Alert Data

Field Name

ads.token.id

ads.token.id.keyword

ads.token.reminder_text

ads.token.type

ads.token.useragent

agent.type

alert.level

alert.level.keyword

alert.timestamp

clientID

clientID.keyword

cloud.account.id

cloud.instance.name

cloud.provider

cloud.region

cloud.service.name

destination.as.organization.name

destination.bytes

destination.domain

destination.geo.city_name

destination.geo.continent_code

destination.geo.country_code

destination.geo.country_name

destination.geo.location.lat

destination.geo.location.lon

destination.geo.region_name

destination.ip

destination.locality

destination.port

destination.user.email

destination.user.name

dns.question.name

dns.response_code

dns.type

email.attachments

email.attachments.file.hash.md5

email.attachments.file.hash.sha1

email.attachments.file.hash.sha256

email.attachments.file.mime_type

email.attachments.file.name

email.attachments.file.size

email.from.address

email.subject

email.to.address

event.action

event.action.keyword

event.category

event.channel

event.code

event.created

event.dataset

event.id

event.kind

event.kind.keyword

event.module

event.original

event.outcome

event.reason

event.severity

event.type

events.event.created

events.event_host

events.event_host.keyword

events.index

events.index.keyword

events.observer.type

events.observer.type.keyword

events.record_number

events.record_number.keyword

events.uuid

events.uuid.keyword

falsepositives

falsepositives.keyword

file.hash.imphash

file.hash.md5

file.hash.sha1

file.hash.sha256

file.name

file.owner

file.path

file.size

host.ip

host.name

http.request.bytes

http.request.method

http.request.mime_type

http.request.referrer

http.response.bytes

http.response.mime_type

http.response.status_code

log.type

network.application

network.bytes

network.community.id

network.community_id

network.direction

network.packets

network.protocol

network.transport

observer.type

organisation.id

process.command_line

process.executable

process.hash.imphash

process.hash.md5

process.hash.sha1

process.hash.sha256

process.name

process.parent.command_line

process.parent.executable

process.parent.hash.md5

process.parent.hash.sha1

process.parent.hash.sha256

process.parent.name

process.parent.pid

process.pe.company

process.pe.description

process.pe.original_file_name

process.pe.product

process.pid

process.working_directory

registry.hive

registry.key

registry.path

registry.value

related.hash

related.hosts

related.ip

related.user

rule.author

rule.category

rule.description

rule.id

rule.license

rule.name

rule.reference

rule.ruleset

rule.uuid

sensor.id

source.as.number

source.as.organization.name

source.bytes

source.domain

source.geo.city_name

source.geo.continent_code

source.geo.country_code

source.geo.country_name

source.geo.location.lat

source.geo.location.lon

source.geo.region_name

source.ip

source.locality

source.port

source.user.email

source.user.name

threat.software.id

threat.software.name

threat.software.platforms

threat.software.reference

threat.software.type

threat.tactic.id

threat.tactic.name

threat.tactic.reference

threat.technique.id

threat.technique.name

threat.technique.reference

threat.technique.subtechnique.id

threat.technique.subtechnique.name

threat.technique.subtechnique.reference

threatintel.days

threatintel.entity

threatintel.event_data

threatintel.lookup

threatintel.malware.malware

threatintel.malware.timestamp

threatintel.severity

threatintel.tags

threatintel.white_list

url.original

user.domain

user.name

user_agent.original

uuid

winlog.consumer

winlog.eventtype

winlog.grantedaccess

winlog.initiated

winlog.integritylevel

winlog.state

winlog.targetimage

winlog.user

winlog.wmi_filter_path

winlog.wmi_name

winlog.wmi_namespace

winlog.wmi_operation