {'description': 'Name: Confidentiality Impact (C).... REMOVE
DEPRECATE objects.cvss.attributes.modified_attack_complexity_id {'description': 'Name: Modified Attack Complexity (MAC).... REMOVE
DEPRECATE objects.cvss.attributes.depth_id {'description': 'The CVSS depth. Representing a depth of... REMOVE
DEPRECATE objects.cvss.attributes.exploit_code_maturity_id {'description': 'Name: Exploit Code Maturity (E). Group:... REMOVE
DEPRECATE objects.cvss.attributes.scope_id {'description': 'Name: Scope (S). Group: Base. CVSS... REMOVE
DEPRECATE objects.cvss.attributes.attack_complexity_id {'caption': 'Attack Complexity (AC)', 'description':... REMOVE
DEPRECATE objects.cvss.attributes.availability_impact_id {'description': 'Name: Availability Impact (A). Group:... REMOVE
DEPRECATE objects.cvss.attributes.modified_scope_id {'description': 'Name: Modified Scope (MS). Group:... REMOVE
DEPRECATE objects.cvss.attributes.raw_score {'description': 'CVSS Score in the range of 0.0 to... REMOVE
DEPRECATE objects.cvss.attributes.attack_vector_id {'description': 'Name: Attack Vector (AV). Group: Base.... REMOVE
DEPRECATE objects.cvss.attributes.modified_availability_id {'description': 'Name: Modified Availability (MA).... REMOVE
DEPRECATE objects.cvss.attributes.availability_id {'description': 'Name: Availability (A). Group: Base.... REMOVE
DEPRECATE objects.cvss.attributes.authentication_id {'description': 'Name: Authentication (Au). Group: Base.... REMOVE
UPDATE objects.cvss.attributes.version.requirement required UPDATE
UPDATE objects.cvss.description The Common Vulnerability Scoring System (<a... UPDATE
UPDATE objects.cvss.attributes.vector_string.description The CVSS vector string is a text representation of a set... UPDATE
UPDATE objects.cvss.caption CVSS Score UPDATE
UPDATE objects.cvss.attributes.version.description The CVSS version. For example: <code>3.1</code>. UPDATE
ADD objects.job.attributes.run_state_id.enum.99 {'caption': 'Other'} ADD
UPDATE objects.job.attributes.run_state_id.enum.-1 REMOVE
UPDATE objects.job.description The Job object provides information about a scheduled... UPDATE
ADD objects.digital_signature.attributes.digest {'requirement': 'optional', 'caption': 'Message Digest',... ADD
ADD objects.digital_signature.attributes.algorithm {'description': "The digital signature algorithm used to... ADD
ADD objects.digital_signature.attributes.algorithm_id {'description': 'The identifier of the normalized... ADD
ADD objects.digital_signature.attributes.certificate {'requirement': 'recommended', 'caption': 'Certificate',... ADD
DEPRECATE objects.digital_signature.attributes.company_name {'requirement': 'required', 'caption': 'Company Name',... REMOVE
DEPRECATE objects.digital_signature.attributes.serial_number {'description': 'The serial number of the digital... REMOVE
DEPRECATE objects.digital_signature.attributes.issuer_name {'requirement': 'optional', 'caption': 'Issuer Name',... REMOVE
DEPRECATE objects.digital_signature.attributes.fingerprints {'requirement': 'optional', 'caption': 'Fingerprints',... REMOVE
UPDATE objects.digital_signature.description The Digital Signature object contains information about... UPDATE
ADD objects.reputation.attributes.score_id.enum.99 {'caption': 'Other', 'description': 'The reputation... ADD
ADD objects.reputation.attributes.base_score {'caption': 'Reputation Score', 'description': 'The... ADD
DEPRECATE objects.reputation.attributes.raw_score {'requirement': 'required', 'caption': 'Reputation... REMOVE
UPDATE objects.reputation.attributes.score_id.enum.-1 REMOVE
UPDATE objects.reputation.attributes.score.description The reputation score, normalized to the caption of the... UPDATE
UPDATE objects.reputation.description The Reputation object describes the reputation/risk... UPDATE
ADD objects.dce_rpc.attributes.rpc_interface {'requirement': 'required', 'caption': 'Remote Procedure... ADD
DEPRECATE objects.dce_rpc.attributes.network_interfaces {'description': 'The list of DCE/RPC interfaces',... REMOVE
UPDATE objects.dce_rpc.caption DCE/RPC UPDATE
UPDATE objects.dce_rpc.description The DCE/RPC, or Distributed Computing Environment/Remote... UPDATE
ADD objects.finding.@deprecated {'message': 'Use the new <code>finding_info</code>... ADD
ADD objects.finding.attributes.related_events {'requirement': 'optional', 'caption': 'Related Events',... ADD
DEPRECATE objects.finding.attributes.related_findings {'requirement': 'optional', 'caption': 'Related... REMOVE
DEPRECATE objects.finding.attributes.supporting_data.is_array True REMOVE
UPDATE objects.finding.description The Finding object describes metadata related to a... UPDATE
UPDATE objects.finding.attributes.title.description A title or a brief phrase summarizing the reported finding. UPDATE
UPDATE objects.finding.caption Finding UPDATE
UPDATE objects.finding.attributes.remediation.description Describes the recommended remediation steps to address... UPDATE
DEPRECATE objects.finding.attributes.src_url.type string_t UPDATE
REMOVE objects.finding.attributes.remediation.caption UPDATE
ADD objects.module.attributes.load_type_id.enum.99 {'caption': 'Other'} ADD
UPDATE objects.module.attributes.load_type_id.enum.-1 REMOVE
UPDATE objects.module.attributes.load_type.description The load type, normalized to the caption of the... UPDATE
UPDATE objects.module.description The Module object describes the load attributes of a module. UPDATE
ADD objects.observable.attributes.type_id.enum.30 {'caption': 'Fingerprint', 'description': 'The... ADD
ADD objects.observable.attributes.reputation {'requirement': 'optional', 'caption': 'Reputation... ADD
ADD objects.observable.attributes.type_id.enum.99 {'caption': 'Other', 'description': 'The observable data... ADD
UPDATE objects.observable.attributes.type_id.enum.-1 REMOVE
UPDATE objects.observable.attributes.type_id.default REMOVE
IGNORE objects.observable.attributes.type_id.enum.26.description UPDATE
IGNORE objects.observable.attributes.type_id.enum.28.description UPDATE
IGNORE objects.observable.attributes.type_id.enum.2.description UPDATE
IGNORE objects.observable.attributes.type_id.enum.27.description UPDATE
IGNORE objects.observable.attributes.type_id.enum.21.description UPDATE
IGNORE objects.observable.attributes.type_id.enum.25.description UPDATE
UPDATE objects.observable.attributes.value.description The value associated with the observable attribute. The... UPDATE
IGNORE objects.observable.attributes.type_id.enum.23.description UPDATE
UPDATE objects.observable.attributes.name.description The full name of the observable attribute. The... UPDATE
IGNORE objects.observable.attributes.type_id.enum.20.description UPDATE
IGNORE objects.observable.attributes.type_id.enum.24.description UPDATE
IGNORE objects.observable.attributes.type_id.enum.22.description UPDATE
IGNORE objects.observable.attributes.type_id.enum.8.description UPDATE
IGNORE objects.observable.attributes.type_id.enum.8.caption UPDATE
ADD objects.email.attributes.uid {'caption': 'Email UID', 'description': 'The email... ADD
ADD objects.email.attributes.raw_header {'requirement': 'optional', 'caption': 'Raw Header',... ADD
DEPRECATE objects.email.attributes.direction {'description': 'The direction of the email, as defined... REMOVE
DEPRECATE objects.email.attributes.direction_id {'description': 'The direction of the email relative to... REMOVE
DEPRECATE objects.email.attributes.smtp_hello {'requirement': 'recommended', 'caption': 'SMTP Hello',... REMOVE
PRESERVE objects.email.attributes.subject.requirement required REMOVE
UPDATE objects.hassh.attributes.algorithm.description The concatenation of key exchange, encryption,... UPDATE
UPDATE objects.hassh.description The HASSH object contains SSH network fingerprinting... UPDATE
ADD objects.process.attributes.integrity_id.sibling integrity ADD
ADD objects.process.attributes.$include ['profiles/linux_users.json'] ADD
ADD objects.process.attributes.terminated_time {'description': 'The time when the process was... ADD
ADD objects.process.attributes.group {'description': 'The group under which this process is... ADD
ADD objects.process.profiles ['linux/linux_users'] ADD
ADD objects.process.attributes.container {'group': 'context', 'requirement': 'recommended',... ADD
ADD objects.process.attributes.auid {'requirement': 'optional', 'caption': 'Audit User ID',... ADD
ADD objects.process.attributes.integrity_id.enum.99 {'caption': 'Other'} ADD
ADD objects.process.attributes.egid {'requirement': 'optional', 'caption': 'Effective Group... ADD
ADD objects.process.attributes.namespace_pid {'group': 'context', 'requirement': 'recommended',... ADD
ADD objects.process.attributes.session {'description': 'The user session under which this... ADD
ADD objects.process.attributes.euid {'requirement': 'optional', 'caption': 'Effective User... ADD
UPDATE objects.process.attributes.integrity_id.enum.-1 REMOVE
DEPRECATE objects.process.attributes.integrity.sibling integrity REMOVE
DEPRECATE objects.process.attributes.name.name process_name_t REMOVE
UPDATE objects.process.attributes.integrity.description The process integrity level, normalized to the caption... UPDATE
IGNORE objects.process.extends UPDATE
UPDATE objects.process.attributes.user.description The user under which this process is running. UPDATE
REMOVE objects.process.attributes.uid.caption UPDATE
DEPRECATE objects.process.attributes.name.type string_t UPDATE
REMOVE objects.process.attributes.user.caption UPDATE
UPDATE objects.process.caption Linux Process UPDATE
UPDATE objects.process.attributes.lineage.description The lineage of the process, represented by a list of... UPDATE
UPDATE objects.process.description Extends the process object to add Linux specific fields UPDATE
UPDATE objects.san.attributes.name.requirement required UPDATE
UPDATE objects.san.description The Subject Alternative name (SAN) object describes a... UPDATE
UPDATE objects.san.attributes.type.requirement required UPDATE
ADD objects.group.attributes.domain {'description': 'The domain where the group is defined.... ADD
ADD objects.group.constraints {'at_least_one': ['name', 'uid']} ADD
UPDATE objects.group.description The Group object represents a collection or association... UPDATE
UPDATE objects.group.attributes.name.requirement recommended UPDATE
IGNORE objects.group.extends UPDATE
ADD objects.response.attributes.data {'description': 'The additional data that is associated... ADD
ADD objects.response.attributes.containers {'requirement': 'optional', 'caption': 'Containers',... ADD
UPDATE objects.response.attributes.flags.description The list of communication flags, normalized to the... UPDATE
UPDATE objects.response.description The Response Elements object describes characteristics... UPDATE
UPDATE objects.response.attributes.message.description The description of the event/finding, as defined by the source. UPDATE
ADD objects.product.attributes.url_string {'description': 'The URL pointing towards the product.',... ADD
ADD objects.product.constraints {'at_least_one': ['name', 'uid']} ADD
ADD objects.product.attributes.cpe_name {'requirement': 'optional', 'caption': 'The product CPE... ADD
REMOVE objects.product.attributes.uid.caption UPDATE
REMOVE objects.product.attributes.path.caption UPDATE
UPDATE objects.product.attributes.lang.requirement optional UPDATE
DEPRECATE objects.product.attributes.path.type path_t UPDATE
IGNORE objects.product.extends UPDATE
UPDATE objects.product.attributes.name.requirement recommended UPDATE
UPDATE objects.product.description The Product object describes characteristics of a... UPDATE
REMOVE objects.product.attributes.name.caption UPDATE
REMOVE objects.product.attributes.version.caption UPDATE
UPDATE objects.enrichment.attributes.type.description The enrichment type. For example: <code>location</code>. UPDATE
UPDATE objects.enrichment.description The Enrichment object provides inline enrichment data... UPDATE
UPDATE objects.keyboard_info.description The Keyboard Information object contains details and... UPDATE
ADD objects.compliance.attributes.standards {'requirement': 'required', 'caption': 'Security... ADD
ADD objects.compliance.attributes.control {'requirement': 'recommended', 'caption': 'Security... ADD
ADD objects.compliance.attributes.status_code {'description': 'The resultant status code of the... ADD
ADD objects.compliance.attributes.status_id {'description': 'The normalized status identifier of the... ADD
UPDATE objects.compliance.attributes.status.description The resultant status of the compliance check normalized... UPDATE
UPDATE objects.compliance.attributes.status_detail.description The contextual description of the status, status_code values. UPDATE
UPDATE objects.compliance.attributes.status.requirement recommended UPDATE
UPDATE objects.compliance.caption Compliance UPDATE
UPDATE objects.compliance.attributes.requirements.description A list of requirements associated to a specific control... UPDATE
UPDATE objects.compliance.description The Compliance object contains information about... UPDATE
REMOVE objects.compliance.attributes.requirements.caption UPDATE
ADD objects.image.constraints {'at_least_one': ['name', 'uid']} ADD
UPDATE objects.image.description The Image object provides a description of a specific... UPDATE
REMOVE objects.image.attributes.uid.caption UPDATE
REMOVE objects.image.attributes.name.caption UPDATE
IGNORE objects.image.extends UPDATE
DEPRECATE objects.image.attributes.path.type path_t UPDATE
ADD objects.dns_answer.attributes.flag_ids.enum.99 {'caption': 'Other', 'description': 'The event DNS... ADD
UPDATE objects.dns_answer.attributes.flag_ids.enum.-1 REMOVE
UPDATE objects.dns_answer.description The DNS Answer object represents a specific response... UPDATE
UPDATE objects.dns_answer.attributes.type.requirement recommended UPDATE
UPDATE objects.dns_answer.attributes.class.requirement recommended UPDATE
ADD objects.idp.constraints {'at_least_one': ['name', 'uid']} ADD
UPDATE objects.idp.attributes.uid.description The unique identifier of the identity provider. UPDATE
IGNORE objects.idp.extends UPDATE
UPDATE objects.idp.attributes.name.description The name of the identity provider. UPDATE
UPDATE objects.idp.attributes.name.requirement recommended UPDATE
UPDATE objects.idp.description The Identity Provider object contains detailed... UPDATE
UPDATE objects.idp.attributes.uid.requirement recommended UPDATE
ADD objects.network_endpoint.attributes.zone {'requirement': 'optional', 'caption': 'Network Zone',... ADD
ADD objects.network_endpoint.attributes.namespace_pid {'group': 'context', 'requirement': 'recommended',... ADD
ADD objects.network_endpoint.attributes.type_id {'description': 'The network endpoint type ID.',... ADD
ADD objects.network_endpoint.attributes.os {'description': 'The endpoint operating system.',... ADD
ADD objects.network_endpoint.attributes.agent_list {'requirement': 'optional', 'caption': 'Agent List',... ADD
ADD objects.network_endpoint.attributes.proxy_endpoint {'description': 'The network proxy information... ADD
ADD objects.network_endpoint.attributes.type {'description': 'The network endpoint type. For example:... ADD
ADD objects.network_endpoint.attributes.hw_info {'requirement': 'optional', 'caption': 'Hardware Info',... ADD
ADD objects.network_endpoint.attributes.owner {'description': 'The identity of the service or user... ADD
ADD objects.network_endpoint.attributes.interface_name {'requirement': 'recommended', 'caption': 'Network... ADD
ADD objects.network_endpoint.attributes.container {'group': 'context', 'requirement': 'recommended',... ADD
DEPRECATE objects.network_endpoint.attributes.reputation {'requirement': 'optional', 'caption': 'Reputation... REMOVE
REMOVE objects.network_endpoint.attributes.$include UPDATE
REMOVE objects.network_endpoint.attributes.location.caption UPDATE
IGNORE objects.network_endpoint.profiles UPDATE
UPDATE objects.network_endpoint.attributes.name.requirement recommended UPDATE
UPDATE objects.network_endpoint.constraints.at_least_one ['ip', 'uid', 'name', 'hostname', 'svc_name',... UPDATE
ADD objects.url_intelligence.attributes.category_ids.enum.99 {'caption': 'Other', 'description': 'The Domain/URL... ADD
UPDATE objects.url_intelligence.attributes.category_ids.enum.-1 REMOVE
UPDATE objects.url_intelligence.attributes.references.description A list of reference URLs supporting the finding/detection. UPDATE
REMOVE objects.url_intelligence.attributes.vendor_name.caption UPDATE
ADD objects.threat_intelligence.attributes.type_id.enum.99 {'caption': 'Other', 'description': 'The type is not... ADD
UPDATE objects.threat_intelligence.attributes.type_id.enum.-1 REMOVE
DEPRECATE objects.threat_intelligence.attributes.type_id.default REMOVE
REMOVE objects.ip_intelligence.attributes.location.caption UPDATE
UPDATE objects.ip_intelligence.attributes.references.description A list of reference URLs supporting the finding/detection. UPDATE
REMOVE objects.ip_intelligence.attributes.vendor_name.caption UPDATE
PRESERVE objects.domain_intelligence.attributes.domain_info.description The registration information pertaining to a domain. REMOVE
REMOVE objects.domain_intelligence.attributes.domain_info.caption REMOVE
DEPRECATE objects.domain_intelligence.attributes.domain_info.type domain_info REMOVE
REMOVE objects.domain_intelligence.attributes.vendor_name.caption UPDATE
UPDATE objects.domain_intelligence.attributes.references.description A list of reference URLs supporting the finding/detection. UPDATE
UPDATE objects.file_intelligence.attributes.references.description A list of reference URLs supporting the finding/detection. UPDATE
REMOVE objects.file_intelligence.attributes.vendor_name.caption UPDATE
REMOVE objects._base_threat_intelligence.attributes.vendor_name.caption UPDATE
UPDATE objects._base_threat_intelligence.attributes.references.description A list of reference URLs supporting the finding/detection. UPDATE
ADD events.registry_value_info.attributes.$include ['profiles/host.json'] ADD
ADD events.registry_value_info.attributes.status_detail.requirement optional ADD
ADD events.registry_value_info.attributes.device {'requirement': 'recommended', 'caption': 'Device',... ADD
ADD events.registry_value_info.attributes.severity_id.enum.99 {'caption': 'Other', 'description': 'The event/finding... ADD
ADD events.registry_value_info.attributes.actor {'requirement': 'optional', 'caption': 'Actor',... ADD
ADD events.registry_value_info.attributes.end_time.requirement optional ADD
ADD events.registry_value_info.attributes.status_id.enum.99 {'caption': 'Other', 'description': 'The event status is... ADD
ADD events.registry_value_info.attributes.unmapped.requirement optional ADD
ADD events.registry_value_info.attributes.type_uid.enum.500501 {'caption': 'Registry Value Info: Exists'} ADD
ADD events.registry_value_info.attributes.duration.requirement optional ADD
ADD events.registry_value_info.attributes.status_id.enum.0.description The status is unknown. ADD
ADD events.registry_value_info.attributes.activity_id.enum.99 {'caption': 'Other', 'description': 'The event activity... ADD
ADD events.registry_value_info.attributes.count.requirement optional ADD
ADD events.registry_value_info.attributes.type_uid.enum.500504 {'caption': 'Registry Value Info: Error'} ADD
ADD events.registry_value_info.attributes.enrichments.requirement optional ADD
ADD events.registry_value_info.attributes.type_uid.enum.500503 {'caption': 'Registry Value Info: Does not exist'} ADD
ADD events.registry_value_info.attributes.activity_id.enum.4 {'caption': 'Error', 'description': 'The discovery... ADD
ADD events.registry_value_info.attributes.activity_id.enum.5 {'caption': 'Unsupported', 'description': 'Discovery of... ADD
ADD events.registry_value_info.attributes.activity_id.enum.1.description The target was found. ADD
ADD events.registry_value_info.attributes.class_uid.enum.5005 {'caption': 'Registry Value Info', 'description':... ADD
ADD events.registry_value_info.attributes.type_uid.enum.500502 {'caption': 'Registry Value Info: Partial'} ADD
ADD events.registry_value_info.attributes.status_code.requirement optional ADD
ADD events.registry_value_info.attributes.category_uid.enum.5 {'caption': 'Discovery', 'description': 'Discovery... ADD
ADD events.registry_value_info.attributes.type_uid.enum.500505 {'caption': 'Registry Value Info: Unsupported'} ADD
ADD events.registry_value_info.attributes.start_time.requirement optional ADD
ADD events.registry_value_info.attributes.activity_id.enum.3 {'caption': 'Does not exist', 'description': 'The target... ADD
ADD events.registry_value_info.attributes.activity_id.enum.2.description The target was partially found. ADD
ADD events.registry_value_info.attributes.type_uid.enum.500500 {'caption': 'Registry Value Info: Unknown'} ADD
ADD events.registry_value_info.attributes.raw_data.requirement optional ADD
ADD events.registry_value_info.attributes.type_uid.enum.500599 {'caption': 'Registry Value Info: Other'} ADD
ADD events.registry_value_info.attributes.cloud.group primary ADD
ADD events.registry_value_info.attributes.api {'requirement': 'optional', 'group': 'context',... ADD
DEPRECATE events.registry_value_info.attributes.scan_uid {'description': 'The unique identifier of the discovery... REMOVE
UPDATE events.registry_value_info.attributes.severity_id.enum.-1 REMOVE
IGNORE events.registry_value_info.attributes.category_uid.default REMOVE
DEPRECATE events.registry_value_info.attributes.confidence {'group': 'classification', 'requirement': 'optional',... REMOVE
IGNORE events.registry_value_info.attributes.type_uid.enum.3201301 REMOVE
DEPRECATE events.registry_value_info.attributes.command_uid {'description': 'The unique identifier of the discovery... REMOVE
IGNORE events.registry_value_info.attributes.class_uid.enum.32013 REMOVE
IGNORE events.registry_value_info.attributes.type_uid.enum.3201300 REMOVE
UPDATE events.registry_value_info.attributes.activity_id.enum.-1 REMOVE
REMOVE events.registry_value_info.attributes.activity_id.$include REMOVE
UPDATE events.registry_value_info.attributes.status_id.enum.-1 REMOVE
IGNORE events.registry_value_info.attributes.type_uid.enum.3201302 REMOVE
IGNORE events.registry_value_info.attributes.type_uid.enum.3201299 REMOVE
IGNORE events.registry_value_info.attributes.category_uid.enum.32 REMOVE
DEPRECATE events.registry_value_info.attributes.data {'description': 'Additional data that is associated with... REMOVE
DEPRECATE events.registry_value_info.attributes.count.default 1 REMOVE
IGNORE events.registry_value_info.attributes.class_uid.default REMOVE
UPDATE events.registry_value_info.attributes.severity_id.description <p>The normalized identifier of the event/finding... UPDATE
UPDATE events.registry_value_info.attributes.status_detail.description The status details contains additional information about... UPDATE
IGNORE events.registry_value_info.profiles UPDATE
UPDATE events.registry_value_info.attributes.reg_value.description The registry value that pertains to the event. UPDATE
DEPRECATE events.registry_value_info.attributes.severity_id.enum.0.description The event severity is not known. UPDATE
UPDATE events.registry_value_info.attributes.metadata.description The metadata associated with the event or a finding. UPDATE
UPDATE events.registry_value_info.attributes.severity.description The event/finding severity, normalized to the caption of... UPDATE
IGNORE events.registry_value_info.attributes.type_uid.description UPDATE
IGNORE events.registry_value_info.attributes.type_uid.type UPDATE
UPDATE events.registry_value_info.description Registry Value Info events report information about... UPDATE
UPDATE events.registry_value_info.attributes.message.description The description of the event/finding, as defined by the source. UPDATE
UPDATE events.registry_value_info.attributes.time.description The normalized event occurrence time or the finding... UPDATE
UPDATE events.registry_value_info.attributes.enrichments.description The additional information from an external data source,... UPDATE
DEPRECATE events.registry_value_info.attributes.reg_value.type registry_value UPDATE
UPDATE events.registry_value_info.attributes.observables.description The observables associated with the event or a finding. UPDATE
UPDATE events.registry_value_info.attributes.status.description The event status, normalized to the caption of the... UPDATE
UPDATE events.registry_value_info.attributes.cloud.description Describes details about the Cloud environment where the... UPDATE
IGNORE events.registry_value_info.uid UPDATE
UPDATE events.registry_value_info.attributes.type_name.description The event/finding type name, as defined by the type_uid. UPDATE
ADD events.registry_key_activity.attributes.disposition_id.enum.20 {'caption': 'Count', 'description': 'Counted the request... ADD
ADD events.registry_key_activity.attributes.disposition_id.enum.2.description Denied access or blocked the action to the protected resource. ADD
ADD events.registry_key_activity.attributes.disposition_id.enum.26 {'caption': 'Unauthorized', 'description': "An attempt... ADD
ADD events.registry_key_activity.attributes.type_uid.enum.100102 {'caption': 'Registry Key Activity: Read'} ADD
ADD events.registry_key_activity.attributes.action {'caption': 'Action', 'description': 'The normalized... ADD
ADD events.registry_key_activity.attributes.activity_id.enum.99 {'caption': 'Other', 'description': 'The event activity... ADD
ADD events.registry_key_activity.attributes.disposition_id.enum.8.description A request or submission was approved. For example, when... ADD
ADD events.registry_key_activity.attributes.disposition_id.enum.22 {'caption': 'Captcha', 'description': 'Required the end... ADD
ADD events.registry_key_activity.attributes.status_id.enum.99 {'caption': 'Other', 'description': 'The event status is... ADD
ADD events.registry_key_activity.attributes.disposition_id.enum.23 {'caption': 'Challenge', 'description': "Ran a silent... ADD
ADD events.registry_key_activity.attributes.severity_id.enum.99 {'caption': 'Other', 'description': 'The event/finding... ADD
ADD events.registry_key_activity.attributes.disposition_id.enum.6.description The request was detected as a threat and resulted in the... ADD
ADD events.registry_key_activity.attributes.disposition_id.enum.4.description A session was isolated on the network or within a browser. ADD
ADD events.registry_key_activity.attributes.disposition_id.enum.18 {'caption': 'Tagged', 'description': 'A file or other... ADD
ADD events.registry_key_activity.attributes.unmapped.requirement optional ADD
ADD events.registry_key_activity.attributes.disposition_id.enum.21 {'caption': 'Reset', 'description': 'The request was... ADD
ADD events.registry_key_activity.attributes.type_uid.enum.100100 {'caption': 'Registry Key Activity: Unknown'} ADD
ADD events.registry_key_activity.attributes.count.requirement optional ADD
ADD events.registry_key_activity.extension windows ADD
ADD events.registry_key_activity.attributes.type_uid.enum.100103 {'caption': 'Registry Key Activity: Modify'} ADD
ADD events.registry_key_activity.attributes.end_time.requirement optional ADD
ADD events.registry_key_activity.attributes.disposition_id.enum.13.description A corrupt file or configuration was not corrected. ADD
ADD events.registry_key_activity.attributes.disposition_id.enum.5.description A file or other content was deleted. ADD
ADD events.registry_key_activity.attributes.duration.requirement optional ADD
ADD events.registry_key_activity.attributes.prev_reg_key {'group': 'primary', 'requirement': 'optional',... ADD
ADD events.registry_key_activity.attributes.status_code.requirement optional ADD
ADD events.registry_key_activity.attributes.disposition_id.enum.19 {'caption': 'Alert', 'description': 'The request or... ADD
ADD events.registry_key_activity.attributes.disposition_id.enum.3.description A suspicious file or other content was moved to a benign... ADD
ADD events.registry_key_activity.attributes.firewall_rule {'requirement': 'optional', 'caption': 'Firewall Rule',... ADD
ADD events.registry_key_activity.attributes.type_uid.enum.100199 {'caption': 'Registry Key Activity: Other'} ADD
ADD events.registry_key_activity.attributes.action_id {'caption': 'Action ID', 'description': "The action... ADD
ADD events.registry_key_activity.attributes.disposition_id.enum.11.description A corrupt file or configuration was corrected. ADD
ADD events.registry_key_activity.attributes.disposition_id.enum.1.description Granted access or allowed the action to the protected resource. ADD
ADD events.registry_key_activity.attributes.type_uid.enum.100106 {'caption': 'Registry Key Activity: Set Security'} ADD
ADD events.registry_key_activity.attributes.disposition_id.enum.16 {'caption': 'No Action', 'description': 'The outcome of... ADD
ADD events.registry_key_activity.attributes.status_detail.requirement optional ADD
ADD events.registry_key_activity.attributes.disposition_id.enum.7.description A custom action was executed such as running of a... ADD
ADD events.registry_key_activity.attributes.disposition_id.enum.0.description The disposition was not known. ADD
ADD events.registry_key_activity.attributes.type_uid.enum.100104 {'caption': 'Registry Key Activity: Delete'} ADD
ADD events.registry_key_activity.attributes.status_id.enum.0.description The status is unknown. ADD
ADD events.registry_key_activity.attributes.disposition_id.enum.99 {'caption': 'Other', 'description': 'The disposition is... ADD
ADD events.registry_key_activity.attributes.start_time.requirement optional ADD
ADD events.registry_key_activity.attributes.disposition_id.enum.9 {'caption': 'Restored', 'description': 'A quarantined... ADD
ADD events.registry_key_activity.attributes.class_uid.enum.1001 {'caption': 'Registry Key Activity', 'description':... ADD
ADD events.registry_key_activity.attributes.type_uid.enum.100101 {'caption': 'Registry Key Activity: Create'} ADD
ADD events.registry_key_activity.attributes.disposition_id.enum.12.description A corrupt file or configuration was partially corrected. ADD
ADD events.registry_key_activity.attributes.authorizations {'requirement': 'optional', 'caption': 'Authorization... ADD
ADD events.registry_key_activity.attributes.enrichments.requirement optional ADD
ADD events.registry_key_activity.attributes.type_uid.enum.100105 {'caption': 'Registry Key Activity: Rename'} ADD
ADD events.registry_key_activity.attributes.type_uid.enum.100108 {'caption': 'Registry Key Activity: Import'} ADD
ADD events.registry_key_activity.attributes.disposition_id.enum.17 {'caption': 'Logged', 'description': 'The operation or... ADD
ADD events.registry_key_activity.attributes.api {'requirement': 'optional', 'group': 'context',... ADD
ADD events.registry_key_activity.attributes.disposition_id.enum.24 {'caption': 'Access Revoked', 'description': "The... ADD
ADD events.registry_key_activity.attributes.disposition_id.enum.27 {'caption': 'Error', 'description': 'An error occurred... ADD
ADD events.registry_key_activity.attributes.type_uid.enum.100107 {'caption': 'Registry Key Activity: Restore'} ADD
ADD events.registry_key_activity.attributes.cloud.group primary ADD
ADD events.registry_key_activity.attributes.raw_data.requirement optional ADD
ADD events.registry_key_activity.attributes.disposition_id.enum.25 {'caption': 'Rejected', 'description': "A request or... ADD
ADD events.registry_key_activity.attributes.type_uid.enum.100109 {'caption': 'Registry Key Activity: Export'} ADD
IGNORE events.registry_key_activity.attributes.type_uid.enum.100802 REMOVE
IGNORE events.registry_key_activity.attributes.type_uid.enum.100805 REMOVE
UPDATE events.registry_key_activity.attributes.severity_id.enum.-1 REMOVE
IGNORE events.registry_key_activity.attributes.type_uid.enum.100807 REMOVE
IGNORE events.registry_key_activity.attributes.type_uid.enum.100809 REMOVE
IGNORE events.registry_key_activity.attributes.type_uid.enum.100803 REMOVE
IGNORE events.registry_key_activity.attributes.type_uid.enum.100804 REMOVE
IGNORE events.registry_key_activity.attributes.type_uid.enum.100799 REMOVE
UPDATE events.registry_key_activity.attributes.activity_id.enum.-1 REMOVE
IGNORE events.registry_key_activity.attributes.type_uid.enum.100801 REMOVE
DEPRECATE events.registry_key_activity.attributes.data {'description': 'Additional data that is associated with... REMOVE
UPDATE events.registry_key_activity.attributes.status_id.enum.-1 REMOVE
UPDATE events.registry_key_activity.attributes.disposition_id.enum.-1 REMOVE
DEPRECATE events.registry_key_activity.attributes.confidence {'group': 'classification', 'requirement': 'optional',... REMOVE
IGNORE events.registry_key_activity.attributes.class_uid.enum.1008 REMOVE
IGNORE events.registry_key_activity.attributes.type_uid.enum.100800 REMOVE
DEPRECATE events.registry_key_activity.attributes.count.default 1 REMOVE
IGNORE events.registry_key_activity.attributes.category_uid.default REMOVE
IGNORE events.registry_key_activity.attributes.class_uid.default REMOVE
IGNORE events.registry_key_activity.attributes.type_uid.enum.100806 REMOVE
DEPRECATE events.registry_key_activity.attributes.reg_key_result {'group': 'primary', 'requirement': 'optional',... REMOVE
IGNORE events.registry_key_activity.attributes.type_uid.enum.100808 REMOVE
REMOVE events.registry_key_activity.attributes.activity_id.$include REMOVE
DEPRECATE events.registry_key_activity.attributes.disposition_id.enum.15.description Marked with extended attributes. UPDATE
REMOVE events.registry_key_activity.attributes.disposition_id.enum.3.caption UPDATE
UPDATE events.registry_key_activity.attributes.observables.description The observables associated with the event or a finding. UPDATE
REMOVE events.registry_key_activity.attributes.disposition_id.enum.15.caption UPDATE
REMOVE events.registry_key_activity.attributes.disposition_id.requirement UPDATE
UPDATE events.registry_key_activity.attributes.severity.description The event/finding severity, normalized to the caption of... UPDATE
IGNORE events.registry_key_activity.uid UPDATE
UPDATE events.registry_key_activity.attributes.status_detail.description The status details contains additional information about... UPDATE
REMOVE events.registry_key_activity.attributes.disposition_id.enum.1.caption UPDATE
REMOVE events.registry_key_activity.attributes.disposition_id.enum.11.caption UPDATE
REMOVE events.registry_key_activity.attributes.disposition_id.enum.8.caption UPDATE
IGNORE events.registry_key_activity.profiles UPDATE
REMOVE events.registry_key_activity.attributes.disposition_id.enum.7.caption UPDATE
DEPRECATE events.registry_key_activity.attributes.disposition_id.enum.10.description Requires reboot to finish the operation. UPDATE
REMOVE events.registry_key_activity.attributes.disposition_id.enum.5.caption UPDATE
REMOVE events.registry_key_activity.attributes.disposition_id.enum.6.caption UPDATE
UPDATE events.registry_key_activity.attributes.type_name.description The event/finding type name, as defined by the type_uid. UPDATE
UPDATE events.registry_key_activity.attributes.malware.requirement optional UPDATE
DEPRECATE events.registry_key_activity.attributes.disposition_id.enum.14.description No longer suspicious (re-scored). UPDATE
UPDATE events.registry_key_activity.attributes.severity_id.description <p>The normalized identifier of the event/finding... UPDATE
REMOVE events.registry_key_activity.attributes.$include UPDATE
UPDATE events.registry_key_activity.attributes.disposition.description The disposition name, normalized to the caption of the... UPDATE
DEPRECATE events.registry_key_activity.attributes.reg_key.type registry_key UPDATE
REMOVE events.registry_key_activity.attributes.disposition_id.enum.12.caption UPDATE
UPDATE events.registry_key_activity.attributes.cloud.description Describes details about the Cloud environment where the... UPDATE
IGNORE events.registry_key_activity.attributes.type_uid.description UPDATE
REMOVE events.registry_key_activity.attributes.disposition_id.description UPDATE
REMOVE events.registry_key_activity.attributes.disposition_id.enum.10.caption UPDATE
UPDATE events.registry_key_activity.attributes.attacks.description An array of <a target='_blank'... UPDATE
UPDATE events.registry_key_activity.attributes.status.description The event status, normalized to the caption of the... UPDATE
UPDATE events.registry_key_activity.attributes.malware.description A list of Malware objects, describing details about the... UPDATE
UPDATE events.registry_key_activity.attributes.enrichments.description The additional information from an external data source,... UPDATE
REMOVE events.registry_key_activity.attributes.disposition_id.enum.13.caption UPDATE
REMOVE events.registry_key_activity.attributes.disposition_id.enum.4.caption UPDATE
REMOVE events.registry_key_activity.attributes.disposition_id.enum.14.caption UPDATE
REMOVE events.registry_key_activity.attributes.attacks.caption UPDATE
IGNORE events.registry_key_activity.attributes.type_uid.type UPDATE
UPDATE events.registry_key_activity.attributes.message.description The description of the event/finding, as defined by the source. UPDATE
UPDATE events.registry_key_activity.attributes.device.description An addressable device, computer system or host. UPDATE
UPDATE events.registry_key_activity.attributes.metadata.description The metadata associated with the event or a finding. UPDATE
REMOVE events.registry_key_activity.attributes.disposition_id.enum.2.caption UPDATE
DEPRECATE events.registry_key_activity.attributes.severity_id.enum.0.description The event severity is not known. UPDATE
UPDATE events.registry_key_activity.attributes.time.description The normalized event occurrence time or the finding... UPDATE
ADD events.registry_value_activity.attributes.type_uid.enum.100299 {'caption': 'Registry Value Activity: Other'} ADD
ADD events.registry_value_activity.attributes.disposition_id.enum.0.description The disposition was not known. ADD
ADD events.registry_value_activity.attributes.disposition_id.enum.20 {'caption': 'Count', 'description': 'Counted the request... ADD
ADD events.registry_value_activity.attributes.type_uid.enum.100204 {'caption': 'Registry Value Activity: Delete'} ADD
ADD events.registry_value_activity.attributes.disposition_id.enum.21 {'caption': 'Reset', 'description': 'The request was... ADD
ADD events.registry_value_activity.attributes.disposition_id.enum.8.description A request or submission was approved. For example, when... ADD
ADD events.registry_value_activity.attributes.disposition_id.enum.25 {'caption': 'Rejected', 'description': "A request or... ADD
ADD events.registry_value_activity.attributes.disposition_id.enum.7.description A custom action was executed such as running of a... ADD
ADD events.registry_value_activity.attributes.disposition_id.enum.2.description Denied access or blocked the action to the protected resource. ADD
ADD events.registry_value_activity.attributes.disposition_id.enum.13.description A corrupt file or configuration was not corrected. ADD
ADD events.registry_value_activity.attributes.disposition_id.enum.19 {'caption': 'Alert', 'description': 'The request or... ADD
ADD events.registry_value_activity.attributes.activity_id.enum.99 {'caption': 'Other', 'description': 'The event activity... ADD
ADD events.registry_value_activity.attributes.type_uid.enum.100202 {'caption': 'Registry Value Activity: Set'} ADD
ADD events.registry_value_activity.attributes.disposition_id.enum.17 {'caption': 'Logged', 'description': 'The operation or... ADD
ADD events.registry_value_activity.attributes.disposition_id.enum.3.description A suspicious file or other content was moved to a benign... ADD
ADD events.registry_value_activity.attributes.end_time.requirement optional ADD
ADD events.registry_value_activity.attributes.action {'caption': 'Action', 'description': 'The normalized... ADD
ADD events.registry_value_activity.attributes.enrichments.requirement optional ADD
ADD events.registry_value_activity.attributes.type_uid.enum.100200 {'caption': 'Registry Value Activity: Unknown'} ADD
ADD events.registry_value_activity.attributes.authorizations {'requirement': 'optional', 'caption': 'Authorization... ADD
ADD events.registry_value_activity.attributes.disposition_id.enum.11.description A corrupt file or configuration was corrected. ADD
ADD events.registry_value_activity.attributes.class_uid.enum.1002 {'caption': 'Registry Value Activity', 'description':... ADD
ADD events.registry_value_activity.attributes.raw_data.requirement optional ADD
ADD events.registry_value_activity.attributes.unmapped.requirement optional ADD
ADD events.registry_value_activity.attributes.status_detail.requirement optional ADD
ADD events.registry_value_activity.attributes.status_id.enum.0.description The status is unknown. ADD
ADD events.registry_value_activity.attributes.disposition_id.enum.99 {'caption': 'Other', 'description': 'The disposition is... ADD
ADD events.registry_value_activity.attributes.disposition_id.enum.4.description A session was isolated on the network or within a browser. ADD
ADD events.registry_value_activity.attributes.action_id {'caption': 'Action ID', 'description': "The action... ADD
ADD events.registry_value_activity.attributes.disposition_id.enum.6.description The request was detected as a threat and resulted in the... ADD
ADD events.registry_value_activity.attributes.duration.requirement optional ADD
ADD events.registry_value_activity.attributes.status_id.enum.99 {'caption': 'Other', 'description': 'The event status is... ADD
ADD events.registry_value_activity.attributes.type_uid.enum.100203 {'caption': 'Registry Value Activity: Modify'} ADD
ADD events.registry_value_activity.attributes.disposition_id.enum.18 {'caption': 'Tagged', 'description': 'A file or other... ADD
ADD events.registry_value_activity.attributes.firewall_rule {'requirement': 'optional', 'caption': 'Firewall Rule',... ADD
ADD events.registry_value_activity.attributes.disposition_id.enum.5.description A file or other content was deleted. ADD
ADD events.registry_value_activity.attributes.prev_reg_value {'requirement': 'optional', 'caption': 'Previous... ADD
ADD events.registry_value_activity.attributes.count.requirement optional ADD
ADD events.registry_value_activity.attributes.cloud.group primary ADD
ADD events.registry_value_activity.attributes.status_code.requirement optional ADD
ADD events.registry_value_activity.attributes.disposition_id.enum.23 {'caption': 'Challenge', 'description': "Ran a silent... ADD
ADD events.registry_value_activity.attributes.type_uid.enum.100201 {'caption': 'Registry Value Activity: Get'} ADD
ADD events.registry_value_activity.attributes.disposition_id.enum.26 {'caption': 'Unauthorized', 'description': "An attempt... ADD
ADD events.registry_value_activity.attributes.disposition_id.enum.24 {'caption': 'Access Revoked', 'description': "The... ADD
ADD events.registry_value_activity.extension windows ADD
ADD events.registry_value_activity.attributes.disposition_id.enum.1.description Granted access or allowed the action to the protected resource. ADD
ADD events.registry_value_activity.attributes.disposition_id.enum.27 {'caption': 'Error', 'description': 'An error occurred... ADD
ADD events.registry_value_activity.attributes.api {'requirement': 'optional', 'group': 'context',... ADD
ADD events.registry_value_activity.attributes.severity_id.enum.99 {'caption': 'Other', 'description': 'The event/finding... ADD
ADD events.registry_value_activity.attributes.start_time.requirement optional ADD
ADD events.registry_value_activity.attributes.disposition_id.enum.9 {'caption': 'Restored', 'description': 'A quarantined... ADD
ADD events.registry_value_activity.attributes.disposition_id.enum.12.description A corrupt file or configuration was partially corrected. ADD
ADD events.registry_value_activity.attributes.disposition_id.enum.16 {'caption': 'No Action', 'description': 'The outcome of... ADD
ADD events.registry_value_activity.attributes.disposition_id.enum.22 {'caption': 'Captcha', 'description': 'Required the end... ADD
UPDATE events.registry_value_activity.attributes.status_id.enum.-1 REMOVE
IGNORE events.registry_value_activity.attributes.category_uid.default REMOVE
UPDATE events.registry_value_activity.attributes.severity_id.enum.-1 REMOVE
UPDATE events.registry_value_activity.attributes.activity_id.enum.-1 REMOVE
IGNORE events.registry_value_activity.attributes.type_uid.enum.100900 REMOVE
IGNORE events.registry_value_activity.attributes.type_uid.enum.100899 REMOVE
DEPRECATE events.registry_value_activity.attributes.confidence {'group': 'classification', 'requirement': 'optional',... REMOVE
UPDATE events.registry_value_activity.attributes.disposition_id.enum.-1 REMOVE
IGNORE events.registry_value_activity.attributes.class_uid.enum.1009 REMOVE
IGNORE events.registry_value_activity.attributes.type_uid.enum.100902 REMOVE
DEPRECATE events.registry_value_activity.attributes.count.default 1 REMOVE
IGNORE events.registry_value_activity.attributes.class_uid.default REMOVE
IGNORE events.registry_value_activity.attributes.type_uid.enum.100901 REMOVE
IGNORE events.registry_value_activity.attributes.type_uid.enum.100904 REMOVE
REMOVE events.registry_value_activity.attributes.activity_id.$include REMOVE
IGNORE events.registry_value_activity.attributes.type_uid.enum.100903 REMOVE
DEPRECATE events.registry_value_activity.attributes.data {'description': 'Additional data that is associated with... REMOVE
DEPRECATE events.registry_value_activity.attributes.reg_value_result {'requirement': 'optional', 'caption': 'Registry Value... REMOVE
UPDATE events.registry_value_activity.attributes.type_name.description The event/finding type name, as defined by the type_uid. UPDATE
DEPRECATE events.registry_value_activity.attributes.disposition_id.enum.10.description Requires reboot to finish the operation. UPDATE
DEPRECATE events.registry_value_activity.attributes.reg_value.type registry_value UPDATE
REMOVE events.registry_value_activity.attributes.disposition_id.enum.14.caption UPDATE
REMOVE events.registry_value_activity.attributes.attacks.caption UPDATE
IGNORE events.registry_value_activity.attributes.type_uid.type UPDATE
REMOVE events.registry_value_activity.attributes.disposition_id.enum.10.caption UPDATE
UPDATE events.registry_value_activity.attributes.metadata.description The metadata associated with the event or a finding. UPDATE
UPDATE events.registry_value_activity.attributes.time.description The normalized event occurrence time or the finding... UPDATE
UPDATE events.registry_value_activity.attributes.disposition.description The disposition name, normalized to the caption of the... UPDATE
UPDATE events.registry_value_activity.attributes.cloud.description Describes details about the Cloud environment where the... UPDATE
REMOVE events.registry_value_activity.attributes.disposition_id.enum.13.caption UPDATE
REMOVE events.registry_value_activity.attributes.disposition_id.requirement UPDATE
REMOVE events.registry_value_activity.attributes.disposition_id.enum.7.caption UPDATE
REMOVE events.registry_value_activity.attributes.disposition_id.enum.3.caption UPDATE
REMOVE events.registry_value_activity.attributes.disposition_id.enum.6.caption UPDATE
REMOVE events.registry_value_activity.attributes.disposition_id.enum.15.caption UPDATE
REMOVE events.registry_value_activity.attributes.disposition_id.enum.5.caption UPDATE
REMOVE events.registry_value_activity.attributes.disposition_id.enum.11.caption UPDATE
REMOVE events.registry_value_activity.attributes.disposition_id.enum.4.caption UPDATE
UPDATE events.registry_value_activity.attributes.device.description An addressable device, computer system or host. UPDATE
REMOVE events.registry_value_activity.attributes.disposition_id.enum.12.caption UPDATE
UPDATE events.registry_value_activity.attributes.malware.requirement optional UPDATE
UPDATE events.registry_value_activity.attributes.status.description The event status, normalized to the caption of the... UPDATE
IGNORE events.registry_value_activity.attributes.type_uid.description UPDATE
IGNORE events.registry_value_activity.profiles UPDATE
DEPRECATE events.registry_value_activity.attributes.severity_id.enum.0.description The event severity is not known. UPDATE
UPDATE events.registry_value_activity.attributes.observables.description The observables associated with the event or a finding. UPDATE
UPDATE events.registry_value_activity.attributes.enrichments.description The additional information from an external data source,... UPDATE
DEPRECATE events.registry_value_activity.attributes.disposition_id.enum.14.description No longer suspicious (re-scored). UPDATE
REMOVE events.registry_value_activity.attributes.$include UPDATE
UPDATE events.registry_value_activity.attributes.malware.description A list of Malware objects, describing details about the... UPDATE
UPDATE events.registry_value_activity.attributes.severity.description The event/finding severity, normalized to the caption of... UPDATE
UPDATE events.registry_value_activity.attributes.status_detail.description The status details contains additional information about... UPDATE
UPDATE events.registry_value_activity.attributes.message.description The description of the event/finding, as defined by the source. UPDATE
IGNORE events.registry_value_activity.uid UPDATE
REMOVE events.registry_value_activity.attributes.disposition_id.description UPDATE
REMOVE events.registry_value_activity.attributes.disposition_id.enum.1.caption UPDATE
REMOVE events.registry_value_activity.attributes.disposition_id.enum.8.caption UPDATE
DEPRECATE events.registry_value_activity.attributes.disposition_id.enum.15.description Marked with extended attributes. UPDATE
UPDATE events.registry_value_activity.attributes.severity_id.description <p>The normalized identifier of the event/finding... UPDATE
UPDATE events.registry_value_activity.attributes.attacks.description An array of <a target='_blank'... UPDATE
REMOVE events.registry_value_activity.attributes.disposition_id.enum.2.caption UPDATE
ADD events.resource_activity.attributes.disposition_id.enum.26 {'caption': 'Unauthorized', 'description': "An attempt... ADD
ADD events.resource_activity.attributes.type_uid.enum.100300 {'caption': 'Windows Resource Activity: Unknown'} ADD
ADD events.resource_activity.attributes.authorizations {'requirement': 'optional', 'caption': 'Authorization... ADD
ADD events.resource_activity.attributes.unmapped.requirement optional ADD
ADD events.resource_activity.attributes.disposition_id.enum.25 {'caption': 'Rejected', 'description': "A request or... ADD
ADD events.resource_activity.attributes.disposition_id.enum.24 {'caption': 'Access Revoked', 'description': "The... ADD
ADD events.resource_activity.attributes.firewall_rule {'requirement': 'optional', 'caption': 'Firewall Rule',... ADD
ADD events.resource_activity.attributes.disposition_id.enum.8.description A request or submission was approved. For example, when... ADD
ADD events.resource_activity.attributes.win_resource {'group': 'primary', 'requirement': 'required',... ADD
ADD events.resource_activity.extension windows ADD
ADD events.resource_activity.attributes.disposition_id.enum.4.description A session was isolated on the network or within a browser. ADD
ADD events.resource_activity.attributes.disposition_id.enum.20 {'caption': 'Count', 'description': 'Counted the request... ADD
ADD events.resource_activity.attributes.disposition_id.enum.5.description A file or other content was deleted. ADD
ADD events.resource_activity.attributes.end_time.requirement optional ADD
ADD events.resource_activity.attributes.cloud.group primary ADD
ADD events.resource_activity.attributes.disposition_id.enum.1.description Granted access or allowed the action to the protected resource. ADD
ADD events.resource_activity.attributes.status_id.enum.99 {'caption': 'Other', 'description': 'The event status is... ADD
ADD events.resource_activity.attributes.disposition_id.enum.18 {'caption': 'Tagged', 'description': 'A file or other... ADD
ADD events.resource_activity.attributes.disposition_id.enum.13.description A corrupt file or configuration was not corrected. ADD
ADD events.resource_activity.attributes.status_id.enum.0.description The status is unknown. ADD
ADD events.resource_activity.attributes.disposition_id.enum.17 {'caption': 'Logged', 'description': 'The operation or... ADD
ADD events.resource_activity.attributes.disposition_id.enum.22 {'caption': 'Captcha', 'description': 'Required the end... ADD
ADD events.resource_activity.attributes.disposition_id.enum.19 {'caption': 'Alert', 'description': 'The request or... ADD
ADD events.resource_activity.attributes.disposition_id.enum.23 {'caption': 'Challenge', 'description': "Ran a silent... ADD
ADD events.resource_activity.attributes.disposition_id.enum.11.description A corrupt file or configuration was corrected. ADD
ADD events.resource_activity.attributes.activity_id.enum.99 {'caption': 'Other', 'description': 'The event activity... ADD
ADD events.resource_activity.attributes.disposition_id.enum.6.description The request was detected as a threat and resulted in the... ADD
ADD events.resource_activity.attributes.count.requirement optional ADD
ADD events.resource_activity.attributes.start_time.requirement optional ADD
ADD events.resource_activity.attributes.disposition_id.enum.7.description A custom action was executed such as running of a... ADD
ADD events.resource_activity.attributes.disposition_id.enum.0.description The disposition was not known. ADD
ADD events.resource_activity.attributes.status_code.requirement optional ADD
ADD events.resource_activity.attributes.action {'caption': 'Action', 'description': 'The normalized... ADD
ADD events.resource_activity.attributes.disposition_id.enum.12.description A corrupt file or configuration was partially corrected. ADD
ADD events.resource_activity.attributes.class_uid.enum.1003 {'caption': 'Windows Resource Activity', 'description':... ADD
ADD events.resource_activity.attributes.disposition_id.enum.99 {'caption': 'Other', 'description': 'The disposition is... ADD
ADD events.resource_activity.attributes.disposition_id.enum.3.description A suspicious file or other content was moved to a benign... ADD
ADD events.resource_activity.attributes.duration.requirement optional ADD
ADD events.resource_activity.attributes.action_id {'caption': 'Action ID', 'description': "The action... ADD
ADD events.resource_activity.attributes.status_detail.requirement optional ADD
ADD events.resource_activity.attributes.disposition_id.enum.27 {'caption': 'Error', 'description': 'An error occurred... ADD
ADD events.resource_activity.attributes.raw_data.requirement optional ADD
ADD events.resource_activity.attributes.disposition_id.enum.21 {'caption': 'Reset', 'description': 'The request was... ADD
ADD events.resource_activity.attributes.disposition_id.enum.2.description Denied access or blocked the action to the protected resource. ADD
ADD events.resource_activity.attributes.enrichments.requirement optional ADD
ADD events.resource_activity.attributes.api {'requirement': 'optional', 'group': 'context',... ADD
ADD events.resource_activity.attributes.disposition_id.enum.9 {'caption': 'Restored', 'description': 'A quarantined... ADD
ADD events.resource_activity.attributes.disposition_id.enum.16 {'caption': 'No Action', 'description': 'The outcome of... ADD
ADD events.resource_activity.attributes.type_uid.enum.100399 {'caption': 'Windows Resource Activity: Other'} ADD
ADD events.resource_activity.attributes.type_uid.enum.100301 {'caption': 'Windows Resource Activity: Access'} ADD
ADD events.resource_activity.attributes.severity_id.enum.99 {'caption': 'Other', 'description': 'The event/finding... ADD
IGNORE events.resource_activity.attributes.type_uid.enum.101000 REMOVE
IGNORE events.resource_activity.attributes.type_uid.enum.101001 REMOVE
UPDATE events.resource_activity.attributes.severity_id.enum.-1 REMOVE
DEPRECATE events.resource_activity.attributes.data {'description': 'Additional data that is associated with... REMOVE
DEPRECATE events.resource_activity.attributes.resource {'description': 'The resource that was accessed.',... REMOVE
IGNORE events.resource_activity.attributes.class_uid.default REMOVE
DEPRECATE events.resource_activity.attributes.count.default 1 REMOVE
IGNORE events.resource_activity.attributes.category_uid.default REMOVE
IGNORE events.resource_activity.attributes.type_uid.enum.100999 REMOVE
DEPRECATE events.resource_activity.attributes.confidence {'group': 'classification', 'requirement': 'optional',... REMOVE
UPDATE events.resource_activity.attributes.disposition_id.enum.-1 REMOVE
UPDATE events.resource_activity.attributes.activity_id.enum.-1 REMOVE
REMOVE events.resource_activity.attributes.activity_id.$include REMOVE
UPDATE events.resource_activity.attributes.status_id.enum.-1 REMOVE
IGNORE events.resource_activity.attributes.class_uid.enum.1010 REMOVE
REMOVE events.resource_activity.attributes.attacks.caption UPDATE
REMOVE events.resource_activity.attributes.disposition_id.enum.6.caption UPDATE
UPDATE events.resource_activity.attributes.time.description The normalized event occurrence time or the finding... UPDATE
REMOVE events.resource_activity.attributes.disposition_id.enum.3.caption UPDATE
IGNORE events.resource_activity.uid UPDATE
REMOVE events.resource_activity.attributes.disposition_id.enum.14.caption UPDATE
UPDATE events.resource_activity.attributes.malware.requirement optional UPDATE
DEPRECATE events.resource_activity.attributes.disposition_id.enum.10.description Requires reboot to finish the operation. UPDATE
UPDATE events.resource_activity.attributes.enrichments.description The additional information from an external data source,... UPDATE
UPDATE events.resource_activity.attributes.malware.description A list of Malware objects, describing details about the... UPDATE
UPDATE events.resource_activity.caption Windows Resource Activity UPDATE
DEPRECATE events.resource_activity.attributes.severity_id.enum.0.description The event severity is not known. UPDATE
IGNORE events.resource_activity.attributes.type_uid.type UPDATE
UPDATE events.resource_activity.attributes.status.description The event status, normalized to the caption of the... UPDATE
REMOVE events.resource_activity.attributes.disposition_id.enum.8.caption UPDATE
IGNORE events.resource_activity.profiles UPDATE
REMOVE events.resource_activity.attributes.disposition_id.enum.12.caption UPDATE
UPDATE events.resource_activity.attributes.severity_id.description <p>The normalized identifier of the event/finding... UPDATE
REMOVE events.resource_activity.attributes.$include UPDATE
UPDATE events.resource_activity.attributes.observables.description The observables associated with the event or a finding. UPDATE
UPDATE events.resource_activity.attributes.severity.description The event/finding severity, normalized to the caption of... UPDATE
REMOVE events.resource_activity.attributes.disposition_id.enum.11.caption UPDATE
REMOVE events.resource_activity.attributes.disposition_id.enum.10.caption UPDATE
UPDATE events.resource_activity.attributes.actor.description The actor object describes details about the... UPDATE
DEPRECATE events.resource_activity.attributes.disposition_id.enum.14.description No longer suspicious (re-scored). UPDATE
IGNORE events.resource_activity.attributes.type_uid.description UPDATE
REMOVE events.resource_activity.attributes.disposition_id.enum.2.caption UPDATE
DEPRECATE events.resource_activity.attributes.disposition_id.enum.15.description Marked with extended attributes. UPDATE
REMOVE events.resource_activity.attributes.disposition_id.enum.5.caption UPDATE
REMOVE events.resource_activity.attributes.disposition_id.enum.4.caption UPDATE
REMOVE events.resource_activity.attributes.disposition_id.enum.7.caption UPDATE
UPDATE events.resource_activity.attributes.status_detail.description The status details contains additional information about... UPDATE
UPDATE events.resource_activity.attributes.cloud.description Describes details about the Cloud environment where the... UPDATE
UPDATE events.resource_activity.attributes.disposition.description The disposition name, normalized to the caption of the... UPDATE
REMOVE events.resource_activity.attributes.disposition_id.enum.15.caption UPDATE
UPDATE events.resource_activity.attributes.message.description The description of the event/finding, as defined by the source. UPDATE
UPDATE events.resource_activity.attributes.device.description An addressable device, computer system or host. UPDATE
REMOVE events.resource_activity.attributes.disposition_id.enum.13.caption UPDATE
UPDATE events.resource_activity.description Windows Resource Activity events report when a process... UPDATE
UPDATE events.resource_activity.attributes.metadata.description The metadata associated with the event or a finding. UPDATE
REMOVE events.resource_activity.attributes.disposition_id.enum.1.caption UPDATE
UPDATE events.resource_activity.attributes.type_name.description The event/finding type name, as defined by the type_uid. UPDATE
REMOVE events.resource_activity.attributes.disposition_id.description UPDATE
UPDATE events.resource_activity.attributes.attacks.description An array of <a target='_blank'... UPDATE
REMOVE events.resource_activity.attributes.disposition_id.requirement UPDATE
ADD events.prefetch_info.attributes.type_uid.enum.501905 {'caption': 'Prefetch Info: Unsupported'} ADD
ADD events.prefetch_info.attributes.$include ['profiles/host.json'] ADD
ADD events.prefetch_info.attributes.unmapped.requirement optional ADD
ADD events.prefetch_info.attributes.duration.requirement optional ADD
ADD events.prefetch_info.attributes.raw_data.requirement optional ADD
ADD events.prefetch_info.attributes.actor {'requirement': 'optional', 'caption': 'Actor',... ADD
ADD events.prefetch_info.attributes.type_uid.enum.501999 {'caption': 'Prefetch Info: Other'} ADD
ADD events.prefetch_info.attributes.status_id.enum.0.description The status is unknown. ADD
ADD events.prefetch_info.attributes.end_time.requirement optional ADD
ADD events.prefetch_info.attributes.api {'requirement': 'optional', 'group': 'context',... ADD
ADD events.prefetch_info.attributes.type_uid.enum.501901 {'caption': 'Prefetch Info: Exists'} ADD
ADD events.prefetch_info.attributes.status_detail.requirement optional ADD
ADD events.prefetch_info.attributes.category_uid.enum.5 {'caption': 'Discovery', 'description': 'Discovery... ADD
ADD events.prefetch_info.attributes.cloud.group primary ADD
ADD events.prefetch_info.attributes.activity_id.enum.1.description The target was found. ADD
ADD events.prefetch_info.attributes.device {'requirement': 'recommended', 'caption': 'Device',... ADD
ADD events.prefetch_info.attributes.type_uid.enum.501903 {'caption': 'Prefetch Info: Does not exist'} ADD
ADD events.prefetch_info.attributes.count.requirement optional ADD
ADD events.prefetch_info.attributes.start_time.requirement optional ADD
ADD events.prefetch_info.attributes.class_uid.enum.5019 {'caption': 'Prefetch Info', 'description': 'Prefetch... ADD
ADD events.prefetch_info.attributes.status_id.enum.99 {'caption': 'Other', 'description': 'The event status is... ADD
ADD events.prefetch_info.attributes.severity_id.enum.99 {'caption': 'Other', 'description': 'The event/finding... ADD
ADD events.prefetch_info.attributes.activity_id.enum.99 {'caption': 'Other', 'description': 'The event activity... ADD
ADD events.prefetch_info.attributes.status_code.requirement optional ADD
ADD events.prefetch_info.attributes.activity_id.enum.5 {'caption': 'Unsupported', 'description': 'Discovery of... ADD
ADD events.prefetch_info.attributes.activity_id.enum.4 {'caption': 'Error', 'description': 'The discovery... ADD
ADD events.prefetch_info.attributes.type_uid.enum.501900 {'caption': 'Prefetch Info: Unknown'} ADD
ADD events.prefetch_info.attributes.enrichments.requirement optional ADD
ADD events.prefetch_info.attributes.activity_id.enum.2.description The target was partially found. ADD
ADD events.prefetch_info.attributes.type_uid.enum.501902 {'caption': 'Prefetch Info: Partial'} ADD
ADD events.prefetch_info.attributes.activity_id.enum.3 {'caption': 'Does not exist', 'description': 'The target... ADD
ADD events.prefetch_info.attributes.type_uid.enum.501904 {'caption': 'Prefetch Info: Error'} ADD
IGNORE events.prefetch_info.attributes.type_uid.enum.3201000 REMOVE
DEPRECATE events.prefetch_info.attributes.confidence {'group': 'classification', 'requirement': 'optional',... REMOVE
UPDATE events.prefetch_info.attributes.activity_id.enum.-1 REMOVE
UPDATE events.prefetch_info.attributes.status_id.enum.-1 REMOVE
IGNORE events.prefetch_info.attributes.class_uid.enum.32010 REMOVE
DEPRECATE events.prefetch_info.attributes.count.default 1 REMOVE
IGNORE events.prefetch_info.attributes.type_uid.enum.3201001 REMOVE
DEPRECATE events.prefetch_info.attributes.command_uid {'description': 'The unique identifier of the discovery... REMOVE
IGNORE events.prefetch_info.attributes.type_uid.enum.3200999 REMOVE
IGNORE events.prefetch_info.attributes.category_uid.enum.32 REMOVE
IGNORE events.prefetch_info.attributes.category_uid.default REMOVE
IGNORE events.prefetch_info.attributes.type_uid.enum.3201002 REMOVE
UPDATE events.prefetch_info.attributes.severity_id.enum.-1 REMOVE
DEPRECATE events.prefetch_info.attributes.data {'description': 'Additional data that is associated with... REMOVE
REMOVE events.prefetch_info.attributes.activity_id.$include REMOVE
IGNORE events.prefetch_info.attributes.class_uid.default REMOVE
DEPRECATE events.prefetch_info.attributes.scan_uid {'description': 'The unique identifier of the discovery... REMOVE
DEPRECATE events.prefetch_info.attributes.severity_id.enum.0.description The event severity is not known. UPDATE
UPDATE events.prefetch_info.attributes.status.description The event status, normalized to the caption of the... UPDATE
IGNORE events.prefetch_info.uid UPDATE
IGNORE events.prefetch_info.profiles UPDATE
UPDATE events.prefetch_info.attributes.status_detail.description The status details contains additional information about... UPDATE
UPDATE events.prefetch_info.attributes.cloud.description Describes details about the Cloud environment where the... UPDATE
UPDATE events.prefetch_info.attributes.metadata.description The metadata associated with the event or a finding. UPDATE
UPDATE events.prefetch_info.attributes.enrichments.description The additional information from an external data source,... UPDATE
UPDATE events.prefetch_info.attributes.severity.description The event/finding severity, normalized to the caption of... UPDATE
UPDATE events.prefetch_info.attributes.observables.description The observables associated with the event or a finding. UPDATE
IGNORE events.prefetch_info.attributes.type_uid.description UPDATE
IGNORE events.prefetch_info.attributes.type_uid.type UPDATE
UPDATE events.prefetch_info.attributes.severity_id.description <p>The normalized identifier of the event/finding... UPDATE
UPDATE events.prefetch_info.attributes.time.description The normalized event occurrence time or the finding... UPDATE
UPDATE events.prefetch_info.attributes.type_name.description The event/finding type name, as defined by the type_uid. UPDATE
UPDATE events.prefetch_info.attributes.message.description The description of the event/finding, as defined by the source. UPDATE
ADD events.registry_key_info.attributes.category_uid.enum.5 {'caption': 'Discovery', 'description': 'Discovery... ADD
ADD events.registry_key_info.attributes.$include ['profiles/host.json'] ADD
ADD events.registry_key_info.attributes.activity_id.enum.3 {'caption': 'Does not exist', 'description': 'The target... ADD
ADD events.registry_key_info.attributes.cloud.group primary ADD
ADD events.registry_key_info.attributes.type_uid.enum.500404 {'caption': 'Registry Key Info: Error'} ADD
ADD events.registry_key_info.attributes.raw_data.requirement optional ADD
ADD events.registry_key_info.attributes.class_uid.enum.5004 {'caption': 'Registry Key Info', 'description':... ADD
ADD events.registry_key_info.attributes.activity_id.enum.1.description The target was found. ADD
ADD events.registry_key_info.attributes.unmapped.requirement optional ADD
ADD events.registry_key_info.attributes.type_uid.enum.500499 {'caption': 'Registry Key Info: Other'} ADD
ADD events.registry_key_info.attributes.type_uid.enum.500403 {'caption': 'Registry Key Info: Does not exist'} ADD
ADD events.registry_key_info.attributes.activity_id.enum.99 {'caption': 'Other', 'description': 'The event activity... ADD
ADD events.registry_key_info.attributes.duration.requirement optional ADD
ADD events.registry_key_info.attributes.actor {'requirement': 'optional', 'caption': 'Actor',... ADD
ADD events.registry_key_info.attributes.activity_id.enum.4 {'caption': 'Error', 'description': 'The discovery... ADD
ADD events.registry_key_info.attributes.status_code.requirement optional ADD
ADD events.registry_key_info.attributes.severity_id.enum.99 {'caption': 'Other', 'description': 'The event/finding... ADD
ADD events.registry_key_info.attributes.status_id.enum.99 {'caption': 'Other', 'description': 'The event status is... ADD
ADD events.registry_key_info.attributes.api {'requirement': 'optional', 'group': 'context',... ADD
ADD events.registry_key_info.attributes.activity_id.enum.5 {'caption': 'Unsupported', 'description': 'Discovery of... ADD
ADD events.registry_key_info.attributes.device {'requirement': 'recommended', 'caption': 'Device',... ADD
ADD events.registry_key_info.attributes.count.requirement optional ADD
ADD events.registry_key_info.attributes.activity_id.enum.2.description The target was partially found. ADD
ADD events.registry_key_info.attributes.type_uid.enum.500402 {'caption': 'Registry Key Info: Partial'} ADD
ADD events.registry_key_info.attributes.status_detail.requirement optional ADD
ADD events.registry_key_info.attributes.type_uid.enum.500401 {'caption': 'Registry Key Info: Exists'} ADD
ADD events.registry_key_info.attributes.type_uid.enum.500400 {'caption': 'Registry Key Info: Unknown'} ADD
ADD events.registry_key_info.attributes.enrichments.requirement optional ADD
ADD events.registry_key_info.attributes.type_uid.enum.500405 {'caption': 'Registry Key Info: Unsupported'} ADD
ADD events.registry_key_info.attributes.end_time.requirement optional ADD
ADD events.registry_key_info.attributes.status_id.enum.0.description The status is unknown. ADD
ADD events.registry_key_info.attributes.start_time.requirement optional ADD
UPDATE events.registry_key_info.attributes.activity_id.enum.-1 REMOVE
IGNORE events.registry_key_info.attributes.class_uid.default REMOVE
IGNORE events.registry_key_info.attributes.category_uid.enum.32 REMOVE
DEPRECATE events.registry_key_info.attributes.data {'description': 'Additional data that is associated with... REMOVE
UPDATE events.registry_key_info.attributes.status_id.enum.-1 REMOVE
DEPRECATE events.registry_key_info.attributes.scan_uid {'description': 'The unique identifier of the discovery... REMOVE
IGNORE events.registry_key_info.attributes.type_uid.enum.3201199 REMOVE
DEPRECATE events.registry_key_info.attributes.confidence {'group': 'classification', 'requirement': 'optional',... REMOVE
DEPRECATE events.registry_key_info.attributes.command_uid {'description': 'The unique identifier of the discovery... REMOVE
IGNORE events.registry_key_info.attributes.type_uid.enum.3201201 REMOVE
IGNORE events.registry_key_info.attributes.category_uid.default REMOVE
DEPRECATE events.registry_key_info.attributes.count.default 1 REMOVE
REMOVE events.registry_key_info.attributes.activity_id.$include REMOVE
IGNORE events.registry_key_info.attributes.type_uid.enum.3201202 REMOVE
IGNORE events.registry_key_info.attributes.class_uid.enum.32012 REMOVE
IGNORE events.registry_key_info.attributes.type_uid.enum.3201200 REMOVE
UPDATE events.registry_key_info.attributes.severity_id.enum.-1 REMOVE
UPDATE events.registry_key_info.attributes.message.description The description of the event/finding, as defined by the source. UPDATE
UPDATE events.registry_key_info.attributes.status.description The event status, normalized to the caption of the... UPDATE
UPDATE events.registry_key_info.attributes.metadata.description The metadata associated with the event or a finding. UPDATE
DEPRECATE events.registry_key_info.attributes.severity_id.enum.0.description The event severity is not known. UPDATE
UPDATE events.registry_key_info.attributes.severity_id.description <p>The normalized identifier of the event/finding... UPDATE
UPDATE events.registry_key_info.attributes.observables.description The observables associated with the event or a finding. UPDATE
UPDATE events.registry_key_info.description Registry Key Info events report information about... UPDATE
UPDATE events.registry_key_info.attributes.reg_key.description The registry key that pertains to the event. UPDATE
IGNORE events.registry_key_info.attributes.type_uid.type UPDATE
DEPRECATE events.registry_key_info.attributes.reg_key.type registry_key UPDATE
UPDATE events.registry_key_info.attributes.type_name.description The event/finding type name, as defined by the type_uid. UPDATE
UPDATE events.registry_key_info.attributes.cloud.description Describes details about the Cloud environment where the... UPDATE
IGNORE events.registry_key_info.uid UPDATE
IGNORE events.registry_key_info.profiles UPDATE
UPDATE events.registry_key_info.attributes.enrichments.description The additional information from an external data source,... UPDATE
UPDATE events.registry_key_info.attributes.severity.description The event/finding severity, normalized to the caption of... UPDATE
UPDATE events.registry_key_info.attributes.status_detail.description The status details contains additional information about... UPDATE
UPDATE events.registry_key_info.attributes.time.description The normalized event occurrence time or the finding... UPDATE
IGNORE events.registry_key_info.attributes.type_uid.description UPDATE
ADD events.email_delivery_activity.attributes.type_uid.enum.402999 {'caption': 'Email Delivery Activity: Other'} ADD
ADD events.email_delivery_activity.attributes.type_uid.enum.403002 {'caption': 'Email Delivery Activity: Failed'} ADD
ADD events.email_delivery_activity.attributes.severity_id.enum.99 {'caption': 'Other', 'description': 'The event/finding... ADD
ADD events.email_delivery_activity.attributes.type_uid.enum.403000 {'caption': 'Email Delivery Activity: Unknown'} ADD
ADD events.email_delivery_activity.attributes.disposition_id.enum.99 {'caption': 'Other', 'description': 'The disposition is... ADD
ADD events.email_delivery_activity.attributes.type_uid.enum.403001 {'caption': 'Email Delivery Activity: Delivered'} ADD
ADD events.email_delivery_activity.attributes.class_uid.enum.4030 {'caption': 'Email Delivery Activity', 'description':... ADD
ADD events.email_delivery_activity.attributes.category_uid.enum.4 {'caption': 'Network Activity', 'description': 'Network... ADD
ADD events.email_delivery_activity.attributes.type_uid.enum.403003 {'caption': 'Email Delivery Activity: Temporary Failure'} ADD
ADD events.email_delivery_activity.attributes.status_id.enum.99 {'caption': 'Other', 'description': 'The event status is... ADD
ADD events.email_delivery_activity.@deprecated {'since': '1.1.0', 'message': 'Deprecated in upgrade... ADD
ADD events.email_delivery_activity.attributes.disposition_id.enum.0.description The disposition is unknown. ADD
ADD events.email_delivery_activity.attributes.activity_id.enum.99 {'caption': 'Other', 'description': 'The event activity... ADD
ADD events.email_delivery_activity.attributes.status_id.enum.0.description The status is unknown. ADD
DEPRECATE events.email_delivery_activity.attributes.email_auth {'requirement': 'recommended', 'group': 'primary',... REMOVE
IGNORE events.email_delivery_activity.attributes.type_uid.enum.100000 REMOVE
REMOVE events.email_delivery_activity.attributes.$include REMOVE
IGNORE events.email_delivery_activity.attributes.type_uid.enum.99999 REMOVE
IGNORE events.email_delivery_activity.attributes.category_uid.default REMOVE
DEPRECATE events.email_delivery_activity.attributes.sender_ip {'requirement': 'optional', 'group': 'context',... REMOVE
DEPRECATE events.email_delivery_activity.attributes.receiver_ip {'requirement': 'optional', 'group': 'context',... REMOVE
DEPRECATE events.email_delivery_activity.attributes.receiver_hostname {'requirement': 'optional', 'group': 'context',... REMOVE
DEPRECATE events.email_delivery_activity.attributes.dkim_signature {'requirement': 'recommended', 'group': 'context',... REMOVE
DEPRECATE events.email_delivery_activity.attributes.category_name {'requirement': 'optional', 'caption': 'Category',... REMOVE
IGNORE events.email_delivery_activity.attributes.type_uid.enum.100003 REMOVE
IGNORE events.email_delivery_activity.attributes.category_uid.requirement REMOVE
IGNORE events.email_delivery_activity.attributes.class_uid.enum.1000 REMOVE
DEPRECATE events.email_delivery_activity.attributes.attempt {'requirement': 'recommended', 'group': 'context',... REMOVE
DEPRECATE events.email_delivery_activity.attributes.connection_uid {'requirement': 'optional', 'group': 'context',... REMOVE
PRESERVE events.email_delivery_activity.associations {'device': ['actor.user'], 'actor.user': ['device']} REMOVE
IGNORE events.email_delivery_activity.attributes.type_uid.enum.100002 REMOVE
IGNORE events.email_delivery_activity.attributes.type_uid.enum.100001 REMOVE
DEPRECATE events.email_delivery_activity.attributes.sender_hostname {'requirement': 'optional', 'group': 'context',... REMOVE
IGNORE events.email_delivery_activity.extension REMOVE
DEPRECATE events.email_delivery_activity.attributes.email_uid {'requirement': 'recommended', 'group': 'primary',... REMOVE
IGNORE events.email_delivery_activity.attributes.class_uid.default REMOVE
IGNORE events.email_delivery_activity.attributes.type_uid.requirement REMOVE
DEPRECATE events.email_delivery_activity.attributes.class_name {'requirement': 'optional', 'caption': 'Class',... REMOVE
DEPRECATE events.email_delivery_activity.attributes.banner {'requirement': 'optional', 'group': 'context',... REMOVE
IGNORE events.email_delivery_activity.attributes.class_uid.requirement REMOVE
IGNORE events.email_delivery_activity.attributes.category_uid.enum.1 REMOVE
IGNORE events.email_delivery_activity.extends REMOVE
DEPRECATE events.email_delivery_activity.attributes.email {'requirement': 'required', 'group': 'primary',... REMOVE
REMOVE events.email_delivery_activity.attributes.activity_id.$include REMOVE
IGNORE events.email_delivery_activity.attributes.type_uid.description UPDATE
IGNORE events.email_delivery_activity.attributes.type_uid.type UPDATE
IGNORE events.email_delivery_activity.uid UPDATE
UPDATE events.email_delivery_activity.attributes.device.description An addressable device, computer system or host. UPDATE
UPDATE events.email_delivery_activity.category network UPDATE
UPDATE events.email_delivery_activity.attributes.actor.description The actor object describes details about the... UPDATE
ADD events.security_finding.attributes.evidence {'group': 'context', 'requirement': 'optional',... ADD
ADD events.security_finding.@deprecated {'message': 'Use the new specific classes according to... ADD
ADD events.security_finding.attributes.severity_id.enum.99 {'caption': 'Other', 'description': 'The event/finding... ADD
ADD events.security_finding.attributes.data_sources {'group': 'context', 'requirement': 'optional',... ADD
ADD events.security_finding.attributes.risk_level_id {'group': 'primary', 'requirement': 'optional',... ADD
ADD events.security_finding.attributes.cloud.group primary ADD
ADD events.security_finding.attributes.enrichments.requirement optional ADD
ADD events.security_finding.attributes.count.requirement optional ADD
ADD events.security_finding.attributes.raw_data.requirement optional ADD
ADD events.security_finding.attributes.status_detail.requirement optional ADD
ADD events.security_finding.attributes.cis_csc {'group': 'context', 'requirement': 'optional',... ADD
ADD events.security_finding.attributes.status_id.enum.0.description The status is unknown. ADD
ADD events.security_finding.attributes.activity_id.enum.99 {'caption': 'Other', 'description': 'The event activity... ADD
ADD events.security_finding.attributes.risk_level {'group': 'primary', 'requirement': 'optional',... ADD
ADD events.security_finding.attributes.type_uid.enum.200103 {'caption': 'Security Finding: Close'} ADD
ADD events.security_finding.attributes.analytic {'group': 'primary', 'requirement': 'recommended',... ADD
ADD events.security_finding.attributes.impact_score {'group': 'primary', 'requirement': 'optional',... ADD
ADD events.security_finding.attributes.start_time.requirement optional ADD
ADD events.security_finding.attributes.status_code.requirement optional ADD
ADD events.security_finding.attributes.activity_id.enum.3 {'caption': 'Close', 'description': 'A security finding... ADD
ADD events.security_finding.attributes.impact {'group': 'primary', 'requirement': 'optional',... ADD
ADD events.security_finding.attributes.kill_chain {'group': 'context', 'requirement': 'optional',... ADD
ADD events.security_finding.attributes.duration.requirement optional ADD
ADD events.security_finding.attributes.nist {'group': 'context', 'requirement': 'optional',... ADD
ADD events.security_finding.attributes.unmapped.requirement optional ADD
ADD events.security_finding.attributes.risk_score {'group': 'primary', 'requirement': 'optional',... ADD
ADD events.security_finding.attributes.api {'requirement': 'optional', 'group': 'context',... ADD
ADD events.security_finding.attributes.status_id.enum.99 {'caption': 'Other', 'description': 'The event status is... ADD
ADD events.security_finding.attributes.impact_id {'group': 'primary', 'requirement': 'recommended',... ADD
ADD events.security_finding.attributes.confidence_id {'group': 'primary', 'requirement': 'recommended',... ADD
ADD events.security_finding.attributes.type_uid.enum.200199 {'caption': 'Security Finding: Other'} ADD
ADD events.security_finding.attributes.state_id.enum.99 {'caption': 'Other', 'description': 'The state is not... ADD
ADD events.security_finding.attributes.state_id.enum.0.description The state is unknown. ADD
ADD events.security_finding.attributes.confidence_score {'group': 'primary', 'requirement': 'optional',... ADD
ADD events.security_finding.attributes.end_time.requirement optional ADD
DEPRECATE events.security_finding.attributes.data {'description': 'Additional data that is associated with... REMOVE
UPDATE events.security_finding.attributes.status_id.enum.-1 REMOVE
REMOVE events.security_finding.attributes.activity_id.$include REMOVE
IGNORE events.security_finding.attributes.class_uid.default REMOVE
UPDATE events.security_finding.attributes.severity_id.enum.-1 REMOVE
IGNORE events.security_finding.attributes.type_uid.enum.200099 REMOVE
IGNORE events.security_finding.attributes.category_uid.default REMOVE
DEPRECATE events.security_finding.attributes.disposition {'requirement': 'optional', 'caption': 'Disposition',... REMOVE
UPDATE events.security_finding.attributes.activity_id.enum.-1 REMOVE
UPDATE events.security_finding.attributes.state_id.enum.-1 REMOVE
DEPRECATE events.security_finding.attributes.disposition_id {'requirement': 'required', 'caption': 'Disposition ID',... REMOVE
DEPRECATE events.security_finding.attributes.count.default 1 REMOVE
DEPRECATE events.security_finding.attributes.confidence.group classification UPDATE
UPDATE events.security_finding.attributes.malware.requirement optional UPDATE
IGNORE events.security_finding.attributes.type_uid.description UPDATE
UPDATE events.security_finding.attributes.activity_id.enum.2.description A security finding was updated. UPDATE
UPDATE events.security_finding.attributes.confidence.description The confidence, normalized to the caption of the... UPDATE
UPDATE events.security_finding.attributes.message.description The description of the event/finding, as defined by the source. UPDATE
IGNORE events.security_finding.attributes.type_uid.type UPDATE
REMOVE events.security_finding.attributes.attacks.caption UPDATE
UPDATE events.security_finding.attributes.enrichments.description The additional information from an external data source,... UPDATE
UPDATE events.security_finding.attributes.device.description An addressable device, computer system or host. UPDATE
UPDATE events.security_finding.attributes.activity_id.enum.1.caption Create UPDATE
UPDATE events.security_finding.attributes.metadata.description The metadata associated with the event or a finding. UPDATE
UPDATE events.security_finding.attributes.activity_id.enum.1.description A security finding was created. UPDATE
PRESERVE events.security_finding.attributes.resources.type resource UPDATE
PRESERVE events.security_finding.attributes.resources.description A list of resources associated to an event. UPDATE
UPDATE events.security_finding.attributes.cloud.description Describes details about the Cloud environment where the... UPDATE
IGNORE events.security_finding.profiles UPDATE
UPDATE events.security_finding.attributes.vulnerabilities.description This object describes vulnerabilities reported in a... UPDATE
UPDATE events.security_finding.attributes.observables.description The observables associated with the event or a finding. UPDATE
UPDATE events.security_finding.attributes.attacks.description The attack object describes the technique and associated... UPDATE
DEPRECATE events.security_finding.attributes.confidence.type integer_t UPDATE
UPDATE events.security_finding.attributes.time.description The normalized event occurrence time or the finding... UPDATE
UPDATE events.security_finding.attributes.finding.description The Finding object provides details about a... UPDATE
UPDATE events.security_finding.attributes.status_detail.description The status details contains additional information about... UPDATE
UPDATE events.security_finding.attributes.status.description The event status, normalized to the caption of the... UPDATE
UPDATE events.security_finding.attributes.type_name.description The event/finding type name, as defined by the type_uid. UPDATE
UPDATE events.security_finding.attributes.compliance.description The compliance object provides context to compliance... UPDATE
UPDATE events.security_finding.attributes.malware.description A list of Malware objects, describing details about the... UPDATE
DEPRECATE events.security_finding.attributes.severity_id.enum.0.description The event severity is not known. UPDATE
UPDATE events.security_finding.attributes.severity.description The event/finding severity, normalized to the caption of... UPDATE
UPDATE events.security_finding.attributes.severity_id.description <p>The normalized identifier of the event/finding... UPDATE
IGNORE events.security_finding.attributes.type_uid.enum.200101.caption UPDATE
ADD events.base_event.attributes.end_time.requirement optional ADD
ADD events.base_event.attributes.duration.requirement optional ADD
ADD events.base_event.attributes.status_code.requirement optional ADD
ADD events.base_event.attributes.class_uid.enum.0 {'caption': 'Base Event'} ADD
ADD events.base_event.attributes.status_id.enum.99 {'caption': 'Other', 'description': 'The event status is... ADD
ADD events.base_event.attributes.status_id.enum.0.description The status is unknown. ADD
ADD events.base_event.attributes.severity_id.enum.99 {'caption': 'Other', 'description': 'The event/finding... ADD
ADD events.base_event.attributes.enrichments.requirement optional ADD
ADD events.base_event.attributes.unmapped.requirement optional ADD
ADD events.base_event.attributes.api {'requirement': 'optional', 'group': 'context',... ADD
ADD events.base_event.category other ADD
ADD events.base_event.attributes.activity_id.enum.99 {'caption': 'Other', 'description': 'The event activity... ADD
ADD events.base_event.attributes.category_uid.enum.0 {'caption': 'Uncategorized'} ADD
ADD events.base_event.attributes.cloud.group primary ADD
ADD events.base_event.attributes.start_time.requirement optional ADD
ADD events.base_event.attributes.count.requirement optional ADD
ADD events.base_event.attributes.raw_data.requirement optional ADD
ADD events.base_event.attributes.status_detail.requirement optional ADD
REMOVE events.base_event.attributes.activity_id.$include REMOVE
DEPRECATE events.base_event.attributes.count.default 1 REMOVE
UPDATE events.base_event.attributes.activity_id.enum.-1 REMOVE
DEPRECATE events.base_event.attributes.data {'description': 'Additional data that is associated with... REMOVE
DEPRECATE events.base_event.attributes.confidence {'group': 'classification', 'requirement': 'optional',... REMOVE
UPDATE events.base_event.attributes.status_id.enum.-1 REMOVE
UPDATE events.base_event.attributes.class_uid.enum.-1 REMOVE
IGNORE events.base_event.attributes.category_uid.default REMOVE
UPDATE events.base_event.attributes.category_uid.enum.-1 REMOVE
IGNORE events.base_event.attributes.class_uid.default REMOVE
UPDATE events.base_event.attributes.severity_id.enum.-1 REMOVE
IGNORE events.base_event.attributes.type_uid.type UPDATE
UPDATE events.base_event.attributes.observables.description The observables associated with the event or a finding. UPDATE
UPDATE events.base_event.attributes.status.description The event status, normalized to the caption of the... UPDATE
UPDATE events.base_event.attributes.status_detail.description The status details contains additional information about... UPDATE
UPDATE events.base_event.attributes.type_name.description The event/finding type name, as defined by the type_uid. UPDATE
IGNORE events.base_event.attributes.type_uid.description UPDATE
UPDATE events.base_event.attributes.time.description The normalized event occurrence time or the finding... UPDATE
UPDATE events.base_event.attributes.message.description The description of the event/finding, as defined by the source. UPDATE
UPDATE events.base_event.attributes.severity_id.description <p>The normalized identifier of the event/finding... UPDATE
DEPRECATE events.base_event.attributes.severity_id.enum.0.description The event severity is not known. UPDATE
UPDATE events.base_event.attributes.severity.description The event/finding severity, normalized to the caption of... UPDATE
UPDATE events.base_event.attributes.cloud.description Describes details about the Cloud environment where the... UPDATE
UPDATE events.base_event.attributes.metadata.description The metadata associated with the event or a finding. UPDATE
UPDATE events.base_event.attributes.enrichments.description The additional information from an external data source,... UPDATE
ADD events.ssh_activity.attributes.disposition_id.enum.24 {'caption': 'Access Revoked', 'description': "The... ADD
ADD events.ssh_activity.attributes.disposition_id.enum.22 {'caption': 'Captcha', 'description': 'Required the end... ADD
ADD events.ssh_activity.attributes.disposition_id.enum.6.description The request was detected as a threat and resulted in the... ADD
ADD events.ssh_activity.attributes.authorizations {'requirement': 'optional', 'caption': 'Authorization... ADD
ADD events.ssh_activity.attributes.auth_type_id {'description': 'The normalized identifier of the SSH... ADD
ADD events.ssh_activity.attributes.proxy_http_response {'description': 'The HTTP Response from the remote... ADD
ADD events.ssh_activity.attributes.disposition_id.enum.21 {'caption': 'Reset', 'description': 'The request was... ADD
ADD events.ssh_activity.attributes.disposition_id.enum.0.description The disposition was not known. ADD
ADD events.ssh_activity.attributes.proxy_http_request {'description': 'The HTTP Request from the proxy server... ADD
ADD events.ssh_activity.attributes.type_uid.enum.400799 {'caption': 'SSH Activity: Other'} ADD
ADD events.ssh_activity.attributes.proxy_tls {'description': 'The TLS protocol negotiated between the... ADD
ADD events.ssh_activity.attributes.disposition_id.enum.1.description Granted access or allowed the action to the protected resource. ADD
ADD events.ssh_activity.attributes.raw_data.requirement optional ADD
ADD events.ssh_activity.attributes.status_id.enum.99 {'caption': 'Other', 'description': 'The event status is... ADD
ADD events.ssh_activity.attributes.activity_id.enum.99 {'caption': 'Other', 'description': 'The event activity... ADD
ADD events.ssh_activity.attributes.disposition_id.enum.4.description A session was isolated on the network or within a browser. ADD
ADD events.ssh_activity.attributes.disposition_id.enum.5.description A file or other content was deleted. ADD
ADD events.ssh_activity.attributes.firewall_rule {'requirement': 'optional', 'caption': 'Firewall Rule',... ADD
ADD events.ssh_activity.attributes.disposition_id.enum.26 {'caption': 'Unauthorized', 'description': "An attempt... ADD
ADD events.ssh_activity.attributes.disposition_id.enum.19 {'caption': 'Alert', 'description': 'The request or... ADD
ADD events.ssh_activity.attributes.disposition_id.enum.11.description A corrupt file or configuration was corrected. ADD
ADD events.ssh_activity.attributes.disposition_id.enum.2.description Denied access or blocked the action to the protected resource. ADD
ADD events.ssh_activity.attributes.enrichments.requirement optional ADD
ADD events.ssh_activity.attributes.action_id {'caption': 'Action ID', 'description': "The action... ADD
ADD events.ssh_activity.attributes.disposition_id.enum.18 {'caption': 'Tagged', 'description': 'A file or other... ADD
ADD events.ssh_activity.attributes.disposition_id.enum.12.description A corrupt file or configuration was partially corrected. ADD
ADD events.ssh_activity.attributes.proxy_connection_info {'description': 'The connection information from the... ADD
ADD events.ssh_activity.attributes.start_time.requirement optional ADD
ADD events.ssh_activity.attributes.disposition_id.enum.9 {'caption': 'Restored', 'description': 'A quarantined... ADD
ADD events.ssh_activity.attributes.duration.requirement optional ADD
ADD events.ssh_activity.attributes.proxy_endpoint {'description': 'The proxy (server) in a network... ADD
ADD events.ssh_activity.attributes.disposition_id.enum.3.description A suspicious file or other content was moved to a benign... ADD
ADD events.ssh_activity.attributes.severity_id.enum.99 {'caption': 'Other', 'description': 'The event/finding... ADD
ADD events.ssh_activity.attributes.type_uid.enum.400705 {'caption': 'SSH Activity: Refuse'} ADD
ADD events.ssh_activity.attributes.end_time.requirement optional ADD
ADD events.ssh_activity.attributes.api {'requirement': 'optional', 'group': 'context',... ADD
ADD events.ssh_activity.attributes.disposition_id.enum.25 {'caption': 'Rejected', 'description': "A request or... ADD
ADD events.ssh_activity.attributes.action {'caption': 'Action', 'description': 'The normalized... ADD
ADD events.ssh_activity.attributes.disposition_id.enum.7.description A custom action was executed such as running of a... ADD
ADD events.ssh_activity.attributes.load_balancer {'requirement': 'recommended', 'caption': 'Load... ADD
ADD events.ssh_activity.attributes.disposition_id.enum.16 {'caption': 'No Action', 'description': 'The outcome of... ADD
ADD events.ssh_activity.attributes.disposition_id.enum.20 {'caption': 'Count', 'description': 'Counted the request... ADD
ADD events.ssh_activity.attributes.disposition_id.enum.27 {'caption': 'Error', 'description': 'An error occurred... ADD
ADD events.ssh_activity.attributes.status_id.enum.0.description The status is unknown. ADD
ADD events.ssh_activity.attributes.disposition_id.enum.13.description A corrupt file or configuration was not corrected. ADD
ADD events.ssh_activity.attributes.unmapped.requirement optional ADD
ADD events.ssh_activity.attributes.auth_type {'description': "The SSH authentication type, normalized... ADD
ADD events.ssh_activity.attributes.activity_id.enum.5 {'caption': 'Refuse', 'description': 'The network... ADD
ADD events.ssh_activity.attributes.disposition_id.enum.99 {'caption': 'Other', 'description': 'The disposition is... ADD
ADD events.ssh_activity.attributes.status_code.requirement optional ADD
ADD events.ssh_activity.attributes.disposition_id.enum.17 {'caption': 'Logged', 'description': 'The operation or... ADD
ADD events.ssh_activity.attributes.disposition_id.enum.8.description A request or submission was approved. For example, when... ADD
ADD events.ssh_activity.attributes.status_detail.requirement optional ADD
ADD events.ssh_activity.attributes.proxy_traffic {'description': 'The network traffic refers to the... ADD
ADD events.ssh_activity.attributes.disposition_id.enum.23 {'caption': 'Challenge', 'description': "Ran a silent... ADD
ADD events.ssh_activity.attributes.type_uid.enum.400706 {'caption': 'SSH Activity: Traffic'} ADD
ADD events.ssh_activity.attributes.activity_id.enum.6 {'caption': 'Traffic', 'description': 'Network traffic report.'} ADD
ADD events.ssh_activity.attributes.count.requirement optional ADD
ADD events.ssh_activity.attributes.proxy.@deprecated {'message': 'Use the <code> proxy_endpoint </code>... ADD
ADD events.ssh_activity.attributes.cloud.group primary ADD
DEPRECATE events.ssh_activity.attributes.data {'description': 'Additional data that is associated with... REMOVE
IGNORE events.ssh_activity.attributes.type_uid.enum.400102 REMOVE
UPDATE events.ssh_activity.attributes.severity_id.enum.-1 REMOVE
IGNORE events.ssh_activity.attributes.type_uid.enum.400100 REMOVE
REMOVE events.ssh_activity.attributes.activity_id.$include REMOVE
UPDATE events.ssh_activity.attributes.disposition_id.enum.-1 REMOVE
IGNORE events.ssh_activity.attributes.type_uid.enum.400104 REMOVE
IGNORE events.ssh_activity.attributes.class_uid.default REMOVE
IGNORE events.ssh_activity.attributes.category_uid.default REMOVE
IGNORE events.ssh_activity.attributes.type_uid.enum.400103 REMOVE
DEPRECATE events.ssh_activity.attributes.confidence {'group': 'classification', 'requirement': 'optional',... REMOVE
IGNORE events.ssh_activity.attributes.type_uid.enum.400699 REMOVE
IGNORE events.ssh_activity.attributes.type_uid.enum.400101 REMOVE
IGNORE events.ssh_activity.attributes.type_uid.enum.400099 REMOVE
DEPRECATE events.ssh_activity.attributes.count.default 1 REMOVE
UPDATE events.ssh_activity.attributes.activity_id.enum.-1 REMOVE
UPDATE events.ssh_activity.attributes.status_id.enum.-1 REMOVE
REMOVE events.ssh_activity.attributes.disposition_id.enum.2.caption UPDATE
UPDATE events.ssh_activity.attributes.status_detail.description The status details contains additional information about... UPDATE
UPDATE events.ssh_activity.attributes.cloud.description Describes details about the Cloud environment where the... UPDATE
REMOVE events.ssh_activity.attributes.disposition_id.requirement UPDATE
DEPRECATE events.ssh_activity.attributes.severity_id.enum.0.description The event severity is not known. UPDATE
UPDATE events.ssh_activity.attributes.disposition.description The disposition name, normalized to the caption of the... UPDATE
UPDATE events.ssh_activity.attributes.attacks.description An array of <a target='_blank'... UPDATE
UPDATE events.ssh_activity.attributes.actor.description The actor object describes details about the... UPDATE
UPDATE events.ssh_activity.attributes.status.description The event status, normalized to the caption of the... UPDATE
REMOVE events.ssh_activity.attributes.disposition_id.enum.14.caption UPDATE
DEPRECATE events.ssh_activity.attributes.disposition_id.enum.14.description No longer suspicious (re-scored). UPDATE
UPDATE events.ssh_activity.attributes.malware.description A list of Malware objects, describing details about the... UPDATE
REMOVE events.ssh_activity.attributes.disposition_id.enum.3.caption UPDATE
IGNORE events.ssh_activity.attributes.type_uid.enum.400704.caption UPDATE
UPDATE events.ssh_activity.attributes.activity_id.enum.4.caption Fail UPDATE
REMOVE events.ssh_activity.attributes.disposition_id.enum.10.caption UPDATE
DEPRECATE events.ssh_activity.attributes.disposition_id.enum.15.description Marked with extended attributes. UPDATE
UPDATE events.ssh_activity.attributes.enrichments.description The additional information from an external data source,... UPDATE
REMOVE events.ssh_activity.attributes.disposition_id.description UPDATE
UPDATE events.ssh_activity.attributes.severity_id.description <p>The normalized identifier of the event/finding... UPDATE
REMOVE events.ssh_activity.attributes.disposition_id.enum.15.caption UPDATE
REMOVE events.ssh_activity.attributes.disposition_id.enum.6.caption UPDATE
UPDATE events.ssh_activity.attributes.time.description The normalized event occurrence time or the finding... UPDATE
REMOVE events.ssh_activity.attributes.disposition_id.enum.5.caption UPDATE
IGNORE events.ssh_activity.attributes.type_uid.description UPDATE
REMOVE events.ssh_activity.attributes.disposition_id.enum.4.caption UPDATE
DEPRECATE events.ssh_activity.attributes.disposition_id.enum.10.description Requires reboot to finish the operation. UPDATE
UPDATE events.ssh_activity.attributes.malware.requirement optional UPDATE
REMOVE events.ssh_activity.attributes.attacks.caption UPDATE
UPDATE events.ssh_activity.attributes.metadata.description The metadata associated with the event or a finding. UPDATE
REMOVE events.ssh_activity.attributes.disposition_id.enum.12.caption UPDATE
UPDATE events.ssh_activity.attributes.message.description The description of the event/finding, as defined by the source. UPDATE
UPDATE events.ssh_activity.attributes.observables.description The observables associated with the event or a finding. UPDATE
IGNORE events.ssh_activity.attributes.type_uid.type UPDATE
IGNORE events.ssh_activity.profiles UPDATE
REMOVE events.ssh_activity.attributes.disposition_id.enum.1.caption UPDATE
UPDATE events.ssh_activity.attributes.device.description An addressable device, computer system or host. UPDATE
UPDATE events.ssh_activity.attributes.type_name.description The event/finding type name, as defined by the type_uid. UPDATE
REMOVE events.ssh_activity.attributes.disposition_id.enum.8.caption UPDATE
UPDATE events.ssh_activity.attributes.proxy.description The proxy (server) in a network connection. UPDATE
UPDATE events.ssh_activity.attributes.severity.description The event/finding severity, normalized to the caption of... UPDATE
IGNORE events.ssh_activity.extends UPDATE
UPDATE events.ssh_activity.attributes.activity_id.enum.4.description The network connection failed. For example a connection... UPDATE
REMOVE events.ssh_activity.attributes.disposition_id.enum.13.caption UPDATE
REMOVE events.ssh_activity.attributes.disposition_id.enum.7.caption UPDATE
REMOVE events.ssh_activity.attributes.disposition_id.enum.11.caption UPDATE
ADD events.dhcp_activity.attributes.proxy_http_response {'description': 'The HTTP Response from the remote... ADD
ADD events.dhcp_activity.attributes.tls {'group': 'primary', 'caption': 'TLS', 'description':... ADD
ADD events.dhcp_activity.attributes.enrichments.requirement optional ADD
ADD events.dhcp_activity.attributes.unmapped.requirement optional ADD
ADD events.dhcp_activity.attributes.status_detail.requirement optional ADD
ADD events.dhcp_activity.attributes.severity_id.enum.99 {'caption': 'Other', 'description': 'The event/finding... ADD
ADD events.dhcp_activity.attributes.cloud.group primary ADD
ADD events.dhcp_activity.attributes.proxy {'group': 'primary', 'requirement': 'optional',... ADD
ADD events.dhcp_activity.attributes.proxy_traffic {'description': 'The network traffic refers to the... ADD
ADD events.dhcp_activity.attributes.app_name {'group': 'context', 'requirement': 'optional',... ADD
ADD events.dhcp_activity.attributes.api {'requirement': 'optional', 'group': 'context',... ADD
ADD events.dhcp_activity.attributes.action_id {'caption': 'Action ID', 'description': "The action... ADD
ADD events.dhcp_activity.attributes.traffic {'group': 'primary', 'requirement': 'optional',... ADD
ADD events.dhcp_activity.attributes.action {'caption': 'Action', 'description': 'The normalized... ADD
ADD events.dhcp_activity.attributes.malware {'requirement': 'optional', 'caption': 'Malware',... ADD
ADD events.dhcp_activity.attributes.raw_data.requirement optional ADD
ADD events.dhcp_activity.attributes.end_time.requirement optional ADD
ADD events.dhcp_activity.attributes.proxy_tls {'description': 'The TLS protocol negotiated between the... ADD
ADD events.dhcp_activity.attributes.disposition_id {'requirement': 'recommended', 'enum': {'99':... ADD
ADD events.dhcp_activity.attributes.count.requirement optional ADD
ADD events.dhcp_activity.attributes.src_endpoint {'description': 'The initiator (client) of the DHCP... ADD
ADD events.dhcp_activity.attributes.type_uid.enum.400499 {'caption': 'DHCP Activity: Other'} ADD
ADD events.dhcp_activity.attributes.proxy_endpoint {'description': 'The proxy (server) in a network... ADD
ADD events.dhcp_activity.attributes.attacks {'requirement': 'optional', 'caption': 'MITRE ATT&CK®... ADD
ADD events.dhcp_activity.attributes.status_code.requirement optional ADD
ADD events.dhcp_activity.attributes.load_balancer {'requirement': 'recommended', 'caption': 'Load... ADD
ADD events.dhcp_activity.attributes.disposition {'requirement': 'optional', 'caption': 'Disposition',... ADD
ADD events.dhcp_activity.attributes.start_time.requirement optional ADD
ADD events.dhcp_activity.attributes.dst_endpoint {'description': 'The responder (server) of the DHCP... ADD
ADD events.dhcp_activity.attributes.activity_id.enum.99 {'caption': 'Other', 'description': 'The event activity... ADD
ADD events.dhcp_activity.attributes.connection_info {'group': 'primary', 'requirement': 'recommended',... ADD
ADD events.dhcp_activity.attributes.status_id.enum.99 {'caption': 'Other', 'description': 'The event status is... ADD
ADD events.dhcp_activity.attributes.status_id.enum.0.description The status is unknown. ADD
ADD events.dhcp_activity.attributes.firewall_rule {'requirement': 'optional', 'caption': 'Firewall Rule',... ADD
ADD events.dhcp_activity.attributes.duration.requirement optional ADD
ADD events.dhcp_activity.attributes.authorizations {'requirement': 'optional', 'caption': 'Authorization... ADD
ADD events.dhcp_activity.attributes.proxy_connection_info {'description': 'The connection information from the... ADD
ADD events.dhcp_activity.attributes.proxy_http_request {'description': 'The HTTP Request from the proxy server... ADD
DEPRECATE events.dhcp_activity.attributes.count.default 1 REMOVE
UPDATE events.dhcp_activity.attributes.status_id.enum.-1 REMOVE
IGNORE events.dhcp_activity.attributes.category_uid.default REMOVE
UPDATE events.dhcp_activity.attributes.severity_id.enum.-1 REMOVE
IGNORE events.dhcp_activity.attributes.type_uid.enum.400399 REMOVE
REMOVE events.dhcp_activity.attributes.activity_id.$include REMOVE
IGNORE events.dhcp_activity.attributes.class_uid.default REMOVE
UPDATE events.dhcp_activity.attributes.activity_id.enum.-1 REMOVE
DEPRECATE events.dhcp_activity.attributes.data {'description': 'Additional data that is associated with... REMOVE
DEPRECATE events.dhcp_activity.attributes.network_interface {'group': 'primary', 'requirement': 'required',... REMOVE
DEPRECATE events.dhcp_activity.attributes.confidence {'group': 'classification', 'requirement': 'optional',... REMOVE
IGNORE events.dhcp_activity.attributes.type_uid.type UPDATE
IGNORE events.dhcp_activity.extends UPDATE
UPDATE events.dhcp_activity.attributes.cloud.description Describes details about the Cloud environment where the... UPDATE
UPDATE events.dhcp_activity.attributes.actor.description The actor object describes details about the... UPDATE
UPDATE events.dhcp_activity.attributes.device.description An addressable device, computer system or host. UPDATE
UPDATE events.dhcp_activity.attributes.metadata.description The metadata associated with the event or a finding. UPDATE
UPDATE events.dhcp_activity.attributes.observables.description The observables associated with the event or a finding. UPDATE
UPDATE events.dhcp_activity.attributes.severity.description The event/finding severity, normalized to the caption of... UPDATE
UPDATE events.dhcp_activity.attributes.lease_dur.description This represents the length of the DHCP lease in seconds.... UPDATE
UPDATE events.dhcp_activity.attributes.message.description The description of the event/finding, as defined by the source. UPDATE
UPDATE events.dhcp_activity.attributes.status.description The event status, normalized to the caption of the... UPDATE
IGNORE events.dhcp_activity.attributes.type_uid.description UPDATE
UPDATE events.dhcp_activity.description DHCP Activity events report MAC to IP assignment via... UPDATE
UPDATE events.dhcp_activity.attributes.severity_id.description <p>The normalized identifier of the event/finding... UPDATE
UPDATE events.dhcp_activity.attributes.status_detail.description The status details contains additional information about... UPDATE
DEPRECATE events.dhcp_activity.attributes.severity_id.enum.0.description The event severity is not known. UPDATE
UPDATE events.dhcp_activity.attributes.time.description The normalized event occurrence time or the finding... UPDATE
IGNORE events.dhcp_activity.attributes.class_uid.enum.4004.description UPDATE
UPDATE events.dhcp_activity.attributes.type_name.description The event/finding type name, as defined by the type_uid. UPDATE
UPDATE events.dhcp_activity.attributes.enrichments.description The additional information from an external data source,... UPDATE
ADD events.smb_activity.attributes.disposition_id.enum.11.description A corrupt file or configuration was corrected. ADD
ADD events.smb_activity.attributes.status_id.enum.0.description The status is unknown. ADD
ADD events.smb_activity.attributes.disposition_id.enum.26 {'caption': 'Unauthorized', 'description': "An attempt... ADD
ADD events.smb_activity.attributes.share_type_id {'group': 'primary', 'requirement': 'recommended',... ADD
ADD events.smb_activity.attributes.disposition_id.enum.18 {'caption': 'Tagged', 'description': 'A file or other... ADD
ADD events.smb_activity.attributes.disposition_id.enum.2.description Denied access or blocked the action to the protected resource. ADD
ADD events.smb_activity.attributes.authorizations {'requirement': 'optional', 'caption': 'Authorization... ADD
ADD events.smb_activity.attributes.disposition_id.enum.12.description A corrupt file or configuration was partially corrected. ADD
ADD events.smb_activity.attributes.end_time.requirement optional ADD
ADD events.smb_activity.attributes.status_code.requirement optional ADD
ADD events.smb_activity.attributes.duration.requirement optional ADD
ADD events.smb_activity.attributes.proxy_endpoint {'description': 'The proxy (server) in a network... ADD
ADD events.smb_activity.attributes.proxy_http_response {'description': 'The HTTP Response from the remote... ADD
ADD events.smb_activity.attributes.disposition_id.enum.24 {'caption': 'Access Revoked', 'description': "The... ADD
ADD events.smb_activity.attributes.proxy_traffic {'description': 'The network traffic refers to the... ADD
ADD events.smb_activity.attributes.disposition_id.enum.5.description A file or other content was deleted. ADD
ADD events.smb_activity.attributes.disposition_id.enum.20 {'caption': 'Count', 'description': 'Counted the request... ADD
ADD events.smb_activity.attributes.disposition_id.enum.7.description A custom action was executed such as running of a... ADD
ADD events.smb_activity.attributes.disposition_id.enum.13.description A corrupt file or configuration was not corrected. ADD
ADD events.smb_activity.attributes.activity_id.enum.99 {'caption': 'Other', 'description': 'The event activity... ADD
ADD events.smb_activity.attributes.cloud.group primary ADD
ADD events.smb_activity.attributes.disposition_id.enum.1.description Granted access or allowed the action to the protected resource. ADD
ADD events.smb_activity.attributes.disposition_id.enum.19 {'caption': 'Alert', 'description': 'The request or... ADD
ADD events.smb_activity.attributes.firewall_rule {'requirement': 'optional', 'caption': 'Firewall Rule',... ADD
ADD events.smb_activity.attributes.action {'caption': 'Action', 'description': 'The normalized... ADD
ADD events.smb_activity.attributes.raw_data.requirement optional ADD
ADD events.smb_activity.attributes.status_id.enum.99 {'caption': 'Other', 'description': 'The event status is... ADD
ADD events.smb_activity.attributes.enrichments.requirement optional ADD
ADD events.smb_activity.attributes.load_balancer {'requirement': 'recommended', 'caption': 'Load... ADD
ADD events.smb_activity.attributes.disposition_id.enum.99 {'caption': 'Other', 'description': 'The disposition is... ADD
ADD events.smb_activity.attributes.unmapped.requirement optional ADD
ADD events.smb_activity.attributes.disposition_id.enum.6.description The request was detected as a threat and resulted in the... ADD
ADD events.smb_activity.attributes.proxy_http_request {'description': 'The HTTP Request from the proxy server... ADD
ADD events.smb_activity.attributes.start_time.requirement optional ADD
ADD events.smb_activity.attributes.disposition_id.enum.27 {'caption': 'Error', 'description': 'An error occurred... ADD
ADD events.smb_activity.attributes.action_id {'caption': 'Action ID', 'description': "The action... ADD
ADD events.smb_activity.attributes.status_detail.requirement optional ADD
ADD events.smb_activity.attributes.disposition_id.enum.0.description The disposition was not known. ADD
ADD events.smb_activity.attributes.disposition_id.enum.16 {'caption': 'No Action', 'description': 'The outcome of... ADD
ADD events.smb_activity.attributes.disposition_id.enum.23 {'caption': 'Challenge', 'description': "Ran a silent... ADD
ADD events.smb_activity.attributes.disposition_id.enum.25 {'caption': 'Rejected', 'description': "A request or... ADD
ADD events.smb_activity.attributes.disposition_id.enum.8.description A request or submission was approved. For example, when... ADD
ADD events.smb_activity.attributes.disposition_id.enum.4.description A session was isolated on the network or within a browser. ADD
ADD events.smb_activity.attributes.proxy_tls {'description': 'The TLS protocol negotiated between the... ADD
ADD events.smb_activity.attributes.disposition_id.enum.9 {'caption': 'Restored', 'description': 'A quarantined... ADD
ADD events.smb_activity.attributes.disposition_id.enum.21 {'caption': 'Reset', 'description': 'The request was... ADD
ADD events.smb_activity.attributes.api {'requirement': 'optional', 'group': 'context',... ADD
ADD events.smb_activity.attributes.severity_id.enum.99 {'caption': 'Other', 'description': 'The event/finding... ADD
ADD events.smb_activity.attributes.type_uid.enum.400699 {'caption': 'SMB Activity: Other'} ADD
ADD events.smb_activity.attributes.disposition_id.enum.22 {'caption': 'Captcha', 'description': 'Required the end... ADD
ADD events.smb_activity.attributes.disposition_id.enum.17 {'caption': 'Logged', 'description': 'The operation or... ADD
ADD events.smb_activity.attributes.proxy_connection_info {'description': 'The connection information from the... ADD
ADD events.smb_activity.attributes.disposition_id.enum.3.description A suspicious file or other content was moved to a benign... ADD
ADD events.smb_activity.attributes.count.requirement optional ADD
ADD events.smb_activity.attributes.proxy.@deprecated {'message': 'Use the <code> proxy_endpoint </code>... ADD
IGNORE events.smb_activity.attributes.type_uid.enum.400099 REMOVE
IGNORE events.smb_activity.attributes.type_uid.enum.400101 REMOVE
UPDATE events.smb_activity.attributes.status_id.enum.-1 REMOVE
REMOVE events.smb_activity.attributes.activity_id.$include REMOVE
DEPRECATE events.smb_activity.attributes.data {'description': 'Additional data that is associated with... REMOVE
IGNORE events.smb_activity.attributes.class_uid.default REMOVE
IGNORE events.smb_activity.attributes.type_uid.enum.400103 REMOVE
DEPRECATE events.smb_activity.attributes.confidence {'group': 'classification', 'requirement': 'optional',... REMOVE
UPDATE events.smb_activity.attributes.severity_id.enum.-1 REMOVE
UPDATE events.smb_activity.attributes.activity_id.enum.-1 REMOVE
DEPRECATE events.smb_activity.attributes.count.default 1 REMOVE
IGNORE events.smb_activity.attributes.type_uid.enum.400102 REMOVE
UPDATE events.smb_activity.attributes.disposition_id.enum.-1 REMOVE
IGNORE events.smb_activity.attributes.category_uid.default REMOVE
IGNORE events.smb_activity.attributes.type_uid.enum.400104 REMOVE
IGNORE events.smb_activity.attributes.type_uid.enum.400599 REMOVE
IGNORE events.smb_activity.attributes.type_uid.enum.400100 REMOVE
UPDATE events.smb_activity.attributes.observables.description The observables associated with the event or a finding. UPDATE
UPDATE events.smb_activity.attributes.status_detail.description The status details contains additional information about... UPDATE
REMOVE events.smb_activity.attributes.disposition_id.enum.6.caption UPDATE
UPDATE events.smb_activity.attributes.malware.description A list of Malware objects, describing details about the... UPDATE
REMOVE events.smb_activity.attributes.disposition_id.enum.11.caption UPDATE
UPDATE events.smb_activity.attributes.cloud.description Describes details about the Cloud environment where the... UPDATE
REMOVE events.smb_activity.attributes.disposition_id.description UPDATE
DEPRECATE events.smb_activity.attributes.disposition_id.enum.15.description Marked with extended attributes. UPDATE
REMOVE events.smb_activity.attributes.disposition_id.enum.4.caption UPDATE
REMOVE events.smb_activity.attributes.disposition_id.enum.3.caption UPDATE
REMOVE events.smb_activity.attributes.disposition_id.enum.5.caption UPDATE
REMOVE events.smb_activity.attributes.disposition_id.enum.12.caption UPDATE
UPDATE events.smb_activity.attributes.disposition.description The disposition name, normalized to the caption of the... UPDATE
IGNORE events.smb_activity.attributes.type_uid.type UPDATE
REMOVE events.smb_activity.attributes.disposition_id.enum.1.caption UPDATE
IGNORE events.smb_activity.profiles UPDATE
UPDATE events.smb_activity.attributes.malware.requirement optional UPDATE
REMOVE events.smb_activity.attributes.disposition_id.enum.13.caption UPDATE
UPDATE events.smb_activity.attributes.enrichments.description The additional information from an external data source,... UPDATE
UPDATE events.smb_activity.attributes.command.requirement recommended UPDATE
REMOVE events.smb_activity.attributes.disposition_id.enum.14.caption UPDATE
REMOVE events.smb_activity.attributes.disposition_id.requirement UPDATE
REMOVE events.smb_activity.attributes.disposition_id.enum.2.caption UPDATE
UPDATE events.smb_activity.attributes.proxy.description The proxy (server) in a network connection. UPDATE
REMOVE events.smb_activity.attributes.attacks.caption UPDATE
DEPRECATE events.smb_activity.attributes.severity_id.enum.0.description The event severity is not known. UPDATE
REMOVE events.smb_activity.attributes.disposition_id.enum.10.caption UPDATE
UPDATE events.smb_activity.attributes.metadata.description The metadata associated with the event or a finding. UPDATE
UPDATE events.smb_activity.attributes.type_name.description The event/finding type name, as defined by the type_uid. UPDATE
UPDATE events.smb_activity.attributes.message.description The description of the event/finding, as defined by the source. UPDATE
UPDATE events.smb_activity.attributes.response.requirement recommended UPDATE
DEPRECATE events.smb_activity.attributes.disposition_id.enum.10.description Requires reboot to finish the operation. UPDATE
REMOVE events.smb_activity.attributes.disposition_id.enum.8.caption UPDATE
UPDATE events.smb_activity.attributes.actor.description The actor object describes details about the... UPDATE
IGNORE events.smb_activity.attributes.type_uid.description UPDATE
REMOVE events.smb_activity.attributes.disposition_id.enum.7.caption UPDATE
DEPRECATE events.smb_activity.attributes.disposition_id.enum.14.description No longer suspicious (re-scored). UPDATE
UPDATE events.smb_activity.attributes.share_type.description The SMB share type, normalized to the caption of the... UPDATE
UPDATE events.smb_activity.attributes.severity_id.description <p>The normalized identifier of the event/finding... UPDATE
UPDATE events.smb_activity.attributes.time.description The normalized event occurrence time or the finding... UPDATE
UPDATE events.smb_activity.attributes.severity.description The event/finding severity, normalized to the caption of... UPDATE
UPDATE events.smb_activity.attributes.attacks.description An array of <a target='_blank'... UPDATE
UPDATE events.smb_activity.attributes.status.description The event status, normalized to the caption of the... UPDATE
UPDATE events.smb_activity.attributes.device.description An addressable device, computer system or host. UPDATE
REMOVE events.smb_activity.attributes.disposition_id.enum.15.caption UPDATE
IGNORE events.smb_activity.extends UPDATE
ADD events.email_url_activity.attributes.type_uid.enum.401299 {'caption': 'Email URL Activity: Other'} ADD
ADD events.email_url_activity.attributes.disposition_id.enum.11.description A corrupt file or configuration was corrected. ADD
ADD events.email_url_activity.attributes.status_id.enum.99 {'caption': 'Other', 'description': 'The event status is... ADD
ADD events.email_url_activity.attributes.disposition_id.enum.19 {'caption': 'Alert', 'description': 'The request or... ADD
ADD events.email_url_activity.attributes.unmapped.requirement optional ADD
ADD events.email_url_activity.attributes.disposition_id.enum.23 {'caption': 'Challenge', 'description': "Ran a silent... ADD
ADD events.email_url_activity.attributes.disposition_id.enum.16 {'caption': 'No Action', 'description': 'The outcome of... ADD
ADD events.email_url_activity.attributes.disposition_id.enum.20 {'caption': 'Count', 'description': 'Counted the request... ADD
ADD events.email_url_activity.attributes.disposition_id.enum.24 {'caption': 'Access Revoked', 'description': "The... ADD
ADD events.email_url_activity.attributes.disposition_id.enum.21 {'caption': 'Reset', 'description': 'The request was... ADD
ADD events.email_url_activity.attributes.duration.requirement optional ADD
ADD events.email_url_activity.attributes.disposition_id.enum.2.description Denied access or blocked the action to the protected resource. ADD
ADD events.email_url_activity.attributes.disposition_id.enum.0.description The disposition was not known. ADD
ADD events.email_url_activity.attributes.activity_id.enum.2 {'caption': 'Receive'} ADD
ADD events.email_url_activity.attributes.disposition_id.enum.13.description A corrupt file or configuration was not corrected. ADD
ADD events.email_url_activity.attributes.disposition_id.enum.17 {'caption': 'Logged', 'description': 'The operation or... ADD
ADD events.email_url_activity.attributes.disposition_id.enum.25 {'caption': 'Rejected', 'description': "A request or... ADD
ADD events.email_url_activity.attributes.end_time.requirement optional ADD
ADD events.email_url_activity.attributes.activity_id.enum.3 {'caption': 'Scan', 'description': 'Email URL being... ADD
ADD events.email_url_activity.attributes.disposition_id.enum.6.description The request was detected as a threat and resulted in the... ADD
ADD events.email_url_activity.attributes.api {'requirement': 'optional', 'group': 'context',... ADD
ADD events.email_url_activity.attributes.disposition_id.enum.4.description A session was isolated on the network or within a browser. ADD
ADD events.email_url_activity.attributes.disposition_id.enum.18 {'caption': 'Tagged', 'description': 'A file or other... ADD
ADD events.email_url_activity.attributes.class_uid.enum.4012 {'caption': 'Email URL Activity', 'description': 'Email... ADD
ADD events.email_url_activity.attributes.count.requirement optional ADD
ADD events.email_url_activity.attributes.disposition_id.enum.22 {'caption': 'Captcha', 'description': 'Required the end... ADD
ADD events.email_url_activity.attributes.disposition_id.enum.12.description A corrupt file or configuration was partially corrected. ADD
ADD events.email_url_activity.attributes.raw_data.requirement optional ADD
ADD events.email_url_activity.attributes.enrichments.requirement optional ADD
ADD events.email_url_activity.attributes.status_detail.requirement optional ADD
ADD events.email_url_activity.attributes.type_uid.enum.401202 {'caption': 'Email URL Activity: Receive'} ADD
ADD events.email_url_activity.attributes.category_uid.enum.4 {'caption': 'Network Activity', 'description': 'Network... ADD
ADD events.email_url_activity.attributes.status_id.enum.0.description The status is unknown. ADD
ADD events.email_url_activity.attributes.disposition_id.enum.26 {'caption': 'Unauthorized', 'description': "An attempt... ADD
ADD events.email_url_activity.attributes.disposition_id.enum.9 {'caption': 'Restored', 'description': 'A quarantined... ADD
ADD events.email_url_activity.attributes.status_code.requirement optional ADD
ADD events.email_url_activity.attributes.action_id {'caption': 'Action ID', 'description': "The action... ADD
ADD events.email_url_activity.attributes.disposition_id.enum.8.description A request or submission was approved. For example, when... ADD
ADD events.email_url_activity.attributes.type_uid.enum.401201 {'caption': 'Email URL Activity: Send'} ADD
ADD events.email_url_activity.attributes.type_uid.enum.401200 {'caption': 'Email URL Activity: Unknown'} ADD
ADD events.email_url_activity.attributes.disposition_id.enum.7.description A custom action was executed such as running of a... ADD
ADD events.email_url_activity.attributes.disposition_id.enum.5.description A file or other content was deleted. ADD
ADD events.email_url_activity.attributes.activity_id.enum.99 {'caption': 'Other', 'description': 'The event activity... ADD
ADD events.email_url_activity.attributes.authorizations {'requirement': 'optional', 'caption': 'Authorization... ADD
ADD events.email_url_activity.attributes.severity_id.enum.99 {'caption': 'Other', 'description': 'The event/finding... ADD
ADD events.email_url_activity.attributes.type_uid.enum.401203 {'caption': 'Email URL Activity: Scan'} ADD
ADD events.email_url_activity.attributes.action {'caption': 'Action', 'description': 'The normalized... ADD
ADD events.email_url_activity.attributes.cloud.group primary ADD
ADD events.email_url_activity.attributes.disposition_id.enum.27 {'caption': 'Error', 'description': 'An error occurred... ADD
ADD events.email_url_activity.attributes.start_time.requirement optional ADD
ADD events.email_url_activity.attributes.disposition_id.enum.99 {'caption': 'Other', 'description': 'The disposition is... ADD
ADD events.email_url_activity.attributes.disposition_id.enum.1.description Granted access or allowed the action to the protected resource. ADD
ADD events.email_url_activity.attributes.firewall_rule {'requirement': 'optional', 'caption': 'Firewall Rule',... ADD
ADD events.email_url_activity.attributes.disposition_id.enum.3.description A suspicious file or other content was moved to a benign... ADD
IGNORE events.email_url_activity.attributes.class_uid.default REMOVE
PRESERVE events.email_url_activity.associations {'device': ['actor.user'], 'actor.user': ['device']} REMOVE
UPDATE events.email_url_activity.attributes.activity_id.enum.-1 REMOVE
UPDATE events.email_url_activity.attributes.severity_id.enum.-1 REMOVE
IGNORE events.email_url_activity.attributes.type_uid.enum.100201 REMOVE
UPDATE events.email_url_activity.attributes.status_id.enum.-1 REMOVE
DEPRECATE events.email_url_activity.attributes.confidence {'group': 'classification', 'requirement': 'optional',... REMOVE
REMOVE events.email_url_activity.attributes.activity_id.$include REMOVE
IGNORE events.email_url_activity.attributes.category_uid.enum.1 REMOVE
DEPRECATE events.email_url_activity.attributes.actor.group primary REMOVE
DEPRECATE events.email_url_activity.attributes.device.group primary REMOVE
IGNORE events.email_url_activity.extension REMOVE
DEPRECATE events.email_url_activity.attributes.count.default 1 REMOVE
DEPRECATE events.email_url_activity.attributes.data {'description': 'Additional data that is associated with... REMOVE
REMOVE events.email_url_activity.attributes.$include REMOVE
IGNORE events.email_url_activity.attributes.class_uid.enum.1002 REMOVE
IGNORE events.email_url_activity.attributes.type_uid.enum.100200 REMOVE
IGNORE events.email_url_activity.attributes.type_uid.enum.100199 REMOVE
UPDATE events.email_url_activity.attributes.disposition_id.enum.-1 REMOVE
IGNORE events.email_url_activity.attributes.category_uid.default REMOVE
DEPRECATE events.email_url_activity.attributes.connection_uid {'requirement': 'optional', 'group': 'context',... REMOVE
UPDATE events.email_url_activity.attributes.malware.description A list of Malware objects, describing details about the... UPDATE
REMOVE events.email_url_activity.attributes.disposition_id.enum.13.caption UPDATE
UPDATE events.email_url_activity.attributes.observables.description The observables associated with the event or a finding. UPDATE
UPDATE events.email_url_activity.attributes.activity_id.requirement optional UPDATE
UPDATE events.email_url_activity.description Email URL Activity events report URLs within an email. UPDATE
UPDATE events.email_url_activity.attributes.severity_id.description <p>The normalized identifier of the event/finding... UPDATE
IGNORE events.email_url_activity.profiles UPDATE
UPDATE events.email_url_activity.attributes.time.description The normalized event occurrence time or the finding... UPDATE
REMOVE events.email_url_activity.attributes.disposition_id.enum.12.caption UPDATE
REMOVE events.email_url_activity.attributes.disposition_id.enum.6.caption UPDATE
REMOVE events.email_url_activity.attributes.disposition_id.enum.7.caption UPDATE
REMOVE events.email_url_activity.attributes.disposition_id.enum.4.caption UPDATE
UPDATE events.email_url_activity.category network UPDATE
REMOVE events.email_url_activity.attributes.disposition_id.requirement UPDATE
REMOVE events.email_url_activity.attributes.disposition_id.enum.1.caption UPDATE
IGNORE events.email_url_activity.attributes.type_uid.type UPDATE
REMOVE events.email_url_activity.attributes.disposition_id.enum.11.caption UPDATE
UPDATE events.email_url_activity.attributes.metadata.description The metadata associated with the event or a finding. UPDATE
UPDATE events.email_url_activity.attributes.enrichments.description The additional information from an external data source,... UPDATE
UPDATE events.email_url_activity.attributes.severity.description The event/finding severity, normalized to the caption of... UPDATE
UPDATE events.email_url_activity.attributes.email_uid.requirement required UPDATE
UPDATE events.email_url_activity.attributes.status.description The event status, normalized to the caption of the... UPDATE
DEPRECATE events.email_url_activity.attributes.disposition_id.enum.15.description Marked with extended attributes. UPDATE
UPDATE events.email_url_activity.attributes.activity_id.enum.1.caption Send UPDATE
DEPRECATE events.email_url_activity.attributes.severity_id.enum.0.description The event severity is not known. UPDATE
UPDATE events.email_url_activity.attributes.malware.requirement optional UPDATE
UPDATE events.email_url_activity.attributes.status_detail.description The status details contains additional information about... UPDATE
IGNORE events.email_url_activity.uid UPDATE
UPDATE events.email_url_activity.attributes.actor.description The actor object describes details about the... UPDATE
REMOVE events.email_url_activity.attributes.disposition_id.enum.8.caption UPDATE
REMOVE events.email_url_activity.attributes.disposition_id.enum.10.caption UPDATE
IGNORE events.email_url_activity.extends UPDATE
REMOVE events.email_url_activity.attributes.disposition_id.enum.3.caption UPDATE
REMOVE events.email_url_activity.attributes.disposition_id.enum.14.caption UPDATE
UPDATE events.email_url_activity.attributes.type_name.description The event/finding type name, as defined by the type_uid. UPDATE
UPDATE events.email_url_activity.attributes.message.description The description of the event/finding, as defined by the source. UPDATE
REMOVE events.email_url_activity.attributes.disposition_id.enum.2.caption UPDATE
REMOVE events.email_url_activity.attributes.attacks.caption UPDATE
UPDATE events.email_url_activity.attributes.attacks.description An array of <a target='_blank'... UPDATE
UPDATE events.email_url_activity.attributes.cloud.description Describes details about the Cloud environment where the... UPDATE
REMOVE events.email_url_activity.attributes.disposition_id.enum.5.caption UPDATE
DEPRECATE events.email_url_activity.attributes.disposition_id.enum.14.description No longer suspicious (re-scored). UPDATE
UPDATE events.email_url_activity.attributes.disposition.description The disposition name, normalized to the caption of the... UPDATE
UPDATE events.email_url_activity.attributes.device.description An addressable device, computer system or host. UPDATE
REMOVE events.email_url_activity.attributes.disposition_id.description UPDATE
IGNORE events.email_url_activity.attributes.type_uid.description UPDATE
REMOVE events.email_url_activity.attributes.disposition_id.enum.15.caption UPDATE
DEPRECATE events.email_url_activity.attributes.disposition_id.enum.10.description Requires reboot to finish the operation. UPDATE
ADD events.rdp_activity.attributes.disposition_id.enum.2.description Denied access or blocked the action to the protected resource. ADD
ADD events.rdp_activity.attributes.disposition_id.enum.27 {'caption': 'Error', 'description': 'An error occurred... ADD
ADD events.rdp_activity.attributes.activity_id.enum.99 {'caption': 'Other', 'description': 'The event activity... ADD
ADD events.rdp_activity.attributes.disposition_id.enum.12.description A corrupt file or configuration was partially corrected. ADD
ADD events.rdp_activity.attributes.disposition_id.enum.3.description A suspicious file or other content was moved to a benign... ADD
ADD events.rdp_activity.attributes.disposition_id.enum.17 {'caption': 'Logged', 'description': 'The operation or... ADD
ADD events.rdp_activity.attributes.disposition_id.enum.8.description A request or submission was approved. For example, when... ADD
ADD events.rdp_activity.attributes.disposition_id.enum.4.description A session was isolated on the network or within a browser. ADD
ADD events.rdp_activity.attributes.activity_id.enum.6 {'caption': 'Traffic', 'description': 'Network traffic report.'} ADD
ADD events.rdp_activity.attributes.start_time.requirement optional ADD
ADD events.rdp_activity.attributes.type_uid.enum.400505 {'caption': 'RDP Activity: TLS Handshake'} ADD
ADD events.rdp_activity.attributes.disposition_id.enum.25 {'caption': 'Rejected', 'description': "A request or... ADD
ADD events.rdp_activity.attributes.disposition_id.enum.0.description The disposition was not known. ADD
ADD events.rdp_activity.attributes.disposition_id.enum.16 {'caption': 'No Action', 'description': 'The outcome of... ADD
ADD events.rdp_activity.attributes.activity_id.enum.5 {'caption': 'TLS Handshake', 'description': 'The TLS handshake.'} ADD
ADD events.rdp_activity.attributes.cloud.group primary ADD
ADD events.rdp_activity.attributes.proxy_traffic {'description': 'The network traffic refers to the... ADD
ADD events.rdp_activity.attributes.api {'requirement': 'optional', 'group': 'context',... ADD
ADD events.rdp_activity.attributes.duration.requirement optional ADD
ADD events.rdp_activity.attributes.proxy_endpoint {'description': 'The proxy (server) in a network... ADD
ADD events.rdp_activity.attributes.status_id.enum.0.description The status is unknown. ADD
ADD events.rdp_activity.attributes.proxy_connection_info {'description': 'The connection information from the... ADD
ADD events.rdp_activity.attributes.disposition_id.enum.26 {'caption': 'Unauthorized', 'description': "An attempt... ADD
ADD events.rdp_activity.attributes.disposition_id.enum.24 {'caption': 'Access Revoked', 'description': "The... ADD
ADD events.rdp_activity.attributes.firewall_rule {'requirement': 'optional', 'caption': 'Firewall Rule',... ADD
ADD events.rdp_activity.attributes.disposition_id.enum.23 {'caption': 'Challenge', 'description': "Ran a silent... ADD
ADD events.rdp_activity.attributes.severity_id.enum.99 {'caption': 'Other', 'description': 'The event/finding... ADD
ADD events.rdp_activity.attributes.disposition_id.enum.22 {'caption': 'Captcha', 'description': 'Required the end... ADD
ADD events.rdp_activity.attributes.type_uid.enum.400599 {'caption': 'RDP Activity: Other'} ADD
ADD events.rdp_activity.attributes.disposition_id.enum.9 {'caption': 'Restored', 'description': 'A quarantined... ADD
ADD events.rdp_activity.attributes.disposition_id.enum.21 {'caption': 'Reset', 'description': 'The request was... ADD
ADD events.rdp_activity.attributes.disposition_id.enum.5.description A file or other content was deleted. ADD
ADD events.rdp_activity.attributes.disposition_id.enum.13.description A corrupt file or configuration was not corrected. ADD
ADD events.rdp_activity.attributes.proxy.@deprecated {'message': 'Use the <code> proxy_endpoint </code>... ADD
ADD events.rdp_activity.attributes.unmapped.requirement optional ADD
ADD events.rdp_activity.attributes.disposition_id.enum.7.description A custom action was executed such as running of a... ADD
ADD events.rdp_activity.attributes.disposition_id.enum.99 {'caption': 'Other', 'description': 'The disposition is... ADD
ADD events.rdp_activity.attributes.disposition_id.enum.11.description A corrupt file or configuration was corrected. ADD
ADD events.rdp_activity.attributes.raw_data.requirement optional ADD
ADD events.rdp_activity.attributes.disposition_id.enum.18 {'caption': 'Tagged', 'description': 'A file or other... ADD
ADD events.rdp_activity.attributes.proxy_http_response {'description': 'The HTTP Response from the remote... ADD
ADD events.rdp_activity.attributes.end_time.requirement optional ADD
ADD events.rdp_activity.attributes.load_balancer {'requirement': 'recommended', 'caption': 'Load... ADD
ADD events.rdp_activity.attributes.proxy_http_request {'description': 'The HTTP Request from the proxy server... ADD
ADD events.rdp_activity.attributes.authorizations {'requirement': 'optional', 'caption': 'Authorization... ADD
ADD events.rdp_activity.attributes.status_id.enum.99 {'caption': 'Other', 'description': 'The event status is... ADD
ADD events.rdp_activity.attributes.type_uid.enum.400506 {'caption': 'RDP Activity: Traffic'} ADD
ADD events.rdp_activity.attributes.enrichments.requirement optional ADD
ADD events.rdp_activity.attributes.action_id {'caption': 'Action ID', 'description': "The action... ADD
ADD events.rdp_activity.attributes.proxy_tls {'description': 'The TLS protocol negotiated between the... ADD
ADD events.rdp_activity.attributes.disposition_id.enum.1.description Granted access or allowed the action to the protected resource. ADD
ADD events.rdp_activity.attributes.action {'caption': 'Action', 'description': 'The normalized... ADD
ADD events.rdp_activity.attributes.disposition_id.enum.19 {'caption': 'Alert', 'description': 'The request or... ADD
ADD events.rdp_activity.attributes.status_code.requirement optional ADD
ADD events.rdp_activity.attributes.count.requirement optional ADD
ADD events.rdp_activity.attributes.status_detail.requirement optional ADD
ADD events.rdp_activity.attributes.disposition_id.enum.6.description The request was detected as a threat and resulted in the... ADD
ADD events.rdp_activity.attributes.disposition_id.enum.20 {'caption': 'Count', 'description': 'Counted the request... ADD
DEPRECATE events.rdp_activity.attributes.confidence {'group': 'classification', 'requirement': 'optional',... REMOVE
UPDATE events.rdp_activity.attributes.severity_id.enum.-1 REMOVE
UPDATE events.rdp_activity.attributes.disposition_id.enum.-1 REMOVE
IGNORE events.rdp_activity.attributes.type_uid.enum.400099 REMOVE
IGNORE events.rdp_activity.attributes.category_uid.default REMOVE
IGNORE events.rdp_activity.attributes.type_uid.enum.400101 REMOVE
IGNORE events.rdp_activity.attributes.type_uid.enum.400100 REMOVE
REMOVE events.rdp_activity.attributes.activity_id.$include REMOVE
DEPRECATE events.rdp_activity.attributes.count.default 1 REMOVE
IGNORE events.rdp_activity.attributes.type_uid.enum.400499 REMOVE
IGNORE events.rdp_activity.attributes.type_uid.enum.400102 REMOVE
IGNORE events.rdp_activity.attributes.type_uid.enum.400104 REMOVE
DEPRECATE events.rdp_activity.attributes.data {'description': 'Additional data that is associated with... REMOVE
UPDATE events.rdp_activity.attributes.status_id.enum.-1 REMOVE
IGNORE events.rdp_activity.attributes.type_uid.enum.400103 REMOVE
IGNORE events.rdp_activity.attributes.class_uid.default REMOVE
UPDATE events.rdp_activity.attributes.activity_id.enum.-1 REMOVE
REMOVE events.rdp_activity.attributes.disposition_id.enum.10.caption UPDATE
UPDATE events.rdp_activity.attributes.time.description The normalized event occurrence time or the finding... UPDATE
UPDATE events.rdp_activity.attributes.activity_id.enum.2.caption Initial Response UPDATE
IGNORE events.rdp_activity.attributes.type_uid.enum.400504.caption UPDATE
UPDATE events.rdp_activity.attributes.activity_id.enum.1.caption Initial Request UPDATE
REMOVE events.rdp_activity.attributes.attacks.caption UPDATE
REMOVE events.rdp_activity.attributes.disposition_id.enum.8.caption UPDATE
REMOVE events.rdp_activity.attributes.disposition_id.enum.6.caption UPDATE
IGNORE events.rdp_activity.attributes.type_uid.enum.400502.caption UPDATE
REMOVE events.rdp_activity.attributes.disposition_id.enum.1.caption UPDATE
UPDATE events.rdp_activity.attributes.activity_id.enum.3.caption Connect Request UPDATE
UPDATE events.rdp_activity.attributes.message.description The description of the event/finding, as defined by the source. UPDATE
REMOVE events.rdp_activity.attributes.disposition_id.enum.13.caption UPDATE
UPDATE events.rdp_activity.attributes.cloud.description Describes details about the Cloud environment where the... UPDATE
REMOVE events.rdp_activity.attributes.disposition_id.description UPDATE
UPDATE events.rdp_activity.attributes.response.requirement recommended UPDATE
REMOVE events.rdp_activity.attributes.disposition_id.enum.12.caption UPDATE
UPDATE events.rdp_activity.attributes.metadata.description The metadata associated with the event or a finding. UPDATE
UPDATE events.rdp_activity.attributes.malware.description A list of Malware objects, describing details about the... UPDATE
REMOVE events.rdp_activity.attributes.disposition_id.enum.2.caption UPDATE
UPDATE events.rdp_activity.attributes.enrichments.description The additional information from an external data source,... UPDATE
UPDATE events.rdp_activity.attributes.malware.requirement optional UPDATE
UPDATE events.rdp_activity.attributes.request.requirement recommended UPDATE
UPDATE events.rdp_activity.attributes.attacks.description An array of <a target='_blank'... UPDATE
REMOVE events.rdp_activity.attributes.disposition_id.enum.11.caption UPDATE
DEPRECATE events.rdp_activity.attributes.disposition_id.enum.14.description No longer suspicious (re-scored). UPDATE
DEPRECATE events.rdp_activity.attributes.severity_id.enum.0.description The event severity is not known. UPDATE
UPDATE events.rdp_activity.attributes.severity_id.description <p>The normalized identifier of the event/finding... UPDATE
REMOVE events.rdp_activity.attributes.disposition_id.enum.14.caption UPDATE
REMOVE events.rdp_activity.attributes.disposition_id.enum.3.caption UPDATE
IGNORE events.rdp_activity.attributes.type_uid.description UPDATE
IGNORE events.rdp_activity.profiles UPDATE
REMOVE events.rdp_activity.attributes.disposition_id.enum.4.caption UPDATE
REMOVE events.rdp_activity.attributes.disposition_id.enum.7.caption UPDATE
UPDATE events.rdp_activity.attributes.status_detail.description The status details contains additional information about... UPDATE
UPDATE events.rdp_activity.attributes.activity_id.enum.4.caption Connect Response UPDATE
REMOVE events.rdp_activity.attributes.disposition_id.enum.15.caption UPDATE
UPDATE events.rdp_activity.attributes.activity_id.enum.2.description The initial RDP response. UPDATE
UPDATE events.rdp_activity.attributes.activity_id.enum.3.description An RDP connection request. UPDATE
IGNORE events.rdp_activity.attributes.type_uid.enum.400501.caption UPDATE
UPDATE events.rdp_activity.attributes.proxy.description The proxy (server) in a network connection. UPDATE
DEPRECATE events.rdp_activity.attributes.disposition_id.enum.15.description Marked with extended attributes. UPDATE
IGNORE events.rdp_activity.extends UPDATE
UPDATE events.rdp_activity.attributes.status.description The event status, normalized to the caption of the... UPDATE
REMOVE events.rdp_activity.attributes.disposition_id.requirement UPDATE
IGNORE events.rdp_activity.attributes.type_uid.enum.400503.caption UPDATE
DEPRECATE events.rdp_activity.attributes.disposition_id.enum.10.description Requires reboot to finish the operation. UPDATE
UPDATE events.rdp_activity.attributes.activity_id.enum.4.description An RDP connection response. UPDATE
UPDATE events.rdp_activity.attributes.disposition.description The disposition name, normalized to the caption of the... UPDATE
UPDATE events.rdp_activity.attributes.severity.description The event/finding severity, normalized to the caption of... UPDATE
REMOVE events.rdp_activity.attributes.disposition_id.enum.5.caption UPDATE
UPDATE events.rdp_activity.attributes.actor.description The actor object describes details about the... UPDATE
UPDATE events.rdp_activity.attributes.activity_id.enum.1.description The initial RDP request. UPDATE
IGNORE events.rdp_activity.attributes.type_uid.type UPDATE
UPDATE events.rdp_activity.attributes.observables.description The observables associated with the event or a finding. UPDATE
UPDATE events.rdp_activity.attributes.type_name.description The event/finding type name, as defined by the type_uid. UPDATE
ADD events.network_activity.attributes.api {'requirement': 'optional', 'group': 'context',... ADD
ADD events.network_activity.attributes.disposition_id.enum.22 {'caption': 'Captcha', 'description': 'Required the end... ADD
ADD events.network_activity.attributes.unmapped.requirement optional ADD
ADD events.network_activity.attributes.disposition_id.enum.18 {'caption': 'Tagged', 'description': 'A file or other... ADD
ADD events.network_activity.attributes.disposition_id.enum.7.description A custom action was executed such as running of a... ADD
ADD events.network_activity.attributes.disposition_id.enum.24 {'caption': 'Access Revoked', 'description': "The... ADD
ADD events.network_activity.attributes.disposition_id.enum.23 {'caption': 'Challenge', 'description': "Ran a silent... ADD
ADD events.network_activity.attributes.activity_id.enum.99 {'caption': 'Other', 'description': 'The event activity... ADD
ADD events.network_activity.attributes.disposition_id.enum.19 {'caption': 'Alert', 'description': 'The request or... ADD
ADD events.network_activity.attributes.status_detail.requirement optional ADD
ADD events.network_activity.attributes.disposition_id.enum.9 {'caption': 'Restored', 'description': 'A quarantined... ADD
ADD events.network_activity.attributes.proxy_endpoint {'description': 'The proxy (server) in a network... ADD
ADD events.network_activity.attributes.disposition_id.enum.99 {'caption': 'Other', 'description': 'The disposition is... ADD
ADD events.network_activity.attributes.proxy_traffic {'description': 'The network traffic refers to the... ADD
ADD events.network_activity.attributes.status_id.enum.99 {'caption': 'Other', 'description': 'The event status is... ADD
ADD events.network_activity.attributes.disposition_id.enum.26 {'caption': 'Unauthorized', 'description': "An attempt... ADD
ADD events.network_activity.attributes.enrichments.requirement optional ADD
ADD events.network_activity.attributes.firewall_rule {'requirement': 'optional', 'caption': 'Firewall Rule',... ADD
ADD events.network_activity.attributes.type_uid.enum.400106 {'caption': 'Network Activity: Traffic'} ADD
ADD events.network_activity.attributes.end_time.requirement optional ADD
ADD events.network_activity.attributes.count.requirement optional ADD
ADD events.network_activity.attributes.proxy_http_request {'description': 'The HTTP Request from the proxy server... ADD
ADD events.network_activity.attributes.disposition_id.enum.1.description Granted access or allowed the action to the protected resource. ADD
ADD events.network_activity.attributes.disposition_id.enum.8.description A request or submission was approved. For example, when... ADD
ADD events.network_activity.attributes.disposition_id.enum.3.description A suspicious file or other content was moved to a benign... ADD
ADD events.network_activity.attributes.disposition_id.enum.27 {'caption': 'Error', 'description': 'An error occurred... ADD
ADD events.network_activity.attributes.disposition_id.enum.17 {'caption': 'Logged', 'description': 'The operation or... ADD
ADD events.network_activity.attributes.activity_id.enum.6 {'caption': 'Traffic', 'description': 'Network traffic report.'} ADD
ADD events.network_activity.attributes.type_uid.enum.400199 {'caption': 'Network Activity: Other'} ADD
ADD events.network_activity.attributes.proxy_http_response {'description': 'The HTTP Response from the remote... ADD
ADD events.network_activity.attributes.type_uid.enum.400105 {'caption': 'Network Activity: Refuse'} ADD
ADD events.network_activity.attributes.status_id.enum.0.description The status is unknown. ADD
ADD events.network_activity.attributes.start_time.requirement optional ADD
ADD events.network_activity.attributes.duration.requirement optional ADD
ADD events.network_activity.attributes.disposition_id.enum.13.description A corrupt file or configuration was not corrected. ADD
ADD events.network_activity.attributes.severity_id.enum.99 {'caption': 'Other', 'description': 'The event/finding... ADD
ADD events.network_activity.attributes.cloud.group primary ADD
ADD events.network_activity.attributes.authorizations {'requirement': 'optional', 'caption': 'Authorization... ADD
ADD events.network_activity.attributes.disposition_id.enum.20 {'caption': 'Count', 'description': 'Counted the request... ADD
ADD events.network_activity.attributes.proxy.@deprecated {'message': 'Use the <code> proxy_endpoint </code>... ADD
ADD events.network_activity.attributes.disposition_id.enum.0.description The disposition was not known. ADD
ADD events.network_activity.attributes.disposition_id.enum.21 {'caption': 'Reset', 'description': 'The request was... ADD
ADD events.network_activity.attributes.action {'caption': 'Action', 'description': 'The normalized... ADD
ADD events.network_activity.attributes.url {'description': 'The URL details relevant to the network... ADD
ADD events.network_activity.attributes.proxy_tls {'description': 'The TLS protocol negotiated between the... ADD
ADD events.network_activity.attributes.disposition_id.enum.12.description A corrupt file or configuration was partially corrected. ADD
ADD events.network_activity.attributes.disposition_id.enum.6.description The request was detected as a threat and resulted in the... ADD
ADD events.network_activity.attributes.disposition_id.enum.2.description Denied access or blocked the action to the protected resource. ADD
ADD events.network_activity.attributes.disposition_id.enum.11.description A corrupt file or configuration was corrected. ADD
ADD events.network_activity.attributes.activity_id.enum.5 {'caption': 'Refuse', 'description': 'The network... ADD
ADD events.network_activity.attributes.proxy_connection_info {'description': 'The connection information from the... ADD
ADD events.network_activity.attributes.disposition_id.enum.4.description A session was isolated on the network or within a browser. ADD
ADD events.network_activity.attributes.status_code.requirement optional ADD
ADD events.network_activity.attributes.disposition_id.enum.25 {'caption': 'Rejected', 'description': "A request or... ADD
ADD events.network_activity.attributes.action_id {'caption': 'Action ID', 'description': "The action... ADD
ADD events.network_activity.attributes.disposition_id.enum.16 {'caption': 'No Action', 'description': 'The outcome of... ADD
ADD events.network_activity.attributes.disposition_id.enum.5.description A file or other content was deleted. ADD
ADD events.network_activity.attributes.load_balancer {'requirement': 'recommended', 'caption': 'Load... ADD
ADD events.network_activity.attributes.raw_data.requirement optional ADD
UPDATE events.network_activity.attributes.disposition_id.enum.-1 REMOVE
DEPRECATE events.network_activity.attributes.count.default 1 REMOVE
DEPRECATE events.network_activity.attributes.confidence {'group': 'classification', 'requirement': 'optional',... REMOVE
UPDATE events.network_activity.attributes.activity_id.enum.-1 REMOVE
UPDATE events.network_activity.attributes.severity_id.enum.-1 REMOVE
REMOVE events.network_activity.attributes.activity_id.$include REMOVE
IGNORE events.network_activity.attributes.class_uid.default REMOVE
DEPRECATE events.network_activity.attributes.data {'description': 'Additional data that is associated with... REMOVE
IGNORE events.network_activity.attributes.type_uid.enum.400099 REMOVE
UPDATE events.network_activity.attributes.status_id.enum.-1 REMOVE
IGNORE events.network_activity.attributes.category_uid.default REMOVE
UPDATE events.network_activity.attributes.attacks.description An array of <a target='_blank'... UPDATE
UPDATE events.network_activity.attributes.status.description The event status, normalized to the caption of the... UPDATE
REMOVE events.network_activity.attributes.disposition_id.enum.6.caption UPDATE
REMOVE events.network_activity.attributes.disposition_id.enum.8.caption UPDATE
REMOVE events.network_activity.attributes.disposition_id.enum.13.caption UPDATE
UPDATE events.network_activity.attributes.activity_id.enum.4.caption Fail UPDATE
REMOVE events.network_activity.attributes.disposition_id.enum.14.caption UPDATE
REMOVE events.network_activity.attributes.disposition_id.enum.12.caption UPDATE
DEPRECATE events.network_activity.attributes.severity_id.enum.0.description The event severity is not known. UPDATE
REMOVE events.network_activity.attributes.disposition_id.enum.11.caption UPDATE
UPDATE events.network_activity.attributes.activity_id.enum.4.description The network connection failed. For example a connection... UPDATE
REMOVE events.network_activity.attributes.disposition_id.enum.10.caption UPDATE
UPDATE events.network_activity.attributes.malware.description A list of Malware objects, describing details about the... UPDATE
IGNORE events.network_activity.extends UPDATE
REMOVE events.network_activity.attributes.disposition_id.enum.5.caption UPDATE
UPDATE events.network_activity.attributes.disposition.description The disposition name, normalized to the caption of the... UPDATE
UPDATE events.network_activity.attributes.time.description The normalized event occurrence time or the finding... UPDATE
REMOVE events.network_activity.attributes.disposition_id.enum.4.caption UPDATE
UPDATE events.network_activity.attributes.metadata.description The metadata associated with the event or a finding. UPDATE
UPDATE events.network_activity.attributes.malware.requirement optional UPDATE
REMOVE events.network_activity.attributes.disposition_id.requirement UPDATE
REMOVE events.network_activity.attributes.disposition_id.enum.2.caption UPDATE
UPDATE events.network_activity.attributes.device.description An addressable device, computer system or host. UPDATE
UPDATE events.network_activity.attributes.message.description The description of the event/finding, as defined by the source. UPDATE
REMOVE events.network_activity.attributes.disposition_id.enum.1.caption UPDATE
IGNORE events.network_activity.attributes.type_uid.enum.400104.caption UPDATE
DEPRECATE events.network_activity.attributes.disposition_id.enum.14.description No longer suspicious (re-scored). UPDATE
UPDATE events.network_activity.attributes.cloud.description Describes details about the Cloud environment where the... UPDATE
REMOVE events.network_activity.attributes.disposition_id.enum.7.caption UPDATE
UPDATE events.network_activity.attributes.observables.description The observables associated with the event or a finding. UPDATE
UPDATE events.network_activity.attributes.proxy.description The proxy (server) in a network connection. UPDATE
REMOVE events.network_activity.attributes.disposition_id.enum.3.caption UPDATE
DEPRECATE events.network_activity.attributes.disposition_id.enum.15.description Marked with extended attributes. UPDATE
UPDATE events.network_activity.attributes.status_detail.description The status details contains additional information about... UPDATE
IGNORE events.network_activity.profiles UPDATE
UPDATE events.network_activity.attributes.type_name.description The event/finding type name, as defined by the type_uid. UPDATE
DEPRECATE events.network_activity.attributes.disposition_id.enum.10.description Requires reboot to finish the operation. UPDATE
REMOVE events.network_activity.attributes.disposition_id.enum.15.caption UPDATE
UPDATE events.network_activity.attributes.enrichments.description The additional information from an external data source,... UPDATE
REMOVE events.network_activity.attributes.attacks.caption UPDATE
IGNORE events.network_activity.attributes.type_uid.description UPDATE
UPDATE events.network_activity.attributes.severity.description The event/finding severity, normalized to the caption of... UPDATE
REMOVE events.network_activity.attributes.disposition_id.description UPDATE
IGNORE events.network_activity.attributes.type_uid.type UPDATE
UPDATE events.network_activity.attributes.actor.description The actor object describes details about the... UPDATE
UPDATE events.network_activity.attributes.severity_id.description <p>The normalized identifier of the event/finding... UPDATE
ADD events.dns_activity.attributes.disposition_id.enum.4.description A session was isolated on the network or within a browser. ADD
ADD events.dns_activity.attributes.proxy_traffic {'description': 'The network traffic refers to the... ADD
ADD events.dns_activity.attributes.disposition_id.enum.25 {'caption': 'Rejected', 'description': "A request or... ADD
ADD events.dns_activity.attributes.disposition_id.enum.12.description A corrupt file or configuration was partially corrected. ADD
ADD events.dns_activity.attributes.disposition_id.enum.7.description A custom action was executed such as running of a... ADD
ADD events.dns_activity.attributes.disposition_id.enum.9 {'caption': 'Restored', 'description': 'A quarantined... ADD
ADD events.dns_activity.attributes.disposition_id.enum.3.description A suspicious file or other content was moved to a benign... ADD
ADD events.dns_activity.attributes.cloud.group primary ADD
ADD events.dns_activity.attributes.count.requirement optional ADD
ADD events.dns_activity.attributes.status_detail.requirement optional ADD
ADD events.dns_activity.attributes.disposition_id.enum.22 {'caption': 'Captcha', 'description': 'Required the end... ADD
ADD events.dns_activity.attributes.proxy_endpoint {'description': 'The proxy (server) in a network... ADD
ADD events.dns_activity.attributes.status_code.requirement optional ADD
ADD events.dns_activity.attributes.disposition_id.enum.24 {'caption': 'Access Revoked', 'description': "The... ADD
ADD events.dns_activity.attributes.firewall_rule {'requirement': 'optional', 'caption': 'Firewall Rule',... ADD
ADD events.dns_activity.attributes.enrichments.requirement optional ADD
ADD events.dns_activity.attributes.duration.requirement optional ADD
ADD events.dns_activity.attributes.disposition_id.enum.8.description A request or submission was approved. For example, when... ADD
ADD events.dns_activity.attributes.status_id.enum.99 {'caption': 'Other', 'description': 'The event status is... ADD
ADD events.dns_activity.attributes.type_uid.enum.400306 {'caption': 'DNS Activity: Traffic'} ADD
ADD events.dns_activity.attributes.proxy_connection_info {'description': 'The connection information from the... ADD
ADD events.dns_activity.attributes.disposition_id.enum.16 {'caption': 'No Action', 'description': 'The outcome of... ADD
ADD events.dns_activity.attributes.disposition_id.enum.99 {'caption': 'Other', 'description': 'The disposition is... ADD
ADD events.dns_activity.attributes.load_balancer {'requirement': 'recommended', 'caption': 'Load... ADD
ADD events.dns_activity.attributes.disposition_id.enum.23 {'caption': 'Challenge', 'description': "Ran a silent... ADD
ADD events.dns_activity.attributes.start_time.requirement optional ADD
ADD events.dns_activity.attributes.disposition_id.enum.5.description A file or other content was deleted. ADD
ADD events.dns_activity.attributes.disposition_id.enum.20 {'caption': 'Count', 'description': 'Counted the request... ADD
ADD events.dns_activity.attributes.disposition_id.enum.0.description The disposition was not known. ADD
ADD events.dns_activity.attributes.disposition_id.enum.11.description A corrupt file or configuration was corrected. ADD
ADD events.dns_activity.attributes.disposition_id.enum.13.description A corrupt file or configuration was not corrected. ADD
ADD events.dns_activity.attributes.proxy_http_request {'description': 'The HTTP Request from the proxy server... ADD
ADD events.dns_activity.attributes.raw_data.requirement optional ADD
ADD events.dns_activity.attributes.activity_id.enum.99 {'caption': 'Other', 'description': 'The event activity... ADD
ADD events.dns_activity.attributes.disposition_id.enum.21 {'caption': 'Reset', 'description': 'The request was... ADD
ADD events.dns_activity.attributes.proxy.@deprecated {'message': 'Use the <code> proxy_endpoint </code>... ADD
ADD events.dns_activity.attributes.disposition_id.enum.17 {'caption': 'Logged', 'description': 'The operation or... ADD
ADD events.dns_activity.attributes.authorizations {'requirement': 'optional', 'caption': 'Authorization... ADD
ADD events.dns_activity.attributes.status_id.enum.0.description The status is unknown. ADD
ADD events.dns_activity.attributes.proxy_http_response {'description': 'The HTTP Response from the remote... ADD
ADD events.dns_activity.attributes.action {'caption': 'Action', 'description': 'The normalized... ADD
ADD events.dns_activity.attributes.api {'requirement': 'optional', 'group': 'context',... ADD
ADD events.dns_activity.attributes.severity_id.enum.99 {'caption': 'Other', 'description': 'The event/finding... ADD
ADD events.dns_activity.attributes.action_id {'caption': 'Action ID', 'description': "The action... ADD
ADD events.dns_activity.attributes.proxy_tls {'description': 'The TLS protocol negotiated between the... ADD
ADD events.dns_activity.attributes.disposition_id.enum.18 {'caption': 'Tagged', 'description': 'A file or other... ADD
ADD events.dns_activity.attributes.disposition_id.enum.6.description The request was detected as a threat and resulted in the... ADD
ADD events.dns_activity.attributes.end_time.requirement optional ADD
ADD events.dns_activity.attributes.type_uid.enum.400399 {'caption': 'DNS Activity: Other'} ADD
ADD events.dns_activity.attributes.disposition_id.enum.2.description Denied access or blocked the action to the protected resource. ADD
ADD events.dns_activity.attributes.disposition_id.enum.27 {'caption': 'Error', 'description': 'An error occurred... ADD
ADD events.dns_activity.attributes.disposition_id.enum.1.description Granted access or allowed the action to the protected resource. ADD
ADD events.dns_activity.attributes.unmapped.requirement optional ADD
ADD events.dns_activity.attributes.disposition_id.enum.26 {'caption': 'Unauthorized', 'description': "An attempt... ADD
ADD events.dns_activity.attributes.disposition_id.enum.19 {'caption': 'Alert', 'description': 'The request or... ADD
ADD events.dns_activity.attributes.activity_id.enum.6 {'caption': 'Traffic', 'description': 'Bidirectional DNS... ADD
ADD events.dns_activity.attributes.rcode_id.enum.99 {'caption': 'Other', 'description': 'The dns response... ADD
UPDATE events.dns_activity.attributes.severity_id.enum.-1 REMOVE
REMOVE events.dns_activity.attributes.activity_id.$include REMOVE
UPDATE events.dns_activity.attributes.rcode_id.enum.-1 REMOVE
IGNORE events.dns_activity.attributes.type_uid.enum.400303 REMOVE
IGNORE events.dns_activity.attributes.type_uid.enum.400101 REMOVE
IGNORE events.dns_activity.attributes.class_uid.default REMOVE
DEPRECATE events.dns_activity.attributes.count.default 1 REMOVE
IGNORE events.dns_activity.attributes.type_uid.enum.400099 REMOVE
IGNORE events.dns_activity.attributes.type_uid.enum.400100 REMOVE
UPDATE events.dns_activity.attributes.disposition_id.enum.-1 REMOVE
UPDATE events.dns_activity.attributes.status_id.enum.-1 REMOVE
IGNORE events.dns_activity.attributes.type_uid.enum.400102 REMOVE
IGNORE events.dns_activity.attributes.type_uid.enum.400304 REMOVE
UPDATE events.dns_activity.attributes.activity_id.enum.3 REMOVE
IGNORE events.dns_activity.attributes.type_uid.enum.400299 REMOVE
UPDATE events.dns_activity.attributes.activity_id.enum.4 REMOVE
IGNORE events.dns_activity.attributes.type_uid.enum.400104 REMOVE
UPDATE events.dns_activity.attributes.activity_id.enum.-1 REMOVE
IGNORE events.dns_activity.attributes.type_uid.enum.400103 REMOVE
IGNORE events.dns_activity.attributes.category_uid.default REMOVE
DEPRECATE events.dns_activity.attributes.data {'description': 'Additional data that is associated with... REMOVE
DEPRECATE events.dns_activity.attributes.confidence {'group': 'classification', 'requirement': 'optional',... REMOVE
REMOVE events.dns_activity.attributes.disposition_id.enum.5.caption UPDATE
DEPRECATE events.dns_activity.attributes.disposition_id.enum.14.description No longer suspicious (re-scored). UPDATE
UPDATE events.dns_activity.attributes.observables.description The observables associated with the event or a finding. UPDATE
UPDATE events.dns_activity.attributes.device.description An addressable device, computer system or host. UPDATE
REMOVE events.dns_activity.attributes.disposition_id.enum.12.caption UPDATE
REMOVE events.dns_activity.attributes.disposition_id.enum.3.caption UPDATE
REMOVE events.dns_activity.attributes.disposition_id.enum.14.caption UPDATE
IGNORE events.dns_activity.attributes.type_uid.type UPDATE
UPDATE events.dns_activity.attributes.severity_id.description <p>The normalized identifier of the event/finding... UPDATE
REMOVE events.dns_activity.attributes.disposition_id.enum.1.caption UPDATE
REMOVE events.dns_activity.attributes.disposition_id.enum.2.caption UPDATE
UPDATE events.dns_activity.attributes.status_detail.description The status details contains additional information about... UPDATE
UPDATE events.dns_activity.attributes.attacks.description An array of <a target='_blank'... UPDATE
UPDATE events.dns_activity.attributes.type_name.description The event/finding type name, as defined by the type_uid. UPDATE
REMOVE events.dns_activity.attributes.disposition_id.requirement UPDATE
REMOVE events.dns_activity.attributes.disposition_id.enum.11.caption UPDATE
UPDATE events.dns_activity.attributes.enrichments.description The additional information from an external data source,... UPDATE
IGNORE events.dns_activity.extends UPDATE
UPDATE events.dns_activity.attributes.message.description The description of the event/finding, as defined by the source. UPDATE
UPDATE events.dns_activity.attributes.status.description The event status, normalized to the caption of the... UPDATE
UPDATE events.dns_activity.attributes.activity_id.enum.2.caption Response UPDATE
DEPRECATE events.dns_activity.attributes.disposition_id.enum.15.description Marked with extended attributes. UPDATE
IGNORE events.dns_activity.profiles UPDATE
REMOVE events.dns_activity.attributes.attacks.caption UPDATE
UPDATE events.dns_activity.attributes.actor.description The actor object describes details about the... UPDATE
UPDATE events.dns_activity.attributes.disposition.description The disposition name, normalized to the caption of the... UPDATE
REMOVE events.dns_activity.attributes.disposition_id.enum.4.caption UPDATE
REMOVE events.dns_activity.attributes.disposition_id.enum.6.caption UPDATE
IGNORE events.dns_activity.attributes.type_uid.enum.400302.caption UPDATE
UPDATE events.dns_activity.attributes.malware.requirement optional UPDATE
UPDATE events.dns_activity.attributes.dst_endpoint.requirement recommended UPDATE
REMOVE events.dns_activity.attributes.disposition_id.enum.7.caption UPDATE
UPDATE events.dns_activity.attributes.severity.description The event/finding severity, normalized to the caption of... UPDATE
UPDATE events.dns_activity.attributes.proxy.description The proxy (server) in a network connection. UPDATE
DEPRECATE events.dns_activity.attributes.severity_id.enum.0.description The event severity is not known. UPDATE
UPDATE events.dns_activity.attributes.activity_id.enum.1.description The DNS query request. UPDATE
UPDATE events.dns_activity.attributes.activity_id.enum.2.description The DNS query response. UPDATE
REMOVE events.dns_activity.attributes.disposition_id.description UPDATE
REMOVE events.dns_activity.attributes.disposition_id.enum.8.caption UPDATE
UPDATE events.dns_activity.attributes.activity_id.enum.1.caption Query UPDATE
UPDATE events.dns_activity.attributes.malware.description A list of Malware objects, describing details about the... UPDATE
UPDATE events.dns_activity.attributes.metadata.description The metadata associated with the event or a finding. UPDATE
UPDATE events.dns_activity.attributes.rcode.description The DNS server response code, normalized to the caption... UPDATE
REMOVE events.dns_activity.attributes.disposition_id.enum.13.caption UPDATE
REMOVE events.dns_activity.attributes.disposition_id.enum.15.caption UPDATE
REMOVE events.dns_activity.attributes.disposition_id.enum.10.caption UPDATE
DEPRECATE events.dns_activity.attributes.disposition_id.enum.10.description Requires reboot to finish the operation. UPDATE
UPDATE events.dns_activity.attributes.cloud.description Describes details about the Cloud environment where the... UPDATE
IGNORE events.dns_activity.attributes.type_uid.enum.400301.caption UPDATE
IGNORE events.dns_activity.attributes.type_uid.description UPDATE
UPDATE events.dns_activity.attributes.time.description The normalized event occurrence time or the finding... UPDATE
ADD events.http_activity.attributes.disposition_id.enum.3.description A suspicious file or other content was moved to a benign... ADD
ADD events.http_activity.attributes.status_id.enum.99 {'caption': 'Other', 'description': 'The event status is... ADD
ADD events.http_activity.attributes.disposition_id.enum.17 {'caption': 'Logged', 'description': 'The operation or... ADD
ADD events.http_activity.attributes.disposition_id.enum.1.description Granted access or allowed the action to the protected resource. ADD
ADD events.http_activity.attributes.start_time.requirement optional ADD
ADD events.http_activity.attributes.type_uid.enum.400206 {'caption': 'HTTP Activity: Post'} ADD
ADD events.http_activity.attributes.proxy_tls {'description': 'The TLS protocol negotiated between the... ADD
ADD events.http_activity.attributes.disposition_id.enum.13.description A corrupt file or configuration was not corrected. ADD
ADD events.http_activity.attributes.disposition_id.enum.26 {'caption': 'Unauthorized', 'description': "An attempt... ADD
ADD events.http_activity.attributes.activity_id.enum.99 {'caption': 'Other', 'description': 'The event activity... ADD
ADD events.http_activity.attributes.disposition_id.enum.25 {'caption': 'Rejected', 'description': "A request or... ADD
ADD events.http_activity.attributes.disposition_id.enum.8.description A request or submission was approved. For example, when... ADD
ADD events.http_activity.attributes.status_code.requirement optional ADD
ADD events.http_activity.attributes.disposition_id.enum.11.description A corrupt file or configuration was corrected. ADD
ADD events.http_activity.attributes.unmapped.requirement optional ADD
ADD events.http_activity.attributes.activity_id.enum.8 {'caption': 'Trace', 'description': 'The TRACE method... ADD
ADD events.http_activity.attributes.disposition_id.enum.19 {'caption': 'Alert', 'description': 'The request or... ADD
ADD events.http_activity.attributes.disposition_id.enum.23 {'caption': 'Challenge', 'description': "Ran a silent... ADD
ADD events.http_activity.attributes.raw_data.requirement optional ADD
ADD events.http_activity.attributes.cloud.group primary ADD
ADD events.http_activity.attributes.disposition_id.enum.0.description The disposition was not known. ADD
ADD events.http_activity.attributes.disposition_id.enum.2.description Denied access or blocked the action to the protected resource. ADD
ADD events.http_activity.attributes.action {'caption': 'Action', 'description': 'The normalized... ADD
ADD events.http_activity.attributes.status_detail.requirement optional ADD
ADD events.http_activity.attributes.disposition_id.enum.22 {'caption': 'Captcha', 'description': 'Required the end... ADD
ADD events.http_activity.attributes.load_balancer {'requirement': 'recommended', 'caption': 'Load... ADD
ADD events.http_activity.attributes.firewall_rule {'requirement': 'optional', 'caption': 'Firewall Rule',... ADD
ADD events.http_activity.attributes.disposition_id.enum.99 {'caption': 'Other', 'description': 'The disposition is... ADD
ADD events.http_activity.attributes.http_response.group primary ADD
ADD events.http_activity.attributes.action_id {'caption': 'Action ID', 'description': "The action... ADD
ADD events.http_activity.attributes.type_uid.enum.400299 {'caption': 'HTTP Activity: Other'} ADD
ADD events.http_activity.attributes.proxy_connection_info {'description': 'The connection information from the... ADD
ADD events.http_activity.attributes.disposition_id.enum.27 {'caption': 'Error', 'description': 'An error occurred... ADD
ADD events.http_activity.attributes.count.requirement optional ADD
ADD events.http_activity.attributes.duration.requirement optional ADD
ADD events.http_activity.attributes.proxy_http_response {'description': 'The HTTP Response from the remote... ADD
ADD events.http_activity.attributes.severity_id.enum.99 {'caption': 'Other', 'description': 'The event/finding... ADD
ADD events.http_activity.attributes.http_status.@deprecated {'message': 'Use the <code> http_response.code </code>... ADD
ADD events.http_activity.attributes.authorizations {'requirement': 'optional', 'caption': 'Authorization... ADD
ADD events.http_activity.attributes.disposition_id.enum.12.description A corrupt file or configuration was partially corrected. ADD
ADD events.http_activity.attributes.type_uid.enum.400208 {'caption': 'HTTP Activity: Trace'} ADD
ADD events.http_activity.attributes.disposition_id.enum.5.description A file or other content was deleted. ADD
ADD events.http_activity.attributes.disposition_id.enum.4.description A session was isolated on the network or within a browser. ADD
ADD events.http_activity.attributes.disposition_id.enum.9 {'caption': 'Restored', 'description': 'A quarantined... ADD
ADD events.http_activity.attributes.proxy_traffic {'description': 'The network traffic refers to the... ADD
ADD events.http_activity.attributes.activity_id.enum.5 {'caption': 'Options', 'description': 'The OPTIONS... ADD
ADD events.http_activity.attributes.disposition_id.enum.24 {'caption': 'Access Revoked', 'description': "The... ADD
ADD events.http_activity.attributes.disposition_id.enum.16 {'caption': 'No Action', 'description': 'The outcome of... ADD
ADD events.http_activity.attributes.activity_id.enum.6 {'caption': 'Post', 'description': 'The POST method... ADD
ADD events.http_activity.attributes.api {'requirement': 'optional', 'group': 'context',... ADD
ADD events.http_activity.attributes.http_cookies {'group': 'primary', 'requirement': 'optional',... ADD
ADD events.http_activity.attributes.end_time.requirement optional ADD
ADD events.http_activity.attributes.proxy_http_request {'description': 'The HTTP Request from the proxy server... ADD
ADD events.http_activity.attributes.activity_id.enum.7 {'caption': 'Put', 'description': 'The PUT method... ADD
ADD events.http_activity.attributes.proxy_endpoint {'description': 'The proxy (server) in a network... ADD
ADD events.http_activity.attributes.http_request.group primary ADD
ADD events.http_activity.attributes.type_uid.enum.400205 {'caption': 'HTTP Activity: Options'} ADD
ADD events.http_activity.attributes.disposition_id.enum.6.description The request was detected as a threat and resulted in the... ADD
ADD events.http_activity.attributes.proxy.@deprecated {'message': 'Use the <code> proxy_endpoint </code>... ADD
ADD events.http_activity.attributes.disposition_id.enum.18 {'caption': 'Tagged', 'description': 'A file or other... ADD
ADD events.http_activity.attributes.disposition_id.enum.7.description A custom action was executed such as running of a... ADD
ADD events.http_activity.attributes.disposition_id.enum.21 {'caption': 'Reset', 'description': 'The request was... ADD
ADD events.http_activity.attributes.type_uid.enum.400207 {'caption': 'HTTP Activity: Put'} ADD
ADD events.http_activity.attributes.status_id.enum.0.description The status is unknown. ADD
ADD events.http_activity.attributes.disposition_id.enum.20 {'caption': 'Count', 'description': 'Counted the request... ADD
ADD events.http_activity.attributes.enrichments.requirement optional ADD
IGNORE events.http_activity.attributes.type_uid.enum.400199 REMOVE
UPDATE events.http_activity.attributes.activity_id.enum.-1 REMOVE
IGNORE events.http_activity.attributes.type_uid.enum.400102 REMOVE
IGNORE events.http_activity.attributes.type_uid.enum.400101 REMOVE
IGNORE events.http_activity.attributes.type_uid.enum.400103 REMOVE
UPDATE events.http_activity.attributes.status_id.enum.-1 REMOVE
UPDATE events.http_activity.attributes.disposition_id.enum.-1 REMOVE
DEPRECATE events.http_activity.attributes.data {'description': 'Additional data that is associated with... REMOVE
DEPRECATE events.http_activity.attributes.count.default 1 REMOVE
DEPRECATE events.http_activity.attributes.confidence {'group': 'classification', 'requirement': 'optional',... REMOVE
IGNORE events.http_activity.attributes.class_uid.default REMOVE
IGNORE events.http_activity.attributes.type_uid.enum.400100 REMOVE
IGNORE events.http_activity.attributes.category_uid.default REMOVE
IGNORE events.http_activity.attributes.type_uid.enum.400099 REMOVE
REMOVE events.http_activity.attributes.activity_id.$include REMOVE
IGNORE events.http_activity.attributes.type_uid.enum.400104 REMOVE
UPDATE events.http_activity.attributes.severity_id.enum.-1 REMOVE
UPDATE events.http_activity.attributes.actor.description The actor object describes details about the... UPDATE
REMOVE events.http_activity.attributes.attacks.caption UPDATE
REMOVE events.http_activity.attributes.disposition_id.enum.8.caption UPDATE
REMOVE events.http_activity.attributes.disposition_id.enum.7.caption UPDATE
REMOVE events.http_activity.attributes.disposition_id.enum.10.caption UPDATE
REMOVE events.http_activity.attributes.disposition_id.enum.11.caption UPDATE
UPDATE events.http_activity.attributes.activity_id.enum.2.caption Delete UPDATE
REMOVE events.http_activity.attributes.disposition_id.enum.6.caption UPDATE
UPDATE events.http_activity.attributes.activity_id.enum.3.caption Get UPDATE
UPDATE events.http_activity.attributes.type_name.description The event/finding type name, as defined by the type_uid. UPDATE
UPDATE events.http_activity.attributes.http_request.description The HTTP Request Object documents attributes of a... UPDATE
REMOVE events.http_activity.attributes.disposition_id.enum.4.caption UPDATE
UPDATE events.http_activity.attributes.disposition.description The disposition name, normalized to the caption of the... UPDATE
REMOVE events.http_activity.attributes.disposition_id.enum.3.caption UPDATE
DEPRECATE events.http_activity.attributes.disposition_id.enum.10.description Requires reboot to finish the operation. UPDATE
REMOVE events.http_activity.attributes.disposition_id.enum.5.caption UPDATE
UPDATE events.http_activity.attributes.malware.description A list of Malware objects, describing details about the... UPDATE
IGNORE events.http_activity.attributes.type_uid.enum.400202.caption UPDATE
UPDATE events.http_activity.attributes.metadata.description The metadata associated with the event or a finding. UPDATE
UPDATE events.http_activity.attributes.time.description The normalized event occurrence time or the finding... UPDATE
UPDATE events.http_activity.attributes.severity_id.description <p>The normalized identifier of the event/finding... UPDATE
UPDATE events.http_activity.attributes.status.description The event status, normalized to the caption of the... UPDATE
UPDATE events.http_activity.attributes.severity.description The event/finding severity, normalized to the caption of... UPDATE
UPDATE events.http_activity.attributes.activity_id.enum.3.description The GET method requests a representation of the... UPDATE
REMOVE events.http_activity.attributes.disposition_id.enum.2.caption UPDATE
REMOVE events.http_activity.attributes.disposition_id.enum.13.caption UPDATE
UPDATE events.http_activity.attributes.cloud.description Describes details about the Cloud environment where the... UPDATE
UPDATE events.http_activity.attributes.activity_id.enum.1.description The CONNECT method establishes a tunnel to the server... UPDATE
REMOVE events.http_activity.attributes.disposition_id.enum.15.caption UPDATE
UPDATE events.http_activity.attributes.activity_id.enum.1.caption Connect UPDATE
UPDATE events.http_activity.attributes.device.description An addressable device, computer system or host. UPDATE
IGNORE events.http_activity.attributes.type_uid.description UPDATE
UPDATE events.http_activity.attributes.observables.description The observables associated with the event or a finding. UPDATE
UPDATE events.http_activity.attributes.activity_id.enum.4.description The HEAD method asks for a response identical to a GET... UPDATE
UPDATE events.http_activity.attributes.attacks.description An array of <a target='_blank'... UPDATE
UPDATE events.http_activity.attributes.activity_id.enum.4.caption Head UPDATE
IGNORE events.http_activity.attributes.type_uid.type UPDATE
UPDATE events.http_activity.attributes.enrichments.description The additional information from an external data source,... UPDATE
REMOVE events.http_activity.attributes.disposition_id.enum.1.caption UPDATE
IGNORE events.http_activity.extends UPDATE
REMOVE events.http_activity.attributes.disposition_id.requirement UPDATE
REMOVE events.http_activity.attributes.disposition_id.description UPDATE
REMOVE events.http_activity.attributes.disposition_id.enum.14.caption UPDATE
UPDATE events.http_activity.attributes.activity_id.enum.2.description The DELETE method deletes the specified resource. UPDATE
IGNORE events.http_activity.attributes.type_uid.enum.400201.caption UPDATE
UPDATE events.http_activity.attributes.malware.requirement optional UPDATE
REMOVE events.http_activity.attributes.disposition_id.enum.12.caption UPDATE
IGNORE events.http_activity.profiles UPDATE
DEPRECATE events.http_activity.attributes.disposition_id.enum.15.description Marked with extended attributes. UPDATE
UPDATE events.http_activity.attributes.proxy.description The proxy (server) in a network connection. UPDATE
DEPRECATE events.http_activity.attributes.severity_id.enum.0.description The event severity is not known. UPDATE
IGNORE events.http_activity.attributes.type_uid.enum.400204.caption UPDATE
UPDATE events.http_activity.attributes.status_detail.description The status details contains additional information about... UPDATE
DEPRECATE events.http_activity.attributes.disposition_id.enum.14.description No longer suspicious (re-scored). UPDATE
IGNORE events.http_activity.attributes.type_uid.enum.400203.caption UPDATE
UPDATE events.http_activity.attributes.message.description The description of the event/finding, as defined by the source. UPDATE
ADD events.email_file_activity.attributes.type_uid.enum.401199 {'caption': 'Email File Activity: Other'} ADD
ADD events.email_file_activity.attributes.type_uid.enum.401101 {'caption': 'Email File Activity: Send'} ADD
ADD events.email_file_activity.attributes.disposition_id.enum.6.description The request was detected as a threat and resulted in the... ADD
ADD events.email_file_activity.attributes.type_uid.enum.401100 {'caption': 'Email File Activity: Unknown'} ADD
ADD events.email_file_activity.attributes.category_uid.enum.4 {'caption': 'Network Activity', 'description': 'Network... ADD
ADD events.email_file_activity.attributes.disposition_id.enum.2.description Denied access or blocked the action to the protected resource. ADD
ADD events.email_file_activity.attributes.count.requirement optional ADD
ADD events.email_file_activity.attributes.disposition_id.enum.24 {'caption': 'Access Revoked', 'description': "The... ADD
ADD events.email_file_activity.attributes.activity_id.enum.2 {'caption': 'Receive'} ADD
ADD events.email_file_activity.attributes.disposition_id.enum.12.description A corrupt file or configuration was partially corrected. ADD
ADD events.email_file_activity.attributes.disposition_id.enum.0.description The disposition was not known. ADD
ADD events.email_file_activity.attributes.type_uid.enum.401103 {'caption': 'Email File Activity: Scan'} ADD
ADD events.email_file_activity.attributes.authorizations {'requirement': 'optional', 'caption': 'Authorization... ADD
ADD events.email_file_activity.attributes.status_id.enum.99 {'caption': 'Other', 'description': 'The event status is... ADD
ADD events.email_file_activity.attributes.action_id {'caption': 'Action ID', 'description': "The action... ADD
ADD events.email_file_activity.attributes.disposition_id.enum.26 {'caption': 'Unauthorized', 'description': "An attempt... ADD
ADD events.email_file_activity.attributes.disposition_id.enum.4.description A session was isolated on the network or within a browser. ADD
ADD events.email_file_activity.attributes.start_time.requirement optional ADD
ADD events.email_file_activity.attributes.raw_data.requirement optional ADD
ADD events.email_file_activity.attributes.action {'caption': 'Action', 'description': 'The normalized... ADD
ADD events.email_file_activity.attributes.api {'requirement': 'optional', 'group': 'context',... ADD
ADD events.email_file_activity.attributes.severity_id.enum.99 {'caption': 'Other', 'description': 'The event/finding... ADD
ADD events.email_file_activity.attributes.disposition_id.enum.27 {'caption': 'Error', 'description': 'An error occurred... ADD
ADD events.email_file_activity.attributes.status_detail.requirement optional ADD
ADD events.email_file_activity.attributes.disposition_id.enum.21 {'caption': 'Reset', 'description': 'The request was... ADD
ADD events.email_file_activity.attributes.disposition_id.enum.18 {'caption': 'Tagged', 'description': 'A file or other... ADD
ADD events.email_file_activity.attributes.disposition_id.enum.19 {'caption': 'Alert', 'description': 'The request or... ADD
ADD events.email_file_activity.attributes.disposition_id.enum.16 {'caption': 'No Action', 'description': 'The outcome of... ADD
ADD events.email_file_activity.attributes.status_code.requirement optional ADD
ADD events.email_file_activity.attributes.disposition_id.enum.25 {'caption': 'Rejected', 'description': "A request or... ADD
ADD events.email_file_activity.attributes.firewall_rule {'requirement': 'optional', 'caption': 'Firewall Rule',... ADD
ADD events.email_file_activity.attributes.disposition_id.enum.1.description Granted access or allowed the action to the protected resource. ADD
ADD events.email_file_activity.attributes.disposition_id.enum.9 {'caption': 'Restored', 'description': 'A quarantined... ADD
ADD events.email_file_activity.attributes.duration.requirement optional ADD
ADD events.email_file_activity.attributes.disposition_id.enum.23 {'caption': 'Challenge', 'description': "Ran a silent... ADD
ADD events.email_file_activity.attributes.disposition_id.enum.8.description A request or submission was approved. For example, when... ADD
ADD events.email_file_activity.attributes.disposition_id.enum.17 {'caption': 'Logged', 'description': 'The operation or... ADD
ADD events.email_file_activity.attributes.disposition_id.enum.5.description A file or other content was deleted. ADD
ADD events.email_file_activity.attributes.enrichments.requirement optional ADD
ADD events.email_file_activity.attributes.disposition_id.enum.11.description A corrupt file or configuration was corrected. ADD
ADD events.email_file_activity.attributes.class_uid.enum.4011 {'caption': 'Email File Activity', 'description': 'Email... ADD
ADD events.email_file_activity.attributes.activity_id.enum.99 {'caption': 'Other', 'description': 'The event activity... ADD
ADD events.email_file_activity.attributes.unmapped.requirement optional ADD
ADD events.email_file_activity.attributes.status_id.enum.0.description The status is unknown. ADD
ADD events.email_file_activity.attributes.activity_id.enum.3 {'caption': 'Scan', 'description': 'Email file being... ADD
ADD events.email_file_activity.attributes.cloud.group primary ADD
ADD events.email_file_activity.attributes.disposition_id.enum.13.description A corrupt file or configuration was not corrected. ADD
ADD events.email_file_activity.attributes.disposition_id.enum.7.description A custom action was executed such as running of a... ADD
ADD events.email_file_activity.attributes.disposition_id.enum.22 {'caption': 'Captcha', 'description': 'Required the end... ADD
ADD events.email_file_activity.attributes.disposition_id.enum.3.description A suspicious file or other content was moved to a benign... ADD
ADD events.email_file_activity.attributes.disposition_id.enum.99 {'caption': 'Other', 'description': 'The disposition is... ADD
ADD events.email_file_activity.attributes.end_time.requirement optional ADD
ADD events.email_file_activity.attributes.disposition_id.enum.20 {'caption': 'Count', 'description': 'Counted the request... ADD
ADD events.email_file_activity.attributes.type_uid.enum.401102 {'caption': 'Email File Activity: Receive'} ADD
DEPRECATE events.email_file_activity.attributes.actor.group primary REMOVE
PRESERVE events.email_file_activity.associations {'device': ['actor.user'], 'actor.user': ['device']} REMOVE
REMOVE events.email_file_activity.attributes.activity_id.$include REMOVE
IGNORE events.email_file_activity.attributes.class_uid.enum.1001 REMOVE
REMOVE events.email_file_activity.attributes.$include REMOVE
IGNORE events.email_file_activity.attributes.category_uid.default REMOVE
UPDATE events.email_file_activity.attributes.disposition_id.enum.-1 REMOVE
IGNORE events.email_file_activity.attributes.class_uid.default REMOVE
DEPRECATE events.email_file_activity.attributes.device.group primary REMOVE
IGNORE events.email_file_activity.attributes.type_uid.enum.100100 REMOVE
DEPRECATE events.email_file_activity.attributes.confidence {'group': 'classification', 'requirement': 'optional',... REMOVE
IGNORE events.email_file_activity.attributes.category_uid.enum.1 REMOVE
UPDATE events.email_file_activity.attributes.status_id.enum.-1 REMOVE
IGNORE events.email_file_activity.extension REMOVE
UPDATE events.email_file_activity.attributes.severity_id.enum.-1 REMOVE
DEPRECATE events.email_file_activity.attributes.connection_uid {'requirement': 'optional', 'group': 'context',... REMOVE
DEPRECATE events.email_file_activity.attributes.count.default 1 REMOVE
IGNORE events.email_file_activity.attributes.type_uid.enum.100099 REMOVE
UPDATE events.email_file_activity.attributes.activity_id.enum.-1 REMOVE
IGNORE events.email_file_activity.attributes.type_uid.enum.100101 REMOVE
DEPRECATE events.email_file_activity.attributes.data {'description': 'Additional data that is associated with... REMOVE
UPDATE events.email_file_activity.attributes.severity.description The event/finding severity, normalized to the caption of... UPDATE
IGNORE events.email_file_activity.profiles UPDATE
REMOVE events.email_file_activity.attributes.disposition_id.enum.8.caption UPDATE
REMOVE events.email_file_activity.attributes.disposition_id.enum.14.caption UPDATE
UPDATE events.email_file_activity.attributes.device.description An addressable device, computer system or host. UPDATE
DEPRECATE events.email_file_activity.attributes.severity_id.enum.0.description The event severity is not known. UPDATE
REMOVE events.email_file_activity.attributes.disposition_id.enum.7.caption UPDATE
UPDATE events.email_file_activity.attributes.metadata.description The metadata associated with the event or a finding. UPDATE
UPDATE events.email_file_activity.attributes.actor.description The actor object describes details about the... UPDATE
REMOVE events.email_file_activity.attributes.disposition_id.enum.11.caption UPDATE
REMOVE events.email_file_activity.attributes.disposition_id.enum.3.caption UPDATE
UPDATE events.email_file_activity.attributes.malware.description A list of Malware objects, describing details about the... UPDATE
IGNORE events.email_file_activity.attributes.type_uid.type UPDATE
UPDATE events.email_file_activity.attributes.message.description The description of the event/finding, as defined by the source. UPDATE
UPDATE events.email_file_activity.attributes.activity_id.requirement optional UPDATE
REMOVE events.email_file_activity.attributes.disposition_id.description UPDATE
IGNORE events.email_file_activity.extends UPDATE
REMOVE events.email_file_activity.attributes.disposition_id.enum.15.caption UPDATE
UPDATE events.email_file_activity.attributes.severity_id.description <p>The normalized identifier of the event/finding... UPDATE
REMOVE events.email_file_activity.attributes.disposition_id.enum.5.caption UPDATE
UPDATE events.email_file_activity.description Email File Activity events report files within emails. UPDATE
REMOVE events.email_file_activity.attributes.disposition_id.enum.6.caption UPDATE
UPDATE events.email_file_activity.attributes.time.description The normalized event occurrence time or the finding... UPDATE
REMOVE events.email_file_activity.attributes.disposition_id.enum.1.caption UPDATE
UPDATE events.email_file_activity.category network UPDATE
REMOVE events.email_file_activity.attributes.disposition_id.enum.13.caption UPDATE
UPDATE events.email_file_activity.attributes.status_detail.description The status details contains additional information about... UPDATE
UPDATE events.email_file_activity.attributes.email_uid.requirement required UPDATE
REMOVE events.email_file_activity.attributes.attacks.caption UPDATE
UPDATE events.email_file_activity.attributes.status.description The event status, normalized to the caption of the... UPDATE
DEPRECATE events.email_file_activity.attributes.disposition_id.enum.14.description No longer suspicious (re-scored). UPDATE
UPDATE events.email_file_activity.attributes.observables.description The observables associated with the event or a finding. UPDATE
UPDATE events.email_file_activity.attributes.cloud.description Describes details about the Cloud environment where the... UPDATE
REMOVE events.email_file_activity.attributes.disposition_id.enum.2.caption UPDATE
DEPRECATE events.email_file_activity.attributes.disposition_id.enum.15.description Marked with extended attributes. UPDATE
IGNORE events.email_file_activity.uid UPDATE
REMOVE events.email_file_activity.attributes.disposition_id.enum.4.caption UPDATE
REMOVE events.email_file_activity.attributes.disposition_id.enum.10.caption UPDATE
REMOVE events.email_file_activity.attributes.disposition_id.enum.12.caption UPDATE
UPDATE events.email_file_activity.attributes.enrichments.description The additional information from an external data source,... UPDATE
DEPRECATE events.email_file_activity.attributes.disposition_id.enum.10.description Requires reboot to finish the operation. UPDATE
UPDATE events.email_file_activity.attributes.activity_id.enum.1.caption Send UPDATE
UPDATE events.email_file_activity.attributes.malware.requirement optional UPDATE
UPDATE events.email_file_activity.attributes.disposition.description The disposition name, normalized to the caption of the... UPDATE
IGNORE events.email_file_activity.attributes.type_uid.description UPDATE
REMOVE events.email_file_activity.attributes.disposition_id.requirement UPDATE
UPDATE events.email_file_activity.attributes.type_name.description The event/finding type name, as defined by the type_uid. UPDATE
UPDATE events.email_file_activity.attributes.attacks.description An array of <a target='_blank'... UPDATE
ADD events.email_activity.attributes.disposition_id.enum.26 {'caption': 'Unauthorized', 'description': "An attempt... ADD
ADD events.email_activity.attributes.disposition_id.enum.16 {'caption': 'No Action', 'description': 'The outcome of... ADD
ADD events.email_activity.attributes.src_endpoint {'description': 'The initiator (client) sending the... ADD
ADD events.email_activity.attributes.status_detail.requirement optional ADD
ADD events.email_activity.attributes.disposition_id.enum.23 {'caption': 'Challenge', 'description': "Ran a silent... ADD
ADD events.email_activity.attributes.activity_id.enum.3 {'caption': 'Scan', 'description': 'Email being scanned... ADD
ADD events.email_activity.attributes.disposition_id.enum.9 {'caption': 'Restored', 'description': 'A quarantined... ADD
ADD events.email_activity.attributes.action {'caption': 'Action', 'description': 'The normalized... ADD
ADD events.email_activity.attributes.activity_id.enum.99 {'caption': 'Other', 'description': 'The event activity... ADD
ADD events.email_activity.attributes.disposition_id.enum.13.description A corrupt file or configuration was not corrected. ADD
ADD events.email_activity.attributes.status_id.enum.99 {'caption': 'Other', 'description': 'The event status is... ADD
ADD events.email_activity.attributes.enrichments.requirement optional ADD
ADD events.email_activity.attributes.severity_id.enum.99 {'caption': 'Other', 'description': 'The event/finding... ADD
ADD events.email_activity.attributes.attempt {'requirement': 'optional', 'description': 'The attempt... ADD
ADD events.email_activity.attributes.action_id {'caption': 'Action ID', 'description': "The action... ADD
ADD events.email_activity.attributes.disposition_id.enum.27 {'caption': 'Error', 'description': 'An error occurred... ADD
ADD events.email_activity.attributes.status_id.enum.0.description The status is unknown. ADD
ADD events.email_activity.attributes.type_uid.enum {'400901': {'caption': 'Email Activity: Send'},... ADD
ADD events.email_activity.attributes.authorizations {'requirement': 'optional', 'caption': 'Authorization... ADD
ADD events.email_activity.attributes.direction {'description': 'The direction of the email, as defined... ADD
ADD events.email_activity.attributes.disposition_id.enum.18 {'caption': 'Tagged', 'description': 'A file or other... ADD
ADD events.email_activity.attributes.disposition_id.enum.22 {'caption': 'Captcha', 'description': 'Required the end... ADD
ADD events.email_activity.uid 9 ADD
ADD events.email_activity.attributes.cloud.group primary ADD
ADD events.email_activity.attributes.banner {'requirement': 'optional', 'group': 'context',... ADD
ADD events.email_activity.attributes.disposition_id.enum.2.description Denied access or blocked the action to the protected resource. ADD
ADD events.email_activity.attributes.raw_data.requirement optional ADD
ADD events.email_activity.attributes.start_time.requirement optional ADD
ADD events.email_activity.attributes.disposition_id.enum.25 {'caption': 'Rejected', 'description': "A request or... ADD
ADD events.email_activity.attributes.email_auth {'requirement': 'recommended', 'group': 'primary',... ADD
ADD events.email_activity.attributes.duration.requirement optional ADD
ADD events.email_activity.attributes.count.requirement optional ADD
ADD events.email_activity.attributes.dst_endpoint {'description': 'The responder (server) receiving the... ADD
ADD events.email_activity.attributes.disposition_id.enum.11.description A corrupt file or configuration was corrected. ADD
ADD events.email_activity.attributes.disposition_id.enum.99 {'caption': 'Other', 'description': 'The disposition is... ADD
ADD events.email_activity.attributes.category_uid.enum.4 {'caption': 'Network Activity', 'description': 'Network... ADD
ADD events.email_activity.attributes.api {'requirement': 'optional', 'group': 'context',... ADD
ADD events.email_activity.attributes.disposition_id.enum.21 {'caption': 'Reset', 'description': 'The request was... ADD
ADD events.email_activity.attributes.disposition_id.enum.24 {'caption': 'Access Revoked', 'description': "The... ADD
ADD events.email_activity.attributes.disposition_id.enum.17 {'caption': 'Logged', 'description': 'The operation or... ADD
ADD events.email_activity.attributes.disposition_id.enum.20 {'caption': 'Count', 'description': 'Counted the request... ADD
ADD events.email_activity.attributes.email {'requirement': 'required', 'group': 'primary',... ADD
ADD events.email_activity.attributes.disposition_id.enum.12.description A corrupt file or configuration was partially corrected. ADD
ADD events.email_activity.attributes.end_time.requirement optional ADD
ADD events.email_activity.attributes.disposition_id.enum.8.description A request or submission was approved. For example, when... ADD
ADD events.email_activity.attributes.class_uid.enum.4009 {'caption': 'Email Activity', 'description': 'Email... ADD
ADD events.email_activity.attributes.disposition_id.enum.1.description Granted access or allowed the action to the protected resource. ADD
ADD events.email_activity.attributes.status_code.requirement optional ADD
ADD events.email_activity.attributes.activity_id.enum.2 {'caption': 'Receive'} ADD
ADD events.email_activity.attributes.disposition_id.enum.0.description The disposition was not known. ADD
ADD events.email_activity.attributes.disposition_id.enum.4.description A session was isolated on the network or within a browser. ADD
ADD events.email_activity.attributes.disposition_id.enum.5.description A file or other content was deleted. ADD
ADD events.email_activity.attributes.direction_id {'description': '<p>The direction of the email relative... ADD
ADD events.email_activity.attributes.disposition_id.enum.3.description A suspicious file or other content was moved to a benign... ADD
ADD events.email_activity.attributes.disposition_id.enum.19 {'caption': 'Alert', 'description': 'The request or... ADD
ADD events.email_activity.attributes.unmapped.requirement optional ADD
ADD events.email_activity.attributes.firewall_rule {'requirement': 'optional', 'caption': 'Firewall Rule',... ADD
ADD events.email_activity.attributes.smtp_hello {'description': 'The value of the SMTP HELO or EHLO... ADD
ADD events.email_activity.attributes.disposition_id.enum.6.description The request was detected as a threat and resulted in the... ADD