Schema Attributes

This topic defines the attributes in CSE Schema v3. 

accountId

Description: A unique identifier tied to an organizational account, such as a tenant. Common with cloud services where sub-accounts or multiple tenants can be present. Not to be used as a user account identifier.
Type: string
Can be set by mapping: True
Enrichment field: False

action

Description: Action summarizes an operation undertaken by a device or user and recorded in a log.
Type: string
Can be set by mapping: True
Enrichment field: False

application

Description: A service or software application referenced in a log indicating its execution, presence, or as context for a given event.
Type: string
Can be set by mapping: True
Enrichment field: False

authProvider

Description: The SSO provider for an authentication attempt. Often found in cloud authentication events and is expected to be NULL if SSO was not used for the authentication attempt.
Type: string
Can be set by mapping: True
Enrichment field: False

baseImage

Description: The name of an executable process. Often found in process auditing and malware detection events.
Type: string
Can be set by mapping: True
Enrichment field: False

bytesIn

Description: Amount of data received in bytes.
Type: long
Can be set by mapping: True
Enrichment field: False

bytesOut

Description: Amount of data sent in bytes.
Type: long
Can be set by mapping: True
Enrichment field: False

cause

Description: Complementary to Cause, this field describes the reason for any particular outcome in a record in a common way.
Type: string
Can be set by mapping: True
Enrichment field: False

changeTarget

Description: The user, group, policy or other resource which is to be or has been modified, deleted, or created.
Type: string
Can be set by mapping: True
Enrichment field: False

changeType

Description: The nature of the modification (modify, delete, create) and often the category of the object to be acted upon (user, group, policy, or other resource).
Type: string
Can be set by mapping: True
Enrichment field: False

commandLine

Description: The instruction or set of instructions entered into a text interface such as the command prompt (cmd.exe) or PowerShell on Windows, or a terminal on Unix-based systems.
Type: string
Can be set by mapping: True
Enrichment field: False

cseSignal

Description: Used for signals received via the log path, e.g. a scheduled search alert from CIP.
Type: map[string]string
Can be set by mapping: False
Enrichment field: False

day

Description: Day pulled from the timestamp.
Type: int
Can be set by mapping: False
Enrichment field: False

description

Description: The summary conveying the high-level meaning of a log message in a human-readable form. In some circumstances no summary is provided in the log; in that case this field is often manually defined in the mapping as a constant or as a lookup based on event IDs in the log message.
Type: string
Can be set by mapping: True
Enrichment field: False

device_hostname

Description: The computer name that generated the log message. Common examples include, but are not limited to, the endpoint reporting an infection or the network appliance reporting allowed or blocked network traffic. In cases where the log data has a source or destination context, there are situations where identical data is populated in one of those fields and this field. An example would be authentication logs from a firewall. The device_hostname would be the same as the dstDevice_hostname because the firewall is reporting a network authentication log about itself.
Type: string
Can be set by mapping: True
Enrichment field: False

device_hostname_raw

Description: The device hostname before any enrichments are applied, as the hostname appears in the original log message.
Type: string
Can be set by mapping: False
Enrichment field: True

device_ip

Description: The internet protocol (IP) address of a computer that generated the log message. Common examples include, but are not limited to, the endpoint reporting an infection or the network appliance reporting allowed or blocked network traffic. In cases where the log data has a source or destination context, there are situations where identical data is populated in one of those fields and this field. An example would be authentication logs from a firewall. The device_ip would be the same as the dstDevice_ip because the firewall is reporting a network authentication log about itself.
Type: string
Can be set by mapping: True
Enrichment field: False

device_ip_asnNumber

Description: The autonomous system number for the device IP address based on the MaxMind GeoIP database, typically assigned to internet service providers.
Type: int
Can be set by mapping: False
Enrichment field: True

device_ip_asnOrg

Description: The organization associated with the ASN based on the MaxMind GeoIP database, typically assigned to internet service providers.
Type: string
Can be set by mapping: False
Enrichment field: True

device_ip_city

Description: City for the device IP address based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

device_ip_countryCode

Description: Country code (e.g. US, CA, DE) for the device IP address based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

device_ip_countryName

Description: Name of the country for the device IP address based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

device_ip_ipv4IntValue

Description: The IPv4 address stored as an unsigned 64-bit integer value.
Type: long
Can be set by mapping: False
Enrichment field: True

device_ip_isInternal

Description: Signifies whether the device IP address is internal or external. True if internal, False if external.
Type: boolean
Can be set by mapping: False
Enrichment field: True

device_ip_isp

Description: Internet Service Provider for the device IP based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

device_ip_latitude

Description: Geographic latitude coordinate for the device IP address based on the MaxMind GeoIP database.
Type: float
Can be set by mapping: False
Enrichment field: True

device_ip_location

Description: This value is populated based on uploaded Network Blocks. When there is a match, it will be populated with the network block label.
Type: string
Can be set by mapping: False
Enrichment field: True

device_ip_longitude

Description: Longitude coordinate for the device IP address based on the MaxMind GeoIP database.
Type: float
Can be set by mapping: False
Enrichment field: True

device_ip_region

Description: State or Territory for the device IP address based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

device_ip_version

Description: Version of the IP protocol of the device IP.
Type: int
Can be set by mapping: False
Enrichment field: True

device_mac

Description: The media access control (MAC) ID of the device that generated the log message. Common examples include, but are not limited to, the endpoint reporting an infection or the network appliance reporting allowed or blocked network traffic. In cases where the log data has a source or destination context, there are situations where identical data is populated in one of those fields and this field. An example would be authentication logs from a firewall. The device_mac would be the same as the dstDevice_mac because the firewall is reporting a network authentication log about itself.
Type: string
Can be set by mapping: True
Enrichment field: False

device_natIp

Description: The external network address translated (NAT) IP address of the device that generated the log message. Common examples include, but are not limited to, the endpoint reporting an infection or the network appliance reporting allowed or blocked network traffic. In cases where the log data has a source or destination context, there are situations where identical data is populated in one of those fields and this field. An example would be authentication logs from a firewall. The device_natIp would be the same as the dstDevice_natIp because the firewall is reporting a network authentication log about itself.
Type: string
Can be set by mapping: True
Enrichment field: False

device_natIp_asnNumber

Description: The autonomous system number for the NAT device IP address based on the MaxMind GeoIP database, typically assigned to internet service providers.
Type: int
Can be set by mapping: False
Enrichment field: True

device_natIp_asnOrg

Description: The organization associated with the ASN based on the MaxMind GeoIP database, typically assigned to internet service providers.
Type: string
Can be set by mapping: False
Enrichment field: True

device_natIp_city

Description: City for the NAT device IP address based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

device_natIp_countryCode

Description: Country code (e.g. US, CA, DE) for the NAT device IP address based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

device_natIp_countryName

Description: Name of the country for the NAT device IP address based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

device_natIp_ipv4IntValue

Description: The IPv4 address stored as an unsigned 64-bit integer value.
Type: long
Can be set by mapping: False
Enrichment field: True

device_natIp_isInternal

Description: Signifies whether the NAT device IP address is internal or external. True if internal, False if external.
Type: boolean
Can be set by mapping: False
Enrichment field: True

device_natIp_isp

Description: Internet Service Provider for the NAT device IP based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

device_natIp_latitude

Description: Geographic latitude coordinate for the NAT device IP address based on the MaxMind GeoIP database.
Type: float
Can be set by mapping: False
Enrichment field: True

device_natIp_location

Description: This value is populated based on uploaded Network Blocks. When there is a match, it will be populated with the network block label.
Type: string
Can be set by mapping: False
Enrichment field: True

device_natIp_longitude

Description: Longitude coordinate for the NAT device IP address based on the MaxMind GeoIP database.
Type: float
Can be set by mapping: False
Enrichment field: True

device_natIp_region

Description: State or Territory for the NAT device IP address based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

device_natIp_version

Description: Version of the IP protocol of the NAT device IP.
Type: int
Can be set by mapping: False
Enrichment field: True

device_osName

Description: The operating system name present on the computer that generated the log message. Common examples include, but are not limited to, the endpoint reporting an infection or the network appliance reporting allowed or blocked network traffic. In cases where the log data has a source or destination context, there are situations where identical data is populated in one of those fields and this field. An example would be authentication logs from a firewall. The device_osName would be the same as the dstDevice_osName because the firewall is reporting a network authentication log about itself.
Type: string
Can be set by mapping: True
Enrichment field: False

device_uniqueId

Description: The vendor or product specific identifier for a computer that generated the log message. Common examples include, but are not limited to, the endpoint reporting an infection or the network appliance reporting allowed or blocked network traffic. This field is also frequently used by cloud providers to identify instances. In cases where the log data has a source or destination context, there are situations where identical data is populated in one of those fields and this field. An example would be authentication logs from a firewall. The device_mac would be the same as the dstDevice_mac because the firewall is reporting a network authentication log about itself.
Type: string
Can be set by mapping: True
Enrichment field: False

dns_query

Description: The entire DNS request made from the client machine to the DNS server.
Type: string
Can be set by mapping: True
Enrichment field: False

dns_queryDomain

Description: The fully qualified domain name being queried for in a DNS request, if present.
Type: string
Can be set by mapping: True
Enrichment field: False

dns_queryDomain_alexaRank

Description: Domain ranking in the Alexa top 10k sites. NULL if not in the list.
Type: long
Can be set by mapping: False
Enrichment field: True

dns_queryDomain_entropyFqdn

Description: The entropy calculation of the fqdn field.
Type: double
Can be set by mapping: False
Enrichment field: True

dns_queryDomain_entropyRootDomain

Description: The entropy calculation of the rootDomain field.
Type: double
Can be set by mapping: False
Enrichment field: True

dns_queryDomain_entropySubDomain

Description: Entropy is the measure of disorder; in this case it is calculated on the subdomain.
Type: double
Can be set by mapping: False
Enrichment field: True

dns_queryDomain_fqdn

Description: The fully qualified domain name (e.g. somehost.sumologic.com).
Type: string
Can be set by mapping: False
Enrichment field: True

dns_queryDomain_possibleDga

Description: Whether or not this domain was potentially created by a Domain Generation Algorithm (DGA), based on our backend analytics.
Type: boolean
Can be set by mapping: False
Enrichment field: True

dns_queryDomain_possibleDynDns

Description: Whether a dynamic (not static) IP address is likely associated with this domain.
Type: boolean
Can be set by mapping: False
Enrichment field: True

dns_queryDomain_rootDomain

Description: The root domain of the hostname (e.g. sumologic.com).
Type: string
Can be set by mapping: False
Enrichment field: True

dns_queryDomain_tld

Description: The top-level domain (TLD) field of the domain name (e.g. com, net, org).
Type: string
Can be set by mapping: False
Enrichment field: True

dns_queryType

Description: The type of DNS record which is being queried for by the client.
Type: string
Can be set by mapping: True
Enrichment field: False

dns_reply

Description: The DNS reply, which can be a single record or multiple records concatenated into a string.
Type: string
Can be set by mapping: True
Enrichment field: False

dns_replyDomain

Description: The domain contained within the DNS reply, if the reply contains a domain.
Type: string
Can be set by mapping: True
Enrichment field: False

dns_replyDomain_alexaRank

Description: Domain ranking in the Alexa top 10k sites. NULL if not in the list.
Type: long
Can be set by mapping: False
Enrichment field: True

dns_replyDomain_entropyFqdn

Description: The entropy calculation of the fqdn field.
Type: double
Can be set by mapping: False
Enrichment field: True

dns_replyDomain_entropyRootDomain

Description: The entropy calculation of the rootDomain field.
Type: double
Can be set by mapping: False
Enrichment field: True

dns_replyDomain_entropySubDomain

Description: Entropy is the measure of disorder; in this case it is calculated on the subdomain.
Type: double
Can be set by mapping: False
Enrichment field: True

dns_replyDomain_fqdn

Description: The fully qualified domain name (e.g. somehost.sumologic.com).
Type: string
Can be set by mapping: False
Enrichment field: True

dns_replyDomain_possibleDga

Description: Whether or not this domain was potentially created by a Domain Generation Algorithm (DGA), based on our backend analytics.
Type: boolean
Can be set by mapping: False
Enrichment field: True

dns_replyDomain_possibleDynDns

Description: Whether a dynamic (not static) IP address is likely associated with this domain.
Type: boolean
Can be set by mapping: False
Enrichment field: True

dns_replyDomain_rootDomain

Description: The root domain of the hostname (e.g. sumologic.com).
Type: string
Can be set by mapping: False
Enrichment field: True

dns_replyDomain_tld

Description: The top-level domain (TLD) field of the domain name (e.g. com, net, org).
Type: string
Can be set by mapping: False
Enrichment field: True

dns_replyIp

Description: The IP address contained within the DNS reply, if the reply contains an IP address.
Type: string
Can be set by mapping: True
Enrichment field: False

dns_replyIp_asnNumber

Description: The autonomous system number for the DNS reply IP address based on the MaxMind GeoIP database, typically assigned to internet service providers.
Type: int
Can be set by mapping: False
Enrichment field: True

dns_replyIp_asnOrg

Description: The organization associated with the ASN based on the MaxMind GeoIP database, typically assigned to internet service providers.
Type: string
Can be set by mapping: False
Enrichment field: True

dns_replyIp_city

Description: City for the DNS reply IP address based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

dns_replyIp_countryCode

Description: Country code (e.g. US, CA, DE) for the DNS reply IP address based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

dns_replyIp_countryName

Description: Name of the country for the DNS reply IP address based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

dns_replyIp_ipv4IntValue

Description: The IPv4 address stored as an unsigned 64-bit integer value.
Type: long
Can be set by mapping: False
Enrichment field: True

dns_replyIp_isInternal

Description: Signifies whether the DNS reply IP address is internal or external. True if internal, False if external.
Type: boolean
Can be set by mapping: False
Enrichment field: True

dns_replyIp_isp

Description: Internet Service Provider for the DNS reply IP based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

dns_replyIp_latitude

Description: Geographic latitude coordinate for the DNS reply IP address based on the MaxMind GeoIP database.
Type: float
Can be set by mapping: False
Enrichment field: True

dns_replyIp_location

Description: This value is populated based on uploaded Network Blocks. When there is a match, it will be populated with the network block label.
Type: string
Can be set by mapping: False
Enrichment field: True

dns_replyIp_longitude

Description: Longitude coordinate for the DNS reply IP address based on the MaxMind GeoIP database.
Type: float
Can be set by mapping: False
Enrichment field: True

dns_replyIp_region

Description: State or Territory for the DNS reply IP address based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

dns_replyIp_version

Description: Version of the IP protocol of the DNS reply IP.
Type: int
Can be set by mapping: False
Enrichment field: True

dns_returnCode

Description: The code or message indicating the outcome of a DNS request.
Type: string
Can be set by mapping: True
Enrichment field: False

dstDevice_hostname

Description: The name of the host for which network traffic is destined.
Type: string
Can be set by mapping: True
Enrichment field: False

dstDevice_hostname_raw

Description: The destination device hostname before any enrichments are applied, as the hostname appears in the original log message.
Type: string
Can be set by mapping: False
Enrichment field: True

dstDevice_ip

Description: The IP address of the host for which network traffic is destined.
Type: string
Can be set by mapping: True
Enrichment field: False

dstDevice_ip_asnNumber

Description: The autonomous system number for the destination device IP address based on the MaxMind GeoIP database, typically assigned to internet service providers.
Type: int
Can be set by mapping: False
Enrichment field: True

dstDevice_ip_asnOrg

Description: The organization associated with the ASN based on the MaxMind GeoIP database, typically assigned to internet service providers.
Type: string
Can be set by mapping: False
Enrichment field: True

dstDevice_ip_city

Description: City for the destination device IP address based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

dstDevice_ip_countryCode

Description: Country code (e.g. US, CA, DE) for the destination device IP address based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

dstDevice_ip_countryName

Description: Name of the country for the destination device IP address based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

dstDevice_ip_ipv4IntValue

Description: The IPv4 address stored as an unsigned 64-bit integer value.
Type: long
Can be set by mapping: False
Enrichment field: True

dstDevice_ip_isInternal

Description: Signifies whether the destination device IP address is internal or external. True if internal, False if external.
Type: boolean
Can be set by mapping: False
Enrichment field: True

dstDevice_ip_isp

Description: Internet Service Provider for the destination device IP based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

dstDevice_ip_latitude

Description: Geographic latitude coordinate for the destination device IP address based on the MaxMind GeoIP database.
Type: float
Can be set by mapping: False
Enrichment field: True

dstDevice_ip_location

Description: This value is populated based on uploaded Network Blocks. When there is a match, it will be populated with the network block label.
Type: string
Can be set by mapping: False
Enrichment field: True

dstDevice_ip_longitude

Description: Longitude coordinate for the destination device IP address based on the MaxMind GeoIP database.
Type: float
Can be set by mapping: False
Enrichment field: True

dstDevice_ip_region

Description: State or Territory for the destination device IP address based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

dstDevice_ip_version

Description: Version of the IP protocol of the destination device IP.
Type: int
Can be set by mapping: False
Enrichment field: True

dstDevice_mac

Description: The media access control (MAC) address of the host for which network traffic is destined.
Type: string
Can be set by mapping: True
Enrichment field: False

dstDevice_natIp

Description: The external IP in cases where the internal IP goes through network address translation.
Type: string
Can be set by mapping: True
Enrichment field: False

dstDevice_natIp_asnNumber

Description: An autonomous system number for the IP address based on the MaxMind GeoIP database.
Type: int
Can be set by mapping: False
Enrichment field: True

dstDevice_natIp_asnOrg

Description: Organization associated with the IP address based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

dstDevice_natIp_city

Description: City for the IP address based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

dstDevice_natIp_countryCode

Description: Country Code for the IP address based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

dstDevice_natIp_countryName

Description: Country Code for the IP address based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

dstDevice_natIp_ipv4IntValue

Description: The IPv4 address stored as an unsigned 64-bit integer value.
Type: long
Can be set by mapping: False
Enrichment field: True

dstDevice_natIp_isInternal

Description: Signifies whether the IP address is internal or external. True if internal, False if external.
Type: boolean
Can be set by mapping: False
Enrichment field: True

dstDevice_natIp_isp

Description: Internet Service Provider for the IP address based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

dstDevice_natIp_latitude

Description: Latitude for the IP address based on the MaxMind GeoIP database.
Type: float
Can be set by mapping: False
Enrichment field: True

dstDevice_natIp_location

Description: This value is populated based on the Network Blocks you have uploaded. When there is a match, it will be populated with the network block label.
Type: string
Can be set by mapping: False
Enrichment field: True

dstDevice_natIp_longitude

Description: Longitude for the IP address based on the MaxMind GeoIP database.
Type: float
Can be set by mapping: False
Enrichment field: True

dstDevice_natIp_region

Description: State or Territory for the IP address based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

dstDevice_natIp_version

Description: The version of the IP protocol (e.g. 4 or 6).
Type: int
Can be set by mapping: False
Enrichment field: True

dstDevice_osName

Description: The operating system running on the host for which network traffic is destined.
Type: string
Can be set by mapping: True
Enrichment field: False

dstDevice_uniqueId

Description: The source-specific identifier for the device (if available). This is frequently an instance ID in cloud environments.
Type: string
Can be set by mapping: True
Enrichment field: False

dstPort

Description: The port number for which the network traffic is destined.
Type: int
Can be set by mapping: True
Enrichment field: False

email_messageId

Description: A semi-unique identifier for an e-mail message generated by the sending mail system, often ending with the fully qualified domain name of the sending system. It is not completely unique, as copies of the same e-mail message, such as one sent to multiple recipients, may have the same message ID. Different mail systems may form message IDs in different ways.
Type: string
Can be set by mapping: True
Enrichment field: False

email_sender

Description: Address of the e-mail sender. To be used only for logs related specifically to e-mail activity (spam filtering, message tracking, etc).
Type: string
Can be set by mapping: True
Enrichment field: False

email_subject

Description: Subject line of an e-mail.
Type: string
Can be set by mapping: True
Enrichment field: False

errorCode

Description: Machine code or short-form message that represents a specific error.
Type: string
Can be set by mapping: True
Enrichment field: False

errorText

Description: Human-readable description of a specific error.
Type: string
Can be set by mapping: True
Enrichment field: False

fieldTags

Description: A map of entity fields to a list of tags for that entity.
Type: map[string]array[string]
Can be set by mapping: False
Enrichment field: False

fields

Description: This is a general purpose container for all un-mapped data from the log line.
Type: map[string]string
Can be set by mapping: False
Enrichment field: False

file_basename

Description: The name and extension (if applicable) of a file without the path.
Type: string
Can be set by mapping: True
Enrichment field: False

file_hash_imphash

Description: File hash created using the Import Hash (Imphash) algorithm.
Type: string
Can be set by mapping: True
Enrichment field: False

file_hash_md5

Description: File hash created using the 128-bit MD5 algorithm.
Type: string
Can be set by mapping: True
Enrichment field: False

file_hash_pehash

Description: Hash value for Portable Executable (PE) file binaries created using the PEHash algorithm.
Type: string
Can be set by mapping: True
Enrichment field: False

file_hash_sha1

Description: Hash of the file generated using the SHA1 algorithm.
Type: string
Can be set by mapping: True
Enrichment field: False

file_hash_sha256

Description: Hash of the file generated using the SHA256 algorithm.
Type: string
Can be set by mapping: True
Enrichment field: False

file_hash_ssdeep

Description: The fuzzy hash of the file generated using ssdeep.
Type: string
Can be set by mapping: True
Enrichment field: False

file_mimeType

Description: Two-part media type (MIME type/subtype) indicating the nature and format of a file transmitted over the internet.
Type: string
Can be set by mapping: True
Enrichment field: False

file_path

Description: The full path (if possible) of the file. This field may contain partial paths and serves as the general placeholder for file/process path fields.
Type: string
Can be set by mapping: True
Enrichment field: False

file_size

Description: Count of bytes taken up by the file.
Type: long
Can be set by mapping: True
Enrichment field: False

file_uid

Description: The data source specific unique identifier for the file, often a GUID.
Type: string
Can be set by mapping: True
Enrichment field: False

flowState

Description: Value indicating the state (e.g. begin, end, or continue) of a network traffic flow as it enters or exits an interface.
Type: string
Can be set by mapping: True
Enrichment field: False

friendlyName

Description: Name of the table the data is mapped to. Always Record for V3.
Type: string
Can be set by mapping: False
Enrichment field: False

fromUser_authDomain

Description: The domain associated with this particular user (e.g. sumologic.com, sumologic.local).
Type: string
Can be set by mapping: False
Enrichment field: False

fromUser_email

Description: The associated email address assigned to this user.
Type: string
Can be set by mapping: False
Enrichment field: False

fromUser_role

Description: The role of the user account in question. Typically, this shows up in CloudTrail logs as an assumed role, but can be broadly applied to other logs.
Type: string
Can be set by mapping: False
Enrichment field: False

fromUser_userId

Description: The source unique identifier for the user account.
Type: string
Can be set by mapping: False
Enrichment field: False

fromUser_username

Description: The name commonly used to identify the user. May include the domain. If name normalization occurs, this will be the normalized name.
Type: string
Can be set by mapping: False
Enrichment field: False

fromUser_username_raw

Description: The raw (un-normalized) version of a username.
Type: string
Can be set by mapping: False
Enrichment field: False

fromUser_username_role

Description: The role that is parsed out of the normalized username (usually from an AWS assumed role ARN).
Type: string
Can be set by mapping: False
Enrichment field: False

hour

Description: Hour pulled from the timestamp.
Type: int
Can be set by mapping: False
Enrichment field: False

http_category

Description: The high-level category determined by a service based on the URL or domain.
Type: string
Can be set by mapping: True
Enrichment field: False

http_contentLength

Description: The number of bytes of data in the body of the request.
Type: int
Can be set by mapping: True
Enrichment field: False

http_hostname

Description: Name of the host within an HTTP request.
Type: string
Can be set by mapping: True
Enrichment field: False

http_method

Description: Type of HTTP request being made (e.g. GET, POST).
Type: string
Can be set by mapping: True
Enrichment field: False

http_referer

Description: Identifies the address of the webpage (i.e. the URI or IRI) which is linked to the resource being requested, to determine the origin of the request.
Type: string
Can be set by mapping: True
Enrichment field: False

http_referer_alexaRank

Description: The HTTP referer domain's rank among the top 10k sites by Alexa traffic rank. NULL if not in the list.
Type: long
Can be set by mapping: False
Enrichment field: True

http_referer_entropyFqdn

Description: The entropy calculation of the Fully Qualified Domain Name (FQDN) of the HTTP referer.
Type: double
Can be set by mapping: False
Enrichment field: True

http_referer_entropyRootDomain

Description: The entropy calculation of the root domain of the HTTP referer.
Type: double
Can be set by mapping: False
Enrichment field: True

http_referer_fqdn

Description: The fully qualified domain name in the HTTP referer URL (e.g. somehost.sumologic.com).
Type: string
Can be set by mapping: False
Enrichment field: True

http_referer_path

Description: The path component of the HTTP referer URL (e.g. somepath/something).
Type: string
Can be set by mapping: False
Enrichment field: True

http_referer_possibleDga

Description: Whether or not this domain was potentially created by a Domain Generation Algorithm (DGA), based on our backend analytics.
Type: boolean
Can be set by mapping: False
Enrichment field: True

http_referer_possibleDynDns

Description: Whether a dynamic (not static) IP address is likely associated with this domain.
Type: boolean
Can be set by mapping: False
Enrichment field: True

http_referer_protocol

Description: The HTTP referer URL protocol (e.g. https).
Type: string
Can be set by mapping: False
Enrichment field: True

http_referer_rootDomain

Description: The root domain of the hostname in the HTTP referer URL (e.g. sumologic.com).
Type: string
Can be set by mapping: False
Enrichment field: True

http_referer_tld

Description: The top-level domain (TLD) field of the domain name in the HTTP referer URL (e.g. com, net, org).
Type: string
Can be set by mapping: False
Enrichment field: True

http_requestHeaders

DescriptionA map of the HTTP request headers.
Typemap[string]string
Can be set by mappingTrue
Enrichment fieldFalse

http_response_contentLength

DescriptionThe number of bytes of data in the body of the response.
Typeint
Can be set by mappingTrue
Enrichment fieldFalse

http_response_contentType

DescriptionTwo-part media type (MIME type/subtype) indicating the nature and format of data contained within an HTTP response.
Typestring
Can be set by mappingTrue
Enrichment fieldFalse

http_response_statusCode

DescriptionThe numeric response code for an HTTP request
Typeint
Can be set by mappingTrue
Enrichment fieldFalse

http_response_statusText

DescriptionThe response text for an HTTP request corresponding to an HTTP status code.
Typestring
Can be set by mappingTrue
Enrichment fieldFalse

http_url

DescriptionThe Uniform Resource Locator (URL) of an HTTP resource (a web page).
Typestring
Can be set by mappingTrue
Enrichment fieldFalse

http_url_alexaRank

Description: The HTTP URL domain's rank among the top 10k sites by Alexa traffic rank. NULL if not in the list.
Type: long
Can be set by mapping: False
Enrichment field: True

http_url_entropyFqdn

Description: The entropy calculation of the Fully Qualified Domain Name (FQDN) of the HTTP URL.
Type: double
Can be set by mapping: False
Enrichment field: True

http_url_entropyRootDomain

Description: The entropy calculation of the root domain of the HTTP URL.
Type: double
Can be set by mapping: False
Enrichment field: True

http_url_fqdn

Description: The fully qualified domain name in the HTTP URL (e.g. somehost.sumologic.com).
Type: string
Can be set by mapping: False
Enrichment field: True

http_url_path

Description: The path component of the HTTP URL (e.g. somepath/something)
Type: string
Can be set by mapping: False
Enrichment field: True

http_url_possibleDga

Description: Whether or not this domain is potentially a Domain Generation Algorithm created domain based on our backend analytics.
Type: boolean
Can be set by mapping: False
Enrichment field: True

http_url_possibleDynDns

Description: Whether the domain is likely associated with a dynamically (rather than statically) assigned IP address.
Type: boolean
Can be set by mapping: False
Enrichment field: True

http_url_protocol

Description: The HTTP URL protocol (e.g. https).
Type: string
Can be set by mapping: False
Enrichment field: True

http_url_rootDomain

Description: The root domain of the hostname in the HTTP URL (e.g. sumologic.com).
Type: string
Can be set by mapping: False
Enrichment field: True

http_url_tld

Description: The top-level-domain field of the domain name in the HTTP URL (e.g. com, net, org)
Type: string
Can be set by mapping: False
Enrichment field: True

http_userAgent

Description: Software agent that is acting on behalf of a user in an HTTP request.
Type: string
Can be set by mapping: True
Enrichment field: False

ipProtocol

Description: The transport layer internet protocol used in the traffic that generated the log event. This should be the IP protocol keyword or the protocol number, such as ICMP or 1, TCP or 6, UDP or 17 as defined by the Internet Assigned Numbers Authority (IANA).
Type: string
Can be set by mapping: True
Enrichment field: False

listMatches

Description: Name(s) of the match list(s) that a value in the log matched on.
Type: array[string]
Can be set by mapping: False
Enrichment field: False

logonType

Description: The method of authentication or type of user session initiated.
Type: string
Can be set by mapping: True
Enrichment field: False

matchedItems

Description: Value(s) in the match list(s) that a value in the log matched on.
Type: array[MatchedItem]
Can be set by mapping: False
Enrichment field: False

metadata_defaultTz

Description: Default timezone for timestamp parsing
Type: int
Can be set by mapping: False
Enrichment field: False

metadata_deviceEventId

Description: Vendor specific event identifier. Is provided in the parser output and determines which mapping will be used.
Type: string
Can be set by mapping: False
Enrichment field: False

metadata_mapperName

Description: CSE mapper name which normalizes the record.
Type: string
Can be set by mapping: False
Enrichment field: False

metadata_mapperUid

Description: Universally unique identifier for CSE normalization mappers.
Type: string
Can be set by mapping: False
Enrichment field: False

metadata_orgId

Description: The Sumo Customer Org ID that originated the raw log message.
Type: string
Can be set by mapping: False
Enrichment field: False

metadata_parseTime

Description: The time at which the log line was parsed into a record by the parser and mapper service, in milliseconds since epoch.
Type: long
Can be set by mapping: False
Enrichment field: False

metadata_parser

Description: Name of the parser which extracted fields from the original log message.
Type: string
Can be set by mapping: False
Enrichment field: False

metadata_product

Description: The specific product name of the data source.
Type: string
Can be set by mapping: False
Enrichment field: False

metadata_productGuid

Description: Globally unique identifier for the combined vendor and product.
Type: string
Can be set by mapping: False
Enrichment field: False

metadata_receiptTime

Description: The time at which the log line was received by the collector, in milliseconds since epoch.
Type: long
Can be set by mapping: False
Enrichment field: False

metadata_schemaVersion

Description: The current schema version (3).
Type: int
Can be set by mapping: False
Enrichment field: False

metadata_sensorId

Description: UID of the Sumo Logic sensor used to ingest the log.
Type: string
Can be set by mapping: False
Enrichment field: False

metadata_sensorZone

Description: A name propagated from the sensors. In the case where sensors are installed in environments with overlapping IP address spaces, this is used to distinguish two identical IP addresses from each other.
Type: string
Can be set by mapping: False
Enrichment field: False

metadata_sourceCategory

Description: The Sumologic source category of the data.
Type: string
Can be set by mapping: False
Enrichment field: False

metadata_sourceMessageId

Description: The _messageID of the original source log message (from SumoLogic CIP).
Type: string
Can be set by mapping: False
Enrichment field: False

metadata_vendor

Description: The name of the company responsible for the data source.
Type: string
Can be set by mapping: False
Enrichment field: False

mfa

Description: True or false showing whether or not an authentication event was performed with multi-factor authentication.
Type: boolean
Can be set by mapping: True
Enrichment field: False

moduleType

Description: Attribute of a file loaded by a process to extend its functionality, identifying the file type or otherwise indicating how it is to behave.
Type: string
Can be set by mapping: True
Enrichment field: False

month

Description: Month pulled from the timestamp.
Type: int
Can be set by mapping: False
Enrichment field: False

normalizedAction

Description: Complementary to the Action field, this field describes the initiation of an activity in a common way across records. normalizedAction is meant to describe the attempt of an action, using the success boolean as a modifier indicating whether or not the action was successful. Further, normalizedAction should be paired with normalizedResource to indicate where or upon what the initiated action was attempted.
Type: string
Can be set by mapping: True
Enrichment field: False

normalizedCause

Description: Complementary to Cause, this field describes the reason for any particular outcome in a record in a common way.
Type: string
Can be set by mapping: True
Enrichment field: False

normalizedResource

Description: Complementary to Resource, this field describes the resource being acted upon or otherwise referenced within a record in a common way across records. Intended to be used to provide further normalized context to a record, particularly in tandem with normalizedAction.
Type: string
Can be set by mapping: True
Enrichment field: False

normalizedSeverity

Description: Severity score on a scale of 0 to 10 with 0 being informational and 10 being critical. This is defined either explicitly per mapping or by a lookup to normalize a vendor-specific severity level. Certain normalized threat rules will use normalizedSeverity to pass a dynamic severity into the signal. normalizedSeverity is an enforced output value field, which means that the output value must be an integer between 0 and 1.
Type: int
Can be set by mapping: True
Enrichment field: False

normalizedSeverity_description

Description: A string representing the severity.
Type: string
Can be set by mapping: False
Enrichment field: True

objectType

Description: The name of the top level schema object type (e.g. Authentication, Audit, Endpoint, Network, Notification, etc.). Displayed as Record Type in the UI.
Type: string
Can be set by mapping: False
Enrichment field: False

packetsIn

Description: The count of packets received in a network connection.
Type: long
Can be set by mapping: True
Enrichment field: False

packetsOut

Description: The count of packets sent in a network connection.
Type: long
Can be set by mapping: True
Enrichment field: False

parentBaseImage

Description: The name of an executable process which has spawned a child process. Often found in process auditing and malware detection events.
Type: string
Can be set by mapping: True
Enrichment field: False

parentCommandLine

Description: The instruction or set of instructions entered into a text interface, such as the command prompt (cmd.exe) or PowerShell on Windows or a terminal on Unix-based systems, associated with a parent process.
Type: string
Can be set by mapping: True
Enrichment field: False

parentPid

Description: The process id of the program that initiated a process (typically the parentBaseImage).
Type: int
Can be set by mapping: True
Enrichment field: False

pid

Description: The process id of a process (typically the baseImage).
Type: int
Can be set by mapping: True
Enrichment field: False

processUid

Description: A data source specific unique identifier for a process, often a GUID.
Type: string
Can be set by mapping: True
Enrichment field: False

resource

Description: Generalized field to capture an object referenced within a log that does not have a more specific field currently specified in the mapping schema (e.g. a file is a resource, however file_basename and file_path both exist to capture this value).
Type: string
Can be set by mapping: True
Enrichment field: False

severity

Description: The source specific severity level with no normalization.
Type: string
Can be set by mapping: True
Enrichment field: False

sourceUid

Description: A UID that is defined by the record itself. Each record is assigned a UID during mapping, but this is the unique identifier field that may exist within an originating record.
Type: string
Can be set by mapping: True
Enrichment field: False

srcDevice_hostname

Description: The name of the host which network traffic originated from.
Type: string
Can be set by mapping: True
Enrichment field: False

srcDevice_hostname_raw

Description: The source device hostname before any enrichments are applied, as the hostname appears in the original log message.
Type: string
Can be set by mapping: False
Enrichment field: True

srcDevice_ip

Description: The IP address of the host which network traffic originated from.
Type: string
Can be set by mapping: True
Enrichment field: False

srcDevice_ip_asnNumber

Description: The autonomous system number for the source device IP address based on the MaxMind GeoIP database, typically assigned to internet service providers.
Type: int
Can be set by mapping: False
Enrichment field: True

srcDevice_ip_asnOrg

Description: The organization associated with the ASN based on the MaxMind GeoIP database, typically assigned to internet service providers.
Type: string
Can be set by mapping: False
Enrichment field: True

srcDevice_ip_city

Description: City for the source device IP address based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

srcDevice_ip_countryCode

Description: Country code (e.g. US, CA, DE) for the source device IP address based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

srcDevice_ip_countryName

Description: Name of the country for the source device IP address based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

srcDevice_ip_ipv4IntValue

Description: The ipv4 address stored as an unsigned 64-bit integer value
Type: long
Can be set by mapping: False
Enrichment field: True

srcDevice_ip_isInternal

Description: Signifies whether the source device IP address is internal or external. True if internal, False if external.
Type: boolean
Can be set by mapping: False
Enrichment field: True

srcDevice_ip_isp

Description: Internet Service Provider for the source device IP based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

srcDevice_ip_latitude

Description: Geographic latitude coordinate for the source device IP address based on the MaxMind GeoIP database.
Type: float
Can be set by mapping: False
Enrichment field: True

srcDevice_ip_location

Description: This value is populated based on uploaded Network Blocks. When there is a match, it will be populated with the network block label.
Type: string
Can be set by mapping: False
Enrichment field: True

srcDevice_ip_longitude

Description: Longitude coordinate for the source device IP address based on the MaxMind GeoIP database.
Type: float
Can be set by mapping: False
Enrichment field: True

srcDevice_ip_region

Description: State or Territory for the source device IP address based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

srcDevice_ip_version

Description: Version of the IP protocol of the source device IP.
Type: int
Can be set by mapping: False
Enrichment field: True

srcDevice_mac

Description: The media access control (MAC) address of the host which network traffic originated from.
Type: string
Can be set by mapping: True
Enrichment field: False

srcDevice_natIp

Description: The external IP in cases where the internal IP goes through network address translation.
Type: string
Can be set by mapping: True
Enrichment field: False

srcDevice_natIp_asnNumber

Description: An autonomous system number for the IP address based on the MaxMind GeoIP database.
Type: int
Can be set by mapping: False
Enrichment field: True

srcDevice_natIp_asnOrg

Description: Organization associated with the IP address based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

srcDevice_natIp_city

Description: City for the IP address based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

srcDevice_natIp_countryCode

Description: Country Code for the IP address based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

srcDevice_natIp_countryName

Description: Country name for the IP address based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

srcDevice_natIp_ipv4IntValue

Description: The ipv4 address stored as an unsigned 64-bit integer value
Type: long
Can be set by mapping: False
Enrichment field: True

srcDevice_natIp_isInternal

Description: Signifies whether the IP address is internal or external. True if internal, False if external.
Type: boolean
Can be set by mapping: False
Enrichment field: True

srcDevice_natIp_isp

Description: Internet Service Provider for the IP address based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

srcDevice_natIp_latitude

Description: Latitude for the IP address based on the MaxMind GeoIP database.
Type: float
Can be set by mapping: False
Enrichment field: True

srcDevice_natIp_location

Description: This value is populated based on the Network Blocks you have uploaded. When there is a match, it will be populated with the network block label.
Type: string
Can be set by mapping: False
Enrichment field: True

srcDevice_natIp_longitude

Description: Longitude for the IP address based on the MaxMind GeoIP database.
Type: float
Can be set by mapping: False
Enrichment field: True

srcDevice_natIp_region

Description: State or Territory for the IP address based on the MaxMind GeoIP database.
Type: string
Can be set by mapping: False
Enrichment field: True

srcDevice_natIp_version

Description: The version of IP protocol (e.g. 4 or 6)
Type: int
Can be set by mapping: False
Enrichment field: True

srcDevice_osName

Description: The operating system running on the host which network traffic originated from.
Type: string
Can be set by mapping: True
Enrichment field: False

srcDevice_uniqueId

Description: The unique ID of the host which network traffic originated from. This field is frequently used by cloud providers to identify instances.
Type: string
Can be set by mapping: True
Enrichment field: False

srcPort

Description: The port number which the network traffic originated from.
Type: int
Can be set by mapping: True
Enrichment field: False

success

Description: True or false showing whether or not an action or event recorded in a log was successful. This field is either defined as a constant or based on a lookup in a mapping.
Type: boolean
Can be set by mapping: True
Enrichment field: False

targetUser_authDomain

Description: The authentication domain of a user which is subject to or otherwise impacted by activity undertaken by another user, such as the Active Directory domain to which a newly created user account belongs.
Type: string
Can be set by mapping: True
Enrichment field: False

targetUser_email

Description: E-Mail address associated with the user which is subject to activity undertaken by another account, such as an E-Mail address created for a new user account.
Type: string
Can be set by mapping: True
Enrichment field: False

targetUser_role

Description: A privileged persona assumed by a user which is subject to activity undertaken by another user, such as in CloudTrail logs and similar cases where a user is recorded taking on a different role for specific privileged activity.
Type: string
Can be set by mapping: True
Enrichment field: False

targetUser_userId

Description: The semi-unique identifier associated with a user account which is subject to activity undertaken by another user account.
Type: string
Can be set by mapping: True
Enrichment field: False

targetUser_username

Description: The name commonly used to identify the user. May include the domain. If name normalization occurs, this will be the normalized name.
Type: string
Can be set by mapping: True
Enrichment field: False

targetUser_username_raw

Description: The raw (un-normalized) version of a username.
Type: string
Can be set by mapping: False
Enrichment field: True

targetUser_username_role

Description: The role that is parsed out of the normalized username (usually from an AWS assumed role ARN).
Type: string
Can be set by mapping: False
Enrichment field: True

tcpProtocol

Description: Application layer protocol used to establish the connection as defined by the Internet Protocol Suite (TCP/IP).
Type: string
Can be set by mapping: True
Enrichment field: False

threat_category

Description: The type of threat determined by a service based on the signature or threat name.
Type: string
Can be set by mapping: True
Enrichment field: False

threat_identifier

Description: The identifier or indicator specific to a threat (not a vulnerability). Generally speaking this should be populated with an indicator value.
Type: string
Can be set by mapping: True
Enrichment field: False

threat_name

Description: Name of a specific threat (not a vulnerability), such as malware or an exploit. Often a threat signature.
Type: string
Can be set by mapping: True
Enrichment field: False

threat_referenceUrl

Description: An external URL that can provide more information about the threat. This should NOT be the URL that represents an observed HTTP request.
Type: string
Can be set by mapping: True
Enrichment field: False

threat_ruleType

Description: This field should be used with logs that indicate detection of a security event has already occurred. These logs are produced by a security product's own detection capabilities like signatures or rule sets. As an example, if a log has a severity, risk, or impact in the message, it should have threat_ruleType included and populated in its mapper. The logs using this field will all be a form of pass through content. Messages that do not include security event detection must leave this field out of the mapper or leave it blank.
Type: string
Can be set by mapping: True
Enrichment field: False

threat_signalName

Description: This field is used in conjunction with normalized rules designed to directly pass through security alerts from other security products, appliances, and services. Those rules will use the text populated in this field as an element of the signal name, allowing different signal names for different products while retaining the normalized rule logic.
Type: string
Can be set by mapping: True
Enrichment field: False

threat_signalSummary

Description: This field is used in conjunction with normalized rules. Those rules will use the text populated in this field as an element of the signal summary, allowing different signal summaries for different products while retaining the normalized rule logic.
Type: string
Can be set by mapping: True
Enrichment field: False

timestamp

Description: The timestamp of the event stored as milliseconds since epoch. Time can be directly mapped if the log contains epoch time, however other time formats can be mapped if the format is provided. If no timestamp is defined in the mapping, ingest time will be used by default.
Type: long
Can be set by mapping: True
Enrichment field: False

uid

Description: UID for the parsed record in Sumo Logic CSE.
Type: string
Can be set by mapping: False
Enrichment field: False

user_authDomain

Description: The authentication domain associated with an acting user, such as the Active Directory domain of a user who is logging in or performing an action.
Type: string
Can be set by mapping: True
Enrichment field: False

user_email

Description: E-Mail address associated with the acting user.
Type: string
Can be set by mapping: True
Enrichment field: False

user_role

Description: A privileged persona assumed by an acting user, such as in CloudTrail logs and similar cases where a user is recorded taking on a different role for specific privileged activity.
Type: string
Can be set by mapping: True
Enrichment field: False

user_userId

Description: The semi-unique identifier associated with an acting user account.
Type: string
Can be set by mapping: True
Enrichment field: False

user_username

Description: The name commonly used to identify the user. May include the domain. If name normalization occurs, this will be the normalized name.
Type: string
Can be set by mapping: True
Enrichment field: False

user_username_raw

Description: The actor username before any enrichments are applied, as the username appears in the original log message.
Type: string
Can be set by mapping: False
Enrichment field: True

user_username_role

Description: The role that is extracted from the normalized actor username (such as from an AWS assumed role ARN).
Type: string
Can be set by mapping: False
Enrichment field: True

vuln_bugtraq

Description: Bugtraq identifier assigned by SecurityFocus. BugTraq is a full disclosure moderated mailing list for the detailed discussion and announcement of computer security vulnerabilities.
Type: string
Can be set by mapping: True
Enrichment field: False

vuln_cert

Description: Numeric identifier for a vulnerability assigned by the United States Computer Emergency Readiness Team Coordination Center (US CERT/CC).
Type: string
Can be set by mapping: True
Enrichment field: False

vuln_cve

Description: Common Vulnerabilities and Exposures identifier for the vulnerability. Follows the format CVE- -
Type: string
Can be set by mapping: True
Enrichment field: False

vuln_cvss

Description: Common Vulnerability Scoring System (CVSS) score designed to help responders to prioritize their response and resources to a vulnerability.
Type: string
Can be set by mapping: True
Enrichment field: False

vuln_name

Description: Name that briefly summarizes the nature of a vulnerability.
Type: string
Can be set by mapping: True
Enrichment field: False

vuln_reference

Description: Additional information on a vulnerability in the form of a link, a specific vendor ID (e.g. MS14-068), or further description.
Type: string
Can be set by mapping: True
Enrichment field: False

year

Description: Year pulled from the timestamp.
Type: int
Can be set by mapping: False
Enrichment field: False