
Attributes You Can Map to Records

This topic lists the schema attributes that you can map to Records. Note that you can map any of the attributes defined below to any record type. For information about all schema attributes, including those that cannot be mapped to Records, for example enrichment fields, see Schema Attributes.  

| Field | Type | Description |
|---|---|---|
| accountId | string | Account identifiers used in logs from environments where multiple accounts can be used. This is common for cloud providers like AWS. |
| action | string | Indicates the action taken by the monitored product (the log producer) when something harmful occurred. For example, when a firewall log indicates a bad network packet, the action is that the firewall blocked the connection. |
| application | string | The name of the software that is the subject of this message. Of interest to those who write mappers: sometimes this software is the source of the message. In other cases a single source may produce messages related to many different applications and must name them explicitly. |
| baseImage | string | The base image of a process (for example, notepad.exe). |
| bytesIn | long | Amount of data received, in bytes. |
| bytesOut | long | Amount of data sent, in bytes. |
| changeTarget | string | The user account that was affected by a change. |
| changeType | string | Category of change the user made. |
| commandLine | string | The command run by the user using a shell. |
| description | string | The description of the log event. |
| device_hostname | string | Fully Qualified Domain Name that uniquely and absolutely names a computer. If name normalization occurs, this will be the normalized name. |
| device_ip | string | The native assigned IP address of the device. |
| device_mac | string | The hardware identification number that uniquely identifies the device on a network. |
| device_natIp | string | The external IP in cases where the internal IP goes through network address translation. |
| device_osName | string | Operating system running on this device. |
| device_uniqueId | string | The source-specific identifier for the device (if available). This is frequently an instance ID in cloud environments. |
| dns_query | string | The entire request made from the client machine to the DNS server. |
| dns_queryDomain | string | This should be conditionally populated if the DNS request contains a domain. |
| dns_queryType | string | The type of query that was made by the client machine. |
| dns_reply | string | The DNS reply, which can be a single record or multiple records concatenated into a string. |
| dns_replyDomain | string | This should be conditionally populated if the DNS reply is a domain. |
| dns_replyIp | string | This should be conditionally populated if the DNS reply is an IP address. |
| dns_returnCode | string | Code indicating the outcome of a DNS request. |
| dstDevice_hostname | string | Fully Qualified Domain Name that uniquely and absolutely names a computer. If name normalization occurs, this will be the normalized name. |
| dstDevice_ip | string | The native assigned IP address of the device. |
| dstDevice_mac | string | The hardware identification number that uniquely identifies the device on a network. |
| dstDevice_natIp | string | The external IP in cases where the internal IP goes through network address translation. |
| dstDevice_osName | string | Operating system running on this device. |
| dstDevice_uniqueId | string | The source-specific identifier for the device (if available). This is frequently an instance ID in cloud environments. |
| dstPort | int | The destination port for the network transaction. |
| email_messageId | string | Unique identifier of the email. |
| email_sender | string | Email address of the user that sent the email. |
| email_subject | string | Subject of the email. |
| file_basename | string | The base file name plus extension (if present), minus any path components. |
| file_hash_imphash | string | File hash created using the IMPHASH algorithm. |
| file_hash_md5 | string | File hash created using the MD5 algorithm. |
| file_hash_pehash | string | File hash created using the PEHASH algorithm. |
| file_hash_sha1 | string | File hash created using the SHA1 algorithm. |
| file_hash_sha256 | string | File hash created using the SHA256 algorithm. |
| file_hash_ssdeep | string | File hash created using the SSDEEP algorithm. |
| file_mimeType | string | Two-part identifier for file formats and format contents transmitted on the Internet. |
| file_path | string | The full path (if possible) of the file. This field may contain partial paths and serves as the general placeholder for path fields. |
| file_size | long | Count of bytes taken up by the file. |
| file_uid | string | The data source-specific unique identifier for the file. |
| flowState | string | The state of the flow when the netflow log was generated. |
| fromUser_authDomain | string | The domain associated with this particular user (e.g. sumologic.com, sumologic.local). |
| fromUser_email | string | The associated email address assigned to this user. |
| fromUser_userId | string | The source unique identifier for the user account. |
| fromUser_username | string | The name commonly used to identify the user. Does not include domain. If name normalization occurs, this will be the normalized name. |
| http_contentLength | int | The number of bytes of data in the body of the response. |
| http_hostname | string | Hostname from the client request. |
| http_method | string | Type of request being made (e.g. GET or POST). |
| http_referer | string | Identifies the address of the webpage (i.e. the URI or IRI) which is linked to the resource being requested. |
| http_response_contentLength | int | The number of bytes of data in the body of the response. |
| http_response_contentType | string | The format of the data in the HTTP response. |
| http_response_statusCode | int | The HTTP response code for a request. |
| http_response_statusText | string | Contains the status message corresponding to the status code. |
| http_url | string | URL that the request is being made to. |
| http_userAgent | string | Software agent that is acting on behalf of a user. |
| ipProtocol | string | The internet protocol used in the traffic that generated the log event. This should be the IP protocol keyword or the protocol number, such as ICMP or 1, TCP or 6, UDP or 17. |
| logonType | string | The type of authentication or logon that occurred. |
| moduleType | string | The type of files loaded by a process to extend functionality, such as DLLs. |
| normalizedSeverity | int | A normalized severity score, on a 1-5 scale with 1 being Informational and 5 being Critical. |
| packetsIn | long | The count of packets received in a network connection. |
| packetsOut | long | The count of packets sent in a network connection. |
| parentBaseImage | string | The base image name of a parent process (for example, notepad.exe). |
| parentCommandLine | string | The command line of a parent process. |
| parentPid | int | The process ID of the program that initiated a process. |
| pid | int | The process ID of the process itself. |
| processUid | string | A unique process identifier provided by the source record. |
| resource | string | A generic placeholder for the resource being accessed within a log. |
| severity | string | The source-specific severity level with no normalization. |
| sourceUid | string | A UID that is defined by the record itself. Each record is assigned a UID during mapping, but this is the unique identifier field that may exist within an originating record. |
| srcDevice_hostname | string | Fully Qualified Domain Name that uniquely and absolutely names a computer. If name normalization occurs, this will be the normalized name. |
| srcDevice_ip | string | The native assigned IP address of the device. |
| srcDevice_mac | string | The hardware identification number that uniquely identifies the device on a network. |
| srcDevice_natIp | string | The external IP in cases where the internal IP goes through network address translation. |
| srcDevice_osName | string | Operating system running on this device. |
| srcDevice_uniqueId | string | The source-specific identifier for the device (if available). This is frequently an instance ID in cloud environments. |
| srcPort | int | The port used to initiate a network connection. |
| success | boolean | Boolean value to show whether or not an action was successful. |
| tcpProtocol | string | Application layer protocol used to establish the connection. |
| threat_identifier | string | The identifier or indicator specific to a threat. Generally speaking, this should be populated with an indicator value. |
| threat_name | string | Name of the threat. |
| threat_referenceUrl | string | An external URL that can provide more information about the threat. This should NOT be the URL that represents an observed HTTP request. |
| timestamp | long | The timestamp of the event in milliseconds since epoch. |
| user_authDomain | string | The domain associated with this particular user (e.g. sumologic.com, sumologic.local). |
| user_email | string | The associated email address assigned to this user. |
| user_userId | string | The source unique identifier for the user account. |
| user_username | string | The name commonly used to identify the user. Does not include domain. If name normalization occurs, this will be the normalized name. |
| vuln_bugtraq | string | BugTraq is a full disclosure moderated mailing list for the detailed discussion and announcement of computer security vulnerabilities. |
| vuln_cert | string | CERT Coordination Center (CERT/CC) prioritizes coordination efforts on vulnerabilities. |
| vuln_cve | string | Common Vulnerabilities and Exposures identifier for the vulnerability. |
| vuln_cvss | string | CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat. |
| vuln_name | string | Name of the vulnerability. |
| vuln_reference | string | Location to find more information on the vulnerability. |
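The table above names the attributes and their types but does not show what a mapper has to do to fill them correctly: convert the source timestamp to epoch milliseconds, emit ipProtocol as a keyword or number, populate dns_replyIp or dns_replyDomain conditionally, keep normalizedSeverity within 1-5, and hand each attribute the declared type. The following is an added example, not Sumo Logic's own mapper or code: it maps one constructed DNS resolver event (the raw field names such as `ts`, `qname` and `answers` are invented for this illustration) onto a subset of the attributes listed above and then type-checks the result against that subset. The IANA protocol numbers used for ICMP, TCP and UDP are standard values, not assumptions.

```python
import ipaddress
from datetime import datetime

# Subset of the attribute table on this page: attribute name -> declared type.
SCHEMA = {
    "timestamp": "long", "device_hostname": "string",
    "srcDevice_ip": "string", "dstDevice_ip": "string",
    "srcPort": "int", "dstPort": "int", "ipProtocol": "string",
    "dns_query": "string", "dns_queryDomain": "string", "dns_queryType": "string",
    "dns_reply": "string", "dns_replyIp": "string", "dns_replyDomain": "string",
    "dns_returnCode": "string", "success": "boolean",
    "severity": "string", "normalizedSeverity": "int",
}

# Python type accepted for each declared type. bool subclasses int in Python,
# so the int/long check in validate_record() rejects bools explicitly.
_PY_TYPES = {"string": str, "int": int, "long": int, "boolean": bool}

# IANA protocol numbers for the keywords the table mentions.
_PROTO_NUMBERS = {"ICMP": 1, "TCP": 6, "UDP": 17}

# Constructed sample event from a hypothetical resolver; this raw format is invented.
SAMPLE_EVENT = {
    "ts": "2024-05-01T12:00:00+00:00",
    "resolver": "ns1.corp.example",
    "client": "198.51.100.7", "client_port": 51234,
    "server": "203.0.113.53", "server_port": 53,
    "proto": 17,
    "qname": "www.example.com", "qtype": "A",
    "answers": ["192.0.2.10"],
    "rcode": "NOERROR", "level": "info",
}


def normalize_ip_protocol(value):
    """Return the protocol as a keyword (ICMP, TCP, UDP) when known, otherwise as
    the protocol number in string form. Accepts either a keyword or a number."""
    text = str(value).strip().upper()
    if text in _PROTO_NUMBERS:
        return text
    if text.isdigit():
        for name, number in _PROTO_NUMBERS.items():
            if number == int(text):
                return name
        return str(int(text))
    raise ValueError(f"unrecognised ipProtocol: {value!r}")


def _is_ip(text):
    """True when text parses as an IPv4 or IPv6 address literal."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def map_dns_event(raw):
    """Map one constructed resolver event onto the record attributes above."""
    record = {
        "timestamp": int(datetime.fromisoformat(raw["ts"]).timestamp() * 1000),
        "device_hostname": raw["resolver"],
        "srcDevice_ip": raw["client"], "srcPort": raw["client_port"],
        "dstDevice_ip": raw["server"], "dstPort": raw["server_port"],
        "ipProtocol": normalize_ip_protocol(raw["proto"]),
        "dns_query": raw["qname"], "dns_queryType": raw["qtype"],
        "dns_returnCode": raw["rcode"],
        "success": raw["rcode"] == "NOERROR",
        "severity": raw["level"],            # source severity, unnormalized
        "normalizedSeverity": 1,             # a routine lookup is Informational
    }
    # dns_queryDomain is conditional: set it only when the query is a name.
    if not _is_ip(raw["qname"]):
        record["dns_queryDomain"] = raw["qname"]
    answers = raw.get("answers", [])
    if answers:
        # dns_reply carries every answer concatenated; the IP/domain variants are
        # populated only when an answer of that kind exists.
        record["dns_reply"] = ",".join(answers)
        ips = [a for a in answers if _is_ip(a)]
        names = [a for a in answers if not _is_ip(a)]
        if ips:
            record["dns_replyIp"] = ips[0]
        if names:
            record["dns_replyDomain"] = names[0]
    return record


def validate_record(record):
    """Return a list of problems: unmappable names, wrong types, out-of-range values."""
    problems = []
    for name, value in record.items():
        declared = SCHEMA.get(name)
        if declared is None:
            problems.append(f"{name}: not a mappable attribute")
            continue
        expected = _PY_TYPES[declared]
        if not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
            problems.append(f"{name}: expected {declared}, got {type(value).__name__}")
    sev = record.get("normalizedSeverity")
    if isinstance(sev, int) and not 1 <= sev <= 5:
        problems.append("normalizedSeverity: must be between 1 and 5")
    if "dns_replyIp" in record and not _is_ip(record["dns_replyIp"]):
        problems.append("dns_replyIp: not an IP address")
    return problems


if __name__ == "__main__":
    rec = map_dns_event(SAMPLE_EVENT)
    for key, value in rec.items():
        print(f"{key:20} {value}")
    print("problems:", validate_record(rec))
```

The validation step is where mapping mistakes surface before they reach detection rules: a port left as the string `"53"`, a severity outside 1-5, or an attribute name that is not in the table will all be reported rather than silently stored in the wrong shape.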