# Alert Data Version 3.5 | **Field Name** | **Data Type** | | --------------------------------------- | :-----------: | | ads.token.id | string | | ads.token.id.keyword | string | | ads.token.reminder\_text | string | | ads.token.type | string | | ads.token.useragent | string | | agent.type | text | | alert.level | string | | alert.level.keyword | string | | alert.timestamp | date | | clientID | string | | clientID.keyword | string | | cloud.account.id | text | | cloud.instance.name | text | | cloud.provider | text | | cloud.region | text | | cloud.service.name | text | | destination.as.organization.name | text | | destination.bytes | int | | destination.domain | text | | destination.geo.city\_name | text | | destination.geo.continent\_code | text | | destination.geo.country\_code | text | | destination.geo.country\_name | text | | destination.geo.location.lat | geopoint | | destination.geo.location.lon | geopoint | | destination.geo.region\_name | text | | destination.ip | ip | | destination.locality | text | | destination.port | int | | destination.user.email | text | | destination.user.name | text | | dns.question.name | | | dns.response\_code | text | | dns.type | text | | email.attachments | text | | email.attachments.file.hash.md5 | text | | email.attachments.file.hash.sha1 | text | | email.attachments.file.hash.sha256 | text | | email.attachments.file.mime\_type | text | | email.attachments.file.name | text | | email.attachments.file.size | int | | email.from.address | text | | email.subject | text | | email.to.address | text | | event.action | text | | event.action.keyword | string | | event.category | text | | event.channel | text | | event.code | int | | event.created | date | | event.dataset | text | | event.id | text | | event.kind | text | | event.kind.keyword | string | | event.module | text | | event.original | text | | event.outcome | text | | event.reason | text | | event.severity | text | | event.type | text | | events.event.created | date | | events.event\_host | string | | events.event\_host.keyword | string | | events.index | string | | events.index.keyword | string | | events.observer.type | string | | events.observer.type.keyword | string | | events.record\_number | string | | events.record\_number.keyword | string | | events.uuid | string | | events.uuid.keyword | string | | falsepositives | string | | falsepositives.keyword | string | | file.hash.imphash | text | | file.hash.md5 | text | | file.hash.sha1 | text | | file.hash.sha256 | text | | file.name | text | | file.owner | text | | file.path | text | | file.size | int | | host.ip | ip | | host.name | text | | http.request.bytes | int | | http.request.method | text | | http.request.mime\_type | text | | http.request.referrer | text | | http.response.bytes | int | | http.response.mime\_type | text | | http.response.status\_code | int | | log.type | text | | network.application | text | | network.bytes | int | | network.community.id | text | | network.community\_id | text | | network.direction | text | | network.packets | int | | network.protocol | text | | network.transport | text | | observer.type | text | | organisation.id | text | | process.command\_line | text | | process.executable | text | | process.hash.imphash | text | | process.hash.md5 | text | | process.hash.sha1 | text | | process.hash.sha256 | text | | process.name | text | | process.parent.command\_line | text | | process.parent.executable | text | | process.parent.hash.md5 | text | | process.parent.hash.sha1 | text | | process.parent.hash.sha256 | text | | process.parent.name | text | | process.parent.pid | int | | process.pe.company | text | | process.pe.description | text | | process.pe.original\_file\_name | text | | process.pe.product | text | | process.pid | int | | process.working\_directory | text | | registry.hive | text | | registry.key | text | | registry.path | text | | registry.value | text | | related.hash | text | | related.hosts | text | | related.ip | text | | related.user | text | | rule.author | text | | rule.category | text | | rule.description | text | | rule.id | text | | rule.license | text | | rule.name | text | | rule.reference | text | | rule.ruleset | text | | rule.uuid | text | | sensor.id | text | | source.as.number | text | | source.as.organization.name | text | | source.bytes | int | | source.domain | text | | source.geo.city\_name | text | | source.geo.continent\_code | text | | source.geo.country\_code | text | | source.geo.country\_name | text | | source.geo.location.lat | geopoint | | source.geo.location.lon | geopoint | | source.geo.region\_name | text | | source.ip | ip | | source.locality | text | | source.port | int | | source.user.email | text | | source.user.name | text | | threat.software.id | text | | threat.software.name | text | | threat.software.platforms | text | | threat.software.reference | text | | threat.software.type | text | | threat.tactic.id | text | | threat.tactic.name | text | | threat.tactic.reference | text | | threat.technique.id | text | | threat.technique.name | text | | threat.technique.reference | text | | threat.technique.subtechnique.id | text | | threat.technique.subtechnique.name | text | | threat.technique.subtechnique.reference | text | | threatintel.days | int | | threatintel.entity | array | | threatintel.event\_data | text | | threatintel.lookup | text | | threatintel.malware.malware | text | | threatintel.malware.timestamp | date/time | | threatintel.severity | text | | threatintel.tags | text | | threatintel.white\_list | text | | url.original | text | | user.domain | | | user.name | text | | user\_agent.original | text | | uuid | text | | winlog.consumer | | | winlog.eventtype | | | winlog.grantedaccess | | | winlog.initiated | | | winlog.integritylevel | | | winlog.state | | | winlog.targetimage | | | winlog.user | | | winlog.wmi\_filter\_path | | | winlog.wmi\_name | | | winlog.wmi\_namespace | | | winlog.wmi\_operation | |