diff --git a/.DS_Store b/.DS_Store
index c194e38..e49b472 100644
Binary files a/.DS_Store and b/.DS_Store differ
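Review bot: `.DS_Store` is macOS Finder metadata and should not be tracked in the repository at all, let alone updated in a documentation change; drop it from this commit (`git rm --cached .DS_Store`) and add `.DS_Store` to `.gitignore` so it does not reappear in later commits.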
diff --git a/ActivityTypes/ActivityType_Interface.md b/ActivityTypes/ActivityType_Interface.md
index 2aba379..184d5b0 100644
--- a/ActivityTypes/ActivityType_Interface.md
+++ b/ActivityTypes/ActivityType_Interface.md
@@ -6,6 +6,10 @@
This secondary interface defines the activity type element. It describes the specific fields required for a given activity when it's performed on the subject. This interface is also minimalist by design.
+ * [alert-create](alert-create.md)
+ * [alert-delete](alert-delete.md)
+ * [alert-modify](alert-modify.md)
+ * [alert-read](alert-read.md)
* [alert-trigger](alert-trigger.md)
* [app-activity](app-activity.md)
* [app-authentication](app-authentication.md)
@@ -18,6 +22,7 @@ This secondary interface defines the activity type element. It describes the spe
* [app-time-modify](app-time-modify.md)
* [arp-traffic](arp-traffic.md)
* [audit_policy-modify](audit_policy-modify.md)
+ * [branch-create](branch-create.md)
* [branch-modify](branch-modify.md)
* [branch-protection-disable](branch-protection-disable.md)
* [branch-protection-enable](branch-protection-enable.md)
@@ -30,6 +35,10 @@ This secondary interface defines the activity type element. It describes the spe
* [bucket-write](bucket-write.md)
* [call-receive](call-receive.md)
* [call-send](call-send.md)
+ * [case-create](case-create.md)
+ * [case-delete](case-delete.md)
+ * [case-modify](case-modify.md)
+ * [case-read](case-read.md)
* [certificate-create](certificate-create.md)
* [certificate-exchange](certificate-exchange.md)
* [certificate-expire](certificate-expire.md)
@@ -52,6 +61,9 @@ This secondary interface defines the activity type element. It describes the spe
* [configuration-read](configuration-read.md)
* [configuration-routing-modify](configuration-routing-modify.md)
* [configuration-save](configuration-save.md)
+ * [context_source-create](context_source-create.md)
+ * [context_source-delete](context_source-delete.md)
+ * [context_source-modify](context_source-modify.md)
* [database-activity](database-activity.md)
* [database-create](database-create.md)
* [database-delete](database-delete.md)
@@ -119,6 +131,7 @@ This secondary interface defines the activity type element. It describes the spe
* [endpoint-command](endpoint-command.md)
* [endpoint-create](endpoint-create.md)
* [endpoint-delete](endpoint-delete.md)
+ * [endpoint-domain-join](endpoint-domain-join.md)
* [endpoint-enable](endpoint-enable.md)
* [endpoint-key-create](endpoint-key-create.md)
* [endpoint-key-write](endpoint-key-write.md)
@@ -140,6 +153,7 @@ This secondary interface defines the activity type element. It describes the spe
* [endpoint-write](endpoint-write.md)
* [file-close](file-close.md)
* [file-copy](file-copy.md)
+ * [file-create](file-create.md)
* [file-delete](file-delete.md)
* [file-download](file-download.md)
* [file-list](file-list.md)
@@ -179,6 +193,7 @@ This secondary interface defines the activity type element. It describes the spe
* [group-modify](group-modify.md)
* [group-permission-modify](group-permission-modify.md)
* [group-policy-attach](group-policy-attach.md)
+ * [group-read](group-read.md)
* [group-repository-add](group-repository-add.md)
* [group-repository-remove](group-repository-remove.md)
* [group-role-assign](group-role-assign.md)
@@ -202,9 +217,6 @@ This secondary interface defines the activity type element. It describes the spe
* [image-list](image-list.md)
* [image-modify](image-modify.md)
* [image-write](image-write.md)
- * [incident-create](incident-create.md)
- * [incident-delete](incident-delete.md)
- * [incident-modify](incident-modify.md)
* [ip-assign](ip-assign.md)
* [ip-free](ip-free.md)
* [key-create](key-create.md)
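Review bot: removing the `incident-create`, `incident-delete` and `incident-modify` index entries breaks any consumer that still emits or links those activity types, and this patch shows no deletion of the corresponding `incident-*.md` files, so they become orphaned pages. If the `case-*` types added in this patch supersede them, say so in the `case-*` documents (a Legacy Names table, as `dhcp-session.md` uses) rather than only dropping the links.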
@@ -218,9 +230,15 @@ This secondary interface defines the activity type element. It describes the spe
* [log-disable](log-disable.md)
* [log-download](log-download.md)
* [log-enable](log-enable.md)
+ * [log-export](log-export.md)
* [log-read](log-read.md)
* [log-search](log-search.md)
+ * [log_account-create](log_account-create.md)
+ * [log_account-delete](log_account-delete.md)
+ * [log_account-modify](log_account-modify.md)
* [log_source-add](log_source-add.md)
+ * [log_source-disable](log_source-disable.md)
+ * [log_source-enable](log_source-enable.md)
* [log_source-modify](log_source-modify.md)
* [log_source-remove](log_source-remove.md)
* [mailbox-create](mailbox-create.md)
@@ -230,6 +248,7 @@ This secondary interface defines the activity type element. It describes the spe
* [mailbox-item-modify](mailbox-item-modify.md)
* [mailbox-item-move](mailbox-item-move.md)
* [mailbox-item-read](mailbox-item-read.md)
+ * [mailbox-list](mailbox-list.md)
* [mailbox-modify](mailbox-modify.md)
* [mailbox-permission-modify](mailbox-permission-modify.md)
* [meeting-create](meeting-create.md)
@@ -245,6 +264,12 @@ This secondary interface defines the activity type element. It describes the spe
* [network-session](network-session.md)
* [network-start](network-start.md)
* [network-traffic](network-traffic.md)
+ * [parser-create](parser-create.md)
+ * [parser-delete](parser-delete.md)
+ * [parser-disable](parser-disable.md)
+ * [parser-enable](parser-enable.md)
+ * [parser-import](parser-import.md)
+ * [parser-modify](parser-modify.md)
* [password-checkin](password-checkin.md)
* [password-checkout](password-checkout.md)
* [password-copy](password-copy.md)
@@ -274,6 +299,7 @@ This secondary interface defines the activity type element. It describes the spe
* [process-close](process-close.md)
* [process-create](process-create.md)
* [process-memory-allocate](process-memory-allocate.md)
+ * [process-memory-protect](process-memory-protect.md)
* [process-memory-read](process-memory-read.md)
* [process-modify](process-modify.md)
* [process-open](process-open.md)
@@ -281,15 +307,18 @@ This secondary interface defines the activity type element. It describes the spe
* [process-thread-create](process-thread-create.md)
* [process-token-assign](process-token-assign.md)
* [process-token-modify](process-token-modify.md)
- * [radius-session ](radius-session.md)
+ * [radius-session](radius-session.md)
* [radius-traffic](radius-traffic.md)
* [rdp-traffic](rdp-traffic.md)
* [registry-create](registry-create.md)
* [registry-delete](registry-delete.md)
* [registry-modify](registry-modify.md)
+ * [registry-read](registry-read.md)
* [registry-rename](registry-rename.md)
* [report-create](report-create.md)
+ * [report-delete](report-delete.md)
* [report-download](report-download.md)
+ * [report-execute](report-execute.md)
* [report-export](report-export.md)
* [report-read](report-read.md)
* [repository-create](repository-create.md)
@@ -298,6 +327,9 @@ This secondary interface defines the activity type element. It describes the spe
* [repository-member-remove](repository-member-remove.md)
* [repository-modify](repository-modify.md)
* [repository-move](repository-move.md)
+ * [repository-pull](repository-pull.md)
+ * [repository-push](repository-push.md)
+ * [repository-read](repository-read.md)
* [role-assume](role-assume.md)
* [role-create](role-create.md)
* [role-delete](role-delete.md)
@@ -308,6 +340,10 @@ This secondary interface defines the activity type element. It describes the spe
* [role-write](role-write.md)
* [rule-create](rule-create.md)
* [rule-delete](rule-delete.md)
+ * [rule-disable](rule-disable.md)
+ * [rule-enable](rule-enable.md)
+ * [rule-modify](rule-modify.md)
+ * [rule-trigger-beta](rule-trigger-beta.md)
* [rule-trigger](rule-trigger.md)
* [scheduled_task-create](scheduled_task-create.md)
* [scheduled_task-delete](scheduled_task-delete.md)
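Review bot: `rule-trigger-beta` is inserted before `rule-trigger`, which breaks the alphabetical order the rest of this list follows (`rule-trigger` sorts first). A `-beta` suffix inside an activity-type name is also awkward: it reads as subject `rule` with activity `trigger-beta`, and renaming it when the type stabilises will need another index change plus a legacy mapping; consider recording beta status inside the document instead.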
diff --git a/ActivityTypes/alert-create.md b/ActivityTypes/alert-create.md
new file mode 100644
index 0000000..b63e7fd
--- /dev/null
+++ b/ActivityTypes/alert-create.md
@@ -0,0 +1,33 @@
+alert-create
+============
+
+Description
+-----------
+
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | ------------ |
+| Subject | alert |
+| Activity | create |
+| Activity Type | alert-create |
+| Pretty Name | Alert Create |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#alert-createsuccess) or a [fail](#alert-createfail).
+
+
+alert-create:success
+--------------------
+
+There are no fields for this activity type.
+
+
+alert-create:fail
+-----------------
+
+There are no fields for this activity type.
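Review bot: the `Description` section is empty; every activity-type page should state what the event means (compare `branch-create.md` in this same patch, which carries a one-line description). The `alert-create:fail` section also lists no fields, whereas the other new `*-create` types in this patch (`branch-create`, `case-create`, `context_source-create`) define `failure_code` and `failure_reason` under Detection; either add them here or explain why an alert-create failure has no reason field.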
diff --git a/ActivityTypes/alert-delete.md b/ActivityTypes/alert-delete.md
new file mode 100644
index 0000000..7e92d7e
--- /dev/null
+++ b/ActivityTypes/alert-delete.md
@@ -0,0 +1,33 @@
+alert-delete
+============
+
+Description
+-----------
+
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | ------------ |
+| Subject | alert |
+| Activity | delete |
+| Activity Type | alert-delete |
+| Pretty Name | Alert Delete |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#alert-deletesuccess) or a [fail](#alert-deletefail).
+
+
+alert-delete:success
+--------------------
+
+There are no fields for this activity type.
+
+
+alert-delete:fail
+-----------------
+
+There are no fields for this activity type.
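Review bot: same gaps as `alert-create.md`: `Description` is blank, and `alert-delete:fail` declares no fields while `case-delete` and `context_source-delete` in this patch define `failure_code` and `failure_reason`. Fill in the description and align the fail table with the sibling types.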
diff --git a/ActivityTypes/alert-modify.md b/ActivityTypes/alert-modify.md
new file mode 100644
index 0000000..294c999
--- /dev/null
+++ b/ActivityTypes/alert-modify.md
@@ -0,0 +1,33 @@
+alert-modify
+============
+
+Description
+-----------
+
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | ------------ |
+| Subject | alert |
+| Activity | modify |
+| Activity Type | alert-modify |
+| Pretty Name | Alert Modify |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#alert-modifysuccess) or a [fail](#alert-modifyfail).
+
+
+alert-modify:success
+--------------------
+
+There are no fields for this activity type.
+
+
+alert-modify:fail
+-----------------
+
+There are no fields for this activity type.
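Review bot: `Description` is blank and the fail section has no `failure_code`/`failure_reason`, unlike `case-modify` and `context_source-modify` in this patch; please complete both before merging.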
diff --git a/ActivityTypes/alert-read.md b/ActivityTypes/alert-read.md
new file mode 100644
index 0000000..a7c64ca
--- /dev/null
+++ b/ActivityTypes/alert-read.md
@@ -0,0 +1,33 @@
+alert-read
+==========
+
+Description
+-----------
+
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | ---------- |
+| Subject | alert |
+| Activity | read |
+| Activity Type | alert-read |
+| Pretty Name | Alert Read |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#alert-readsuccess) or a [fail](#alert-readfail).
+
+
+alert-read:success
+------------------
+
+There are no fields for this activity type.
+
+
+alert-read:fail
+---------------
+
+There are no fields for this activity type.
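Review bot: the `Description` is blank here too. For a read event the fail case should at least carry `failure_code` and `failure_reason`; with an empty fail table, a denied alert read is indistinguishable from any other read failure when the events are mapped.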
diff --git a/ActivityTypes/alert-trigger.md b/ActivityTypes/alert-trigger.md
index a1885e3..2f3e235 100644
--- a/ActivityTypes/alert-trigger.md
+++ b/ActivityTypes/alert-trigger.md
@@ -29,7 +29,22 @@ The possible fields for this activity type will vary depending on whether the ac
alert-trigger:success
---------------------
-There are no fields for this activity type.
-
+| Field | Core | Detection | Informational |
+| --------------- | -------- | --------- | ------------- |
+| alert_severity | ✓ | | |
+| local_user_name | | | |
+| alert_subject | | ✓ | ✓ |
+| src_host | | ✓ | |
+| alert_type | ✓ | | |
+| protocol | | ✓ | |
+| top_domain | | ✓ | |
+| process_name | | ✓ | |
+| bytes | | ✓ | |
+| dest_ip | | ✓ | |
+| alert_source | ✓ | | |
+| dest_host | | ✓ | |
+| user | | ✓ | |
+| dest_port | | ✓ | |
+| cid | | | ✓ |
A failure activity is not currently supported for this activity-type.
\ No newline at end of file
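Review bot: `local_user_name` is listed in the new `alert-trigger:success` table with no Core, Detection or Informational tick, so the row says nothing about how the field is used; either assign a tier or drop the row (the same applies to the `local_user_name` and `domain_user_name` rows added across the other tables in this patch). The rows are also in no discernible order (`alert_severity`, `local_user_name`, `alert_subject`, `src_host`, ...); sorting by field name, or Core fields first, would keep later diffs reviewable.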
diff --git a/ActivityTypes/app-activity.md b/ActivityTypes/app-activity.md
index cb8df8b..d445d41 100644
--- a/ActivityTypes/app-activity.md
+++ b/ActivityTypes/app-activity.md
@@ -29,15 +29,37 @@ The possible fields for this activity type will vary depending on whether the ac
app-activity:success
--------------------
-| Field | Core | Detection | Informational |
-| --------- | ---- | --------- | ------------- |
-| operation | | | |
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| src_ip | | ✓ | |
+| os | | ✓ | |
+| browser | | ✓ | |
+| mime | | ✓ | |
+| local_user_name | | | |
+| fingerprint | | ✓ | |
+| src_host | | ✓ | |
+| operation | | ✓ | |
+| user | | ✓ | |
+| user_agent | | ✓ | |
+| object | | ✓ | |
+| cid | | | ✓ |
app-activity:fail
-----------------
-| Field | Core | Detection | Informational |
-| -------------- | ---- | --------- | ------------- |
-| failure_code | | ✓ | |
-| failure_reason | | ✓ | |
-| operation | | | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| os | | ✓ | |
+| mime | | ✓ | |
+| local_user_name | | | |
+| failure_reason | | ✓ | |
+| src_host | | ✓ | |
+| src_ip | | ✓ | |
+| browser | | ✓ | |
+| fingerprint | | ✓ | |
+| operation | | ✓ | |
+| user | | ✓ | |
+| user_agent | | ✓ | |
+| object | | ✓ | |
+| cid | | | ✓ |
\ No newline at end of file
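Review bot: the success and fail tables list the same fields in different orders (`src_ip`, `os`, `browser`, `mime`, ... versus `failure_code`, `os`, `mime`, `local_user_name`, ...), which hides whether the two field sets actually match; use one order for both. `local_user_name` again has no tier tick. `operation` moves from untiered to Detection in both tables, a classification change the commit message should call out.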
diff --git a/ActivityTypes/app-authentication.md b/ActivityTypes/app-authentication.md
index 9788264..e8672f2 100644
--- a/ActivityTypes/app-authentication.md
+++ b/ActivityTypes/app-authentication.md
@@ -29,17 +29,41 @@ The possible fields for this activity type will vary depending on whether the ac
app-authentication:success
--------------------------
-| Field | Core | Detection | Informational |
-| ------------------- | -------- | --------- | ------------- |
-| user | ✓ | | |
-| authentication_type | | | |
+| Field | Core | Detection | Informational |
+| --------------- | -------- | --------- | ------------- |
+| auth_type | | | |
+| os | | ✓ | |
+| mfa_country | | ✓ | |
+| mime | | ✓ | |
+| local_user_name | | | |
+| src_host | | ✓ | |
+| src_ip | | ✓ | |
+| browser | | ✓ | |
+| fingerprint | | ✓ | |
+| mfa_device | | ✓ | |
+| user | ✓ | ✓ | |
+| operation | | ✓ | |
+| user_agent | | ✓ | |
+| object | | ✓ | |
app-authentication:fail
-----------------------
-| Field | Core | Detection | Informational |
-| ------------------- | -------- | --------- | ------------- |
-| failure_code | | ✓ | |
-| failure_reason | | ✓ | |
-| user | ✓ | | |
-| authentication_type | | | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| --------------- | -------- | --------- | ------------- |
+| auth_type | | | |
+| failure_code | | ✓ | |
+| os | | ✓ | |
+| mfa_country | | ✓ | |
+| mime | | ✓ | |
+| local_user_name | | | |
+| failure_reason | | ✓ | |
+| src_host | | ✓ | |
+| src_ip | | ✓ | |
+| browser | | ✓ | |
+| fingerprint | | ✓ | |
+| mfa_device | | ✓ | |
+| user | ✓ | ✓ | |
+| operation | | ✓ | |
+| user_agent | | ✓ | |
+| object | | ✓ | |
\ No newline at end of file
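Review bot: renaming `authentication_type` to `auth_type` is a breaking field-name change for anyone consuming this activity type, and the new name still has no tier tick, so the rename adds nothing the table documents; if it is needed, record the old name (a Legacy Names table as in `dhcp-session.md`) and assign a tier. Unlike the neighbouring `app-activity` and `app-login` tables, neither section here gains `cid` under Informational; confirm whether that omission is intended.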
diff --git a/ActivityTypes/app-login.md b/ActivityTypes/app-login.md
index 3f3ddbe..97e9f0b 100644
--- a/ActivityTypes/app-login.md
+++ b/ActivityTypes/app-login.md
@@ -29,15 +29,45 @@ The possible fields for this activity type will vary depending on whether the ac
app-login:success
-----------------
-| Field | Core | Detection | Informational |
-| ----- | -------- | --------- | ------------- |
-| user | ✓ | | |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| os | | ✓ | |
+| login_type | | ✓ | |
+| mime | | ✓ | |
+| domain_user_name | | | |
+| src_host | | ✓ | |
+| src_ip | | ✓ | |
+| browser | | ✓ | |
+| dest_ip | | ✓ | |
+| domain | | ✓ | |
+| fingerprint | | ✓ | |
+| dest_host | | ✓ | |
+| user | ✓ | ✓ | |
+| operation | | ✓ | |
+| user_agent | | ✓ | |
+| object | | ✓ | |
+| cid | | | ✓ |
app-login:fail
--------------
-| Field | Core | Detection | Informational |
-| -------------- | -------- | --------- | ------------- |
-| failure_code | | ✓ | |
-| failure_reason | | ✓ | |
-| user | ✓ | | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| failure_code | | ✓ | |
+| os | | ✓ | |
+| login_type | | ✓ | |
+| mime | | ✓ | |
+| domain_user_name | | | |
+| failure_reason | | ✓ | |
+| src_host | | ✓ | |
+| src_ip | | ✓ | |
+| browser | | ✓ | |
+| dest_ip | | ✓ | |
+| domain | | ✓ | |
+| fingerprint | | ✓ | |
+| dest_host | | ✓ | |
+| user | ✓ | ✓ | |
+| operation | | ✓ | |
+| user_agent | | ✓ | |
+| object | | ✓ | |
+| cid | | | ✓ |
\ No newline at end of file
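Review bot: `domain_user_name` is added to both tables without a tier tick. `cid` is Informational here and in `app-activity`, but absent from `app-authentication` and `app-register` in the same patch, so either state which activity types carry `cid` or make the set consistent. The promotion of `user` to Core plus Detection matches `app-authentication`, which is fine.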
diff --git a/ActivityTypes/app-logout.md b/ActivityTypes/app-logout.md
index 21412c6..9636645 100644
--- a/ActivityTypes/app-logout.md
+++ b/ActivityTypes/app-logout.md
@@ -24,15 +24,19 @@ The possible fields for this activity type will vary depending on whether the ac
app-logout:success
------------------
-| Field | Core | Detection | Informational |
-| ----- | -------- | --------- | ------------- |
-| user | ✓ | | |
+| Field | Core | Detection | Informational |
+| --------------- | -------- | --------- | ------------- |
+| local_user_name | | | |
+| user | ✓ | | |
+| cid | | | ✓ |
app-logout:fail
---------------
-| Field | Core | Detection | Informational |
-| -------------- | -------- | --------- | ------------- |
-| failure_code | | ✓ | |
-| failure_reason | | ✓ | |
-| user | ✓ | | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| --------------- | -------- | --------- | ------------- |
+| failure_code | | ✓ | |
+| local_user_name | | | |
+| failure_reason | | ✓ | |
+| user | ✓ | | |
+| cid | | | ✓ |
\ No newline at end of file
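Review bot: `local_user_name` is added to both tables with no tier tick; give it a tier or leave it out. Adding `cid` as Informational is consistent with `app-activity` and `app-login`.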
diff --git a/ActivityTypes/app-notification.md b/ActivityTypes/app-notification.md
index 55b978d..4968a92 100644
--- a/ActivityTypes/app-notification.md
+++ b/ActivityTypes/app-notification.md
@@ -24,7 +24,8 @@ The possible fields for this activity type will vary depending on whether the ac
app-notification:success
------------------------
-There are no fields for this activity type.
-
+| Field | Core | Detection | Informational |
+| ----- | ---- | --------- | ------------- |
+| cid | | | ✓ |
A failure activity is not currently supported for this activity-type.
\ No newline at end of file
diff --git a/ActivityTypes/app-register.md b/ActivityTypes/app-register.md
index 114bfee..20c5e69 100644
--- a/ActivityTypes/app-register.md
+++ b/ActivityTypes/app-register.md
@@ -24,15 +24,17 @@ The possible fields for this activity type will vary depending on whether the ac
app-register:success
--------------------
-| Field | Core | Detection | Informational |
-| ----- | -------- | --------- | ------------- |
-| user | ✓ | | |
+| Field | Core | Detection | Informational |
+| --------------- | -------- | --------- | ------------- |
+| local_user_name | | | |
+| user | ✓ | | |
app-register:fail
-----------------
-| Field | Core | Detection | Informational |
-| -------------- | -------- | --------- | ------------- |
-| failure_code | | ✓ | |
-| failure_reason | | ✓ | |
-| user | ✓ | | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| --------------- | -------- | --------- | ------------- |
+| failure_code | | ✓ | |
+| local_user_name | | | |
+| failure_reason | | ✓ | |
+| user | ✓ | | |
\ No newline at end of file
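Review bot: `cid` is not added here although `app-logout`, `app-login` and `app-activity` gain it in this patch; if registration events do carry a `cid`, add the row for consistency, otherwise note the exception. `local_user_name` has no tier tick in either table.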
diff --git a/ActivityTypes/branch-create.md b/ActivityTypes/branch-create.md
new file mode 100644
index 0000000..d87d89d
--- /dev/null
+++ b/ActivityTypes/branch-create.md
@@ -0,0 +1,36 @@
+branch-create
+=============
+
+Description
+-----------
+A git branch was created
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | ------------- |
+| Subject | branch |
+| Activity | create |
+| Activity Type | branch-create |
+| Pretty Name | Branch Create |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#branch-createsuccess) or a [fail](#branch-createfail).
+
+
+branch-create:success
+---------------------
+
+There are no fields for this activity type.
+
+
+branch-create:fail
+------------------
+
+| Field | Core | Detection | Informational |
+| -------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| failure_reason | | ✓ | |
\ No newline at end of file
diff --git a/ActivityTypes/call-receive.md b/ActivityTypes/call-receive.md
index 001bcca..d156809 100644
--- a/ActivityTypes/call-receive.md
+++ b/ActivityTypes/call-receive.md
@@ -24,13 +24,15 @@ The possible fields for this activity type will vary depending on whether the ac
call-receive:success
--------------------
-There are no fields for this activity type.
-
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| local_user_name | | | |
call-receive:fail
-----------------
-| Field | Core | Detection | Informational |
-| -------------- | ---- | --------- | ------------- |
-| failure_code | | ✓ | |
-| failure_reason | | ✓ | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| local_user_name | | | |
+| failure_reason | | ✓ | |
\ No newline at end of file
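Review bot: the new `call-receive:success` table has a single row, `local_user_name`, with no Core, Detection or Informational tick, so it documents no more than the "There are no fields" sentence it replaces; either assign a tier or keep the sentence. The same applies to the `local_user_name` row added to the fail table.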
diff --git a/ActivityTypes/call-send.md b/ActivityTypes/call-send.md
index 0736f9f..be8d2da 100644
--- a/ActivityTypes/call-send.md
+++ b/ActivityTypes/call-send.md
@@ -24,13 +24,15 @@ The possible fields for this activity type will vary depending on whether the ac
call-send:success
-----------------
-There are no fields for this activity type.
-
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| local_user_name | | | |
call-send:fail
--------------
-| Field | Core | Detection | Informational |
-| -------------- | ---- | --------- | ------------- |
-| failure_code | | ✓ | |
-| failure_reason | | ✓ | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| local_user_name | | | |
+| failure_reason | | ✓ | |
\ No newline at end of file
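Review bot: identical issue to `call-receive.md`: a one-row success table whose only field, `local_user_name`, has no tier tick is effectively empty. Assign the tier or keep the "no fields" text.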
diff --git a/ActivityTypes/case-create.md b/ActivityTypes/case-create.md
new file mode 100644
index 0000000..3b05bc2
--- /dev/null
+++ b/ActivityTypes/case-create.md
@@ -0,0 +1,36 @@
+case-create
+===========
+
+Description
+-----------
+A security incident was created on a security product
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | ----------- |
+| Subject | case |
+| Activity | create |
+| Activity Type | case-create |
+| Pretty Name | Case Create |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#case-createsuccess) or a [fail](#case-createfail).
+
+
+case-create:success
+-------------------
+
+There are no fields for this activity type.
+
+
+case-create:fail
+----------------
+
+| Field | Core | Detection | Informational |
+| -------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| failure_reason | | ✓ | |
\ No newline at end of file
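Review bot: the description says "A security incident was created" while the subject this page defines is `case`, and the same patch removes the `incident-*` types from the index; use the `case` term here and, if this type replaces `incident-create`, add a Legacy Names table (as `dhcp-session.md` has) mapping `incident-create` to `case-create` so existing event mappings keep resolving.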
diff --git a/ActivityTypes/case-delete.md b/ActivityTypes/case-delete.md
new file mode 100644
index 0000000..38f62b3
--- /dev/null
+++ b/ActivityTypes/case-delete.md
@@ -0,0 +1,36 @@
+case-delete
+===========
+
+Description
+-----------
+A security incident was deleted on a security product
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | ----------- |
+| Subject | case |
+| Activity | delete |
+| Activity Type | case-delete |
+| Pretty Name | Case Delete |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#case-deletesuccess) or a [fail](#case-deletefail).
+
+
+case-delete:success
+-------------------
+
+There are no fields for this activity type.
+
+
+case-delete:fail
+----------------
+
+| Field | Core | Detection | Informational |
+| -------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| failure_reason | | ✓ | |
\ No newline at end of file
diff --git a/ActivityTypes/case-modify.md b/ActivityTypes/case-modify.md
new file mode 100644
index 0000000..9a16047
--- /dev/null
+++ b/ActivityTypes/case-modify.md
@@ -0,0 +1,36 @@
+case-modify
+===========
+
+Description
+-----------
+The properties or content of a security incident were changed on a security product
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | ----------- |
+| Subject | case |
+| Activity | modify |
+| Activity Type | case-modify |
+| Pretty Name | Case Modify |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#case-modifysuccess) or a [fail](#case-modifyfail).
+
+
+case-modify:success
+-------------------
+
+There are no fields for this activity type.
+
+
+case-modify:fail
+----------------
+
+| Field | Core | Detection | Informational |
+| -------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| failure_reason | | ✓ | |
\ No newline at end of file
diff --git a/ActivityTypes/case-read.md b/ActivityTypes/case-read.md
new file mode 100644
index 0000000..fc942ac
--- /dev/null
+++ b/ActivityTypes/case-read.md
@@ -0,0 +1,33 @@
+case-read
+=========
+
+Description
+-----------
+
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | --------- |
+| Subject | case |
+| Activity | read |
+| Activity Type | case-read |
+| Pretty Name | Case Read |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#case-readsuccess) or a [fail](#case-readfail).
+
+
+case-read:success
+-----------------
+
+There are no fields for this activity type.
+
+
+case-read:fail
+--------------
+
+There are no fields for this activity type.
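Review bot: `Description` is blank, and `case-read:fail` lists no fields while the sibling `case-create`, `case-delete` and `case-modify` fail tables in this patch define `failure_code` and `failure_reason`; a denied case read is exactly the event an analyst wants the reason for, so add the two fields or explain their absence.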
diff --git a/ActivityTypes/configuration-modify.md b/ActivityTypes/configuration-modify.md
index c1edde8..37f020a 100644
--- a/ActivityTypes/configuration-modify.md
+++ b/ActivityTypes/configuration-modify.md
@@ -29,8 +29,9 @@ The possible fields for this activity type will vary depending on whether the ac
configuration-modify:success
----------------------------
-There are no fields for this activity type.
-
+| Field | Core | Detection | Informational |
+| ----- | ---- | --------- | ------------- |
+| cid | | | ✓ |
configuration-modify:fail
-------------------------
@@ -38,4 +39,5 @@ configuration-modify:fail
| Field | Core | Detection | Informational |
| -------------- | ---- | --------- | ------------- |
| failure_code | | ✓ | |
-| failure_reason | | ✓ | |
\ No newline at end of file
+| failure_reason | | ✓ | |
+| cid | | | ✓ |
\ No newline at end of file
diff --git a/ActivityTypes/context_source-create.md b/ActivityTypes/context_source-create.md
new file mode 100644
index 0000000..6b55a25
--- /dev/null
+++ b/ActivityTypes/context_source-create.md
@@ -0,0 +1,36 @@
+context_source-create
+=====================
+
+Description
+-----------
+Context source was created
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | --------------------- |
+| Subject | context_source |
+| Activity | create |
+| Activity Type | context_source-create |
+| Pretty Name | Context Source Create |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#context_source-createsuccess) or a [fail](#context_source-createfail).
+
+
+context_source-create:success
+-----------------------------
+
+There are no fields for this activity type.
+
+
+context_source-create:fail
+--------------------------
+
+| Field | Core | Detection | Informational |
+| -------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| failure_reason | | ✓ | |
\ No newline at end of file
diff --git a/ActivityTypes/context_source-delete.md b/ActivityTypes/context_source-delete.md
new file mode 100644
index 0000000..b4c5d02
--- /dev/null
+++ b/ActivityTypes/context_source-delete.md
@@ -0,0 +1,36 @@
+context_source-delete
+=====================
+
+Description
+-----------
+Context source was deleted
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | --------------------- |
+| Subject | context_source |
+| Activity | delete |
+| Activity Type | context_source-delete |
+| Pretty Name | Context Source Delete |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#context_source-deletesuccess) or a [fail](#context_source-deletefail).
+
+
+context_source-delete:success
+-----------------------------
+
+There are no fields for this activity type.
+
+
+context_source-delete:fail
+--------------------------
+
+| Field | Core | Detection | Informational |
+| -------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| failure_reason | | ✓ | |
\ No newline at end of file
diff --git a/ActivityTypes/context_source-modify.md b/ActivityTypes/context_source-modify.md
new file mode 100644
index 0000000..8dec224
--- /dev/null
+++ b/ActivityTypes/context_source-modify.md
@@ -0,0 +1,36 @@
+context_source-modify
+=====================
+
+Description
+-----------
+Context source was Modified
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | --------------------- |
+| Subject | context_source |
+| Activity | modify |
+| Activity Type | context_source-modify |
+| Pretty Name | Context Source Modify |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#context_source-modifysuccess) or a [fail](#context_source-modifyfail).
+
+
+context_source-modify:success
+-----------------------------
+
+There are no fields for this activity type.
+
+
+context_source-modify:fail
+--------------------------
+
+| Field | Core | Detection | Informational |
+| -------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| failure_reason | | ✓ | |
\ No newline at end of file
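Review bot: "Context source was Modified" capitalises "Modified" mid-sentence; write "Context source was modified" to match `context_source-create.md` and `context_source-delete.md` in this patch.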
diff --git a/ActivityTypes/database-login.md b/ActivityTypes/database-login.md
index d302f60..49dcc73 100644
--- a/ActivityTypes/database-login.md
+++ b/ActivityTypes/database-login.md
@@ -29,17 +29,29 @@ The possible fields for this activity type will vary depending on whether the ac
database-login:success
----------------------
-| Field | Core | Detection | Informational |
-| ------ | -------- | --------- | ------------- |
-| domain | | ✓ | |
-| user | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| src_ip | | ✓ | |
+| login_type | | ✓ | |
+| domain | | ✓ | |
+| dest_ip | | ✓ | |
+| dest_host | | ✓ | |
+| domain_user_name | | | |
+| src_host | | ✓ | |
+| user | | ✓ | |
database-login:fail
-------------------
-| Field | Core | Detection | Informational |
-| -------------- | -------- | --------- | ------------- |
-| failure_code | | ✓ | |
-| domain | | ✓ | |
-| failure_reason | | ✓ | |
-| user | ✓ | ✓ | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| src_ip | | ✓ | |
+| failure_code | | ✓ | |
+| login_type | | ✓ | |
+| domain | | ✓ | |
+| dest_ip | | ✓ | |
+| dest_host | | ✓ | |
+| domain_user_name | | | |
+| failure_reason | | ✓ | |
+| src_host | | ✓ | |
+| user | | ✓ | |
\ No newline at end of file
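Review bot: `user` loses its Core tick in both the success and fail tables (it was Core plus Detection before), leaving `database-login` with no Core field at all; demoting the principal of a login event out of Core is a semantic change that needs a justification in the commit message or should be reverted. `domain_user_name` is added with no tier tick.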
diff --git a/ActivityTypes/database-logout.md b/ActivityTypes/database-logout.md
index 2c8baa9..35d2b06 100644
--- a/ActivityTypes/database-logout.md
+++ b/ActivityTypes/database-logout.md
@@ -24,17 +24,17 @@ The possible fields for this activity type will vary depending on whether the ac
database-logout:success
-----------------------
-| Field | Core | Detection | Informational |
-| ------ | -------- | --------- | ------------- |
-| domain | | ✓ | |
-| user | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| domain | | ✓ | |
+| domain_user_name | | | |
database-logout:fail
--------------------
-| Field | Core | Detection | Informational |
-| -------------- | -------- | --------- | ------------- |
-| failure_code | | ✓ | |
-| domain | | ✓ | |
-| failure_reason | | ✓ | |
-| user | ✓ | ✓ | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| domain | | ✓ | |
+| domain_user_name | | | |
+| failure_reason | | ✓ | |
\ No newline at end of file
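Review bot: `user` is removed outright from both the success and fail tables, leaving database-logout with no field that identifies who logged out (`domain_user_name` is added in its place but carries no column mark). A logout event without a user cannot be correlated with the matching database-login; keep `user` as Core or document where that identity now lives.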
diff --git a/ActivityTypes/database-query.md b/ActivityTypes/database-query.md
index a735fda..d0b4cb3 100644
--- a/ActivityTypes/database-query.md
+++ b/ActivityTypes/database-query.md
@@ -29,9 +29,10 @@ The possible fields for this activity type will vary depending on whether the ac
database-query:success
----------------------
-| Field | Core | Detection | Informational |
-| -------- | ---- | --------- | ------------- |
-| db_query | | ✓ | |
+| Field | Core | Detection | Informational |
+| ------------- | ---- | --------- | ------------- |
+| db_query | | ✓ | |
+| response_size | | ✓ | |
database-query:fail
-------------------
@@ -40,4 +41,5 @@ database-query:fail
| -------------- | ---- | --------- | ------------- |
| failure_code | | ✓ | |
| db_query | | ✓ | |
-| failure_reason | | ✓ | |
\ No newline at end of file
+| failure_reason | | ✓ | |
+| response_size | | ✓ | |
\ No newline at end of file
diff --git a/ActivityTypes/dhcp-session.md b/ActivityTypes/dhcp-session.md
index e054a3e..2bffb0f 100644
--- a/ActivityTypes/dhcp-session.md
+++ b/ActivityTypes/dhcp-session.md
@@ -16,9 +16,9 @@ Parameters
Legacy Names
------------
-| Success | Fail |
-| ------------------ | ---- |
-| computer-logon
| |
+| Success | Fail |
+| ------------------ | ------------------ |
+| computer-logon
| computer-logon
|
Fields
------
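Review bot: the Legacy Names table now maps the Fail column to `computer-logon`, the same legacy name as Success, so a legacy `computer-logon` event can no longer be mapped to one outcome by name alone; the page should say what distinguishes the two.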
@@ -32,4 +32,10 @@ dhcp-session:success
There are no fields for this activity type.
-A failure activity is not currently supported for this activity-type.
\ No newline at end of file
+dhcp-session:fail
+-----------------
+
+| Field | Core | Detection | Informational |
+| -------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| failure_reason | | ✓ | |
\ No newline at end of file
diff --git a/ActivityTypes/dll-load.md b/ActivityTypes/dll-load.md
index c150e2b..f018c64 100644
--- a/ActivityTypes/dll-load.md
+++ b/ActivityTypes/dll-load.md
@@ -29,8 +29,9 @@ The possible fields for this activity type will vary depending on whether the ac
dll-load:success
----------------
-There are no fields for this activity type.
-
+| Field | Core | Detection | Informational |
+| ----- | ---- | --------- | ------------- |
+| cid | | | ✓ |
dll-load:fail
-------------
@@ -38,4 +39,5 @@ dll-load:fail
| Field | Core | Detection | Informational |
| -------------- | ---- | --------- | ------------- |
| failure_code | | ✓ | |
-| failure_reason | | ✓ | |
\ No newline at end of file
+| failure_reason | | ✓ | |
+| cid | | | ✓ |
\ No newline at end of file
diff --git a/ActivityTypes/dns-request.md b/ActivityTypes/dns-request.md
index c5d11c6..ccfadd3 100644
--- a/ActivityTypes/dns-request.md
+++ b/ActivityTypes/dns-request.md
@@ -29,8 +29,10 @@ The possible fields for this activity type will vary depending on whether the ac
dns-request:success
-------------------
-There are no fields for this activity type.
-
+| Field | Core | Detection | Informational |
+| -------- | ---- | --------- | ------------- |
+| bytes | | ✓ | |
+| src_host | | ✓ | |
dns-request:fail
----------------
@@ -38,4 +40,6 @@ dns-request:fail
| Field | Core | Detection | Informational |
| -------------- | ---- | --------- | ------------- |
| failure_code | | ✓ | |
-| failure_reason | | ✓ | |
\ No newline at end of file
+| bytes | | ✓ | |
+| failure_reason | | ✓ | |
+| src_host | | ✓ | |
\ No newline at end of file
diff --git a/ActivityTypes/dns-response.md b/ActivityTypes/dns-response.md
index 5c4b4ac..7333954 100644
--- a/ActivityTypes/dns-response.md
+++ b/ActivityTypes/dns-response.md
@@ -34,6 +34,7 @@ dns-response:success
| dns_response | ✓ | ✓ | |
| dns_response_code | | ✓ | |
| dns_response_flags | | ✓ | |
+| dest_host | | ✓ | |
dns-response:fail
-----------------
@@ -44,4 +45,5 @@ dns-response:fail
| dns_response | ✓ | ✓ | |
| dns_response_code | | ✓ | |
| dns_response_flags | | ✓ | |
+| dest_host | | ✓ | |
| failure_reason | | ✓ | |
\ No newline at end of file
diff --git a/ActivityTypes/email-receive.md b/ActivityTypes/email-receive.md
index 7abd0fc..7650962 100644
--- a/ActivityTypes/email-receive.md
+++ b/ActivityTypes/email-receive.md
@@ -29,39 +29,51 @@ The possible fields for this activity type will vary depending on whether the ac
email-receive:success
---------------------
-| Field | Core | Detection | Informational |
-| ------------------ | -------- | --------- | ------------- |
-| email_recipients | | | ✓ |
-| email_attachment | | | ✓ |
-| dest_email_user | | | ✓ |
-| dest_user | ✓ | | |
-| email_attachments | | | ✓ |
-| dest_email_domain | | | ✓ |
-| email_address | ✓ | | |
-| file_ext | | | ✓ |
-| email_user | | | ✓ |
-| dest_email_address | ✓ | | |
-| dest_domain | | | ✓ |
-| email_domain | | | ✓ |
-| email_subject | | | ✓ |
+| Field | Core | Detection | Informational |
+| --------------------- | -------- | --------- | ------------- |
+| email_recipients | | | ✓ |
+| email_attachment | | | ✓ |
+| dest_email_user | | | ✓ |
+| dest_user_full_name | | | ✓ |
+| dest_user | ✓ | | |
+| email_attachments | | | ✓ |
+| dest_email_domain | | | ✓ |
+| email_address | ✓ | | |
+| file_ext | | | ✓ |
+| email_user | | | ✓ |
+| dest_domain_user_name | | | |
+| bytes | | ✓ | |
+| dest_email_address | ✓ | | |
+| dest_domain | | | ✓ |
+| email_domain | | | ✓ |
+| src_email_address | ✓ | | |
+| src_email_domain | | | ✓ |
+| email_subject | | | ✓ |
+| user | | ✓ | |
email-receive:fail
------------------
-| Field | Core | Detection | Informational |
-| ------------------ | -------- | --------- | ------------- |
-| email_recipients | | | ✓ |
-| email_attachment | | | ✓ |
-| dest_email_user | | | ✓ |
-| failure_code | | ✓ | |
-| dest_user | ✓ | | |
-| failure_reason | | ✓ | |
-| email_attachments | | | ✓ |
-| dest_email_domain | | | ✓ |
-| email_address | ✓ | | |
-| file_ext | | | ✓ |
-| email_user | | | ✓ |
-| dest_email_address | ✓ | | |
-| dest_domain | | | ✓ |
-| email_domain | | | ✓ |
-| email_subject | | | ✓ |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| --------------------- | -------- | --------- | ------------- |
+| email_recipients | | | ✓ |
+| email_attachment | | | ✓ |
+| dest_email_user | | | ✓ |
+| failure_code | | ✓ | |
+| dest_user_full_name | | | ✓ |
+| dest_user | ✓ | | |
+| failure_reason | | ✓ | |
+| email_attachments | | | ✓ |
+| dest_email_domain | | | ✓ |
+| email_address | ✓ | | |
+| file_ext | | | ✓ |
+| email_user | | | ✓ |
+| dest_domain_user_name | | | |
+| bytes | | ✓ | |
+| dest_email_address | ✓ | | |
+| dest_domain | | | ✓ |
+| email_domain | | | ✓ |
+| src_email_address | ✓ | | |
+| src_email_domain | | | ✓ |
+| email_subject | | | ✓ |
+| user | | ✓ | |
\ No newline at end of file
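Review bot: `dest_domain_user_name` is added to both tables with no column marked, so its tier is undefined. Both `email_address` and the new `src_email_address` are Core; if `email_address` is now an alias of the src/dest pair, say which one producers should populate, otherwise the two Core fields overlap.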
diff --git a/ActivityTypes/email-recipient-add.md b/ActivityTypes/email-recipient-add.md
index 2671c75..8fd44d4 100644
--- a/ActivityTypes/email-recipient-add.md
+++ b/ActivityTypes/email-recipient-add.md
@@ -24,23 +24,31 @@ The possible fields for this activity type will vary depending on whether the ac
email-recipient-add:success
---------------------------
-| Field | Core | Detection | Informational |
-| ------------------ | ---- | --------- | ------------- |
-| dest_email_domain | | | ✓ |
-| dest_email_user | | | ✓ |
-| dest_email_address | | | ✓ |
-| dest_domain | | | ✓ |
-| dest_user | | | ✓ |
+| Field | Core | Detection | Informational |
+| --------------------- | -------- | --------- | ------------- |
+| dest_email_domain | | | ✓ |
+| dest_email_user | | | ✓ |
+| dest_user_full_name | | | ✓ |
+| dest_domain_user_name | | | |
+| dest_email_address | | | ✓ |
+| dest_domain | | | ✓ |
+| dest_user | | | ✓ |
+| src_email_address | ✓ | | |
+| src_email_domain | | | ✓ |
email-recipient-add:fail
------------------------
-| Field | Core | Detection | Informational |
-| ------------------ | ---- | --------- | ------------- |
-| dest_email_domain | | | ✓ |
-| dest_email_user | | | ✓ |
-| failure_code | | ✓ | |
-| dest_email_address | | | ✓ |
-| dest_domain | | | ✓ |
-| dest_user | | | ✓ |
-| failure_reason | | ✓ | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| --------------------- | -------- | --------- | ------------- |
+| dest_email_domain | | | ✓ |
+| dest_email_user | | | ✓ |
+| failure_code | | ✓ | |
+| dest_user_full_name | | | ✓ |
+| dest_domain_user_name | | | |
+| dest_email_address | | | ✓ |
+| dest_domain | | | ✓ |
+| dest_user | | | ✓ |
+| src_email_address | ✓ | | |
+| failure_reason | | ✓ | |
+| src_email_domain | | | ✓ |
\ No newline at end of file
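Review bot: `dest_domain_user_name` has no column marked in either table. Also, `src_email_address` is the only Core field for this activity while `dest_email_address`, the recipient actually being added, stays Informational; check that this tiering is intended.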
diff --git a/ActivityTypes/email-recipient-remove.md b/ActivityTypes/email-recipient-remove.md
index c696968..68dd7c5 100644
--- a/ActivityTypes/email-recipient-remove.md
+++ b/ActivityTypes/email-recipient-remove.md
@@ -24,23 +24,31 @@ The possible fields for this activity type will vary depending on whether the ac
email-recipient-remove:success
------------------------------
-| Field | Core | Detection | Informational |
-| ------------------ | ---- | --------- | ------------- |
-| dest_email_domain | | | ✓ |
-| dest_email_user | | | ✓ |
-| dest_email_address | | | ✓ |
-| dest_domain | | | ✓ |
-| dest_user | | | ✓ |
+| Field | Core | Detection | Informational |
+| --------------------- | -------- | --------- | ------------- |
+| dest_email_domain | | | ✓ |
+| dest_email_user | | | ✓ |
+| dest_user_full_name | | | ✓ |
+| dest_domain_user_name | | | |
+| dest_email_address | | | ✓ |
+| dest_domain | | | ✓ |
+| dest_user | | | ✓ |
+| src_email_address | ✓ | | |
+| src_email_domain | | | ✓ |
email-recipient-remove:fail
---------------------------
-| Field | Core | Detection | Informational |
-| ------------------ | ---- | --------- | ------------- |
-| dest_email_domain | | | ✓ |
-| dest_email_user | | | ✓ |
-| failure_code | | ✓ | |
-| dest_email_address | | | ✓ |
-| dest_domain | | | ✓ |
-| dest_user | | | ✓ |
-| failure_reason | | ✓ | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| --------------------- | -------- | --------- | ------------- |
+| dest_email_domain | | | ✓ |
+| dest_email_user | | | ✓ |
+| failure_code | | ✓ | |
+| dest_user_full_name | | | ✓ |
+| dest_domain_user_name | | | |
+| dest_email_address | | | ✓ |
+| dest_domain | | | ✓ |
+| dest_user | | | ✓ |
+| src_email_address | ✓ | | |
+| failure_reason | | ✓ | |
+| src_email_domain | | | ✓ |
\ No newline at end of file
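Review bot: same issues as email-recipient-add: `dest_domain_user_name` carries no tier, and the recipient being removed (`dest_email_address`) is Informational while `src_email_address` is Core.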
diff --git a/ActivityTypes/email-send.md b/ActivityTypes/email-send.md
index 9236dbe..20ec3e0 100644
--- a/ActivityTypes/email-send.md
+++ b/ActivityTypes/email-send.md
@@ -29,39 +29,59 @@ The possible fields for this activity type will vary depending on whether the ac
email-send:success
------------------
-| Field | Core | Detection | Informational |
-| ------------------ | -------- | --------- | ------------- |
-| email_recipients | | | ✓ |
-| email_attachment | | | ✓ |
-| dest_email_user | | | ✓ |
-| dest_user | ✓ | | |
-| email_attachments | | | ✓ |
-| dest_email_domain | | | ✓ |
-| email_address | ✓ | | |
-| file_ext | | | ✓ |
-| email_user | | | ✓ |
-| dest_email_address | ✓ | | |
-| dest_domain | | | ✓ |
-| email_domain | | | ✓ |
-| email_subject | | | ✓ |
+| Field | Core | Detection | Informational |
+| --------------------- | -------- | --------- | ------------- |
+| email_recipients | | | ✓ |
+| email_attachment | | | ✓ |
+| dest_email_user | | | ✓ |
+| dest_user_full_name | | | ✓ |
+| file_name | | ✓ | |
+| dest_user | ✓ | | |
+| email_attachments | | | ✓ |
+| num_recipients | | ✓ | |
+| dest_email_domain | | | ✓ |
+| email_address | ✓ | | |
+| file_ext | | ✓ | ✓ |
+| email_user | | | ✓ |
+| attachment | | ✓ | |
+| dest_domain_user_name | | | |
+| bytes | | ✓ | |
+| dest_email_address | ✓ | | |
+| dest_ip | | ✓ | |
+| dest_domain | | | ✓ |
+| email_domain | | | ✓ |
+| src_email_address | ✓ | | |
+| src_email_domain | | | ✓ |
+| email_subject | | ✓ | ✓ |
+| user | | ✓ | |
email-send:fail
---------------
-| Field | Core | Detection | Informational |
-| ------------------ | -------- | --------- | ------------- |
-| email_recipients | | | ✓ |
-| email_attachment | | | ✓ |
-| dest_email_user | | | ✓ |
-| failure_code | | ✓ | |
-| dest_user | ✓ | | |
-| failure_reason | | ✓ | |
-| email_attachments | | | ✓ |
-| dest_email_domain | | | ✓ |
-| email_address | ✓ | | |
-| file_ext | | | ✓ |
-| email_user | | | ✓ |
-| dest_email_address | ✓ | | |
-| dest_domain | | | ✓ |
-| email_domain | | | ✓ |
-| email_subject | | | ✓ |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| --------------------- | -------- | --------- | ------------- |
+| dest_email_user | | | ✓ |
+| dest_email_domain | | | ✓ |
+| email_user | | | ✓ |
+| attachment | | ✓ | |
+| dest_domain_user_name | | | |
+| dest_email_address | ✓ | | |
+| src_email_domain | | | ✓ |
+| email_recipients | | | ✓ |
+| email_attachment | | | ✓ |
+| failure_code | | ✓ | |
+| dest_user_full_name | | | ✓ |
+| file_name | | ✓ | |
+| dest_user | ✓ | | |
+| failure_reason | | ✓ | |
+| email_attachments | | | ✓ |
+| num_recipients | | ✓ | |
+| email_address | ✓ | | |
+| file_ext | | ✓ | ✓ |
+| bytes | | ✓ | |
+| dest_ip | | ✓ | |
+| dest_domain | | | ✓ |
+| email_domain | | | ✓ |
+| src_email_address | ✓ | | |
+| email_subject | | ✓ | ✓ |
+| user | | ✓ | |
\ No newline at end of file
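Review bot: the fail table's row order no longer matches the success table (it starts with `dest_email_user` while success starts with `email_recipients`), which makes the two hard to compare; keep the order consistent. Three attachment fields now coexist (`attachment`, `email_attachment`, `email_attachments`) with different tiers; clarify the distinction or consolidate. `dest_domain_user_name` has no column marked in either table.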
diff --git a/ActivityTypes/email_rule-create.md b/ActivityTypes/email_rule-create.md
index a836434..c426bf2 100644
--- a/ActivityTypes/email_rule-create.md
+++ b/ActivityTypes/email_rule-create.md
@@ -14,6 +14,11 @@ Parameters
| Activity Type | email_rule-create |
| Pretty Name | Email_rule Create |
+Legacy Names
+------------
+| Success | Fail |
+| ---------------- | ---- |
+| app-activity
| |
Fields
------
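Review bot: the Legacy Names table gives `app-activity` for Success only and leaves the Fail cell empty, yet a fail table is added further down; if failed rule creations also arrive as `app-activity`, fill the Fail cell, otherwise note that no legacy fail name exists.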
@@ -24,13 +29,23 @@ The possible fields for this activity type will vary depending on whether the ac
email_rule-create:success
-------------------------
-There are no fields for this activity type.
-
+| Field | Core | Detection | Informational |
+| ------------------- | ---- | --------- | ------------- |
+| dest_email_domain | | ✓ | |
+| dest_user_full_name | | | ✓ |
+| email_domain | | ✓ | |
+| src_email_domain | | | ✓ |
+| operation | | ✓ | |
email_rule-create:fail
----------------------
-| Field | Core | Detection | Informational |
-| -------------- | ---- | --------- | ------------- |
-| failure_code | | ✓ | |
-| failure_reason | | ✓ | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| ------------------- | ---- | --------- | ------------- |
+| dest_email_domain | | ✓ | |
+| failure_code | | ✓ | |
+| dest_user_full_name | | | ✓ |
+| email_domain | | ✓ | |
+| failure_reason | | ✓ | |
+| src_email_domain | | | ✓ |
+| operation | | ✓ | |
\ No newline at end of file
diff --git a/ActivityTypes/endpoint-authentication.md b/ActivityTypes/endpoint-authentication.md
index bab39ce..274718a 100644
--- a/ActivityTypes/endpoint-authentication.md
+++ b/ActivityTypes/endpoint-authentication.md
@@ -29,19 +29,21 @@ The possible fields for this activity type will vary depending on whether the ac
endpoint-authentication:success
-------------------------------
-| Field | Core | Detection | Informational |
-| ------------------- | -------- | --------- | ------------- |
-| domain | | | |
-| user | ✓ | ✓ | |
-| authentication_type | | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| auth_type | | ✓ | |
+| domain | | ✓ | |
+| domain_user_name | | | |
+| user | ✓ | ✓ | |
endpoint-authentication:fail
----------------------------
-| Field | Core | Detection | Informational |
-| ------------------- | -------- | --------- | ------------- |
-| failure_code | | ✓ | |
-| domain | | | |
-| failure_reason | | ✓ | |
-| user | ✓ | ✓ | |
-| authentication_type | | ✓ | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| auth_type | | ✓ | |
+| failure_code | | ✓ | |
+| domain | | ✓ | |
+| domain_user_name | | | |
+| failure_reason | | ✓ | |
+| user | ✓ | ✓ | |
\ No newline at end of file
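Review bot: `authentication_type` is renamed to `auth_type` in both tables with no mention in the diff, which breaks any consumer keyed on the old name; document the rename (a Legacy Names entry or a note in the commit message). `domain_user_name` has no column marked.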
diff --git a/ActivityTypes/endpoint-domain-join.md b/ActivityTypes/endpoint-domain-join.md
new file mode 100644
index 0000000..65214c6
--- /dev/null
+++ b/ActivityTypes/endpoint-domain-join.md
@@ -0,0 +1,40 @@
+endpoint-domain-join
+====================
+
+Description
+-----------
+An endpoint added to a domain
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | -------------------- |
+| Subject | endpoint |
+| Activity | domain-join |
+| Activity Type | endpoint-domain-join |
+| Pretty Name | Endpoint Domain Join |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#endpoint-domain-joinsuccess) or a [fail](#endpoint-domain-joinfail).
+
+
+endpoint-domain-join:success
+----------------------------
+
+| Field | Core | Detection | Informational |
+| --------- | ---- | --------- | ------------- |
+| domain | | | ✓ |
+| dest_host | | ✓ | |
+
+endpoint-domain-join:fail
+-------------------------
+
+| Field | Core | Detection | Informational |
+| -------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| domain | | | ✓ |
+| dest_host | | ✓ | |
+| failure_reason | | ✓ | |
\ No newline at end of file
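Review bot: the Description reads `An endpoint added to a domain`; the other pages use a full sentence (`A file was created`), so `An endpoint was added to a domain`. `domain` is Informational only here while `dest_host` is Detection; for a domain-join event the target domain is the value a detection would key on, so check the tier.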
diff --git a/ActivityTypes/endpoint-login.md b/ActivityTypes/endpoint-login.md
index 658aeab..6d548ea 100644
--- a/ActivityTypes/endpoint-login.md
+++ b/ActivityTypes/endpoint-login.md
@@ -29,19 +29,42 @@ The possible fields for this activity type will vary depending on whether the ac
endpoint-login:success
----------------------
-| Field | Core | Detection | Informational |
-| ---------- | -------- | --------- | ------------- |
-| login_type | | ✓ | |
-| domain | | ✓ | |
-| user | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| ----------------- | -------- | --------- | ------------- |
+| src_mac | | ✓ | |
+| login_type | | ✓ | |
+| domain_user_name | | | |
+| src_host | | ✓ | |
+| subject_sid | | | ✓ |
+| logon_type | | ✓ | |
+| src_ip | | ✓ | |
+| account_user_name | | | |
+| domain | | ✓ | |
+| dest_ip | | ✓ | |
+| result_code | | ✓ | |
+| location | | ✓ | |
+| user | ✓ | ✓ | |
+| account | | ✓ | |
+| cid | | | ✓ |
endpoint-login:fail
-------------------
-| Field | Core | Detection | Informational |
-| -------------- | -------- | --------- | ------------- |
-| failure_code | | ✓ | |
-| login_type | | ✓ | |
-| domain | | ✓ | |
-| failure_reason | | ✓ | |
-| user | ✓ | ✓ | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| ----------------- | -------- | --------- | ------------- |
+| src_mac | | ✓ | |
+| failure_code | | ✓ | |
+| login_type | | ✓ | |
+| domain_user_name | | | |
+| failure_reason | | ✓ | |
+| src_host | | ✓ | |
+| subject_sid | | | ✓ |
+| src_ip | | ✓ | |
+| account_user_name | | | |
+| domain | | ✓ | |
+| dest_ip | | ✓ | |
+| result_code | | ✓ | |
+| location | | ✓ | |
+| user | ✓ | ✓ | |
+| account | | ✓ | |
+| cid | | | ✓ |
\ No newline at end of file
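Review bot: the success table lists both `login_type` and `logon_type` as Detection fields, which looks like one field under two spellings; the fail table keeps only `login_type`, so the two tables also disagree. Pick one name and use it in both. `domain_user_name` and `account_user_name` carry no tier.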
diff --git a/ActivityTypes/endpoint-logout.md b/ActivityTypes/endpoint-logout.md
index 4cabd96..763f832 100644
--- a/ActivityTypes/endpoint-logout.md
+++ b/ActivityTypes/endpoint-logout.md
@@ -29,10 +29,12 @@ The possible fields for this activity type will vary depending on whether the ac
endpoint-logout:success
-----------------------
-| Field | Core | Detection | Informational |
-| ---------- | -------- | --------- | ------------- |
-| login_type | | ✓ | |
-| domain | | | |
-| user | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| login_type | | ✓ | |
+| domain | | | |
+| domain_user_name | | | |
+| logon_type | | ✓ | |
+| user | ✓ | ✓ | |
A failure activity is not currently supported for this activity-type.
\ No newline at end of file
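Review bot: `logon_type` is added next to the existing `login_type`, the same duplication as in endpoint-login; settle on one spelling. `domain` and `domain_user_name` both have no column marked.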
diff --git a/ActivityTypes/file-copy.md b/ActivityTypes/file-copy.md
index dd385ec..9ece18f 100644
--- a/ActivityTypes/file-copy.md
+++ b/ActivityTypes/file-copy.md
@@ -28,7 +28,7 @@ file-copy:success
| ------------- | ---- | --------- | ------------- |
| src_file_name | | ✓ | |
| src_file_ext | | ✓ | |
-| src_file_dir | | | ✓ |
+| src_file_dir | | ✓ | ✓ |
| src_file_path | | ✓ | |
file-copy:fail
@@ -39,6 +39,6 @@ file-copy:fail
| src_file_name | | ✓ | |
| failure_code | | ✓ | |
| src_file_ext | | ✓ | |
-| src_file_dir | | | ✓ |
+| src_file_dir | | ✓ | ✓ |
| failure_reason | | ✓ | |
| src_file_path | | ✓ | |
\ No newline at end of file
diff --git a/ActivityTypes/file-create.md b/ActivityTypes/file-create.md
new file mode 100644
index 0000000..e970813
--- /dev/null
+++ b/ActivityTypes/file-create.md
@@ -0,0 +1,43 @@
+file-create
+===========
+
+Description
+-----------
+A file was created
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | ----------- |
+| Subject | file |
+| Activity | create |
+| Activity Type | file-create |
+| Pretty Name | File Create |
+
+Legacy Names
+------------
+| Success | Fail |
+| -------------- | -------------- |
+| file-write
| file-write
|
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#file-createsuccess) or a [fail](#file-createfail).
+
+
+file-create:success
+-------------------
+
+| Field | Core | Detection | Informational |
+| ------ | ---- | --------- | ------------- |
+| is_dok | | ✓ | |
+
+file-create:fail
+----------------
+
+| Field | Core | Detection | Informational |
+| -------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| is_dok | | ✓ | |
+| failure_reason | | ✓ | |
\ No newline at end of file
diff --git a/ActivityTypes/file-download.md b/ActivityTypes/file-download.md
index b9ba181..91fb102 100644
--- a/ActivityTypes/file-download.md
+++ b/ActivityTypes/file-download.md
@@ -36,6 +36,7 @@ file-download:success
| src_file_ext | | ✓ | |
| src_file_dir | | | ✓ |
| src_file_path | | ✓ | |
+| cid | | | ✓ |
file-download:fail
------------------
@@ -48,4 +49,5 @@ file-download:fail
| src_file_ext | | ✓ | |
| src_file_dir | | | ✓ |
| failure_reason | | ✓ | |
-| src_file_path | | ✓ | |
\ No newline at end of file
+| src_file_path | | ✓ | |
+| cid | | | ✓ |
\ No newline at end of file
diff --git a/ActivityTypes/file-read.md b/ActivityTypes/file-read.md
index 8a9fa76..5827083 100644
--- a/ActivityTypes/file-read.md
+++ b/ActivityTypes/file-read.md
@@ -32,6 +32,7 @@ file-read:success
| Field | Core | Detection | Informational |
| ------ | ---- | --------- | ------------- |
| is_dok | | ✓ | |
+| cid | | | ✓ |
file-read:fail
--------------
@@ -40,4 +41,5 @@ file-read:fail
| -------------- | ---- | --------- | ------------- |
| failure_code | | ✓ | |
| is_dok | | ✓ | |
-| failure_reason | | ✓ | |
\ No newline at end of file
+| failure_reason | | ✓ | |
+| cid | | | ✓ |
\ No newline at end of file
diff --git a/ActivityTypes/file-write.md b/ActivityTypes/file-write.md
index 2aa63ad..dc2576c 100644
--- a/ActivityTypes/file-write.md
+++ b/ActivityTypes/file-write.md
@@ -32,6 +32,7 @@ file-write:success
| Field | Core | Detection | Informational |
| ------ | ---- | --------- | ------------- |
| is_dok | | ✓ | |
+| cid | | | ✓ |
file-write:fail
---------------
@@ -40,4 +41,5 @@ file-write:fail
| -------------- | ---- | --------- | ------------- |
| failure_code | | ✓ | |
| is_dok | | ✓ | |
-| failure_reason | | ✓ | |
\ No newline at end of file
+| failure_reason | | ✓ | |
+| cid | | | ✓ |
\ No newline at end of file
diff --git a/ActivityTypes/group-member-add.md b/ActivityTypes/group-member-add.md
index ed6c5ee..d2a5306 100644
--- a/ActivityTypes/group-member-add.md
+++ b/ActivityTypes/group-member-add.md
@@ -29,15 +29,29 @@ The possible fields for this activity type will vary depending on whether the ac
group-member-add:success
------------------------
-| Field | Core | Detection | Informational |
-| ------ | -------- | --------- | ------------- |
-| member | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| -------------------- | -------- | --------- | ------------- |
+| user_ou | | ✓ | |
+| dest_local_user_name | | | |
+| group_id | | ✓ | |
+| local_user_name | | | |
+| member | ✓ | ✓ | |
+| dest_user | | ✓ | |
+| src_host | | ✓ | |
+| user | | ✓ | |
group-member-add:fail
---------------------
-| Field | Core | Detection | Informational |
-| -------------- | -------- | --------- | ------------- |
-| failure_code | | ✓ | |
-| member | ✓ | ✓ | |
-| failure_reason | | ✓ | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| -------------------- | -------- | --------- | ------------- |
+| user_ou | | ✓ | |
+| dest_local_user_name | | | |
+| failure_code | | ✓ | |
+| group_id | | ✓ | |
+| local_user_name | | | |
+| member | ✓ | ✓ | |
+| dest_user | | ✓ | |
+| failure_reason | | ✓ | |
+| src_host | | ✓ | |
+| user | | ✓ | |
\ No newline at end of file
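Review bot: `dest_local_user_name` and `local_user_name` have no column marked in either table. `member` (Core) and the new `dest_user` (Detection) both appear to name the principal being added; say how they differ or drop one.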
diff --git a/ActivityTypes/group-member-remove.md b/ActivityTypes/group-member-remove.md
index bee476e..71e78d1 100644
--- a/ActivityTypes/group-member-remove.md
+++ b/ActivityTypes/group-member-remove.md
@@ -29,8 +29,11 @@ The possible fields for this activity type will vary depending on whether the ac
group-member-remove:success
---------------------------
-| Field | Core | Detection | Informational |
-| ------ | -------- | --------- | ------------- |
-| member | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| --------------- | -------- | --------- | ------------- |
+| local_user_name | | | |
+| member | ✓ | ✓ | |
+| dest_user | | ✓ | |
+| user | | ✓ | |
A failure activity is not currently supported for this activity-type.
\ No newline at end of file
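Review bot: this page now documents success fields but still ends with `A failure activity is not currently supported`, whereas group-member-add in the same change gains a fail table with `failure_code` and `failure_reason`; either add the matching fail section here or note why removal cannot fail. `local_user_name` has no column marked.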
diff --git a/ActivityTypes/group-read.md b/ActivityTypes/group-read.md
new file mode 100644
index 0000000..cd27f57
--- /dev/null
+++ b/ActivityTypes/group-read.md
@@ -0,0 +1,36 @@
+group-read
+==========
+
+Description
+-----------
+A request was made to read the content of a group
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | ---------- |
+| Subject | group |
+| Activity | read |
+| Activity Type | group-read |
+| Pretty Name | Group Read |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#group-readsuccess) or a [fail](#group-readfail).
+
+
+group-read:success
+------------------
+
+There are no fields for this activity type.
+
+
+group-read:fail
+---------------
+
+| Field | Core | Detection | Informational |
+| -------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| failure_reason | | ✓ | |
\ No newline at end of file
diff --git a/ActivityTypes/log-clear.md b/ActivityTypes/log-clear.md
index b8fc423..b149d47 100644
--- a/ActivityTypes/log-clear.md
+++ b/ActivityTypes/log-clear.md
@@ -29,13 +29,19 @@ The possible fields for this activity type will vary depending on whether the ac
log-clear:success
-----------------
-There are no fields for this activity type.
-
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| local_user_name | | | |
+| src_host | | ✓ | |
+| user | | ✓ | |
log-clear:fail
--------------
-| Field | Core | Detection | Informational |
-| -------------- | ---- | --------- | ------------- |
-| failure_code | | ✓ | |
-| failure_reason | | ✓ | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| local_user_name | | | |
+| failure_reason | | ✓ | |
+| src_host | | ✓ | |
+| user | | ✓ | |
\ No newline at end of file
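Review bot: `local_user_name` is added to both tables without a column mark, so its tier is undefined; mark it or drop it.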
diff --git a/ActivityTypes/log-export.md b/ActivityTypes/log-export.md
new file mode 100644
index 0000000..12ecd61
--- /dev/null
+++ b/ActivityTypes/log-export.md
@@ -0,0 +1,36 @@
+log-export
+==========
+
+Description
+-----------
+An audit log was exported from a remote site
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | ---------- |
+| Subject | log |
+| Activity | export |
+| Activity Type | log-export |
+| Pretty Name | Log Export |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#log-exportsuccess) or a [fail](#log-exportfail).
+
+
+log-export:success
+------------------
+
+There are no fields for this activity type.
+
+
+log-export:fail
+---------------
+
+| Field | Core | Detection | Informational |
+| -------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| failure_reason | | ✓ | |
\ No newline at end of file
diff --git a/ActivityTypes/log_account-create.md b/ActivityTypes/log_account-create.md
new file mode 100644
index 0000000..4d06a9e
--- /dev/null
+++ b/ActivityTypes/log_account-create.md
@@ -0,0 +1,36 @@
+log_account-create
+==================
+
+Description
+-----------
+A log account was created
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | ------------------ |
+| Subject | log_account |
+| Activity | create |
+| Activity Type | log_account-create |
+| Pretty Name | Log Account Create |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#log_account-createsuccess) or a [fail](#log_account-createfail).
+
+
+log_account-create:success
+--------------------------
+
+There are no fields for this activity type.
+
+
+log_account-create:fail
+-----------------------
+
+| Field | Core | Detection | Informational |
+| -------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| failure_reason | | ✓ | |
\ No newline at end of file
diff --git a/ActivityTypes/log_account-delete.md b/ActivityTypes/log_account-delete.md
new file mode 100644
index 0000000..8015632
--- /dev/null
+++ b/ActivityTypes/log_account-delete.md
@@ -0,0 +1,36 @@
+log_account-delete
+==================
+
+Description
+-----------
+A log account was Deleted
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | ------------------ |
+| Subject | log_account |
+| Activity | delete |
+| Activity Type | log_account-delete |
+| Pretty Name | Log Account Delete |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#log_account-deletesuccess) or a [fail](#log_account-deletefail).
+
+
+log_account-delete:success
+--------------------------
+
+There are no fields for this activity type.
+
+
+log_account-delete:fail
+-----------------------
+
+| Field | Core | Detection | Informational |
+| -------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| failure_reason | | ✓ | |
\ No newline at end of file
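Review bot: the Description `A log account was Deleted` capitalizes the verb; the create page uses `was created`, so use `was deleted`.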
diff --git a/ActivityTypes/log_account-modify.md b/ActivityTypes/log_account-modify.md
new file mode 100644
index 0000000..0f3fa62
--- /dev/null
+++ b/ActivityTypes/log_account-modify.md
@@ -0,0 +1,36 @@
+log_account-modify
+==================
+
+Description
+-----------
+A log account was Modified
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | ------------------ |
+| Subject | log_account |
+| Activity | modify |
+| Activity Type | log_account-modify |
+| Pretty Name | Log Account Modify |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#log_account-modifysuccess) or a [fail](#log_account-modifyfail).
+
+
+log_account-modify:success
+--------------------------
+
+There are no fields for this activity type.
+
+
+log_account-modify:fail
+-----------------------
+
+| Field | Core | Detection | Informational |
+| -------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| failure_reason | | ✓ | |
\ No newline at end of file
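Review bot: "Modified" in the Description should be lowercase ("A log account was modified") to match the other activity-type files, and the file should end with a newline.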
diff --git a/ActivityTypes/log_source-disable.md b/ActivityTypes/log_source-disable.md
new file mode 100644
index 0000000..ee116fc
--- /dev/null
+++ b/ActivityTypes/log_source-disable.md
@@ -0,0 +1,36 @@
+log_source-disable
+==================
+
+Description
+-----------
+
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | ------------------ |
+| Subject | log_source |
+| Activity | disable |
+| Activity Type | log_source-disable |
+| Pretty Name | Log Source Disable |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#log_source-disablesuccess) or a [fail](#log_source-disablefail).
+
+
+log_source-disable:success
+--------------------------
+
+There are no fields for this activity type.
+
+
+log_source-disable:fail
+-----------------------
+
+| Field | Core | Detection | Informational |
+| -------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| failure_reason | | ✓ | |
\ No newline at end of file
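Review bot: the Description section is empty. Every other activity type in this change carries a one-line description, and disabling a log source is exactly the event an analyst needs context for (loss of telemetry), so add one in the established wording, e.g. "A log source was disabled on a security product or program".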
diff --git a/ActivityTypes/log_source-enable.md b/ActivityTypes/log_source-enable.md
new file mode 100644
index 0000000..cef0a92
--- /dev/null
+++ b/ActivityTypes/log_source-enable.md
@@ -0,0 +1,36 @@
+log_source-enable
+=================
+
+Description
+-----------
+
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | ----------------- |
+| Subject | log_source |
+| Activity | enable |
+| Activity Type | log_source-enable |
+| Pretty Name | Log Source Enable |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#log_source-enablesuccess) or a [fail](#log_source-enablefail).
+
+
+log_source-enable:success
+-------------------------
+
+There are no fields for this activity type.
+
+
+log_source-enable:fail
+----------------------
+
+| Field | Core | Detection | Informational |
+| -------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| failure_reason | | ✓ | |
\ No newline at end of file
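Review bot: the Description section is empty here as well; add a line in the established wording, e.g. "A log source was enabled on a security product or program", so the enable/disable pair documents what it records.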
diff --git a/ActivityTypes/mailbox-list.md b/ActivityTypes/mailbox-list.md
new file mode 100644
index 0000000..b809543
--- /dev/null
+++ b/ActivityTypes/mailbox-list.md
@@ -0,0 +1,36 @@
+mailbox-list
+============
+
+Description
+-----------
+
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | ------------ |
+| Subject | mailbox |
+| Activity | list |
+| Activity Type | mailbox-list |
+| Pretty Name | Mailbox List |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#mailbox-listsuccess) or a [fail](#mailbox-listfail).
+
+
+mailbox-list:success
+--------------------
+
+There are no fields for this activity type.
+
+
+mailbox-list:fail
+-----------------
+
+| Field | Core | Detection | Informational |
+| -------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| failure_reason | | ✓ | |
\ No newline at end of file
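Review bot: the Description section is empty; add a one-line description (e.g. "A mailbox was listed") so mailbox-list is documented like the other mailbox-* types.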
diff --git a/ActivityTypes/mailbox-permission-modify.md b/ActivityTypes/mailbox-permission-modify.md
index 56ea175..2fba283 100644
--- a/ActivityTypes/mailbox-permission-modify.md
+++ b/ActivityTypes/mailbox-permission-modify.md
@@ -14,6 +14,11 @@ Parameters
| Activity Type | mailbox-permission-modify |
| Pretty Name | Mailbox Permission Modify |
+Legacy Names
+------------
+| Success | Fail |
+| ---------------- | ---- |
+| app-activity
| |
Fields
------
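Review bot: the Legacy Names table is malformed: the row "| app-activity" is not closed and its Fail cell appears on the following line as "| |", so the table will not render. The row should be a single line, "| app-activity | |", with the Fail cell left blank if there is no legacy fail name.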
@@ -24,13 +29,19 @@ The possible fields for this activity type will vary depending on whether the ac
mailbox-permission-modify:success
---------------------------------
-There are no fields for this activity type.
-
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| local_user_name | | | |
+| dest_user | | ✓ | |
+| user | | ✓ | |
mailbox-permission-modify:fail
------------------------------
-| Field | Core | Detection | Informational |
-| -------------- | ---- | --------- | ------------- |
-| failure_code | | ✓ | |
-| failure_reason | | ✓ | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| local_user_name | | | |
+| dest_user | | ✓ | |
+| failure_reason | | ✓ | |
+| user | | ✓ | |
\ No newline at end of file
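Review bot: local_user_name is added to both tables with no tick in Core, Detection or Informational, so the new field carries no classification; the other user identifiers in the same table (dest_user, user) are Detection, so decide which column applies. The fail table also interleaves the new rows between failure_code and failure_reason; keeping that pair adjacent and appending new rows after it, as network-traffic.md does in this change, makes the tables easier to audit.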
diff --git a/ActivityTypes/meeting-modify.md b/ActivityTypes/meeting-modify.md
index 6e5ba5b..e5aa288 100644
--- a/ActivityTypes/meeting-modify.md
+++ b/ActivityTypes/meeting-modify.md
@@ -29,8 +29,10 @@ The possible fields for this activity type will vary depending on whether the ac
meeting-modify:success
----------------------
-There are no fields for this activity type.
-
+| Field | Core | Detection | Informational |
+| ------------ | ---- | --------- | ------------- |
+| old_password | | ✓ | |
+| new_password | | ✓ | |
meeting-modify:fail
-------------------
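Review bot: old_password and new_password are modelled as Detection fields on meeting-modify:success, which implies the raw meeting password values travel in the normalized event. Decide whether these are sensitive (masked, or reduced to a "password changed" indicator) before classifying them as detection content, and document that intent in the Description.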
@@ -38,4 +40,6 @@ meeting-modify:fail
| Field | Core | Detection | Informational |
| -------------- | ---- | --------- | ------------- |
| failure_code | | ✓ | |
+| old_password | | ✓ | |
+| new_password | | ✓ | |
| failure_reason | | ✓ | |
\ No newline at end of file
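Review bot: the same old_password/new_password rows are inserted between failure_code and failure_reason here; move them after failure_reason so the failure pair stays together, and apply the same sensitivity decision as in the success table.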
diff --git a/ActivityTypes/message-receive.md b/ActivityTypes/message-receive.md
index ab366c9..aa65982 100644
--- a/ActivityTypes/message-receive.md
+++ b/ActivityTypes/message-receive.md
@@ -24,17 +24,19 @@ The possible fields for this activity type will vary depending on whether the ac
message-receive:success
-----------------------
-| Field | Core | Detection | Informational |
-| ----------- | ---- | --------- | ------------- |
-| dest_domain | | | ✓ |
-| dest_user | | | ✓ |
+| Field | Core | Detection | Informational |
+| --------------------- | ---- | --------- | ------------- |
+| dest_domain_user_name | | | |
+| dest_domain | | | ✓ |
+| dest_user | | | ✓ |
message-receive:fail
--------------------
-| Field | Core | Detection | Informational |
-| -------------- | ---- | --------- | ------------- |
-| failure_code | | ✓ | |
-| dest_domain | | | ✓ |
-| dest_user | | | ✓ |
-| failure_reason | | ✓ | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| --------------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| dest_domain_user_name | | | |
+| dest_domain | | | ✓ |
+| dest_user | | | ✓ |
+| failure_reason | | ✓ | |
\ No newline at end of file
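Review bot: dest_domain_user_name is added with no classification ticked, while dest_domain and dest_user are Informational; either mark it Informational as well or state why a composite domain/user field sits outside all three categories. Re-widening the unchanged rows is fine but turns a one-line addition into a full-table rewrite in both tables.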
diff --git a/ActivityTypes/message-send.md b/ActivityTypes/message-send.md
index 819973a..5f110e2 100644
--- a/ActivityTypes/message-send.md
+++ b/ActivityTypes/message-send.md
@@ -24,17 +24,19 @@ The possible fields for this activity type will vary depending on whether the ac
message-send:success
--------------------
-| Field | Core | Detection | Informational |
-| ----------- | ---- | --------- | ------------- |
-| dest_domain | | | ✓ |
-| dest_user | | | ✓ |
+| Field | Core | Detection | Informational |
+| --------------------- | ---- | --------- | ------------- |
+| dest_domain_user_name | | | |
+| dest_domain | | | ✓ |
+| dest_user | | | ✓ |
message-send:fail
-----------------
-| Field | Core | Detection | Informational |
-| -------------- | ---- | --------- | ------------- |
-| failure_code | | ✓ | |
-| dest_domain | | | ✓ |
-| dest_user | | | ✓ |
-| failure_reason | | ✓ | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| --------------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| dest_domain_user_name | | | |
+| dest_domain | | | ✓ |
+| dest_user | | | ✓ |
+| failure_reason | | ✓ | |
\ No newline at end of file
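Review bot: as in message-receive.md, dest_domain_user_name is added to both tables with no classification; give it the same column as dest_domain and dest_user (Informational) or document the exception.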
diff --git a/ActivityTypes/network-session.md b/ActivityTypes/network-session.md
index 8c4e9f6..212903e 100644
--- a/ActivityTypes/network-session.md
+++ b/ActivityTypes/network-session.md
@@ -29,8 +29,9 @@ The possible fields for this activity type will vary depending on whether the ac
network-session:success
-----------------------
-There are no fields for this activity type.
-
+| Field | Core | Detection | Informational |
+| ----- | ---- | --------- | ------------- |
+| cid | | | ✓ |
network-session:fail
--------------------
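Review bot: cid is added only to network-session:success here, while the parallel network-traffic.md hunk adds cid to both success and fail; check whether network-session:fail should get the same row so the two network-* types stay consistent.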
diff --git a/ActivityTypes/network-traffic.md b/ActivityTypes/network-traffic.md
index 301684f..6d70423 100644
--- a/ActivityTypes/network-traffic.md
+++ b/ActivityTypes/network-traffic.md
@@ -29,8 +29,9 @@ The possible fields for this activity type will vary depending on whether the ac
network-traffic:success
-----------------------
-There are no fields for this activity type.
-
+| Field | Core | Detection | Informational |
+| ----- | ---- | --------- | ------------- |
+| cid | | | ✓ |
network-traffic:fail
--------------------
@@ -38,4 +39,5 @@ network-traffic:fail
| Field | Core | Detection | Informational |
| -------------- | ---- | --------- | ------------- |
| failure_code | | ✓ | |
-| failure_reason | | ✓ | |
\ No newline at end of file
+| failure_reason | | ✓ | |
+| cid | | | ✓ |
\ No newline at end of file
diff --git a/ActivityTypes/parser-create.md b/ActivityTypes/parser-create.md
new file mode 100644
index 0000000..8926297
--- /dev/null
+++ b/ActivityTypes/parser-create.md
@@ -0,0 +1,36 @@
+parser-create
+=============
+
+Description
+-----------
+A parser was created on a security product or program
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | ------------- |
+| Subject | parser |
+| Activity | create |
+| Activity Type | parser-create |
+| Pretty Name | Parser Create |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#parser-createsuccess) or a [fail](#parser-createfail).
+
+
+parser-create:success
+---------------------
+
+There are no fields for this activity type.
+
+
+parser-create:fail
+------------------
+
+| Field | Core | Detection | Informational |
+| -------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| failure_reason | | ✓ | |
\ No newline at end of file
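Review bot: the success table says "There are no fields for this activity type", so a successful parser-create event carries nothing that identifies which parser was created; if the parser identity is expected in a generic field elsewhere, say so in the Description, otherwise consider adding it, since the parser-* lifecycle events (this file and the delete/disable/enable/import/modify siblings, which share the same template) are what a defender will query to spot changes to detection content. The new files also lack a trailing newline.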
diff --git a/ActivityTypes/parser-delete.md b/ActivityTypes/parser-delete.md
new file mode 100644
index 0000000..31b6ae4
--- /dev/null
+++ b/ActivityTypes/parser-delete.md
@@ -0,0 +1,36 @@
+parser-delete
+=============
+
+Description
+-----------
+A parser was deleted on a security product or program
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | ------------- |
+| Subject | parser |
+| Activity | delete |
+| Activity Type | parser-delete |
+| Pretty Name | Parser Delete |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#parser-deletesuccess) or a [fail](#parser-deletefail).
+
+
+parser-delete:success
+---------------------
+
+There are no fields for this activity type.
+
+
+parser-delete:fail
+------------------
+
+| Field | Core | Detection | Informational |
+| -------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| failure_reason | | ✓ | |
\ No newline at end of file
diff --git a/ActivityTypes/parser-disable.md b/ActivityTypes/parser-disable.md
new file mode 100644
index 0000000..3c71c73
--- /dev/null
+++ b/ActivityTypes/parser-disable.md
@@ -0,0 +1,36 @@
+parser-disable
+==============
+
+Description
+-----------
+A parser was disabled on a security product or program
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | -------------- |
+| Subject | parser |
+| Activity | disable |
+| Activity Type | parser-disable |
+| Pretty Name | Parser Disable |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#parser-disablesuccess) or a [fail](#parser-disablefail).
+
+
+parser-disable:success
+----------------------
+
+There are no fields for this activity type.
+
+
+parser-disable:fail
+-------------------
+
+| Field | Core | Detection | Informational |
+| -------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| failure_reason | | ✓ | |
\ No newline at end of file
diff --git a/ActivityTypes/parser-enable.md b/ActivityTypes/parser-enable.md
new file mode 100644
index 0000000..207de6b
--- /dev/null
+++ b/ActivityTypes/parser-enable.md
@@ -0,0 +1,36 @@
+parser-enable
+=============
+
+Description
+-----------
+A parser was enabled on a security product or program
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | ------------- |
+| Subject | parser |
+| Activity | enable |
+| Activity Type | parser-enable |
+| Pretty Name | Parser Enable |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#parser-enablesuccess) or a [fail](#parser-enablefail).
+
+
+parser-enable:success
+---------------------
+
+There are no fields for this activity type.
+
+
+parser-enable:fail
+------------------
+
+| Field | Core | Detection | Informational |
+| -------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| failure_reason | | ✓ | |
\ No newline at end of file
diff --git a/ActivityTypes/parser-import.md b/ActivityTypes/parser-import.md
new file mode 100644
index 0000000..4e10db3
--- /dev/null
+++ b/ActivityTypes/parser-import.md
@@ -0,0 +1,36 @@
+parser-import
+=============
+
+Description
+-----------
+A parser was imported on a security product or program
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | ------------- |
+| Subject | parser |
+| Activity | import |
+| Activity Type | parser-import |
+| Pretty Name | Parser Import |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#parser-importsuccess) or a [fail](#parser-importfail).
+
+
+parser-import:success
+---------------------
+
+There are no fields for this activity type.
+
+
+parser-import:fail
+------------------
+
+| Field | Core | Detection | Informational |
+| -------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| failure_reason | | ✓ | |
\ No newline at end of file
diff --git a/ActivityTypes/parser-modify.md b/ActivityTypes/parser-modify.md
new file mode 100644
index 0000000..fc48878
--- /dev/null
+++ b/ActivityTypes/parser-modify.md
@@ -0,0 +1,36 @@
+parser-modify
+=============
+
+Description
+-----------
+A parser was modified on a security product or program
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | ------------- |
+| Subject | parser |
+| Activity | modify |
+| Activity Type | parser-modify |
+| Pretty Name | Parser Modify |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#parser-modifysuccess) or a [fail](#parser-modifyfail).
+
+
+parser-modify:success
+---------------------
+
+There are no fields for this activity type.
+
+
+parser-modify:fail
+------------------
+
+| Field | Core | Detection | Informational |
+| -------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| failure_reason | | ✓ | |
\ No newline at end of file
diff --git a/ActivityTypes/password-checkin.md b/ActivityTypes/password-checkin.md
index 994f732..e7630fa 100644
--- a/ActivityTypes/password-checkin.md
+++ b/ActivityTypes/password-checkin.md
@@ -24,13 +24,15 @@ The possible fields for this activity type will vary depending on whether the ac
password-checkin:success
------------------------
-There are no fields for this activity type.
-
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| local_user_name | | | |
password-checkin:fail
---------------------
-| Field | Core | Detection | Informational |
-| -------------- | ---- | --------- | ------------- |
-| failure_code | | ✓ | |
-| failure_reason | | ✓ | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| local_user_name | | | |
+| failure_reason | | ✓ | |
\ No newline at end of file
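Review bot: local_user_name has no tick in any column. The same unclassified row is added to password-checkout, password-copy, password-create, password-download, password-modify, password-read and password-use in this change, so decide the classification once (Detection is the natural choice for a user identity on a privileged-credential operation) and apply it to all of them.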
diff --git a/ActivityTypes/password-checkout.md b/ActivityTypes/password-checkout.md
index 5334943..5a24aeb 100644
--- a/ActivityTypes/password-checkout.md
+++ b/ActivityTypes/password-checkout.md
@@ -24,13 +24,19 @@ The possible fields for this activity type will vary depending on whether the ac
password-checkout:success
-------------------------
-There are no fields for this activity type.
-
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| local_user_name | | | |
+| src_host | | ✓ | |
+| safe_value | | ✓ | |
password-checkout:fail
----------------------
-| Field | Core | Detection | Informational |
-| -------------- | ---- | --------- | ------------- |
-| failure_code | | ✓ | |
-| failure_reason | | ✓ | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| local_user_name | | | |
+| failure_reason | | ✓ | |
+| src_host | | ✓ | |
+| safe_value | | ✓ | |
\ No newline at end of file
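Review bot: safe_value is classified as Detection on password-checkout; if this field can hold the checked-out credential itself rather than the name of the safe, it must not be propagated into detection content unmasked. Clarify in the Description what safe_value contains. The fail table also places local_user_name between failure_code and failure_reason; append it after the pair instead.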
diff --git a/ActivityTypes/password-copy.md b/ActivityTypes/password-copy.md
index 5a4607d..59c92c4 100644
--- a/ActivityTypes/password-copy.md
+++ b/ActivityTypes/password-copy.md
@@ -24,15 +24,17 @@ The possible fields for this activity type will vary depending on whether the ac
password-copy:success
---------------------
-| Field | Core | Detection | Informational |
-| ------------ | ---- | --------- | ------------- |
-| src_password | | | ✓ |
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| local_user_name | | | |
+| src_password | | | ✓ |
password-copy:fail
------------------
-| Field | Core | Detection | Informational |
-| -------------- | ---- | --------- | ------------- |
-| failure_code | | ✓ | |
-| failure_reason | | ✓ | |
-| src_password | | | ✓ |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| local_user_name | | | |
+| failure_reason | | ✓ | |
+| src_password | | | ✓ |
\ No newline at end of file
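Review bot: src_password is carried as Informational on both success and fail; as with safe_value in password-checkout.md, confirm it holds an identifier for the source password object and not the secret value itself, and say so in the Description. local_user_name again has no classification.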
diff --git a/ActivityTypes/password-create.md b/ActivityTypes/password-create.md
index 74cadec..b2e90fb 100644
--- a/ActivityTypes/password-create.md
+++ b/ActivityTypes/password-create.md
@@ -24,13 +24,15 @@ The possible fields for this activity type will vary depending on whether the ac
password-create:success
-----------------------
-There are no fields for this activity type.
-
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| local_user_name | | | |
password-create:fail
--------------------
-| Field | Core | Detection | Informational |
-| -------------- | ---- | --------- | ------------- |
-| failure_code | | ✓ | |
-| failure_reason | | ✓ | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| local_user_name | | | |
+| failure_reason | | ✓ | |
\ No newline at end of file
diff --git a/ActivityTypes/password-download.md b/ActivityTypes/password-download.md
index 8911a44..1e92176 100644
--- a/ActivityTypes/password-download.md
+++ b/ActivityTypes/password-download.md
@@ -24,13 +24,15 @@ The possible fields for this activity type will vary depending on whether the ac
password-download:success
-------------------------
-There are no fields for this activity type.
-
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| local_user_name | | | |
password-download:fail
----------------------
-| Field | Core | Detection | Informational |
-| -------------- | ---- | --------- | ------------- |
-| failure_code | | ✓ | |
-| failure_reason | | ✓ | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| local_user_name | | | |
+| failure_reason | | ✓ | |
\ No newline at end of file
diff --git a/ActivityTypes/password-modify.md b/ActivityTypes/password-modify.md
index 1fa2e99..5d84e57 100644
--- a/ActivityTypes/password-modify.md
+++ b/ActivityTypes/password-modify.md
@@ -24,13 +24,15 @@ The possible fields for this activity type will vary depending on whether the ac
password-modify:success
-----------------------
-There are no fields for this activity type.
-
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| local_user_name | | | |
password-modify:fail
--------------------
-| Field | Core | Detection | Informational |
-| -------------- | ---- | --------- | ------------- |
-| failure_code | | ✓ | |
-| failure_reason | | ✓ | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| local_user_name | | | |
+| failure_reason | | ✓ | |
\ No newline at end of file
diff --git a/ActivityTypes/password-read.md b/ActivityTypes/password-read.md
index d1d7ae4..48b284d 100644
--- a/ActivityTypes/password-read.md
+++ b/ActivityTypes/password-read.md
@@ -24,13 +24,15 @@ The possible fields for this activity type will vary depending on whether the ac
password-read:success
---------------------
-There are no fields for this activity type.
-
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| local_user_name | | | |
password-read:fail
------------------
-| Field | Core | Detection | Informational |
-| -------------- | ---- | --------- | ------------- |
-| failure_code | | ✓ | |
-| failure_reason | | ✓ | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| local_user_name | | | |
+| failure_reason | | ✓ | |
\ No newline at end of file
diff --git a/ActivityTypes/password-use.md b/ActivityTypes/password-use.md
index 1b8f2f6..8e87eef 100644
--- a/ActivityTypes/password-use.md
+++ b/ActivityTypes/password-use.md
@@ -24,13 +24,15 @@ The possible fields for this activity type will vary depending on whether the ac
password-use:success
--------------------
-There are no fields for this activity type.
-
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| local_user_name | | | |
password-use:fail
-----------------
-| Field | Core | Detection | Informational |
-| -------------- | ---- | --------- | ------------- |
-| failure_code | | ✓ | |
-| failure_reason | | ✓ | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| local_user_name | | | |
+| failure_reason | | ✓ | |
\ No newline at end of file
diff --git a/ActivityTypes/peripheral_storage-activity.md b/ActivityTypes/peripheral_storage-activity.md
index e680b77..6511eca 100644
--- a/ActivityTypes/peripheral_storage-activity.md
+++ b/ActivityTypes/peripheral_storage-activity.md
@@ -32,6 +32,7 @@ peripheral_storage-activity:success
| Field | Core | Detection | Informational |
| --------- | -------- | --------- | ------------- |
| operation | ✓ | ✓ | |
+| cid | | | ✓ |
peripheral_storage-activity:fail
--------------------------------
@@ -40,4 +41,5 @@ peripheral_storage-activity:fail
| -------------- | -------- | --------- | ------------- |
| failure_code | | ✓ | |
| failure_reason | | ✓ | |
-| operation | ✓ | ✓ | |
\ No newline at end of file
+| operation | ✓ | ✓ | |
+| cid | | | ✓ |
\ No newline at end of file
diff --git a/ActivityTypes/physical_location-access.md b/ActivityTypes/physical_location-access.md
index b4014de..42cf93b 100644
--- a/ActivityTypes/physical_location-access.md
+++ b/ActivityTypes/physical_location-access.md
@@ -29,15 +29,17 @@ The possible fields for this activity type will vary depending on whether the ac
physical_location-access:success
--------------------------------
-| Field | Core | Detection | Informational |
-| ----- | -------- | --------- | ------------- |
-| user | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| --------------- | -------- | --------- | ------------- |
+| local_user_name | | | |
+| user | ✓ | ✓ | |
physical_location-access:fail
-----------------------------
-| Field | Core | Detection | Informational |
-| -------------- | -------- | --------- | ------------- |
-| failure_code | | ✓ | |
-| failure_reason | | ✓ | |
-| user | ✓ | ✓ | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| --------------- | -------- | --------- | ------------- |
+| failure_code | | ✓ | |
+| local_user_name | | | |
+| failure_reason | | ✓ | |
+| user | ✓ | ✓ | |
\ No newline at end of file
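Review bot: local_user_name is added with no column ticked, while user in the same table is Core and Detection; give local_user_name at least the Detection tick, or explain why a user identifier on a physical-access event is unclassified.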
diff --git a/ActivityTypes/printer-activity.md b/ActivityTypes/printer-activity.md
index 7f7d18c..b0fbd44 100644
--- a/ActivityTypes/printer-activity.md
+++ b/ActivityTypes/printer-activity.md
@@ -29,8 +29,13 @@ The possible fields for this activity type will vary depending on whether the ac
printer-activity:success
------------------------
-| Field | Core | Detection | Informational |
-| --------- | -------- | --------- | ------------- |
-| operation | ✓ | | |
+| Field | Core | Detection | Informational |
+| --------------- | -------- | --------- | ------------- |
+| bytes | | ✓ | |
+| num_pages | | ✓ | |
+| local_user_name | | | |
+| printer_name | | ✓ | |
+| operation | ✓ | | |
+| user | | ✓ | |
A failure activity is not currently supported for this activity-type.
\ No newline at end of file
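Review bot: local_user_name is the only new row without a classification (bytes, num_pages, printer_name and user are all Detection); tick a column for it. Also, the new rows are inserted around the existing operation row rather than after it, which makes the diff harder to read than a simple append.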
diff --git a/ActivityTypes/process-create.md b/ActivityTypes/process-create.md
index 6d82b18..f29e84b 100644
--- a/ActivityTypes/process-create.md
+++ b/ActivityTypes/process-create.md
@@ -34,8 +34,17 @@ process-create:success
| parent_process_id | | ✓ | |
| parent_process_command_line | | ✓ | |
| parent_process_name | | ✓ | |
+| domain_user_name | | | |
| parent_process_dir | | ✓ | |
+| hash_sha256 | | ✓ | |
+| process_guid | | ✓ | |
+| domain | | ✓ | |
+| process_integrity | | ✓ | |
+| dest_host | | ✓ | |
+| parent_process_guid | | ✓ | |
| parent_process_path | | ✓ | |
+| user | | ✓ | |
+| cid | | | ✓ |
process-create:fail
-------------------
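Review bot: domain_user_name is added with no classification ticked, and the new rows (hash_sha256, process_guid, domain, process_integrity, dest_host, parent_process_guid) are scattered between the existing parent_process_* rows, breaking that grouping; append the new rows after parent_process_path and keep parent_process_guid next to the other parent_process_* fields.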
@@ -46,6 +55,15 @@ process-create:fail
| failure_code | | ✓ | |
| parent_process_command_line | | ✓ | |
| parent_process_name | | ✓ | |
+| domain_user_name | | | |
| failure_reason | | ✓ | |
| parent_process_dir | | ✓ | |
-| parent_process_path | | ✓ | |
\ No newline at end of file
+| hash_sha256 | | ✓ | |
+| process_guid | | ✓ | |
+| domain | | ✓ | |
+| process_integrity | | ✓ | |
+| dest_host | | ✓ | |
+| parent_process_guid | | ✓ | |
+| parent_process_path | | ✓ | |
+| user | | ✓ | |
+| cid | | | ✓ |
\ No newline at end of file
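Review bot: the fail table repeats the unclassified domain_user_name row and the same interleaving of new rows among the parent_process_* fields; apply the same classification and ordering as the success table.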
diff --git a/ActivityTypes/process-memory-protect.md b/ActivityTypes/process-memory-protect.md
new file mode 100644
index 0000000..739420b
--- /dev/null
+++ b/ActivityTypes/process-memory-protect.md
@@ -0,0 +1,42 @@
+process-memory-protect
+======================
+
+Description
+-----------
+Virtual memory was protected
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | ---------------------- |
+| Subject | process |
+| Activity | memory-protect |
+| Activity Type | process-memory-protect |
+| Pretty Name | Process Memory Protect |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#process-memory-protectsuccess) or a [fail](#process-memory-protectfail).
+
+
+process-memory-protect:success
+------------------------------
+
+| Field | Core | Detection | Informational |
+| ----------------- | ---- | --------- | ------------- |
+| memory_address | | | ✓ |
+| memory_size | | | ✓ |
+| memory_protection | | | ✓ |
+
+process-memory-protect:fail
+---------------------------
+
+| Field | Core | Detection | Informational |
+| ----------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| memory_address | | | ✓ |
+| failure_reason | | ✓ | |
+| memory_size | | | ✓ |
+| memory_protection | | | ✓ |
\ No newline at end of file
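Review bot: memory_address, memory_size and memory_protection are all Informational only; a change to a region's protection (in particular a region becoming executable) is a primary signal for in-memory code injection detection, so memory_protection at least should be Detection. The Description "Virtual memory was protected" is also vague about what the event records; "The protection of a virtual memory region in a process was changed" describes it.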
diff --git "a/ActivityTypes/radius-session\t.md" "b/ActivityTypes/radius-session\t.md"
deleted file mode 100644
index 44ec631..0000000
--- "a/ActivityTypes/radius-session\t.md"
+++ /dev/null
@@ -1,27 +0,0 @@
-radius-session
-===============
-
-Description
------------
-A summary of a complete RADIUS network session
-
-The possible fields for this activity type will vary depending on whether the activity was a [success](#radius-session success) or a [fail](#radius-session fail).
-
-| Parameter | Value |
-| ------------- | --------------- |
-| Subject | radius |
-| Activity | session |
-| Activity Type | radius-session |
-| Pretty Name | Radius Session |
-| Legacy Name | |
-
-radius-session :success
------------------------
-
-There are no fields for this activity type.
-
-
-radius-session :fail
---------------------
-
-There are no fields for this activity type.
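Review bot: good removal of the stray "radius-session\t.md" file (a tab in the filename), which duplicated radius-session.md with broken anchors ("#radius-session success"); confirm that ActivityType_Interface.md and any other index no longer link to the tab-named file.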
diff --git a/ActivityTypes/radius-session.md b/ActivityTypes/radius-session.md
index d58a109..e7e0717 100644
--- a/ActivityTypes/radius-session.md
+++ b/ActivityTypes/radius-session.md
@@ -7,30 +7,24 @@ A summary of a complete RADIUS network session
Parameters
----------
-| Parameter | Value |
-| ------------- | --------------- |
-| Subject | radius |
-| Activity | session |
-| Activity Type | radius-session |
-| Pretty Name | Radius Session |
+| Parameter | Value |
+| ------------- | -------------- |
+| Subject | radius |
+| Activity | session |
+| Activity Type | radius-session |
+| Pretty Name | Radius Session |
Fields
------
-The possible fields for this activity type will vary depending on whether the activity was a [success](#radius-session success) or a [fail](#radius-session fail).
+The possible fields for this activity type will vary depending on whether the activity was a [success](#radius-sessionsuccess) or a [fail](#radius-sessionfail).
-radius-session :success
------------------------
+radius-session:success
+----------------------
There are no fields for this activity type.
-radius-session :fail
---------------------
-
-| Field | Core | Detection | Informational |
-| -------------- | ---- | --------- | ------------- |
-| failure_code | | ✓ | |
-| failure_reason | | ✓ | |
\ No newline at end of file
+A failure activity is not currently supported for this activity-type.
\ No newline at end of file
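Review bot: beyond the anchor and heading fix ("radius-session :success" to "radius-session:success"), this hunk drops the failure_code/failure_reason table and declares a failure activity unsupported, which is a semantic change rather than cleanup; state in the commit message why a RADIUS session summary cannot fail, or keep the fail table.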
diff --git a/ActivityTypes/registry-modify.md b/ActivityTypes/registry-modify.md
index 903e4c2..6dc9ac1 100644
--- a/ActivityTypes/registry-modify.md
+++ b/ActivityTypes/registry-modify.md
@@ -29,8 +29,9 @@ The possible fields for this activity type will vary depending on whether the ac
registry-modify:success
-----------------------
-There are no fields for this activity type.
-
+| Field | Core | Detection | Informational |
+| ----- | ---- | --------- | ------------- |
+| cid | | | ✓ |
registry-modify:fail
--------------------
@@ -38,4 +39,5 @@ registry-modify:fail
| Field | Core | Detection | Informational |
| -------------- | ---- | --------- | ------------- |
| failure_code | | ✓ | |
-| failure_reason | | ✓ | |
\ No newline at end of file
+| failure_reason | | ✓ | |
+| cid | | | ✓ |
\ No newline at end of file
diff --git a/ActivityTypes/registry-read.md b/ActivityTypes/registry-read.md
new file mode 100644
index 0000000..1d86c06
--- /dev/null
+++ b/ActivityTypes/registry-read.md
@@ -0,0 +1,36 @@
+registry-read
+=============
+
+Description
+-----------
+A registry key or value were read
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | ------------- |
+| Subject | registry |
+| Activity | read |
+| Activity Type | registry-read |
+| Pretty Name | Registry Read |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#registry-readsuccess) or a [fail](#registry-readfail).
+
+
+registry-read:success
+---------------------
+
+There are no fields for this activity type.
+
+
+registry-read:fail
+------------------
+
+| Field | Core | Detection | Informational |
+| -------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| failure_reason | | ✓ | |
\ No newline at end of file
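Review bot: the description `A registry key or value were read` should be `A registry key or value was read`. The new file is also committed without a trailing newline, as are most new files in this patch; add one so later edits do not produce the `\ No newline` churn visible in the modified files above.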
diff --git a/ActivityTypes/report-delete.md b/ActivityTypes/report-delete.md
new file mode 100644
index 0000000..2288ed6
--- /dev/null
+++ b/ActivityTypes/report-delete.md
@@ -0,0 +1,36 @@
+report-delete
+=============
+
+Description
+-----------
+A report was deleted on an app
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | ------------- |
+| Subject | report |
+| Activity | delete |
+| Activity Type | report-delete |
+| Pretty Name | Report Delete |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#report-deletesuccess) or a [fail](#report-deletefail).
+
+
+report-delete:success
+---------------------
+
+There are no fields for this activity type.
+
+
+report-delete:fail
+------------------
+
+| Field | Core | Detection | Informational |
+| -------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| failure_reason | | ✓ | |
\ No newline at end of file
diff --git a/ActivityTypes/report-execute.md b/ActivityTypes/report-execute.md
new file mode 100644
index 0000000..b2a31b3
--- /dev/null
+++ b/ActivityTypes/report-execute.md
@@ -0,0 +1,33 @@
+report-execute
+==============
+
+Description
+-----------
+A report was Execute on an app
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | -------------- |
+| Subject | report |
+| Activity | execute |
+| Activity Type | report-execute |
+| Pretty Name | Report Execute |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#report-executesuccess) or a [fail](#report-executefail).
+
+
+report-execute:success
+----------------------
+
+There are no fields for this activity type.
+
+
+report-execute:fail
+-------------------
+
+There are no fields for this activity type.
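Review bot: `A report was Execute on an app` should read `A report was executed on an app`. The fail section also says there are no fields, while every other new activity type in this patch (report-delete, rule-disable, rule-enable, rule-modify) lists `failure_code` and `failure_reason`; either add them or state why a failed execution carries no reason.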
diff --git a/ActivityTypes/incident-create.md b/ActivityTypes/repository-pull.md
similarity index 59%
rename from ActivityTypes/incident-create.md
rename to ActivityTypes/repository-pull.md
index 4ed47d1..8590b63 100644
--- a/ActivityTypes/incident-create.md
+++ b/ActivityTypes/repository-pull.md
@@ -1,33 +1,33 @@
-incident-create
+repository-pull
===============
Description
-----------
-A security incident was created on a security product
+A git repository was Pulled
Parameters
----------
| Parameter | Value |
| ------------- | --------------- |
-| Subject | incident |
-| Activity | create |
-| Activity Type | incident-create |
-| Pretty Name | Incident Create |
+| Subject | repository |
+| Activity | pull |
+| Activity Type | repository-pull |
+| Pretty Name | Repository Pull |
Fields
------
-The possible fields for this activity type will vary depending on whether the activity was a [success](#incident-createsuccess) or a [fail](#incident-createfail).
+The possible fields for this activity type will vary depending on whether the activity was a [success](#repository-pullsuccess) or a [fail](#repository-pullfail).
-incident-create:success
+repository-pull:success
-----------------------
There are no fields for this activity type.
-incident-create:fail
+repository-pull:fail
--------------------
| Field | Core | Detection | Informational |
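Review bot: this is recorded as a 59% rename of `incident-create.md`, so the net effect is that the `incident-create` activity type disappears from the model with no deprecation note; if the incident types are meant to be retired, say so in the commit or leave a stub pointing at the replacement, otherwise add `repository-pull.md` as a new file so the history of both stays readable. In the description, `Pulled` should be lower-case, and `A git repository was pulled from` describes the activity more precisely since the repository is the source.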
diff --git a/ActivityTypes/incident-delete.md b/ActivityTypes/repository-push.md
similarity index 59%
rename from ActivityTypes/incident-delete.md
rename to ActivityTypes/repository-push.md
index 166a99c..559b0f9 100644
--- a/ActivityTypes/incident-delete.md
+++ b/ActivityTypes/repository-push.md
@@ -1,33 +1,33 @@
-incident-delete
+repository-push
===============
Description
-----------
-A security incident was deleted on a security product
+A git repository was Pushed
Parameters
----------
| Parameter | Value |
| ------------- | --------------- |
-| Subject | incident |
-| Activity | delete |
-| Activity Type | incident-delete |
-| Pretty Name | Incident Delete |
+| Subject | repository |
+| Activity | push |
+| Activity Type | repository-push |
+| Pretty Name | Repository Push |
Fields
------
-The possible fields for this activity type will vary depending on whether the activity was a [success](#incident-deletesuccess) or a [fail](#incident-deletefail).
+The possible fields for this activity type will vary depending on whether the activity was a [success](#repository-pushsuccess) or a [fail](#repository-pushfail).
-incident-delete:success
+repository-push:success
-----------------------
There are no fields for this activity type.
-incident-delete:fail
+repository-push:fail
--------------------
| Field | Core | Detection | Informational |
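Review bot: same concern as repository-pull: `incident-delete` is removed rather than renamed, and any producer still emitting it loses its definition. In the description, `Pushed` should be lower-case, and `A git repository was pushed to` is the accurate phrasing.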
diff --git a/ActivityTypes/incident-modify.md b/ActivityTypes/repository-read.md
similarity index 57%
rename from ActivityTypes/incident-modify.md
rename to ActivityTypes/repository-read.md
index 9775c36..8232aef 100644
--- a/ActivityTypes/incident-modify.md
+++ b/ActivityTypes/repository-read.md
@@ -1,33 +1,33 @@
-incident-modify
+repository-read
===============
Description
-----------
-The properties or content of a security incident were changed on a security product
+A git repository read
Parameters
----------
| Parameter | Value |
| ------------- | --------------- |
-| Subject | incident |
-| Activity | modify |
-| Activity Type | incident-modify |
-| Pretty Name | Incident Modify |
+| Subject | repository |
+| Activity | read |
+| Activity Type | repository-read |
+| Pretty Name | Repository Read |
Fields
------
-The possible fields for this activity type will vary depending on whether the activity was a [success](#incident-modifysuccess) or a [fail](#incident-modifyfail).
+The possible fields for this activity type will vary depending on whether the activity was a [success](#repository-readsuccess) or a [fail](#repository-readfail).
-incident-modify:success
+repository-read:success
-----------------------
There are no fields for this activity type.
-incident-modify:fail
+repository-read:fail
--------------------
| Field | Core | Detection | Informational |
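Review bot: the description `A git repository read` has no verb; use `A git repository was read`. As with the other two repository files, the rename silently drops `incident-modify`.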
diff --git a/ActivityTypes/rule-disable.md b/ActivityTypes/rule-disable.md
new file mode 100644
index 0000000..0149c2f
--- /dev/null
+++ b/ActivityTypes/rule-disable.md
@@ -0,0 +1,36 @@
+rule-disable
+============
+
+Description
+-----------
+A security rule was disabled on a security product or program
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | ------------ |
+| Subject | rule |
+| Activity | disable |
+| Activity Type | rule-disable |
+| Pretty Name | Rule Disable |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#rule-disablesuccess) or a [fail](#rule-disablefail).
+
+
+rule-disable:success
+--------------------
+
+There are no fields for this activity type.
+
+
+rule-disable:fail
+-----------------
+
+| Field | Core | Detection | Informational |
+| -------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| failure_reason | | ✓ | |
\ No newline at end of file
diff --git a/ActivityTypes/rule-enable.md b/ActivityTypes/rule-enable.md
new file mode 100644
index 0000000..bc81b5e
--- /dev/null
+++ b/ActivityTypes/rule-enable.md
@@ -0,0 +1,36 @@
+rule-enable
+===========
+
+Description
+-----------
+A security rule was enabled on a security product or program
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | ----------- |
+| Subject | rule |
+| Activity | enable |
+| Activity Type | rule-enable |
+| Pretty Name | Rule Enable |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#rule-enablesuccess) or a [fail](#rule-enablefail).
+
+
+rule-enable:success
+-------------------
+
+There are no fields for this activity type.
+
+
+rule-enable:fail
+----------------
+
+| Field | Core | Detection | Informational |
+| -------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| failure_reason | | ✓ | |
\ No newline at end of file
diff --git a/ActivityTypes/rule-modify.md b/ActivityTypes/rule-modify.md
new file mode 100644
index 0000000..3cfb189
--- /dev/null
+++ b/ActivityTypes/rule-modify.md
@@ -0,0 +1,36 @@
+rule-modify
+===========
+
+Description
+-----------
+
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | ----------- |
+| Subject | rule |
+| Activity | modify |
+| Activity Type | rule-modify |
+| Pretty Name | Rule Modify |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#rule-modifysuccess) or a [fail](#rule-modifyfail).
+
+
+rule-modify:success
+-------------------
+
+There are no fields for this activity type.
+
+
+rule-modify:fail
+----------------
+
+| Field | Core | Detection | Informational |
+| -------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| failure_reason | | ✓ | |
\ No newline at end of file
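Review bot: the Description section is empty; every other new activity type in this patch carries a one-line description (compare rule-disable and rule-enable). `The properties or content of a security rule were changed on a security product or program`, matching the wording incident-modify used before its rename, would keep the house style.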
diff --git a/ActivityTypes/rule-trigger-beta.md b/ActivityTypes/rule-trigger-beta.md
new file mode 100644
index 0000000..45ceb23
--- /dev/null
+++ b/ActivityTypes/rule-trigger-beta.md
@@ -0,0 +1,75 @@
+rule-trigger-beta
+=================
+
+Description
+-----------
+A trigger of a security rule was recorded on a security product or program
+
+Parameters
+----------
+| Parameter | Value |
+| ------------- | ----------------- |
+| Subject | rule |
+| Activity | trigger-beta |
+| Activity Type | rule-trigger-beta |
+| Pretty Name | Rule Trigger Beta |
+
+
+Fields
+------
+
+The possible fields for this activity type will vary depending on whether the activity was a [success](#rule-trigger-betasuccess) or a [fail](#rule-trigger-betafail).
+
+
+rule-trigger-beta:success
+-------------------------
+
+| Field | Core | Detection | Informational |
+| ---------------------- | ---- | --------- | ------------- |
+| observed_activity | | | ✓ |
+| rarity_raw_score | | | ✓ |
+| event_field | | | ✓ |
+| local_user_name | | | |
+| rarity_percentile | | | ✓ |
+| rule | | | ✓ |
+| technique | | | ✓ |
+| rules | | | ✓ |
+| rule_usecases | | | ✓ |
+| type | | | ✓ |
+| tactic | | | ✓ |
+| src_ip | | ✓ | |
+| subscription_code | | | ✓ |
+| src_product | | | ✓ |
+| trigger_time | | | ✓ |
+| field_value | | | ✓ |
+| src_vendor | | | ✓ |
+| event_filter | | | ✓ |
+| create_case | | | ✓ |
+| rule_severity | | | ✓ |
+| rule_source | | | ✓ |
+| entity_key | | | ✓ |
+| recoverability | | | ✓ |
+| risk_score | | | ✓ |
+| business_criticality | | | ✓ |
+| previous_id | | | ✓ |
+| event_to_time_millis | | | ✓ |
+| src_host | | ✓ | |
+| case_description | | | ✓ |
+| log_time | | | ✓ |
+| event_url | | | ✓ |
+| tactic_key | | | ✓ |
+| technique_key | | | ✓ |
+| event_id | | | ✓ |
+| entity_type | | | ✓ |
+| rule_reason | | | ✓ |
+| entities | | | ✓ |
+| dest_ip | | ✓ | |
+| event_from_time_millis | | | ✓ |
+| dest_host | | ✓ | |
+| mitre_labels | | | ✓ |
+| asset_labels | | | ✓ |
+| user | | ✓ | |
+| rarity_score | | | ✓ |
+| event_time | | | ✓ |
+
+A failure activity is not currently supported for this activity-type.
\ No newline at end of file
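Review bot: `trigger-beta` bakes a lifecycle marker into the Activity value and the activity-type identifier, so every consumer has to migrate to `rule-trigger` once it stabilises, and until then the two can drift apart. The success table here is identical row for row to the one added to rule-trigger.md in this same patch, so it is not clear what is beta about it; document the difference or drop this file. `local_user_name` has no tier ticked, which leaves its requirement level undefined, and the intro sentence links to `#rule-trigger-betafail`, which does not exist.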
diff --git a/ActivityTypes/rule-trigger.md b/ActivityTypes/rule-trigger.md
index 0ba8d4d..03feed6 100644
--- a/ActivityTypes/rule-trigger.md
+++ b/ActivityTypes/rule-trigger.md
@@ -24,13 +24,103 @@ The possible fields for this activity type will vary depending on whether the ac
rule-trigger:success
--------------------
-There are no fields for this activity type.
-
+| Field | Core | Detection | Informational |
+| ---------------------- | ---- | --------- | ------------- |
+| observed_activity | | | ✓ |
+| rarity_raw_score | | | ✓ |
+| event_field | | | ✓ |
+| local_user_name | | | |
+| rarity_percentile | | | ✓ |
+| rule | | | ✓ |
+| technique | | | ✓ |
+| rules | | | ✓ |
+| rule_usecases | | | ✓ |
+| type | | | ✓ |
+| tactic | | | ✓ |
+| src_ip | | ✓ | |
+| subscription_code | | | ✓ |
+| src_product | | | ✓ |
+| trigger_time | | | ✓ |
+| field_value | | | ✓ |
+| src_vendor | | | ✓ |
+| event_filter | | | ✓ |
+| create_case | | | ✓ |
+| rule_severity | | | ✓ |
+| rule_source | | | ✓ |
+| entity_key | | | ✓ |
+| recoverability | | | ✓ |
+| risk_score | | | ✓ |
+| business_criticality | | | ✓ |
+| previous_id | | | ✓ |
+| event_to_time_millis | | | ✓ |
+| src_host | | ✓ | |
+| case_description | | | ✓ |
+| log_time | | | ✓ |
+| event_url | | | ✓ |
+| tactic_key | | | ✓ |
+| technique_key | | | ✓ |
+| event_id | | | ✓ |
+| entity_type | | | ✓ |
+| rule_reason | | | ✓ |
+| entities | | | ✓ |
+| dest_ip | | ✓ | |
+| event_from_time_millis | | | ✓ |
+| dest_host | | ✓ | |
+| mitre_labels | | | ✓ |
+| asset_labels | | | ✓ |
+| user | | ✓ | |
+| rarity_score | | | ✓ |
+| event_time | | | ✓ |
rule-trigger:fail
-----------------
-| Field | Core | Detection | Informational |
-| -------------- | ---- | --------- | ------------- |
-| failure_code | | ✓ | |
-| failure_reason | | ✓ | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| ---------------------- | ---- | --------- | ------------- |
+| observed_activity | | | ✓ |
+| rarity_raw_score | | | ✓ |
+| event_field | | | ✓ |
+| local_user_name | | | |
+| rarity_percentile | | | ✓ |
+| rule | | | ✓ |
+| technique | | | ✓ |
+| rules | | | ✓ |
+| rule_usecases | | | ✓ |
+| type | | | ✓ |
+| tactic | | | ✓ |
+| src_ip | | ✓ | |
+| subscription_code | | | ✓ |
+| src_product | | | ✓ |
+| trigger_time | | | ✓ |
+| field_value | | | ✓ |
+| src_vendor | | | ✓ |
+| event_filter | | | ✓ |
+| create_case | | | ✓ |
+| rule_severity | | | ✓ |
+| rule_source | | | ✓ |
+| failure_code | | ✓ | |
+| entity_key | | | ✓ |
+| recoverability | | | ✓ |
+| risk_score | | | ✓ |
+| business_criticality | | | ✓ |
+| previous_id | | | ✓ |
+| event_to_time_millis | | | ✓ |
+| src_host | | ✓ | |
+| failure_reason | | ✓ | |
+| case_description | | | ✓ |
+| log_time | | | ✓ |
+| event_url | | | ✓ |
+| tactic_key | | | ✓ |
+| technique_key | | | ✓ |
+| event_id | | | ✓ |
+| entity_type | | | ✓ |
+| rule_reason | | | ✓ |
+| entities | | | ✓ |
+| dest_ip | | ✓ | |
+| event_from_time_millis | | | ✓ |
+| dest_host | | ✓ | |
+| mitre_labels | | | ✓ |
+| asset_labels | | | ✓ |
+| user | | ✓ | |
+| rarity_score | | | ✓ |
+| event_time | | | ✓ |
\ No newline at end of file
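Review bot: `local_user_name` has no Core, Detection or Informational tick in either table, so producers cannot tell whether it is required. The fail table repeats all 45 success rows with `failure_code` and `failure_reason` dropped in at arbitrary positions (between `rule_source`/`entity_key` and between `src_host`/`case_description`); put the two failure fields first, as the other files in this patch do, so the difference between the two outcomes is readable at a glance. It would also help to say what a failed rule trigger means, given that rule-trigger-beta declares failure unsupported.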
diff --git a/ActivityTypes/scheduled_task-create.md b/ActivityTypes/scheduled_task-create.md
index 86e80a6..7447f04 100644
--- a/ActivityTypes/scheduled_task-create.md
+++ b/ActivityTypes/scheduled_task-create.md
@@ -29,13 +29,23 @@ The possible fields for this activity type will vary depending on whether the ac
scheduled_task-create:success
-----------------------------
-There are no fields for this activity type.
-
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| process_name | | ✓ | |
+| local_user_name | | | |
+| process_path | | ✓ | |
+| user | | ✓ | |
+| cid | | | ✓ |
scheduled_task-create:fail
--------------------------
-| Field | Core | Detection | Informational |
-| -------------- | ---- | --------- | ------------- |
-| failure_code | | ✓ | |
-| failure_reason | | ✓ | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| process_name | | ✓ | |
+| local_user_name | | | |
+| failure_reason | | ✓ | |
+| process_path | | ✓ | |
+| user | | ✓ | |
+| cid | | | ✓ |
\ No newline at end of file
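Review bot: `local_user_name` is listed with no tier ticked in both tables, unlike `user` beside it; if it is an alias of `user` it should at least be Informational, otherwise drop it. Note also that `process_name` and `process_path` describe the process that created the task; the task's own action is what a persistence detection keys on, and nothing in the table captures it.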
diff --git a/ActivityTypes/scheduled_task-modify.md b/ActivityTypes/scheduled_task-modify.md
index 18b374b..a90ad23 100644
--- a/ActivityTypes/scheduled_task-modify.md
+++ b/ActivityTypes/scheduled_task-modify.md
@@ -24,8 +24,9 @@ The possible fields for this activity type will vary depending on whether the ac
scheduled_task-modify:success
-----------------------------
-There are no fields for this activity type.
-
+| Field | Core | Detection | Informational |
+| ----- | ---- | --------- | ------------- |
+| cid | | | ✓ |
scheduled_task-modify:fail
--------------------------
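Review bot: a modified scheduled task now records only `cid`, while scheduled_task-create in this patch records `process_name`, `process_path`, `user` and `local_user_name`; modifying an existing task is at least as interesting for persistence detection as creating one, so the same process and user fields should apply here.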
@@ -33,4 +34,5 @@ scheduled_task-modify:fail
| Field | Core | Detection | Informational |
| -------------- | ---- | --------- | ------------- |
| failure_code | | ✓ | |
-| failure_reason | | ✓ | |
\ No newline at end of file
+| failure_reason | | ✓ | |
+| cid | | | ✓ |
\ No newline at end of file
diff --git a/ActivityTypes/script-execute.md b/ActivityTypes/script-execute.md
index e22e59f..0b8c065 100644
--- a/ActivityTypes/script-execute.md
+++ b/ActivityTypes/script-execute.md
@@ -24,13 +24,21 @@ The possible fields for this activity type will vary depending on whether the ac
script-execute:success
----------------------
-There are no fields for this activity type.
-
+| Field | Core | Detection | Informational |
+| ------------------ | ---- | --------- | ------------- |
+| scriptblock_text | | | ✓ |
+| command_invocation | | ✓ | |
+| local_user_name | | | |
+| user | | ✓ | |
script-execute:fail
-------------------
-| Field | Core | Detection | Informational |
-| -------------- | ---- | --------- | ------------- |
-| failure_code | | ✓ | |
-| failure_reason | | ✓ | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| ------------------ | ---- | --------- | ------------- |
+| scriptblock_text | | | ✓ |
+| command_invocation | | ✓ | |
+| failure_code | | ✓ | |
+| local_user_name | | | |
+| failure_reason | | ✓ | |
+| user | | ✓ | |
\ No newline at end of file
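Review bot: `scriptblock_text` is ticked Informational only while `command_invocation` is Detection; the script block content is the part of PowerShell script-block logging that detection rules actually match on (encoded commands, download cradles), so Informational understates it. `local_user_name` has no tier ticked.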
diff --git a/ActivityTypes/service-create.md b/ActivityTypes/service-create.md
index fc3f78f..52a240b 100644
--- a/ActivityTypes/service-create.md
+++ b/ActivityTypes/service-create.md
@@ -29,7 +29,11 @@ The possible fields for this activity type will vary depending on whether the ac
service-create:success
----------------------
-There are no fields for this activity type.
-
+| Field | Core | Detection | Informational |
+| -------------------- | ---- | --------- | ------------- |
+| local_user_name | | | |
+| process_path | | ✓ | |
+| process_command_line | | ✓ | |
+| user | | ✓ | |
A failure activity is not currently supported for this activity-type.
\ No newline at end of file
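Review bot: `local_user_name` has no tier ticked. `process_path` and `process_command_line` describe the process that created the service, and the file does not say whether the service's own binary is expected inside `process_command_line` or elsewhere; that binary is what a persistence detection keys on, so state where it lives.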
diff --git a/ActivityTypes/share-access.md b/ActivityTypes/share-access.md
index a00d64a..4b1ed39 100644
--- a/ActivityTypes/share-access.md
+++ b/ActivityTypes/share-access.md
@@ -29,13 +29,17 @@ The possible fields for this activity type will vary depending on whether the ac
share-access:success
--------------------
-There are no fields for this activity type.
-
+| Field | Core | Detection | Informational |
+| --------- | ---- | --------- | ------------- |
+| src_port | | ✓ | |
+| file_path | | ✓ | |
share-access:fail
-----------------
| Field | Core | Detection | Informational |
| -------------- | ---- | --------- | ------------- |
+| src_port | | ✓ | |
+| file_path | | ✓ | |
| failure_code | | ✓ | |
| failure_reason | | ✓ | |
\ No newline at end of file
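Review bot: `src_port` is ticked Detection, but an ephemeral client port carries no detection value on its own; `file_path` is the useful field and is already Detection. If the intent is to identify the client, `src_ip`/`src_host` as used elsewhere in this patch are the fields to add.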
diff --git a/ActivityTypes/share_link-open.md b/ActivityTypes/share_link-open.md
index 7dbafb1..d62cedd 100644
--- a/ActivityTypes/share_link-open.md
+++ b/ActivityTypes/share_link-open.md
@@ -24,17 +24,19 @@ The possible fields for this activity type will vary depending on whether the ac
share_link-open:success
-----------------------
-| Field | Core | Detection | Informational |
-| ------ | ---- | --------- | ------------- |
-| domain | | | ✓ |
-| user | | | ✓ |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| domain | | | ✓ |
+| domain_user_name | | | |
+| user | | | ✓ |
share_link-open:fail
--------------------
-| Field | Core | Detection | Informational |
-| -------------- | ---- | --------- | ------------- |
-| failure_code | | ✓ | |
-| domain | | | ✓ |
-| failure_reason | | ✓ | |
-| user | | | ✓ |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| domain | | | ✓ |
+| domain_user_name | | | |
+| failure_reason | | ✓ | |
+| user | | | ✓ |
\ No newline at end of file
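Review bot: `domain_user_name` is added with no tier ticked in either table, so it is unclear whether producers must populate it; the same untagged pattern recurs for `local_user_name` throughout this patch and should be settled once, presumably in CIM.json, rather than left blank per file.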
diff --git a/ActivityTypes/user-create.md b/ActivityTypes/user-create.md
index 6717241..abb372a 100644
--- a/ActivityTypes/user-create.md
+++ b/ActivityTypes/user-create.md
@@ -29,13 +29,19 @@ The possible fields for this activity type will vary depending on whether the ac
user-create:success
-------------------
-There are no fields for this activity type.
-
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| local_user_name | | | |
+| src_host | | ✓ | |
+| user | | ✓ | |
user-create:fail
----------------
-| Field | Core | Detection | Informational |
-| -------------- | ---- | --------- | ------------- |
-| failure_code | | ✓ | |
-| failure_reason | | ✓ | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| local_user_name | | | |
+| failure_reason | | ✓ | |
+| src_host | | ✓ | |
+| user | | ✓ | |
\ No newline at end of file
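Review bot: account-management events carry two identities, the actor and the account being created, and the table has a single `user` field plus `src_host`; which identity `user` holds is not stated. user-switch in this patch already distinguishes `user_type` from `dest_user_type`, so a target-account field here would follow an existing pattern. `local_user_name` has no tier ticked.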
diff --git a/ActivityTypes/user-delete.md b/ActivityTypes/user-delete.md
index 21f87de..dfec682 100644
--- a/ActivityTypes/user-delete.md
+++ b/ActivityTypes/user-delete.md
@@ -29,13 +29,17 @@ The possible fields for this activity type will vary depending on whether the ac
user-delete:success
-------------------
-There are no fields for this activity type.
-
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| local_user_name | | | |
+| user | | ✓ | |
user-delete:fail
----------------
-| Field | Core | Detection | Informational |
-| -------------- | ---- | --------- | ------------- |
-| failure_code | | ✓ | |
-| failure_reason | | ✓ | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| local_user_name | | | |
+| failure_reason | | ✓ | |
+| user | | ✓ | |
\ No newline at end of file
diff --git a/ActivityTypes/user-disable.md b/ActivityTypes/user-disable.md
index de2c36a..0f46dd2 100644
--- a/ActivityTypes/user-disable.md
+++ b/ActivityTypes/user-disable.md
@@ -16,9 +16,9 @@ Parameters
Legacy Names
------------
-| Success | Fail |
-| -------------------- | ---- |
-| account-disabled
| |
+| Success | Fail |
+| -------------------- | -------------------- |
+| account-disabled
| account-disabled
|
Fields
------
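Review bot: the legacy Fail name is set to `account-disabled`, the same string as Success, so an incoming legacy event named `account-disabled` cannot be mapped to a single outcome; compare vpn-authentication in this patch, where the fail name is the distinct `authentication-failed`. If no legacy fail name existed, leave the cell empty.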
@@ -32,4 +32,10 @@ user-disable:success
There are no fields for this activity type.
-A failure activity is not currently supported for this activity-type.
\ No newline at end of file
+user-disable:fail
+-----------------
+
+| Field | Core | Detection | Informational |
+| -------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| failure_reason | | ✓ | |
\ No newline at end of file
diff --git a/ActivityTypes/user-enable.md b/ActivityTypes/user-enable.md
index 011b95b..d484938 100644
--- a/ActivityTypes/user-enable.md
+++ b/ActivityTypes/user-enable.md
@@ -16,9 +16,9 @@ Parameters
Legacy Names
------------
-| Success | Fail |
-| ------------------- | ---- |
-| account-enabled
| |
+| Success | Fail |
+| ------------------- | ------------------- |
+| account-enabled
| account-enabled
|
Fields
------
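Review bot: as with user-disable, Success and Fail now share the legacy name `account-enabled`, which makes the mapping ambiguous; use a distinct fail name or leave the cell empty.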
@@ -32,4 +32,10 @@ user-enable:success
There are no fields for this activity type.
-A failure activity is not currently supported for this activity-type.
\ No newline at end of file
+user-enable:fail
+----------------
+
+| Field | Core | Detection | Informational |
+| -------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| failure_reason | | ✓ | |
\ No newline at end of file
diff --git a/ActivityTypes/user-lock.md b/ActivityTypes/user-lock.md
index 91d4af0..66e4ac4 100644
--- a/ActivityTypes/user-lock.md
+++ b/ActivityTypes/user-lock.md
@@ -29,13 +29,17 @@ The possible fields for this activity type will vary depending on whether the ac
user-lock:success
-----------------
-There are no fields for this activity type.
-
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| local_user_name | | | |
+| user | | ✓ | |
user-lock:fail
--------------
-| Field | Core | Detection | Informational |
-| -------------- | ---- | --------- | ------------- |
-| failure_code | | ✓ | |
-| failure_reason | | ✓ | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| local_user_name | | | |
+| failure_reason | | ✓ | |
+| user | | ✓ | |
\ No newline at end of file
diff --git a/ActivityTypes/user-password-modify.md b/ActivityTypes/user-password-modify.md
index 8cf2249..120b1fb 100644
--- a/ActivityTypes/user-password-modify.md
+++ b/ActivityTypes/user-password-modify.md
@@ -29,13 +29,17 @@ The possible fields for this activity type will vary depending on whether the ac
user-password-modify:success
----------------------------
-There are no fields for this activity type.
-
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| local_user_name | | | |
+| user | | ✓ | |
user-password-modify:fail
-------------------------
-| Field | Core | Detection | Informational |
-| -------------- | ---- | --------- | ------------- |
-| failure_code | | ✓ | |
-| failure_reason | | ✓ | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| failure_code | | ✓ | |
+| local_user_name | | | |
+| failure_reason | | ✓ | |
+| user | | ✓ | |
\ No newline at end of file
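Review bot: a password change by the account owner and a reset by an administrator are different events for detection, and the single `user` field does not say which account it holds (actor or target); state that in the description or add a target-account field, following the `user_type`/`dest_user_type` pattern in user-switch. `local_user_name` has no tier ticked.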
diff --git a/ActivityTypes/user-privilege-use.md b/ActivityTypes/user-privilege-use.md
index 841b4cd..dbc220c 100644
--- a/ActivityTypes/user-privilege-use.md
+++ b/ActivityTypes/user-privilege-use.md
@@ -3,7 +3,7 @@ user-privilege-use
Description
-----------
-A user called his privilege to access to an oject
+A user called his privilege to access to an object
Parameters
----------
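Review bot: the typo fix is welcome, but `A user called his privilege to access to an object` is still awkward; `A user exercised a privilege to access an object` says the same thing.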
@@ -29,8 +29,19 @@ The possible fields for this activity type will vary depending on whether the ac
user-privilege-use:success
--------------------------
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| privileges | | | |
+| process_name | | ✓ | |
+| local_user_name | | | |
+| process_dir | | ✓ | |
+| src_host | | ✓ | |
+| user | | ✓ | |
+
+user-privilege-use:fail
+-----------------------
+
| Field | Core | Detection | Informational |
| ---------- | ---- | --------- | ------------- |
| privileges | | | |
-
-A failure activity is not currently supported for this activity-type.
\ No newline at end of file
+| user | | ✓ | |
\ No newline at end of file
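Review bot: the new fail table lists only `privileges` and `user`, without the `failure_code`/`failure_reason` pair every other fail table in this patch carries. `privileges` has no tier ticked in either table, yet it is the field that makes this event useful (telling debug or backup privilege use apart from the routine kind); it should be Detection. The file still ends without a trailing newline.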
diff --git a/ActivityTypes/user-switch.md b/ActivityTypes/user-switch.md
index 5bd3c6f..ad3974f 100644
--- a/ActivityTypes/user-switch.md
+++ b/ActivityTypes/user-switch.md
@@ -29,17 +29,25 @@ The possible fields for this activity type will vary depending on whether the ac
user-switch:success
-------------------
-| Field | Core | Detection | Informational |
-| ------ | -------- | --------- | ------------- |
-| domain | | | ✓ |
-| user | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| dest_user_type | | ✓ | |
+| user_type | | ✓ | |
+| domain | | | ✓ |
+| domain_user_name | | | |
+| src_host | | ✓ | |
+| user | ✓ | ✓ | |
user-switch:fail
----------------
-| Field | Core | Detection | Informational |
-| -------------- | -------- | --------- | ------------- |
-| failure_code | | ✓ | |
-| domain | | | ✓ |
-| failure_reason | | ✓ | |
-| user | ✓ | ✓ | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| dest_user_type | | ✓ | |
+| failure_code | | ✓ | |
+| user_type | | ✓ | |
+| domain | | | ✓ |
+| domain_user_name | | | |
+| failure_reason | | ✓ | |
+| src_host | | ✓ | |
+| user | ✓ | ✓ | |
\ No newline at end of file
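Review bot: the table gains `dest_user_type` but no destination-user field, so a switch records the type of the account switched to but not which account it was; `user` alone cannot carry both ends. `domain_user_name` is added with no tier ticked.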
diff --git a/ActivityTypes/vpn-authentication.md b/ActivityTypes/vpn-authentication.md
index 7d8c917..9b3efe2 100644
--- a/ActivityTypes/vpn-authentication.md
+++ b/ActivityTypes/vpn-authentication.md
@@ -16,9 +16,9 @@ Parameters
Legacy Names
------------
-| Success | Fail |
-| ----------------------------- | ---- |
-| authentication-successful
| |
+| Success | Fail |
+| ----------------------------- | ------------------------- |
+| authentication-successful
| authentication-failed
|
Fields
------
@@ -29,10 +29,25 @@ The possible fields for this activity type will vary depending on whether the ac
vpn-authentication:success
--------------------------
-| Field | Core | Detection | Informational |
-| ------------------- | -------- | --------- | ------------- |
-| domain | | ✓ | |
-| user | ✓ | ✓ | |
-| authentication_type | ✓ | ✓ | |
-
-A failure activity is not currently supported for this activity-type.
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| auth_type | ✓ | ✓ | |
+| domain | | ✓ | |
+| mfa_country | | ✓ | |
+| domain_user_name | | | |
+| mfa_device | | ✓ | |
+| user | ✓ | ✓ | |
+
+vpn-authentication:fail
+-----------------------
+
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| auth_type | ✓ | ✓ | |
+| failure_code | | ✓ | |
+| domain | | ✓ | |
+| mfa_country | | ✓ | |
+| domain_user_name | | | |
+| failure_reason | | ✓ | |
+| mfa_device | | ✓ | |
+| user | ✓ | ✓ | |
\ No newline at end of file
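Review bot: `authentication_type` is renamed to `auth_type` while keeping its Core tick, so every existing producer and rule that uses the old name breaks; if the rename is deliberate, record the old name as a legacy alias (the Legacy Names table in this file exists for exactly that) or accept both. `domain_user_name` has no tier ticked; `mfa_country` and `mfa_device` as Detection are good additions.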
diff --git a/ActivityTypes/vpn-login.md b/ActivityTypes/vpn-login.md
index 89265d7..b398391 100644
--- a/ActivityTypes/vpn-login.md
+++ b/ActivityTypes/vpn-login.md
@@ -29,17 +29,31 @@ The possible fields for this activity type will vary depending on whether the ac
vpn-login:success
-----------------
-| Field | Core | Detection | Informational |
-| ------ | -------- | --------- | ------------- |
-| domain | | ✓ | |
-| user | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| os | | ✓ | |
+| login_type | | ✓ | |
+| domain | | ✓ | |
+| dest_ip | | ✓ | |
+| dest_host | | ✓ | |
+| realm | | ✓ | |
+| domain_user_name | | | |
+| src_host | | ✓ | |
+| user | ✓ | ✓ | |
vpn-login:fail
--------------
-| Field | Core | Detection | Informational |
-| -------------- | -------- | --------- | ------------- |
-| failure_code | | ✓ | |
-| domain | | ✓ | |
-| failure_reason | | ✓ | |
-| user | ✓ | ✓ | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| failure_code | | ✓ | |
+| os | | ✓ | |
+| login_type | | ✓ | |
+| domain | | ✓ | |
+| dest_ip | | ✓ | |
+| dest_host | | ✓ | |
+| realm | | ✓ | |
+| domain_user_name | | | |
+| failure_reason | | ✓ | |
+| src_host | | ✓ | |
+| user | ✓ | ✓ | |
\ No newline at end of file
diff --git a/ActivityTypes/vpn-logout.md b/ActivityTypes/vpn-logout.md
index dc04955..ba78106 100644
--- a/ActivityTypes/vpn-logout.md
+++ b/ActivityTypes/vpn-logout.md
@@ -29,17 +29,23 @@ The possible fields for this activity type will vary depending on whether the ac
vpn-logout:success
------------------
-| Field | Core | Detection | Informational |
-| ------ | -------- | --------- | ------------- |
-| domain | | ✓ | |
-| user | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| bytes_out | ✓ | ✓ | |
+| domain | | ✓ | |
+| domain_user_name | | | |
+| user | ✓ | ✓ | |
+| session_duration | | ✓ | |
vpn-logout:fail
---------------
-| Field | Core | Detection | Informational |
-| -------------- | -------- | --------- | ------------- |
-| failure_code | | ✓ | |
-| domain | | ✓ | |
-| failure_reason | | ✓ | |
-| user | ✓ | ✓ | |
\ No newline at end of file
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| failure_code | | ✓ | |
+| bytes_out | ✓ | ✓ | |
+| domain | | ✓ | |
+| domain_user_name | | | |
+| failure_reason | | ✓ | |
+| user | ✓ | ✓ | |
+| session_duration | | ✓ | |
\ No newline at end of file
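Review bot: `bytes_out` is ticked as Core and `session_duration` is listed under `vpn-logout:fail`; a failed logout generally means the session did not end, so neither value is guaranteed to exist, and making one of them Core will reject otherwise valid fail events. Confirm both are meant for the fail table, and as in the other VPN tables the `domain_user_name` row has no column ticked.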
diff --git a/ActivityTypes/vpn-session.md b/ActivityTypes/vpn-session.md
index d690dd5..8da8157 100644
--- a/ActivityTypes/vpn-session.md
+++ b/ActivityTypes/vpn-session.md
@@ -29,9 +29,10 @@ The possible fields for this activity type will vary depending on whether the ac
vpn-session:success
-------------------
-| Field | Core | Detection | Informational |
-| ------ | -------- | --------- | ------------- |
-| domain | | ✓ | |
-| user | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| domain | | ✓ | |
+| domain_user_name | | | |
+| user | ✓ | ✓ | |
A failure activity is not currently supported for this activity-type.
\ No newline at end of file
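Review bot: the added `domain_user_name` row has nothing ticked in any of the three columns, so it is listed without a class; add the missing tick (or an Enriched column, which is how CIM.json classifies this field in this patch) rather than shipping an unclassified row.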
diff --git a/CIM.json b/CIM.json
index fd3b967..65df6f4 100644
--- a/CIM.json
+++ b/CIM.json
@@ -6,42 +6,57 @@
"time": {
"core": "1",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
"product": {
"core": "1",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1",
+ "reserved": "1"
},
"product_category": {
"core": "0",
"detection": "1",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1",
+ "reserved": "1"
},
"vendor": {
"core": "1",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1",
+ "reserved": "1"
},
"platform": {
"core": "0",
"detection": "1",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1",
+ "reserved": "1"
},
"landscape": {
"core": "0",
"detection": "1",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1",
+ "reserved": "1"
},
"outcome": {
"core": "1",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1",
+ "reserved": "1"
},
"subject": {
"core": "1",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1",
+ "reserved": "1"
},
"host": {
"core": "0",
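Review bot: `time` gets `"enriched": "1"` but, unlike every other header field in this hunk, no `"reserved"` key; if that is intentional it deserves a comment in the commit, otherwise add the key. The patch also introduces `reserved` and `enriched` without stating what either flag means or what a consumer should assume when the key is absent (see the Subjects section below, where older fields keep only the three original keys); a one-line definition next to the other class names would avoid readers guessing.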
@@ -51,12 +66,29 @@
"activity_type": {
"core": "1",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1",
+ "reserved": "1"
+ },
+ "activity": {
+ "core": "1",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1",
+ "reserved": "1"
}
}
}
},
"Subjects": {
+ "log_account": {
+ "description": "A log account represents a container of resources within a cloud vendor, and is used to connect and transfer logs into an application",
+ "fields": {}
+ },
+ "context_source": {
+ "description": "A context source normalizes contextual data collected from external sources, which can then be used to enrich events or provide context in investigations",
+ "fields": {}
+ },
"file": {
"description": "A file is a storage object on endpoints and applications, that contains content, data or settings that can be written into it or read from it.",
"fields": {
@@ -79,6 +111,37 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "access": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "bytes": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
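Review bot: only `local_user_name` carries the new `"enriched"` key here; the other fields in the same object do not, so any consumer has to treat a missing key as `"0"`, which should be stated somewhere. Separately, the field is named `bytes` on this subject while later hunks in this patch use `bytes_out` and `bytes_in`; pick one naming scheme so that rules can be written once across subjects.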
@@ -87,7 +150,7 @@
"fields": {
"process_name": {
"core": "1",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
"process_path": {
@@ -147,13 +210,19 @@
"fields": {
"dest_user": {
"core": "1",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
"dest_domain": {
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "1"
+ },
+ "dest_domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -162,7 +231,7 @@
"fields": {
"group_name": {
"core": "1",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
"group_domain": {
@@ -189,6 +258,22 @@
"core": "1",
"detection": "0",
"informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -199,12 +284,12 @@
"dcom": {
"description": "DCOM (Distributed Component Object Model) objects are Windows endpoint components that allow COM objects to communicate with each other over the network",
"fields": {
- "clsid": {
+ "cls_id": {
"core": "1",
"detection": "0",
"informational": "0"
},
- "appid": {
+ "app_id": {
"core": "0",
"detection": "1",
"informational": "0"
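Review bot: renaming `clsid` to `cls_id` and `appid` to `app_id` is a breaking change for any parser or rule keyed on the old names, and the file has no aliasing mechanism for fields (only `legacy_event_name` for event types). Call the rename out in the commit message or changelog, and consider keeping the old key for one release.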
@@ -223,6 +308,12 @@
"core": "1",
"detection": "0",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -238,6 +329,12 @@
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -264,6 +361,11 @@
"detection": "1",
"informational": "0"
},
+ "ds_object_type": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
"ds_name": {
"core": "0",
"detection": "1",
@@ -273,6 +375,37 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "attribute": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "properties": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "access_list":{
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
}
},
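Review bot: `"access_list":{` is missing the space after the colon that every other key in this file has; fix the formatting so the file stays consistent and diffs cleanly. The hunk also adds `attribute` (singular) next to `properties` (plural) with identical flags; clarify whether both are needed or whether one is a superset of the other.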
@@ -286,12 +419,12 @@
},
"location_building": {
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "1"
},
"location_city": {
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "1"
},
"direction": {
@@ -328,6 +461,17 @@
"core": "1",
"detection": "1",
"informational": "0"
+ },
+ "user": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -512,6 +656,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -557,6 +707,36 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "direction": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "bytes_out": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "action": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
}
},
@@ -625,7 +805,7 @@
},
"dest_port": {
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "1"
},
"uri_path": {
@@ -652,6 +832,77 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "protocol": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "direction": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "bytes_out": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "browser": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "os": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "bytes_in": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "http_response_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "category": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "categories": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "method": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
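Review bot: `category` and `categories` are both added with identical flags; if `categories` is the multi-valued form of `category`, say so and state which one a parser should populate, otherwise one of them is redundant. `browser` and `os` are also added here with detection set but are not given the `enriched` flag, even though they are typically derived from `user_agent` rather than parsed directly; confirm that is intended.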
@@ -732,6 +983,36 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "protocol": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "direction": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "bytes_out": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
}
}
},
@@ -757,6 +1038,36 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "protocol": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "direction": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "bytes_out": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
}
}
},
@@ -786,7 +1097,39 @@
},
"database": {
"description": "The database subject represents a database interface and the resources it contains",
- "fields": {}
+ "fields": {
+ "user": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "db_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "db_operation": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
},
"ftp": {
"description": "File transfer protocel (FTP) is a network protocol used to transmitting files over the network. This subject represents FTP traffic related activities.",
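Review bot: the `database` subject gains `src_host` and `src_ip` but no `dest_host` or `dest_ip` for the server side, which is what detection content for access to a sensitive database would key on; consider adding the destination pair for symmetry with the other subjects in this patch. While here, the unchanged `ftp` description has two typos ("protocel", "used to transmitting files") that could be fixed in the same commit.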
@@ -840,6 +1183,12 @@
"core": "1",
"detection": "1",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -927,10 +1276,10 @@
}
}
},
- "incident": {
+ "case": {
"description": "A security incident represents an open case in security products, which are interacted on and expanded by users.",
"fields": {
- "incident_name": {
+ "case_name": {
"core": "1",
"detection": "1",
"informational": "0"
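Review bot: the subject is renamed from `incident` to `case` and the field from `incident_name` to `case_name`, but the description still opens with "A security incident represents an open case"; reword it to describe a case. Both renames are breaking for existing mappings, so note them in the commit message.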
@@ -959,6 +1308,12 @@
"core": "1",
"detection": "1",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -1130,27 +1485,7 @@
"fields": {
"alert_name": {
"core": "1",
- "detection": "0",
- "informational": "0"
- },
- "alert_type": {
- "core": "1",
- "detection": "0",
- "informational": "0"
- },
- "alert_subject": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "alert_severity": {
- "core": "1",
- "detection": "0",
- "informational": "0"
- },
- "alert_source": {
- "core": "1",
- "detection": "0",
+ "detection": "1",
"informational": "0"
}
}
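Review bot: this drops `alert_type`, `alert_severity` and `alert_source`, all of which were marked core, plus `alert_subject`, without anything in the patch explaining where they went. Severity and source are the attributes alert handling rules most often filter on, so if they moved to a shared field set, say so; if they were removed outright, that is a silent contract change for every alert producer.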
@@ -1277,7 +1612,19 @@
},
"script": {
"description": "A script is a human readable representation of a coding langauge, which is executed by interpretes or compilers rather the directly by a machine.",
- "fields": {}
+ "fields": {
+ "script_type": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "script_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
},
"link": {
"description": "A link (shell link\\hard link\\soft link...) is an endpoint object used to redirect to another endpoint object whenever accessed. For example - a file shortcut.",
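Review bot: `script_type` is flagged both `"detection": "1"` and `"enriched": "1"`; the patch never says whether an enriched (derived) field may also count as a detection field, and `is_dok` gets the same combination further down, so document the rule once. The unchanged `script` description has several typos ("langauge", "interpretes", "rather the directly by") worth fixing in the same change.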
@@ -1286,9 +1633,187 @@
"function": {
"description": "An automation function is a cloud object, allowing for automated resource management with cloud commands in the form of a function code",
"fields": {}
+ },
+ "parser": {
+ "description": "A parser is an Exabeam configuration that defines log value extractions and mappings.",
+ "fields": {}
}
},
"EventTypes": {
+ "context_source-create:success": {
+ "subject": "context_source",
+ "activity": "create",
+ "activity_type": "context_source-create",
+ "outcome": "success",
+ "pretty_name": "Context Source Create",
+ "description": "Context source was created",
+ "fields": {}
+ },
+ "context_source-create:fail": {
+ "subject": "context_source",
+ "activity": "create",
+ "activity_type": "context_source-create",
+ "outcome": "fail",
+ "pretty_name": "Context Source Create",
+ "description": "Context source creation failed",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "context_source-modify:success": {
+ "subject": "context_source",
+ "activity": "modify",
+ "activity_type": "context_source-modify",
+ "outcome": "success",
+ "pretty_name": "Context Source Modify",
+ "description": "Context source was Modified",
+ "fields": {}
+ },
+ "context_source-modify:fail": {
+ "subject": "context_source",
+ "activity": "modify",
+ "activity_type": "context_source-modify",
+ "outcome": "fail",
+ "pretty_name": "Context Source Modify",
+ "description": "Context source modification failed",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "context_source-delete:success": {
+ "subject": "context_source",
+ "activity": "delete",
+ "activity_type": "context_source-delete",
+ "outcome": "success",
+ "pretty_name": "Context Source Delete",
+ "description": "Context source was deleted",
+ "fields": {}
+ },
+ "context_source-delete:fail": {
+ "subject": "context_source",
+ "activity": "delete",
+ "activity_type": "context_source-delete",
+ "outcome": "fail",
+ "pretty_name": "Context Source Delete",
+ "description": "Context source delete failed",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "log_account-create:success": {
+ "subject": "log_account",
+ "activity": "create",
+ "activity_type": "log_account-create",
+ "outcome": "success",
+ "pretty_name": "Log Account Create",
+ "description": "A log account was created",
+ "fields": {}
+ },
+ "log_account-create:fail": {
+ "subject": "log_account",
+ "activity": "create",
+ "activity_type": "log_account-create",
+ "outcome": "fail",
+ "pretty_name": "Log Account Create",
+ "description": "A log account creation failed",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "log_account-modify:success": {
+ "subject": "log_account",
+ "activity": "modify",
+ "activity_type": "log_account-modify",
+ "outcome": "success",
+ "pretty_name": "Log Account Modify",
+ "description": "A log account was Modified",
+ "fields": {}
+ },
+ "log_account-modify:fail": {
+ "subject": "log_account",
+ "activity": "modify",
+ "activity_type": "log_account-modify",
+ "outcome": "fail",
+ "pretty_name": "Log Account Modify",
+ "description": "A log account modification failed",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "log_account-delete:success": {
+ "subject": "log_account",
+ "activity": "delete",
+ "activity_type": "log_account-delete",
+ "outcome": "success",
+ "pretty_name": "Log Account Delete",
+ "description": "A log account was Deleted",
+ "fields": {}
+ },
+ "log_account-delete:fail": {
+ "subject": "log_account",
+ "activity": "delete",
+ "activity_type": "log_account-delete",
+ "outcome": "fail",
+ "pretty_name": "Log Account Delete",
+ "description": "A log account delete failed",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
"file-write:success": {
"subject": "file",
"activity": "write",
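Review bot: the new descriptions capitalise inconsistently ("Context source was Modified", "A log account was Modified", "A log account was Deleted" next to "Context source was deleted" and "A log account was created"); lower-case them to match. The `parser` subject description names Exabeam explicitly, which is out of place in a model whose other subject descriptions are vendor-neutral; describe it generically (a parser configuration defining log extractions and mappings) instead.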
@@ -1300,7 +1825,14 @@
"is_dok": {
"core": "0",
"detection": "1",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
+ },
+ "cid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1",
+ "enriched": "0"
}
},
"legacy_event_name": [
@@ -1330,6 +1862,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "cid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1",
+ "enriched": "0"
}
},
"legacy_event_name": [
@@ -1348,7 +1886,14 @@
"is_dok": {
"core": "0",
"detection": "1",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
+ },
+ "cid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1",
+ "enriched": "0"
}
},
"legacy_event_name": [
@@ -1378,6 +1923,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "cid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1",
+ "enriched": "0"
}
},
"legacy_event_name": [
@@ -1417,6 +1968,11 @@
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "cid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
},
"legacy_event_name": [
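Review bot: `cid` is added here without the `"enriched"` key, whereas the other `cid` additions in this file carry an explicit `"enriched": "0"`; pick one form so the field has the same shape everywhere. `cid` is also never described anywhere in the patch, so it is unclear what identifier it holds.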
@@ -1465,6 +2021,11 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "cid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
},
"legacy_event_name": [
@@ -1582,7 +2143,7 @@
},
"src_file_dir": {
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "1"
}
}
@@ -1612,7 +2173,7 @@
},
"src_file_dir": {
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "1"
},
"failure_reason": {
@@ -2211,6 +2772,53 @@
}
}
},
+ "file-create:success": {
+ "subject": "file",
+ "activity": "create",
+ "activity_type": "file-create",
+ "outcome": "success",
+ "pretty_name": "File Create",
+ "description": "A file was created",
+ "fields": {
+ "is_dok": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
+ "legacy_event_name": [
+ "file-write"
+ ]
+ },
+ "file-create:fail": {
+ "subject": "file",
+ "activity": "create",
+ "activity_type": "file-create",
+ "outcome": "fail",
+ "pretty_name": "File Create",
+ "description": "A file was created",
+ "fields": {
+ "is_dok": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ },
+ "legacy_event_name": [
+ "file-write"
+ ]
+ },
"user-create:success": {
"subject": "user",
"activity": "create",
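Review bot: `file-create:fail` reuses the success description "A file was created"; the other fail events in this patch use wording like "creation failed", so do the same here. `is_dok` is also flagged `"enriched": "1"` on the success event but not on the fail event; unless the field is derived differently for failures, the two should match.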
@@ -2218,7 +2826,24 @@
"outcome": "success",
"pretty_name": "User Create",
"description": "A user account was created",
- "fields": {},
+ "fields": {
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
"legacy_event_name": [
"account-creation"
]
@@ -2240,6 +2865,22 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"legacy_event_name": [
@@ -2253,7 +2894,19 @@
"outcome": "success",
"pretty_name": "User Delete",
"description": "A user account was deleted",
- "fields": {},
+ "fields": {
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
"legacy_event_name": [
"account-deleted"
]
@@ -2275,6 +2928,17 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"legacy_event_name": [
@@ -2293,6 +2957,29 @@
"account-disabled"
]
},
+ "user-disable:fail": {
+ "subject": "user",
+ "activity": "disable",
+ "activity_type": "user-disable",
+ "outcome": "fail",
+ "pretty_name": "User Disable",
+ "description": "A user account was disabled",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ },
+ "legacy_event_name": [
+ "account-disabled"
+ ]
+ },
"user-enable:success": {
"subject": "user",
"activity": "enable",
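Review bot: `user-disable:fail` is described as "A user account was disabled", which is the success wording; a fail outcome should say the disable attempt failed, otherwise UI and reports will mislabel these events.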
@@ -2305,6 +2992,29 @@
"account-enabled"
]
},
+ "user-enable:fail": {
+ "subject": "user",
+ "activity": "enable",
+ "activity_type": "user-enable",
+ "outcome": "fail",
+ "pretty_name": "User Enable",
+ "description": "A user account was enabled",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ },
+ "legacy_event_name": [
+ "account-enabled"
+ ]
+ },
"user-list:success": {
"subject": "user",
"activity": "list",
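Review bot: `user-enable:fail` carries the success description "A user account was enabled"; change it to state that enabling failed, consistent with the other fail events in the file.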
@@ -2341,7 +3051,19 @@
"outcome": "success",
"pretty_name": "User Lock",
"description": "A user account was locked",
- "fields": {},
+ "fields": {
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
"legacy_event_name": [
"account-lockout"
]
@@ -2363,6 +3085,17 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"legacy_event_name": [
@@ -2376,7 +3109,19 @@
"outcome": "success",
"pretty_name": "User Password Modify",
"description": "A user accounts' password was changed",
- "fields": {},
+ "fields": {
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
"legacy_event_name": [
"account-password-change"
]
@@ -2398,6 +3143,17 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"legacy_event_name": [
@@ -2549,12 +3305,34 @@
"user": {
"core": "1",
"detection": "1",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
"domain": {
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "dest_user_type": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user_type": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"legacy_event_name": [
@@ -2588,6 +3366,27 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "dest_user_type": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user_type": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"legacy_event_name": [
@@ -3192,6 +3991,53 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "hash_sha256": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_guid": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "parent_process_guid": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_integrity": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "cid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1",
+ "enriched": "0"
}
},
"legacy_event_name": [
@@ -3240,6 +4086,53 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "hash_sha256": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_guid": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "parent_process_guid": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_integrity": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "cid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1",
+ "enriched": "0"
}
},
"legacy_event_name": [
@@ -3424,6 +4317,66 @@
}
}
},
+ "process-memory-protect:success": {
+ "subject": "process",
+ "activity": "memory-protect",
+ "activity_type": "process-memory-protect",
+ "outcome": "success",
+ "pretty_name": "Process Memory Protect",
+ "description": "Virtual memory was protected",
+ "fields": {
+ "memory_address": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "memory_size": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "memory_protection": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "process-memory-protect:fail": {
+ "subject": "process",
+ "activity": "memory-protect",
+ "activity_type": "process-memory-protect",
+ "outcome": "fail",
+ "pretty_name": "Process Memory Protect",
+ "description": "Virtual memory was protected",
+ "fields": {
+ "memory_address": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "memory_size": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "memory_protection": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
"process-open:success": {
"subject": "process",
"activity": "open",
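Review bot: `process-memory-protect:fail` has the same description as the success event ("Virtual memory was protected"); reword it for the failure case. More substantively, `memory_protection` (together with `memory_address` and `memory_size`) is marked informational only, yet the protection flags are exactly what a detection rule on suspicious protection changes would inspect; consider `"detection": "1"` for at least `memory_protection`.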
@@ -3587,7 +4540,13 @@
"outcome": "success",
"pretty_name": "Dll Load",
"description": "A dll module was loaded into a process",
- "fields": {},
+ "fields": {
+ "cid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
"legacy_event_name": [
"image-loaded"
]
@@ -3609,6 +4568,11 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "cid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
},
"legacy_event_name": [
@@ -3654,8 +4618,85 @@
"fields": {
"user": {
"core": "1",
- "detection": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "os": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "browser": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user_agent": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "mime": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "fingerprint": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "object": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "operation": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "login_type": {
+ "core": "0",
+ "detection": "1",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "cid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1",
+ "enriched": "0"
}
},
"legacy_event_name": [
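Review bot: the 14 added fields include `mime`, `fingerprint`, `object` and `operation`, which read like app-activity attributes rather than attributes of the login-type event this block belongs to (it also gains `login_type`); check whether the block was copied wholesale. The identical block is added again in the next hunk for the fail outcome, so if this is a shared field set it would be better expressed once rather than duplicated.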
@@ -3673,7 +4714,7 @@
"fields": {
"user": {
"core": "1",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
"failure_reason": {
@@ -3685,6 +4726,83 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "os": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "browser": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user_agent": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "mime": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "fingerprint": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "object": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "operation": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "login_type": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "cid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1",
+ "enriched": "0"
}
},
"legacy_event_name": [
@@ -3704,6 +4822,18 @@
"core": "1",
"detection": "0",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "cid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1",
+ "enriched": "0"
}
}
},
@@ -3729,7 +4859,20 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "cid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1",
+ "enriched": "0"
}
+
}
},
"app-notification:success": {
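Review bot: a whitespace-only `+` line is added inside the fields object after the `cid` entry; drop it so the hunk contains only the intended field additions and the file keeps its existing formatting.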
@@ -3739,7 +4882,14 @@
"outcome": "success",
"pretty_name": "App Notification",
"description": "An app notification is an entirely informational notification that has popped up on an app. This activity only represents informational events that are not \"activities\".",
- "fields": {}
+ "fields": {
+ "cid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1",
+ "enriched": "0"
+ }
+ }
},
"app-activity:success": {
"subject": "app",
@@ -3751,8 +4901,65 @@
"fields": {
"operation": {
"core": "0",
- "detection": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "os": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "browser": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user_agent": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "mime": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "fingerprint": {
+ "core": "0",
+ "detection": "1",
"informational": "0"
+ },
+ "object": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "cid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1",
+ "enriched": "0"
}
},
"legacy_event_name": [
@@ -3770,7 +4977,7 @@
"fields": {
"operation": {
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
"failure_reason": {
@@ -3782,6 +4989,63 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "os": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "browser": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user_agent": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "mime": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "fingerprint": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "object": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "cid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1",
+ "enriched": "0"
}
},
"legacy_event_name": [
@@ -3799,13 +5063,75 @@
"fields": {
"user": {
"core": "1",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "authentication_type": {
+ "auth_type": {
"core": "0",
"detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "mfa_device": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "mfa_country": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "os": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "browser": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user_agent": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "mime": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "fingerprint": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "object": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "operation": {
+ "core": "0",
+ "detection": "1",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"legacy_event_name": [
@@ -3823,10 +5149,10 @@
"fields": {
"user": {
"core": "1",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "authentication_type": {
+ "auth_type": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -3840,6 +5166,67 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "mfa_device": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "mfa_country": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "os": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "browser": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user_agent": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "mime": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "fingerprint": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "object": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "operation": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"legacy_event_name": [
@@ -3859,6 +5246,12 @@
"core": "1",
"detection": "0",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -3884,6 +5277,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -3996,6 +5395,70 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "logon_type": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "result_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "account": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "location": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_mac": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "account_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "cid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1",
+ "enriched": "0"
+ },
+ "subject_sid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
},
"legacy_event_name": [
@@ -4043,6 +5506,64 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "result_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "account": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "location": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_mac": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "account_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "cid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1",
+ "enriched": "0"
+ },
+ "subject_sid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
},
"legacy_event_name": [
@@ -4059,55 +5580,42 @@
"authentication-failed"
]
},
- "endpoint-authentication:success": {
+ "endpoint-domain-join:success": {
"subject": "endpoint",
- "activity": "authentication",
- "activity_type": "endpoint-authentication",
+ "activity": "domain-join",
+ "activity_type": "endpoint-domain-join",
"outcome": "success",
- "pretty_name": "Endpoint Authentication",
- "description": "A part of an identification process to an endpoint that is not the login",
+ "pretty_name": "Endpoint Domain Join",
+ "description": "An endpoint added to a domain",
"fields": {
- "user": {
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
"domain": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "authentication_type": {
+ "dest_host": {
"core": "0",
"detection": "1",
"informational": "0"
}
- },
- "legacy_event_name": [
- "authentication-successful",
- "kerberos-logon",
- "nac-logon"
- ]
+ }
},
- "endpoint-authentication:fail": {
+ "endpoint-domain-join:fail": {
"subject": "endpoint",
- "activity": "authentication",
- "activity_type": "endpoint-authentication",
+ "activity": "domain-join",
+ "activity_type": "endpoint-domain-join",
"outcome": "fail",
- "pretty_name": "Endpoint Authentication",
- "description": "A part of an identification process to an endpoint that is not the login",
+ "pretty_name": "Endpoint Domain Join",
+ "description": "An endpoint added to a domain",
"fields": {
- "user": {
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
"domain": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "authentication_type": {
+ "dest_host": {
"core": "0",
"detection": "1",
"informational": "0"
@@ -4122,6 +5630,84 @@
"detection": "1",
"informational": "0"
}
+ }
+ },
+ "endpoint-authentication:success": {
+ "subject": "endpoint",
+ "activity": "authentication",
+ "activity_type": "endpoint-authentication",
+ "outcome": "success",
+ "pretty_name": "Endpoint Authentication",
+ "description": "A part of an identification process to an endpoint that is not the login",
+ "fields": {
+ "user": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "auth_type": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
+ "legacy_event_name": [
+ "authentication-successful",
+ "kerberos-logon",
+ "nac-logon"
+ ]
+ },
+ "endpoint-authentication:fail": {
+ "subject": "endpoint",
+ "activity": "authentication",
+ "activity_type": "endpoint-authentication",
+ "outcome": "fail",
+ "pretty_name": "Endpoint Authentication",
+ "description": "A part of an identification process to an endpoint that is not the login",
+ "fields": {
+ "user": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "auth_type": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
},
"legacy_event_name": [
"authentication-failed",
@@ -4151,6 +5737,18 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "logon_type": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"legacy_event_name": [
@@ -4651,15 +6249,46 @@
"pretty_name": "Database Login",
"description": "A user logged in to a database",
"fields": {
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
"user": {
- "core": "1",
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "domain": {
+ "dest_host": {
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "login_type": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"legacy_event_name": [
@@ -4674,25 +6303,56 @@
"pretty_name": "Database Login",
"description": "A user logged in to a database",
"fields": {
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
"user": {
- "core": "1",
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "domain": {
+ "dest_host": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "failure_reason": {
+ "src_host": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "failure_code": {
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "login_type": {
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"legacy_event_name": [
@@ -4707,15 +6367,16 @@
"pretty_name": "Database Logout",
"description": "A user logged out of a database",
"fields": {
- "user": {
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
"domain": {
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -4727,11 +6388,6 @@
"pretty_name": "Database Logout",
"description": "A user logged out of a database",
"fields": {
- "user": {
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
"domain": {
"core": "0",
"detection": "1",
@@ -4746,6 +6402,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -4807,6 +6469,11 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "response_size": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
}
},
"legacy_event_name": [
@@ -4835,6 +6502,11 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "response_size": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
}
},
"legacy_event_name": [
@@ -4963,6 +6635,42 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "dest_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "login_type": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "os": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "realm": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"legacy_event_name": [
@@ -4998,6 +6706,42 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "dest_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "login_type": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "os": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "realm": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"legacy_event_name": [
@@ -5024,16 +6768,87 @@
"detection": "1",
"informational": "0"
},
- "authentication_type": {
+ "auth_type": {
"core": "1",
"detection": "1",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "mfa_device": {
+ "core": "0",
+ "detection": "1",
"informational": "0"
+ },
+ "mfa_country": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"legacy_event_name": [
"authentication-successful"
]
},
+ "vpn-authentication:fail": {
+ "subject": "vpn",
+ "activity": "authentication",
+ "activity_type": "vpn-authentication",
+ "outcome": "fail",
+ "pretty_name": "Vpn Authentication",
+ "description": "A part of an identification process to a VPN that is not the login",
+ "fields": {
+ "user": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "auth_type": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "mfa_device": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "mfa_country": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
+ "legacy_event_name": [
+ "authentication-failed"
+ ]
+ },
"vpn-session:success": {
"subject": "vpn",
"activity": "session",
@@ -5051,6 +6866,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"legacy_event_name": [
@@ -5074,6 +6895,22 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "bytes_out": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "session_duration": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"legacy_event_name": [
@@ -5107,6 +6944,22 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "bytes_out": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "session_duration": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"legacy_event_name": [
@@ -5124,7 +6977,8 @@
"dest_user": {
"core": "1",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
"dest_domain": {
"core": "0",
@@ -5134,7 +6988,8 @@
"email_address": {
"core": "1",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
"email_user": {
"core": "0",
@@ -5151,6 +7006,11 @@
"detection": "0",
"informational": "0"
},
+ "src_email_address": {
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
"dest_email_user": {
"core": "0",
"detection": "0",
@@ -5161,6 +7021,16 @@
"detection": "0",
"informational": "1"
},
+ "src_email_domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_user_full_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
"email_recipients": {
"core": "0",
"detection": "0",
@@ -5168,7 +7038,7 @@
},
"email_subject": {
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "1"
},
"email_attachment": {
@@ -5183,8 +7053,45 @@
},
"file_ext": {
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "1"
+ },
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "attachment": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "bytes": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "file_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "num_recipients": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"legacy_event_name": [
@@ -5202,7 +7109,8 @@
"dest_user": {
"core": "1",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
"dest_domain": {
"core": "0",
@@ -5212,7 +7120,8 @@
"email_address": {
"core": "1",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
"email_user": {
"core": "0",
@@ -5229,6 +7138,11 @@
"detection": "0",
"informational": "0"
},
+ "src_email_address": {
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
"dest_email_user": {
"core": "0",
"detection": "0",
@@ -5239,6 +7153,16 @@
"detection": "0",
"informational": "1"
},
+ "src_email_domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_user_full_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
"email_recipients": {
"core": "0",
"detection": "0",
@@ -5246,7 +7170,7 @@
},
"email_subject": {
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "1"
},
"email_attachment": {
@@ -5261,7 +7185,7 @@
},
"file_ext": {
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "1"
},
"failure_reason": {
@@ -5273,6 +7197,43 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "attachment": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "bytes": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "file_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "num_recipients": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"legacy_event_name": [
@@ -5290,7 +7251,8 @@
"dest_user": {
"core": "1",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
"dest_domain": {
"core": "0",
@@ -5300,7 +7262,8 @@
"email_address": {
"core": "1",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
"email_user": {
"core": "0",
@@ -5317,6 +7280,11 @@
"detection": "0",
"informational": "0"
},
+ "src_email_address": {
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
"dest_email_user": {
"core": "0",
"detection": "0",
@@ -5327,6 +7295,16 @@
"detection": "0",
"informational": "1"
},
+ "src_email_domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_user_full_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
"email_recipients": {
"core": "0",
"detection": "0",
@@ -5351,6 +7329,23 @@
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "bytes": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"legacy_event_name": [
@@ -5368,7 +7363,8 @@
"dest_user": {
"core": "1",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
"dest_domain": {
"core": "0",
@@ -5378,7 +7374,8 @@
"email_address": {
"core": "1",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
"email_user": {
"core": "0",
@@ -5395,6 +7392,11 @@
"detection": "0",
"informational": "0"
},
+ "src_email_address": {
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
"dest_email_user": {
"core": "0",
"detection": "0",
@@ -5405,6 +7407,16 @@
"detection": "0",
"informational": "1"
},
+ "src_email_domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_user_full_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
"email_recipients": {
"core": "0",
"detection": "0",
@@ -5439,6 +7451,23 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "bytes": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"legacy_event_name": [
@@ -5645,6 +7674,11 @@
"detection": "0",
"informational": "1"
},
+ "src_email_address": {
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
"dest_email_user": {
"core": "0",
"detection": "0",
@@ -5654,6 +7688,22 @@
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "src_email_domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_user_full_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -5680,6 +7730,11 @@
"detection": "0",
"informational": "1"
},
+ "src_email_address": {
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
"dest_email_user": {
"core": "0",
"detection": "0",
@@ -5690,6 +7745,16 @@
"detection": "0",
"informational": "1"
},
+ "src_email_domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_user_full_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
"failure_reason": {
"core": "0",
"detection": "1",
@@ -5699,6 +7764,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "dest_domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -5725,6 +7796,11 @@
"detection": "0",
"informational": "1"
},
+ "src_email_address": {
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
"dest_email_user": {
"core": "0",
"detection": "0",
@@ -5734,6 +7810,22 @@
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "src_email_domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_user_full_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -5760,6 +7852,11 @@
"detection": "0",
"informational": "1"
},
+ "src_email_address": {
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
"dest_email_user": {
"core": "0",
"detection": "0",
@@ -5770,6 +7867,16 @@
"detection": "0",
"informational": "1"
},
+ "src_email_domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_user_full_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
"failure_reason": {
"core": "0",
"detection": "1",
@@ -5779,6 +7886,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "dest_domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -5789,7 +7902,36 @@
"outcome": "success",
"pretty_name": "Email_rule Create",
"description": "An email rule was created",
- "fields": {}
+ "fields": {
+ "email_domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_email_domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_email_domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_user_full_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "operation": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ },
+ "legacy_event_name": [
+ "app-activity"
+ ]
},
"email_rule-create:fail": {
"subject": "email_rule",
@@ -5808,6 +7950,31 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "email_domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_email_domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_email_domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_user_full_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "operation": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
}
}
},
@@ -5876,7 +8043,18 @@
"outcome": "success",
"pretty_name": "Dns Request",
"description": "A DNS query was sent",
- "fields": {},
+ "fields": {
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "bytes": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ },
"legacy_event_name": [
"dns-query"
]
@@ -5898,6 +8076,16 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "bytes": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
}
},
"legacy_event_name": [
@@ -5926,6 +8114,11 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "dest_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
}
},
"legacy_event_name": [
@@ -5964,6 +8157,11 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "dest_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
}
},
"legacy_event_name": [
@@ -6167,6 +8365,11 @@
"core": "1",
"detection": "1",
"informational": "0"
+ },
+ "cid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
},
"legacy_event_name": [
@@ -6195,6 +8398,11 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "cid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
},
"legacy_event_name": [
@@ -6283,6 +8491,43 @@
"core": "1",
"detection": "1",
"informational": "0"
+ },
+ "group_id": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user_ou": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"legacy_event_name": [
@@ -6311,6 +8556,43 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "group_id": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user_ou": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"legacy_event_name": [
@@ -6329,6 +8611,22 @@
"core": "1",
"detection": "1",
"informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"legacy_event_name": [
@@ -6474,6 +8772,35 @@
"NA"
]
},
+ "group-read:success": {
+ "subject": "group",
+ "activity": "read",
+ "activity_type": "group-read",
+ "outcome": "success",
+ "pretty_name": "Group Read",
+ "description": "A request was made to read the content of a group",
+ "fields": {}
+ },
+ "group-read:fail": {
+ "subject": "group",
+ "activity": "read",
+ "activity_type": "group-read",
+ "outcome": "fail",
+ "pretty_name": "Group Read",
+ "description": "A request was made to read the content of a group",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
"group-modify:success": {
"subject": "group",
"activity": "modify",
@@ -6767,6 +9094,93 @@
}
}
},
+ "repository-read:success": {
+ "subject": "repository",
+ "activity": "read",
+ "activity_type": "repository-read",
+ "outcome": "success",
+ "pretty_name": "Repository Read",
+ "description": "A git repository read",
+ "fields": {}
+ },
+ "repository-read:fail": {
+ "subject": "repository",
+ "activity": "read",
+ "activity_type": "repository-read",
+ "outcome": "fail",
+ "pretty_name": "Repository Read",
+ "description": "A git repository read",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "repository-pull:success": {
+ "subject": "repository",
+ "activity": "pull",
+ "activity_type": "repository-pull",
+ "outcome": "success",
+ "pretty_name": "Repository Pull",
+ "description": "A git repository was Pulled",
+ "fields": {}
+ },
+ "repository-pull:fail": {
+ "subject": "repository",
+ "activity": "pull",
+ "activity_type": "repository-pull",
+ "outcome": "fail",
+ "pretty_name": "Repository Pull",
+ "description": "A git repository was Pulled",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "repository-push:success": {
+ "subject": "repository",
+ "activity": "push",
+ "activity_type": "repository-push",
+ "outcome": "success",
+ "pretty_name": "Repository Push",
+ "description": "A git repository was Pushed",
+ "fields": {}
+ },
+ "repository-push:fail": {
+ "subject": "repository",
+ "activity": "push",
+ "activity_type": "repository-push",
+ "outcome": "fail",
+ "pretty_name": "Repository Push",
+ "description": "A git repository was Pushed",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
"group-list:success": {
"subject": "group",
"activity": "list",
@@ -6803,7 +9217,13 @@
"outcome": "success",
"pretty_name": "Network Traffic",
"description": "A representation of a single network packet",
- "fields": {},
+ "fields": {
+ "cid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
"legacy_event_name": [
"netflow-connection",
"network-connection-successful"
@@ -6826,6 +9246,11 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "cid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
},
"legacy_event_name": [
@@ -6840,7 +9265,13 @@
"outcome": "success",
"pretty_name": "Network Session",
"description": "A representation of an entire network session",
- "fields": {},
+ "fields": {
+ "cid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
"legacy_event_name": [
"netflow-connection",
"network-connection-successful",
@@ -7402,12 +9833,38 @@
"activity_type": "user-privilege-use",
"outcome": "success",
"pretty_name": "User Privilege Use",
- "description": "A user called his privilege to access to an oject",
+ "description": "A user called his privilege to access to an object",
"fields": {
"privileges": {
"core": "0",
"detection": "0",
"informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_dir": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"legacy_event_name": [
@@ -7415,6 +9872,29 @@
"privileged-object-access"
]
},
+ "user-privilege-use:fail": {
+ "subject": "user",
+ "activity": "privilege-use",
+ "activity_type": "user-privilege-use",
+ "outcome": "fail",
+ "pretty_name": "User Privilege Use",
+ "description": "A user called his privilege to access to an object",
+ "fields": {
+ "privileges": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ },
+ "legacy_event_name": [
+
+ ]
+ },
"registry-create:success": {
"subject": "registry",
"activity": "create",
@@ -7486,7 +9966,13 @@
"outcome": "success",
"pretty_name": "Registry Modify",
"description": "The content or configuration of a registry object was modified",
- "fields": {},
+ "fields": {
+ "cid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
"legacy_event_name": [
"registry-write"
]
@@ -7508,6 +9994,11 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "cid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
},
"legacy_event_name": [
@@ -7543,6 +10034,35 @@
}
}
},
+ "registry-read:success": {
+ "subject": "registry",
+ "activity": "read",
+ "activity_type": "registry-read",
+ "outcome": "success",
+ "pretty_name": "Registry Read",
+ "description": "A registry key or value were read",
+ "fields": {}
+ },
+ "registry-read:fail": {
+ "subject": "registry",
+ "activity": "read",
+ "activity_type": "registry-read",
+ "outcome": "fail",
+ "pretty_name": "Registry Read",
+ "description": "A registry key or value were read",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
"service-create:success": {
"subject": "service",
"activity": "create",
@@ -7550,7 +10070,29 @@
"outcome": "success",
"pretty_name": "Service Create",
"description": "A service was created",
- "fields": {},
+ "fields": {
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_path": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_command_line": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
"legacy_event_name": [
"service-created"
]
@@ -7689,7 +10231,18 @@
"outcome": "success",
"pretty_name": "Share Access",
"description": "A network share was accessed",
- "fields": {},
+ "fields": {
+ "src_port": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "file_path": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ },
"legacy_event_name": [
"share-access"
]
@@ -7711,6 +10264,16 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "src_port": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "file_path": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
}
},
"legacy_event_name": [
@@ -7789,7 +10352,35 @@
"outcome": "success",
"pretty_name": "Scheduled_task Create",
"description": "A scheduled task was created",
- "fields": {},
+ "fields": {
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_path": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "cid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1",
+ "enriched": "0"
+ }
+ },
"legacy_event_name": [
"task-created"
]
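Review bot: the `cid` field added here carries an explicit `"enriched": "0"`, while every other `cid` field added in this diff (network-traffic, network-session, registry-modify, configuration-modify) omits the `enriched` key. If an absent key means 0, drop it here for consistency; if the key is meant to be mandatory, the other `cid` definitions need it too. The same applies to the scheduled_task-create fail entry in the next hunk.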
@@ -7811,6 +10402,33 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_path": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "cid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1",
+ "enriched": "0"
}
},
"legacy_event_name": [
@@ -7940,7 +10558,13 @@
"outcome": "success",
"pretty_name": "Scheduled_task Modify",
"description": "The configuration of a scheduled task was changed",
- "fields": {}
+ "fields": {
+ "cid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
},
"scheduled_task-modify:fail": {
"subject": "scheduled_task",
@@ -7959,6 +10583,11 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "cid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
}
},
@@ -8081,7 +10710,18 @@
"outcome": "success",
"pretty_name": "Meeting Modify",
"description": "A web meeting's information was updated",
- "fields": {},
+ "fields": {
+ "old_password": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "new_password": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ },
"legacy_event_name": [
"web-meeting-updated"
]
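Review bot: the new `old_password` and `new_password` fields read as if they carry the meeting password values themselves, which would put plaintext secrets into normalized event data and into any detection rule that matches on them. If the intent is only to record that the password changed, a boolean field would do; if the values genuinely need to be stored, the definitions should say so and mark the fields as sensitive so downstream storage and display can mask them. Either way a one-line description of what these two fields contain would help, since nothing in the entry explains them.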
@@ -8103,6 +10743,16 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "old_password": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "new_password": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
}
},
"legacy_event_name": [
@@ -8145,7 +10795,24 @@
"outcome": "success",
"pretty_name": "Log Clear",
"description": "An audit log was cleared",
- "fields": {},
+ "fields": {
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
"legacy_event_name": [
"audit-log-clear"
]
@@ -8167,6 +10834,22 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"legacy_event_name": [
@@ -8231,6 +10914,35 @@
}
}
},
+ "log-export:success": {
+ "subject": "log",
+ "activity": "export",
+ "activity_type": "log-export",
+ "outcome": "success",
+ "pretty_name": "Log Export",
+ "description": "An audit log was exported from a remote site",
+ "fields": {}
+ },
+ "log-export:fail": {
+ "subject": "log",
+ "activity": "export",
+ "activity_type": "log-export",
+ "outcome": "fail",
+ "pretty_name": "Log Export",
+ "description": "An audit log was exported from a remote site",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
"log-enable:success": {
"subject": "log",
"activity": "enable",
@@ -8360,7 +11072,13 @@
"outcome": "success",
"pretty_name": "Configuration Modify",
"description": "The global configuration of an application or a program was modified",
- "fields": {},
+ "fields": {
+ "cid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
"legacy_event_name": [
"config-change"
]
@@ -8382,6 +11100,11 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "cid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
},
"legacy_event_name": [
@@ -8696,6 +11419,12 @@
"core": "1",
"detection": "1",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"legacy_event_name": [
@@ -8724,6 +11453,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"legacy_event_name": [
@@ -8771,6 +11506,32 @@
"core": "1",
"detection": "0",
"informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "printer_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "bytes": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "num_pages": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"legacy_event_name": [
@@ -8876,6 +11637,29 @@
"computer-logon"
]
},
+ "dhcp-session:fail": {
+ "subject": "dhcp",
+ "activity": "session",
+ "activity_type": "dhcp-session",
+ "outcome": "fail",
+ "pretty_name": "Dhcp Session",
+ "description": "A summary of a DHCP session",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ },
+ "legacy_event_name": [
+ "computer-logon"
+ ]
+ },
"dhcp-traffic:success": {
"subject": "dhcp",
"activity": "traffic",
@@ -9010,22 +11794,43 @@
"nac-failed-logon"
]
},
- "radius-session\t:success": {
+ "radius-session:success": {
"subject": "radius",
- "activity": "session\t",
- "activity_type": "radius-session\t",
+ "activity": "session",
+ "activity_type": "radius-session",
"outcome": "success",
- "pretty_name": "Radius Session\t",
+ "pretty_name": "Radius Session",
"description": "A summary of a complete RADIUS network session",
"fields": {}
},
- "radius-session\t:fail": {
- "subject": "radius",
- "activity": "session\t",
- "activity_type": "radius-session\t",
+ "rdp-traffic:success": {
+ "subject": "rdp",
+ "activity": "traffic",
+ "activity_type": "rdp-traffic",
+ "outcome": "success",
+ "pretty_name": "Rdp Traffic",
+ "description": "A representation of a single RDP packet",
+ "fields": {},
+ "legacy_event_name": [
+ "remote-logon"
+ ]
+ },
+ "branch-create:success": {
+ "subject": "branch",
+ "activity": "create",
+ "activity_type": "branch-create",
+ "outcome": "success",
+ "pretty_name": "Branch Create",
+ "description": "A git branch was created",
+ "fields": {}
+ },
+ "branch-create:fail": {
+ "subject": "branch",
+ "activity": "create",
+ "activity_type": "branch-create",
"outcome": "fail",
- "pretty_name": "Radius Session\t",
- "description": "A summary of a complete RADIUS network session",
+ "pretty_name": "Branch Create",
+ "description": "A git branch was created",
"fields": {
"failure_reason": {
"core": "0",
@@ -9039,18 +11844,6 @@
}
}
},
- "rdp-traffic:success": {
- "subject": "rdp",
- "activity": "traffic",
- "activity_type": "rdp-traffic",
- "outcome": "success",
- "pretty_name": "Rdp Traffic",
- "description": "A representation of a single RDP packet",
- "fields": {},
- "legacy_event_name": [
- "remote-logon"
- ]
- },
"branch-modify:success": {
"subject": "branch",
"activity": "modify",
@@ -9174,7 +11967,14 @@
"outcome": "success",
"pretty_name": "Call Receive",
"description": "A user has recived a call from another user",
- "fields": {}
+ "fields": {
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
},
"call-receive:fail": {
"subject": "call",
@@ -9193,6 +11993,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -9203,7 +12009,14 @@
"outcome": "success",
"pretty_name": "Call Send",
"description": "A user has called another user",
- "fields": {}
+ "fields": {
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
},
"call-send:fail": {
"subject": "call",
@@ -9222,6 +12035,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -10436,21 +13255,21 @@
}
}
},
- "incident-create:success": {
- "subject": "incident",
+ "case-create:success": {
+ "subject": "case",
"activity": "create",
- "activity_type": "incident-create",
+ "activity_type": "case-create",
"outcome": "success",
- "pretty_name": "Incident Create",
+ "pretty_name": "Case Create",
"description": "A security incident was created on a security product",
"fields": {}
},
- "incident-create:fail": {
- "subject": "incident",
+ "case-create:fail": {
+ "subject": "case",
"activity": "create",
- "activity_type": "incident-create",
+ "activity_type": "case-create",
"outcome": "fail",
- "pretty_name": "Incident Create",
+ "pretty_name": "Case Create",
"description": "A security incident was created on a security product",
"fields": {
"failure_reason": {
@@ -10465,21 +13284,21 @@
}
}
},
- "incident-delete:success": {
- "subject": "incident",
+ "case-delete:success": {
+ "subject": "case",
"activity": "delete",
- "activity_type": "incident-delete",
+ "activity_type": "case-delete",
"outcome": "success",
- "pretty_name": "Incident Delete",
+ "pretty_name": "Case Delete",
"description": "A security incident was deleted on a security product",
"fields": {}
},
- "incident-delete:fail": {
- "subject": "incident",
+ "case-delete:fail": {
+ "subject": "case",
"activity": "delete",
- "activity_type": "incident-delete",
+ "activity_type": "case-delete",
"outcome": "fail",
- "pretty_name": "Incident Delete",
+ "pretty_name": "Case Delete",
"description": "A security incident was deleted on a security product",
"fields": {
"failure_reason": {
@@ -10494,21 +13313,21 @@
}
}
},
- "incident-modify:success": {
- "subject": "incident",
+ "case-modify:success": {
+ "subject": "case",
"activity": "modify",
- "activity_type": "incident-modify",
+ "activity_type": "case-modify",
"outcome": "success",
- "pretty_name": "Incident Modify",
+ "pretty_name": "Case Modify",
"description": "The properties or content of a security incident were changed on a security product",
"fields": {}
},
- "incident-modify:fail": {
- "subject": "incident",
+ "case-modify:fail": {
+ "subject": "case",
"activity": "modify",
- "activity_type": "incident-modify",
+ "activity_type": "case-modify",
"outcome": "fail",
- "pretty_name": "Incident Modify",
+ "pretty_name": "Case Modify",
"description": "The properties or content of a security incident were changed on a security product",
"fields": {
"failure_reason": {
@@ -10704,7 +13523,27 @@
"outcome": "success",
"pretty_name": "Mailbox Permission Modify",
"description": "The permissions that apply to an email mailbox were changed",
- "fields": {}
+ "fields": {
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
+ "legacy_event_name": [
+ "app-activity"
+ ]
},
"mailbox-permission-modify:fail": {
"subject": "mailbox",
@@ -10723,6 +13562,22 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
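Review bot: the success entry in the previous hunk gained `"legacy_event_name": ["app-activity"]`, but this `mailbox-permission-modify:fail` entry does not; elsewhere in this file the fail variant carries the same legacy names as its success counterpart (for example `dhcp-session:fail` and the network-traffic fail entry). Add it here as well, or document why only successes map from `app-activity`.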
@@ -10909,6 +13764,12 @@
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "dest_domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -10939,6 +13800,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "dest_domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -10959,6 +13826,12 @@
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "dest_domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -10989,6 +13862,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "dest_domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -10999,7 +13878,14 @@
"outcome": "success",
"pretty_name": "Password Checkin",
"description": "A password was checked in from a vault, finishing the checkout process. a checkout is a one timed access of a password, that blocks other users from accessing it at that time",
- "fields": {}
+ "fields": {
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
},
"password-checkin:fail": {
"subject": "password",
@@ -11018,6 +13904,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -11028,7 +13920,24 @@
"outcome": "success",
"pretty_name": "Password Checkout",
"description": "A password was checked out from a vault, a checkout is a one timed access of a password, that blocks other users from accessing it at that time",
- "fields": {}
+ "fields": {
+ "safe_value": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
},
"password-checkout:fail": {
"subject": "password",
@@ -11047,6 +13956,22 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "safe_value": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -11062,6 +13987,12 @@
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -11087,6 +14018,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -11097,7 +14034,14 @@
"outcome": "success",
"pretty_name": "Password Create",
"description": "A stored password was created",
- "fields": {}
+ "fields": {
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
},
"password-create:fail": {
"subject": "password",
@@ -11116,6 +14060,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -11126,7 +14076,14 @@
"outcome": "success",
"pretty_name": "Password Read",
"description": "The value of a stored password was read",
- "fields": {}
+ "fields": {
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
},
"password-read:fail": {
"subject": "password",
@@ -11145,6 +14102,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -11155,7 +14118,14 @@
"outcome": "success",
"pretty_name": "Password Use",
"description": "A stored password was used by a user",
- "fields": {}
+ "fields": {
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
},
"password-use:fail": {
"subject": "password",
@@ -11174,6 +14144,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -11184,7 +14160,14 @@
"outcome": "success",
"pretty_name": "Password Modify",
"description": "The value of a stored password was changed",
- "fields": {}
+ "fields": {
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
},
"password-modify:fail": {
"subject": "password",
@@ -11203,6 +14186,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -11213,7 +14202,14 @@
"outcome": "success",
"pretty_name": "Password Download",
"description": "A stored password object was downloaded",
- "fields": {}
+ "fields": {
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
},
"password-download:fail": {
"subject": "password",
@@ -11232,6 +14228,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -11496,6 +14498,35 @@
}
}
},
+ "report-delete:success": {
+ "subject": "report",
+ "activity": "delete",
+ "activity_type": "report-delete",
+ "outcome": "success",
+ "pretty_name": "Report Delete",
+ "description": "A report was deleted on an app",
+ "fields": {}
+ },
+ "report-delete:fail": {
+ "subject": "report",
+ "activity": "delete",
+ "activity_type": "report-delete",
+ "outcome": "fail",
+ "pretty_name": "Report Delete",
+ "description": "A report was delete on an app",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
"report-download:success": {
"subject": "report",
"activity": "download",
@@ -11604,6 +14635,24 @@
}
}
},
+ "report-execute:success": {
+ "subject": "report",
+ "activity": "execute",
+ "activity_type": "report-execute",
+ "outcome": "success",
+ "pretty_name": "Report Execute",
+ "description": "A report was Execute on an app",
+ "fields": {}
+ },
+ "report-execute:fail": {
+ "subject": "report",
+ "activity": "execute",
+ "activity_type": "report-execute",
+ "outcome": "success",
+ "pretty_name": "Report Execute",
+ "description": "A report was Execute on an app",
+ "fields": {}
+ },
"repository-create:success": {
"subject": "repository",
"activity": "create",
@@ -12068,298 +15117,599 @@
"outcome": "success",
"pretty_name": "Rule Trigger",
"description": "A trigger of a security rule was recorded on a security product or program",
- "fields": {}
- },
- "rule-trigger:fail": {
- "subject": "rule",
- "activity": "trigger",
- "activity_type": "rule-trigger",
- "outcome": "fail",
- "pretty_name": "Rule Trigger",
- "description": "A trigger of a security rule was recorded on a security product or program",
"fields": {
- "failure_reason": {
+ "src_host": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "failure_code": {
+ "src_ip": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- },
- "secret-create:success": {
- "subject": "secret",
- "activity": "create",
- "activity_type": "secret-create",
- "outcome": "success",
- "pretty_name": "Secret Create",
- "description": "Secret credentials were created",
- "fields": {}
- },
- "secret-create:fail": {
- "subject": "secret",
- "activity": "create",
- "activity_type": "secret-create",
- "outcome": "fail",
- "pretty_name": "Secret Create",
- "description": "Secret credentials were created",
- "fields": {
- "failure_reason": {
+ },
+ "rule": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "failure_code": {
+ "dest_host": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- },
- "secret-delete:success": {
- "subject": "secret",
- "activity": "delete",
- "activity_type": "secret-delete",
- "outcome": "success",
- "pretty_name": "Secret Delete",
- "description": "Secret credentials were deleted",
- "fields": {}
- },
- "secret-delete:fail": {
- "subject": "secret",
- "activity": "delete",
- "activity_type": "secret-delete",
- "outcome": "fail",
- "pretty_name": "Secret Delete",
- "description": "Secret credentials were deleted",
- "fields": {
- "failure_reason": {
+ },
+ "dest_ip": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "failure_code": {
+ "user": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "trigger_time": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rule_reason": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "mitre_labels": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rule_usecases": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "asset_labels": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rule_severity": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_time": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "log_time": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "business_criticality": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "observed_activity": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "recoverability": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_filter": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_from_time_millis": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_to_time_millis": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "previous_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "create_case": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "case_description": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rule_source": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "type": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "technique_key": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "technique": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "tactic": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "tactic_key": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "entity_type": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "entity_key": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_field": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "field_value": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rules": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "entities": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_url": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rarity_percentile": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rarity_raw_score": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rarity_score": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "risk_score": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_product": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_vendor": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "subscription_code": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
}
},
- "secret-modify:success": {
- "subject": "secret",
- "activity": "modify",
- "activity_type": "secret-modify",
+ "rule-trigger-beta:success": {
+ "subject": "rule",
+ "activity": "trigger-beta",
+ "activity_type": "rule-trigger-beta",
"outcome": "success",
- "pretty_name": "Secret Modify",
- "description": "The vaule of secret credentails was changed",
- "fields": {}
- },
- "secret-modify:fail": {
- "subject": "secret",
- "activity": "modify",
- "activity_type": "secret-modify",
- "outcome": "fail",
- "pretty_name": "Secret Modify",
- "description": "The vaule of secret credentails was changed",
+ "pretty_name": "Rule Trigger Beta",
+ "description": "A trigger of a security rule was recorded on a security product or program",
"fields": {
- "failure_reason": {
+ "src_host": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "failure_code": {
+ "src_ip": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- },
- "secret-copy:success": {
- "subject": "secret",
- "activity": "copy",
- "activity_type": "secret-copy",
- "outcome": "success",
- "pretty_name": "Secret Copy",
- "description": "A secret credentials object was copied",
- "fields": {}
- },
- "secret-copy:fail": {
- "subject": "secret",
- "activity": "copy",
- "activity_type": "secret-copy",
- "outcome": "fail",
- "pretty_name": "Secret Copy",
- "description": "A secret credentials object was copied",
- "fields": {
- "failure_reason": {
+ },
+ "rule": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "failure_code": {
+ "dest_host": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- },
- "secret-read:success": {
- "subject": "secret",
- "activity": "read",
- "activity_type": "secret-read",
- "outcome": "success",
- "pretty_name": "Secret Read",
- "description": "The content of a secret credentials object was read",
- "fields": {}
- },
- "secret-read:fail": {
- "subject": "secret",
- "activity": "read",
- "activity_type": "secret-read",
- "outcome": "fail",
- "pretty_name": "Secret Read",
- "description": "The content of a secret credentials object was read",
- "fields": {
- "failure_reason": {
+ },
+ "dest_ip": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "failure_code": {
+ "user": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- },
- "share_link-open:success": {
- "subject": "share_link",
- "activity": "open",
- "activity_type": "share_link-open",
- "outcome": "success",
- "pretty_name": "Share_link Open",
- "description": "A shared link that was sent to a user was opened",
- "fields": {
- "user": {
+ },
+ "trigger_time": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "domain": {
+ "rule_reason": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "share_link-open:fail": {
- "subject": "share_link",
- "activity": "open",
- "activity_type": "share_link-open",
- "outcome": "fail",
- "pretty_name": "Share_link Open",
- "description": "A shared link that was sent to a user was opened",
- "fields": {
- "user": {
+ },
+ "mitre_labels": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "domain": {
+ "rule_usecases": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "failure_reason": {
+ "asset_labels": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "failure_code": {
+ "rule_severity": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_time": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "log_time": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "business_criticality": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "observed_activity": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "recoverability": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_filter": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_from_time_millis": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_to_time_millis": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "previous_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "create_case": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "case_description": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rule_source": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "type": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "technique_key": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "technique": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "tactic": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "tactic_key": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "entity_type": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "entity_key": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_field": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "field_value": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rules": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "entities": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_url": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rarity_percentile": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rarity_raw_score": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rarity_score": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "risk_score": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_product": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_vendor": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "subscription_code": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
}
},
- "vm_host-create:success": {
- "subject": "vm_host",
- "activity": "create",
- "activity_type": "vm_host-create",
- "outcome": "success",
- "pretty_name": "Vm_host Create",
- "description": "A VM host was created",
- "fields": {}
- },
- "vm_host-create:fail": {
- "subject": "vm_host",
- "activity": "create",
- "activity_type": "vm_host-create",
+ "rule-trigger:fail": {
+ "subject": "rule",
+ "activity": "trigger",
+ "activity_type": "rule-trigger",
"outcome": "fail",
- "pretty_name": "Vm_host Create",
- "description": "A VM host was created",
+ "pretty_name": "Rule Trigger",
+ "description": "A trigger of a security rule was recorded on a security product or program",
"fields": {
- "failure_reason": {
+ "src_host": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "failure_code": {
+ "src_ip": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- },
- "vm_host-delete:success": {
- "subject": "vm_host",
- "activity": "delete",
- "activity_type": "vm_host-delete",
- "outcome": "success",
- "pretty_name": "Vm_host Delete",
- "description": "A VM host was deleted",
- "fields": {}
- },
- "vm_host-delete:fail": {
- "subject": "vm_host",
- "activity": "delete",
- "activity_type": "vm_host-delete",
- "outcome": "fail",
- "pretty_name": "Vm_host Delete",
- "description": "A VM host was deleted",
- "fields": {
- "failure_reason": {
+ },
+ "rule": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "failure_code": {
+ "dest_ip": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- },
- "vm_host-modify:success": {
- "subject": "vm_host",
- "activity": "modify",
- "activity_type": "vm_host-modify",
- "outcome": "success",
- "pretty_name": "Vm_host Modify",
- "description": "The properties or configuration of a VM host were changed",
- "fields": {}
- },
- "vm_host-modify:fail": {
- "subject": "vm_host",
- "activity": "modify",
- "activity_type": "vm_host-modify",
- "outcome": "fail",
- "pretty_name": "Vm_host Modify",
- "description": "The properties or configuration of a VM host were changed",
- "fields": {
+ },
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "trigger_time": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rule_reason": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "mitre_labels": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rule_usecases": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "asset_labels": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rule_severity": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_time": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "log_time": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
"failure_reason": {
"core": "0",
"detection": "1",
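Review bot: `rule-trigger-beta:success` has no `:fail` twin, unlike every other activity type in this file, and `rule-trigger:fail` follows it directly; either add `rule-trigger-beta:fail` with the same `failure_reason`/`failure_code` fields or state why the beta variant can only succeed. Encoding a maturity tag in the activity verb (`"activity": "trigger-beta"`) also means consumers that key on `activity` see a new verb rather than a variant of `trigger`; a flag on the entry would be cleaner than a new activity name. Separately, the `rule` field of a rule-trigger event is weighted `"detection": "0", "informational": "1"` while `src_host`/`src_ip`/`dest_host`/`dest_ip`/`user` are `"detection": "1"`; if the triggering rule's identity is meant to be usable in detection logic, that weighting looks inverted and is worth a second look.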
@@ -12369,25 +15719,176 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "business_criticality": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "observed_activity": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "recoverability": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_filter": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_from_time_millis": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_to_time_millis": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "previous_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "create_case": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "case_description": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rule_source": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "type": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "technique_key": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "technique": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "tactic": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "tactic_key": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "entity_type": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "entity_key": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_field": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "field_value": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rules": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "entities": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_url": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rarity_percentile": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rarity_raw_score": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rarity_score": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "risk_score": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_product": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_vendor": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "subscription_code": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
}
},
- "vm_host-enable:success": {
- "subject": "vm_host",
+ "rule-enable:success": {
+ "subject": "rule",
"activity": "enable",
- "activity_type": "vm_host-enable",
+ "activity_type": "rule-enable",
"outcome": "success",
- "pretty_name": "Vm_host Enable",
- "description": "The usage configuration of a VM host was set to enabled",
+ "pretty_name": "Rule Enable",
+ "description": "A security rule was enabled on a security product or program",
"fields": {}
},
- "vm_host-enable:fail": {
- "subject": "vm_host",
+ "rule-enable:fail": {
+ "subject": "rule",
"activity": "enable",
- "activity_type": "vm_host-enable",
+ "activity_type": "rule-enable",
"outcome": "fail",
- "pretty_name": "Vm_host Enable",
- "description": "The usage configuration of a VM host was set to enabled",
+ "pretty_name": "Rule Enable",
+ "description": "A security rule was enabled on a security product or program",
"fields": {
"failure_reason": {
"core": "0",
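Review bot: the per-field flag set is inconsistent within `rule-trigger:fail`: `src_host` through `log_time` carry `"Status": "Default"`, while `local_user_name` through `subscription_code` do not, and only `local_user_name` carries `"enriched": "1"` (with all three weights at `"0"`). A capitalised `Status` key next to lowercase `core`/`detection`/`informational` also looks like an accidental addition. Either give every field the same key set (`"Status"`, `"enriched"` defaulted explicitly) or document that a missing key means `Default`/`"0"`, so a strict schema consumer does not reject half the fields.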
@@ -12401,22 +15902,22 @@
}
}
},
- "vm_host-disabled:success": {
- "subject": "vm_host",
- "activity": "disabled",
- "activity_type": "vm_host-disabled",
+ "rule-disable:success": {
+ "subject": "rule",
+ "activity": "disable",
+ "activity_type": "rule-disable",
"outcome": "success",
- "pretty_name": "Vm_host Disabled",
- "description": "The usage configuration of a VM host was set to disabled",
+ "pretty_name": "Rule Disable",
+ "description": "A security rule was disabled on a security product or program",
"fields": {}
},
- "vm_host-disabled:fail": {
- "subject": "vm_host",
- "activity": "disabled",
- "activity_type": "vm_host-disabled",
+ "rule-disable:fail": {
+ "subject": "rule",
+ "activity": "disable",
+ "activity_type": "rule-disable",
"outcome": "fail",
- "pretty_name": "Vm_host Disabled",
- "description": "The usage configuration of a VM host was set to disabled",
+ "pretty_name": "Rule Disable",
+ "description": "A security rule was disabled on a security product or program",
"fields": {
"failure_reason": {
"core": "0",
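Review bot: `rule-disable:fail` reuses the success description ("A security rule was disabled on a security product or program"), as does `rule-enable:fail` just above, while the `parser-*:fail` entries that follow in this patch describe the failure ("A parser creation failed ..."). Pick one convention for `:fail` descriptions; if the parser wording is the intended one, change this to something like "A security rule disable failed on a security product or program".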
@@ -12430,22 +15931,22 @@
}
}
},
- "workspace-create:success": {
- "subject": "workspace",
+ "parser-create:success": {
+ "subject": "parser",
"activity": "create",
- "activity_type": "workspace-create",
+ "activity_type": "parser-create",
"outcome": "success",
- "pretty_name": "Workspace Create",
- "description": "A workspace was created",
+ "pretty_name": "Parser Create",
+ "description": "A parser was created on a security product or program",
"fields": {}
},
- "workspace-create:fail": {
- "subject": "workspace",
+ "parser-create:fail": {
+ "subject": "parser",
"activity": "create",
- "activity_type": "workspace-create",
+ "activity_type": "parser-create",
"outcome": "fail",
- "pretty_name": "Workspace Create",
- "description": "A workspace was created",
+ "pretty_name": "Parser Create",
+ "description": "A parser creation failed on a security product or program",
"fields": {
"failure_reason": {
"core": "0",
@@ -12459,22 +15960,22 @@
}
}
},
- "workspace-delete:success": {
- "subject": "workspace",
+ "parser-delete:success": {
+ "subject": "parser",
"activity": "delete",
- "activity_type": "workspace-delete",
+ "activity_type": "parser-delete",
"outcome": "success",
- "pretty_name": "Workspace Delete",
- "description": "A workspace was deleted",
+ "pretty_name": "Parser Delete",
+ "description": "A parser was deleted on a security product or program",
"fields": {}
},
- "workspace-delete:fail": {
- "subject": "workspace",
+ "parser-delete:fail": {
+ "subject": "parser",
"activity": "delete",
- "activity_type": "workspace-delete",
+ "activity_type": "parser-delete",
"outcome": "fail",
- "pretty_name": "Workspace Delete",
- "description": "A workspace was deleted",
+ "pretty_name": "Parser Delete",
+ "description": "A parser deletion failed on a security product or program",
"fields": {
"failure_reason": {
"core": "0",
@@ -12488,22 +15989,22 @@
}
}
},
- "workspace-member-add:success": {
- "subject": "workspace",
- "activity": "member-add",
- "activity_type": "workspace-member-add",
+ "parser-modify:success": {
+ "subject": "parser",
+ "activity": "modify",
+ "activity_type": "parser-modify",
"outcome": "success",
- "pretty_name": "Workspace Member Add",
- "description": "A member was added to a workspace",
+ "pretty_name": "Parser Modify",
+ "description": "A parser was modified on a security product or program",
"fields": {}
},
- "workspace-member-add:fail": {
- "subject": "workspace",
- "activity": "member-add",
- "activity_type": "workspace-member-add",
+ "parser-modify:fail": {
+ "subject": "parser",
+ "activity": "modify",
+ "activity_type": "parser-modify",
"outcome": "fail",
- "pretty_name": "Workspace Member Add",
- "description": "A member was added to a workspace",
+ "pretty_name": "Parser Modify",
+ "description": "A parser modification failed on a security product or program",
"fields": {
"failure_reason": {
"core": "0",
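Review bot: `workspace-member-add:success`/`:fail` are removed here and, unlike `workspace-create` and `workspace-delete` which are re-added further down, do not reappear in this part of the patch; confirm they are re-added elsewhere rather than silently dropped. More generally, most of this diff is existing entries moving position while `rule-*` and `parser-*` are the functional additions; landing the reorder as its own commit would make the additions reviewable on their own.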
@@ -12517,22 +16018,22 @@
}
}
},
- "driver-load:success": {
- "subject": "driver",
- "activity": "load",
- "activity_type": "driver-load",
+ "parser-import:success": {
+ "subject": "parser",
+ "activity": "import",
+ "activity_type": "parser-import",
"outcome": "success",
- "pretty_name": "Driver Load",
- "description": "A driver object was loaded into the systems' kernel",
+ "pretty_name": "Parser Import",
+ "description": "A parser was imported on a security product or program",
"fields": {}
},
- "driver-load:fail": {
- "subject": "driver",
- "activity": "load",
- "activity_type": "driver-load",
+ "parser-import:fail": {
+ "subject": "parser",
+ "activity": "import",
+ "activity_type": "parser-import",
"outcome": "fail",
- "pretty_name": "Driver Load",
- "description": "A driver object was loaded into the systems' kernel",
+ "pretty_name": "Parser Import",
+ "description": "A parser import failed on a security product or program",
"fields": {
"failure_reason": {
"core": "0",
@@ -12546,22 +16047,22 @@
}
}
},
- "driver-unload:success": {
- "subject": "driver",
- "activity": "unload",
- "activity_type": "driver-unload",
+ "parser-enable:success": {
+ "subject": "parser",
+ "activity": "enable",
+ "activity_type": "parser-enable",
"outcome": "success",
- "pretty_name": "Driver Unload",
- "description": "A driver object was unloaded from the system's kernel",
+ "pretty_name": "Parser Enable",
+ "description": "A parser was enabled on a security product or program",
"fields": {}
},
- "driver-unload:fail": {
- "subject": "driver",
- "activity": "unload",
- "activity_type": "driver-unload",
+ "parser-enable:fail": {
+ "subject": "parser",
+ "activity": "enable",
+ "activity_type": "parser-enable",
"outcome": "fail",
- "pretty_name": "Driver Unload",
- "description": "A driver object was unloaded from the system's kernel",
+ "pretty_name": "Parser Enable",
+ "description": "A parser enable failed on a security product or program",
"fields": {
"failure_reason": {
"core": "0",
@@ -12575,40 +16076,22 @@
}
}
},
- "alert-trigger:success": {
- "subject": "alert",
- "activity": "trigger",
- "activity_type": "alert-trigger",
- "outcome": "success",
- "pretty_name": "Alert Trigger",
- "description": "An instance of an alert was triggered on the security product",
- "fields": {},
- "legacy_event_name": [
- "security-alert",
- "process-alert",
- "file-alert",
- "network-alert",
- "dlp-alert",
- "database-alert",
- "alert-iot"
- ]
- },
- "arp-traffic:success": {
- "subject": "arp",
- "activity": "traffic",
- "activity_type": "arp-traffic",
+ "parser-disable:success": {
+ "subject": "parser",
+ "activity": "disable",
+ "activity_type": "parser-disable",
"outcome": "success",
- "pretty_name": "Arp Traffic",
- "description": "A representation of a single ARP packet",
+ "pretty_name": "Parser Disable",
+ "description": "A parser was disabled on a security product or program",
"fields": {}
},
- "arp-traffic:fail": {
- "subject": "arp",
- "activity": "traffic",
- "activity_type": "arp-traffic",
+ "parser-disable:fail": {
+ "subject": "parser",
+ "activity": "disable",
+ "activity_type": "parser-disable",
"outcome": "fail",
- "pretty_name": "Arp Traffic",
- "description": "A representation of a single ARP packet",
+ "pretty_name": "Parser Disable",
+ "description": "A parser disable failed on a security product or program",
"fields": {
"failure_reason": {
"core": "0",
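Review bot: removing `alert-trigger:success` here also removes its `legacy_event_name` list (`security-alert`, `process-alert`, `file-alert`, `network-alert`, `dlp-alert`, `database-alert`, `alert-iot`); wherever `alert-trigger` is re-added, that list must come with it, otherwise events still emitted under the legacy names stop mapping to the activity type. The same check applies to `arp-traffic`, which is removed in this hunk without a visible replacement.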
@@ -12622,22 +16105,22 @@
}
}
},
- "bucket-create:success": {
- "subject": "bucket",
+ "secret-create:success": {
+ "subject": "secret",
"activity": "create",
- "activity_type": "bucket-create",
+ "activity_type": "secret-create",
"outcome": "success",
- "pretty_name": "Bucket Create",
- "description": "A bucket was created on the cloud application",
+ "pretty_name": "Secret Create",
+ "description": "Secret credentials were created",
"fields": {}
},
- "bucket-create:fail": {
- "subject": "bucket",
+ "secret-create:fail": {
+ "subject": "secret",
"activity": "create",
- "activity_type": "bucket-create",
+ "activity_type": "secret-create",
"outcome": "fail",
- "pretty_name": "Bucket Create",
- "description": "A bucket was created on the cloud application",
+ "pretty_name": "Secret Create",
+ "description": "Secret credentials were created",
"fields": {
"failure_reason": {
"core": "0",
@@ -12651,22 +16134,22 @@
}
}
},
- "bucket-list:success": {
- "subject": "bucket",
- "activity": "list",
- "activity_type": "bucket-list",
+ "secret-delete:success": {
+ "subject": "secret",
+ "activity": "delete",
+ "activity_type": "secret-delete",
"outcome": "success",
- "pretty_name": "Bucket List",
- "description": "Buckets were enumerated on the application",
+ "pretty_name": "Secret Delete",
+ "description": "Secret credentials were deleted",
"fields": {}
},
- "bucket-list:fail": {
- "subject": "bucket",
- "activity": "list",
- "activity_type": "bucket-list",
+ "secret-delete:fail": {
+ "subject": "secret",
+ "activity": "delete",
+ "activity_type": "secret-delete",
"outcome": "fail",
- "pretty_name": "Bucket List",
- "description": "Buckets were enumerated on the application",
+ "pretty_name": "Secret Delete",
+ "description": "Secret credentials were deleted",
"fields": {
"failure_reason": {
"core": "0",
@@ -12680,34 +16163,23 @@
}
}
},
- "bucket-policy-modify:success": {
- "subject": "bucket",
- "activity": "policy-modify",
- "activity_type": "bucket-policy-modify",
+ "secret-modify:success": {
+ "subject": "secret",
+ "activity": "modify",
+ "activity_type": "secret-modify",
"outcome": "success",
- "pretty_name": "Bucket Policy Modify",
- "description": "The security policy linked to the bucket was updated",
- "fields": {
- "policy_content": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
+ "pretty_name": "Secret Modify",
+ "description": "The vaule of secret credentails was changed",
+ "fields": {}
},
- "bucket-policy-modify:fail": {
- "subject": "bucket",
- "activity": "policy-modify",
- "activity_type": "bucket-policy-modify",
+ "secret-modify:fail": {
+ "subject": "secret",
+ "activity": "modify",
+ "activity_type": "secret-modify",
"outcome": "fail",
- "pretty_name": "Bucket Policy Modify",
- "description": "The security policy linked to the bucket was updated",
+ "pretty_name": "Secret Modify",
+ "description": "The vaule of secret credentails was changed",
"fields": {
- "policy_content": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
"failure_reason": {
"core": "0",
"detection": "1",
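Review bot: the `secret-modify` descriptions carry the typo "The vaule of secret credentails was changed" across the move; since the lines are being rewritten anyway, correct them to "The value of secret credentials was changed". Also note that the removed `bucket-policy-modify` entries had a `policy_content` field weighted `"detection": "1"`; when `bucket-policy-modify` is re-added, make sure that field is retained, as it is the only detection-weighted payload on that activity type.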
@@ -12720,22 +16192,22 @@
}
}
},
- "bucket-permission-modify:success": {
- "subject": "bucket",
- "activity": "permission-modify",
- "activity_type": "bucket-permission-modify",
+ "secret-copy:success": {
+ "subject": "secret",
+ "activity": "copy",
+ "activity_type": "secret-copy",
"outcome": "success",
- "pretty_name": "Bucket Permission Modify",
- "description": "The ACL or any other passive permission configuration applied to the bucket was updated",
+ "pretty_name": "Secret Copy",
+ "description": "A secret credentials object was copied",
"fields": {}
},
- "bucket-permission-modify:fail": {
- "subject": "bucket",
- "activity": "permission-modify",
- "activity_type": "bucket-permission-modify",
+ "secret-copy:fail": {
+ "subject": "secret",
+ "activity": "copy",
+ "activity_type": "secret-copy",
"outcome": "fail",
- "pretty_name": "Bucket Permission Modify",
- "description": "The ACL or any other passive permission configuration applied to the bucket was updated",
+ "pretty_name": "Secret Copy",
+ "description": "A secret credentials object was copied",
"fields": {
"failure_reason": {
"core": "0",
@@ -12749,22 +16221,22 @@
}
}
},
- "bucket-accessblock-modify:success": {
- "subject": "bucket",
- "activity": "accessblock-modify",
- "activity_type": "bucket-accessblock-modify",
+ "secret-read:success": {
+ "subject": "secret",
+ "activity": "read",
+ "activity_type": "secret-read",
"outcome": "success",
- "pretty_name": "Bucket Accessblock Modify",
- "description": "The public access block configuration of a bucket was changed",
+ "pretty_name": "Secret Read",
+ "description": "The content of a secret credentials object was read",
"fields": {}
},
- "bucket-accessblock-modify:fail": {
- "subject": "bucket",
- "activity": "accessblock-modify",
- "activity_type": "bucket-accessblock-modify",
+ "secret-read:fail": {
+ "subject": "secret",
+ "activity": "read",
+ "activity_type": "secret-read",
"outcome": "fail",
- "pretty_name": "Bucket Accessblock Modify",
- "description": "The public access block configuration of a bucket was changed",
+ "pretty_name": "Secret Read",
+ "description": "The content of a secret credentials object was read",
"fields": {
"failure_reason": {
"core": "0",
@@ -12778,52 +16250,50 @@
}
}
},
- "certificate-create:success": {
- "subject": "certificate",
- "activity": "create",
- "activity_type": "certificate-create",
+ "share_link-open:success": {
+ "subject": "share_link",
+ "activity": "open",
+ "activity_type": "share_link-open",
"outcome": "success",
- "pretty_name": "Certificate Create",
- "description": "A digital certificate object was created",
- "fields": {}
- },
- "certificate-create:fail": {
- "subject": "certificate",
- "activity": "create",
- "activity_type": "certificate-create",
- "outcome": "fail",
- "pretty_name": "Certificate Create",
- "description": "A digital certificate object was created",
+ "pretty_name": "Share_link Open",
+ "description": "A shared link that was sent to a user was opened",
"fields": {
- "failure_reason": {
+ "user": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "failure_code": {
+ "domain": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
- "certificate-exchange:success": {
- "subject": "certificate",
- "activity": "exchange",
- "activity_type": "certificate-exchange",
- "outcome": "success",
- "pretty_name": "Certificate Exchange",
- "description": "A digital certificate was exchanged with another in the process of an end to end authenticity check",
- "fields": {}
- },
- "certificate-exchange:fail": {
- "subject": "certificate",
- "activity": "exchange",
- "activity_type": "certificate-exchange",
+ "share_link-open:fail": {
+ "subject": "share_link",
+ "activity": "open",
+ "activity_type": "share_link-open",
"outcome": "fail",
- "pretty_name": "Certificate Exchange",
- "description": "A digital certificate was exchanged with another in the process of an end to end authenticity check",
+ "pretty_name": "Share_link Open",
+ "description": "A shared link that was sent to a user was opened",
"fields": {
+ "user": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
"failure_reason": {
"core": "0",
"detection": "1",
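Review bot: `domain_user_name` on `share_link-open` introduces an `"enriched": "1"` key with all three weights at `"0"`, the same shape as `local_user_name` on `rule-trigger`, but no other field in these entries carries an `enriched` key at all. If `enriched` is a new dimension of the field schema, document it alongside `core`/`detection`/`informational` and give it a default everywhere; if absence is meant to read as `"0"`, say so, because a consumer that validates a fixed key set will treat these two fields differently from the rest.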
@@ -12833,25 +16303,31 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
- "certificate-expire:success": {
- "subject": "certificate",
- "activity": "expire",
- "activity_type": "certificate-expire",
+ "vm_host-create:success": {
+ "subject": "vm_host",
+ "activity": "create",
+ "activity_type": "vm_host-create",
"outcome": "success",
- "pretty_name": "Certificate Expire",
- "description": "A digital certificate has timed out and expired",
+ "pretty_name": "Vm_host Create",
+ "description": "A VM host was created",
"fields": {}
},
- "certificate-expire:fail": {
- "subject": "certificate",
- "activity": "expire",
- "activity_type": "certificate-expire",
+ "vm_host-create:fail": {
+ "subject": "vm_host",
+ "activity": "create",
+ "activity_type": "vm_host-create",
"outcome": "fail",
- "pretty_name": "Certificate Expire",
- "description": "A digital certificate has timed out and expired",
+ "pretty_name": "Vm_host Create",
+ "description": "A VM host was created",
"fields": {
"failure_reason": {
"core": "0",
@@ -12865,22 +16341,22 @@
}
}
},
- "certificate-request:success": {
- "subject": "certificate",
- "activity": "request",
- "activity_type": "certificate-request",
+ "vm_host-delete:success": {
+ "subject": "vm_host",
+ "activity": "delete",
+ "activity_type": "vm_host-delete",
"outcome": "success",
- "pretty_name": "Certificate Request",
- "description": "A digital certificate enrollment or creation was requested by an entity",
+ "pretty_name": "Vm_host Delete",
+ "description": "A VM host was deleted",
"fields": {}
},
- "certificate-request:fail": {
- "subject": "certificate",
- "activity": "request",
- "activity_type": "certificate-request",
+ "vm_host-delete:fail": {
+ "subject": "vm_host",
+ "activity": "delete",
+ "activity_type": "vm_host-delete",
"outcome": "fail",
- "pretty_name": "Certificate Request",
- "description": "A digital certificate enrollment or creation was requested by an entity",
+ "pretty_name": "Vm_host Delete",
+ "description": "A VM host was deleted",
"fields": {
"failure_reason": {
"core": "0",
@@ -12894,22 +16370,22 @@
}
}
},
- "certificate-validate:success": {
- "subject": "certificate",
- "activity": "validate",
- "activity_type": "certificate-validate",
+ "vm_host-modify:success": {
+ "subject": "vm_host",
+ "activity": "modify",
+ "activity_type": "vm_host-modify",
"outcome": "success",
- "pretty_name": "Certificate Validate",
- "description": "The authenticity of a digital certificate was validated",
+ "pretty_name": "Vm_host Modify",
+ "description": "The properties or configuration of a VM host were changed",
"fields": {}
},
- "certificate-validate:fail": {
- "subject": "certificate",
- "activity": "validate",
- "activity_type": "certificate-validate",
+ "vm_host-modify:fail": {
+ "subject": "vm_host",
+ "activity": "modify",
+ "activity_type": "vm_host-modify",
"outcome": "fail",
- "pretty_name": "Certificate Validate",
- "description": "The authenticity of a digital certificate was validated",
+ "pretty_name": "Vm_host Modify",
+ "description": "The properties or configuration of a VM host were changed",
"fields": {
"failure_reason": {
"core": "0",
@@ -12923,22 +16399,22 @@
}
}
},
- "dns_record-create:success": {
- "subject": "dns_record",
- "activity": "create",
- "activity_type": "dns_record-create",
+ "vm_host-enable:success": {
+ "subject": "vm_host",
+ "activity": "enable",
+ "activity_type": "vm_host-enable",
"outcome": "success",
- "pretty_name": "Dns_record Create",
- "description": "A DNS record was created",
+ "pretty_name": "Vm_host Enable",
+ "description": "The usage configuration of a VM host was set to enabled",
"fields": {}
},
- "dns_record-create:fail": {
- "subject": "dns_record",
- "activity": "create",
- "activity_type": "dns_record-create",
+ "vm_host-enable:fail": {
+ "subject": "vm_host",
+ "activity": "enable",
+ "activity_type": "vm_host-enable",
"outcome": "fail",
- "pretty_name": "Dns_record Create",
- "description": "A DNS record was created",
+ "pretty_name": "Vm_host Enable",
+ "description": "The usage configuration of a VM host was set to enabled",
"fields": {
"failure_reason": {
"core": "0",
@@ -12952,22 +16428,22 @@
}
}
},
- "dns_record-delete:success": {
- "subject": "dns_record",
- "activity": "delete",
- "activity_type": "dns_record-delete",
+ "vm_host-disabled:success": {
+ "subject": "vm_host",
+ "activity": "disabled",
+ "activity_type": "vm_host-disabled",
"outcome": "success",
- "pretty_name": "Dns_record Delete",
- "description": "A DNS record was deleted",
+ "pretty_name": "Vm_host Disabled",
+ "description": "The usage configuration of a VM host was set to disabled",
"fields": {}
},
- "dns_record-delete:fail": {
- "subject": "dns_record",
- "activity": "delete",
- "activity_type": "dns_record-delete",
+ "vm_host-disabled:fail": {
+ "subject": "vm_host",
+ "activity": "disabled",
+ "activity_type": "vm_host-disabled",
"outcome": "fail",
- "pretty_name": "Dns_record Delete",
- "description": "A DNS record was deleted",
+ "pretty_name": "Vm_host Disabled",
+ "description": "The usage configuration of a VM host was set to disabled",
"fields": {
"failure_reason": {
"core": "0",
@@ -12981,22 +16457,22 @@
}
}
},
- "dns_record-modify:success": {
- "subject": "dns_record",
- "activity": "modify",
- "activity_type": "dns_record-modify",
+ "workspace-create:success": {
+ "subject": "workspace",
+ "activity": "create",
+ "activity_type": "workspace-create",
"outcome": "success",
- "pretty_name": "Dns_record Modify",
- "description": "The content of a DNS record was modified",
+ "pretty_name": "Workspace Create",
+ "description": "A workspace was created",
"fields": {}
},
- "dns_record-modify:fail": {
- "subject": "dns_record",
- "activity": "modify",
- "activity_type": "dns_record-modify",
+ "workspace-create:fail": {
+ "subject": "workspace",
+ "activity": "create",
+ "activity_type": "workspace-create",
"outcome": "fail",
- "pretty_name": "Dns_record Modify",
- "description": "The content of a DNS record was modified",
+ "pretty_name": "Workspace Create",
+ "description": "A workspace was created",
"fields": {
"failure_reason": {
"core": "0",
@@ -13010,22 +16486,22 @@
}
}
},
- "handle-close:success": {
- "subject": "handle",
- "activity": "close",
- "activity_type": "handle-close",
+ "workspace-delete:success": {
+ "subject": "workspace",
+ "activity": "delete",
+ "activity_type": "workspace-delete",
"outcome": "success",
- "pretty_name": "Handle Close",
- "description": "A windows handle was closed",
+ "pretty_name": "Workspace Delete",
+ "description": "A workspace was deleted",
"fields": {}
},
- "handle-close:fail": {
- "subject": "handle",
- "activity": "close",
- "activity_type": "handle-close",
+ "workspace-delete:fail": {
+ "subject": "workspace",
+ "activity": "delete",
+ "activity_type": "workspace-delete",
"outcome": "fail",
- "pretty_name": "Handle Close",
- "description": "A windows handle was closed",
+ "pretty_name": "Workspace Delete",
+ "description": "A workspace was deleted",
"fields": {
"failure_reason": {
"core": "0",
@@ -13039,22 +16515,22 @@
}
}
},
- "handle-copy:success": {
- "subject": "handle",
- "activity": "copy",
- "activity_type": "handle-copy",
+ "workspace-member-add:success": {
+ "subject": "workspace",
+ "activity": "member-add",
+ "activity_type": "workspace-member-add",
"outcome": "success",
- "pretty_name": "Handle Copy",
- "description": "A windows handle was copied",
+ "pretty_name": "Workspace Member Add",
+ "description": "A member was added to a workspace",
"fields": {}
},
- "handle-copy:fail": {
- "subject": "handle",
- "activity": "copy",
- "activity_type": "handle-copy",
+ "workspace-member-add:fail": {
+ "subject": "workspace",
+ "activity": "member-add",
+ "activity_type": "workspace-member-add",
"outcome": "fail",
- "pretty_name": "Handle Copy",
- "description": "A windows handle was copied",
+ "pretty_name": "Workspace Member Add",
+ "description": "A member was added to a workspace",
"fields": {
"failure_reason": {
"core": "0",
@@ -13068,22 +16544,22 @@
}
}
},
- "handle-open:success": {
- "subject": "handle",
- "activity": "open",
- "activity_type": "handle-open",
+ "driver-load:success": {
+ "subject": "driver",
+ "activity": "load",
+ "activity_type": "driver-load",
"outcome": "success",
- "pretty_name": "Handle Open",
- "description": "A windows handle was opened, giving access to the linked object",
+ "pretty_name": "Driver Load",
+ "description": "A driver object was loaded into the systems' kernel",
"fields": {}
},
- "handle-open:fail": {
- "subject": "handle",
- "activity": "open",
- "activity_type": "handle-open",
+ "driver-load:fail": {
+ "subject": "driver",
+ "activity": "load",
+ "activity_type": "driver-load",
"outcome": "fail",
- "pretty_name": "Handle Open",
- "description": "A windows handle was opened, giving access to the linked object",
+ "pretty_name": "Driver Load",
+ "description": "A driver object was loaded into the systems' kernel",
"fields": {
"failure_reason": {
"core": "0",
@@ -13097,22 +16573,22 @@
}
}
},
- "handle-request:success": {
- "subject": "handle",
- "activity": "request",
- "activity_type": "handle-request",
+ "driver-unload:success": {
+ "subject": "driver",
+ "activity": "unload",
+ "activity_type": "driver-unload",
"outcome": "success",
- "pretty_name": "Handle Request",
- "description": "A request was made to get access to a windows handle",
+ "pretty_name": "Driver Unload",
+ "description": "A driver object was unloaded from the system's kernel",
"fields": {}
},
- "handle-request:fail": {
- "subject": "handle",
- "activity": "request",
- "activity_type": "handle-request",
+ "driver-unload:fail": {
+ "subject": "driver",
+ "activity": "unload",
+ "activity_type": "driver-unload",
"outcome": "fail",
- "pretty_name": "Handle Request",
- "description": "A request was made to get access to a windows handle",
+ "pretty_name": "Driver Unload",
+ "description": "A driver object was unloaded from the system's kernel",
"fields": {
"failure_reason": {
"core": "0",
@@ -13126,109 +16602,208 @@
}
}
},
- "ip-assign:success": {
- "subject": "ip",
- "activity": "assign",
- "activity_type": "ip-assign",
+ "alert-trigger:success": {
+ "subject": "alert",
+ "activity": "trigger",
+ "activity_type": "alert-trigger",
"outcome": "success",
- "pretty_name": "Ip Assign",
- "description": "An IP was dispensed and is in use",
- "fields": {}
- },
- "ip-assign:fail": {
- "subject": "ip",
- "activity": "assign",
- "activity_type": "ip-assign",
- "outcome": "fail",
- "pretty_name": "Ip Assign",
- "description": "An IP was dispensed and is in use",
+ "pretty_name": "Alert Trigger",
+ "description": "An instance of an alert was triggered on the security product",
"fields": {
- "failure_reason": {
- "core": "0",
- "detection": "1",
+ "alert_type": {
+ "core": "1",
+ "detection": "0",
"informational": "0"
},
- "failure_code": {
+ "alert_subject": {
"core": "0",
"detection": "1",
+ "informational": "1"
+ },
+ "alert_severity": {
+ "core": "1",
+ "detection": "0",
"informational": "0"
- }
- }
- },
- "ip-free:success": {
- "subject": "ip",
- "activity": "free",
- "activity_type": "ip-free",
- "outcome": "success",
- "pretty_name": "Ip Free",
- "description": "An IP was freed from use and is now available to reassign",
- "fields": {}
- },
- "ip-free:fail": {
- "subject": "ip",
- "activity": "free",
- "activity_type": "ip-free",
- "outcome": "fail",
- "pretty_name": "Ip Free",
- "description": "An IP was freed from use and is now available to reassign",
- "fields": {
- "failure_reason": {
+ },
+ "alert_source": {
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "user": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "failure_code": {
+ "dest_host": {
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- },
- "key-create:success": {
- "subject": "key",
- "activity": "create",
- "activity_type": "key-create",
- "outcome": "success",
- "pretty_name": "Key Create",
- "description": "A global key object was created",
- "fields": {}
- },
- "key-create:fail": {
- "subject": "key",
- "activity": "create",
- "activity_type": "key-create",
- "outcome": "fail",
- "pretty_name": "Key Create",
- "description": "A global key object was created",
- "fields": {
- "failure_reason": {
+ },
+ "src_host": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "failure_code": {
+ "dest_ip": {
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "dest_port": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "bytes": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "protocol": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "top_domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "cid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1",
+ "enriched": "0"
}
- }
+ },
+ "legacy_event_name": [
+ "security-alert",
+ "process-alert",
+ "file-alert",
+ "network-alert",
+ "dlp-alert",
+ "database-alert",
+ "alert-iot"
+ ]
},
- "key-delete:success": {
- "subject": "key",
+ "alert-modify:success": {
+ "subject": "alert",
+ "activity": "modify",
+ "activity_type": "alert-modify",
+ "outcome": "success",
+ "pretty_name": "Alert Modify",
+ "description": "",
+ "fields": {}
+ },
+ "alert-modify:fail": {
+ "subject": "alert",
+ "activity": "modify",
+ "activity_type": "alert-modify",
+ "outcome": "fail",
+ "pretty_name": "Alert Modify",
+ "description": "",
+ "fields": {}
+ },
+ "alert-create:success": {
+ "subject": "alert",
+ "activity": "create",
+ "activity_type": "alert-create",
+ "outcome": "success",
+ "pretty_name": "Alert Create",
+ "description": "",
+ "fields": {}
+ },
+ "alert-create:fail": {
+ "subject": "alert",
+ "activity": "create",
+ "activity_type": "alert-create",
+ "outcome": "fail",
+ "pretty_name": "Alert Create",
+ "description": "",
+ "fields": {}
+ },
+ "alert-read:success": {
+ "subject": "alert",
+ "activity": "read",
+ "activity_type": "alert-read",
+ "outcome": "success",
+ "pretty_name": "Alert Read",
+ "description": "",
+ "fields": {}
+ },
+ "alert-read:fail": {
+ "subject": "alert",
+ "activity": "read",
+ "activity_type": "alert-read",
+ "outcome": "fail",
+ "pretty_name": "Alert Read",
+ "description": "",
+ "fields": {}
+ },
+ "alert-delete:success": {
+ "subject": "alert",
"activity": "delete",
- "activity_type": "key-delete",
+ "activity_type": "alert-delete",
"outcome": "success",
- "pretty_name": "Key Delete",
- "description": "A global key object was deleted",
+ "pretty_name": "Alert Delete",
+ "description": "",
"fields": {}
},
- "key-delete:fail": {
- "subject": "key",
+ "alert-delete:fail": {
+ "subject": "alert",
"activity": "delete",
- "activity_type": "key-delete",
+ "activity_type": "alert-delete",
"outcome": "fail",
- "pretty_name": "Key Delete",
- "description": "A global key object was deleted",
+ "pretty_name": "Alert Delete",
+ "description": "",
+ "fields": {}
+ },
+ "case-read:success": {
+ "subject": "case",
+ "activity": "read",
+ "activity_type": "case-read",
+ "outcome": "success",
+ "pretty_name": "Case Read",
+ "description": "",
+ "fields": {}
+ },
+ "case-read:fail": {
+ "subject": "case",
+ "activity": "read",
+ "activity_type": "case-read",
+ "outcome": "fail",
+ "pretty_name": "Case Read",
+ "description": "",
+ "fields": {}
+ },
+ "arp-traffic:success": {
+ "subject": "arp",
+ "activity": "traffic",
+ "activity_type": "arp-traffic",
+ "outcome": "success",
+ "pretty_name": "Arp Traffic",
+ "description": "A representation of a single ARP packet",
+ "fields": {}
+ },
+ "arp-traffic:fail": {
+ "subject": "arp",
+ "activity": "traffic",
+ "activity_type": "arp-traffic",
+ "outcome": "fail",
+ "pretty_name": "Arp Traffic",
+ "description": "A representation of a single ARP packet",
"fields": {
"failure_reason": {
"core": "0",
@@ -13242,22 +16817,22 @@
}
}
},
- "key-migrate:success": {
- "subject": "key",
- "activity": "migrate",
- "activity_type": "key-migrate",
+ "bucket-create:success": {
+ "subject": "bucket",
+ "activity": "create",
+ "activity_type": "bucket-create",
"outcome": "success",
- "pretty_name": "Key Migrate",
- "description": "A global key object was migrated between vaults",
+ "pretty_name": "Bucket Create",
+ "description": "A bucket was created on the cloud application",
"fields": {}
},
- "key-migrate:fail": {
- "subject": "key",
- "activity": "migrate",
- "activity_type": "key-migrate",
+ "bucket-create:fail": {
+ "subject": "bucket",
+ "activity": "create",
+ "activity_type": "bucket-create",
"outcome": "fail",
- "pretty_name": "Key Migrate",
- "description": "A global key object was migrated between vaults",
+ "pretty_name": "Bucket Create",
+ "description": "A bucket was created on the cloud application",
"fields": {
"failure_reason": {
"core": "0",
@@ -13271,22 +16846,22 @@
}
}
},
- "key-read:success": {
- "subject": "key",
- "activity": "read",
- "activity_type": "key-read",
+ "bucket-list:success": {
+ "subject": "bucket",
+ "activity": "list",
+ "activity_type": "bucket-list",
"outcome": "success",
- "pretty_name": "Key Read",
- "description": "A request was made to read the content or properties of a key",
+ "pretty_name": "Bucket List",
+ "description": "Buckets were enumerated on the application",
"fields": {}
},
- "key-read:fail": {
- "subject": "key",
- "activity": "read",
- "activity_type": "key-read",
+ "bucket-list:fail": {
+ "subject": "bucket",
+ "activity": "list",
+ "activity_type": "bucket-list",
"outcome": "fail",
- "pretty_name": "Key Read",
- "description": "A request was made to read the content or properties of a key",
+ "pretty_name": "Bucket List",
+ "description": "Buckets were enumerated on the application",
"fields": {
"failure_reason": {
"core": "0",
@@ -13300,52 +16875,34 @@
}
}
},
- "port-block:success": {
- "subject": "port",
- "activity": "block",
- "activity_type": "port-block",
+ "bucket-policy-modify:success": {
+ "subject": "bucket",
+ "activity": "policy-modify",
+ "activity_type": "bucket-policy-modify",
"outcome": "success",
- "pretty_name": "Port Block",
- "description": "A port was blocked, dropping traffic that comes throug",
- "fields": {}
- },
- "port-block:fail": {
- "subject": "port",
- "activity": "block",
- "activity_type": "port-block",
- "outcome": "fail",
- "pretty_name": "Port Block",
- "description": "A port was blocked, dropping traffic that comes throug",
+ "pretty_name": "Bucket Policy Modify",
+ "description": "The security policy linked to the bucket was updated",
"fields": {
- "failure_reason": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "failure_code": {
+ "policy_content": {
"core": "0",
"detection": "1",
"informational": "0"
}
}
},
- "port-disable:success": {
- "subject": "port",
- "activity": "disable",
- "activity_type": "port-disable",
- "outcome": "success",
- "pretty_name": "Port Disable",
- "description": "A port was disabled",
- "fields": {}
- },
- "port-disable:fail": {
- "subject": "port",
- "activity": "disable",
- "activity_type": "port-disable",
+ "bucket-policy-modify:fail": {
+ "subject": "bucket",
+ "activity": "policy-modify",
+ "activity_type": "bucket-policy-modify",
"outcome": "fail",
- "pretty_name": "Port Disable",
- "description": "A port was disabled",
+ "pretty_name": "Bucket Policy Modify",
+ "description": "The security policy linked to the bucket was updated",
"fields": {
+ "policy_content": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
"failure_reason": {
"core": "0",
"detection": "1",
@@ -13358,22 +16915,22 @@
}
}
},
- "port-enable:success": {
- "subject": "port",
- "activity": "enable",
- "activity_type": "port-enable",
+ "bucket-permission-modify:success": {
+ "subject": "bucket",
+ "activity": "permission-modify",
+ "activity_type": "bucket-permission-modify",
"outcome": "success",
- "pretty_name": "Port Enable",
- "description": "A port was enabled",
+ "pretty_name": "Bucket Permission Modify",
+ "description": "The ACL or any other passive permission configuration applied to the bucket was updated",
"fields": {}
},
- "port-enable:fail": {
- "subject": "port",
- "activity": "enable",
- "activity_type": "port-enable",
+ "bucket-permission-modify:fail": {
+ "subject": "bucket",
+ "activity": "permission-modify",
+ "activity_type": "bucket-permission-modify",
"outcome": "fail",
- "pretty_name": "Port Enable",
- "description": "A port was enabled",
+ "pretty_name": "Bucket Permission Modify",
+ "description": "The ACL or any other passive permission configuration applied to the bucket was updated",
"fields": {
"failure_reason": {
"core": "0",
@@ -13387,22 +16944,22 @@
}
}
},
- "smtp-close:success": {
- "subject": "smtp",
- "activity": "close",
- "activity_type": "smtp-close",
+ "bucket-accessblock-modify:success": {
+ "subject": "bucket",
+ "activity": "accessblock-modify",
+ "activity_type": "bucket-accessblock-modify",
"outcome": "success",
- "pretty_name": "Smtp Close",
- "description": "A SMTP session was terminated",
+ "pretty_name": "Bucket Accessblock Modify",
+ "description": "The public access block configuration of a bucket was changed",
"fields": {}
},
- "smtp-close:fail": {
- "subject": "smtp",
- "activity": "close",
- "activity_type": "smtp-close",
+ "bucket-accessblock-modify:fail": {
+ "subject": "bucket",
+ "activity": "accessblock-modify",
+ "activity_type": "bucket-accessblock-modify",
"outcome": "fail",
- "pretty_name": "Smtp Close",
- "description": "A SMTP session was terminated",
+ "pretty_name": "Bucket Accessblock Modify",
+ "description": "The public access block configuration of a bucket was changed",
"fields": {
"failure_reason": {
"core": "0",
@@ -13416,22 +16973,22 @@
}
}
},
- "smtp-start:success": {
- "subject": "smtp",
- "activity": "start",
- "activity_type": "smtp-start",
+ "certificate-create:success": {
+ "subject": "certificate",
+ "activity": "create",
+ "activity_type": "certificate-create",
"outcome": "success",
- "pretty_name": "Smtp Start",
- "description": "A SMTP sesssion was initiated",
+ "pretty_name": "Certificate Create",
+ "description": "A digital certificate object was created",
"fields": {}
},
- "smtp-start:fail": {
- "subject": "smtp",
- "activity": "start",
- "activity_type": "smtp-start",
+ "certificate-create:fail": {
+ "subject": "certificate",
+ "activity": "create",
+ "activity_type": "certificate-create",
"outcome": "fail",
- "pretty_name": "Smtp Start",
- "description": "A SMTP sesssion was initiated",
+ "pretty_name": "Certificate Create",
+ "description": "A digital certificate object was created",
"fields": {
"failure_reason": {
"core": "0",
@@ -13445,22 +17002,22 @@
}
}
},
- "snapshot-create:success": {
- "subject": "snapshot",
- "activity": "create",
- "activity_type": "snapshot-create",
+ "certificate-exchange:success": {
+ "subject": "certificate",
+ "activity": "exchange",
+ "activity_type": "certificate-exchange",
"outcome": "success",
- "pretty_name": "Snapshot Create",
- "description": "A snapshot was created",
+ "pretty_name": "Certificate Exchange",
+ "description": "A digital certificate was exchanged with another in the process of an end to end authenticity check",
"fields": {}
},
- "snapshot-create:fail": {
- "subject": "snapshot",
- "activity": "create",
- "activity_type": "snapshot-create",
+ "certificate-exchange:fail": {
+ "subject": "certificate",
+ "activity": "exchange",
+ "activity_type": "certificate-exchange",
"outcome": "fail",
- "pretty_name": "Snapshot Create",
- "description": "A snapshot was created",
+ "pretty_name": "Certificate Exchange",
+ "description": "A digital certificate was exchanged with another in the process of an end to end authenticity check",
"fields": {
"failure_reason": {
"core": "0",
@@ -13474,22 +17031,22 @@
}
}
},
- "snapshot-list:success": {
- "subject": "snapshot",
- "activity": "list",
- "activity_type": "snapshot-list",
+ "certificate-expire:success": {
+ "subject": "certificate",
+ "activity": "expire",
+ "activity_type": "certificate-expire",
"outcome": "success",
- "pretty_name": "Snapshot List",
- "description": "An enumeration of snapshot resources took place",
+ "pretty_name": "Certificate Expire",
+ "description": "A digital certificate has timed out and expired",
"fields": {}
},
- "snapshot-list:fail": {
- "subject": "snapshot",
- "activity": "list",
- "activity_type": "snapshot-list",
+ "certificate-expire:fail": {
+ "subject": "certificate",
+ "activity": "expire",
+ "activity_type": "certificate-expire",
"outcome": "fail",
- "pretty_name": "Snapshot List",
- "description": "An enumeration of snapshot resources took place",
+ "pretty_name": "Certificate Expire",
+ "description": "A digital certificate has timed out and expired",
"fields": {
"failure_reason": {
"core": "0",
@@ -13503,22 +17060,22 @@
}
}
},
- "snapshot-modify:success": {
- "subject": "snapshot",
- "activity": "modify",
- "activity_type": "snapshot-modify",
+ "certificate-request:success": {
+ "subject": "certificate",
+ "activity": "request",
+ "activity_type": "certificate-request",
"outcome": "success",
- "pretty_name": "Snapshot Modify",
- "description": "The configuration or properties of a snapshot were modified",
+ "pretty_name": "Certificate Request",
+ "description": "A digital certificate enrollment or creation was requested by an entity",
"fields": {}
},
- "snapshot-modify:fail": {
- "subject": "snapshot",
- "activity": "modify",
- "activity_type": "snapshot-modify",
+ "certificate-request:fail": {
+ "subject": "certificate",
+ "activity": "request",
+ "activity_type": "certificate-request",
"outcome": "fail",
- "pretty_name": "Snapshot Modify",
- "description": "The configuration or properties of a snapshot were modified",
+ "pretty_name": "Certificate Request",
+ "description": "A digital certificate enrollment or creation was requested by an entity",
"fields": {
"failure_reason": {
"core": "0",
@@ -13532,22 +17089,22 @@
}
}
},
- "snapshot-read:success": {
- "subject": "snapshot",
- "activity": "read",
- "activity_type": "snapshot-read",
+ "certificate-validate:success": {
+ "subject": "certificate",
+ "activity": "validate",
+ "activity_type": "certificate-validate",
"outcome": "success",
- "pretty_name": "Snapshot Read",
- "description": "A request to read the content of a snapshot was made",
+ "pretty_name": "Certificate Validate",
+ "description": "The authenticity of a digital certificate was validated",
"fields": {}
},
- "snapshot-read:fail": {
- "subject": "snapshot",
- "activity": "read",
- "activity_type": "snapshot-read",
+ "certificate-validate:fail": {
+ "subject": "certificate",
+ "activity": "validate",
+ "activity_type": "certificate-validate",
"outcome": "fail",
- "pretty_name": "Snapshot Read",
- "description": "A request to read the content of a snapshot was made",
+ "pretty_name": "Certificate Validate",
+ "description": "The authenticity of a digital certificate was validated",
"fields": {
"failure_reason": {
"core": "0",
@@ -13561,22 +17118,22 @@
}
}
},
- "clipboard-read:success": {
- "subject": "clipboard",
- "activity": "read",
- "activity_type": "clipboard-read",
+ "dns_record-create:success": {
+ "subject": "dns_record",
+ "activity": "create",
+ "activity_type": "dns_record-create",
"outcome": "success",
- "pretty_name": "Clipboard Read",
- "description": "A request was made to read the content of the clipboard",
+ "pretty_name": "Dns_record Create",
+ "description": "A DNS record was created",
"fields": {}
},
- "clipboard-read:fail": {
- "subject": "clipboard",
- "activity": "read",
- "activity_type": "clipboard-read",
+ "dns_record-create:fail": {
+ "subject": "dns_record",
+ "activity": "create",
+ "activity_type": "dns_record-create",
"outcome": "fail",
- "pretty_name": "Clipboard Read",
- "description": "A request was made to read the content of the clipboard",
+ "pretty_name": "Dns_record Create",
+ "description": "A DNS record was created",
"fields": {
"failure_reason": {
"core": "0",
@@ -13590,22 +17147,22 @@
}
}
},
- "ds-replication:success": {
- "subject": "ds",
- "activity": "replication",
- "activity_type": "ds-replication",
+ "dns_record-delete:success": {
+ "subject": "dns_record",
+ "activity": "delete",
+ "activity_type": "dns_record-delete",
"outcome": "success",
- "pretty_name": "Ds Replication",
- "description": "A part of a directory service replication process is taking place",
+ "pretty_name": "Dns_record Delete",
+ "description": "A DNS record was deleted",
"fields": {}
},
- "ds-replication:fail": {
- "subject": "ds",
- "activity": "replication",
- "activity_type": "ds-replication",
+ "dns_record-delete:fail": {
+ "subject": "dns_record",
+ "activity": "delete",
+ "activity_type": "dns_record-delete",
"outcome": "fail",
- "pretty_name": "Ds Replication",
- "description": "A part of a directory service replication process is taking place",
+ "pretty_name": "Dns_record Delete",
+ "description": "A DNS record was deleted",
"fields": {
"failure_reason": {
"core": "0",
@@ -13619,22 +17176,22 @@
}
}
},
- "ds-replication-modify:success": {
- "subject": "ds",
- "activity": "replication-modify",
- "activity_type": "ds-replication-modify",
+ "dns_record-modify:success": {
+ "subject": "dns_record",
+ "activity": "modify",
+ "activity_type": "dns_record-modify",
"outcome": "success",
- "pretty_name": "Ds Replication Modify",
- "description": "The configuration of the replication process of the directory service was modified",
+ "pretty_name": "Dns_record Modify",
+ "description": "The content of a DNS record was modified",
"fields": {}
},
- "ds-replication-modify:fail": {
- "subject": "ds",
- "activity": "replication-modify",
- "activity_type": "ds-replication-modify",
+ "dns_record-modify:fail": {
+ "subject": "dns_record",
+ "activity": "modify",
+ "activity_type": "dns_record-modify",
"outcome": "fail",
- "pretty_name": "Ds Replication Modify",
- "description": "The configuration of the replication process of the directory service was modified",
+ "pretty_name": "Dns_record Modify",
+ "description": "The content of a DNS record was modified",
"fields": {
"failure_reason": {
"core": "0",
@@ -13648,22 +17205,22 @@
}
}
},
- "ds-replication-start:success": {
- "subject": "ds",
- "activity": "replication-start",
- "activity_type": "ds-replication-start",
+ "handle-close:success": {
+ "subject": "handle",
+ "activity": "close",
+ "activity_type": "handle-close",
"outcome": "success",
- "pretty_name": "Ds Replication Start",
- "description": "A directory service replication has started",
+ "pretty_name": "Handle Close",
+ "description": "A windows handle was closed",
"fields": {}
},
- "ds-replication-start:fail": {
- "subject": "ds",
- "activity": "replication-start",
- "activity_type": "ds-replication-start",
+ "handle-close:fail": {
+ "subject": "handle",
+ "activity": "close",
+ "activity_type": "handle-close",
"outcome": "fail",
- "pretty_name": "Ds Replication Start",
- "description": "A directory service replication has started",
+ "pretty_name": "Handle Close",
+ "description": "A windows handle was closed",
"fields": {
"failure_reason": {
"core": "0",
@@ -13677,22 +17234,22 @@
}
}
},
- "ds-replication-stop:success": {
- "subject": "ds",
- "activity": "replication-stop",
- "activity_type": "ds-replication-stop",
+ "handle-copy:success": {
+ "subject": "handle",
+ "activity": "copy",
+ "activity_type": "handle-copy",
"outcome": "success",
- "pretty_name": "Ds Replication Stop",
- "description": "A directory service replication has ended",
+ "pretty_name": "Handle Copy",
+ "description": "A windows handle was copied",
"fields": {}
},
- "ds-replication-stop:fail": {
- "subject": "ds",
- "activity": "replication-stop",
- "activity_type": "ds-replication-stop",
+ "handle-copy:fail": {
+ "subject": "handle",
+ "activity": "copy",
+ "activity_type": "handle-copy",
"outcome": "fail",
- "pretty_name": "Ds Replication Stop",
- "description": "A directory service replication has ended",
+ "pretty_name": "Handle Copy",
+ "description": "A windows handle was copied",
"fields": {
"failure_reason": {
"core": "0",
@@ -13706,22 +17263,22 @@
}
}
},
- "script-execute:success": {
- "subject": "script",
- "activity": "execute",
- "activity_type": "script-execute",
+ "handle-open:success": {
+ "subject": "handle",
+ "activity": "open",
+ "activity_type": "handle-open",
"outcome": "success",
- "pretty_name": "Script Execute",
- "description": "Scripting commands were executed on the system",
+ "pretty_name": "Handle Open",
+ "description": "A windows handle was opened, giving access to the linked object",
"fields": {}
},
- "script-execute:fail": {
- "subject": "script",
- "activity": "execute",
- "activity_type": "script-execute",
+ "handle-open:fail": {
+ "subject": "handle",
+ "activity": "open",
+ "activity_type": "handle-open",
"outcome": "fail",
- "pretty_name": "Script Execute",
- "description": "Scripting commands were executed on the system",
+ "pretty_name": "Handle Open",
+ "description": "A windows handle was opened, giving access to the linked object",
"fields": {
"failure_reason": {
"core": "0",
@@ -13735,22 +17292,22 @@
}
}
},
- "ssl-start:success": {
- "subject": "ssl",
- "activity": "start",
- "activity_type": "ssl-start",
+ "handle-request:success": {
+ "subject": "handle",
+ "activity": "request",
+ "activity_type": "handle-request",
"outcome": "success",
- "pretty_name": "Ssl Start",
- "description": "A SSL session was initiated",
+ "pretty_name": "Handle Request",
+ "description": "A request was made to get access to a windows handle",
"fields": {}
},
- "ssl-start:fail": {
- "subject": "ssl",
- "activity": "start",
- "activity_type": "ssl-start",
+ "handle-request:fail": {
+ "subject": "handle",
+ "activity": "request",
+ "activity_type": "handle-request",
"outcome": "fail",
- "pretty_name": "Ssl Start",
- "description": "A SSL session was initiated",
+ "pretty_name": "Handle Request",
+ "description": "A request was made to get access to a windows handle",
"fields": {
"failure_reason": {
"core": "0",
@@ -13764,22 +17321,22 @@
}
}
},
- "ssl-traffic:success": {
- "subject": "ssl",
- "activity": "traffic",
- "activity_type": "ssl-traffic",
+ "ip-assign:success": {
+ "subject": "ip",
+ "activity": "assign",
+ "activity_type": "ip-assign",
"outcome": "success",
- "pretty_name": "Ssl Traffic",
- "description": "A representation of a single SSL packet",
+ "pretty_name": "Ip Assign",
+ "description": "An IP was dispensed and is in use",
"fields": {}
},
- "ssl-traffic:fail": {
- "subject": "ssl",
- "activity": "traffic",
- "activity_type": "ssl-traffic",
+ "ip-assign:fail": {
+ "subject": "ip",
+ "activity": "assign",
+ "activity_type": "ip-assign",
"outcome": "fail",
- "pretty_name": "Ssl Traffic",
- "description": "A representation of a single SSL packet",
+ "pretty_name": "Ip Assign",
+ "description": "An IP was dispensed and is in use",
"fields": {
"failure_reason": {
"core": "0",
@@ -13793,22 +17350,22 @@
}
}
},
- "ssl-close:success": {
- "subject": "ssl",
- "activity": "close",
- "activity_type": "ssl-close",
+ "ip-free:success": {
+ "subject": "ip",
+ "activity": "free",
+ "activity_type": "ip-free",
"outcome": "success",
- "pretty_name": "Ssl Close",
- "description": "A SSL session was terminated",
+ "pretty_name": "Ip Free",
+ "description": "An IP was freed from use and is now available to reassign",
"fields": {}
},
- "ssl-close:fail": {
- "subject": "ssl",
- "activity": "close",
- "activity_type": "ssl-close",
+ "ip-free:fail": {
+ "subject": "ip",
+ "activity": "free",
+ "activity_type": "ip-free",
"outcome": "fail",
- "pretty_name": "Ssl Close",
- "description": "A SSL session was terminated",
+ "pretty_name": "Ip Free",
+ "description": "An IP was freed from use and is now available to reassign",
"fields": {
"failure_reason": {
"core": "0",
@@ -13822,22 +17379,22 @@
}
}
},
- "link-create:success": {
- "subject": "link",
+ "key-create:success": {
+ "subject": "key",
"activity": "create",
- "activity_type": "link-create",
+ "activity_type": "key-create",
"outcome": "success",
- "pretty_name": "Link Create",
- "description": "A link was created between two endpoint objects",
+ "pretty_name": "Key Create",
+ "description": "A global key object was created",
"fields": {}
},
- "link-create:fail": {
- "subject": "link",
+ "key-create:fail": {
+ "subject": "key",
"activity": "create",
- "activity_type": "link-create",
+ "activity_type": "key-create",
"outcome": "fail",
- "pretty_name": "Link Create",
- "description": "A link was created between two endpoint objects",
+ "pretty_name": "Key Create",
+ "description": "A global key object was created",
"fields": {
"failure_reason": {
"core": "0",
@@ -13851,22 +17408,22 @@
}
}
},
- "policy-write:success": {
- "subject": "policy",
- "activity": "write",
- "activity_type": "policy-write",
+ "key-delete:success": {
+ "subject": "key",
+ "activity": "delete",
+ "activity_type": "key-delete",
"outcome": "success",
- "pretty_name": "Policy Write",
- "description": "A policy document was created or modified, only used as a catch all if create or modify cannot be determined",
+ "pretty_name": "Key Delete",
+ "description": "A global key object was deleted",
"fields": {}
},
- "policy-write:fail": {
- "subject": "policy",
- "activity": "write",
- "activity_type": "policy-write",
+ "key-delete:fail": {
+ "subject": "key",
+ "activity": "delete",
+ "activity_type": "key-delete",
"outcome": "fail",
- "pretty_name": "Policy Write",
- "description": "A policy document was created or modified, only used as a catch all if create or modify cannot be determined",
+ "pretty_name": "Key Delete",
+ "description": "A global key object was deleted",
"fields": {
"failure_reason": {
"core": "0",
@@ -13880,22 +17437,22 @@
}
}
},
- "endpoint-key-create:success": {
- "subject": "endpoint",
- "activity": "key-create",
- "activity_type": "endpoint-key-create",
+ "key-migrate:success": {
+ "subject": "key",
+ "activity": "migrate",
+ "activity_type": "key-migrate",
"outcome": "success",
- "pretty_name": "Endpoint Key Create",
- "description": "An endpoint security key was created",
+ "pretty_name": "Key Migrate",
+ "description": "A global key object was migrated between vaults",
"fields": {}
},
- "endpoint-key-create:fail": {
- "subject": "endpoint",
- "activity": "key-create",
- "activity_type": "endpoint-key-create",
+ "key-migrate:fail": {
+ "subject": "key",
+ "activity": "migrate",
+ "activity_type": "key-migrate",
"outcome": "fail",
- "pretty_name": "Endpoint Key Create",
- "description": "An endpoint security key was created",
+ "pretty_name": "Key Migrate",
+ "description": "A global key object was migrated between vaults",
"fields": {
"failure_reason": {
"core": "0",
@@ -13909,22 +17466,22 @@
}
}
},
- "endpoint-key-write:success": {
- "subject": "endpoint",
- "activity": "key-write",
- "activity_type": "endpoint-key-write",
+ "key-read:success": {
+ "subject": "key",
+ "activity": "read",
+ "activity_type": "key-read",
"outcome": "success",
- "pretty_name": "Endpoint Key Write",
- "description": "An endpoint security key was created or modified, only used as a catch all if create or modify cannot be determined",
+ "pretty_name": "Key Read",
+ "description": "A request was made to read the content or properties of a key",
"fields": {}
},
- "endpoint-key-write:fail": {
- "subject": "endpoint",
- "activity": "key-write",
- "activity_type": "endpoint-key-write",
+ "key-read:fail": {
+ "subject": "key",
+ "activity": "read",
+ "activity_type": "key-read",
"outcome": "fail",
- "pretty_name": "Endpoint Key Write",
- "description": "An endpoint security key was created or modified, only used as a catch all if create or modify cannot be determined",
+ "pretty_name": "Key Read",
+ "description": "A request was made to read the content or properties of a key",
"fields": {
"failure_reason": {
"core": "0",
@@ -13938,22 +17495,22 @@
}
}
},
- "user-key-create:success": {
- "subject": "user",
- "activity": "key-create",
- "activity_type": "user-key-create",
+ "port-block:success": {
+ "subject": "port",
+ "activity": "block",
+ "activity_type": "port-block",
"outcome": "success",
- "pretty_name": "User Key Create",
- "description": "A user security key was created",
+ "pretty_name": "Port Block",
+ "description": "A port was blocked, dropping traffic that comes throug",
"fields": {}
},
- "user-key-create:fail": {
- "subject": "user",
- "activity": "key-create",
- "activity_type": "user-key-create",
+ "port-block:fail": {
+ "subject": "port",
+ "activity": "block",
+ "activity_type": "port-block",
"outcome": "fail",
- "pretty_name": "User Key Create",
- "description": "A user security key was created",
+ "pretty_name": "Port Block",
+ "description": "A port was blocked, dropping traffic that comes throug",
"fields": {
"failure_reason": {
"core": "0",
@@ -13967,22 +17524,22 @@
}
}
},
- "role-write:success": {
- "subject": "role",
- "activity": "write",
- "activity_type": "role-write",
+ "port-disable:success": {
+ "subject": "port",
+ "activity": "disable",
+ "activity_type": "port-disable",
"outcome": "success",
- "pretty_name": "Role Write",
- "description": "A role identity was created or modified, only used as a catch all if create or modify cannot be determined",
+ "pretty_name": "Port Disable",
+ "description": "A port was disabled",
"fields": {}
},
- "role-write:fail": {
- "subject": "role",
- "activity": "write",
- "activity_type": "role-write",
+ "port-disable:fail": {
+ "subject": "port",
+ "activity": "disable",
+ "activity_type": "port-disable",
"outcome": "fail",
- "pretty_name": "Role Write",
- "description": "A role identity was created or modified, only used as a catch all if create or modify cannot be determined",
+ "pretty_name": "Port Disable",
+ "description": "A port was disabled",
"fields": {
"failure_reason": {
"core": "0",
@@ -13996,22 +17553,22 @@
}
}
},
- "function-create:success": {
- "subject": "function",
- "activity": "create",
- "activity_type": "function-create",
+ "port-enable:success": {
+ "subject": "port",
+ "activity": "enable",
+ "activity_type": "port-enable",
"outcome": "success",
- "pretty_name": "Function Create",
- "description": "An automation cloud function was created",
+ "pretty_name": "Port Enable",
+ "description": "A port was enabled",
"fields": {}
},
- "function-create:fail": {
- "subject": "function",
- "activity": "create",
- "activity_type": "function-create",
+ "port-enable:fail": {
+ "subject": "port",
+ "activity": "enable",
+ "activity_type": "port-enable",
"outcome": "fail",
- "pretty_name": "Function Create",
- "description": "An automation cloud function was created",
+ "pretty_name": "Port Enable",
+ "description": "A port was enabled",
"fields": {
"failure_reason": {
"core": "0",
@@ -14025,22 +17582,22 @@
}
}
},
- "function-modify:success": {
- "subject": "function",
- "activity": "modify",
- "activity_type": "function-modify",
+ "smtp-close:success": {
+ "subject": "smtp",
+ "activity": "close",
+ "activity_type": "smtp-close",
"outcome": "success",
- "pretty_name": "Function Modify",
- "description": "An automation cloud function's code or configuration was modified",
+ "pretty_name": "Smtp Close",
+ "description": "A SMTP session was terminated",
"fields": {}
},
- "function-modify:fail": {
- "subject": "function",
- "activity": "modify",
- "activity_type": "function-modify",
+ "smtp-close:fail": {
+ "subject": "smtp",
+ "activity": "close",
+ "activity_type": "smtp-close",
"outcome": "fail",
- "pretty_name": "Function Modify",
- "description": "An automation cloud function's code or configuration was modified",
+ "pretty_name": "Smtp Close",
+ "description": "A SMTP session was terminated",
"fields": {
"failure_reason": {
"core": "0",
@@ -14054,22 +17611,22 @@
}
}
},
- "function-write:success": {
- "subject": "function",
- "activity": "write",
- "activity_type": "function-write",
+ "smtp-start:success": {
+ "subject": "smtp",
+ "activity": "start",
+ "activity_type": "smtp-start",
"outcome": "success",
- "pretty_name": "Function Write",
- "description": "An automation cloud function was created or modified, only used as a catch all if create or modify cannot be determined",
+ "pretty_name": "Smtp Start",
+ "description": "A SMTP sesssion was initiated",
"fields": {}
},
- "function-write:fail": {
- "subject": "function",
- "activity": "write",
- "activity_type": "function-write",
+ "smtp-start:fail": {
+ "subject": "smtp",
+ "activity": "start",
+ "activity_type": "smtp-start",
"outcome": "fail",
- "pretty_name": "Function Write",
- "description": "An automation cloud function was created or modified, only used as a catch all if create or modify cannot be determined",
+ "pretty_name": "Smtp Start",
+ "description": "A SMTP sesssion was initiated",
"fields": {
"failure_reason": {
"core": "0",
@@ -14083,22 +17640,22 @@
}
}
},
- "key-write:success": {
- "subject": "key",
- "activity": "write",
- "activity_type": "key-write",
+ "snapshot-create:success": {
+ "subject": "snapshot",
+ "activity": "create",
+ "activity_type": "snapshot-create",
"outcome": "success",
- "pretty_name": "Key Write",
- "description": "A global security key object was created or modified, only used as a catch all if create or modify cannot be determined",
+ "pretty_name": "Snapshot Create",
+ "description": "A snapshot was created",
"fields": {}
},
- "key-write:fail": {
- "subject": "key",
- "activity": "write",
- "activity_type": "key-write",
+ "snapshot-create:fail": {
+ "subject": "snapshot",
+ "activity": "create",
+ "activity_type": "snapshot-create",
"outcome": "fail",
- "pretty_name": "Key Write",
- "description": "A global security key object was created or modified, only used as a catch all if create or modify cannot be determined",
+ "pretty_name": "Snapshot Create",
+ "description": "A snapshot was created",
"fields": {
"failure_reason": {
"core": "0",
@@ -14112,22 +17669,22 @@
}
}
},
- "snapshot-write:success": {
+ "snapshot-list:success": {
"subject": "snapshot",
- "activity": "write",
- "activity_type": "snapshot-write",
+ "activity": "list",
+ "activity_type": "snapshot-list",
"outcome": "success",
- "pretty_name": "Snapshot Write",
- "description": "A snapshot object was created or modified, only used as a catch all if create or modify cannot be determined",
+ "pretty_name": "Snapshot List",
+ "description": "An enumeration of snapshot resources took place",
"fields": {}
},
- "snapshot-write:fail": {
+ "snapshot-list:fail": {
"subject": "snapshot",
- "activity": "write",
- "activity_type": "snapshot-write",
+ "activity": "list",
+ "activity_type": "snapshot-list",
"outcome": "fail",
- "pretty_name": "Snapshot Write",
- "description": "A snapshot object was created or modified, only used as a catch all if create or modify cannot be determined",
+ "pretty_name": "Snapshot List",
+ "description": "An enumeration of snapshot resources took place",
"fields": {
"failure_reason": {
"core": "0",
@@ -14141,22 +17698,22 @@
}
}
},
- "bucket-write:success": {
- "subject": "bucket",
- "activity": "write",
- "activity_type": "bucket-write",
+ "snapshot-modify:success": {
+ "subject": "snapshot",
+ "activity": "modify",
+ "activity_type": "snapshot-modify",
"outcome": "success",
- "pretty_name": "Bucket Write",
- "description": "A cloud bucket was created or modified, only used as a catch all if create or modify cannot be determined",
+ "pretty_name": "Snapshot Modify",
+ "description": "The configuration or properties of a snapshot were modified",
"fields": {}
},
- "bucket-write:fail": {
- "subject": "bucket",
- "activity": "write",
- "activity_type": "bucket-write",
+ "snapshot-modify:fail": {
+ "subject": "snapshot",
+ "activity": "modify",
+ "activity_type": "snapshot-modify",
"outcome": "fail",
- "pretty_name": "Bucket Write",
- "description": "A cloud bucket was created or modified, only used as a catch all if create or modify cannot be determined",
+ "pretty_name": "Snapshot Modify",
+ "description": "The configuration or properties of a snapshot were modified",
"fields": {
"failure_reason": {
"core": "0",
@@ -14170,22 +17727,22 @@
}
}
},
- "disk-write:success": {
- "subject": "disk",
- "activity": "write",
- "activity_type": "disk-write",
+ "snapshot-read:success": {
+ "subject": "snapshot",
+ "activity": "read",
+ "activity_type": "snapshot-read",
"outcome": "success",
- "pretty_name": "Disk Write",
- "description": "A disk volume object was created or modified, only used as a catch all if create or modify cannot be determined",
+ "pretty_name": "Snapshot Read",
+ "description": "A request to read the content of a snapshot was made",
"fields": {}
},
- "disk-write:fail": {
- "subject": "disk",
- "activity": "write",
- "activity_type": "disk-write",
+ "snapshot-read:fail": {
+ "subject": "snapshot",
+ "activity": "read",
+ "activity_type": "snapshot-read",
"outcome": "fail",
- "pretty_name": "Disk Write",
- "description": "A disk volume object was created or modified, only used as a catch all if create or modify cannot be determined",
+ "pretty_name": "Snapshot Read",
+ "description": "A request to read the content of a snapshot was made",
"fields": {
"failure_reason": {
"core": "0",
@@ -14199,22 +17756,22 @@
}
}
},
- "endpoint-write:success": {
- "subject": "endpoint",
- "activity": "write",
- "activity_type": "endpoint-write",
+ "clipboard-read:success": {
+ "subject": "clipboard",
+ "activity": "read",
+ "activity_type": "clipboard-read",
"outcome": "success",
- "pretty_name": "Endpoint Write",
- "description": "An endpoint object was created or modified, only used as a catch all if create or modify cannot be determined",
+ "pretty_name": "Clipboard Read",
+ "description": "A request was made to read the content of the clipboard",
"fields": {}
},
- "endpoint-write:fail": {
- "subject": "endpoint",
- "activity": "write",
- "activity_type": "endpoint-write",
+ "clipboard-read:fail": {
+ "subject": "clipboard",
+ "activity": "read",
+ "activity_type": "clipboard-read",
"outcome": "fail",
- "pretty_name": "Endpoint Write",
- "description": "An endpoint object was created or modified, only used as a catch all if create or modify cannot be determined",
+ "pretty_name": "Clipboard Read",
+ "description": "A request was made to read the content of the clipboard",
"fields": {
"failure_reason": {
"core": "0",
@@ -14228,22 +17785,22 @@
}
}
},
- "image-write:success": {
- "subject": "image",
- "activity": "write",
- "activity_type": "image-write",
+ "ds-replication:success": {
+ "subject": "ds",
+ "activity": "replication",
+ "activity_type": "ds-replication",
"outcome": "success",
- "pretty_name": "Image Write",
- "description": "A VM image object was created or modified, only used as a catch all if create or modify cannot be determined",
+ "pretty_name": "Ds Replication",
+ "description": "A part of a directory service replication process is taking place",
"fields": {}
},
- "image-write:fail": {
- "subject": "image",
- "activity": "write",
- "activity_type": "image-write",
+ "ds-replication:fail": {
+ "subject": "ds",
+ "activity": "replication",
+ "activity_type": "ds-replication",
"outcome": "fail",
- "pretty_name": "Image Write",
- "description": "A VM image object was created or modified, only used as a catch all if create or modify cannot be determined",
+ "pretty_name": "Ds Replication",
+ "description": "A part of a directory service replication process is taking place",
"fields": {
"failure_reason": {
"core": "0",
@@ -14256,70 +17813,7450 @@
"informational": "0"
}
}
- }
- },
- "Extensions": {
- "sysmon": {
- "expression": "product = \"sysmon\"",
+ },
+ "ds-replication-modify:success": {
+ "subject": "ds",
+ "activity": "replication-modify",
+ "activity_type": "ds-replication-modify",
+ "outcome": "success",
+ "pretty_name": "Ds Replication Modify",
+ "description": "The configuration of the replication process of the directory service was modified",
+ "fields": {}
+ },
+ "ds-replication-modify:fail": {
+ "subject": "ds",
+ "activity": "replication-modify",
+ "activity_type": "ds-replication-modify",
+ "outcome": "fail",
+ "pretty_name": "Ds Replication Modify",
+ "description": "The configuration of the replication process of the directory service was modified",
"fields": {
- "user": {
- "core": "1",
+ "failure_reason": {
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "src_host": {
- "core": "1",
+ "failure_code": {
+ "core": "0",
"detection": "1",
"informational": "0"
- },
- "log_name": {
- "core": "1",
- "detection": "0",
+ }
+ }
+ },
+ "ds-replication-start:success": {
+ "subject": "ds",
+ "activity": "replication-start",
+ "activity_type": "ds-replication-start",
+ "outcome": "success",
+ "pretty_name": "Ds Replication Start",
+ "description": "A directory service replication has started",
+ "fields": {}
+ },
+ "ds-replication-start:fail": {
+ "subject": "ds",
+ "activity": "replication-start",
+ "activity_type": "ds-replication-start",
+ "outcome": "fail",
+ "pretty_name": "Ds Replication Start",
+ "description": "A directory service replication has started",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
"informational": "0"
},
- "event_code": {
+ "failure_code": {
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
}
- },
- "activity_type": {
- "file-write": {
+ }
+ },
+ "ds-replication-stop:success": {
+ "subject": "ds",
+ "activity": "replication-stop",
+ "activity_type": "ds-replication-stop",
+ "outcome": "success",
+ "pretty_name": "Ds Replication Stop",
+ "description": "A directory service replication has ended",
+ "fields": {}
+ },
+ "ds-replication-stop:fail": {
+ "subject": "ds",
+ "activity": "replication-stop",
+ "activity_type": "ds-replication-stop",
+ "outcome": "fail",
+ "pretty_name": "Ds Replication Stop",
+ "description": "A directory service replication has ended",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "script-execute:success": {
+ "subject": "script",
+ "activity": "execute",
+ "activity_type": "script-execute",
+ "outcome": "success",
+ "pretty_name": "Script Execute",
+ "description": "Scripting commands were executed on the system",
+ "fields": {
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "command_invocation": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "scriptblock_text": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
+ },
+ "script-execute:fail": {
+ "subject": "script",
+ "activity": "execute",
+ "activity_type": "script-execute",
+ "outcome": "fail",
+ "pretty_name": "Script Execute",
+ "description": "Scripting commands were executed on the system",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "command_invocation": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "scriptblock_text": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
+ },
+ "ssl-start:success": {
+ "subject": "ssl",
+ "activity": "start",
+ "activity_type": "ssl-start",
+ "outcome": "success",
+ "pretty_name": "Ssl Start",
+ "description": "A SSL session was initiated",
+ "fields": {}
+ },
+ "ssl-start:fail": {
+ "subject": "ssl",
+ "activity": "start",
+ "activity_type": "ssl-start",
+ "outcome": "fail",
+ "pretty_name": "Ssl Start",
+ "description": "A SSL session was initiated",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "ssl-traffic:success": {
+ "subject": "ssl",
+ "activity": "traffic",
+ "activity_type": "ssl-traffic",
+ "outcome": "success",
+ "pretty_name": "Ssl Traffic",
+ "description": "A representation of a single SSL packet",
+ "fields": {}
+ },
+ "ssl-traffic:fail": {
+ "subject": "ssl",
+ "activity": "traffic",
+ "activity_type": "ssl-traffic",
+ "outcome": "fail",
+ "pretty_name": "Ssl Traffic",
+ "description": "A representation of a single SSL packet",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "ssl-close:success": {
+ "subject": "ssl",
+ "activity": "close",
+ "activity_type": "ssl-close",
+ "outcome": "success",
+ "pretty_name": "Ssl Close",
+ "description": "A SSL session was terminated",
+ "fields": {}
+ },
+ "ssl-close:fail": {
+ "subject": "ssl",
+ "activity": "close",
+ "activity_type": "ssl-close",
+ "outcome": "fail",
+ "pretty_name": "Ssl Close",
+ "description": "A SSL session was terminated",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "link-create:success": {
+ "subject": "link",
+ "activity": "create",
+ "activity_type": "link-create",
+ "outcome": "success",
+ "pretty_name": "Link Create",
+ "description": "A link was created between two endpoint objects",
+ "fields": {}
+ },
+ "link-create:fail": {
+ "subject": "link",
+ "activity": "create",
+ "activity_type": "link-create",
+ "outcome": "fail",
+ "pretty_name": "Link Create",
+ "description": "A link was created between two endpoint objects",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "policy-write:success": {
+ "subject": "policy",
+ "activity": "write",
+ "activity_type": "policy-write",
+ "outcome": "success",
+ "pretty_name": "Policy Write",
+ "description": "A policy document was created or modified, only used as a catch all if create or modify cannot be determined",
+ "fields": {}
+ },
+ "policy-write:fail": {
+ "subject": "policy",
+ "activity": "write",
+ "activity_type": "policy-write",
+ "outcome": "fail",
+ "pretty_name": "Policy Write",
+ "description": "A policy document was created or modified, only used as a catch all if create or modify cannot be determined",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "endpoint-key-create:success": {
+ "subject": "endpoint",
+ "activity": "key-create",
+ "activity_type": "endpoint-key-create",
+ "outcome": "success",
+ "pretty_name": "Endpoint Key Create",
+ "description": "An endpoint security key was created",
+ "fields": {}
+ },
+ "endpoint-key-create:fail": {
+ "subject": "endpoint",
+ "activity": "key-create",
+ "activity_type": "endpoint-key-create",
+ "outcome": "fail",
+ "pretty_name": "Endpoint Key Create",
+ "description": "An endpoint security key was created",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "endpoint-key-write:success": {
+ "subject": "endpoint",
+ "activity": "key-write",
+ "activity_type": "endpoint-key-write",
+ "outcome": "success",
+ "pretty_name": "Endpoint Key Write",
+ "description": "An endpoint security key was created or modified, only used as a catch all if create or modify cannot be determined",
+ "fields": {}
+ },
+ "endpoint-key-write:fail": {
+ "subject": "endpoint",
+ "activity": "key-write",
+ "activity_type": "endpoint-key-write",
+ "outcome": "fail",
+ "pretty_name": "Endpoint Key Write",
+ "description": "An endpoint security key was created or modified, only used as a catch all if create or modify cannot be determined",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "user-key-create:success": {
+ "subject": "user",
+ "activity": "key-create",
+ "activity_type": "user-key-create",
+ "outcome": "success",
+ "pretty_name": "User Key Create",
+ "description": "A user security key was created",
+ "fields": {}
+ },
+ "user-key-create:fail": {
+ "subject": "user",
+ "activity": "key-create",
+ "activity_type": "user-key-create",
+ "outcome": "fail",
+ "pretty_name": "User Key Create",
+ "description": "A user security key was created",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "role-write:success": {
+ "subject": "role",
+ "activity": "write",
+ "activity_type": "role-write",
+ "outcome": "success",
+ "pretty_name": "Role Write",
+ "description": "A role identity was created or modified, only used as a catch all if create or modify cannot be determined",
+ "fields": {}
+ },
+ "role-write:fail": {
+ "subject": "role",
+ "activity": "write",
+ "activity_type": "role-write",
+ "outcome": "fail",
+ "pretty_name": "Role Write",
+ "description": "A role identity was created or modified, only used as a catch all if create or modify cannot be determined",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "function-create:success": {
+ "subject": "function",
+ "activity": "create",
+ "activity_type": "function-create",
+ "outcome": "success",
+ "pretty_name": "Function Create",
+ "description": "An automation cloud function was created",
+ "fields": {}
+ },
+ "function-create:fail": {
+ "subject": "function",
+ "activity": "create",
+ "activity_type": "function-create",
+ "outcome": "fail",
+ "pretty_name": "Function Create",
+ "description": "An automation cloud function was created",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "function-modify:success": {
+ "subject": "function",
+ "activity": "modify",
+ "activity_type": "function-modify",
+ "outcome": "success",
+ "pretty_name": "Function Modify",
+ "description": "An automation cloud function's code or configuration was modified",
+ "fields": {}
+ },
+ "function-modify:fail": {
+ "subject": "function",
+ "activity": "modify",
+ "activity_type": "function-modify",
+ "outcome": "fail",
+ "pretty_name": "Function Modify",
+ "description": "An automation cloud function's code or configuration was modified",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "function-write:success": {
+ "subject": "function",
+ "activity": "write",
+ "activity_type": "function-write",
+ "outcome": "success",
+ "pretty_name": "Function Write",
+ "description": "An automation cloud function was created or modified, only used as a catch all if create or modify cannot be determined",
+ "fields": {}
+ },
+ "function-write:fail": {
+ "subject": "function",
+ "activity": "write",
+ "activity_type": "function-write",
+ "outcome": "fail",
+ "pretty_name": "Function Write",
+ "description": "An automation cloud function was created or modified, only used as a catch all if create or modify cannot be determined",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "key-write:success": {
+ "subject": "key",
+ "activity": "write",
+ "activity_type": "key-write",
+ "outcome": "success",
+ "pretty_name": "Key Write",
+ "description": "A global security key object was created or modified, only used as a catch all if create or modify cannot be determined",
+ "fields": {}
+ },
+ "key-write:fail": {
+ "subject": "key",
+ "activity": "write",
+ "activity_type": "key-write",
+ "outcome": "fail",
+ "pretty_name": "Key Write",
+ "description": "A global security key object was created or modified, only used as a catch all if create or modify cannot be determined",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "snapshot-write:success": {
+ "subject": "snapshot",
+ "activity": "write",
+ "activity_type": "snapshot-write",
+ "outcome": "success",
+ "pretty_name": "Snapshot Write",
+ "description": "A snapshot object was created or modified, only used as a catch all if create or modify cannot be determined",
+ "fields": {}
+ },
+ "snapshot-write:fail": {
+ "subject": "snapshot",
+ "activity": "write",
+ "activity_type": "snapshot-write",
+ "outcome": "fail",
+ "pretty_name": "Snapshot Write",
+ "description": "A snapshot object was created or modified, only used as a catch all if create or modify cannot be determined",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "bucket-write:success": {
+ "subject": "bucket",
+ "activity": "write",
+ "activity_type": "bucket-write",
+ "outcome": "success",
+ "pretty_name": "Bucket Write",
+ "description": "A cloud bucket was created or modified, only used as a catch all if create or modify cannot be determined",
+ "fields": {}
+ },
+ "bucket-write:fail": {
+ "subject": "bucket",
+ "activity": "write",
+ "activity_type": "bucket-write",
+ "outcome": "fail",
+ "pretty_name": "Bucket Write",
+ "description": "A cloud bucket was created or modified, only used as a catch all if create or modify cannot be determined",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "disk-write:success": {
+ "subject": "disk",
+ "activity": "write",
+ "activity_type": "disk-write",
+ "outcome": "success",
+ "pretty_name": "Disk Write",
+ "description": "A disk volume object was created or modified, only used as a catch all if create or modify cannot be determined",
+ "fields": {}
+ },
+ "disk-write:fail": {
+ "subject": "disk",
+ "activity": "write",
+ "activity_type": "disk-write",
+ "outcome": "fail",
+ "pretty_name": "Disk Write",
+ "description": "A disk volume object was created or modified, only used as a catch all if create or modify cannot be determined",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "endpoint-write:success": {
+ "subject": "endpoint",
+ "activity": "write",
+ "activity_type": "endpoint-write",
+ "outcome": "success",
+ "pretty_name": "Endpoint Write",
+ "description": "An endpoint object was created or modified, only used as a catch all if create or modify cannot be determined",
+ "fields": {}
+ },
+ "endpoint-write:fail": {
+ "subject": "endpoint",
+ "activity": "write",
+ "activity_type": "endpoint-write",
+ "outcome": "fail",
+ "pretty_name": "Endpoint Write",
+ "description": "An endpoint object was created or modified, only used as a catch all if create or modify cannot be determined",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "image-write:success": {
+ "subject": "image",
+ "activity": "write",
+ "activity_type": "image-write",
+ "outcome": "success",
+ "pretty_name": "Image Write",
+ "description": "A VM image object was created or modified, only used as a catch all if create or modify cannot be determined",
+ "fields": {}
+ },
+ "image-write:fail": {
+ "subject": "image",
+ "activity": "write",
+ "activity_type": "image-write",
+ "outcome": "fail",
+ "pretty_name": "Image Write",
+ "description": "A VM image object was created or modified, only used as a catch all if create or modify cannot be determined",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "mailbox-list:success": {
+ "subject": "mailbox",
+ "activity": "list",
+ "activity_type": "mailbox-list",
+ "outcome": "success",
+ "pretty_name": "Mailbox List",
+ "description": "",
+ "fields": {}
+ },
+ "mailbox-list:fail": {
+ "subject": "mailbox",
+ "activity": "list",
+ "activity_type": "mailbox-list",
+ "outcome": "fail",
+ "pretty_name": "Mailbox List",
+ "description": "",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "rule-modify:success": {
+ "subject": "rule",
+ "activity": "modify",
+ "activity_type": "rule-modify",
+ "outcome": "success",
+ "pretty_name": "Rule Modify",
+ "description": "",
+ "fields": {}
+ },
+ "rule-modify:fail": {
+ "subject": "rule",
+ "activity": "modify",
+ "activity_type": "rule-modify",
+ "outcome": "fail",
+ "pretty_name": "Rule Modify",
+ "description": "",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "log_source-enable:success": {
+ "subject": "log_source",
+ "activity": "enable",
+ "activity_type": "log_source-enable",
+ "outcome": "success",
+ "pretty_name": "Log Source Enable",
+ "description": "",
+ "fields": {}
+ },
+ "log_source-enable:fail": {
+ "subject": "log_source",
+ "activity": "enable",
+ "activity_type": "log_source-enable",
+ "outcome": "fail",
+ "pretty_name": "Log Source Enable",
+ "description": "",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "log_source-disable:success": {
+ "subject": "log_source",
+ "activity": "disable",
+ "activity_type": "log_source-disable",
+ "outcome": "success",
+ "pretty_name": "Log Source Disable",
+ "description": "",
+ "fields": {}
+ },
+ "log_source-disable:fail": {
+ "subject": "log_source",
+ "activity": "disable",
+ "activity_type": "log_source-disable",
+ "outcome": "fail",
+ "pretty_name": "Log Source Disable",
+ "description": "",
+ "fields": {
+ "failure_reason": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "failure_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ }
+ },
+ "Extensions": {
+ "sysmon": {
+ "expression": "product = \"sysmon\"",
+ "fields": {
+ "user": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "log_name": {
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "event_code": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
+ "activity_type": {
+ "file-write": {
+ "fields": {
+ "process_name": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_path": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_dir": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_id": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_guid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "thread_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "time_created": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "process-create": {
+ "fields": {
+ "process_guid": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_integrity": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "parent_process_guid": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "parent_process_command_line": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "hash_sha256": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "hash_sha1": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "hash_md5": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "dll-load": {
+ "fields": {
+ "process_guid": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "thread_id": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "hash_sha256": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "hash_sha1": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "hash_md5": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "file_signed": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "file_signature": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "file_signature_status": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "driver-load": {
+ "fields": {
+ "process_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "thread_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "hash_sha256": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "hash_sha1": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "hash_md5": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "file_signed": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "file_signature": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "file_signature_status": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "network-session": {
+ "fields": {
+ "process_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_path": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_dir": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_guid": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "thread_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ipv6": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_ipv6": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "file-delete": {
+ "fields": {
+ "process_name": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_path": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_dir": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_guid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "thread_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "hash_sha256": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "hash_sha1": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "hash_md5": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "is_executable": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "is_archived": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "registry-modify": {
+ "fields": {
+ "process_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_path": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_dir": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_guid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "thread_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "dns-request": {
+ "fields": {
+ "process_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_path": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_dir": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_guid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "thread_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dns_response": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "alert-trigger": {
+ "fields": {}
+ }
+ }
+ },
+ "event viewer - security": {
+ "expression": "product = \"event viewer - security\"",
+ "fields": {
+ "src_host": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "log_name": {
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "event_code": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "event_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "login_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "process-create": {
+ "fields": {
+ "elevation_type": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_integrity": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "endpoint-domain-join": {
+ "fields": {
+ "user_sid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "dest_user_sid": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "user-create": {
+ "fields": {
+ "dest_user_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_user_type": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "user-delete": {
+ "fields": {
+ "dest_user_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "log-clear": {
+ "fields": {}
+ },
+ "group-member-remove": {
+ "fields": {
+ "group_type": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "group_id": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "member_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "user-disable": {
+ "fields": {
+ "dest_user_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "endpoint-authentication": {
+ "fields": {
+ "kerberos_service_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "ticket_options": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "ticket_encryption_type": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "group-member-add": {
+ "fields": {
+ "group_id": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "member_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "user-lock": {
+ "fields": {
+ "dest_user_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "user-privilege-assign": {
+ "fields": {}
+ },
+ "endpoint-login": {
+ "fields": {
+ "auth_process": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "auth_package": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "result": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "sub_status": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_path": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_dir": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "user-privilege-use": {
+ "fields": {
+ "object_server": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "object_type": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "object_name": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "object_handle": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "service_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_name": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_path": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_dir": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_id": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "audit_policy-modify": {
+ "fields": {
+ "audit_category": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "audit_subcategory": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "policy_changes": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "user-unlock": {
+ "fields": {
+ "dest_user_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "service-create": {
+ "fields": {
+ "file_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "file_path": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "file_dir": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "file_ext": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "service_command_line": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "service_type": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "service_start_type": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_user": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "dest_domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_user_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
+ },
+ "scheduled_task-create": {
+ "fields": {
+ "file_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "file_path": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "file_dir": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "file_ext": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "triggers": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "run_level": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_user_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "description": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
+ },
+ "user-switch": {
+ "fields": {
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_port": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_service_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_user_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_login_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_path": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_dir": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_host": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "process_id": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "user-password-modify": {
+ "fields": {
+ "dest_user_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "user-password-reset": {
+ "fields": {}
+ },
+ "user-enable": {
+ "fields": {
+ "dest_user_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "user-modify": {
+ "fields": {
+ "old_attribute": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "new_attribute": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "attribute": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "peripheral_storage-insert": {
+ "fields": {
+ "device_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "class_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "class_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "1"
+ },
+ "vendor_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "compatible_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "location_information": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "file-read": {
+ "fields": {
+ "process_name": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_path": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_dir": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "handle_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "access": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "access_mask": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "file-write": {
+ "fields": {
+ "process_name": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_path": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_dir": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "handle_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "access": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "access_mask": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "file-delete": {
+ "fields": {
+ "process_name": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_path": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_dir": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "handle_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "access": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "access_mask": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "login_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "object_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "object": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "object_class": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "object_server": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
+ },
+ "endpoint-lock": {
+ "fields": {
+ "session_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "endpoint-unlock": {
+ "fields": {
+ "session_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "network-session": {
+ "fields": {
+ "process_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_path": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_dir": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "direction": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "endpoint-logout": {
+ "fields": {
+ "session_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_port": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
+ },
+ "share-create": {
+ "fields": {
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_port": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_host": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "d_parent": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "d_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "aid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
+ },
+ "share-modify": {
+ "fields": {
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_port": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_host": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "user_sid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
+ },
+ "share-delete": {
+ "fields": {
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_port": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_host": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "user_sid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
+ },
+ "user-name-modify": {
+ "fields": {
+ "new_user_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "old_user_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "share-access": {
+ "fields": {
+ "src_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user_sid": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "file_type": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "access": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_path": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_dir": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "service_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "service_type": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_guid": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_command_line": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "object_server": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_domain": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "dest_user_sid": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "auth_process": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "key_length": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "auth_package": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "thread_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "login_type": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "task_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "operation_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "provider_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "privileges": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "sid_history": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "object": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "file_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "file_ext": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "file_dir": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "endpoint-delete": {
+ "fields": {}
+ },
+ "endpoint-modify": {
+ "fields": {
+ "old_attribute": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "new_attribute": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "attribute": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "ds_object-modify": {
+ "fields": {
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "access": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "access_mask": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "attribute": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "attribute_value": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "ds_object-create": {
+ "fields": {}
+ },
+ "ds_object-restore": {
+ "fields": {}
+ },
+ "ds_object-move": {
+ "fields": {}
+ },
+ "ds_object-delete": {
+ "fields": {}
+ }
+ }
+ },
+ "bitglass casb": {
+ "expression": "product = \"bitglass casb\"",
+ "fields": {
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user_agent": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "os": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
+ "activity_type": {
+ "app-login": {
+ "fields": {
+ "src_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "additional_info": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user_group_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "file-read": {
+ "fields": {
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "access": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "file_url": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "file-write": {
+ "fields": {
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "access": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "file_url": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "email-send": {
+ "fields": {
+ "src_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "file-download": {
+ "fields": {
+ "dest_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "event_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user_group_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "alert-trigger": {
+ "fields": {
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "file_ext": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "file_name": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "process_name": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "target": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "user": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ }
+ }
+ },
+ "blue coat proxysg": {
+ "expression": "product = \"blue coat proxysg\"",
+ "fields": {
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ },
+ "activity_type": {
+ "http-session": {
+ "fields": {
+ "proxy_action": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "categories": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "domain": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "protocol": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "browser": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "country": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "proxy_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "app_user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "resource_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "network-traffic": {
+ "fields": {
+ "proxy_action": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "category": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "categories": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "referrer": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "result_code": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "method": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "mime": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "bytes_out": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes_in": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ }
+ }
+ },
+ "box cloud content management": {
+ "expression": "product = \"box cloud content management\"",
+ "fields": {
+ "user": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
+ "activity_type": {
+ "file-delete": {
+ "fields": {
+ "object": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "file_type": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "access": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "owned_user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "access_type": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "file-read": {
+ "fields": {
+ "object": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "file_type": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "access": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "owned_user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "access_type": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "file-download": {
+ "fields": {
+ "object": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "file_type": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "file_dir": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "access": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "owned_user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "access_type": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "cid": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "file-write": {
+ "fields": {
+ "object": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "file_type": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "access": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "access_type": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_name": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "owned_user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "cid": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "file-upload": {
+ "fields": {
+ "object": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "file_type": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "access": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "access_type": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_name": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_user": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "app": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "service_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "resource": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "owned_user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "app-activity": {
+ "fields": {
+ "app": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "service_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "resource": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "app-login": {
+ "fields": {
+ "process_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ }
+ }
+ },
+ "zeek": {
+ "expression": "product = zeek",
+ "fields": {
+ "connection_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "protocol": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ }
+ },
+ "activity_type": {
+ "endpoint-login": {
+ "fields": {
+ "src_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_code": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "result_code": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "email-receive": {
+ "fields": {
+ "event_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "trans_depth": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "mailfrom": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rcptto": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "cc": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "reply_to": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "message_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "in_reply_to": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "path": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user_agent": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "session_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "dhcp-session": {
+ "fields": {
+ "duration": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dhcp_type": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "lease_time": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_mac": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user_uids": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "trans_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "session_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "http-session": {
+ "fields": {
+ "status_msg": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "tags": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "proxied": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "orig_filenames": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "network-session": {
+ "fields": {
+ "bytes_in": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes_out": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "sensor_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "orig_pkts": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "resp_pkts": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "country": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "mbps": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_interface": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user_uid": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "resp_cc": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "orig_cc": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "service_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "duration": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "connection_state": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "local_resp": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "local_orig": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "missed_bytes": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "history": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "orig_bytes": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "resp_bytes": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "tunnel_parents": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "connection_age": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "dns-request": {
+ "fields": {
+ "query_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "dns-response": {
+ "fields": {
+ "user_uid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "trans_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rtt": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "qclass": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "qclass_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "AA": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "TC": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "RD": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "RA": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "Z": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "TTLs": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "file-read": {
+ "fields": {
+ "event_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_port": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_port": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "share_path": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "bytes": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "connection_uid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "analyzers": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "mime": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "hash_md5": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "hash_sha1": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "file_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "log_source": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "depth": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "duration": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "local_orig": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "is_orig": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "missed_bytes": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "overflow_bytes": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "timedout": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "file_dir_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "hash_sha256": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "extracted": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "extracted_size": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "extracted_cutoff": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "app": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "object": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "dest_host": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "session_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
+ },
+ "file-delete": {
+ "fields": {
+ "event_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_port": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_port": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "share_path": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "mime": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "app": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "object": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "dest_host": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "session_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
+ },
+ "file-write": {
+ "fields": {
+ "event_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_port": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_port": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "share_path": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "mime": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "app": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "object": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "dest_host": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "session_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
+ },
+ "network-traffic": {
+ "fields": {
+ "event_code": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "service_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "cipher_method": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "server": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "endpoint-authentication": {
+ "fields": {
+ "event_code": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "request_type": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "service_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "result_code": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "ticket_encryption_type": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "issue_time": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "expiry_time": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "ticket_options": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "client_cert_subject": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "share-access": {
+ "fields": {
+ "service_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "native_file_system": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "share_type": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "ssh-traffic": {
+ "fields": {
+ "version": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "direction": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "client_ssh_version": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "server_ssh_version": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "cipher": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "mac_alg": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "compression_alg": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "kex_alg": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "host_key_alg": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "host_key": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "remote_location_country_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "remote_location_region": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "remote_location_city": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "remote_location_latitude": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "remote_location_longitude": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "client": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "server": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "ftp-traffic": {
+ "fields": {
+ "mime": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "app": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "object": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "session_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
+ },
+ "radius-traffic": {
+ "fields": {
+ "result": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "framed_addr": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "response_ttl": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "alert-trigger": {
+ "fields": {
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_port": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "protocol": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_port": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ }
+ }
+ },
+ "bromium secure platform": {
+ "expression": "product = \"bromium secure platform\"",
+ "fields": {
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "file-download": {
+ "fields": {}
+ },
+ "file-upload": {
+ "fields": {}
+ },
+ "alert-trigger": {
+ "fields": {}
+ }
+ }
+ },
+ "carbon black app control": {
+ "expression": "product = \"carbon black app control\"",
+ "fields": {
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
+ "activity_type": {
+ "endpoint-login": {
+ "fields": {
+ "src_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "event_code": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "endpoint-lock": {
+ "fields": {
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "event_code": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "endpoint-unlock": {
+ "fields": {
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "event_code": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "network-session": {
+ "fields": {
+ "process_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_path": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_dir": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_command_line": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "action": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "parent_process_command_line": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "parent_process_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_guid": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "parent_process_guid": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "alert_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "sensor_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "hash_md5": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "web_domain": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "process-create": {
+ "fields": {
+ "action": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_guid": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "alert_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "sensor_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "hash_md5": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "arg": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "file_path": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "file_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "policy": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "file-write": {
+ "fields": {
+ "process_name": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_path": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_dir": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_command_line": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "action": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "parent_process_command_line": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "parent_process_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_guid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "parent_process_guid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "alert_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "file_type": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "event_code": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "file_hash": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "policy": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "alert_severity": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "event_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "file-read": {
+ "fields": {
+ "process_name": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_path": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_dir": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_command_line": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "action": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "parent_process_command_line": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "parent_process_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_guid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "parent_process_guid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "alert_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "file-delete": {
+ "fields": {
+ "process_name": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_path": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_dir": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_command_line": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "action": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "parent_process_command_line": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "parent_process_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_guid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "parent_process_guid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "alert_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "peripheral_storage-insert": {
+ "fields": {
+ "dest_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "activity_details": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_code": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_name": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_path": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_dir": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "event_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "peripheral_storage-remove": {
+ "fields": {
+ "dest_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "activity_details": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "app-login": {
+ "fields": {
+ "dest_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "email_domain": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ }
+ }
+ },
+ "carbon black edr": {
+ "expression": "product = \"carbon black edr\"",
+ "fields": {
+ "alert_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_ip": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_guid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_path": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_dir": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "parent_process_guid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "device_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_command_line": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
+ "activity_type": {
+ "process-create": {
+ "fields": {
+ "parent_process_guid": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "device_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_command_line": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "domain": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "sensor_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "hash_md5": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "file-write": {
+ "fields": {
+ "parent_process_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "parent_process_path": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "parent_process_dir": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "parent_process_command_line": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "parent_process_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "network-session": {
+ "fields": {
+ "parent_process_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "parent_process_path": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "parent_process_dir": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "parent_process_command_line": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "parent_process_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ }
+ }
+ },
+ "carbon black ces": {
+ "expression": "product = \"carbon black ces\"",
+ "fields": {
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
+ "activity_type": {
+ "file-read": {
+ "fields": {
+ "src_host": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "alert_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "alert_severity": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "alert_type": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_name": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_path": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_dir": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "web_domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "alert_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "parent_md5hash": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "parent_hash_sha256": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "target_hash_sha256": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "target_md5hash": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "selected_md5hash": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "selected_hash_sha256": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "hash_sha256": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "hash_md5": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "file-write": {
+ "fields": {
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "alert_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "alert_severity": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "alert_type": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_name": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_path": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_dir": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "web_domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "alert_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "parent_md5hash": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "parent_hash_sha256": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "target_hash_sha256": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "target_md5hash": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "selected_md5hash": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "selected_hash_sha256": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "hash_sha256": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "hash_md5": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "process-create": {
+ "fields": {
+ "dest_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "file_path": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "file_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "file_dir": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "parent_md5hash": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "parent_hash_sha256": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "target_hash_sha256": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "target_md5hash": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "selected_md5hash": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "selected_hash_sha256": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "hash_sha256": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "hash_md5": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "network-session": {
+ "fields": {
+ "src_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "alert_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "alert_severity": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "alert_type": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_path": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_dir": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "web_domain": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "file_path": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "file_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "file_dir": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "alert_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "parent_md5hash": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "parent_hash_sha256": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "target_hash_sha256": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "target_md5hash": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "selected_md5hash": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "selected_hash_sha256": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "hash_sha256": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "hash_md5": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "app-login": {
+ "fields": {}
+ }
+ }
+ },
+ "check point ngfw": {
+ "expression": "product = \"check point ngfw\"",
+ "fields": {
+ "dest_ip": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
+ "activity_type": {
+ "network-traffic": {
+ "fields": {
+ "result": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "outzone": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "inzone": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "log_uid": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "service_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "peer_gateway": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "users": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "policy": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rule_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "app_protocol": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "interface_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "action": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "product_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rule": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "direction": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_translated_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_translated_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_translated_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_translated_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "origin_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "origin_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "community": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rule_uid": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "network-session": {
+ "fields": {
+ "bytes_in": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes_out": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_interface": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user_ou": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "alert_severity": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "department": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "company": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "os": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "users": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "policy": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rule_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "app_protocol": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "action": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "product_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rule": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "direction": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_translated_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_translated_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_translated_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_translated_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "origin_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "origin_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "interface_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "email-receive": {
+ "fields": {
+ "app_protocol": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "interface_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "action": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "product_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "protocol": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rule": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "direction": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_translated_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_translated_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_translated_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_translated_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "origin_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "origin_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rule_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "vpn-login": {
+ "fields": {
+ "auth_method": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "policy": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes_in": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes_out": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_interface": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user_ou": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "alert_severity": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "department": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "company": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "os": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rule_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "app_protocol": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "action": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "product_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "protocol": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rule": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "direction": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_translated_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_translated_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_translated_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_translated_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "origin_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "origin_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "tunnel_protocol": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "interface_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "endpoint-login": {
+ "fields": {
+ "bytes_in": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes_out": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "department": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "company": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "os": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user_ou": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "action": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "product_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "protocol": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rule": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "direction": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_translated_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_translated_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_translated_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_translated_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "origin_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "origin_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "endpoint-authentication": {
+ "fields": {
+ "bytes_in": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes_out": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "department": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "company": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "os": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user_ou": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "action": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "product_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "protocol": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rule": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "direction": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_translated_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_translated_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_translated_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_translated_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "origin_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "origin_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "vpn-logout": {
+ "fields": {
+ "bytes_in": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "bytes_out": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "os": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user_ou": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "department": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "company": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "action": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "product_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_port": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_port": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "protocol": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "rule": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "direction": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_translated_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_translated_port": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_translated_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_translated_port": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_host": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "origin_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "origin_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "app-login": {
+ "fields": {
+ "user_agent": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "http-session": {
+ "fields": {
+ "protocol": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "full_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "direction": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "origin_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "origin_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "product_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rule_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "interface_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "service_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rule": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_translated_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_translated_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_translated_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_translated_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "os": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "email-send": {
+ "fields": {
+ "direction": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_interface": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "message_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ }
+ }
+ },
+ "check point security gateway": {
+ "expression": "product = \"check point security gateway\"",
+ "fields": {
+ "action": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "event_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_country_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_translated_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ },
+ "activity_type": {
+ "vpn-login": {
+ "fields": {
+ "src_translated_ipnum": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "os": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "auth_type": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user_ou": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "realm": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "direction": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "vpn-logout": {
+ "fields": {
+ "session_duration": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_host": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user_ou": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "vpn-authentication": {
+ "fields": {
+ "auth_method": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "os": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ }
+ }
+ },
+ "check point identity awareness": {
+ "expression": "product = \"check point identity awareness\"",
+ "fields": {
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_port": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_port": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "protocol": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "direction": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "event_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "log_uid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "origin_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "action": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ },
+ "activity_type": {
+ "vpn-login": {
+ "fields": {
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user_group_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "auth_method": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "session_duration": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user_ou": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "vpn-logout": {
"fields": {
- "process_name": {
+ "operation": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user_group_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "auth_method": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_host": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "session_duration": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user_ou": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "network-traffic": {
+ "fields": {
+ "src_interface": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user_uid": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user": {
+ "Status": "Default",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ }
+ }
+ },
+ "cisco umbrella": {
+ "expression": "product = \"cisco umbrella\"",
+ "fields": {
+ "dest_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "category": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ },
+ "activity_type": {
+ "dns-response": {
+ "fields": {
+ "src_host": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "identities": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "categories": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
+ },
+ "http-session": {
+ "fields": {
+ "result_code": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "protocol": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "sha": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "identity_type": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "categories": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "domain": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "network-traffic": {
+ "fields": {}
+ }
+ }
+ },
+ "cisco adaptive security appliance": {
+ "expression": "product = \"cisco adaptive security appliance\"",
+ "fields": {
+ "event_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ },
+ "activity_type": {
+ "app-authentication": {
+ "fields": {
+ "src_mac": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_interface": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "result": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "vpn-login": {
+ "fields": {
+ "dest_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_mac": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_interface": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "result": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "realm": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_translated_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "priority": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "group_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "client_system": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "client_system_version": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "app-login": {
+ "fields": {
+ "priority": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "Status": "Default",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "auth": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "additional_info": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "vpn-authentication": {
+ "fields": {
+ "dest_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "event_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "vpn-logout": {
+ "fields": {
+ "group_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "realm": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "priority": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_host": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "session_hour": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "session_min": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "session_sec": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes_in": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "bytes_out": {
"Status": "Legacy",
"core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_translated_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "session_day": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "network-traffic": {
+ "fields": {
+ "direction": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "connection_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_interface": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_translated_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_translated_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_translated_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_interface": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_translated_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_translated_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_translated_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "event_name": {
+ "Status": "Default",
+ "core": "0",
"detection": "0",
"informational": "1"
},
- "process_path": {
- "Status": "Legacy",
+ "duration": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "domain": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "dns-response": {
+ "fields": {
+ "priority": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "process_dir": {
- "Status": "Legacy",
+ "event_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "http-session": {
+ "fields": {
+ "domain": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_id": {
+ "event_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "endpoint-authentication": {
+ "fields": {
+ "src_ip": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "process_guid": {
+ "priority": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "thread_id": {
+ "event_name": {
+ "Status": "Default",
"core": "0",
"detection": "0",
+ "informational": "1"
+ },
+ "dest_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
"informational": "0"
+ }
+ }
+ },
+ "database-login": {
+ "fields": {
+ "priority": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "time_created": {
+ "event_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_ip": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
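Review bot: `domain_user_name` under `cisco umbrella` → `dns-response` (and again under `cisco adaptive security appliance` → `network-traffic`) introduces a fourth attribute, `"enriched": "1"`, while `core`, `detection` and `informational` are all `"0"`; no other field in this file carries `enriched`, so the key (and what an all-zero classification is meant to convey) should be documented wherever the three flags are described, and it is worth checking that consumers of this file tolerate an attribute they have not seen before rather than dropping the field. Also, `src_translated_ipnum` under `check point security gateway` → `vpn-login` breaks the `src_translated_ip` / `src_translated_port` naming pattern used everywhere else; confirm it is the name the parser actually emits.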
@@ -14328,43 +25265,336 @@
},
"process-create": {
"fields": {
- "process_guid": {
+ "priority": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_integrity": {
+ "user": {
+ "Status": "Default",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "parent_process_guid": {
+ "process_command_line": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "parent_process_command_line": {
+ "src_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "file-download": {
+ "fields": {
+ "priority": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_port": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_port": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "web_domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "action": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user_agent": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "protocol": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "bytes": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "policy": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "direction": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ }
+ }
+ },
+ "cisco unified communications manager": {
+ "expression": "product = \"cisco unified communications manager\"",
+ "fields": {
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "operation": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "object": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "target": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "event_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ },
+ "activity_type": {
+ "app-login": {
+ "fields": {}
+ }
+ }
+ },
+ "cisco firepower": {
+ "expression": "product = cisco firepower",
+ "fields": {
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ },
+ "activity_type": {
+ "network-session": {
+ "fields": {
+ "event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "hash_sha256": {
+ "network_app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "hash_sha1": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "hash_md5": {
+ "ingress_zone": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "egress_zone": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "connection_type": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "result": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "initiator_packets": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "responder_packets": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "nap_policy": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "response_type": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "tcp_flags": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "reputation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "connection_duration": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "packets_in": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "packets_out": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_code": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "device_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "app_protocol": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "url": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_interface": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_interface": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes_out": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes_in": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "policy": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "action": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rule": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "category": {
"Status": "Default",
"core": "0",
"detection": "0",
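Review bot: the `cisco firepower` expression is `"product = cisco firepower"`, without the escaped quotes every other entry uses (`"product = \"cisco umbrella\""`, `"product = \"cisco unified communications manager\""`); if the expression language expects a quoted string literal this will either fail to parse or match nothing, so it should read `"expression": "product = \"cisco firepower\""`. Separately, `user` under `file-download` is tagged `"Status": "Legacy"` while also `"core": "1"`; a legacy field that is simultaneously a core field reads as a contradiction and deserves either a comment explaining it or a fix.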
@@ -14372,96 +25602,241 @@
}
}
},
- "dll-load": {
+ "dns-request": {
"fields": {
- "process_guid": {
+ "dns_record_type": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dns_response_type": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "response_ttl": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "bytes": {
"Status": "Legacy",
"core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_interface": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_interface": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "protocol": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "bytes_out": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "bytes_in": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "policy": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "action": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "rule": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "category": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "http-session": {
+ "fields": {
+ "priority": {
+ "Status": "Default",
+ "core": "0",
"detection": "0",
"informational": "1"
},
- "thread_id": {
+ "app_protocol": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "alert_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "protocol": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "policy": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rule": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_interface": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_interface": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "dns-response": {
+ "fields": {
+ "result": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "ingress_zone": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "egress_zone": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "alert_type": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "hash_sha256": {
+ "src_interface": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "hash_sha1": {
+ "dest_interface": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "hash_md5": {
+ "protocol": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "file_signed": {
+ "bytes_out": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "file_signature": {
+ "bytes_in": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "file_signature_status": {
+ "policy": {
"core": "0",
"detection": "1",
"informational": "0"
}
}
},
- "driver-load": {
+ "vpn-authentication": {
"fields": {
- "process_id": {
+ "event_code": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "thread_id": {
+ "priority": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "hash_sha256": {
+ "event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "hash_sha1": {
+ }
+ }
+ },
+ "endpoint-authentication": {
+ "fields": {
+ "priority": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "hash_md5": {
+ "event_code": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_signed": {
+ "event_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "vpn-login": {
+ "fields": {
+ "event_code": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_signature": {
+ "priority": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_signature_status": {
+ "group_name": {
"Status": "Default",
"core": "0",
"detection": "0",
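Review bot: within `cisco firepower`, the `dns-request` and `dns-response` fields carry no `Status` key at all (except `bytes`, which keeps `"Legacy"`), while every `http-session`, `vpn-authentication`, `endpoint-authentication` and `vpn-login` field in this hunk is tagged `"Status": "Default"`; if a missing `Status` is meaningful (neither default nor legacy) that should be stated where the flags are documented, and if it is simply an omission the two `dns-*` blocks should be filled in, because as written a reader or a validator cannot tell the two cases apart.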
@@ -14469,1149 +25844,1240 @@
}
}
},
- "network-session": {
+ "alert-trigger": {
"fields": {
- "process_name": {
- "Status": "Default",
+ "additional_info": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "process_path": {
- "Status": "Default",
+ "alert_id": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_dir": {
- "Status": "Default",
+ "bytes": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_port": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "direction": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "process_id": {
- "Status": "Default",
+ "file_type": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "process_guid": {
- "Status": "Default",
+ "malware_file_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "thread_id": {
- "Status": "Default",
+ "malware_url": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_host": {
- "Status": "Default",
+ "hash_md5": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "src_ipv6": {
- "Status": "Default",
+ "result": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_ipv6": {
- "Status": "Default",
+ "process": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "file-delete": {
- "fields": {
+ "informational": "0"
+ },
"process_name": {
"Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "event_id": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "process_path": {
+ "rule": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_port": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_dir": {
+ "user": {
"Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "alert_description": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "process_id": {
+ "app_protocol": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "process_guid": {
+ "app_id": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "thread_id": {
+ "blocked": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "hash_sha256": {
+ "block_type": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "hash_sha1": {
+ "bytes_in": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "hash_md5": {
+ "bytes_out": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "is_executable": {
+ "classification_name": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "is_archived": {
+ "connection_counter": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "registry-modify": {
- "fields": {
- "process_name": {
+ "informational": "0"
+ },
+ "dest_country": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "process_path": {
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "process_dir": {
+ "device_id": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "process_id": {
+ "egress_security_zone": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "process_guid": {
+ "impact": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "thread_id": {
+ "ingress_interface": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "dns-request": {
- "fields": {
- "process_name": {
+ "informational": "0"
+ },
+ "ingress_security_zone": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "process_path": {
+ "ioc_number": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "process_dir": {
+ "ip_protocl_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "policy": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "protocol": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "process_id": {
+ "record_type": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "process_guid": {
+ "rule_id": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "thread_id": {
+ "sensor": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dns_response": {
+ "src_country": {
"core": "0",
- "detection": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "user_id": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
}
}
- },
- "alert-trigger": {
- "fields": {}
}
}
},
- "event viewer - security": {
- "expression": "product = \"event viewer - security\"",
+ "cisco acs": {
+ "expression": "product = \"cisco acs\"",
"fields": {
- "src_host": {
- "core": "1",
+ "device_vendor": {
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "user": {
- "core": "1",
+ "device_version": {
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "domain": {
+ "operation": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "log_name": {
+ "event_category": {
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "event_code": {
+ "dest_port": {
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "event_name": {
+ "src_ip": {
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "login_id": {
+ "alert_severity": {
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "user_id": {
+ "service_name": {
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "event_id": {
+ "dest_ip": {
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "correlation_id": {
+ "dtz": {
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
+ },
+ "result": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
}
},
"activity_type": {
- "endpoint-delete": {
+ "app-login": {
"fields": {}
- },
- "endpoint-modify": {
+ }
+ }
+ },
+ "cisco ios": {
+ "expression": "product = \"cisco ios\"",
+ "fields": {
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ },
+ "activity_type": {
+ "configuration-modify": {
"fields": {
- "old_attribute": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "new_attribute": {
+ "event_category": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "attribute": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "ds_object-modify": {
- "fields": {
- "operation": {
- "Status": "Default",
+ "event_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "access": {
- "Status": "Default",
+ "user": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "access_mask": {
- "Status": "Default",
+ "src_host": {
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "attribute": {
- "Status": "Default",
+ "event_code": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "attribute_value": {
- "Status": "Default",
+ "local_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
}
}
},
- "share-access": {
+ "network-session": {
"fields": {
- "object": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "file_name": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "file_ext": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "file_dir": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "process_path": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "process_name": {
+ "src_interface": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_dir": {
+ "packets": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "user_sid": {
+ }
+ }
+ },
+ "process-create": {
+ "fields": {
+ "user": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
- },
- "additional_info": {
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "endpoint-login": {
+ "fields": {
+ "event_code": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "access": {
+ "src_port": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
- },
- "ds_object-create": {
- "fields": {}
- },
- "ds_object-restore": {
- "fields": {}
- },
- "ds_object-move": {
- "fields": {}
- },
- "ds_object-delete": {
- "fields": {}
}
}
},
- "bitglass casb": {
- "expression": "product = \"bitglass casb\"",
- "fields": {},
+ "cisco dhcp": {
+ "expression": "product = \"cisco dhcp\"",
+ "fields": {
+ "dest_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ },
"activity_type": {
- "alert-trigger": {
- "fields": {
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "file_ext": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "file_name": {
- "Status": "Legacy",
- "core": "1",
- "detection": "0",
- "informational": "0"
- },
- "process_name": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "target": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "user": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
+ "dhcp-session": {
+ "fields": {}
}
}
},
- "symantec blue coat proxysg": {
- "expression": "product = \"blue coat proxysg\"",
+ "anyconnect": {
+ "expression": "product = \"anyconnect\"",
"fields": {
- "src_host": {
+ "dest_host": {
"core": "0",
"detection": "1",
"informational": "0"
}
},
"activity_type": {
- "http-session": {
+ "vpn-login": {
"fields": {
- "proxy_action": {
+ "src_translated_ip": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "categories": {
+ "priority": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "domain": {
+ "event_code": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "protocol": {
+ "os": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "browser": {
+ "realm": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "country": {
+ "dest_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "vpn-logout": {
+ "fields": {
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
},
- "proxy_ip": {
- "Status": "Default",
+ "session_duration": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "app_user": {
- "Status": "Default",
+ "realm": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
- "Status": "Default",
+ "dest_port": {
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "resource_id": {
- "Status": "Default",
+ "dest_ip": {
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
}
}
},
- "network-traffic": {
+ "network-session": {
"fields": {
- "action": {
+ "bytes_in": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "proxy_action": {
+ "bytes_out": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "category": {
+ "packet_rate": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "categories": {
+ "process_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "referrer": {
+ "parent_process_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "result_code": {
+ "parent_process_hash": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "method": {
+ "process_hash": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "mime": {
+ "udid": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
+ "module_hash_names": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "domain": {
+ "virtual_station_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes_out": {
+ "os": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes_in": {
+ "os_version": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- }
- }
- },
- "box cloud content management": {
- "expression": "product = \"box cloud content\"",
- "fields": {
- "user": {
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "domain": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- },
- "activity_type": {
- "file-delete": {
- "fields": {
- "object": {
- "core": "0",
- "detection": "1",
- "informational": "0"
},
- "file_type": {
- "Status": "Legacy",
+ "os_environment": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "access": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "owned_user": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "access_type": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "file-read": {
- "fields": {
- "object": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "file_type": {
- "Status": "Legacy",
+ "system_manufacturer": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes": {
- "Status": "Legacy",
+ "system_type": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "access": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "owned_user": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "access_type": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "file-download": {
- "fields": {
- "object": {
+ "user": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "file_type": {
- "Status": "Legacy",
+ "domain": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_dir": {
- "Status": "Legacy",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
- },
- "bytes": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "access": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "owned_user": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "access_type": {
- "core": "0",
- "detection": "1",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
}
}
- },
- "file-write": {
+ }
+ }
+ },
+ "cisco meraki mx appliance": {
+ "expression": "product = \"cisco meraki mx appliance\"",
+ "fields": {},
+ "activity_type": {
+ "network-traffic": {
"fields": {
- "object": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "file_type": {
- "Status": "Legacy",
+ "result": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "access": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "access_type": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "process_name": {
- "Status": "Legacy",
+ "operation": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "owned_user": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "file-upload": {
- "fields": {
- "object": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "file_type": {
- "Status": "Legacy",
+ "aid": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "access": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "access_type": {
+ "channel": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "process_name": {
- "Status": "Legacy",
+ "duration": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_user": {
+ "dhcp_ip": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "application": {
+ "domain": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "service_name": {
+ "user": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "resource": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
- "owned_user": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "app-activity": {
- "fields": {
- "application": {
+ "src_translated_ip": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "service_name": {
+ "dest_translated_ip": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "resource": {
+ "src_translated_port": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_user": {
+ "dest_translated_port": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
}
}
},
- "app-login": {
+ "http-session": {
"fields": {
- "process_name": {
+ "protocol": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_name": {
+ "src_mac": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
- }
- }
- },
- "zeek": {
- "expression": "product = zeek",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
+ },
+ "vpn-login": {
"fields": {
- "dest_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "dest_port": {
- "Status": "Legacy",
+ "src_translated_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
- },
- "protocol": {
- "Status": "Legacy",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "vpn-logout": {
+ "fields": {
+ "src_translated_ip": {
"core": "0",
"detection": "1",
"informational": "0"
- },
- "src_host": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "src_port": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
}
}
}
}
},
- "bromium secure platform": {
- "expression": "product = \"bromium secure platform\"",
+ "cisco secure web appliance": {
+ "expression": "product = \"cisco secure web appliance\"",
+ "fields": {
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "bytes_out": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "bytes_in": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "result_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "proxy_action": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "method": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "protocol": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "category": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "mime": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user_agent": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "action": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ },
+ "activity_type": {
+ "http-session": {
+ "fields": {}
+ }
+ }
+ },
+ "cisco cloud web security": {
+ "expression": "product = \"cisco cloud web security\"",
+ "fields": {
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "action": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "method": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "bytes_out": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "bytes_in": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "result_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "protocol": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user_agent": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "category": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "mime": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "proxy_action": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ },
+ "activity_type": {
+ "http-session": {
+ "fields": {}
+ }
+ }
+ },
+ "cisco netflow": {
+ "expression": "product = \"cisco netflow\"",
"fields": {
- "src_host": {
+ "result": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "user": {
- "core": "1",
+ "src_interface": {
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "domain": {
+ "packets": {
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "src_ip": {
+ "bytes_in": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "process_name": {
+ "bytes_out": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "additional_info": {
+ "flow_end_time": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "flow_start_time": {
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "packets_in": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "packets_out": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "tcp_flags": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
}
},
"activity_type": {
- "file-download": {
+ "network-session": {
"fields": {}
+ }
+ }
+ },
+ "cisco adc": {
+ "expression": "product = \"cisco adc\"",
+ "fields": {
+ "dest_translated_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
},
- "file-upload": {
- "fields": {}
+ "dest_translated_port": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
},
- "alert-trigger": {
+ "method": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "protocol": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user_agent": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ },
+ "activity_type": {
+ "http-session": {
"fields": {}
}
}
},
- "carbon black app control": {
- "expression": "product = \"carbon black app control\"",
+ "cisco secure email": {
+ "expression": "product = \"cisco secure email\"",
"fields": {
- "domain": {
+ "src_ip": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "user": {
- "core": "1",
- "detection": "0",
+ "alert_id": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "alert_severity": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "alert_type": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "alert_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "direction": {
+ "core": "0",
+ "detection": "1",
"informational": "0"
}
},
"activity_type": {
- "endpoint-login": {
+ "email-send": {
+ "fields": {}
+ },
+ "email-receive": {
+ "fields": {}
+ }
+ }
+ },
+ "aci": {
+ "expression": "product = \"aci\"",
+ "fields": {},
+ "activity_type": {
+ "app-login": {
"fields": {
- "src_host": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
"src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
- },
- "dest_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "event_code": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
}
}
},
- "endpoint-lock": {
+ "configuration-modify": {
"fields": {
- "src_host": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "event_code": {
- "core": "0",
+ "user": {
+ "core": "1",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "endpoint-unlock": {
- "fields": {
- "src_host": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_ip": {
- "core": "0",
- "detection": "1",
"informational": "0"
},
- "event_code": {
- "Status": "Legacy",
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "1"
}
}
+ }
+ }
+ },
+ "citrix sharefile": {
+ "expression": "product = \"citrix sharefile\"",
+ "fields": {
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
},
- "network-session": {
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "event_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "country_code": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "operation": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "uri_path": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "action": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "company": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ },
+ "activity_type": {
+ "file-upload": {
+ "fields": {}
+ },
+ "file-download": {
+ "fields": {}
+ },
+ "app-login": {
+ "fields": {}
+ },
+ "file-share": {
"fields": {
- "process_name": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_path": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_dir": {
+ "target": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "process_command_line": {
+ }
+ }
+ },
+ "app-activity": {
+ "fields": {
+ "file_path": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_id": {
+ "file_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "action": {
+ "file_dir": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "parent_process_command_line": {
+ "file_ext": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "parent_process_id": {
+ }
+ }
+ }
+ }
+ },
+ "citrix gateway": {
+ "expression": "product = \"citrix gateway\"",
+ "fields": {},
+ "activity_type": {
+ "vpn-login": {
+ "fields": {
+ "user_agent": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_guid": {
+ "realm": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "parent_process_guid": {
+ "dest_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "alert_id": {
+ "src_host": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "sensor_id": {
+ "dest_host": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "hash_md5": {
+ "session_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "web_domain": {
+ "vpn_client_type": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_name": {
+ "src_translated_ip": {
"Status": "Default",
"core": "0",
"detection": "0",
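Review bot: "ip_protocl_id" (the key added directly after "ioc_number" in the first product block) reads as a typo for "ip_protocol_id"; a misspelled key here will not line up with the correctly spelled field name anywhere else, so please fix it before merge. In that same block ten added fields ("ingress_interface", "ingress_security_zone", "ioc_number", "ip_protocl_id", "policy", "record_type", "rule_id", "sensor", "src_country", "user_id") and, under "cisco ios" / "configuration-modify", "event_category", "event_name", "user" and "event_code" all end up with "core", "detection" and "informational" set to "0" and no "enriched" attribute, which leaves them in no classification at all; confirm that all-zero is intended rather than a placeholder left from the edit. This hunk also introduces the new "enriched": "1" attribute (on "local_user_name" and "domain_user_name") without any note on what it means relative to "informational", so a one-line description of its semantics belongs with this change. Finally, "Status" is applied unevenly within single blocks: "protocol" under the first product carries "Status": "Legacy" while its siblings have no "Status" key, and in "anyconnect" / "vpn-logout" only "session_duration" and "realm" are annotated; if a missing "Status" is meant to read as Default, state that convention, otherwise annotate the remaining fields.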
@@ -15619,399 +27085,301 @@
}
}
},
- "process-create": {
+ "vpn-logout": {
"fields": {
- "action": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "process_guid": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "alert_id": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "sensor_id": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "hash_md5": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "arg": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "additional_info": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
"event_name": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "file_path": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "file_name": {
- "Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "policy": {
- "Status": "Default",
+ "src_port": {
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "dest_ip": {
- "Status": "Default",
+ "dest_port": {
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- },
- "file-write": {
- "fields": {
- "process_name": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
},
- "process_path": {
- "Status": "Legacy",
+ "duration": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "process_dir": {
+ "bytes_out": {
"Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "process_command_line": {
+ "bytes_in": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "process_id": {
+ "source_connection_id": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "action": {
+ "dest_ip": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "parent_process_command_line": {
+ "src_host": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "parent_process_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "process_guid": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "parent_process_guid": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "alert_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "additional_info": {
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_type": {
- "Status": "Legacy",
+ "session_id": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_host": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
+ "vpn_client_type": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "event_code": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "file_hash": {
+ "src_translated_ip": {
"core": "0",
"detection": "1",
"informational": "0"
- },
- "policy": {
+ }
+ }
+ },
+ "vpn-session": {
+ "fields": {
+ "event_name": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "alert_severity": {
+ "src_port": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "event_name": {
+ "dest_translated_ip": {
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- },
- "file-read": {
- "fields": {
- "process_name": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
},
- "process_path": {
- "Status": "Legacy",
+ "dest_port": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "process_dir": {
- "Status": "Legacy",
+ "duration": {
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "process_command_line": {
+ "bytes_out": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "process_id": {
+ "bytes_in": {
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
"action": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "parent_process_command_line": {
+ "access_group": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "parent_process_id": {
+ "session_id": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_guid": {
+ "src_translated_ip": {
"core": "0",
- "detection": "0",
- "informational": "1"
- },
- "parent_process_guid": {
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "process-create": {
+ "fields": {
+ "user": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "alert_id": {
+ "process_command_line": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_name": {
+ "dest_ip": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
}
}
},
- "file-delete": {
+ "vpn-authentication": {
"fields": {
- "process_name": {
- "Status": "Legacy",
+ "event_category": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_path": {
- "Status": "Legacy",
+ "action": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_dir": {
- "Status": "Legacy",
+ "event_name": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_command_line": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "process_id": {
+ "session_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "action": {
+ "dest_host": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "parent_process_command_line": {
+ "dest_ip": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "parent_process_id": {
+ "dest_port": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_guid": {
+ "method": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "parent_process_guid": {
+ "uri": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "alert_id": {
+ "object": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_name": {
+ "src_host": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
}
}
},
- "peripheral_storage-insert": {
+ "http-session": {
"fields": {
- "dest_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "activity_details": {
+ "protocol": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_code": {
+ "result_code": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_name": {
- "Status": "Legacy",
+ "dest_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "network-session": {
+ "fields": {
+ "event_name": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_path": {
- "Status": "Legacy",
+ "dest_translated_ip": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_dir": {
+ "dest_translated_port": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "event_name": {
+ "src_translated_ip": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "peripheral_storage-remove": {
- "fields": {
- "dest_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
},
- "activity_details": {
+ "src_translated_port": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_name": {
+ "bytes_out": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "app-login": {
- "fields": {
- "dest_ip": {
+ },
+ "bytes_in": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "src_ip": {
+ "operation": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "email_domain": {
+ "result": {
"Status": "Default",
"core": "0",
"detection": "0",
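Review bot: the tail of this hunk replaces `peripheral_storage-insert`, `peripheral_storage-remove` and `app-login` with `http-session` and `network-session`, which silently drops three activity types for this product (together with the `process_name`/`process_path` fields marked `"Status": "Legacy"`); any detection content keyed on those activity types for this product will stop matching, so please confirm this is an intentional removal rather than a move and state it in the commit message. The hunk also adds `"Status": "Default"` to every field it touches; it is worth confirming the rest of the file gets the same treatment, otherwise readers have to guess whether a missing `Status` means Default.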
@@ -16021,933 +27389,1168 @@
}
}
},
- "carbon black edr": {
- "expression": "product = \"carbon black edr\"",
+ "citrix virtual apps": {
+ "expression": "product = \"citrix virtual apps\"",
"fields": {
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
"alert_id": {
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
+ },
+ "os": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "protocol": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "event_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
},
+ "src_translated_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ },
+ "activity_type": {
+ "app-login": {
+ "fields": {}
+ }
+ }
+ },
+ "citrix virtual desktop": {
+ "expression": "product = \"citrix virtual desktop\"",
+ "fields": {
"dest_ip": {
- "core": "1",
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "process_guid": {
+ "src_host": {
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "process_name": {
+ "src_ip": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "process_path": {
+ "login_type_text": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "process_dir": {
+ "catalog": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "process_id": {
+ "user_sid": {
"core": "0",
"detection": "0",
"informational": "1"
+ }
+ },
+ "activity_type": {
+ "endpoint-login": {
+ "fields": {}
+ }
+ }
+ },
+ "citrix endpoint management": {
+ "expression": "product = \"citrix endpoint management\"",
+ "fields": {
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
},
- "parent_process_guid": {
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "operation": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user_agent": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "session_id": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "device_id": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "1"
+ }
+ },
+ "activity_type": {
+ "app-login": {
+ "fields": {}
+ }
+ }
+ },
+ "citrix web app firewall": {
+ "expression": "product = \"citrix web app firewall\"",
+ "fields": {
+ "interface_in": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
},
- "src_host": {
+ "event_name": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "process_command_line": {
+ "event_code": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "domain": {
+ "alert_id": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "user": {
+ "rule": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "result": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "action": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "alert_name": {
"core": "0",
"detection": "1",
"informational": "0"
}
},
"activity_type": {
- "process-create": {
+ "http-session": {
+ "fields": {}
+ }
+ }
+ },
+ "falcon": {
+ "expression": "product = falcon",
+ "fields": {
+ "user": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "aid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "file-write": {
"fields": {
- "parent_process_guid": {
- "Status": "Default",
+ "device_id": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "new_hash": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "device_id": {
- "Status": "Default",
+ "alert_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "process_command_line": {
- "Status": "Default",
+ "file_type": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "domain": {
- "Status": "Default",
+ "additional_info": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "user": {
- "Status": "Default",
+ "dest_port": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "access": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "sensor_id": {
- "Status": "Default",
+ "src_host": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
+ },
+ "alert_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_port": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "category": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "protocol": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "alert_severity": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
},
"hash_md5": {
- "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_host": {
- "Status": "Default",
+ "os": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "user_sid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "session_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "process_command_line": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "process_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "bytes": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "falcon_host_link": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "old_hash": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "process_guid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "event_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "hash_sha256": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "event_code": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
}
}
},
- "file-write": {
+ "file-read": {
"fields": {
- "parent_process_name": {
+ "alert_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "dest_port": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "access": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "object": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_host": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "parent_process_path": {
+ "alert_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_port": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "category": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "parent_process_dir": {
+ "protocol": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "parent_process_command_line": {
+ "alert_severity": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "parent_process_id": {
+ "hash_md5": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "network-session": {
- "fields": {
- "parent_process_name": {
- "Status": "Default",
+ "informational": "0"
+ },
+ "os": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "parent_process_path": {
- "Status": "Default",
+ "user_sid": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "parent_process_dir": {
- "Status": "Default",
+ "session_id": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "parent_process_command_line": {
- "Status": "Default",
+ "process_command_line": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "parent_process_id": {
- "Status": "Default",
+ "process_id": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- }
- }
- },
- "carbon black cloud endpoint standard": {
- "expression": "product = \"carbon black ces\"",
- "fields": {
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "user": {
- "core": "1",
- "detection": "0",
- "informational": "0"
- }
- },
- "activity_type": {
- "file-read": {
- "fields": {
- "src_host": {
+ "informational": "0"
+ },
+ "bytes": {
"Status": "Legacy",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "alert_name": {
+ "falcon_host_link": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "alert_severity": {
+ "old_hash": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "alert_type": {
+ "src_ip": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "process_name": {
- "Status": "Legacy",
+ "process_guid": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "process_path": {
- "Status": "Legacy",
+ "event_name": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "process_dir": {
- "Status": "Legacy",
+ "hash_sha256": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "web_domain": {
+ "event_code": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
- },
- "dest_ip": {
+ }
+ }
+ },
+ "file-download": {
+ "fields": {
+ "src_port": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "alert_id": {
+ "src_host": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "parent_md5hash": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "parent_hash_sha256": {
+ "old_hash": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "target_hash_sha256": {
+ "new_hash": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "target_md5hash": {
+ "dest_ip": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "selected_md5hash": {
+ "process_guid": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "selected_hash_sha256": {
+ "event_name": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
"hash_sha256": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "hash_md5": {
+ "event_code": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
}
}
},
- "file-write": {
+ "file-delete": {
"fields": {
- "src_host": {
+ "alert_name": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "alert_name": {
+ "access": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "alert_severity": {
+ "src_host": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "alert_type": {
+ "alert_id": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "process_name": {
- "Status": "Legacy",
+ "hash_md5": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "process_path": {
- "Status": "Legacy",
+ "os": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "process_dir": {
- "Status": "Legacy",
+ "user_sid": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "web_domain": {
+ "session_id": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "dest_ip": {
+ "process_command_line": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "alert_id": {
+ "process_id": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "parent_md5hash": {
+ "bytes": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "parent_hash_sha256": {
+ "falcon_host_link": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "target_hash_sha256": {
+ "old_hash": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "target_md5hash": {
+ "src_ip": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "selected_md5hash": {
+ "process_guid": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "selected_hash_sha256": {
+ "event_name": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
"hash_sha256": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "hash_md5": {
+ "event_code": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
}
}
},
- "process-create": {
+ "app-login": {
"fields": {
- "dest_ip": {
+ "src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "file_path": {
+ "event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_name": {
+ "session_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_dir": {
+ "activity_details": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
+ }
+ }
+ },
+ "process-create": {
+ "fields": {
+ "dest_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
},
- "parent_md5hash": {
+ "event_code": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "parent_hash_sha256": {
+ "process_command_line": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "target_hash_sha256": {
+ "process_guid": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "target_md5hash": {
+ "hash_md5": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "selected_md5hash": {
+ "parent_process_guid": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "selected_hash_sha256": {
+ "user_sid": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "hash_sha256": {
+ "log_severity": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "hash_md5": {
+ "hash_sha256": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "network-session": {
- "fields": {
- "src_host": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
},
- "alert_name": {
+ "file_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "alert_severity": {
+ "grandparent_process_path": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "alert_type": {
+ "service_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_name": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_path": {
+ "os": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_dir": {
+ "src_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "web_domain": {
+ "session_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_path": {
+ "old_hash": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_name": {
+ "bytes": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_dir": {
+ "falcon_host_link": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "alert_id": {
+ "file_path": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "parent_md5hash": {
+ "file_ext": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "parent_hash_sha256": {
+ "file_dir": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "target_hash_sha256": {
- "Status": "Default",
+ }
+ }
+ },
+ "scheduled_task-create": {
+ "fields": {
+ "event_code": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "target_md5hash": {
- "Status": "Default",
+ "file_path": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "selected_md5hash": {
- "Status": "Default",
+ "file_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "selected_hash_sha256": {
- "Status": "Default",
+ "file_ext": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "hash_sha256": {
- "Status": "Default",
+ "file_dir": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "hash_md5": {
- "Status": "Default",
+ "src_ip": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
}
}
},
- "app-login": {
- "fields": {}
- }
- }
- },
- "check point ngfw": {
- "expression": "product = \"check point ngfw\"",
- "fields": {
- "dest_ip": {
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "user": {
- "core": "0",
- "detection": "1",
- "informational": "0"
+ "configuration-modify": {
+ "fields": {
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "object": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
},
- "src_host": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- },
- "activity_type": {
- "network-traffic": {
+ "peripheral_storage-insert": {
"fields": {
- "result": {
- "Status": "Default",
+ "vendor_id": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "outzone": {
- "Status": "Default",
+ "event_code": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "inzone": {
- "Status": "Default",
+ "process_id": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "log_uid": {
- "Status": "Default",
+ "file_path": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "service_id": {
- "Status": "Default",
+ "file_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "peer_gateway": {
- "Status": "Default",
+ "file_ext": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "users": {
- "Status": "Default",
+ "file_dir": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "policy": {
- "Status": "Default",
+ "src_ip": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "rule_id": {
- "Status": "Default",
+ "alert_id": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "app_protocol": {
- "Status": "Default",
+ "operation": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "interface_name": {
- "Status": "Default",
+ "activity_details": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
+ },
+ "peripheral_storage-remove": {
+ "fields": {
+ "event_code": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "action": {
- "Status": "Default",
+ "file_path": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "product_name": {
- "Status": "Default",
+ "file_name": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "file_ext": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "rule": {
- "Status": "Default",
+ "file_dir": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "direction": {
- "Status": "Default",
+ "src_ip": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
+ },
+ "alert_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "activity_details": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
+ },
+ "dns-request": {
+ "fields": {
+ "aip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "event_code": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
},
- "src_translated_ip": {
- "Status": "Default",
+ "process_guid": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "src_translated_port": {
- "Status": "Default",
+ "dns_response": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_translated_ip": {
- "Status": "Default",
+ "domain": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_translated_port": {
- "Status": "Default",
+ "category": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_host": {
- "Status": "Default",
+ "protocol": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "origin_ip": {
- "Status": "Default",
+ "file_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "origin_name": {
- "Status": "Default",
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "alert_severity": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "community": {
- "Status": "Default",
+ "alert_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
"additional_info": {
- "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "rule_uid": {
- "Status": "Default",
+ "hash_md5": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
}
}
},
- "network-session": {
+ "endpoint-login": {
"fields": {
- "bytes_in": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "bytes_out": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_interface": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "user_ou": {
+ "user_sid": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "alert_severity": {
+ "event_code": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "department": {
+ "aip": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "company": {
+ "event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operating_system": {
+ "auth_package": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "users": {
+ "auth_server": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "policy": {
+ "src_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "rule_id": {
+ "session_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "app_protocol": {
+ "hash_md5": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "action": {
+ "hash_sha256": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "product_name": {
+ "process_command_line": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "rule": {
+ "process_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "direction": {
+ "file_path": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_translated_ip": {
+ "file_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_translated_port": {
+ "file_ext": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_translated_ip": {
+ "file_dir": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_translated_port": {
+ "old_hash": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_host": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "origin_ip": {
+ "process_guid": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "origin_name": {
+ "bytes": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "interface_name": {
+ "falcon_host_link": {
"Status": "Default",
"core": "0",
"detection": "0",
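Review bot: the expression for the new `falcon` product, `"expression": "product = falcon"`, leaves the value unquoted, while every other expression in this hunk escapes it (`"expression": "product = \"citrix virtual apps\""`); unless the expression language treats bare words as strings this will not match and should read `"product = \"falcon\""`. Second, most fields in the new `falcon` `file-write`, `file-read`, `file-download`, `file-delete`, `configuration-modify`, `peripheral_storage-*` and `dns-request` blocks (e.g. `new_hash`, `alert_name`, `hash_sha256`) carry `core`, `detection` and `informational` all set to `"0"`, which no other entry in the file does; if these are placeholders awaiting classification, say so in the commit message, otherwise a field flagged as none of the three contributes nothing and could be dropped. Finally, the hunk deletes the `carbon black edr`, `carbon black cloud endpoint standard` and `check point ngfw` products outright; please confirm they were relocated elsewhere in the file rather than removed.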
@@ -16955,105 +28558,129 @@
}
}
},
- "email-receive": {
+ "app-activity": {
"fields": {
- "app_protocol": {
+ "resource": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "interface_name": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "action": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "product_name": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_port": {
+ "user": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "dest_port": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "protocol": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "rule": {
+ "src_ip": {
"Status": "Default",
"core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "group-member-add": {
+ "fields": {
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "Status": "Legacy",
+ "core": "0",
"detection": "0",
"informational": "1"
},
- "direction": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "src_translated_ip": {
- "Status": "Default",
+ "src_ip": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "src_translated_port": {
- "Status": "Default",
+ "operation": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
+ }
+ }
+ },
+ "user-role-assign": {
+ "fields": {
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
},
- "dest_translated_ip": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_translated_port": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "dest_host": {
+ "src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "origin_ip": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "origin_name": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "rule_id": {
+ "event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
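Review bot: the `domain_user_name` entries in `app-activity`, `group-member-add` and `user-role-assign` introduce a new `"enriched": "1"` key and omit the `Status` key that their sibling fields carry; confirm that the consumer of this file accepts `enriched` (it appears on no other field type here) and decide whether a missing `Status` is meant to differ from `"Default"`, since the two conventions are now mixed inside one `fields` block. Also, `user` in `group-member-add` is marked `"Status": "Legacy"` while being that block's only `"core": "1"` field; a core field flagged Legacy reads as contradictory and deserves either a comment or a status change.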
@@ -17061,1190 +28688,1191 @@
}
}
},
- "vpn-login": {
+ "user-role-revoke": {
"fields": {
- "auth_method": {
+ "user": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "policy": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes_in": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "bytes_out": {
+ "src_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "src_interface": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user_ou": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "alert_severity": {
+ "event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "department": {
- "Status": "Default",
- "core": "0",
+ }
+ }
+ },
+ "user-modify": {
+ "fields": {
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "company": {
- "Status": "Default",
+ "domain": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operating_system": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "rule_id": {
- "Status": "Default",
+ "src_ip": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "app_protocol": {
- "Status": "Default",
+ "operation": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "action": {
- "Status": "Default",
+ "app": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "product_name": {
- "Status": "Default",
+ "event_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
+ }
+ }
+ },
+ "user-create": {
+ "fields": {
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
},
- "src_port": {
- "Status": "Default",
+ "domain": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_port": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "protocol": {
- "Status": "Default",
+ "src_ip": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "rule": {
- "Status": "Default",
+ "operation": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "direction": {
- "Status": "Default",
+ "app": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "src_translated_ip": {
- "Status": "Default",
+ "event_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
+ }
+ }
+ },
+ "user-delete": {
+ "fields": {
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
},
- "src_translated_port": {
- "Status": "Default",
+ "domain": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_translated_ip": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "dest_translated_port": {
- "Status": "Default",
+ "src_ip": {
"core": "0",
"detection": "0",
- "informational": "1"
- },
- "dest_host": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
"informational": "0"
},
- "origin_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "origin_name": {
- "Status": "Default",
+ "operation": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "tunnel_protocol": {
- "Status": "Default",
+ "app": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "interface_name": {
- "Status": "Default",
+ "event_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
}
}
},
- "endpoint-login": {
+ "network-traffic": {
"fields": {
- "bytes_in": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes_out": {
+ "category": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "department": {
+ "file_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "company": {
+ "src_host": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "operating_system": {
+ "alert_severity": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user_ou": {
+ "alert_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "action": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "product_name": {
+ "hash_md5": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_port": {
+ "direction": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_port": {
+ "process_guid": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "protocol": {
+ "event_code": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "rule": {
+ "process_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "direction": {
- "Status": "Default",
+ }
+ }
+ },
+ "alert-trigger": {
+ "fields": {
+ "grandparent_image_filename": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "src_translated_ip": {
- "Status": "Default",
+ "grandparent_command_line": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "src_translated_port": {
- "Status": "Default",
+ "parent_image_filename": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_translated_ip": {
- "Status": "Default",
+ "parent_process_command_line": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_translated_port": {
- "Status": "Default",
+ "image_file_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "origin_ip": {
- "Status": "Default",
+ "process_command_line": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "origin_name": {
- "Status": "Default",
+ "falcon_host_link": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "process_name": {
- "Status": "Default",
+ "hash_sha256": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "additional_info": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "endpoint-authentication": {
- "fields": {
- "bytes_in": {
- "Status": "Default",
+ "pattern_disposition_description": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "bytes_out": {
- "Status": "Default",
+ "quarantine_file": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "department": {
- "Status": "Default",
+ "quarantine_machine": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "company": {
- "Status": "Default",
+ "detect": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "operating_system": {
- "Status": "Default",
+ "operation_blocked": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "user_ou": {
- "Status": "Default",
+ "kill_parent": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "action": {
- "Status": "Default",
+ "indicator": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "product_name": {
- "Status": "Default",
+ "kill_process": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "src_port": {
- "Status": "Default",
+ "process_blocked": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_port": {
- "Status": "Default",
+ "policy_disabled": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "protocol": {
- "Status": "Default",
+ "sensor_only": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "rule": {
- "Status": "Default",
+ "kill_sub_process": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "direction": {
- "Status": "Default",
+ "inddet_mask": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "src_translated_ip": {
- "Status": "Default",
+ "rooting": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "src_translated_port": {
- "Status": "Default",
+ "critical_process_disabled": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_translated_ip": {
- "Status": "Default",
+ "fs_operation_blocked": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_translated_port": {
- "Status": "Default",
+ "registry_operation_blocked": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "origin_ip": {
- "Status": "Default",
+ "bootup_safeguard_enabled": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "origin_name": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "vpn-logout": {
- "fields": {
- "bytes_in": {
+ "additional_info": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "bytes_out": {
+ "dest_host": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "operating_system": {
- "core": "0",
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "user_ou": {
+ "domain": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "department": {
+ "file_name": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "file_path": {
+ "Status": "Legacy",
"core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "company": {
- "core": "0",
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "action": {
+ "user": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "product_name": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "src_port": {
+ "aid": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "dest_port": {
+ "app": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "protocol": {
+ "event_code": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "rule": {
+ "file_ext": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "direction": {
+ "file_dir": {
+ "Status": "Legacy",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "src_translated_ip": {
+ "target": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "src_translated_port": {
+ "new_hash": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "dest_translated_ip": {
+ "old_hash": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "dest_translated_port": {
+ "os": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "dest_host": {
+ "alert_id": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "origin_ip": {
+ "bytes": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "origin_name": {
+ "dest_port": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- },
- "app-login": {
- "fields": {
- "user_agent": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
},
- "additional_info": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "http-session": {
- "fields": {
- "protocol": {
- "Status": "Default",
+ "event_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "additional_info": {
- "Status": "Default",
+ "hash_md5": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "full_name": {
- "Status": "Default",
+ "parent_process_guid": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "direction": {
- "Status": "Default",
+ "process_id": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "origin_ip": {
- "Status": "Default",
+ "process_path": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "origin_name": {
- "Status": "Default",
+ "process_guid": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "product_name": {
- "Status": "Default",
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "rule_id": {
- "Status": "Default",
+ "sensor_id": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "interface_name": {
- "Status": "Default",
+ "src_port": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "service_name": {
- "Status": "Default",
+ "user_sid": {
"core": "0",
"detection": "0",
- "informational": "1"
- },
- "rule": {
- "Status": "Default",
+ "informational": "0"
+ }
+ }
+ }
+ }
+ },
+ "cyberark endpoint privilege manager": {
+ "expression": "product = \"cyberark endpoint privilege manager\"",
+ "fields": {
+ "event_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "policy": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_path": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_dir": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "object_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "user-privilege-use": {
+ "fields": {}
+ },
+ "alert-trigger": {
+ "fields": {
+ "process_command_line": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "src_translated_ip": {
- "Status": "Default",
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "file_name": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "src_translated_port": {
- "Status": "Default",
+ "file_path": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_translated_ip": {
- "Status": "Default",
+ "file_dir": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_translated_port": {
- "Status": "Default",
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "operating_system": {
- "Status": "Default",
+ "process_path": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "email-send": {
- "fields": {
- "direction": {
- "Status": "Default",
+ "detection": "1",
+ "informational": "0"
+ },
+ "parent_process_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "src_interface": {
- "Status": "Default",
+ "hash_sha256": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "message_id": {
- "Status": "Default",
+ "user": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
}
}
}
}
},
- "check point security gateway": {
- "expression": "product = \"check point security gateway\"",
+ "cyberark privilege access manager": {
+ "expression": "product = \"cyberark privilege access manager\"",
"fields": {
- "action": {
+ "event_code": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "event_name": {
+ "src_ip": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "src_host": {
+ "safe_value": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "src_ip": {
+ "dest_ip": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "src_country_code": {
+ "dest_host": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "src_translated_ip": {
+ "dest_service_name": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "dest_ip": {
+ "dest_port": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
}
},
"activity_type": {
- "vpn-login": {
+ "user-password-read": {
"fields": {
- "src_translated_ipnum": {
- "Status": "Default",
+ "gateway_station": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "operating_system": {
- "Status": "Default",
+ "src_host": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
- "Status": "Default",
+ "session_id": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_port": {
- "Status": "Default",
+ "command": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "authentication_type": {
- "Status": "Default",
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user_ou": {
- "Status": "Default",
- "core": "0",
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "realm": {
- "Status": "Default",
+ "domain": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "direction": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "src_port": {
- "Status": "Default",
+ "event_code": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
}
}
},
- "vpn-logout": {
+ "app-login": {
"fields": {
- "session_duration": {
- "Status": "Legacy",
+ "event_subtype": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_host": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "dest_host": {
- "Status": "Legacy",
+ "event_code": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user_ou": {
+ "src_ip": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- },
- "vpn-authentication": {
- "fields": {
- "auth_method": {
+ },
+ "protocol": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operating_system": {
+ "url": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
- }
- }
- },
- "check point identity awareness": {
- "expression": "product = \"check point identity awareness\"",
- "fields": {
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_port": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_port": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "protocol": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "direction": {
- "core": "0",
- "detection": "1",
- "informational": "0"
},
- "event_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "user-password-modify": {
+ "fields": {
+ "src_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
},
- "log_uid": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "user-password-reset": {
+ "fields": {
+ "src_host": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
},
- "origin_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
+ "file-delete": {
+ "fields": {
+ "src_host": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "record_type": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "safe_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "device_type": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "db_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
},
- "action": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- },
- "activity_type": {
- "vpn-login": {
+ "file-read": {
"fields": {
- "operation": {
- "Status": "Default",
+ "src_host": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "user_group_name": {
- "Status": "Default",
+ "domain": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "auth_method": {
- "Status": "Default",
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "dest_host": {
- "Status": "Default",
+ "record_type": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "session_duration": {
- "Status": "Default",
+ "safe_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "additional_info": {
- "Status": "Default",
+ "device_type": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_host": {
- "Status": "Default",
+ "db_name": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "user_ou": {
- "Status": "Default",
+ "additional_info": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
}
}
},
- "vpn-logout": {
+ "file-write": {
"fields": {
- "operation": {
+ "src_host": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "user_group_name": {
+ "domain": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "auth_method": {
- "core": "0",
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "dest_host": {
- "Status": "Legacy",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "session_duration": {
- "Status": "Legacy",
+ "record_type": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "additional_info": {
+ "safe_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "device_type": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_host": {
+ "db_name": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "user_ou": {
+ "additional_info": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
}
}
},
- "network-traffic": {
+ "file-permission-modify": {
"fields": {
- "src_interface": {
- "Status": "Default",
+ "src_host": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "user_uid": {
- "Status": "Default",
+ "domain": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
"user": {
- "Status": "Default",
+ "Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
- }
- }
- }
- }
- },
- "cisco umbrella": {
- "expression": "product = \"cisco umbrella\"",
- "fields": {
- "dest_host": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "category": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- },
- "activity_type": {
- "dns-response": {
- "fields": {
- "src_host": {
- "Status": "Legacy",
+ },
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "identities": {
+ "record_type": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "categories": {
+ "safe_name": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
+ "device_type": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "domain": {
+ "db_name": {
"core": "0",
- "detection": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
}
}
},
- "http-session": {
+ "endpoint-login": {
"fields": {
- "result_code": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "protocol": {
+ "src_host": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "sha": {
+ "process_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "identity_type": {
+ "command": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "categories": {
+ }
+ }
+ },
+ "app-activity": {
+ "fields": {
+ "file_path": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "domain": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "network-traffic": {
- "fields": {}
- }
- }
- },
- "cisco adaptive security appliance": {
- "expression": "product = \"cisco asa\"",
- "fields": {
- "event_code": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- },
- "activity_type": {
- "app-authentication": {
- "fields": {
- "src_mac": {
+ "file_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_interface": {
+ "file_type": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "result": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_name": {
+ "file_ext": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "vpn-login": {
- "fields": {
- "dest_host": {
+ },
+ "src_host": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "dest_ip": {
+ "user": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "src_mac": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "src_interface": {
+ "file_dir": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "result": {
+ "resource": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_name": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "realm": {
+ "process_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_translated_ip": {
+ "app_group": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_host": {
+ "event_subtype": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "priority": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
+ }
+ }
+ },
+ "app-notification": {
+ "fields": {
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
},
- "group_name": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "client_system": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "client_system_version": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
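Review bot: a large number of the entries this hunk adds carry `"core": "0"`, `"detection": "0"`, `"informational": "0"` and nothing else (for example `src_ip`, `operation`, `app` and `event_name` under `user-create` and `user-delete`, `gateway_station`, `session_id` and `command` under `user-password-read`, and `src_host` under `user-password-reset`), so those fields belong to no category at all; either assign them one or document that an all-zero entry means "parsed but unclassified", because the sibling `user-password-modify` maps the same `src_host` with `"detection": "1"` and the difference looks accidental. The `domain_user_name` entries also introduce a new `"enriched": "1"` key that no other field uses and drop `Status`; if `enriched` is a new schema key it should be documented alongside `core`/`detection`/`informational`. Separately, this hunk deletes the `check point security gateway`, `check point identity awareness`, `cisco umbrella` and `cisco adaptive security appliance` product blocks and all of their activity types without an equivalent addition visible here; please confirm they are intentionally dropped rather than moved, and confirm that `user-privilege-use` for `cyberark endpoint privilege manager` is meant to ship with `"fields": {}`. Finally, the four `file-*` activity types under `cyberark privilege access manager` carry the same nine fields but classify `device_type` as `"Status": "Legacy"`, `"informational": "1"` in `file-read` and `file-write` and as all zeros in `file-delete` and `file-permission-modify`; pick one.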
@@ -18252,67 +29880,45 @@
}
}
},
- "app-login": {
+ "password-use": {
"fields": {
- "priority": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_ip": {
- "Status": "Default",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "auth": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_host": {
+ "command": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "additional_info": {
+ "process_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_name": {
+ "protocol": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "vpn-authentication": {
- "fields": {
- "dest_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
},
- "dest_host": {
+ "src_host": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "event_name": {
+ "session_id": {
"Status": "Default",
"core": "0",
"detection": "0",
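Review bot: `password-use` under `cyberark privilege access manager` maps `domain` but no `user` and no `domain_user_name`, while every sibling activity type that carries `domain` in this product (`file-delete`, `file-read`, `file-write`, `file-permission-modify`, `app-notification`) pairs it with `user` and the `domain_user_name` enrichment; without a `user` field the enrichment has nothing to join and a password-use event cannot be attributed to an account for detection. If the source event does carry the account, add a `user` entry matching the siblings (for example `"user": { "Status": "Default", "core": "0", "detection": "1", "informational": "0" }`) plus the `domain_user_name` entry; if it does not, a comment or the Status value should say so, since the only detection-weighted field left here is `src_host`.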
@@ -18320,280 +29926,649 @@
}
}
},
- "vpn-logout": {
+ "password-create": {
"fields": {
- "group_name": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "realm": {
- "Status": "Legacy",
+ "domain": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "priority": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_host": {
- "Status": "Legacy",
+ "operation": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "session_hour": {
+ "command": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "session_min": {
+ "process_name": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "session_sec": {
+ "protocol": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes_in": {
+ "src_host": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "bytes_out": {
- "Status": "Legacy",
+ "session_id": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "file-property-delete": {
+ "fields": {
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "src_translated_ip": {
+ "user": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "session_day": {
+ "domain": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
- "network-traffic": {
+ "app-logout": {
"fields": {
- "direction": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "connection_id": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "dest_interface": {
- "Status": "Default",
+ }
+ }
+ }
+ }
+ },
+ "zoom": {
+ "expression": "product = \"zoom\"",
+ "fields": {
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "meeting-start": {
+ "fields": {
+ "meeting_topic": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_host": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_translated_ip": {
- "Status": "Default",
+ "meeting_type": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_translated_host": {
- "Status": "Default",
+ "meeting_timezone": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_translated_port": {
- "Status": "Default",
+ "meeting_number": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "src_interface": {
- "Status": "Default",
+ }
+ }
+ },
+ "meeting-create": {
+ "fields": {
+ "meeting_topic": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_host": {
- "Status": "Default",
+ "meeting_type": {
+ "Status": "Legacy",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "src_translated_ip": {
- "Status": "Default",
+ "meeting_timezone": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_translated_host": {
- "Status": "Default",
+ "meeting_duration": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_translated_port": {
- "Status": "Default",
+ "meeting_number": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "user": {
- "Status": "Default",
+ }
+ }
+ },
+ "meeting-member-join": {
+ "fields": {
+ "meeting_topic": {
+ "Status": "Legacy",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "event_name": {
- "Status": "Default",
+ "meeting_type": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "duration": {
- "Status": "Default",
+ "meeting_timezone": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "domain": {
- "Status": "Default",
+ "member_id": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "operation": {
- "Status": "Default",
+ "meeting_number": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
}
}
},
- "dns-response": {
+ "meeting-modify": {
"fields": {
- "priority": {
+ "old_password": {
+ "Status": "Legacy",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "event_name": {
+ "new_password": {
+ "Status": "Legacy",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
+ },
+ "meeting_number": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
}
},
- "http-session": {
+ "meeting-end": {
"fields": {
- "domain": {
- "Status": "Default",
+ "meeting_topic": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "meeting_type": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_name": {
- "Status": "Default",
+ "meeting_timezone": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "meeting_duration": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "meeting_number": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
}
}
},
- "endpoint-authentication": {
+ "app-login": {
"fields": {
+ "additional_info": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
"src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "priority": {
+ "client_type": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_name": {
+ "app_version": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "dest_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
}
}
+ }
+ }
+ },
+ "zebra wlan management": {
+ "expression": "product = \"zebra wlan management\"",
+ "fields": {
+ "event_code": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "database-login": {
+ "protocol": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "app-login": {
+ "fields": {}
+ }
+ }
+ },
+ "xsuite": {
+ "expression": "product = \"xsuite\"",
+ "fields": {
+ "dest_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user_dn": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "app-login": {
+ "fields": {}
+ }
+ }
+ },
+ "xps": {
+ "expression": "product = \"xps\"",
+ "fields": {
+ "printer_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "object": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "printer-activity": {
+ "fields": {}
+ }
+ }
+ },
+ "xerox": {
+ "expression": "product = \"xerox\"",
+ "fields": {
+ "printer_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "printer_type": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "printer_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "object_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "object": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "num_pages": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "department": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "document_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "printer-activity": {
+ "fields": {}
+ }
+ }
+ },
+ "xceedium": {
+ "expression": "product = \"xceedium\"",
+ "fields": {
+ "src_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "app-login": {
"fields": {
- "priority": {
+ "result_code": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "event_name": {
+ }
+ }
+ }
+ }
+ },
+ "websense security gateway": {
+ "expression": "product = \"websense security gateway\"",
+ "fields": {
+ "user_ou": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "action": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "method": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes_in": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes_out": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "category": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "mime": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "result_code": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "category_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "disposition": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "sub_category": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "http-session": {
+ "fields": {}
+ }
+ }
+ },
+ "weblogin": {
+ "expression": "product = \"weblogin\"",
+ "fields": {
+ "action": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "sub_status": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "request_cookie": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "private_cookie": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "http-session": {
+ "fields": {}
+ }
+ }
+ },
+ "microsoft web application proxy": {
+ "expression": "product = \"microsoft web Application proxy\"",
+ "fields": {
+ "bytes_in": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes_out": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "action": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "mime": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "method": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "http-session": {
+ "fields": {}
+ }
+ }
+ },
+ "airlock waf": {
+ "expression": "product = \"airlock waf\"",
+ "fields": {
+ "action": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "http-session": {
+ "fields": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
+ "result_code": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
}
}
},
- "process-create": {
+ "app-login": {
"fields": {
- "priority": {
+ "alert_severity": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
- "Status": "Default",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "event_name": {
+ "session_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_command_line": {
+ "src_port": {
"Status": "Default",
"core": "0",
"detection": "0",
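Review bot: the new `microsoft web application proxy` entry's expression is `product = \"microsoft web Application proxy\"` with a capital `A`, while the entry key and every other `expression` in this hunk use all-lowercase product names; if product matching is case-sensitive this entry will never match, so the value should be `product = \"microsoft web application proxy\"`. Separately, the new `meeting-modify` activity type maps `old_password` and `new_password` as `"informational": "1"` fields; if these carry the credential values rather than a flag that a change occurred, the secrets will be retained in the parsed event, so confirm they are masked or reduced to a presence indicator before merging.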
@@ -18604,405 +30579,290 @@
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- },
- "file-download": {
- "fields": {
- "priority": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
},
- "src_port": {
+ "dest_port": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
"dest_ip": {
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "dest_port": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "web_domain": {
+ "event_name": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "action": {
+ "event_code": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "user_agent": {
+ "bytes": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "protocol": {
+ "file_path": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "bytes": {
- "Status": "Legacy",
+ "file_name": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "policy": {
+ "file_ext": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "direction": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- }
- }
- },
- "cisco unified communications manager": {
- "expression": "product = \"cisco unified cm\"",
- "fields": {
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "operation": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "object": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "target": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dest_host": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "event_name": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- },
- "activity_type": {
- "app-login": {
- "fields": {}
- }
- }
- },
- "cisco firepower": {
- "expression": "product = cisco firepower",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
+ "file_dir": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "file-write": {
"fields": {
- "additional_info": {
+ "alert_severity": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "alert_description": {
+ "session_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "alert_id": {
- "Status": "Legacy",
+ "src_port": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "app_protocol": {
+ "src_ip": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "application_id": {
+ "dest_port": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "blocked": {
+ "dest_ip": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "block_type": {
+ "event_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "event_code": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"bytes": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
+ }
+ }
+ },
+ "file-delete": {
+ "fields": {
+ "alert_severity": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
},
- "bytes_in": {
+ "session_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "bytes_out": {
+ "src_port": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "classification_name": {
+ "src_ip": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "connection_counter": {
+ "dest_port": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_country": {
+ "dest_ip": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_host": {
- "Status": "Legacy",
+ "event_name": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "dest_ip": {
+ "event_code": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "user": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "dest_port": {
- "Status": "Legacy",
+ "domain": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "device_id": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
- "egress_security_zone": {
+ "bytes": {
"core": "0",
"detection": "0",
"informational": "0"
- },
- "impact": {
+ }
+ }
+ },
+ "file-upload": {
+ "fields": {
+ "alert_severity": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "ingress_interface": {
+ "session_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "ingress_security_zone": {
+ "src_port": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "ioc_number": {
+ "src_ip": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "ip_protocl_id": {
+ "dest_port": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "result": {
+ "dest_ip": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "policy": {
+ "event_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process_name": {
- "Status": "Legacy",
+ "event_code": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "protocol": {
+ "user": {
"Status": "Legacy",
- "core": "0",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "record_type": {
+ "domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "rule_id": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
- "sensor": {
+ "bytes": {
"core": "0",
"detection": "0",
"informational": "0"
- },
- "src_country": {
+ }
+ }
+ },
+ "file-download": {
+ "fields": {
+ "alert_severity": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "session_id": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
"src_port": {
- "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "user": {
- "Status": "Legacy",
+ "src_ip": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "user_id": {
+ "dest_port": {
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- }
- }
- },
- "cisco acs": {
- "expression": "product = \"cisco acs\"",
- "fields": {
- "device_vendor": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "device_version": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "operation": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "event_category": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_port": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "alert_severity": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "service_name": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dtz": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "result": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_host": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- },
- "activity_type": {
- "app-login": {
- "fields": {}
- }
- }
- },
- "cisco ios": {
- "expression": "product = \"cisco ios\"",
- "fields": {
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- },
- "activity_type": {
- "configuration-modify": {
- "fields": {
- "event_category": {
+ },
+ "dest_ip": {
"core": "0",
"detection": "0",
"informational": "0"
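Review bot: this hunk deletes the `cisco unified communications manager`, `cisco firepower`, `cisco acs` and `cisco ios` product entries outright (their `expression`, `fields` and `activity_type` blocks are removed and nothing replaces them here), so confirm these products are re-added elsewhere in the patch rather than silently dropped from the model. Also, the new `file-write`, `file-delete`, `file-upload` and `file-download` activity types list most of their fields (`alert_severity`, `session_id`, `src_port`, `src_ip`, `dest_port`, `dest_ip`, `event_name`, `event_code`, `domain`) with `core`, `detection` and `informational` all `"0"`, so they contribute to no category; if that is an intentional placeholder state it should be stated in the change description, otherwise assign a category or drop the entries.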
@@ -19012,349 +30872,495 @@
"detection": "0",
"informational": "0"
},
- "user": {
+ "event_code": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_host": {
- "core": "0",
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "event_code": {
+ "domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "domain_user_name": {
"core": "0",
"detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "bytes": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
"informational": "0"
}
}
},
"network-session": {
"fields": {
- "src_interface": {
+ "alert_severity": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "packets": {
+ "session_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "process-create": {
- "fields": {
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "endpoint-login": {
- "fields": {
- "event_code": {
+ },
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_port": {
+ "event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- }
- }
- },
- "cisco dhcp": {
- "expression": "product = \"cisco dhcp\"",
- "fields": {
- "dest_host": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "user": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- },
- "activity_type": {
- "dhcp-session": {
- "fields": {}
- }
- }
- },
- "anyconnect": {
- "expression": "product = \"any connect\"",
- "fields": {
- "dest_host": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- },
- "activity_type": {
- "vpn-login": {
- "fields": {
- "src_translated_ip": {
+ },
+ "event_code": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "priority": {
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_code": {
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "file_path": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operating_system": {
+ "file_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "realm": {
+ "file_ext": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_ip": {
+ "file_dir": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
}
}
},
"vpn-logout": {
"fields": {
- "src_host": {
+ "alert_severity": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "session_duration": {
- "Status": "Legacy",
+ "session_id": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "realm": {
- "Status": "Legacy",
+ "src_port": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
"dest_port": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
"dest_ip": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
- }
- }
- },
- "network-session": {
- "fields": {
- "bytes_in": {
- "Status": "Default",
+ },
+ "event_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "bytes_out": {
- "Status": "Default",
+ "event_code": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "packet_rate": {
- "Status": "Default",
+ "bytes": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "process_name": {
+ "file_path": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "file_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "file_ext": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "file_dir": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
+ }
+ }
+ },
+ "watchguard": {
+ "expression": "product = \"watchguard\"",
+ "fields": {
+ "bytes_in": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes_out": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "category": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
+ "activity_type": {
+ "http-session": {
+ "fields": {
+ "proxy_action": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "parent_process_name": {
+ }
+ }
+ },
+ "network-session": {
+ "fields": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "parent_process_hash": {
+ "event_code": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_hash": {
+ "web_domain": {
"Status": "Default",
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "1"
+ }
+ }
+ }
+ }
+ },
+ "vormetric": {
+ "expression": "product = \"vormetric\"",
+ "fields": {
+ "src_host": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "process_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_path": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_dir": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "access": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "alert_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "file-read": {
+ "fields": {}
+ },
+ "alert-trigger": {
+ "fields": {
+ "access": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
},
- "udid": {
- "Status": "Default",
+ "action": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "module_hash_names": {
- "Status": "Default",
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "virtual_station_name": {
- "Status": "Default",
+ "domain": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "operating_system": {
- "Status": "Default",
- "core": "0",
+ "file_name": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "operating_system_version": {
- "Status": "Default",
+ "file_dir": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operating_system_environment": {
- "Status": "Default",
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "system_manufacturer": {
- "Status": "Default",
+ "process_dir": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "system_type": {
- "Status": "Default",
+ "process_path": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
"user": {
- "Status": "Default",
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "domain": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "cisco meraki mx appliances": {
- "expression": "product = \"cisco meraki mx appliance\"",
- "fields": {},
+ "vmware nsx": {
+ "expression": "product = \"vmware nsx\"",
+ "fields": {
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "direction": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes_in": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes_out": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
"activity_type": {
- "network-traffic": {
+ "network-session": {
"fields": {
- "result": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "dest_country": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "aid": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "channel": {
- "Status": "Default",
+ }
+ }
+ }
+ }
+ },
+ "identiv": {
+ "expression": "product = \"identiv\"",
+ "fields": {
+ "full_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "physical_location-access": {
+ "fields": {}
+ }
+ }
+ },
+ "vectra cognito stream": {
+ "expression": "product = \"vectra cognito stream\"",
+ "fields": {
+ "src_host": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "ssh-traffic": {
+ "fields": {
+ "server_version": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "duration": {
- "Status": "Default",
+ "client_version": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dhcp_ip": {
- "Status": "Default",
+ "cipher_algorithm": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "domain": {
- "Status": "Default",
+ "compression_algotithm": {
"core": "0",
"detection": "0",
- "informational": "1"
- },
- "user": {
+ "informational": "0"
+ }
+ }
+ },
+ "app-activity": {
+ "fields": {
+ "src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "src_translated_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dest_translated_ip": {
+ "dest_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "src_translated_port": {
+ "result": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_translated_port": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
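Review bot: the new `vectra cognito stream` / `ssh-traffic` block names a field `compression_algotithm`; this looks like a typo for `compression_algorithm` (the sibling field is `cipher_algorithm`), and because field names are matched as exact strings the misspelling will either fail to map or introduce a second, divergent field name into the model, so fix it before merging. While here, this hunk also removes the `cisco dhcp` and `anyconnect` entries and the head of `cisco meraki mx appliances` without a replacement in this region, so confirm they are reinserted elsewhere in the patch.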
@@ -19362,285 +31368,465 @@
}
}
},
- "http-session": {
- "fields": {
- "protocol": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_mac": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
+ "rdp-traffic": {
+ "fields": {}
+ }
+ }
+ },
+ "vanderbilt": {
+ "expression": "product = \"vanderbilt\"",
+ "fields": {
+ "first_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "vpn-login": {
- "fields": {
- "src_translated_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
+ "last_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "vpn-logout": {
- "fields": {
- "src_translated_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
+ "result_reason": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "location_building": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "physical_location-access": {
+ "fields": {}
}
}
},
- "cisco secure web appliance": {
- "expression": "product = \"cisco secure web appliance\"",
+ "usb": {
+ "expression": "product = \"usb\"",
"fields": {
- "domain": {
+ "device_type": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
"user": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "bytes_out": {
+ "file_name": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "bytes_in": {
+ "bytes": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "peripheral_storage-activity": {
+ "fields": {}
+ }
+ }
+ },
+ "unix sendmail": {
+ "expression": "product = \"unix sendmail\"",
+ "fields": {
+ "src_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "result_code": {
+ "bytes": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "proxy_action": {
+ "bytes_unit": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "method": {
+ "alert_id": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "protocol": {
+ "num_recipients": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "category": {
+ "dest_host": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "mime": {
+ "dest_ip": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "user_agent": {
+ "protocol": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "action": {
+ "return_path": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
}
},
"activity_type": {
- "http-session": {
+ "email-send": {
+ "fields": {}
+ },
+ "email-receive": {
"fields": {}
}
}
},
- "cisco cloud web security": {
- "expression": "product = \"cisco cloud web security\"",
+ "access it universal.net": {
+ "expression": "product =\"access it universal.net\"",
"fields": {
- "src_host": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "user": {
+ "last_name": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "domain": {
+ "first_name": {
"core": "0",
- "detection": "1",
- "informational": "0"
- },
- "action": {
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "physical_location-access": {
+ "fields": {}
+ }
+ }
+ },
+ "huawei unified security gateway": {
+ "expression": "product = huawei unified security gateway",
+ "fields": {
+ "src_ip": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "app-login": {
+ "fields": {}
},
- "method": {
- "core": "0",
- "detection": "1",
- "informational": "0"
+ "vpn-login": {
+ "fields": {
+ "protocol": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_translated_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_translated_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
},
- "bytes_out": {
- "core": "0",
- "detection": "1",
- "informational": "0"
+ "process-create": {
+ "fields": {
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
},
- "bytes_in": {
+ "alert-trigger": {
+ "fields": {
+ "app": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_port": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "policy": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "protocol": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_port": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "email_address": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
+ }
+ }
+ },
+ "trapx": {
+ "expression": "product = \"trapx\"",
+ "fields": {
+ "event_code": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "result_code": {
+ "src_ip": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
"protocol": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "user_agent": {
+ "dest_ip": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "category": {
+ "domain": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "mime": {
+ "user": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "proxy_action": {
+ "domain_user_name": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"activity_type": {
- "http-session": {
- "fields": {}
+ "file-read": {
+ "fields": {
+ "dest_host": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
}
}
},
- "cisco netflow": {
- "expression": "product = \"cisco netflow\"",
+ "titanftp": {
+ "expression": "product = \"titanftp\"",
"fields": {
- "result": {
+ "dest_ip": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "src_interface": {
+ "dest_port": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "packets": {
+ "src_ip": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "bytes_in": {
+ "src_port": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "bytes_out": {
+ "user": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "flow_end_time": {
+ "bytes": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "flow_start_time": {
+ "access": {
"core": "0",
"detection": "0",
"informational": "1"
+ }
+ },
+ "activity_type": {
+ "file-read": {
+ "fields": {}
},
- "packets_in": {
+ "file-delete": {
+ "fields": {}
+ },
+ "ftp-traffic": {
+ "fields": {
+ "file_path": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "file_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "file_ext": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ }
+ }
+ },
+ "timelox": {
+ "expression": "product = \"timelox\"",
+ "fields": {
+ "door_group_name": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "packets_out": {
+ "registration_no": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "tcp_flags": {
+ "user_id": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "src_host": {
+ "blocking_group_name": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "dest_host": {
+ "version": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
+ },
+ "user_group_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
},
"activity_type": {
- "network-session": {
+ "physical_location-access": {
"fields": {}
}
}
},
- "cisco adc": {
- "expression": "product = \"cisco adc\"",
+ "terraform": {
+ "expression": "product = \"terraform\"",
"fields": {
- "dest_translated_ip": {
+ "user": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "dest_translated_port": {
+ "domain": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "method": {
+ "domain_user_name": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
},
- "protocol": {
+ "bytes": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "user_agent": {
+ "method": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
+ },
+ "action": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
},
"activity_type": {
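Review bot: the two new `expression` values at the top of this hunk do not follow the form used everywhere else in the file: `product =\"access it universal.net\"` drops the space before the quoted name, and `product = huawei unified security gateway` has no quotes at all around a multi-word name, while every other entry here is written `product = \"name\"`. If the matcher splits on whitespace, the unquoted form matches only `huawei`; suggest `"expression": "product = \"access it universal.net\""` and `"expression": "product = \"huawei unified security gateway\""`. In the same product's `alert-trigger` block, `app`, `policy` and `email_address` are all `"core": "0"`, `"detection": "0"`, `"informational": "0"` with no `"enriched"` key, so they belong to no category; either give them a flag or leave them out. Style: `Status` is the only capitalised key in these objects and is present on some fields but not others, so consumers have to treat it (and `enriched`) as optional; worth stating that in the schema description if it is not already.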
@@ -19649,186 +31835,280 @@
}
}
},
- "cisco secure email": {
- "expression": "product = \"cisco secure email\"",
+ "teradata rdbms": {
+ "expression": "product = \"teradata rdbms\"",
"fields": {
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "alert_id": {
+ "task_id": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "alert_severity": {
+ "site_id": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "alert_type": {
+ "src_ip": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "alert_name": {
+ "session_id": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "direction": {
+ "query_id": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
}
},
"activity_type": {
- "email-send": {
- "fields": {}
- },
- "email-receive": {
- "fields": {}
- }
- }
- },
- "aci": {
- "expression": "product = \"aci\"",
- "fields": {},
- "activity_type": {
- "app-login": {
+ "database-query": {
"fields": {
- "src_ip": {
- "Status": "Default",
- "core": "0",
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
- }
- }
- },
- "configuration-modify": {
- "fields": {
- "user": {
+ },
+ "db_operation": {
+ "Status": "Legacy",
"core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "db_name": {
+ "core": "0",
"detection": "0",
"informational": "0"
},
- "additional_info": {
+ "db_object": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "error_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "error_code": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
+ },
+ "database-login": {
+ "fields": {
+ "db_query": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
}
}
}
}
},
- "citrix sharefile": {
- "expression": "product = \"citrix sharefile\"",
+ "mimecast targeted threat protection - url": {
+ "expression": "product = \"mimecast targeted threat protection - url\"",
"fields": {
- "domain": {
+ "user": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "src_ip": {
+ "domain": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "event_code": {
+ "domain_user_name": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
},
- "country_code": {
+ "action": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "user": {
+ "category": {
"core": "0",
- "detection": "1",
- "informational": "0"
- },
- "operation": {
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "http-session": {
+ "fields": {}
+ }
+ }
+ },
+ "synology nas": {
+ "expression": "product = \"synology nas\"",
+ "fields": {
+ "share_name": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "uri_path": {
+ "user": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "additional_info": {
+ "domain": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "action": {
+ "src_ip": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "company": {
+ "domain_user_name": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"activity_type": {
- "file-upload": {
- "fields": {}
- },
- "file-download": {
- "fields": {}
- },
- "app-login": {
- "fields": {}
- },
- "file-share": {
+ "file-read": {
"fields": {
- "operation": {
- "Status": "Default",
+ "access": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "application": {
- "Status": "Default",
+ "bytes": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "target": {
- "Status": "Default",
+ "bytes_unit": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
}
}
},
- "app-activity": {
+ "file-write": {
"fields": {
- "file_path": {
- "Status": "Default",
+ "access": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "bytes": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "file_name": {
- "Status": "Default",
+ "bytes_unit": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
+ }
+ }
+ },
+ "file-delete": {
+ "fields": {
+ "access": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
},
- "file_dir": {
+ "bytes": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "bytes_unit": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
+ },
+ "share-access": {
+ "fields": {
+ "protocol": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "file_ext": {
+ }
+ }
+ }
+ }
+ },
+ "symmetry access control": {
+ "expression": "product = \"symmetry access control\"",
+ "fields": {
+ "full_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "employee_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "physical_location-access": {
+ "fields": {}
+ }
+ }
+ },
+ "symantec email security": {
+ "expression": "product = \"symantec email security\"",
+ "fields": {
+ "bytes": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "message_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "email-receive": {
+ "fields": {}
+ },
+ "email-send": {
+ "fields": {
+ "file_name": {
"Status": "Default",
"core": "0",
"detection": "0",
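Review bot: several fields added in this hunk carry no classification at all: `db_name`, `db_object`, `error_info` and `error_code` under `teradata rdbms` / `database-query`, and `bytes` and `bytes_unit` under each of the `synology nas` `file-read`, `file-write` and `file-delete` activity types, are `"core": "0"`, `"detection": "0"`, `"informational": "0"` with no `"enriched"` key (the synology `-`/`+` lines show `informational` being switched from "1" to "0"). Elsewhere in the diff an all-zero row only appears together with `"enriched": "1"`, so these look like placeholders; either set `"informational": "1"` as the neighbouring fields do, or drop the entries. Minor: `teradata rdbms` / `database-login` carries a `db_query` field, which is unusual on a login event; confirm the source actually emits it there.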
@@ -19838,31 +32118,58 @@
}
}
},
- "citrix gateway": {
- "expression": "product = \"citrix gateway\"",
+ "smg": {
+ "expression": "product = \"smg\"",
"fields": {},
"activity_type": {
- "vpn-login": {
+ "email-receive": {
+ "fields": {}
+ },
+ "email-send": {
+ "fields": {}
+ }
+ }
+ },
+ "sybase": {
+ "expression": "product = \"sybase\"",
+ "fields": {
+ "db_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "db_object": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "db_user": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "database_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
+ "activity_type": {
+ "database-login": {
"fields": {
- "user_agent": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "realm": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dest_ip": {
+ "src_host": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "src_host": {
+ "src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
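Review bot: `smg` is the only product key in this hunk that is an abbreviation; every other key in the diff spells the product out (`symantec email security`, `symmetry access control`, `sybase`), and its `fields` map is empty, so the entry conveys very little on its own. Confirm that the upstream product tag really is the bare string `smg`, and if so consider a fuller key or a note on the entry. Also, `sybase` classifies `db_name` and `db_object` as `"informational": "1"` at product level, whereas the previous hunk leaves the same two fields all-zero under `teradata rdbms` / `database-query`; the two should probably agree.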
@@ -19874,157 +32181,90 @@
"detection": "1",
"informational": "0"
},
- "session_id": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "vpn_client_type": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_translated_ip": {
+ "dest_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
}
}
},
- "vpn-logout": {
+ "database-query": {
"fields": {
- "event_name": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_port": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_port": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "duration": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "bytes_out": {
+ "dest_host": {
"Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "bytes_in": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "source_connection_id": {
"core": "0",
"detection": "0",
"informational": "1"
},
"dest_ip": {
"core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_host": {
- "core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "dest_host": {
+ "user": {
"Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "session_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "vpn_client_type": {
- "core": "0",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "src_translated_ip": {
- "core": "0",
+ "db_operation": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
}
}
},
- "vpn-session": {
+ "database-activity": {
"fields": {
- "event_name": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_port": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_translated_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_port": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "duration": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "bytes_out": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "bytes_in": {
+ "dest_host": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "action": {
+ "dest_ip": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "access_group": {
+ "user": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "session_id": {
+ "db_operation": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "src_translated_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
}
}
+ }
+ }
+ },
+ "pinsafe": {
+ "expression": "product = \"PINsafe\"",
+ "fields": {
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "process-create": {
+ "src_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "app-login": {
+ "fields": {}
+ },
+ "app-activity": {
"fields": {
"user": {
"Status": "Default",
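Review bot: in the `sybase` / `database-query` block, `dest_ip` ends up with `"core": "0"`, `"detection": "0"`, `"informational": "0"` and no `"enriched"` key (the `-`/`+` lines turn `detection` off without turning `informational` on), so the field is now unclassified while `dest_host` directly above it is `"informational": "1"`; suggest `"informational": "1"` or removing the entry. Separately, the new `pinsafe` entry uses `"expression": "product = \"PINsafe\""` with mixed case although the key is `pinsafe` and every other expression in the file is lowercase; if the product comparison is case-sensitive this will not match a lowercased tag, so either lowercase it or document that the match is case-insensitive.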
@@ -20032,41 +32272,122 @@
"detection": "1",
"informational": "0"
},
- "process_command_line": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_ip": {
+ "src_port": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
}
}
+ }
+ }
+ },
+ "swipes": {
+ "expression": "product = \"swipes\"",
+ "fields": {
+ "department": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "vpn-authentication": {
+ "last_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "first_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "location_area": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "physical_location-access": {
+ "fields": {}
+ }
+ }
+ },
+ "swift": {
+ "expression": "product = \"swift\"",
+ "fields": {
+ "event_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "alert_severity": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "app-login": {
"fields": {
- "event_category": {
+ "profiles": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "action": {
+ }
+ }
+ },
+ "user-password-modify": {
+ "fields": {}
+ }
+ }
+ },
+ "open vpn": {
+ "expression": "product = \"open vpn\"",
+ "fields": {
+ "src_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "vpn-login": {
+ "fields": {
+ "dest_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "event_name": {
+ "src_port": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "session_id": {
+ "dest_port": {
"Status": "Default",
"core": "0",
"detection": "0",
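Review bot: the new `open vpn` key and its `"expression": "product = \"open vpn\""` contain a space, so the match depends on the upstream product tag being exactly `open vpn` rather than a single token; please confirm against whatever emits that tag. In the same hunk, `swift` and `swipes` are very short keys that do not say which product they cover, and `swift` / `user-password-modify` has an empty `fields` map; a fuller product name in the key (or a note on the entry) would help future readers.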
@@ -20078,298 +32399,223 @@
"detection": "1",
"informational": "0"
},
- "dest_ip": {
+ "group_info": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "dest_port": {
+ "login_method": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "method": {
+ "session_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "uri": {
+ "duration": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "src_translated_ip": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
+ }
+ }
+ },
+ "app-activity": {
+ "fields": {
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
},
"src_host": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- },
- "http-session": {
- "fields": {
- "protocol": {
+ },
+ "bytes": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "result_code": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_host": {
+ "src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "additional_info": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
- "network-session": {
+ "vpn-logout": {
"fields": {
"event_name": {
- "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_translated_ip": {
- "Status": "Default",
+ "additional_info": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_translated_port": {
- "Status": "Default",
+ "src_port": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "src_translated_ip": {
- "Status": "Default",
+ "process_id": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "src_translated_port": {
- "Status": "Default",
+ "dest_port": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "bytes_out": {
- "Status": "Default",
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes_in": {
- "Status": "Default",
+ "group_info": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "operation": {
- "Status": "Default",
+ "login_method": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "result": {
- "Status": "Default",
+ "session_id": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
+ },
+ "duration": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_translated_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
}
}
}
}
},
- "citrix virtual apps": {
- "expression": "product = \"citrix virtual apps\"",
- "fields": {
- "src_host": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "alert_id": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "operating_system": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "protocol": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "event_name": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_translated_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- },
- "activity_type": {
- "app-login": {
- "fields": {}
- }
- }
- },
- "citrix virtual desktop": {
- "expression": "product = \"citrix virtual desktop\"",
+ "squid": {
+ "expression": "product = \"squid\"",
"fields": {
- "dest_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_host": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "login_type_text": {
+ "duration": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "catalog": {
+ "result_code": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "user_sid": {
+ "bytes_out": {
"core": "0",
"detection": "0",
"informational": "1"
- }
- },
- "activity_type": {
- "endpoint-login": {
- "fields": {}
- }
- }
- },
- "citrix endpoint management": {
- "expression": "product = \"citrix endpoint management\"",
- "fields": {
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
},
- "src_host": {
+ "method": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "operation": {
+ "user": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "user_agent": {
+ "hierarchy_code": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "session_id": {
+ "proxy_action": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "mime": {
"core": "0",
"detection": "0",
"informational": "1"
- }
- },
- "activity_type": {
- "app-login": {
- "fields": {}
- }
- }
- },
- "citrix web app firewall": {
- "expression": "product = \"citrix appfw\"",
- "fields": {
- "interface_in": {
- "core": "0",
- "detection": "1",
- "informational": "0"
},
- "event_name": {
+ "categories": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "event_code": {
+ "category": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "alert_id": {
+ "scan_type": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
"rule": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "result": {
+ "action": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "action": {
+ "result": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "alert_name": {
+ "bytes_in": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
}
},
"activity_type": {
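Review bot: the `open vpn` / `vpn-logout` block sets ten fields (`event_name`, `additional_info`, `src_port`, `process_id`, `dest_port`, `group_info`, `login_method`, `session_id`, `duration`, `src_translated_ip`) to `"core": "0"`, `"detection": "0"`, `"informational": "0"`, while the same fields in `vpn-login` just above are `"informational": "1"`; only `dest_host` keeps a flag (`Legacy`, informational). The `-`/`+` pairs show `informational` being flipped from "1" to "0" field by field, so this reads like a mass change rather than a decision; either restore `"informational": "1"` or drop the unclassified fields. `process_id` also looks out of place on a VPN logout event. Minor: `squid` now lists both `categories` and `category` as informational fields; confirm both are intended rather than one being a typo of the other.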
@@ -20378,483 +32624,728 @@
}
}
},
- "falcon": {
- "expression": "product = \"falcon\"",
+ "splunk stream": {
+ "expression": "product = \"splunk stream\"",
"fields": {
- "user": {
- "core": "1",
- "detection": "1",
- "informational": "0"
+ "bytes": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "aid": {
+ "dest_mac": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_mac": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes_in": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes_out": {
"core": "0",
"detection": "0",
"informational": "1"
}
},
"activity_type": {
- "file-write": {
+ "dns-response": {
"fields": {
- "device_id": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "new_hash": {
+ "time_taken": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "alert_name": {
+ "response_ttl": {
"core": "0",
"detection": "0",
"informational": "0"
- },
- "file_type": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "additional_info": {
+ }
+ }
+ },
+ "dhcp-session": {
+ "fields": {
+ "dns_ip_flow": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_port": {
+ "domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "access": {
- "Status": "Legacy",
+ "event_name": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "src_host": {
+ "router_ip_flow": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "alert_id": {
+ "router_subnet": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "domain": {
+ "trans_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_ip": {
+ "ip_lease_time": {
"core": "0",
"detection": "0",
"informational": "0"
- },
- "src_port": {
+ }
+ }
+ }
+ }
+ },
+ "specops password": {
+ "expression": "product = \"specops password\"",
+ "fields": {
+ "event_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_code": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "user-unlock": {
+ "fields": {}
+ },
+ "user-password-reset": {
+ "fields": {}
+ }
+ }
+ },
+ "sonicwall": {
+ "expression": "product = \"sonicwall\"",
+ "fields": {
+ "src_interface": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_interface": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "protocol": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes_in": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes_out": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "vpn-login": {
+ "fields": {
+ "dest_host": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "category": {
+ "src_port": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "protocol": {
+ "src_translated_ip": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "alert_severity": {
+ "realm": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "hash_md5": {
+ "dest_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "operating_system": {
+ "src_host": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "user_sid": {
+ "dest_port": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "session_id": {
+ "user_agent": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "process_command_line": {
+ "session_duration": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "process_id": {
+ "informational": "1"
+ }
+ }
+ },
+ "vpn-logout": {
+ "fields": {
+ "src_translated_ip": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "bytes": {
+ "session_duration": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "falcon_host_link": {
+ "dest_ip": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "old_hash": {
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "src_ip": {
+ "src_host": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process_guid": {
+ "dest_port": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "event_name": {
+ "user_agent": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "hash_sha256": {
+ "realm": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "event_code": {
+ "src_port": {
"core": "0",
"detection": "0",
"informational": "0"
}
}
},
- "file-read": {
+ "endpoint-login": {
"fields": {
- "alert_name": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "additional_info": {
+ "login_type_text": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "dest_port": {
+ "session_duration": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "access": {
- "Status": "Legacy",
+ "dest_ip": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "object": {
+ "src_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
"src_host": {
- "Status": "Legacy",
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "alert_id": {
+ "dest_port": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "domain": {
+ "user_agent": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "dest_ip": {
+ "realm": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
"src_port": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "category": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "protocol": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "alert_severity": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "hash_md5": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "operating_system": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "user_sid": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "session_id": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "process_command_line": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "process_id": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "bytes": {
- "Status": "Legacy",
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "falcon_host_link": {
+ }
+ }
+ },
+ "http-session": {
+ "fields": {
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "old_hash": {
+ "category_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "src_ip": {
+ "message_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "process_guid": {
+ "src_mac": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "event_name": {
+ "dest_mac": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "hash_sha256": {
+ "firewall": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "event_code": {
+ "rule": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
}
}
+ }
+ }
+ },
+ "sonarg": {
+ "expression": "product = \"sonarg\"",
+ "fields": {
+ "db_domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "file-download": {
- "fields": {
- "src_port": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "src_host": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "old_hash": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "new_hash": {
+ "db_user": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "service_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "db_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "database_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
+ "activity_type": {
+ "database-login": {
+ "fields": {}
+ }
+ }
+ },
+ "solaris": {
+ "expression": "product = \"solaris\"",
+ "fields": {
+ "event_code": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "login_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_permission": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_zone": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "process-create": {
+ "fields": {}
+ }
+ }
+ },
+ "snowflake": {
+ "expression": "product = \"snowflake\"",
+ "fields": {
+ "db_user": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "query_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "database_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
+ "activity_type": {
+ "database-query": {
+ "fields": {
+ "db_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_ip": {
- "core": "0",
- "detection": "0",
+ "db_operation": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
"informational": "0"
},
- "process_guid": {
+ "db_schema": {
"core": "0",
"detection": "0",
"informational": "0"
- },
- "event_name": {
+ }
+ }
+ },
+ "database-login": {
+ "fields": {}
+ }
+ }
+ },
+ "slack": {
+ "expression": "product = \"slack\"",
+ "fields": {
+ "user_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "file_type": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user_agent": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "file-download": {
+ "fields": {
+ "domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "hash_sha256": {
- "core": "0",
- "detection": "0",
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
"informational": "0"
},
- "event_code": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
}
}
},
- "file-delete": {
+ "file-upload": {
"fields": {
- "alert_name": {
+ "domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "access": {
+ "user": {
"Status": "Legacy",
- "core": "0",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "src_host": {
- "Status": "Legacy",
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
+ },
+ "file-share": {
+ "fields": {
+ "user": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "alert_id": {
+ "domain": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "hash_md5": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "operating_system": {
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
+ },
+ "channel-create": {
+ "fields": {
+ "operation": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "user_sid": {
+ "informational": "1"
+ }
+ }
+ },
+ "channel-member-join": {
+ "fields": {
+ "operation": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "session_id": {
+ "app": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "process_command_line": {
+ "object": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "process_id": {
+ "informational": "1"
+ }
+ }
+ },
+ "channel-member-leave": {
+ "fields": {
+ "operation": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "bytes": {
+ "app": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "falcon_host_link": {
+ "object": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "old_hash": {
+ "informational": "1"
+ }
+ }
+ },
+ "user-disable": {
+ "fields": {
+ "operation": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_ip": {
- "core": "0",
- "detection": "0",
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
"informational": "0"
},
- "process_guid": {
+ "domain": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "event_name": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
- "hash_sha256": {
+ "app": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "event_code": {
+ "object": {
"core": "0",
"detection": "0",
"informational": "0"
}
}
},
- "app-login": {
+ "app-logout": {
"fields": {
- "src_ip": {
+ "operation": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "event_name": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "session_id": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "activity_details": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -20862,135 +33353,147 @@
}
}
},
- "process-create": {
+ "workspace-create": {
"fields": {
- "dest_ip": {
+ "user": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "event_code": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_command_line": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "process_guid": {
+ "src_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "hash_md5": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "parent_process_guid": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user_sid": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "log_severity": {
+ }
+ }
+ },
+ "workspace-delete": {
+ "fields": {
+ "user": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "hash_sha256": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_name": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "grandparent_process_path": {
+ "src_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "service_name": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operating_system": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
+ }
+ }
+ },
+ "channel-delete": {
+ "fields": {
"src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "session_id": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "old_hash": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "falcon_host_link": {
+ }
+ }
+ },
+ "channel-modify": {
+ "fields": {
+ "src_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "file_path": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_ext": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_dir": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
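Review bot: `channel-delete` and `channel-modify` have no `user`, `domain` or `domain_user_name` entries, while the sibling `workspace-create` and `workspace-delete` blocks in this hunk carry all three with `user` set to `"detection": "1"`. A channel deletion or modification without an actor field cannot be attributed in a detection rule; confirm the omission is deliberate or add the same three entries.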
@@ -20998,421 +33501,234 @@
}
}
},
- "scheduled_task-create": {
- "fields": {
- "event_code": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "file_path": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "file_name": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "file_ext": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "file_dir": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "src_ip": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- }
- }
- },
- "configuration-modify": {
+ "user-role-modify": {
"fields": {
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "object": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
"user": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
"domain": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- }
- }
- },
- "peripheral_storage-insert": {
- "fields": {
- "vendor_id": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "event_code": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "process_id": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "file_path": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "file_name": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "file_ext": {
- "core": "0",
- "detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "file_dir": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
"src_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "0"
- },
- "alert_id": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "operation": {
- "core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "activity_details": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- }
- }
- },
- "peripheral_storage-remove": {
- "fields": {
- "event_code": {
- "Status": "Legacy",
+ "app": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_path": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "file_name": {
- "Status": "Legacy",
- "core": "1",
- "detection": "0",
- "informational": "0"
- },
- "file_ext": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "file_dir": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "src_ip": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "alert_id": {
+ "object": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
"operation": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "activity_details": {
- "core": "0",
- "detection": "0",
- "informational": "0"
+ "informational": "1"
}
}
},
- "dns-request": {
+ "user-role-assign": {
"fields": {
- "aip": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "event_code": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "process_guid": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "dns_response": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "category": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "protocol": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "file_name": {
+ "user": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "0"
- },
- "src_host": {
- "Status": "Legacy",
- "core": "1",
"detection": "1",
"informational": "0"
},
- "alert_severity": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "alert_name": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "hash_md5": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- }
- }
- },
- "endpoint-login": {
- "fields": {
- "user_sid": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_code": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "aip": {
+ "src_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "event_name": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "authentication_package": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "auth_server": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "src_ip": {
+ }
+ }
+ },
+ "user-role-revoke": {
+ "fields": {
+ "user": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "session_id": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "hash_md5": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "hash_sha256": {
+ "src_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "process_command_line": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_id": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_path": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "file_name": {
- "Status": "Default",
- "core": "0",
+ }
+ }
+ },
+ "user-permission-modify": {
+ "fields": {
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "file_ext": {
- "Status": "Default",
+ "domain": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_dir": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "old_hash": {
- "Status": "Default",
+ "src_ip": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "process_guid": {
- "Status": "Default",
+ "app": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "bytes": {
- "Status": "Default",
+ "object": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "falcon_host_link": {
- "Status": "Default",
+ "operation": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
}
}
},
- "app-activity": {
+ "user-create": {
"fields": {
- "resource": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
},
- "application": {
- "Status": "Default",
+ "domain": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "additional_info": {
- "Status": "Default",
+ "src_ip": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "user": {
- "Status": "Default",
+ "app": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "domain": {
- "Status": "Default",
+ "object": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "src_ip": {
- "Status": "Default",
+ "operation": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
}
}
},
- "group-member-add": {
+ "user-modify": {
"fields": {
"user": {
"Status": "Legacy",
"core": "1",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
"domain": {
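Review bot: `user-permission-modify`, `user-create` and `user-modify` add `src_ip`, `app`, `object` and `operation` with all three flags at `"0"` and no `Status`, whereas `user-role-modify`, `user-role-assign` and `user-role-revoke` mark the same fields `"Status": "Default"` with `detection` or `informational` set to `"1"`. An all-zero entry contributes nothing to scoring; either drop those entries or document why permission and lifecycle changes are weighted lower than role changes. Separately, this hunk deletes `scheduled_task-create`, `peripheral_storage-insert`, `peripheral_storage-remove`, `dns-request`, `endpoint-login` and `app-activity` wholesale; confirm that removal is intended rather than a side effect of the rename to the slack activity types.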
@@ -21421,11 +33737,27 @@
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"src_ip": {
"core": "0",
"detection": "0",
"informational": "0"
},
+ "app": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "object": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
"operation": {
"core": "0",
"detection": "0",
@@ -21433,47 +33765,49 @@
}
}
},
- "user-role-assign": {
+ "user-enable": {
"fields": {
"user": {
- "Status": "Default",
- "core": "0",
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
},
"domain": {
- "Status": "Default",
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"src_ip": {
- "Status": "Default",
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "operation": {
- "Status": "Default",
+ "app": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "application": {
- "Status": "Default",
+ "object": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "event_name": {
- "Status": "Default",
+ "operation": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
}
}
},
- "user-role-revoke": {
+ "workspace-member-add": {
"fields": {
"user": {
"Status": "Default",
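Review bot: `user-enable` introduces `user` and `domain` with `"Status": "Legacy"` and `"core": "1"` on lines that are new in this patch; nothing in the diff explains what distinguishes `Legacy` from `Default` or why a freshly added mapping should start in the legacy state. Add a short description of the two statuses (and of the `core`/`detection`/`informational`/`enriched` flags) at the top of the file or in the repository docs so reviewers can check these values.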
@@ -21487,25 +33821,31 @@
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "operation": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "application": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_name": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
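Review bot: `domain_user_name` is the only field in `workspace-member-add` without a `Status` key, while every sibling (`user`, `src_ip`, `app`, `object`, `operation`) carries `"Status": "Default"`; the same gap appears on each enriched field added by this patch. If enriched fields intentionally have no status, state that in the schema; otherwise give them one. While touching these blocks, note that `Status` is the only capitalised key in the file (`core`, `detection`, `informational`, `enriched` are lowercase), which is worth normalising in a follow-up.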
@@ -21513,12 +33853,12 @@
}
}
},
- "user-modify": {
+ "group-member-add": {
"fields": {
"user": {
"Status": "Legacy",
"core": "1",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
"domain": {
@@ -21527,29 +33867,35 @@
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"src_ip": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "operation": {
+ "app": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "application": {
+ "object": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "event_name": {
+ "operation": {
"core": "0",
"detection": "0",
"informational": "0"
}
}
},
- "user-create": {
+ "group-member-remove": {
"fields": {
"user": {
"Status": "Legacy",
@@ -21563,133 +33909,181 @@
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"src_ip": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "operation": {
+ "app": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "application": {
+ "object": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "event_name": {
+ "operation": {
"core": "0",
"detection": "0",
"informational": "0"
}
}
},
- "user-delete": {
+ "group-role-assign": {
"fields": {
"user": {
- "Status": "Legacy",
- "core": "1",
+ "Status": "Default",
+ "core": "0",
"detection": "1",
"informational": "0"
},
"domain": {
- "Status": "Legacy",
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "src_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
"informational": "0"
},
- "operation": {
+ "app": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "application": {
+ "object": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "event_name": {
+ "operation": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
}
}
},
- "network-traffic": {
+ "group-role-revoke": {
"fields": {
- "domain": {
+ "user": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "category": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_name": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "src_host": {
+ "src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "alert_severity": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "alert_name": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
+ }
+ }
+ },
+ "group-role-modify": {
+ "fields": {
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
},
- "hash_md5": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "direction": {
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "src_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_guid": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_code": {
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "app-login": {
+ "fields": {
+ "file_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_name": {
+ "file_ext": {
"Status": "Default",
"core": "0",
"detection": "0",
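Review bot: The new `app-login` block opens with `file_name` and `file_ext` entries, which look misplaced for a login event under the slack product and read like a leftover from the `network-traffic` block this hunk replaces; confirm those two fields belong here. Also, `group-role-assign`, `group-role-revoke` and `group-role-modify` define identical field sets with identical flags; a comment noting the duplication is intentional, or a shared definition, would prevent them drifting apart.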
@@ -21699,102 +34093,309 @@
}
}
},
- "cyberark endpoint privilege management": {
- "expression": "product = \"cyberark endpoint privilege management\"",
- "fields": {},
+ "symantec siteminder": {
+ "expression": "product = \"symantec siteminder\"",
+ "fields": {
+ "src_host": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "group_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "web_domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "method": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "uri": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "resource": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "auth_level": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "auth_type": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
"activity_type": {
- "alert-trigger": {
+ "app-authentication": {
+ "fields": {}
+ }
+ }
+ },
+ "silverfort authentication platform": {
+ "expression": "product = \"silverfort authentication platform\"",
+ "fields": {
+ "src_host": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "app-login": {
+ "fields": {}
+ },
+ "endpoint-authentication": {
"fields": {
- "process_command_line": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "dest_host": {
- "Status": "Legacy",
+ "dest_ip": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "file_name": {
- "Status": "Legacy",
- "core": "1",
- "detection": "0",
- "informational": "0"
- },
- "file_path": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "file_dir": {
- "Status": "Legacy",
+ "auth_method": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "process_name": {
- "Status": "Legacy",
+ }
+ }
+ },
+ "app-authentication": {
+ "fields": {
+ "dest_ip": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "process_path": {
- "Status": "Legacy",
+ "auth_method": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
- },
- "parent_process_name": {
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ }
+ }
+ },
+ "sigsci": {
+ "expression": "product = \"sigsci\"",
+ "fields": {
+ "src_host": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user_agent": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "method": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "result_code": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "action": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "mime": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes_out": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "http-session": {
+ "fields": {}
+ }
+ }
+ },
+ "siemens access control": {
+ "expression": "product = \"siemens access control\"",
+ "fields": {
+ "employee_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "location_building": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "location_city": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "full_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "physical_location-access": {
+ "fields": {}
+ }
+ }
+ },
+ "shibboleth": {
+ "expression": "product = \"shibboleth\"",
+ "fields": {
+ "src_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "app-login": {
+ "fields": {}
+ },
+ "app-authentication": {
+ "fields": {
+ "request_binding": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "hash_sha256": {
+ "relying_party_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "user": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
+ "principal_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
}
+ },
+ "user-password-modify": {
+ "fields": {}
}
}
},
- "cyberark privilege access management": {
- "expression": "product = \"cyberark vault\"",
+ "logbinder for sharepoint": {
+ "expression": "product = \"logbinder for sharepoint\"",
"fields": {
- "event_code": {
+ "access": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
+ "user": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "safe_value": {
+ "domain": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_ip": {
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "1"
+ }
+ },
+ "activity_type": {
+ "file-read": {
+ "fields": {}
},
- "dest_host": {
+ "file-write": {
+ "fields": {}
+ },
+ "file-search": {
+ "fields": {}
+ }
+ }
+ },
+ "sftp": {
+ "expression": "product = \"sftp\"",
+ "fields": {
+ "access": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_service_name": {
+ "src_host": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_ip": {
"core": "0",
"detection": "0",
"informational": "1"
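Review bot: Removal of the `cyberark endpoint privilege management` and `cyberark privilege access management` products is interleaved with the addition of seven unrelated products (symantec siteminder, silverfort, sigsci, siemens access control, shibboleth, logbinder for sharepoint, sftp); confirm the drop is intentional and consider splitting it into its own commit so the removal is visible in history. Two smaller points: silverfort's `endpoint-authentication` and `app-authentication` carry identical `dest_ip`/`auth_method` blocks, and siemens access control maps `employee_id` and `full_name` as informational fields, which are personal data and deserve a note on masking or retention expectations.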
@@ -21803,308 +34404,153 @@
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "bytes": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user_agent": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
},
"activity_type": {
- "user-password-read": {
+ "file-download": {
"fields": {
- "gateway_station": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "src_host": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "session_id": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "command": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "process_name": {
+ "user": {
"Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "app-login": {
- "fields": {
- "event_subtype": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_host": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "user-password-modify": {
- "fields": {
- "src_host": {
- "Status": "Default",
- "core": "0",
+ "core": "1",
"detection": "1",
"informational": "0"
}
}
},
- "user-password-reset": {
- "fields": {
- "src_host": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- }
- }
- },
- "file-delete": {
+ "file-read": {
"fields": {
- "src_host": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
"user": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
- },
- "record_type": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "safe_name": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "device_type": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "db_name": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "0"
}
}
},
- "file-read": {
+ "file-upload": {
"fields": {
- "src_host": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
"user": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
- },
- "record_type": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "safe_name": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "device_type": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "db_name": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "0"
}
}
},
"file-write": {
"fields": {
- "src_host": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
"user": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
- },
- "record_type": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "safe_name": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "device_type": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "db_name": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "0"
}
}
},
- "file-permission-modify": {
+ "file-delete": {
"fields": {
- "src_host": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
"user": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
- },
- "record_type": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "safe_name": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "device_type": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "db_name": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "0"
}
}
},
- "endpoint-login": {
+ "app-login": {
+ "fields": {}
+ }
+ }
+ },
+ "servicenow": {
+ "expression": "product = \"servicenow\"",
+ "fields": {
+ "object": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "resource": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "app-login": {
+ "fields": {}
+ },
+ "app-activity": {
"fields": {
- "operation": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_host": {
+ "additional_info": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "process_name": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "command": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "app-activity": {
- "fields": {
- "file_path": {
+ "informational": "0",
+ "enriched": "1"
+ },
+ "table_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_name": {
+ "new_value": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_type": {
+ "file_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "domain": {
+ "file_path": {
"Status": "Default",
"core": "0",
"detection": "0",
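Review bot: both new `app-login` entries are declared with `"fields": {}`, and as far as this patch shows neither product declares a user field at product level (`sftp` has `access`, `src_host`, `src_ip`, `dest_ip`, `bytes`, `user_agent` plus one field whose name falls in the gap between hunks; `servicenow` has `object`, `event_name`, `resource`, `src_ip`), so a login event for either product ends up with no account field at any level, while every sftp `file-*` type in this hunk flags `user` as `"core": "1"`, `"detection": "1"`. Add `user` (and for servicenow `domain`/`domain_user_name`) to the `app-login` blocks or lift it to the product-level fields. Also, in servicenow `app-activity` every field has `"Status": "Default"` except `domain_user_name`, which instead carries `"enriched": "1"` and no Status; give it the same Status so the entry is consistent, or state that enriched fields never carry one.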
@@ -22116,37 +34562,31 @@
"detection": "0",
"informational": "1"
},
- "src_host": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "user": {
+ "table": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "file_dir": {
+ "bytes": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "resource": {
+ "event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "file_type": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_name": {
+ "dproc": {
"Status": "Default",
"core": "0",
"detection": "0",
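Review bot: servicenow `app-activity` now carries both `table_name` (earlier in the same block) and `table` (this hunk) with identical flags, and the `event_name` added here repeats the product-level `event_name` with the same `core`/`detection`/`informational` values. If `table` and `table_name` hold different things (a display label versus the sys table name, for example) the field names should make that distinction obvious; if not, keep one. The activity-level `event_name` override changes nothing unless the consumer requires activity entries to enumerate every field they use, in which case that rule belongs in the file's documentation, because as written it reads as copy-paste.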
@@ -22154,759 +34594,530 @@
}
}
},
- "app-notification": {
+ "file-delete": {
"fields": {
"user": {
- "Status": "Default",
- "core": "0",
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
},
"domain": {
- "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
},
"operation": {
- "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "password-use": {
- "fields": {
- "domain": {
- "Status": "Default",
+ "informational": "0"
+ },
+ "table": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "operation": {
- "Status": "Default",
+ "table_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "command": {
- "Status": "Default",
+ "action": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "process_name": {
- "Status": "Default",
+ "bytes": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "protocol": {
- "Status": "Default",
+ "file_type": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_host": {
- "Status": "Default",
+ "dproc": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "session_id": {
- "Status": "Default",
+ "old_value": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
+ },
+ "new_value": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
}
}
},
- "password-create": {
+ "file-download": {
"fields": {
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
"domain": {
- "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "operation": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "command": {
- "Status": "Default",
+ "operation": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "process_name": {
- "Status": "Default",
+ "table": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "protocol": {
- "Status": "Default",
+ "table_name": {
"core": "0",
"detection": "0",
- "informational": "1"
- },
- "src_host": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
"informational": "0"
},
- "session_id": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "file-property-delete": {
- "fields": {
- "operation": {
- "Status": "Default",
+ "action": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "user": {
- "Status": "Default",
+ "bytes": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "domain": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "app-logout": {
- "fields": {
- "domain": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "operation": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- }
- }
- },
- "zoom": {
- "expression": "product = \"zoom\"",
- "fields": {
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "meeting-start": {
- "fields": {
- "meeting_topic": {
+ "file_type": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "meeting_type": {
- "Status": "Legacy",
+ "dproc": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "meeting_timezone": {
- "Status": "Legacy",
+ "old_value": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "meeting_number": {
- "Status": "Legacy",
+ "new_value": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
}
}
},
- "meeting-create": {
+ "file-read": {
"fields": {
- "meeting_topic": {
+ "user": {
"Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "meeting_type": {
- "Status": "Legacy",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "meeting_timezone": {
- "Status": "Legacy",
+ "operation": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "meeting_duration": {
- "Status": "Legacy",
+ "table": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "meeting_number": {
- "Status": "Legacy",
+ "table_name": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "meeting-member-join": {
- "fields": {
- "meeting_topic": {
- "Status": "Legacy",
+ "informational": "0"
+ },
+ "action": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "meeting_type": {
+ "bytes": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "meeting_timezone": {
+ "file_type": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "member_id": {
+ "dproc": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "meeting_number": {
- "Status": "Legacy",
+ "old_value": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
+ },
+ "new_value": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
}
}
},
- "meeting-modify": {
+ "file-upload": {
"fields": {
- "old_password": {
+ "user": {
"Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "new_password": {
- "Status": "Legacy",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "meeting_number": {
- "Status": "Legacy",
+ "operation": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "meeting-end": {
- "fields": {
- "meeting_topic": {
- "Status": "Legacy",
+ "informational": "0"
+ },
+ "table": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "meeting_type": {
- "Status": "Legacy",
+ "table_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "meeting_timezone": {
- "Status": "Legacy",
+ "action": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "meeting_duration": {
- "Status": "Legacy",
+ "bytes": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "meeting_number": {
+ "file_type": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "app-login": {
- "fields": {
- "additional_info": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
},
- "src_ip": {
- "Status": "Default",
+ "dproc": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "client_type": {
- "Status": "Default",
+ "old_value": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "app_version": {
- "Status": "Default",
+ "new_value": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
}
}
}
}
},
- "zebra wireless lan management": {
- "expression": "product = \"zebra wlan management\"",
- "fields": {
- "event_code": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "protocol": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "app-login": {
- "fields": {}
- }
- }
- },
- "xsuite": {
- "expression": "product = \"xsuite\"",
- "fields": {
- "dest_ip": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dest_host": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "user_dn": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "app-login": {
- "fields": {}
- }
- }
- },
- "xps": {
- "expression": "product = \"xps\"",
- "fields": {
- "printer_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "object": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "bytes": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "printer-activity": {
- "fields": {}
- }
- }
- },
- "xerox": {
- "expression": "product = \"xerox\"",
+ "singularity platform": {
+ "expression": "product = \"singularity platform\"",
"fields": {
- "printer_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "printer_type": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "printer_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "object_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "object": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
"user": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_host": {
+ "process_name": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "num_pages": {
+ "domain": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "department": {
+ "bytes": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "document_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "printer-activity": {
- "fields": {}
- }
- }
- },
- "xceedium": {
- "expression": "product = \"xceedium\"",
- "fields": {
- "src_ip": {
+ "user_sid": {
"core": "0",
"detection": "0",
"informational": "1"
}
},
"activity_type": {
- "app-login": {
+ "file-read": {
"fields": {
- "result_code": {
- "Status": "Default",
+ "alert_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
+ },
+ "alert_severity": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "alert_type": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "agent_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_host": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "alert_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
}
}
- }
- }
- },
- "websense security gateway": {
- "expression": "product = \"websense security gateway\"",
- "fields": {
- "user_ou": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "user": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "action": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "method": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "bytes_in": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "bytes_out": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "category": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "mime": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "result_code": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "category_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "disposition": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_host": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "sub_category": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "http-session": {
- "fields": {}
- }
- }
- },
- "weblogin": {
- "expression": "product = \"weblogin\"",
- "fields": {
- "action": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "sub_status": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "request_cookie": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "private_cookie": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "http-session": {
- "fields": {}
- }
- }
- },
- "microsoft web application proxy": {
- "expression": "product = \"microsoft web application proxy\"",
- "fields": {
- "bytes_in": {
- "core": "0",
- "detection": "0",
- "informational": "1"
},
- "bytes_out": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "action": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "mime": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "method": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "http-session": {
- "fields": {}
- }
- }
- },
- "airlock web application firewall": {
- "expression": "product = \"airlock waf\"",
- "fields": {
- "action": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "http-session": {
+ "dns-request": {
"fields": {
- "additional_info": {
- "Status": "Default",
+ "alert_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "alert_severity": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "alert_type": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "agent_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "alert_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "process_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "process_path": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "process_dir": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "result_code": {
- "Status": "Default",
+ "event_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
+ },
+ "user_agent": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "hash_sha1": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "hash_sha256": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "hash_md5": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "process_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
}
}
},
- "app-login": {
+ "network-traffic": {
"fields": {
+ "alert_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
"alert_severity": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "session_id": {
+ "alert_type": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_port": {
+ "agent_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
+ "dest_host": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "dest_port": {
+ "alert_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_ip": {
+ "process_name": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "event_name": {
+ "process_path": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_code": {
+ "process_dir": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes": {
+ "event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "file_path": {
+ }
+ }
+ },
+ "process-create": {
+ "fields": {
+ "agent_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_name": {
+ "src_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "file_ext": {
+ "dest_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "hash_sha256": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_dir": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
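Review bot: the `-` side of this hunk removes ten whole product entries (`zoom`, `zebra wireless lan management`, `xsuite`, `xps`, `xerox`, `xceedium`, `websense security gateway`, `weblogin`, `microsoft web application proxy`, `airlock web application firewall`) and git pairs their lines with the new `servicenow` and `singularity platform` blocks. If those products only moved because the file was re-sorted, land the reorder as its own commit (or review with a key-aware JSON diff) so the real change is reviewable; if they were dropped, the commit message must say so, since a missing product entry silently changes how that product's events are classified. On the content: in the servicenow `file-delete`/`file-download`/`file-read`/`file-upload` blocks, `domain`, `operation`, `table`, `table_name`, `action`, `dproc`, `old_value` and `new_value` are all declared `"core": "0"`, `"detection": "0"`, `"informational": "0"`; either presence alone means something to the consumer, which should be documented, or these are dead entries. `bytes` differs across the four (Legacy/detection in file-download, Legacy/informational in file-read, no Status and all zeros in file-delete and file-upload); if transfer size matters for downloads it matters at least as much for uploads. In `singularity platform`, `src_host` is `"core": "0"` in `file-read` but `"core": "1"` in `dns-request`, and `process-create` flags `src_ip`/`dest_ip` as detection fields while listing none of `process_name`, `process_path` or `process_command_line`, which the same product's other activity types do declare.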
@@ -22914,29 +35125,29 @@
}
}
},
- "file-write": {
+ "registry-modify": {
"fields": {
- "alert_severity": {
+ "alert_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "session_id": {
+ "alert_severity": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_port": {
+ "alert_type": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_ip": {
+ "agent_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_port": {
+ "src_ip": {
"core": "0",
"detection": "0",
"informational": "0"
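Review bot: the new `registry-modify` entry is the generic alert envelope (`alert_name`, `alert_severity`, `alert_type`, `agent_id`, `src_ip`) with every flag at `"0"`, and the fields that follow in the next hunk (`alert_id`, `object`, `process_name`) are all zero as well, so this activity type has no core or detection field at all. For a registry modification the key path and the value name/data are what an analyst pivots on; if `object` is meant to carry the key path, flag it core/detection and add the value fields (`old_value`/`new_value` already exist in this file for servicenow). `src_ip` on a local registry write looks like a copy of the network-event template rather than a field this event actually has.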
@@ -22946,168 +35157,134 @@
"detection": "0",
"informational": "0"
},
- "event_name": {
+ "alert_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "event_code": {
+ "object": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
+ "process_name": {
"core": "0",
"detection": "0",
"informational": "0"
- },
- "bytes": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
}
}
},
- "file-delete": {
+ "http-session": {
"fields": {
- "alert_severity": {
+ "agent_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "session_id": {
+ "src_host": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "src_port": {
+ "alert_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "src_ip": {
+ "process_name": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "dest_port": {
+ "malware_url": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "dest_ip": {
+ "informational": "1"
+ }
+ }
+ },
+ "dns-response": {
+ "fields": {
+ "alert_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "event_name": {
+ "alert_severity": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "event_code": {
+ "alert_type": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
+ "agent_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "bytes": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- }
- }
- },
- "file-upload": {
- "fields": {
- "alert_severity": {
+ "alert_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "session_id": {
+ "process_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_port": {
+ "process_path": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_ip": {
+ "process_dir": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_port": {
+ "event_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_ip": {
+ "user_agent": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "event_name": {
+ "hash_sha1": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "event_code": {
+ "hash_sha256": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
+ "hash_md5": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "bytes": {
+ "process_id": {
"core": "0",
"detection": "0",
"informational": "0"
}
}
},
- "file-download": {
+ "file-write": {
"fields": {
- "alert_severity": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "session_id": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "src_port": {
+ "event_name": {
"core": "0",
"detection": "0",
"informational": "0"
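Review bot: `dns-response` repeats the field list of `dns-request` (`alert_name` through `process_id`, fourteen entries, every one at `"core": "0"`, `"detection": "0"`, `"informational": "0"`) but omits `src_host`, the one field `dns-request` flags core/detection, so a DNS response event has no core or detection field at all and nothing that names the queried domain or the returned answer. Either add the host and the DNS name/answer fields with detection flags, or explain what the consumer does with fourteen zero-flag entries. In `http-session`, `malware_url` is `"informational": "1"` while `src_host` is the only detection field; if the alert fires on the URL, the URL is the detection field. `user_agent` and `hash_sha1`/`hash_sha256`/`hash_md5` on a DNS event also need a word on what they describe (the resolving process, presumably), because the same names mean the HTTP client string and a file hash elsewhere in this file.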
@@ -23117,446 +35294,437 @@
"detection": "0",
"informational": "0"
},
- "dest_port": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
"dest_ip": {
"core": "0",
"detection": "0",
"informational": "0"
- },
+ }
+ }
+ },
+ "file-delete": {
+ "fields": {
"event_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "event_code": {
+ "src_ip": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
+ "dest_ip": {
"core": "0",
"detection": "0",
"informational": "0"
- },
- "bytes": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
}
}
},
- "network-session": {
+ "app-activity": {
"fields": {
- "alert_severity": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "session_id": {
+ "src_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "operation": {
+ "src_mac": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_name": {
+ "hash_md5": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_code": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
+ }
+ }
+ },
+ "scheduled_task-create": {
+ "fields": {
+ "process_name": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
},
- "user": {
- "Status": "Default",
+ "process_path": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "domain": {
- "Status": "Default",
+ "process_dir": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_path": {
- "Status": "Default",
+ "event_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "file_name": {
- "Status": "Default",
+ "src_ip": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "file_ext": {
- "Status": "Default",
+ "dest_ip": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "file_dir": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "vpn-logout": {
- "fields": {
- "alert_severity": {
+ "user_agent": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "session_id": {
+ "hash_sha1": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_port": {
+ "hash_sha256": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_port": {
+ "hash_md5": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_ip": {
+ "process_id": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "event_name": {
+ "process_command_line": {
"core": "0",
"detection": "0",
"informational": "0"
- },
- "event_code": {
+ }
+ }
+ },
+ "alert-trigger": {
+ "fields": {
+ "agent_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "bytes": {
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "file_name": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "0",
"informational": "0"
},
- "file_path": {
+ "file_dir": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "file_name": {
+ "file_path": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
"file_ext": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "file_dir": {
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
}
}
}
}
},
- "watchguard": {
- "expression": "product = \"watchguard\"",
+ "sensormatik": {
+ "expression": "product = \"sensormatik\"",
"fields": {
- "bytes_in": {
+ "last_name": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes_out": {
+ "first_name": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "category": {
+ "direction": {
"core": "0",
"detection": "0",
"informational": "1"
- },
+ }
+ },
+ "activity_type": {
+ "physical_location-access": {
+ "fields": {}
+ }
+ }
+ },
+ "securityiq": {
+ "expression": "product = \"securityiq\"",
+ "fields": {
"user": {
"core": "0",
"detection": "0",
"informational": "1"
- },
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "1"
}
},
"activity_type": {
- "http-session": {
- "fields": {
- "proxy_action": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "network-session": {
+ "file-read": {
"fields": {
- "operation": {
- "Status": "Default",
+ "user_sid": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "event_code": {
- "Status": "Default",
+ "domain": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "web_domain": {
- "Status": "Default",
+ "account_id": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- }
- }
- },
- "vormetric": {
- "expression": "product = \"vormetric\"",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
- "fields": {
- "access": {
+ "informational": "0"
+ },
+ "sid_domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "action": {
- "Status": "Legacy",
+ "event_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_host": {
+ "access": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
+ }
+ }
+ },
+ "file-permission-modify": {
+ "fields": {
+ "user_sid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
},
"domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "file_name": {
- "Status": "Legacy",
- "core": "1",
+ "account_id": {
+ "core": "0",
"detection": "0",
"informational": "0"
},
- "file_dir": {
- "Status": "Legacy",
+ "sid_domain": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "process_name": {
+ "event_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "access": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
- },
- "process_dir": {
+ }
+ }
+ },
+ "group-member-remove": {
+ "fields": {
+ "event_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process_path": {
+ "group_id": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
+ }
+ }
+ },
+ "user-create": {
+ "fields": {
+ "user_sid": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "user": {
+ "event_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
+ },
+ "user-delete": {
+ "fields": {
+ "user_sid": {
"Status": "Legacy",
"core": "0",
- "detection": "1",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_name": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
}
}
- }
- }
- },
- "vmware nsx": {
- "expression": "product = \"vmware nsx\"",
- "fields": {},
- "activity_type": {
- "network-session": {
+ },
+ "user-password-reset": {
+ "fields": {
+ "user_sid": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
+ },
+ "user-lock": {
"fields": {
- "operation": {
- "Status": "Default",
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_country": {
- "Status": "Default",
+ "user_sid": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
- "Status": "Default",
+ "event_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
}
}
- }
- }
- },
- "identiv": {
- "expression": "product = \"identiv\"",
- "fields": {
- "full_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "physical_location-access": {
- "fields": {}
- }
- }
- },
- "vectra cognito stream": {
- "expression": "product = \"vectra cognito stream\"",
- "fields": {
- "src_host": {
- "core": "0",
- "detection": "0",
- "informational": "1"
},
- "dest_host": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "ssh-traffic": {
+ "file-write": {
"fields": {
- "server_version": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "client_version": {
+ "user_sid": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "cipher_algorithm": {
+ "domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "compression_algotithm": {
+ "event_name": {
"core": "0",
"detection": "0",
"informational": "0"
}
}
},
- "app-activity": {
+ "file-delete": {
"fields": {
- "src_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_ip": {
- "Status": "Default",
+ "user_sid": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "result": {
- "Status": "Default",
+ "domain": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "application": {
- "Status": "Default",
+ "event_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
}
}
},
- "rdp-traffic": {
+ "file-download": {
"fields": {}
+ },
+ "file-upload": {
+ "fields": {
+ "domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
}
}
},
- "vanderbilt": {
- "expression": "product = \"vanderbilt\"",
+ "securityexpert": {
+ "expression": "product = \"securityexpert\"",
"fields": {
- "first_name": {
+ "user": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "last_name": {
+ "full_name": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "result_reason": {
+ "event_name": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "location_building": {
+ "device_name": {
"core": "0",
"detection": "0",
"informational": "1"
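Review bot: this hunk deletes the complete `vormetric`, `vmware nsx`, `identiv`, `vectra cognito stream` and `vanderbilt` product blocks (from `- "vormetric": {` onward) while adding `securityiq` activity types in their place, which reads as a wholesale reorder of the file rather than a content change; if those products are re-added elsewhere in the patch, consider emitting the file with sorted product keys so future diffs show only real changes, and if they are not, the commit message should state that their mappings are dropped. Separately, in the new `file-read` and `file-permission-modify` entries, `user_sid`, `domain`, `account_id`, `sid_domain` and `event_name` are all declared with `"core": "0"`, `"detection": "0"`, `"informational": "0"` and no `Status`, so only `access` (Legacy, detection 1) carries any weight; confirm these zero-weight entries are intentional placeholders rather than leftovers, or drop them.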
@@ -23568,376 +35736,254 @@
}
}
},
- "usb": {
- "expression": "product = \"usb\"",
- "fields": {
- "device_type": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "user": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "file_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "bytes": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
+ "tufin securetrack": {
+ "expression": "product = \"tufin securetrack\"",
+ "fields": {},
"activity_type": {
- "peripheral_storage-activity": {
+ "app-login": {
"fields": {}
}
}
},
- "unix sendmail": {
- "expression": "product = \"unix sendmail\"",
+ "securenet": {
+ "expression": "product = \"securenet\"",
"fields": {
- "src_ip": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "bytes": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "bytes_unit": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "alert_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "num_recipients": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dest_host": {
+ "event_code": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_ip": {
+ "event_name": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "protocol": {
+ "src_ip": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "return_path": {
+ "src_translated_ip": {
"core": "0",
"detection": "0",
"informational": "1"
}
},
"activity_type": {
- "email-send": {
- "fields": {}
- },
- "email-receive": {
+ "vpn-login": {
"fields": {}
- }
- }
- },
- "access it! universal.net": {
- "expression": "product =\"access it universal.net\"",
- "fields": {
- "last_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
},
- "first_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "physical_location-access": {
+ "vpn-logout": {
"fields": {}
}
}
},
- "huawei unified security gateway": {
- "expression": "product = huawei unified security gateway",
+ "securelink": {
+ "expression": "product = \"securelink\"",
"fields": {},
"activity_type": {
- "alert-trigger": {
+ "app-login": {
"fields": {
- "application": {
+ "src_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "0"
- },
- "dest_ip": {
- "Status": "Legacy",
- "core": "1",
"detection": "1",
"informational": "0"
},
- "dest_port": {
- "Status": "Legacy",
+ "event_name": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
- },
- "policy": {
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "app-activity": {
+ "fields": {
+ "duration": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "protocol": {
- "Status": "Legacy",
+ "object": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "src_ip": {
- "Status": "Legacy",
- "core": "1",
+ "user": {
+ "Status": "Default",
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "src_port": {
- "Status": "Legacy",
+ "domain": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
- "Status": "Legacy",
+ "domain_user_name": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
},
- "email_address": {
+ "dest_port": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
}
}
}
}
},
- "trapx": {
- "expression": "product = \"trapx\"",
+ "secureauth login": {
+ "expression": "product = \"secureauth login\"",
"fields": {
- "event_code": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
"src_ip": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "protocol": {
+ "event_code": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_ip": {
+ "user_agent": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "domain": {
+ "realm": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "file-read": {
- "fields": {
- "dest_host": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- }
- }
- },
- "titanftp": {
- "expression": "product = \"titanftp\"",
- "fields": {
- "dest_ip": {
+ "dest_host": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_port": {
+ "priority": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
+ "event_name": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_port": {
+ "severity": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
+ "dest_ip": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes": {
+ "process_id": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "access": {
+ "category": {
"core": "0",
"detection": "0",
"informational": "1"
}
},
"activity_type": {
- "file-read": {
- "fields": {}
- },
- "file-delete": {
+ "app-login": {
"fields": {}
- },
- "ftp-traffic": {
- "fields": {
- "file_path": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "file_name": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "file_ext": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
}
}
},
- "timelox": {
- "expression": "product = \"timelox\"",
+ "iboss cloud": {
+ "expression": "product = \"iboss cloud\"",
"fields": {
- "door_group_name": {
+ "categories": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "registration_no": {
+ "category": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "user_id": {
+ "action": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "blocking_group_name": {
+ "src_host": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "version": {
+ "method": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "user_group_name": {
+ "user_agent": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "mime": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes_out": {
"core": "0",
"detection": "0",
"informational": "1"
}
},
"activity_type": {
- "physical_location-access": {
+ "http-session": {
"fields": {}
}
}
},
- "terraform": {
- "expression": "product = \"terraform\"",
+ "secureenvoy multi-factor authentication": {
+ "expression": "product = \"secureenvoy multi-factor authentication\"",
"fields": {
- "user": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "bytes": {
+ "server_name": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "method": {
+ "src_ip": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "action": {
+ "dest_ip": {
"core": "0",
"detection": "0",
"informational": "1"
}
},
"activity_type": {
- "http-session": {
+ "endpoint-authentication": {
"fields": {}
}
}
},
- "teradata rdbms": {
- "expression": "product = \"teradata rdbms\"",
+ "secure computing safeword": {
+ "expression": "product = \"secure computing safeword\"",
"fields": {
- "task_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "site_id": {
+ "src_host": {
"core": "0",
"detection": "0",
"informational": "1"
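Review bot: `domain_user_name` under `securelink` / `app-activity` introduces a key that appears in none of the removed lines, `"enriched": "1"`, on an entry that has no `Status` and all three weights at "0". Since this patch is what adds the key to the schema, document what an enriched field is and whether consumers should skip it when scoring core/detection/informational, and confirm the missing `Status` is deliberate; a strict loader that only knows `Status`, `core`, `detection` and `informational` will otherwise either reject the entry or silently ignore it.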
@@ -23946,58 +35992,156 @@
"core": "0",
"detection": "0",
"informational": "1"
- },
- "session_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "query_id": {
+ }
+ },
+ "activity_type": {
+ "app-authentication": {
+ "fields": {}
+ }
+ }
+ },
+ "thycotic software secret server": {
+ "expression": "product = \"thycotic software secret server\"",
+ "fields": {
+ "src_ip": {
"core": "0",
"detection": "0",
"informational": "1"
}
},
"activity_type": {
- "database-query": {
+ "app-login": {
+ "fields": {}
+ },
+ "password-copy": {
"fields": {
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
+ "domain": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "db_operation": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
+ "object": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "db_name": {
+ "resource": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "user-password-modify": {
+ "fields": {
+ "domain": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "object": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "resource": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "policy-modify": {
+ "fields": {
+ "domain": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "resource": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "operation": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "db_object": {
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "error_info": {
+ "user": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "error_code": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
}
}
},
- "database-login": {
+ "policy-create": {
"fields": {
- "db_query": {
+ "domain": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "resource": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
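Review bot: `password-copy` and `user-password-modify` under `thycotic software secret server` list only `domain`, `object`, `resource`, `operation` and `additional_info` as `Status: Default` informational fields, while `policy-modify` in the same block additionally carries `"user": { "Status": "Default", ... "detection": "1" }` and an enriched `domain_user_name`; the product-level `fields` map here declares only `src_ip`, so nothing else captures the actor. Copying a secret or changing a password are exactly the events an analyst needs attributed to a user, so add the same `user` and `domain_user_name` entries to those two activity types or note in the commit message why they are omitted.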
@@ -24008,272 +36152,160 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
- }
- }
- },
- "mimecast targeted threat protection - url": {
- "expression": "product = \"mimecast targeted threat protection - url\"",
- "fields": {
- "user": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "action": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "category": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "http-session": {
- "fields": {}
- }
- }
- },
- "synology nas": {
- "expression": "product = \"synology nas\"",
- "fields": {
- "share_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "user": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "1"
},
- "src_ip": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "file-read": {
+ "group-member-add": {
"fields": {
- "access": {
+ "domain": {
"Status": "Legacy",
"core": "0",
- "detection": "1",
+ "detection": "0",
+ "informational": "1"
+ },
+ "resource": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "bytes": {
+ "operation": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "bytes_unit": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- },
- "file-write": {
- "fields": {
- "access": {
+ },
+ "user": {
"Status": "Legacy",
- "core": "0",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "bytes": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
- "bytes_unit": {
+ "object": {
"core": "0",
"detection": "0",
"informational": "0"
}
}
},
- "file-delete": {
+ "group-member-remove": {
"fields": {
- "access": {
+ "domain": {
"Status": "Legacy",
"core": "0",
- "detection": "1",
+ "detection": "0",
+ "informational": "1"
+ },
+ "resource": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "bytes": {
+ "operation": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "bytes_unit": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- },
- "share-access": {
- "fields": {
- "protocol": {
- "Status": "Default",
+ },
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "object": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
- }
- }
- },
- "symmetry access control": {
- "expression": "product = \"symmetry access control\"",
- "fields": {
- "full_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "employee_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dest_ip": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "physical_location-access": {
- "fields": {}
- }
- }
- },
- "symantec email security": {
- "expression": "product = \"symantec email security\"",
- "fields": {
- "bytes": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "message_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "email-receive": {
- "fields": {}
},
- "email-send": {
+ "user-create": {
"fields": {
- "file_name": {
- "Status": "Default",
+ "domain": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- }
- }
- },
- "symantec messaging gateway": {
- "expression": "product = \"smg\"",
- "fields": {},
- "activity_type": {
- "email-receive": {
- "fields": {}
- },
- "email-send": {
- "fields": {}
- }
- }
- },
- "sybase": {
- "expression": "product = \"sybase\"",
- "fields": {
- "db_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "db_object": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "db_user": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "database-login": {
- "fields": {
- "src_host": {
- "Status": "Default",
+ },
+ "resource": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "src_ip": {
- "Status": "Default",
+ "operation": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "dest_host": {
- "Status": "Default",
+ "additional_info": {
"core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "dest_ip": {
- "Status": "Default",
+ "object": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
- "database-query": {
+ "user-modify": {
"fields": {
- "dest_host": {
+ "domain": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_ip": {
+ "resource": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
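Review bot: in `group-member-add`, `group-member-remove`, `user-create` and `user-modify`, the entries `resource`, `operation`, `additional_info` and `object` are declared with all weights "0" and no `Status`, and `domain` is `"Status": "Legacy"` with informational 1, whereas the same field names under the `policy-*` entries earlier in this patch are `"Status": "Default"` with informational 1. If these fields are meant to be suppressed for the identity activity types, zero-weight entries without a Status are an opaque way to say so; either give them the same Default/informational treatment or drop them, and state the rule in the field-interface docs. The hunk also removes the `mimecast targeted threat protection - url`, `synology nas`, `symmetry access control`, `symantec email security`, `symantec messaging gateway` and `sybase` blocks outright; confirm they are re-added elsewhere in the patch.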
@@ -24281,263 +36313,203 @@
"user": {
"Status": "Legacy",
"core": "1",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "db_operation": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "object": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
- "database-activity": {
+ "user-disable": {
"fields": {
- "dest_host": {
- "Status": "Default",
+ "domain": {
+ "Status": "Legacy",
"core": "0",
- "detection": "1",
+ "detection": "0",
+ "informational": "1"
+ },
+ "resource": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "dest_ip": {
- "Status": "Default",
+ "operation": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "user": {
- "Status": "Default",
+ "additional_info": {
"core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "db_operation": {
- "Status": "Default",
+ "object": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
- }
- }
- },
- "pinsafe": {
- "expression": "product = \"PINsafe\"",
- "fields": {
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "app-login": {
- "fields": {}
},
- "app-activity": {
+ "secret-create": {
"fields": {
- "user": {
+ "domain": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "application": {
+ "resource": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_port": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- }
- }
- },
- "swipes": {
- "expression": "product = \"swipes\"",
- "fields": {
- "department": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "last_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "first_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "location_area": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "physical_location-access": {
- "fields": {}
- }
- }
- },
- "swift": {
- "expression": "product = \"swift\"",
- "fields": {
- "event_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "alert_severity": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dest_ip": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "app-login": {
- "fields": {
- "profiles": {
+ },
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
- "user-password-modify": {
- "fields": {}
- }
- }
- },
- "open vpn": {
- "expression": "product = \"open vpn\"",
- "fields": {
- "src_ip": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "vpn-login": {
+ "secret-copy": {
"fields": {
- "dest_ip": {
+ "domain": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "src_port": {
+ "resource": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_port": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_host": {
+ "additional_info": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "group_info": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
- },
- "login_method": {
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
+ },
+ "secret-modify": {
+ "fields": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "session_id": {
+ "resource": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "duration": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_translated_ip": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "app-activity": {
- "fields": {
+ },
"user": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "src_host": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
- "detection": "1",
- "informational": "0"
- },
- "bytes": {
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
+ },
+ "password-checkin": {
+ "fields": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "application": {
+ "resource": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
+ "operation": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
"additional_info": {
"Status": "Default",
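Review bot: under `user-modify`, the `user` entry changes to `"core": "1"`, `"detection": "0"`, `"informational": "0"`, which leaves a core field that contributes nothing to detection; every sibling `user` entry in this block (`user-disable` just below, and `group-member-add`, `group-member-remove`, `user-create` in the previous hunk) is core 1 and detection 1, so the 1 to 0 flip looks like a typo rather than a deliberate downgrade. If it is deliberate, the reason belongs in the commit message, because a user-modification event that cannot be tied to its actor in detection logic is a material coverage loss for a privileged-access source.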
@@ -24547,112 +36519,126 @@
}
}
},
- "vpn-logout": {
+ "password-checkout": {
"fields": {
- "event_name": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "src_port": {
+ "domain": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "process_id": {
+ "resource": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "dest_port": {
+ "operation": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "dest_host": {
- "Status": "Legacy",
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "group_info": {
+ }
+ }
+ },
+ "app-activity": {
+ "fields": {
+ "domain": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "login_method": {
+ "resource": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "session_id": {
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "duration": {
+ "user": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "src_translated_ip": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "squid": {
- "expression": "product = \"squid\"",
+ "seclore": {
+ "expression": "product = \"seclore\"",
"fields": {
- "duration": {
+ "dest_ip": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "result_code": {
+ "user": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes_out": {
+ "domain": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "method": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "user": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "hierarchy_code": {
+ "access": {
"core": "0",
"detection": "0",
"informational": "1"
+ }
+ },
+ "activity_type": {
+ "file-read": {
+ "fields": {}
},
- "proxy_action": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "file-permission-modify": {
+ "fields": {}
},
- "mime": {
+ "file-write": {
+ "fields": {}
+ }
+ }
+ },
+ "sap": {
+ "expression": "product = \"sap\"",
+ "fields": {
+ "activity_id": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "categories": {
+ "severity": {
"core": "0",
"detection": "0",
"informational": "1"
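Review bot: `seclore` declares `domain_user_name` with `"enriched": "1"` inside the product-level `fields` map, whereas every other `enriched` entry in this patch sits under an `activity_type`; confirm the loader accepts the key at product level as well, otherwise the entry is either rejected or silently ignored. Also, `password-checkout` under `thycotic software secret server` carries no `user` or `domain_user_name`, while `app-activity` immediately below it has `"user"` with `"detection": "1"` plus the enriched `domain_user_name`; a checkout event without the actor weighted for detection is hard to alert on, so confirm the omission is intended.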
@@ -24662,454 +36648,225 @@
"detection": "0",
"informational": "1"
},
- "scan_type": {
+ "object": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "rule": {
+ "src_ip": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "action": {
+ "aid": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "result": {
+ "server": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes_in": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "http-session": {
- "fields": {}
- }
- }
- },
- "splunk stream": {
- "expression": "product = \"splunk stream\"",
- "fields": {
- "bytes": {
+ "user_sid": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_mac": {
+ "client": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_mac": {
+ "transaction": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes_in": {
+ "result_code": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes_out": {
+ "src_mac": {
"core": "0",
"detection": "0",
"informational": "1"
}
},
"activity_type": {
- "dns-response": {
+ "app-login": {
"fields": {
- "time_taken": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "response_ttl": {
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
}
}
},
- "dhcp-session": {
- "fields": {
- "dns_ip_flow": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "event_name": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "router_ip_flow": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "router_subnet": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "trans_id": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "ip_lease_time": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- }
- }
+ "file-download": {
+ "fields": {}
+ },
+ "user-create": {
+ "fields": {}
+ },
+ "user-delete": {
+ "fields": {}
+ },
+ "user-lock": {
+ "fields": {}
+ },
+ "user-unlock": {
+ "fields": {}
+ },
+ "app-activity": {
+ "fields": {}
}
}
},
- "specops password": {
- "expression": "product = \"specops password\"",
+ "safesend": {
+ "expression": "product = \"safesend\"",
"fields": {
- "event_name": {
+ "num_recipients": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_code": {
+ "num_internal_recipients": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
+ "num_external_recipients": {
"core": "0",
"detection": "0",
"informational": "1"
}
},
"activity_type": {
- "user-unlock": {
- "fields": {}
- },
- "user-password-reset": {
+ "email-send": {
"fields": {}
}
}
},
- "sonicwall": {
- "expression": "product = \"sonicwall\"",
+ "ruid": {
+ "expression": "product = \"ruid\"",
"fields": {
- "src_interface": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dest_interface": {
+ "src_host": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "protocol": {
+ "src_ip": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes_in": {
+ "admin_id": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes_out": {
+ "dest_host": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes": {
+ "dest_ip": {
"core": "0",
"detection": "0",
"informational": "1"
}
},
"activity_type": {
- "vpn-login": {
- "fields": {
- "dest_host": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_port": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_translated_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "realm": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dest_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_host": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_port": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "user_agent": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "session_duration": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "vpn-logout": {
- "fields": {
- "src_translated_ip": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "session_duration": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_ip": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "dest_host": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_host": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "dest_port": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "user_agent": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "realm": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_port": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- }
- }
- },
- "endpoint-login": {
- "fields": {
- "login_type_text": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "session_duration": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dest_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_host": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_port": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "user_agent": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "realm": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_port": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "http-session": {
- "fields": {
- "additional_info": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "category_id": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "message_id": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_mac": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dest_mac": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "firewall": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "rule": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
+ "endpoint-authentication": {
+ "fields": {}
}
}
},
- "sonarg": {
- "expression": "product = \"sonarg\"",
+ "rsa netwitness platform": {
+ "expression": "product = \"rsa netwitness platform\"",
"fields": {
- "db_domain": {
+ "src_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_port": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "session_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "service_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "role": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_name": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "db_user": {
+ "external_id": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_ip": {
+ "process_name": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "service_name": {
+ "group_name": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_host": {
+ "action_type": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_host": {
+ "method": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "db_name": {
+ "user_agent": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
+ "query_string": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "uri": {
"core": "0",
"detection": "0",
"informational": "1"
}
},
"activity_type": {
- "database-login": {
+ "app-login": {
"fields": {}
}
}
},
- "solaris": {
- "expression": "product = \"solaris\"",
+ "rs2 technologies": {
+ "expression": "product = \"rs2 technologies\"",
"fields": {
"event_code": {
"core": "0",
@@ -25121,27 +36878,57 @@
"detection": "0",
"informational": "1"
},
- "operation": {
+ "last_name": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "login_id": {
+ "first_name": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
+ "location_building": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "physical_location-access": {
+ "fields": {}
+ }
+ }
+ },
+ "rightcrowd": {
+ "expression": "product = \"rightcrowd\"",
+ "fields": {
+ "event_name": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_permission": {
+ "event_code": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_zone": {
+ "badge_reader": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "last_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "first_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "site_state": {
"core": "0",
"detection": "0",
"informational": "1"
@@ -25150,836 +36937,176 @@
"core": "0",
"detection": "0",
"informational": "1"
- }
- },
- "activity_type": {
- "process-create": {
- "fields": {}
- }
- }
- },
- "snowflake": {
- "expression": "product = \"snowflake\"",
- "fields": {
- "db_user": {
+ },
+ "area_classification": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "query_id": {
+ "site_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "site_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "badge_status": {
"core": "0",
"detection": "0",
"informational": "1"
}
},
"activity_type": {
- "database-query": {
- "fields": {
- "db_name": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "db_operation": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "db_schema": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- }
- }
- },
- "database-login": {
+ "physical_location-access": {
"fields": {}
}
}
},
- "slack": {
- "expression": "product = \"slack\"",
+ "ricoh printer": {
+ "expression": "product = \"ricoh printer\"",
"fields": {
- "user_id": {
+ "user": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_ip": {
+ "object": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_host": {
+ "src_host": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_type": {
+ "bytes": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "user_agent": {
+ "num_pages": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "printer_name": {
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"activity_type": {
- "file-download": {
- "fields": {
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "file-upload": {
- "fields": {
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "file-share": {
- "fields": {
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "channel-create": {
- "fields": {
- "operation": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "channel-member-join": {
- "fields": {
- "operation": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "application": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "object": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "channel-member-leave": {
- "fields": {
- "operation": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "application": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "object": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "user-disable": {
- "fields": {
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "application": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "object": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- }
- }
- },
- "app-logout": {
- "fields": {
- "operation": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "domain": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "application": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "object": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "workspace-create": {
- "fields": {
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "application": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "object": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "operation": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "workspace-delete": {
- "fields": {
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "application": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "object": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "operation": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "channel-delete": {
- "fields": {
- "src_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "application": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "object": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "operation": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "channel-modify": {
- "fields": {
- "src_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "application": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "object": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "operation": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "user-role-modify": {
- "fields": {
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "application": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "object": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "operation": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "user-role-assign": {
- "fields": {
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "application": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "object": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "operation": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
+ "printer-activity": {
+ "fields": {}
+ }
+ }
+ },
+ "remotelyanywhere": {
+ "expression": "product = \"remotelyanywhere\"",
+ "fields": {
+ "dest_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "user-role-revoke": {
- "fields": {
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "application": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "object": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "operation": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
+ "src_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "user-permission-modify": {
- "fields": {
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "0",
- "informational": "0"
- },
- "domain": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "application": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "object": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- }
- }
+ "description": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "user-create": {
- "fields": {
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "application": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "object": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- }
- }
+ "rule": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "user-modify": {
- "fields": {
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "0",
- "informational": "0"
- },
- "domain": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "application": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "object": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- }
- }
+ "event_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "user-enable": {
- "fields": {
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "application": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "object": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- }
- }
+ "alert_severity": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "workspace-member-add": {
- "fields": {
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "application": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "object": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "operation": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
+ "priority": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "group-member-add": {
- "fields": {
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "application": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "object": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- }
- }
+ "policy": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "group-member-remove": {
- "fields": {
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "application": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "object": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- }
- }
+ "process_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "endpoint-login": {
+ "fields": {}
+ }
+ }
+ },
+ "aviglion acm": {
+ "expression": "product = \"aviglion acm\"",
+ "fields": {
+ "category": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "group-role-assign": {
- "fields": {
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "application": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "object": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "operation": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
+ "last_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "group-role-revoke": {
- "fields": {
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "application": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "object": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "operation": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
+ "first_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "group-role-modify": {
+ "location_building": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "physical_location-access": {
+ "fields": {}
+ }
+ }
+ },
+ "radius": {
+ "expression": "product = \"radius\"",
+ "fields": {
+ "src_host": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "radius-session": {
"fields": {
"user": {
"Status": "Default",
@@ -25987,31 +37114,13 @@
"detection": "1",
"informational": "0"
},
- "domain": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "application": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "object": {
+ "network": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "src_mac": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -26019,15 +37128,9 @@
}
}
},
- "app-login": {
+ "endpoint-authentication": {
"fields": {
- "file_name": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "file_ext": {
+ "src_port": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -26037,10 +37140,55 @@
}
}
},
- "symantec siteminder": {
- "expression": "product = \"siteminder\"",
+ "quest intrust": {
+ "expression": "product = \"quest intrust\"",
"fields": {
- "src_host": {
+ "dest_host": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "dhcp-session": {
+ "fields": {}
+ }
+ }
+ },
+ "proxysg": {
+ "expression": "product = \"proxysg\"",
+ "fields": {
+ "user_ou": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "realm": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "endpoint-authentication": {
+ "fields": {}
+ }
+ }
+ },
+ "targeted attack platform": {
+ "expression": "product = \"targeted attack platform\"",
+ "fields": {
+ "bytes": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "message_id": {
"core": "0",
"detection": "0",
"informational": "1"
@@ -26050,280 +37198,182 @@
"detection": "0",
"informational": "1"
},
- "dest_host": {
+ "rule": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_ip": {
+ "return_path": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "group_name": {
+ "dest_ip": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "web_domain": {
+ "num_recipients": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "method": {
+ "protocol": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "uri": {
+ "auth_method": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "resource": {
+ "direction": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "auth_level": {
+ "spam_score": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "authentication_type": {
+ "phishing_score": {
"core": "0",
"detection": "0",
"informational": "1"
- }
- },
- "activity_type": {
- "app-authentication": {
- "fields": {}
- }
- }
- },
- "silverfort authentication platform": {
- "expression": "product = \"silverfort\"",
- "fields": {
- "src_host": {
+ },
+ "malware_score": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
+ "alert_type": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_host": {
+ "alert_id": {
"core": "0",
"detection": "0",
"informational": "1"
- }
- },
- "activity_type": {
- "app-login": {
- "fields": {}
},
- "endpoint-authentication": {
- "fields": {
- "dest_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "auth_method": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
+ "hash_md5": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "app-authentication": {
- "fields": {
- "dest_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "auth_method": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- }
- }
- },
- "sigsci": {
- "expression": "product = \"sigsci\"",
- "fields": {
- "src_host": {
+ "hash_sha256": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_host": {
+ "result": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "user_agent": {
+ "threat_id": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "method": {
+ "malware_url": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "result_code": {
+ "mime": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "action": {
+ "query_id": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "mime": {
+ "alert_name": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes_out": {
+ "is_consolidated": {
"core": "0",
"detection": "0",
"informational": "1"
- }
- },
- "activity_type": {
- "http-session": {
- "fields": {}
- }
- }
- },
- "siemens access control": {
- "expression": "product = \"siemens access control\"",
- "fields": {
- "employee_id": {
+ },
+ "creator": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "location_building": {
+ "country": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "location_city": {
+ "page_count": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "full_name": {
+ "category": {
"core": "0",
"detection": "0",
"informational": "1"
- }
- },
- "activity_type": {
- "physical_location-access": {
- "fields": {}
- }
- }
- },
- "shibboleth": {
- "expression": "product = \"shibboleth\"",
- "fields": {
- "src_ip": {
+ },
+ "log_source": {
"core": "0",
"detection": "0",
"informational": "1"
}
},
"activity_type": {
- "app-login": {
+ "email-send": {
"fields": {}
},
- "app-authentication": {
+ "email-receive": {
"fields": {
- "request_binding": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "relying_party_id": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "principal_name": {
+ "folder_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
- },
- "user-password-modify": {
- "fields": {}
}
}
},
- "logbinder for sharepoint": {
- "expression": "product = \"logbinder for sharepoint\"",
+ "hp print server": {
+ "expression": "product = \"hp print server\"",
"fields": {
- "access": {
+ "printer_name": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
+ "printer_sn": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "domain": {
+ "user": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "src_host": {
"core": "0",
"detection": "0",
"informational": "1"
- }
- },
- "activity_type": {
- "file-read": {
- "fields": {}
- },
- "file-write": {
- "fields": {}
},
- "file-search": {
- "fields": {}
- }
- }
- },
- "sftp": {
- "expression": "product = \"sftp\"",
- "fields": {
- "access": {
+ "num_pages": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_host": {
+ "object": {
"core": "0",
"detection": "0",
"informational": "1"
@@ -26333,102 +37383,43 @@
"detection": "0",
"informational": "1"
},
- "dest_ip": {
+ "domain": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_port": {
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "dest_ip": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes": {
+ "printer_id": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "user_agent": {
+ "dest_host": {
"core": "0",
"detection": "0",
"informational": "1"
}
},
"activity_type": {
- "file-download": {
- "fields": {
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "file-read": {
- "fields": {
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "file-upload": {
- "fields": {
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "file-write": {
- "fields": {
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "file-delete": {
- "fields": {
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "app-login": {
+ "printer-activity": {
"fields": {}
}
}
},
- "servicenow": {
- "expression": "product = \"servicenow\"",
+ "powersentry": {
+ "expression": "product = \"powersentry\"",
"fields": {
- "object": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "event_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "resource": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
+ "src_host": {
"core": "0",
"detection": "0",
"informational": "1"
@@ -26436,89 +37427,14 @@
},
"activity_type": {
"app-login": {
- "fields": {}
- },
- "app-activity": {
"fields": {
- "application": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "additional_info": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "user": {
+ "src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "domain": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "table_name": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "new_value": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "file_name": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "file_path": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "file_ext": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "table": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "bytes": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "event_name": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "file_type": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dproc": {
+ "protocol": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -26526,15 +37442,9 @@
}
}
},
- "file-delete": {
+ "configuration-modify": {
"fields": {
"user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -26543,175 +37453,112 @@
"core": "0",
"detection": "0",
"informational": "0"
- },
- "table": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "table_name": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "action": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "bytes": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "file_type": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dproc": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "old_value": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "new_value": {
- "core": "0",
- "detection": "0",
- "informational": "0"
}
}
+ }
+ }
+ },
+ "postscript": {
+ "expression": "product = \"postscript\"",
+ "fields": {
+ "printer_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "file-download": {
- "fields": {
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "table": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "table_name": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "action": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "bytes": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "file_type": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dproc": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "old_value": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "new_value": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- }
- }
+ "user": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "object": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
+ "activity_type": {
+ "printer-activity": {
+ "fields": {}
+ }
+ }
+ },
+ "postgresql": {
+ "expression": "product = \"postgresql\"",
+ "fields": {
+ "db_user": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "db_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "database_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "file-read": {
+ "event_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dtz": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "alert_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "database-login": {
+ "fields": {}
+ },
+ "database-delete": {
"fields": {
"user": {
"Status": "Legacy",
"core": "1",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "table": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "table_name": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "action": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "bytes": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "file_type": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dproc": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "old_value": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "new_value": {
- "core": "0",
"detection": "0",
"informational": "0"
}
}
},
- "file-upload": {
+ "database-query": {
"fields": {
"user": {
"Status": "Legacy",
@@ -26719,109 +37566,63 @@
"detection": "1",
"informational": "0"
},
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "operation": {
+ "process_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "table": {
+ "src_port": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "table_name": {
+ "session_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "action": {
+ "transaction_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "bytes": {
+ "operation": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "file_type": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dproc": {
+ "db_object": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "old_value": {
+ "object_type": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "new_value": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- }
- }
- }
- }
- },
- "singularity platform": {
- "expression": "product = \"singularity platform\"",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
- "fields": {
- "agent_id": {
+ "severity": {
"core": "0",
"detection": "0",
"informational": "0"
},
"dest_host": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "file_name": {
- "Status": "Legacy",
- "core": "1",
- "detection": "0",
- "informational": "0"
- },
- "file_dir": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "file_path": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_ext": {
+ "dest_ip": {
"core": "0",
"detection": "0",
"informational": "0"
- },
- "process_name": {
- "Status": "Legacy",
+ }
+ }
+ },
+ "database-activity": {
+ "fields": {
+ "user": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
@@ -26830,345 +37631,397 @@
}
}
},
- "sensormatik": {
- "expression": "product = sensormatik\"",
+ "postfix": {
+ "expression": "product = \"postfix\"",
"fields": {
- "last_name": {
+ "msg_id": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "first_name": {
+ "bytes": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "direction": {
+ "num_recipients": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_ip": {
"core": "0",
"detection": "0",
"informational": "1"
}
},
"activity_type": {
- "physical_location-access": {
+ "email-send": {
+ "fields": {}
+ },
+ "email-receive": {
"fields": {}
}
}
},
- "securityiq": {
- "expression": "product = \"securityiq\"",
+ "ping identity": {
+ "expression": "product = \"ping identity\"",
"fields": {
- "user": {
+ "protocol": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "connection_id": {
"core": "0",
"detection": "0",
"informational": "1"
}
},
"activity_type": {
- "file-read": {
+ "vpn-login": {
"fields": {
- "user_sid": {
+ "requested_app_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "domain": {
+ "requested_app": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "account_id": {
+ "country": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "sid_domain": {
+ "device": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "event_name": {
+ "os": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "access": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
+ "informational": "1"
}
}
},
- "file-permission-modify": {
+ "app-authentication": {
"fields": {
- "user_sid": {
+ "auth_method": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "domain": {
+ "role": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "account_id": {
+ "response_time": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "sid_domain": {
+ "adopter_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "event_name": {
+ "tracking_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "access": {
- "Status": "Legacy",
+ "local_user_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "attributes": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- },
- "group-member-remove": {
- "fields": {
- "event_name": {
+ },
+ "src_host": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "group_id": {
- "Status": "Legacy",
+ "dest_ip": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- },
- "user-create": {
- "fields": {
- "user_sid": {
- "Status": "Legacy",
+ },
+ "event_name": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_name": {
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- }
- }
- },
- "user-delete": {
- "fields": {
- "user_sid": {
- "Status": "Legacy",
+ "informational": "1"
+ },
+ "user_agent": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_name": {
+ "browser": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- }
- }
- },
- "user-password-reset": {
- "fields": {
- "user_sid": {
- "Status": "Legacy",
+ "informational": "1"
+ },
+ "device": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_name": {
+ "os": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
}
}
},
- "user-lock": {
+ "app-login": {
"fields": {
- "dest_host": {
- "Status": "Legacy",
+ "src_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "requested_app_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user_sid": {
- "Status": "Legacy",
+ "requested_app": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_name": {
+ "country": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- }
- }
- },
- "file-write": {
- "fields": {
- "user_sid": {
+ "informational": "1"
+ },
+ "os": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "domain": {
+ "auth_method": {
+ "Status": "Default",
"core": "0",
"detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
"informational": "0"
},
"event_name": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- }
- }
- },
- "file-delete": {
- "fields": {
- "user_sid": {
+ "informational": "1"
+ },
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "domain": {
+ "category": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "event_name": {
+ "alert_name": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- }
- }
- },
- "file-download": {
- "fields": {}
- },
- "file-upload": {
- "fields": {
- "domain": {
+ "informational": "1"
+ },
+ "user_agent": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
+ },
+ "url": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
}
- }
- }
- },
- "securityexpert": {
- "expression": "product = \"securityexpert\"",
- "fields": {
- "user": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "full_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "event_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "device_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "physical_location-access": {
- "fields": {}
- }
- }
- },
- "tufin securetrack": {
- "expression": "product = \"tufin securetrack\"",
- "fields": {},
- "activity_type": {
- "app-login": {
- "fields": {}
- }
- }
- },
- "securenet": {
- "expression": "product = \"securenet\"",
- "fields": {
- "event_code": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "event_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_translated_ip": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "vpn-login": {
- "fields": {}
},
- "vpn-logout": {
- "fields": {}
- }
- }
- },
- "securelink": {
- "expression": "product = \"securelink\"",
- "fields": {},
- "activity_type": {
- "app-login": {
+ "user-password-modify": {
"fields": {
- "src_ip": {
+ "role": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "event_name": {
+ "response_time": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "adopter_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "tracking_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "local_user_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "attributes": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "user-password-reset": {
+ "fields": {
+ "role": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "response_time": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "adopter_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "tracking_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "local_user_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "attributes": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
}
}
},
"app-activity": {
"fields": {
- "duration": {
+ "event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "category": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user_agent": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -27186,7 +38039,25 @@
"detection": "0",
"informational": "1"
},
- "dest_port": {
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "url": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "alert_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -27196,45 +38067,30 @@
}
}
},
- "secureauth login": {
- "expression": "product = \"secureauth login\"",
+ "pharos": {
+ "expression": "product = \"pharos\"",
"fields": {
- "src_ip": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "event_code": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "user_agent": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "realm": {
+ "user": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_host": {
+ "object": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "priority": {
+ "num_pages": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_name": {
+ "bytes": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "severity": {
+ "printer_name": {
"core": "0",
"detection": "0",
"informational": "1"
@@ -27244,120 +38100,65 @@
"detection": "0",
"informational": "1"
},
- "process_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "category": {
+ "process_name": {
"core": "0",
"detection": "0",
"informational": "1"
}
},
"activity_type": {
- "app-login": {
+ "printer-activity": {
"fields": {}
}
}
},
- "iboss cloud": {
- "expression": "product = iboss secure web gateway\"",
+ "phantom": {
+ "expression": "product = \"phantom\"",
"fields": {
- "categories": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "category": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "action": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_host": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "method": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "user_agent": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "mime": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "bytes_out": {
+ "alert_severity": {
"core": "0",
"detection": "0",
"informational": "1"
}
},
"activity_type": {
- "http-session": {
+ "email-receive": {
"fields": {}
}
}
},
- "secureenvoy multi-factor authentication": {
- "expression": "product = \"secure envoy\"",
+ "pfsense": {
+ "expression": "product = \"pfsense\"",
"fields": {
- "server_name": {
+ "dest_interface": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
+ "operation": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_ip": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "endpoint-authentication": {
- "fields": {}
- }
- }
- },
- "secure computing safeword": {
- "expression": "product = \"secure computing safeword\"",
- "fields": {
- "src_host": {
+ "direction": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
+ "bytes_in": {
"core": "0",
"detection": "0",
"informational": "1"
}
},
"activity_type": {
- "app-authentication": {
+ "network-traffic": {
"fields": {}
}
}
},
- "thycotic software secret server": {
- "expression": "product = \"thycotic software secret server\"",
+ "cisco ise": {
+ "expression": "product = \"cisco ise\"",
"fields": {
"src_ip": {
"core": "0",
@@ -27366,340 +38167,191 @@
}
},
"activity_type": {
- "app-login": {
- "fields": {}
- },
- "password-copy": {
+ "endpoint-authentication": {
"fields": {
- "domain": {
+ "dest_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "object": {
+ "auth_server": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "resource": {
+ "user_type": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "computer_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "access_type": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "user-password-modify": {
- "fields": {
- "domain": {
+ },
+ "src_mac": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "location": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "resource": {
+ "dest_port": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "protocol": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "dest_mac": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "policy-modify": {
- "fields": {
- "domain": {
+ },
+ "ssid": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "resource": {
+ "src_host": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "operation": {
+ "nas_ip_address": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "severity": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "policy-create": {
- "fields": {
- "domain": {
+ "network": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "resource": {
+ "session_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "user_dn": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "calling_station_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
+ "acs_session_id": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "group-member-add": {
- "fields": {
- "domain": {
- "Status": "Legacy",
- "core": "0",
"detection": "0",
"informational": "1"
},
- "resource": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "additional_info": {
+ "identity_group": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
+ "informational": "1"
},
- "object": {
+ "radius_flow_type": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
}
}
},
- "group-member-remove": {
+ "app-activity": {
"fields": {
- "domain": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "resource": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "operation": {
+ "src_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "additional_info": {
+ "dest_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "0"
- },
- "user": {
- "Status": "Legacy",
- "core": "1",
"detection": "1",
"informational": "0"
},
- "object": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- }
- }
- },
- "user-create": {
- "fields": {
- "domain": {
- "Status": "Legacy",
+ "app": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "resource": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
"user": {
- "Status": "Legacy",
- "core": "1",
+ "Status": "Default",
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "object": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- }
- }
- },
- "user-modify": {
- "fields": {
- "domain": {
- "Status": "Legacy",
+ "privileges": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "resource": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "0",
- "informational": "0"
- },
- "object": {
- "core": "0",
- "detection": "0",
- "informational": "0"
}
}
},
- "user-disable": {
+ "endpoint-login": {
"fields": {
- "domain": {
- "Status": "Legacy",
+ "event_code": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "resource": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "object": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- }
- }
- },
- "secret-create": {
- "fields": {
- "domain": {
+ "category": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "resource": {
+ "severity": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -27711,131 +38363,126 @@
"detection": "0",
"informational": "1"
},
- "user": {
+ "admin_interface": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
}
}
},
- "secret-copy": {
+ "configuration-modify": {
"fields": {
- "domain": {
- "Status": "Default",
+ "user": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "resource": {
- "Status": "Default",
+ "domain": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "operation": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
"additional_info": {
- "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "user": {
- "Status": "Default",
+ "admin_interface": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
- }
- }
- },
- "secret-modify": {
- "fields": {
- "domain": {
- "Status": "Default",
+ },
+ "event_code": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "resource": {
- "Status": "Default",
+ "severity": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
"operation": {
- "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "additional_info": {
- "Status": "Default",
+ "event_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "user": {
- "Status": "Default",
+ "object": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
}
}
},
- "password-checkin": {
+ "vpn-login": {
"fields": {
- "domain": {
+ "dest_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_translated_ip": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "resource": {
+ "dest_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "session_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "os": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "password-checkout": {
- "fields": {
- "domain": {
+ },
+ "os_version": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "resource": {
+ "realm": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "badge_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "event_code": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -27843,221 +38490,104 @@
}
}
},
- "app-activity": {
+ "vpn-logout": {
"fields": {
- "domain": {
- "Status": "Default",
+ "src_translated_ip": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "resource": {
- "Status": "Default",
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
- "Status": "Default",
+ "dest_ip": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "user": {
- "Status": "Default",
+ "bytes_in": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "bytes_out": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "session_duration": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
}
}
}
}
},
- "seclore": {
- "expression": "product = \"seclore\"",
+ "google virtual private cloud": {
+ "expression": "product = \"google virtual private cloud\"",
"fields": {
- "dest_ip": {
+ "bytes_out": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
+ "packets": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "domain": {
+ "dest_host": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "src_host": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "access": {
+ "reporter": {
"core": "0",
"detection": "0",
"informational": "1"
}
},
"activity_type": {
- "file-read": {
- "fields": {}
- },
- "file-permission-modify": {
- "fields": {}
- },
- "file-write": {
+ "network-traffic": {
"fields": {}
}
}
},
- "sap": {
- "expression": "product = \"sap\"",
+ "ruckus": {
+ "expression": "product = \"ruckus\"",
"fields": {
- "activity_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "severity": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "category": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "object": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "aid": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "server": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "user_sid": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "client": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "transaction": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "result_code": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
"src_mac": {
"core": "0",
"detection": "0",
"informational": "1"
- }
- },
- "activity_type": {
- "app-login": {
- "fields": {
- "additional_info": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "file-download": {
- "fields": {}
- },
- "user-create": {
- "fields": {}
- },
- "user-delete": {
- "fields": {}
- },
- "user-lock": {
- "fields": {}
- },
- "user-unlock": {
- "fields": {}
- },
- "app-activity": {
- "fields": {}
- }
- }
- },
- "safesend": {
- "expression": "product = \"safesend\"",
- "fields": {
- "num_recipients": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "num_internal_recipients": {
- "core": "0",
- "detection": "0",
- "informational": "1"
},
- "num_external_recipients": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "email-send": {
- "fields": {}
- }
- }
- },
- "ruid": {
- "expression": "product = \"ruid\"",
- "fields": {
"src_host": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "admin_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dest_host": {
+ "wifiap": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_ip": {
+ "ssid": {
"core": "0",
"detection": "0",
"informational": "1"
@@ -28069,30 +38599,10 @@
}
}
},
- "rsa netwitness platform": {
- "expression": "product = \"rsa netwitness\"",
+ "portnox clear": {
+ "expression": "product = \"portnox clear\"",
"fields": {
- "src_ip": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_port": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "session_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "service_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "role": {
+ "event_code": {
"core": "0",
"detection": "0",
"informational": "1"
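Review bot: `rsa netwitness platform` is overwritten in place by `portnox clear`, taking `src_ip`, `src_port`, `session_id`, `service_name` and `role` with it and leaving only `event_code` as the new product-level field. If NetWitness is meant to survive elsewhere in the file the diff should be regenerated so the move is visible; if it is meant to be dropped, that removal needs to be called out explicitly rather than appearing as a side effect of a rename.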
@@ -28102,162 +38612,148 @@
"detection": "0",
"informational": "1"
},
- "external_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "process_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "group_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "action_type": {
+ "src_ip": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "method": {
+ "dest_ip": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "user_agent": {
+ "auth_method": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "query_string": {
+ "policy": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "uri": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "1"
}
},
"activity_type": {
- "app-login": {
+ "endpoint-policy-verify": {
+ "fields": {
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
+ },
+ "endpoint-authentication": {
"fields": {}
}
}
},
- "rs2 technologies": {
- "expression": "product = \"rs2 technologies\"",
+ "sterling b2b integrator": {
+ "expression": "product = \"Sterling B2B Integrator\"",
"fields": {
- "event_code": {
+ "sub_category": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_name": {
+ "object": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "last_name": {
+ "operation": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "first_name": {
+ "description": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "location_building": {
+ "user_id": {
"core": "0",
"detection": "0",
"informational": "1"
}
},
"activity_type": {
- "physical_location-access": {
+ "group-member-add": {
+ "fields": {}
+ },
+ "group-member-remove": {
"fields": {}
}
}
},
- "rightcrowd": {
- "expression": "product = \"rightcrowd\"",
+ "guardium": {
+ "expression": "product =\"guardium\"",
"fields": {
- "event_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "event_code": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "badge_reader": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "last_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "first_name": {
+ "user": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "site_state": {
+ "domain": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "area_classification": {
+ "process_name": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "site_id": {
+ "service_name": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "site_name": {
+ "db_object": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "badge_status": {
+ "sql_count": {
"core": "0",
"detection": "0",
"informational": "1"
}
},
"activity_type": {
- "physical_location-access": {
+ "database-activity": {
"fields": {}
}
}
},
- "ricoh printer": {
- "expression": "product = \"ricoh printer\"",
+ "ibm db2": {
+ "expression": "product = ibm db2",
"fields": {
- "user": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "object": {
+ "category": {
"core": "0",
"detection": "0",
"informational": "1"
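Review bot: three of the new `expression` values deviate from the `product = \"<lowercase key>\"` form used everywhere else in this hunk and will either fail to parse or match the wrong thing depending on how the expression is evaluated: `"product = \"Sterling B2B Integrator\""` uses mixed case while its key is `sterling b2b integrator`, `"product =\"guardium\""` drops the space before the quote, and `"product = ibm db2"` leaves a two-word value unquoted. Suggested values are `"product = \"sterling b2b integrator\""`, `"product = \"guardium\""` and `"product = \"ibm db2\""`; since this file is evidently generated, a check that every `expression` equals `product = "<enclosing key>"` would stop this class of typo at build time.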
@@ -28266,139 +38762,360 @@
"core": "0",
"detection": "0",
"informational": "1"
+ }
+ },
+ "activity_type": {
+ "database-login": {
+ "fields": {
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "object": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "db_user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "db_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "database_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "event_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "auth_type": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "db_schema": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_code": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
},
- "bytes": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "database-modify": {
+ "fields": {
+ "db_user": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "db_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "database_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "event_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "auth_type": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "db_schema": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "event_code": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "object": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
},
- "num_pages": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "file-read": {
+ "fields": {
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "process_name": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
},
- "printer_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "alert-trigger": {
+ "fields": {
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "alert_id": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "malware_url": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "result": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
}
- },
+ }
+ },
+ "hcl notes": {
+ "expression": "product = \"hcl notes\"",
+ "fields": {},
"activity_type": {
- "printer-activity": {
- "fields": {}
+ "network-session": {
+ "fields": {
+ "dest_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "database-modify": {
+ "fields": {
+ "db_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
}
}
},
- "remotelyanywhere": {
- "expression": "product = \"remotelyanywhere\"",
+ "ibm resource access control facility": {
+ "expression": "product = \"ibm resource access control facility\"",
"fields": {
"dest_ip": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "description": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "rule": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "event_name": {
+ "db_user": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "alert_severity": {
+ "database_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "priority": {
+ "user": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "policy": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_name": {
+ "object": {
"core": "0",
"detection": "0",
"informational": "1"
}
},
"activity_type": {
- "endpoint-login": {
- "fields": {}
- }
- }
- },
- "avigilon access control manager": {
- "expression": "product = \"aviglion acm\"",
- "fields": {
- "category": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "last_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "first_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "database-activity": {
+ "fields": {
+ "event_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "command": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
},
- "location_building": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "physical_location-access": {
- "fields": {}
- }
- }
- },
- "radius": {
- "expression": "product = \"radius\"",
- "fields": {
- "src_host": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "radius-session": {
+ "app-login": {
"fields": {
- "user": {
+ "dest_host": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "network": {
+ "src_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_mac": {
+ "process_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "group_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "terminal": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "environment": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "manager_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "manager": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "identifier": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "alert_type": {
"Status": "Default",
"core": "0",
"detection": "0",
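Review bot: the flag triples in the new `ibm db2` activity types are inconsistent with the one-flag-set convention the rest of the hunk follows. Under `file-read`, `user` has `"core": "1"` and `"detection": "1"` at once, as do `dest_ip` and `src_ip` under `alert-trigger`, while under `database-modify` the fields `db_name`, `event_name`, `auth_type`, `db_schema`, `event_code` and `object` have all three of `core`, `detection` and `informational` set to `"0"` with no `enriched` key. If the three flags are an exclusive classification these entries need a decision; if multiple flags or an all-zero entry are legitimate states, the schema or a comment at the top of the file should say what they mean so consumers do not treat them as errors.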
@@ -28406,9 +39123,99 @@
}
}
},
- "endpoint-authentication": {
+ "app-activity": {
"fields": {
- "src_port": {
+ "terminal": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "environment": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "src_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "event_code": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "alert_type": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "group_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "manager_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "manager_email": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "identifier": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_name": {
"Status": "Default",
"core": "0",
"detection": "0",
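Review bot: `app-activity` for `ibm resource access control facility` lists `manager_name` and `manager_email`, while the `app-login` block directly above lists `manager_name` and `manager`; unless `manager` is a genuinely distinct field, one of the two names is a typo and should be aligned. The same block also repeats `terminal`, `environment`, `user_id`, `src_host`, `group_name`, `manager_name`, `dest_host`, `identifier`, `alert_type` and `process_name` from `app-login` with identical flags; this product already has a product-level `fields` object, so if that level applies to every activity type, hoisting the shared entries there would remove the duplication and the drift it invites.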
@@ -28418,1209 +39225,1535 @@
}
}
},
- "quest intrust": {
- "expression": "product = \"quest intrust\"",
+ "m365 audit logs": {
+ "expression": "product = \"m365 audit logs\"",
"fields": {
- "dest_host": {
+ "user": {
"core": "0",
"detection": "0",
"informational": "1"
- }
- },
- "activity_type": {
- "dhcp-session": {
- "fields": {}
- }
- }
- },
- "proxysg": {
- "expression": "product = \"proxysg\"",
- "fields": {
- "user_ou": {
+ },
+ "domain": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "realm": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "src_ip": {
+ "operation": {
"core": "0",
"detection": "0",
"informational": "1"
}
},
"activity_type": {
- "endpoint-authentication": {
+ "app-login": {
+ "fields": {
+ "src_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "additional_info": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "location_city": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "location_state": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "result_code": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "location_country": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "user-modify": {
+ "fields": {
+ "src_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
+ },
+ "group-create": {
+ "fields": {
+ "src_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
+ },
+ "group-delete": {
+ "fields": {
+ "src_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
+ },
+ "policy-create": {
+ "fields": {
+ "src_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "policy-modify": {
+ "fields": {
+ "src_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "policy-delete": {
+ "fields": {
+ "src_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "policy-read": {
+ "fields": {
+ "src_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "app-activity": {
+ "fields": {
+ "src_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "share_link-open": {
+ "fields": {}
+ },
+ "file-download": {
"fields": {}
}
}
},
- "targeted attack platform": {
- "expression": "product = proofpoint tap\"",
+ "skyhigh networks casb": {
+ "expression": "product = \"skyhigh networks casb\"",
"fields": {
- "bytes": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "message_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
+ "user": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "rule": {
+ "object": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "return_path": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_ip": {
+ "operation": {
"core": "0",
"detection": "0",
"informational": "1"
+ }
+ },
+ "activity_type": {
+ "app-notification": {
+ "fields": {}
},
- "num_recipients": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "user-modify": {
+ "fields": {}
},
- "protocol": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "app-activity": {
+ "fields": {
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "object": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
},
- "auth_method": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "user-create": {
+ "fields": {}
},
- "direction": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "file-download": {
+ "fields": {}
},
- "spam_score": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "report-download": {
+ "fields": {}
},
- "phishing_score": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "user-delete": {
+ "fields": {}
},
- "malware_score": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "case-modify": {
+ "fields": {}
},
- "alert_type": {
+ "report-create": {
+ "fields": {}
+ }
+ }
+ },
+ "microsoft cas": {
+ "expression": "product = \"microsoft cas\"",
+ "fields": {
+ "src_ip": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "alert_id": {
+ "user": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "hash_md5": {
+ "domain": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "hash_sha256": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "result": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "threat_id": {
+ "user_agent": {
"core": "0",
"detection": "0",
"informational": "1"
+ }
+ },
+ "activity_type": {
+ "app-activity": {
+ "fields": {
+ "dest_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "object": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "access": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
},
- "malware_url": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "file-read": {
+ "fields": {
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
},
- "mime": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "group-member-add": {
+ "fields": {
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
},
- "query_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "user-role-assign": {
+ "fields": {
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
},
- "alert_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "mailbox-permission-modify": {
+ "fields": {
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
},
- "is_consolidated": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "group-modify": {
+ "fields": {
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
},
- "creator": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "user-modify": {
+ "fields": {
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
},
- "country": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "file-write": {
+ "fields": {
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
},
- "page_count": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "email-create": {
+ "fields": {
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
},
- "category": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "mailbox-item-create": {
+ "fields": {
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
},
- "log_source": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "email-send": {
- "fields": {}
+ "user-create": {
+ "fields": {
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
},
- "email-receive": {
- "fields": {}
- }
- }
- },
- "hp print server": {
- "expression": "product = \"hp print server\"",
- "fields": {
- "printer_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "file-delete": {
+ "fields": {
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
},
- "printer_sn": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "email-delete": {
+ "fields": {
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
},
- "user": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "mailbox-item-delete": {
+ "fields": {
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
},
- "src_host": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "file-move": {
+ "fields": {
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
},
- "num_pages": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "email-move": {
+ "fields": {
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
},
- "object": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "mailbox-item-move": {
+ "fields": {
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
},
- "src_ip": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "group-member-remove": {
+ "fields": {
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
},
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "file-rename": {
+ "fields": {
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
},
- "dest_ip": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "email-send": {
+ "fields": {
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
},
- "printer_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "alert-trigger": {
+ "fields": {
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
},
- "dest_host": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "email-modify": {
+ "fields": {
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "mailbox-item-modify": {
+ "fields": {
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
}
- },
+ }
+ },
+ "filesite": {
+ "expression": "product = \"filesite\"",
+ "fields": {},
"activity_type": {
- "printer-activity": {
- "fields": {}
+ "app-activity": {
+ "fields": {
+ "resource": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "file_path": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "object": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "file_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "file_dir": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
}
}
},
- "powersentry": {
- "expression": "product = \"powersentry\"",
- "fields": {
- "src_host": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
+ "abnormal inbound email protection": {
+ "expression": "product = abnormal inbound email protection",
+ "fields": {},
"activity_type": {
- "app-login": {
+ "alert-trigger": {
"fields": {
- "src_ip": {
- "Status": "Default",
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "alert_id": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "message_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "result": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "recipient": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "recipients": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "sender": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "email_subject": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "protocol": {
- "Status": "Default",
+ "email_address": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
}
}
- },
- "configuration-modify": {
+ }
+ }
+ },
+ "absolute": {
+ "expression": "product = absolute",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
"fields": {
- "user": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "operation": {
+ "alert_id": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
"informational": "0"
}
}
}
}
},
- "postscript": {
- "expression": "product = \"postscript\"",
- "fields": {
- "printer_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "user": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_host": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "object": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "printer-activity": {
- "fields": {}
- }
- }
- },
- "postgresql": {
- "expression": "product = \"postgresql\"",
- "fields": {
- "db_user": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "db_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_host": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "event_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dtz": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "alert_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
+ "vmware airwatch": {
+ "expression": "product = vmware airwatch",
+ "fields": {},
"activity_type": {
- "database-login": {
- "fields": {}
- },
- "database-delete": {
+ "alert-trigger": {
"fields": {
- "user": {
- "Status": "Legacy",
- "core": "1",
+ "additional_info": {
+ "core": "0",
"detection": "0",
"informational": "0"
- }
- }
- },
- "database-query": {
- "fields": {
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
},
- "process_id": {
+ "device_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_port": {
+ "event_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "session_id": {
+ "failure_reason": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "transaction_id": {
+ "result": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "operation": {
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "db_object": {
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
+ }
+ }
+ },
+ "akamai technologies": {
+ "expression": "product = akamai technologies",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
+ "fields": {
+ "category": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "object_type": {
+ "malware_url": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "severity": {
+ "result": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_host": {
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_port": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
+ }
+ }
+ }
+ }
+ },
+ "assetview assetview": {
+ "expression": "product = assetview assetview",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
+ "fields": {
+ "asset_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
},
- "dest_ip": {
+ "usb_serial_number": {
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- },
- "database-activity": {
- "fields": {
- "user": {
- "Status": "Default",
+ },
+ "usb_vendor": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
}
}
}
}
},
- "postfix": {
- "expression": "product = \"postfix\"",
+ "auth0": {
+ "expression": "product = auth0",
"fields": {
- "msg_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "bytes": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "user": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
},
- "num_recipients": {
+ "domain": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_host": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
"src_ip": {
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "dest_host": {
+ "user_agent": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_ip": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "1"
}
},
"activity_type": {
- "email-send": {
+ "alert-trigger": {
+ "fields": {
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "app": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "auth_type": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user_agent": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "email_address": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
+ },
+ "user-password-modify": {
"fields": {}
},
- "email-receive": {
+ "app-login": {
"fields": {}
}
}
},
- "ping identity": {
- "expression": "product = \"ping identity\"",
- "fields": {
- "protocol": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "connection_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
+ "amazon aws guardduty": {
+ "expression": "product = amazon aws guardduty",
+ "fields": {},
"activity_type": {
- "vpn-login": {
+ "alert-trigger": {
"fields": {
- "requested_app_id": {
- "Status": "Default",
+ "additional_info": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "requested_app": {
- "Status": "Default",
+ "alert_id": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "country": {
- "Status": "Default",
+ "app": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "device": {
- "Status": "Default",
+ "dest_host": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_port": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "result": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "operating_system": {
- "Status": "Default",
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_port": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "user": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
}
}
- },
- "app-authentication": {
+ }
+ }
+ },
+ "bitdefender gravityzone": {
+ "expression": "product = bitdefender gravityzone",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
"fields": {
- "auth_method": {
- "Status": "Default",
+ "operation": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "role": {
- "Status": "Default",
+ "bitdefender_operation_type": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "response_time": {
- "Status": "Default",
+ "category": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "adopter_id": {
- "Status": "Default",
+ "count": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "tracking_id": {
- "Status": "Default",
+ "dest_host": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "detection_level": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "local_user_id": {
- "Status": "Default",
+ "domain": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "attributes": {
- "Status": "Default",
+ "file_path": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_host": {
- "Status": "Default",
+ "file_type": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "src_host": {
- "Status": "Default",
+ "url": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "dest_ip": {
- "Status": "Default",
+ "last_blocked_time": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "event_name": {
- "Status": "Default",
+ "malware_file_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "additional_info": {
- "Status": "Default",
+ "malware_url": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "user_agent": {
- "Status": "Default",
+ "hash_md5": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "browser": {
- "Status": "Default",
+ "method": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "device": {
- "Status": "Default",
+ "result": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "operating_system": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "app-login": {
- "fields": {
- "src_host": {
- "Status": "Default",
+ "protocol": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
"src_ip": {
- "Status": "Default",
- "core": "0",
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "requested_app_id": {
- "Status": "Default",
+ "suid": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "requested_app": {
- "Status": "Default",
+ "user": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "country": {
- "Status": "Default",
+ "email_address": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
+ }
+ }
+ }
+ }
+ },
+ "hp sure click enterprise": {
+ "expression": "product = hp sure click enterprise",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
+ "fields": {
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
},
- "operating_system": {
- "Status": "Default",
+ "malware_url": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "auth_method": {
- "Status": "Default",
+ "process": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
+ },
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
},
- "dest_host": {
- "Status": "Default",
- "core": "0",
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "dest_ip": {
- "Status": "Default",
+ "user": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "event_name": {
- "Status": "Default",
+ "email_address": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "additional_info": {
- "Status": "Default",
+ "local_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
+ }
+ }
+ },
+ "centrylink adaptive threat intelligence": {
+ "expression": "product = centrylink adaptive threat intelligence",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
+ "fields": {
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
},
- "category": {
- "Status": "Default",
+ "dest_port": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "alert_name": {
- "Status": "Default",
+ "event_category": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "user_agent": {
- "Status": "Default",
+ "priority": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "url": {
- "Status": "Default",
+ "protocol": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_port": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
}
}
- },
- "user-password-modify": {
+ }
+ }
+ },
+ "check point endpoint security": {
+ "expression": "product = check point endpoint security",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
"fields": {
- "role": {
- "Status": "Default",
+ "additional_info": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "response_time": {
- "Status": "Default",
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "adopter_id": {
- "Status": "Default",
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_port": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "tracking_id": {
- "Status": "Default",
+ "malware_file_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "local_user_id": {
- "Status": "Default",
+ "malware_file_type": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "attributes": {
- "Status": "Default",
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_port": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
"user": {
- "Status": "Default",
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
- },
- "user-password-reset": {
+ }
+ }
+ },
+ "cisco advanced malware protection (amp) for networks": {
+ "expression": "product = cisco advanced malware protection (amp) for networks",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
"fields": {
- "role": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "response_time": {
+ "alert_id": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "adopter_id": {
- "core": "0",
- "detection": "0",
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
"informational": "0"
},
- "tracking_id": {
+ "malware_url": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "local_user_id": {
- "core": "0",
- "detection": "0",
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
"informational": "0"
},
- "attributes": {
+ "user": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
}
}
- },
- "app-activity": {
+ }
+ }
+ },
+ "cisco advanced malware protection (amp) for endpoints": {
+ "expression": "product = cisco advanced malware protection (amp) for endpoints",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
"fields": {
- "event_name": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "category": {
- "Status": "Default",
+ "action": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user_agent": {
- "Status": "Default",
+ "additional_info": {
"core": "0",
"detection": "0",
- "informational": "1"
- },
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
"informational": "0"
},
- "domain": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "url": {
- "Status": "Default",
+ "category": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "alert_name": {
- "Status": "Default",
+ "connector_guid": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "additional_info": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- }
- }
- },
- "pharos": {
- "expression": "product = \"pharos\"",
- "fields": {
- "user": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "object": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "num_pages": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "bytes": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "printer_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dest_ip": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "process_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "printer-activity": {
- "fields": {}
- }
- }
- },
- "phantom": {
- "expression": "product = \"phantom\"",
- "fields": {
- "alert_severity": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "email-receive": {
- "fields": {}
- }
- }
- },
- "pfsense": {
- "expression": "product = \"pfsense\"",
- "fields": {
- "dest_interface": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "direction": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "bytes_in": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "network-traffic": {
- "fields": {}
- }
- }
- },
- "cisco ise": {
- "expression": "product = \"cisco ise\"",
- "fields": {
- "src_ip": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "endpoint-authentication": {
- "fields": {
"dest_ip": {
- "Status": "Default",
- "core": "0",
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "auth_server": {
- "Status": "Default",
+ "domain": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "user_type": {
- "Status": "Default",
+ "file_name": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "file_path": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "computer_name": {
- "Status": "Default",
+ "src_mac": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "access_type": {
- "Status": "Default",
+ "malware_url": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "src_mac": {
- "Status": "Default",
+ "hash_md5": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "location": {
- "Status": "Default",
+ "result": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_port": {
- "Status": "Default",
+ "process": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "protocol": {
- "Status": "Default",
+ "product_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_mac": {
- "Status": "Default",
+ "hash_sha1": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "ssid": {
- "Status": "Default",
+ "hash_sha256": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
"src_host": {
- "Status": "Default",
- "core": "0",
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "nas_ip_address": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
},
- "severity": {
- "Status": "Default",
+ "user": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "network": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "session_id": {
- "Status": "Default",
+ "email_address": {
"core": "0",
"detection": "0",
- "informational": "1"
- },
- "user_dn": {
- "Status": "Default",
+ "informational": "0"
+ }
+ }
+ }
+ }
+ },
+ "contrast security secure code platform": {
+ "expression": "product = contrast security secure code platform",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
+ "fields": {
+ "additional_info": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "calling_station_id": {
- "Status": "Default",
+ "malware_url": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "acs_session_id": {
- "Status": "Default",
+ "result": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "identity_group": {
- "Status": "Default",
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "radius_flow_type": {
- "Status": "Default",
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_port": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
}
}
- },
- "app-activity": {
+ }
+ }
+ },
+ "cyberark privileged access manager": {
+ "expression": "product = cyberark privileged access manager",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
"fields": {
- "src_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_ip": {
- "Status": "Default",
+ "additional_info": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "application": {
- "Status": "Default",
+ "alert_id": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
- "Status": "Default",
- "core": "0",
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "privileges": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
}
}
- },
- "endpoint-login": {
+ }
+ }
+ },
+ "cybereason xdr": {
+ "expression": "product = cybereason xdr",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
"fields": {
- "event_code": {
- "Status": "Default",
+ "action": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "category": {
- "Status": "Default",
+ "additional_info": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "severity": {
- "Status": "Default",
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "event_name": {
- "Status": "Default",
+ "domain": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "additional_info": {
- "Status": "Default",
+ "threat_type": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "admin_interface": {
- "Status": "Default",
+ "user": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
}
}
- },
- "configuration-modify": {
+ }
+ }
+ },
+ "blackberry protect": {
+ "expression": "product = blackberry protect",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
"fields": {
- "user": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
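Review bot: the new `expression` values drop the quoting the replaced entries used, e.g. `"expression": "product = amazon aws guardduty"` against the removed `"expression": "product = \"ping identity\""`; a multi-word value with spaces (and, for the two Cisco AMP entries, parentheses) is unlikely to parse as one string literal in the same expression grammar, so either quote the value or confirm the parser accepts bare multi-word values. The product key `centrylink adaptive threat intelligence` also looks like a misspelling of `centurylink`; as written neither the key nor its expression will match events tagged with the vendor's actual name.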
@@ -29630,614 +40763,492 @@
"detection": "0",
"informational": "0"
},
- "additional_info": {
- "core": "0",
+ "file_name": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "0",
"informational": "0"
},
- "admin_interface": {
+ "malware_url": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "event_code": {
+ "hash_md5": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "severity": {
+ "result": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "operation": {
+ "process_dir": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "event_name": {
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "object": {
+ "hash_sha256": {
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- },
- "vpn-login": {
- "fields": {
- "dest_host": {
- "Status": "Default",
- "core": "0",
+ },
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "src_translated_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
},
- "dest_ip": {
- "Status": "Default",
+ "user": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "session_id": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "event_name": {
- "Status": "Default",
+ "device_id": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "operating_system": {
- "Status": "Default",
+ "device_type": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "operating_system_version": {
- "Status": "Default",
+ "file_dir": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "realm": {
- "Status": "Default",
+ "file_path": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "badge_id": {
- "Status": "Default",
+ "hash_type": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "event_code": {
- "Status": "Default",
+ "old_hash": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "vpn-logout": {
- "fields": {
- "src_translated_ip": {
+ "informational": "0"
+ },
+ "alert_id": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "dest_host": {
+ "file_hash": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_ip": {
+ "file_ext": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "bytes_in": {
+ "name_at": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "bytes_out": {
- "Status": "Legacy",
+ "process_id": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "session_duration": {
+ "process_path": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "additional_info": {
+ "hash_sha256_at": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "group_name": {
"core": "0",
"detection": "0",
"informational": "0"
}
}
- }
- }
- },
- "google virtual private cloud": {
- "expression": "product = \"google virtual private cloud\"",
- "fields": {
- "bytes_out": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "packets": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dest_host": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_host": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "reporter": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "network-traffic": {
- "fields": {}
- }
- }
- },
- "ruckus": {
- "expression": "product = \"ruckus\"",
- "fields": {
- "src_mac": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_host": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "wifiap": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "ssid": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "endpoint-authentication": {
- "fields": {}
- }
- }
- },
- "portnox clear": {
- "expression": "product = \"portnox clear\"",
- "fields": {
- "event_code": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "event_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dest_ip": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "auth_method": {
- "core": "0",
- "detection": "0",
- "informational": "1"
},
- "policy": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "endpoint-policy-verify": {
+ "app-activity": {
"fields": {
- "user": {
+ "object": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "login_type": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "domain": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
- },
- "endpoint-authentication": {
- "fields": {}
}
}
},
- "cyberark privileged session manager": {
- "expression": "product = \"cyberark psm\"",
+ "damballa failsafe": {
+ "expression": "product = damballa failsafe",
"fields": {},
"activity_type": {
- "app-login": {
+ "alert-trigger": {
"fields": {
- "event_code": {
- "Status": "Default",
+ "alert_id": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
- "Status": "Default",
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "protocol": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
},
- "url": {
- "Status": "Default",
+ "event_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "event_subtype": {
- "Status": "Default",
+ "malware_url": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "user-password-read": {
- "fields": {
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "0",
"informational": "0"
},
- "domain": {
+ "src_host": {
"Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
},
- "event_code": {
+ "src_ip": {
"Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
}
}
- },
- "app-activity": {
+ }
+ }
+ },
+ "darktrace enterprise immune system": {
+ "expression": "product = darktrace enterprise immune system",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
"fields": {
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "app_group": {
- "Status": "Default",
+ "alert_id": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_subtype": {
- "Status": "Default",
+ "category_id": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "additional_info": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
}
}
}
}
},
- "sterling b2b integrator": {
- "expression": "product = \"Sterling B2B Integrator\"",
- "fields": {
- "sub_category": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "object": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "description": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "user_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "group-member-add": {
- "fields": {}
- },
- "group-member-remove": {
- "fields": {}
- }
- }
- },
- "guardium": {
- "expression": "product =\"guardium\"",
- "fields": {
- "user": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "process_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "service_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "db_object": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "sql_count": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "database-activity": {
- "fields": {}
- }
- }
- },
- "ibm db2": {
- "expression": "product = ibm db2",
- "fields": {
- "category": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_host": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
+ "elastic endpoint security": {
+ "expression": "product = elastic endpoint security",
+ "fields": {},
"activity_type": {
- "database-login": {
+ "alert-trigger": {
"fields": {
- "operation": {
- "Status": "Default",
+ "alert_id": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_command_line": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "event_name_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "object": {
- "Status": "Default",
+ "file_name": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "hash_md5": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "process_name": {
- "Status": "Default",
+ "opcode": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "additional_info": {
- "Status": "Default",
+ "os": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "db_user": {
- "Status": "Default",
+ "parent_process": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "db_name": {
- "Status": "Default",
+ "parent_process_path": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "event_name": {
- "Status": "Default",
+ "process_id": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "src_ip": {
- "Status": "Default",
+ "process": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "process_dir": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "authentication_type": {
- "Status": "Default",
+ "rule_id": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "db_schema": {
- "Status": "Default",
+ "hash_sha256": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "event_code": {
- "Status": "Default",
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
+ },
+ "user_sid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
}
}
- },
- "database-modify": {
+ }
+ }
+ },
+ "fortinet fortiedr": {
+ "expression": "product = fortinet fortiedr",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
"fields": {
- "db_user": {
+ "alert_id": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "db_name": {
+ "category": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "event_name": {
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_ip": {
- "Status": "Legacy",
+ "event_name_code": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "authentication_type": {
+ "result": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "db_schema": {
+ "process": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "event_code": {
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "object": {
+ "process_type": {
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- },
- "file-read": {
- "fields": {
- "operation": {
+ },
+ "rule_count": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process_name": {
+ "src_host": {
"Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
},
- "additional_info": {
+ "src_mac": {
"core": "0",
"detection": "0",
"informational": "0"
},
"user": {
"Status": "Legacy",
- "core": "1",
+ "core": "0",
"detection": "1",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
- },
+ }
+ }
+ },
+ "eset protect": {
+ "expression": "product = eset protect",
+ "fields": {},
+ "activity_type": {
"alert-trigger": {
"fields": {
+ "action": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
"additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "alert_id": {
- "Status": "Legacy",
+ "circumstances": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
"dest_host": {
"Status": "Legacy",
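Review bot: The new `expression` values drop the quoting that the removed entries used: `"expression": "product = fortinet fortiedr"` and `"expression": "product = eset protect"` are unquoted multi-word values, whereas the entries this diff removes elsewhere (for example `"expression": "product = \"hcl notes\""`) quote any product name containing spaces. If the expression parser treats whitespace as a token separator, `product = fortinet fortiedr` will not match the intended product; either quote these values or confirm the parser accepts bare multi-word literals. Two smaller points in the same region: the `"fortinet fortiedr"` block is inserted ahead of `"eset protect"` even though the surrounding keys are in alphabetical order (it belongs next to `"fortinet fortigate ngfw"`), and this region introduces a new per-field key, `"enriched": "1"`, on `domain_user_name` that no other field carries; consumers that iterate field flags should treat a missing `enriched` key as `"0"`, and that default is worth documenting alongside `core`/`detection`/`informational`.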
@@ -30251,12 +41262,48 @@
"detection": "1",
"informational": "0"
},
+ "domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "engine_version": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "firstseen": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
"malware_url": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "result": {
+ "more_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "object_type": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "process": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "process_name": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "hash_sha256": {
"core": "0",
"detection": "0",
"informational": "0"
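Review bot: Field naming is inconsistent in the new `eset protect` block: `"firstseen": {` breaks the snake_case convention used by every neighbouring field (`engine_version`, `object_type`, `more_info`, `hash_sha256`). Rename to `first_seen` unless the name must match a source field verbatim, in which case a comment or mapping note would help the next reader.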
@@ -30267,33 +41314,83 @@
"detection": "1",
"informational": "0"
},
+ "threat_type": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "threat_handled": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
"user": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "hcl notes": {
- "expression": "product = \"hcl notes\"",
+ "extrahop reveal(x) 360": {
+ "expression": "product = extrahop reveal(x) 360",
"fields": {},
"activity_type": {
- "network-session": {
+ "alert-trigger": {
"fields": {
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
"dest_host": {
- "Status": "Default",
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- },
- "database-modify": {
- "fields": {
- "db_name": {
+ },
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "query": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "result": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "sub_domain": {
"core": "0",
"detection": "0",
"informational": "0"
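Review bot: `"expression": "product = extrahop reveal(x) 360"` puts parentheses and a space inside an unquoted expression value. Unless the expression grammar is known to accept `(` and `)` as literal characters, this is the entry most likely to fail to parse; quoting the value as the removed entries did (`product = \"...\"`) avoids the question. The same concern applies to the four `fireeye (trellix) ...` expressions added later in this diff.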
@@ -30302,395 +41399,353 @@
}
}
},
- "ibm resource access control facility": {
- "expression": "product = \"ibm racf\"",
- "fields": {
- "dest_ip": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "db_user": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "user": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "object": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
+ "f-secure elements": {
+ "expression": "product = f-secure elements",
+ "fields": {},
"activity_type": {
- "database-activity": {
+ "alert-trigger": {
"fields": {
- "event_name": {
- "Status": "Default",
+ "additional_info": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "command": {
- "Status": "Default",
+ "domain": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "app-login": {
- "fields": {
- "dest_host": {
- "Status": "Default",
+ "informational": "0"
+ },
+ "malware_url": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
"src_host": {
- "Status": "Default",
- "core": "0",
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "user_id": {
- "Status": "Default",
+ "threat_type": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "process_name": {
- "Status": "Default",
+ "user": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "group_name": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
- },
- "terminal": {
- "Status": "Default",
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
+ }
+ }
+ },
+ "fidelis cybersecurity elevate": {
+ "expression": "product = fidelis cybersecurity elevate",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
+ "fields": {
+ "additional_info": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "operation": {
- "Status": "Default",
+ "alert_id": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "environment": {
- "Status": "Default",
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "manager_name": {
- "Status": "Default",
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_port": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "malware_url": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "manager": {
- "Status": "Default",
+ "process_name": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_port": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "identifier": {
- "Status": "Default",
+ "tag": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "alert_type": {
- "Status": "Default",
+ "email_address": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
}
}
- },
- "app-activity": {
+ }
+ }
+ },
+ "fireeye (trellix) email security (ex)": {
+ "expression": "product = fireeye (trellix) email security (ex)",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
"fields": {
- "terminal": {
- "Status": "Default",
+ "action": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "environment": {
- "Status": "Default",
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "user_id": {
- "Status": "Default",
- "core": "0",
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "file_name": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_user": {
- "Status": "Default",
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "domain": {
- "Status": "Default",
+ "email_address": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
+ }
+ }
+ }
+ }
+ },
+ "fireeye (trellix) helix": {
+ "expression": "product = fireeye (trellix) helix",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
+ "fields": {
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
},
- "src_host": {
- "Status": "Default",
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "event_code": {
- "Status": "Default",
- "core": "0",
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "file_name": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "alert_type": {
- "Status": "Default",
+ "file_dir": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
- "Status": "Default",
+ "file_path": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "group_name": {
- "Status": "Default",
+ "malware_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "manager_name": {
- "Status": "Default",
+ "result": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "manager_email": {
- "Status": "Default",
+ "process": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_host": {
- "Status": "Default",
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "identifier": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "process_name": {
- "Status": "Default",
+ "user": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
}
}
}
}
},
- "microsoft 365 audit logs": {
- "expression": "product = \"m365 audit logs\"",
- "fields": {
- "user": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
+ "fireeye (trellix) endpoint security (hx)": {
+ "expression": "product = fireeye (trellix) endpoint security (hx)",
+ "fields": {},
"activity_type": {
- "app-login": {
+ "alert-trigger": {
"fields": {
- "src_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_host": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
"additional_info": {
- "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "location_city": {
- "Status": "Default",
+ "alert_id": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "location_state": {
- "Status": "Default",
+ "dest_user": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "result_code": {
- "Status": "Default",
+ "domain": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "location_country": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "user-modify": {
- "fields": {
- "src_ip": {
+ "dest_domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
- }
- }
- },
- "group-create": {
- "fields": {
- "src_ip": {
+ "informational": "0",
+ "enriched": "1"
+ },
+ "file_ext": {
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- },
- "group-delete": {
- "fields": {
- "src_ip": {
- "core": "0",
- "detection": "0",
+ },
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
"informational": "0"
- }
- }
- },
- "policy-create": {
- "fields": {
+ },
"src_ip": {
- "Status": "Default",
- "core": "0",
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
- }
- }
- },
- "policy-modify": {
- "fields": {
- "src_ip": {
- "Status": "Default",
+ },
+ "user": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- },
- "policy-delete": {
- "fields": {
- "src_ip": {
- "Status": "Default",
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "email_address": {
"core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
- }
- }
- },
- "policy-read": {
- "fields": {
- "src_ip": {
- "Status": "Default",
+ },
+ "dest_port": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- },
- "app-activity": {
- "fields": {
- "src_ip": {
- "Status": "Default",
+ },
+ "process": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
- }
- }
- },
- "share_link-open": {
- "fields": {}
- },
- "file-download": {
- "fields": {}
- }
- }
- },
- "skyhigh networks casb": {
- "expression": "product = \"skyhigh networks casb\"",
- "fields": {},
- "activity_type": {
- "app-activity": {
- "fields": {
- "user": {
- "Status": "Default",
+ },
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "domain": {
- "Status": "Default",
+ "protocol": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "object": {
- "Status": "Default",
+ "src_port": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
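Review bot: This hunk deletes three complete product mappings, `"ibm resource access control facility"`, `"microsoft 365 audit logs"` and `"skyhigh networks casb"`, each of which carried several activity types beyond `alert-trigger` (`database-activity`, `app-login`, `user-modify`, `group-create`, `policy-*`, `share_link-open`, `file-download`). The diff pairs their `-` lines with unrelated `+` entries, so it is not possible to tell from this hunk whether those products were moved elsewhere in the file or dropped; please confirm in the description, since losing the m365 audit-log and RACF mappings silently removes identity and mainframe audit coverage. A minor ordering point: within the new `fireeye (trellix)` entries, `helix` is placed before `endpoint security (hx)`, which breaks the alphabetical order the rest of the file keeps.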
@@ -30699,252 +41754,142 @@
}
}
},
- "microsoft cas": {
- "expression": "product = \"microsoft cas\"",
- "fields": {
- "src_ip": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "user": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "user_agent": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
+ "fireeye (trellix) network security (nx)": {
+ "expression": "product = fireeye (trellix) network security (nx)",
+ "fields": {},
"activity_type": {
- "app-activity": {
+ "alert-trigger": {
"fields": {
- "dest_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "object": {
- "Status": "Default",
+ "action": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "access": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "file-read": {
- "fields": {
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- }
- }
- },
- "group-member-add": {
- "fields": {
- "operation": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- },
- "user-role-assign": {
- "fields": {
- "operation": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "mailbox-permission-modify": {
- "fields": {
- "operation": {
- "Status": "Default",
+ },
+ "alert_id": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "group-modify": {
- "fields": {
- "operation": {
+ },
+ "malware_url": {
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- },
- "user-modify": {
- "fields": {
- "operation": {
+ },
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
- }
- }
- },
- "file-write": {
- "fields": {
- "operation": {
+ },
+ "src_user": {
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- },
- "email-create": {
- "fields": {
- "operation": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "mailbox-item-create": {
- "fields": {
- "operation": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "user-create": {
- "fields": {
- "operation": {
+ },
+ "user": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
- }
- }
- },
- "file-delete": {
- "fields": {
- "operation": {
+ },
+ "email_address": {
"core": "0",
"detection": "0",
"informational": "0"
}
}
+ }
+ }
+ },
+ "forcepoint casb": {
+ "expression": "product = \"forcepoint casb\"",
+ "fields": {
+ "user": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
},
- "email-delete": {
- "fields": {
- "operation": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
},
- "mailbox-item-delete": {
- "fields": {
- "operation": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
},
- "file-move": {
- "fields": {
- "operation": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
+ "user_agent": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
},
- "email-move": {
- "fields": {
- "operation": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
+ "dest_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
},
- "mailbox-item-move": {
- "fields": {
- "operation": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
},
- "group-member-remove": {
+ "result": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "alert-trigger": {
"fields": {
- "operation": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- },
- "file-rename": {
- "fields": {
- "operation": {
- "Status": "Default",
+ },
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "email-send": {
- "fields": {
- "operation": {
- "Status": "Default",
+ "informational": "0"
+ },
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "alert-trigger": {
- "fields": {
- "operation": {
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
}
}
},
- "email-modify": {
+ "app-login": {
"fields": {
- "operation": {
+ "privileges": {
"Status": "Default",
"core": "0",
"detection": "0",
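Review bot: Quoting is inconsistent within this single hunk: `"expression": "product = \"forcepoint casb\""` quotes its value while `"expression": "product = fireeye (trellix) network security (nx)"` a few lines above does not. Pick one form for the whole file so that a parser change cannot break half the entries. Separately, this hunk removes the entire `"microsoft cas"` mapping, including its `email-*`, `mailbox-item-*`, `group-member-*` and `user-role-assign` activity types, in exchange for a single `forcepoint casb` entry; as with the earlier hunk, confirm the Microsoft CAS mapping is re-added elsewhere rather than dropped.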
@@ -30952,9 +41897,15 @@
}
}
},
- "mailbox-item-modify": {
+ "app-activity": {
"fields": {
- "operation": {
+ "object": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "privileges": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -30964,66 +41915,81 @@
}
}
},
- "filesite": {
- "expression": "product = \"filesite\"",
+ "fortinet fortigate ngfw": {
+ "expression": "product = fortinet fortigate ngfw",
"fields": {},
"activity_type": {
- "app-activity": {
+ "alert-trigger": {
"fields": {
- "resource": {
- "Status": "Default",
+ "action": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_path": {
- "Status": "Default",
+ "additional_info": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "object": {
- "Status": "Default",
+ "alert_id": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_name": {
- "Status": "Default",
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_port": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "malware_file_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "additional_info": {
- "Status": "Default",
+ "malware_url": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_host": {
- "Status": "Default",
+ "protocol": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "user": {
- "Status": "Default",
- "core": "0",
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "file_dir": {
- "Status": "Default",
+ "src_port": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "user": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
}
}
}
}
},
- "abnormal inbound email protection": {
- "expression": "product = abnormal inbound email protection",
+ "gamma dlp": {
+ "expression": "product = gamma dlp",
"fields": {},
"activity_type": {
"alert-trigger": {
@@ -31039,38 +42005,93 @@
"detection": "0",
"informational": "1"
},
- "message_id": {
+ "app": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "result": {
+ "event_name_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "recipient": {
+ "email_address": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "recipients": {
+ "user_id": {
"core": "0",
"detection": "0",
"informational": "0"
+ }
+ }
+ }
+ }
+ },
+ "hornet security 365 total protection": {
+ "expression": "product = hornet security 365 total protection",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
+ "fields": {
+ "alert_id": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "sender": {
+ "email_attachments": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "dest_host": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
"Status": "Legacy",
"core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "direction": {
+ "core": "0",
"detection": "0",
"informational": "0"
},
- "email_subject": {
+ "domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "email_address": {
+ "recipient": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "sender": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "email_subject": {
"core": "0",
"detection": "0",
"informational": "0"
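Review bot: `"event_name_name": {` in the new `gamma dlp` block looks like a typo; the same schema uses `event_name_code` in the `fortinet fortiedr` and `kaspersky enterprise security` entries and the removed entries used `event_name`. If the intended field is one of those, normalise it here, otherwise a field that nothing else references will never be populated.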
@@ -31079,8 +42100,8 @@
}
}
},
- "absolute": {
- "expression": "product = absolute",
+ "ibm endpoint manager": {
+ "expression": "product = ibm endpoint manager",
"fields": {},
"activity_type": {
"alert-trigger": {
@@ -31101,13 +42122,47 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "malware_url": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "result": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "process_name": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
}
}
}
}
},
- "vmware airwatch": {
- "expression": "product = vmware airwatch",
+ "ibm sense": {
+ "expression": "product = ibm sense",
"fields": {},
"activity_type": {
"alert-trigger": {
@@ -31117,22 +42172,40 @@
"detection": "0",
"informational": "0"
},
- "device_name": {
+ "alert_id": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
"informational": "0"
},
- "event_name": {
+ "malware_url": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "failure_reason": {
+ "result": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "result": {
+ "process_name": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "sense_score": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "sense_value": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -31143,35 +42216,49 @@
"detection": "1",
"informational": "0"
},
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
"user": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "akamai technologies": {
- "expression": "product = akamai technologies",
+ "imperva data security": {
+ "expression": "product = imperva data security",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
- "category": {
+ "data": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "malware_url": {
- "core": "0",
- "detection": "0",
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
"informational": "0"
},
- "result": {
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
"src_ip": {
@@ -31180,33 +42267,60 @@
"detection": "1",
"informational": "0"
},
- "src_port": {
+ "user": {
"Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
}
}
}
}
},
- "assetview assetview": {
- "expression": "product = assetview assetview",
+ "Imperva Web application Firewall": {
+ "expression": "product = imperva web application firewall",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
- "asset_id": {
+ "email_attachments": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "usb_serial_number": {
+ "bytes": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "external_address": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "usb_vendor": {
+ "recipient": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "recipients": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "sender": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "email_subject": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "email_address": {
"core": "0",
"detection": "0",
"informational": "0"
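Review bot: The key `"Imperva Web application Firewall": {` is the only mixed-case product key in the file; every other key, and this entry's own `"expression": "product = imperva web application firewall"`, is lowercase. If product keys are looked up case-sensitively this entry will never be selected, so lowercase the key to match. The field set is also suspicious for a WAF: `email_attachments`, `recipient`, `recipients`, `sender`, `email_subject` and `email_address` are the same fields the `hornet security 365 total protection` and `inky anti-phishing` email entries carry, and there is no `dest_host`, `query` or `user_agent`; this reads like a copy-paste from an email-security mapping and should be checked against the actual Imperva alert fields.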
@@ -31215,46 +42329,8 @@
}
}
},
- "auth0": {
- "expression": "product = \"auth0\"",
- "fields": {
- "user": {
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "user_agent": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "user-password-modify": {
- "fields": {}
- },
- "app-login": {
- "fields": {}
- }
- }
- },
- "amazon aws guardduty": {
- "expression": "product = amazon aws guardduty",
+ "inky anti-phishing": {
+ "expression": "product = inky anti-phishing",
"fields": {},
"activity_type": {
"alert-trigger": {
@@ -31270,17 +42346,64 @@
"detection": "0",
"informational": "1"
},
- "application": {
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "malware_url": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_host": {
- "Status": "Legacy",
+ "recipient": {
"core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "sender": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
},
+ "email_subject": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "threat_level": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "email_address": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
+ }
+ }
+ },
+ "juniper networks srx gateway": {
+ "expression": "product = juniper networks srx gateway",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
+ "fields": {
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
"dest_ip": {
"Status": "Legacy",
"core": "1",
@@ -31293,7 +42416,7 @@
"detection": "1",
"informational": "0"
},
- "result": {
+ "malware_url": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -31304,6 +42427,11 @@
"detection": "1",
"informational": "0"
},
+ "src_network_zone": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
"src_port": {
"Status": "Legacy",
"core": "0",
@@ -31320,28 +42448,75 @@
}
}
},
- "bitdefender gravityzone": {
- "expression": "product = bitdefender gravityzone",
+ "juniper networks advanced threat prevention": {
+ "expression": "product = juniper networks advanced threat prevention",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
- "operation": {
+ "alert_id": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
+ "informational": "1"
+ },
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
"informational": "0"
},
- "bitdefender_operation_type": {
+ "file_name": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "malware_url": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "category": {
+ "process_name": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ }
+ }
+ },
+ "kaspersky enterprise security": {
+ "expression": "product = kaspersky enterprise security",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
+ "fields": {
+ "action": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "count": {
+ "alert_id": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "app": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -31349,62 +42524,143 @@
"dest_host": {
"Status": "Legacy",
"core": "0",
- "detection": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "event_name_code": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "file_ext": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "file_name": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "file_dir": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "result": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
+ }
+ }
+ },
+ "kaspersky endpoint security for business": {
+ "expression": "product = kaspersky endpoint security for business",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
+ "fields": {
+ "domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "malware_url": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "dest_ip": {
+ "src_host": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "detection_level": {
+ "user": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "domain": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
- "file_path": {
+ "action": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_type": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "url": {
+ "operation": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "last_blocked_time": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "malware_file_name": {
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "malware_url": {
- "core": "0",
- "detection": "0",
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
"informational": "0"
},
- "hash_md5": {
+ "device_ip": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "method": {
+ "device_type": {
"core": "0",
"detection": "0",
"informational": "0"
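Review bot: The flag vocabulary this hunk relies on (core, detection, informational, enriched, "Status": "Legacy") is used in only a handful of combinations and nothing in the patch says what they mean or which combinations are legal. In the kaspersky endpoint security for business alert-trigger block alone: src_host/src_ip/dest_ip are core=1,detection=1; user and dest_host are core=0,detection=1; action is Status: Legacy with informational=1; domain_user_name is all zeros plus enriched=1; and domain, malware_url, operation, additional_info, device_ip and device_type carry all three flags at 0 with no Status at all. A consumer cannot tell an all-zero field that is deliberately mapped-but-unused from a placeholder that was never filled in. Please add a short schema note (a README entry is enough) defining each flag and stating whether an all-zero field is valid, so later entries in this patch can be checked against a rule rather than against each other.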
@@ -31413,31 +42669,23 @@
"core": "0",
"detection": "0",
"informational": "0"
- },
- "protocol": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
+ }
+ }
+ },
+ "peripheral_storage-insert": {
+ "fields": {
"src_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "suid": {
"core": "0",
"detection": "0",
"informational": "0"
},
"user": {
"Status": "Legacy",
- "core": "0",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "email_address": {
+ "operation": {
"core": "0",
"detection": "0",
"informational": "0"
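Review bot: In peripheral_storage-insert, src_ip loses its "Status": "Legacy", core=1 and detection=1 lines and becomes an all-zero field (the five `-` lines under "src_ip"), while user gains core=1 (the `"core": "0"` to `"core": "1"` change). Both diverge from every other activity type in this patch, where src_ip is core=1/detection=1 and user is core=0/detection=1. If a peripheral-insert event genuinely has no source IP, drop the field rather than keeping it at all zeros; if user is meant to be the primary pivot for this activity type, say so in a schema note, otherwise restore core=0 so the user flags stay uniform across products.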
@@ -31446,8 +42694,8 @@
}
}
},
- "hp sure click enterprise": {
- "expression": "product = hp sure click enterprise",
+ "kemp virtual loadmaster load balancer": {
+ "expression": "product = kemp virtual loadmaster load balancer",
"fields": {},
"activity_type": {
"alert-trigger": {
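Review bot: The `-`/`+` pairing here ("hp sure click enterprise" replaced by "kemp virtual loadmaster load balancer", with identical surrounding structure) is not a rename; the file has been regenerated in a different order and the diff is lining up unrelated products. The same pattern repeats through the rest of the patch (centrylink, check point, cisco amp, contrast, crowdstrike, cyberark, cybereason, blackberry, damballa, darktrace, elastic, fortiedr, eset, extrahop, f-secure, f5 asm, fidelis, fireeye all appear as removed against a new microsoft/malwarebytes/lastline entry). That makes the real semantic changes impossible to review line by line. Please confirm in the PR description that every product shown as removed still exists elsewhere in the new file, and consider emitting the JSON with sorted keys (or attaching a key-level JSON diff) so future patches show actual adds/removes only.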
@@ -31462,44 +42710,39 @@
"detection": "0",
"informational": "0"
},
- "process": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "src_host": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
"src_ip": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
- },
- "user": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "email_address": {
- "core": "0",
- "detection": "0",
- "informational": "0"
}
}
}
}
},
- "centrylink adaptive threat intelligence": {
- "expression": "product = centrylink adaptive threat intelligence",
+ "lastline (vmware) lastline defender": {
+ "expression": "product = lastline (vmware) lastline defender",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "alert_id": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
"dest_ip": {
"Status": "Legacy",
"core": "1",
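Review bot: The new expression `product = lastline (vmware) lastline defender` puts parentheses and spaces on the right-hand side unquoted, and the same form is used later for `product = microsoft advanced threat analytics (ata)`; the entries being removed in this patch quoted multi-word values (`product = \"crowdstrike falcon\"`, `product = \"blackberry protect\"`). Unless the expression language treats everything after `=` as a literal, the parenthesised values will not parse or will match the wrong string. Please either quote these values consistently or state in the README which form the matcher expects. Separately, the kemp virtual loadmaster load balancer alert-trigger block keeps only src_ip (plus one field in unchanged context) after process, src_host, user and email_address are dropped; for a load balancer alert, dest_ip/dest_port would normally be the pivots, so please confirm this field set reflects what the product actually emits.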
@@ -31512,12 +42755,13 @@
"detection": "1",
"informational": "0"
},
- "event_category": {
+ "file_hash": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "priority": {
+ "hash_type": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -31528,61 +42772,56 @@
"detection": "1",
"informational": "0"
},
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
"src_ip": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "src_port": {
+ "user": {
"Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "check point endpoint security": {
- "expression": "product = check point endpoint security",
+ "malwarebytes endpoint protection": {
+ "expression": "product = malwarebytes endpoint protection",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
- "additional_info": {
+ "malware_url": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_host": {
- "Status": "Legacy",
+ "process": {
"core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "dest_port": {
+ "process_name": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "malware_file_name": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "malware_file_type": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
"src_host": {
"Status": "Legacy",
"core": "1",
@@ -31595,48 +42834,59 @@
"detection": "1",
"informational": "0"
},
- "src_port": {
+ "user": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "action": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
- "Status": "Legacy",
+ "additional_info": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "cisco advanced malware protection (amp) for networks": {
- "expression": "product = cisco advanced malware protection (amp) for networks",
+ "malwarebytes endpoint detection and response": {
+ "expression": "product = malwarebytes endpoint detection and response",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
- "additional_info": {
+ "malware_url": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "alert_id": {
- "Status": "Legacy",
+ "result": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_ip": {
+ "process_name": {
"Status": "Legacy",
- "core": "1",
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "malware_url": {
- "core": "0",
- "detection": "0",
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
"informational": "0"
},
"src_ip": {
@@ -31645,50 +42895,45 @@
"detection": "1",
"informational": "0"
},
+ "src_mac": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
"user": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "cisco advanced malware protection (amp) for endpoints": {
- "expression": "product = cisco advanced malware protection (amp) for endpoints",
+ "mcafee (trellix) endpoint security": {
+ "expression": "product = mcafee (trellix) endpoint security",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
- "action": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
"additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "category": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "connector_guid": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
"dest_ip": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "domain": {
+ "file_ext": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -31699,13 +42944,7 @@
"detection": "0",
"informational": "0"
},
- "file_path": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_mac": {
+ "malware_file_name": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -31720,29 +42959,25 @@
"detection": "0",
"informational": "0"
},
- "result": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "process": {
+ "os": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "product_name": {
+ "result": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "hash_sha1": {
+ "process": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "hash_sha256": {
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
"src_host": {
@@ -31751,10 +42986,9 @@
"detection": "1",
"informational": "0"
},
- "src_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "threat_type": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
"user": {
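Review bot: src_ip is removed from the mcafee (trellix) endpoint security entry (the `- "src_ip"` block with Status: Legacy, core=1, detection=1 is replaced by `+ "threat_type"` at all zeros), while dest_ip stays at core=1/detection=1 in the same entry. For an endpoint product the source host address is the main pivot, and every other endpoint entry in this patch keeps src_ip directly under src_host. Unless McAfee ES events truly carry no source address, restore src_ip with its Legacy/core/detection flags and add threat_type as an additional field rather than a replacement.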
@@ -31763,17 +42997,18 @@
"detection": "1",
"informational": "0"
},
- "email_address": {
+ "local_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "contrast security secure code platform": {
- "expression": "product = contrast security secure code platform",
+ "microsoft advanced threat protection": {
+ "expression": "product = microsoft advanced threat protection",
"fields": {},
"activity_type": {
"alert-trigger": {
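Review bot: The new product key "microsoft advanced threat protection" has no qualifier, and the same patch also adds "microsoft defender advanced threat protection" and "microsoft azure advanced threat protection" with different field sets (this entry carries service_name and local_user_name; the other two carry dest_ip, file_name, domain_user_name, email_address, full_name, user_upn). Since the expression is an exact `product = ...` match, an event tagged with the unqualified name will be normalized differently from the same product under its full name. Please document which product (or alias) the unqualified key is meant to catch, or fold it into the entry it duplicates.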
@@ -31783,6 +43018,12 @@
"detection": "0",
"informational": "0"
},
+ "alert_id": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
"malware_url": {
"core": "0",
"detection": "0",
@@ -31793,9 +43034,14 @@
"detection": "0",
"informational": "0"
},
- "process_name": {
- "Status": "Legacy",
+ "service_name": {
"core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
},
@@ -31805,18 +43051,24 @@
"detection": "1",
"informational": "0"
},
- "src_port": {
+ "user": {
"Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "crowdstrike falcon": {
- "expression": "product = \"crowdstrike falcon\"",
+ "microsoft azure active directory identity protection": {
+ "expression": "product = microsoft azure active directory identity protection",
"fields": {},
"activity_type": {
"alert-trigger": {
@@ -31826,78 +43078,66 @@
"detection": "0",
"informational": "0"
},
- "aid": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "application": {
+ "alert_id": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "event_code": {
+ "domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "file_ext": {
+ "location": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "file_name": {
- "Status": "Legacy",
- "core": "1",
- "detection": "0",
- "informational": "0"
- },
- "file_path": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "file_dir": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_host": {
+ "src_ip": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "src_ip": {
+ "user": {
"Status": "Legacy",
- "core": "1",
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "target": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
- "user": {
- "Status": "Legacy",
+ "email_address": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "new_hash": {
+ "full_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "old_hash": {
+ "user_upn": {
"core": "0",
"detection": "0",
"informational": "0"
- },
- "operating_system": {
+ }
+ }
+ }
+ }
+ },
+ "microsoft defender advanced threat protection": {
+ "expression": "product = microsoft defender advanced threat protection",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
+ "fields": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -31908,99 +43148,135 @@
"detection": "0",
"informational": "1"
},
- "bytes": {
+ "dest_ip": {
"Status": "Legacy",
- "core": "0",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "process_command_line": {
+ "domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_host": {
+ "file_name": {
"Status": "Legacy",
- "core": "0",
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "dest_ip": {
+ "src_ip": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "dest_port": {
+ "user": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "event_name": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
- "falcon_host_link": {
+ "email_address": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "image_file_name": {
+ "full_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "hash_md5": {
+ "user_upn": {
"core": "0",
"detection": "0",
"informational": "0"
- },
- "parent_process_guid": {
+ }
+ }
+ }
+ }
+ },
+ "microsoft azure advanced threat protection": {
+ "expression": "product = microsoft azure advanced threat protection",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
+ "fields": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process_id": {
+ "alert_id": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "process_path": {
+ "dest_ip": {
"Status": "Legacy",
- "core": "0",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "process_guid": {
+ "domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process_name": {
+ "file_name": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "sensor_id": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
- "hash_sha256": {
+ "email_address": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_port": {
- "Status": "Legacy",
+ "full_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "user_sid": {
+ "user_upn": {
"core": "0",
"detection": "0",
"informational": "0"
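Review bot: The "microsoft defender advanced threat protection" and "microsoft azure advanced threat protection" blocks added in this hunk have byte-for-byte identical field lists (additional_info, alert_id, dest_ip, domain, file_name, src_host, src_ip, user, domain_user_name, email_address, full_name, user_upn with the same flags). That looks like a copy rather than a per-product mapping: Azure ATP is an identity/domain-controller monitoring product, yet its only core=1/detection=0 field is file_name, which is the endpoint product's primary pivot. Please confirm the Azure ATP field set was derived from its own alert schema, and if both entries are intentionally the same, note that in the PR so the duplication is not "fixed" later.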
@@ -32009,8 +43285,8 @@
}
}
},
- "cyberark privileged access manager": {
- "expression": "product = cyberark privileged access manager",
+ "microsoft cloud app security": {
+ "expression": "product = microsoft cloud app security",
"fields": {},
"activity_type": {
"alert-trigger": {
@@ -32032,6 +43308,17 @@
"detection": "1",
"informational": "0"
},
+ "domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "file_name": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
"src_host": {
"Status": "Legacy",
"core": "1",
@@ -32043,86 +43330,53 @@
"core": "1",
"detection": "1",
"informational": "0"
- }
- }
- }
- }
- },
- "cybereason xdr": {
- "expression": "product = cybereason xdr",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
- "fields": {
- "action": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "0"
},
- "dest_host": {
+ "user": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "domain": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
- "threat_type": {
+ "email_address": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- }
- }
- },
- "blackberry protect": {
- "expression": "product = \"blackberry protect\"",
- "fields": {},
- "activity_type": {
- "app-activity": {
- "fields": {
- "object": {
- "Status": "Default",
+ "full_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "login_type": {
- "Status": "Default",
+ "user_upn": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "src_ip": {
- "Status": "Default",
+ "hash_sha1": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "additional_info": {
- "Status": "Default",
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
}
}
- },
+ }
+ }
+ },
+ "microsoft azure security center": {
+ "expression": "product = microsoft azure security center",
+ "fields": {},
+ "activity_type": {
"alert-trigger": {
"fields": {
"additional_info": {
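Review bot: In the microsoft cloud app security entry, hash_sha1 and process_name are appended after the user-enrichment group (domain_user_name, email_address, full_name, user_upn), which breaks the ordering every other entry in this patch follows (source fields first, enrichment fields last); move them up beside file_name and src_host so the generator output stays diffable. Also, this hunk removes the only app-activity activity type and the only `"Status": "Default"` values in this region (the blackberry protect block). Default and Legacy appear to carry different meaning, so please confirm that block is relocated rather than dropped, and that the Default status value is still in use somewhere in the new file.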
@@ -32130,17 +43384,13 @@
"detection": "0",
"informational": "0"
},
- "device_id": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "device_type": {
+ "alert_id": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "src_host": {
+ "dest_ip": {
"Status": "Legacy",
"core": "1",
"detection": "1",
@@ -32157,26 +43407,16 @@
"detection": "0",
"informational": "0"
},
- "file_dir": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "file_path": {
+ "src_host": {
"Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "hash_type": {
- "core": "0",
- "detection": "0",
+ "core": "1",
+ "detection": "1",
"informational": "0"
},
- "old_hash": {
- "core": "0",
- "detection": "0",
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
"informational": "0"
},
"user": {
@@ -32185,80 +43425,75 @@
"detection": "1",
"informational": "0"
},
- "alert_id": {
- "Status": "Legacy",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "file_hash": {
- "Status": "Legacy",
+ "email_address": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "file_ext": {
+ "full_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "name_at": {
+ "user_upn": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "result": {
+ "db_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process_id": {
+ "server_group": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process_path": {
- "Status": "Legacy",
+ "email_user": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "process_name": {
+ "dest_host": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "process_dir": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "hash_sha256": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "hash_sha256_at": {
+ "dest_port": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "group_name": {
+ "src_port": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
}
}
}
}
},
- "damballa failsafe": {
- "expression": "product = damballa failsafe",
+ "microsoft advanced threat analytics (ata)": {
+ "expression": "product = microsoft advanced threat analytics (ata)",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
"alert_id": {
"Status": "Legacy",
"core": "0",
@@ -32277,12 +43512,12 @@
"detection": "1",
"informational": "0"
},
- "event_name": {
+ "malware_url": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "malware_url": {
+ "service_name": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -32298,56 +43533,50 @@
"core": "1",
"detection": "1",
"informational": "0"
- }
- }
- }
- }
- },
- "darktrace enterprise immune system": {
- "expression": "product = darktrace enterprise immune system",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
- "fields": {
- "alert_id": {
+ },
+ "user": {
"Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "category_id": {
+ "first_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "src_host": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "last_name": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "src_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "elastic endpoint security": {
- "expression": "product = elastic endpoint security",
+ "microsoft azure": {
+ "expression": "product = microsoft azure",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
+ "action": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
"alert_id": {
"Status": "Legacy",
"core": "0",
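Review bot: The enriched user-name field in the microsoft advanced threat analytics (ata) entry is local_user_name, while the other Microsoft entries in this patch (azure ad identity protection, defender atp, azure atp, cloud app security, azure security center) use domain_user_name; lastline, malwarebytes and mcafee also use local_user_name. No rule for choosing between the two is stated anywhere in the patch, and for ATA, which monitors Active Directory domain controllers, the local variant looks wrong. Please either switch this entry to domain_user_name or document the selection rule. A smaller point: this entry adds first_name and last_name where the other Microsoft entries use full_name; pick one representation.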
@@ -32359,97 +43588,156 @@
"detection": "0",
"informational": "0"
},
+ "dns_domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
"domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "event_name_name": {
+ "domain_join": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "file_name": {
- "Status": "Legacy",
- "core": "1",
+ "end_time": {
+ "core": "0",
"detection": "0",
"informational": "0"
},
- "hash_md5": {
+ "is_incident": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "opcode": {
+ "login_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "operating_system": {
+ "malware_url": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "parent_process": {
+ "nt_domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "parent_process_path": {
+ "process": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process_id": {
+ "process_name": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "processing_end_time": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process": {
+ "remediation_steps": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process_directory": {
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "start_time": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process_name": {
+ "user": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "rule_id": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
- "hash_sha256": {
+ "user_sid": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_host": {
+ "dest_host": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
+ "dest_port": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "event_hub_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "event_hub_namespace": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "url": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "object": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
"src_ip": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "user": {
+ "src_port": {
"Status": "Legacy",
"core": "0",
- "detection": "1",
+ "detection": "0",
+ "informational": "1"
+ },
+ "email_address": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "user_sid": {
+ "full_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "user_upn": {
"core": "0",
"detection": "0",
"informational": "0"
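Review bot: The "microsoft azure" alert-trigger block added here carries alert-level fields (is_incident, remediation_steps, processing_end_time, start_time, end_time) together with event_hub_name/event_hub_namespace, while this same patch adds separate "microsoft azure security center" and "microsoft azure eventhub" entries with different field sets. A security alert delivered through an Event Hub could plausibly match any of the three `product = ...` expressions and will be normalized differently depending on which tag the collector assigns. Please state in the README which product value each ingestion path sets, or merge the overlapping alert fields into one entry so there is a single mapping for that alert type.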
@@ -32458,61 +43746,69 @@
}
}
},
- "fortinet fortiedr": {
- "expression": "product = fortinet fortiedr",
+ "microsoft azure eventhub": {
+ "expression": "product = microsoft azure eventhub",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
"alert_id": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "category": {
+ "app": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "azure_category": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "domain": {
+ "azure_resource_type": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "event_name_code": {
+ "domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "result": {
+ "event_name_hub_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process": {
+ "event_name_hub_namespace": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process_name": {
- "Status": "Legacy",
+ "last_known_ip": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "process_type": {
+ "object": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "rule_count": {
+ "result": {
"core": "0",
"detection": "0",
"informational": "0"
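Review bot: The microsoft azure eventhub entry names its fields event_name_hub_name and event_name_hub_namespace, while the "microsoft azure" entry in the previous hunk uses event_hub_name and event_hub_namespace for what is evidently the same pair of values. The event_name_ prefix is the older convention in this file (the removed elastic and fortiedr blocks had event_name_name and event_name_code, and the new microsoft windows entry keeps that form), but two spellings for one concept will split searches across products. Pick one name and apply it to both Azure entries.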
@@ -32523,9 +43819,10 @@
"detection": "1",
"informational": "0"
},
- "src_mac": {
- "core": "0",
- "detection": "0",
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
"informational": "0"
},
"user": {
@@ -32533,13 +43830,29 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "email_address": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "user_upn": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
}
}
}
}
},
- "eset protect": {
- "expression": "product = eset protect",
+ "microsoft graph": {
+ "expression": "product = microsoft graph",
"fields": {},
"activity_type": {
"alert-trigger": {
@@ -32550,71 +43863,60 @@
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "operation": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "circumstances": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_host": {
+ "alert_id": {
"Status": "Legacy",
"core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "domain": {
+ "app": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "engine_version": {
+ "country": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "firstseen": {
+ "email_domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "malware_url": {
+ "city": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "more_info": {
+ "state": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "object_type": {
+ "more_info": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process": {
+ "result": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process_name": {
+ "sender": {
"Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "hash_sha256": {
- "core": "0",
+ "core": "1",
"detection": "0",
"informational": "0"
},
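Review bot: In the microsoft graph entry, sender is given "Status": "Legacy" with core=1 and detection=0, a combination this patch otherwise reserves for file_name. Graph security alerts cover far more than mail, so for every non-mail alert the one core=1 field in this mapping will be empty; please confirm that is intended or move core=1 to the user field. Also, more_info and additional_info both appear in this block with identical all-zero flags; document the difference or merge them.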
@@ -32624,12 +43926,17 @@
"detection": "1",
"informational": "0"
},
+ "email_subject": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
"threat_type": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "threat_handled": {
+ "token_issuer_type": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -32639,13 +43946,28 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "user_agent": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "email_address": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "full_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
}
}
}
}
},
- "extrahop reveal(x) 360": {
- "expression": "product = extrahop reveal(x) 360",
+ "microsoft office 365": {
+ "expression": "product = microsoft office 365",
"fields": {},
"activity_type": {
"alert-trigger": {
@@ -32655,6 +43977,12 @@
"detection": "0",
"informational": "0"
},
+ "alert_id": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
"dest_host": {
"Status": "Legacy",
"core": "0",
@@ -32672,65 +44000,106 @@
"detection": "0",
"informational": "0"
},
- "query": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
"src_host": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "src_ip": {
+ "user": {
"Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "result": {
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "sub_domain": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "f-secure elements": {
- "expression": "product = f-secure elements",
+ "microsoft windows": {
+ "expression": "product = microsoft windows",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
+ "operation_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
"additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
},
+ "auth_process": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
"domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
+ "event_name_code": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "event_name_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "login_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
"malware_url": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_host": {
+ "hash_md5": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "result": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "process_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "process_name": {
"Status": "Legacy",
- "core": "1",
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "threat_type": {
+ "provider_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "event_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "threat_id": {
"core": "0",
"detection": "0",
"informational": "0"
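Review bot: The microsoft office 365 entry replaces src_ip (the `- "src_ip"` block with core=1/detection=1) with user and adds domain_user_name, leaving no source address field visible in the entry; every other product in this patch keeps src_ip as a core/detection field, so unless Office 365 alerts never carry a client address, restore it. In the microsoft windows entry that follows, event_id and event_name_code are both present at all zeros, so it is unclear which one carries the Windows event identifier, and logon-style fields (auth_process, login_id, user_sid) sit beside antivirus-style fields (threat_id, malware_url, hash_md5) even though a separate "microsoft defender antivirus" entry is added later in this patch. Please document which event sources the "microsoft windows" product value is expected to cover.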
@@ -32740,46 +44109,69 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "user_sid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "f5 application security manager (asm)": {
- "expression": "product = f5 application security manager (asm)",
+ "microsoft applocker": {
+ "expression": "product = microsoft applocker",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
- "additional_info": {
+ "result": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_host": {
- "Status": "Legacy",
+ "domain": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "dest_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "error_code": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "dest_port": {
- "Status": "Legacy",
+ "execution_status": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "result": {
+ "malicious_file_count": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "malware_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "malware_url": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "process": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "protocol": {
+ "process_name": {
"Status": "Legacy",
"core": "0",
"detection": "1",
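Review bot: The field set added for "microsoft applocker" (malicious_file_count, malware_id, malware_url, threat_id, threat_type, execution_status, error_code, version) reads like an antivirus alert schema rather than an application-control one, and the very next entry in this patch is "microsoft defender antivirus" with overlapping names. AppLocker events describe an allowed or blocked executable, script or installer, not a detected threat. Please confirm this block was derived from actual AppLocker event fields and was not populated from the Defender template by mistake.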
@@ -32791,34 +44183,42 @@
"detection": "1",
"informational": "0"
},
- "src_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "threat_type": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "src_port": {
- "Status": "Legacy",
+ "threat_id": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "user": {
- "Status": "Legacy",
+ "user_id": {
"core": "0",
- "detection": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "version": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
}
}
}
}
},
- "fidelis cybersecurity elevate": {
- "expression": "product = fidelis cybersecurity elevate",
+ "microsoft defender antivirus": {
+ "expression": "product = microsoft defender antivirus",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
+ "action": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
"additional_info": {
"core": "0",
"detection": "0",
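Review bot: This hunk deletes "f5 application security manager (asm)" and "fidelis cybersecurity elevate" while inserting "microsoft applocker" and "microsoft defender antivirus" in their place, and the hunk headers jump from roughly line 32,800 to 44,200, so the file looks reordered or regenerated and the diff is pairing unrelated products. Please state in the change description whether the products that appear only with a minus sign in this section (the f5, fidelis, fireeye/trellix, forcepoint, fortinet, gamma, hornet, ibm, imperva, inky, juniper, kaspersky, kemp, lastline, malwarebytes, mcafee and microsoft atp entries) are relocated or intentionally dropped; a key-sorted, generated file would make that reviewable at a glance. Minor style point on the added "action" object: it repeats the capitalised "Status" key next to the lowercase weight keys, so if the format is being extended anyway this is the moment to settle on one casing.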
@@ -32836,23 +44236,37 @@
"detection": "1",
"informational": "0"
},
- "dest_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "domain": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "dest_port": {
+ "file_path": {
"Status": "Legacy",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
"malware_url": {
"core": "0",
"detection": "0",
"informational": "0"
},
+ "result": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "process": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "process_dir": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
"process_name": {
"Status": "Legacy",
"core": "0",
@@ -32871,54 +44285,47 @@
"detection": "1",
"informational": "0"
},
- "src_port": {
+ "user": {
"Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
- },
- "tag": {
- "core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "email_address": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "fireeye (trellix) email security (ex)": {
- "expression": "product = fireeye (trellix) email security (ex)",
+ "ivanti mobileiron": {
+ "expression": "product = ivanti mobileiron",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
- "action": {
- "Status": "Legacy",
+ "additional_info": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_host": {
- "Status": "Legacy",
+ "domain": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "dest_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "malware_url": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "file_name": {
+ "src_host": {
"Status": "Legacy",
"core": "1",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
"src_ip": {
@@ -32933,17 +44340,18 @@
"detection": "1",
"informational": "0"
},
- "email_address": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "fireeye (trellix) helix": {
- "expression": "product = fireeye (trellix) helix",
+ "morphisec guard": {
+ "expression": "product = morphisec guard",
"fields": {},
"activity_type": {
"alert-trigger": {
@@ -32953,54 +44361,73 @@
"detection": "0",
"informational": "0"
},
- "dest_host": {
+ "dest_ip": {
"Status": "Legacy",
- "core": "0",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "dest_ip": {
+ "from_user_at": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "process_name": {
"Status": "Legacy",
- "core": "1",
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "file_name": {
- "Status": "Legacy",
- "core": "1",
+ "shared_with_at": {
+ "core": "0",
"detection": "0",
"informational": "0"
},
- "file_dir": {
- "Status": "Legacy",
+ "site_at": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "file_path": {
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
"Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "malware_name": {
+ "email_address": {
"core": "0",
"detection": "0",
"informational": "0"
- },
- "result": {
+ }
+ }
+ }
+ }
+ },
+ "netskope netskope": {
+ "expression": "product = netskope netskope",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
+ "fields": {
+ "domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process": {
+ "os": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process_name": {
+ "src_host": {
"Status": "Legacy",
- "core": "0",
+ "core": "1",
"detection": "1",
"informational": "0"
},
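Review bot: The "morphisec guard" entry now carries "from_user_at", "shared_with_at" and "site_at", which are collaboration and file-sharing attributes, next to endpoint fields such as "process_name"; confirm these belong to an endpoint prevention product and are not left over from a SaaS mapping. The product key "netskope netskope" (and "nexthink nexthink experience", "onapsis onapsis" and "ossec ossec+" later in this patch) repeats the vendor name, which looks like a vendor + product concatenation bug in whatever generated the names; the expression "product = netskope netskope" will only ever match if the source events really carry that doubled string.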
@@ -33009,13 +44436,19 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "fireeye (trellix) endpoint security (hx)": {
- "expression": "product = fireeye (trellix) endpoint security (hx)",
+ "nexthink nexthink experience": {
+ "expression": "product = nexthink nexthink experience",
"fields": {},
"activity_type": {
"alert-trigger": {
@@ -33032,12 +44465,7 @@
"detection": "1",
"informational": "0"
},
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "process": {
+ "result": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -33054,6 +44482,12 @@
"detection": "1",
"informational": "0"
},
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
"src_ip": {
"Status": "Legacy",
"core": "1",
@@ -33066,27 +44500,30 @@
"detection": "0",
"informational": "1"
},
- "user": {
- "Status": "Legacy",
+ "full_name": {
"core": "0",
- "detection": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "user_ou": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
}
}
}
}
},
- "fireeye (trellix) network security (nx)": {
- "expression": "product = fireeye (trellix) network security (nx)",
+ "netiq edirectory": {
+ "expression": "product = netiq edirectory",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
- "action": {
- "Status": "Legacy",
+ "operation": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
"additional_info": {
"core": "0",
@@ -33099,149 +44536,125 @@
"detection": "0",
"informational": "1"
},
- "malware_url": {
+ "app": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process_name": {
+ "dest_host": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "src_user": {
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
+ "malware_url": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "email_address": {
+ "object": {
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- }
- }
- },
- "forcepoint casb": {
- "expression": "product = \"forcepoint casb\"",
- "fields": {
- "user": {
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "user_agent": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "result": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "app-login": {
- "fields": {
- "privileges": {
- "Status": "Default",
+ },
+ "os": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "app-activity": {
- "fields": {
- "object": {
- "Status": "Default",
+ "informational": "0"
+ },
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "privileges": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "fortinet fortigate ngfw": {
- "expression": "product = fortinet fortigate ngfw",
+ "proofpoint insider threat management": {
+ "expression": "product = proofpoint insider threat management",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
- "action": {
- "Status": "Legacy",
+ "additional_info": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "additional_info": {
+ "app": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "alert_id": {
- "Status": "Legacy",
+ "failure_reason": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "city": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "dest_port": {
- "Status": "Legacy",
+ "country": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "malware_file_name": {
+ "state": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "malware_url": {
+ "object": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "protocol": {
- "Status": "Legacy",
+ "object_type": {
"core": "0",
- "detection": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "result": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "result_at": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
"src_ip": {
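Review bot: Removing "forcepoint casb" here also removes the only mapping in this section that defined product-level "fields" and non-"alert-trigger" activity types ("app-login" and "app-activity", with "Status": "Default"); if CASB login and activity coverage is meant to survive it should reappear under another product, and if not, the loss of those activity types deserves a sentence in the change description. In the replacement "netiq edirectory" entry, "malware_url" plus "dest_ip" and "src_ip" with detection weight "1" are unusual for a directory service; confirm they reflect actual eDirectory alert content rather than a copied template.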
@@ -33250,55 +44663,33 @@
"detection": "1",
"informational": "0"
},
- "src_port": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
"user": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- }
- }
- },
- "gamma dlp": {
- "expression": "product = gamma dlp",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
- "fields": {
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "0"
},
- "alert_id": {
- "Status": "Legacy",
+ "user_agent": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "application": {
+ "email_address": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "event_name_name": {
+ "first_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "email_address": {
+ "last_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user_id": {
+ "full_name": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -33307,19 +44698,18 @@
}
}
},
- "hornet security 365 total protection": {
- "expression": "product = hornet security 365 total protection",
+ "okta multi-factor authentication": {
+ "expression": "product = okta multi-factor authentication",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
- "alert_id": {
- "Status": "Legacy",
+ "app": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "email_attachments": {
+ "category": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -33336,25 +44726,26 @@
"detection": "1",
"informational": "0"
},
- "direction": {
+ "dest_port": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "domain": {
+ "event_name_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "recipient": {
+ "failure_reason": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "sender": {
+ "protocol": {
"Status": "Legacy",
- "core": "1",
- "detection": "0",
+ "core": "0",
+ "detection": "1",
"informational": "0"
},
"src_host": {
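Review bot: "okta multi-factor authentication" gains "dest_port" and "protocol", both "Status": "Legacy" with "detection": "1"; transport-level fields carrying a detection weight on an MFA product look like a copy from a network product mapping. If Okta events do not carry them, drop them so they never score, and if they are meant to be populated, note which event attribute feeds them.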
@@ -33369,32 +44760,39 @@
"detection": "1",
"informational": "0"
},
- "email_subject": {
+ "src_port": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "tag": {
"core": "0",
"detection": "0",
"informational": "0"
+ },
+ "user": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "ibm endpoint manager": {
- "expression": "product = ibm endpoint manager",
+ "onapsis onapsis": {
+ "expression": "product = onapsis onapsis",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "alert_id": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
"dest_host": {
"Status": "Legacy",
"core": "0",
@@ -33407,40 +44805,45 @@
"detection": "1",
"informational": "0"
},
- "malware_url": {
+ "file_ext": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "result": {
- "core": "0",
+ "file_name": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "0",
"informational": "0"
},
- "process_name": {
+ "file_dir": {
"Status": "Legacy",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "src_ip": {
+ "file_path": {
"Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "hash_md5": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
+ "hash_sha1": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
}
}
}
}
},
- "ibm sense": {
- "expression": "product = ibm sense",
+ "ossec ossec+": {
+ "expression": "product = ossec ossec+",
"fields": {},
"activity_type": {
"alert-trigger": {
@@ -33456,42 +44859,61 @@
"detection": "0",
"informational": "1"
},
- "dest_host": {
+ "file_hash": {
"Status": "Legacy",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
"malware_url": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "result": {
+ "email_address": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process_name": {
- "Status": "Legacy",
+ "full_name": {
"core": "0",
- "detection": "1",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
+ }
+ }
+ },
+ "palo alto networks aperture": {
+ "expression": "product = palo alto networks aperture",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
+ "fields": {
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "sense_score": {
+ "alert_id": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "app": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "sense_value": {
+ "url": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_host": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "policy_id": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
"src_ip": {
@@ -33510,27 +44932,48 @@
}
}
},
- "imperva data security": {
- "expression": "product = imperva data security",
+ "palo alto networks prisma cloud": {
+ "expression": "product = palo alto networks prisma cloud",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
- "data": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_ip": {
+ "domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "file_ext": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "file_name": {
"Status": "Legacy",
"core": "1",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "process_name": {
+ "file_dir": {
"Status": "Legacy",
"core": "0",
- "detection": "1",
+ "detection": "0",
+ "informational": "1"
+ },
+ "file_path": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "malware_file_name": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
"src_ip": {
@@ -33544,73 +44987,95 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "user_sid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
}
}
}
}
},
- "imperva web application firewall": {
- "expression": "product = imperva web application firewall",
+ "palo alto networks cortex": {
+ "expression": "product = palo alto networks cortex",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
- "email_attachments": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "bytes": {
+ "alert_id": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "external_address": {
+ "malware_url": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "recipient": {
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "recipients": {
- "core": "0",
- "detection": "0",
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
"informational": "0"
},
- "sender": {
+ "src_ip": {
"Status": "Legacy",
"core": "1",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "email_subject": {
+ "user": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "email_address": {
+ "local_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "inky anti-phishing": {
- "expression": "product = inky anti-phishing",
+ "palo alto networks magnifier": {
+ "expression": "product = palo alto networks magnifier",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
- "additional_info": {
+ "action": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
"alert_id": {
"Status": "Legacy",
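Review bot: The new product key "palo alto networks cortex" is ambiguous: this patch also adds separate "palo alto networks magnifier" and "palo alto networks traps" entries, and "cortex" on its own could cover several products, so an expression of "product = palo alto networks cortex" risks overlapping with, or missing, the events the other entries match. Use the specific product name the source events carry, or document which product this entry is for.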
@@ -33618,25 +45083,29 @@
"detection": "0",
"informational": "1"
},
+ "category": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
"dest_ip": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "malware_url": {
+ "direction": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "recipient": {
+ "domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "sender": {
- "Status": "Legacy",
- "core": "1",
+ "malware_url": {
+ "core": "0",
"detection": "0",
"informational": "0"
},
@@ -33646,27 +45115,50 @@
"detection": "1",
"informational": "0"
},
- "email_subject": {
+ "src_location": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "threat_level": {
+ "target_domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "email_address": {
+ "dest_user": {
"core": "0",
"detection": "0",
"informational": "0"
+ },
+ "dest_domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "threat_type": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "user": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "juniper networks srx gateway": {
- "expression": "product = juniper networks srx gateway",
+ "palo alto networks ngfw": {
+ "expression": "product = palo alto networks ngfw",
"fields": {},
"activity_type": {
"alert-trigger": {
@@ -33676,6 +45168,17 @@
"detection": "0",
"informational": "0"
},
+ "alert_id": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "category": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
"dest_ip": {
"Status": "Legacy",
"core": "1",
@@ -33688,6 +45191,11 @@
"detection": "1",
"informational": "0"
},
+ "domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
"malware_url": {
"core": "0",
"detection": "0",
@@ -33699,11 +45207,6 @@
"detection": "1",
"informational": "0"
},
- "src_network_zone": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
"src_port": {
"Status": "Legacy",
"core": "0",
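Review bot: "src_network_zone" is removed here only to be re-added lower in the same "palo alto networks ngfw" object (in the large hunk that follows) with identical weights; JSON object key order carries no meaning, so this is pure churn that makes the review harder. Keep field keys sorted, as most existing entries already are, so that moves do not show up as delete/add pairs.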
@@ -33715,270 +45218,195 @@
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- }
- }
- },
- "juniper networks advanced threat prevention": {
- "expression": "product = juniper networks advanced threat prevention",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
- "fields": {
- "alert_id": {
- "Status": "Legacy",
+ },
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
- },
- "dest_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
- "file_name": {
- "Status": "Legacy",
- "core": "1",
+ "user_agent": {
+ "core": "0",
"detection": "0",
"informational": "0"
},
- "malware_url": {
+ "web_domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process_name": {
+ "action": {
"Status": "Legacy",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "src_ip": {
+ "file_name": {
"Status": "Legacy",
"core": "1",
- "detection": "1",
+ "detection": "0",
"informational": "0"
- }
- }
- }
- }
- },
- "kaspersky enterprise security": {
- "expression": "product = kaspersky enterprise security",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
- "fields": {
- "action": {
+ },
+ "file_dir": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "alert_id": {
+ "file_path": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "application": {
+ "file_ext": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_host": {
- "Status": "Legacy",
+ "email_address": {
"core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "domain": {
+ "bytes_in": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "event_name_code": {
+ "bytes_out": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "file_ext": {
+ "dest_domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "file_name": {
+ "dest_host": {
"Status": "Legacy",
- "core": "1",
- "detection": "0",
+ "core": "0",
+ "detection": "1",
"informational": "0"
},
- "file_dir": {
- "Status": "Legacy",
+ "dest_network_zone": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "result": {
+ "dest_translated_ip": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_host": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "user": {
- "Status": "Legacy",
+ "dest_translated_port": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
- }
- }
- }
- }
- },
- "kaspersky endpoint security for business": {
- "expression": "product = \"kaspersky endpoint security for business\"",
- "fields": {},
- "activity_type": {
- "peripheral_storage-insert": {
- "fields": {
- "src_ip": {
+ },
+ "direction": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "event_time": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "operation": {
+ "event_category": {
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- },
- "alert-trigger": {
- "fields": {
- "action": {
- "Status": "Legacy",
+ },
+ "miscellaneous": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "operation": {
+ "network_app": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "additional_info": {
+ "result": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_host": {
+ "process_name": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "dest_ip": {
+ "profile": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "protocol": {
"Status": "Legacy",
- "core": "1",
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "device_ip": {
+ "rule_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "device_type": {
+ "sequence": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "domain": {
+ "src_domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "result": {
+ "src_network_zone": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
+ "src_translated_ip": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
- }
- }
- }
- }
- },
- "kemp virtual loadmaster load balancer": {
- "expression": "product = kemp virtual loadmaster load balancer",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
- "fields": {
- "additional_info": {
+ },
+ "src_user": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "malware_url": {
+ "subtype": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "threat_category": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
}
}
}
}
},
- "lastline (vmware) lastline defender": {
- "expression": "product = lastline (vmware) lastline defender",
+ "palo alto networks traps": {
+ "expression": "product = palo alto networks traps",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
- "additional_info": {
+ "action": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
"alert_id": {
"Status": "Legacy",
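Review bot: Two decisions are needed in this hunk. First, it removes "kaspersky endpoint security for business" together with its "peripheral_storage-insert" activity type, the only non-alert activity mapping left in this section, along with "kaspersky enterprise security", "juniper networks advanced threat prevention" and "kemp virtual loadmaster load balancer"; confirm these are relocated rather than dropped. Second, the fields appended to "palo alto networks ngfw" ("miscellaneous", "sequence", "event_time", "subtype", "profile") read as raw PAN-OS log column names rather than normalised field names, and "event_time" is a timestamp that should not be weighted as a detection or informational field at all; map these onto the existing normalised names or drop them. Because "dest_host" is appended near the bottom of this object while "dest_ip", "domain" and "category" sit near the top (outside this hunk), please also run a duplicate-key check on the result, since most JSON parsers silently keep the last value.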
@@ -33986,10 +45414,9 @@
"detection": "0",
"informational": "1"
},
- "dest_host": {
- "Status": "Legacy",
+ "app": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
"dest_ip": {
@@ -34004,13 +45431,17 @@
"detection": "1",
"informational": "0"
},
- "file_hash": {
- "Status": "Legacy",
+ "dest_translated_ip": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "hash_type": {
+ "direction": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "domain": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -34021,16 +45452,26 @@
"detection": "1",
"informational": "0"
},
- "src_host": {
+ "src_ip": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "src_ip": {
+ "src_location": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_port": {
"Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_translated_ip": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
"user": {
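Review bot: "palo alto networks traps" now carries NAT and network-position fields ("dest_translated_ip", "src_translated_ip", "direction", "src_location", "src_port") that belong to firewall traffic logs rather than to an endpoint agent; if these were pulled from the NGFW template, remove them from this entry so the mapping only declares fields Traps events actually populate.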
@@ -34038,87 +45479,67 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "email_address": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
}
}
}
}
},
- "malwarebytes endpoint protection": {
- "expression": "product = malwarebytes endpoint protection",
+ "palo alto networks wildfire": {
+ "expression": "product = palo alto networks wildfire",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
- "action": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
"additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process": {
+ "malware_url": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process_name": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_host": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "user": {
- "Status": "Legacy",
+ "email_address": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
}
}
}
}
},
- "malwarebytes endpoint detection and response": {
- "expression": "product = malwarebytes endpoint detection and response",
+ "cofense phishme": {
+ "expression": "product = cofense phishme",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
- "malware_url": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "result": {
+ "alert_id": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "process_name": {
- "Status": "Legacy",
+ "event_name_name": {
"core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_host": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
"src_ip": {
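Review bot: The new "palo alto networks wildfire" entry maps only "additional_info", "malware_url" and "email_address"; for a file-analysis service there is no file name, hash or verdict field, whereas the "lastline (vmware) lastline defender" entry removed earlier in this patch carried "file_hash" and "hash_type". Either WildFire verdict events expose more than this, in which case the mapping is incomplete, or the entry should record why only these three apply.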
@@ -34127,108 +45548,119 @@
"detection": "1",
"informational": "0"
},
- "src_mac": {
+ "email_address": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
+ "full_name": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
}
}
}
}
},
- "mcafee (trellix) endpoint security": {
- "expression": "product = mcafee (trellix) endpoint security",
+ "proofpoint casb": {
+ "expression": "product = proofpoint casb",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
- "additional_info": {
- "core": "0",
- "detection": "0",
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
"informational": "0"
},
- "dest_ip": {
+ "src_ip": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "file_ext": {
+ "user": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "file_name": {
+ "alert_id": {
"Status": "Legacy",
- "core": "1",
+ "core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "malware_file_name": {
+ "email_attachment": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "malware_url": {
+ "email_attachments": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "hash_md5": {
+ "bytes": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "email_user": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "operating_system": {
+ "email_address": {
"core": "0",
"detection": "0",
"informational": "0"
},
+ "file_name": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
"result": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process": {
+ "recipients": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process_name": {
- "Status": "Legacy",
+ "recipient": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "src_host": {
+ "sender": {
"Status": "Legacy",
"core": "1",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "threat_type": {
+ "email_subject": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
+ "target": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
}
}
}
}
},
- "microsoft advanced threat protection": {
- "expression": "product = microsoft advanced threat protection",
+ "verizon network detection & response": {
+ "expression": "product = verizon network detection & response",
"fields": {},
"activity_type": {
"alert-trigger": {
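Review bot: "proofpoint casb" declares both "email_attachment" and "email_attachments" and both "recipient" and "recipients"; unless the schema really distinguishes a scalar from a list, one of each pair is a typo that will never be populated, so keep one and document the cardinality. The keys in this entry are also out of alphabetical order ("dest_ip", "src_ip", "user", then "alert_id" ...), and "target" is a vaguer name than the "dest_*" fields used elsewhere in the file.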
@@ -34238,23 +45670,25 @@
"detection": "0",
"informational": "0"
},
- "alert_id": {
+ "dest_host": {
"Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "malware_url": {
- "core": "0",
- "detection": "0",
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
"informational": "0"
},
- "result": {
+ "dest_port": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "service_name": {
+ "os": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -34271,18 +45705,18 @@
"detection": "1",
"informational": "0"
},
- "user": {
+ "src_port": {
"Status": "Legacy",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
}
}
}
}
},
- "microsoft azure active directory identity protection": {
- "expression": "product = microsoft azure active directory identity protection",
+ "qualys vulnerability management, detection, and response": {
+ "expression": "product = qualys vulnerability management, detection, and response",
"fields": {},
"activity_type": {
"alert-trigger": {
@@ -34292,55 +45726,36 @@
"detection": "0",
"informational": "0"
},
- "alert_id": {
+ "dest_host": {
"Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
- },
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "location": {
- "core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "src_ip": {
+ "dest_ip": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "user": {
+ "src_host": {
"Status": "Legacy",
- "core": "0",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "email_address": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "full_name": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "user_upn": {
- "core": "0",
- "detection": "0",
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
"informational": "0"
}
}
}
}
},
- "microsoft defender advanced threat protection": {
- "expression": "product = microsoft defender advanced threat protection",
+ "rapid7 nexpose": {
+ "expression": "product = rapid7 nexpose",
"fields": {},
"activity_type": {
"alert-trigger": {
@@ -34350,26 +45765,29 @@
"detection": "0",
"informational": "0"
},
- "alert_id": {
- "Status": "Legacy",
+ "malware_url": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "hash_md5": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "domain": {
+ "process": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "file_name": {
+ "process_name": {
"Status": "Legacy",
- "core": "1",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "sensor_id": {
+ "core": "0",
"detection": "0",
"informational": "0"
},
@@ -34391,27 +45809,18 @@
"detection": "1",
"informational": "0"
},
- "email_address": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "full_name": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "user_upn": {
+ "local_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "microsoft azure advanced threat protection": {
- "expression": "product = microsoft azure advanced threat protection",
+ "red canary managed detection and response (mdr)": {
+ "expression": "product = red canary managed detection and response (mdr)",
"fields": {},
"activity_type": {
"alert-trigger": {
@@ -34421,11 +45830,11 @@
"detection": "0",
"informational": "0"
},
- "alert_id": {
+ "dest_host": {
"Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
"dest_ip": {
"Status": "Legacy",
@@ -34433,15 +45842,15 @@
"detection": "1",
"informational": "0"
},
- "domain": {
+ "malware_url": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "file_name": {
+ "process_name": {
"Status": "Legacy",
- "core": "1",
- "detection": "0",
+ "core": "0",
+ "detection": "1",
"informational": "0"
},
"src_host": {
@@ -34456,23 +45865,7 @@
"detection": "1",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "email_address": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "full_name": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "user_upn": {
+ "threat_type": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -34481,17 +45874,12 @@
}
}
},
- "microsoft cloud app security": {
- "expression": "product = microsoft cloud app security",
+ "rsa netwitness endpoint": {
+ "expression": "product = rsa netwitness endpoint",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
"alert_id": {
"Status": "Legacy",
"core": "0",
@@ -34504,72 +45892,77 @@
"detection": "1",
"informational": "0"
},
- "domain": {
+ "target_host": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "file_name": {
- "Status": "Legacy",
- "core": "1",
+ "target_uri": {
+ "core": "0",
"detection": "0",
"informational": "0"
- },
- "src_host": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
+ }
+ }
+ }
+ }
+ },
+ "secureworks isensor ips": {
+ "expression": "product = secureworks isensor ips",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
+ "fields": {
+ "dest_ip": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "user": {
+ "dest_port": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "email_address": {
+ "direction": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "full_name": {
+ "location": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user_upn": {
+ "protocol": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "hash_sha1": {
- "core": "0",
- "detection": "0",
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
"informational": "0"
},
- "process_name": {
+ "src_port": {
"Status": "Legacy",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
}
}
}
}
},
- "microsoft azure security center": {
- "expression": "product = microsoft azure security center",
+ "sentinel ips outpost": {
+ "expression": "product = sentinel ips outpost",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
- "additional_info": {
+ "agent_id": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -34580,9 +45973,10 @@
"detection": "0",
"informational": "1"
},
- "db_name": {
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
"dest_ip": {
@@ -34591,7 +45985,7 @@
"detection": "1",
"informational": "0"
},
- "domain": {
+ "file_ext": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -34602,134 +45996,77 @@
"detection": "0",
"informational": "0"
},
- "server_group": {
+ "file_dir": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "src_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "src_host": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
+ "informational": "1"
},
- "user": {
+ "file_path": {
"Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "email_user": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "full_name": {
+ "hash_md5": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user_upn": {
+ "os_revision": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "email_address": {
+ "process": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_host": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_port": {
+ "process_name": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "src_port": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- }
- }
- },
- "microsoft advanced threat analytics (ata)": {
- "expression": "product = microsoft advanced threat analytics (ata)",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
- "fields": {
- "additional_info": {
+ "src_domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "alert_id": {
- "Status": "Legacy",
+ "src_fqdn": {
"core": "0",
"detection": "0",
- "informational": "1"
- },
- "dest_host": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
"informational": "0"
},
- "dest_ip": {
+ "src_host": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "malware_url": {
+ "src_host_type": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "service_name": {
+ "src_interface": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_host": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
"src_ip": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "first_name": {
+ "src_mac": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "last_name": {
+ "src_net_status": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -34738,18 +46075,33 @@
}
}
},
- "microsoft azure": {
- "expression": "product = microsoft azure",
+ "sentinelone singularity": {
+ "expression": "product = sentinelone singularity",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
- "action": {
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "alert_id": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
+ "bytes_in": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "bytes_out": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
"dest_host": {
"Status": "Legacy",
"core": "0",
@@ -34762,224 +46114,254 @@
"detection": "1",
"informational": "0"
},
+ "dest_mac": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
"dest_port": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "event_hub_name": {
+ "domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "event_hub_namespace": {
+ "hash_md5": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "url": {
+ "process_dir": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "object": {
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "src_ip": {
+ "src_host": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "src_port": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "user": {
+ "src_ip": {
"Status": "Legacy",
- "core": "0",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "email_address": {
+ "src_mac": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "full_name": {
+ "user": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "user_upn": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- }
- }
- }
- }
- },
- "microsoft azure eventhub": {
- "expression": "product = microsoft azure eventhub",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
- "fields": {
- "operation": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
- "additional_info": {
+ "file_dir": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "alert_id": {
+ "file_path": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "application": {
+ "query": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "azure_category": {
+ "response": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "azure_resource_type": {
+ "src_domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "domain": {
+ "src_fqdn": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "event_name_hub_name": {
+ "src_host_type": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "event_name_hub_namespace": {
+ "src_interface": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "last_known_ip": {
+ "src_net_status": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "object": {
+ "src_port": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ }
+ }
+ },
+ "skysea clientview": {
+ "expression": "product = skysea clientview",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
+ "fields": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "result": {
+ "alert_id": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "src_host": {
+ "dest_ip": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "src_ip": {
+ "dest_port": {
"Status": "Legacy",
- "core": "1",
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "user": {
+ "protocol": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "email_address": {
+ "src_interface": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user_upn": {
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_port": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
}
}
- }
- }
- },
- "microsoft graph": {
- "expression": "product = microsoft graph",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
+ },
+ "app-activity": {
"fields": {
- "action": {
- "Status": "Legacy",
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
- "additional_info": {
+ "src_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "alert_id": {
- "Status": "Legacy",
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "application": {
+ "src_host": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "country": {
+ "app": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "email_domain": {
+ "object": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "city": {
+ "informational": "1"
+ }
+ }
+ }
+ }
+ },
+ "snort ids": {
+ "expression": "product = snort ids",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
+ "fields": {
+ "alert_id": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "state": {
- "core": "0",
- "detection": "0",
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
"informational": "0"
},
- "more_info": {
+ "dest_port": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
"result": {
@@ -34987,10 +46369,10 @@
"detection": "0",
"informational": "0"
},
- "sender": {
+ "src_host": {
"Status": "Legacy",
"core": "1",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
"src_ip": {
@@ -34999,20 +46381,11 @@
"detection": "1",
"informational": "0"
},
- "email_subject": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "threat_type": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "token_issuer_type": {
+ "src_port": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
"user": {
"Status": "Legacy",
@@ -35020,27 +46393,34 @@
"detection": "1",
"informational": "0"
},
- "user_agent": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "email_address": {
+ "event_code": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "full_name": {
+ "protocol": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "microsoft office 365": {
- "expression": "product = microsoft office 365",
+ "sophos intercept x endpoint": {
+ "expression": "product = sophos intercept x endpoint",
"fields": {},
"activity_type": {
"alert-trigger": {
@@ -35056,19 +46436,30 @@
"detection": "0",
"informational": "1"
},
- "dest_host": {
+ "file_name": {
"Status": "Legacy",
- "core": "0",
- "detection": "1",
+ "core": "1",
+ "detection": "0",
"informational": "0"
},
- "dest_ip": {
+ "file_dir": {
"Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "file_path": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "malware_file_name": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "domain": {
+ "malware_url": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -35079,207 +46470,176 @@
"detection": "1",
"informational": "0"
},
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
"user": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "microsoft windows": {
- "expression": "product = microsoft windows",
+ "suricata ids": {
+ "expression": "product = suricata ids",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
- "operation_id": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "authentication_process": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "domain": {
+ "action": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "event_name_code": {
+ "bytes_to_client": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "event_name_name": {
+ "bytes_to_server": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "login_id": {
- "core": "0",
- "detection": "0",
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
"informational": "0"
},
- "malware_url": {
+ "event_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "hash_md5": {
+ "interface": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "result": {
+ "pkts_toclient": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process_id": {
+ "pkts_toserver": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process_name": {
+ "protocol": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "provider_name": {
- "core": "0",
- "detection": "0",
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
"informational": "0"
},
- "event_id": {
+ "threat_type": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "threat_id": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user": {
+ "alert_id": {
"Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "user_sid": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- }
- }
- }
- }
- },
- "microsoft applocker": {
- "expression": "product = microsoft applocker",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
- "fields": {
- "result": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "domain": {
+ "app_protocol": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "error_code": {
+ "bytes_in": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "execution_status": {
+ "bytes_out": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "malicious_file_count": {
+ "category": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "malware_id": {
+ "dest_port": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "malware_url": {
+ "event_code": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process": {
+ "failure_reason": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process_name": {
- "Status": "Legacy",
+ "result": {
"core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_host": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "threat_type": {
+ "payload_printable": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "threat_id": {
+ "rule": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user_id": {
+ "rule_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "version": {
+ "src_port": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
}
}
}
}
},
- "microsoft defender antivirus": {
- "expression": "product = microsoft defender antivirus",
+ "symamtec (broadcom) advanced threat protection": {
+ "expression": "product = symamtec (broadcom) advanced threat protection",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
- "action": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
"additional_info": {
"core": "0",
"detection": "0",
@@ -35297,18 +46657,19 @@
"detection": "1",
"informational": "0"
},
- "domain": {
- "core": "0",
+ "file_name": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "0",
"informational": "0"
},
- "file_path": {
+ "file_dir": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "malware_url": {
+ "hash_md5": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -35318,16 +46679,6 @@
"detection": "0",
"informational": "0"
},
- "process": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "process_directory": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
"process_name": {
"Status": "Legacy",
"core": "0",
@@ -35351,27 +46702,33 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "email_address": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "full_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "ivanti mobileiron": {
- "expression": "product = ivanti mobileiron",
+ "symamtec (broadcom) cloud analysis and sandboxing": {
+ "expression": "product = symamtec (broadcom) cloud analysis and sandboxing",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
"malware_url": {
"core": "0",
"detection": "0",
@@ -35388,35 +46745,68 @@
"core": "1",
"detection": "1",
"informational": "0"
- },
- "user": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
}
}
}
}
},
- "morphisec guard": {
- "expression": "product = morphisec guard",
+ "symamtec (broadcom) email security.cloud": {
+ "expression": "product = symamtec (broadcom) email security.cloud",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
+ "action": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
"additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
},
+ "email_attachment": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "bytes": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_host": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
"dest_ip": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "from_user_at": {
+ "dest_port": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "is_outbound": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "result": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "process": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -35427,88 +46817,134 @@
"detection": "1",
"informational": "0"
},
- "shared_with_at": {
+ "recipient": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "site_at": {
+ "recipients": {
"core": "0",
"detection": "0",
"informational": "0"
},
+ "sender": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
"src_ip": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
+ "email_subject": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "threat_type": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
"user": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "email_address": {
+ "local_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "netskope netskope": {
- "expression": "product = netskope netskope",
+ "symamtec (broadcom) endpoint security": {
+ "expression": "product = symamtec (broadcom) endpoint security",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
- "domain": {
+ "action": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "operating_system": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_host": {
+ "alert_id": {
"Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "category": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "user": {
+ "dest_host": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- }
- }
- },
- "nexthink nexthink experience": {
- "expression": "product = nexthink nexthink experience",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
- "fields": {
+ },
"dest_ip": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "dest_port": {
+ "file_ext": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "file_name": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "file_dir": {
"Status": "Legacy",
"core": "0",
- "detection": "1",
+ "detection": "0",
+ "informational": "1"
+ },
+ "file_path": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "malware_url": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "result": {
+ "process": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "process_dir": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -35519,10 +46955,9 @@
"detection": "1",
"informational": "0"
},
- "protocol": {
- "Status": "Legacy",
+ "hash_sha256": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
"src_host": {
@@ -35537,37 +46972,38 @@
"detection": "1",
"informational": "0"
},
- "src_port": {
- "Status": "Legacy",
+ "threat_type": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
+ },
+ "user": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
},
"full_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user_ou": {
+ "local_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "netiq edirectory": {
- "expression": "product = netiq edirectory",
+ "symamtec (broadcom) mobile threat defense": {
+ "expression": "product = symamtec (broadcom) mobile threat defense",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
"additional_info": {
"core": "0",
"detection": "0",
@@ -35579,43 +47015,106 @@
"detection": "0",
"informational": "1"
},
- "application": {
+ "device_model": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_host": {
- "Status": "Legacy",
+ "device_name": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "dest_ip": {
+ "hash_md5": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "os": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "product_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_host": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "domain": {
+ "email_address": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "malware_url": {
+ "full_name": {
"core": "0",
"detection": "0",
"informational": "0"
+ }
+ }
+ }
+ }
+ },
+ "symamtec (broadcom) managed security services": {
+ "expression": "product = symamtec (broadcom) managed security services",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
+ "fields": {
+ "alert_id": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "object": {
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ }
+ }
+ },
+ "tanium tanium endpoint platform": {
+ "expression": "product = tanium tanium endpoint platform",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
+ "fields": {
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "alert_id": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_command_line": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "operating_system": {
+ "path": {
"core": "0",
"detection": "0",
"informational": "0"
},
+ "process_name": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
"src_host": {
"Status": "Legacy",
"core": "1",
@@ -35633,13 +47132,19 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "proofpoint insider threat management": {
- "expression": "product = proofpoint insider threat management",
+ "tenable vulnerability management": {
+ "expression": "product = tenable vulnerability management",
"fields": {},
"activity_type": {
"alert-trigger": {
@@ -35649,47 +47154,43 @@
"detection": "0",
"informational": "0"
},
- "application": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "failure_reason": {
+ "cve_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "city": {
+ "cvss_base_score": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "country": {
+ "cvss_impact_score": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "state": {
+ "exploit_code_maturity": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "object": {
+ "result": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "object_type": {
+ "protocol": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "result": {
+ "see_also": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "result_at": {
+ "remediation_steps": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -35699,34 +47200,50 @@
"core": "1",
"detection": "1",
"informational": "0"
- },
- "user": {
- "Status": "Legacy",
+ }
+ }
+ }
+ }
+ },
+ "trend micro cloud app security": {
+ "expression": "product = trend micro cloud app security",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
+ "fields": {
+ "additional_info": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "user_agent": {
+ "app": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "email_address": {
- "core": "0",
+ "file_name": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "0",
"informational": "0"
},
- "first_name": {
+ "malware_url": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "last_name": {
+ "result": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "full_name": {
+ "user": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "email_address": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -35735,18 +47252,25 @@
}
}
},
- "okta multi-factor authentication": {
- "expression": "product = okta multi-factor authentication",
+ "trend micro deep discovery inspector": {
+ "expression": "product = trend micro deep discovery inspector",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
- "application": {
+ "action": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "category": {
+ "alert_id": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "app": {
"core": "0",
"detection": "0",
"informational": "0"
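Review bot: within `trend micro deep discovery inspector`, `action` and `alert_id` carry a `Status` key but `app` does not; if a missing `Status` has a meaning of its own (neither `Legacy` nor `Default`), that should be documented, otherwise set it explicitly so every field object has the same shape and consumers need no special case for the absent key.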
@@ -35769,22 +47293,6 @@
"detection": "1",
"informational": "0"
},
- "event_name_name": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "failure_reason": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "protocol": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
"src_host": {
"Status": "Legacy",
"core": "1",
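Review bot: this hunk drops `event_name_name`, `failure_reason` and `protocol` from an existing `alert-trigger` mapping, and `protocol` had `"detection": "1"`; removing a detection-weighted field silently changes scoring for anything that consumes this mapping, so the commit message or changelog should call out the removal and confirm that no detection content references `protocol` for this product.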
@@ -35803,157 +47311,127 @@
"detection": "0",
"informational": "1"
},
- "tag": {
+ "threat_type": {
"core": "0",
"detection": "0",
"informational": "0"
- },
- "user": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
}
}
}
}
},
- "onapsis onapsis": {
- "expression": "product = onapsis onapsis",
+ "trend micro officescan": {
+ "expression": "product = trend micro officescan",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
- "dest_host": {
- "Status": "Legacy",
+ "additional_info": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "dest_ip": {
+ "alert_id": {
"Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "file_ext": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "file_name": {
- "Status": "Legacy",
- "core": "1",
+ "app": {
+ "core": "0",
"detection": "0",
"informational": "0"
},
- "file_dir": {
+ "dest_host": {
"Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "file_path": {
+ "dest_ip": {
"Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
},
- "hash_md5": {
+ "dest_port": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "hash_sha1": {
+ "domain": {
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- }
- }
- },
- "ossec ossec+": {
- "expression": "product = ossec ossec+",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
- "fields": {
- "additional_info": {
+ },
+ "malware_url": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "alert_id": {
- "Status": "Legacy",
+ "hash_md5": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "file_hash": {
- "Status": "Legacy",
+ "result": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "malware_url": {
+ "process": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "email_address": {
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "full_name": {
- "core": "0",
- "detection": "0",
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
"informational": "0"
- }
- }
- }
- }
- },
- "palo alto networks aperture": {
- "expression": "product = palo alto networks aperture",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
- "fields": {
- "additional_info": {
- "core": "0",
- "detection": "0",
+ },
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
"informational": "0"
},
- "alert_id": {
+ "src_port": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "application": {
+ "threat_type": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "url": {
+ "user": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "policy_id": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
- "src_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "email_address": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "user": {
+ "protocol": {
"Status": "Legacy",
"core": "0",
"detection": "1",
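Review bot: `domain_user_name` introduces an `"enriched": "1"` attribute that no other field in the `trend micro officescan` block has, and it appears alongside three zero weights; document what `enriched` means (derived from another field, populated by a lookup) and whether its absence on the other fields is equivalent to `"0"`, since consumers will otherwise have to guess at the default.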
@@ -35963,8 +47441,8 @@
}
}
},
- "palo alto networks prisma cloud": {
- "expression": "product = palo alto networks prisma cloud",
+ "trend micro scanmail": {
+ "expression": "product = trend micro scanmail",
"fields": {},
"activity_type": {
"alert-trigger": {
@@ -35974,52 +47452,29 @@
"detection": "0",
"informational": "0"
},
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "file_ext": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
"file_name": {
"Status": "Legacy",
"core": "1",
"detection": "0",
"informational": "0"
},
- "file_dir": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "file_path": {
- "Status": "Legacy",
+ "malware_url": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "malware_file_name": {
+ "result": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_ip": {
+ "src_host": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "user_sid": {
+ "email_address": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -36028,44 +47483,33 @@
}
}
},
- "palo alto networks cortex": {
- "expression": "product = palo alto networks cortex",
+ "trend micro intrusion prevention (ips)": {
+ "expression": "product = trend micro intrusion prevention (ips)",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
"alert_id": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_host": {
+ "dest_ip": {
"Status": "Legacy",
- "core": "0",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "malware_url": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "process_name": {
+ "dest_port": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "src_host": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "event_name_code": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
"src_ip": {
@@ -36074,140 +47518,99 @@
"detection": "1",
"informational": "0"
},
- "user": {
+ "src_port": {
"Status": "Legacy",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
}
}
}
}
},
- "palo alto networks magnifier": {
- "expression": "product = palo alto networks magnifier",
+ "unix": {
+ "expression": "product = unix",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
- "action": {
- "Status": "Legacy",
+ "operation_type": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "alert_id": {
- "Status": "Legacy",
+ "arg": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "category": {
+ "process_command_line": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_ip": {
+ "dest_host": {
"Status": "Legacy",
- "core": "1",
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "direction": {
+ "file_owner": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "domain": {
+ "file_path": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "malware_url": {
+ "group_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "event_category": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "src_location": {
+ "result": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "target_domain": {
+ "parent_process_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_user": {
+ "path": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "threat_type": {
+ "process_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user": {
+ "process_name": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- }
- }
- },
- "palo alto networks ngfw": {
- "expression": "product = palo alto networks ngfw",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
- "fields": {
- "action": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "alert_id": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
},
- "domain": {
+ "service_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "file_name": {
+ "src_host": {
"Status": "Legacy",
"core": "1",
- "detection": "0",
- "informational": "0"
- },
- "file_dir": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "file_path": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "file_ext": {
- "core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
"src_ip": {
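Review bot: this hunk shows the `palo alto networks magnifier` and `palo alto networks ngfw` product blocks being removed while `unix` takes their place; given the large offset in the hunk header (`-36074` against `+47518`) they are probably relocated rather than deleted, but the patch should be checked for their re-insertion, because both blocks carried core- and detection-weighted fields whose loss would not be caught by a syntax check. Separately, the new `unix` `alert-trigger` entries `arg`, `path` and `process_command_line` have no `Status` key while `dest_host`, `file_path` and `process_name` in the same block do; pick one convention for the block.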
@@ -36216,1177 +47619,932 @@
"detection": "1",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "email_address": {
+ "event_subtype": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "additional_info": {
+ "user": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "bytes_in": {
+ "local_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "bytes_out": {
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
+ },
+ "endpoint-authentication": {
+ "fields": {
+ "src_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "category": {
+ "process_name": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "dest_domain": {
+ "process_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "dest_host": {
- "Status": "Legacy",
+ "src_host": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "dest_network_zone": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "dest_port": {
- "Status": "Legacy",
+ "dest_ip": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "dest_translated_ip": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "dest_translated_port": {
+ "auth_method": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "direction": {
+ "group_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "event_time": {
+ "process_command_line": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
"event_category": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "malware_url": {
+ "operation_type": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "miscellaneous": {
+ "file_owner": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "network_application": {
+ "informational": "1"
+ }
+ }
+ },
+ "group-member-add": {
+ "fields": {
+ "src_ip": {
"core": "0",
"detection": "0",
"informational": "0"
- },
- "result": {
+ }
+ }
+ },
+ "email-receive": {
+ "fields": {
+ "bytes": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "process_name": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
+ "informational": "1"
},
- "profile": {
+ "protocol": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "protocol": {
- "Status": "Legacy",
+ "num_recipients": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
- },
- "rule_id": {
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "email-send": {
+ "fields": {
+ "bytes": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "sequence": {
+ "informational": "1"
+ }
+ }
+ },
+ "process-create": {
+ "fields": {
+ "user_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "src_domain": {
+ "operation_type": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "src_network_zone": {
+ "group_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "src_port": {
- "Status": "Legacy",
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_translated_ip": {
+ "session_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "src_user": {
+ "object": {
+ "Status": "Default",
"core": "0",
"detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "file-read": {
+ "fields": {
+ "access": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
"informational": "0"
},
- "subtype": {
+ "group_id": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "threat_category": {
+ "src_ip": {
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
- }
- }
- }
- }
- },
- "palo alto networks traps": {
- "expression": "product = palo alto networks traps",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
- "fields": {
- "action": {
- "Status": "Legacy",
+ },
+ "process_command_line": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "alert_id": {
+ "bytes": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "application": {
+ "event_category": {
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "dest_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "dest_port": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
+ "informational": "1"
},
- "dest_translated_ip": {
+ "operation_type": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "direction": {
+ "operation": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "domain": {
+ "file_owner": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "protocol": {
+ "src_host": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "src_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "src_location": {
+ "account": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_port": {
- "Status": "Legacy",
+ "user_id": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_translated_ip": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
"user": {
"Status": "Legacy",
- "core": "0",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "email_address": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- }
- }
- }
- }
- },
- "palo alto networks wildfire": {
- "expression": "product = palo alto networks wildfire",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
- "fields": {
- "additional_info": {
+ "process_id": {
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "malware_url": {
+ "service_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "email_address": {
+ "parent_process_id": {
"core": "0",
"detection": "0",
- "informational": "0"
- }
- }
- }
- }
- },
- "cofense phishme": {
- "expression": "product = cofense phishme",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
- "fields": {
- "additional_info": {
+ "informational": "1"
+ },
+ "event_subtype": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "alert_id": {
+ "process_name": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_name_name": {
+ "local_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "src_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "email_address": {
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
+ },
+ "user-create": {
+ "fields": {
+ "group_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "full_name": {
+ "process_command_line": {
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- }
- }
- },
- "proofpoint casb": {
- "expression": "product = \"proofpoint casb\"",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
- "fields": {
- "alert_id": {
- "Status": "Legacy",
+ },
+ "event_category": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "email_attachment": {
+ "operation_type": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "email_attachments": {
+ "file_owner": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "bytes": {
+ "src_host": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "email_user": {
+ "dest_user_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "email_address": {
+ "user_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "file_name": {
+ "user": {
"Status": "Legacy",
"core": "1",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "result": {
+ "file_path": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "recipients": {
+ "process_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "recipient": {
+ "service_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "sender": {
- "Status": "Legacy",
- "core": "1",
+ "parent_process_id": {
+ "core": "0",
"detection": "0",
"informational": "0"
},
- "src_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "email_subject": {
+ "process_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "target": {
+ "src_ip": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
+ "local_user_name": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
- }
- }
- },
- "verizon network detection & response": {
- "expression": "product = verizon network detection & response",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
+ },
+ "user-delete": {
"fields": {
- "additional_info": {
+ "group_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_host": {
- "Status": "Legacy",
+ "process_command_line": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "dest_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "event_category": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "dest_port": {
- "Status": "Legacy",
+ "operation_type": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "operating_system": {
+ "file_owner": {
"core": "0",
"detection": "0",
"informational": "0"
},
"src_host": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "src_port": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- }
- }
- },
- "qualys vulnerability management, detection, and response": {
- "expression": "product = qualys vulnerability management, detection, and response",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
- "fields": {
- "additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_host": {
- "Status": "Legacy",
+ "dest_user_id": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "dest_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "user_id": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "src_host": {
+ "user": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "src_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- }
- }
- }
- }
- },
- "rapid7 nexpose": {
- "expression": "product = rapid7 nexpose",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
- "fields": {
- "additional_info": {
+ "file_path": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "malware_url": {
+ "process_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "hash_md5": {
+ "service_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process": {
+ "parent_process_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
"process_name": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "sensor_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_host": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
"src_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
+ "local_user_name": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
- }
- }
- },
- "red canary managed detection and response (mdr)": {
- "expression": "product = red canary managed detection and response (mdr)",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
+ },
+ "group-member-remove": {
"fields": {
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "dest_host": {
+ "group_id": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "dest_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "process_command_line": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "malware_url": {
+ "event_category": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process_name": {
- "Status": "Legacy",
+ "operation_type": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "src_host": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "file_owner": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "src_ip": {
+ "src_host": {
"Status": "Legacy",
- "core": "1",
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "threat_type": {
+ "dest_user_id": {
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- }
- }
- },
- "rsa netwitness endpoint": {
- "expression": "product = rsa netwitness endpoint",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
- "fields": {
- "alert_id": {
- "Status": "Legacy",
+ },
+ "user_id": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_ip": {
+ "user": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "target_host": {
+ "file_path": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "target_uri": {
+ "process_id": {
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- }
- }
- },
- "secureworks isensor ips": {
- "expression": "product = secureworks isensor ips",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
- "fields": {
- "dest_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "dest_port": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
},
- "direction": {
+ "service_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "location": {
+ "parent_process_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "protocol": {
- "Status": "Legacy",
+ "process_name": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
"src_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "src_port": {
- "Status": "Legacy",
+ "local_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
}
}
- }
- }
- },
- "sentinel ips outpost": {
- "expression": "product = sentinel ips outpost",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
+ },
+ "user-password-modify": {
"fields": {
- "agent_id": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "alert_id": {
- "Status": "Legacy",
+ "group_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_host": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "file_ext": {
+ "process_command_line": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "file_name": {
- "Status": "Legacy",
- "core": "1",
- "detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "file_dir": {
- "Status": "Legacy",
+ "event_category": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_path": {
- "Status": "Legacy",
+ "operation_type": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "hash_md5": {
+ "file_owner": {
+ "Status": "Default",
"core": "0",
"detection": "0",
+ "informational": "1"
+ },
+ "src_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
"informational": "0"
},
- "operating_system_revision": {
+ "dest_user_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "process": {
+ "user_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "process_name": {
- "Status": "Legacy",
+ "user": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "src_domain": {
+ "file_path": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "src_fqdn": {
+ "process_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "src_host": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
+ "service_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "src_host_type": {
+ "parent_process_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "src_interface": {
+ "process_name": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
"src_ip": {
- "Status": "Legacy",
- "core": "1",
+ "Status": "Default",
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "src_mac": {
+ "dest_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "src_net_status": {
+ "local_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
}
}
- }
- }
- },
- "sentinelone singularity": {
- "expression": "product = sentinelone singularity",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
+ },
+ "endpoint-login": {
"fields": {
- "alert_id": {
- "Status": "Legacy",
+ "process_dir": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "dest_port": {
- "Status": "Legacy",
+ "group_id": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "file_dir": {
- "Status": "Legacy",
+ "process_command_line": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_path": {
- "Status": "Legacy",
+ "event_category": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "hash_md5": {
+ "operation_type": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "query": {
+ "event_code": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "response": {
+ "user_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "src_domain": {
+ "file_owner": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "src_fqdn": {
+ "dest_port": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
"src_host": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "src_host_type": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "src_interface": {
+ "dest_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "0"
- },
- "src_ip": {
- "Status": "Legacy",
- "core": "1",
"detection": "1",
"informational": "0"
},
- "src_mac": {
+ "login_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "src_net_status": {
+ "event_name": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
"src_port": {
- "Status": "Legacy",
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- }
- }
- },
- "skysea clientview": {
- "expression": "product = \"skysea clientview\"",
- "fields": {},
- "activity_type": {
- "app-activity": {
- "fields": {
- "user": {
+ "auth": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "domain": {
+ "file_path": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
+ "process_id": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "additional_info": {
+ "service_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_host": {
+ "session_id": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "application": {
+ "parent_process_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "process_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "src_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
}
}
- }
- }
- },
- "snort ids": {
- "expression": "product = snort ids",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
+ },
+ "file-write": {
+ "fields": {}
+ },
+ "file-delete": {
"fields": {
- "additional_info": {
+ "dest_ip": {
"core": "0",
"detection": "0",
"informational": "0"
- },
- "alert_id": {
- "Status": "Legacy",
+ }
+ }
+ },
+ "file-permission-modify": {
+ "fields": {
+ "group_id": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "dest_port": {
- "Status": "Legacy",
+ "src_ip": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "event_code": {
+ "process_command_line": {
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "protocol": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
+ "informational": "1"
},
- "src_port": {
- "Status": "Legacy",
+ "bytes": {
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- }
- }
- },
- "sophos intercept x endpoint": {
- "expression": "product = sophos intercept x endpoint",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
- "fields": {
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "0"
},
- "alert_id": {
- "Status": "Legacy",
+ "event_category": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_name": {
- "Status": "Legacy",
- "core": "1",
+ "operation_type": {
+ "core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "file_dir": {
- "Status": "Legacy",
+ "operation": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_path": {
- "Status": "Legacy",
+ "file_owner": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "malware_file_name": {
+ "src_host": {
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "malware_url": {
+ "account": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_host": {
+ "access": {
"Status": "Legacy",
- "core": "1",
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "src_ip": {
+ "user_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
+ "process_id": {
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- }
- }
- },
- "suricata ids": {
- "expression": "product = suricata ids",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
- "fields": {
- "action": {
- "Status": "Legacy",
+ },
+ "service_name": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "parent_process_id": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "alert_id": {
- "Status": "Legacy",
+ "event_subtype": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "application_protocol": {
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "bytes_in": {
+ "local_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "bytes_out": {
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
+ },
+ "user-lock": {
+ "fields": {
+ "auth_method": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "category": {
+ "event_code": {
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "dest_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
+ "informational": "1"
},
- "dest_port": {
- "Status": "Legacy",
+ "src_ip": {
"core": "0",
"detection": "1",
"informational": "0"
- },
- "event_code": {
+ }
+ }
+ }
+ }
+ },
+ "vbcorp vbcorp+a1228:a1254": {
+ "expression": "product = vbcorp vbcorp+A1228:A1254",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
+ "fields": {
+ "domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "failure_reason": {
+ "malware_url": {
"core": "0",
"detection": "0",
"informational": "0"
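Review bot: the new product key `"vbcorp vbcorp+a1228:a1254"` and its `"expression": "product = vbcorp vbcorp+A1228:A1254"` look like a spreadsheet cell range (`A1228:A1254`) pasted into the product name rather than a real product string, and the value is left unquoted even though it contains spaces, `+` and `:` while the other multi-word products added in this change wrap the value in `\"...\"`; please replace it with the intended product name and quote it. Under `"file-delete"` the `"dest_ip"` field, and under the vbcorp `alert-trigger` the `domain` and `malware_url` fields, are added with `"core": "0"`, `"detection": "0"`, `"informational": "0"`, which assigns them to no class at all; either set the intended flag or drop them. The added `local_user_name` entry introduces an `"enriched": "1"` key alongside the three flags; make sure every consumer of this schema tolerates the extra attribute, and say in the commit message what it means.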
@@ -37396,45 +48554,69 @@
"detection": "0",
"informational": "0"
},
- "payload_printable": {
- "core": "0",
- "detection": "0",
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
"informational": "0"
},
- "protocol": {
+ "src_ip": {
"Status": "Legacy",
- "core": "0",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "rule": {
+ "src_mac": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "rule_id": {
+ "user": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
"core": "0",
"detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
+ }
+ }
+ },
+ "vectra cognito": {
+ "expression": "product = vectra cognito",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
+ "fields": {
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
"informational": "0"
},
- "src_ip": {
+ "src_host": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "src_port": {
+ "src_ip": {
"Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
}
}
}
}
},
- "symamtec (broadcom) advanced threat protection": {
- "expression": "product = symamtec (broadcom) advanced threat protection",
+ "vmware carbon black app control": {
+ "expression": "product = vmware carbon black app control",
"fields": {},
"activity_type": {
"alert-trigger": {
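Review bot: the `symamtec (broadcom) advanced threat protection` block is deleted and replaced in place by `vmware carbon black app control` rather than having its misspelling corrected to `symantec`; confirm that the product is re-added under the corrected key elsewhere in this change, because anything keyed on the old expression will otherwise stop matching silently. In the `vectra cognito` entry everything is fine, but the vbcorp `src_mac` field added just above it is `"core": "0"`, `"detection": "0"`, `"informational": "0"`, so it belongs to no class; set one or leave it out.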
@@ -37456,24 +48638,34 @@
"detection": "1",
"informational": "0"
},
- "file_name": {
+ "dest_ip": {
"Status": "Legacy",
"core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "direction": {
+ "core": "0",
"detection": "0",
"informational": "0"
},
- "file_dir": {
+ "domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "file_path": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "hash_md5": {
+ "malware_url": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "result": {
+ "malware_url_path": {
"core": "0",
"detection": "0",
"informational": "0"
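Review bot: four of the fields added to `vmware carbon black app control` / `alert-trigger` (`direction`, `domain`, `malware_url`, `malware_url_path`) carry `"core": "0"`, `"detection": "0"`, `"informational": "0"`, so any consumer that keys on these flags will ignore them; assign the intended class or drop the fields. The hunk also swaps out `hash_md5` and `result` for `malware_url` and `malware_url_path`; please confirm the hash is intentionally dropped, since a file hash is normally the most useful pivot an EDR alert offers and losing it from the `detection` set is a regression for detection content built on this mapping.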
@@ -37502,130 +48694,123 @@
"detection": "1",
"informational": "0"
},
- "email_address": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "full_name": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "symamtec (broadcom) cloud analysis and sandboxing": {
- "expression": "product = symamtec (broadcom) cloud analysis and sandboxing",
+ "vmware carbon black endpoint": {
+ "expression": "product = vmware carbon black endpoint",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
- "malware_url": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_host": {
+ "alert_id": {
"Status": "Legacy",
- "core": "1",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "Status": "Legacy",
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "src_ip": {
+ "dest_ip": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
- }
- }
- }
- }
- },
- "symamtec (broadcom) email security.cloud": {
- "expression": "product = symamtec (broadcom) email security.cloud",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
- "fields": {
- "action": {
- "Status": "Legacy",
+ },
+ "domain": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "additional_info": {
+ "malware_url": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "email_attachment": {
+ "os": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "bytes": {
+ "process_name": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "dest_host": {
+ "src_host": {
"Status": "Legacy",
- "core": "0",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "dest_ip": {
+ "src_ip": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "dest_port": {
+ "user": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "is_outbound": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "result": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "process": {
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
+ }
+ }
+ },
+ "vmware carbon black edr": {
+ "expression": "product = vmware carbon black edr",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
+ "fields": {
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "process_name": {
+ "dest_ip": {
"Status": "Legacy",
- "core": "0",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "recipient": {
+ "dest_port": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "recipients": {
+ "malware_url": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "sender": {
- "Status": "Legacy",
- "core": "1",
- "detection": "0",
- "informational": "0"
- },
"src_host": {
"Status": "Legacy",
"core": "1",
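Review bot: in `vmware carbon black endpoint` / `alert-trigger`, `domain`, `malware_url` and `os` are added with all three flags at `"0"`, and the same pattern recurs for `malware_url` under `vmware carbon black edr`; decide on a class for these or remove them. This hunk also removes the whole `symamtec (broadcom) cloud analysis and sandboxing` and `symamtec (broadcom) email security.cloud` blocks, including the mail-specific fields (`email_attachment`, `sender`, `recipient`, `recipients`) that no other entry in the diff carries; state in the commit message whether these products are retired or re-added under the corrected spelling, because the email fields will be lost from the schema if they are not.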
@@ -37638,111 +48823,84 @@
"detection": "1",
"informational": "0"
},
- "email_subject": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "threat_type": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
"user": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "symamtec (broadcom) endpoint security": {
- "expression": "product = symamtec (broadcom) endpoint security",
+ "wazuh siem": {
+ "expression": "product = wazuh siem",
"fields": {},
"activity_type": {
"alert-trigger": {
"fields": {
- "action": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
"additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "alert_id": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "category": {
+ "agent_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_host": {
- "Status": "Legacy",
+ "agent_name": {
"core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "file_ext": {
+ "data": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "file_name": {
- "Status": "Legacy",
- "core": "1",
+ "decoder_name": {
+ "core": "0",
"detection": "0",
"informational": "0"
},
- "file_dir": {
- "Status": "Legacy",
+ "description": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "file_path": {
- "Status": "Legacy",
+ "dest_user": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "malware_url": {
+ "event_name_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process": {
+ "log_location": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process_directory": {
+ "log_path": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process_name": {
- "Status": "Legacy",
+ "result": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "hash_sha256": {
+ "rule_id": {
"core": "0",
"detection": "0",
"informational": "0"
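Review bot: `"event_name_name"` under `wazuh siem` / `alert-trigger` looks like a typo for `event_name`, which is the spelling every Event Viewer entry in this change uses; please fix it before it becomes a field name that parsers have to keep supporting. Nearly all of the Wazuh fields (`agent_id`, `agent_name`, `data`, `decoder_name`, `description`, `dest_user`, `log_location`, `log_path`, `result`, `rule_id`) are added with `"core": "0"`, `"detection": "0"`, `"informational": "0"`; `rule_id` and `agent_name` are what an analyst pivots on in a Wazuh alert, so marking at least those as `detection` would make the mapping usable.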
@@ -37759,156 +48917,201 @@
"detection": "1",
"informational": "0"
},
- "threat_type": {
+ "wazuh_manager": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "full_name": {
+ "dest_local_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "symamtec (broadcom) mobile threat defense": {
- "expression": "product = symamtec (broadcom) mobile threat defense",
- "fields": {},
+ "event viewer - system": {
+ "expression": "product = \"event viewer - system\"",
+ "fields": {
+ "user": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "log_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_code": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_host": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ }
+ },
"activity_type": {
- "alert-trigger": {
+ "service-create": {
"fields": {
- "additional_info": {
+ "file_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "alert_id": {
- "Status": "Legacy",
+ "file_path": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "device_model": {
+ "file_dir": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "device_name": {
+ "file_ext": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "hash_md5": {
+ "service_command_line": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "operating_system": {
+ "service_type": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "product_name": {
+ "service_start_type": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "src_host": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "dest_user": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "email_address": {
+ "dest_domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "full_name": {
+ "dest_domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "symamtec (broadcom) managed security services": {
- "expression": "product = symamtec (broadcom) managed security services",
- "fields": {},
+ "event viewer - printservice": {
+ "expression": "product = \"event viewer - printservice\"",
+ "fields": {
+ "user": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "src_host": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "log_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_code": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
"activity_type": {
- "alert-trigger": {
+ "printer-activity": {
"fields": {
- "alert_id": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
+ "file_name": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
- }
- }
- }
- }
- },
- "tanium tanium endpoint platform": {
- "expression": "product = tanium tanium endpoint platform",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
- "fields": {
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "alert_id": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
},
- "process_command_line": {
+ "file_path": {
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "path": {
+ "file_dir": {
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "process_name": {
- "Status": "Legacy",
+ "file_ext": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "src_host": {
+ "printer_name": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "src_ip": {
- "Status": "Legacy",
- "core": "1",
+ "printer_port": {
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "user": {
+ "bytes_out": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "num_pages": {
"Status": "Legacy",
"core": "0",
"detection": "1",
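Review bot: the product-level `fields` blocks added for `event viewer - system` and `event viewer - printservice` omit the `Status` key entirely, while the activity-level fields in the same hunk mix `"Status": "Legacy"` (`service_start_type`, `file_name`, `printer_name`, `num_pages`) with entries that have no `Status`; please document whether a missing `Status` is read as `Default`, so consumers do not have to guess. Under `service-create`, `file_name`, `file_path`, `file_dir`, `file_ext`, `service_command_line` and `service_type` are all `"0"/"0"/"0"`; for a service-installation event the image path and command line are exactly what a detection engineer filters on, so `file_path` and `service_command_line` at least should be `detection`. The hunk also deletes the `symamtec (broadcom) mobile threat defense`, `symamtec (broadcom) managed security services` and `tanium tanium endpoint platform` blocks outright; confirm that is intended.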
@@ -37918,250 +49121,359 @@
}
}
},
- "tenable vulnerability management": {
- "expression": "product = tenable vulnerability management",
+ "event viewer - powershell": {
+ "expression": "product = \"event viewer - powershell\"",
"fields": {},
"activity_type": {
- "alert-trigger": {
+ "printer-activity": {
+ "fields": {}
+ }
+ }
+ },
+ "mssql": {
+ "expression": "product = \"mssql\"",
+ "fields": {
+ "user": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "service_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_user_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "result": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "event_code": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "db_name": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "event_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
+ "activity_type": {
+ "database-login": {
+ "fields": {}
+ },
+ "database-query": {
"fields": {
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "cve_id": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "cvss_base_score": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "cvss_impact_score": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "exploit_code_maturity": {
+ "schema_name": {
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "result": {
+ "table_name": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "protocol": {
- "Status": "Legacy",
+ "operation": {
"core": "0",
"detection": "1",
"informational": "0"
- },
- "see_also": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "remediation_steps": {
+ }
+ }
+ },
+ "database-delete": {
+ "fields": {
+ "operation": {
"core": "0",
- "detection": "0",
- "informational": "0"
- },
- "src_ip": {
- "Status": "Legacy",
- "core": "1",
"detection": "1",
"informational": "0"
}
}
}
- }
- },
- "trend micro cloud app security": {
- "expression": "product = trend micro cloud app security",
- "fields": {},
+ }
+ },
+ "event viewer - dnsserver": {
+ "expression": "product = \"event viewer - dnsserver\"",
+ "fields": {
+ "protocol": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dns_query_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "result": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "bytes_out": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "operation": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "dns-request": {
+ "fields": {}
+ },
+ "dns-response": {
+ "fields": {}
+ }
+ }
+ },
+ "event viewer - adfs": {
+ "expression": "product = \"event viewer - adfs\"",
+ "fields": {
+ "event_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "dns-response": {
+ "fields": {}
+ },
+ "endpoint-authentication": {
+ "fields": {}
+ }
+ }
+ },
+ "event viewer - nps": {
+ "expression": "product = \"event viewer - nps\"",
+ "fields": {
+ "auth_server": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "auth_method": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_mac": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "location": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "network": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_code": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "auth_type": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user_type": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "access_type": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
"activity_type": {
- "alert-trigger": {
- "fields": {
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "application": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "file_name": {
- "Status": "Legacy",
- "core": "1",
- "detection": "0",
- "informational": "0"
- },
- "malware_url": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "result": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "user": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "email_address": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- }
- }
+ "endpoint-authentication": {
+ "fields": {}
}
}
},
- "trend micro deep discovery inspector": {
- "expression": "product = trend micro deep discovery inspector",
- "fields": {},
+ "event viewer - terminalservices-gateway": {
+ "expression": "product = \"event viewer - terminalservices-gateway\"",
+ "fields": {
+ "event_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_code": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
"activity_type": {
- "alert-trigger": {
+ "endpoint-login": {
"fields": {
- "action": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "alert_id": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "application": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "dest_host": {
- "Status": "Legacy",
+ "src_ip": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
"dest_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "dest_port": {
- "Status": "Legacy",
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "src_host": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "src_port": {
- "Status": "Legacy",
+ "protocol": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "threat_type": {
- "core": "0",
- "detection": "0",
- "informational": "0"
}
}
}
}
},
- "trend micro officescan": {
- "expression": "product = \"trend micro officescan\"",
+ "event viewer - dhcp-server": {
+ "expression": "product = \"event viewer - dhcp-server\"",
"fields": {},
"activity_type": {
- "alert-trigger": {
- "fields": {
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "protocol": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_host": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "user": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
+ "endpoint-login": {
+ "fields": {}
}
}
},
- "trend micro scanmail": {
- "expression": "product = trend micro scanmail",
+ "event viewer - dhcp-client": {
+ "expression": "product = \"event viewer - dhcp-client\"",
"fields": {},
"activity_type": {
- "alert-trigger": {
+ "endpoint-login": {
+ "fields": {}
+ }
+ }
+ },
+ "microsoft rras": {
+ "expression": "product = \"microsoft rras\"",
+ "fields": {
+ "session_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "vpn-authentication": {
+ "fields": {}
+ },
+ "vpn-login": {
+ "fields": {}
+ },
+ "vpn-logout": {
"fields": {
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "file_name": {
- "Status": "Legacy",
- "core": "1",
- "detection": "0",
- "informational": "0"
- },
- "malware_url": {
+ "session_min": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "result": {
+ "session_sec": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_host": {
+ "bytes_out": {
"Status": "Legacy",
- "core": "1",
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "email_address": {
+ "bytes_in": {
"core": "0",
"detection": "0",
"informational": "0"
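Review bot: several of the new Event Viewer products appear to have been copy-pasted with the wrong `activity_type`: `event viewer - powershell` maps only to `printer-activity`, `event viewer - adfs` maps to `dns-response` (next to a plausible `endpoint-authentication`), and `event viewer - dhcp-server` / `event viewer - dhcp-client` map to `endpoint-login`, each with empty `fields`. PowerShell, AD FS and DHCP events are not printer, DNS or login activity, so these should be corrected before merge, or left out until a real mapping exists, since an empty `fields` block under the wrong activity type will make every such event look like something it is not. Separately, this hunk removes `tenable vulnerability management`, `trend micro cloud app security`, `trend micro deep discovery inspector`, `trend micro officescan` and `trend micro scanmail` entirely; please say in the commit message whether they are retired or relocated.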
@@ -38170,56 +49482,63 @@
}
}
},
- "trend micro intrusion prevention (ips)": {
- "expression": "product = trend micro intrusion prevention (ips)",
- "fields": {},
+ "zscaler internet access": {
+ "expression": "product = \"zscaler internet access\"",
+ "fields": {
+ "user": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "result": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
"activity_type": {
- "alert-trigger": {
+ "dns-response": {
"fields": {
- "alert_id": {
- "Status": "Legacy",
+ "duration": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "dest_port": {
+ "category": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "event_name_code": {
+ "department": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "src_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
+ "location": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "src_port": {
- "Status": "Legacy",
+ "rule": {
"core": "0",
"detection": "0",
"informational": "1"
}
}
- }
- }
- },
- "unix": {
- "expression": "product = \"unix\"",
- "fields": {},
- "activity_type": {
- "endpoint-authentication": {
+ },
+ "app-login": {
"fields": {
"src_ip": {
"Status": "Default",
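Review bot: the `unix` product block is deleted here (`- "unix": {` / `- "expression": "product = \"unix\""`) together with its `endpoint-authentication` fields in the next hunk; the added `auth`, `file_path`, `process_id`, `file-write`, `file-delete` and `user-lock` lines earlier in this patch suggest the entry was moved rather than dropped, but because the diff renders the move as delete-plus-add that cannot be verified from the hunks, so please confirm it in the commit message. In `zscaler internet access` / `dns-response`, the added fields (`duration`, `category`, `department`, `location`, `rule`) read like proxy-log attributes rather than DNS-response attributes, and an `http-session` activity type is added for the same product further down; check that `dns-response` is really the intended activity type here.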
@@ -38227,142 +49546,137 @@
"detection": "1",
"informational": "0"
},
- "process_name": {
+ "bytes_in": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_id": {
+ "bytes_out": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_host": {
+ "client_type": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "network-session": {
+ "fields": {
+ "policy_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "dest_ip": {
+ "session_id": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "auth_method": {
+ "connection_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "group_id": {
+ "src_country": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_command_line": {
+ "src_zen_code": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_category": {
+ "host_zen_code": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation_type": {
+ "host_ip": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_owner": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "group-member-add": {
- "fields": {
- "src_ip": {
+ },
+ "app_group": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- }
- }
- },
- "email-receive": {
- "fields": {
- "bytes": {
+ "informational": "1"
+ },
+ "session_start": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "protocol": {
+ "session_end": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "num_recipients": {
+ "bytes_in": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "email-send": {
- "fields": {
- "bytes": {
+ },
+ "bytes_out": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "process-create": {
- "fields": {
- "user_id": {
+ },
+ "host_bytes_in": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation_type": {
+ "host_bytes_out": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "group_id": {
+ "policy_runtime": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "ca_runtime": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "session_id": {
+ "app_learntime": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "direction": {
"Status": "Default",
"core": "0",
"detection": "0",
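Review bot: every field in the new `zscaler internet access` / `network-session` block that is fully visible here (`policy_name`, `session_id`, `connection_id`, `src_country`, `src_zen_code`, `host_zen_code`, `host_ip`, `app`, `app_group`, `session_start`, `session_end`, `bytes_in`, `bytes_out`, `host_bytes_in`, `host_bytes_out`, `policy_runtime`, `ca_runtime`, `app_learntime`) is `"detection": "0"` / `"informational": "1"`; `src_country`, `host_ip`, `app` and `policy_name` are the attributes a detection would actually filter on, so consider promoting those to `detection`. `src_zen_code` and `host_zen_code` are vendor-specific names that nobody outside Zscaler will recognise; a short description of what they carry belongs in the commit message or alongside the field definitions. This hunk also removes the `unix` `group-member-add`, `email-receive`, `email-send` and `process-create` activity types, presumably as part of the same move, which is worth stating explicitly.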
@@ -38370,393 +49684,547 @@
}
}
},
- "file-read": {
+ "http-session": {
"fields": {
- "access": {
- "Status": "Legacy",
+ "risk_level": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "group_id": {
+ "location": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "src_ip": {
+ }
+ }
+ },
+ "alert-trigger": {
+ "fields": {
+ "additional_info": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "process_command_line": {
+ "app": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "bytes": {
- "Status": "Legacy",
+ "browser": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "event_category": {
+ "department": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "operation_type": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
},
- "operation": {
+ "dlp_dict": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "file_owner": {
+ "domain": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "src_host": {
+ "file_name": {
"Status": "Legacy",
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "hash_md5": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "account": {
+ "result": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user_id": {
+ "policy": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "user": {
+ "protocol": {
"Status": "Legacy",
- "core": "1",
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "process_id": {
- "core": "0",
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "service_name": {
+ "target": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "parent_process_id": {
+ "user": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "event_subtype": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "process_name": {
- "Status": "Legacy",
+ "user_agent": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
}
}
+ }
+ }
+ },
+ "zscaler private access": {
+ "expression": "product = \"zscaler private access\"",
+ "fields": {
+ "user": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
},
- "user-create": {
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ },
+ "activity_type": {
+ "vpn-login": {
"fields": {
- "group_id": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "process_command_line": {
+ "bytes_in": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "event_category": {
+ "bytes_out": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "operation_type": {
+ "connection_status": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "file_owner": {
+ "informational": "1"
+ }
+ }
+ },
+ "vpn-logout": {
+ "fields": {
+ "bytes_in": {
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "src_host": {
+ "bytes_out": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "dest_user_id": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "user_id": {
+ "connection_status": {
"core": "0",
- "detection": "0",
- "informational": "0"
- },
- "user": {
- "Status": "Legacy",
- "core": "1",
"detection": "1",
"informational": "0"
- },
- "file_path": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "process_id": {
+ }
+ }
+ }
+ }
+ },
+ "forcepoint dlp": {
+ "expression": "product = \"forcepoint dlp\"",
+ "fields": {},
+ "activity_type": {
+ "peripheral_storage-activity": {
+ "fields": {
+ "operation_details": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "service_name": {
+ "file_name": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "parent_process_id": {
+ "file_path": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "process_name": {
+ "file_dir": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "src_ip": {
+ "file_ext": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
}
}
},
- "user-delete": {
+ "alert-trigger": {
"fields": {
- "group_id": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "process_command_line": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "event_category": {
+ "email_attachment": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "operation_type": {
+ "bytes": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "file_owner": {
+ "bytes_unit": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_host": {
+ "domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_user_id": {
+ "extension": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user_id": {
+ "external_address": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user": {
+ "file_name": {
"Status": "Legacy",
"core": "1",
- "detection": "1",
- "informational": "0"
- },
- "file_path": {
- "core": "0",
"detection": "0",
"informational": "0"
},
- "process_id": {
+ "url": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "service_name": {
+ "result": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "parent_process_id": {
+ "recipients": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process_name": {
- "core": "0",
+ "sender": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "0",
"informational": "0"
},
- "src_ip": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- }
- }
- },
- "group-member-remove": {
- "fields": {
- "group_id": {
+ "src_host": {
"Status": "Legacy",
- "core": "0",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "process_command_line": {
- "core": "0",
- "detection": "0",
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
"informational": "0"
},
- "event_category": {
+ "email_subject": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "operation_type": {
+ "target": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "file_owner": {
+ "target_domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_host": {
+ "user": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "dest_user_id": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
- "user_id": {
+ "full_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "file_path": {
+ "first_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process_id": {
+ "last_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "service_name": {
+ "web_domain": {
"core": "0",
"detection": "0",
"informational": "0"
+ }
+ }
+ }
+ }
+ },
+ "vmware identity manager": {
+ "expression": "product = \"vmware identity manager\"",
+ "fields": {
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "object_type": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "object_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "object_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "device_type": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "resource_type": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user_agent": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "auth_method": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "redirect_url": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "os": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "os_version": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "os_type": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "app": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "app-login": {
+ "fields": {}
+ },
+ "app-activity": {
+ "fields": {
+ "app": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "parent_process_id": {
+ "result": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "process_name": {
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "src_ip": {
+ "user_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
}
}
},
- "user-password-modify": {
+ "app-authentication": {
"fields": {
- "group_id": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_command_line": {
+ "result": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_category": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation_type": {
+ "user_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
+ }
+ }
+ }
+ }
+ },
+ "vmware horizon": {
+ "expression": "product = \"vmware horizon\"",
+ "fields": {},
+ "activity_type": {
+ "app-authentication": {
+ "fields": {
+ "src_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
},
- "file_owner": {
+ "session_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "src_host": {
+ }
+ }
+ },
+ "vm_pool-delete": {
+ "fields": {
+ "app": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "dest_user_id": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user_id": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
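Review bot: The same three fields are classified differently between `vpn-login` and `vpn-logout` under `zscaler private access`: in `vpn-login`, `bytes_in`, `bytes_out` and `connection_status` carry `"Status": "Default"` with `"informational": "1"`, while in `vpn-logout` they are `"detection": "1"`, only `bytes_out` is tagged `"Status": "Legacy"`, and `bytes_in` and `connection_status` have no `Status` key at all. Byte counts and connection status mean the same thing on login and logout, so either align the logout block with the login block or state why logout traffic volume is a detection field. In the `forcepoint dlp` `alert-trigger` block, `file_name` and `sender` are `"core": "1"` with `"detection": "0"` and `"informational": "0"`, unlike every other `core: "1"` entry in this hunk, which pairs with `"detection": "1"`; and roughly fifteen fields there (`email_attachment`, `bytes_unit`, `domain`, `extension`, `external_address`, `url`, `result`, `recipients`, `email_subject`, `target`, `target_domain`, `full_name`, `first_name`, `last_name`, `web_domain`) are all zeros, so they carry no classification at all; either mark them `"informational": "1"` or drop them. Finally, `"enriched": "1"` on `domain_user_name` is a new key that appears in none of the removed lines; please document its meaning next to `core`, `detection` and `informational`, and say whether consumers of this file must treat a missing `enriched` key as `"0"`.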
@@ -38768,1014 +50236,856 @@
"detection": "1",
"informational": "0"
},
- "file_path": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_id": {
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "dest_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "service_name": {
+ }
+ }
+ },
+ "vm_pool-create": {
+ "fields": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "parent_process_id": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_name": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
+ "user": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "dest_ip": {
+ "domain": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "dest_host": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
}
},
- "endpoint-login": {
+ "user-permission-modify": {
"fields": {
- "process_dir": {
- "Status": "Default",
+ "app": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "group_id": {
- "Status": "Default",
+ "object": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "process_command_line": {
- "Status": "Default",
+ "additional_info": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "event_category": {
- "Status": "Default",
- "core": "0",
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "operation_type": {
- "Status": "Default",
+ "domain": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_code": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "user_id": {
- "Status": "Default",
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_owner": {
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
+ },
+ "vm_pool-endpoint-add": {
+ "fields": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_port": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_host": {
+ "additional_info": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "dest_ip": {
+ "user": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "login_id": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_name": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "src_port": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "auth": {
+ }
+ }
+ },
+ "vm_pool-endpoint-remove": {
+ "fields": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_path": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_id": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "service_name": {
+ "user": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "session_id": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "parent_process_id": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "process_name": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "src_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
}
}
},
- "file-write": {
- "fields": {}
- },
- "file-delete": {
+ "configuration-modify": {
"fields": {
- "dest_ip": {
+ "app": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "object": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "dest_host": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "operation": {
"core": "0",
"detection": "0",
"informational": "0"
}
}
},
- "file-permission-modify": {
+ "vm_pool-modify": {
"fields": {
- "group_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "process_command_line": {
+ "app": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes": {
+ "object": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_category": {
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation_type": {
+ "user": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "operation": {
+ "domain": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_owner": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "src_host": {
+ "dest_host": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "account": {
+ "operation": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
+ }
+ }
+ },
+ "folder-create": {
+ "fields": {
+ "app": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "access": {
- "Status": "Legacy",
+ "object": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "user_id": {
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
"user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "process_id": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "service_name": {
+ "domain": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "parent_process_id": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "event_subtype": {
+ "dest_host": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "process_name": {
- "Status": "Legacy",
+ "operation": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
},
- "user-lock": {
+ "folder-modify": {
"fields": {
- "auth_method": {
+ "app": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_code": {
+ "object": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- }
- }
- },
- "vbcorp vbcorp+a1228:a1254": {
- "expression": "product = vbcorp vbcorp+A1228:A1254",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
- "fields": {
- "domain": {
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "malware_url": {
+ "user": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "result": {
+ "domain": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "src_host": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
+ "informational": "1"
},
- "src_mac": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
- "user": {
- "Status": "Legacy",
+ "dest_host": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- }
- }
- },
- "vectra cognito": {
- "expression": "product = vectra cognito",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
- "fields": {
- "dest_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
},
- "src_host": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
}
- }
- }
- },
- "vmware carbon black app control": {
- "expression": "product = vmware carbon black app control",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
+ },
+ "folder-delete": {
"fields": {
- "additional_info": {
+ "app": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "alert_id": {
- "Status": "Legacy",
+ "object": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_host": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "direction": {
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "domain": {
+ "user": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "file_path": {
- "Status": "Legacy",
+ "domain": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "malware_url": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "malware_url_path": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
- "process_name": {
- "Status": "Legacy",
+ "dest_host": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "src_host": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "user": {
- "Status": "Legacy",
+ "operation": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
}
}
- }
- }
- },
- "vmware carbon black endpoint": {
- "expression": "product = vmware carbon black endpoint",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
+ },
+ "policy-modify": {
"fields": {
- "additional_info": {
+ "app": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "alert_id": {
- "Status": "Legacy",
+ "object": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_host": {
- "Status": "Legacy",
+ "additional_info": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "dest_ip": {
- "Status": "Legacy",
- "core": "1",
+ "user": {
+ "Status": "Default",
+ "core": "0",
"detection": "1",
"informational": "0"
},
"domain": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "malware_url": {
- "core": "0",
- "detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "operating_system": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
- "process_name": {
- "Status": "Legacy",
+ "dest_host": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "src_host": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "user": {
- "Status": "Legacy",
+ "operation": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
}
}
- }
- }
- },
- "vmware carbon black edr": {
- "expression": "product = vmware carbon black edr",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
+ },
+ "policy-delete": {
"fields": {
- "dest_host": {
- "Status": "Legacy",
+ "app": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "dest_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
+ "object": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "dest_port": {
- "Status": "Legacy",
+ "additional_info": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "malware_url": {
+ "domain": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "src_host": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
},
- "src_ip": {
- "Status": "Legacy",
- "core": "1",
+ "dest_host": {
+ "Status": "Default",
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
+ "operation": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
}
}
- }
- }
- },
- "wazuh siem": {
- "expression": "product = wazuh siem",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
+ },
+ "role-create": {
"fields": {
- "additional_info": {
+ "app": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "agent_id": {
+ "object": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "agent_name": {
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "data": {
+ "user": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "decoder_name": {
+ "domain": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "description": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
- "dest_user": {
+ "dest_host": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "event_name_name": {
+ "operation": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "log_location": {
+ "informational": "1"
+ }
+ }
+ },
+ "role-modify": {
+ "fields": {
+ "app": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "log_path": {
+ "object": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "result": {
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "rule_id": {
+ "user": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "0"
- },
- "src_host": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "Status": "Legacy",
- "core": "1",
"detection": "1",
"informational": "0"
},
- "wazuh_manager": {
+ "domain": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- }
- }
- }
- }
- },
- "event viewer - system": {
- "expression": "product = \"event viewer - system\"",
- "fields": {
- "user": {
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "log_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "event_code": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "event_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dest_host": {
- "core": "1",
- "detection": "1",
- "informational": "0"
- }
- },
- "activity_type": {
- "service-create": {
- "fields": {
- "file_name": {
+ "informational": "1"
+ },
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
- "file_path": {
+ "dest_host": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "file_dir": {
+ "operation": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "file_ext": {
+ "informational": "1"
+ }
+ }
+ },
+ "role-delete": {
+ "fields": {
+ "app": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "service_command_line": {
+ "object": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "service_type": {
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
+ "informational": "1"
+ },
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
"informational": "0"
},
- "service_start_type": {
- "Status": "Legacy",
+ "domain": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_user": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "dest_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
"informational": "0"
},
- "dest_domain": {
+ "operation": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
}
}
- }
- }
- },
- "event viewer - printservice": {
- "expression": "product = \"event viewer - printservice\"",
- "fields": {
- "user": {
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_host": {
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "log_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "event_code": {
- "core": "0",
- "detection": "0",
- "informational": "1"
},
- "event_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "printer-activity": {
+ "user-modify": {
"fields": {
- "file_name": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "file_path": {
+ "app": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "file_dir": {
+ "object": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "file_ext": {
+ "additional_info": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "printer_name": {
+ "user": {
"Status": "Legacy",
"core": "1",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "printer_port": {
+ "domain": {
+ "Status": "Legacy",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "bytes_out": {
+ "domain_user_name": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
},
- "num_pages": {
+ "dest_host": {
"Status": "Legacy",
"core": "0",
- "detection": "1",
+ "detection": "0",
+ "informational": "1"
+ },
+ "operation": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
}
}
- }
- }
- },
- "event viewer - powershell": {
- "expression": "product = \"event viewer - powershell\"",
- "fields": {},
- "activity_type": {
- "printer-activity": {
- "fields": {}
- }
- }
- },
- "mssql": {
- "expression": "product = \"mssql\"",
- "fields": {
- "user": {
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "src_host": {
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "service_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "user_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dest_user": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_domain": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_user_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dest_host": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "result": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "event_code": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "db_name": {
- "core": "1",
- "detection": "1",
- "informational": "0"
},
- "event_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "database-login": {
- "fields": {}
- },
- "database-query": {
+ "endpoint-login": {
"fields": {
- "schema_name": {
+ "dest_ip": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "table_name": {
- "Status": "Legacy",
+ "user_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "resource": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
+ },
+ "object_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ }
+ }
+ },
+ "vmware view": {
+ "expression": "product = \"vmware view\"",
+ "fields": {},
+ "activity_type": {
+ "endpoint-login": {
+ "fields": {
+ "user_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
}
},
- "database-delete": {
+ "app-login": {
"fields": {
- "operation": {
+ "src_ip": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
}
}
- }
- }
- },
- "event viewer - dnsserver": {
- "expression": "product = \"event viewer - dnsserver\"",
- "fields": {
- "protocol": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dns_query_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "result": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "bytes_out": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "operation": {
- "core": "0",
- "detection": "1",
- "informational": "0"
},
- "process_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "dns-request": {
+ "user-password-modify": {
"fields": {}
},
- "dns-response": {
- "fields": {}
+ "app-activity": {
+ "fields": {
+ "object_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
}
}
},
- "event viewer - adfs": {
- "expression": "product = \"event viewer - adfs\"",
+ "vmware esxi": {
+ "expression": "product = \"vmware esxi\"",
"fields": {
"event_name": {
"core": "0",
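Review bot: the removed `event viewer - dnsserver` and `event viewer - adfs` entries (the `-` block from `"event viewer - dnsserver": {` through the adfs `"expression"` line) have no replacement in this hunk, so please confirm they are relocated elsewhere in the file rather than dropped; the DNS server block was the only place `result` and `operation` were flagged `detection: "1"` for that source, and losing it would silently weaken any DNS-based rule that relies on those flags. Separately, in the new `vmware view` entry the `endpoint-login` activity carries only `user_id` at `informational: "1"`, while its sibling `app-login` marks `src_ip` as `detection: "1"` and the `endpoint-login` just above marks `dest_ip` as `detection: "1"`; if the login user is meant to be a detection pivot for this product, the flags should say so, and if not, a short comment on why would help the next reader.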
@@ -39784,105 +51094,29 @@
}
},
"activity_type": {
- "dns-response": {
- "fields": {}
- },
- "endpoint-authentication": {
- "fields": {}
- }
- }
- },
- "event viewer - nps": {
- "expression": "product = \"microsoft nps\"",
- "fields": {
- "auth_server": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "auth_method": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_mac": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "location": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "network": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "event_code": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "authentication_type": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dest_ip": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_host": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "user_type": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "access_type": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "endpoint-authentication": {
- "fields": {}
+ "endpoint-login": {
+ "fields": {
+ "user_agent": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
}
}
},
- "event viewer - terminalservices-gateway": {
- "expression": "product = \"event viewer - terminalservices-gateway\"",
- "fields": {
- "event_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "event_code": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
+ "vmware vcenter": {
+ "expression": "product = \"vmware vcenter\"",
+ "fields": {},
"activity_type": {
- "endpoint-login": {
+ "app-activity": {
"fields": {
"src_ip": {
"Status": "Default",
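Review bot: the removed `event viewer - nps` block keyed its entry under one name but matched on `"expression": "product = \"microsoft nps\""`; if that block is being re-added elsewhere, align the key and the expression at the new location, and carry over `auth_method`, `src_mac` and `location`, which were its only `detection: "1"` fields. The same applies to `event viewer - terminalservices-gateway`, whose `endpoint-login` had `src_ip` and `dest_ip` at `detection: "1"`; nothing in this hunk re-creates those, so a pointer to where they now live (or an explicit note that they are dropped) belongs in the commit message.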
@@ -39890,13 +51124,17 @@
"detection": "1",
"informational": "0"
},
- "dest_ip": {
+ "user": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
- },
- "protocol": {
+ }
+ }
+ },
+ "endpoint-login": {
+ "fields": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -39906,69 +51144,65 @@
}
}
},
- "event viewer - dhcp-server": {
- "expression": "product = \"event viewer - dhcp-server\"",
+ "trend micro interscan web security": {
+ "expression": "product = \"trend micro interscan web security\"",
"fields": {},
"activity_type": {
- "endpoint-login": {
+ "http-session": {
"fields": {}
}
}
},
- "event viewer - dhcp-client": {
- "expression": "product = \"event viewer - dhcp-client\"",
+ "officescan": {
+ "expression": "product = \"officescan\"",
"fields": {},
"activity_type": {
- "endpoint-login": {
+ "peripheral_storage-activity": {
"fields": {}
+ },
+ "http-session": {
+ "fields": {
+ "src_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
}
}
},
- "microsoft rras": {
- "expression": "product = \"microsoft rras\"",
+ "deep discovery inspector": {
+ "expression": "product = \"deep discovery inspector\"",
"fields": {
- "session_id": {
+ "src_ip": {
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
+ },
+ "result": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
}
},
"activity_type": {
- "vpn-authentication": {
+ "app-login": {
"fields": {}
},
- "vpn-login": {
+ "user-password-modify": {
"fields": {}
- },
- "vpn-logout": {
- "fields": {
- "session_min": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "session_sec": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "bytes_out": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "bytes_in": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- }
- }
}
}
},
- "zscaler internet access": {
- "expression": "product = \"zscaler internet access\"",
+ "safend dps": {
+ "expression": "product = \"safend dps\"",
"fields": {
"user": {
"core": "1",
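Review bot: this hunk pairs the removal of `microsoft rras` (`vpn-authentication`, `vpn-login`, `vpn-logout`) with the addition of `deep discovery inspector`, so confirm the RRAS entry is moved rather than dropped; if it is re-added, its `vpn-logout` fields `session_min`, `session_sec` and `bytes_in` carried `core`, `detection` and `informational` all at `"0"`, and should be given a meaningful flag or left out rather than copied forward as-is. Also, `deep discovery inspector` declares `app-login` and `user-password-modify` with empty `fields` while its product-level `src_ip` and `result` are `detection: "1"`; a line on which source events map to those two activity types would help, since the product-level fields read like sensor alert fields rather than authentication fields.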
@@ -39980,198 +51214,249 @@
"detection": "1",
"informational": "0"
},
- "result": {
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "operation": {
"core": "0",
"detection": "0",
"informational": "1"
}
},
"activity_type": {
- "dns-response": {
+ "peripheral_storage-activity": {
+ "fields": {}
+ },
+ "file-write": {
"fields": {
- "duration": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "category": {
+ "device_id": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "department": {
+ "device_type": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "location": {
+ "os": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "rule": {
+ "bytes_in": {
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
}
}
},
- "app-login": {
+ "file-read": {
"fields": {
- "src_ip": {
- "Status": "Default",
+ "device_id": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "bytes_in": {
- "Status": "Default",
+ "device_type": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes_out": {
- "Status": "Default",
+ "os": {
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "client_type": {
- "Status": "Default",
+ "bytes_out": {
"core": "0",
"detection": "0",
"informational": "1"
}
}
- },
+ }
+ }
+ },
+ "deep security": {
+ "expression": "product = \"deep security\"",
+ "fields": {},
+ "activity_type": {
"network-session": {
"fields": {
- "policy_name": {
+ "bytes_in": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "session_id": {
+ "bytes_out": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "connection_id": {
+ "user": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "src_country": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_zen_code": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "host_zen_code": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "host_ip": {
+ "file_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "application": {
+ "file_path": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "app_group": {
+ "file_dir": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "session_start": {
+ "file_ext": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "session_end": {
+ "hash_md5": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes_in": {
+ "hash_sha1": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes_out": {
+ "hash_sha256": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "host_bytes_in": {
+ }
+ }
+ }
+ }
+ },
+ "symantec virtual secure web gateway": {
+ "expression": "product = \"symantec virtual secure web gateway\"",
+ "fields": {},
+ "activity_type": {
+ "http-session": {
+ "fields": {}
+ }
+ }
+ },
+ "symantec dlp": {
+ "expression": "product = \"symantec dlp\"",
+ "fields": {
+ "user": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "src_host": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ },
+ "activity_type": {
+ "peripheral_storage-activity": {
+ "fields": {
+ "process_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "host_bytes_out": {
+ "process_path": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "policy_runtime": {
+ "process_dir": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "ca_runtime": {
+ "file_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "app_learntime": {
+ "file_path": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "direction": {
+ "file_dir": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "http-session": {
- "fields": {
- "risk_level": {
+ },
+ "file_ext": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "location": {
+ "bytes": {
"Status": "Default",
"core": "0",
"detection": "0",
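Review bot: in `safend dps` the flags for `os` flip between sibling activities: `file-write` has `os` at `detection: "0"`, `informational: "1"` while `file-read` has it at `detection: "1"`, `informational: "0"`, and likewise `bytes_in` is a detection field on `file-write` but `bytes_out` is informational on `file-read`; if that is deliberate (write volume to removable media mattering more than read volume) a comment would help, otherwise it looks like a copy slip. This hunk also introduces a fourth flag, `"enriched": "1"`, on `domain_user_name` (safend dps, deep security) with the other three flags at `"0"` and no `Status`; please document what consumers do with `enriched` and whether it may coexist with `core`/`detection`/`informational`, since nothing in the visible schema describes it.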
@@ -40179,193 +51464,124 @@
}
}
},
- "alert-trigger": {
+ "file-write": {
"fields": {
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "application": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "browser": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "department": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "dest_ip": {
+ "process_name": {
"Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "dlp_dict": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "domain": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "file_name": {
+ "process_path": {
"Status": "Legacy",
- "core": "1",
- "detection": "0",
- "informational": "0"
- },
- "hash_md5": {
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "result": {
+ "process_dir": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "policy": {
+ "bytes_in": {
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "protocol": {
+ "device_id": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "src_ip": {
+ "device_type": {
"Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "target": {
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "user": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "user_agent": {
+ "informational": "1"
+ }
+ }
+ },
+ "peripheral_storage-insert": {
+ "fields": {
+ "operation_details": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
}
}
- }
- }
- },
- "zscaler private access": {
- "expression": "product = \"zscaler private access\"",
- "fields": {
- "user": {
- "core": "1",
- "detection": "1",
- "informational": "0"
},
- "domain": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- },
- "activity_type": {
- "vpn-login": {
+ "file-delete": {
"fields": {
- "bytes_in": {
- "Status": "Default",
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes_out": {
- "Status": "Default",
+ "process_path": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "connection_status": {
- "Status": "Default",
+ "process_dir": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "vpn-logout": {
- "fields": {
+ },
"bytes_in": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "bytes_out": {
- "Status": "Legacy",
+ "device_id": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "connection_status": {
+ "device_type": {
"core": "0",
"detection": "1",
"informational": "0"
}
}
- }
- }
- },
- "forcepoint dlp": {
- "expression": "product = \"forcepoint dlp\"",
- "fields": {},
- "activity_type": {
- "peripheral_storage-activity": {
+ },
+ "file-read": {
"fields": {
- "operation_details": {
- "Status": "Default",
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_name": {
- "Status": "Default",
+ "process_path": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "file_path": {
- "Status": "Default",
+ "process_dir": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_dir": {
- "Status": "Default",
+ "bytes_in": {
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "file_ext": {
- "Status": "Default",
+ "device_id": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "device_type": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
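Review bot: `symantec dlp` `file-delete` has `device_id` at `detection: "0"`, `informational: "1"` and `device_type` at `detection: "1"`, `informational: "0"`, which is the reverse of the `file-write` and `file-read` siblings in this hunk (`device_id` detection, `device_type` informational), and both entries lose the `"Status": "Legacy"` the siblings carry; `process_path` likewise drops from `detection: "1"` to `"0"` only in `file-delete`. Please confirm the swap is intended or bring `file-delete` in line with the other two, since a device-control detection that pivots on `device_id` for writes and reads but not deletes is hard to reason about.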
@@ -40374,446 +51590,317 @@
},
"alert-trigger": {
"fields": {
- "email_attachment": {
+ "operation": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "bytes": {
- "Status": "Legacy",
+ "additional_info": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "bytes_unit": {
+ "alert_id": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "domain": {
+ "email_attachment": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "extension": {
+ "bytes": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "external_address": {
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "file_name": {
+ "dest_ip": {
"Status": "Legacy",
"core": "1",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "url": {
+ "device_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "result": {
+ "device_type": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "recipients": {
+ "direction": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "sender": {
- "Status": "Legacy",
- "core": "1",
+ "email_id": {
+ "core": "0",
"detection": "0",
"informational": "0"
},
- "src_host": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
+ "file_name": {
"Status": "Legacy",
"core": "1",
- "detection": "1",
- "informational": "0"
- },
- "email_subject": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "target": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "target_domain": {
- "core": "0",
"detection": "0",
"informational": "0"
},
- "user": {
+ "file_path": {
"Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "full_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "first_name": {
+ "file_dir": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "last_name": {
+ "external_address": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "web_domain": {
+ "file_ext": {
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- }
- }
- },
- "vmware identity manager": {
- "expression": "product = \"vmware identity manager\"",
- "fields": {
- "src_host": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "user": {
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "object_type": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "object_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "object_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "device_type": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "resource_type": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "user_agent": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "auth_method": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "redirect_url": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "event_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "operating_system": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "operating_system_version": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "operating_system_type": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "application": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "app-login": {
- "fields": {}
- },
- "app-activity": {
- "fields": {
- "application": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "result": {
- "Status": "Default",
+ },
+ "url": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "additional_info": {
- "Status": "Default",
+ "occured_time": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "user_id": {
- "Status": "Default",
+ "original_user": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "app-authentication": {
- "fields": {
- "application": {
- "Status": "Default",
+ "informational": "0"
+ },
+ "os": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
"result": {
- "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "additional_info": {
- "Status": "Default",
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "user_id": {
- "Status": "Default",
+ "process_path": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_dir": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- }
- }
- },
- "vmware horizon": {
- "expression": "product = \"vmware horizon\"",
- "fields": {},
- "activity_type": {
- "app-authentication": {
- "fields": {
- "src_ip": {
- "Status": "Default",
+ "informational": "0"
+ },
+ "protocol": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "session_id": {
- "Status": "Default",
+ "recipient": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "vm_pool-delete": {
- "fields": {
- "application": {
- "Status": "Default",
+ "informational": "0"
+ },
+ "recipients": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "object": {
- "Status": "Default",
+ "recorded_time": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "additional_info": {
- "Status": "Default",
- "core": "0",
+ "sender": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "user": {
- "Status": "Default",
- "core": "0",
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "domain": {
- "Status": "Default",
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "email_subject": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_host": {
- "Status": "Default",
+ "target": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "user": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "operation": {
- "Status": "Default",
+ "web_domain": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
+ }
+ }
+ },
+ "symantec vip": {
+ "expression": "product = \"symantec vip\"",
+ "fields": {},
+ "activity_type": {
+ "app-authentication": {
+ "fields": {}
},
- "vm_pool-create": {
+ "app-logout": {
"fields": {
- "application": {
+ "src_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "object": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "user_agent": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "user": {
+ }
+ }
+ },
+ "app-activity": {
+ "fields": {
+ "src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "domain": {
+ "user_agent": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_host": {
+ "user": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "operation": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
- "user-permission-modify": {
+ "user-password-forget": {
"fields": {
- "application": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "object": {
+ "src_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "additional_info": {
+ "user_agent": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
"user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "0",
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
"informational": "0"
},
"domain": {
- "Status": "Legacy",
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_host": {
- "Status": "Legacy",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
"operation": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
}
}
},
- "vm_pool-endpoint-add": {
+ "user-search": {
"fields": {
- "application": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "object": {
+ "src_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "additional_info": {
+ "user_agent": {
"Status": "Default",
"core": "0",
"detection": "0",
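Review bot: the `symantec dlp` `alert-trigger` block adds a field named `occured_time`, which is misspelled; if the rest of the schema already uses that spelling, keep it for consistency and note it, otherwise rename it to `occurred_time` before the name gets baked into parsers and saved searches. The same block defines both `recipient` and `recipients` with identical all-zero flags, and a large share of its fields (`operation`, `additional_info`, `email_attachment`, `device_id`, `device_type`, `direction`, `email_id`, `external_address`, `file_ext`, `url`, `original_user`, `os`, `result`, `recorded_time`, `email_subject`, `target`, `web_domain`) have `core`, `detection` and `informational` all at `"0"`; state somewhere in the file what an all-zero field means (retained but unscored, or a placeholder) so reviewers can tell intent from omission. Finally, `vmware identity manager` and `vmware horizon` are removed here in full, including `user_agent` and `src_ip` at `detection: "1"` for identity manager; confirm they are relocated rather than dropped.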
@@ -40831,6 +51918,12 @@
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"operation": {
"Status": "Default",
"core": "0",
@@ -40839,21 +51932,15 @@
}
}
},
- "vm_pool-endpoint-remove": {
+ "user-device-remember": {
"fields": {
- "application": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "object": {
+ "src_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "additional_info": {
+ "user_agent": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -40871,6 +51958,12 @@
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"operation": {
"Status": "Default",
"core": "0",
@@ -40879,37 +51972,35 @@
}
}
},
- "configuration-modify": {
+ "user-modify": {
"fields": {
- "application": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "object": {
+ "src_ip": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "additional_info": {
+ "user_agent": {
"core": "0",
"detection": "0",
"informational": "0"
},
"user": {
- "core": "0",
+ "Status": "Legacy",
+ "core": "1",
"detection": "0",
"informational": "0"
},
"domain": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "dest_host": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
"operation": {
"core": "0",
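Review bot: in `symantec vip` `user-modify` the `src_ip` and `user_agent` fields are added with `core`, `detection` and `informational` all at `"0"`, whereas every sibling activity in this product (`app-logout`, `app-activity`, `user-password-forget`, `user-search`, `user-device-remember`) marks `src_ip` as `detection: "1"`; an account-modification event is exactly where the source address is most useful to a detection, so either flag it or document why it is intentionally dropped here. The block also sets `user` and `domain` to `"Status": "Legacy"` (with `user` at `core: "1"`, `detection: "0"`) while the siblings are `Default` with `user` at `detection: "1"`; please confirm that difference is intended rather than inherited from an older entry.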
@@ -40917,138 +52008,268 @@
"informational": "0"
}
}
+ }
+ }
+ },
+ "symantec critical system protection": {
+ "expression": "product = \"symantec critical system protection\"",
+ "fields": {
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "rule": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "policy_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "session_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "login_type": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_code": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "result": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "user-switch": {
+ "fields": {
+ "process_name": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
},
- "vm_pool-modify": {
+ "user-modify": {
"fields": {
- "application": {
- "Status": "Default",
+ "old_attribute": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
- "Status": "Default",
+ "new_attribute": {
"core": "0",
"detection": "0",
"informational": "1"
- },
- "additional_info": {
- "Status": "Default",
+ }
+ }
+ },
+ "user-create": {
+ "fields": {
+ "group_name": {
"core": "0",
"detection": "0",
"informational": "1"
- },
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "Status": "Default",
+ }
+ }
+ },
+ "user-delete": {
+ "fields": {}
+ },
+ "group-delete": {
+ "fields": {}
+ },
+ "group-create": {
+ "fields": {}
+ },
+ "group-modify": {
+ "fields": {
+ "old_attribute": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_host": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "operation": {
- "Status": "Default",
+ "new_attribute": {
"core": "0",
"detection": "0",
"informational": "1"
}
}
},
- "folder-create": {
+ "endpoint-login": {
"fields": {
- "application": {
+ "process_path": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "process_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "parent_process_path": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
+ "event_name": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
- },
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ }
+ }
+ },
+ "symantec web security service": {
+ "expression": "product = \"symantec web security service\"",
+ "fields": {},
+ "activity_type": {
+ "http-session": {
+ "fields": {
"domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_host": {
+ "user_id": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "operation": {
+ "process_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "proxy_action": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
- },
- "folder-modify": {
+ }
+ }
+ },
+ "symantec fireglass": {
+ "expression": "product = \"symantec fireglass\"",
+ "fields": {},
+ "activity_type": {
+ "http-session": {
"fields": {
- "application": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "additional_info": {
+ }
+ }
+ }
+ }
+ },
+ "symantec advanced threat protection": {
+ "expression": "product = \"symantec advanced threat protection\"",
+ "fields": {
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "event_code": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "process-create": {
+ "fields": {
+ "src_port": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
+ "dest_port": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_host": {
+ "hash_md5": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "operation": {
+ "bytes": {
"Status": "Default",
"core": "0",
"detection": "0",
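Review bot: `symantec advanced threat protection` `process-create` marks `hash_md5` as `informational: "1"`, `detection: "0"`, while the same product's `file-write` and `file-delete` in the following hunk put `hash_md5` at `detection: "1"`; a process-creation event is where a file hash is most often matched against indicators, so the informational-only flag here looks like an oversight. In the visible lines that activity carries `src_port` and `dest_port` but no process name, path or command-line field; if the source emits those for process creation they belong here before ports do. Also note that the product-level `event_code` is `informational: "1"` while the following hunk adds an activity-level `event_code` in `alert-trigger` with all three flags at `"0"`; whether activity-level entries override or merge with product-level ones should be stated, because under override semantics that entry silently demotes the field for alerts.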
@@ -41056,325 +52277,493 @@
}
}
},
- "folder-delete": {
+ "file-write": {
"fields": {
- "application": {
- "Status": "Default",
+ "src_host": {
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "object": {
- "Status": "Default",
+ "src_port": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
- "Status": "Default",
+ "dest_port": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
- "Status": "Default",
+ "hash_md5": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "bytes": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "file-delete": {
+ "fields": {
+ "src_host": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "domain": {
- "Status": "Default",
+ "src_port": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_port": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_host": {
- "Status": "Default",
+ "hash_md5": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "operation": {
- "Status": "Default",
+ "bytes": {
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
}
}
},
- "policy-modify": {
+ "alert-trigger": {
"fields": {
- "application": {
- "Status": "Default",
+ "additional_info": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "object": {
- "Status": "Default",
+ "process_command_line": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "additional_info": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
},
- "user": {
- "Status": "Default",
+ "dest_port": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "domain": {
- "Status": "Default",
+ "event_code": {
"core": "0",
"detection": "0",
- "informational": "1"
- },
- "dest_host": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
"informational": "0"
},
- "operation": {
- "Status": "Default",
- "core": "0",
+ "file_name": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "policy-delete": {
- "fields": {
- "application": {
- "Status": "Default",
+ "informational": "0"
+ },
+ "file_dir": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
- "Status": "Default",
+ "file_path": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
- "Status": "Default",
+ "file_ext": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "user": {
- "Status": "Default",
+ "bytes": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "domain": {
- "Status": "Default",
+ "hash_md5": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_host": {
- "Status": "Default",
- "core": "0",
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "operation": {
- "Status": "Default",
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_port": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "user_sid": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
}
}
+ }
+ }
+ },
+ "stealthintercept": {
+ "expression": "product = \"stealthintercept\"",
+ "fields": {
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
},
- "role-create": {
+ "dest_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
+ "activity_type": {
+ "user-enable": {
+ "fields": {}
+ },
+ "user-disable": {
+ "fields": {}
+ },
+ "group-member-add": {
+ "fields": {}
+ },
+ "group-member-remove": {
+ "fields": {}
+ },
+ "ds_object-modify": {
"fields": {
- "application": {
+ "old_attribute": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "new_attribute": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "additional_info": {
- "Status": "Default",
+ }
+ }
+ },
+ "file-read": {
+ "fields": {
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
- "Status": "Default",
+ "access": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
- },
- "domain": {
- "Status": "Default",
+ }
+ }
+ },
+ "file-write": {
+ "fields": {
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_host": {
- "Status": "Default",
+ "access": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
- },
- "operation": {
- "Status": "Default",
+ }
+ }
+ },
+ "file-permission-modify": {
+ "fields": {
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "access": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
}
}
},
- "role-modify": {
+ "endpoint-login": {
"fields": {
- "application": {
+ "auth_method": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "ds_object_out": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "additional_info": {
+ }
+ }
+ }
+ }
+ },
+ "sophos endpoint protection": {
+ "expression": "product = sophos endpoint protection",
+ "fields": {
+ "user": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "src_host": {
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "alert_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "alert_type": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "alert_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "peripheral_storage-activity": {
+ "fields": {
+ "bytes": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
+ "file_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_host": {
+ "src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
- },
- "operation": {
- "Status": "Default",
+ }
+ }
+ },
+ "network-session": {
+ "fields": {}
+ },
+ "peripheral_storage-insert": {
+ "fields": {
+ "src_ip": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
}
}
},
- "role-delete": {
+ "http-session": {
"fields": {
- "application": {
+ "src_host": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "object": {
+ "malware_url": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
+ }
+ }
+ },
+ "alert-trigger": {
+ "fields": {
"additional_info": {
- "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "1"
- },
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
"informational": "0"
},
- "domain": {
- "Status": "Default",
+ "alert_id": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
"dest_host": {
- "Status": "Default",
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "operation": {
- "Status": "Default",
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "device_id": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "user-modify": {
- "fields": {
- "application": {
+ "informational": "0"
+ },
+ "domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "object": {
+ "malware_url": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "additional_info": {
+ "result": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user": {
+ "src_host": {
"Status": "Legacy",
"core": "1",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "domain": {
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
"Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "dest_host": {
+ "access": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "file_name": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "file_dir": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "file_path": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
}
}
+ }
+ }
+ },
+ "sophos xg firewall": {
+ "expression": "product = \"sophos xg firewall\"",
+ "fields": {
+ "user": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
},
- "endpoint-login": {
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
+ "activity_type": {
+ "vpn-login": {
"fields": {
"dest_ip": {
"Status": "Default",
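Review bot: the selector for the new `sophos endpoint protection` entry is `"expression": "product = sophos endpoint protection"`, with the product name unquoted, while every other selector in this hunk wraps the value in escaped quotes (`"expression": "product = \"stealthintercept\""`, `"expression": "product = \"sophos xg firewall\""`). A three-word bare value is unlikely to parse the same way as a quoted string, so either the expression fails to compile or the product never matches and none of the field weights under it ever apply; change it to `"product = \"sophos endpoint protection\""` and, if the loader does not already do so, add a start-up check that every `expression` parses. Separately, `domain_user_name` carries a fourth key, `"enriched": "1"`, that no other field has and that appears only on fields whose three weights are all `0`; a line in the schema documentation saying what `enriched` means (a value derived after parsing rather than taken from the event?) would help the next reader.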
@@ -41382,152 +52771,87 @@
"detection": "1",
"informational": "0"
},
- "user_id": {
+ "protocol": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "resource": {
+ "src_port": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object_id": {
+ "dest_port": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- }
- }
- },
- "vmware view": {
- "expression": "product = \"vmware view\"",
- "fields": {},
- "activity_type": {
- "endpoint-login": {
- "fields": {
- "user_id": {
+ },
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "app-login": {
- "fields": {
- "src_ip": {
+ },
+ "src_interface": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_interface": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
}
},
- "user-password-modify": {
- "fields": {}
- },
- "app-activity": {
+ "network-session": {
"fields": {
- "object_id": {
+ "device_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- }
- }
- },
- "vmware esxi": {
- "expression": "product = \"vmware esxi\"",
- "fields": {
- "event_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "endpoint-login": {
- "fields": {
- "user_agent": {
+ },
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "src_interface": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- }
- }
- },
- "vmware vcenter": {
- "expression": "product = \"vmware vcenter\"",
- "fields": {},
- "activity_type": {
- "app-activity": {
- "fields": {
- "src_ip": {
+ },
+ "dest_interface": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "user": {
+ "src_country_code": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "endpoint-login": {
- "fields": {
- "operation": {
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_country_code": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
- }
- }
- },
- "trend micro interscan web security": {
- "expression": "product = \"interscan web security\"",
- "fields": {},
- "activity_type": {
- "http-session": {
- "fields": {}
- }
- }
- },
- "officescan": {
- "expression": "product = \"officescan\"",
- "fields": {},
- "activity_type": {
- "peripheral_storage-activity": {
- "fields": {}
},
- "http-session": {
- "fields": {
- "src_host": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "operation": {
+ "http-session": {
+ "fields": {
+ "file_name": {
"Status": "Default",
"core": "0",
"detection": "0",
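Review bot: this hunk removes whole product entries (`vmware view`, `vmware esxi`, `vmware vcenter`, `trend micro interscan web security`, `officescan`) while adding `sophos xg firewall`, and the diff pairs unrelated keys line by line (`- "user_id"` against `+ "protocol"`, `- "vmware view"` against the middle of `vpn-login`), so the patch alone cannot show whether those products were dropped or only moved. Please list in the PR description which products are removed on purpose, or regenerate the file with keys in a stable order so that moves read as moves. One detail to double-check in the added block: `sophos xg firewall` `network-session` adds `device_id` with `"Status": "Default"` and informational 1, whereas `sophos endpoint protection` `alert-trigger` earlier in this patch adds `device_id` with all three weights at `0` and no `Status`; if both are intended, the difference should be deliberate rather than a copy-paste leftover.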
@@ -41537,31 +52861,24 @@
}
}
},
- "deep discovery inspector": {
- "expression": "product = \"deep discovery inspector\"",
- "fields": {
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "result": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- },
+ "sophos utm": {
+ "expression": "product = \"sophos utm\"",
+ "fields": {},
"activity_type": {
- "app-login": {
- "fields": {}
- },
- "user-password-modify": {
- "fields": {}
+ "http-session": {
+ "fields": {
+ "domain": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
}
}
},
- "safend dps": {
- "expression": "product = \"safend dps\"",
+ "salesforce": {
+ "expression": "product = \"salesforce\"",
"fields": {
"user": {
"core": "1",
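Review bot: the new `sophos utm` entry maps `http-session` with a single field, `domain`, weighted informational 1 / detection 0. In every product block this patch adds, `domain` is the account's domain and carries detection 1 (`stealthintercept`, `sophos endpoint protection`, `sophos xg firewall` and `salesforce` all set `"domain": { "detection": "1" }` at product level). If `domain` here means the requested web domain of the proxied session, the weights are fine but the name collides with the user-domain field and will be joined against the wrong attribute; the removed `symantec dlp` block used `web_domain` for that, which is the less ambiguous name. If it really is the user's domain, the weights should match the other products.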
@@ -41573,95 +52890,132 @@
"detection": "1",
"informational": "0"
},
- "operation": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
}
},
"activity_type": {
- "peripheral_storage-activity": {
- "fields": {}
- },
- "file-write": {
+ "app-login": {
"fields": {
- "device_id": {
- "Status": "Legacy",
+ "dest_host": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "device_type": {
- "Status": "Legacy",
+ "browser": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operating_system": {
+ "user_agent": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes_in": {
+ "src_ip": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "os": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
}
},
- "file-read": {
+ "app-activity": {
"fields": {
- "device_id": {
- "Status": "Legacy",
+ "object": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "device_type": {
- "Status": "Legacy",
+ "bytes": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operating_system": {
+ "dest_user": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "bytes_out": {
+ "new_value": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- }
- }
- },
- "deep security": {
- "expression": "product = \"deep security agent\"",
- "fields": {},
- "activity_type": {
- "network-session": {
- "fields": {
- "bytes_in": {
+ },
+ "old_value": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes_out": {
+ "user_agent": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
+ "src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
+ }
+ }
+ },
+ "user-modify": {
+ "fields": {
+ "object": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
},
- "domain": {
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "new_value": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "old_value": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
+ },
+ "user-role-assign": {
+ "fields": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
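Review bot: `salesforce` `user-modify` sets `object`, `additional_info`, `new_value`, `old_value` and `operation` all to core 0 / detection 0 / informational 0 and omits `Status`, while the `app-activity` block directly above gives the same `new_value`, `old_value` and `additional_info` fields `"Status": "Default"` with informational 1. If all-zero means "parsed but never surfaced", say so in the PR and in the schema, because on a user modification the old and new values are exactly what an analyst wants on the record; compare `namespace rdirectory` `user-modify` later in this patch, where `old_attribute` and `new_attribute` are detection 1. If the zeros are a placeholder still to be filled in, the block should not ship in this state.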
@@ -41673,131 +53027,148 @@
"detection": "0",
"informational": "1"
},
- "file_name": {
+ "resource": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "role-delete": {
+ "fields": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_path": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_dir": {
+ "role_type": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
+ }
+ }
+ },
+ "configuration-modify": {
+ "fields": {
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
},
- "file_ext": {
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "object": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
+ },
+ "user-password-expire": {
+ "fields": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "hash_md5": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "hash_sha1": {
+ "resource": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "hash_sha256": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
- }
- }
- },
- "symantec virtual secure web gateway": {
- "expression": "product = \"symantec secure web gateway\"",
- "fields": {},
- "activity_type": {
- "http-session": {
- "fields": {}
- }
- }
- },
- "symantec dlp": {
- "expression": "product = \"symantec dlp\"",
- "fields": {
- "user": {
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_host": {
- "core": "1",
- "detection": "1",
- "informational": "0"
},
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- },
- "activity_type": {
- "peripheral_storage-activity": {
+ "role-create": {
"fields": {
- "process_name": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_path": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_dir": {
+ "role_type": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "role-modify": {
+ "fields": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_name": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_path": {
+ "role_type": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "role-permission-modify": {
+ "fields": {
+ "permission": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_dir": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_ext": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes": {
+ "role_type": {
"Status": "Default",
"core": "0",
"detection": "0",
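Review bot: `salesforce` `configuration-modify` zeroes `additional_info`, `operation` and `object` and carries no `Status`, whereas the neighbouring `role-delete` and `user-password-expire` blocks give the same `additional_info`/`operation`/`object` fields `"Status": "Default"` with informational 1, and the `palo alto ngfw` `configuration-modify` added later in this patch keeps `operation` and `object` at informational 1. A configuration change with no field weighted at all yields a record with nothing to display; either align it with the sibling blocks or state in the PR why Salesforce configuration changes are intentionally blank.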
@@ -41805,131 +53176,117 @@
}
}
},
- "file-write": {
+ "app-notification": {
"fields": {
- "process_name": {
- "Status": "Legacy",
+ "object": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_path": {
- "Status": "Legacy",
+ "resource": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "process_dir": {
- "Status": "Legacy",
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes_in": {
+ "operation": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
- },
- "device_id": {
- "Status": "Legacy",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "app-logout": {
+ "fields": {
+ "operation": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "device_type": {
- "Status": "Legacy",
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
},
- "peripheral_storage-insert": {
+ "user-create": {
"fields": {
- "operation_details": {
+ "additional_info": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
}
}
},
- "file-delete": {
+ "user-password-modify": {
"fields": {
- "process_name": {
- "Status": "Legacy",
+ "operation": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "process_path": {
- "Status": "Legacy",
+ }
+ }
+ },
+ "file-delete": {
+ "fields": {
+ "dest_user": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "process_dir": {
- "Status": "Legacy",
+ "operation": {
"core": "0",
"detection": "0",
- "informational": "1"
- },
- "bytes_in": {
- "core": "0",
- "detection": "1",
"informational": "0"
},
- "device_id": {
+ "additional_info": {
"core": "0",
"detection": "0",
- "informational": "1"
- },
- "device_type": {
- "core": "0",
- "detection": "1",
"informational": "0"
}
}
},
- "file-read": {
+ "user-disable": {
"fields": {
- "process_name": {
- "Status": "Legacy",
+ "operation": {
"core": "0",
"detection": "0",
- "informational": "1"
- },
- "process_path": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
"informational": "0"
},
- "process_dir": {
- "Status": "Legacy",
+ "additional_info": {
"core": "0",
"detection": "0",
- "informational": "1"
- },
- "bytes_in": {
- "core": "0",
- "detection": "1",
"informational": "0"
- },
- "device_id": {
- "Status": "Legacy",
+ }
+ }
+ },
+ "user-password-reset": {
+ "fields": {
+ "operation": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "device_type": {
- "Status": "Legacy",
+ "additional_info": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
}
}
},
- "alert-trigger": {
+ "user-unlock": {
"fields": {
"operation": {
"core": "0",
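Review bot: within the `salesforce` entry, `user-password-modify` gives `operation` `"Status": "Default"` with informational 1, but `user-password-reset` directly below gives the same `operation` (and `additional_info`) no `Status` and all-zero weights, and `user-disable` and `user-create` are zeroed the same way. A password reset is at least as relevant to an investigation as a password change, so the asymmetry reads as an oversight rather than a decision; make the two password blocks consistent, and if the zeroed blocks are intentional, say in the PR description what an all-zero field means. Minor: `file-delete` under `salesforce` introduces `dest_user`, which elsewhere in this patch appears only in `app-activity` and in the `palo alto ngfw` `network-session` block; a one-line note in the schema on what `dest_user` denotes for a file deletion (the file owner?) would avoid guesswork.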
@@ -41940,387 +53297,654 @@
"core": "0",
"detection": "0",
"informational": "0"
- },
- "alert_id": {
- "Status": "Legacy",
+ }
+ }
+ },
+ "group-member-add": {
+ "fields": {
+ "operation": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "email_attachment": {
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
+ },
+ "user-lock": {
+ "fields": {
+ "operation": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "bytes": {
- "Status": "Legacy",
+ "additional_info": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
"dest_host": {
"Status": "Legacy",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "dest_ip": {
+ "src_host": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "device_id": {
+ "src_ip": {
"core": "0",
"detection": "0",
"informational": "0"
+ }
+ }
+ },
+ "file-property-modify": {
+ "fields": {
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "device_type": {
+ "new_value": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "direction": {
+ "old_value": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "user-enable": {
+ "fields": {
+ "operation": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "email_id": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
+ }
+ }
+ },
+ "group-member-move": {
+ "fields": {
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "file_name": {
- "Status": "Legacy",
- "core": "1",
+ "additional_info": {
+ "Status": "Default",
+ "core": "0",
"detection": "0",
+ "informational": "1"
+ }
+ }
+ }
+ }
+ },
+ "rsa authentication manager": {
+ "expression": "product = \"rsa authentication manager\"",
+ "fields": {
+ "user": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "app-authentication": {
+ "fields": {
+ "dest_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
"informational": "0"
},
- "file_path": {
- "Status": "Legacy",
+ "auth_method": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "app-login": {
+ "fields": {
+ "session_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_dir": {
- "Status": "Legacy",
+ "user_agent": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "external_address": {
+ "auth_method": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "file_ext": {
+ "event_name": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "url": {
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "occured_time": {
+ "informational": "1"
+ }
+ }
+ },
+ "user-lock": {
+ "fields": {
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "original_user": {
+ "auth_method": {
"core": "0",
"detection": "0",
"informational": "0"
- },
- "operating_system": {
+ }
+ }
+ }
+ }
+ },
+ "securid": {
+ "expression": "product = \"securid\"",
+ "fields": {},
+ "activity_type": {
+ "vpn-logout": {
+ "fields": {
+ "user_agent": {
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "result": {
+ "session_id": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "process_name": {
- "Status": "Legacy",
+ "dest_ip": {
"core": "0",
"detection": "1",
"informational": "0"
- },
- "process_path": {
+ }
+ }
+ }
+ }
+ },
+ "namespace rdirectory": {
+ "expression": "product = \"namespace rdirectory\"",
+ "fields": {
+ "user": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
+ "activity_type": {
+ "user-enable": {
+ "fields": {}
+ },
+ "user-disable": {
+ "fields": {}
+ },
+ "user-create": {
+ "fields": {
+ "user_type": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
- },
- "process_dir": {
+ }
+ }
+ },
+ "user-delete": {
+ "fields": {}
+ },
+ "user-password-modify": {
+ "fields": {}
+ },
+ "group-member-add": {
+ "fields": {
+ "dest_user_ou": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "protocol": {
- "Status": "Legacy",
+ "dest_user_dn": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "user-modify": {
+ "fields": {
+ "old_attribute": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "recipient": {
+ "new_attribute": {
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
- },
- "recipients": {
+ }
+ }
+ }
+ }
+ },
+ "rangeraudit": {
+ "expression": "product = \"rangeraudit\"",
+ "fields": {
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ },
+ "activity_type": {
+ "database-query": {
+ "fields": {
+ "db_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "recorded_time": {
+ "resource": {
"core": "0",
"detection": "0",
"informational": "0"
- },
- "sender": {
+ }
+ }
+ },
+ "file-write": {
+ "fields": {
+ "access": {
"Status": "Legacy",
- "core": "1",
- "detection": "0",
+ "core": "0",
+ "detection": "1",
"informational": "0"
},
- "src_host": {
+ "dest_host": {
"Status": "Legacy",
- "core": "1",
+ "core": "0",
"detection": "1",
"informational": "0"
- },
- "src_ip": {
+ }
+ }
+ },
+ "file-read": {
+ "fields": {
+ "access": {
"Status": "Legacy",
- "core": "1",
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "email_subject": {
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
- },
- "target": {
+ }
+ }
+ },
+ "app-activity": {
+ "fields": {
+ "app": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
"user": {
- "Status": "Legacy",
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "web_domain": {
+ "additional_info": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "object": {
+ "Status": "Default",
"core": "0",
"detection": "0",
+ "informational": "1"
+ },
+ "resource": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
"informational": "0"
}
}
+ },
+ "app-login": {
+ "fields": {
+ "resource": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
}
}
},
- "symantec vip": {
- "expression": "product = \"symantec vip\"",
- "fields": {},
- "activity_type": {
- "app-authentication": {
- "fields": {}
+ "password manager pro": {
+ "expression": "product = \"password manager pro\"",
+ "fields": {
+ "user": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
},
- "app-logout": {
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ },
+ "activity_type": {
+ "user-password-read": {
"fields": {
- "src_ip": {
- "Status": "Default",
+ "dest_ip": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "operation": {
- "Status": "Default",
+ "safe_value": {
"core": "0",
"detection": "0",
"informational": "1"
- },
- "user_agent": {
+ }
+ }
+ },
+ "user-password-modify": {
+ "fields": {
+ "safe_value": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
- },
- "app-activity": {
+ }
+ }
+ },
+ "palo alto ngfw": {
+ "expression": "product = \"palo alto ngfw\"",
+ "fields": {},
+ "activity_type": {
+ "network-session": {
"fields": {
- "src_ip": {
+ "rule": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "user_agent": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "dest_user": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "domain": {
+ "dest_domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "user-password-forget": {
- "fields": {
- "src_ip": {
+ },
+ "network_app": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "user_agent": {
+ "src_network_zone": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
+ "dest_network_zone": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "domain": {
+ "action": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "bytes_in": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "user-search": {
- "fields": {
- "src_ip": {
+ },
+ "bytes_out": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "user_agent": {
+ "category": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
+ "src_country": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "domain": {
+ "dest_country": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "direction": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "dest_domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
- "user-device-remember": {
+ "configuration-modify": {
"fields": {
"src_ip": {
- "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "user_agent": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "user": {
- "Status": "Default",
+ "src_host": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "domain": {
- "Status": "Default",
+ "operation": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
- "Status": "Default",
+ "object": {
"core": "0",
"detection": "0",
"informational": "1"
}
}
},
- "user-modify": {
+ "app-login": {
"fields": {
"src_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "user_agent": {
+ "src_host": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
- },
- "user": {
- "Status": "Legacy",
- "core": "1",
+ }
+ }
+ },
+ "http-session": {
+ "fields": {
+ "network_app": {
+ "Status": "Default",
+ "core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "domain": {
- "Status": "Legacy",
+ "src_network_zone": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "dest_network_zone": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
}
}
}
}
},
- "symantec critical system protection": {
- "expression": "product = \"symantec critical system protection\"",
+ "globalprotect": {
+ "expression": "product = \"globalprotect\"",
"fields": {
"user": {
- "core": "0",
+ "core": "1",
"detection": "1",
"informational": "0"
},
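Review bot: The `"Status": "Default"` key is dropped from `src_ip` under `configuration-modify` (the removed line right after `"src_ip": {`) and is absent from the new `src_host`, `operation`, `object` and `dest_domain_user_name` entries, while the sibling `app-login` and `http-session` blocks in this same hunk add `"Status": "Default"` to every field; settle on one convention so anything that keys on `Status` treats these fields the same way. Separately, the hunk rewrites the whole `symantec critical system protection` product entry into `globalprotect` (only the key and `expression` lines change at the top of the block, the field bodies are reused), so confirm the Symantec entry is relocated elsewhere in the file rather than silently deleted.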
@@ -42329,180 +53953,120 @@
"detection": "1",
"informational": "0"
},
- "rule": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "policy_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "session_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "login_type": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "event_code": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "dest_ip": {
+ "src_ip": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "src_ip": {
+ "src_country": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "result": {
+ "os": {
"core": "0",
"detection": "0",
"informational": "1"
}
},
"activity_type": {
- "user-switch": {
- "fields": {
- "process_name": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "user-modify": {
- "fields": {
- "old_attribute": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "new_attribute": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "user-create": {
+ "vpn-login": {
"fields": {
- "group_name": {
+ "vpn_client": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
},
- "user-delete": {
- "fields": {}
- },
- "group-delete": {
+ "vpn-authentication": {
"fields": {}
},
- "group-create": {
+ "app-login": {
"fields": {}
},
- "group-modify": {
+ "configuration-modify": {
"fields": {
- "old_attribute": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "new_attribute": {
+ "object": {
"core": "0",
"detection": "0",
"informational": "1"
}
}
},
- "endpoint-login": {
+ "vpn-logout": {
"fields": {
- "process_path": {
- "Status": "Default",
+ "vpn_client": {
"core": "0",
"detection": "0",
"informational": "1"
- },
- "process_name": {
+ }
+ }
+ },
+ "app-activity": {
+ "fields": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "parent_process_path": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_name": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- }
- }
- },
- "symantec web security service": {
- "expression": "product = \"symantec wss\"",
- "fields": {},
- "activity_type": {
- "http-session": {
- "fields": {
- "domain": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user_id": {
+ "src_mac": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_name": {
+ "dest_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "device_type": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "proxy_action": {
+ "src_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "vpn_client": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- }
- }
- },
- "symantec fireglass": {
- "expression": "product = \"symantec fireglass\"",
- "fields": {},
- "activity_type": {
- "http-session": {
- "fields": {
- "domain": {
+ },
+ "auth_method": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
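Review bot: Under `globalprotect`, `vpn_client` is added with `"Status": "Default"` in `vpn-login` but with no `Status` key at all in `vpn-logout`, and `vpn-authentication` and `app-login` are left as `"fields": {}`; add the missing `Status` to the logout entry and confirm the two empty activity types are deliberate placeholders rather than unfinished mappings. This hunk also removes the `symantec web security service` and `symantec fireglass` product blocks in full; check that they reappear elsewhere in the file.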
@@ -42512,87 +54076,71 @@
}
}
},
- "symantec advanced threat protection": {
- "expression": "product = \"symantec edr\"",
+ "palo alto aperture": {
+ "expression": "product = \"palo alto aperture\"",
"fields": {
"user": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
"domain": {
"core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "event_code": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
}
},
"activity_type": {
- "process-create": {
+ "app-login": {
"fields": {
- "src_port": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dest_port": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "hash_md5": {
+ "src_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
- },
- "bytes": {
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "app-activity": {
+ "fields": {
+ "src_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
}
}
},
- "file-write": {
+ "file-read": {
"fields": {
- "src_host": {
+ "src_ip": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "src_port": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dest_port": {
+ "access": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
- },
- "hash_md5": {
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "file-write": {
+ "fields": {
+ "src_ip": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "bytes": {
+ "access": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
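Review bot: The `access` field added to `file-read` and `file-write` under `palo alto aperture` (and to `file-delete` in the following hunk) is introduced with `"Status": "Legacy"` even though it is new in this change; a field that did not exist before should not be tagged legacy unless that status value means something other than "superseded". In the same product, `user` and `domain` drop from `detection: 1` to `informational: 1`, the opposite of the `globalprotect` entry earlier in this patch where `user` is promoted to `core: 1`, `detection: 1`; confirm the downgrade is intended. Also `src_ip` carries `"Status": "Default"` in `app-login` and `app-activity` but no `Status` in `file-read` and `file-write`.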
@@ -42601,28 +54149,27 @@
},
"file-delete": {
"fields": {
- "src_host": {
- "Status": "Legacy",
+ "src_ip": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "src_port": {
+ "access": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dest_port": {
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "audit_policy-modify": {
+ "fields": {
+ "operation": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "hash_md5": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "bytes": {
+ "src_ip": {
"core": "0",
"detection": "1",
"informational": "0"
@@ -42636,7 +54183,7 @@
"detection": "0",
"informational": "0"
},
- "process_command_line": {
+ "collaborators": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -42647,46 +54194,17 @@
"detection": "1",
"informational": "0"
},
- "dest_port": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "event_code": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "file_name": {
- "Status": "Legacy",
- "core": "1",
- "detection": "0",
- "informational": "0"
- },
- "file_dir": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "file_path": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "file_ext": {
+ "item_creator": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "bytes": {
+ "item_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "hash_md5": {
+ "item_type": {
"core": "0",
"detection": "0",
"informational": "0"
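Review bot: `item_creator`, `item_name` and `item_type` are added with `core`, `detection` and `informational` all `"0"` and no `enriched` flag, so each entry declares the field without giving it any role; the same all-zero shape appears for `collaborators` in the previous hunk and for `first_name` / `last_name` in the next one. If these are meant to be parsed but never surfaced, a dedicated status value would make that explicit; otherwise one of the flags should be set. The replaced `file_name` / `file_dir` / `file_path` entries were `"Status": "Legacy"` and `file_name` had `core: 1`, so this hunk also removes a core field from the product; confirm nothing downstream still depends on it.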
@@ -42697,19 +54215,18 @@
"detection": "1",
"informational": "0"
},
- "src_host": {
+ "user": {
"Status": "Legacy",
- "core": "1",
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "src_port": {
- "Status": "Legacy",
+ "first_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "user_sid": {
+ "last_name": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -42718,476 +54235,426 @@
}
}
},
- "stealthintercept": {
- "expression": "product = \"stealthintercept\"",
- "fields": {
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_host": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "user": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- },
+ "ovirt": {
+ "expression": "product = \"ovirt\"",
+ "fields": {},
"activity_type": {
- "user-enable": {
- "fields": {}
- },
- "user-disable": {
- "fields": {}
- },
- "group-member-add": {
- "fields": {}
- },
- "group-member-remove": {
- "fields": {}
- },
- "ds_object-modify": {
+ "app-login": {
"fields": {
- "old_attribute": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "new_attribute": {
+ "src_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
}
}
},
- "file-read": {
+ "endpoint-authentication": {
"fields": {
- "process_name": {
- "Status": "Legacy",
+ "app": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "access": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "file-write": {
- "fields": {
- "process_name": {
- "Status": "Legacy",
+ "object": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "access": {
- "Status": "Legacy",
+ "operation": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
}
}
},
- "file-permission-modify": {
+ "endpoint-login": {
"fields": {
- "process_name": {
- "Status": "Legacy",
+ "app": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "access": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "endpoint-login": {
- "fields": {
- "auth_method": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "ds_object_out": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
- }
- }
- },
- "sophos endpoint protection": {
- "expression": "product = sophos endpoint protection",
- "fields": {
- "user": {
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_host": {
- "core": "1",
- "detection": "0",
- "informational": "0"
- },
- "alert_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "alert_type": {
- "core": "0",
- "detection": "0",
- "informational": "1"
},
- "alert_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "peripheral_storage-activity": {
+ "endpoint-start": {
"fields": {
- "bytes": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_name": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "resource": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
}
},
- "network-session": {
- "fields": {}
- },
- "peripheral_storage-insert": {
+ "endpoint-logout": {
"fields": {
- "src_ip": {
+ "app": {
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- },
- "http-session": {
- "fields": {
- "src_host": {
- "Status": "Default",
+ },
+ "object": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "malware_url": {
- "Status": "Default",
+ "operation": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
}
}
},
- "alert-trigger": {
+ "endpoint-modify": {
"fields": {
- "additional_info": {
+ "app": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "alert_id": {
- "Status": "Legacy",
+ "object": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_host": {
- "Status": "Legacy",
+ "operation": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "dest_ip": {
+ "user": {
"Status": "Legacy",
"core": "1",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "device_id": {
+ "resource": {
"core": "0",
"detection": "0",
"informational": "0"
- },
- "domain": {
+ }
+ }
+ },
+ "peripheral_storage-insert": {
+ "fields": {
+ "app": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "malware_url": {
+ "object": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "result": {
+ "operation": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_host": {
+ "user": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
+ }
+ }
+ },
+ "disk-attach": {
+ "fields": {
+ "app": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "src_ip": {
- "Status": "Legacy",
- "core": "1",
+ "object": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user": {
+ "Status": "Default",
+ "core": "0",
"detection": "1",
"informational": "0"
+ }
+ }
+ },
+ "vm_pool-modify": {
+ "fields": {
+ "app": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "object": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
"user": {
- "Status": "Legacy",
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
+ }
+ }
+ },
+ "log-clear": {
+ "fields": {
+ "app": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
},
- "access": {
+ "object": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "file_name": {
- "Status": "Legacy",
- "core": "1",
+ "operation": {
+ "core": "0",
"detection": "0",
"informational": "0"
},
- "file_dir": {
+ "user": {
"Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "datacenter-modify": {
+ "fields": {
+ "app": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_path": {
- "Status": "Legacy",
+ "object": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- }
- }
- },
- "sophos xg firewall": {
- "expression": "product = \"sophos xg firewall\"",
- "fields": {
- "user": {
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- },
- "activity_type": {
- "vpn-login": {
- "fields": {
- "dest_ip": {
+ },
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
- },
- "protocol": {
+ }
+ }
+ },
+ "datastore-create": {
+ "fields": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_port": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_port": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "datastore-enable": {
+ "fields": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_interface": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_interface": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
}
}
},
- "network-session": {
+ "disk-modify": {
"fields": {
- "device_id": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_interface": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_interface": {
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "endpoint-stop": {
+ "fields": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_country_code": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_country_code": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "http-session": {
- "fields": {
- "file_name": {
+ },
+ "user": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- }
- }
- },
- "sophos utm": {
- "expression": "product = \"sophos utm\"",
- "fields": {},
- "activity_type": {
- "http-session": {
- "fields": {
- "domain": {
+ "detection": "1",
+ "informational": "0"
+ },
+ "resource": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
- }
- }
- },
- "salesforce": {
- "expression": "product = \"salesforce\"",
- "fields": {
- "user": {
- "core": "1",
- "detection": "1",
- "informational": "0"
},
- "domain": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- },
- "activity_type": {
- "app-login": {
+ "endpoint-create": {
"fields": {
- "dest_host": {
+ "app": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "browser": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user_agent": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
+ "user": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "operating_system": {
+ "resource": {
"Status": "Default",
"core": "0",
"detection": "0",
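Review bot: The new `ovirt` product leaves its product-level `"fields": {}` empty and instead repeats the same `app` / `object` / `operation` block (`Status: Default`, `informational: 1`) plus `user` (`detection: 1`) inside nearly every activity type (`endpoint-authentication`, `endpoint-login`, `endpoint-start`, `disk-attach`, `vm_pool-modify`, `datacenter-modify`, `datastore-create`, `datastore-enable`, `disk-modify`, `endpoint-stop`, `endpoint-create`, and more in the following hunks). Hoisting those four into the product-level `fields` would shrink the block to the per-type extras such as `resource` and would remove the drift already visible here: `endpoint-logout`, `endpoint-modify`, `log-clear` and `peripheral_storage-insert` carry the same three fields with every flag `"0"` and no `Status`, and in `endpoint-modify`, `log-clear` and `peripheral_storage-insert` `user` is `Legacy` with `core: 1` (`detection: 0` in `endpoint-modify`, `1` in the other two) versus `Default`, `core: 0`, `detection: 1` everywhere else. Confirm which variant is intended. The hunk also removes the `stealthintercept`, `sophos endpoint protection`, `sophos xg firewall`, `sophos utm` and `salesforce` product blocks outright; if they are meant to survive they need to be re-added elsewhere (and the removed `sophos endpoint protection` expression `product = sophos endpoint protection` lacked the quotes the other expressions use, which should be fixed if it is restored).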
@@ -43195,51 +54662,55 @@
}
}
},
- "app-activity": {
+ "image-import": {
"fields": {
- "object": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_user": {
+ "user": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
- },
- "new_value": {
+ }
+ }
+ },
+ "vm_host-enable": {
+ "fields": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "old_value": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user_agent": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
+ "user": {
"Status": "Default",
"core": "0",
"detection": "1",
@@ -43247,129 +54718,149 @@
}
}
},
- "user-modify": {
+ "vm_host-modify": {
"fields": {
- "object": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "additional_info": {
+ "app": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "new_value": {
+ "object": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "old_value": {
+ "operation": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "operation": {
+ "user": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
}
}
},
- "user-role-assign": {
+ "datastore-modify": {
"fields": {
- "additional_info": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "resource": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
}
}
},
- "role-delete": {
+ "cluster-modify": {
"fields": {
- "additional_info": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "role_type": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
}
}
},
- "configuration-modify": {
+ "policy-modify": {
"fields": {
- "additional_info": {
+ "app": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "operation": {
+ "object": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "object": {
+ "operation": {
+ "Status": "Default",
"core": "0",
"detection": "0",
+ "informational": "1"
+ },
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
"informational": "0"
}
}
},
- "user-password-expire": {
+ "disk-scan": {
"fields": {
- "additional_info": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "resource": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "user": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
}
}
},
- "role-create": {
+ "vm_template-delete": {
"fields": {
- "additional_info": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -43381,45 +54872,51 @@
"detection": "0",
"informational": "1"
},
- "role_type": {
+ "user": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
}
}
},
- "role-modify": {
+ "datastore-delete": {
"fields": {
- "additional_info": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "role_type": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
}
}
},
- "role-permission-modify": {
+ "disk-remove": {
"fields": {
- "permission": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -43431,7 +54928,13 @@
"detection": "0",
"informational": "1"
},
- "role_type": {
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "resource": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -43439,21 +54942,40 @@
}
}
},
- "app-notification": {
+ "peripheral_storage-remove": {
"fields": {
+ "app": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
"object": {
- "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "resource": {
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
+ },
+ "vm_host-create": {
+ "fields": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
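Review bot: `peripheral_storage-remove` mirrors `peripheral_storage-insert` from the earlier hunk except that `user` is `detection: "0"` here and `"1"` there; a removable-media insert and its matching remove should weight the actor the same way, so one of the two looks like a typo. With `app`, `object` and `operation` all at zero and no `Status`, this activity type currently contributes only the legacy `user` field.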
@@ -43464,165 +54986,284 @@
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
}
}
},
- "app-logout": {
+ "app-activity": {
"fields": {
- "operation": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
+ }
+ }
+ },
+ "oracle database": {
+ "expression": "product = \"oracle database\"",
+ "fields": {
+ "user": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
},
- "user-create": {
- "fields": {
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- }
- }
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
},
- "user-password-modify": {
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "db_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "db_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_port": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "database-login": {
"fields": {
- "operation": {
+ "dest_user": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
}
}
},
- "file-delete": {
+ "database-query": {
"fields": {
"dest_user": {
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "operation": {
+ "db_object": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "additional_info": {
+ "db_schema": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
}
}
},
- "user-disable": {
+ "database-modify": {
"fields": {
- "operation": {
+ "db_object": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "additional_info": {
+ "db_schema": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
}
}
},
- "user-password-reset": {
+ "database-delete": {
"fields": {
- "operation": {
+ "db_object": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "additional_info": {
+ "db_schema": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
}
}
},
- "user-unlock": {
+ "database-activity": {
"fields": {
- "operation": {
+ "dest_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "additional_info": {
+ "process_name": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
+ },
+ "service_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
}
- },
- "group-member-add": {
+ }
+ }
+ },
+ "oracle public cloud": {
+ "expression": "product = \"oracle public cloud\"",
+ "fields": {},
+ "activity_type": {
+ "network-session": {
"fields": {
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "additional_info": {
+ "bytes_out": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
}
}
+ }
+ }
+ },
+ "oracle access management": {
+ "expression": "product = \"oracle access management\"",
+ "fields": {
+ "src_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "user-lock": {
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "resource": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "object": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "target": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "app-authentication": {
"fields": {
- "operation": {
+ "dest_host": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "additional_info": {
+ "dest_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "dest_host": {
- "Status": "Legacy",
+ "src_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "file_path": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_host": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
+ "file_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "file_dir": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "src_ip": {
+ "file_ext": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- }
- }
- },
- "file-property-modify": {
- "fields": {
- "operation": {
+ "informational": "1"
+ },
+ "service_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "new_value": {
+ "event_code": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "old_value": {
+ "event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
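Review bot: Three points on the oracle entries. `oracle database` sets `src_ip` and `src_host` to `informational: 1`, `detection: 0` at product level, whereas the other products in this patch (`globalprotect`, `palo alto aperture`, `ovirt`, `okta adaptive mfa`) treat `src_ip` as a detection field; for database logins the client address is one of the more useful pivots, so confirm the downgrade. `oracle public cloud` `network-session` declares only `bytes_out`, while `bytes_in` and `bytes_out` are declared as a pair in the first hunk of this section; add `bytes_in` or note why it is unavailable. `oracle access management` `app-authentication` gains `file_path`, `file_name`, `file_dir` and `file_ext`, which are unusual on an authentication event, and places `dest_host`, `dest_ip` and `src_host` at `detection: 1` while the product-level `src_ip` stays `informational: 1`; check the activity type is the right one and make `src_ip` consistent with `src_host`.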
@@ -43630,29 +55271,41 @@
}
}
},
- "user-enable": {
+ "app-notification": {
"fields": {
- "operation": {
+ "user": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "additional_info": {
+ "domain": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
- "group-member-move": {
+ "app-login": {
"fields": {
- "operation": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "additional_info": {
+ }
+ }
+ },
+ "app-logout": {
+ "fields": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
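Review bot: Under `oracle access management`, `user`, `domain` and the enriched `domain_user_name` are declared only inside `app-notification`, while `app-login` and `app-logout` carry just `domain` and no `user` at all; the `globalprotect`, `palo alto aperture`, `oracle database` and `okta adaptive mfa` entries all put `user` / `domain` / `domain_user_name` in the product-level `fields`. Move them up so login and logout events also carry the actor.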
@@ -43662,8 +55315,8 @@
}
}
},
- "rsa authentication manager": {
- "expression": "product = \"rsa authentication manager\"",
+ "okta adaptive mfa": {
+ "expression": "product = \"okta adaptive mfa\"",
"fields": {
"user": {
"core": "1",
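Review bot: Renaming the key and `expression` from `rsa authentication manager` to `okta adaptive mfa` in place means the unchanged RSA field definitions that follow (`user` with `core: 1`, and the context lines in the next hunk) are now Okta's; verify they were reviewed for Okta rather than inherited, and confirm the RSA product is re-added elsewhere if it is still supported.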
@@ -43675,55 +55328,86 @@
"detection": "1",
"informational": "0"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"src_ip": {
"core": "0",
"detection": "1",
"informational": "0"
- },
- "dest_ip": {
- "core": "0",
- "detection": "0",
- "informational": "1"
}
},
"activity_type": {
+ "app-login": {
+ "fields": {
+ "user_agent": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
"app-authentication": {
"fields": {
- "dest_host": {
+ "location_city": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "auth_method": {
+ "location_state": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_port": {
+ "location_country": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "app-login": {
- "fields": {
- "session_id": {
+ },
+ "user_agent": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user_agent": {
+ "url": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "auth_method": {
+ "uri": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "object_type": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "object": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
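Review bot: `dest_ip` is removed from the product-level `fields` of `okta adaptive mfa` with no replacement, leaving `src_ip` as the only address field at product level; if that is deliberate (MFA events carry no meaningful destination IP) a short note in the commit message would help. Inside the new `app-authentication` block, `dest_user` is the only field with `"detection": "1"` while `operation` is `"detection": "0"` and `object`, `object_type`, `url`, `uri` and the `location_*` fields are informational; check that `operation` should really not count toward detection on an authentication event.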
@@ -43743,215 +55427,189 @@
}
}
},
- "user-lock": {
+ "app-activity": {
"fields": {
- "dest_host": {
- "Status": "Legacy",
+ "location_city": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "auth_method": {
+ "location_state": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- }
- }
- }
- }
- },
- "securid": {
- "expression": "product = \"securid\"",
- "fields": {},
- "activity_type": {
- "vpn-logout": {
- "fields": {
+ "informational": "1"
+ },
+ "location_country": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
"user_agent": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "session_id": {
+ "url": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_ip": {
+ "uri": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- }
- }
- },
- "namespace rdirectory": {
- "expression": "product = \"namespace rdirectory\"",
- "fields": {
- "user": {
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- },
- "activity_type": {
- "user-enable": {
- "fields": {}
- },
- "user-disable": {
- "fields": {}
- },
- "user-create": {
- "fields": {
- "user_type": {
- "Status": "Legacy",
+ "detection": "0",
+ "informational": "1"
+ },
+ "object_type": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "object": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_user": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- },
- "user-delete": {
- "fields": {}
- },
- "user-password-modify": {
- "fields": {}
- },
- "group-member-add": {
- "fields": {
- "dest_user_ou": {
+ },
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_user_dn": {
+ "assigned_apps": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "members": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "group_name": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
},
- "user-modify": {
+ "user-password-reset": {
"fields": {
- "old_attribute": {
+ "operation": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "new_attribute": {
+ "user_agent": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
- }
- }
- }
- }
- },
- "rangeraudit": {
- "expression": "product = \"rangeraudit\"",
- "fields": {
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- },
- "activity_type": {
- "database-query": {
- "fields": {
- "db_name": {
+ },
+ "uri": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "resource": {
+ "object_type": {
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- },
- "file-write": {
- "fields": {
- "access": {
- "Status": "Legacy",
+ },
+ "additional_info": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "dest_host": {
- "Status": "Legacy",
+ "object": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
- }
- }
- },
- "file-read": {
- "fields": {
- "access": {
- "Status": "Legacy",
+ },
+ "app": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "dest_host": {
- "Status": "Legacy",
+ "browser": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
}
}
},
- "app-activity": {
+ "user-create": {
"fields": {
- "application": {
- "Status": "Default",
+ "operation": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "user": {
- "Status": "Default",
+ "user_agent": {
"core": "0",
- "detection": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "uri": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "object_type": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
"additional_info": {
- "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
"object": {
- "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "resource": {
- "Status": "Default",
+ "app": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_host": {
- "Status": "Default",
+ "browser": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
}
}
},
- "app-login": {
+ "group-member-add": {
"fields": {
- "resource": {
- "Status": "Default",
+ "group_type": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "user-lock": {
+ "fields": {
+ "group_name": {
"core": "0",
"detection": "0",
"informational": "1"
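Review bot: `user-lock` is defined with a single field, `group_name` (`"informational": "1"`), which reads like a copy of the adjacent `group-member-add` block rather than a lock-event mapping; please verify the field list. In the same hunk, every field under `user-password-reset` and `user-create` (`operation`, `user_agent`, `uri`, `object_type`, `additional_info`, `object`, `app`, `browser`) is `"core": "0"`, `"detection": "0"`, `"informational": "0"` with no `"Status"`, so these entries carry no weight at all; either classify them or drop them. Three whole products (`securid`, `namespace rdirectory`, `rangeraudit`) also leave in this hunk; confirm they are relocated rather than removed.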
@@ -43960,8 +55618,8 @@
}
}
},
- "password manager pro": {
- "expression": "product = \"password manager pro\"",
+ "workday": {
+ "expression": "product = \"workday\"",
"fields": {
"user": {
"core": "1",
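Review bot: same pairing artifact as the `okta adaptive mfa` hunk: `"password manager pro"` is replaced by `"workday"` in both the key and the `expression`. Confirm whether the `password manager pro` definition survives elsewhere in the file or is intentionally removed.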
@@ -43973,197 +55631,84 @@
"detection": "1",
"informational": "0"
},
- "src_ip": {
+ "domain_user_name": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
},
- "src_host": {
+ "src_ip": {
"core": "0",
"detection": "1",
"informational": "0"
}
},
"activity_type": {
- "user-password-read": {
- "fields": {
- "dest_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "safe_value": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "user-password-modify": {
- "fields": {
- "safe_value": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- }
- }
- },
- "palo alto ngfw": {
- "expression": "product = \"palo alto ngfw\"",
- "fields": {},
- "activity_type": {
- "network-session": {
+ "app-login": {
"fields": {
- "rule": {
+ "user_agent": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
+ "device_type": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_user": {
+ "src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
- },
- "dest_domain": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "network_app": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_network_zone": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dest_network_zone": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "action": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "bytes_in": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "bytes_out": {
+ }
+ }
+ },
+ "app-activity": {
+ "fields": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "category": {
+ "user_agent": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_country": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_country": {
+ "device_type": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "direction": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "configuration-modify": {
- "fields": {
"src_ip": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
- },
- "src_host": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "object": {
- "core": "0",
- "detection": "0",
- "informational": "1"
}
}
},
- "app-login": {
+ "app-authentication": {
"fields": {
- "src_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_host": {
+ "dest_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- },
- "http-session": {
- "fields": {
- "network_app": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_network_zone": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
},
- "dest_network_zone": {
+ "auth_method": {
"Status": "Default",
"core": "0",
"detection": "0",
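Review bot: `src_ip` is now declared twice for `workday`: once at product level with `"detection": "1"`, and again with identical weights plus `"Status": "Default"` under both `app-login` and `app-activity`. Unless the activity-level entry is meant to override the product-level one, remove the duplicates or document the precedence rule. This hunk also removes the entire `palo alto ngfw` product (`network-session`, `configuration-modify`, `app-login`, `http-session`); please confirm these mappings are moved rather than dropped, since `rule`, `action`, `src_network_zone` and `dest_network_zone` are commonly referenced by firewall detections.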
@@ -44173,73 +55718,111 @@
}
}
},
- "globalprotect": {
- "expression": "product = \"palo alto global protect\"",
+ "observeit": {
+ "expression": "product = \"observeit\"",
"fields": {
- "user": {
- "core": "1",
+ "session_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "os": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "domain": {
- "core": "0",
+ "user": {
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "src_ip": {
+ "domain": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "src_country": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "operating_system": {
+ "src_ip": {
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
}
},
"activity_type": {
- "vpn-login": {
- "fields": {
- "vpn_client": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
+ "process-create": {
+ "fields": {}
},
- "vpn-authentication": {
+ "endpoint-login": {
"fields": {}
},
"app-login": {
"fields": {}
},
- "configuration-modify": {
+ "database-activity": {
"fields": {
- "object": {
+ "db_name": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "vpn-logout": {
- "fields": {
- "vpn_client": {
+ },
+ "dest_user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "db_object": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "dest_local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
"app-activity": {
"fields": {
- "application": {
+ "src_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
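Review bot: the `globalprotect` product (expression `product = "palo alto global protect"`, with `vpn-login`, `vpn-authentication` and `vpn-logout`) disappears in this hunk and `observeit` takes its place; confirm the VPN mappings are preserved elsewhere, as VPN login telemetry is detection-relevant. In the new `observeit` block, `dest_local_user_name` under `database-activity` is `"enriched": "1"` but has no `"Status"` while every sibling field carries `"Status": "Default"`, and `process-create`, `endpoint-login` and `app-login` all have empty `fields`, meaning they inherit only the product-level weights; state that if it is intended.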
@@ -44250,147 +55833,144 @@
"core": "0",
"detection": "0",
"informational": "1"
- },
+ }
+ }
+ },
+ "alert-trigger": {
+ "fields": {
"additional_info": {
- "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "src_mac": {
- "Status": "Default",
+ "alert_id": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_ip": {
- "Status": "Default",
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "device_type": {
- "Status": "Default",
+ "domain": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "src_host": {
- "Status": "Default",
+ "os": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "vpn_client": {
- "Status": "Default",
+ "session_id": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "auth_method": {
- "Status": "Default",
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "target": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "event_name": {
- "Status": "Default",
+ "user": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "palo alto aperture": {
- "expression": "product = \"palo alto aperture\"",
- "fields": {
- "user": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
+ "mcafee endpoint security": {
+ "expression": "product = \"mcafee endpoint security\"",
+ "fields": {},
"activity_type": {
- "app-login": {
+ "peripheral_storage-insert": {
"fields": {
- "src_ip": {
- "Status": "Default",
- "core": "0",
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
- }
- }
- },
- "app-activity": {
- "fields": {
- "src_ip": {
- "Status": "Default",
+ },
+ "domain": {
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- },
- "file-read": {
- "fields": {
- "src_ip": {
+ },
+ "dest_ip": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "access": {
- "Status": "Legacy",
+ "domain_user_name": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
- "file-write": {
+ "printer-activity": {
"fields": {
- "src_ip": {
- "core": "0",
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "access": {
- "Status": "Legacy",
+ "domain": {
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- },
- "file-delete": {
- "fields": {
- "src_ip": {
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "dest_ip": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "access": {
+ "printer_name": {
"Status": "Legacy",
- "core": "0",
+ "core": "1",
"detection": "1",
"informational": "0"
- }
- }
- },
- "audit_policy-modify": {
- "fields": {
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "1"
},
- "src_ip": {
+ "bytes": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
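Review bot: in the `observeit` `alert-trigger` block, `src_host` and `src_ip` are `"core": "1"` while `user` is `"core": "0"`; elsewhere in this file `user` is the core field and host/IP are detection-only, so please confirm the core flags are not swapped. Several fields in the same block (`additional_info`, `domain`, `os`, `session_id`, `target`) are `0/0/0` and contribute nothing; classify or drop them. Under `mcafee endpoint security`, `printer-activity` declares two core fields (`user` and `printer_name`, both `"Status": "Legacy"`, `"core": "1"`); if core is meant to identify a single primary entity, one of them should be demoted.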
@@ -44399,14 +55979,10 @@
},
"alert-trigger": {
"fields": {
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "collaborators": {
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
"dest_ip": {
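Review bot: the added `dest_host` under `alert-trigger` arrives with `"Status": "Legacy"` and `"detection": "1"`; a newly introduced field marked Legacy is confusing unless it was carried over from the removed `palo alto aperture` definition, so either use `"Status": "Default"` or explain the Legacy status in the commit message. Dropping `additional_info` and `collaborators` is weight-neutral since both were `0/0/0`.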
@@ -44415,24 +55991,30 @@
"detection": "1",
"informational": "0"
},
- "item_creator": {
+ "domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "item_name": {
+ "result": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "item_type": {
+ "process_path": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_dir": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_ip": {
+ "process_name": {
"Status": "Legacy",
- "core": "1",
+ "core": "0",
"detection": "1",
"informational": "0"
},
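Review bot: `process_path` (`"Status": "Legacy"`, `"detection": "1"`) and `process_dir` (`0/0/0`, no `Status`) are both added; since the directory is derivable from the path, a zero-weight `process_dir` adds nothing and could be dropped, or given `"informational": "1"` if it is meant to be displayed. `domain` and `result` in the same block are likewise `0/0/0`.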
@@ -44442,93 +56024,125 @@
"detection": "1",
"informational": "0"
},
- "first_name": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "last_name": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "ovirt": {
- "expression": "product = \"ovirt\"",
+ "lanscope cat": {
+ "expression": "product = \"lanscope cat\"",
"fields": {},
"activity_type": {
- "app-login": {
+ "peripheral_storage-activity": {
"fields": {
- "src_ip": {
+ "user": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- },
- "endpoint-authentication": {
- "fields": {
- "application": {
+ },
+ "process_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "bytes": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "src_ip": {
"Status": "Default",
"core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "printer-activity": {
+ "fields": {
+ "printer_name": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "num_pages": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "Status": "Legacy",
+ "core": "0",
"detection": "0",
"informational": "1"
}
}
},
+ "http-session": {
+ "fields": {}
+ },
"endpoint-login": {
"fields": {
- "application": {
+ "src_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
- },
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "app-activity": {
+ "fields": {
"object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "file_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "endpoint-start": {
- "fields": {
- "application": {
+ },
+ "file_path": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "file_ext": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "file_dir": {
"Status": "Default",
"core": "0",
"detection": "0",
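Review bot: `lanscope cat` has product-level `"fields": {}`, and its `printer-activity` block lists no `user` at all while giving `printer_name` `"core": "1"` (`"Status": "Legacy"`), so nothing marks the acting user as core or detection for printer events; please confirm that is intended, since `peripheral_storage-activity` in the same hunk does list `user` with `"detection": "1"`. `num_pages` is `"detection": "1"` while `bytes` under `peripheral_storage-activity` is informational-only, which is an inconsistent treatment of two volume measures. The `ovirt` product with its `endpoint-*` mappings is also removed here; confirm relocation.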
@@ -44540,7 +56154,13 @@
"detection": "1",
"informational": "0"
},
- "resource": {
+ "bytes": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -44548,282 +56168,239 @@
}
}
},
- "endpoint-logout": {
+ "file-write": {
"fields": {
- "application": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "object": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "operation": {
+ "bytes": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
}
}
},
- "endpoint-modify": {
+ "file-read": {
"fields": {
- "application": {
+ "bytes": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "object": {
+ "informational": "1"
+ }
+ }
+ },
+ "alert-trigger": {
+ "fields": {
+ "operation": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "operation": {
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "user": {
+ "dest_ip": {
"Status": "Legacy",
"core": "1",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "resource": {
+ "object": {
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- },
- "peripheral_storage-insert": {
- "fields": {
- "application": {
+ },
+ "num_pages": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "object": {
+ "printer_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "operation": {
- "core": "0",
- "detection": "0",
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
"informational": "0"
},
- "user": {
+ "src_ip": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
- }
- }
- },
- "disk-attach": {
- "fields": {
- "application": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
},
- "object": {
- "Status": "Default",
+ "user": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "operation": {
- "Status": "Default",
+ "local_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
- },
- "user": {
- "Status": "Default",
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
+ }
+ }
+ },
+ "kiteworks": {
+ "expression": "product = \"kiteworks\"",
+ "fields": {
+ "user": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ },
+ "activity_type": {
+ "file-read": {
+ "fields": {
+ "access": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
}
}
},
- "vm_pool-modify": {
+ "file-write": {
"fields": {
- "application": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "object": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "operation": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "user": {
- "Status": "Default",
+ "access": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
}
}
},
- "log-clear": {
+ "file-delete": {
"fields": {
- "application": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "object": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "user": {
+ "access": {
"Status": "Legacy",
- "core": "1",
+ "core": "0",
"detection": "1",
"informational": "0"
}
}
},
- "datacenter-modify": {
+ "file-upload": {
"fields": {
- "application": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "object": {
- "Status": "Default",
+ "access": {
"core": "0",
"detection": "0",
"informational": "1"
- },
- "operation": {
- "Status": "Default",
+ }
+ }
+ },
+ "file-download": {
+ "fields": {
+ "access": {
"core": "0",
"detection": "0",
"informational": "1"
- },
- "user": {
- "Status": "Default",
+ }
+ }
+ },
+ "file-permission-modify": {
+ "fields": {
+ "access": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
}
}
},
- "datastore-create": {
+ "app-activity": {
"fields": {
- "application": {
+ "user_agent": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "mime": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "access": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "datastore-enable": {
- "fields": {
- "application": {
+ "url": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "bytes": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
}
}
},
- "disk-modify": {
+ "email-send": {
"fields": {
- "application": {
+ "bytes": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "mime": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "url": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "endpoint-stop": {
- "fields": {
- "application": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "user_agent": {
"Status": "Default",
"core": "0",
"detection": "0",
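Review bot: `bytes` is weighted differently between `file-write` (`"Status": "Legacy"`, `"detection": "1"`) and `file-read` (`"Status": "Legacy"`, `"detection": "0"`, `"informational": "1"`); if read volume is deliberately not a detection signal, document the asymmetry. In the `lanscope cat` `alert-trigger` block, `dest_ip`, `src_host` and `src_ip` are all `"core": "1"` while `user` is `"core": "0"`, the same concern as the `observeit` alert-trigger, and `num_pages` / `printer_name` are `0/0/0` here despite being weighted in `printer-activity`. In `kiteworks`, `access` carries `"Status": "Legacy"` under `file-read`, `file-write`, `file-delete` and `file-permission-modify` but no `Status` under `file-upload` and `file-download`; align these.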
@@ -44834,64 +56411,36 @@
"core": "0",
"detection": "0",
"informational": "1"
- },
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "resource": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
}
}
},
- "endpoint-create": {
+ "email-read": {
"fields": {
- "application": {
+ "bytes": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "mime": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "url": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "resource": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "image-import": {
- "fields": {
- "application": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "user_agent": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -44903,7 +56452,7 @@
"detection": "0",
"informational": "1"
},
- "user": {
+ "dest_user": {
"Status": "Default",
"core": "0",
"detection": "1",
@@ -44911,43 +56460,33 @@
}
}
},
- "vm_host-enable": {
+ "email-modify": {
"fields": {
- "application": {
+ "bytes": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "mime": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "url": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "vm_host-modify": {
- "fields": {
- "application": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "user_agent": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -44959,51 +56498,41 @@
"detection": "0",
"informational": "1"
},
- "user": {
+ "attachment": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
}
}
},
- "datastore-modify": {
+ "email-create": {
"fields": {
- "application": {
+ "bytes": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "mime": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "url": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "cluster-modify": {
- "fields": {
- "application": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "user_agent": {
"Status": "Default",
"core": "0",
"detection": "0",
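Review bot: `attachment` replaces a `user` entry that had `"detection": "1"` and is added as informational-only (`"detection": "0"`, `"informational": "1"`). The actor is still covered by the product-level `user`, so the swap itself is fine, but attachment names are a common detection input for email events; confirm informational-only is the intent for `email-modify` and `email-create`.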
@@ -45015,51 +56544,41 @@
"detection": "0",
"informational": "1"
},
- "user": {
+ "attachment": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
}
}
},
- "policy-modify": {
+ "email-recipient-add": {
"fields": {
- "application": {
+ "bytes": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "mime": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "url": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "disk-scan": {
- "fields": {
- "application": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "user_agent": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -45070,92 +56589,70 @@
"core": "0",
"detection": "0",
"informational": "1"
- },
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
}
}
},
- "vm_template-delete": {
+ "email-delete": {
"fields": {
- "application": {
+ "bytes": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "mime": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "datastore-delete": {
- "fields": {
- "application": {
+ "url": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "user_agent": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
+ "operation": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
}
}
},
- "disk-remove": {
+ "app-login": {
"fields": {
- "application": {
+ "user_agent": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "mime": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "access": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "resource": {
+ "url": {
"Status": "Default",
"core": "0",
"detection": "0",
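Review bot: `app-login` for `kiteworks` lists `mime`, `access` and `url`, which are file-transfer attributes rather than login attributes; this looks copied from the `app-activity` block. Trim it to the fields a login event actually carries (`user_agent`, plus `url` if the login endpoint matters). `email-delete` gains an `operation` field (`"informational": "1"`) that the other `email-*` activity types in this change do not have; check whether that is deliberate.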
@@ -45163,14 +56660,14 @@
}
}
},
- "peripheral_storage-remove": {
+ "configuration-modify": {
"fields": {
- "application": {
+ "proxy_ip": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "object": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
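Review bot: `proxy_ip` under `configuration-modify` is `0/0/0` with no `Status`. A proxy address on a configuration change is at least informational and arguably detection-relevant, since redirecting outbound traffic through a new proxy is a change defenders want surfaced; suggest `"informational": "1"` at minimum, or drop the field if it is never populated. `additional_info` beside it is likewise `0/0/0`.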
@@ -45180,355 +56677,138 @@
"detection": "0",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "0",
- "informational": "0"
- }
- }
- },
- "vm_host-create": {
- "fields": {
- "application": {
- "Status": "Default",
+ "mime": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "object": {
- "Status": "Default",
+ "url": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "operation": {
- "Status": "Default",
+ "user_agent": {
"core": "0",
"detection": "0",
- "informational": "1"
- },
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
"informational": "0"
}
}
},
- "app-activity": {
+ "user-password-modify": {
"fields": {
- "application": {
+ "user_agent": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
+ "mime": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "object": {
+ "access": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- }
- }
- },
- "oracle database": {
- "expression": "product = \"oracle db\"",
- "fields": {
- "user": {
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "db_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_host": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "db_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dest_host": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dest_port": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "database-login": {
- "fields": {
- "dest_user": {
+ },
+ "url": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
}
}
},
- "database-query": {
+ "user-password-reset": {
"fields": {
- "dest_user": {
+ "user_agent": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "db_object": {
+ "mime": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "db_schema": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "database-modify": {
- "fields": {
- "db_object": {
+ "access": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "db_schema": {
+ "url": {
"core": "0",
"detection": "0",
"informational": "1"
}
}
},
- "database-delete": {
+ "user-modify": {
"fields": {
- "db_object": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "db_schema": {
+ "operation": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "database-activity": {
- "fields": {
- "dest_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
"informational": "0"
},
- "process_name": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "service_name": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- }
- }
- },
- "oracle public cloud": {
- "expression": "product = \"oracle public cloud\"",
- "fields": {},
- "activity_type": {
- "network-session": {
- "fields": {
- "bytes_out": {
- "Status": "Default",
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
}
}
- }
- }
- },
- "oracle access management": {
- "expression": "product = \"oracle access management\"",
- "fields": {
- "src_ip": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "resource": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "object": {
- "core": "0",
- "detection": "0",
- "informational": "1"
},
- "target": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "app-authentication": {
+ "user-delete": {
"fields": {
- "dest_host": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_host": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "file_path": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "file_name": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "file_dir": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "file_ext": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "service_name": {
- "Status": "Default",
+ "operation": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "event_code": {
- "Status": "Default",
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_name": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "app-notification": {
- "fields": {
- "user": {
- "Status": "Default",
+ "additional_info": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "domain": {
- "Status": "Default",
+ "url": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "app-login": {
- "fields": {
- "domain": {
- "Status": "Default",
+ "informational": "0"
+ },
+ "mime": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "app-logout": {
- "fields": {
- "domain": {
- "Status": "Default",
+ "informational": "0"
+ },
+ "user_agent": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
}
}
+ },
+ "user-unlock": {
+ "fields": {}
+ },
+ "user-lock": {
+ "fields": {}
}
}
},
- "okta adaptive mfa": {
- "expression": "product = \"okta adaptive mfa\"",
+ "juniper pulse secure": {
+ "expression": "product = \"juniper pulse secure\"",
"fields": {
"user": {
- "core": "1",
+ "core": "0",
"detection": "1",
"informational": "0"
},
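Review bot: this hunk removes the `oracle database`, `oracle public cloud`, `oracle access management` and `okta adaptive mfa` product definitions (plus the `vm_host-create` and `app-activity` entries of the product above them) while inserting `user-*` activity types and `juniper pulse secure`; git has paired unrelated blocks here, so confirm those products are re-added elsewhere in the file rather than silently dropped. Also, `user-delete` lists `operation`, `additional_info`, `url`, `mime` and `user_agent` with all three flags `"0"` and no `Status`, while `user-unlock` and `user-lock` use `"fields": {}`; pick one convention for "no field overrides".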
@@ -45537,6 +56817,12 @@
"detection": "1",
"informational": "0"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"src_ip": {
"core": "0",
"detection": "1",
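Review bot: `domain_user_name` introduces a fourth attribute, `"enriched": "1"`, that none of the surrounding fields carry; make sure the loader and any schema validation tolerate the extra key, and document what `enriched` means, since its `core`, `detection` and `informational` values are all `"0"` and the new key is the only thing distinguishing the field. The identical block is pasted into every product added in this change; if every product gets it, a single default would avoid the copies drifting apart.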
@@ -45544,85 +56830,129 @@
}
},
"activity_type": {
- "app-login": {
+ "vpn-login": {
"fields": {
- "user_agent": {
+ "dest_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
}
}
},
- "app-authentication": {
+ "vpn-logout": {
"fields": {
- "location_city": {
- "Status": "Default",
+ "dest_ip": {
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "location_state": {
- "Status": "Default",
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "location_country": {
- "Status": "Default",
+ "session_duration": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "user_agent": {
+ "bytes_in": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "bytes_out": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_port": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_port": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "http-request": {
+ "fields": {
+ "dest_host": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "url": {
+ "bytes": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "uri": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object_type": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "dest_user": {
+ }
+ }
+ },
+ "vpn-authentication": {
+ "fields": {
+ "dest_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "operation": {
+ "dest_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "http-session": {
+ "fields": {
+ "realm": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_name": {
+ "role": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "firewall": {
"Status": "Default",
"core": "0",
"detection": "0",
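Review bot: `Status` is applied inconsistently inside `vpn-logout`: `bytes_out` is `"Status": "Legacy"` but its sibling `bytes_in` has no `Status` at all, and `dest_ip` lacks `Status` here while the same field under `vpn-login` is `"Status": "Default"`. If a missing `Status` is meant to read as Default, state that where the format is documented; otherwise add the missing values so the two VPN activity types read the same way.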
@@ -45632,19 +56962,19 @@
},
"app-activity": {
"fields": {
- "location_city": {
+ "dest_host": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "location_state": {
+ "dest_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "location_country": {
+ "bytes": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -45656,176 +56986,208 @@
"detection": "0",
"informational": "1"
},
- "url": {
+ "src_host": {
"Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "user-delete": {
+ "fields": {
+ "realm": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "uri": {
- "Status": "Default",
+ "role": {
"core": "0",
"detection": "0",
"informational": "1"
- },
- "object_type": {
+ }
+ }
+ }
+ }
+ },
+ "juniper srx series": {
+ "expression": "product = \"juniper srx series\"",
+ "fields": {},
+ "activity_type": {
+ "network-session": {
+ "fields": {
+ "session_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "bytes_in": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_user": {
+ "bytes_out": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "additional_info": {
+ "src_zone": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "assigned_apps": {
+ "dest_zone": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "members": {
+ "rule": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "group_name": {
+ "user": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
}
}
},
- "user-password-reset": {
+ "http-session": {
"fields": {
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "user_agent": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "uri": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "object_type": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "object": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "application": {
+ "src_zone": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "browser": {
+ "profile": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
}
}
},
- "user-create": {
+ "app-login": {
"fields": {
- "operation": {
+ "src_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "user_agent": {
+ "dest_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "uri": {
+ "src_port": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "object_type": {
+ "dest_port": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "additional_info": {
+ "informational": "1"
+ }
+ }
+ }
+ }
+ },
+ "infowatch dlp": {
+ "expression": "product = \"infowatch dlp\"",
+ "fields": {
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ },
+ "activity_type": {
+ "http-session": {
+ "fields": {}
+ },
+ "printer-activity": {
+ "fields": {
+ "src_host": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "object": {
- "core": "0",
- "detection": "0",
+ "file_name": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
"informational": "0"
},
- "application": {
- "core": "0",
- "detection": "0",
+ "printer_name": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
"informational": "0"
},
- "browser": {
+ "dest_host": {
"core": "0",
"detection": "0",
"informational": "0"
}
}
},
- "group-member-add": {
+ "app-login": {
"fields": {
- "group_type": {
- "Status": "Legacy",
+ "dest_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
}
}
},
- "user-lock": {
+ "file-write": {
"fields": {
- "group_name": {
+ "src_host": {
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
}
}
}
}
},
- "workday": {
- "expression": "product = \"workday\"",
+ "imperva securesphere": {
+ "expression": "product = imperva securesphere",
"fields": {
"user": {
- "core": "1",
+ "core": "0",
"detection": "1",
"informational": "0"
},
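Review bot: the `imperva securesphere` expression is missing the escaped quotes around the product name: `"expression": "product = imperva securesphere",` whereas every other product in this hunk is written as `"expression": "product = \"juniper srx series\""`. A product name containing a space will not match (or will not parse) the way the others do; change it to `product = \"imperva securesphere\"`.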
@@ -45834,476 +57196,490 @@
"detection": "1",
"informational": "0"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"src_ip": {
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
},
"activity_type": {
- "app-login": {
+ "database-login": {
"fields": {
- "user_agent": {
+ "service_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "device_type": {
+ "server_group": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "app-activity": {
- "fields": {
- "object": {
+ "db_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user_agent": {
+ "db_schema": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "src_port": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "device_type": {
+ "dest_port": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
+ "protocol": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
}
}
},
- "app-authentication": {
+ "database-query": {
"fields": {
- "dest_ip": {
- "Status": "Default",
+ "service_name": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "auth_method": {
- "Status": "Default",
+ "server_group": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- }
- }
- },
- "observeit": {
- "expression": "product = \"observeit\"",
- "fields": {
- "session_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "operating_system": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dest_host": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "user": {
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- },
- "activity_type": {
- "process-create": {
- "fields": {}
- },
- "endpoint-login": {
- "fields": {}
- },
- "app-login": {
- "fields": {}
- },
- "database-activity": {
- "fields": {
- "db_name": {
- "Status": "Default",
+ "informational": "0"
+ },
+ "operation": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_user": {
- "Status": "Default",
+ "bytes_out": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "src_host": {
- "Status": "Default",
+ "db_name": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "process_name": {
- "Status": "Default",
+ "db_schema": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "db_object": {
- "Status": "Default",
+ "src_port": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
+ },
+ "dest_port": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
}
}
},
- "app-activity": {
+ "database-delete": {
"fields": {
- "src_host": {
- "Status": "Default",
+ "operation": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "dest_ip": {
- "Status": "Default",
+ "db_name": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "additional_info": {
- "Status": "Default",
+ "src_port": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "object": {
- "Status": "Default",
+ "dest_port": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
+ },
+ "service_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
}
}
},
- "alert-trigger": {
+ "database-modify": {
"fields": {
- "additional_info": {
+ "service_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "alert_id": {
- "Status": "Legacy",
+ "server_group": {
"core": "0",
"detection": "0",
- "informational": "1"
- },
- "dest_host": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
"informational": "0"
},
- "domain": {
+ "operation": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "operating_system": {
+ "bytes_out": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process_name": {
- "Status": "Legacy",
+ "db_name": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "session_id": {
+ "db_schema": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_host": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "target": {
+ "src_port": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
+ "dest_port": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
}
}
- }
- }
- },
- "mcafee endpoint security": {
- "expression": "product = \"mcafee endpoint security\"",
- "fields": {},
- "activity_type": {
- "peripheral_storage-insert": {
+ },
+ "alert-trigger": {
"fields": {
- "user": {
+ "alert_id": {
"Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "dest_ip": {
+ "db_name": {
"core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "printer-activity": {
- "fields": {
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "domain": {
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
"dest_ip": {
- "core": "0",
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "printer_name": {
+ "src_host": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "bytes": {
+ "src_ip": {
"Status": "Legacy",
- "core": "0",
+ "core": "1",
"detection": "1",
"informational": "0"
- }
- }
- },
- "alert-trigger": {
- "fields": {
- "dest_host": {
- "Status": "Legacy",
+ },
+ "server_group": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "dest_ip": {
+ "user": {
"Status": "Legacy",
- "core": "1",
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "domain": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "result": {
+ "app": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process_path": {
- "Status": "Legacy",
+ "db_schema": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "process_dir": {
+ "service_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process_name": {
+ "src_port": {
"Status": "Legacy",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "user": {
- "Status": "Legacy",
+ "local_user_name": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "lanscope cat": {
- "expression": "product = \"lanscope cat\"",
+ "imperva file activity monitoring": {
+ "expression": "product = \"imperva file activity monitoring\"",
+ "fields": {
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_port": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "protocol": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "access": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "access_type": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "service_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "server_group": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "file-write": {
+ "fields": {}
+ },
+ "file-read": {
+ "fields": {}
+ },
+ "file-delete": {
+ "fields": {}
+ },
+ "file-permission-modify": {
+ "fields": {}
+ }
+ }
+ },
+ "imperva incapsula": {
+ "expression": "product = \"imperva incapsula\"",
"fields": {},
"activity_type": {
- "peripheral_storage-activity": {
+ "http-session": {
"fields": {
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "process_name": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "bytes": {
+ "country_code": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
+ }
+ }
+ }
+ }
+ },
+ "microsoft iis": {
+ "expression": "product = \"microsoft iis\"",
+ "fields": {
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
+ "activity_type": {
+ "http-session": {
+ "fields": {}
+ }
+ }
+ },
+ "github": {
+ "expression": "product = \"github\"",
+ "fields": {
+ "user": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
+ "activity_type": {
+ "app-login": {
+ "fields": {
"src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "user_agent": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
}
},
- "printer-activity": {
+ "group-member-add": {
"fields": {
- "printer_name": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "num_pages": {
- "Status": "Legacy",
+ "resource": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "dest_ip": {
+ "object": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "src_ip": {
+ "additional_info": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "dest_host": {
- "core": "0",
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "src_host": {
- "Status": "Legacy",
+ "operation": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "http-session": {
- "fields": {}
- },
- "endpoint-login": {
- "fields": {
- "src_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
"informational": "0"
}
}
},
- "app-activity": {
+ "user-invite": {
"fields": {
- "object": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "file_name": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "file_path": {
+ "resource": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_ext": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_dir": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
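Review bot: the `database-query`, `database-delete` and `database-modify` entries under `imperva securesphere` list up to eight fields each (`service_name`, `server_group`, `operation`, `bytes_out`, `db_name`, `db_schema`, `src_port`, `dest_port`) with `core`, `detection` and `informational` all `"0"` and no `Status`, so they add no classification; the same hunk uses `"fields": {}` for the `file-*` types of `imperva file activity monitoring`, and `database-login` marks these same fields `"informational": "1"`, so either set the intended category or collapse the blocks. Also, `alert-trigger` raises `dest_ip` to `"Status": "Legacy"`, `"core": "1"` while the product-level `dest_ip` is detection-only; confirm that per-activity override is intended.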
@@ -46315,13 +57691,7 @@
"detection": "1",
"informational": "0"
},
- "bytes": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "application": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -46329,193 +57699,157 @@
}
}
},
- "file-write": {
- "fields": {
- "bytes": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "file-read": {
+ "group-member-remove": {
"fields": {
- "bytes": {
- "Status": "Legacy",
+ "resource": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "alert-trigger": {
- "fields": {
- "operation": {
+ "informational": "0"
+ },
+ "object": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_host": {
- "Status": "Legacy",
+ "additional_info": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "dest_ip": {
+ "user": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "object": {
+ "operation": {
"core": "0",
"detection": "0",
"informational": "0"
- },
- "num_pages": {
+ }
+ }
+ },
+ "user-create": {
+ "fields": {
+ "resource": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "printer_name": {
+ "object": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_host": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "src_ip": {
+ "user": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
+ "operation": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
}
}
- }
- }
- },
- "kiteworks": {
- "expression": "product = \"kiteworks\"",
- "fields": {
- "user": {
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "core": "0",
- "detection": "1",
- "informational": "0"
},
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- },
- "activity_type": {
- "file-read": {
+ "branch-protection-enable": {
"fields": {
- "access": {
- "Status": "Legacy",
+ "resource": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "file-write": {
- "fields": {
- "access": {
- "Status": "Legacy",
+ "detection": "0",
+ "informational": "1"
+ },
+ "object": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "file-delete": {
- "fields": {
- "access": {
- "Status": "Legacy",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- },
- "file-upload": {
- "fields": {
- "access": {
+ },
+ "operation": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
},
- "file-download": {
+ "user-delete": {
"fields": {
- "access": {
+ "resource": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "file-permission-modify": {
- "fields": {
- "access": {
- "Status": "Legacy",
+ "informational": "0"
+ },
+ "object": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "additional_info": {
"core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
+ },
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
}
}
},
- "app-activity": {
+ "repository-create": {
"fields": {
- "user_agent": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "mime": {
+ "resource": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "access": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "url": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "user": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "bytes": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
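Review bot: within `github`, the `user` field alternates between `"Status": "Legacy"`, `"core": "1"`, `"detection": "1"` (`group-member-remove`, `user-create`, `user-delete`) and `"Status": "Default"`, `"core": "0"`, `"detection": "1"` (`branch-protection-enable`, `repository-create`), while the product-level `user` entry is informational-only; confirm that activity-level entries override the product-level one and that Legacy-plus-core versus Default is the intended distinction, because a reader cannot tell from the file which form is current. Separately, this hunk removes the `kiteworks` product definition with its `file-*` activity types; confirm it is re-added elsewhere rather than dropped.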
@@ -46523,61 +57857,45 @@
}
}
},
- "email-send": {
+ "group-modify": {
"fields": {
- "bytes": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "mime": {
- "Status": "Default",
+ "resource": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "url": {
- "Status": "Default",
+ "object": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
"additional_info": {
- "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "user_agent": {
- "Status": "Default",
- "core": "0",
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
"operation": {
- "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
}
}
},
- "email-read": {
+ "branch-protection-modify": {
"fields": {
- "bytes": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "mime": {
+ "resource": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "url": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
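Review bot: `user` under `group-modify` is `"core": "1"` with `"detection": "0"`; every other `"core": "1"` entry in this change pairs it with `"detection": "1"`, so check whether `detection` should be `"1"` here or `core` should be `"0"` (the `user-modify` entry later in the diff repeats the same combination).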
@@ -46589,41 +57907,29 @@
"detection": "0",
"informational": "1"
},
- "user_agent": {
+ "user": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
"operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "dest_user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
}
}
},
- "email-modify": {
+ "branch-modify": {
"fields": {
- "bytes": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "mime": {
+ "resource": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "url": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -46635,41 +57941,29 @@
"detection": "0",
"informational": "1"
},
- "user_agent": {
+ "user": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
"operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "attachment": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
}
}
},
- "email-create": {
+ "branch-create": {
"fields": {
- "bytes": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "mime": {
+ "resource": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "url": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -46681,41 +57975,29 @@
"detection": "0",
"informational": "1"
},
- "user_agent": {
+ "user": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
"operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "attachment": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
}
}
},
- "email-recipient-add": {
+ "repository-member-remove": {
"fields": {
- "bytes": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "mime": {
+ "resource": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "url": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -46727,11 +58009,11 @@
"detection": "0",
"informational": "1"
},
- "user_agent": {
+ "user": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
"operation": {
"Status": "Default",
@@ -46741,21 +58023,15 @@
}
}
},
- "email-delete": {
+ "repository-member-add": {
"fields": {
- "bytes": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "mime": {
+ "resource": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "url": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -46767,11 +58043,11 @@
"detection": "0",
"informational": "1"
},
- "user_agent": {
+ "user": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
"operation": {
"Status": "Default",
@@ -46781,27 +58057,33 @@
}
}
},
- "app-login": {
+ "repository-delete": {
"fields": {
- "user_agent": {
+ "resource": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "mime": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "access": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "url": {
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -46809,9 +58091,14 @@
}
}
},
- "configuration-modify": {
+ "user-modify": {
"fields": {
- "proxy_ip": {
+ "resource": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "object": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -46821,49 +58108,76 @@
"detection": "0",
"informational": "0"
},
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
"operation": {
"core": "0",
"detection": "0",
"informational": "0"
+ }
+ }
+ },
+ "group-delete": {
+ "fields": {
+ "resource": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
},
- "mime": {
+ "object": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "url": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user_agent": {
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "operation": {
"core": "0",
"detection": "0",
"informational": "0"
}
}
},
- "user-password-modify": {
+ "log-download": {
"fields": {
- "user_agent": {
+ "resource": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "mime": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "access": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "url": {
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
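Review bot: "user-modify" and "group-delete" in this hunk mark "user" as `"Status": "Legacy"` with `"core": "1"` and `"detection": "0"`, while the neighbouring activity types in this and the previous hunks (log-download, repository-delete, branch-create) give "user" `"Status": "Default"` with `"detection": "1"`; their other fields (resource, object, additional_info, operation) also have no "Status" and all-zero weights. If these two entries are meant to be the legacy form of the mapping, say so in the commit message; otherwise they read as an incomplete port and should be aligned with the Default pattern used around them.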
@@ -46871,181 +58185,151 @@
}
}
},
- "user-password-reset": {
+ "group-repository-remove": {
"fields": {
- "user_agent": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "mime": {
+ "resource": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "access": {
+ "object": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "url": {
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "user-modify": {
- "fields": {
- "operation": {
+ },
+ "user": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "dest_host": {
- "Status": "Legacy",
+ "operation": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
},
- "user-delete": {
+ "group-repository-add": {
"fields": {
- "operation": {
+ "resource": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "dest_host": {
- "Status": "Legacy",
+ "object": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
"additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "url": {
- "core": "0",
- "detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "mime": {
+ "user": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "user_agent": {
+ "operation": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
}
}
},
- "user-unlock": {
- "fields": {}
- },
- "user-lock": {
- "fields": {}
- }
- }
- },
- "juniper pulse secure": {
- "expression": "product = \"juniper pulse secure\"",
- "fields": {
- "user": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- },
- "activity_type": {
- "vpn-login": {
+ "repository-read": {
"fields": {
- "dest_ip": {
+ "resource": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "dest_host": {
+ "object": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
}
},
- "vpn-logout": {
+ "repository-pull": {
"fields": {
- "dest_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_host": {
- "Status": "Legacy",
+ "resource": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "session_duration": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "bytes_in": {
+ "object": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "bytes_out": {
- "Status": "Legacy",
+ "additional_info": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "src_port": {
+ "user": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "dest_port": {
+ "operation": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
}
}
},
- "http-request": {
+ "repository-push": {
"fields": {
- "dest_host": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "bytes": {
+ "resource": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
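Review bot: this hunk deletes the "juniper pulse secure" product header (its "expression" and product-level user/domain/src_ip fields) together with its vpn-login, vpn-logout and http-request mappings, and the following hunks remove the rest of that product plus "juniper srx series", "infowatch dlp", "imperva securesphere", "imperva file activity monitoring", "imperva incapsula", "microsoft iis" and the "github" product header, with no corresponding `+` block visible in this part of the diff. Please confirm each of these products is re-added elsewhere in the file (key reordering on re-serialization) or that dropping their mappings is intended, and consider emitting the JSON with sorted keys so product blocks keep a stable position and future diffs show only real changes.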
@@ -47057,7 +58341,13 @@
"detection": "0",
"informational": "1"
},
- "application": {
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -47065,131 +58355,191 @@
}
}
},
- "vpn-authentication": {
+ "branch-protection-disable": {
"fields": {
- "dest_ip": {
+ "resource": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "dest_host": {
+ "object": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
}
},
- "http-session": {
+ "user-invite-cancel": {
"fields": {
- "realm": {
+ "resource": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "role": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "firewall": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "app-activity": {
- "fields": {
- "dest_host": {
+ },
+ "user": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "dest_ip": {
+ "operation": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "hook-modify": {
+ "fields": {
+ "resource": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "bytes": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user_agent": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_host": {
+ "user": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
}
},
- "user-delete": {
+ "repository-modify": {
"fields": {
- "realm": {
+ "resource": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "role": {
+ "object": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "operation": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
- }
- }
- },
- "juniper srx series": {
- "expression": "product = \"juniper srx series\"",
- "fields": {},
- "activity_type": {
- "network-session": {
+ },
+ "hook-create": {
"fields": {
- "session_id": {
+ "resource": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes_in": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes_out": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_zone": {
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "repository-move": {
+ "fields": {
+ "resource": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_zone": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "rule": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -47200,46 +58550,58 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
}
},
- "http-session": {
+ "configuration-mfa-enable": {
"fields": {
- "src_zone": {
+ "resource": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "profile": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "app-login": {
- "fields": {
- "src_ip": {
+ },
+ "additional_info": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "dest_ip": {
+ "user": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "src_port": {
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "app-activity": {
+ "fields": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_port": {
+ "resource": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -47249,19 +58611,9 @@
}
}
},
- "infowatch dlp": {
- "expression": "product = \"infowatch dlp\"",
+ "fortinet vpn": {
+ "expression": "product = \"fortinet vpn\"",
"fields": {
- "user": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
"src_ip": {
"core": "0",
"detection": "1",
@@ -47269,278 +58621,241 @@
}
},
"activity_type": {
- "http-session": {
- "fields": {}
- },
- "printer-activity": {
+ "vpn-login": {
"fields": {
- "src_host": {
- "Status": "Legacy",
+ "realm": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_name": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "printer_name": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "dest_host": {
+ "src_translated_ip": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
}
}
},
- "app-login": {
+ "vpn-logout": {
"fields": {
- "dest_ip": {
- "Status": "Default",
+ "realm": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_translated_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes_in": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes_out": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
}
}
},
- "file-write": {
+ "vpn-authentication": {
"fields": {
- "src_host": {
+ "additional_info": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
}
}
}
}
},
- "imperva securesphere": {
- "expression": "product = imperva securesphere",
- "fields": {
- "user": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_host": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dest_host": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
+ "fortinet utm": {
+ "expression": "product = fortinet utm",
+ "fields": {},
"activity_type": {
- "database-login": {
+ "http-session": {
"fields": {
- "service_name": {
+ "group_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "server_group": {
+ "policy_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "db_name": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "db_schema": {
+ }
+ }
+ },
+ "http-request": {
+ "fields": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_port": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_port": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "protocol": {
+ "auth_server": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "database-query": {
- "fields": {
- "service_name": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "server_group": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "0"
},
- "bytes_out": {
+ "event_name": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "db_name": {
+ "service_name": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "db_schema": {
+ "event_subtype": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "src_port": {
+ "informational": "1"
+ }
+ }
+ },
+ "endpoint-authentication": {
+ "fields": {
+ "src_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "dest_port": {
+ "dest_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
}
}
},
- "database-delete": {
+ "app-activity": {
"fields": {
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "db_name": {
- "core": "0",
- "detection": "0",
+ "user": {
+ "Status": "Default",
+ "core": "1",
+ "detection": "1",
"informational": "0"
},
- "src_port": {
+ "src_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "dest_port": {
+ "dest_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "service_name": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- }
- }
- },
- "database-modify": {
- "fields": {
- "service_name": {
+ "src_port": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "server_group": {
+ "dest_port": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "operation": {
+ "auth_server": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "bytes_out": {
+ "uri": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "db_name": {
+ "web_domain": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "db_schema": {
+ "category": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "src_port": {
+ "event_subtype": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "dest_port": {
+ "event_name": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
}
}
},
"alert-trigger": {
"fields": {
- "alert_id": {
+ "action": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "db_name": {
- "core": "0",
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
- "informational": "0",
- "Status": "Legacy"
+ "informational": "0"
},
- "dest_host": {
+ "dest_port": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "dest_ip": {
+ "protocol": {
"Status": "Legacy",
- "core": "1",
+ "core": "0",
"detection": "1",
"informational": "0"
},
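Review bot: `"expression": "product = fortinet utm"` in the new "fortinet utm" product leaves the product name unquoted, whereas every other expression in this diff escapes it (`"product = \"fortinet vpn\""`, `"product = \"fortinet enterprise firewall\""`); the line it replaces (`product = imperva securesphere`) had the same defect, so this looks inherited rather than intended, and a two-word unquoted value may not evaluate the same way as the quoted form. Suggest `"expression": "product = \"fortinet utm\""`. Two smaller points in the same hunk: the fortinet utm "http-request" block introduces a field named `app` while the rest of the diff uses `application` (see the removed `"application"` entries), and in "fortinet vpn" the same fields change status between activities ("realm" and "src_translated_ip" are `Default` in vpn-login but `Legacy`/unset in vpn-logout, and "bytes_in" has no "Status" at all); renaming `app` to `application` and giving every field an explicit "Status" would keep the mappings consistent.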
@@ -47556,7 +58871,7 @@
"detection": "1",
"informational": "0"
},
- "server_group": {
+ "target": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -47572,170 +58887,89 @@
"detection": "0",
"informational": "0"
},
- "application": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "database_schema": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "service_name": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
"src_port": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "imperva file activity monitoring": {
- "expression": "product = \"imperva file activity monitoring\"",
- "fields": {
- "user": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_port": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "protocol": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dest_host": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "access": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "access_type": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "service_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "server_group": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "file-write": {
- "fields": {}
- },
- "file-read": {
- "fields": {}
- },
- "file-delete": {
- "fields": {}
- },
- "file-permission-modify": {
- "fields": {}
- }
- }
- },
- "imperva incapsula": {
- "expression": "product = \"imperva incapsula\"",
+ "fortinet enterprise firewall": {
+ "expression": "product = \"fortinet enterprise firewall\"",
"fields": {},
"activity_type": {
- "http-session": {
+ "network-session": {
"fields": {
- "country_code": {
+ "severity": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- }
- }
- },
- "microsoft iis": {
- "expression": "product = \"microsoft iis\"",
- "fields": {
- "src_host": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "user": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- },
- "activity_type": {
- "http-session": {
- "fields": {}
- }
- }
- },
- "github": {
- "expression": "product = \"github\"",
- "fields": {
- "user": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "app-login": {
- "fields": {
- "src_ip": {
+ },
+ "action": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_interface": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes_in": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes_out": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_interface": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_country": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_country": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "user_agent": {
+ "src_translated_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_translated_ip": {
"Status": "Default",
"core": "0",
"detection": "0",
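Review bot: `"enriched": "1"` on "local_user_name" in the fortinet utm alert-trigger block introduces a fifth attribute that no other field entry in this diff carries apart from "domain_user_name" later on, and it is paired with all-zero core/detection/informational weights and no "Status". If "enriched" marks a derived field that consumers must treat differently, add it to whatever documents the Status/core/detection/informational attributes and state what the absence of the key means for existing entries; as written a reader cannot tell an enriched field from a typo.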
@@ -47743,45 +58977,51 @@
}
}
},
- "group-member-add": {
+ "app-activity": {
"fields": {
- "resource": {
+ "src_host": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "object": {
+ "src_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "additional_info": {
+ "src_port": {
+ "Status": "Default",
"core": "0",
"detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
- "core": "1",
+ "dest_ip": {
+ "Status": "Default",
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "operation": {
+ "dest_port": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- }
- }
- },
- "user-invite": {
- "fields": {
- "resource": {
+ "informational": "1"
+ },
+ "service_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "event_subtype": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -47792,37 +59032,75 @@
"core": "0",
"detection": "0",
"informational": "1"
- },
- "user": {
+ }
+ }
+ }
+ }
+ },
+ "fortiauthenticator": {
+ "expression": "product = \"fortiauthenticator\"",
+ "fields": {},
+ "activity_type": {
+ "app-authentication": {
+ "fields": {
+ "dest_host": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "operation": {
+ "additional_info": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
- },
- "group-member-remove": {
+ }
+ }
+ },
+ "fortinet fortiweb": {
+ "expression": "product = \"fortinet fortiweb\"",
+ "fields": {},
+ "activity_type": {
+ "http-session": {
"fields": {
- "resource": {
+ "domain": {
+ "Status": "Default",
"core": "0",
"detection": "0",
+ "informational": "1"
+ }
+ }
+ }
+ }
+ },
+ "fireeye endpoint security (hx)": {
+ "expression": "product = \"fireeye endpoint security (hx)\"",
+ "fields": {},
+ "activity_type": {
+ "file-write": {
+ "fields": {
+ "dest_ip": {
+ "core": "1",
+ "detection": "1",
"informational": "0"
},
- "object": {
+ "event_code": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "additional_info": {
+ "operation": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
"user": {
"Status": "Legacy",
@@ -47830,334 +59108,327 @@
"detection": "1",
"informational": "0"
},
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- }
- }
- },
- "user-create": {
- "fields": {
- "resource": {
+ "domain": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "object": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
- "additional_info": {
+ "event_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "user": {
+ "process_name": {
"Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "operation": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
}
}
},
- "branch-protection-enable": {
+ "http-session": {
+ "fields": {}
+ },
+ "alert-trigger": {
"fields": {
- "resource": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "object": {
- "Status": "Default",
+ "alert_id": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
- "Status": "Default",
+ "process_command_line": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "user": {
- "Status": "Default",
- "core": "0",
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "operation": {
- "Status": "Default",
+ "domain": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "user-delete": {
- "fields": {
- "resource": {
+ "informational": "0"
+ },
+ "event_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "object": {
+ "hash_md5": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "additional_info": {
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
"user": {
"Status": "Legacy",
- "core": "1",
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "operation": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
+ }
+ }
+ },
+ "f5 big-ip dns": {
+ "expression": "product = \"f5 big-ip dns\"",
+ "fields": {},
+ "activity_type": {
+ "dns-response": {
+ "fields": {
+ "response_ttl": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
}
},
- "repository-create": {
+ "dns-request": {
+ "fields": {}
+ }
+ }
+ },
+ "f5 access policy manager": {
+ "expression": "product = \"f5 access policy manager\"",
+ "fields": {},
+ "activity_type": {
+ "vpn-login": {
"fields": {
- "resource": {
+ "src_translated_ip": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "session_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "user_agent": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
+ "src_host": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
- },
- "operation": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
}
}
},
- "group-modify": {
+ "vpn-logout": {
"fields": {
- "resource": {
+ "src_translated_ip": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "object": {
+ "session_id": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "additional_info": {
+ "user_agent": {
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "operation": {
+ "src_host": {
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
}
}
},
- "branch-protection-modify": {
+ "app-authentication": {
"fields": {
- "resource": {
+ "src_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "object": {
+ "dest_host": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "additional_info": {
+ "auth_method": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "operation": {
+ "event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
- },
- "branch-modify": {
+ }
+ }
+ },
+ "f5 big-ip advanced firewall module (afm)": {
+ "expression": "product = \"f5 big-ip advanced firewall module (afm)\"",
+ "fields": {},
+ "activity_type": {
+ "network-session": {
"fields": {
- "resource": {
+ "rule": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "src_translated_ip": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
+ "src_translated_port": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "operation": {
+ "dest_translated_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_translated_port": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
- },
- "repository-member-remove": {
+ }
+ }
+ },
+ "f5 big-ip application security manager (asm)": {
+ "expression": "product = \"f5 big-ip application security manager (asm)\"",
+ "fields": {},
+ "activity_type": {
+ "http-session": {
+ "fields": {}
+ }
+ }
+ },
+ "microsoft exchange": {
+ "expression": "product = \"microsoft exchange\"",
+ "fields": {},
+ "activity_type": {
+ "email-send": {
"fields": {
- "resource": {
+ "src_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "object": {
+ "src_host": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "additional_info": {
+ "dest_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "user": {
+ "dest_host": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "operation": {
+ "log_source": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "repository-member-add": {
- "fields": {
- "resource": {
+ },
+ "event_code": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "direction": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "traffic_type": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "operation": {
+ "bytes": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "repository-delete": {
- "fields": {
- "resource": {
+ },
+ "return_path": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "user_sid": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "process_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "operation": {
+ "src_port": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -48165,69 +59436,79 @@
}
}
},
- "user-modify": {
+ "email-receive": {
"fields": {
- "resource": {
+ "src_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "object": {
+ "src_host": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "additional_info": {
+ "dest_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "0",
+ "dest_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
"informational": "0"
},
- "operation": {
+ "log_source": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- }
- }
- },
- "group-delete": {
- "fields": {
- "resource": {
+ "informational": "1"
+ },
+ "event_code": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "object": {
+ "direction": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "additional_info": {
+ "traffic_type": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "user": {
- "Status": "Legacy",
- "core": "1",
+ "external_address": {
+ "Status": "Default",
+ "core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "operation": {
+ "bytes": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
+ },
+ "return_path": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
}
},
- "log-download": {
+ "mailbox-item-delete": {
"fields": {
- "resource": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -48251,41 +59532,65 @@
"detection": "1",
"informational": "0"
},
+ "src_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
"operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "email_address": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "email_domain": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "email_user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
}
},
- "group-repository-remove": {
+ "mailbox-item-create": {
"fields": {
- "resource": {
+ "email_address": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "email_domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "email_user": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
+ "operation": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "operation": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -48293,33 +59598,33 @@
}
}
},
- "group-repository-add": {
+ "mailbox-item-modify": {
"fields": {
- "resource": {
+ "email_address": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "email_domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "email_user": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
+ "operation": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "operation": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -48327,67 +59632,62 @@
}
}
},
- "branch-protection-disable": {
+ "user-modify": {
"fields": {
- "resource": {
- "Status": "Default",
+ "email_address": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "object": {
- "Status": "Default",
+ "email_domain": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "additional_info": {
- "Status": "Default",
+ "email_user": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "user": {
- "Status": "Default",
+ "operation": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "operation": {
- "Status": "Default",
+ "app": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
}
}
},
- "user-invite-cancel": {
+ "mailbox-modify": {
"fields": {
- "resource": {
+ "email_address": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "email_domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "email_user": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
+ "operation": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "operation": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -48395,33 +59695,33 @@
}
}
},
- "hook-modify": {
+ "mailbox-create": {
"fields": {
- "resource": {
+ "email_address": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "email_domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "email_user": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
+ "operation": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "operation": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -48429,33 +59729,39 @@
}
}
},
- "repository-modify": {
+ "app-login": {
"fields": {
- "resource": {
+ "dest_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "object": {
+ "src_ip": {
+ "Status": "Default",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user_agent": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "protocol": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
+ "bytes_in": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "operation": {
+ "bytes_out": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -48463,67 +59769,126 @@
}
}
},
- "hook-create": {
+ "alert-trigger": {
"fields": {
- "resource": {
- "Status": "Default",
+ "bytes": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "object": {
- "Status": "Default",
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "result": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "additional_info": {
- "Status": "Default",
+ "recipients": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "user": {
- "Status": "Default",
+ "recipient": {
"core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "sender": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "operation": {
- "Status": "Default",
+ "email_subject": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
}
}
+ }
+ }
+ },
+ "duo access security": {
+ "expression": "product = \"duo access security\"",
+ "fields": {
+ "object": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "repository-move": {
+ "result": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user_agent": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "location_city": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "location_state": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "location_country": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "os": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ },
+ "activity_type": {
+ "vpn-login": {
"fields": {
- "resource": {
+ "service_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "additional_info": {
+ }
+ }
+ },
+ "app-authentication": {
+ "fields": {
+ "session_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "operation": {
+ "new_enrollment": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -48531,33 +59896,28 @@
}
}
},
- "configuration-mfa-enable": {
+ "user-create": {
"fields": {
- "resource": {
- "Status": "Default",
+ "factor": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
- "Status": "Default",
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
- "Status": "Default",
+ "alert_type": {
"core": "0",
"detection": "0",
"informational": "1"
- },
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "operation": {
+ }
+ }
+ },
+ "app-login": {
+ "fields": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -48567,13 +59927,25 @@
},
"app-activity": {
"fields": {
- "object": {
+ "user": {
+ "Status": "Default",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "resource": {
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "auth_method": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -48583,89 +59955,145 @@
}
}
},
- "fortinet vpn": {
- "expression": "product = \"fortinet vpn\"",
+ "dtex intercept": {
+ "expression": "product = \"dtex intercept\"",
"fields": {
- "src_ip": {
- "core": "0",
+ "user": {
+ "core": "1",
"detection": "1",
"informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"activity_type": {
- "vpn-login": {
+ "file-write": {
"fields": {
- "realm": {
- "Status": "Default",
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_translated_ip": {
- "Status": "Default",
+ "process_dir": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "access": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "bytes": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
}
}
},
- "vpn-logout": {
+ "file-read": {
"fields": {
- "realm": {
+ "process_name": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_translated_ip": {
+ "process_dir": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes_in": {
+ "access": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "bytes": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "file-delete": {
+ "fields": {
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes_out": {
+ "process_dir": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "access": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "bytes": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
}
},
- "vpn-authentication": {
+ "process-create": {
+ "fields": {}
+ },
+ "endpoint-lock": {
"fields": {
- "additional_info": {
- "Status": "Default",
+ "event_code": {
"core": "0",
"detection": "0",
"informational": "1"
}
}
- }
- }
- },
- "fortinet utm": {
- "expression": "product = fortinet utm",
- "fields": {},
- "activity_type": {
- "http-session": {
+ },
+ "endpoint-unlock": {
"fields": {
- "group_name": {
- "Status": "Default",
+ "event_code": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "policy_id": {
+ }
+ }
+ },
+ "http-session": {
+ "fields": {
+ "os": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "additional_info": {
+ }
+ }
+ },
+ "endpoint-login": {
+ "fields": {
+ "event_code": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -48673,15 +60101,59 @@
}
}
},
- "http-request": {
+ "printer-activity": {
"fields": {
- "application": {
- "Status": "Default",
+ "printer_name": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "num_pages": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "operation": {
+ "bytes": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ }
+ }
+ },
+ "dropbox": {
+ "expression": "product = \"dropbox\"",
+ "fields": {
+ "user": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
+ "activity_type": {
+ "app-activity": {
+ "fields": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -48693,622 +60165,646 @@
"detection": "0",
"informational": "1"
},
- "auth_server": {
+ "resource": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
+ }
+ }
+ },
+ "file-write": {
+ "fields": {
+ "access": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
},
- "event_name": {
- "Status": "Default",
+ "file_type": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "service_name": {
- "Status": "Default",
+ "file_dir_uri": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_subtype": {
- "Status": "Default",
+ "src_file_name": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "operation": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
+ },
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
}
}
},
- "endpoint-authentication": {
+ "file-read": {
"fields": {
- "src_ip": {
- "Status": "Default",
+ "access": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "dest_ip": {
- "Status": "Default",
+ "file_type": {
+ "Status": "Legacy",
"core": "0",
- "detection": "1",
+ "detection": "0",
+ "informational": "1"
+ },
+ "file_dir_uri": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_file_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
}
}
},
- "app-activity": {
+ "file-permission-modify": {
"fields": {
- "user": {
- "Status": "Default",
- "core": "1",
+ "access": {
+ "Status": "Legacy",
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "src_ip": {
- "Status": "Default",
+ "file_type": {
+ "Status": "Legacy",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "dest_ip": {
- "Status": "Default",
+ "file_dir_uri": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "src_port": {
- "Status": "Default",
+ "src_file_name": {
"core": "0",
"detection": "0",
"informational": "1"
- },
- "dest_port": {
+ }
+ }
+ },
+ "app-login": {
+ "fields": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "auth_server": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
+ }
+ }
+ },
+ "user-modify": {
+ "fields": {
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
},
- "uri": {
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
+ },
+ "share-mount": {
+ "fields": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "web_domain": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "category": {
+ }
+ }
+ },
+ "report-export": {
+ "fields": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_subtype": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "event_name": {
- "Status": "Default",
+ }
+ }
+ },
+ "file-download": {
+ "fields": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "1"
}
}
},
- "alert-trigger": {
+ "file-delete": {
"fields": {
- "action": {
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ }
+ }
+ },
+ "digital guardian endpoint protection": {
+ "expression": "product = \"digital guardian endpoint protection\"",
+ "fields": {
+ "user": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_code": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
+ "activity_type": {
+ "file-write": {
+ "fields": {
+ "process_name": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_ip": {
+ "src_file_name": {
"Status": "Legacy",
- "core": "1",
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "dest_port": {
+ "src_file_dir": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "protocol": {
+ "bytes": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "src_host": {
- "Status": "Legacy",
- "core": "1",
+ "dest_ip": {
+ "core": "0",
"detection": "1",
"informational": "0"
},
"src_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "target": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "user": {
- "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "additional_info": {
+ "src_host": {
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
- },
- "src_port": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
}
}
- }
- }
- },
- "fortinet enterprise firewall": {
- "expression": "product = \"fortinet enterprise firewall\"",
- "fields": {},
- "activity_type": {
- "network-session": {
+ },
+ "file-read": {
"fields": {
- "severity": {
- "Status": "Default",
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "action": {
- "Status": "Default",
+ "src_file_name": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_interface": {
- "Status": "Default",
+ "src_file_dir": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes_in": {
- "Status": "Default",
+ "bytes": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes_out": {
- "Status": "Default",
+ "dest_ip": {
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "dest_interface": {
- "Status": "Default",
+ "src_ip": {
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "src_country": {
- "Status": "Default",
+ "src_host": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "file-delete": {
+ "fields": {
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_country": {
- "Status": "Default",
+ "src_file_name": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_translated_port": {
- "Status": "Default",
+ "src_file_dir": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_translated_ip": {
- "Status": "Default",
+ "bytes": {
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "app-activity": {
- "fields": {
- "src_host": {
- "Status": "Default",
+ },
+ "dest_ip": {
"core": "0",
"detection": "1",
"informational": "0"
},
"src_ip": {
- "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "src_port": {
- "Status": "Default",
+ "src_host": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "file-upload": {
+ "fields": {
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_host": {
- "Status": "Default",
+ "bytes": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
"dest_ip": {
- "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "dest_port": {
- "Status": "Default",
+ "src_ip": {
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "service_name": {
- "Status": "Default",
+ "src_host": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_subtype": {
- "Status": "Default",
+ "src_port": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
- "Status": "Default",
+ "dest_port": {
"core": "0",
"detection": "0",
"informational": "1"
}
}
- }
- }
- },
- "fortiauthenticator": {
- "expression": "product = \"fortiauthenticator\"",
- "fields": {},
- "activity_type": {
- "app-authentication": {
+ },
+ "file-download": {
"fields": {
- "dest_host": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "additional_info": {
- "Status": "Default",
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_name": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- }
- }
- },
- "fortinet fortiweb": {
- "expression": "product = \"fortinet fortiweb\"",
- "fields": {},
- "activity_type": {
- "http-session": {
- "fields": {
- "domain": {
- "Status": "Default",
+ "bytes": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- }
- }
- },
- "fireeye endpoint security (hx)": {
- "expression": "product = \"fireeye endpoint security (hx)\"",
- "fields": {},
- "activity_type": {
- "file-write": {
- "fields": {
- "dest_ip": {
- "core": "1",
"detection": "1",
"informational": "0"
},
- "event_code": {
+ "dest_ip": {
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "operation": {
+ "src_ip": {
"core": "0",
- "detection": "0",
- "informational": "1"
- },
- "user": {
- "Status": "Legacy",
- "core": "1",
"detection": "1",
"informational": "0"
},
- "domain": {
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_name": {
+ "src_port": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_name": {
- "Status": "Legacy",
+ "dest_port": {
"core": "0",
"detection": "0",
"informational": "1"
}
}
},
- "http-session": {
- "fields": {}
- },
- "alert-trigger": {
+ "file-copy": {
"fields": {
- "alert_id": {
- "Status": "Legacy",
+ "src_host": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "process_command_line": {
+ "process_name": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "dest_ip": {
+ "informational": "1"
+ }
+ }
+ },
+ "printer-activity": {
+ "fields": {
+ "printer_name": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "event_name": {
+ "dest_ip": {
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "hash_md5": {
+ "src_host": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "process_name": {
+ "bytes": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
+ "object": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
}
}
- }
- }
- },
- "f5 big-ip dns": {
- "expression": "product = \"f5 big-ip dns\"",
- "fields": {},
- "activity_type": {
- "dns-response": {
+ },
+ "network-session": {
"fields": {
- "response_ttl": {
+ "process_name": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
},
- "dns-request": {
- "fields": {}
- }
- }
- },
- "f5 access policy manager": {
- "expression": "product = \"f5 access policy manager\"",
- "fields": {},
- "activity_type": {
- "vpn-login": {
+ "peripheral_storage-insert": {
"fields": {
- "src_translated_ip": {
- "Status": "Default",
+ "rule": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "session_id": {
- "Status": "Default",
+ "rule_action": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "user_agent": {
- "Status": "Default",
+ "policy_name": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_host": {
- "Status": "Default",
+ "os": {
"core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "vpn-logout": {
- "fields": {
- "src_translated_ip": {
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "session_id": {
+ "file_dir": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "user_agent": {
+ "file_name": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_host": {
+ "bytes": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
}
}
},
- "app-authentication": {
+ "email-send": {
"fields": {
- "src_ip": {
+ "dest_host": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "dest_host": {
+ "src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "auth_method": {
+ "dest_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "event_name": {
+ "bytes": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
- }
- }
- },
- "f5 big-ip advanced firewall module (afm)": {
- "expression": "product = \"f5 big-ip advanced firewall module (afm)\"",
- "fields": {},
- "activity_type": {
- "network-session": {
+ },
+ "endpoint-login": {
"fields": {
- "rule": {
+ "process_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "event_name": {
+ }
+ }
+ },
+ "app-login": {
+ "fields": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "src_translated_ip": {
+ }
+ }
+ },
+ "process-create": {
+ "fields": {
+ "dest_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_translated_port": {
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ }
+ }
+ },
+ "gallagher access control": {
+ "expression": "product = \"gallagher access control\"",
+ "fields": {},
+ "activity_type": {
+ "physical_location-access": {
+ "fields": {}
+ }
+ }
+ },
+ "oracle access manager": {
+ "expression": "product = \"oracle access manager\"",
+ "fields": {
+ "user": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
+ "activity_type": {
+ "app-activity": {
+ "fields": {
+ "src_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "dest_translated_ip": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_translated_port": {
+ "resource": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
- }
- }
- },
- "f5 big-ip application security manager (asm)": {
- "expression": "product = \"f5 big-ip application security manager (asm)\"",
- "fields": {},
- "activity_type": {
- "http-session": {
- "fields": {}
- }
- }
- },
- "microsoft exchange": {
- "expression": "product = \"microsoft exchange\"",
- "fields": {},
- "activity_type": {
- "email-send": {
+ },
+ "app-login": {
"fields": {
"src_ip": {
"Status": "Default",
@@ -49316,11 +60812,17 @@
"detection": "1",
"informational": "0"
},
- "src_host": {
+ "object": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
+ },
+ "resource": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
"dest_ip": {
"Status": "Default",
@@ -49334,125 +60836,131 @@
"detection": "1",
"informational": "0"
},
- "log_source": {
+ "auth_method": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "event_code": {
+ }
+ }
+ }
+ }
+ },
+ "adaxes": {
+ "expression": "product = \"adaxes\"",
+ "fields": {},
+ "activity_type": {
+ "app-activity": {
+ "fields": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "direction": {
+ "user": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "traffic_type": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "return_path": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user_sid": {
+ "target": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "process_name": {
+ }
+ }
+ }
+ }
+ },
+ "airwatch": {
+ "expression": "product = \"airwatch\"",
+ "fields": {},
+ "activity_type": {
+ "endpoint-authentication": {
+ "fields": {
+ "device_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_port": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
- },
- "email-receive": {
+ }
+ }
+ },
+ "anywhere365": {
+ "expression": "product = \"anywhere365\"",
+ "fields": {
+ "event_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "app-activity": {
"fields": {
- "src_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_host": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_host": {
+ "user": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "log_source": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "event_code": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "direction": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "traffic_type": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "external_address": {
+ "alert_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes": {
+ "src_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
- },
- "return_path": {
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "call-receive": {
+ "fields": {
+ "recipients": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -49460,91 +60968,139 @@
}
}
},
- "mailbox-item-delete": {
+ "app-notification": {
"fields": {
- "application": {
+ "src_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "object": {
+ "alert_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "additional_info": {
+ }
+ }
+ }
+ }
+ },
+ "apache guacamole": {
+ "expression": "product = \"apache guacamole\"",
+ "fields": {},
+ "activity_type": {
+ "app-login": {
+ "fields": {
+ "src_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "user": {
+ "dest_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
- },
+ }
+ }
+ }
+ }
+ },
+ "apc": {
+ "expression": "product = \"apc\"",
+ "fields": {},
+ "activity_type": {
+ "endpoint-login": {
+ "fields": {
"src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
+ }
+ }
+ }
+ }
+ },
+ "aruba clearpass policy manager": {
+ "expression": "product = \"aruba clearpass policy manager\"",
+ "fields": {
+ "auth_type": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "endpoint-authentication": {
+ "fields": {
+ "user_type": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "operation": {
+ "src_mac": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "email_address": {
+ "network": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "email_domain": {
+ "event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "email_user": {
+ "dest_mac": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "mailbox-item-create": {
- "fields": {
- "email_address": {
+ },
+ "src_port": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "email_domain": {
+ "dest_port": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "email_user": {
+ "auth_server": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "access_type": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "application": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -49552,96 +61108,107 @@
}
}
},
- "mailbox-item-modify": {
+ "endpoint-login": {
"fields": {
- "email_address": {
+ "user_type": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "email_domain": {
+ "src_mac": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "email_user": {
+ "network": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "dest_mac": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "application": {
+ "session_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "user-modify": {
- "fields": {
- "email_address": {
- "core": "0",
- "detection": "0",
- "informational": "0"
},
- "email_domain": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "email_user": {
+ "src_port": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "operation": {
+ "dest_port": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "application": {
+ "access_type": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
}
}
},
- "mailbox-modify": {
+ "endpoint-policy-verify": {
"fields": {
- "email_address": {
+ "session_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "email_domain": {
+ }
+ }
+ }
+ }
+ },
+ "aruba mobility master": {
+ "expression": "product = \"aruba mobility master\"",
+ "fields": {},
+ "activity_type": {
+ "endpoint-authentication": {
+ "fields": {
+ "src_mac": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "email_user": {
+ "src_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_port": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "dest_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_port": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "application": {
+ "auth_server": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -49649,184 +61216,103 @@
}
}
},
- "mailbox-create": {
+ "endpoint-login": {
"fields": {
- "email_address": {
+ "src_mac": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "email_domain": {
+ "src_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_port": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "email_user": {
+ "dest_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_port": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "auth_type": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "application": {
+ "auth_server": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
- },
- "app-login": {
+ }
+ }
+ },
+ "aruba wireless controller": {
+ "expression": "product = \"aruba wireless controller\"",
+ "fields": {},
+ "activity_type": {
+ "app-authentication": {
"fields": {
- "dest_ip": {
+ "domain": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
"src_ip": {
"Status": "Default",
- "core": "1",
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "user_agent": {
+ "access_type": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "protocol": {
+ "user_type": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes_in": {
+ "dest_mac": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes_out": {
+ "session_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "alert-trigger": {
- "fields": {
- "bytes": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
},
"dest_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "result": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "recipients": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "recipient": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "0"
- },
- "sender": {
- "Status": "Legacy",
- "core": "1",
- "detection": "0",
- "informational": "0"
- },
- "src_host": {
- "Status": "Legacy",
- "core": "1",
"detection": "1",
"informational": "0"
},
- "email_subject": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- }
- }
- }
- }
- },
- "duo access security": {
- "expression": "product = \"duo access security\"",
- "fields": {
- "object": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "result": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "user_agent": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "location_city": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "location_state": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "location_country": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "operating_system": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- },
- "activity_type": {
- "vpn-login": {
- "fields": {
- "service_name": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "additional_info": {
+ "network": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -49834,66 +61320,45 @@
}
}
},
- "app-authentication": {
+ "endpoint-login": {
"fields": {
- "session_id": {
+ "src_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "new_enrollment": {
+ "access_type": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "user-create": {
- "fields": {
- "factor": {
- "core": "0",
- "detection": "0",
- "informational": "1"
},
- "additional_info": {
+ "user_type": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "alert_type": {
+ "dest_mac": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "app-login": {
- "fields": {
- "additional_info": {
+ },
+ "session_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "app-activity": {
- "fields": {
- "user": {
- "Status": "Default",
- "core": "1",
- "detection": "1",
- "informational": "0"
},
- "domain": {
+ "dest_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "auth_method": {
+ "network": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -49903,8 +61368,8 @@
}
}
},
- "dtex intercept": {
- "expression": "product = \"dtex intercept\"",
+ "assetview": {
+ "expression": "product = \"assetview\"",
"fields": {
"user": {
"core": "1",
@@ -49915,161 +61380,265 @@
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"activity_type": {
- "file-write": {
+ "file-download": {
"fields": {
"process_name": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
+ }
+ }
+ },
+ "file-write": {
+ "fields": {
+ "asset_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "process_dir": {
+ "process_name": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
+ }
+ }
+ },
+ "printer-activity": {
+ "fields": {
+ "printer_name": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
},
- "access": {
+ "num_pages": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "bytes": {
- "Status": "Legacy",
+ "asset_id": {
"core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "file_name": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
}
}
},
- "file-read": {
+ "peripheral_storage-insert": {
"fields": {
- "process_name": {
- "Status": "Legacy",
+ "usb_serial_number": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_dir": {
- "Status": "Legacy",
+ "usb_vendor": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "access": {
- "Status": "Legacy",
+ "vendor_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ }
+ }
+ },
+ "asupim": {
+ "expression": "product = \"asupim\"",
+ "fields": {},
+ "activity_type": {
+ "printer-activity": {
+ "fields": {
+ "src_ip": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "bytes": {
- "Status": "Legacy",
+ "src_mac": {
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "file-delete": {
- "fields": {
- "process_name": {
- "Status": "Legacy",
+ },
+ "device_id": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_dir": {
+ "num_pages": {
"Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "event_name": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "access": {
+ "file_name": {
"Status": "Legacy",
- "core": "0",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "bytes": {
+ "file_path": {
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "process-create": {
- "fields": {}
- },
- "endpoint-lock": {
- "fields": {
- "event_code": {
+ },
+ "file_dir": {
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "endpoint-unlock": {
- "fields": {
- "event_code": {
- "Status": "Legacy",
+ },
+ "file_ext": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "device_type": {
"core": "0",
"detection": "0",
"informational": "1"
}
}
+ }
+ }
+ },
+ "atlassian bitbucket": {
+ "expression": "product = \"atlassian bitbucket\"",
+ "fields": {
+ "user": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
},
- "http-session": {
+ "domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
+ "activity_type": {
+ "app-activity": {
"fields": {
- "operating_system": {
+ "src_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "endpoint-login": {
- "fields": {
- "event_code": {
+ },
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
+ }
+ }
+ },
+ "avaya ethernet routing switch": {
+ "expression": "product = \"avaya ethernet routing switch\"",
+ "fields": {
+ "event_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "printer-activity": {
+ "src_ip": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ }
+ },
+ "activity_type": {
+ "app-login": {
+ "fields": {}
+ },
+ "app-authentication": {
"fields": {
- "printer_name": {
- "Status": "Legacy",
- "core": "1",
+ "dest_ip": {
+ "Status": "Default",
+ "core": "0",
"detection": "1",
"informational": "0"
- },
- "num_pages": {
- "Status": "Legacy",
+ }
+ }
+ }
+ }
+ },
+ "avaya vpn": {
+ "expression": "product = \"avaya vpn\"",
+ "fields": {},
+ "activity_type": {
+ "vpn-login": {
+ "fields": {
+ "dest_ip": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "bytes": {
- "Status": "Legacy",
+ "realm": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
}
}
}
}
},
- "dropbox": {
- "expression": "product = \"dropbox\"",
+ "axway sftp": {
+ "expression": "product = \"axway sftp\"",
"fields": {
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "event_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
"user": {
"core": "1",
"detection": "1",
@@ -50080,73 +61649,110 @@
"detection": "0",
"informational": "1"
},
- "src_ip": {
+ "domain_user_name": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "user_dn": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
},
"activity_type": {
- "app-activity": {
+ "file-upload": {
+ "fields": {}
+ },
+ "endpoint-login": {
"fields": {
- "object": {
+ "auth_package": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
+ }
+ }
+ },
+ "app-authentication": {
+ "fields": {
+ "src_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
},
- "additional_info": {
+ "auth_method": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "resource": {
+ "src_port": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
- },
- "file-write": {
+ }
+ }
+ },
+ "badge": {
+ "expression": "product = \"badge\"",
+ "fields": {},
+ "activity_type": {
+ "physical_location-access": {
+ "fields": {}
+ }
+ }
+ },
+ "egnyte": {
+ "expression": "product = \"egnyte\"",
+ "fields": {},
+ "activity_type": {
+ "app-login": {
"fields": {
- "access": {
- "Status": "Legacy",
+ "event_subtype": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "file_type": {
- "Status": "Legacy",
+ "dproc": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_dir_uri": {
+ "app": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_file_name": {
- "Status": "Legacy",
+ "src_ip": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
"operation": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "additional_info": {
+ "event_name": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
}
}
},
- "file-read": {
+ "file-permission-modify": {
"fields": {
"access": {
"Status": "Legacy",
@@ -50154,78 +61760,55 @@
"detection": "1",
"informational": "0"
},
- "file_type": {
- "Status": "Legacy",
+ "object": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_dir_uri": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
},
- "src_file_name": {
+ "service_name": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "domain": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "additional_info": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
}
}
},
- "file-permission-modify": {
+ "group-member-add": {
"fields": {
- "access": {
+ "user": {
"Status": "Legacy",
- "core": "0",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "file_type": {
+ "domain": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_dir_uri": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_file_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "app-login": {
- "fields": {
- "operation": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "additional_info": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "user-modify": {
- "fields": {
"additional_info": {
"core": "0",
"detection": "0",
@@ -50238,338 +61821,251 @@
}
}
},
- "share-mount": {
+ "group-member-remove": {
"fields": {
- "additional_info": {
- "Status": "Default",
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "report-export": {
- "fields": {
+ "informational": "0",
+ "enriched": "1"
+ },
"additional_info": {
- "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
"operation": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "file-download": {
- "fields": {
- "additional_info": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "file-delete": {
- "fields": {
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "informational": "0"
}
}
- }
- }
- },
- "digital guardian endpoint protection": {
- "expression": "product = \"digital guardian endpoint protection\"",
- "fields": {
- "user": {
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "1"
},
- "event_code": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "file-write": {
+ "user-mfa-disable": {
"fields": {
- "process_name": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_file_name": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_file_dir": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "bytes": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
+ "user": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "src_host": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "file-read": {
- "fields": {
- "process_name": {
- "Status": "Legacy",
+ "domain": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_file_name": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "src_file_dir": {
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes": {
- "Status": "Legacy",
+ "operation": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "dest_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_host": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
}
}
},
- "file-delete": {
+ "user-mfa-enable": {
"fields": {
- "process_name": {
- "Status": "Legacy",
+ "user": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "src_file_name": {
+ "domain": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_file_dir": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "bytes": {
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_host": {
- "Status": "Legacy",
+ "operation": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
}
}
},
- "file-upload": {
+ "user-permission-modify": {
"fields": {
- "process_name": {
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "domain": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "dest_ip": {
+ "additional_info": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "src_ip": {
+ "operation": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
- },
- "src_host": {
- "Status": "Legacy",
+ }
+ }
+ },
+ "app-authentication": {
+ "fields": {
+ "domain": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_port": {
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_port": {
+ "operation": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
},
- "file-download": {
+ "user-disable": {
"fields": {
- "process_name": {
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes": {
- "Status": "Legacy",
+ "domain_user_name": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
},
- "dest_ip": {
+ "additional_info": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "src_ip": {
+ "operation": {
"core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
+ },
+ "user-enable": {
+ "fields": {
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "dest_host": {
+ "domain": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_port": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "dest_port": {
+ "additional_info": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "file-copy": {
- "fields": {
- "src_host": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
"informational": "0"
},
- "process_name": {
- "Status": "Default",
+ "operation": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
}
}
},
- "printer-activity": {
+ "user-password-modify": {
"fields": {
- "printer_name": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "dest_ip": {
+ "user": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "src_host": {
- "Status": "Legacy",
+ "domain": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes": {
- "Status": "Legacy",
+ "domain_user_name": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
},
- "object": {
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "network-session": {
- "fields": {
- "process_name": {
+ },
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -50577,191 +62073,212 @@
}
}
},
- "peripheral_storage-insert": {
+ "user-password-reset": {
"fields": {
- "rule": {
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "rule_action": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "policy_name": {
+ "additional_info": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "operating_system": {
+ "operation": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
+ }
+ }
+ },
+ "user-delete": {
+ "fields": {
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
},
- "process_name": {
+ "domain": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_dir": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "file_name": {
+ "additional_info": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "bytes": {
+ "operation": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
}
}
},
- "email-send": {
+ "user-create": {
"fields": {
- "dest_host": {
- "Status": "Default",
- "core": "0",
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "src_ip": {
- "Status": "Default",
+ "domain": {
+ "Status": "Legacy",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "dest_ip": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
- "detection": "1",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "bytes": {
- "Status": "Default",
+ "operation": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
}
}
},
- "endpoint-login": {
+ "user-modify": {
"fields": {
- "process_name": {
- "Status": "Default",
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "domain": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "app-login": {
- "fields": {
- "application": {
- "Status": "Default",
+ },
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "process-create": {
- "fields": {
- "dest_ip": {
- "Status": "Default",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "additional_info": {
"core": "0",
- "detection": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "operation": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
}
}
}
}
},
- "gallagher access control": {
- "expression": "product = \"gallagher access control\"",
+ "cimtrak": {
+ "expression": "product = \"cimtrak\"",
"fields": {},
"activity_type": {
- "physical_location-access": {
- "fields": {}
- }
- }
- },
- "oracle access manager": {
- "expression": "product = \"oracle access manager\"",
- "fields": {
- "user": {
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "app-activity": {
+ "file-write": {
"fields": {
- "src_ip": {
- "Status": "Default",
+ "access": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "object": {
- "Status": "Default",
+ "process_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "process_path": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "resource": {
- "Status": "Default",
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "process_dir": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
}
}
},
- "app-login": {
+ "file-delete": {
"fields": {
- "src_ip": {
- "Status": "Default",
+ "access": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "object": {
- "Status": "Default",
+ "process_id": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "resource": {
- "Status": "Default",
+ "process_path": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_ip": {
- "Status": "Default",
+ "process_name": {
+ "Status": "Legacy",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "dest_host": {
- "Status": "Default",
- "core": "0",
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "auth_method": {
- "Status": "Default",
+ "process_dir": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
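Review bot: the `process_id` entries added under `cimtrak` → `file-write` and `file-delete` are `"core": "0"`, `"detection": "0"`, `"informational": "0"` with no `Status` key, while every sibling field in those objects has `"Status": "Legacy"` and at least one non-zero flag; a field that is neither core, detection nor informational contributes nothing to the mapping, so either classify it (or mark it with the `"enriched": "1"` convention used later in this patch) or drop it. Separately, `cimtrak` and `epic siem` are inserted here and the identical entries are deleted further down the file in a later hunk, so most of this diff is reorder churn; writing the file with product keys in a fixed (sorted) order would keep reviews focused on the actual field changes.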
@@ -50770,311 +62287,218 @@
}
}
},
- "adaxes": {
- "expression": "product = \"adaxes\"",
+ "epic siem": {
+ "expression": "product = \"epic siem\"",
"fields": {},
"activity_type": {
"app-activity": {
"fields": {
- "object": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
"user": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "domain": {
+ "resource": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "application": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "target": {
+ "src_host": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- }
- }
- },
- "airwatch": {
- "expression": "product = \"airwatch\"",
- "fields": {},
- "activity_type": {
- "endpoint-authentication": {
- "fields": {
- "device_name": {
+ "detection": "1",
+ "informational": "0"
+ },
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "account": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- }
- }
- },
- "anywhere365": {
- "expression": "product = \"anywhere365\"",
- "fields": {
- "event_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "app-activity": {
- "fields": {
- "user": {
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_host": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "domain": {
+ "result": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "alert_id": {
+ "event_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "call-receive": {
- "fields": {
- "recipients": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "app-notification": {
- "fields": {
- "src_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
},
- "alert_id": {
+ "user_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- }
- }
- },
- "apache guacamole": {
- "expression": "product = \"apache guacamole\"",
- "fields": {},
- "activity_type": {
- "app-login": {
- "fields": {
- "src_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
},
"dest_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- }
- }
- },
- "apc": {
- "expression": "product = apc",
- "fields": {},
- "activity_type": {
- "endpoint-login": {
- "fields": {
+ },
"src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
- "alert-trigger": {
+ "user-switch": {
"fields": {
- "src_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "src_host": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
- }
- }
- }
- }
- },
- "aruba clearpass policy manager": {
- "expression": "product = \"aruba clearpass policy manager\"",
- "fields": {
- "authentication_type": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dest_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "endpoint-authentication": {
- "fields": {
- "user_type": {
- "Status": "Default",
+ },
+ "dest_host": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "operation": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "src_mac": {
- "Status": "Default",
+ "result": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "network": {
- "Status": "Default",
+ "additional_info": {
"core": "0",
"detection": "0",
- "informational": "1"
- },
- "event_name": {
+ "informational": "0"
+ }
+ }
+ },
+ "user-password-modify": {
+ "fields": {
+ "dest_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "dest_mac": {
+ "resource": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_port": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_port": {
+ "src_host": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "auth_server": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "access_type": {
+ "src_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "additional_info": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "endpoint-login": {
- "fields": {
- "user_type": {
+ },
+ "event_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_mac": {
+ "user_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "network": {
+ }
+ }
+ },
+ "app-login": {
+ "fields": {
+ "dest_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "dest_mac": {
+ "resource": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "session_id": {
+ "src_host": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "src_port": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_port": {
+ "dest_host": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "access_type": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
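Review bot: every field in the new `epic siem` → `user-switch` block (`src_host`, `dest_host`, `operation`, `result`, `additional_info`) is `"core": "0"`, `"detection": "0"`, `"informational": "0"` with no `Status`, which is the all-zero pattern this patch otherwise uses only for enriched fields (compare `"local_user_name": { ... "enriched": "1" }` in the same hunk). If these are placeholders awaiting classification, say so in the commit message; otherwise `src_host` at least looks like a detection field for a user switch, as it is (`"detection": "1"`) in the neighbouring `user-password-modify` block.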
@@ -51082,496 +62506,394 @@
}
}
},
- "endpoint-policy-verify": {
+ "app-authentication": {
"fields": {
- "session_id": {
+ "dest_host": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
}
}
}
}
},
- "aruba mobility master": {
- "expression": "product = \"aruba mobility master\"",
+ "beyondtrust": {
+ "expression": "product = \"beyondtrust\"",
"fields": {},
"activity_type": {
- "endpoint-authentication": {
+ "app-login": {
"fields": {
- "src_mac": {
+ "result": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
+ "operation": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "src_port": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_ip": {
+ "src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
+ }
+ }
+ },
+ "app-activity": {
+ "fields": {
+ "user": {
+ "Status": "Default",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
},
- "dest_port": {
+ "src_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "auth_server": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "endpoint-login": {
- "fields": {
- "src_mac": {
+ },
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
+ "domain": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "src_port": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "dest_ip": {
+ "dest_user": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "dest_port": {
+ "dest_domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "authentication_type": {
+ "event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "auth_server": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "dest_domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
- }
- }
- },
- "aruba wireless controller": {
- "expression": "product = \"aruba wireless controller\"",
- "fields": {},
- "activity_type": {
- "app-authentication": {
+ },
+ "user-switch": {
"fields": {
- "domain": {
- "Status": "Default",
+ "dest_service_name": {
"core": "0",
"detection": "0",
- "informational": "1"
- },
- "src_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
"informational": "0"
},
- "access_type": {
- "Status": "Default",
+ "safe_value": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "user_type": {
- "Status": "Default",
+ "event_code": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_mac": {
- "Status": "Default",
+ "src_ip": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "session_id": {
- "Status": "Default",
+ "dest_host": {
"core": "0",
"detection": "0",
- "informational": "1"
- },
- "dest_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
"informational": "0"
},
- "network": {
- "Status": "Default",
+ "event_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
}
}
},
- "endpoint-login": {
+ "password-create": {
"fields": {
- "src_ip": {
+ "app": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "access_type": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user_type": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_mac": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "session_id": {
+ "dest_host": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "dest_ip": {
+ "account": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "network": {
+ "account_domain": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "account_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
- }
- }
- },
- "assetview": {
- "expression": "product = \"assetview\"",
- "fields": {
- "user": {
- "core": "1",
- "detection": "1",
- "informational": "0"
},
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "file-download": {
+ "endpoint-login": {
"fields": {
- "process_name": {
- "Status": "Legacy",
+ "user_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
},
- "file-write": {
+ "user-permission-modify": {
"fields": {
- "asset_id": {
+ "dest_port": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "process_name": {
- "Status": "Legacy",
+ "dest_ip": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "printer-activity": {
- "fields": {
- "printer_name": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
"informational": "0"
},
- "num_pages": {
- "Status": "Legacy",
+ "src_user": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "asset_id": {
+ "os": {
"core": "0",
"detection": "0",
- "informational": "1"
- },
- "file_name": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
"informational": "0"
- }
- }
- },
- "peripheral_storage-insert": {
- "fields": {
- "usb_serial_number": {
+ },
+ "session_id": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "usb_vendor": {
+ "email_user": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "vendor_id": {
+ "operation": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- }
- }
- },
- "asupim": {
- "expression": "product = \"asupim\"",
- "fields": {},
- "activity_type": {
- "printer-activity": {
- "fields": {
- "src_ip": {
- "core": "0",
- "detection": "1",
"informational": "0"
},
- "src_mac": {
+ "app": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "device_id": {
+ "full_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "num_pages": {
- "Status": "Legacy",
+ "src_port": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "event_name": {
+ "src_host": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_name": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "file_path": {
+ "additional_info": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "file_dir": {
+ "src_ip": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "file_ext": {
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "device_type": {
+ "event_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
}
}
}
}
},
- "atlassian bitbucket": {
- "expression": "product = \"atlassian bitbucket\"",
- "fields": {
- "user": {
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
+ "barracuda cloudgen firewall": {
+ "expression": "product = \"barracuda cloudgen firewall\"",
+ "fields": {},
"activity_type": {
- "app-activity": {
+ "vpn-login": {
"fields": {
- "src_ip": {
+ "src_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_host": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "object": {
+ "event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "src_translated_ip": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
- }
- }
- },
- "avaya ethernet routing switch": {
- "expression": "product = \"avaya ethernet routing switch\"",
- "fields": {
- "event_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
- "core": "1",
- "detection": "1",
- "informational": "0"
- }
- },
- "activity_type": {
- "app-login": {
- "fields": {}
},
- "app-authentication": {
+ "network-session": {
"fields": {
- "dest_ip": {
+ "dest_interface": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- }
- }
- },
- "avaya vpn": {
- "expression": "product = \"avaya vpn\"",
- "fields": {},
- "activity_type": {
- "vpn-login": {
- "fields": {
- "dest_ip": {
+ "detection": "0",
+ "informational": "1"
+ },
+ "dest_external_ip": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "realm": {
+ "bytes_in": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- }
- }
- },
- "axway sftp": {
- "expression": "product = \"axway sftp\"",
- "fields": {
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "event_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "user": {
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "user_dn": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "file-upload": {
- "fields": {}
- },
- "endpoint-login": {
- "fields": {
- "authentication_package": {
+ },
+ "src_interface": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rule": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "duration": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_translated_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes_out": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_code": {
"Status": "Default",
"core": "0",
"detection": "0",
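Review bot: the same all-zero classification recurs in `beyondtrust` → `user-switch` (`dest_service_name`, `safe_value`, `event_code`, `src_ip`, `dest_host`, `event_name`) and in most of `user-permission-modify` (`dest_port` through `event_name`, except the two `Legacy` host fields). For a privilege change, `src_user`, `src_ip` and `dest_ip` carrying `"detection": "0"` is surprising, and `src_ip` is `"detection": "1"` for the same product's `app-login` and `app-activity` a few lines above; please confirm this is deliberate or set the flags.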
@@ -51579,22 +62901,35 @@
}
}
},
- "app-authentication": {
+ "endpoint-login": {
"fields": {
"src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
+ }
+ }
+ }
+ }
+ },
+ "bind": {
+ "expression": "product = \"bind\"",
+ "fields": {},
+ "activity_type": {
+ "dns-request": {
+ "fields": {
+ "action": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "auth_method": {
- "Status": "Default",
+ "triggers": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_port": {
- "Status": "Default",
+ "event_name": {
"core": "0",
"detection": "0",
"informational": "1"
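Review bot: the `bind` → `dns-request` fields (`action`, `triggers`, `event_name`) omit the `Status` key that the `endpoint-login` → `src_ip` field just above carries (`"Status": "Default"`). If `Status` is optional with an implied default, document that default somewhere; otherwise add it here for consistency with the rest of the file.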
@@ -51603,143 +62938,157 @@
}
}
},
- "badge": {
- "expression": "product = \"badge\"",
- "fields": {},
- "activity_type": {
- "physical_location-access": {
- "fields": {}
- }
- }
- },
- "egnyte": {
- "expression": "product = \"egnyte\"",
+ "auditbeat": {
+ "expression": "product = \"auditbeat\"",
"fields": {},
"activity_type": {
- "app-login": {
+ "app-activity": {
"fields": {
- "event_subtype": {
+ "user": {
+ "Status": "Default",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dproc": {
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "account": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "account_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "process_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "application": {
+ "parent_process_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
+ "process_name": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "operation": {
+ "process_path": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_name": {
+ "process_command_line": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "file-permission-modify": {
- "fields": {
- "access": {
- "Status": "Legacy",
+ },
+ "operation_type": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "object": {
+ "syscall": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
+ "tag": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "service_name": {
+ "os": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "domain": {
+ "group_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
},
- "group-member-add": {
+ "network-session": {
"fields": {
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "Status": "Legacy",
+ "process_name": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "process_path": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "operation": {
+ "process_dir": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- }
- }
- },
- "group-member-remove": {
- "fields": {
+ "informational": "1"
+ },
"user": {
- "Status": "Legacy",
- "core": "1",
+ "Status": "Default",
+ "core": "0",
"detection": "1",
"informational": "0"
},
"domain": {
- "Status": "Legacy",
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
- "operation": {
+ "direction": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
+ },
+ "process_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
}
},
- "user-mfa-disable": {
+ "process-create": {
"fields": {
"user": {
"Status": "Default",
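Review bot: `auditbeat` → `network-session` (from `process_name` to `process_id`) defines only process and user fields and no `src_ip`/`dest_ip`/`dest_port`, while the product-level `"fields"` object is empty, so detections keyed on the connection itself have nothing to match on; confirm the address fields are meant to be absent or add them. In `app-activity`, `process_command_line`, `process_path` and `process_name` are all `"detection": "0", "informational": "1"`, leaving `user` and `account` as the only detection-flagged fields; for an auditd-derived process event the command line and path are usually what rules key on, so please confirm that classification is intentional.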
@@ -51753,13 +63102,25 @@
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "user_id": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
"additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "hash_md5": {
"Status": "Default",
"core": "0",
"detection": "0",
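Review bot: in `auditbeat` → `process-create`, `hash_md5` replaces `operation` but is flagged `"detection": "0", "informational": "1"`; a process hash is normally a detection key (indicator matching), so consider `"detection": "1"` unless hashes are deliberately excluded from detection here. The `domain_user_name` stanza added above `user_id` is the third copy of the identical enriched block within this product; the `ftp` entry later in this patch shows the schema supports product-level `"fields"`, which would let it be declared once.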
@@ -51767,7 +63128,7 @@
}
}
},
- "user-mfa-enable": {
+ "process-modify": {
"fields": {
"user": {
"Status": "Default",
@@ -51775,67 +63136,55 @@
"detection": "1",
"informational": "0"
},
- "domain": {
+ "os": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "audit_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "result": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "user-permission-modify": {
- "fields": {
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "0",
- "informational": "0"
},
- "domain": {
- "Status": "Legacy",
+ "operation_type": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "app": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "operation": {
+ "event_category": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- }
- }
- },
- "app-authentication": {
- "fields": {
- "domain": {
+ "informational": "1"
+ },
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "group_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "tags": {
"Status": "Default",
"core": "0",
"detection": "0",
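Review bot: `auditbeat` → `process-modify` names its field `tags` while `app-activity` in the same product uses `tag`; pick one spelling so consumers do not have to handle both. The block also carries `operation_type`, `operation`, `event_category`, `audit_id`, `result`, `app`, `group_id` and `tags` but no `process_name`/`process_path`/`process_id`, which `app-activity`, `network-session` and `process-create` for this product all have; check that the field identifying which process was modified was not dropped in the rewrite.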
@@ -51843,79 +63192,80 @@
}
}
},
- "user-disable": {
+ "endpoint-authentication": {
"fields": {
- "user": {
- "Status": "Legacy",
- "core": "1",
+ "src_ip": {
+ "Status": "Default",
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "domain": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
"additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "operation": {
+ "event_name": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
}
}
- },
- "user-enable": {
+ }
+ }
+ },
+ "bloxone ddi": {
+ "expression": "product = \"bloxone ddi\"",
+ "fields": {},
+ "activity_type": {
+ "dhcp-session": {
"fields": {
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "Status": "Legacy",
+ "dest_mac": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "dest_host": {
"core": "0",
- "detection": "0",
- "informational": "0"
+ "detection": "1",
+ "informational": "1"
},
- "operation": {
+ "dest_interface": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
}
}
},
- "user-password-modify": {
+ "network-session": {
"fields": {
- "user": {
+ "src_host": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "domain": {
+ "dest_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "rule_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "alert_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "alert_severity": {
"Status": "Default",
"core": "0",
"detection": "0",
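Review bot: `bloxone ddi` → `dhcp-session` → `dest_host` is flagged both `"detection": "1"` and `"informational": "1"`; in every other field in this patch the two flags are exclusive, so this looks like `detection` was flipped without flipping `informational`. Set `informational` to `"0"` or confirm dual classification is supported. The `dhcp-session` fields also omit `Status`, unlike the `network-session` block directly below them.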
@@ -51923,263 +63273,287 @@
}
}
},
- "user-password-reset": {
+ "dns-request": {
+ "fields": {}
+ }
+ }
+ },
+ "cds": {
+ "expression": "product = \"cds\"",
+ "fields": {},
+ "activity_type": {
+ "endpoint-login": {
"fields": {
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "Status": "Legacy",
+ "user_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "operation": {
+ "process_name": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- }
- }
- },
- "user-delete": {
- "fields": {
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
+ "informational": "1"
},
- "domain": {
- "Status": "Legacy",
+ "process_path": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "process_dir": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "operation": {
+ "informational": "1"
+ }
+ }
+ }
+ }
+ },
+ "centrify infrastructure services": {
+ "expression": "product = \"centrify infrastructure services\"",
+ "fields": {},
+ "activity_type": {
+ "process-create": {
+ "fields": {
+ "src_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
}
}
+ }
+ }
+ },
+ "ftp": {
+ "expression": "product = \"ftp\"",
+ "fields": {
+ "src_ip": {
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
},
- "user-create": {
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
+ "activity_type": {
+ "file-write": {
"fields": {
- "user": {
+ "bytes": {
"Status": "Legacy",
- "core": "1",
+ "core": "0",
"detection": "1",
"informational": "0"
- },
- "domain": {
+ }
+ }
+ },
+ "file-read": {
+ "fields": {
+ "bytes": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "0"
}
}
},
- "user-modify": {
+ "file-delete": {
+ "fields": {}
+ },
+ "app-activity": {
"fields": {
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "0",
- "informational": "0"
- },
- "domain": {
- "Status": "Legacy",
+ "object": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "operation": {
+ "bytes": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
}
}
}
}
},
- "cimtrak": {
- "expression": "product = \"cimtrak\"",
- "fields": {},
+ "powertech identity & access manager": {
+ "expression": "product = \"powertech identity & access manager\"",
+ "fields": {
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
"activity_type": {
"file-write": {
"fields": {
- "access": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "process_id": {
+ "event_code": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "process_path": {
- "Status": "Legacy",
+ "src_ip": {
"core": "0",
"detection": "1",
"informational": "0"
- },
- "process_name": {
- "Status": "Legacy",
+ }
+ }
+ },
+ "file-read": {
+ "fields": {
+ "event_code": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
- "Status": "Legacy",
- "core": "1",
+ "src_ip": {
+ "core": "0",
"detection": "1",
"informational": "0"
- },
- "process_dir": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
}
}
},
"file-delete": {
"fields": {
- "access": {
- "Status": "Legacy",
+ "event_code": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_ip": {
"core": "0",
"detection": "1",
"informational": "0"
- },
- "process_id": {
+ }
+ }
+ },
+ "user-switch": {
+ "fields": {
+ "event_code": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "process_path": {
- "Status": "Legacy",
+ "dest_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "endpoint-login": {
+ "fields": {}
+ },
+ "process-create": {
+ "fields": {
+ "event_code": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_name": {
- "Status": "Legacy",
+ "src_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
- },
- "user": {
- "Status": "Legacy",
- "core": "1",
"detection": "1",
"informational": "0"
- },
- "process_dir": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
}
}
}
}
},
- "epic siem": {
- "expression": "product = \"epic siem\"",
+ "unix auditd": {
+ "expression": "product = \"unix auditd\"",
"fields": {},
"activity_type": {
- "app-activity": {
+ "endpoint-login": {
"fields": {
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "resource": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "event_code": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_host": {
+ "process_path": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "additional_info": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "account": {
+ "dest_port": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "dest_host": {
+ "src_host": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "result": {
+ "user_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_id": {
+ "service_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "application": {
+ "result": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user_id": {
+ "process_dir": {
"Status": "Default",
"core": "0",
"detection": "0",
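Review bot: in `ftp`, the same `bytes` field is `"detection": "1"` under `file-write` but `"informational": "1"` under `file-read`, both tagged `Legacy`; if the asymmetry is intended, a line in the commit message explaining it would help, otherwise align the two. `powertech identity & access manager` → `endpoint-login` is added as `"fields": {}`, so that activity type maps nothing beyond the product-level `user`/`domain`/`domain_user_name` and has no source address at all; confirm that is deliberate.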
@@ -52191,82 +63565,83 @@
"detection": "1",
"informational": "0"
},
- "src_ip": {
+ "event_name": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "user-switch": {
- "fields": {
- "src_host": {
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "dest_host": {
+ "src_port": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "operation": {
+ "process_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "result": {
+ "auth_process": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "additional_info": {
+ "process_name": {
+ "Status": "Default",
"core": "0",
"detection": "0",
+ "informational": "1"
+ },
+ "src_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
"informational": "0"
}
}
},
- "user-password-modify": {
+ "process-create": {
"fields": {
- "dest_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "resource": {
+ "event_code": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "dest_port": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_host": {
+ "account_id": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "additional_info": {
+ "service_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
+ "dest_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "operation": {
+ "event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
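Review bot: the field added here as "auth_process" under the unix auditd "endpoint-login" activity type was previously named "authentication_process" (see the removed old "unix auditd" block later in this diff), so the relocation also renames a field; anything that resolves fields by name (parsers, mapping tables, saved searches) will silently lose this attribute. Either keep "authentication_process" or call the rename out in the commit message and update the consumers in the same change. The surrounding `- "informational": "0"` / `+ "informational": "1"` pairs are artefacts of the old "user-switch" block being diffed against the new fields, not real flag changes.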
@@ -52278,323 +63653,210 @@
"detection": "0",
"informational": "1"
},
- "user_id": {
+ "src_port": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "app-login": {
- "fields": {
- "dest_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
},
- "resource": {
+ "user_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_host": {
+ "user": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "additional_info": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
"dest_host": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "operation": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "app-authentication": {
- "fields": {
- "dest_host": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
},
- "src_host": {
+ "src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
}
}
- }
- }
- },
- "beyondtrust": {
- "expression": "product = \"beyondtrust\"",
- "fields": {},
- "activity_type": {
- "app-login": {
+ },
+ "endpoint-authentication": {
"fields": {
- "result": {
+ "process_path": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "operation_type": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
+ "dest_port": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "app-activity": {
- "fields": {
- "user": {
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_host": {
"Status": "Default",
- "core": "1",
+ "core": "0",
"detection": "1",
"informational": "0"
},
- "src_ip": {
+ "account": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "object": {
+ "account_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "application": {
+ "service_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "domain": {
+ "process_dir": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_user": {
+ "dest_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "dest_domain": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
"event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "event_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "user-switch": {
- "fields": {
- "dest_service_name": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "safe_value": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "event_code": {
- "core": "0",
- "detection": "0",
- "informational": "0"
},
- "src_ip": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "dest_host": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "event_name": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- }
- }
- },
- "password-create": {
- "fields": {
- "application": {
+ "src_port": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "user_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "process_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "domain": {
+ "process_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_host": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "account": {
+ "src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
- },
- "account_domain": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "operation": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
}
}
},
- "user-permission-modify": {
+ "user-create": {
"fields": {
- "dest_port": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "dest_ip": {
+ "session_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_user": {
+ "user_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "operating_system": {
+ "process_id": {
"core": "0",
"detection": "0",
"informational": "0"
- },
+ }
+ }
+ },
+ "user-delete": {
+ "fields": {
"session_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "email_user": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "application": {
+ "user_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "full_name": {
+ "dest_user_id": {
"core": "0",
"detection": "0",
"informational": "0"
- },
- "src_port": {
+ }
+ }
+ },
+ "group-member-add": {
+ "fields": {
+ "session_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_host": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "additional_info": {
+ "user_id": {
"core": "0",
"detection": "0",
"informational": "0"
- },
- "src_ip": {
+ }
+ }
+ },
+ "group-member-remove": {
+ "fields": {
+ "session_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_host": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "event_name": {
+ "user_id": {
"core": "0",
"detection": "0",
"informational": "0"
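Review bot: the "user-create", "user-delete", "group-member-add" and "group-member-remove" activity types added at the end of this hunk list "session_id", "user_id", "process_id" and "dest_user_id" with "core", "detection" and "informational" all "0" and no "Status" key; an entry that is neither core, detection-relevant nor informational says nothing about the field, so either these are placeholders awaiting classification or the all-zero form has an implied meaning that should be documented. Suggest a schema check that rejects entries with no "Status" and no non-zero flag, or a note in whatever describes this file stating what such entries mean. Separately, "beyondtrust" is removed here with no re-addition visible in this diff; confirm it is relocated rather than dropped.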
@@ -52603,31 +63865,25 @@
}
}
},
- "barracuda cloudgen firewall": {
- "expression": "product = \"barracuda cloudgen firewall\"",
+ "digital guardian network dlp": {
+ "expression": "product = \"digital guardian network dlp\"",
"fields": {},
"activity_type": {
- "vpn-login": {
+ "email-send": {
"fields": {
- "src_port": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dest_host": {
+ "src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "event_name": {
+ "dest_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "src_translated_ip": {
+ "direction": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -52635,68 +63891,55 @@
}
}
},
- "network-session": {
+ "alert-trigger": {
"fields": {
- "dest_interface": {
- "Status": "Default",
+ "additional_info": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_external_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
},
- "bytes_in": {
- "Status": "Default",
- "core": "0",
+ "file_name": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "src_interface": {
- "Status": "Default",
+ "result": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "rule": {
- "Status": "Default",
+ "protocol": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "duration": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
},
- "src_translated_ip": {
- "Status": "Default",
+ "src_port": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes_out": {
- "Status": "Default",
+ "target": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "event_code": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "endpoint-login": {
- "fields": {
- "src_ip": {
- "Status": "Default",
+ "user": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
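Review bot: in the relocated "alert-trigger" block, "file_name" is marked "Status": "Legacy" with "core": "1" but "detection": "0" and "informational": "0", the only "core": "1" entry in this diff that is not also "detection": "1" (compare "dest_ip" and "src_ip" in the same block); if core fields are expected to be detection fields, this looks like a stale flag worth fixing while the block is being moved, and if not, the distinction between the two flags should be documented. The block also mixes Legacy entries with Status-less all-zero entries ("additional_info", "result", "target"), which makes it hard to tell deprecated fields from unclassified ones.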
@@ -52705,156 +63948,116 @@
}
}
},
- "bind": {
- "expression": "product = \"bind\"",
- "fields": {},
- "activity_type": {
- "dns-request": {
- "fields": {
- "action": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "triggers": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "event_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
+ "bluecat networks": {
+ "expression": "product = \"bluecat networks\"",
+ "fields": {
+ "dest_host": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
- }
- },
- "auditbeat": {
- "expression": "product = \"auditbeat\"",
- "fields": {},
+ },
"activity_type": {
- "app-activity": {
- "fields": {
- "user": {
- "Status": "Default",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "account": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "process_id": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "parent_process_id": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "process_name": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "process_path": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "process_command_line": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "operation_type": {
+ "dns-request": {
+ "fields": {}
+ },
+ "dhcp-session": {
+ "fields": {}
+ }
+ }
+ },
+ "botsink": {
+ "expression": "product = \"botsink\"",
+ "fields": {},
+ "activity_type": {
+ "network-session": {
+ "fields": {
+ "src_host": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "syscall": {
+ "dest_host": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "tag": {
+ "src_interface": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operating_system": {
+ "direction": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "group_id": {
+ "rule": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
- },
- "network-session": {
+ }
+ }
+ },
+ "brivo": {
+ "expression": "product = \"brivo\"",
+ "fields": {},
+ "activity_type": {
+ "physical_location-access": {
+ "fields": {}
+ }
+ }
+ },
+ "ca privileged access manager server control": {
+ "expression": "product = \"ca privileged access manager server control\"",
+ "fields": {},
+ "activity_type": {
+ "endpoint-authentication": {
"fields": {
- "process_name": {
+ "user_ou": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_path": {
+ "group_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_dir": {
+ "group_ou": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
+ "src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "domain": {
+ "dest_port": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "direction": {
+ "protocol": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_id": {
+ "event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
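Review bot: "bind" and "auditbeat" are deleted in this hunk and, unlike "bluecat networks", "botsink", "brivo" and "ca privileged access manager server control", which are re-added here from their old position later in the diff, nothing in the visible hunks adds them back; confirm they are relocated elsewhere in the file and not dropped, since losing a product block silently disables its field classification. Note also that "bluecat networks" carries a product-level "fields" entry ("dest_host") while both of its activity types have empty "fields": {}; if the product-level entry is meant as the default for every activity type, that inheritance rule is worth stating wherever the schema is described.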
@@ -52862,178 +64065,163 @@
}
}
},
- "process-create": {
+ "endpoint-login": {
"fields": {
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
+ "user_ou": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user_id": {
+ "group_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "group_ou": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "hash_md5": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "process-modify": {
- "fields": {
- "user": {
+ "src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "operating_system": {
+ "dest_port": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "audit_id": {
+ "protocol": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "result": {
+ "event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "operation_type": {
- "Status": "Default",
+ }
+ }
+ },
+ "user-switch": {
+ "fields": {
+ "user_ou": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "application": {
- "Status": "Default",
+ "group_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "event_category": {
- "Status": "Default",
+ "group_ou": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "operation": {
- "Status": "Default",
+ "src_ip": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "group_id": {
- "Status": "Default",
+ "dest_port": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "tags": {
- "Status": "Default",
+ "protocol": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "endpoint-authentication": {
- "fields": {
- "src_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
"informational": "0"
},
- "additional_info": {
- "Status": "Default",
+ "event_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "event_name": {
- "Status": "Default",
+ "src_host": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
}
}
}
}
},
- "bloxone ddi": {
- "expression": "product = \"bloxone ddi\"",
+ "cassandra": {
+ "expression": "product = \"cassandra\"",
"fields": {},
"activity_type": {
- "dhcp-session": {
+ "database-login": {
"fields": {
- "dest_mac": {
+ "dest_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_host": {
+ "dest_user": {
+ "Status": "Default",
"core": "0",
"detection": "1",
- "informational": "1"
+ "informational": "0"
},
- "dest_interface": {
+ "event_name": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
},
- "network-session": {
+ "database-activity": {
"fields": {
- "src_host": {
+ "dest_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "dest_host": {
+ "src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "rule_id": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "alert_name": {
+ "dest_user": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "alert_severity": {
+ "event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -53041,593 +64229,474 @@
}
}
},
- "dns-request": {
- "fields": {}
- }
- }
- },
- "cds": {
- "expression": "product = \"cds\"",
- "fields": {},
- "activity_type": {
- "endpoint-login": {
+ "database-modify": {
"fields": {
- "user_id": {
- "Status": "Default",
+ "dest_ip": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "process_name": {
- "Status": "Default",
+ "src_ip": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_path": {
- "Status": "Default",
+ "additional_info": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "process_dir": {
- "Status": "Default",
+ "dest_user": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- }
- }
- },
- "centrify infrastructure services": {
- "expression": "product = \"centrify infrastructure services\"",
- "fields": {},
- "activity_type": {
- "process-create": {
- "fields": {
- "src_ip": {
- "Status": "Default",
+ "informational": "0"
+ },
+ "db_name": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
}
}
}
}
},
- "ftp": {
- "expression": "product = \"ftp\"",
- "fields": {
- "src_ip": {
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "user": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
+ "cato cloud": {
+ "expression": "product = \"cato cloud\"",
+ "fields": {},
"activity_type": {
- "file-write": {
- "fields": {
- "bytes": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "file-read": {
- "fields": {
- "bytes": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- },
- "file-delete": {
- "fields": {}
- },
- "app-activity": {
+ "http-session": {
"fields": {
- "object": {
+ "src_country": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "bytes": {
+ "dest_country": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- }
- }
- },
- "powertech identity & access manager": {
- "expression": "product = \"powertech identity & access manager\"",
- "fields": {
- "user": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "file-write": {
- "fields": {
- "event_code": {
- "core": "0",
- "detection": "0",
- "informational": "1"
},
- "src_ip": {
+ "src_host": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
}
}
},
- "file-read": {
+ "vpn-login": {
"fields": {
- "event_code": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
+ "dest_ip": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- },
- "file-delete": {
- "fields": {
- "event_code": {
+ },
+ "os": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
}
}
},
- "user-switch": {
+ "vpn-logout": {
"fields": {
- "event_code": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
"dest_ip": {
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- },
- "endpoint-login": {
- "fields": {}
- },
- "process-create": {
- "fields": {
- "event_code": {
- "Status": "Default",
+ },
+ "os": {
"core": "0",
"detection": "0",
"informational": "1"
- },
- "src_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
}
}
}
}
},
- "unix auditd": {
- "expression": "product = \"unix auditd\"",
+ "ccure building management system": {
+ "expression": "product = \"ccure building management system\"",
"fields": {},
"activity_type": {
- "endpoint-login": {
+ "physical_location-access": {
"fields": {
- "additional_info": {
+ "employee_type": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_code": {
+ "event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_path": {
+ "department": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "employee_status": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_port": {
+ "company": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_host": {
+ "employee_title": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "user_id": {
+ "door_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "service_name": {
+ }
+ }
+ },
+ "app-login": {
+ "fields": {
+ "event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "result": {
+ }
+ }
+ },
+ "app-activity": {
+ "fields": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_dir": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_ip": {
+ "user": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
+ }
+ }
+ }
+ }
+ },
+ "centrify audit and monitoring service": {
+ "expression": "product = \"centrify audit and monitoring service\"",
+ "fields": {},
+ "activity_type": {
+ "file-delete": {
+ "fields": {
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
},
- "event_name": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "event_id": {
- "Status": "Default",
+ "process_id": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_port": {
- "Status": "Default",
+ "protocol": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_id": {
- "Status": "Default",
+ "event_name": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "authentication_process": {
- "Status": "Default",
+ "domain": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_name": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
- },
- "src_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
}
}
},
- "process-create": {
+ "file-write": {
"fields": {
- "event_code": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
},
- "dest_port": {
- "Status": "Default",
+ "process_id": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "account_id": {
- "Status": "Default",
+ "protocol": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "service_name": {
- "Status": "Default",
+ "event_name": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "event_name": {
- "Status": "Default",
+ "domain": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_id": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
+ },
+ "file-read": {
+ "fields": {
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
},
- "src_port": {
- "Status": "Default",
+ "process_id": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "user_id": {
- "Status": "Default",
+ "protocol": {
"core": "0",
"detection": "0",
"informational": "1"
- },
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_host": {
- "Status": "Default",
+ },
+ "event_name": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "additional_info": {
- "Status": "Default",
+ "domain": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
- },
+ }
+ }
+ },
+ "centrify authentication service": {
+ "expression": "product = \"centrify authentication service\"",
+ "fields": {},
+ "activity_type": {
"endpoint-authentication": {
"fields": {
- "process_path": {
+ "process_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation_type": {
+ "event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "user_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_port": {
+ "event_code": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_host": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "account": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "account_id": {
+ "protocol": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "service_name": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_dir": {
+ "dest_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "endpoint-login": {
+ "fields": {
+ "process_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_ip": {
+ "src_host": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "event_name": {
+ "process_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_id": {
+ "src_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "src_port": {
+ "protocol": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user_id": {
+ "event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_id": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_name": {
+ "user_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "src_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
}
}
},
- "user-create": {
+ "user-password-reset": {
"fields": {
- "session_id": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
"user_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process_id": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- },
- "user-delete": {
- "fields": {
- "session_id": {
+ },
+ "event_code": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user_id": {
+ "src_host": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_user_id": {
+ "event_name": {
"core": "0",
"detection": "0",
"informational": "0"
}
}
+ }
+ }
+ },
+ "centrify zero trust privilege services": {
+ "expression": "product = \"centrify zero trust privilege services\"",
+ "fields": {
+ "object": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
},
- "group-member-add": {
+ "event_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "user-switch": {
"fields": {
- "session_id": {
+ "process_dir": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user_id": {
+ "process_id": {
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- },
- "group-member-remove": {
- "fields": {
- "session_id": {
+ },
+ "process_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user_id": {
+ "process_path": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "service_name": {
"core": "0",
"detection": "0",
"informational": "0"
}
}
- }
- }
- },
- "digital guardian network dlp": {
- "expression": "product = \"digital guardian network dlp\"",
- "fields": {},
- "activity_type": {
- "email-send": {
+ },
+ "app-activity": {
"fields": {
- "src_ip": {
+ "user": {
"Status": "Default",
"core": "0",
"detection": "1",
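Review bot: this hunk introduces a new per-field attribute, "enriched": "1", on every "domain_user_name" entry (centrify audit and monitoring service "file-delete", "file-write" and "file-read", and centrify zero trust privilege services "app-activity"), alongside the existing "Status", "core", "detection" and "informational" keys; no other field in the diff carries it, and the entries that do have all three flags "0" and no "Status", so consumers that validate entries against a fixed key set will reject them and consumers that ignore unknown keys will treat the field as unclassified. Suggest documenting the attribute and its default when absent, and adding it to whatever validation covers this file before the change lands. Also, "cato cloud" "vpn-logout" lists "dest_ip" and "os" without "Status" while the same two fields in "vpn-login" have "Status": "Default"; if that difference is unintentional, add the missing "Status" lines.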
@@ -53639,157 +64708,95 @@
"detection": "1",
"informational": "0"
},
- "direction": {
+ "user_agent": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "alert-trigger": {
- "fields": {
- "additional_info": {
+ },
+ "os": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "dest_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
+ "informational": "1"
},
- "file_name": {
- "Status": "Legacy",
- "core": "1",
+ "domain": {
+ "Status": "Default",
+ "core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "result": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
- "protocol": {
- "Status": "Legacy",
+ "auth_method": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "src_port": {
- "Status": "Legacy",
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "target": {
+ "src_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
+ "dest_host": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
}
}
- }
- }
- },
- "bluecat networks": {
- "expression": "product = \"bluecat networks\"",
- "fields": {
- "dest_host": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "dns-request": {
- "fields": {}
},
- "dhcp-session": {
- "fields": {}
- }
- }
- },
- "botsink": {
- "expression": "product = \"botsink\"",
- "fields": {},
- "activity_type": {
- "network-session": {
+ "user-password-modify": {
"fields": {
- "src_host": {
+ "user": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "dest_host": {
+ "dest_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "src_interface": {
+ "user_agent": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "direction": {
+ "os": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "rule": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- }
- }
- },
- "brivo": {
- "expression": "product = \"brivo\"",
- "fields": {},
- "activity_type": {
- "physical_location-access": {
- "fields": {}
- }
- }
- },
- "ca privileged access manager server control": {
- "expression": "product = \"ca privileged access manager server control\"",
- "fields": {},
- "activity_type": {
- "endpoint-authentication": {
- "fields": {
- "user_ou": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "group_name": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "group_ou": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
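Review bot: this hunk deletes the entire `bluecat networks`, `botsink`, `brivo` and `ca privileged access manager server control` product blocks (expression, product-level fields and activity types) and nothing in the hunk re-adds them, so please state in the PR whether they were moved or removed; a product with no entry here loses its field classification altogether, and a regenerated file diffed line-by-line hides the difference between a move and a deletion (a key-sorted dump or a JSON-aware diff would make block moves reviewable). Separately, the replacement `src_ip` entry in the first activity type goes from `"Status": "Legacy", "core": "1"` to `"Status": "Default", "core": "0"`; if anything downstream requires core fields, that is a behaviour change worth calling out.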
@@ -53801,19 +64808,13 @@
"detection": "1",
"informational": "0"
},
- "dest_port": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "protocol": {
+ "dest_host": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "event_name": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -53821,149 +64822,159 @@
}
}
},
- "endpoint-login": {
+ "user-create": {
"fields": {
- "user_ou": {
- "Status": "Default",
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "group_name": {
- "Status": "Default",
+ "user_agent": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "group_ou": {
- "Status": "Default",
+ "os": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "domain": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
},
- "dest_port": {
- "Status": "Default",
+ "additional_info": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "protocol": {
- "Status": "Default",
+ "src_ip": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "event_name": {
- "Status": "Default",
+ "dest_host": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "operation": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
}
}
},
- "user-switch": {
+ "user-delete": {
"fields": {
- "user_ou": {
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "group_name": {
+ "user_agent": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "group_ou": {
+ "os": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_ip": {
+ "domain": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "dest_port": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
- "protocol": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "event_name": {
+ "src_ip": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_host": {
+ "dest_host": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "operation": {
"core": "0",
"detection": "0",
"informational": "0"
}
}
- }
- }
- },
- "cassandra": {
- "expression": "product = \"cassandra\"",
- "fields": {},
- "activity_type": {
- "database-login": {
+ },
+ "role-create": {
"fields": {
- "dest_ip": {
+ "user": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "src_ip": {
+ "dest_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "additional_info": {
+ "user_agent": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_user": {
+ "os": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "event_name": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "database-activity": {
- "fields": {
- "dest_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
},
- "src_ip": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
},
"additional_info": {
"Status": "Default",
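Review bot: in the new `user-create` and `user-delete` blocks, `dest_ip`, `user_agent`, `os`, `additional_info`, `src_ip` and `operation` are all `"core": "0", "detection": "0", "informational": "0"` with no `Status`, while the sibling `role-create` block in the same hunk marks `dest_ip` as a detection field; account creation and deletion are at least as useful for detection as role changes, so either classify the source and destination address on these two activity types or say why they are intentionally left unclassified. Also, every `domain_user_name` entry introduces an `"enriched": "1"` key and omits `Status`; if the loader validates keys or defaults `Status`, document that enriched fields are exempt.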
@@ -53971,13 +64982,19 @@
"detection": "0",
"informational": "1"
},
- "dest_user": {
+ "src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "event_name": {
+ "dest_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -53985,341 +65002,376 @@
}
}
},
- "database-modify": {
+ "role-delete": {
"fields": {
- "dest_ip": {
+ "user": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "src_ip": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "additional_info": {
+ "dest_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "dest_user": {
+ "user_agent": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "db_name": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- }
- }
- }
- }
- },
- "cato cloud": {
- "expression": "product = \"cato cloud\"",
- "fields": {},
- "activity_type": {
- "http-session": {
- "fields": {
- "src_country": {
+ "os": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_country": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_host": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "vpn-login": {
- "fields": {
- "dest_ip": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
},
- "operating_system": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "vpn-logout": {
- "fields": {
- "dest_ip": {
+ },
+ "src_ip": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "operating_system": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- }
- }
- },
- "ccure building management system": {
- "expression": "product = \"ccure building management system\"",
- "fields": {},
- "activity_type": {
- "physical_location-access": {
- "fields": {
- "employee_type": {
+ "dest_host": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "event_name": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "department": {
+ }
+ }
+ },
+ "role-modify": {
+ "fields": {
+ "user": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "employee_status": {
+ "dest_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "company": {
+ "user_agent": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "employee_title": {
+ "os": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "door_name": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "app-login": {
- "fields": {
- "event_name": {
- "Status": "Default",
+ },
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "app-activity": {
- "fields": {
- "object": {
+ "informational": "0",
+ "enriched": "1"
+ },
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "src_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "user": {
+ "dest_host": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
}
}
}
},
- "centrify audit and monitoring service": {
- "expression": "product = \"centrify audit and monitoring service\"",
+ "quest change auditor for active directory": {
+ "expression": "product = \"quest change auditor for active directory\"",
"fields": {},
"activity_type": {
"file-delete": {
"fields": {
+ "access": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
"user": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "process_id": {
+ "alert_severity": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "protocol": {
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_name": {
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "user_id": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "domain": {
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "1"
}
}
},
- "file-write": {
+ "file-read": {
"fields": {
+ "access": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
"user": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "process_id": {
+ "alert_severity": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "protocol": {
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_name": {
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "user_id": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "domain": {
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "1"
}
}
},
- "file-read": {
+ "file-write": {
"fields": {
+ "access": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
"user": {
"Status": "Legacy",
"core": "1",
"detection": "1",
"informational": "0"
},
- "process_id": {
+ "alert_severity": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "protocol": {
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_name": {
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "user_id": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "domain": {
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "1"
}
}
- }
- }
- },
- "centrify authentication service": {
- "expression": "product = \"centrify authentication service\"",
- "fields": {},
- "activity_type": {
- "endpoint-authentication": {
+ },
+ "ds_object-activity": {
"fields": {
- "process_id": {
+ "dest_port": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_name": {
+ "user": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "user_id": {
+ "dest_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_code": {
+ "host_ip": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "protocol": {
+ "old_attribute": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "object_ou": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_ip": {
+ "src_host": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- },
- "endpoint-login": {
- "fields": {
- "process_id": {
+ },
+ "attribute": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_host": {
+ "new_attribute": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "process_name": {
+ "object_class": {
"Status": "Default",
"core": "0",
"detection": "0",
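Review bot: in the new `quest change auditor for active directory` block, `ds_object-activity` classifies `object`, `attribute`, `old_attribute`, `new_attribute`, `object_ou` and `object_class` as informational only, leaving `user`, `dest_ip` and `src_host` as the detection fields; for an AD change auditor the attribute being changed is what a rule on edits to sensitive attributes keys on, so consider marking at least `attribute` and `object_class` for detection. The same hunk removes the `cassandra`, `cato cloud`, `ccure building management system`, `centrify audit and monitoring service` and `centrify authentication service` blocks without re-adding them here; please confirm they exist elsewhere in the new file.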
@@ -54331,34 +65383,73 @@
"detection": "1",
"informational": "0"
},
- "protocol": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "operation_type": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
+ "object_dn": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "endpoint-login": {
+ "fields": {
+ "dest_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
"user_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "src_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "event_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
}
},
- "user-password-reset": {
+ "group-member-add": {
"fields": {
+ "dest_user_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
"user_id": {
"core": "0",
"detection": "0",
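Review bot: the new `endpoint-login` block maps `user_id` as informational only and has no `user` entry, so the principal logging in is not a detection field on a login event while `src_ip` and `dest_ip` are; unless `user` is inherited from a shared default, a login without a detection-grade subject is hard to alert on, so either add `user` or promote `user_id`.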
@@ -54369,12 +65460,36 @@
"detection": "0",
"informational": "0"
},
- "event_code": {
+ "src_ip": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_host": {
+ "event_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ }
+ }
+ },
+ "group-member-remove": {
+ "fields": {
+ "dest_user_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "user_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_ip": {
"core": "0",
"detection": "0",
"informational": "0"
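Review bot: `group-member-add` and `group-member-remove` map `dest_user_id`, `user_id`, `additional_info` and `src_ip` with every flag at `"0"` and no `Status`, and nothing in the visible list identifies the group whose membership changed; a membership change with no group name and no detection-flagged field cannot drive a rule on additions to privileged groups, so map the group (and promote `dest_user_id`) or note that these two types are placeholders.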
@@ -54385,104 +65500,103 @@
"informational": "0"
}
}
- }
- }
- },
- "centrify zero trust privilege services": {
- "expression": "product = \"centrify zero trust privilege services\"",
- "fields": {
- "object": {
- "core": "0",
- "detection": "0",
- "informational": "1"
},
- "event_name": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "user-switch": {
+ "user-lock": {
"fields": {
- "process_dir": {
+ "user_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process_id": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process_name": {
+ "src_ip": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "process_path": {
+ "event_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "service_name": {
+ "dest_user_ou": {
"core": "0",
"detection": "0",
"informational": "0"
}
}
},
- "app-activity": {
+ "user-password-modify": {
"fields": {
- "user": {
+ "user_id": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "dest_ip": {
+ "additional_info": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "user_agent": {
+ "event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "operating_system": {
+ }
+ }
+ }
+ }
+ },
+ "clearsense": {
+ "expression": "product = \"clearsense\"",
+ "fields": {},
+ "activity_type": {
+ "app-login": {
+ "fields": {
+ "method": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "domain": {
+ "resource": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "auth_method": {
+ "user_agent": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
+ "additional_info": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "dest_host": {
+ "src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
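Review bot: two identity-centric activity types in this hunk have no subject field: the quest `user-lock` block maps `user_id`, `additional_info`, `src_ip`, `event_name` and `dest_user_ou` (all flags `"0"`, no `Status`) but no `dest_user` or `user`, and the new `clearsense` `app-login` block maps `method`, `resource`, `user_agent`, `object`, `additional_info` and `src_ip` but no `user` either; a lock-out or login event without the account it concerns has little detection value, so add the user field or state where it is inherited from. The hunk also removes the `centrify zero trust privilege services` product header and its product-level `object`/`event_name` fields; the old activity type names reappear earlier in this diff but the enclosing product key is not visible, so confirm the product still has an entry in the new file.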
@@ -54490,7 +65604,7 @@
}
}
},
- "user-password-modify": {
+ "app-activity": {
"fields": {
"user": {
"Status": "Default",
@@ -54498,57 +65612,75 @@
"detection": "1",
"informational": "0"
},
- "dest_ip": {
+ "method": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "user_agent": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operating_system": {
+ "result": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "domain": {
+ "resource": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "user_agent": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
+ "object": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "dest_host": {
+ "additional_info": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "operation": {
+ "src_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
}
}
+ }
+ }
+ },
+ "clearswift secure email gateway": {
+ "expression": "product = \"clearswift secure email gateway\"",
+ "fields": {},
+ "activity_type": {
+ "email-send": {
+ "fields": {}
},
- "user-create": {
+ "email-receive": {
+ "fields": {}
+ }
+ }
+ },
+ "clientview": {
+ "expression": "product = \"clientview\"",
+ "fields": {},
+ "activity_type": {
+ "file-write": {
"fields": {
"user": {
"Status": "Legacy",
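Review bot: the new `clearswift secure email gateway` block declares `email-send` and `email-receive` with `"fields": {}` and empty product-level fields, so no sender, recipient, subject or attachment attribute is classified for a mail gateway; if this is a stub to be filled in later, say so in the PR, otherwise map the fields the gateway actually logs.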
@@ -54556,28 +65688,62 @@
"detection": "1",
"informational": "0"
},
- "dest_ip": {
+ "bytes": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user_agent": {
+ "hash_md5": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "operating_system": {
+ "src_ip": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "domain": {
+ "access": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
+ },
+ "file-read": {
+ "fields": {
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "bytes": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "src_host": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "hash_md5": {
"core": "0",
"detection": "0",
"informational": "0"
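Review bot: within the new `clientview` block, `src_host` is unclassified (all `"0"`, no `Status`) in `file-write` but `"Status": "Legacy"` with `"detection": "1"` in `file-read`, and `bytes` is a detection field in `file-write` but informational in `file-read`, while `hash_md5` is all-zero in both. Unless the source really emits different fields per operation, the same field should carry the same classification across the product's file activity types, and a file hash on a write event is normally a detection field, since it is what hash-based threat-intel matching keys on.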
@@ -54587,20 +65753,26 @@
"detection": "0",
"informational": "0"
},
- "dest_host": {
+ "access": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "operation": {
+ "access_type": {
"core": "0",
"detection": "0",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
- "user-delete": {
+ "file-delete": {
"fields": {
"user": {
"Status": "Legacy",
@@ -54608,28 +65780,18 @@
"detection": "1",
"informational": "0"
},
- "dest_ip": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "user_agent": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "operating_system": {
+ "bytes": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "domain": {
+ "src_host": {
"Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "additional_info": {
+ "hash_md5": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -54639,78 +65801,75 @@
"detection": "0",
"informational": "0"
},
- "dest_host": {
+ "access": {
"Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "operation": {
+ "local_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
}
}
},
- "role-create": {
+ "printer-activity": {
"fields": {
"user": {
- "Status": "Default",
- "core": "0",
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
},
"dest_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "user_agent": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "operating_system": {
- "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "domain": {
- "Status": "Default",
+ "object": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "additional_info": {
- "Status": "Default",
+ "printer_name": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
- "Status": "Default",
+ "num_pages": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "dest_host": {
- "Status": "Default",
+ "file_path": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "operation": {
- "Status": "Default",
+ "src_ip": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
- "role-delete": {
+ "app-activity": {
"fields": {
"user": {
"Status": "Default",
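Review bot: in `printer-activity`, `file_path` (presumably the printed document), `object`, `dest_ip` and `src_ip` are all-zero with no `Status`, while `printer_name` and `num_pages` are core/detection fields; for a print-based exfiltration rule the document path is the field you want, so classify `file_path`. `src_host` here is Legacy/informational although the same product's `file-delete` in the preceding hunk marks it Legacy/detection, so please align that as well.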
@@ -54718,29 +65877,17 @@
"detection": "1",
"informational": "0"
},
- "dest_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "user_agent": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "operating_system": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "domain": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
"additional_info": {
"Status": "Default",
@@ -54748,27 +65895,21 @@
"detection": "0",
"informational": "1"
},
- "src_ip": {
+ "src_host": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "dest_host": {
+ "src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
- },
- "operation": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
}
}
},
- "role-modify": {
+ "process-create": {
"fields": {
"user": {
"Status": "Default",
@@ -54776,68 +65917,57 @@
"detection": "1",
"informational": "0"
},
- "dest_ip": {
+ "src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "user_agent": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "operating_system": {
+ "session_id": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "domain": {
+ "hash_md5": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "additional_info": {
+ }
+ }
+ },
+ "email-send": {
+ "fields": {
+ "src_host": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
"src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
- },
- "dest_host": {
+ }
+ }
+ },
+ "http-session": {
+ "fields": {
+ "src_host": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
- },
- "operation": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
}
}
- }
- }
- },
- "quest change auditor for active directory": {
- "expression": "product = \"quest change auditor for active directory\"",
- "fields": {},
- "activity_type": {
- "file-delete": {
+ },
+ "file-upload": {
"fields": {
"access": {
- "Status": "Legacy",
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
"user": {
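Review bot: the new `process-create` block maps `user`, `src_ip`, `session_id` and `hash_md5` but no process name, path, command line or parent, so a process hash is classified (informational) with nothing saying what ran; if the source logs the image name, map it, and `hash_md5` on a process start is a better candidate for detection than informational. In the same hunk `email-send` maps only `src_host` and `src_ip`, and `http-session` only `src_host`, so neither carries a recipient, URL or destination; worth confirming those minimal maps are deliberate.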
@@ -54846,50 +65976,35 @@
"detection": "1",
"informational": "0"
},
- "alert_severity": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
"src_host": {
"Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "user_id": {
+ "src_ip": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "operation": {
+ "domain": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "additional_info": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
}
}
},
- "file-read": {
+ "file-download": {
"fields": {
"access": {
- "Status": "Legacy",
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
"user": {
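Review bot: `file-upload` maps `access`, `user`, `src_host`, `src_ip`, `domain` and `domain_user_name` and nothing about where the file went (no `dest_host`, `dest_ip` or URL), and `access`, `src_ip` and `domain` are all-zero with no `Status`; an upload event whose only classified fields are the user and the source host cannot distinguish an internal share from an external site, so map the destination if the source provides it.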
@@ -54898,265 +66013,327 @@
"detection": "1",
"informational": "0"
},
- "alert_severity": {
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
+ "dest_file_dir": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "src_host": {
- "Status": "Legacy",
+ "dest_ip": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
"domain": {
"core": "0",
"detection": "0",
- "informational": "1"
- },
- "user_id": {
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "operation": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
- },
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
+ }
+ }
+ },
+ "cloud akamai": {
+ "expression": "product = \"cloud akamai\"",
+ "fields": {},
+ "activity_type": {
+ "http-session": {
+ "fields": {}
+ }
+ }
+ },
+ "cloudflare insights": {
+ "expression": "product = \"cloudflare insights\"",
+ "fields": {
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ },
+ "activity_type": {
+ "app-login": {
+ "fields": {
"additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
},
- "file-write": {
+ "app-activity": {
"fields": {
- "access": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "alert_severity": {
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
+ "src_host": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "src_host": {
+ "dest_host": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "domain": {
+ "dest_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "user_id": {
+ "result": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "operation": {
+ }
+ }
+ },
+ "group-member-add": {
+ "fields": {
+ "additional_info": {
"core": "0",
"detection": "0",
- "informational": "1"
- },
+ "informational": "0"
+ }
+ }
+ },
+ "group-member-remove": {
+ "fields": {
"additional_info": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
}
}
- },
- "ds_object-activity": {
+ }
+ }
+ },
+ "cloudflare waf": {
+ "expression": "product = \"cloudflare waf\"",
+ "fields": {},
+ "activity_type": {
+ "http-session": {
"fields": {
- "dest_port": {
+ "edge_response_status": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user": {
+ "device_type": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "dest_ip": {
+ "origin_response_status": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "object": {
+ "src_country": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "host_ip": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "old_attribute": {
+ "event_code": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object_ou": {
+ "dest_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "proxy_action": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "src_host": {
+ }
+ }
+ },
+ "network-session": {
+ "fields": {
+ "user": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "attribute": {
+ "method": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "new_attribute": {
+ "country_code": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object_class": {
+ "process_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
+ "src_interface": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "domain": {
+ "user_agent": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_name": {
+ "dest_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "category": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation_type": {
+ "log_source": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object_dn": {
+ "direction": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
- },
- "endpoint-login": {
+ }
+ }
+ },
+ "code42 incydr": {
+ "expression": "product = \"code42 incydr\"",
+ "fields": {},
+ "activity_type": {
+ "file-delete": {
"fields": {
- "dest_ip": {
- "Status": "Default",
+ "shared_with": {
"core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "user_id": {
- "Status": "Default",
+ "bytes": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "src_ip": {
- "Status": "Default",
+ "tab_url": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "event_name": {
- "Status": "Default",
+ "device_size": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "group-member-add": {
- "fields": {
- "dest_user_id": {
+ "informational": "0"
+ },
+ "removable_media_serial_number": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user_id": {
+ "shared": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "additional_info": {
+ "time_created": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_ip": {
+ "time_modified": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "event_name": {
+ "url": {
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- },
- "group-member-remove": {
- "fields": {
- "dest_user_id": {
+ },
+ "email_dlp_policy_names": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user_id": {
+ "src_host": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "additional_info": {
+ "process_name": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "file_owner": {
"core": "0",
"detection": "0",
"informational": "0"
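Review bot: most of the `file-delete` entries added in the lower half of this hunk (`shared_with`, `bytes`, `tab_url`, `device_size`, `removable_media_serial_number`, `shared`, `time_created`, `time_modified`, `url`, `email_dlp_policy_names`, `file_owner`) have `"core": "0"`, `"detection": "0"`, `"informational": "0"` and no `Status`, so nothing consumes them; if an all-zero entry is the convention for "parsed but not surfaced", say so in the commit message, otherwise these are dead entries and should be dropped or given a flag. Also note that in the upper half git has paired fields of an earlier activity type (`object_class`, `src_ip`, `domain`, `object_dn`) with the new `network-session` fields, so `src_interface` appearing to move from `"detection": "1"` to `"informational": "1"` is an alignment artifact, not a change to an existing field.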
@@ -55166,274 +66343,214 @@
"detection": "0",
"informational": "0"
},
- "event_name": {
+ "domain": {
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- },
- "user-lock": {
- "fields": {
- "user_id": {
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "service_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "additional_info": {
+ "directory_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_ip": {
+ "file_type": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user_uid": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "event_name": {
+ "access": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "actor": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_user_ou": {
+ "sync_destination": {
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- },
- "user-password-modify": {
- "fields": {
- "user_id": {
- "Status": "Default",
+ },
+ "hash_sha256": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "additional_info": {
- "Status": "Default",
+ "cloud_drive_id": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "src_ip": {
- "Status": "Default",
+ "exposure_type": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "event_name": {
- "Status": "Default",
+ "device_id": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- }
- }
- },
- "clearsense": {
- "expression": "product = \"clearsense\"",
- "fields": {},
- "activity_type": {
- "app-login": {
- "fields": {
- "method": {
- "Status": "Default",
+ "informational": "0"
+ },
+ "removable_media_capacity": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "resource": {
- "Status": "Default",
+ "device_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "user_agent": {
- "Status": "Default",
+ "removable_media_volume_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "object": {
- "Status": "Default",
+ "process_owner": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "additional_info": {
- "Status": "Default",
+ "removable_media_bus_type": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "src_ip": {
- "Status": "Default",
+ "removable_media_media_name": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
- }
- }
- },
- "app-activity": {
- "fields": {
- "user": {
- "Status": "Default",
+ },
+ "removable_media_name": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "method": {
- "Status": "Default",
+ "email_dlp_from": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "application": {
- "Status": "Default",
+ "src_translated_ip": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "result": {
- "Status": "Default",
+ "tab_title": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "resource": {
- "Status": "Default",
+ "removable_media_partition_id": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "user_agent": {
- "Status": "Default",
+ "additional_info": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "object": {
- "Status": "Default",
+ "file_category": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "additional_info": {
- "Status": "Default",
+ "hash_md5": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "src_ip": {
- "Status": "Default",
+ "sender": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
- }
- }
- }
- }
- },
- "clearswift secure email gateway": {
- "expression": "product = \"clearswift secure email gateway\"",
- "fields": {},
- "activity_type": {
- "email-send": {
- "fields": {}
- },
- "email-receive": {
- "fields": {}
- }
- }
- },
- "clientview": {
- "expression": "product = \"clientview\"",
- "fields": {},
- "activity_type": {
- "file-write": {
- "fields": {
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ },
+ "event_code": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "bytes": {
+ "dest_host": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "src_host": {
+ "log_source": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "hash_md5": {
+ "mime": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_ip": {
+ "removable_media_vendor": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "access": {
- "Status": "Legacy",
+ "device_vendor": {
"core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "file-read": {
- "fields": {
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "bytes": {
- "Status": "Legacy",
+ "file_id": {
"core": "0",
"detection": "0",
- "informational": "1"
- },
- "src_host": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
"informational": "0"
},
- "hash_md5": {
+ "file_exposure_changed_to": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_ip": {
+ "private_ip": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "access": {
- "Status": "Legacy",
+ "device_type": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "access_type": {
+ "detection_source_alias": {
"core": "0",
"detection": "0",
"informational": "0"
}
}
},
- "file-delete": {
+ "file-download": {
"fields": {
+ "shared_with": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
"user": {
"Status": "Legacy",
"core": "1",
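Review bot: `domain_user_name` introduces a new attribute, `"enriched": "1"`, next to `core`/`detection`/`informational`, which none of the surrounding entries carry; confirm that the loader and any validator for this file tolerate the extra key, and state what it means (presumably a value derived by enrichment rather than parsed from the event), since the entry is otherwise all-zero and has no `Status`. Separately, this hunk deletes the `clearsense`, `clearswift secure email gateway` and `clientview` product definitions with no replacement visible in the patch; if they were moved rather than removed, the commit message should say so.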
@@ -55441,56 +66558,49 @@
"informational": "0"
},
"bytes": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_host": {
- "Status": "Legacy",
+ "tab_url": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "hash_md5": {
+ "device_size": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_ip": {
+ "removable_media_serial_number": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "access": {
- "Status": "Legacy",
+ "shared": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
- }
- }
- },
- "printer-activity": {
- "fields": {
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ },
+ "time_created": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "dest_ip": {
+ "time_modified": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "object": {
+ "url": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "printer_name": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "email_dlp_policy_names": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
"src_host": {
@@ -55499,13 +66609,13 @@
"detection": "0",
"informational": "1"
},
- "num_pages": {
+ "process_name": {
"Status": "Legacy",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "file_path": {
+ "file_owner": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -55514,386 +66624,208 @@
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- },
- "app-activity": {
- "fields": {
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
},
"domain": {
- "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "additional_info": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
- },
- "src_host": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
- "src_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "process-create": {
- "fields": {
- "user": {
- "Status": "Default",
+ "service_name": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "src_ip": {
- "Status": "Default",
+ "directory_id": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "session_id": {
- "Status": "Default",
+ "file_type": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "hash_md5": {
- "Status": "Default",
+ "user_uid": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "email-send": {
- "fields": {
- "src_host": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
"informational": "0"
},
- "src_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "http-session": {
- "fields": {
- "src_host": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "file-upload": {
- "fields": {
"access": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "src_host": {
- "Status": "Legacy",
+ "actor": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "src_ip": {
+ "sync_destination": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "domain": {
+ "hash_sha256": {
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- },
- "file-download": {
- "fields": {
- "access": {
+ },
+ "cloud_drive_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "dest_host": {
- "Status": "Legacy",
+ "exposure_type": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_file_dir": {
+ "device_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_ip": {
+ "removable_media_capacity": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "domain": {
+ "device_name": {
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- }
- }
- },
- "cloud akamai": {
- "expression": "product = \"cloud akamai\"",
- "fields": {},
- "activity_type": {
- "http-session": {
- "fields": {}
- }
- }
- },
- "cloudflare insights": {
- "expression": "product = \"cloudflare insights\"",
- "fields": {
- "user": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "app-login": {
- "fields": {
- "additional_info": {
- "Status": "Default",
+ },
+ "removable_media_volume_name": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "app-activity": {
- "fields": {
- "additional_info": {
- "Status": "Default",
+ "informational": "0"
+ },
+ "process_owner": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "src_host": {
- "Status": "Default",
+ "removable_media_bus_type": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "dest_host": {
- "Status": "Default",
+ "removable_media_media_name": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "dest_ip": {
- "Status": "Default",
+ "removable_media_name": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "result": {
- "Status": "Default",
+ "email_dlp_from": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "group-member-add": {
- "fields": {
- "additional_info": {
+ "informational": "0"
+ },
+ "src_translated_ip": {
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- },
- "group-member-remove": {
- "fields": {
- "additional_info": {
+ },
+ "tab_title": {
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- }
- }
- },
- "cloudflare waf": {
- "expression": "product = \"cloudflare waf\"",
- "fields": {},
- "activity_type": {
- "http-session": {
- "fields": {
- "edge_response_status": {
- "Status": "Default",
+ },
+ "removable_media_partition_id": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "device_type": {
- "Status": "Default",
+ "additional_info": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "origin_response_status": {
- "Status": "Default",
+ "file_category": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "src_country": {
- "Status": "Default",
+ "hash_md5": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "additional_info": {
- "Status": "Default",
+ "sender": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
"event_code": {
- "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "1"
- },
- "dest_host": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
"informational": "0"
},
- "proxy_action": {
- "Status": "Default",
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "network-session": {
- "fields": {
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
},
- "method": {
- "Status": "Default",
+ "log_source": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "country_code": {
- "Status": "Default",
+ "mime": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "process_name": {
- "Status": "Default",
+ "removable_media_vendor": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "src_interface": {
- "Status": "Default",
+ "device_vendor": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "user_agent": {
- "Status": "Default",
+ "file_id": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_host": {
- "Status": "Default",
+ "file_exposure_changed_to": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "category": {
- "Status": "Default",
+ "private_ip": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "log_source": {
- "Status": "Default",
+ "device_type": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "direction": {
- "Status": "Default",
+ "detection_source_alias": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
}
}
- }
- }
- },
- "code42 incydr": {
- "expression": "product = \"code42 incydr\"",
- "fields": {},
- "activity_type": {
- "file-delete": {
+ },
+ "file-read": {
"fields": {
"shared_with": {
"core": "0",
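Review bot: in the new `file-download` block both host fields end up informational (`src_host` with `"detection": "0"`, `"informational": "1"`, and `dest_host` with `"Status": "Legacy"`, `"detection": "0"`, `"informational": "1"`), whereas the `file-delete` block earlier in this patch has the same two fields as `"detection": "1"`; for a download the destination host is usually the attribute a detection pivots on, so confirm the asymmetry is intended. This hunk also removes the `cloud akamai`, `cloudflare insights` and `cloudflare waf` product definitions, including the populated product-level `fields` map of `cloudflare insights` and both `http-session` and `network-session` of `cloudflare waf`, with no replacement visible; confirm they were relocated, not dropped.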
@@ -55907,6 +66839,7 @@
"informational": "0"
},
"bytes": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "0"
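Review bot: `bytes` gains `"Status": "Legacy"` here while `core`, `detection` and `informational` all stay "0", so the Status has nothing to apply to; either a flag is missing or the Status is spurious. The `bytes` entry in the `file-download` block earlier in this patch gets the same key with all-zero flags, and the one in `file-upload` later loses it, so the three should be reconciled in one direction.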
@@ -55978,6 +66911,12 @@
"detection": "0",
"informational": "0"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"service_name": {
"core": "0",
"detection": "0",
@@ -56031,8 +66970,9 @@
"informational": "0"
},
"device_id": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
"removable_media_capacity": {
@@ -56157,9 +67097,10 @@
"informational": "0"
},
"device_type": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
"detection_source_alias": {
"core": "0",
@@ -56168,7 +67109,7 @@
}
}
},
- "file-download": {
+ "file-write": {
"fields": {
"shared_with": {
"core": "0",
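Review bot: the `-"file-download"` / `+"file-write"` pair shows git has lined up the old `file-download` block against the new `file-write` block (and around it old `file-delete` against new `file-read`, old `file-read` against new `file-upload`), so the `detection`/`informational` flips in the small hunks that follow compare two different activity types rather than before and after of one; the real per-type changes cannot be read from this diff. List them in the commit message, or produce the diff with a key-aware JSON comparison that ignores block order.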
@@ -56228,10 +67169,9 @@
"informational": "0"
},
"src_host": {
- "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
"process_name": {
"Status": "Legacy",
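Review bot: the resulting `file-write` `src_host` has no `Status` and all three flags "0", so the originating host is not surfaced for writes at all, while the same field is `"detection": "1"` in `file-delete` and `"informational": "1"` in `file-download` and `file-upload` elsewhere in this patch; a write to removable media or a sync folder is exactly where the source host matters, so confirm this is deliberate and not a casualty of the block reorder.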
@@ -56254,6 +67194,12 @@
"detection": "0",
"informational": "0"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"service_name": {
"core": "0",
"detection": "0",
@@ -56276,8 +67222,9 @@
"informational": "0"
},
"access": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
"actor": {
@@ -56306,8 +67253,9 @@
"informational": "0"
},
"device_id": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
"removable_media_capacity": {
@@ -56393,8 +67341,8 @@
"dest_host": {
"Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
"log_source": {
"core": "0",
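Review bot: `dest_host` for `file-write` ends up `"Status": "Legacy"`, `"detection": "1"`, but the same field is `"detection": "0"`, `"informational": "1"` in both `file-download` and `file-upload` in this patch; either the three activity types should agree or the commit should explain why the destination host is a detection attribute only for writes.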
@@ -56432,9 +67380,10 @@
"informational": "0"
},
"device_type": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
"detection_source_alias": {
"core": "0",
@@ -56443,7 +67392,7 @@
}
}
},
- "file-read": {
+ "file-upload": {
"fields": {
"shared_with": {
"core": "0",
@@ -56457,7 +67406,6 @@
"informational": "0"
},
"bytes": {
- "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "0"
@@ -56505,8 +67453,8 @@
"src_host": {
"Status": "Legacy",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
"process_name": {
"Status": "Legacy",
@@ -56529,6 +67477,12 @@
"detection": "0",
"informational": "0"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"service_name": {
"core": "0",
"detection": "0",
@@ -56551,9 +67505,8 @@
"informational": "0"
},
"access": {
- "Status": "Legacy",
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
"actor": {
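Review bot: `access` in the resulting `file-upload` block has no `Status` and all-zero flags, whereas `file-delete` and `file-write` in this patch carry it as `"Status": "Legacy"`, `"detection": "1"`; `device_id` and `device_type` follow the same pattern, `"Status": "Legacy"` with detection or informational set in `file-read` and `file-write` but unsurfaced in `file-upload`. If upload events from this source genuinely lack these values, dropping the entries is cleaner than keeping all-zero ones; if they are present, the flags look like they were lost in the reorder.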
@@ -56582,9 +67535,8 @@
"informational": "0"
},
"device_id": {
- "Status": "Legacy",
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
"removable_media_capacity": {
@@ -56670,8 +67622,8 @@
"dest_host": {
"Status": "Legacy",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
"log_source": {
"core": "0",
@@ -56709,10 +67661,9 @@
"informational": "0"
},
"device_type": {
- "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
"detection_source_alias": {
"core": "0",
@@ -56721,288 +67672,356 @@
}
}
},
- "file-write": {
+ "peripheral_storage-insert": {
"fields": {
- "shared_with": {
+ "drive_letter": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "bytes": {
- "Status": "Legacy",
+ "usb_serial_number": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "tab_url": {
+ "src_translated_ip": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "device_size": {
+ "device_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "removable_media_serial_number": {
+ "vendor_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "shared": {
+ "user_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "time_created": {
+ "src_ip": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "time_modified": {
+ "usb_vendor": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "url": {
+ "operation": {
"core": "0",
"detection": "0",
"informational": "0"
- },
- "email_dlp_policy_names": {
+ }
+ }
+ },
+ "email-send": {
+ "fields": {
+ "bytes": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
"src_host": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "process_name": {
- "Status": "Legacy",
+ "file_type": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_owner": {
+ "log_source": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "src_ip": {
+ "event_code": {
+ "Status": "Default",
"core": "0",
"detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "printer-activity": {
+ "fields": {
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
"informational": "0"
},
- "domain": {
+ "dest_ip": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "service_name": {
+ "object": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "directory_id": {
+ "device_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "file_type": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "user_uid": {
+ "event_code": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "access": {
+ "printer_name": {
"Status": "Legacy",
- "core": "0",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "actor": {
+ "user_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "sync_destination": {
+ "src_ip": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "hash_sha256": {
+ "src_host": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "cloud_drive_id": {
+ "log_source": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "exposure_type": {
+ "local_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "device_id": {
- "Status": "Legacy",
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
+ }
+ }
+ },
+ "cognitas crosslink": {
+ "expression": "product = \"cognitas crosslink\"",
+ "fields": {},
+ "activity_type": {
+ "vpn-login": {
+ "fields": {
+ "dest_ip": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
- },
- "removable_media_capacity": {
+ }
+ }
+ }
+ }
+ },
+ "cohesity dataplatform": {
+ "expression": "product = \"cohesity dataplatform\"",
+ "fields": {},
+ "activity_type": {
+ "app-login": {
+ "fields": {
+ "user_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "device_name": {
+ "src_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "removable_media_volume_name": {
+ "event_name": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "process_owner": {
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
+ "informational": "1"
+ }
+ }
+ }
+ }
+ },
+ "darktrace": {
+ "expression": "product = \"darktrace\"",
+ "fields": {},
+ "activity_type": {
+ "app-login": {
+ "fields": {
+ "src_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
"informational": "0"
},
- "removable_media_bus_type": {
+ "method": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "removable_media_media_name": {
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
+ "informational": "1"
+ }
+ }
+ }
+ }
+ },
+ "data security platform": {
+ "expression": "product = \"data security platform\"",
+ "fields": {},
+ "activity_type": {
+ "file-delete": {
+ "fields": {
+ "access": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
"informational": "0"
},
- "removable_media_name": {
- "core": "0",
- "detection": "0",
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
"informational": "0"
},
- "email_dlp_from": {
+ "dest_ip": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_translated_ip": {
+ "domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "tab_title": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
- "removable_media_partition_id": {
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
- },
- "additional_info": {
+ }
+ }
+ },
+ "file-write": {
+ "fields": {
+ "access": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "file_category": {
- "core": "0",
- "detection": "0",
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
"informational": "0"
},
- "hash_md5": {
+ "dest_ip": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "sender": {
+ "domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "event_code": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
"dest_host": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
- },
- "log_source": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "mime": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "removable_media_vendor": {
+ }
+ }
+ },
+ "file-read": {
+ "fields": {
+ "access": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "device_vendor": {
- "core": "0",
- "detection": "0",
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
"informational": "0"
},
- "file_id": {
+ "dest_ip": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "file_exposure_changed_to": {
+ "domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "private_ip": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
- "device_type": {
+ "dest_host": {
"Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
- },
- "detection_source_alias": {
- "core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
}
}
},
- "file-upload": {
+ "file-permission-modify": {
"fields": {
- "shared_with": {
+ "access": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
"user": {
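Review bot: the four `data security platform` activity types (`file-delete`, `file-write`, `file-read` and `file-permission-modify`, which continues past this hunk) repeat the identical six-entry block (`access`, `user`, `dest_ip`, `domain`, `domain_user_name`, `dest_host`) while the product-level `fields` map on that product is left as `{}`; the removed `cloudflare insights` block earlier in this patch shows that map being used for shared entries, so hoist the common six there and leave the per-type maps empty. Also, every field of the new `peripheral_storage-insert` type (`drive_letter`, `usb_serial_number`, `src_translated_ip`, `device_name`, `vendor_name` and `usb_vendor`, two vendor fields that should be reduced to one, `user_id`, `src_ip`, `operation`) is all-zero with no `Status`, so a removable-device insert contributes no searchable attribute; at least the serial number and device name should be informational.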
@@ -57011,524 +68030,642 @@
"detection": "1",
"informational": "0"
},
- "bytes": {
- "core": "0",
- "detection": "0",
- "informational": "0"
- },
- "tab_url": {
+ "dest_ip": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "device_size": {
+ "domain": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "removable_media_serial_number": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
- "shared": {
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
- },
- "time_created": {
+ }
+ }
+ }
+ }
+ },
+ "datawatch": {
+ "expression": "product = \"datawatch\"",
+ "fields": {},
+ "activity_type": {
+ "physical_location-access": {
+ "fields": {}
+ }
+ }
+ },
+ "digipass for apps": {
+ "expression": "product = \"digipass for apps\"",
+ "fields": {},
+ "activity_type": {
+ "endpoint-authentication": {
+ "fields": {
+ "protocol": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "time_modified": {
+ "src_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "url": {
+ "event_name": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "email_dlp_policy_names": {
+ "auth_method": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "src_host": {
- "Status": "Legacy",
+ "event_code": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "process_name": {
- "Status": "Legacy",
+ }
+ }
+ },
+ "app-login": {
+ "fields": {
+ "protocol": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "file_owner": {
+ "src_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "src_ip": {
+ "event_name": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "domain": {
+ "auth_method": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "service_name": {
+ "event_code": {
+ "Status": "Default",
"core": "0",
"detection": "0",
+ "informational": "1"
+ }
+ }
+ }
+ }
+ },
+ "digital arts i-filter for business": {
+ "expression": "product = \"digital arts i-filter for business\"",
+ "fields": {},
+ "activity_type": {
+ "http-session": {
+ "fields": {
+ "src_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
"informational": "0"
- },
- "directory_id": {
+ }
+ }
+ }
+ }
+ },
+ "edgewave iprism": {
+ "expression": "product = \"edgewave iprism\"",
+ "fields": {},
+ "activity_type": {
+ "http-session": {
+ "fields": {
+ "proxy_action": {
+ "Status": "Default",
"core": "0",
"detection": "0",
+ "informational": "1"
+ }
+ }
+ }
+ }
+ },
+ "edirectory": {
+ "expression": "product = \"edirectory\"",
+ "fields": {
+ "dest_port": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user_ou": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_port": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_host": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "protocol": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ },
+ "activity_type": {
+ "user-enable": {
+ "fields": {}
+ },
+ "user-disable": {
+ "fields": {}
+ },
+ "user-unlock": {
+ "fields": {}
+ },
+ "user-password-modify": {
+ "fields": {}
+ },
+ "endpoint-authentication": {
+ "fields": {}
+ }
+ }
+ },
+ "edocs": {
+ "expression": "product = \"edocs\"",
+ "fields": {},
+ "activity_type": {
+ "app-activity": {
+ "fields": {
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
"informational": "0"
},
- "file_type": {
- "Status": "Legacy",
+ "user_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "user_uid": {
+ "object": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "access": {
+ "resource": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "actor": {
+ "client_name": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "sync_destination": {
+ "client_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "hash_sha256": {
+ "informational": "1"
+ }
+ }
+ }
+ }
+ },
+ "mimecast secure email gateway": {
+ "expression": "product = \"mimecast secure email gateway\"",
+ "fields": {},
+ "activity_type": {
+ "email-receive": {
+ "fields": {
+ "bytes": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "cloud_drive_id": {
+ "direction": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "exposure_type": {
+ "attachment_size": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "device_id": {
+ "hash_md5": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "removable_media_capacity": {
+ "src_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "device_name": {
+ "file_type": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "removable_media_volume_name": {
+ "attachment_count": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "process_owner": {
+ "message_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "removable_media_bus_type": {
+ "spam_score": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
- },
- "removable_media_media_name": {
+ "informational": "1"
+ }
+ }
+ },
+ "email-read": {
+ "fields": {
+ "email_address": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "removable_media_name": {
+ "email_user": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "email_dlp_from": {
+ "email_domain": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "src_translated_ip": {
+ "operation": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "tab_title": {
+ "log_source": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "removable_media_partition_id": {
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "additional_info": {
+ "app": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "file_category": {
+ "result": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "hash_md5": {
+ "dest_email": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "sender": {
+ "object": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "event_code": {
+ "resource": {
+ "Status": "Default",
"core": "0",
"detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "app-activity": {
+ "fields": {
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
"informational": "0"
},
- "dest_host": {
- "Status": "Legacy",
+ "domain": {
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "log_source": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
- "mime": {
+ "resource": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "removable_media_vendor": {
+ "object": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "device_vendor": {
+ "app": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "file_id": {
+ "log_source": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "file_exposure_changed_to": {
+ "target": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "private_ip": {
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "device_type": {
+ "src_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
- },
- "detection_source_alias": {
+ }
+ }
+ },
+ "app-login": {
+ "fields": {
+ "src_ip": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
}
}
- },
- "peripheral_storage-insert": {
+ }
+ }
+ },
+ "emc isilon": {
+ "expression": "product = \"emc isilon\"",
+ "fields": {},
+ "activity_type": {
+ "file-read": {
"fields": {
- "drive_letter": {
+ "access": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "usb_serial_number": {
+ "src_ip": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_translated_ip": {
+ "zone_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "device_name": {
+ "server_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "vendor_name": {
+ "file_type": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "inode": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user_id": {
+ "desire_access": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_ip": {
+ "user_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "usb_vendor": {
+ "protocol": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "operation": {
+ "create_result": {
"core": "0",
"detection": "0",
"informational": "0"
}
}
},
- "email-send": {
+ "file-write": {
"fields": {
- "bytes": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_host": {
- "Status": "Default",
+ "access": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "file_type": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "log_source": {
- "Status": "Default",
+ "src_ip": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "event_code": {
- "Status": "Default",
+ "zone_id": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "printer-activity": {
- "fields": {
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
"informational": "0"
},
- "dest_ip": {
+ "server_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "object": {
+ "file_type": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "device_id": {
+ "inode": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "event_code": {
+ "desire_access": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "printer_name": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
"user_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_ip": {
+ "protocol": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_host": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "log_source": {
+ "create_result": {
"core": "0",
"detection": "0",
"informational": "0"
}
}
- }
- }
- },
- "cognitas crosslink": {
- "expression": "product = \"cognitas crosslink\"",
- "fields": {},
- "activity_type": {
- "vpn-login": {
+ },
+ "file-permission-modify": {
"fields": {
- "dest_ip": {
- "Status": "Default",
+ "access": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
- }
- }
- }
- }
- },
- "cohesity dataplatform": {
- "expression": "product = \"cohesity dataplatform\"",
- "fields": {},
- "activity_type": {
- "app-login": {
- "fields": {
- "user_id": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
},
"src_ip": {
- "Status": "Default",
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "event_name": {
- "Status": "Default",
+ "zone_id": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "additional_info": {
- "Status": "Default",
+ "server_name": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- }
- }
- },
- "darktrace": {
- "expression": "product = \"darktrace\"",
- "fields": {},
- "activity_type": {
- "app-login": {
- "fields": {
- "src_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
"informational": "0"
},
- "method": {
- "Status": "Default",
+ "file_type": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- }
- }
- },
- "data security platform": {
- "expression": "product = \"data security platform\"",
- "fields": {},
- "activity_type": {
- "file-delete": {
- "fields": {
- "access": {
- "Status": "Legacy",
+ "inode": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "desire_access": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "dest_ip": {
+ "user_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "domain": {
+ "protocol": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_host": {
- "Status": "Legacy",
+ "create_result": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
}
}
},
- "file-write": {
+ "file-delete": {
"fields": {
"access": {
"Status": "Legacy",
@@ -57536,136 +68673,169 @@
"detection": "1",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "src_ip": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "dest_ip": {
+ "zone_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "domain": {
+ "server_name": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_host": {
+ "file_type": {
"Status": "Legacy",
"core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "file-read": {
- "fields": {
- "access": {
- "Status": "Legacy",
+ "detection": "0",
+ "informational": "1"
+ },
+ "inode": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "desire_access": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "dest_ip": {
+ "user_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "domain": {
+ "protocol": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "dest_host": {
- "Status": "Legacy",
+ "create_result": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
}
}
},
- "file-permission-modify": {
+ "endpoint-login": {
"fields": {
- "access": {
- "Status": "Legacy",
+ "src_ip": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "dest_ip": {
+ "zone_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "domain": {
+ "user_id": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "dest_host": {
- "Status": "Legacy",
+ "src_host": {
+ "Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "protocol": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_name": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
}
}
}
},
- "datawatch": {
- "expression": "product = \"datawatch\"",
- "fields": {},
- "activity_type": {
- "physical_location-access": {
- "fields": {}
+ "emp": {
+ "expression": "product = \"emp\"",
+ "fields": {
+ "user": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "location": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
}
- }
- },
- "digipass for apps": {
- "expression": "product = \"digipass for apps\"",
- "fields": {},
+ },
"activity_type": {
- "endpoint-authentication": {
+ "app-activity": {
"fields": {
- "protocol": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
+ "additional_info": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ },
+ "app-login": {
+ "fields": {
+ "additional_info": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ }
+ }
+ },
+ "tanium core platform": {
+ "expression": "product = \"tanium core platform\"",
+ "fields": {},
+ "activity_type": {
+ "process-create": {
+ "fields": {
+ "user": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "event_name": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "auth_method": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "event_code": {
+ "hash_md5": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -57673,65 +68843,74 @@
}
}
},
- "app-login": {
+ "endpoint-authentication": {
"fields": {
- "protocol": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
"src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "event_name": {
+ "auth_method": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "auth_method": {
+ "process_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_code": {
+ "process_path": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_dir": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
}
}
- }
- }
- },
- "digital arts i-filter for business": {
- "expression": "product = \"digital arts i-filter for business\"",
- "fields": {},
- "activity_type": {
- "http-session": {
+ },
+ "dns-response": {
"fields": {
"src_host": {
- "Status": "Default",
+ "Status": "Legacy",
"core": "0",
- "detection": "1",
+ "detection": "0",
+ "informational": "1"
+ },
+ "process_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "process_path": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "process_dir": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
}
}
}
}
},
- "edgewave iprism": {
- "expression": "product = \"edgewave iprism\"",
+ "huawei enterprise network firewall": {
+ "expression": "product = \"huawei enterprise network firewall\"",
"fields": {},
"activity_type": {
- "http-session": {
+ "network-session": {
"fields": {
- "proxy_action": {
+ "rule": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -57741,139 +68920,126 @@
}
}
},
- "edirectory": {
- "expression": "product = \"edirectory\"",
- "fields": {
- "dest_port": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_ip": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "user_ou": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "user": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_port": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_host": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "protocol": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
- "activity_type": {
- "user-enable": {
- "fields": {}
- },
- "user-disable": {
- "fields": {}
- },
- "user-unlock": {
- "fields": {}
- },
- "user-password-modify": {
- "fields": {}
- },
- "endpoint-authentication": {
- "fields": {}
- }
- }
- },
- "edocs": {
- "expression": "product = \"edocs\"",
+ "esector defesa logger": {
+ "expression": "product = \"esector defesa logger\"",
"fields": {},
"activity_type": {
- "app-activity": {
+ "file-read": {
"fields": {
"user": {
- "Status": "Default",
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "event_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "host_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_host": {
+ "Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "user_id": {
- "Status": "Default",
+ "local_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
+ },
+ "file-write": {
+ "fields": {
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
},
- "object": {
- "Status": "Default",
+ "event_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "resource": {
- "Status": "Default",
+ "host_ip": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "client_name": {
- "Status": "Default",
+ "src_host": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "client_id": {
- "Status": "Default",
+ "local_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
+ },
+ "file-delete": {
+ "fields": {
+ "user": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "event_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "host_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_host": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "mimecast secure email gateway": {
- "expression": "product = \"mimecast secure email gateway\"",
+ "eset endpoint security": {
+ "expression": "product = \"eset endpoint security\"",
"fields": {},
"activity_type": {
- "email-receive": {
+ "endpoint-authentication": {
"fields": {
- "bytes": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "direction": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "attachment_size": {
+ "object": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "hash_md5": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -57885,25 +69051,25 @@
"detection": "1",
"informational": "0"
},
- "file_type": {
+ "service_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "attachment_count": {
+ "event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "message_id": {
+ "category": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "spam_score": {
+ "alert_severity": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -57911,443 +69077,491 @@
}
}
},
- "email-read": {
+ "app-login": {
"fields": {
- "email_address": {
+ "dest_port": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "email_user": {
+ "process_dir": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "email_domain": {
+ "dest_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "hash_sha256": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operation": {
+ "url": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "log_source": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "category": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "application": {
+ "event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "result": {
+ "direction": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "dest_email": {
+ "process_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "protocol": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "resource": {
+ "action": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "app-activity": {
- "fields": {
- "user": {
+ },
+ "src_port": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
},
- "domain": {
+ "process_path": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "resource": {
+ "src_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ }
+ }
+ },
+ "http-session": {
+ "fields": {
+ "event_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "object": {
+ "direction": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "application": {
+ "process_name": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "log_source": {
+ "process_path": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "target": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
+ "process_dir": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
+ "hash_sha256": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "app-login": {
- "fields": {
- "src_ip": {
+ "detection": "0",
+ "informational": "1"
+ },
+ "additional_info": {
"Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
}
}
}
}
},
- "emc isilon": {
- "expression": "product = \"emc isilon\"",
+ "advanced analytics": {
+ "expression": "product = \"advanced analytics\"",
"fields": {},
"activity_type": {
- "file-read": {
+ "alert-trigger": {
"fields": {
- "access": {
+ "user": {
"Status": "Legacy",
"core": "0",
"detection": "1",
"informational": "0"
},
- "src_ip": {
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "zone_id": {
+ "mitre_labels": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "rule_usecases": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "asset_labels": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "server_name": {
+ "event_id": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "file_type": {
- "Status": "Legacy",
+ "event_time": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "inode": {
+ "log_time": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "desire_access": {
+ "original_risk_score": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user_id": {
+ "trigger_type": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "protocol": {
+ "trigger_entity": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "create_result": {
+ "session_id": {
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- },
- "file-write": {
- "fields": {
- "access": {
- "Status": "Legacy",
+ },
+ "domain": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "src_ip": {
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "event_category": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "zone_id": {
+ "rule_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "server_name": {
+ "rule": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "file_type": {
- "Status": "Legacy",
+ "rule_description": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "inode": {
+ "rule_reason": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "desire_access": {
+ "url": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user_id": {
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "container_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "protocol": {
+ "incident_creation_time": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "create_result": {
+ "base_risk_score": {
"core": "0",
"detection": "0",
"informational": "0"
}
}
- },
- "file-permission-modify": {
+ }
+ }
+ },
+ "correlation rule": {
+ "expression": "product = \"correlation rule\"",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
"fields": {
- "access": {
- "Status": "Legacy",
+ "mitre_labels": {
"core": "0",
"detection": "1",
"informational": "0"
},
- "src_ip": {
+ "rule_usecases": {
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "zone_id": {
+ "rule_severity": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "server_name": {
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "file_type": {
+ "dest_ip": {
"Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "operation": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "inode": {
+ "rule_description": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "desire_access": {
+ "rule_id": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "user_id": {
+ "rule": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "protocol": {
+ "rule_reason": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "create_result": {
+ "rule_type": {
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- },
- "file-delete": {
- "fields": {
- "access": {
+ },
+ "src_host": {
"Status": "Legacy",
- "core": "0",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "src_ip": {
+ "url": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "zone_id": {
+ "user": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "server_name": {
+ "local_user_name": {
"core": "0",
"detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
+ }
+ }
+ },
+ "NG Analytics": {
+ "expression": "product = \"NG Analytics\"",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
+ "fields": {
+ "mitre_labels": {
+ "core": "0",
+ "detection": "1",
"informational": "0"
},
- "file_type": {
- "Status": "Legacy",
+ "rule_usecases": {
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "rule_severity": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "inode": {
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "desire_access": {
- "core": "0",
- "detection": "0",
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
"informational": "0"
},
- "user_id": {
+ "operation": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "protocol": {
+ "rule_description": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "create_result": {
+ "rule_id": {
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- },
- "endpoint-login": {
- "fields": {
- "src_ip": {
- "Status": "Default",
+ },
+ "rule": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "zone_id": {
- "Status": "Default",
+ "rule_reason": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "user_id": {
- "Status": "Default",
+ "rule_type": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
"src_host": {
- "Status": "Default",
- "core": "0",
+ "Status": "Legacy",
+ "core": "1",
"detection": "1",
"informational": "0"
},
- "protocol": {
- "Status": "Default",
+ "url": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "event_name": {
- "Status": "Default",
+ "user": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "local_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
}
}
}
}
},
- "emp": {
- "expression": "product = \"emp\"",
- "fields": {
- "user": {
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "operation": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "location": {
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- },
+ "search": {
+ "expression": "product = \"search\"",
+ "fields": {},
"activity_type": {
- "app-activity": {
+ "app-login": {
"fields": {
- "object": {
+ "src_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
"additional_info": {
"Status": "Default",
@@ -58357,23 +69571,7 @@
}
}
},
- "app-login": {
- "fields": {
- "additional_info": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- }
- }
- },
- "tanium core platform": {
- "expression": "product = \"tanium core platform\"",
- "fields": {},
- "activity_type": {
- "process-create": {
+ "log_source-add": {
"fields": {
"user": {
"Status": "Default",
@@ -58387,41 +69585,31 @@
"detection": "0",
"informational": "1"
},
- "hash_md5": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- },
- "endpoint-authentication": {
- "fields": {
+ "informational": "0",
+ "enriched": "1"
+ },
"src_ip": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "auth_method": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "process_name": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_path": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_dir": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -58429,155 +69617,113 @@
}
}
},
- "dns-response": {
+ "log_source-modify": {
"fields": {
- "src_host": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "process_name": {
+ "user": {
+ "Status": "Default",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
- "process_path": {
+ "domain": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "process_dir": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
- }
- }
- }
- }
- },
- "huawei enterprise network firewall": {
- "expression": "product = \"huawei enterprise network firewall\"",
- "fields": {},
- "activity_type": {
- "network-session": {
- "fields": {
- "rule": {
+ "informational": "0",
+ "enriched": "1"
+ },
+ "src_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
- }
- }
- }
- }
- },
- "esector defesa logger": {
- "expression": "product = \"esector defesa logger\"",
- "fields": {},
- "activity_type": {
- "file-read": {
- "fields": {
- "user": {
- "Status": "Legacy",
- "core": "1",
"detection": "1",
"informational": "0"
},
- "event_name": {
+ "operation": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "host_ip": {
+ "additional_info": {
+ "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "src_host": {
- "Status": "Legacy",
+ "app": {
+ "Status": "Default",
"core": "0",
- "detection": "1",
- "informational": "0"
+ "detection": "0",
+ "informational": "1"
}
}
},
- "file-write": {
+ "group-modify": {
"fields": {
"user": {
"Status": "Legacy",
"core": "1",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "event_name": {
+ "domain": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
- "host_ip": {
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "0",
+ "enriched": "1"
},
- "src_host": {
+ "src_ip": {
"core": "0",
"detection": "0",
"informational": "0"
- }
- }
- },
- "file-delete": {
- "fields": {
- "user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
},
- "event_name": {
+ "operation": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "host_ip": {
+ "additional_info": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "src_host": {
- "Status": "Legacy",
+ "app": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
}
}
- }
- }
- },
- "eset endpoint security": {
- "expression": "product = \"eset endpoint security\"",
- "fields": {},
- "activity_type": {
- "endpoint-authentication": {
+ },
+ "role-delete": {
"fields": {
- "operation": {
+ "user": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "object": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "additional_info": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
"src_ip": {
"Status": "Default",
@@ -58585,25 +69731,19 @@
"detection": "1",
"informational": "0"
},
- "service_name": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "event_name": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "category": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "alert_severity": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -58611,175 +69751,136 @@
}
}
},
- "app-login": {
+ "rule-create": {
"fields": {
- "dest_port": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "process_dir": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "dest_ip": {
+ "user": {
"Status": "Default",
"core": "0",
"detection": "1",
"informational": "0"
},
- "hash_sha256": {
+ "domain": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "url": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
},
- "additional_info": {
+ "src_ip": {
"Status": "Default",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "category": {
+ "operation": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "event_name": {
+ "additional_info": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "direction": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
- },
- "process_name": {
- "Status": "Default",
+ }
+ }
+ },
+ "alert-trigger": {
+ "fields": {
+ "user": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "protocol": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
},
- "action": {
- "Status": "Default",
+ "dest_host": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
- "informational": "1"
+ "detection": "1",
+ "informational": "0"
},
- "src_port": {
- "Status": "Default",
+ "mitre_labels": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_path": {
- "Status": "Default",
+ "rule_usecases": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- },
- "http-session": {
- "fields": {
- "event_name": {
- "Status": "Default",
+ "asset_labels": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "direction": {
- "Status": "Default",
+ "event_id": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_name": {
- "Status": "Default",
+ "alert_reason": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "process_path": {
- "Status": "Default",
+ "event_time": {
"core": "0",
"detection": "0",
"informational": "1"
},
- "domain": {
- "Status": "Default",
+ "log_time": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "process_dir": {
- "Status": "Default",
+ "original_risk_score": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "hash_sha256": {
- "Status": "Default",
+ "trigger_type": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "additional_info": {
- "Status": "Default",
+ "trigger_entity": {
"core": "0",
"detection": "0",
- "informational": "1"
- }
- }
- }
- }
- },
- "exabeam dl": {
- "expression": "product = \"exabeam dl\"",
- "fields": {},
- "activity_type": {
- "app-login": {
- "fields": {
- "src_ip": {
- "Status": "Default",
+ "informational": "0"
+ },
+ "base_risk_score": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "additional_info": {
- "Status": "Default",
+ "local_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
}
}
},
- "log_source-add": {
+ "role-permission-modify": {
"fields": {
"user": {
"Status": "Default",
@@ -58793,6 +69894,12 @@
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"src_ip": {
"Status": "Default",
"core": "0",
@@ -58811,7 +69918,7 @@
"detection": "0",
"informational": "1"
},
- "application": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -58819,7 +69926,7 @@
}
}
},
- "log_source-modify": {
+ "app-notification": {
"fields": {
"user": {
"Status": "Default",
@@ -58833,6 +69940,12 @@
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"src_ip": {
"Status": "Default",
"core": "0",
@@ -58851,7 +69964,7 @@
"detection": "0",
"informational": "1"
},
- "application": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -58859,21 +69972,59 @@
}
}
},
- "group-modify": {
+ "app-activity": {
"fields": {
+ "src_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
"user": {
- "Status": "Legacy",
- "core": "1",
- "detection": "0",
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
"informational": "0"
},
"domain": {
- "Status": "Legacy",
+ "Status": "Default",
"core": "0",
"detection": "0",
"informational": "1"
},
- "src_ip": {
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "additional_info": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
+ }
+ }
+ },
+ "audit log": {
+ "expression": "product = \"audit log\"",
+ "fields": {},
+ "activity_type": {
+ "alert-modify": {
+ "fields": {
+ "app": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "object_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "object_id": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -58883,359 +70034,512 @@
"detection": "0",
"informational": "0"
},
- "additional_info": {
+ "old_value": {
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "new_value": {
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_ip": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "method": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "url": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "user": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "application": {
+ "email_address": {
"core": "0",
"detection": "0",
"informational": "0"
}
}
},
- "role-delete": {
+ "alert-create": {
"fields": {
- "user": {
- "Status": "Default",
+ "app": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "domain": {
- "Status": "Default",
+ "object_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "src_ip": {
- "Status": "Default",
+ "object_id": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
"operation": {
- "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "additional_info": {
- "Status": "Default",
+ "old_value": {
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "new_value": {
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_ip": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "application": {
- "Status": "Default",
+ "method": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
+ },
+ "url": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "email_address": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
}
}
},
- "rule-create": {
+ "alert-delete": {
"fields": {
- "user": {
- "Status": "Default",
+ "app": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "domain": {
- "Status": "Default",
+ "object_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "src_ip": {
- "Status": "Default",
+ "object_id": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
"operation": {
- "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "additional_info": {
- "Status": "Default",
+ "old_value": {
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "new_value": {
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_ip": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "application": {
- "Status": "Default",
+ "method": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
+ },
+ "url": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "email_address": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
}
}
},
- "rule-trigger": {
+ "alert-read": {
"fields": {
- "src_host": {
- "Status": "Default",
+ "app": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "src_ip": {
- "Status": "Default",
+ "object_name": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "rule": {
- "Status": "Default",
+ "object_id": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "dest_host": {
- "Status": "Default",
+ "operation": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "dest_ip": {
- "Status": "Default",
+ "old_value": {
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "new_value": {
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_ip": {
"core": "0",
- "detection": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "method": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "url": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
"user": {
- "Status": "Default",
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "trigger_time": {
- "Status": "Default",
+ "email_address": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
+ }
+ }
+ },
+ "case-modify": {
+ "fields": {
+ "app": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
},
- "rule_reason": {
- "Status": "Default",
+ "object_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "mitre_labels": {
- "Status": "Default",
+ "object_id": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "usecases": {
- "Status": "Default",
+ "operation": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "labels": {
- "Status": "Default",
+ "old_value": {
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "new_value": {
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_ip": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "rule_severity": {
- "Status": "Default",
+ "method": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "event_id": {
- "Status": "Default",
+ "url": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "event_time": {
- "Status": "Default",
+ "user": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "log_time": {
- "Status": "Default",
+ "email_address": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
}
}
},
- "alert-trigger": {
+ "case-create": {
"fields": {
- "user": {
- "Status": "Legacy",
+ "app": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "src_host": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
+ "object_name": {
+ "core": "0",
+ "detection": "0",
"informational": "0"
},
- "dest_host": {
- "Status": "Legacy",
+ "object_id": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "mitre_labels": {
+ "operation": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "usecases": {
- "core": "0",
+ "old_value": {
+ "core": "1",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "labels": {
- "core": "0",
+ "new_value": {
+ "core": "1",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "event_id": {
+ "src_ip": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "alert_reason": {
+ "method": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "event_time": {
+ "url": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "log_time": {
+ "user": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "original_score": {
+ "email_address": {
"core": "0",
"detection": "0",
"informational": "0"
}
}
},
- "role-permission-modify": {
+ "case-delete": {
"fields": {
- "user": {
- "Status": "Default",
+ "app": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "domain": {
- "Status": "Default",
+ "object_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "src_ip": {
- "Status": "Default",
+ "object_id": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
"operation": {
- "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "additional_info": {
- "Status": "Default",
+ "old_value": {
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "new_value": {
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_ip": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "application": {
- "Status": "Default",
+ "method": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
+ },
+ "url": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "email_address": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
}
}
},
- "app-notification": {
+ "case-read": {
"fields": {
- "user": {
- "Status": "Default",
+ "app": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "domain": {
- "Status": "Default",
+ "object_name": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "src_ip": {
- "Status": "Default",
+ "object_id": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
"operation": {
- "Status": "Default",
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "additional_info": {
- "Status": "Default",
+ "old_value": {
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "new_value": {
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_ip": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "application": {
- "Status": "Default",
+ "method": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
+ },
+ "url": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "user": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "email_address": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
}
}
},
"app-activity": {
"fields": {
+ "app": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "object_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "object_id": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "old_value": {
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
+ "new_value": {
+ "core": "1",
+ "detection": "0",
+ "informational": "0"
+ },
"src_ip": {
- "Status": "Default",
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "user": {
- "Status": "Default",
+ "method": {
"core": "0",
- "detection": "1",
+ "detection": "0",
"informational": "0"
},
- "domain": {
- "Status": "Default",
+ "url": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
},
- "additional_info": {
- "Status": "Default",
+ "user": {
"core": "0",
"detection": "0",
- "informational": "1"
+ "informational": "0"
+ },
+ "email_address": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
}
}
}
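Review bot: in the new `audit log` product, `old_value` and `new_value` are marked `core: 1` in all nine activity types, including `alert-create`, `alert-delete`, `alert-read`, `case-create`, `case-delete`, `case-read` and `app-activity`, where a create, delete or read event does not carry an old/new value pair; marking them core means those events can never satisfy the activity type, and only `alert-modify` and `case-modify` plausibly need them. `user` and `src_ip` are also `detection: 0` here while the rest of the file consistently gives them `detection: 1` for comparable activity types, and all nine blocks carry the identical twelve-field list, which reads as copy-paste rather than per-activity review. Finally, the selector `product = "audit log"` is generic enough to match other products' audit logs; a more specific product name would be safer.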
@@ -59291,6 +70595,12 @@
"detection": "0",
"informational": "0"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"event_name": {
"core": "0",
"detection": "0",
@@ -59328,6 +70638,12 @@
"detection": "0",
"informational": "0"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"event_name": {
"core": "0",
"detection": "0",
@@ -59365,6 +70681,12 @@
"detection": "0",
"informational": "0"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"event_name": {
"core": "0",
"detection": "0",
@@ -59402,6 +70724,12 @@
"detection": "0",
"informational": "0"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"event_name": {
"core": "0",
"detection": "0",
@@ -59546,6 +70874,12 @@
"core": "0",
"detection": "0",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -59573,6 +70907,12 @@
"core": "0",
"detection": "0",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -59600,6 +70940,12 @@
"core": "0",
"detection": "0",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
@@ -59860,6 +71206,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -59886,6 +71238,12 @@
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -59951,6 +71309,12 @@
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"additional_info": {
"Status": "Default",
"core": "0",
@@ -60019,6 +71383,12 @@
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"additional_info": {
"Status": "Default",
"core": "0",
@@ -60065,6 +71435,12 @@
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"additional_info": {
"Status": "Default",
"core": "0",
@@ -60417,7 +71793,7 @@
"detection": "1",
"informational": "0"
},
- "operating_system": {
+ "os": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -60798,6 +72174,12 @@
"core": "0",
"detection": "0",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
@@ -60858,7 +72240,7 @@
"activity_type": {
"app-login": {
"fields": {
- "authentication_type": {
+ "auth_type": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -60915,6 +72297,12 @@
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
@@ -61197,6 +72585,12 @@
"core": "0",
"detection": "0",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -61238,6 +72632,12 @@
"core": "0",
"detection": "0",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
@@ -61326,6 +72726,12 @@
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
@@ -61426,12 +72832,18 @@
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
"alert-trigger": {
"fields": {
- "application": {
+ "app": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -61587,9 +72999,10 @@
"detection": "0",
"informational": "1"
},
- "proess_path": {
+ "process_path": {
+ "Status": "Legacy",
"core": "0",
- "detection": "0",
+ "detection": "1",
"informational": "0"
},
"src_host": {
@@ -61601,6 +73014,12 @@
"core": "0",
"detection": "0",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -61624,10 +73043,11 @@
"detection": "0",
"informational": "1"
},
- "proess_path": {
+ "process_path": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
"src_host": {
"Status": "Legacy",
@@ -61639,6 +73059,12 @@
"core": "0",
"detection": "0",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -61662,10 +73088,11 @@
"detection": "0",
"informational": "1"
},
- "proess_path": {
+ "process_path": {
+ "Status": "Legacy",
"core": "0",
"detection": "0",
- "informational": "0"
+ "informational": "1"
},
"src_host": {
"core": "0",
@@ -61676,6 +73103,12 @@
"core": "0",
"detection": "0",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
@@ -62112,6 +73545,12 @@
"detection": "0",
"informational": "0"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"download_source": {
"core": "0",
"detection": "0",
@@ -62209,6 +73648,12 @@
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -62308,7 +73753,7 @@
"detection": "0",
"informational": "1"
},
- "application": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -62326,6 +73771,12 @@
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"src_ip": {
"Status": "Default",
"core": "0",
@@ -62424,7 +73875,7 @@
"detection": "0",
"informational": "1"
},
- "application": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -62676,6 +74127,12 @@
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
@@ -62723,6 +74180,12 @@
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"activity_type": {
@@ -63041,6 +74504,12 @@
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"protocol": {
"core": "0",
"detection": "0",
@@ -63174,7 +74643,7 @@
"detection": "1",
"informational": "0"
},
- "operating_system": {
+ "os": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -63291,6 +74760,12 @@
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"src_ip": {
"core": "0",
"detection": "1",
@@ -63649,6 +75124,12 @@
"detection": "1",
"informational": "0"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"user_sid": {
"core": "0",
"detection": "0",
@@ -63676,6 +75157,12 @@
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"cabinet_name": {
"Status": "Default",
"core": "0",
@@ -64035,7 +75522,7 @@
"detection": "1",
"informational": "0"
},
- "operating_system": {
+ "os": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -64091,7 +75578,7 @@
"detection": "0",
"informational": "0"
},
- "operating_system": {
+ "os": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -64165,7 +75652,7 @@
"activity_type": {
"http-session": {
"fields": {
- "operating_system": {
+ "os": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -64259,7 +75746,7 @@
"detection": "1",
"informational": "0"
},
- "operating_system": {
+ "os": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -64335,7 +75822,7 @@
"detection": "0",
"informational": "1"
},
- "operating_system": {
+ "os": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -64417,13 +75904,19 @@
"detection": "0",
"informational": "0"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"file_type": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operating_system": {
+ "os": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -64494,13 +75987,19 @@
"detection": "0",
"informational": "0"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"file_type": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operating_system": {
+ "os": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -64587,13 +76086,19 @@
"detection": "0",
"informational": "0"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"file_type": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operating_system": {
+ "os": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -64664,13 +76169,19 @@
"detection": "0",
"informational": "0"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"file_type": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operating_system": {
+ "os": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -64742,13 +76253,19 @@
"detection": "0",
"informational": "0"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"file_type": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operating_system": {
+ "os": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -64818,13 +76335,19 @@
"detection": "0",
"informational": "0"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"file_type": {
"Status": "Legacy",
"core": "0",
"detection": "0",
"informational": "1"
},
- "operating_system": {
+ "os": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -64907,6 +76430,12 @@
"detection": "1",
"informational": "0"
},
+ "account_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"src_ip": {
"Status": "Default",
"core": "0",
@@ -64919,6 +76448,12 @@
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"file_type": {
"Status": "Default",
"core": "0",
@@ -64931,7 +76466,7 @@
"detection": "1",
"informational": "0"
},
- "operating_system": {
+ "os": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -65019,6 +76554,12 @@
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"country_code": {
"Status": "Default",
"core": "0",
@@ -65095,7 +76636,7 @@
"detection": "0",
"informational": "1"
},
- "operating_system": {
+ "os": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -65165,7 +76706,7 @@
"detection": "0",
"informational": "1"
},
- "operating_system": {
+ "os": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -65227,7 +76768,7 @@
"detection": "0",
"informational": "0"
},
- "operating_system": {
+ "os": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -65287,7 +76828,7 @@
"detection": "0",
"informational": "0"
},
- "operating_system": {
+ "os": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -65314,6 +76855,12 @@
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -65367,7 +76914,7 @@
"detection": "0",
"informational": "1"
},
- "operating_system": {
+ "os": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -65402,6 +76949,12 @@
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -65455,7 +77008,7 @@
"detection": "0",
"informational": "1"
},
- "operating_system": {
+ "os": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -65490,6 +77043,12 @@
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -65543,7 +77102,7 @@
"detection": "0",
"informational": "1"
},
- "operating_system": {
+ "os": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -65572,6 +77131,12 @@
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -65625,7 +77190,95 @@
"detection": "0",
"informational": "1"
},
- "operating_system": {
+ "os": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "bytes": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_host": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
+ },
+ "log-search": {
+ "fields": {
+ "location": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "action": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "operation": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "src_ip": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_port": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "browser": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "web_domain": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "url": {
+ "Status": "Default",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "os": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -65654,88 +77307,12 @@
"core": "0",
"detection": "0",
"informational": "1"
- }
- }
- },
- "log-search": {
- "fields": {
- "location": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
},
- "action": {
- "Status": "Default",
+ "domain_user_name": {
"core": "0",
"detection": "0",
- "informational": "1"
- },
- "operation": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_ip": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_port": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "browser": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "web_domain": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "url": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "operating_system": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "bytes": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "src_host": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "user": {
- "Status": "Default",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "domain": {
- "Status": "Default",
- "core": "0",
- "detection": "0",
- "informational": "1"
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -65789,7 +77366,7 @@
"detection": "0",
"informational": "1"
},
- "operating_system": {
+ "os": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -65818,6 +77395,12 @@
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -65871,7 +77454,7 @@
"detection": "0",
"informational": "1"
},
- "operating_system": {
+ "os": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -65900,6 +77483,12 @@
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -65953,7 +77542,7 @@
"detection": "0",
"informational": "1"
},
- "operating_system": {
+ "os": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -65988,6 +77577,12 @@
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -66098,7 +77693,7 @@
"detection": "1",
"informational": "0"
},
- "application": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -66110,6 +77705,12 @@
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"additional_info": {
"Status": "Default",
"core": "0",
@@ -66168,6 +77769,12 @@
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"operation": {
"Status": "Default",
"core": "0",
@@ -66230,6 +77837,12 @@
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"operation": {
"core": "0",
"detection": "0",
@@ -66289,6 +77902,12 @@
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"operation": {
"Status": "Default",
"core": "0",
@@ -66351,6 +77970,12 @@
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"operation": {
"core": "0",
"detection": "0",
@@ -66411,6 +78036,12 @@
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"operation": {
"Status": "Default",
"core": "0",
@@ -66473,6 +78104,12 @@
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"operation": {
"core": "0",
"detection": "0",
@@ -66532,6 +78169,12 @@
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"operation": {
"Status": "Default",
"core": "0",
@@ -66600,6 +78243,12 @@
"detection": "0",
"informational": "0"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"file_type": {
"Status": "Legacy",
"core": "0",
@@ -66647,6 +78296,12 @@
"detection": "0",
"informational": "0"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"file_type": {
"Status": "Legacy",
"core": "0",
@@ -66708,6 +78363,12 @@
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -66768,6 +78429,12 @@
"core": "0",
"detection": "0",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -66793,6 +78460,12 @@
"core": "0",
"detection": "0",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -66834,6 +78507,12 @@
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -66861,6 +78540,12 @@
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -66887,6 +78572,12 @@
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -66931,6 +78622,12 @@
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
@@ -67017,7 +78714,7 @@
"activity_type": {
"app-login": {
"fields": {
- "authentication_type": {
+ "auth_type": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -67077,6 +78774,12 @@
"core": "0",
"detection": "0",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
@@ -67285,6 +78988,12 @@
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"event_code": {
"core": "0",
"detection": "0",
@@ -67645,7 +79354,7 @@
"detection": "0",
"informational": "1"
},
- "application": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -67675,6 +79384,12 @@
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"object_type": {
"Status": "Default",
"core": "0",
@@ -67753,6 +79468,12 @@
"detection": "1",
"informational": "0"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"user_agent": {
"core": "0",
"detection": "0",
@@ -67785,6 +79506,12 @@
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"group_name": {
"Status": "Default",
"core": "0",
@@ -67885,12 +79612,18 @@
"detection": "0",
"informational": "0"
},
- "operating_system": {
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "os": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "operating_system_revision": {
+ "os_revision": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -67939,7 +79672,7 @@
"detection": "1",
"informational": "0"
},
- "application": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -67979,7 +79712,7 @@
"detection": "1",
"informational": "0"
},
- "application": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -68020,6 +79753,12 @@
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
},
@@ -68031,7 +79770,7 @@
"detection": "1",
"informational": "0"
},
- "application": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -68066,6 +79805,12 @@
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
@@ -68088,6 +79833,12 @@
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
@@ -68129,7 +79880,13 @@
"detection": "0",
"informational": "1"
},
- "application": {
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -68175,6 +79932,12 @@
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"group_name": {
"Status": "Default",
"core": "0",
@@ -68291,7 +80054,7 @@
"detection": "0",
"informational": "1"
},
- "application": {
+ "app": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -68465,6 +80228,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
@@ -68497,6 +80266,12 @@
"core": "0",
"detection": "0",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
@@ -68565,6 +80340,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
@@ -68834,6 +80615,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
@@ -69012,12 +80799,42 @@
"detection": "1",
"informational": "0"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"user_id": {
"core": "0",
"detection": "0",
"informational": "0"
}
}
+ },
+ "process-memory-protect": {
+ "fields": {
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "action": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "operation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "event_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ }
+ }
}
}
},
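Review bot: the new `process-memory-protect` activity type has no field flagged `"core": "1"` or `"detection": "1"`, and its four entries (`additional_info`, `action`, `operation`, `event_name`) omit the `"Status"` key used elsewhere; none of them identifies the acting or target process, which is what a memory-protection event would need to be useful for detection. Confirm the field set is intentionally minimal, and that a matching page is listed in ActivityTypes/ActivityType_Interface.md, since no hunk for such a page appears alongside this one.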
@@ -69113,6 +80930,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
@@ -69216,6 +81039,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
@@ -69265,6 +81094,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
@@ -69297,7 +81132,7 @@
"detection": "0",
"informational": "0"
},
- "operating_system": {
+ "os": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -69324,6 +81159,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
@@ -69396,6 +81237,12 @@
"detection": "1",
"informational": "0"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"full_name": {
"core": "0",
"detection": "0",
@@ -69486,7 +81333,7 @@
"detection": "0",
"informational": "1"
},
- "application": {
+ "app": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -69608,6 +81455,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
@@ -69624,6 +81477,12 @@
"detection": "0",
"informational": "0"
},
+ "account_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"additional_info": {
"core": "0",
"detection": "0",
@@ -69694,6 +81553,18 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "database_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
@@ -69710,6 +81581,12 @@
"detection": "0",
"informational": "0"
},
+ "account_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"additional_info": {
"core": "0",
"detection": "0",
@@ -69790,6 +81667,18 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "database_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
@@ -69874,6 +81763,12 @@
"detection": "1",
"informational": "0"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"additional_info": {
"core": "0",
"detection": "0",
@@ -69994,7 +81889,7 @@
"detection": "0",
"informational": "0"
},
- "operating_system": {
+ "os": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -70021,6 +81916,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
@@ -70135,6 +82036,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
@@ -70226,7 +82133,7 @@
"detection": "0",
"informational": "0"
},
- "operating_system": {
+ "os": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -70253,6 +82160,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
@@ -70368,6 +82281,12 @@
"detection": "0",
"informational": "0"
},
+ "account_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"action": {
"Status": "Legacy",
"core": "0",
@@ -70379,12 +82298,12 @@
"detection": "0",
"informational": "0"
},
- "application": {
+ "app": {
"core": "0",
"detection": "0",
"informational": "0"
},
- "application_protocol": {
+ "app_protocol": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -70551,6 +82470,12 @@
"detection": "1",
"informational": "0"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"first_name": {
"core": "0",
"detection": "0",
@@ -70575,58 +82500,6 @@
}
}
},
- "cloudflare": {
- "expression": "product = cloudflare",
- "fields": {},
- "activity_type": {
- "alert-trigger": {
- "fields": {
- "dest_host": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "dest_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "dest_port": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "protocol": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- },
- "src_ip": {
- "Status": "Legacy",
- "core": "1",
- "detection": "1",
- "informational": "0"
- },
- "src_port": {
- "Status": "Legacy",
- "core": "0",
- "detection": "0",
- "informational": "1"
- },
- "user": {
- "Status": "Legacy",
- "core": "0",
- "detection": "1",
- "informational": "0"
- }
- }
- }
- }
- },
"eset": {
"expression": "product = ESET",
"fields": {},
@@ -70725,6 +82598,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
@@ -70846,7 +82725,7 @@
"activity_type": {
"alert-trigger": {
"fields": {
- "application": {
+ "app": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -71135,7 +83014,7 @@
"detection": "0",
"informational": "1"
},
- "application": {
+ "app": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -71219,7 +83098,7 @@
"detection": "0",
"informational": "1"
},
- "application": {
+ "app": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -71274,6 +83153,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
@@ -71399,7 +83284,7 @@
"detection": "0",
"informational": "0"
},
- "application": {
+ "app": {
"core": "0",
"detection": "0",
"informational": "0"
@@ -71469,6 +83354,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
@@ -71485,6 +83376,12 @@
"detection": "0",
"informational": "0"
},
+ "account_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"additional_info": {
"core": "0",
"detection": "0",
@@ -71558,6 +83455,127 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ }
+ }
+ }
+ }
+ },
+ "f5 application security manager (asm)": {
+ "expression": "product = f5 application security manager (asm)",
+ "fields": {},
+ "activity_type": {
+ "alert-trigger": {
+ "fields": {
+ "additional_info": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "dest_host": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "dest_port": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "result": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "protocol": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_host": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "src_port": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "0",
+ "informational": "1"
+ },
+ "local_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "ip_reputation": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "country": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "domain": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "malware_file_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "malware_url": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "policy_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
+ },
+ "src_ip": {
+ "Status": "Legacy",
+ "core": "1",
+ "detection": "1",
+ "informational": "0"
+ },
+ "user": {
+ "Status": "Legacy",
+ "core": "0",
+ "detection": "1",
+ "informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
+ "user_agent": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0"
}
}
}
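Review bot: the expression `"product = f5 application security manager (asm)"` leaves a value containing spaces and parentheses unquoted, whereas the new markdown pages in this patch quote such values (`product = "NG Analytics"`); if the expression grammar tokenises on whitespace or treats parentheses as grouping, this will never match. Suggest `product = "f5 application security manager (asm)"`. Within the `alert-trigger` field set, `src_host` is marked `"core": "1"` while `dest_host` is `"core": "0"`; confirm the asymmetry is intended, since for a WAF alert the attacked host is usually at least as important as the source.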
@@ -71641,6 +83659,12 @@
"core": "0",
"detection": "1",
"informational": "0"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
}
}
@@ -72048,6 +84072,12 @@
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"user_type": {
"core": "0",
"detection": "1",
@@ -73229,6 +85259,12 @@
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"src_ip": {
"core": "0",
"detection": "1",
@@ -73616,6 +85652,12 @@
"detection": "0",
"informational": "1"
},
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
+ },
"src_ip": {
"core": "0",
"detection": "1",
@@ -73833,7 +85875,7 @@
"detection": "0",
"informational": "1"
},
- "operating_system_type": {
+ "os_type": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -73879,7 +85921,7 @@
"detection": "1",
"informational": "0"
},
- "operating_system_type": {
+ "os_type": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -73919,7 +85961,7 @@
"detection": "0",
"informational": "1"
},
- "operating_system_type": {
+ "os_type": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -73953,7 +85995,7 @@
"detection": "0",
"informational": "1"
},
- "operating_system_type": {
+ "os_type": {
"Status": "Default",
"core": "0",
"detection": "0",
@@ -74009,7 +86051,7 @@
"detection": "1",
"informational": "0"
},
- "authentication_type": {
+ "auth_type": {
"core": "0",
"detection": "0",
"informational": "1"
@@ -74093,6 +86135,12 @@
"core": "0",
"detection": "0",
"informational": "1"
+ },
+ "domain_user_name": {
+ "core": "0",
+ "detection": "0",
+ "informational": "0",
+ "enriched": "1"
}
},
"activity_type": {
@@ -74219,4 +86267,4 @@
}
}
}
-}
\ No newline at end of file
+}
diff --git a/Extensions/Extension_Interface.md b/Extensions/Extension_Interface.md
index affe593..33a559c 100644
--- a/Extensions/Extension_Interface.md
+++ b/Extensions/Extension_Interface.md
@@ -1,17 +1,20 @@
- Extension Interface
-=====================
+Extension Interface
+===================
-### Description
+### Description
This interface defines any additional context elements that help describe the activity. The extension layer preserves fields that were not essential to describing the subject or activity, but are still represented in the log source. Extensions can contain two definitions. One contains schema fields, which are the fields required for any log from a given data source. The other definition contains activity type mapping, which includes the fields required for a specific activity type from a given data source.
-### Data Sources
+### Data Sources
+* [Imperva Web application Firewall](Imperva_Web_application_Firewall.md)
+* [NG Analytics](NG_Analytics.md)
* [abnormal inbound email protection](abnormal_inbound_email_protection.md)
* [absolute](absolute.md)
* [accellion kiteworks](accellion_kiteworks.md)
-* [access it! universal.net](access_it!_universal.net.md)
+* [access it universal.net](access_it_universal.net.md)
* [aci](aci.md)
* [adaxes](adaxes.md)
-* [airlock web application firewall](airlock_web_application_firewall.md)
+* [advanced analytics](advanced_analytics.md)
+* [airlock waf](airlock_waf.md)
* [airwatch](airwatch.md)
* [akamai technologies](akamai_technologies.md)
* [alert logic](alert_logic.md)
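Review bot: the two entries inserted at the top of the list, `Imperva Web application Firewall` and `NG Analytics`, are mixed-case while every other entry is lowercase, and they sit ahead of the alphabetical run only because uppercase sorts first; the Imperva entry replaces the lowercase `imperva web application firewall` entry removed further down. Suggest keeping the lowercase naming convention for both the display name and the linked file. The `-`/`+` pairs for the `Extension Interface` title and the `### Description`/`### Data Sources` headings differ only in leading or trailing whitespace; that is fine, but worth a word in the commit message so reviewers do not look for a content change.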
@@ -31,11 +34,12 @@ This interface defines any additional context elements that help describe the ac
* [assetview assetview](assetview_assetview.md)
* [asupim](asupim.md)
* [atlassian bitbucket](atlassian_bitbucket.md)
+* [audit log](audit_log.md)
* [auditbeat](auditbeat.md)
* [auth0](auth0.md)
* [avaya ethernet routing switch](avaya_ethernet_routing_switch.md)
* [avaya vpn](avaya_vpn.md)
-* [avigilon access control manager](avigilon_access_control_manager.md)
+* [aviglion acm](aviglion_acm.md)
* [aws cloudtrail](aws_cloudtrail.md)
* [axway sftp](axway_sftp.md)
* [azure activity log](azure_activity_log.md)
@@ -49,6 +53,7 @@ This interface defines any additional context elements that help describe the ac
* [bitglass casb](bitglass_casb.md)
* [blackberry protect](blackberry_protect.md)
* [bloxone ddi](bloxone_ddi.md)
+* [blue coat proxysg](blue_coat_proxysg.md)
* [bluecat networks](bluecat_networks.md)
* [botsink](botsink.md)
* [box cloud content management](box_cloud_content_management.md)
@@ -57,7 +62,7 @@ This interface defines any additional context elements that help describe the ac
* [bromium secure platform](bromium_secure_platform.md)
* [ca privileged access manager server control](ca_privileged_access_manager_server_control.md)
* [carbon black app control](carbon_black_app_control.md)
-* [carbon black cloud endpoint standard](carbon_black_cloud_endpoint_standard.md)
+* [carbon black ces](carbon_black_ces.md)
* [carbon black edr](carbon_black_edr.md)
* [cassandra](cassandra.md)
* [cato cloud](cato_cloud.md)
@@ -88,7 +93,7 @@ This interface defines any additional context elements that help describe the ac
* [cisco ios](cisco_ios.md)
* [cisco ise](cisco_ise.md)
* [cisco meraki mx](cisco_meraki_mx.md)
-* [cisco meraki mx appliances](cisco_meraki_mx_appliances.md)
+* [cisco meraki mx appliance](cisco_meraki_mx_appliance.md)
* [cisco netflow](cisco_netflow.md)
* [cisco secure email](cisco_secure_email.md)
* [cisco secure web appliance](cisco_secure_web_appliance.md)
@@ -106,7 +111,6 @@ This interface defines any additional context elements that help describe the ac
* [clearswift secure email gateway](clearswift_secure_email_gateway.md)
* [clientview](clientview.md)
* [cloud akamai](cloud_akamai.md)
-* [cloudflare](cloudflare.md)
* [cloudflare insights](cloudflare_insights.md)
* [cloudflare waf](cloudflare_waf.md)
* [code42 incydr](code42_incydr.md)
@@ -114,12 +118,11 @@ This interface defines any additional context elements that help describe the ac
* [cognitas crosslink](cognitas_crosslink.md)
* [cohesity dataplatform](cohesity_dataplatform.md)
* [contrast security secure code platform](contrast_security_secure_code_platform.md)
+* [correlation rule](correlation_rule.md)
* [cortex xdr](cortex_xdr.md)
-* [crowdstrike falcon](crowdstrike_falcon.md)
-* [cyberark endpoint privilege management](cyberark_endpoint_privilege_management.md)
-* [cyberark privilege access management](cyberark_privilege_access_management.md)
+* [cyberark endpoint privilege manager](cyberark_endpoint_privilege_manager.md)
+* [cyberark privilege access manager](cyberark_privilege_access_manager.md)
* [cyberark privileged access manager](cyberark_privileged_access_manager.md)
-* [cyberark privileged session manager](cyberark_privileged_session_manager.md)
* [cybereason xdr](cybereason_xdr.md)
* [cylance protect](cylance_protect.md)
* [damballa failsafe](damballa_failsafe.md)
@@ -159,7 +162,6 @@ This interface defines any additional context elements that help describe the ac
* [event viewer - security](event_viewer_-_security.md)
* [event viewer - system](event_viewer_-_system.md)
* [event viewer - terminalservices-gateway](event_viewer_-_terminalservices-gateway.md)
-* [exabeam dl](exabeam_dl.md)
* [extrahop reveal(x) 360](extrahop_reveal(x)_360.md)
* [eyeinspect](eyeinspect.md)
* [f-secure elements](f-secure_elements.md)
@@ -249,7 +251,6 @@ This interface defines any additional context elements that help describe the ac
* [imperva file activity monitoring](imperva_file_activity_monitoring.md)
* [imperva incapsula](imperva_incapsula.md)
* [imperva securesphere](imperva_securesphere.md)
-* [imperva web application firewall](imperva_web_application_firewall.md)
* [imprivata](imprivata.md)
* [imss](imss.md)
* [imsva](imsva.md)
@@ -288,6 +289,7 @@ This interface defines any additional context elements that help describe the ac
* [logrhythm](logrhythm.md)
* [lumension](lumension.md)
* [lyrix](lyrix.md)
+* [m365 audit logs](m365_audit_logs.md)
* [macos](macos.md)
* [malwarebytes endpoint detection and response](malwarebytes_endpoint_detection_and_response.md)
* [malwarebytes endpoint protection](malwarebytes_endpoint_protection.md)
@@ -302,7 +304,6 @@ This interface defines any additional context elements that help describe the ac
* [mcafee network security platform (ips)](mcafee_network_security_platform_(ips).md)
* [mcafee skyhigh networks casb](mcafee_skyhigh_networks_casb.md)
* [megaflex](megaflex.md)
-* [microsoft 365 audit logs](microsoft_365_audit_logs.md)
* [microsoft advanced threat analytics (ata)](microsoft_advanced_threat_analytics_(ata).md)
* [microsoft advanced threat protection](microsoft_advanced_threat_protection.md)
* [microsoft applocker](microsoft_applocker.md)
@@ -420,6 +421,7 @@ This interface defines any additional context elements that help describe the ac
* [salesforce](salesforce.md)
* [sangfor ngaf](sangfor_ngaf.md)
* [sap](sap.md)
+* [search](search.md)
* [seclore](seclore.md)
* [secure computing safeword](secure_computing_safeword.md)
* [secureauth login](secureauth_login.md)
@@ -443,6 +445,7 @@ This interface defines any additional context elements that help describe the ac
* [skyhigh networks casb](skyhigh_networks_casb.md)
* [skysea clientview](skysea_clientview.md)
* [slack](slack.md)
+* [smg](smg.md)
* [snort ids](snort_ids.md)
* [snowflake](snowflake.md)
* [solaris](solaris.md)
@@ -470,14 +473,12 @@ This interface defines any additional context elements that help describe the ac
* [symamtec (broadcom) managed security services](symamtec_(broadcom)_managed_security_services.md)
* [symamtec (broadcom) mobile threat defense](symamtec_(broadcom)_mobile_threat_defense.md)
* [symantec advanced threat protection](symantec_advanced_threat_protection.md)
-* [symantec blue coat proxysg](symantec_blue_coat_proxysg.md)
* [symantec cloudsoc](symantec_cloudsoc.md)
* [symantec critical system protection](symantec_critical_system_protection.md)
* [symantec dlp](symantec_dlp.md)
* [symantec email security](symantec_email_security.md)
* [symantec endpoint protection](symantec_endpoint_protection.md)
* [symantec fireglass](symantec_fireglass.md)
-* [symantec messaging gateway](symantec_messaging_gateway.md)
* [symantec siteminder](symantec_siteminder.md)
* [symantec vip](symantec_vip.md)
* [symantec virtual secure web gateway](symantec_virtual_secure_web_gateway.md)
@@ -541,7 +542,7 @@ This interface defines any additional context elements that help describe the ac
* [xerox](xerox.md)
* [xps](xps.md)
* [xsuite](xsuite.md)
-* [zebra wireless lan management](zebra_wireless_lan_management.md)
+* [zebra wlan management](zebra_wlan_management.md)
* [zeek](zeek.md)
* [zoom](zoom.md)
* [zscaler internet access](zscaler_internet_access.md)
diff --git a/Extensions/imperva_web_application_firewall.md b/Extensions/Imperva_Web_application_Firewall.md
similarity index 96%
rename from Extensions/imperva_web_application_firewall.md
rename to Extensions/Imperva_Web_application_Firewall.md
index b07900e..287ef21 100644
--- a/Extensions/imperva_web_application_firewall.md
+++ b/Extensions/Imperva_Web_application_Firewall.md
@@ -1,4 +1,4 @@
-imperva web application firewall
+Imperva Web application Firewall
================================
Expression
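Review bot: this rename changes only letter case, `imperva_web_application_firewall.md` to `Imperva_Web_application_Firewall.md`, and the new capitalisation is itself inconsistent (`Web application Firewall`). Every other extension filename and index entry in this diff is lowercase, so a link written in the lowercase form breaks on case-sensitive filesystems, and a case-only rename is easy to lose on case-insensitive checkouts. Suggest keeping the lowercase filename and, if the display title should be capitalised, changing only the heading line.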
diff --git a/Extensions/NG_Analytics.md b/Extensions/NG_Analytics.md
new file mode 100644
index 0000000..1d1382c
--- /dev/null
+++ b/Extensions/NG_Analytics.md
@@ -0,0 +1,34 @@
+NG Analytics
+============
+
+Expression
+----------
+
+product = "NG Analytics"
+
+Fields
+------
+
+There are no fields for this extension.
+
+Activity Types
+--------------
+
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | rule_severity | | | | ✓ |
+| | local_user_name | | | | |
+| | rule | | | | |
+| | rule_usecases | | | ✓ | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | url | | | | |
+| | rule_id | | | | |
+| | rule_type | | | | |
+| | rule_reason | | | | |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | dest_host | Legacy | | ✓ | |
+| | rule_description | | | | |
+| | mitre_labels | | | ✓ | |
+| | operation | | | | |
+| | user | Legacy | | ✓ | |
+
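Review bot: `product = "NG Analytics"` and the filename `NG_Analytics.md` use mixed case, unlike every other expression in this diff (for example `product = "advanced analytics"`), so an exact-match product expression will not fire if the parser emits the lowercase form; confirm the literal value the product field carries. Also, `rule_usecases` is flagged Detection here but Informational in the `advanced analytics` table added further down, and `mitre_labels` is Detection here but Informational there; the same field should carry the same classification across the two new analytics extensions, or the difference should be explained.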
diff --git a/Extensions/access_it_universal.net.md b/Extensions/access_it_universal.net.md
new file mode 100644
index 0000000..97b0ff9
--- /dev/null
+++ b/Extensions/access_it_universal.net.md
@@ -0,0 +1,23 @@
+access it universal.net
+=======================
+
+Expression
+----------
+
+product ="access it universal.net"
+
+Fields
+------
+
+| Field | Core | Detection | Informational |
+| ---------- | ---- | --------- | ------------- |
+| last_name | | | ✓ |
+| first_name | | | ✓ |
+
+Activity Types
+--------------
+
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------------------ | ----- | ------ | ---- | --------- | ------------- |
+| physical_location-access | | | | | |
+
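Review bot: `product ="access it universal.net"` is missing the space after `=`, unlike every other expression in this change, which suggests this entry was edited by hand; worth checking the product value itself while fixing the spacing. The `physical_location-access` row lists no fields while `first_name` and `last_name` are Informational at the extension level; fine if intended, but a line on what the activity type actually carries would help readers of a page that is otherwise empty.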
diff --git a/Extensions/adaxes.md b/Extensions/adaxes.md
index e6b9ce4..907d095 100644
--- a/Extensions/adaxes.md
+++ b/Extensions/adaxes.md
@@ -14,11 +14,12 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | ----------- | ------- | ---- | --------- | ------------- |
-| app-activity | application | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | object | Default | | | ✓ |
-| | target | Default | | | ✓ |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------- | ---- | --------- | ------------- |
+| app-activity | app | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | object | Default | | | ✓ |
+| | target | Default | | | ✓ |
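Review bot: the new `domain_user_name` row has an empty Status and no Core/Detection/Informational mark, while every other row in this table is `Default` with a classification; either classify it (the sibling `user` row is Detection) or state that unclassified rows are intentional, since the same unclassified row is added to many other extensions in this change.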
diff --git a/Extensions/advanced_analytics.md b/Extensions/advanced_analytics.md
new file mode 100644
index 0000000..0188298
--- /dev/null
+++ b/Extensions/advanced_analytics.md
@@ -0,0 +1,45 @@
+advanced analytics
+==================
+
+Expression
+----------
+
+product = "advanced analytics"
+
+Fields
+------
+
+There are no fields for this extension.
+
+Activity Types
+--------------
+
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | trigger_type | | | | |
+| | rule | | | | |
+| | domain_user_name | | | | |
+| | rule_usecases | | | | ✓ |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | trigger_entity | | | | |
+| | rule_description | | | | |
+| | incident_creation_time | | | | |
+| | session_id | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | original_risk_score | | | | |
+| | event_category | | | | |
+| | log_time | | | | |
+| | url | | | | |
+| | rule_id | | | | |
+| | base_risk_score | | | | |
+| | event_id | | | | ✓ |
+| | rule_reason | | | | |
+| | domain | | | | |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | dest_host | Legacy | | ✓ | |
+| | mitre_labels | | | | ✓ |
+| | asset_labels | | | | ✓ |
+| | user | Legacy | | ✓ | |
+| | event_time | | | | ✓ |
+| | container_id | | | | |
+
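Review bot: `original_risk_score`, `base_risk_score`, `trigger_entity` and `trigger_type` have no Status and no classification, although for an `alert-trigger` type the risk scores and the triggering entity are exactly what a detection engineer pivots on, while `event_id`, `mitre_labels` and `asset_labels` are Informational only. Compare the `NG Analytics` table above, where `mitre_labels` and `rule_usecases` are Detection. Suggest aligning the classification of the shared fields across the two new analytics extensions before merging.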
diff --git a/Extensions/airlock_waf.md b/Extensions/airlock_waf.md
new file mode 100644
index 0000000..b38e22c
--- /dev/null
+++ b/Extensions/airlock_waf.md
@@ -0,0 +1,108 @@
+airlock waf
+===========
+
+Expression
+----------
+
+product = "airlock waf"
+
+Fields
+------
+
+| Field | Core | Detection | Informational |
+| ------ | ---- | --------- | ------------- |
+| action | | | ✓ |
+
+Activity Types
+--------------
+
+| Activity Type | Field | Status | Core | Detection | Informational |
+| --------------- | ---------------- | ------- | -------- | --------- | ------------- |
+| app-login | file_path | Default | | | ✓ |
+| | file_name | Default | | | ✓ |
+| | alert_severity | Default | | | ✓ |
+| | file_dir | Default | | | ✓ |
+| | session_id | Default | | | ✓ |
+| | src_port | Default | | | ✓ |
+| | src_ip | Default | | ✓ | |
+| | file_ext | Default | | | ✓ |
+| | event_code | Default | | | ✓ |
+| | bytes | Default | | | ✓ |
+| | dest_ip | Default | | ✓ | |
+| | event_name | Default | | | ✓ |
+| | dest_port | Default | | | ✓ |
+| file-delete | src_port | | | | |
+| | src_ip | | | | |
+| | event_code | | | | |
+| | bytes | | | | |
+| | alert_severity | | | | |
+| | dest_ip | | | | |
+| | domain | | | | |
+| | session_id | | | | |
+| | event_name | | | | |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | dest_port | | | | |
+| file-download | src_port | | | | |
+| | src_ip | | | | |
+| | event_code | | | | |
+| | bytes | Legacy | | ✓ | |
+| | alert_severity | | | | |
+| | dest_ip | | | | |
+| | domain | | | | |
+| | session_id | | | | |
+| | event_name | | | | |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | dest_port | | | | |
+| file-upload | src_port | | | | |
+| | src_ip | | | | |
+| | event_code | | | | |
+| | bytes | | | | |
+| | alert_severity | | | | |
+| | dest_ip | | | | |
+| | domain | | | | |
+| | session_id | | | | |
+| | event_name | | | | |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | dest_port | | | | |
+| file-write | src_port | | | | |
+| | src_ip | | | | |
+| | event_code | | | | |
+| | bytes | Legacy | | ✓ | |
+| | alert_severity | | | | |
+| | dest_ip | | | | |
+| | domain | | | | |
+| | session_id | | | | |
+| | event_name | | | | |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | dest_port | | | | |
+| http-session | additional_info | Default | | | ✓ |
+| | result_code | Default | | | ✓ |
+| network-session | file_path | Default | | | ✓ |
+| | file_ext | Default | | | ✓ |
+| | event_code | Default | | | ✓ |
+| | file_name | Default | | | ✓ |
+| | alert_severity | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | file_dir | Default | | | ✓ |
+| | session_id | Default | | | ✓ |
+| | event_name | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | operation | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| vpn-logout | src_port | | | | |
+| | file_path | | | | |
+| | file_ext | | | | |
+| | event_code | | | | |
+| | bytes | | | | |
+| | file_name | | | | |
+| | alert_severity | | | | |
+| | dest_ip | | | | |
+| | file_dir | | | | |
+| | session_id | | | | |
+| | event_name | | | | |
+| | dest_port | | | | |
+
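Review bot: this new file duplicates `airlock_web_application_firewall.md` (modified later in this diff) row for row, down to the same `user | Legacy | ✓ | ✓` entries under `file-delete`, `file-download`, `file-upload` and `file-write`; two pages for one product will drift apart. If `airlock waf` is a second product string the parser emits, say so in the commit message; otherwise keep one page and add the alternative value to its expression. Note also that in the four `file-*` blocks `src_ip`, `dest_ip` and `session_id` carry no classification at all, which is surprising for a WAF.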
diff --git a/Extensions/airlock_web_application_firewall.md b/Extensions/airlock_web_application_firewall.md
index a4f06ec..9e58afc 100644
--- a/Extensions/airlock_web_application_firewall.md
+++ b/Extensions/airlock_web_application_firewall.md
@@ -16,88 +16,93 @@ Fields
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| --------------- | --------------- | ------- | -------- | --------- | ------------- |
-| app-login | file_path | Default | | | ✓ |
-| | file_name | Default | | | ✓ |
-| | alert_severity | Default | | | ✓ |
-| | file_dir | Default | | | ✓ |
-| | session_id | Default | | | ✓ |
-| | src_port | Default | | | ✓ |
-| | src_ip | Default | | ✓ | |
-| | file_ext | Default | | | ✓ |
-| | event_code | Default | | | ✓ |
-| | bytes | Default | | | ✓ |
-| | dest_ip | Default | | ✓ | |
-| | event_name | Default | | | ✓ |
-| | dest_port | Default | | | ✓ |
-| file-delete | src_port | | | | |
-| | src_ip | | | | |
-| | event_code | | | | |
-| | bytes | | | | |
-| | alert_severity | | | | |
-| | dest_ip | | | | |
-| | domain | | | | |
-| | session_id | | | | |
-| | event_name | | | | |
-| | user | Legacy | ✓ | ✓ | |
-| | dest_port | | | | |
-| file-download | src_port | | | | |
-| | src_ip | | | | |
-| | event_code | | | | |
-| | bytes | Legacy | | ✓ | |
-| | alert_severity | | | | |
-| | dest_ip | | | | |
-| | domain | | | | |
-| | session_id | | | | |
-| | event_name | | | | |
-| | user | Legacy | ✓ | ✓ | |
-| | dest_port | | | | |
-| file-upload | src_port | | | | |
-| | src_ip | | | | |
-| | event_code | | | | |
-| | bytes | | | | |
-| | alert_severity | | | | |
-| | dest_ip | | | | |
-| | domain | | | | |
-| | session_id | | | | |
-| | event_name | | | | |
-| | user | Legacy | ✓ | ✓ | |
-| | dest_port | | | | |
-| file-write | src_port | | | | |
-| | src_ip | | | | |
-| | event_code | | | | |
-| | bytes | Legacy | | ✓ | |
-| | alert_severity | | | | |
-| | dest_ip | | | | |
-| | domain | | | | |
-| | session_id | | | | |
-| | event_name | | | | |
-| | user | Legacy | ✓ | ✓ | |
-| | dest_port | | | | |
-| http-session | additional_info | Default | | | ✓ |
-| | result_code | Default | | | ✓ |
-| network-session | file_path | Default | | | ✓ |
-| | file_ext | Default | | | ✓ |
-| | event_code | Default | | | ✓ |
-| | file_name | Default | | | ✓ |
-| | alert_severity | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | file_dir | Default | | | ✓ |
-| | session_id | Default | | | ✓ |
-| | event_name | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| vpn-logout | src_port | | | | |
-| | file_path | | | | |
-| | file_ext | | | | |
-| | event_code | | | | |
-| | bytes | | | | |
-| | file_name | | | | |
-| | alert_severity | | | | |
-| | dest_ip | | | | |
-| | file_dir | | | | |
-| | session_id | | | | |
-| | event_name | | | | |
-| | dest_port | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| --------------- | ---------------- | ------- | -------- | --------- | ------------- |
+| app-login | file_path | Default | | | ✓ |
+| | file_name | Default | | | ✓ |
+| | alert_severity | Default | | | ✓ |
+| | file_dir | Default | | | ✓ |
+| | session_id | Default | | | ✓ |
+| | src_port | Default | | | ✓ |
+| | src_ip | Default | | ✓ | |
+| | file_ext | Default | | | ✓ |
+| | event_code | Default | | | ✓ |
+| | bytes | Default | | | ✓ |
+| | dest_ip | Default | | ✓ | |
+| | event_name | Default | | | ✓ |
+| | dest_port | Default | | | ✓ |
+| file-delete | src_port | | | | |
+| | src_ip | | | | |
+| | event_code | | | | |
+| | bytes | | | | |
+| | alert_severity | | | | |
+| | dest_ip | | | | |
+| | domain | | | | |
+| | session_id | | | | |
+| | event_name | | | | |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | dest_port | | | | |
+| file-download | src_port | | | | |
+| | src_ip | | | | |
+| | event_code | | | | |
+| | bytes | Legacy | | ✓ | |
+| | alert_severity | | | | |
+| | dest_ip | | | | |
+| | domain | | | | |
+| | session_id | | | | |
+| | event_name | | | | |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | dest_port | | | | |
+| file-upload | src_port | | | | |
+| | src_ip | | | | |
+| | event_code | | | | |
+| | bytes | | | | |
+| | alert_severity | | | | |
+| | dest_ip | | | | |
+| | domain | | | | |
+| | session_id | | | | |
+| | event_name | | | | |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | dest_port | | | | |
+| file-write | src_port | | | | |
+| | src_ip | | | | |
+| | event_code | | | | |
+| | bytes | Legacy | | ✓ | |
+| | alert_severity | | | | |
+| | dest_ip | | | | |
+| | domain | | | | |
+| | session_id | | | | |
+| | event_name | | | | |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | dest_port | | | | |
+| http-session | additional_info | Default | | | ✓ |
+| | result_code | Default | | | ✓ |
+| network-session | file_path | Default | | | ✓ |
+| | file_ext | Default | | | ✓ |
+| | event_code | Default | | | ✓ |
+| | file_name | Default | | | ✓ |
+| | alert_severity | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | file_dir | Default | | | ✓ |
+| | session_id | Default | | | ✓ |
+| | event_name | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | operation | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| vpn-logout | src_port | | | | |
+| | file_path | | | | |
+| | file_ext | | | | |
+| | event_code | | | | |
+| | bytes | | | | |
+| | file_name | | | | |
+| | alert_severity | | | | |
+| | dest_ip | | | | |
+| | file_dir | | | | |
+| | session_id | | | | |
+| | event_name | | | | |
+| | dest_port | | | | |
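Review bot: the whole 88-line table is replaced to add five `domain_user_name` rows, because widening one column rewrites every line, which hides the actual change; the five new rows have no Status and no classification, unlike the surrounding `Default` rows. An identical `airlock_waf.md` is added earlier in this diff; the two pages should not both exist.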
diff --git a/Extensions/amazon_aws_guardduty.md b/Extensions/amazon_aws_guardduty.md
index 79a677c..3266142 100644
--- a/Extensions/amazon_aws_guardduty.md
+++ b/Extensions/amazon_aws_guardduty.md
@@ -16,10 +16,10 @@ Activity Types
| Activity Type | Field | Status | Core | Detection | Informational |
| ------------- | --------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | result | | | | |
+| alert-trigger | app | | | | |
+| | result | | | | |
| | src_ip | Legacy | ✓ | ✓ | |
| | src_port | Legacy | | | ✓ |
-| | application | | | | |
| | additional_info | | | | |
| | alert_id | Legacy | | | ✓ |
| | dest_ip | Legacy | ✓ | ✓ | |
diff --git a/Extensions/anyconnect.md b/Extensions/anyconnect.md
index c4d12a2..846bcc3 100644
--- a/Extensions/anyconnect.md
+++ b/Extensions/anyconnect.md
@@ -4,7 +4,7 @@ anyconnect
Expression
----------
-product = "any connect"
+product = "anyconnect"
Fields
------
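Review bot: changing `product = "any connect"` to `product = "anyconnect"` alters the match expression, not just the documentation; if the parser still emits `any connect`, this extension stops matching. The commit message should say which value is correct and whether the parser was changed in step.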
@@ -16,34 +16,35 @@ Fields
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| --------------- | ---------------------------- | ------- | ---- | --------- | ------------- |
-| network-session | system_manufacturer | Default | | | ✓ |
-| | bytes_in | Default | | | ✓ |
-| | module_hash_names | Default | | | ✓ |
-| | parent_process_name | Default | | | ✓ |
-| | parent_process_hash | Default | | | ✓ |
-| | operating_system_environment | Default | | | ✓ |
-| | operating_system_version | Default | | | ✓ |
-| | bytes_out | Default | | | ✓ |
-| | process_hash | Default | | | ✓ |
-| | virtual_station_name | Default | | | ✓ |
-| | system_type | Default | | | ✓ |
-| | process_name | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | packet_rate | Default | | | ✓ |
-| | operating_system | Default | | | ✓ |
-| | udid | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| vpn-login | src_translated_ip | Default | | | ✓ |
-| | event_code | Default | | | ✓ |
-| | dest_ip | Default | | ✓ | |
-| | operating_system | Default | | | ✓ |
-| | realm | Default | | | ✓ |
-| | priority | Default | | | ✓ |
-| vpn-logout | dest_ip | | | ✓ | |
-| | realm | Legacy | | | ✓ |
-| | src_host | | | ✓ | |
-| | session_duration | Legacy | | ✓ | |
-| | dest_port | | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| --------------- | -------------------- | ------- | ---- | --------- | ------------- |
+| network-session | system_manufacturer | Default | | | ✓ |
+| | os | Default | | | ✓ |
+| | bytes_in | Default | | | ✓ |
+| | module_hash_names | Default | | | ✓ |
+| | parent_process_name | Default | | | ✓ |
+| | parent_process_hash | Default | | | ✓ |
+| | os_version | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | os_environment | Default | | | ✓ |
+| | bytes_out | Default | | | ✓ |
+| | process_hash | Default | | | ✓ |
+| | virtual_station_name | Default | | | ✓ |
+| | system_type | Default | | | ✓ |
+| | process_name | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | packet_rate | Default | | | ✓ |
+| | udid | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| vpn-login | src_translated_ip | Default | | | ✓ |
+| | os | Default | | | ✓ |
+| | event_code | Default | | | ✓ |
+| | dest_ip | Default | | ✓ | |
+| | realm | Default | | | ✓ |
+| | priority | Default | | | ✓ |
+| vpn-logout | dest_ip | | | ✓ | |
+| | realm | Legacy | | | ✓ |
+| | src_host | | | ✓ | |
+| | session_duration | Legacy | | ✓ | |
+| | dest_port | | | ✓ | |
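Review bot: `operating_system`, `operating_system_version` and `operating_system_environment` are renamed to `os`, `os_version` and `os_environment`; these are field-name changes that break any saved search or rule referencing the old names, so they belong in a changelog entry rather than being buried in a full table rewrite (the rows are also reordered, which makes the rename hard to spot). The added `domain_user_name` row again has no Status or classification.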
diff --git a/Extensions/anywhere365.md b/Extensions/anywhere365.md
index 2570680..8c12b58 100644
--- a/Extensions/anywhere365.md
+++ b/Extensions/anywhere365.md
@@ -16,13 +16,14 @@ Fields
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ---------------- | ---------- | ------- | ---- | --------- | ------------- |
-| app-activity | src_ip | Default | | ✓ | |
-| | domain | Default | | | ✓ |
-| | alert_id | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| app-notification | src_ip | Default | | ✓ | |
-| | alert_id | Default | | | ✓ |
-| call-receive | recipients | Default | | | ✓ |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ---------------- | ---------------- | ------- | ---- | --------- | ------------- |
+| app-activity | src_ip | Default | | ✓ | |
+| | domain | Default | | | ✓ |
+| | alert_id | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| app-notification | src_ip | Default | | ✓ | |
+| | alert_id | Default | | | ✓ |
+| call-receive | recipients | Default | | | ✓ |
diff --git a/Extensions/apache_subversion_(svn).md b/Extensions/apache_subversion_(svn).md
index 9b6c6c0..ba1d2b3 100644
--- a/Extensions/apache_subversion_(svn).md
+++ b/Extensions/apache_subversion_(svn).md
@@ -17,7 +17,7 @@ Activity Types
| Activity Type | Field | Status | Core | Detection | Informational |
| ------------- | --------------- | ------- | ---- | --------- | ------------- |
| http-request | result | Default | | | ✓ |
-| | application | Default | | | ✓ |
+| | app | Default | | | ✓ |
| | additional_info | Default | | | ✓ |
| | bytes | Default | | | ✓ |
| | domain | Default | | | ✓ |
diff --git a/Extensions/apc.md b/Extensions/apc.md
index 926e1b8..9a427f7 100644
--- a/Extensions/apc.md
+++ b/Extensions/apc.md
@@ -4,7 +4,7 @@ apc
Expression
----------
-product = apc
+product = "apc"
Fields
------
@@ -14,8 +14,7 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| -------------- | ------ | ------- | -------- | --------- | ------------- |
-| alert-trigger | src_ip | Legacy | ✓ | ✓ | |
-| endpoint-login | src_ip | Default | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| -------------- | ------ | ------- | ---- | --------- | ------------- |
+| endpoint-login | src_ip | Default | | ✓ | |
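Review bot: the `alert-trigger | src_ip | Legacy | ✓ | ✓` row is removed from `apc` with no explanation, leaving only `endpoint-login`; dropping an activity type is a breaking change for content keyed on it, so the commit message should state whether the parser no longer emits `alert-trigger` for this product or the row was wrong to begin with.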
diff --git a/Extensions/appsense_application_manager.md b/Extensions/appsense_application_manager.md
index b1cce6c..45e8580 100644
--- a/Extensions/appsense_application_manager.md
+++ b/Extensions/appsense_application_manager.md
@@ -14,16 +14,17 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | -------------- | ------ | ---- | --------- | ------------- |
-| alert-trigger | account_id | | | | |
-| | process_name | Legacy | | ✓ | |
-| | domain | | | | |
-| | hash_md5 | | | | |
-| | user_sid | | | | |
-| | dest_host | Legacy | | ✓ | |
-| | process_dir | | | | |
-| | process_path | Legacy | | ✓ | |
-| | user | Legacy | | ✓ | |
-| | process_vendor | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------ | ---- | --------- | ------------- |
+| alert-trigger | account_id | | | | |
+| | process_name | Legacy | | ✓ | |
+| | domain | | | | |
+| | hash_md5 | | | | |
+| | user_sid | | | | |
+| | dest_host | Legacy | | ✓ | |
+| | process_dir | | | | |
+| | domain_user_name | | | | |
+| | process_path | Legacy | | ✓ | |
+| | user | Legacy | | ✓ | |
+| | process_vendor | | | | |
diff --git a/Extensions/aruba_clearpass_policy_manager.md b/Extensions/aruba_clearpass_policy_manager.md
index b2c29ba..92ab1a2 100644
--- a/Extensions/aruba_clearpass_policy_manager.md
+++ b/Extensions/aruba_clearpass_policy_manager.md
@@ -9,11 +9,11 @@ product = "aruba clearpass policy manager"
Fields
------
-| Field | Core | Detection | Informational |
-| ------------------- | ---- | --------- | ------------- |
-| src_ip | | | ✓ |
-| dest_ip | | ✓ | |
-| authentication_type | | | ✓ |
+| Field | Core | Detection | Informational |
+| --------- | ---- | --------- | ------------- |
+| src_ip | | | ✓ |
+| auth_type | | | ✓ |
+| dest_ip | | ✓ | |
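Review bot: `authentication_type` is renamed to `auth_type` (the same rename appears in `aruba_mobility_master.md` below); this is a user-visible field-name change and should be called out explicitly. The Fields table is also reordered as a side effect, which makes the hunk harder to read than a one-word rename warrants.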
Activity Types
--------------
diff --git a/Extensions/aruba_mobility_master.md b/Extensions/aruba_mobility_master.md
index 5f27300..d7c8f96 100644
--- a/Extensions/aruba_mobility_master.md
+++ b/Extensions/aruba_mobility_master.md
@@ -14,19 +14,19 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ----------------------- | ------------------- | ------- | ---- | --------- | ------------- |
-| endpoint-authentication | src_ip | Default | | ✓ | |
-| | src_port | Default | | | ✓ |
-| | src_mac | Default | | | ✓ |
-| | dest_ip | Default | | ✓ | |
-| | auth_server | Default | | | ✓ |
-| | dest_port | Default | | | ✓ |
-| endpoint-login | src_ip | Default | | ✓ | |
-| | src_port | Default | | | ✓ |
-| | src_mac | Default | | | ✓ |
-| | dest_ip | Default | | ✓ | |
-| | authentication_type | Default | | | ✓ |
-| | auth_server | Default | | | ✓ |
-| | dest_port | Default | | | ✓ |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ----------------------- | ----------- | ------- | ---- | --------- | ------------- |
+| endpoint-authentication | src_ip | Default | | ✓ | |
+| | src_port | Default | | | ✓ |
+| | src_mac | Default | | | ✓ |
+| | dest_ip | Default | | ✓ | |
+| | auth_server | Default | | | ✓ |
+| | dest_port | Default | | | ✓ |
+| endpoint-login | src_ip | Default | | ✓ | |
+| | src_port | Default | | | ✓ |
+| | src_mac | Default | | | ✓ |
+| | auth_type | Default | | | ✓ |
+| | dest_ip | Default | | ✓ | |
+| | auth_server | Default | | | ✓ |
+| | dest_port | Default | | | ✓ |
diff --git a/Extensions/aruba_network_mobility_controller.md b/Extensions/aruba_network_mobility_controller.md
index e5f0eaa..5dbc2cd 100644
--- a/Extensions/aruba_network_mobility_controller.md
+++ b/Extensions/aruba_network_mobility_controller.md
@@ -14,18 +14,19 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | ----------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | result | | | | |
-| | src_ip | Legacy | ✓ | ✓ | |
-| | file_path | Legacy | | | ✓ |
-| | file_ext | | | | |
-| | application | | | | |
-| | event_code | | | | |
-| | file_name | Legacy | ✓ | | |
-| | alert_id | Legacy | | | ✓ |
-| | file_dir | Legacy | | | ✓ |
-| | action | Legacy | | | ✓ |
-| | src_host | Legacy | ✓ | ✓ | |
-| | user | Legacy | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | --------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | app | | | | |
+| | file_path | Legacy | | | ✓ |
+| | file_name | Legacy | ✓ | | |
+| | file_dir | Legacy | | | ✓ |
+| | local_user_name | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | result | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | file_ext | | | | |
+| | event_code | | | | |
+| | alert_id | Legacy | | | ✓ |
+| | action | Legacy | | | ✓ |
+| | user | Legacy | | ✓ | |
diff --git a/Extensions/assetview.md b/Extensions/assetview.md
index c8e7502..758ea81 100644
--- a/Extensions/assetview.md
+++ b/Extensions/assetview.md
@@ -9,10 +9,11 @@ product = "assetview"
Fields
------
-| Field | Core | Detection | Informational |
-| ------ | -------- | --------- | ------------- |
-| domain | | | ✓ |
-| user | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| domain | | | ✓ |
+| domain_user_name | | | |
+| user | ✓ | ✓ | |
Activity Types
--------------
diff --git a/Extensions/atlassian_bitbucket.md b/Extensions/atlassian_bitbucket.md
index 88a1392..08376a2 100644
--- a/Extensions/atlassian_bitbucket.md
+++ b/Extensions/atlassian_bitbucket.md
@@ -9,10 +9,11 @@ product = "atlassian bitbucket"
Fields
------
-| Field | Core | Detection | Informational |
-| ------ | -------- | --------- | ------------- |
-| domain | | | ✓ |
-| user | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| domain | | | ✓ |
+| domain_user_name | | | |
+| user | ✓ | ✓ | |
Activity Types
--------------
diff --git a/Extensions/audit_log.md b/Extensions/audit_log.md
new file mode 100644
index 0000000..5798386
--- /dev/null
+++ b/Extensions/audit_log.md
@@ -0,0 +1,118 @@
+audit log
+=========
+
+Expression
+----------
+
+product = "audit log"
+
+Fields
+------
+
+There are no fields for this extension.
+
+Activity Types
+--------------
+
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ------------- | ------ | -------- | --------- | ------------- |
+| alert-create | app | | | | |
+| | src_ip | | | | |
+| | email_address | | | | |
+| | method | | | | |
+| | object_name | | | | |
+| | old_value | | ✓ | | |
+| | object_id | | | | |
+| | operation | | | | |
+| | user | | | | |
+| | new_value | | ✓ | | |
+| | url | | | | |
+| alert-delete | app | | | | |
+| | src_ip | | | | |
+| | email_address | | | | |
+| | method | | | | |
+| | object_name | | | | |
+| | old_value | | ✓ | | |
+| | object_id | | | | |
+| | operation | | | | |
+| | user | | | | |
+| | new_value | | ✓ | | |
+| | url | | | | |
+| alert-modify | app | | | | |
+| | src_ip | | | | |
+| | email_address | | | | |
+| | method | | | | |
+| | object_name | | | | |
+| | old_value | | ✓ | | |
+| | object_id | | | | |
+| | operation | | | | |
+| | user | | | | |
+| | new_value | | ✓ | | |
+| | url | | | | |
+| alert-read | app | | | | |
+| | src_ip | | | | |
+| | email_address | | | | |
+| | method | | | | |
+| | object_name | | | | |
+| | old_value | | ✓ | | |
+| | object_id | | | | |
+| | operation | | | | |
+| | user | | | | |
+| | new_value | | ✓ | | |
+| | url | | | | |
+| app-activity | app | | | | |
+| | src_ip | | | | |
+| | email_address | | | | |
+| | method | | | | |
+| | object_name | | | | |
+| | old_value | | ✓ | | |
+| | object_id | | | | |
+| | operation | | | | |
+| | user | | | | |
+| | new_value | | ✓ | | |
+| | url | | | | |
+| case-create | app | | | | |
+| | src_ip | | | | |
+| | email_address | | | | |
+| | method | | | | |
+| | object_name | | | | |
+| | old_value | | ✓ | | |
+| | object_id | | | | |
+| | operation | | | | |
+| | user | | | | |
+| | new_value | | ✓ | | |
+| | url | | | | |
+| case-delete | app | | | | |
+| | src_ip | | | | |
+| | email_address | | | | |
+| | method | | | | |
+| | object_name | | | | |
+| | old_value | | ✓ | | |
+| | object_id | | | | |
+| | operation | | | | |
+| | user | | | | |
+| | new_value | | ✓ | | |
+| | url | | | | |
+| case-modify | app | | | | |
+| | src_ip | | | | |
+| | email_address | | | | |
+| | method | | | | |
+| | object_name | | | | |
+| | old_value | | ✓ | | |
+| | object_id | | | | |
+| | operation | | | | |
+| | user | | | | |
+| | new_value | | ✓ | | |
+| | url | | | | |
+| case-read | app | | | | |
+| | src_ip | | | | |
+| | email_address | | | | |
+| | method | | | | |
+| | object_name | | | | |
+| | old_value | | ✓ | | |
+| | object_id | | | | |
+| | operation | | | | |
+| | user | | | | |
+| | new_value | | ✓ | | |
+| | url | | | | |
+
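Review bot: all nine activity types carry the identical eleven-field block, and `old_value` and `new_value` are marked Core even for `alert-read` and `case-read`, where a read produces no before/after values; `user` has no classification at all, although it is Core or Detection in nearly every other table in this diff. Suggest marking `user` (and probably `src_ip`) for detection and dropping the Core flag from the value fields on the read types, or explaining why read events carry them.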
diff --git a/Extensions/auditbeat.md b/Extensions/auditbeat.md
index 4011382..d3a4236 100644
--- a/Extensions/auditbeat.md
+++ b/Extensions/auditbeat.md
@@ -20,11 +20,13 @@ Activity Types
| | process_id | Default | | | ✓ |
| | syscall | Default | | | ✓ |
| | operation_type | Default | | | ✓ |
+| | os | Default | | | ✓ |
+| | domain_user_name | | | | |
| | process_command_line | Default | | | ✓ |
+| | account_user_name | | | | |
| | group_id | Default | | | ✓ |
| | process_name | Default | | | ✓ |
| | domain | Default | | | ✓ |
-| | operating_system | Default | | | ✓ |
| | process_path | Default | | | ✓ |
| | tag | Default | | | ✓ |
| | user | Default | ✓ | ✓ | |
@@ -36,6 +38,7 @@ Activity Types
| | process_name | Default | | | ✓ |
| | domain | Default | | | ✓ |
| | process_dir | Default | | | ✓ |
+| | domain_user_name | | | | |
| | process_path | Default | | | ✓ |
| | user | Default | | ✓ | |
| | direction | Default | | | ✓ |
@@ -43,13 +46,14 @@ Activity Types
| | additional_info | Default | | | ✓ |
| | domain | Default | | | ✓ |
| | hash_md5 | Default | | | ✓ |
+| | domain_user_name | | | | |
| | user | Default | | ✓ | |
| process-modify | result | Default | | | ✓ |
+| | app | Default | | | ✓ |
| | audit_id | Default | | | ✓ |
+| | os | Default | | | ✓ |
| | operation_type | Default | | | ✓ |
-| | application | Default | | | ✓ |
| | group_id | Default | | | ✓ |
-| | operating_system | Default | | | ✓ |
| | event_category | Default | | | ✓ |
| | user | Default | | ✓ | |
| | operation | Default | | | ✓ |
diff --git a/Extensions/auth0.md b/Extensions/auth0.md
index 43909d8..89f7072 100644
--- a/Extensions/auth0.md
+++ b/Extensions/auth0.md
@@ -4,24 +4,32 @@ auth0
Expression
----------
-product = "auth0"
+product = auth0
Fields
------
-| Field | Core | Detection | Informational |
-| --------------- | -------- | --------- | ------------- |
-| src_ip | | ✓ | |
-| additional_info | | | ✓ |
-| domain | | | ✓ |
-| user | ✓ | ✓ | |
-| user_agent | | | ✓ |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| src_ip | | ✓ | |
+| additional_info | | | ✓ |
+| domain | | | ✓ |
+| domain_user_name | | | |
+| user | ✓ | ✓ | |
+| user_agent | | | ✓ |
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| -------------------- | ----- | ------ | ---- | --------- | ------------- |
-| app-login | | | | | |
-| user-password-modify | | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| -------------------- | --------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | app | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | auth_type | | | | |
+| | email_address | | | | |
+| | additional_info | | | | |
+| | domain | | | | |
+| | user_agent | | | | |
+| app-login | | | | | |
+| user-password-modify | | | | | |
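Review bot: `product = "auth0"` becomes `product = auth0`, removing the quotes, which is the opposite of the `apc` fix earlier in this diff (`product = apc` to `product = "apc"`); one of the two is a regression, and since every other expression in the change is quoted this one looks like the wrong direction. The new `alert-trigger` block also adds `auth_type` and `email_address` with no Status or classification, so a reader cannot tell whether they are expected on every alert.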
diff --git a/Extensions/aviglion_acm.md b/Extensions/aviglion_acm.md
new file mode 100644
index 0000000..bac74b8
--- /dev/null
+++ b/Extensions/aviglion_acm.md
@@ -0,0 +1,25 @@
+aviglion acm
+============
+
+Expression
+----------
+
+product = "aviglion acm"
+
+Fields
+------
+
+| Field | Core | Detection | Informational |
+| ----------------- | ---- | --------- | ------------- |
+| location_building | | | ✓ |
+| last_name | | | ✓ |
+| category | | | ✓ |
+| first_name | | | ✓ |
+
+Activity Types
+--------------
+
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------------------ | ----- | ------ | ---- | --------- | ------------- |
+| physical_location-access | | | | | |
+
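Review bot: `aviglion acm` looks like a transposition of Avigilon, the vendor of the ACM access-control product; because `product = "aviglion acm"` is an exact-match expression, a misspelling here means the extension never matches unless the parser emits the same misspelling. Verify the literal value before merging, and if it really is `aviglion`, add a note so nobody 'corrects' it later.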
diff --git a/Extensions/aws_cloudtrail.md b/Extensions/aws_cloudtrail.md
index b327042..f740fd1 100644
--- a/Extensions/aws_cloudtrail.md
+++ b/Extensions/aws_cloudtrail.md
@@ -9,24 +9,25 @@ product = "aws cloudtrail"
Fields
------
-| Field | Core | Detection | Informational |
-| -------------- | ---- | --------- | ------------- |
-| service_name | | ✓ | |
-| aws_account | | ✓ | |
-| vpc | | | ✓ |
-| mfa | | ✓ | |
-| user_arn | | | ✓ |
-| src_host | | | ✓ |
-| event_category | | ✓ | |
-| principal_id | | | ✓ |
-| src_ip | | ✓ | |
-| user_type | | ✓ | |
-| readonly | | ✓ | |
-| domain | | | ✓ |
-| region | | ✓ | |
-| operation | | ✓ | |
-| user | | ✓ | |
-| user_agent | | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| service_name | | ✓ | |
+| aws_account | | ✓ | |
+| vpc | | | ✓ |
+| mfa | | ✓ | |
+| domain_user_name | | | |
+| user_arn | | | ✓ |
+| src_host | | | ✓ |
+| event_category | | ✓ | |
+| principal_id | | | ✓ |
+| src_ip | | ✓ | |
+| user_type | | ✓ | |
+| readonly | | ✓ | |
+| domain | | | ✓ |
+| region | | ✓ | |
+| operation | | ✓ | |
+| user | | ✓ | |
+| user_agent | | ✓ | |
Activity Types
--------------
diff --git a/Extensions/axway_sftp.md b/Extensions/axway_sftp.md
index 110490b..628a09d 100644
--- a/Extensions/axway_sftp.md
+++ b/Extensions/axway_sftp.md
@@ -9,23 +9,24 @@ product = "axway sftp"
Fields
------
-| Field | Core | Detection | Informational |
-| ---------- | -------- | --------- | ------------- |
-| src_ip | | ✓ | |
-| user_dn | | | ✓ |
-| dest_ip | | ✓ | |
-| domain | | | ✓ |
-| event_name | | | ✓ |
-| user | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| src_ip | | ✓ | |
+| user_dn | | | ✓ |
+| dest_ip | | ✓ | |
+| domain | | | ✓ |
+| event_name | | | ✓ |
+| domain_user_name | | | |
+| user | ✓ | ✓ | |
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------------ | ---------------------- | ------- | ---- | --------- | ------------- |
-| app-authentication | src_ip | Default | | ✓ | |
-| | src_port | Default | | | ✓ |
-| | auth_method | Default | | | ✓ |
-| endpoint-login | authentication_package | Default | | | ✓ |
-| file-upload | | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------------ | ------------ | ------- | ---- | --------- | ------------- |
+| app-authentication | src_ip | Default | | ✓ | |
+| | src_port | Default | | | ✓ |
+| | auth_method | Default | | | ✓ |
+| endpoint-login | auth_package | Default | | | ✓ |
+| file-upload | | | | | |
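Review bot: the endpoint-login field is renamed from `authentication_package` to `auth_package` (`| endpoint-login | auth_package | Default | | | ✓ |`). A rename of a documented field name breaks any rule or saved search that references the old name, so the commit should list every field renamed in this change and its replacement; nothing in the hunk marks the old name as deprecated. The `domain_user_name` row added to the Fields table is again unclassified, and the rest of the hunk is a column-width reflow rather than a content change.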
diff --git a/Extensions/azure_activity_log.md b/Extensions/azure_activity_log.md
index 4b34e7c..31fbb18 100644
--- a/Extensions/azure_activity_log.md
+++ b/Extensions/azure_activity_log.md
@@ -15,6 +15,7 @@ Fields
| resource | | ✓ | |
| service_name | | ✓ | |
| resource_type | | | ✓ |
+| domain_user_name | | | |
| operation_first | | | ✓ |
| event_category | | | ✓ |
| src_ip | | ✓ | |
@@ -35,50 +36,50 @@ Fields
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ---------------------- | --------------------- | ------- | ---- | --------- | ------------- |
-| bucket-write | | | | | |
-| disk-read | | | | | |
-| disk-write | src_resource | Default | | | ✓ |
-| | disk_state | Default | | | ✓ |
-| | operating_system_type | Default | | | ✓ |
-| | dest_host | Default | | ✓ | |
-| | disk_size | Default | | | ✓ |
-| | resource_name | Default | | | ✓ |
-| | region | Default | | | ✓ |
-| | src_resource_type | Default | | | ✓ |
-| endpoint-command | | | | | |
-| endpoint-key-write | key_name | Default | | | ✓ |
-| endpoint-write | image_name | Default | | | ✓ |
-| | instance_id | Default | | | ✓ |
-| | interface_id | Default | | | ✓ |
-| | image_publisher | Default | | | ✓ |
-| | os_admin | Default | | | ✓ |
-| | image_release | Default | | | ✓ |
-| | operating_system_type | Default | | | ✓ |
-| | vm_size | Default | | | ✓ |
-| | resource_name | Default | | | ✓ |
-| | region | Default | | | ✓ |
-| | image_version | Default | | | ✓ |
-| | src_resource_type | Default | | | ✓ |
-| image-write | src_resource | Default | | | ✓ |
-| | operating_system_type | Default | | | ✓ |
-| | resource_name | Default | | | ✓ |
-| | region | Default | | | ✓ |
-| role-write | role | Default | | | ✓ |
-| | assignble_scope | Default | | | ✓ |
-| | allowed_data_actions | Default | | | ✓ |
-| | role_definition | Default | | | ✓ |
-| | description | Default | | | ✓ |
-| | allowed_permissions | Default | | | ✓ |
-| | denied_data_actions | Default | | | ✓ |
-| snapshot-read | | | | | |
-| snapshot-write | src_resource | Default | | | ✓ |
-| | operating_system_type | Default | | | ✓ |
-| | region | Default | | | ✓ |
-| | src_resource_type | Default | | | ✓ |
-| user-permission-modify | assignment_id | | | | |
-| | role_definition_id | | | | |
-| | principal_type | | | | |
-| | principal_id | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ---------------------- | -------------------- | ------- | ---- | --------- | ------------- |
+| bucket-write | | | | | |
+| disk-read | | | | | |
+| disk-write | src_resource | Default | | | ✓ |
+| | disk_state | Default | | | ✓ |
+| | os_type | Default | | | ✓ |
+| | dest_host | Default | | ✓ | |
+| | disk_size | Default | | | ✓ |
+| | resource_name | Default | | | ✓ |
+| | region | Default | | | ✓ |
+| | src_resource_type | Default | | | ✓ |
+| endpoint-command | | | | | |
+| endpoint-key-write | key_name | Default | | | ✓ |
+| endpoint-write | image_name | Default | | | ✓ |
+| | instance_id | Default | | | ✓ |
+| | interface_id | Default | | | ✓ |
+| | image_publisher | Default | | | ✓ |
+| | os_admin | Default | | | ✓ |
+| | image_release | Default | | | ✓ |
+| | os_type | Default | | | ✓ |
+| | vm_size | Default | | | ✓ |
+| | resource_name | Default | | | ✓ |
+| | region | Default | | | ✓ |
+| | image_version | Default | | | ✓ |
+| | src_resource_type | Default | | | ✓ |
+| image-write | src_resource | Default | | | ✓ |
+| | os_type | Default | | | ✓ |
+| | resource_name | Default | | | ✓ |
+| | region | Default | | | ✓ |
+| role-write | role | Default | | | ✓ |
+| | assignble_scope | Default | | | ✓ |
+| | allowed_data_actions | Default | | | ✓ |
+| | role_definition | Default | | | ✓ |
+| | description | Default | | | ✓ |
+| | allowed_permissions | Default | | | ✓ |
+| | denied_data_actions | Default | | | ✓ |
+| snapshot-read | | | | | |
+| snapshot-write | src_resource | Default | | | ✓ |
+| | os_type | Default | | | ✓ |
+| | region | Default | | | ✓ |
+| | src_resource_type | Default | | | ✓ |
+| user-permission-modify | assignment_id | | | | |
+| | role_definition_id | | | | |
+| | principal_type | | | | |
+| | principal_id | | | | |
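Review bot: `assignble_scope` under role-write (`| | assignble_scope | Default | | | ✓ |`) is carried over unchanged into the rewritten table. If this is meant to be the documented field name it is a typo for `assignable_scope` and this full-table rewrite is the place to fix it; if the parser genuinely emits `assignble_scope`, add a comment saying so. Beyond that the hunk only renames `operating_system_type` to `os_type` in four rows, so the 45-line replacement is a column reflow for a four-row rename, and the user-permission-modify rows (`assignment_id`, `role_definition_id`, `principal_type`, `principal_id`) still have neither Status nor classification.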
diff --git a/Extensions/azure_resource_log_(blob_storage).md b/Extensions/azure_resource_log_(blob_storage).md
index 243033a..1ba92ac 100644
--- a/Extensions/azure_resource_log_(blob_storage).md
+++ b/Extensions/azure_resource_log_(blob_storage).md
@@ -9,30 +9,31 @@ product = "azure resource log (blob storage)"
Fields
------
-| Field | Core | Detection | Informational |
-| ------------------- | ---- | --------- | ------------- |
-| tenant_id | | | ✓ |
-| operation_version | | | ✓ |
-| operation_type | | | ✓ |
-| bytes_in | | ✓ | |
-| event_category | | | ✓ |
-| authentication_type | | | ✓ |
-| url | | | ✓ |
-| result | | | ✓ |
-| src_ip | | ✓ | |
-| schema_version | | | ✓ |
-| referrer | | | ✓ |
-| time_modified | | | ✓ |
-| protocol | | | ✓ |
-| bytes_out | | ✓ | |
-| domain | | | ✓ |
-| correlation_id | | | ✓ |
-| result_code | | | ✓ |
-| storage_account | | ✓ | |
-| region | | ✓ | |
-| operation | | ✓ | |
-| user | | ✓ | |
-| user_agent | | ✓ | |
+| Field | Core | Detection | Informational |
+| ----------------- | ---- | --------- | ------------- |
+| tenant_id | | | ✓ |
+| auth_type | | | ✓ |
+| operation_version | | | ✓ |
+| operation_type | | | ✓ |
+| bytes_in | | ✓ | |
+| domain_user_name | | | |
+| event_category | | | ✓ |
+| url | | | ✓ |
+| result | | | ✓ |
+| src_ip | | ✓ | |
+| schema_version | | | ✓ |
+| referrer | | | ✓ |
+| time_modified | | | ✓ |
+| protocol | | | ✓ |
+| bytes_out | | ✓ | |
+| domain | | | ✓ |
+| correlation_id | | | ✓ |
+| result_code | | | ✓ |
+| storage_account | | ✓ | |
+| region | | ✓ | |
+| operation | | ✓ | |
+| user | | ✓ | |
+| user_agent | | ✓ | |
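Review bot: `authentication_type` is renamed to `auth_type` and moved from the middle of the table to the second row, which is why git shows the whole Fields table as replaced rather than a one-line rename. Keep the renamed row where it was so the change is reviewable, and note the rename in the commit message since it changes a documented field name. The inserted `| domain_user_name | | | |` row again has no classification.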
Activity Types
--------------
diff --git a/Extensions/beyondtrust.md b/Extensions/beyondtrust.md
index 74decff..df7d357 100644
--- a/Extensions/beyondtrust.md
+++ b/Extensions/beyondtrust.md
@@ -14,48 +14,52 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ---------------------- | ----------------- | ------- | -------- | --------- | ------------- |
-| app-activity | src_ip | Default | | ✓ | |
-| | application | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | dest_domain | Default | | | ✓ |
-| | event_name | Default | | | ✓ |
-| | dest_user | Default | | ✓ | |
-| | user | Default | ✓ | ✓ | |
-| | object | Default | | | ✓ |
-| app-login | result | Default | | | ✓ |
-| | src_ip | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| password-create | account_domain | Default | | | ✓ |
-| | application | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | dest_host | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | account | Default | | ✓ | |
-| | object | Default | | | ✓ |
-| user-permission-modify | src_user | | | | |
-| | session_id | | | | |
-| | src_host | Legacy | | | ✓ |
-| | src_port | | | | |
-| | src_ip | | | | |
-| | full_name | | | | |
-| | email_user | | | | |
-| | application | | | | |
-| | additional_info | | | | |
-| | dest_ip | | | | |
-| | operating_system | | | | |
-| | dest_host | Legacy | | | ✓ |
-| | event_name | | | | |
-| | operation | | | | |
-| | dest_port | | | | |
-| user-switch | src_ip | | | | |
-| | event_code | | | | |
-| | dest_service_name | | | | |
-| | dest_host | | | | |
-| | event_name | | | | |
-| | safe_value | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ---------------------- | --------------------- | ------- | -------- | --------- | ------------- |
+| app-activity | src_ip | Default | | ✓ | |
+| | app | Default | | | ✓ |
+| | dest_domain_user_name | | | | |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | dest_domain | Default | | | ✓ |
+| | event_name | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | dest_user | Default | | ✓ | |
+| | user | Default | ✓ | ✓ | |
+| | object | Default | | | ✓ |
+| app-login | result | Default | | | ✓ |
+| | src_ip | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| endpoint-login | user_info | Default | | | ✓ |
+| password-create | app | Default | | | ✓ |
+| | account_user_name | | | | |
+| | account_domain | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | dest_host | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | account | Default | | ✓ | |
+| | object | Default | | | ✓ |
+| user-permission-modify | app | | | | |
+| | os | | | | |
+| | src_user | | | | |
+| | session_id | | | | |
+| | src_host | Legacy | | | ✓ |
+| | src_port | | | | |
+| | src_ip | | | | |
+| | full_name | | | | |
+| | email_user | | | | |
+| | additional_info | | | | |
+| | dest_ip | | | | |
+| | dest_host | Legacy | | | ✓ |
+| | event_name | | | | |
+| | operation | | | | |
+| | dest_port | | | | |
+| user-switch | src_ip | | | | |
+| | event_code | | | | |
+| | dest_service_name | | | | |
+| | dest_host | | | | |
+| | event_name | | | | |
+| | safe_value | | | | |
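Review bot: three new user-name rows (`dest_domain_user_name` and `domain_user_name` under app-activity, `account_user_name` under password-create) are inserted between rows that all carry `Default` status, with no Status and no classification, so they read as accidental leftovers; give them a status or document the empty convention. A new activity type also appears with a single field, `| endpoint-login | user_info | Default | | | ✓ |`; confirm this source really emits endpoint logins. Finally, the `application` → `app` and `operating_system` → `os` renames in user-permission-modify drop the old rows from their original positions and add the new ones at the top of the block, which changes row order for no functional reason.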
diff --git a/Extensions/bitdefender_gravityzone.md b/Extensions/bitdefender_gravityzone.md
index 8bdc08f..c429f90 100644
--- a/Extensions/bitdefender_gravityzone.md
+++ b/Extensions/bitdefender_gravityzone.md
@@ -21,6 +21,7 @@ Activity Types
| | method | | | | |
| | count | | | | |
| | detection_level | | | | |
+| | domain_user_name | | | | |
| | suid | | | | |
| | url | | | | |
| | result | | | | |
diff --git a/Extensions/bitglass_casb.md b/Extensions/bitglass_casb.md
index 9c95534..c53d2ee 100644
--- a/Extensions/bitglass_casb.md
+++ b/Extensions/bitglass_casb.md
@@ -9,17 +9,39 @@ product = "bitglass casb"
Fields
------
-There are no fields for this extension.
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| os | | ✓ | |
+| domain | | ✓ | |
+| domain_user_name | | | |
+| user | ✓ | ✓ | |
+| user_agent | | ✓ | |
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | file_ext | | | | |
-| | additional_info | | | | |
-| | file_name | Legacy | ✓ | | |
-| | process_name | Legacy | | ✓ | |
-| | user | Legacy | | ✓ | |
-| | target | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | --------------- | ------- | -------- | --------- | ------------- |
+| alert-trigger | file_ext | | | | |
+| | additional_info | | | | |
+| | file_name | Legacy | ✓ | | |
+| | process_name | Legacy | | ✓ | |
+| | user | Legacy | | ✓ | |
+| | target | | | | |
+| app-login | src_ip | Default | | ✓ | |
+| | additional_info | Default | | | ✓ |
+| | dest_ip | Default | | ✓ | |
+| | event_name | Default | | | ✓ |
+| | user_group_name | Default | | | ✓ |
+| email-send | src_ip | Default | | ✓ | |
+| file-download | additional_info | | | | ✓ |
+| | dest_ip | | | ✓ | |
+| | event_name | | | | ✓ |
+| | user_group_name | | | ✓ | |
+| file-read | src_ip | | | ✓ | |
+| | file_url | | | ✓ | |
+| | access | Legacy | | ✓ | |
+| file-write | src_ip | | | ✓ | |
+| | file_url | | | ✓ | |
+| | access | Legacy | | ✓ | |
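Review bot: the Status column is inconsistent within the newly added rows: app-login and email-send rows are `Default`, but the file-download, file-read and file-write rows carry classification marks with an empty Status (for example `| file-download | additional_info | | | | ✓ |`), except `access`, which is `Legacy`. If an empty Status means Default, say so; otherwise fill it in. Also, the new Fields table marks `user` as both Core and Detection, while the existing alert-trigger row `| | user | Legacy | | ✓ | |` marks it Detection only; confirm both are intended.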
diff --git a/Extensions/blackberry_protect.md b/Extensions/blackberry_protect.md
index 8793387..21e5339 100644
--- a/Extensions/blackberry_protect.md
+++ b/Extensions/blackberry_protect.md
@@ -4,7 +4,7 @@ blackberry protect
Expression
----------
-product = "blackberry protect"
+product = blackberry protect
Fields
------
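Review bot: the quotes are removed from the expression (`product = blackberry protect`), but every other extension in this diff keeps the quoted form `product = "..."`, and this value contains a space. Unless the expression grammar accepts unquoted multi-word values, this is a generator regression that will stop the extension from matching; restore the quotes.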
@@ -14,33 +14,37 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------- | -------- | --------- | ------------- |
-| alert-trigger | file_path | Legacy | | | ✓ |
-| | process_id | | | | |
-| | device_id | | | | |
-| | name_at | | | | |
-| | group_name | | | | |
-| | file_name | Legacy | ✓ | | |
-| | file_dir | Legacy | | | ✓ |
-| | device_type | | | | |
-| | process_dir | | | | |
-| | src_host | Legacy | ✓ | ✓ | |
-| | result | | | | |
-| | hash_sha256 | | | | |
-| | file_ext | | | | |
-| | file_hash | Legacy | | | ✓ |
-| | additional_info | | | | |
-| | old_hash | | | | |
-| | process_name | Legacy | | ✓ | |
-| | domain | | | | |
-| | alert_id | Legacy | | | ✓ |
-| | process_path | Legacy | | ✓ | |
-| | hash_sha256_at | | | | |
-| | user | Legacy | | ✓ | |
-| | hash_type | | | | |
-| app-activity | src_ip | Default | | ✓ | |
-| | login_type | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | object | Default | | | ✓ |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------- | -------- | --------- | ------------- |
+| alert-trigger | file_path | Legacy | | | ✓ |
+| | process_id | | | | |
+| | name_at | | | | |
+| | domain_user_name | | | | |
+| | device_type | | | | |
+| | result | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | process_name | Legacy | | ✓ | |
+| | hash_md5 | | | | |
+| | alert_id | Legacy | | | ✓ |
+| | hash_sha256_at | | | | |
+| | device_id | | | | |
+| | group_name | | | | |
+| | file_name | Legacy | ✓ | | |
+| | file_dir | Legacy | | | ✓ |
+| | process_dir | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | hash_sha256 | | | | |
+| | file_ext | | | | |
+| | file_hash | Legacy | | | ✓ |
+| | additional_info | | | | |
+| | old_hash | | | | |
+| | domain | | | | |
+| | malware_url | | | | |
+| | process_path | Legacy | | ✓ | |
+| | user | Legacy | | ✓ | |
+| | hash_type | | | | |
+| app-activity | src_ip | Default | | ✓ | |
+| | login_type | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | object | Default | | | ✓ |
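Review bot: the alert-trigger block gains `src_ip` marked `Legacy | ✓ | ✓` (Core and Detection, mirroring `src_host`) plus unclassified `domain_user_name`, `hash_md5` and `malware_url`, and at the same time the existing rows are reordered, so git replaces the entire table for four added rows. Keep the original row order so the additions are visible, and classify `hash_md5` and `malware_url` next to the existing `file_hash` row (`Legacy`, Informational) rather than leaving them empty; a hash and a URL are exactly the fields an analyst would expect to be usable for detection.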
diff --git a/Extensions/blue_coat_proxysg.md b/Extensions/blue_coat_proxysg.md
new file mode 100644
index 0000000..948b5e6
--- /dev/null
+++ b/Extensions/blue_coat_proxysg.md
@@ -0,0 +1,43 @@
+blue coat proxysg
+=================
+
+Expression
+----------
+
+product = "blue coat proxysg"
+
+Fields
+------
+
+| Field | Core | Detection | Informational |
+| -------- | ---- | --------- | ------------- |
+| src_host | | ✓ | |
+
+Activity Types
+--------------
+
+| Activity Type | Field | Status | Core | Detection | Informational |
+| --------------- | ---------------- | ------- | ---- | --------- | ------------- |
+| http-session | country | Default | | | ✓ |
+| | protocol | Default | | | ✓ |
+| | app_user | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | browser | Default | | | ✓ |
+| | resource_id | Default | | | ✓ |
+| | categories | Default | | | ✓ |
+| | proxy_action | Default | | | ✓ |
+| | proxy_ip | Default | | | ✓ |
+| network-traffic | referrer | Default | | | ✓ |
+| | method | Default | | | ✓ |
+| | bytes_out | Default | | | ✓ |
+| | bytes_in | Default | | | ✓ |
+| | mime | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | result_code | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | categories | Default | | | ✓ |
+| | category | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | proxy_action | Default | | | ✓ |
+
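Review bot: in the new network-traffic block every row is `Default` except `| | domain_user_name | | | | |`, and `user` is the only field marked Detection, yet the extension-level Fields table lists only `src_host`. `domain` appears in both http-session and network-traffic and `user` is the detection-relevant field, so check whether the Fields table should list them, and give `domain_user_name` a status. The new file also ends with a stray empty `+` line.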
diff --git a/Extensions/box_cloud_content_management.md b/Extensions/box_cloud_content_management.md
index c3930ba..2fdcc67 100644
--- a/Extensions/box_cloud_content_management.md
+++ b/Extensions/box_cloud_content_management.md
@@ -4,24 +4,25 @@ box cloud content management
Expression
----------
-product = "box cloud content"
+product = "box cloud content management"
Fields
------
-| Field | Core | Detection | Informational |
-| --------------- | -------- | --------- | ------------- |
-| src_ip | | ✓ | |
-| additional_info | | | ✓ |
-| domain | | ✓ | |
-| user | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| src_ip | | ✓ | |
+| additional_info | | | ✓ |
+| domain | | ✓ | |
+| domain_user_name | | | |
+| user | ✓ | ✓ | |
Activity Types
--------------
| Activity Type | Field | Status | Core | Detection | Informational |
| ------------- | ------------ | ------- | ---- | --------- | ------------- |
-| app-activity | application | Default | | | ✓ |
+| app-activity | app | Default | | | ✓ |
| | resource | Default | | | ✓ |
| | service_name | Default | | | ✓ |
| | dest_user | Default | | ✓ | |
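Review bot: the expression changes from `product = "box cloud content"` to `product = "box cloud content management"`. This alters which events the extension matches, so confirm the parser actually emits the longer product string; if it still emits the short one, this silently breaks every Box activity type documented below. The same hunk renames `application` to `app` in app-activity and adds the unclassified `domain_user_name` row.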
@@ -40,16 +41,17 @@ Activity Types
| | bytes | Legacy | | ✓ | |
| | file_dir | Legacy | | | ✓ |
| | object | | | ✓ | |
+| | cid | | | ✓ | |
| file-read | owned_user | | | ✓ | |
| | access_type | | | ✓ | |
| | access | Legacy | | ✓ | |
| | file_type | Legacy | | | ✓ |
| | bytes | Legacy | | | ✓ |
| | object | | | ✓ | |
-| file-upload | owned_user | | | ✓ | |
+| file-upload | app | | | | |
+| | owned_user | | | ✓ | |
| | access_type | | | ✓ | |
| | access | | | ✓ | |
-| | application | | | | |
| | resource | | | | |
| | file_type | Legacy | | | ✓ |
| | bytes | | | ✓ | |
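Review bot: the `cid` row added at the end of the preceding block is marked Detection but has no Status, unlike the `Legacy` rows around it. In file-upload, `application` is replaced by `app` but the row is also moved from the end of the block to the activity-type line, which turns a one-line rename into a three-line change and pushes `owned_user` onto a continuation row; keep the row where it was.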
@@ -64,4 +66,5 @@ Activity Types
| | bytes | Legacy | | ✓ | |
| | process_name | Legacy | | | ✓ |
| | object | | | ✓ | |
+| | cid | | | ✓ | |
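Review bot: `| | cid | | | ✓ | |` is added with a Detection mark but no Status, while the neighbouring `bytes` and `process_name` rows are `Legacy`; fill in the Status or document that an empty Status means Default.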
diff --git a/Extensions/bromium_secure_platform.md b/Extensions/bromium_secure_platform.md
index 4dd47df..76342cd 100644
--- a/Extensions/bromium_secure_platform.md
+++ b/Extensions/bromium_secure_platform.md
@@ -9,14 +9,15 @@ product = "bromium secure platform"
Fields
------
-| Field | Core | Detection | Informational |
-| --------------- | -------- | --------- | ------------- |
-| src_ip | | ✓ | |
-| additional_info | | | ✓ |
-| process_name | | ✓ | |
-| domain | | | ✓ |
-| src_host | | ✓ | |
-| user | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| src_ip | | ✓ | |
+| additional_info | | | ✓ |
+| process_name | | ✓ | |
+| domain | | | ✓ |
+| domain_user_name | | | |
+| src_host | | ✓ | |
+| user | ✓ | ✓ | |
Activity Types
--------------
diff --git a/Extensions/carbon_black_app_control.md b/Extensions/carbon_black_app_control.md
index bafeb6d..55ecd16 100644
--- a/Extensions/carbon_black_app_control.md
+++ b/Extensions/carbon_black_app_control.md
@@ -9,10 +9,11 @@ product = "carbon black app control"
Fields
------
-| Field | Core | Detection | Informational |
-| ------ | -------- | --------- | ------------- |
-| domain | | ✓ | |
-| user | ✓ | | |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| domain | | ✓ | |
+| domain_user_name | | | |
+| user | ✓ | | |
Activity Types
--------------
diff --git a/Extensions/carbon_black_ces.md b/Extensions/carbon_black_ces.md
new file mode 100644
index 0000000..8301923
--- /dev/null
+++ b/Extensions/carbon_black_ces.md
@@ -0,0 +1,93 @@
+carbon black ces
+================
+
+Expression
+----------
+
+product = "carbon black ces"
+
+Fields
+------
+
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| src_ip | | ✓ | |
+| domain | | ✓ | |
+| domain_user_name | | | |
+| user | ✓ | | |
+
+Activity Types
+--------------
+
+| Activity Type | Field | Status | Core | Detection | Informational |
+| --------------- | -------------------- | ------- | ---- | --------- | ------------- |
+| app-login | | | | | |
+| file-read | selected_hash_sha256 | | | ✓ | |
+| | target_hash_sha256 | | | ✓ | |
+| | alert_severity | | | ✓ | |
+| | target_md5hash | | | ✓ | |
+| | process_dir | Legacy | | | ✓ |
+| | src_host | Legacy | | ✓ | |
+| | alert_type | | | ✓ | |
+| | hash_sha256 | | | ✓ | |
+| | selected_md5hash | | | ✓ | |
+| | web_domain | | | ✓ | |
+| | process_name | Legacy | | | ✓ |
+| | parent_hash_sha256 | | | ✓ | |
+| | dest_ip | | | ✓ | |
+| | alert_id | | | | ✓ |
+| | hash_md5 | | | ✓ | |
+| | process_path | Legacy | | ✓ | |
+| | parent_md5hash | | | ✓ | |
+| | alert_name | | | ✓ | |
+| file-write | selected_hash_sha256 | | | ✓ | |
+| | target_hash_sha256 | | | ✓ | |
+| | alert_severity | | | ✓ | |
+| | target_md5hash | | | ✓ | |
+| | process_dir | Legacy | | | ✓ |
+| | src_host | | | ✓ | |
+| | alert_type | | | ✓ | |
+| | hash_sha256 | | | ✓ | |
+| | selected_md5hash | | | ✓ | |
+| | web_domain | | | ✓ | |
+| | process_name | Legacy | | | ✓ |
+| | parent_hash_sha256 | | | ✓ | |
+| | dest_ip | | | ✓ | |
+| | alert_id | | | | ✓ |
+| | hash_md5 | | | ✓ | |
+| | process_path | Legacy | | ✓ | |
+| | parent_md5hash | | | ✓ | |
+| | alert_name | | | ✓ | |
+| network-session | selected_hash_sha256 | Default | | | ✓ |
+| | file_path | Default | | | ✓ |
+| | target_hash_sha256 | Default | | | ✓ |
+| | file_name | Default | | | ✓ |
+| | alert_severity | Default | | | ✓ |
+| | file_dir | Default | | | ✓ |
+| | target_md5hash | Default | | | ✓ |
+| | process_dir | Default | | | ✓ |
+| | src_host | Default | | ✓ | |
+| | alert_type | Default | | | ✓ |
+| | hash_sha256 | Default | | | ✓ |
+| | selected_md5hash | Default | | | ✓ |
+| | web_domain | Default | | | ✓ |
+| | process_name | Default | | | ✓ |
+| | parent_hash_sha256 | Default | | | ✓ |
+| | alert_id | Default | | | ✓ |
+| | hash_md5 | Default | | | ✓ |
+| | process_path | Default | | | ✓ |
+| | parent_md5hash | Default | | | ✓ |
+| | alert_name | Default | | | ✓ |
+| process-create | selected_hash_sha256 | Default | | | ✓ |
+| | hash_sha256 | Default | | | ✓ |
+| | file_path | Default | | | ✓ |
+| | target_hash_sha256 | Default | | | ✓ |
+| | selected_md5hash | Default | | | ✓ |
+| | file_name | Default | | | ✓ |
+| | parent_hash_sha256 | Default | | | ✓ |
+| | dest_ip | Default | | ✓ | |
+| | file_dir | Default | | | ✓ |
+| | hash_md5 | Default | | | ✓ |
+| | target_md5hash | Default | | | ✓ |
+| | parent_md5hash | Default | | | ✓ |
+
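Review bot: this new file's expression `product = "carbon black ces"` is identical to the one already in `Extensions/carbon_black_cloud_endpoint_standard.md` (visible in that file's hunk header, `@@ -9,11 +9,12 @@ product = "carbon black ces"`), so two extensions now claim the same product and it is unclear which one applies. Either one file is a duplicate to be removed or the expressions need to differ. Within the file, file-read and file-write list the same 18 fields, but `src_host` is `Legacy` in file-read and has no Status in file-write; that looks like a copy error. The file also ends with a stray empty `+` line.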
diff --git a/Extensions/carbon_black_cloud_endpoint_standard.md b/Extensions/carbon_black_cloud_endpoint_standard.md
index bbdf93c..f8c9d0a 100644
--- a/Extensions/carbon_black_cloud_endpoint_standard.md
+++ b/Extensions/carbon_black_cloud_endpoint_standard.md
@@ -9,11 +9,12 @@ product = "carbon black ces"
Fields
------
-| Field | Core | Detection | Informational |
-| ------ | -------- | --------- | ------------- |
-| src_ip | | ✓ | |
-| domain | | ✓ | |
-| user | ✓ | | |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| src_ip | | ✓ | |
+| domain | | ✓ | |
+| domain_user_name | | | |
+| user | ✓ | | |
Activity Types
--------------
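Review bot: the hunk header shows this file's expression is `product = "carbon black ces"`, the same string used by the new `Extensions/carbon_black_ces.md`, and after this change both files document the same four fields (`src_ip`, `domain`, `domain_user_name`, `user`) with identical classifications. Decide which file is canonical before merging; otherwise the two will drift.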
diff --git a/Extensions/carbon_black_edr.md b/Extensions/carbon_black_edr.md
index 34f3ef0..4c59531 100644
--- a/Extensions/carbon_black_edr.md
+++ b/Extensions/carbon_black_edr.md
@@ -14,6 +14,7 @@ Fields
| process_id | | | ✓ |
| device_id | | | ✓ |
| process_dir | | ✓ | |
+| domain_user_name | | | |
| src_host | | ✓ | |
| process_command_line | | ✓ | |
| process_guid | | | ✓ |
@@ -46,6 +47,7 @@ Activity Types
| | hash_md5 | Default | | | ✓ |
| | dest_host | Default | | ✓ | |
| | parent_process_guid | Default | | | ✓ |
+| | domain_user_name | | | | |
| | process_command_line | Default | | | ✓ |
| | user | Default | | ✓ | |
diff --git a/Extensions/cato_cloud.md b/Extensions/cato_cloud.md
index dc24176..b181502 100644
--- a/Extensions/cato_cloud.md
+++ b/Extensions/cato_cloud.md
@@ -14,13 +14,13 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | ---------------- | ------- | ---- | --------- | ------------- |
-| http-session | src_country | Default | | | ✓ |
-| | src_host | Default | | ✓ | |
-| | dest_country | Default | | | ✓ |
-| vpn-login | dest_ip | Default | | ✓ | |
-| | operating_system | Default | | | ✓ |
-| vpn-logout | dest_ip | | | ✓ | |
-| | operating_system | | | | ✓ |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ------------ | ------- | ---- | --------- | ------------- |
+| http-session | src_country | Default | | | ✓ |
+| | src_host | Default | | ✓ | |
+| | dest_country | Default | | | ✓ |
+| vpn-login | os | Default | | | ✓ |
+| | dest_ip | Default | | ✓ | |
+| vpn-logout | os | | | | ✓ |
+| | dest_ip | | | ✓ | |
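Review bot: `operating_system` is renamed to `os` in vpn-login and vpn-logout, and the renamed row is also moved ahead of `dest_ip`, so a two-line rename becomes a full rewrite of both blocks. Keep row order stable unless the generator sorts rows deterministically, in which case the commit message should say so.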
diff --git a/Extensions/centrify_audit_and_monitoring_service.md b/Extensions/centrify_audit_and_monitoring_service.md
index f166c93..4634b28 100644
--- a/Extensions/centrify_audit_and_monitoring_service.md
+++ b/Extensions/centrify_audit_and_monitoring_service.md
@@ -14,21 +14,24 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | ---------- | ------ | -------- | --------- | ------------- |
-| file-delete | process_id | | | | ✓ |
-| | protocol | | | | ✓ |
-| | domain | | | | ✓ |
-| | event_name | | | | ✓ |
-| | user | Legacy | ✓ | ✓ | |
-| file-read | process_id | | | | ✓ |
-| | protocol | | | | ✓ |
-| | domain | | | | ✓ |
-| | event_name | | | | ✓ |
-| | user | Legacy | ✓ | ✓ | |
-| file-write | process_id | | | | ✓ |
-| | protocol | | | | ✓ |
-| | domain | | | | ✓ |
-| | event_name | | | | ✓ |
-| | user | Legacy | ✓ | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
+| file-delete | process_id | | | | ✓ |
+| | protocol | | | | ✓ |
+| | domain | | | | ✓ |
+| | event_name | | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| file-read | process_id | | | | ✓ |
+| | protocol | | | | ✓ |
+| | domain | | | | ✓ |
+| | event_name | | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| file-write | process_id | | | | ✓ |
+| | protocol | | | | ✓ |
+| | domain | | | | ✓ |
+| | event_name | | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
diff --git a/Extensions/centrify_zero_trust_privilege_services.md b/Extensions/centrify_zero_trust_privilege_services.md
index f640b6c..cf4e548 100644
--- a/Extensions/centrify_zero_trust_privilege_services.md
+++ b/Extensions/centrify_zero_trust_privilege_services.md
@@ -21,64 +21,71 @@ Activity Types
| -------------------- | ---------------- | ------- | -------- | --------- | ------------- |
| app-activity | src_ip | Default | | ✓ | |
| | auth_method | Default | | | ✓ |
+| | os | Default | | | ✓ |
| | additional_info | Default | | | ✓ |
| | dest_ip | Default | | ✓ | |
| | domain | Default | | | ✓ |
-| | operating_system | Default | | | ✓ |
| | dest_host | Default | | ✓ | |
+| | domain_user_name | | | | |
| | user | Default | | ✓ | |
| | user_agent | Default | | | ✓ |
| role-create | src_ip | Default | | ✓ | |
+| | os | Default | | | ✓ |
| | additional_info | Default | | | ✓ |
| | dest_ip | Default | | ✓ | |
| | domain | Default | | | ✓ |
-| | operating_system | Default | | | ✓ |
| | dest_host | Default | | ✓ | |
+| | domain_user_name | | | | |
| | user | Default | | ✓ | |
| | operation | Default | | | ✓ |
| | user_agent | Default | | | ✓ |
| role-delete | src_ip | Default | | ✓ | |
+| | os | Default | | | ✓ |
| | additional_info | Default | | | ✓ |
| | dest_ip | Default | | ✓ | |
| | domain | Default | | | ✓ |
-| | operating_system | Default | | | ✓ |
| | dest_host | Default | | ✓ | |
+| | domain_user_name | | | | |
| | user | Default | | ✓ | |
| | operation | Default | | | ✓ |
| | user_agent | Default | | | ✓ |
| role-modify | src_ip | Default | | ✓ | |
+| | os | Default | | | ✓ |
| | additional_info | Default | | | ✓ |
| | dest_ip | Default | | ✓ | |
| | domain | Default | | | ✓ |
-| | operating_system | Default | | | ✓ |
| | dest_host | Default | | ✓ | |
+| | domain_user_name | | | | |
| | user | Default | | ✓ | |
| | operation | Default | | | ✓ |
| | user_agent | Default | | | ✓ |
| user-create | src_ip | | | | |
+| | os | | | | |
| | additional_info | | | | |
| | dest_ip | | | | |
| | domain | Legacy | | | ✓ |
-| | operating_system | | | | |
| | dest_host | Legacy | | ✓ | |
+| | domain_user_name | | | | |
| | user | Legacy | ✓ | ✓ | |
| | operation | | | | |
| | user_agent | | | | |
| user-delete | src_ip | | | | |
+| | os | | | | |
| | additional_info | | | | |
| | dest_ip | | | | |
| | domain | Legacy | | | ✓ |
-| | operating_system | | | | |
| | dest_host | Legacy | | | ✓ |
+| | domain_user_name | | | | |
| | user | Legacy | ✓ | ✓ | |
| | operation | | | | |
| | user_agent | | | | |
| user-password-modify | src_ip | Default | | ✓ | |
+| | os | Default | | | ✓ |
| | additional_info | Default | | | ✓ |
| | dest_ip | Default | | ✓ | |
| | domain | Default | | | ✓ |
-| | operating_system | Default | | | ✓ |
| | dest_host | Default | | ✓ | |
+| | domain_user_name | | | | |
| | user | Default | | ✓ | |
| | operation | Default | | | ✓ |
| | user_agent | Default | | | ✓ |
diff --git a/Extensions/check_point_endpoint_security.md b/Extensions/check_point_endpoint_security.md
index 342767b..cae0b41 100644
--- a/Extensions/check_point_endpoint_security.md
+++ b/Extensions/check_point_endpoint_security.md
@@ -21,6 +21,7 @@ Activity Types
| | malware_file_name | | | | |
| | additional_info | | | | |
| | dest_ip | Legacy | ✓ | ✓ | |
+| | local_user_name | | | | |
| | dest_host | Legacy | | ✓ | |
| | malware_file_type | | | | |
| | src_host | Legacy | ✓ | ✓ | |
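Review bot: this extension gets `local_user_name` (`| | local_user_name | | | | |`) where every other extension in the diff gets `domain_user_name`. If the distinction is deliberate (a local account rather than a domain account), state it in the row or the commit message; otherwise it is a naming inconsistency that will complicate cross-source rules. The row is also unclassified while its neighbours `dest_ip` and `dest_host` are `Legacy`.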
diff --git a/Extensions/check_point_ngfw.md b/Extensions/check_point_ngfw.md
index 4c36960..c68f051 100644
--- a/Extensions/check_point_ngfw.md
+++ b/Extensions/check_point_ngfw.md
@@ -9,12 +9,13 @@ product = "check point ngfw"
Fields
------
-| Field | Core | Detection | Informational |
-| -------- | -------- | --------- | ------------- |
-| src_ip | ✓ | ✓ | |
-| dest_ip | ✓ | ✓ | |
-| src_host | | ✓ | |
-| user | | ✓ | |
+| Field | Core | Detection | Informational |
+| --------------- | -------- | --------- | ------------- |
+| src_ip | ✓ | ✓ | |
+| dest_ip | ✓ | ✓ | |
+| local_user_name | | | |
+| src_host | | ✓ | |
+| user | | ✓ | |
Activity Types
--------------
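Review bot: `local_user_name` is added to the extension-level Fields table with no Core/Detection/Informational mark, whereas every other field in this table has at least one and the adjacent `user` row is Detection. Either classify it (Detection would match `user`) or document why a user-name field carries no weight here. Minor: widening the separator line makes the whole table show as changed for a one-row addition; a commit-message line saying only one row was added would help reviewers.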
@@ -44,6 +45,7 @@ Activity Types
| | message_id | Default | | | ✓ |
| | direction | Default | | | ✓ |
| endpoint-authentication | user_ou | Default | | | ✓ |
+| | os | Default | | | ✓ |
| | bytes_in | Default | | | ✓ |
| | rule | Default | | | ✓ |
| | product_name | Default | | | ✓ |
@@ -52,7 +54,6 @@ Activity Types
| | src_translated_ip | Default | | | ✓ |
| | protocol | Default | | | ✓ |
| | bytes_out | Default | | | ✓ |
-| | operating_system | Default | | | ✓ |
| | action | Default | | | ✓ |
| | dest_translated_port | Default | | | ✓ |
| | company | Default | | | ✓ |
@@ -63,6 +64,7 @@ Activity Types
| | origin_name | Default | | | ✓ |
| | direction | Default | | | ✓ |
| endpoint-login | user_ou | Default | | | ✓ |
+| | os | Default | | | ✓ |
| | bytes_in | Default | | | ✓ |
| | rule | Default | | | ✓ |
| | product_name | Default | | | ✓ |
@@ -73,7 +75,6 @@ Activity Types
| | bytes_out | Default | | | ✓ |
| | additional_info | Default | | | ✓ |
| | process_name | Default | | | ✓ |
-| | operating_system | Default | | | ✓ |
| | action | Default | | | ✓ |
| | dest_translated_port | Default | | | ✓ |
| | company | Default | | | ✓ |
@@ -83,7 +84,8 @@ Activity Types
| | origin_ip | Default | | | ✓ |
| | origin_name | Default | | | ✓ |
| | direction | Default | | | ✓ |
-| http-session | service_name | Default | | | ✓ |
+| http-session | os | Default | | | ✓ |
+| | service_name | Default | | | ✓ |
| | interface_name | Default | | | ✓ |
| | rule | Default | | | ✓ |
| | product_name | Default | | | ✓ |
@@ -94,13 +96,13 @@ Activity Types
| | full_name | Default | | | ✓ |
| | additional_info | Default | | | ✓ |
| | dest_translated_port | Default | | | ✓ |
-| | operating_system | Default | | | ✓ |
| | src_translated_port | Default | | | ✓ |
| | origin_ip | Default | | | ✓ |
| | origin_name | Default | | | ✓ |
| | direction | Default | | | ✓ |
| network-session | user_ou | Default | | | ✓ |
| | src_interface | Default | | | ✓ |
+| | os | Default | | | ✓ |
| | bytes_in | Default | | | ✓ |
| | alert_severity | Default | | | ✓ |
| | interface_name | Default | | | ✓ |
@@ -111,7 +113,6 @@ Activity Types
| | rule_id | Default | | | ✓ |
| | src_translated_ip | Default | | | ✓ |
| | bytes_out | Default | | | ✓ |
-| | operating_system | Default | | | ✓ |
| | app_protocol | Default | | | ✓ |
| | action | Default | | | ✓ |
| | dest_translated_port | Default | | | ✓ |
@@ -156,7 +157,6 @@ Activity Types
| | dest_translated_ip | Default | | | ✓ |
| | src_translated_ip | Default | | | ✓ |
| | protocol | Default | | | ✓ |
-| | operating_system | Default | | | ✓ |
| | app_protocol | Default | | | ✓ |
| | action | Default | | | ✓ |
| | company | Default | | | ✓ |
@@ -167,6 +167,7 @@ Activity Types
| | policy | Default | | | ✓ |
| | direction | Default | | | ✓ |
| | user_ou | Default | | | ✓ |
+| | os | Default | | | ✓ |
| | product_name | Default | | | ✓ |
| | rule_id | Default | | | ✓ |
| | src_port | Default | | | ✓ |
@@ -177,6 +178,7 @@ Activity Types
| | src_translated_port | Default | | | ✓ |
| | origin_ip | Default | | | ✓ |
| vpn-logout | user_ou | | | | ✓ |
+| | os | | | ✓ | |
| | bytes_in | | | ✓ | |
| | rule | | | ✓ | |
| | product_name | | | | ✓ |
@@ -185,7 +187,6 @@ Activity Types
| | src_translated_ip | | | ✓ | |
| | protocol | | | ✓ | |
| | bytes_out | Legacy | | ✓ | |
-| | operating_system | | | ✓ | |
| | action | | | ✓ | |
| | dest_translated_port | | | ✓ | |
| | dest_host | Legacy | | | ✓ |
diff --git a/Extensions/check_point_security_gateway.md b/Extensions/check_point_security_gateway.md
index c4c2a54..828bf68 100644
--- a/Extensions/check_point_security_gateway.md
+++ b/Extensions/check_point_security_gateway.md
@@ -25,14 +25,14 @@ Activity Types
| Activity Type | Field | Status | Core | Detection | Informational |
| ------------------ | -------------------- | ------- | ---- | --------- | ------------- |
| vpn-authentication | auth_method | Default | | | ✓ |
-| | operating_system | Default | | | ✓ |
+| | os | Default | | | ✓ |
| vpn-login | user_ou | Default | | | ✓ |
| | src_port | Default | | | ✓ |
+| | auth_type | Default | | | ✓ |
+| | os | Default | | | ✓ |
| | src_translated_ipnum | Default | | | ✓ |
-| | operating_system | Default | | | ✓ |
| | realm | Default | | | ✓ |
| | operation | Default | | | ✓ |
-| | authentication_type | Default | | | ✓ |
| | dest_port | Default | | | ✓ |
| | direction | Default | | | ✓ |
| vpn-logout | user_ou | | | ✓ | |
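Review bot: this hunk silently renames two fields, `operating_system` to `os` and `authentication_type` to `auth_type`, and the same `operating_system` to `os` rename runs through the other files in this change. Nothing on these pages records the old names or says whether they are still accepted as aliases, so any rule or parser keyed on `authentication_type` stops matching without a hint. Add a short rename note (a changelog entry or a line under Fields) listing the old and new names.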
diff --git a/Extensions/check_point_threat_prevention.md b/Extensions/check_point_threat_prevention.md
index fbcb7bd..2fd362c 100644
--- a/Extensions/check_point_threat_prevention.md
+++ b/Extensions/check_point_threat_prevention.md
@@ -19,6 +19,7 @@ Activity Types
| alert-trigger | dest_dns_hostname | | | | |
| | confidence_level | | | | |
| | rule | | | | |
+| | domain_user_name | | | | |
| | attack_info | | | | |
| | rule_uid | | | | |
| | dest_translated_ip | | | | |
@@ -27,13 +28,14 @@ Activity Types
| | src_ip | Legacy | ✓ | ✓ | |
| | src_translated_ip | | | | |
| | protocol | Legacy | | ✓ | |
-| | application_protocol | | | | |
| | attack | | | | |
| | action | Legacy | | | ✓ |
+| | app_protocol | | | | |
| | first_name | | | | |
| | dest_port | Legacy | | ✓ | |
| | origin_name | | | | |
| | direction | | | | |
+| | app | | | | |
| | user_ou | | | | |
| | smartdefense_profile | | | | |
| | service_name | | | | |
@@ -43,10 +45,10 @@ Activity Types
| | failure_reason | | | | |
| | src_host | Legacy | ✓ | ✓ | |
| | product_name | | | | |
+| | account_user_name | | | | |
| | rule_id | | | | |
| | src_port | Legacy | | | ✓ |
| | full_name | | | | |
-| | application | | | | |
| | additional_info | | | | |
| | domain | | | | |
| | protection_name | | | | |
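Review bot: `account_user_name` is added with an empty Status and no classification, and the `application` row removed here has its replacement `app` in the previous hunk, so the rename is split across two hunks; a line in the commit message would stop a reviewer reading this hunk alone as a deletion. This file now carries `domain_user_name` and `account_user_name` while the check point ngfw and endpoint files in the same change add `local_user_name`; state the rule for which variant each product gets, since these tables are searched by field name.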
diff --git a/Extensions/cisco_adaptive_security_appliance.md b/Extensions/cisco_adaptive_security_appliance.md
index 18920f6..dbd52a7 100644
--- a/Extensions/cisco_adaptive_security_appliance.md
+++ b/Extensions/cisco_adaptive_security_appliance.md
@@ -4,7 +4,7 @@ cisco adaptive security appliance
Expression
----------
-product = "cisco asa"
+product = "cisco adaptive security appliance"
Fields
------
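Review bot: changing the Expression from `product = "cisco asa"` to `product = "cisco adaptive security appliance"` breaks any existing filter or rule that matches on the old value, and the page gives no indication that `"cisco asa"` remains valid. Either keep the old value as a documented alias or call the change out as breaking, naming the old string, so operators can update their queries.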
@@ -57,6 +57,7 @@ Activity Types
| | dest_interface | Default | | | ✓ |
| | dest_translated_host | Default | | | ✓ |
| | src_translated_host | Default | | | ✓ |
+| | domain_user_name | | | | |
| | src_host | Default | | ✓ | |
| | dest_translated_ip | Default | | | ✓ |
| | src_translated_ip | Default | | | ✓ |
diff --git a/Extensions/cisco_advanced_malware_protection_(amp)_for_endpoints.md b/Extensions/cisco_advanced_malware_protection_(amp)_for_endpoints.md
index d36bfa8..fdfceab 100644
--- a/Extensions/cisco_advanced_malware_protection_(amp)_for_endpoints.md
+++ b/Extensions/cisco_advanced_malware_protection_(amp)_for_endpoints.md
@@ -14,26 +14,27 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | file_path | Legacy | | | ✓ |
-| | src_mac | | | | |
-| | process | | | | |
-| | hash_sha1 | | | | |
-| | file_name | Legacy | ✓ | | |
-| | src_host | Legacy | ✓ | ✓ | |
-| | product_name | | | | |
-| | result | | | | |
-| | hash_sha256 | | | | |
-| | src_ip | Legacy | ✓ | ✓ | |
-| | email_address | | | | |
-| | connector_guid | | | | |
-| | additional_info | | | | |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | domain | | | | |
-| | hash_md5 | | | | |
-| | action | Legacy | | | ✓ |
-| | malware_url | | | | |
-| | category | | | | |
-| | user | Legacy | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | file_path | Legacy | | | ✓ |
+| | src_mac | | | | |
+| | process | | | | |
+| | hash_sha1 | | | | |
+| | file_name | Legacy | ✓ | | |
+| | domain_user_name | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | product_name | | | | |
+| | result | | | | |
+| | hash_sha256 | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | email_address | | | | |
+| | connector_guid | | | | |
+| | additional_info | | | | |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | domain | | | | |
+| | hash_md5 | | | | |
+| | action | Legacy | | | ✓ |
+| | malware_url | | | | |
+| | category | | | | |
+| | user | Legacy | | ✓ | |
diff --git a/Extensions/cisco_cloud_web_security.md b/Extensions/cisco_cloud_web_security.md
index 5d78700..b32c736 100644
--- a/Extensions/cisco_cloud_web_security.md
+++ b/Extensions/cisco_cloud_web_security.md
@@ -9,21 +9,22 @@ product = "cisco cloud web security"
Fields
------
-| Field | Core | Detection | Informational |
-| ------------ | ---- | --------- | ------------- |
-| method | | ✓ | |
-| bytes_in | | ✓ | |
-| mime | | ✓ | |
-| src_host | | ✓ | |
-| proxy_action | | ✓ | |
-| protocol | | ✓ | |
-| bytes_out | | ✓ | |
-| domain | | ✓ | |
-| action | | ✓ | |
-| result_code | | ✓ | |
-| category | | ✓ | |
-| user | | ✓ | |
-| user_agent | | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| method | | ✓ | |
+| bytes_in | | ✓ | |
+| mime | | ✓ | |
+| domain_user_name | | | |
+| src_host | | ✓ | |
+| proxy_action | | ✓ | |
+| protocol | | ✓ | |
+| bytes_out | | ✓ | |
+| domain | | ✓ | |
+| action | | ✓ | |
+| result_code | | ✓ | |
+| category | | ✓ | |
+| user | | ✓ | |
+| user_agent | | ✓ | |
Activity Types
--------------
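Review bot: the new `domain_user_name` row is the only field in this table without a Core/Detection/Informational mark; its neighbour `user` is Detection. Classify it or mark it explicitly as unclassified. The identical Fields table is also written into cisco_secure_web_appliance.md in this change, so if the two products really share one field set, a sentence saying so saves the next reader a diff.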
diff --git a/Extensions/cisco_firepower.md b/Extensions/cisco_firepower.md
index dfee277..54b1a85 100644
--- a/Extensions/cisco_firepower.md
+++ b/Extensions/cisco_firepower.md
@@ -9,46 +9,125 @@ product = cisco firepower
Fields
------
-There are no fields for this extension.
+| Field | Core | Detection | Informational |
+| ------ | ---- | --------- | ------------- |
+| src_ip | | ✓ | |
+| user | | ✓ | |
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | classification_name | | | | |
-| | block_type | | | | |
-| | bytes_in | | | | |
-| | egress_security_zone | | | | |
-| | result | | | | |
-| | src_ip | Legacy | ✓ | ✓ | |
-| | protocol | Legacy | | ✓ | |
-| | blocked | | | | |
-| | ip_protocl_id | | | | |
-| | process_name | Legacy | | ✓ | |
-| | alert_id | Legacy | | | ✓ |
-| | app_protocol | | | | |
-| | dest_port | Legacy | | ✓ | |
-| | policy | | | | |
-| | ioc_number | | | | |
-| | device_id | | | | |
-| | alert_description | | | | |
-| | impact | | | | |
-| | application_id | | | | |
-| | record_type | | | | |
-| | rule_id | | | | |
-| | src_port | Legacy | | | ✓ |
-| | bytes_out | | | | |
-| | additional_info | | | | |
-| | src_country | | | | |
-| | user_id | | | | |
-| | bytes | Legacy | | ✓ | |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | dest_host | Legacy | | ✓ | |
-| | ingress_interface | | | | |
-| | sensor | | | | |
-| | user | Legacy | | ✓ | |
-| | connection_counter | | | | |
-| | dest_country | | | | |
-| | ingress_security_zone | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ----------------------- | --------------------- | ------- | -------- | --------- | ------------- |
+| alert-trigger | classification_name | | | | |
+| | malware_file_name | | | | |
+| | block_type | | | | |
+| | bytes_in | | | | |
+| | rule | | | | |
+| | result | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | egress_security_zone | | | | |
+| | protocol | Legacy | | ✓ | |
+| | blocked | | | | |
+| | ip_protocl_id | | | | |
+| | file_type | | | | |
+| | process_name | Legacy | | ✓ | |
+| | alert_id | Legacy | | | ✓ |
+| | hash_md5 | | | | |
+| | app_protocol | | | | |
+| | app_id | | | | |
+| | dest_port | Legacy | | ✓ | |
+| | direction | | | | |
+| | policy | | | | |
+| | process | | | | |
+| | ioc_number | | | | |
+| | device_id | | | | |
+| | alert_description | | | | |
+| | impact | | | | |
+| | record_type | | | | |
+| | src_port | Legacy | | | ✓ |
+| | rule_id | | | | |
+| | event_id | | | | |
+| | bytes_out | | | | |
+| | additional_info | | | | |
+| | src_country | | | | |
+| | user_id | | | | |
+| | bytes | Legacy | | ✓ | |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | dest_host | Legacy | | ✓ | |
+| | ingress_interface | | | | |
+| | malware_url | | | | |
+| | sensor | | | | |
+| | user | Legacy | | ✓ | |
+| | connection_counter | | | | |
+| | dest_country | | | | |
+| | ingress_security_zone | | | | |
+| dns-request | src_interface | | | ✓ | |
+| | dns_record_type | | | ✓ | |
+| | response_ttl | | | ✓ | |
+| | dest_interface | | | ✓ | |
+| | bytes_in | | | ✓ | |
+| | rule | | | ✓ | |
+| | protocol | | | ✓ | |
+| | bytes_out | | | ✓ | |
+| | bytes | Legacy | | ✓ | |
+| | action | | | ✓ | |
+| | dns_response_type | | | ✓ | |
+| | category | | | ✓ | |
+| | policy | | | ✓ | |
+| dns-response | result | | | ✓ | |
+| | src_interface | | | ✓ | |
+| | egress_zone | | | ✓ | |
+| | protocol | | | ✓ | |
+| | bytes_out | | | ✓ | |
+| | dest_interface | | | ✓ | |
+| | bytes_in | | | ✓ | |
+| | ingress_zone | | | ✓ | |
+| | alert_type | | | ✓ | |
+| | policy | | | ✓ | |
+| endpoint-authentication | event_code | Default | | | ✓ |
+| | event_name | Default | | | ✓ |
+| | priority | Default | | | ✓ |
+| http-session | src_interface | Default | | | ✓ |
+| | protocol | Default | | | ✓ |
+| | dest_interface | Default | | | ✓ |
+| | app_protocol | Default | | | ✓ |
+| | rule | Default | | | ✓ |
+| | priority | Default | | | ✓ |
+| | alert_name | Default | | | ✓ |
+| | policy | Default | | | ✓ |
+| network-session | src_interface | Default | | | ✓ |
+| | egress_zone | Default | | | ✓ |
+| | responder_packets | Default | | | ✓ |
+| | packets_out | Default | | | ✓ |
+| | bytes_in | Default | | | ✓ |
+| | network_app | Default | | | ✓ |
+| | nap_policy | Default | | | ✓ |
+| | response_type | Default | | | ✓ |
+| | reputation | Default | | | ✓ |
+| | rule | Default | | | ✓ |
+| | result | Default | | | ✓ |
+| | tcp_flags | Default | | | ✓ |
+| | event_code | Default | | | ✓ |
+| | initiator_packets | Default | | | ✓ |
+| | connection_duration | Default | | | ✓ |
+| | app_protocol | Default | | | ✓ |
+| | action | Default | | | ✓ |
+| | policy | Default | | | ✓ |
+| | connection_type | Default | | | ✓ |
+| | device_id | Default | | | ✓ |
+| | dest_interface | Default | | | ✓ |
+| | packets_in | Default | | | ✓ |
+| | ingress_zone | Default | | | ✓ |
+| | url | Default | | | ✓ |
+| | bytes_out | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | event_name | Default | | | ✓ |
+| | category | Default | | | ✓ |
+| vpn-authentication | event_code | Default | | | ✓ |
+| | event_name | Default | | | ✓ |
+| | priority | Default | | | ✓ |
+| vpn-login | group_name | Default | | | ✓ |
+| | event_code | Default | | | ✓ |
+| | priority | Default | | | ✓ |
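Review bot: `ip_protocl_id` under alert-trigger is carried through the rewrite unchanged and looks like a typo for `ip_protocol_id`; if it mirrors the raw source field name, add a remark, otherwise fix it while the table is being rewritten. Three further inconsistencies in the new table: (1) the new Fields block lists `src_ip` as Detection only, but alert-trigger has `src_ip` as both Core and Detection; (2) alert-trigger uses `egress_security_zone` and `ingress_security_zone` while dns-response and network-session use `egress_zone` and `ingress_zone` for what reads as the same concept; (3) the dns-request and dns-response rows have an empty Status (only `bytes` is Legacy) while endpoint-authentication, http-session, network-session and the vpn types are all `Default`. Also, the hunk header shows `product = cisco firepower` unquoted, whereas the other extension files quote the value.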
diff --git a/Extensions/cisco_ios.md b/Extensions/cisco_ios.md
index b3d8603..d1aab64 100644
--- a/Extensions/cisco_ios.md
+++ b/Extensions/cisco_ios.md
@@ -16,16 +16,17 @@ Fields
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| -------------------- | -------------- | ------- | ---- | --------- | ------------- |
-| configuration-modify | event_code | | | | |
-| | event_name | | | | |
-| | src_host | | | ✓ | |
-| | event_category | | | | |
-| | user | | | | |
-| endpoint-login | src_port | Default | | | ✓ |
-| | event_code | Default | | | ✓ |
-| network-session | src_interface | Default | | | ✓ |
-| | packets | Default | | | ✓ |
-| process-create | user | Default | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| -------------------- | --------------- | ------- | ---- | --------- | ------------- |
+| configuration-modify | event_code | | | | |
+| | local_user_name | | | | |
+| | event_name | | | | |
+| | src_host | | | ✓ | |
+| | event_category | | | | |
+| | user | | | | |
+| endpoint-login | src_port | Default | | | ✓ |
+| | event_code | Default | | | ✓ |
+| network-session | src_interface | Default | | | ✓ |
+| | packets | Default | | | ✓ |
+| process-create | user | Default | | ✓ | |
diff --git a/Extensions/cisco_ise.md b/Extensions/cisco_ise.md
index 79cd3ce..2055add 100644
--- a/Extensions/cisco_ise.md
+++ b/Extensions/cisco_ise.md
@@ -16,64 +16,65 @@ Fields
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ----------------------- | ------------------------ | ------- | ---- | --------- | ------------- |
-| app-activity | src_ip | Default | | ✓ | |
-| | privileges | Default | | | ✓ |
-| | application | Default | | | ✓ |
-| | dest_ip | Default | | ✓ | |
-| | user | Default | | ✓ | |
-| configuration-modify | severity | | | | |
-| | additional_info | | | | |
-| | event_code | | | | |
-| | domain | | | | |
-| | event_name | | | | |
-| | user | | | | |
-| | operation | | | | |
-| | admin_interface | | | | |
-| | object | | | | |
-| endpoint-authentication | severity | Default | | | ✓ |
-| | computer_name | Default | | | ✓ |
-| | src_mac | Default | | | ✓ |
-| | radius_flow_type | Default | | | ✓ |
-| | access_type | Default | | | ✓ |
-| | user_dn | Default | | | ✓ |
-| | dest_mac | Default | | | ✓ |
-| | session_id | Default | | | ✓ |
-| | src_host | Default | | ✓ | |
-| | ssid | Default | | | ✓ |
-| | nas_ip_address | Default | | | ✓ |
-| | network | Default | | | ✓ |
-| | identity_group | Default | | | ✓ |
-| | protocol | Default | | | ✓ |
-| | user_type | Default | | | ✓ |
-| | dest_ip | Default | | ✓ | |
-| | location | Default | | | ✓ |
-| | acs_session_id | Default | | | ✓ |
-| | auth_server | Default | | | ✓ |
-| | dest_port | Default | | | ✓ |
-| | calling_station_id | Default | | | ✓ |
-| endpoint-login | severity | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | event_code | Default | | | ✓ |
-| | event_name | Default | | | ✓ |
-| | category | Default | | | ✓ |
-| | admin_interface | Default | | | ✓ |
-| vpn-login | src_translated_ip | Default | | | ✓ |
-| | operating_system_version | Default | | | ✓ |
-| | event_code | Default | | | ✓ |
-| | dest_ip | Default | | ✓ | |
-| | badge_id | Default | | | ✓ |
-| | dest_host | Default | | ✓ | |
-| | session_id | Default | | | ✓ |
-| | event_name | Default | | | ✓ |
-| | operating_system | Default | | | ✓ |
-| | realm | Default | | | ✓ |
-| vpn-logout | src_translated_ip | | | | |
-| | bytes_out | Legacy | | ✓ | |
-| | bytes_in | | | | |
-| | additional_info | | | | |
-| | dest_ip | | | | |
-| | dest_host | Legacy | | | ✓ |
-| | session_duration | Legacy | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ----------------------- | ------------------ | ------- | ---- | --------- | ------------- |
+| app-activity | src_ip | Default | | ✓ | |
+| | app | Default | | | ✓ |
+| | privileges | Default | | | ✓ |
+| | dest_ip | Default | | ✓ | |
+| | user | Default | | ✓ | |
+| configuration-modify | severity | | | | |
+| | additional_info | | | | |
+| | event_code | | | | |
+| | domain | | | | |
+| | event_name | | | | |
+| | domain_user_name | | | | |
+| | user | | | | |
+| | operation | | | | |
+| | admin_interface | | | | |
+| | object | | | | |
+| endpoint-authentication | severity | Default | | | ✓ |
+| | computer_name | Default | | | ✓ |
+| | src_mac | Default | | | ✓ |
+| | radius_flow_type | Default | | | ✓ |
+| | access_type | Default | | | ✓ |
+| | user_dn | Default | | | ✓ |
+| | dest_mac | Default | | | ✓ |
+| | session_id | Default | | | ✓ |
+| | src_host | Default | | ✓ | |
+| | ssid | Default | | | ✓ |
+| | nas_ip_address | Default | | | ✓ |
+| | network | Default | | | ✓ |
+| | identity_group | Default | | | ✓ |
+| | protocol | Default | | | ✓ |
+| | user_type | Default | | | ✓ |
+| | dest_ip | Default | | ✓ | |
+| | location | Default | | | ✓ |
+| | acs_session_id | Default | | | ✓ |
+| | auth_server | Default | | | ✓ |
+| | dest_port | Default | | | ✓ |
+| | calling_station_id | Default | | | ✓ |
+| endpoint-login | severity | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | event_code | Default | | | ✓ |
+| | event_name | Default | | | ✓ |
+| | category | Default | | | ✓ |
+| | admin_interface | Default | | | ✓ |
+| vpn-login | src_translated_ip | Default | | | ✓ |
+| | os | Default | | | ✓ |
+| | event_code | Default | | | ✓ |
+| | dest_ip | Default | | ✓ | |
+| | os_version | Default | | | ✓ |
+| | badge_id | Default | | | ✓ |
+| | dest_host | Default | | ✓ | |
+| | session_id | Default | | | ✓ |
+| | event_name | Default | | | ✓ |
+| | realm | Default | | | ✓ |
+| vpn-logout | src_translated_ip | | | | |
+| | bytes_out | Legacy | | ✓ | |
+| | bytes_in | | | | |
+| | additional_info | | | | |
+| | dest_ip | | | | |
+| | dest_host | Legacy | | | ✓ |
+| | session_duration | Legacy | | ✓ | |
diff --git a/Extensions/cisco_meraki_mx.md b/Extensions/cisco_meraki_mx.md
index 2c28d2d..6368946 100644
--- a/Extensions/cisco_meraki_mx.md
+++ b/Extensions/cisco_meraki_mx.md
@@ -16,14 +16,15 @@ Activity Types
| Activity Type | Field | Status | Core | Detection | Informational |
| ------------- | --------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | src_mac | | | | |
+| alert-trigger | app | | | | |
+| | src_mac | | | | |
| | process | | | | |
+| | local_user_name | | | | |
| | event_subtype | | | | |
| | src_host | Legacy | ✓ | ✓ | |
| | result | | | | |
| | src_ip | Legacy | ✓ | ✓ | |
| | protocol | Legacy | | ✓ | |
-| | application | | | | |
| | additional_info | | | | |
| | dest_ip | Legacy | ✓ | ✓ | |
| | dest_host | Legacy | | ✓ | |
diff --git a/Extensions/cisco_meraki_mx_appliance.md b/Extensions/cisco_meraki_mx_appliance.md
new file mode 100644
index 0000000..7b3912c
--- /dev/null
+++ b/Extensions/cisco_meraki_mx_appliance.md
@@ -0,0 +1,36 @@
+cisco meraki mx appliance
+=========================
+
+Expression
+----------
+
+product = "cisco meraki mx appliance"
+
+Fields
+------
+
+There are no fields for this extension.
+
+Activity Types
+--------------
+
+| Activity Type | Field | Status | Core | Detection | Informational |
+| --------------- | -------------------- | ------- | ---- | --------- | ------------- |
+| http-session | src_mac | Default | | | ✓ |
+| | protocol | Default | | | ✓ |
+| network-traffic | channel | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | dest_translated_ip | Default | | | ✓ |
+| | result | Default | | | ✓ |
+| | duration | Default | | | ✓ |
+| | src_translated_ip | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | dest_translated_port | Default | | | ✓ |
+| | dhcp_ip | Default | | | ✓ |
+| | src_translated_port | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | aid | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| vpn-login | src_translated_ip | Default | | | ✓ |
+| vpn-logout | src_translated_ip | | | ✓ | |
+
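Review bot: this new file is a near-copy of cisco_meraki_mx_appliances.md (next hunk), with the same tables and a product expression that differs only by the trailing `s` (`"cisco meraki mx appliance"` versus `"cisco meraki mx appliances"`). If the singular name is the replacement, the plural file should be deleted or reduced to a pointer; if both are intended, say which string a source actually emits, because two extensions that differ by one letter will be confused in filters. The file also ends with an extra blank line.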
diff --git a/Extensions/cisco_meraki_mx_appliances.md b/Extensions/cisco_meraki_mx_appliances.md
index 9c10999..cc4783d 100644
--- a/Extensions/cisco_meraki_mx_appliances.md
+++ b/Extensions/cisco_meraki_mx_appliances.md
@@ -18,18 +18,19 @@ Activity Types
| --------------- | -------------------- | ------- | ---- | --------- | ------------- |
| http-session | src_mac | Default | | | ✓ |
| | protocol | Default | | | ✓ |
-| network-traffic | result | Default | | | ✓ |
+| network-traffic | channel | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | dest_translated_ip | Default | | | ✓ |
+| | result | Default | | | ✓ |
| | duration | Default | | | ✓ |
| | src_translated_ip | Default | | | ✓ |
| | domain | Default | | | ✓ |
-| | channel | Default | | | ✓ |
| | dest_translated_port | Default | | | ✓ |
| | dhcp_ip | Default | | | ✓ |
| | src_translated_port | Default | | | ✓ |
| | operation | Default | | | ✓ |
| | aid | Default | | | ✓ |
| | user | Default | | ✓ | |
-| | dest_translated_ip | Default | | | ✓ |
| vpn-login | src_translated_ip | Default | | | ✓ |
| vpn-logout | src_translated_ip | | | ✓ | |
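Review bot: after this reorder the table is identical to the one in the new cisco_meraki_mx_appliance.md, so two extension pages now maintain the same content under product strings that differ by one letter; pick one as canonical and note the relationship on the other. Within the hunk, `channel` and `dest_translated_ip` are only moved, not changed, and the new `domain_user_name` row has no Status or classification, unlike every other row in network-traffic.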
diff --git a/Extensions/cisco_secure_web_appliance.md b/Extensions/cisco_secure_web_appliance.md
index 47612a9..0c1c1a8 100644
--- a/Extensions/cisco_secure_web_appliance.md
+++ b/Extensions/cisco_secure_web_appliance.md
@@ -9,20 +9,21 @@ product = "cisco secure web appliance"
Fields
------
-| Field | Core | Detection | Informational |
-| ------------ | ---- | --------- | ------------- |
-| protocol | | ✓ | |
-| bytes_out | | ✓ | |
-| method | | ✓ | |
-| bytes_in | | ✓ | |
-| domain | | ✓ | |
-| mime | | ✓ | |
-| action | | ✓ | |
-| result_code | | ✓ | |
-| category | | ✓ | |
-| user | | ✓ | |
-| proxy_action | | ✓ | |
-| user_agent | | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| method | | ✓ | |
+| bytes_in | | ✓ | |
+| mime | | ✓ | |
+| domain_user_name | | | |
+| proxy_action | | ✓ | |
+| protocol | | ✓ | |
+| bytes_out | | ✓ | |
+| domain | | ✓ | |
+| action | | ✓ | |
+| result_code | | ✓ | |
+| category | | ✓ | |
+| user | | ✓ | |
+| user_agent | | ✓ | |
Activity Types
--------------
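Review bot: this hunk reorders the existing rows (for example `protocol` and `bytes_out` move from the top to the middle) in addition to inserting `domain_user_name`, so the whole table shows as rewritten for a one-row change. If the order comes from a generator, say so in the commit message; otherwise keep the existing order and add the row only. The new row is also the only one without a classification while `user` is Detection.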
diff --git a/Extensions/cisco_stealthwatch_(lancope).md b/Extensions/cisco_stealthwatch_(lancope).md
index aa4e1ac..4c78ff4 100644
--- a/Extensions/cisco_stealthwatch_(lancope).md
+++ b/Extensions/cisco_stealthwatch_(lancope).md
@@ -14,20 +14,22 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | src_mac | | | | |
-| | host_ip | | | | |
-| | src_host | Legacy | ✓ | ✓ | |
-| | src_ip | Legacy | ✓ | ✓ | |
-| | src_port | Legacy | | | ✓ |
-| | protocol | Legacy | | ✓ | |
-| | additional_info | | | | |
-| | alert_id | Legacy | | | ✓ |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | domain | | | | |
-| | dest_host | Legacy | | ✓ | |
-| | user | Legacy | | ✓ | |
-| | account | | | | |
-| | dest_port | Legacy | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ----------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | src_mac | | | | |
+| | host_ip | | | | |
+| | domain_user_name | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | account_user_name | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | src_port | Legacy | | | ✓ |
+| | protocol | Legacy | | ✓ | |
+| | additional_info | | | | |
+| | alert_id | Legacy | | | ✓ |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | domain | | | | |
+| | dest_host | Legacy | | ✓ | |
+| | user | Legacy | | ✓ | |
+| | account | | | | |
+| | dest_port | Legacy | | ✓ | |
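Review bot: alert-trigger now has four user-identity fields, `user`, `account`, `domain_user_name` and `account_user_name`, of which only `user` is classified (Legacy, Detection). Document how the two new fields relate to the existing `user` and `account` (which is populated when, and whether `account_user_name` supersedes `account`); without that a reader cannot tell which field to key a detection on.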
diff --git a/Extensions/cisco_umbrella.md b/Extensions/cisco_umbrella.md
index 52c9f50..dcbd1d9 100644
--- a/Extensions/cisco_umbrella.md
+++ b/Extensions/cisco_umbrella.md
@@ -17,18 +17,19 @@ Fields
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| --------------- | ------------- | ------- | ---- | --------- | ------------- |
-| dns-response | identities | | | | ✓ |
-| | domain | | | ✓ | |
-| | src_host | Legacy | | | ✓ |
-| | categories | | | ✓ | |
-| | user | Legacy | | | ✓ |
-| http-session | protocol | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | result_code | Default | | | ✓ |
-| | categories | Default | | | ✓ |
-| | identity_type | Default | | | ✓ |
-| | sha | Default | | | ✓ |
-| network-traffic | | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| --------------- | ---------------- | ------- | ---- | --------- | ------------- |
+| dns-response | identities | | | | ✓ |
+| | domain | | | ✓ | |
+| | domain_user_name | | | | |
+| | src_host | Legacy | | | ✓ |
+| | categories | | | ✓ | |
+| | user | Legacy | | | ✓ |
+| http-session | protocol | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | result_code | Default | | | ✓ |
+| | categories | Default | | | ✓ |
+| | identity_type | Default | | | ✓ |
+| | sha | Default | | | ✓ |
+| network-traffic | | | | | |
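Review bot: the `network-traffic` row is carried over with an empty Field column and no status or classification, which leaves an activity type with no fields; either list its fields or drop the row, and if the type exists but adds nothing beyond the core fields, a short explanatory line beats an empty table row. The new `domain_user_name` row in dns-response is also unclassified next to `user` (Legacy, Informational).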
diff --git a/Extensions/cisco_unified_communications_manager.md b/Extensions/cisco_unified_communications_manager.md
index 216f6b9..ddb9708 100644
--- a/Extensions/cisco_unified_communications_manager.md
+++ b/Extensions/cisco_unified_communications_manager.md
@@ -4,7 +4,7 @@ cisco unified communications manager
Expression
----------
-product = "cisco unified cm"
+product = "cisco unified communications manager"
Fields
------
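Review bot: the product expression changes from `"cisco unified cm"` to `"cisco unified communications manager"` with no mention of whether the short form is still matched; this is the same breaking-change pattern as the other Expression edits in this change, and each should state whether the old string remains an alias.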
diff --git a/Extensions/citrix_gateway_connector_for_exchange_activesync.md b/Extensions/citrix_gateway_connector_for_exchange_activesync.md
index 9e4281c..bab6e30 100644
--- a/Extensions/citrix_gateway_connector_for_exchange_activesync.md
+++ b/Extensions/citrix_gateway_connector_for_exchange_activesync.md
@@ -14,13 +14,14 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | ----------- | ------- | ---- | --------- | ------------- |
-| app-activity | src_ip | Default | | ✓ | |
-| | device_id | Default | | | ✓ |
-| | group_name | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | device_type | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | user_agent | Default | | | ✓ |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------- | ---- | --------- | ------------- |
+| app-activity | src_ip | Default | | ✓ | |
+| | device_id | Default | | | ✓ |
+| | group_name | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | device_type | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | user_agent | Default | | | ✓ |
diff --git a/Extensions/citrix_sharefile.md b/Extensions/citrix_sharefile.md
index 63cb034..854df72 100644
--- a/Extensions/citrix_sharefile.md
+++ b/Extensions/citrix_sharefile.md
@@ -9,32 +9,33 @@ product = "citrix sharefile"
Fields
------
-| Field | Core | Detection | Informational |
-| --------------- | ---- | --------- | ------------- |
-| src_ip | | ✓ | |
-| country_code | | ✓ | |
-| uri_path | | ✓ | |
-| additional_info | | | ✓ |
-| event_code | | ✓ | |
-| domain | | ✓ | |
-| action | | ✓ | |
-| company | | ✓ | |
-| user | | ✓ | |
-| operation | | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| src_ip | | ✓ | |
+| country_code | | ✓ | |
+| uri_path | | ✓ | |
+| additional_info | | | ✓ |
+| event_code | | ✓ | |
+| domain | | ✓ | |
+| action | | ✓ | |
+| domain_user_name | | | |
+| company | | ✓ | |
+| user | | ✓ | |
+| operation | | ✓ | |
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | ----------- | ------- | ---- | --------- | ------------- |
-| app-activity | file_path | Default | | | ✓ |
-| | file_ext | Default | | | ✓ |
-| | file_name | Default | | | ✓ |
-| | file_dir | Default | | | ✓ |
-| app-login | | | | | |
-| file-download | | | | | |
-| file-share | application | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | target | Default | | | ✓ |
-| file-upload | | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | --------- | ------- | ---- | --------- | ------------- |
+| app-activity | file_path | Default | | | ✓ |
+| | file_ext | Default | | | ✓ |
+| | file_name | Default | | | ✓ |
+| | file_dir | Default | | | ✓ |
+| app-login | | | | | |
+| file-download | | | | | |
+| file-share | app | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | target | Default | | | ✓ |
+| file-upload | | | | | |
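Review bot: the `app-login`, `file-download` and `file-upload` rows are rewritten with an empty Field column, so the table still lists activity types with no fields; fill them in or replace them with a sentence. In the Fields table, `domain_user_name` is the one row without a classification next to `user` (Detection). Separately, `application` to `app` under file-share is a rename that should be recorded somewhere for consumers of these names.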
diff --git a/Extensions/citrix_virtual_apps.md b/Extensions/citrix_virtual_apps.md
index 4750d35..e22fc48 100644
--- a/Extensions/citrix_virtual_apps.md
+++ b/Extensions/citrix_virtual_apps.md
@@ -14,9 +14,9 @@ Fields
| src_ip | | ✓ | |
| src_translated_ip | | ✓ | |
| protocol | | ✓ | |
+| os | | ✓ | |
| dest_ip | | ✓ | |
| alert_id | | ✓ | |
-| operating_system | | ✓ | |
| event_name | | ✓ | |
| src_host | | ✓ | |
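Review bot: `operating_system` is replaced by `os`, but the new row is inserted between `protocol` and `dest_ip` instead of where the old row sat, so the hunk reads as an unrelated add plus delete rather than a rename. If row order is generator-driven that is fine; otherwise keep the row in place so the rename is visible as one change. Any detection content that selects on `operating_system` for this product needs the same rename, which this doc should mention.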
diff --git a/Extensions/citrix_web_app_firewall.md b/Extensions/citrix_web_app_firewall.md
index 42ff175..d885751 100644
--- a/Extensions/citrix_web_app_firewall.md
+++ b/Extensions/citrix_web_app_firewall.md
@@ -4,7 +4,7 @@ citrix web app firewall
Expression
----------
-product = "citrix appfw"
+product = "citrix web app firewall"
Fields
------
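Review bot: Changing the Expression from `product = "citrix appfw"` to `product = "citrix web app firewall"` silently breaks any saved search or rule that filters on the old value; add a one-line note under Expression giving the previous value and the version in which it changed, or list the old value as an alias if the parser still emits it.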
diff --git a/Extensions/clearsense.md b/Extensions/clearsense.md
index 650e028..debdf58 100644
--- a/Extensions/clearsense.md
+++ b/Extensions/clearsense.md
@@ -16,10 +16,10 @@ Activity Types
| Activity Type | Field | Status | Core | Detection | Informational |
| ------------- | --------------- | ------- | ---- | --------- | ------------- |
-| app-activity | result | Default | | | ✓ |
+| app-activity | app | Default | | | ✓ |
+| | result | Default | | | ✓ |
| | src_ip | Default | | ✓ | |
| | method | Default | | | ✓ |
-| | application | Default | | | ✓ |
| | resource | Default | | | ✓ |
| | additional_info | Default | | | ✓ |
| | user | Default | | ✓ | |
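Review bot: Besides renaming `application` to `app`, this hunk moves the row from after `method` to the top of the `app-activity` block with no stated reason; keeping the renamed row where `application` was would make the rename a single-line change that reviewers can verify at a glance. As with the other `application` to `app` renames in this change set, note the old field name for anyone whose content matches on it.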
diff --git a/Extensions/clientview.md b/Extensions/clientview.md
index b5c1a5e..eab669e 100644
--- a/Extensions/clientview.md
+++ b/Extensions/clientview.md
@@ -14,56 +14,63 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ---------------- | --------------- | ------- | -------- | --------- | ------------- |
-| app-activity | src_ip | Default | | ✓ | |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | src_host | Default | | ✓ | |
-| | user | Default | | ✓ | |
-| email-send | src_ip | Default | | ✓ | |
-| | src_host | Default | | ✓ | |
-| file-delete | src_ip | | | | |
-| | access | Legacy | | ✓ | |
-| | bytes | | | | |
-| | hash_md5 | | | | |
-| | src_host | Legacy | | ✓ | |
-| | user | Legacy | ✓ | ✓ | |
-| file-download | access | | | | |
-| | dest_ip | | | | |
-| | domain | | | | |
-| | dest_host | Legacy | | | ✓ |
-| | dest_file_dir | | | | |
-| | user | Legacy | ✓ | ✓ | |
-| file-read | src_ip | | | | |
-| | access_type | | | | |
-| | access | Legacy | | ✓ | |
-| | bytes | Legacy | | | ✓ |
-| | hash_md5 | | | | |
-| | src_host | Legacy | | ✓ | |
-| | user | Legacy | ✓ | ✓ | |
-| file-upload | src_ip | | | | |
-| | access | | | | |
-| | domain | | | | |
-| | src_host | Legacy | | | ✓ |
-| | user | Legacy | ✓ | ✓ | |
-| file-write | src_ip | | | | |
-| | access | Legacy | | ✓ | |
-| | bytes | Legacy | | ✓ | |
-| | hash_md5 | | | | |
-| | src_host | | | | |
-| | user | Legacy | ✓ | ✓ | |
-| http-session | src_host | Default | | ✓ | |
-| printer-activity | src_ip | | | | |
-| | file_path | | | | |
-| | dest_ip | | | | |
-| | num_pages | Legacy | | ✓ | |
-| | printer_name | Legacy | ✓ | ✓ | |
-| | src_host | Legacy | | | ✓ |
-| | user | Legacy | ✓ | ✓ | |
-| | object | | | | |
-| process-create | src_ip | Default | | ✓ | |
-| | hash_md5 | Default | | | ✓ |
-| | session_id | Default | | | ✓ |
-| | user | Default | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ---------------- | ---------------- | ------- | -------- | --------- | ------------- |
+| app-activity | src_ip | Default | | ✓ | |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | src_host | Default | | ✓ | |
+| | user | Default | | ✓ | |
+| email-send | src_ip | Default | | ✓ | |
+| | src_host | Default | | ✓ | |
+| file-delete | src_ip | | | | |
+| | access | Legacy | | ✓ | |
+| | bytes | | | | |
+| | hash_md5 | | | | |
+| | local_user_name | | | | |
+| | src_host | Legacy | | ✓ | |
+| | user | Legacy | ✓ | ✓ | |
+| file-download | access | | | | |
+| | dest_ip | | | | |
+| | domain | | | | |
+| | dest_host | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | dest_file_dir | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| file-read | src_ip | | | | |
+| | access_type | | | | |
+| | access | Legacy | | ✓ | |
+| | bytes | Legacy | | | ✓ |
+| | hash_md5 | | | | |
+| | local_user_name | | | | |
+| | src_host | Legacy | | ✓ | |
+| | user | Legacy | ✓ | ✓ | |
+| file-upload | src_ip | | | | |
+| | access | | | | |
+| | domain | | | | |
+| | domain_user_name | | | | |
+| | src_host | Legacy | | | ✓ |
+| | user | Legacy | ✓ | ✓ | |
+| file-write | src_ip | | | | |
+| | access | Legacy | | ✓ | |
+| | bytes | Legacy | | ✓ | |
+| | hash_md5 | | | | |
+| | local_user_name | | | | |
+| | src_host | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| http-session | src_host | Default | | ✓ | |
+| printer-activity | src_ip | | | | |
+| | file_path | | | | |
+| | dest_ip | | | | |
+| | num_pages | Legacy | | ✓ | |
+| | local_user_name | | | | |
+| | printer_name | Legacy | ✓ | ✓ | |
+| | src_host | Legacy | | | ✓ |
+| | user | Legacy | ✓ | ✓ | |
+| | object | | | | |
+| process-create | src_ip | Default | | ✓ | |
+| | hash_md5 | Default | | | ✓ |
+| | session_id | Default | | | ✓ |
+| | user | Default | | ✓ | |
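Review bot: Every new `domain_user_name` and `local_user_name` row is blank in Status, Core, Detection and Informational, whereas the neighbouring `user` row is Core plus Detection; if these are derived from `user` they should at least be marked Informational, and if they are deliberately unranked the doc should say so once, because a table where the only difference between "not emitted" and "emitted but unclassified" is invisible will mislead anyone building detections against it.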
diff --git a/Extensions/cloudflare.md b/Extensions/cloudflare.md
deleted file mode 100644
index 6fe4ff9..0000000
--- a/Extensions/cloudflare.md
+++ /dev/null
@@ -1,26 +0,0 @@
-cloudflare
-==========
-
-Expression
-----------
-
-product = cloudflare
-
-Fields
-------
-
-There are no fields for this extension.
-
-Activity Types
---------------
-
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | src_ip | Legacy | ✓ | ✓ | |
-| | src_port | Legacy | | | ✓ |
-| | protocol | Legacy | | ✓ | |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | dest_host | Legacy | | ✓ | |
-| | user | Legacy | | ✓ | |
-| | dest_port | Legacy | | ✓ | |
-
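Review bot: This deletes the `cloudflare` extension doc outright, with no replacement file and no pointer to where the `alert-trigger` fields it documented now live; if the product was renamed or merged into another extension, add the successor doc in the same change, otherwise leave a short deprecation stub so the index entry does not become a dead link. Note also that the deleted file's Expression was the unquoted `product = cloudflare`, unlike every other extension here, which suggests it was hand-edited and may have been dropped by the generator rather than retired on purpose; worth confirming before merge.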
diff --git a/Extensions/code42_incydr.md b/Extensions/code42_incydr.md
index 2d61c7e..53b5ff5 100644
--- a/Extensions/code42_incydr.md
+++ b/Extensions/code42_incydr.md
@@ -23,6 +23,7 @@ Activity Types
| | src_host | Default | | ✓ | |
| file-delete | mime | | | | |
| | tab_title | | | | |
+| | domain_user_name | | | | |
| | device_type | | | | |
| | sync_destination | | | | |
| | email_dlp_from | | | | |
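Review bot: `domain_user_name` is inserted with no Status and no classification, and the identical blank row is repeated for `file-download`, `file-read`, `file-upload` and `file-write` further down this file; since `user` in the same tables is Core plus Detection, tick Informational consistently across all five (or document what a blank row means) so the five activity types do not silently diverge later.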
@@ -76,6 +77,7 @@ Activity Types
| | user_uid | | | | |
| file-download | mime | | | | |
| | tab_title | | | | |
+| | domain_user_name | | | | |
| | device_type | | | | |
| | sync_destination | | | | |
| | email_dlp_from | | | | |
@@ -129,6 +131,7 @@ Activity Types
| | user_uid | | | | |
| file-read | mime | | | | |
| | tab_title | | | | |
+| | domain_user_name | | | | |
| | device_type | Legacy | | | ✓ |
| | sync_destination | | | | |
| | email_dlp_from | | | | |
@@ -182,6 +185,7 @@ Activity Types
| | user_uid | | | | |
| file-upload | mime | | | | |
| | tab_title | | | | |
+| | domain_user_name | | | | |
| | device_type | | | | |
| | sync_destination | | | | |
| | email_dlp_from | | | | |
@@ -235,6 +239,7 @@ Activity Types
| | user_uid | | | | |
| file-write | mime | | | | |
| | tab_title | | | | |
+| | domain_user_name | | | | |
| | device_type | Legacy | | | ✓ |
| | sync_destination | | | | |
| | email_dlp_from | | | | |
@@ -301,6 +306,7 @@ Activity Types
| | event_code | | | | |
| | dest_ip | | | | |
| | log_source | | | | |
+| | local_user_name | | | | |
| | printer_name | Legacy | ✓ | ✓ | |
| | src_host | Legacy | | | ✓ |
| | user | Legacy | ✓ | ✓ | |
diff --git a/Extensions/correlation_rule.md b/Extensions/correlation_rule.md
new file mode 100644
index 0000000..4599a3d
--- /dev/null
+++ b/Extensions/correlation_rule.md
@@ -0,0 +1,34 @@
+correlation rule
+================
+
+Expression
+----------
+
+product = "correlation rule"
+
+Fields
+------
+
+There are no fields for this extension.
+
+Activity Types
+--------------
+
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | rule_severity | | | | ✓ |
+| | local_user_name | | | | |
+| | rule | | | | |
+| | rule_usecases | | | ✓ | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | url | | | | |
+| | rule_id | | | | |
+| | rule_type | | | | |
+| | rule_reason | | | | |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | dest_host | Legacy | | ✓ | |
+| | rule_description | | | | |
+| | mitre_labels | | | ✓ | |
+| | operation | | | | |
+| | user | Legacy | | ✓ | |
+
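Review bot: `rule_usecases` and `mitre_labels` are ticked Detection but carry no Status, while every other Detection-ticked row in this table (`src_host`, `dest_ip`, `dest_host`, `user`) is `Legacy`; either these are Default-status fields missing their Status value or the tick is wrong, and `rule_severity` (Informational, no Status) has the same ambiguity. Given that this is the doc for correlation-rule alerts, which downstream rules will key on, the Status column should be filled in for every ticked row.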
diff --git a/Extensions/cortex_xdr.md b/Extensions/cortex_xdr.md
index c5d7191..86f118b 100644
--- a/Extensions/cortex_xdr.md
+++ b/Extensions/cortex_xdr.md
@@ -14,8 +14,9 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | ------ | ------- | ---- | --------- | ------------- |
-| app-activity | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------- | ---- | --------- | ------------- |
+| app-activity | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
diff --git a/Extensions/crowdstrike_falcon.md b/Extensions/crowdstrike_falcon.md
deleted file mode 100644
index 7dd35d3..0000000
--- a/Extensions/crowdstrike_falcon.md
+++ /dev/null
@@ -1,53 +0,0 @@
-crowdstrike falcon
-==================
-
-Expression
-----------
-
-product = "crowdstrike falcon"
-
-Fields
-------
-
-There are no fields for this extension.
-
-Activity Types
---------------
-
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | -------------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | file_path | Legacy | | | ✓ |
-| | process_id | | | | |
-| | falcon_host_link | | | | |
-| | src_ip | Legacy | ✓ | ✓ | |
-| | sensor_id | | | | |
-| | process_guid | | | | |
-| | event_code | | | | |
-| | process_name | Legacy | | ✓ | |
-| | alert_id | Legacy | | | ✓ |
-| | hash_md5 | | | | |
-| | operating_system | | | | |
-| | image_file_name | | | | |
-| | dest_port | Legacy | | ✓ | |
-| | new_hash | | | | |
-| | file_name | Legacy | ✓ | | |
-| | file_dir | Legacy | | | ✓ |
-| | src_host | Legacy | ✓ | ✓ | |
-| | process_command_line | | | | |
-| | target | | | | |
-| | hash_sha256 | | | | |
-| | src_port | Legacy | | | ✓ |
-| | file_ext | | | | |
-| | application | | | | |
-| | additional_info | | | | |
-| | old_hash | | | | |
-| | bytes | Legacy | | ✓ | |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | user_sid | | | | |
-| | dest_host | Legacy | | ✓ | |
-| | event_name | | | | |
-| | parent_process_guid | | | | |
-| | process_path | Legacy | | ✓ | |
-| | aid | | | | |
-| | user | Legacy | | ✓ | |
-
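Review bot: Removing the `crowdstrike falcon` doc drops the only place that lists the vendor-specific fields (`falcon_host_link`, `sensor_id`, `aid`, `process_guid`, `parent_process_guid`, `new_hash`, `old_hash`) with no replacement in this change; if the extension was split or renamed, add the successor file here, and if it was retired, leave a stub that says so, since `alert-trigger` content for this product is very likely referenced by existing detections.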
diff --git a/Extensions/cyberark_endpoint_privilege_management.md b/Extensions/cyberark_endpoint_privilege_management.md
index 025ee8f..3687fab 100644
--- a/Extensions/cyberark_endpoint_privilege_management.md
+++ b/Extensions/cyberark_endpoint_privilege_management.md
@@ -4,26 +4,38 @@ cyberark endpoint privilege management
Expression
----------
-product = "cyberark endpoint privilege management"
+product = "cyberark epm"
Fields
------
-There are no fields for this extension.
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| process_id | | | ✓ |
+| additional_info | | | ✓ |
+| bytes | | | ✓ |
+| process_name | | | ✓ |
+| event_name | | | ✓ |
+| process_dir | | | ✓ |
+| src_host | | | ✓ |
+| process_path | | | ✓ |
+| object_id | | | ✓ |
+| policy | | | ✓ |
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | -------------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | hash_sha256 | | | | |
-| | file_path | Legacy | | | ✓ |
-| | file_name | Legacy | ✓ | | |
-| | process_name | Legacy | | ✓ | |
-| | file_dir | Legacy | | | ✓ |
-| | parent_process_name | | | | |
-| | dest_host | Legacy | | ✓ | |
-| | process_command_line | | | | |
-| | process_path | Legacy | | ✓ | |
-| | user | Legacy | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------------ | -------------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | hash_sha256 | | | | |
+| | file_path | Legacy | | | ✓ |
+| | file_name | Legacy | ✓ | | |
+| | process_name | Legacy | | ✓ | |
+| | file_dir | Legacy | | | ✓ |
+| | parent_process_name | | | | |
+| | dest_host | Legacy | | ✓ | |
+| | process_command_line | | | | |
+| | process_path | Legacy | | ✓ | |
+| | user | Legacy | | ✓ | |
+| user-privilege-use | | | | | |
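Review bot: Three unrelated changes land in one hunk: the Expression moves from `"cyberark endpoint privilege management"` to `"cyberark epm"`, a Fields table replaces "There are no fields for this extension.", and `user-privilege-use` is added with no field rows. The Expression change has the same migration concern as the other product renames in this change set and needs a note giving the old value; and an activity type with no fields and no Status tells the reader nothing, so either list the fields it carries or mark it as reserved. A separate `cyberark_endpoint_privilege_manager.md` with the same Fields and Activity Types tables but a different product string is added in the next file, so please confirm these are two distinct products and not one parser documented twice.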
diff --git a/Extensions/cyberark_endpoint_privilege_manager.md b/Extensions/cyberark_endpoint_privilege_manager.md
new file mode 100644
index 0000000..87189de
--- /dev/null
+++ b/Extensions/cyberark_endpoint_privilege_manager.md
@@ -0,0 +1,41 @@
+cyberark endpoint privilege manager
+===================================
+
+Expression
+----------
+
+product = "cyberark endpoint privilege manager"
+
+Fields
+------
+
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| process_id | | | ✓ |
+| additional_info | | | ✓ |
+| bytes | | | ✓ |
+| process_name | | | ✓ |
+| event_name | | | ✓ |
+| process_dir | | | ✓ |
+| src_host | | | ✓ |
+| process_path | | | ✓ |
+| object_id | | | ✓ |
+| policy | | | ✓ |
+
+Activity Types
+--------------
+
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------------ | -------------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | hash_sha256 | | | | |
+| | file_path | Legacy | | | ✓ |
+| | file_name | Legacy | ✓ | | |
+| | process_name | Legacy | | ✓ | |
+| | file_dir | Legacy | | | ✓ |
+| | parent_process_name | | | | |
+| | dest_host | Legacy | | ✓ | |
+| | process_command_line | | | | |
+| | process_path | Legacy | | ✓ | |
+| | user | Legacy | | ✓ | |
+| user-privilege-use | | | | | |
+
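Review bot: Apart from the title and the `product` string, this file is identical to the updated `cyberark_endpoint_privilege_management.md`, which is a maintenance hazard because the two will drift. If the parser really emits both product values, one doc that lists both expressions (or an alias line) is easier to keep correct; if only one value is emitted, drop the other file.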
diff --git a/Extensions/cyberark_privilege_access_management.md b/Extensions/cyberark_privilege_access_management.md
index 93092c6..f3e9b9d 100644
--- a/Extensions/cyberark_privilege_access_management.md
+++ b/Extensions/cyberark_privilege_access_management.md
@@ -22,84 +22,91 @@ Fields
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ---------------------- | --------------- | ------- | -------- | --------- | ------------- |
-| app-activity | file_path | Default | | | ✓ |
-| | file_ext | Default | | | ✓ |
-| | resource | Default | | | ✓ |
-| | file_name | Default | | | ✓ |
-| | file_type | Default | | | ✓ |
-| | process_name | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | file_dir | Default | | | ✓ |
-| | src_host | Default | | ✓ | |
-| | user | Default | | ✓ | |
-| | object | Default | | | ✓ |
-| app-login | event_subtype | Default | | | ✓ |
-| | src_host | Default | | ✓ | |
-| app-logout | domain | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| app-notification | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| endpoint-login | process_name | Default | | | ✓ |
-| | src_host | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | command | Default | | | ✓ |
-| file-delete | db_name | | | | |
-| | additional_info | | | | |
-| | domain | | | | |
-| | device_type | | | | |
-| | src_host | Legacy | | ✓ | |
-| | user | Legacy | ✓ | ✓ | |
-| | record_type | | | | |
-| | safe_name | | | | |
-| file-permission-modify | db_name | | | | |
-| | additional_info | | | | |
-| | domain | | | | |
-| | device_type | | | | |
-| | src_host | | | | |
-| | user | Legacy | ✓ | ✓ | |
-| | record_type | | | | |
-| | safe_name | | | | |
-| file-property-delete | domain | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| file-read | db_name | | | | |
-| | additional_info | | | | |
-| | domain | | | | |
-| | device_type | Legacy | | | ✓ |
-| | src_host | Legacy | | ✓ | |
-| | user | Legacy | ✓ | ✓ | |
-| | record_type | | | | |
-| | safe_name | | | | |
-| file-write | db_name | | | | |
-| | additional_info | | | | |
-| | domain | | | | |
-| | device_type | Legacy | | | ✓ |
-| | src_host | | | | |
-| | user | Legacy | ✓ | ✓ | |
-| | record_type | | | | |
-| | safe_name | | | | |
-| password-create | protocol | Default | | | ✓ |
-| | process_name | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | session_id | Default | | | ✓ |
-| | src_host | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | command | Default | | | ✓ |
-| password-use | protocol | Default | | | ✓ |
-| | process_name | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | session_id | Default | | | ✓ |
-| | src_host | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | command | Default | | | ✓ |
-| user-password-modify | src_host | Default | | ✓ | |
-| user-password-read | gateway_station | | | | |
-| | process_name | Legacy | | | ✓ |
-| | session_id | | | | |
-| | src_host | Legacy | | | ✓ |
-| | command | | | | |
-| user-password-reset | src_host | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ---------------------- | ---------------- | ------- | -------- | --------- | ------------- |
+| app-activity | file_path | Default | | | ✓ |
+| | file_ext | Default | | | ✓ |
+| | resource | Default | | | ✓ |
+| | file_name | Default | | | ✓ |
+| | file_type | Default | | | ✓ |
+| | process_name | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | file_dir | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | src_host | Default | | ✓ | |
+| | user | Default | | ✓ | |
+| | object | Default | | | ✓ |
+| app-login | event_subtype | Default | | | ✓ |
+| | src_host | Default | | ✓ | |
+| app-logout | domain | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| app-notification | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| endpoint-login | process_name | Default | | | ✓ |
+| | src_host | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | command | Default | | | ✓ |
+| file-delete | db_name | | | | |
+| | additional_info | | | | |
+| | domain | | | | |
+| | domain_user_name | | | | |
+| | device_type | | | | |
+| | src_host | Legacy | | ✓ | |
+| | user | Legacy | ✓ | ✓ | |
+| | record_type | | | | |
+| | safe_name | | | | |
+| file-permission-modify | db_name | | | | |
+| | additional_info | | | | |
+| | domain | | | | |
+| | domain_user_name | | | | |
+| | device_type | | | | |
+| | src_host | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | record_type | | | | |
+| | safe_name | | | | |
+| file-property-delete | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | operation | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| file-read | db_name | | | | |
+| | additional_info | | | | |
+| | domain | | | | |
+| | domain_user_name | | | | |
+| | device_type | Legacy | | | ✓ |
+| | src_host | Legacy | | ✓ | |
+| | user | Legacy | ✓ | ✓ | |
+| | record_type | | | | |
+| | safe_name | | | | |
+| file-write | db_name | | | | |
+| | additional_info | | | | |
+| | domain | | | | |
+| | domain_user_name | | | | |
+| | device_type | Legacy | | | ✓ |
+| | src_host | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | record_type | | | | |
+| | safe_name | | | | |
+| password-create | protocol | Default | | | ✓ |
+| | process_name | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | session_id | Default | | | ✓ |
+| | src_host | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | command | Default | | | ✓ |
+| password-use | protocol | Default | | | ✓ |
+| | process_name | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | session_id | Default | | | ✓ |
+| | src_host | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | command | Default | | | ✓ |
+| user-password-modify | src_host | Default | | ✓ | |
+| user-password-read | gateway_station | | | | |
+| | process_name | Legacy | | | ✓ |
+| | session_id | | | | |
+| | src_host | Legacy | | | ✓ |
+| | command | | | | |
+| user-password-reset | src_host | | | | |
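Review bot: The only substantive change here is the insertion of blank `domain_user_name` rows under seven activity types, yet the whole 84-line table is re-emitted because the `Field` column grew by one character; that is expected for a generated table, but it makes the real change hard to review, so a fixed column width in the generator would help. The new rows carry no Status or classification, the same gap as in the other files of this change.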
diff --git a/Extensions/cyberark_privilege_access_manager.md b/Extensions/cyberark_privilege_access_manager.md
new file mode 100644
index 0000000..9383db1
--- /dev/null
+++ b/Extensions/cyberark_privilege_access_manager.md
@@ -0,0 +1,123 @@
+cyberark privilege access manager
+=================================
+
+Expression
+----------
+
+product = "cyberark privilege access manager"
+
+Fields
+------
+
+| Field | Core | Detection | Informational |
+| ----------------- | ---- | --------- | ------------- |
+| src_ip | | | ✓ |
+| event_code | | | ✓ |
+| dest_ip | | | ✓ |
+| dest_service_name | | | ✓ |
+| dest_host | | | ✓ |
+| safe_value | | | ✓ |
+| dest_port | | | ✓ |
+
+Activity Types
+--------------
+
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ---------------------- | ---------------- | ------- | -------- | --------- | ------------- |
+| app-activity | file_path | Default | | | ✓ |
+| | resource | Default | | | ✓ |
+| | file_name | Default | | | ✓ |
+| | file_dir | Default | | | ✓ |
+| | app_group | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | src_host | Default | | ✓ | |
+| | event_subtype | Default | | | ✓ |
+| | file_ext | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | file_type | Default | | | ✓ |
+| | process_name | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | object | Default | | | ✓ |
+| app-login | src_ip | Default | | ✓ | |
+| | protocol | Default | | | ✓ |
+| | event_code | Default | | | ✓ |
+| | event_subtype | Default | | | ✓ |
+| | src_host | Default | | ✓ | |
+| | url | Default | | | ✓ |
+| app-logout | domain | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| app-notification | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| endpoint-login | process_name | Default | | | ✓ |
+| | src_host | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | command | Default | | | ✓ |
+| file-delete | db_name | | | | |
+| | additional_info | | | | |
+| | domain | | | | |
+| | domain_user_name | | | | |
+| | device_type | | | | |
+| | src_host | Legacy | | ✓ | |
+| | user | Legacy | ✓ | ✓ | |
+| | record_type | | | | |
+| | safe_name | | | | |
+| file-permission-modify | db_name | | | | |
+| | additional_info | | | | |
+| | domain | | | | |
+| | domain_user_name | | | | |
+| | device_type | | | | |
+| | src_host | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | record_type | | | | |
+| | safe_name | | | | |
+| file-property-delete | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | operation | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| file-read | db_name | | | | |
+| | additional_info | | | | |
+| | domain | | | | |
+| | domain_user_name | | | | |
+| | device_type | Legacy | | | ✓ |
+| | src_host | Legacy | | ✓ | |
+| | user | Legacy | ✓ | ✓ | |
+| | record_type | | | | |
+| | safe_name | | | | |
+| file-write | db_name | | | | |
+| | additional_info | | | | |
+| | domain | | | | |
+| | domain_user_name | | | | |
+| | device_type | Legacy | | | ✓ |
+| | src_host | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | record_type | | | | |
+| | safe_name | | | | |
+| password-create | protocol | Default | | | ✓ |
+| | process_name | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | session_id | Default | | | ✓ |
+| | src_host | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | command | Default | | | ✓ |
+| password-use | protocol | Default | | | ✓ |
+| | process_name | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | session_id | Default | | | ✓ |
+| | src_host | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | command | Default | | | ✓ |
+| user-password-modify | src_host | Default | | ✓ | |
+| user-password-read | gateway_station | | | | |
+| | process_name | Legacy | | | ✓ |
+| | event_code | Legacy | | | ✓ |
+| | domain | Legacy | | | ✓ |
+| | session_id | | | | |
+| | domain_user_name | | | | |
+| | src_host | Legacy | | | ✓ |
+| | user | Legacy | ✓ | | |
+| | command | | | | |
+| user-password-reset | src_host | | | | |
+
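Review bot: This new `cyberark privilege access manager` doc largely duplicates `cyberark_privilege_access_management.md` but is not identical: it adds a Fields table (`src_ip`, `event_code`, `dest_ip`, `dest_service_name`, `dest_host`, `safe_value`, `dest_port`), extra `app-activity` rows (`app_group`, `event_subtype`, `additional_info`), an `app-login` block (`src_ip`, `protocol`, `event_code`, `event_subtype`, `src_host`, `url`) and extra `user-password-read` rows (`event_code`, `domain`, `domain_user_name`, `user`). Those extra rows are exactly the rows documented in `cyberark_privileged_session_manager.md`, so this looks like a merged successor of the PAM and PSM docs; if so, say that in a line under the title and plan the removal of the two older files, and if not, reduce the overlap so each field is documented in one place.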
diff --git a/Extensions/cyberark_privileged_session_manager.md b/Extensions/cyberark_privileged_session_manager.md
index 3e1a675..5bf6963 100644
--- a/Extensions/cyberark_privileged_session_manager.md
+++ b/Extensions/cyberark_privileged_session_manager.md
@@ -14,18 +14,19 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------------ | --------------- | ------- | -------- | --------- | ------------- |
-| app-activity | additional_info | Default | | | ✓ |
-| | app_group | Default | | | ✓ |
-| | event_subtype | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| app-login | src_ip | Default | | ✓ | |
-| | protocol | Default | | | ✓ |
-| | event_code | Default | | | ✓ |
-| | event_subtype | Default | | | ✓ |
-| | url | Default | | | ✓ |
-| user-password-read | event_code | Legacy | | | ✓ |
-| | domain | Legacy | | | ✓ |
-| | user | Legacy | ✓ | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------------ | ---------------- | ------- | -------- | --------- | ------------- |
+| app-activity | additional_info | Default | | | ✓ |
+| | app_group | Default | | | ✓ |
+| | event_subtype | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| app-login | src_ip | Default | | ✓ | |
+| | protocol | Default | | | ✓ |
+| | event_code | Default | | | ✓ |
+| | event_subtype | Default | | | ✓ |
+| | url | Default | | | ✓ |
+| user-password-read | event_code | Legacy | | | ✓ |
+| | domain | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | | |
diff --git a/Extensions/cybereason_xdr.md b/Extensions/cybereason_xdr.md
index fc484e7..b612e6d 100644
--- a/Extensions/cybereason_xdr.md
+++ b/Extensions/cybereason_xdr.md
@@ -14,12 +14,13 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------ | ---- | --------- | ------------- |
-| alert-trigger | additional_info | | | | |
-| | domain | | | | |
-| | action | Legacy | | | ✓ |
-| | dest_host | Legacy | | ✓ | |
-| | threat_type | | | | |
-| | user | Legacy | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------ | ---- | --------- | ------------- |
+| alert-trigger | additional_info | | | | |
+| | domain | | | | |
+| | action | Legacy | | | ✓ |
+| | dest_host | Legacy | | ✓ | |
+| | threat_type | | | | |
+| | domain_user_name | | | | |
+| | user | Legacy | | ✓ | |
diff --git a/Extensions/cylance_protect.md b/Extensions/cylance_protect.md
index 8179d54..a2c32f0 100644
--- a/Extensions/cylance_protect.md
+++ b/Extensions/cylance_protect.md
@@ -14,27 +14,29 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ---------------- | --------------- | ------- | ---- | --------- | ------------- |
-| app-activity | src_ip | Default | | ✓ | |
-| | application | Default | | | ✓ |
-| | login_type | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | object | Default | | | ✓ |
-| app-login | src_ip | Default | | ✓ | |
-| | application | Default | | | ✓ |
-| | login_type | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| app-notification | src_ip | Default | | ✓ | |
-| | application | Default | | | ✓ |
-| | login_type | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | object | Default | | | ✓ |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ---------------- | ---------------- | ------- | ---- | --------- | ------------- |
+| app-activity | src_ip | Default | | ✓ | |
+| | app | Default | | | ✓ |
+| | login_type | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | object | Default | | | ✓ |
+| app-login | src_ip | Default | | ✓ | |
+| | app | Default | | | ✓ |
+| | login_type | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| app-notification | src_ip | Default | | ✓ | |
+| | app | Default | | | ✓ |
+| | login_type | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | operation | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | object | Default | | | ✓ |
diff --git a/Extensions/data_security_platform.md b/Extensions/data_security_platform.md
index 1071323..660b05a 100644
--- a/Extensions/data_security_platform.md
+++ b/Extensions/data_security_platform.md
@@ -14,26 +14,30 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ---------------------- | --------- | ------ | -------- | --------- | ------------- |
-| file-delete | access | Legacy | | ✓ | |
-| | dest_ip | | | | |
-| | domain | | | | |
-| | dest_host | Legacy | | ✓ | |
-| | user | Legacy | ✓ | ✓ | |
-| file-permission-modify | access | Legacy | | ✓ | |
-| | dest_ip | | | | |
-| | domain | | | | |
-| | dest_host | Legacy | | ✓ | |
-| | user | Legacy | ✓ | ✓ | |
-| file-read | access | Legacy | | ✓ | |
-| | dest_ip | | | | |
-| | domain | | | | |
-| | dest_host | Legacy | | ✓ | |
-| | user | Legacy | ✓ | ✓ | |
-| file-write | access | Legacy | | ✓ | |
-| | dest_ip | | | | |
-| | domain | | | | |
-| | dest_host | Legacy | | ✓ | |
-| | user | Legacy | ✓ | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ---------------------- | ---------------- | ------ | -------- | --------- | ------------- |
+| file-delete | access | Legacy | | ✓ | |
+| | dest_ip | | | | |
+| | domain | | | | |
+| | dest_host | Legacy | | ✓ | |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| file-permission-modify | access | Legacy | | ✓ | |
+| | dest_ip | | | | |
+| | domain | | | | |
+| | dest_host | Legacy | | ✓ | |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| file-read | access | Legacy | | ✓ | |
+| | dest_ip | | | | |
+| | domain | | | | |
+| | dest_host | Legacy | | ✓ | |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| file-write | access | Legacy | | ✓ | |
+| | dest_ip | | | | |
+| | domain | | | | |
+| | dest_host | Legacy | | ✓ | |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
diff --git a/Extensions/deep_security.md b/Extensions/deep_security.md
index 54c3ac5..483a567 100644
--- a/Extensions/deep_security.md
+++ b/Extensions/deep_security.md
@@ -4,7 +4,7 @@ deep security
Expression
----------
-product = "deep security agent"
+product = "deep security"
Fields
------
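Review bot: The Expression changes from `product = "deep security agent"` to `product = "deep security"`, which will stop matching any saved search or rule written against the old value; add a note giving the previous value and when it changed, or keep the old string as an alias if the parser still emits it.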
@@ -14,18 +14,19 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| --------------- | ----------- | ------- | ---- | --------- | ------------- |
-| network-session | hash_sha256 | Default | | | ✓ |
-| | file_path | Default | | | ✓ |
-| | hash_sha1 | Default | | | ✓ |
-| | file_ext | Default | | | ✓ |
-| | bytes_out | Default | | | ✓ |
-| | bytes_in | Default | | | ✓ |
-| | file_name | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | file_dir | Default | | | ✓ |
-| | hash_md5 | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| --------------- | ---------------- | ------- | ---- | --------- | ------------- |
+| network-session | file_path | Default | | | ✓ |
+| | hash_sha1 | Default | | | ✓ |
+| | bytes_in | Default | | | ✓ |
+| | file_name | Default | | | ✓ |
+| | file_dir | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | hash_sha256 | Default | | | ✓ |
+| | file_ext | Default | | | ✓ |
+| | bytes_out | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | hash_md5 | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
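Review bot: the `network-session` table is rewritten wholesale and the row order changes (`file_path` now leads, `hash_sha256` moves to the middle), so the diff hides that only one row, `domain_user_name`, is actually new. Keep the existing order when regenerating so the addition is reviewable on its own, and note that the new row, unlike every other populated row here, has neither a Status nor a classification mark.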
diff --git a/Extensions/digital_guardian_endpoint_protection.md b/Extensions/digital_guardian_endpoint_protection.md
index a8ff4b9..eba2a06 100644
--- a/Extensions/digital_guardian_endpoint_protection.md
+++ b/Extensions/digital_guardian_endpoint_protection.md
@@ -9,73 +9,74 @@ product = "digital guardian endpoint protection"
Fields
------
-| Field | Core | Detection | Informational |
-| ---------- | -------- | --------- | ------------- |
-| event_code | | | ✓ |
-| domain | | | ✓ |
-| user | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| event_code | | | ✓ |
+| domain | | | ✓ |
+| domain_user_name | | | |
+| user | ✓ | ✓ | |
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------------------- | ---------------- | ------- | -------- | --------- | ------------- |
-| app-login | application | Default | | | ✓ |
-| email-send | src_ip | Default | | ✓ | |
-| | bytes | Default | | | ✓ |
-| | dest_ip | Default | | ✓ | |
-| | dest_host | Default | | ✓ | |
-| endpoint-login | process_name | Default | | | ✓ |
-| file-copy | process_name | Default | | | ✓ |
-| | src_host | Default | | ✓ | |
-| file-delete | src_ip | | | ✓ | |
-| | src_file_name | | | | ✓ |
-| | process_name | Legacy | | | ✓ |
-| | bytes | | | | ✓ |
-| | dest_ip | | | ✓ | |
-| | src_file_dir | | | | ✓ |
-| | src_host | Legacy | | ✓ | |
-| file-download | src_ip | | | ✓ | |
-| | src_port | | | | ✓ |
-| | process_name | Legacy | | | ✓ |
-| | bytes | Legacy | | ✓ | |
-| | dest_ip | | | ✓ | |
-| | dest_host | Legacy | | | ✓ |
-| | dest_port | | | | ✓ |
-| file-read | src_ip | | | ✓ | |
-| | src_file_name | | | | ✓ |
-| | process_name | Legacy | | | ✓ |
-| | bytes | Legacy | | | ✓ |
-| | dest_ip | | | ✓ | |
-| | src_file_dir | | | | ✓ |
-| | src_host | Legacy | | ✓ | |
-| file-upload | src_ip | | | ✓ | |
-| | src_port | | | | ✓ |
-| | process_name | Legacy | | | ✓ |
-| | bytes | | | | ✓ |
-| | dest_ip | | | ✓ | |
-| | src_host | Legacy | | | ✓ |
-| | dest_port | | | | ✓ |
-| file-write | src_ip | | | ✓ | |
-| | src_file_name | Legacy | | ✓ | |
-| | process_name | Legacy | | | ✓ |
-| | bytes | Legacy | | ✓ | |
-| | dest_ip | | | ✓ | |
-| | src_file_dir | Legacy | | ✓ | |
-| | src_host | | | ✓ | |
-| network-session | process_name | Default | | | ✓ |
-| peripheral_storage-insert | rule_action | | | | ✓ |
-| | process_name | Legacy | | | ✓ |
-| | file_name | | | | ✓ |
-| | bytes | | | | ✓ |
-| | file_dir | | | | ✓ |
-| | rule | | | | ✓ |
-| | policy_name | | | | ✓ |
-| | operating_system | | | | ✓ |
-| printer-activity | bytes | Legacy | | ✓ | |
-| | dest_ip | | | ✓ | |
-| | printer_name | Legacy | ✓ | ✓ | |
-| | src_host | Legacy | | | ✓ |
-| | object | | | | ✓ |
-| process-create | dest_ip | Default | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------------------- | ------------- | ------- | -------- | --------- | ------------- |
+| app-login | app | Default | | | ✓ |
+| email-send | src_ip | Default | | ✓ | |
+| | bytes | Default | | | ✓ |
+| | dest_ip | Default | | ✓ | |
+| | dest_host | Default | | ✓ | |
+| endpoint-login | process_name | Default | | | ✓ |
+| file-copy | process_name | Default | | | ✓ |
+| | src_host | Default | | ✓ | |
+| file-delete | src_ip | | | ✓ | |
+| | src_file_name | | | | ✓ |
+| | process_name | Legacy | | | ✓ |
+| | bytes | | | | ✓ |
+| | dest_ip | | | ✓ | |
+| | src_file_dir | | | | ✓ |
+| | src_host | Legacy | | ✓ | |
+| file-download | src_ip | | | ✓ | |
+| | src_port | | | | ✓ |
+| | process_name | Legacy | | | ✓ |
+| | bytes | Legacy | | ✓ | |
+| | dest_ip | | | ✓ | |
+| | dest_host | Legacy | | | ✓ |
+| | dest_port | | | | ✓ |
+| file-read | src_ip | | | ✓ | |
+| | src_file_name | | | | ✓ |
+| | process_name | Legacy | | | ✓ |
+| | bytes | Legacy | | | ✓ |
+| | dest_ip | | | ✓ | |
+| | src_file_dir | | | | ✓ |
+| | src_host | Legacy | | ✓ | |
+| file-upload | src_ip | | | ✓ | |
+| | src_port | | | | ✓ |
+| | process_name | Legacy | | | ✓ |
+| | bytes | | | | ✓ |
+| | dest_ip | | | ✓ | |
+| | src_host | Legacy | | | ✓ |
+| | dest_port | | | | ✓ |
+| file-write | src_ip | | | ✓ | |
+| | src_file_name | Legacy | | ✓ | |
+| | process_name | Legacy | | | ✓ |
+| | bytes | Legacy | | ✓ | |
+| | dest_ip | | | ✓ | |
+| | src_file_dir | Legacy | | ✓ | |
+| | src_host | | | ✓ | |
+| network-session | process_name | Default | | | ✓ |
+| peripheral_storage-insert | rule_action | | | | ✓ |
+| | os | | | | ✓ |
+| | process_name | Legacy | | | ✓ |
+| | file_name | | | | ✓ |
+| | bytes | | | | ✓ |
+| | file_dir | | | | ✓ |
+| | rule | | | | ✓ |
+| | policy_name | | | | ✓ |
+| printer-activity | bytes | Legacy | | ✓ | |
+| | dest_ip | | | ✓ | |
+| | printer_name | Legacy | ✓ | ✓ | |
+| | src_host | Legacy | | | ✓ |
+| | object | | | | ✓ |
+| process-create | dest_ip | Default | | ✓ | |
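Review bot: this hunk bundles two field renames, `application` to `app` under app-login and `operating_system` to `os` under peripheral_storage-insert, with the addition of an unclassified `domain_user_name` field. The renames are breaking for anything that consumes these field names and belong in their own clearly labelled commit, or at least a sentence in the message; `os` also lands at a different position than `operating_system` held, so the rename is easy to miss in the reflowed table.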
diff --git a/Extensions/dropbox.md b/Extensions/dropbox.md
index d5b7f32..0ac7b31 100644
--- a/Extensions/dropbox.md
+++ b/Extensions/dropbox.md
@@ -9,11 +9,12 @@ product = "dropbox"
Fields
------
-| Field | Core | Detection | Informational |
-| ------ | -------- | --------- | ------------- |
-| src_ip | | ✓ | |
-| domain | | | ✓ |
-| user | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| src_ip | | ✓ | |
+| domain | | | ✓ |
+| domain_user_name | | | |
+| user | ✓ | ✓ | |
Activity Types
--------------
diff --git a/Extensions/dtex_intercept.md b/Extensions/dtex_intercept.md
index 7ee5d65..f352a7d 100644
--- a/Extensions/dtex_intercept.md
+++ b/Extensions/dtex_intercept.md
@@ -9,34 +9,35 @@ product = "dtex intercept"
Fields
------
-| Field | Core | Detection | Informational |
-| ------ | -------- | --------- | ------------- |
-| domain | | | ✓ |
-| user | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| domain | | | ✓ |
+| domain_user_name | | | |
+| user | ✓ | ✓ | |
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ---------------- | ---------------- | ------- | -------- | --------- | ------------- |
-| endpoint-lock | event_code | | | | ✓ |
-| endpoint-login | event_code | Default | | | ✓ |
-| endpoint-unlock | event_code | Legacy | | | ✓ |
-| file-delete | access | Legacy | | ✓ | |
-| | process_name | Legacy | | | ✓ |
-| | bytes | | | | ✓ |
-| | process_dir | Legacy | | | ✓ |
-| file-read | access | Legacy | | ✓ | |
-| | process_name | Legacy | | | ✓ |
-| | bytes | Legacy | | | ✓ |
-| | process_dir | Legacy | | | ✓ |
-| file-write | access | Legacy | | ✓ | |
-| | process_name | Legacy | | | ✓ |
-| | bytes | Legacy | | ✓ | |
-| | process_dir | Legacy | | | ✓ |
-| http-session | operating_system | Default | | | ✓ |
-| printer-activity | bytes | Legacy | | ✓ | |
-| | num_pages | Legacy | | ✓ | |
-| | printer_name | Legacy | ✓ | ✓ | |
-| process-create | | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ---------------- | ------------ | ------- | -------- | --------- | ------------- |
+| endpoint-lock | event_code | | | | ✓ |
+| endpoint-login | event_code | Default | | | ✓ |
+| endpoint-unlock | event_code | Legacy | | | ✓ |
+| file-delete | access | Legacy | | ✓ | |
+| | process_name | Legacy | | | ✓ |
+| | bytes | | | | ✓ |
+| | process_dir | Legacy | | | ✓ |
+| file-read | access | Legacy | | ✓ | |
+| | process_name | Legacy | | | ✓ |
+| | bytes | Legacy | | | ✓ |
+| | process_dir | Legacy | | | ✓ |
+| file-write | access | Legacy | | ✓ | |
+| | process_name | Legacy | | | ✓ |
+| | bytes | Legacy | | ✓ | |
+| | process_dir | Legacy | | | ✓ |
+| http-session | os | Default | | | ✓ |
+| printer-activity | bytes | Legacy | | ✓ | |
+| | num_pages | Legacy | | ✓ | |
+| | printer_name | Legacy | ✓ | ✓ | |
+| process-create | | | | | |
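Review bot: `http-session` renames `operating_system` to `os` inside a table reflow, which should be called out rather than buried, and `process-create` is carried over with an empty Field cell (`| process-create | | | | | |`), which reads as a leftover placeholder. Either add the field that row is meant to list or drop the row.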
diff --git a/Extensions/duo_access_security.md b/Extensions/duo_access_security.md
index d811b02..312c4f5 100644
--- a/Extensions/duo_access_security.md
+++ b/Extensions/duo_access_security.md
@@ -13,9 +13,9 @@ Fields
| ---------------- | ---- | --------- | ------------- |
| result | | | ✓ |
| src_ip | | ✓ | |
+| os | | | ✓ |
| location_country | | | ✓ |
| location_city | | | ✓ |
-| operating_system | | | ✓ |
| location_state | | | ✓ |
| user_agent | | | ✓ |
| object | | | ✓ |
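Review bot: `operating_system` is renamed to `os` and moved up the list in the same step, so the diff shows an unrelated insert and delete instead of a rename. Keep the row in place when renaming so the change is reviewable as a rename, and confirm every consumer of `operating_system` for this extension is updated.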
@@ -23,17 +23,18 @@ Fields
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------------ | --------------- | ------- | -------- | --------- | ------------- |
-| app-activity | auth_method | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | user | Default | ✓ | ✓ | |
-| app-authentication | new_enrollment | Default | | | ✓ |
-| | session_id | Default | | | ✓ |
-| app-login | additional_info | Default | | | ✓ |
-| user-create | additional_info | | | | ✓ |
-| | factor | | | | ✓ |
-| | alert_type | | | | ✓ |
-| vpn-login | additional_info | Default | | | ✓ |
-| | service_name | Default | | | ✓ |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------------ | ---------------- | ------- | -------- | --------- | ------------- |
+| app-activity | auth_method | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | ✓ | ✓ | |
+| app-authentication | new_enrollment | Default | | | ✓ |
+| | session_id | Default | | | ✓ |
+| app-login | additional_info | Default | | | ✓ |
+| user-create | additional_info | | | | ✓ |
+| | factor | | | | ✓ |
+| | alert_type | | | | ✓ |
+| vpn-login | additional_info | Default | | | ✓ |
+| | service_name | Default | | | ✓ |
diff --git a/Extensions/edirectory.md b/Extensions/edirectory.md
index fb2ac46..150b98e 100644
--- a/Extensions/edirectory.md
+++ b/Extensions/edirectory.md
@@ -9,16 +9,17 @@ product = "edirectory"
Fields
------
-| Field | Core | Detection | Informational |
-| --------- | ---- | --------- | ------------- |
-| src_ip | | ✓ | |
-| user_ou | | | ✓ |
-| src_port | | | ✓ |
-| protocol | | | ✓ |
-| dest_ip | | ✓ | |
-| src_host | | ✓ | |
-| user | | ✓ | |
-| dest_port | | | ✓ |
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| src_ip | | ✓ | |
+| user_ou | | | ✓ |
+| src_port | | | ✓ |
+| protocol | | | ✓ |
+| dest_ip | | ✓ | |
+| local_user_name | | | |
+| src_host | | ✓ | |
+| user | | ✓ | |
+| dest_port | | | ✓ |
Activity Types
--------------
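Review bot: this table adds `local_user_name` where the other Fields tables in this change add `domain_user_name`. If the distinction between a local and a domain account is deliberate for edirectory, the commit message should say so, because the two names are otherwise easy to confuse; the new row is also blank in every classification column.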
diff --git a/Extensions/egnyte.md b/Extensions/egnyte.md
index b5e7e58..ff22265 100644
--- a/Extensions/egnyte.md
+++ b/Extensions/egnyte.md
@@ -14,68 +14,81 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ---------------------- | --------------- | ------- | -------- | --------- | ------------- |
-| app-authentication | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| app-login | src_ip | Default | | ✓ | |
-| | application | Default | | | ✓ |
-| | event_name | Default | | | ✓ |
-| | event_subtype | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | dproc | Default | | | ✓ |
-| file-permission-modify | access | Legacy | | ✓ | |
-| | service_name | | | | ✓ |
-| | domain | | | | ✓ |
-| | user | Legacy | ✓ | ✓ | |
-| | object | | | | ✓ |
-| group-member-add | additional_info | | | | |
-| | domain | Legacy | | | ✓ |
-| | user | Legacy | ✓ | ✓ | |
-| | operation | | | | |
-| group-member-remove | additional_info | | | | |
-| | domain | Legacy | | | ✓ |
-| | user | Legacy | ✓ | ✓ | |
-| | operation | | | | |
-| user-create | additional_info | | | | |
-| | domain | Legacy | | | ✓ |
-| | user | Legacy | ✓ | ✓ | |
-| | operation | | | | |
-| user-delete | additional_info | | | | |
-| | domain | Legacy | | | ✓ |
-| | user | Legacy | ✓ | ✓ | |
-| | operation | | | | |
-| user-disable | additional_info | | | | |
-| | domain | Legacy | | | ✓ |
-| | user | Legacy | ✓ | ✓ | |
-| | operation | | | | |
-| user-enable | additional_info | | | | |
-| | domain | Legacy | | | ✓ |
-| | user | Legacy | ✓ | ✓ | |
-| | operation | | | | |
-| user-mfa-disable | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| user-mfa-enable | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| user-modify | additional_info | | | | |
-| | domain | Legacy | | | ✓ |
-| | user | Legacy | ✓ | | |
-| | operation | | | | |
-| user-password-modify | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| user-password-reset | additional_info | | | | |
-| | domain | Legacy | | | ✓ |
-| | user | Legacy | ✓ | ✓ | |
-| | operation | | | | |
-| user-permission-modify | additional_info | | | | |
-| | domain | Legacy | | | ✓ |
-| | user | Legacy | ✓ | | |
-| | operation | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ---------------------- | ---------------- | ------- | -------- | --------- | ------------- |
+| app-authentication | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| app-login | app | Default | | | ✓ |
+| | src_ip | Default | | ✓ | |
+| | event_name | Default | | | ✓ |
+| | event_subtype | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | dproc | Default | | | ✓ |
+| file-permission-modify | access | Legacy | | ✓ | |
+| | service_name | | | | ✓ |
+| | domain | | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | object | | | | ✓ |
+| group-member-add | additional_info | | | | |
+| | domain | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | operation | | | | |
+| group-member-remove | additional_info | | | | |
+| | domain | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | operation | | | | |
+| user-create | additional_info | | | | |
+| | domain | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | operation | | | | |
+| user-delete | additional_info | | | | |
+| | domain | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | operation | | | | |
+| user-disable | additional_info | | | | |
+| | domain | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | operation | | | | |
+| user-enable | additional_info | | | | |
+| | domain | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | operation | | | | |
+| user-mfa-disable | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| user-mfa-enable | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| user-modify | additional_info | | | | |
+| | domain | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | | |
+| | operation | | | | |
+| user-password-modify | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| user-password-reset | additional_info | | | | |
+| | domain | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | operation | | | | |
+| user-permission-modify | additional_info | | | | |
+| | domain | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | | |
+| | operation | | | | |
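Review bot: app-login renames `application` to `app` and moves the row to the head of the group, so the rename reads as a delete plus an insert, and the same hunk adds eleven `domain_user_name` rows with no Status or classification. Split the rename from the bulk addition, and decide once whether `domain_user_name` should take the status of the `user` row beside it (mostly `Legacy` here, `Default` under the mfa and password rows) rather than leaving every instance blank.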
diff --git a/Extensions/elastic_endpoint_security.md b/Extensions/elastic_endpoint_security.md
index cff0a75..9749684 100644
--- a/Extensions/elastic_endpoint_security.md
+++ b/Extensions/elastic_endpoint_security.md
@@ -18,8 +18,11 @@ Activity Types
| ------------- | -------------------- | ------ | -------- | --------- | ------------- |
| alert-trigger | process_id | | | | |
| | process | | | | |
+| | os | | | | |
| | file_name | Legacy | ✓ | | |
| | event_name_name | | | | |
+| | process_dir | | | | |
+| | domain_user_name | | | | |
| | process_command_line | | | | |
| | parent_process | | | | |
| | src_host | Legacy | ✓ | ✓ | |
@@ -31,9 +34,7 @@ Activity Types
| | alert_id | Legacy | | | ✓ |
| | domain | | | | |
| | hash_md5 | | | | |
-| | process_directory | | | | |
| | user_sid | | | | |
-| | operating_system | | | | |
| | parent_process_path | | | | |
| | user | Legacy | | ✓ | |
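Review bot: removing `process_directory` and `operating_system` here completes renames whose replacements (`process_dir`, `os`) were inserted in the previous hunk, so the rename is split across two hunks and across the table. Check that nothing still references `process_directory`, and consider renaming in place so each rename shows as one adjacent pair of lines.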
diff --git a/Extensions/endpoint.md b/Extensions/endpoint.md
index 107ab9b..60baa80 100644
--- a/Extensions/endpoint.md
+++ b/Extensions/endpoint.md
@@ -24,6 +24,7 @@ Activity Types
| | domain | | | | |
| | action | Legacy | | | ✓ |
| | malware_url | | | | |
+| | domain_user_name | | | | |
| | src_host | Legacy | ✓ | ✓ | |
| | user | Legacy | | ✓ | |
diff --git a/Extensions/epic_siem.md b/Extensions/epic_siem.md
index 87ab33e..652d576 100644
--- a/Extensions/epic_siem.md
+++ b/Extensions/epic_siem.md
@@ -16,12 +16,13 @@ Activity Types
| Activity Type | Field | Status | Core | Detection | Informational |
| -------------------- | --------------- | ------- | ---- | --------- | ------------- |
-| app-activity | resource | Default | | | ✓ |
+| app-activity | app | Default | | | ✓ |
+| | resource | Default | | | ✓ |
+| | local_user_name | | | | |
| | src_host | Default | | ✓ | |
| | result | Default | | | ✓ |
| | src_ip | Default | | ✓ | |
| | event_id | Default | | | ✓ |
-| | application | Default | | | ✓ |
| | additional_info | Default | | | ✓ |
| | user_id | Default | | | ✓ |
| | dest_ip | Default | | ✓ | |
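Review bot: `application` is renamed to `app` and moved from mid-table to the first row of app-activity, which again turns a rename into an unrelated insert and delete; `local_user_name` is added with no Status while every other row in this table is `Default`. Call out the rename in the commit message and either classify the new field or document why it is unclassified.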
diff --git a/Extensions/esector_defesa_logger.md b/Extensions/esector_defesa_logger.md
index 0f6b1d4..6c9b0aa 100644
--- a/Extensions/esector_defesa_logger.md
+++ b/Extensions/esector_defesa_logger.md
@@ -14,18 +14,21 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | ---------- | ------ | -------- | --------- | ------------- |
-| file-delete | host_ip | | | | |
-| | event_name | | | | |
-| | src_host | Legacy | | ✓ | |
-| | user | Legacy | ✓ | ✓ | |
-| file-read | host_ip | | | | |
-| | event_name | | | | |
-| | src_host | Legacy | | ✓ | |
-| | user | Legacy | ✓ | ✓ | |
-| file-write | host_ip | | | | |
-| | event_name | | | | |
-| | src_host | | | | |
-| | user | Legacy | ✓ | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | --------------- | ------ | -------- | --------- | ------------- |
+| file-delete | host_ip | | | | |
+| | local_user_name | | | | |
+| | event_name | | | | |
+| | src_host | Legacy | | ✓ | |
+| | user | Legacy | ✓ | ✓ | |
+| file-read | host_ip | | | | |
+| | local_user_name | | | | |
+| | event_name | | | | |
+| | src_host | Legacy | | ✓ | |
+| | user | Legacy | ✓ | ✓ | |
+| file-write | host_ip | | | | |
+| | local_user_name | | | | |
+| | event_name | | | | |
+| | src_host | | | | |
+| | user | Legacy | ✓ | ✓ | |
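Review bot: the three `local_user_name` rows are inserted between `host_ip` and `event_name` with no Status or classification, and the `src_host` row under file-write is still blank where the same field under file-delete and file-read is `Legacy` with a Detection mark. If that inconsistency is inherited from the source data, leave it, but a regenerated table is a good point to fix or explain it.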
diff --git a/Extensions/eset.md b/Extensions/eset.md
index 7fcec40..456a9b2 100644
--- a/Extensions/eset.md
+++ b/Extensions/eset.md
@@ -14,23 +14,24 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | process | | | | |
-| | url | | | | |
-| | result | | | | |
-| | hash_sha256 | | | | |
-| | src_ip | Legacy | ✓ | ✓ | |
-| | src_port | Legacy | | | ✓ |
-| | protocol | Legacy | | ✓ | |
-| | additional_info | | | | |
-| | process_name | Legacy | | ✓ | |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | domain | | | | |
-| | action | Legacy | | | ✓ |
-| | category | | | | |
-| | operation | | | | |
-| | user | Legacy | | ✓ | |
-| | dest_port | Legacy | | ✓ | |
-| | direction | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | process | | | | |
+| | domain_user_name | | | | |
+| | url | | | | |
+| | result | | | | |
+| | hash_sha256 | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | src_port | Legacy | | | ✓ |
+| | protocol | Legacy | | ✓ | |
+| | additional_info | | | | |
+| | process_name | Legacy | | ✓ | |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | domain | | | | |
+| | action | Legacy | | | ✓ |
+| | category | | | | |
+| | operation | | | | |
+| | user | Legacy | | ✓ | |
+| | dest_port | Legacy | | ✓ | |
+| | direction | | | | |
diff --git a/Extensions/eset_protect.md b/Extensions/eset_protect.md
index 8093a67..545d71c 100644
--- a/Extensions/eset_protect.md
+++ b/Extensions/eset_protect.md
@@ -14,24 +14,25 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | circumstances | | | | |
-| | process | | | | |
-| | object_type | | | | |
-| | more_info | | | | |
-| | firstseen | | | | |
-| | hash_sha256 | | | | |
-| | src_ip | Legacy | ✓ | ✓ | |
-| | additional_info | | | | |
-| | process_name | Legacy | | ✓ | |
-| | threat_handled | | | | |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | domain | | | | |
-| | action | Legacy | | | ✓ |
-| | dest_host | Legacy | | ✓ | |
-| | threat_type | | | | |
-| | malware_url | | | | |
-| | engine_version | | | | |
-| | user | Legacy | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | circumstances | | | | |
+| | process | | | | |
+| | object_type | | | | |
+| | more_info | | | | |
+| | domain_user_name | | | | |
+| | firstseen | | | | |
+| | hash_sha256 | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | additional_info | | | | |
+| | process_name | Legacy | | ✓ | |
+| | threat_handled | | | | |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | domain | | | | |
+| | action | Legacy | | | ✓ |
+| | dest_host | Legacy | | ✓ | |
+| | threat_type | | | | |
+| | malware_url | | | | |
+| | engine_version | | | | |
+| | user | Legacy | | ✓ | |
diff --git a/Extensions/event_viewer_-_nps.md b/Extensions/event_viewer_-_nps.md
index e3f031c..17c8e80 100644
--- a/Extensions/event_viewer_-_nps.md
+++ b/Extensions/event_viewer_-_nps.md
@@ -4,26 +4,26 @@ event viewer - nps
Expression
----------
-product = "microsoft nps"
+product = "event viewer - nps"
Fields
------
-| Field | Core | Detection | Informational |
-| ------------------- | ---- | --------- | ------------- |
-| src_mac | | ✓ | |
-| access_type | | | ✓ |
-| src_host | | | ✓ |
-| authentication_type | | | ✓ |
-| network | | | ✓ |
-| src_ip | | | ✓ |
-| auth_method | | ✓ | |
-| user_type | | | ✓ |
-| additional_info | | | ✓ |
-| event_code | | | ✓ |
-| dest_ip | | | ✓ |
-| location | | ✓ | |
-| auth_server | | | ✓ |
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| src_mac | | ✓ | |
+| auth_type | | | ✓ |
+| access_type | | | ✓ |
+| src_host | | | ✓ |
+| network | | | ✓ |
+| src_ip | | | ✓ |
+| auth_method | | ✓ | |
+| user_type | | | ✓ |
+| additional_info | | | ✓ |
+| event_code | | | ✓ |
+| dest_ip | | | ✓ |
+| location | | ✓ | |
+| auth_server | | | ✓ |
Activity Types
--------------
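Review bot: the expression change from `product = "microsoft nps"` to `product = "event viewer - nps"` and the field rename `authentication_type` to `auth_type` are both breaking for existing matches and consumers, and they sit in one hunk with a table reflow. Split them or describe both in the commit message, and confirm the parser's product value now is exactly `event viewer - nps` (it does match the page title shown in the hunk header).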
diff --git a/Extensions/event_viewer_-_printservice.md b/Extensions/event_viewer_-_printservice.md
index de192b9..367afd5 100644
--- a/Extensions/event_viewer_-_printservice.md
+++ b/Extensions/event_viewer_-_printservice.md
@@ -9,14 +9,15 @@ product = "event viewer - printservice"
Fields
------
-| Field | Core | Detection | Informational |
-| ---------- | -------- | --------- | ------------- |
-| log_name | | | ✓ |
-| event_code | | | ✓ |
-| domain | | ✓ | |
-| dest_host | ✓ | ✓ | |
-| event_name | | | ✓ |
-| user | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| log_name | | | ✓ |
+| event_code | | | ✓ |
+| domain | | ✓ | |
+| event_name | | | ✓ |
+| domain_user_name | | | |
+| src_host | ✓ | ✓ | |
+| user | ✓ | ✓ | |
Activity Types
--------------
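Review bot: this hunk replaces `dest_host` (Core, Detection) with `src_host` (Core, Detection) for the printservice extension, which changes the meaning of a Core field rather than adding one. If print events were previously mapped to the wrong direction, say so in the commit message and note the migration impact; if `dest_host` is still populated by the parser, the row should stay rather than be swapped.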
diff --git a/Extensions/event_viewer_-_security.md b/Extensions/event_viewer_-_security.md
index ac52d66..875adda 100644
--- a/Extensions/event_viewer_-_security.md
+++ b/Extensions/event_viewer_-_security.md
@@ -9,45 +9,214 @@ product = "event viewer - security"
Fields
------
-| Field | Core | Detection | Informational |
-| -------------- | -------- | --------- | ------------- |
-| login_id | | | ✓ |
-| event_id | | | ✓ |
-| log_name | | | ✓ |
-| user_id | | | ✓ |
-| event_code | | | ✓ |
-| domain | | ✓ | |
-| event_name | | | ✓ |
-| correlation_id | | | ✓ |
-| src_host | ✓ | ✓ | |
-| user | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| login_id | | | ✓ |
+| event_id | | | ✓ |
+| log_name | ✓ | | |
+| user_id | | | ✓ |
+| event_code | ✓ | ✓ | |
+| domain | | ✓ | |
+| event_name | | | ✓ |
+| domain_user_name | | | |
+| src_host | ✓ | ✓ | |
+| user | ✓ | ✓ | |
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ----------------- | --------------- | ------- | ---- | --------- | ------------- |
-| ds_object-create | | | | | |
-| ds_object-delete | | | | | |
-| ds_object-modify | access | Default | | | ✓ |
-| | access_mask | Default | | | ✓ |
-| | attribute | Default | | | ✓ |
-| | attribute_value | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| ds_object-move | | | | | |
-| ds_object-restore | | | | | |
-| endpoint-delete | | | | | |
-| endpoint-modify | old_attribute | | | ✓ | |
-| | new_attribute | | | ✓ | |
-| | attribute | | | | ✓ |
-| share-access | file_ext | Default | | | ✓ |
-| | access | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | file_name | Default | | | ✓ |
-| | process_name | Default | | | ✓ |
-| | file_dir | Default | | | ✓ |
-| | user_sid | Default | | | ✓ |
-| | process_dir | Default | | | ✓ |
-| | process_path | Default | | | ✓ |
-| | object | Default | | | ✓ |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------------------- | ---------------------- | ------- | -------- | --------- | ------------- |
+| audit_policy-modify | policy_changes | | | ✓ | |
+| | audit_subcategory | Legacy | | | ✓ |
+| | audit_category | Legacy | | | ✓ |
+| ds_object-create | | | | | |
+| ds_object-delete | | | | | |
+| ds_object-modify | access | Default | | | ✓ |
+| | access_mask | Default | | | ✓ |
+| | attribute | Default | | | ✓ |
+| | attribute_value | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| ds_object-move | | | | | |
+| ds_object-restore | | | | | |
+| endpoint-authentication | src_ip | Default | | ✓ | |
+| | src_port | Default | | | ✓ |
+| | ticket_options | Default | | | ✓ |
+| | ticket_encryption_type | Default | | | ✓ |
+| | kerberos_service_name | Default | | | ✓ |
+| endpoint-delete | | | | | |
+| endpoint-domain-join | process_id | | | | ✓ |
+| | dest_user_sid | Default | | | ✓ |
+| | user_sid | | | | |
+| endpoint-lock | session_id | | | | ✓ |
+| endpoint-login | result | Default | | | ✓ |
+| | src_ip | Default | | ✓ | |
+| | src_port | Default | | | ✓ |
+| | auth_package | Default | | | ✓ |
+| | process_id | Default | | | ✓ |
+| | sub_status | Default | | | ✓ |
+| | process_name | Default | | | ✓ |
+| | process_dir | Default | | | ✓ |
+| | process_path | Default | | | ✓ |
+| | auth_process | Default | | | ✓ |
+| endpoint-logout | src_ip | | | | |
+| | src_port | | | | |
+| | session_name | | | | |
+| endpoint-modify | old_attribute | | | ✓ | |
+| | new_attribute | | | ✓ | |
+| | attribute | | | | ✓ |
+| endpoint-unlock | session_id | | | | ✓ |
+| file-delete | handle_id | | | | ✓ |
+| | process_id | | | | ✓ |
+| | login_id | | | | |
+| | access | Legacy | | ✓ | |
+| | access_mask | | | | ✓ |
+| | process_name | Legacy | | | ✓ |
+| | process_dir | Legacy | | | ✓ |
+| | process_path | Legacy | | | ✓ |
+| | object_id | | | | |
+| | object_class | | | | |
+| | object_server | | | | |
+| | object | | | | |
+| file-read | handle_id | | | | ✓ |
+| | process_id | | | | ✓ |
+| | access | Legacy | | ✓ | |
+| | access_mask | | | | ✓ |
+| | process_name | Legacy | | | ✓ |
+| | process_dir | Legacy | | | ✓ |
+| | process_path | Legacy | | ✓ | |
+| file-write | handle_id | | | | ✓ |
+| | process_id | | | | ✓ |
+| | access | Legacy | | ✓ | |
+| | access_mask | | | | ✓ |
+| | process_name | Legacy | | | ✓ |
+| | process_dir | Legacy | | | ✓ |
+| | process_path | Legacy | | ✓ | |
+| group-member-add | member_id | | | | ✓ |
+| | group_id | Legacy | | ✓ | |
+| group-member-remove | member_id | | | | ✓ |
+| | group_id | Legacy | | ✓ | |
+| | group_type | Legacy | | | ✓ |
+| log-clear | | | | | |
+| network-session | process_id | Default | | | ✓ |
+| | process_name | Default | | | ✓ |
+| | process_dir | Default | | | ✓ |
+| | process_path | Default | | | ✓ |
+| | direction | Default | | | ✓ |
+| peripheral_storage-insert | device_name | | | ✓ | |
+| | compatible_id | | | | ✓ |
+| | class_id | | | | ✓ |
+| | vendor_id | | | | ✓ |
+| | class_name | | | ✓ | ✓ |
+| | location_information | | | | ✓ |
+| process-create | process_integrity | Default | | | ✓ |
+| | elevation_type | Default | | | ✓ |
+| scheduled_task-create | file_path | | | ✓ | |
+| | file_ext | | | ✓ | |
+| | dest_domain_user_name | | | | |
+| | file_name | | | ✓ | |
+| | file_dir | | | ✓ | |
+| | dest_domain | | | ✓ | |
+| | description | Legacy | | | ✓ |
+| | dest_user | | | ✓ | |
+| | dest_user_id | | | | ✓ |
+| | triggers | Legacy | | | ✓ |
+| | run_level | Legacy | | | ✓ |
+| service-create | file_path | | | ✓ | |
+| | service_command_line | | | ✓ | |
+| | service_type | | | ✓ | |
+| | file_ext | | | ✓ | |
+| | dest_domain_user_name | | | | |
+| | file_name | | | ✓ | |
+| | file_dir | | | ✓ | |
+| | dest_domain | | | ✓ | |
+| | service_start_type | Legacy | | | ✓ |
+| | dest_user | | | | |
+| | dest_user_id | | | | ✓ |
+| share-access | task_name | Default | | | ✓ |
+| | process_id | Default | | | ✓ |
+| | privileges | Default | | | ✓ |
+| | access | Default | | | ✓ |
+| | login_type | Default | | | ✓ |
+| | sid_history | Default | | | ✓ |
+| | dest_user_sid | Default | | | ✓ |
+| | src_ip | Default | | ✓ | |
+| | thread_id | Default | | | ✓ |
+| | process_guid | Default | | | ✓ |
+| | dest_domain_user_name | | | | |
+| | file_type | Default | | | ✓ |
+| | process_name | Default | | | ✓ |
+| | key_length | Default | | | ✓ |
+| | operation_id | Default | | | ✓ |
+| | provider_name | Default | | | ✓ |
+| | auth_process | Default | | | ✓ |
+| | service_name | Default | | | ✓ |
+| | file_name | Default | | | ✓ |
+| | file_dir | Default | | | ✓ |
+| | process_dir | Default | | | ✓ |
+| | dest_user | Default | | ✓ | |
+| | process_command_line | Default | | | ✓ |
+| | object_server | Default | | | ✓ |
+| | src_port | Default | | | ✓ |
+| | auth_package | Default | | | ✓ |
+| | service_type | Default | | | ✓ |
+| | file_ext | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | dest_ip | Default | | ✓ | |
+| | user_sid | Default | | | ✓ |
+| | dest_domain | Default | | | ✓ |
+| | dest_host | Default | | ✓ | |
+| | process_path | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| share-create | src_ip | Legacy | | ✓ | |
+| | src_port | Legacy | | ✓ | |
+| | d_name | | | | |
+| | d_parent | | | | |
+| | dest_ip | | | | |
+| | dest_host | Legacy | ✓ | ✓ | |
+| | aid | | | | |
+| share-delete | src_ip | Legacy | | ✓ | |
+| | src_port | Legacy | | ✓ | |
+| | dest_ip | | | | |
+| | user_sid | | | | |
+| | dest_host | Legacy | ✓ | ✓ | |
+| share-modify | src_ip | Legacy | | ✓ | |
+| | src_port | Legacy | | ✓ | |
+| | dest_ip | | | | |
+| | user_sid | | | | |
+| | dest_host | Legacy | ✓ | ✓ | |
+| user-create | dest_user_type | | | | ✓ |
+| | dest_user_id | | | | ✓ |
+| user-delete | dest_user_id | | | | ✓ |
+| user-disable | dest_user_id | | | | ✓ |
+| user-enable | dest_user_id | | | | ✓ |
+| user-lock | dest_user_id | | | | ✓ |
+| user-modify | old_attribute | | | ✓ | |
+| | new_attribute | | | ✓ | |
+| | attribute | | | ✓ | |
+| user-name-modify | old_user_name | Default | | | ✓ |
+| | new_user_name | Default | | | ✓ |
+| user-password-modify | dest_user_id | Default | | | ✓ |
+| user-password-reset | | | | | |
+| user-privilege-assign | | | | | |
+| user-privilege-use | process_id | Legacy | | | ✓ |
+| | object_type | Legacy | | | ✓ |
+| | object_handle | | | | ✓ |
+| | service_name | | | | ✓ |
+| | process_name | Legacy | ✓ | ✓ | |
+| | object_name | Legacy | ✓ | ✓ | |
+| | process_dir | Legacy | | | ✓ |
+| | process_path | Legacy | | ✓ | |
+| | object_server | Legacy | | | ✓ |
+| user-switch | src_ip | | | ✓ | |
+| | src_port | | | | ✓ |
+| | dest_login_id | | | | ✓ |
+| | process_id | | | ✓ | |
+| | process_name | | | ✓ | |
+| | dest_service_name | | | | ✓ |
+| | dest_host | | | | |
+| | process_dir | | | ✓ | |
+| | dest_user_id | | | | ✓ |
+| | process_path | | | ✓ | |
+| user-unlock | dest_user_id | | | | ✓ |
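Review bot: the `dest_domain_user_name` rows added under `scheduled_task-create`, `service-create` and `share-access` carry no Status and no Core/Detection/Informational tick, and `user-password-reset` and `user-privilege-assign` have an empty Field cell; either classify the new field or state on the page what a fully blank row means. Also `dest_user` is ticked Detection under `scheduled_task-create` but unticked under `service-create`, and `share-create` gains `d_name`, `d_parent` and `aid` with no classification at all; if those are vendor-specific names, a short description of each would help readers.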
diff --git a/Extensions/event_viewer_-_system.md b/Extensions/event_viewer_-_system.md
index a2c3d5b..541e1ce 100644
--- a/Extensions/event_viewer_-_system.md
+++ b/Extensions/event_viewer_-_system.md
@@ -9,27 +9,29 @@ product = "event viewer - system"
Fields
------
-| Field | Core | Detection | Informational |
-| ---------- | -------- | --------- | ------------- |
-| log_name | | | ✓ |
-| event_code | | | ✓ |
-| domain | | ✓ | |
-| event_name | | | ✓ |
-| dest_host | ✓ | ✓ | |
-| user | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| log_name | | | ✓ |
+| event_code | | | ✓ |
+| domain | | ✓ | |
+| event_name | | | ✓ |
+| domain_user_name | | | |
+| src_host | ✓ | ✓ | |
+| user | ✓ | ✓ | |
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| -------------- | -------------------- | ------ | ---- | --------- | ------------- |
-| service-create | file_path | | | | |
-| | service_command_line | | | | |
-| | service_type | | | | |
-| | file_ext | | | | |
-| | file_name | | | | |
-| | file_dir | | | | |
-| | dest_domain | | | | |
-| | service_start_type | Legacy | | | ✓ |
-| | dest_user | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| -------------- | --------------------- | ------ | ---- | --------- | ------------- |
+| service-create | file_path | | | | |
+| | service_command_line | | | | |
+| | service_type | | | | |
+| | file_ext | | | | |
+| | dest_domain_user_name | | | | |
+| | file_name | | | | |
+| | file_dir | | | | |
+| | dest_domain | | | | |
+| | service_start_type | Legacy | | | ✓ |
+| | dest_user | | | | |
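Review bot: `dest_host` (Core, Detection) is replaced by `src_host` in the Fields table with no explanation; that is a rename of a core field, not an addition, and any consumer keyed on `dest_host` for this product will break, so call it out in the commit message or keep `dest_host` as `Legacy`. The new `domain_user_name` and `dest_domain_user_name` rows have no Status or tier. Re-padding every row to the new column width also turns a two-row addition into a full-table rewrite; consider leaving the old padding so the diff shows only the added rows.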
diff --git a/Extensions/exabeam_dl.md b/Extensions/exabeam_dl.md
deleted file mode 100644
index 128e30d..0000000
--- a/Extensions/exabeam_dl.md
+++ /dev/null
@@ -1,93 +0,0 @@
-exabeam dl
-==========
-
-Expression
-----------
-
-product = "exabeam dl"
-
-Fields
-------
-
-There are no fields for this extension.
-
-Activity Types
---------------
-
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ---------------------- | --------------- | ------- | -------- | --------- | ------------- |
-| alert-trigger | event_id | | | | ✓ |
-| | dest_host | Legacy | | ✓ | |
-| | original_score | | | | |
-| | src_host | Legacy | ✓ | ✓ | |
-| | mitre_labels | | | | ✓ |
-| | alert_reason | | | | ✓ |
-| | usecases | | | | ✓ |
-| | user | Legacy | | ✓ | |
-| | event_time | | | | ✓ |
-| | log_time | | | | |
-| | labels | | | | ✓ |
-| app-activity | src_ip | Default | | ✓ | |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| app-login | src_ip | Default | | ✓ | |
-| | additional_info | Default | | | ✓ |
-| app-notification | src_ip | Default | | ✓ | |
-| | application | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| group-modify | src_ip | | | | |
-| | application | | | | |
-| | additional_info | | | | |
-| | domain | Legacy | | | ✓ |
-| | user | Legacy | ✓ | | |
-| | operation | | | | |
-| log_source-add | src_ip | Default | | ✓ | |
-| | application | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| log_source-modify | src_ip | Default | | ✓ | |
-| | application | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| role-delete | src_ip | Default | | ✓ | |
-| | application | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| role-permission-modify | src_ip | Default | | ✓ | |
-| | application | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| rule-create | src_ip | Default | | ✓ | |
-| | application | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| rule-trigger | rule_severity | Default | | | ✓ |
-| | rule | Default | | | ✓ |
-| | src_host | Default | | ✓ | |
-| | usecases | Default | | | ✓ |
-| | log_time | Default | | | ✓ |
-| | labels | Default | | | ✓ |
-| | src_ip | Default | | ✓ | |
-| | trigger_time | Default | | | ✓ |
-| | event_id | Default | | | ✓ |
-| | rule_reason | Default | | | ✓ |
-| | dest_ip | Default | | ✓ | |
-| | dest_host | Default | | ✓ | |
-| | mitre_labels | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | event_time | Default | | | ✓ |
-
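Review bot: the whole extension is deleted with nothing replacing it, which drops the `alert-trigger` and `rule-trigger` mappings for this product as well as the `Default`-status `app-activity`, `app-login`, `log_source-*`, `role-*` and `rule-create` rows; if the product was renamed, this diff should show the new file, and either way any page that links to `Extensions/exabeam_dl.md` needs updating in the same change.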
diff --git a/Extensions/f-secure_elements.md b/Extensions/f-secure_elements.md
index 1668f22..d6a56df 100644
--- a/Extensions/f-secure_elements.md
+++ b/Extensions/f-secure_elements.md
@@ -14,12 +14,13 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | additional_info | | | | |
-| | domain | | | | |
-| | threat_type | | | | |
-| | malware_url | | | | |
-| | src_host | Legacy | ✓ | ✓ | |
-| | user | Legacy | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | additional_info | | | | |
+| | domain | | | | |
+| | threat_type | | | | |
+| | malware_url | | | | |
+| | domain_user_name | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | user | Legacy | | ✓ | |
diff --git a/Extensions/f5_app_security_manager_(asm).md b/Extensions/f5_app_security_manager_(asm).md
new file mode 100644
index 0000000..875a4b2
--- /dev/null
+++ b/Extensions/f5_app_security_manager_(asm).md
@@ -0,0 +1,34 @@
+f5 app security manager (asm)
+=============================
+
+Expression
+----------
+
+product = f5 Application security manager (asm)
+
+Fields
+------
+
+There are no fields for this extension.
+
+Activity Types
+--------------
+
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ----------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | country | | | | |
+| | malware_file_name | | | | |
+| | policy_name | | | | |
+| | domain_user_name | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | src_port | Legacy | | | ✓ |
+| | protocol | Legacy | | ✓ | |
+| | ip_reputation | | | | |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | domain | | | | |
+| | dest_host | Legacy | | ✓ | |
+| | malware_url | | | | |
+| | user | Legacy | | ✓ | |
+| | dest_port | Legacy | | ✓ | |
+| | user_agent | | | | |
+
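Review bot: the expression `product = f5 Application security manager (asm)` is unquoted and does not match the page title `f5 app security manager (asm)` (different wording, capital `Application`), unlike the quoted, lower-case expressions elsewhere in this diff such as `product = "forcepoint casb"`; if the matcher is an exact string comparison this extension never fires. The file also nearly duplicates `Extensions/f5_application_security_manager_(asm).md` (same `alert-trigger` fields and tiers), so it should say why a second extension for the same product is needed. Drop the trailing blank line at end of file.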
diff --git a/Extensions/f5_application_security_manager_(asm).md b/Extensions/f5_application_security_manager_(asm).md
index c62a262..82e14f6 100644
--- a/Extensions/f5_application_security_manager_(asm).md
+++ b/Extensions/f5_application_security_manager_(asm).md
@@ -14,16 +14,25 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | result | | | | |
-| | src_ip | Legacy | ✓ | ✓ | |
-| | src_port | Legacy | | | ✓ |
-| | protocol | Legacy | | ✓ | |
-| | additional_info | | | | |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | dest_host | Legacy | | ✓ | |
-| | src_host | Legacy | ✓ | ✓ | |
-| | user | Legacy | | ✓ | |
-| | dest_port | Legacy | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ----------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | country | | | | |
+| | malware_file_name | | | | |
+| | local_user_name | | | | |
+| | policy_name | | | | |
+| | domain_user_name | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | result | | | | |
+| | src_port | Legacy | | | ✓ |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | protocol | Legacy | | ✓ | |
+| | additional_info | | | | |
+| | ip_reputation | | | | |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | domain | | | | |
+| | dest_host | Legacy | | ✓ | |
+| | malware_url | | | | |
+| | user | Legacy | | ✓ | |
+| | dest_port | Legacy | | ✓ | |
+| | user_agent | | | | |
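Review bot: the rewritten `alert-trigger` block adds both `local_user_name` and `domain_user_name`, neither with a Status or tier, and its field set is now a superset of the new `f5_app_security_manager_(asm).md` in this same diff; if both extensions are meant to coexist, the difference (here `local_user_name`, `result`, `additional_info` and `src_host`) should be stated, otherwise one of the two is redundant.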
diff --git a/Extensions/f5_silverline.md b/Extensions/f5_silverline.md
index 8701119..95d8606 100644
--- a/Extensions/f5_silverline.md
+++ b/Extensions/f5_silverline.md
@@ -14,19 +14,20 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | src_host | Legacy | ✓ | ✓ | |
-| | result | | | | |
-| | src_ip | Legacy | ✓ | ✓ | |
-| | src_port | Legacy | | | ✓ |
-| | protocol | Legacy | | ✓ | |
-| | uri_path | | | | |
-| | additional_info | | | | |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | domain | | | | |
-| | dest_host | Legacy | | ✓ | |
-| | user | Legacy | | ✓ | |
-| | dest_port | Legacy | | ✓ | |
-| | policy | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | domain_user_name | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | result | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | src_port | Legacy | | | ✓ |
+| | protocol | Legacy | | ✓ | |
+| | uri_path | | | | |
+| | additional_info | | | | |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | domain | | | | |
+| | dest_host | Legacy | | ✓ | |
+| | user | Legacy | | ✓ | |
+| | dest_port | Legacy | | ✓ | |
+| | policy | | | | |
diff --git a/Extensions/falcon.md b/Extensions/falcon.md
index 4125350..405c3ae 100644
--- a/Extensions/falcon.md
+++ b/Extensions/falcon.md
@@ -4,7 +4,7 @@ falcon
Expression
----------
-product = "falcon"
+product = falcon
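Review bot: dropping the quotes (`product = falcon`) is inconsistent with the other expressions in this diff (`product = "event viewer - system"`, `product = "forcepoint casb"`) and, if the expression language requires string literals, turns a working match into a bare identifier; keep `product = "falcon"` or change every extension in one dedicated commit.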
Fields
------
@@ -17,231 +17,297 @@ Fields
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------------------- | ------------------------ | ------- | -------- | --------- | ------------- |
-| app-activity | src_ip | Default | | ✓ | |
-| | application | Default | | | ✓ |
-| | resource | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | object | Default | | | ✓ |
-| app-login | src_ip | Default | | ✓ | |
-| | activity_details | Default | | | ✓ |
-| | event_name | Default | | | ✓ |
-| | session_id | Default | | | ✓ |
-| configuration-modify | domain | | | | |
-| | operation | | | | |
-| | user | | | | |
-| | object | | | | |
-| dns-request | file_name | | | | |
-| | alert_severity | | | | |
-| | aip | | | | |
-| | src_host | Legacy | ✓ | ✓ | |
-| | protocol | | | | |
-| | process_guid | | | | |
-| | dns_response | | | | |
-| | additional_info | | | | |
-| | event_code | | | | |
-| | domain | | | | |
-| | hash_md5 | | | | |
-| | category | | | | |
-| | alert_name | | | | |
-| endpoint-login | process_id | Default | | | ✓ |
-| | file_path | Default | | | ✓ |
-| | falcon_host_link | Default | | | ✓ |
-| | file_name | Default | | | ✓ |
-| | file_dir | Default | | | ✓ |
-| | aip | Default | | | ✓ |
-| | session_id | Default | | | ✓ |
-| | process_command_line | Default | | | ✓ |
-| | src_ip | Default | | ✓ | |
-| | hash_sha256 | Default | | | ✓ |
-| | authentication_package | Default | | | ✓ |
-| | file_ext | Default | | | ✓ |
-| | process_guid | Default | | | ✓ |
-| | old_hash | Default | | | ✓ |
-| | event_code | Default | | | ✓ |
-| | bytes | Default | | | ✓ |
-| | hash_md5 | Default | | | ✓ |
-| | user_sid | Default | | | ✓ |
-| | event_name | Default | | | ✓ |
-| | auth_server | Default | | | ✓ |
-| file-delete | process_id | | | | |
-| | access | Legacy | | ✓ | |
-| | falcon_host_link | | | | |
-| | session_id | | | | |
-| | src_host | Legacy | | ✓ | |
-| | process_command_line | | | | |
-| | src_ip | | | | |
-| | hash_sha256 | | | | |
-| | process_guid | | | | |
-| | old_hash | | | | |
-| | bytes | | | | |
-| | event_code | | | | |
-| | alert_id | | | | |
-| | hash_md5 | | | | |
-| | user_sid | | | | |
-| | operating_system | | | | |
-| | event_name | | | | |
-| | alert_name | | | | |
-| file-download | src_port | | | | |
-| | hash_sha256 | | | | |
-| | process_guid | | | | |
-| | old_hash | | | | |
-| | event_code | | | | |
-| | dest_ip | | | | |
-| | event_name | | | | |
-| | src_host | Legacy | | | ✓ |
-| | new_hash | | | | |
-| file-read | process_id | | | | |
-| | access | Legacy | | ✓ | |
-| | falcon_host_link | | | | |
-| | alert_severity | | | | |
-| | src_ip | | | | |
-| | protocol | | | | |
-| | process_guid | | | | |
-| | event_code | | | | |
-| | alert_id | | | | |
-| | hash_md5 | | | | |
-| | operating_system | | | | |
-| | dest_port | | | | |
-| | session_id | | | | |
-| | src_host | Legacy | | ✓ | |
-| | process_command_line | | | | |
-| | src_port | | | | |
-| | hash_sha256 | | | | |
-| | additional_info | | | | |
-| | old_hash | | | | |
-| | bytes | Legacy | | | ✓ |
-| | domain | | | | |
-| | dest_ip | | | | |
-| | user_sid | | | | |
-| | event_name | | | | |
-| | category | | | | |
-| | alert_name | | | | |
-| | object | | | | |
-| file-write | process_id | | | | |
-| | access | Legacy | | ✓ | |
-| | falcon_host_link | | | | |
-| | alert_severity | | | | |
-| | src_ip | | | | |
-| | protocol | | | | |
-| | process_guid | | | | |
-| | file_type | Legacy | | | ✓ |
-| | event_code | | | | |
-| | alert_id | | | | |
-| | hash_md5 | | | | |
-| | operating_system | | | | |
-| | dest_port | | | | |
-| | new_hash | | | | |
-| | device_id | Legacy | | ✓ | |
-| | session_id | | | | |
-| | src_host | | | | |
-| | process_command_line | | | | |
-| | src_port | | | | |
-| | hash_sha256 | | | | |
-| | additional_info | | | | |
-| | old_hash | | | | |
-| | bytes | Legacy | | ✓ | |
-| | domain | | | | |
-| | dest_ip | | | | |
-| | user_sid | | | | |
-| | event_name | | | | |
-| | category | | | | |
-| | alert_name | | | | |
-| group-member-add | src_ip | | | | |
-| | domain | Legacy | | | ✓ |
-| | user | Legacy | ✓ | ✓ | |
-| | operation | | | | |
-| network-traffic | process_guid | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | file_name | Default | | | ✓ |
-| | event_code | Default | | | ✓ |
-| | process_name | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | alert_severity | Default | | | ✓ |
-| | hash_md5 | Default | | | ✓ |
-| | src_host | Default | | ✓ | |
-| | category | Default | | | ✓ |
-| | alert_name | Default | | | ✓ |
-| | direction | Default | | | ✓ |
-| peripheral_storage-insert | src_ip | | | | |
-| | process_id | | | | |
-| | file_path | | | | |
-| | file_ext | | | | |
-| | event_code | | | | |
-| | file_name | | | | |
-| | activity_details | | | | |
-| | vendor_id | | | | |
-| | file_dir | | | | |
-| | alert_id | | | | |
-| | operation | | | | |
-| peripheral_storage-remove | src_ip | | | | |
-| | file_path | | | | |
-| | file_ext | | | | |
-| | event_code | Legacy | | | ✓ |
-| | file_name | Legacy | ✓ | | |
-| | activity_details | | | | |
-| | file_dir | | | | |
-| | alert_id | | | | |
-| | operation | | | | |
-| process-create | file_path | Default | | | ✓ |
-| | falcon_host_link | Default | | | ✓ |
-| | file_name | Default | | | ✓ |
-| | service_name | Default | | | ✓ |
-| | file_dir | Default | | | ✓ |
-| | session_id | Default | | | ✓ |
-| | process_command_line | Default | | | ✓ |
-| | hash_sha256 | Default | | | ✓ |
-| | src_ip | Default | | ✓ | |
-| | log_severity | Default | | | ✓ |
-| | process_guid | Default | | | ✓ |
-| | file_ext | Default | | | ✓ |
-| | grandparent_process_path | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | old_hash | Default | | | ✓ |
-| | event_code | Default | | | ✓ |
-| | bytes | Default | | | ✓ |
-| | dest_ip | Default | | ✓ | |
-| | hash_md5 | Default | | | ✓ |
-| | user_sid | Default | | | ✓ |
-| | operating_system | Default | | | ✓ |
-| | parent_process_guid | Default | | | ✓ |
-| scheduled_task-create | src_ip | | | | |
-| | file_path | | | | |
-| | file_ext | | | | |
-| | event_code | Legacy | | | ✓ |
-| | file_name | | | | |
-| | file_dir | | | | |
-| user-create | src_ip | | | | |
-| | application | | | | |
-| | domain | Legacy | | | ✓ |
-| | event_name | | | | |
-| | user | Legacy | ✓ | ✓ | |
-| | operation | | | | |
-| user-delete | src_ip | | | | |
-| | application | | | | |
-| | domain | Legacy | | | ✓ |
-| | event_name | | | | |
-| | user | Legacy | ✓ | ✓ | |
-| | operation | | | | |
-| user-modify | src_ip | | | | |
-| | application | | | | |
-| | domain | Legacy | | | ✓ |
-| | event_name | | | | |
-| | user | Legacy | ✓ | | |
-| | operation | | | | |
-| user-role-assign | src_ip | Default | | ✓ | |
-| | application | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | event_name | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| user-role-revoke | src_ip | Default | | ✓ | |
-| | application | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | event_name | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------------------- | ------------------------------- | ------- | -------- | --------- | ------------- |
+| alert-trigger | indicator | | | | |
+| | file_path | Legacy | | | ✓ |
+| | grandparent_command_line | | | | |
+| | rooting | | | | |
+| | parent_process_command_line | | | | |
+| | falcon_host_link | | | | |
+| | kill_parent | | | | |
+| | kill_process | | | | |
+| | domain_user_name | | | | |
+| | pattern_disposition_description | | | | |
+| | critical_process_disabled | | | | |
+| | process_guid | | | | |
+| | policy_disabled | | | | |
+| | process_name | Legacy | | ✓ | |
+| | alert_id | Legacy | | | ✓ |
+| | hash_md5 | | | | |
+| | image_file_name | | | | |
+| | sensor_only | | | | |
+| | dest_port | Legacy | | ✓ | |
+| | process_blocked | | | | |
+| | app | | | | |
+| | registry_operation_blocked | | | | |
+| | bootup_safeguard_enabled | | | | |
+| | process_command_line | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | inddet_mask | | | | |
+| | additional_info | | | | |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | domain | | | | |
+| | event_name | | | | |
+| | process_path | Legacy | | ✓ | |
+| | aid | | | | |
+| | process_id | | | | |
+| | quarantine_machine | | | | |
+| | detect | | | | |
+| | fs_operation_blocked | | | | |
+| | quarantine_file | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | sensor_id | | | | |
+| | operation_blocked | | | | |
+| | event_code | | | | |
+| | kill_sub_process | | | | |
+| | new_hash | | | | |
+| | os | | | | |
+| | file_name | Legacy | ✓ | | |
+| | file_dir | Legacy | | | ✓ |
+| | target | | | | |
+| | hash_sha256 | | | | |
+| | src_port | Legacy | | | ✓ |
+| | file_ext | | | | |
+| | parent_image_filename | | | | |
+| | old_hash | | | | |
+| | bytes | Legacy | | ✓ | |
+| | grandparent_image_filename | | | | |
+| | user_sid | | | | |
+| | dest_host | Legacy | | ✓ | |
+| | parent_process_guid | | | | |
+| | user | Legacy | | ✓ | |
+| app-activity | app | Default | | | ✓ |
+| | src_ip | Default | | ✓ | |
+| | resource | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | object | Default | | | ✓ |
+| app-login | src_ip | Default | | ✓ | |
+| | activity_details | Default | | | ✓ |
+| | event_name | Default | | | ✓ |
+| | session_id | Default | | | ✓ |
+| configuration-modify | domain | | | | |
+| | domain_user_name | | | | |
+| | operation | | | | |
+| | user | | | | |
+| | object | | | | |
+| dns-request | file_name | | | | |
+| | alert_severity | | | | |
+| | aip | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | protocol | | | | |
+| | process_guid | | | | |
+| | dns_response | | | | |
+| | additional_info | | | | |
+| | event_code | | | | |
+| | domain | | | | |
+| | hash_md5 | | | | |
+| | category | | | | |
+| | alert_name | | | | |
+| endpoint-login | process_id | Default | | | ✓ |
+| | file_path | Default | | | ✓ |
+| | falcon_host_link | Default | | | ✓ |
+| | file_name | Default | | | ✓ |
+| | file_dir | Default | | | ✓ |
+| | aip | Default | | | ✓ |
+| | session_id | Default | | | ✓ |
+| | process_command_line | Default | | | ✓ |
+| | src_ip | Default | | ✓ | |
+| | hash_sha256 | Default | | | ✓ |
+| | auth_package | Default | | | ✓ |
+| | file_ext | Default | | | ✓ |
+| | process_guid | Default | | | ✓ |
+| | old_hash | Default | | | ✓ |
+| | event_code | Default | | | ✓ |
+| | bytes | Default | | | ✓ |
+| | hash_md5 | Default | | | ✓ |
+| | user_sid | Default | | | ✓ |
+| | event_name | Default | | | ✓ |
+| | auth_server | Default | | | ✓ |
+| file-delete | process_id | | | | |
+| | access | Legacy | | ✓ | |
+| | os | | | | |
+| | falcon_host_link | | | | |
+| | session_id | | | | |
+| | src_host | Legacy | | ✓ | |
+| | process_command_line | | | | |
+| | src_ip | | | | |
+| | hash_sha256 | | | | |
+| | process_guid | | | | |
+| | old_hash | | | | |
+| | bytes | | | | |
+| | event_code | | | | |
+| | alert_id | | | | |
+| | hash_md5 | | | | |
+| | user_sid | | | | |
+| | event_name | | | | |
+| | alert_name | | | | |
+| file-download | src_port | | | | |
+| | hash_sha256 | | | | |
+| | process_guid | | | | |
+| | old_hash | | | | |
+| | event_code | | | | |
+| | dest_ip | | | | |
+| | event_name | | | | |
+| | src_host | Legacy | | | ✓ |
+| | new_hash | | | | |
+| file-read | process_id | | | | |
+| | access | Legacy | | ✓ | |
+| | falcon_host_link | | | | |
+| | alert_severity | | | | |
+| | src_ip | | | | |
+| | protocol | | | | |
+| | process_guid | | | | |
+| | event_code | | | | |
+| | alert_id | | | | |
+| | hash_md5 | | | | |
+| | dest_port | | | | |
+| | os | | | | |
+| | session_id | | | | |
+| | src_host | Legacy | | ✓ | |
+| | process_command_line | | | | |
+| | src_port | | | | |
+| | hash_sha256 | | | | |
+| | additional_info | | | | |
+| | old_hash | | | | |
+| | bytes | Legacy | | | ✓ |
+| | domain | | | | |
+| | dest_ip | | | | |
+| | user_sid | | | | |
+| | event_name | | | | |
+| | category | | | | |
+| | alert_name | | | | |
+| | object | | | | |
+| file-write | process_id | | | | |
+| | access | Legacy | | ✓ | |
+| | falcon_host_link | | | | |
+| | alert_severity | | | | |
+| | src_ip | | | | |
+| | protocol | | | | |
+| | process_guid | | | | |
+| | file_type | Legacy | | | ✓ |
+| | event_code | | | | |
+| | alert_id | | | | |
+| | hash_md5 | | | | |
+| | dest_port | | | | |
+| | new_hash | | | | |
+| | device_id | Legacy | | ✓ | |
+| | os | | | | |
+| | session_id | | | | |
+| | src_host | | | | |
+| | process_command_line | | | | |
+| | src_port | | | | |
+| | hash_sha256 | | | | |
+| | additional_info | | | | |
+| | old_hash | | | | |
+| | bytes | Legacy | | ✓ | |
+| | domain | | | | |
+| | dest_ip | | | | |
+| | user_sid | | | | |
+| | event_name | | | | |
+| | category | | | | |
+| | alert_name | | | | |
+| group-member-add | src_ip | | | | |
+| | domain | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | operation | | | | |
+| network-traffic | process_guid | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | file_name | Default | | | ✓ |
+| | event_code | Default | | | ✓ |
+| | process_name | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | alert_severity | Default | | | ✓ |
+| | hash_md5 | Default | | | ✓ |
+| | src_host | Default | | ✓ | |
+| | category | Default | | | ✓ |
+| | alert_name | Default | | | ✓ |
+| | direction | Default | | | ✓ |
+| peripheral_storage-insert | src_ip | | | | |
+| | process_id | | | | |
+| | file_path | | | | |
+| | file_ext | | | | |
+| | event_code | | | | |
+| | file_name | | | | |
+| | activity_details | | | | |
+| | vendor_id | | | | |
+| | file_dir | | | | |
+| | alert_id | | | | |
+| | operation | | | | |
+| peripheral_storage-remove | src_ip | | | | |
+| | file_path | | | | |
+| | file_ext | | | | |
+| | event_code | Legacy | | | ✓ |
+| | file_name | Legacy | ✓ | | |
+| | activity_details | | | | |
+| | file_dir | | | | |
+| | alert_id | | | | |
+| | operation | | | | |
+| process-create | file_path | Default | | | ✓ |
+| | os | Default | | | ✓ |
+| | falcon_host_link | Default | | | ✓ |
+| | file_name | Default | | | ✓ |
+| | service_name | Default | | | ✓ |
+| | file_dir | Default | | | ✓ |
+| | session_id | Default | | | ✓ |
+| | process_command_line | Default | | | ✓ |
+| | hash_sha256 | Default | | | ✓ |
+| | src_ip | Default | | ✓ | |
+| | log_severity | Default | | | ✓ |
+| | process_guid | Default | | | ✓ |
+| | file_ext | Default | | | ✓ |
+| | grandparent_process_path | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | old_hash | Default | | | ✓ |
+| | event_code | Default | | | ✓ |
+| | bytes | Default | | | ✓ |
+| | dest_ip | Default | | ✓ | |
+| | hash_md5 | Default | | | ✓ |
+| | user_sid | Default | | | ✓ |
+| | parent_process_guid | Default | | | ✓ |
+| scheduled_task-create | src_ip | | | | |
+| | file_path | | | | |
+| | file_ext | | | | |
+| | event_code | Legacy | | | ✓ |
+| | file_name | | | | |
+| | file_dir | | | | |
+| user-create | src_ip | | | | |
+| | app | | | | |
+| | domain | Legacy | | | ✓ |
+| | event_name | | | | |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | operation | | | | |
+| user-delete | src_ip | | | | |
+| | app | | | | |
+| | domain | Legacy | | | ✓ |
+| | event_name | | | | |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | operation | | | | |
+| user-modify | src_ip | | | | |
+| | app | | | | |
+| | domain | Legacy | | | ✓ |
+| | event_name | | | | |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | | |
+| | operation | | | | |
+| user-role-assign | src_ip | Default | | ✓ | |
+| | app | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | event_name | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| user-role-revoke | src_ip | Default | | ✓ | |
+| | app | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | event_name | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
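Review bot: besides the new `alert-trigger` block, this hunk silently renames existing fields (`application` to `app`, `authentication_package` to `auth_package`, `operating_system` to `os`) and moves the `os` row within `file-delete`, `file-read` and `file-write`; renames of populated fields should be listed in the commit message, since anything keyed on the old names breaks. Within the new `alert-trigger` block the naming is inconsistent: `image_file_name` sits beside `parent_image_filename` and `grandparent_image_filename`, and `grandparent_command_line` beside `parent_process_command_line` and `grandparent_process_path`; pick one pattern. Nearly all of the 58 new `alert-trigger` rows are unclassified, with only the `Legacy` ones carrying a tier.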
diff --git a/Extensions/fileauditor.md b/Extensions/fileauditor.md
index e7d4cce..af608cc 100644
--- a/Extensions/fileauditor.md
+++ b/Extensions/fileauditor.md
@@ -14,18 +14,21 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | -------- | ------ | -------- | --------- | ------------- |
-| file-delete | src_ip | | | | |
-| | access | Legacy | | ✓ | |
-| | src_host | Legacy | | ✓ | |
-| | user | Legacy | ✓ | ✓ | |
-| file-read | src_ip | | | | |
-| | access | Legacy | | ✓ | |
-| | src_host | Legacy | | ✓ | |
-| | user | Legacy | ✓ | ✓ | |
-| file-write | src_ip | | | | |
-| | access | Legacy | | ✓ | |
-| | src_host | | | | |
-| | user | Legacy | ✓ | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | --------------- | ------ | -------- | --------- | ------------- |
+| file-delete | src_ip | | | | |
+| | access | Legacy | | ✓ | |
+| | local_user_name | | | | |
+| | src_host | Legacy | | ✓ | |
+| | user | Legacy | ✓ | ✓ | |
+| file-read | src_ip | | | | |
+| | access | Legacy | | ✓ | |
+| | local_user_name | | | | |
+| | src_host | Legacy | | ✓ | |
+| | user | Legacy | ✓ | ✓ | |
+| file-write | src_ip | | | | |
+| | access | Legacy | | ✓ | |
+| | local_user_name | | | | |
+| | src_host | | | | |
+| | user | Legacy | ✓ | ✓ | |
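Review bot: this file adds `local_user_name` where every other extension in this diff adds `domain_user_name` (or both, in `f5_application_security_manager_(asm).md`); if file auditing only reports local accounts that is fine, but say so, otherwise it reads as a copy error. The new row has no Status or tier.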
diff --git a/Extensions/fireeye_(trellix)_endpoint_security_(hx).md b/Extensions/fireeye_(trellix)_endpoint_security_(hx).md
index 481d7e9..15cedcf 100644
--- a/Extensions/fireeye_(trellix)_endpoint_security_(hx).md
+++ b/Extensions/fireeye_(trellix)_endpoint_security_(hx).md
@@ -14,15 +14,23 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | ------------ | ------ | -------- | --------- | ------------- |
-| alert-trigger | src_ip | Legacy | ✓ | ✓ | |
-| | src_port | Legacy | | | ✓ |
-| | process | | | | |
-| | protocol | Legacy | | ✓ | |
-| | process_name | Legacy | | ✓ | |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | domain | | | | |
-| | user | Legacy | | ✓ | |
-| | dest_port | Legacy | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | --------------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | process | | | | |
+| | dest_user | | | | |
+| | domain_user_name | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | src_port | Legacy | | | ✓ |
+| | protocol | Legacy | | ✓ | |
+| | file_ext | | | | |
+| | email_address | | | | |
+| | dest_domain_user_name | | | | |
+| | additional_info | | | | |
+| | process_name | Legacy | | ✓ | |
+| | alert_id | Legacy | | | ✓ |
+| | domain | | | | |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | user | Legacy | | ✓ | |
+| | dest_port | Legacy | | ✓ | |
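Review bot: the `alert-trigger` block is reordered at the same time as eight rows are added (`dest_user`, `domain_user_name`, `src_host`, `file_ext`, `email_address`, `dest_domain_user_name`, `additional_info`, `alert_id`), so the diff cannot show what actually changed; keep the existing order and append. `src_host` joins `src_ip` and `dest_ip` as Core, so three host/address fields are now Core for one alert, and `process` remains beside `process_name` with only `process_name` classified.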
diff --git a/Extensions/fireeye_endpoint_security_(hx).md b/Extensions/fireeye_endpoint_security_(hx).md
index 6d24283..08de382 100644
--- a/Extensions/fireeye_endpoint_security_(hx).md
+++ b/Extensions/fireeye_endpoint_security_(hx).md
@@ -22,6 +22,7 @@ Activity Types
| | domain | | | | |
| | hash_md5 | | | | |
| | event_name | | | | |
+| | domain_user_name | | | | |
| | process_command_line | | | | |
| | user | Legacy | | ✓ | |
| file-write | event_code | | | | ✓ |
@@ -29,6 +30,7 @@ Activity Types
| | dest_ip | | ✓ | ✓ | |
| | domain | | | | ✓ |
| | event_name | | | | ✓ |
+| | domain_user_name | | | | |
| | operation | | | | ✓ |
| | user | Legacy | ✓ | ✓ | |
| http-session | | | | | |
diff --git a/Extensions/forcepoint_casb.md b/Extensions/forcepoint_casb.md
index e393917..0f7b7d2 100644
--- a/Extensions/forcepoint_casb.md
+++ b/Extensions/forcepoint_casb.md
@@ -9,21 +9,28 @@ product = "forcepoint casb"
Fields
------
-| Field | Core | Detection | Informational |
-| ---------- | -------- | --------- | ------------- |
-| src_ip | | ✓ | |
-| result | | | ✓ |
-| domain | | ✓ | |
-| dest_ip | | ✓ | |
-| user | ✓ | ✓ | |
-| user_agent | | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| src_ip | | ✓ | |
+| result | | | ✓ |
+| domain | | ✓ | |
+| dest_ip | | ✓ | |
+| domain_user_name | | | |
+| user | ✓ | ✓ | |
+| user_agent | | ✓ | |
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | ---------- | ------- | ---- | --------- | ------------- |
-| app-activity | privileges | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| app-login | privileges | Default | | | ✓ |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------- | -------- | --------- | ------------- |
+| alert-trigger | src_ip | Legacy | ✓ | ✓ | |
+| | additional_info | | | | |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | domain | | | | |
+| | domain_user_name | | | | |
+| | user | Legacy | | ✓ | |
+| app-activity | privileges | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| app-login | privileges | Default | | | ✓ |
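Review bot: the new alert-trigger block is introduced with Status "Legacy" on its src_ip, dest_ip and user rows, while the existing app-activity and app-login rows in the same table are "Default"; confirm that a newly added activity type is meant to be marked Legacy rather than Default, since elsewhere in this patch Legacy marks pre-existing mappings. The header change from `| ---- |` to `| -------- |` under Core is purely cosmetic.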
diff --git a/Extensions/forcepoint_dlp.md b/Extensions/forcepoint_dlp.md
index 2fb7e23..b4ef018 100644
--- a/Extensions/forcepoint_dlp.md
+++ b/Extensions/forcepoint_dlp.md
@@ -20,6 +20,7 @@ Activity Types
| | extension | | | | |
| | file_name | Legacy | ✓ | | |
| | last_name | | | | |
+| | domain_user_name | | | | |
| | src_host | Legacy | ✓ | ✓ | |
| | target_domain | | | | |
| | url | | | | |
diff --git a/Extensions/forcepoint_insider_threat.md b/Extensions/forcepoint_insider_threat.md
index 0897b4b..bb8d41f 100644
--- a/Extensions/forcepoint_insider_threat.md
+++ b/Extensions/forcepoint_insider_threat.md
@@ -14,10 +14,11 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | -------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | domain | | | | |
-| | src_host | Legacy | ✓ | ✓ | |
-| | user | Legacy | | ✓ | |
-| | target | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | domain | | | | |
+| | domain_user_name | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | user | Legacy | | ✓ | |
+| | target | | | | |
diff --git a/Extensions/fortinet_fortiedr.md b/Extensions/fortinet_fortiedr.md
index aa3eeab..f760c79 100644
--- a/Extensions/fortinet_fortiedr.md
+++ b/Extensions/fortinet_fortiedr.md
@@ -14,19 +14,20 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | src_mac | | | | |
-| | process | | | | |
-| | event_name_code | | | | |
-| | src_host | Legacy | ✓ | ✓ | |
-| | result | | | | |
-| | process_name | Legacy | | ✓ | |
-| | alert_id | Legacy | | | ✓ |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | domain | | | | |
-| | process_type | | | | |
-| | category | | | | |
-| | user | Legacy | | ✓ | |
-| | rule_count | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | src_mac | | | | |
+| | process | | | | |
+| | event_name_code | | | | |
+| | domain_user_name | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | result | | | | |
+| | process_name | Legacy | | ✓ | |
+| | alert_id | Legacy | | | ✓ |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | domain | | | | |
+| | process_type | | | | |
+| | category | | | | |
+| | user | Legacy | | ✓ | |
+| | rule_count | | | | |
diff --git a/Extensions/fortinet_utm.md b/Extensions/fortinet_utm.md
index 374d241..802a16a 100644
--- a/Extensions/fortinet_utm.md
+++ b/Extensions/fortinet_utm.md
@@ -21,6 +21,7 @@ Activity Types
| | protocol | Legacy | | ✓ | |
| | additional_info | | | | |
| | dest_ip | Legacy | ✓ | ✓ | |
+| | local_user_name | | | | |
| | action | Legacy | | | ✓ |
| | src_host | Legacy | ✓ | ✓ | |
| | user | Legacy | | ✓ | |
@@ -39,7 +40,7 @@ Activity Types
| | dest_port | Default | | | ✓ |
| endpoint-authentication | src_ip | Default | | ✓ | |
| | dest_ip | Default | | ✓ | |
-| http-request | application | Default | | | ✓ |
+| http-request | app | Default | | | ✓ |
| | additional_info | Default | | | ✓ |
| | service_name | Default | | | ✓ |
| | event_name | Default | | | ✓ |
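Review bot: renaming the http-request field from `application` to `app` changes a documented field name, so anything that references `application` for this activity type will break; the rename should be called out in the commit message or a changelog with the old-to-new mapping. The same `application` to `app` rename appears in the gamma_dlp, globalprotect and huawei hunks of this patch, so one migration note can cover all of them.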
diff --git a/Extensions/ftp.md b/Extensions/ftp.md
index 2a4ba8c..b369063 100644
--- a/Extensions/ftp.md
+++ b/Extensions/ftp.md
@@ -9,11 +9,12 @@ product = "ftp"
Fields
------
-| Field | Core | Detection | Informational |
-| ------ | -------- | --------- | ------------- |
-| src_ip | ✓ | ✓ | |
-| domain | | | ✓ |
-| user | | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| src_ip | ✓ | ✓ | |
+| domain | | | ✓ |
+| domain_user_name | | | |
+| user | | ✓ | |
Activity Types
--------------
diff --git a/Extensions/gamma_dlp.md b/Extensions/gamma_dlp.md
index b41f3e2..c44a4f2 100644
--- a/Extensions/gamma_dlp.md
+++ b/Extensions/gamma_dlp.md
@@ -16,8 +16,8 @@ Activity Types
| Activity Type | Field | Status | Core | Detection | Informational |
| ------------- | --------------- | ------ | ---- | --------- | ------------- |
-| alert-trigger | email_address | | | | |
-| | application | | | | |
+| alert-trigger | app | | | | |
+| | email_address | | | | |
| | additional_info | | | | |
| | user_id | | | | |
| | alert_id | Legacy | | | ✓ |
diff --git a/Extensions/gcp_cloud_audit.md b/Extensions/gcp_cloud_audit.md
index ecbf281..8767907 100644
--- a/Extensions/gcp_cloud_audit.md
+++ b/Extensions/gcp_cloud_audit.md
@@ -9,25 +9,26 @@ product = "gcp cloud audit"
Fields
------
-| Field | Core | Detection | Informational |
-| --------------- | ---- | --------- | ------------- |
-| resource | | ✓ | |
-| service_name | | ✓ | |
-| resource_type | | | ✓ |
-| event_category | | | ✓ |
-| operation_first | | | ✓ |
-| src_ip | | ✓ | |
-| project_id | | | ✓ |
-| zone | | | ✓ |
-| domain | | | ✓ |
-| resource_path | | | ✓ |
-| result_code | | | ✓ |
-| resource_name | | | ✓ |
-| region | | ✓ | |
-| operation_last | | | ✓ |
-| user | | ✓ | |
-| operation | | ✓ | |
-| user_agent | | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| resource | | ✓ | |
+| service_name | | ✓ | |
+| resource_type | | | ✓ |
+| domain_user_name | | | |
+| event_category | | | ✓ |
+| operation_first | | | ✓ |
+| src_ip | | ✓ | |
+| project_id | | | ✓ |
+| zone | | | ✓ |
+| domain | | | ✓ |
+| resource_path | | | ✓ |
+| result_code | | | ✓ |
+| resource_name | | | ✓ |
+| region | | ✓ | |
+| operation_last | | | ✓ |
+| user | | ✓ | |
+| operation | | ✓ | |
+| user_agent | | ✓ | |
Activity Types
--------------
diff --git a/Extensions/github.md b/Extensions/github.md
index 898e219..ba0ce29 100644
--- a/Extensions/github.md
+++ b/Extensions/github.md
@@ -9,10 +9,11 @@ product = "github"
Fields
------
-| Field | Core | Detection | Informational |
-| ------ | ---- | --------- | ------------- |
-| domain | | | ✓ |
-| user | | | ✓ |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| domain | | | ✓ |
+| domain_user_name | | | |
+| user | | | ✓ |
Activity Types
--------------
@@ -23,6 +24,11 @@ Activity Types
| | object | Default | | | ✓ |
| app-login | src_ip | Default | | ✓ | |
| | user_agent | Default | | | ✓ |
+| branch-create | resource | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
| branch-modify | resource | Default | | | ✓ |
| | additional_info | Default | | | ✓ |
| | user | Default | | ✓ | |
@@ -123,6 +129,21 @@ Activity Types
| | user | Default | | ✓ | |
| | operation | Default | | | ✓ |
| | object | Default | | | ✓ |
+| repository-pull | resource | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| repository-push | resource | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| repository-read | resource | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
| user-create | resource | | | | |
| | additional_info | | | | |
| | user | Legacy | ✓ | ✓ | |
diff --git a/Extensions/globalprotect.md b/Extensions/globalprotect.md
index 3cf55b2..fc3db09 100644
--- a/Extensions/globalprotect.md
+++ b/Extensions/globalprotect.md
@@ -4,7 +4,7 @@ globalprotect
Expression
----------
-product = "palo alto global protect"
+product = "globalprotect"
Fields
------
@@ -12,9 +12,10 @@ Fields
| Field | Core | Detection | Informational |
| ---------------- | -------- | --------- | ------------- |
| src_ip | | ✓ | |
+| os | | | ✓ |
| src_country | | | ✓ |
| domain | | ✓ | |
-| operating_system | | | ✓ |
+| domain_user_name | | | |
| user | ✓ | ✓ | |
Activity Types
@@ -22,9 +23,9 @@ Activity Types
| Activity Type | Field | Status | Core | Detection | Informational |
| -------------------- | --------------- | ------- | ---- | --------- | ------------- |
-| app-activity | src_mac | Default | | | ✓ |
+| app-activity | app | Default | | | ✓ |
+| | src_mac | Default | | | ✓ |
| | auth_method | Default | | | ✓ |
-| | application | Default | | | ✓ |
| | additional_info | Default | | | ✓ |
| | dest_ip | Default | | ✓ | |
| | vpn_client | Default | | | ✓ |
diff --git a/Extensions/goanywhere_mft.md b/Extensions/goanywhere_mft.md
index 1f089e2..a0e2c79 100644
--- a/Extensions/goanywhere_mft.md
+++ b/Extensions/goanywhere_mft.md
@@ -14,21 +14,23 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| -------------- | ---------- | ------- | -------- | --------- | ------------- |
-| endpoint-login | src_ip | Default | | ✓ | |
-| | dest_ip | Default | | ✓ | |
-| | event_name | Default | | | ✓ |
-| file-delete | src_ip | | | | |
-| | dest_ip | | | | |
-| | src_host | Legacy | | ✓ | |
-| | user | Legacy | ✓ | ✓ | |
-| file-download | src_ip | | | | |
-| | dest_ip | | | | |
-| | dest_host | Legacy | | | ✓ |
-| | user | Legacy | ✓ | ✓ | |
-| file-upload | src_ip | | | | |
-| | dest_ip | | | | |
-| | src_host | Legacy | | | ✓ |
-| | user | Legacy | ✓ | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| -------------- | --------------- | ------- | -------- | --------- | ------------- |
+| endpoint-login | src_ip | Default | | ✓ | |
+| | dest_ip | Default | | ✓ | |
+| | event_name | Default | | | ✓ |
+| file-delete | src_ip | | | | |
+| | dest_ip | | | | |
+| | local_user_name | | | | |
+| | src_host | Legacy | | ✓ | |
+| | user | Legacy | ✓ | ✓ | |
+| file-download | src_ip | | | | |
+| | dest_ip | | | | |
+| | dest_host | Legacy | | | ✓ |
+| | user | Legacy | ✓ | ✓ | |
+| file-upload | src_ip | | | | |
+| | dest_ip | | | | |
+| | local_user_name | | | | |
+| | src_host | Legacy | | | ✓ |
+| | user | Legacy | ✓ | ✓ | |
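Review bot: local_user_name is added to file-delete and file-upload but not to file-download, even though all three blocks otherwise share src_ip, dest_ip and user; confirm whether the asymmetry is intentional (file-download lists dest_host where the others list src_host) or an omission.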
diff --git a/Extensions/google.md b/Extensions/google.md
index 39d1b6f..343d11c 100644
--- a/Extensions/google.md
+++ b/Extensions/google.md
@@ -14,16 +14,17 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| -------------------- | --------------- | ------- | ---- | --------- | ------------- |
-| app-activity | src_ip | Default | | ✓ | |
-| | user_id | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | object | Default | | | ✓ |
-| app-login | src_ip | Default | | ✓ | |
-| | user_id | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| user-password-modify | src_ip | Default | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| -------------------- | ---------------- | ------- | ---- | --------- | ------------- |
+| app-activity | src_ip | Default | | ✓ | |
+| | user_id | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | object | Default | | | ✓ |
+| app-login | src_ip | Default | | ✓ | |
+| | user_id | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| user-password-modify | src_ip | Default | | ✓ | |
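Review bot: the new domain_user_name row has a blank Status while every other row in this table is "Default", so the blank reads as a distinct status rather than as "not set"; either mark it Default or state what blank means here. The google_apps and google_calendar hunks add the same row with the same blank Status.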
diff --git a/Extensions/google_apps.md b/Extensions/google_apps.md
index e2128e4..0faaee4 100644
--- a/Extensions/google_apps.md
+++ b/Extensions/google_apps.md
@@ -14,12 +14,13 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------- | ---- | --------- | ------------- |
-| app-activity | src_ip | Default | | ✓ | |
-| | user_id | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | object | Default | | | ✓ |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------- | ---- | --------- | ------------- |
+| app-activity | src_ip | Default | | ✓ | |
+| | user_id | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | object | Default | | | ✓ |
diff --git a/Extensions/google_calendar.md b/Extensions/google_calendar.md
index 5b69ce0..8f59838 100644
--- a/Extensions/google_calendar.md
+++ b/Extensions/google_calendar.md
@@ -14,12 +14,13 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------- | ---- | --------- | ------------- |
-| app-activity | src_ip | Default | | ✓ | |
-| | user_id | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | object | Default | | | ✓ |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------- | ---- | --------- | ------------- |
+| app-activity | src_ip | Default | | ✓ | |
+| | user_id | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | object | Default | | | ✓ |
diff --git a/Extensions/gravityzone.md b/Extensions/gravityzone.md
index ee4ebfe..b435a9e 100644
--- a/Extensions/gravityzone.md
+++ b/Extensions/gravityzone.md
@@ -14,10 +14,10 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | ---------------- | ------- | ---- | --------- | ------------- |
-| app-login | src_ip | Default | | ✓ | |
-| | operating_system | Default | | | ✓ |
-| | user_agent | Default | | | ✓ |
-| http-session | | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------- | ------- | ---- | --------- | ------------- |
+| app-login | src_ip | Default | | ✓ | |
+| | os | Default | | | ✓ |
+| | user_agent | Default | | | ✓ |
+| http-session | | | | | |
diff --git a/Extensions/gtb_gtbinspector.md b/Extensions/gtb_gtbinspector.md
index 126398d..f120101 100644
--- a/Extensions/gtb_gtbinspector.md
+++ b/Extensions/gtb_gtbinspector.md
@@ -14,16 +14,17 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | ------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | src_ip | Legacy | ✓ | ✓ | |
-| | src_port | Legacy | | | ✓ |
-| | protocol | Legacy | | ✓ | |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | dest_host | Legacy | | ✓ | |
-| | src_host | Legacy | ✓ | ✓ | |
-| | email_subject | | | | |
-| | user | Legacy | | ✓ | |
-| | dest_port | Legacy | | ✓ | |
-| | target | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | --------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | src_ip | Legacy | ✓ | ✓ | |
+| | src_port | Legacy | | | ✓ |
+| | protocol | Legacy | | ✓ | |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | local_user_name | | | | |
+| | dest_host | Legacy | | ✓ | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | email_subject | | | | |
+| | user | Legacy | | ✓ | |
+| | dest_port | Legacy | | ✓ | |
+| | target | | | | |
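Review bot: this alert-trigger table gains local_user_name, while the alert-trigger tables in the forcepoint_casb, forcepoint_insider_threat and fortinet_fortiedr hunks of this patch gain domain_user_name instead; the rule for choosing between the two is not visible anywhere in the diff, so a sentence in the commit or PR description explaining when each applies would help reviewers check the remaining hunks.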
diff --git a/Extensions/guardium.md b/Extensions/guardium.md
index 6c5ca3e..c7c99f4 100644
--- a/Extensions/guardium.md
+++ b/Extensions/guardium.md
@@ -9,14 +9,15 @@ product ="guardium"
Fields
------
-| Field | Core | Detection | Informational |
-| ------------ | ---- | --------- | ------------- |
-| process_name | | | ✓ |
-| service_name | | | ✓ |
-| domain | | | ✓ |
-| sql_count | | | ✓ |
-| user | | | ✓ |
-| db_object | | | ✓ |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| process_name | | | ✓ |
+| service_name | | | ✓ |
+| domain | | | ✓ |
+| sql_count | | | ✓ |
+| domain_user_name | | | |
+| user | | | ✓ |
+| db_object | | | ✓ |
Activity Types
--------------
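Review bot: the hunk header context shows the Expression line as `product ="guardium"`, missing the space that every other Expression line in this patch uses (`product = "..."`); normalize it to `product = "guardium"` while this file is being touched.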
diff --git a/Extensions/hp_laserjet_printer.md b/Extensions/hp_laserjet_printer.md
index 5f64ec4..22bc6dd 100644
--- a/Extensions/hp_laserjet_printer.md
+++ b/Extensions/hp_laserjet_printer.md
@@ -14,14 +14,15 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ---------------- | ------------ | ------ | -------- | --------- | ------------- |
-| printer-activity | src_port | | | | |
-| | src_ip | | | | |
-| | bytes | Legacy | | ✓ | |
-| | num_pages | Legacy | | ✓ | |
-| | printer_name | Legacy | ✓ | ✓ | |
-| | src_host | Legacy | | | ✓ |
-| | user | Legacy | ✓ | ✓ | |
-| | object | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ---------------- | --------------- | ------ | -------- | --------- | ------------- |
+| printer-activity | src_port | | | | |
+| | src_ip | | | | |
+| | bytes | Legacy | | ✓ | |
+| | num_pages | Legacy | | ✓ | |
+| | local_user_name | | | | |
+| | printer_name | Legacy | ✓ | ✓ | |
+| | src_host | Legacy | | | ✓ |
+| | user | Legacy | ✓ | ✓ | |
+| | object | | | | |
diff --git a/Extensions/hp_print_server.md b/Extensions/hp_print_server.md
index 66aa81d..2b9f132 100644
--- a/Extensions/hp_print_server.md
+++ b/Extensions/hp_print_server.md
@@ -9,19 +9,20 @@ product = "hp print server"
Fields
------
-| Field | Core | Detection | Informational |
-| ------------ | ---- | --------- | ------------- |
-| src_ip | | | ✓ |
-| num_pages | | | ✓ |
-| domain | | | ✓ |
-| dest_ip | | | ✓ |
-| dest_host | | | ✓ |
-| printer_sn | | | ✓ |
-| printer_id | | | ✓ |
-| printer_name | | | ✓ |
-| src_host | | | ✓ |
-| user | | | ✓ |
-| object | | | ✓ |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| src_ip | | | ✓ |
+| num_pages | | | ✓ |
+| domain | | | ✓ |
+| dest_ip | | | ✓ |
+| dest_host | | | ✓ |
+| printer_sn | | | ✓ |
+| domain_user_name | | | |
+| printer_id | | | ✓ |
+| printer_name | | | ✓ |
+| src_host | | | ✓ |
+| user | | | ✓ |
+| object | | | ✓ |
Activity Types
--------------
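Review bot: domain_user_name is inserted between printer_sn and printer_id, splitting the printer_* group, whereas the ftp and guardium hunks place it directly before `user`; if these tables are hand-maintained, put the row next to `domain`/`user`, and if they are generated, the generator's ordering rule should be mentioned so reviewers stop flagging placement.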
diff --git a/Extensions/hp_sure_click_enterprise.md b/Extensions/hp_sure_click_enterprise.md
index 0415e08..90dc322 100644
--- a/Extensions/hp_sure_click_enterprise.md
+++ b/Extensions/hp_sure_click_enterprise.md
@@ -20,6 +20,7 @@ Activity Types
| | process | | | | |
| | email_address | | | | |
| | additional_info | | | | |
+| | local_user_name | | | | |
| | malware_url | | | | |
| | src_host | Legacy | ✓ | ✓ | |
| | user | Legacy | | ✓ | |
diff --git a/Extensions/hp_virtual_connect_enterprise_manager.md b/Extensions/hp_virtual_connect_enterprise_manager.md
index eda5679..b679a9b 100644
--- a/Extensions/hp_virtual_connect_enterprise_manager.md
+++ b/Extensions/hp_virtual_connect_enterprise_manager.md
@@ -14,9 +14,9 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | ------------------- | ------- | ---- | --------- | ------------- |
-| app-login | src_ip | Default | | ✓ | |
-| | event_name | Default | | | ✓ |
-| | authentication_type | Default | | | ✓ |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------- | ------- | ---- | --------- | ------------- |
+| app-login | src_ip | Default | | ✓ | |
+| | auth_type | Default | | | ✓ |
+| | event_name | Default | | | ✓ |
diff --git a/Extensions/huawei_unified_security_gateway.md b/Extensions/huawei_unified_security_gateway.md
index 839bee8..4b5ded5 100644
--- a/Extensions/huawei_unified_security_gateway.md
+++ b/Extensions/huawei_unified_security_gateway.md
@@ -9,20 +9,30 @@ product = huawei unified security gateway
Fields
------
-There are no fields for this extension.
+| Field | Core | Detection | Informational |
+| ------ | ---- | --------- | ------------- |
+| src_ip | | | ✓ |
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | ------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | src_ip | Legacy | ✓ | ✓ | |
-| | src_port | Legacy | | | ✓ |
-| | protocol | Legacy | | ✓ | |
-| | email_address | | | | |
-| | application | | | | |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | user | Legacy | | ✓ | |
-| | dest_port | Legacy | | ✓ | |
-| | policy | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| -------------- | ------------------- | ------- | -------- | --------- | ------------- |
+| alert-trigger | app | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | src_port | Legacy | | | ✓ |
+| | protocol | Legacy | | ✓ | |
+| | email_address | | | | |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | user | Legacy | | ✓ | |
+| | dest_port | Legacy | | ✓ | |
+| | policy | | | | |
+| app-login | | | | | |
+| process-create | user | Default | | ✓ | |
+| vpn-login | src_port | Default | | | ✓ |
+| | src_translated_ip | Default | | | ✓ |
+| | protocol | Default | | | ✓ |
+| | dest_ip | Default | | ✓ | |
+| | src_translated_port | Default | | | ✓ |
+| | dest_port | Default | | | ✓ |
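Review bot: the hunk header context shows the Expression line as `product = huawei unified security gateway` with no quotes, the same kind of defect the iboss_cloud hunk in this patch fixes (`product = iboss secure web gateway"`); fix the quoting here as well. Also, the new `app-login` row has an empty Field cell and no Status or tick, so it documents an activity type with no fields; confirm this is a deliberate placeholder rather than a row emitted before its fields were filled in.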
diff --git a/Extensions/ibm_db2.md b/Extensions/ibm_db2.md
index 2a3a07a..5493283 100644
--- a/Extensions/ibm_db2.md
+++ b/Extensions/ibm_db2.md
@@ -17,37 +17,39 @@ Fields
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| --------------- | ------------------- | ------- | -------- | --------- | ------------- |
-| alert-trigger | result | | | | |
-| | src_ip | Legacy | ✓ | ✓ | |
-| | additional_info | | | | |
-| | alert_id | Legacy | | | ✓ |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | dest_host | Legacy | | ✓ | |
-| | malware_url | | | | |
-| | user | Legacy | | ✓ | |
-| database-login | src_ip | Default | | ✓ | |
-| | db_name | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | process_name | Default | | | ✓ |
-| | event_code | Default | | | ✓ |
-| | db_user | Default | | ✓ | |
-| | event_name | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | authentication_type | Default | | | ✓ |
-| | db_schema | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| database-modify | src_ip | Legacy | | | ✓ |
-| | db_name | | | | |
-| | event_code | | | | |
-| | db_user | Legacy | | | ✓ |
-| | event_name | | | | |
-| | authentication_type | | | | |
-| | db_schema | | | | |
-| | object | | | | |
-| file-read | additional_info | | | | |
-| | process_name | Legacy | | | ✓ |
-| | operation | | | | |
-| | user | Legacy | ✓ | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| --------------- | ------------------ | ------- | -------- | --------- | ------------- |
+| alert-trigger | result | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | additional_info | | | | |
+| | alert_id | Legacy | | | ✓ |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | dest_host | Legacy | | ✓ | |
+| | malware_url | | | | |
+| | user | Legacy | | ✓ | |
+| database-login | src_ip | Default | | ✓ | |
+| | auth_type | Default | | | ✓ |
+| | db_name | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | process_name | Default | | | ✓ |
+| | event_code | Default | | | ✓ |
+| | db_user | Default | | ✓ | |
+| | event_name | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | db_schema | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| | database_user_name | | | | |
+| database-modify | src_ip | Legacy | | | ✓ |
+| | auth_type | | | | |
+| | db_name | | | | |
+| | event_code | | | | |
+| | db_user | Legacy | | | ✓ |
+| | event_name | | | | |
+| | db_schema | | | | |
+| | database_user_name | | | | |
+| | object | | | | |
+| file-read | additional_info | | | | |
+| | process_name | Legacy | | | ✓ |
+| | operation | | | | |
+| | user | Legacy | ✓ | ✓ | |
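Review bot: database_user_name is placed inconsistently within this hunk, appended after `object` in database-login but inserted before `object` in database-modify; pick one position for both blocks. The `authentication_type` to `auth_type` rename here (and in the hp_virtual_connect_enterprise_manager hunk) is a field-name change that breaks references to the old name and belongs in the same migration note as the `application` to `app` rename.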
diff --git a/Extensions/ibm_infosphere_guardium.md b/Extensions/ibm_infosphere_guardium.md
index 3b51608..4b86755 100644
--- a/Extensions/ibm_infosphere_guardium.md
+++ b/Extensions/ibm_infosphere_guardium.md
@@ -14,22 +14,25 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | server_group | | | | |
-| | db_query | | | | |
-| | src_host | Legacy | ✓ | ✓ | |
-| | table_name | | | | |
-| | src_ip | Legacy | ✓ | ✓ | |
-| | db_name | | | | |
-| | bytes_out | | | | |
-| | additional_info | | | | |
-| | process_name | Legacy | | ✓ | |
-| | db_user | | | | |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | domain | | | | |
-| | dest_host | Legacy | | ✓ | |
-| | operation | | | | |
-| | user | Legacy | | ✓ | |
-| | account | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ------------------ | ------ | -------- | --------- | ------------- |
+| alert-trigger | server_group | | | | |
+| | db_query | | | | |
+| | domain_user_name | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | table_name | | | | |
+| | account_user_name | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | db_name | | | | |
+| | bytes_out | | | | |
+| | additional_info | | | | |
+| | process_name | Legacy | | ✓ | |
+| | db_user | | | | |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | domain | | | | |
+| | dest_host | Legacy | | ✓ | |
+| | operation | | | | |
+| | user | Legacy | | ✓ | |
+| | account | | | | |
+| | database_user_name | | | | |
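Review bot: this alert-trigger table gains three new identity fields (domain_user_name, account_user_name, database_user_name) next to the existing user, account and db_user rows, with no Status or tick on any of the new ones; the file should say how the new fields relate to the existing ones (parsed components, aliases, or replacements), otherwise consumers will not know which of user/domain_user_name or db_user/database_user_name to rely on.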
diff --git a/Extensions/ibm_resource_access_control_facility.md b/Extensions/ibm_resource_access_control_facility.md
index 4fdd1a9..b4947b1 100644
--- a/Extensions/ibm_resource_access_control_facility.md
+++ b/Extensions/ibm_resource_access_control_facility.md
@@ -4,51 +4,53 @@ ibm resource access control facility
Expression
----------
-product = "ibm racf"
+product = "ibm resource access control facility"
Fields
------
-| Field | Core | Detection | Informational |
-| --------------- | ---- | --------- | ------------- |
-| additional_info | | | ✓ |
-| dest_ip | | | ✓ |
-| db_user | | | ✓ |
-| user | | | ✓ |
-| object | | | ✓ |
+| Field | Core | Detection | Informational |
+| ------------------ | ---- | --------- | ------------- |
+| additional_info | | | ✓ |
+| dest_ip | | | ✓ |
+| db_user | | | ✓ |
+| user | | | ✓ |
+| database_user_name | | | |
+| object | | | ✓ |
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ----------------- | --------------- | ------- | ---- | --------- | ------------- |
-| app-activity | identifier | Default | | | ✓ |
-| | group_name | Default | | | ✓ |
-| | dest_user | Default | | ✓ | |
-| | terminal | Default | | | ✓ |
-| | src_host | Default | | ✓ | |
-| | alert_type | Default | | | ✓ |
-| | manager_name | Default | | | ✓ |
-| | environment | Default | | | ✓ |
-| | user_id | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | event_code | Default | | | ✓ |
-| | process_name | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | dest_host | Default | | ✓ | |
-| | manager_email | Default | | | ✓ |
-| app-login | manager_name | Default | | | ✓ |
-| | identifier | Default | | | ✓ |
-| | environment | Default | | | ✓ |
-| | manager | Default | | | ✓ |
-| | user_id | Default | | | ✓ |
-| | group_name | Default | | | ✓ |
-| | process_name | Default | | | ✓ |
-| | dest_host | Default | | ✓ | |
-| | src_host | Default | | ✓ | |
-| | terminal | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | alert_type | Default | | | ✓ |
-| database-activity | event_name | Default | | | ✓ |
-| | command | Default | | | ✓ |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ----------------- | --------------------- | ------- | ---- | --------- | ------------- |
+| app-activity | identifier | Default | | | ✓ |
+| | group_name | Default | | | ✓ |
+| | dest_user | Default | | ✓ | |
+| | terminal | Default | | | ✓ |
+| | src_host | Default | | ✓ | |
+| | alert_type | Default | | | ✓ |
+| | manager_name | Default | | | ✓ |
+| | environment | Default | | | ✓ |
+| | dest_domain_user_name | | | | |
+| | user_id | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | event_code | Default | | | ✓ |
+| | process_name | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | dest_host | Default | | ✓ | |
+| | manager_email | Default | | | ✓ |
+| app-login | manager_name | Default | | | ✓ |
+| | identifier | Default | | | ✓ |
+| | environment | Default | | | ✓ |
+| | manager | Default | | | ✓ |
+| | user_id | Default | | | ✓ |
+| | group_name | Default | | | ✓ |
+| | process_name | Default | | | ✓ |
+| | dest_host | Default | | ✓ | |
+| | src_host | Default | | ✓ | |
+| | terminal | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | alert_type | Default | | | ✓ |
+| database-activity | event_name | Default | | | ✓ |
+| | command | Default | | | ✓ |
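Review bot: the Expression change from `product = "ibm racf"` to `product = "ibm resource access control facility"` is a breaking change for existing queries keyed on the short value and should be listed with its old-to-new mapping. In the Fields table, the new database_user_name row has no Informational tick while the neighbouring db_user and user rows do; confirm whether that difference is intended.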
diff --git a/Extensions/ibm_sense.md b/Extensions/ibm_sense.md
index 684732c..c224a43 100644
--- a/Extensions/ibm_sense.md
+++ b/Extensions/ibm_sense.md
@@ -22,6 +22,7 @@ Activity Types
| | additional_info | | | | |
| | process_name | Legacy | | ✓ | |
| | alert_id | Legacy | | | ✓ |
+| | local_user_name | | | | |
| | sense_score | | | | |
| | dest_host | Legacy | | ✓ | |
| | malware_url | | | | |
diff --git a/Extensions/iboss_cloud.md b/Extensions/iboss_cloud.md
index dd7124f..8ad83c7 100644
--- a/Extensions/iboss_cloud.md
+++ b/Extensions/iboss_cloud.md
@@ -4,7 +4,7 @@ iboss cloud
Expression
----------
-product = iboss secure web gateway"
+product = "iboss cloud"
Fields
------
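Review bot: this one-line change bundles two things, the fix for the unbalanced quote in `product = iboss secure web gateway"` and a change of the product value itself to "iboss cloud"; the value change is the consequential part for anyone matching on the old string, so the commit message should name it explicitly rather than letting it pass as a quoting fix.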
diff --git a/Extensions/icdb.md b/Extensions/icdb.md
index cc2c474..7f841bd 100644
--- a/Extensions/icdb.md
+++ b/Extensions/icdb.md
@@ -18,6 +18,7 @@ Activity Types
| ------------- | --------------- | ------- | ---- | --------- | ------------- |
| app-activity | src_ip | Default | | ✓ | |
| | additional_info | Default | | | ✓ |
+| | local_user_name | | | | |
| | src_host | Default | | ✓ | |
| | user | Default | | ✓ | |
| | object | Default | | | ✓ |
diff --git a/Extensions/identitynow.md b/Extensions/identitynow.md
index 8359057..dd1943e 100644
--- a/Extensions/identitynow.md
+++ b/Extensions/identitynow.md
@@ -41,6 +41,7 @@ Activity Types
| | operation | Default | | | ✓ |
| user-modify | src_ip | | | | |
| | additional_info | | | | |
+| | local_user_name | | | | |
| | fingerprint | | | | |
| | src_host | Legacy | | | ✓ |
| | event_subtype | | | | |
@@ -54,6 +55,7 @@ Activity Types
| | operation | Default | | | ✓ |
| user-unlock | src_ip | | | | |
| | additional_info | | | | |
+| | local_user_name | | | | |
| | fingerprint | | | | |
| | src_host | | | | |
| | event_subtype | | | | |
diff --git a/Extensions/illumio_core.md b/Extensions/illumio_core.md
index a561396..02ff4ad 100644
--- a/Extensions/illumio_core.md
+++ b/Extensions/illumio_core.md
@@ -14,19 +14,20 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| --------------- | -------------- | ------- | ---- | --------- | ------------- |
-| network-session | process_id | Default | | | ✓ |
-| | alert_severity | Default | | | ✓ |
-| | src_host | Default | | ✓ | |
-| | uri_path | Default | | | ✓ |
-| | web_domain | Default | | | ✓ |
-| | process_name | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | dest_host | Default | | ✓ | |
-| | action | Default | | | ✓ |
-| | location | Default | | | ✓ |
-| | category | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | direction | Default | | | ✓ |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| --------------- | ---------------- | ------- | ---- | --------- | ------------- |
+| network-session | process_id | Default | | | ✓ |
+| | alert_severity | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | src_host | Default | | ✓ | |
+| | uri_path | Default | | | ✓ |
+| | web_domain | Default | | | ✓ |
+| | process_name | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | dest_host | Default | | ✓ | |
+| | action | Default | | | ✓ |
+| | location | Default | | | ✓ |
+| | category | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | direction | Default | | | ✓ |
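Review bot: `domain_user_name` is the only one of the fourteen `network-session` rows without a Status (all others are `Default`) and has no tier mark; since the entire table is rewritten here just to widen the Field column, that single functional change is easy to miss, so either classify the row or mention in the commit message that it is intentionally unclassified.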
diff --git a/Extensions/imanage.md b/Extensions/imanage.md
index d7c8ed3..5250733 100644
--- a/Extensions/imanage.md
+++ b/Extensions/imanage.md
@@ -16,13 +16,14 @@ Activity Types
| Activity Type | Field | Status | Core | Detection | Informational |
| ------------- | --------------- | ------- | -------- | --------- | ------------- |
-| alert-trigger | application | | | | |
+| alert-trigger | app | | | | |
| | file_name | Legacy | ✓ | | |
| | user | Legacy | | ✓ | |
| app-activity | file_path | Default | | | ✓ |
| | resource | Default | | | ✓ |
| | file_name | Default | | | ✓ |
| | file_dir | Default | | | ✓ |
+| | local_user_name | | | | |
| | src_host | Default | | ✓ | |
| | client_id | Default | | | ✓ |
| | src_ip | Default | | ✓ | |
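Review bot: renaming `application` to `app` under `alert-trigger` is a field rename, not a documentation tweak; any search, rule or dashboard keyed on `application` for this extension stops matching silently. The same rename appears in several other files in this change set (imperva_securesphere, juniper_networks_srx, juniper_pulse_secure, kaspersky_enterprise_security, lanscope_cat, lastpass, leap), so one migration note listing the affected extensions would serve readers better than per-file silence.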
diff --git a/Extensions/imperva_counterbreach.md b/Extensions/imperva_counterbreach.md
index ab2ee20..e37e534 100644
--- a/Extensions/imperva_counterbreach.md
+++ b/Extensions/imperva_counterbreach.md
@@ -14,20 +14,23 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | file_name | Legacy | ✓ | | |
-| | src_host | Legacy | ✓ | ✓ | |
-| | table_name | | | | |
-| | result | | | | |
-| | src_ip | Legacy | ✓ | ✓ | |
-| | bytes_out | | | | |
-| | additional_info | | | | |
-| | db_user | | | | |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | domain | | | | |
-| | dest_host | Legacy | | ✓ | |
-| | malware_url | | | | |
-| | user | Legacy | | ✓ | |
-| | account | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ------------------ | ------ | -------- | --------- | ------------- |
+| alert-trigger | file_name | Legacy | ✓ | | |
+| | domain_user_name | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | table_name | | | | |
+| | account_user_name | | | | |
+| | result | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | bytes_out | | | | |
+| | additional_info | | | | |
+| | db_user | | | | |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | domain | | | | |
+| | dest_host | Legacy | | ✓ | |
+| | malware_url | | | | |
+| | user | Legacy | | ✓ | |
+| | account | | | | |
+| | database_user_name | | | | |
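Review bot: `domain_user_name`, `account_user_name` and `database_user_name` are added beside the existing `user`, `account` and `db_user` rows with no Status or tier, which leaves it unclear whether they supersede the older fields (which keep `Legacy` / Detection) or are parsed alongside them; a one-line note on the relationship, or marking the older rows deprecated, would avoid two fields carrying the same value under different names.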
diff --git a/Extensions/imperva_file_activity_monitoring.md b/Extensions/imperva_file_activity_monitoring.md
index 3aeed7c..c7884d5 100644
--- a/Extensions/imperva_file_activity_monitoring.md
+++ b/Extensions/imperva_file_activity_monitoring.md
@@ -9,19 +9,20 @@ product = "imperva file activity monitoring"
Fields
------
-| Field | Core | Detection | Informational |
-| ------------ | ---- | --------- | ------------- |
-| src_ip | | ✓ | |
-| src_port | | | ✓ |
-| protocol | | | ✓ |
-| access_type | | | ✓ |
-| server_group | | | ✓ |
-| access | | | ✓ |
-| service_name | | | ✓ |
-| domain | | ✓ | |
-| dest_ip | | ✓ | |
-| dest_host | | ✓ | |
-| user | | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| src_ip | | ✓ | |
+| src_port | | | ✓ |
+| protocol | | | ✓ |
+| access_type | | | ✓ |
+| server_group | | | ✓ |
+| access | | | ✓ |
+| service_name | | | ✓ |
+| domain | | ✓ | |
+| dest_ip | | ✓ | |
+| dest_host | | ✓ | |
+| domain_user_name | | | |
+| user | | ✓ | |
Activity Types
--------------
diff --git a/Extensions/imperva_securesphere.md b/Extensions/imperva_securesphere.md
index 630a9cc..d2b5fca 100644
--- a/Extensions/imperva_securesphere.md
+++ b/Extensions/imperva_securesphere.md
@@ -9,33 +9,35 @@ product = imperva securesphere
Fields
------
-| Field | Core | Detection | Informational |
-| --------- | ---- | --------- | ------------- |
-| src_ip | | ✓ | |
-| domain | | ✓ | |
-| dest_ip | | ✓ | |
-| dest_host | | | ✓ |
-| src_host | | | ✓ |
-| user | | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| src_ip | | ✓ | |
+| domain | | ✓ | |
+| dest_ip | | ✓ | |
+| dest_host | | | ✓ |
+| domain_user_name | | | |
+| src_host | | | ✓ |
+| user | | ✓ | |
Activity Types
--------------
| Activity Type | Field | Status | Core | Detection | Informational |
| --------------- | --------------- | ------- | -------- | --------- | ------------- |
-| alert-trigger | server_group | | | | |
+| alert-trigger | app | | | | |
+| | server_group | | | | |
| | service_name | | | | |
+| | local_user_name | | | | |
| | src_host | Legacy | ✓ | ✓ | |
| | src_ip | Legacy | ✓ | ✓ | |
| | src_port | Legacy | | | ✓ |
-| | db_name | Legacy | | ✓ | |
-| | application | | | | |
+| | db_name | | | | |
| | additional_info | | | | |
-| | database_schema | | | | |
| | alert_id | Legacy | | | ✓ |
| | dest_ip | Legacy | ✓ | ✓ | |
| | dest_host | Legacy | | ✓ | |
| | user | Legacy | | ✓ | |
+| | db_schema | | | | |
| database-delete | src_port | | | | |
| | db_name | | | | |
| | service_name | | | | |
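Review bot: `db_name` goes from `Legacy` with a Detection mark to fully blank, which downgrades a field previously used for detection, and `database_schema` is replaced by `db_schema` at a different position in the table; neither change is mentioned. The hunk header also shows `product = imperva securesphere` unquoted while most expressions in this tree are quoted (for example `product = "infowatch dlp"`); worth normalizing while this file is being touched.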
diff --git a/Extensions/imperva_web_app_firewall.md b/Extensions/imperva_web_app_firewall.md
new file mode 100644
index 0000000..5843a89
--- /dev/null
+++ b/Extensions/imperva_web_app_firewall.md
@@ -0,0 +1,27 @@
+imperva web app firewall
+========================
+
+Expression
+----------
+
+product = imperva web Application firewall
+
+Fields
+------
+
+There are no fields for this extension.
+
+Activity Types
+--------------
+
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ----------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | external_address | | | | |
+| | email_address | | | | |
+| | sender | Legacy | ✓ | | |
+| | bytes | Legacy | | ✓ | |
+| | recipients | | | | |
+| | recipient | | | | |
+| | email_attachments | | | | |
+| | email_subject | | | | |
+
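Review bot: the `alert-trigger` fields listed for a web application firewall are all e-mail fields (`sender`, `recipients`, `email_attachments`, `email_subject`), which looks copied from a mail-gateway extension rather than derived from WAF events; the request-oriented fields used elsewhere in this tree (`src_ip`, `dest_ip`, `uri_path`, `rule_id`) would be the expected set. Separately, `product = imperva web Application firewall` is unquoted and mixed-case while the title is `imperva web app firewall`; if matching is exact, the expression will not match the product name the title implies.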
diff --git a/Extensions/infowatch_dlp.md b/Extensions/infowatch_dlp.md
index de89b35..a722756 100644
--- a/Extensions/infowatch_dlp.md
+++ b/Extensions/infowatch_dlp.md
@@ -9,11 +9,12 @@ product = "infowatch dlp"
Fields
------
-| Field | Core | Detection | Informational |
-| ------ | ---- | --------- | ------------- |
-| src_ip | | ✓ | |
-| domain | | ✓ | |
-| user | | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| src_ip | | ✓ | |
+| domain | | ✓ | |
+| domain_user_name | | | |
+| user | | ✓ | |
Activity Types
--------------
diff --git a/Extensions/ivanti_mobileiron.md b/Extensions/ivanti_mobileiron.md
index f056b12..c2c1723 100644
--- a/Extensions/ivanti_mobileiron.md
+++ b/Extensions/ivanti_mobileiron.md
@@ -14,12 +14,13 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | src_ip | Legacy | ✓ | ✓ | |
-| | additional_info | | | | |
-| | domain | | | | |
-| | malware_url | | | | |
-| | src_host | Legacy | ✓ | ✓ | |
-| | user | Legacy | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | src_ip | Legacy | ✓ | ✓ | |
+| | additional_info | | | | |
+| | domain | | | | |
+| | malware_url | | | | |
+| | domain_user_name | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | user | Legacy | | ✓ | |
diff --git a/Extensions/jh.md b/Extensions/jh.md
index d8f6c73..1a42a67 100644
--- a/Extensions/jh.md
+++ b/Extensions/jh.md
@@ -14,13 +14,14 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------ | -------- | --------- | ------------- |
-| file-download | src_ip | | | | |
-| | access | | | | |
-| | download_source | | | | |
-| | domain | | | | |
-| | order_num | | | | |
-| | contact_id | | | | |
-| | user | Legacy | ✓ | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
+| file-download | src_ip | | | | |
+| | access | | | | |
+| | download_source | | | | |
+| | domain | | | | |
+| | domain_user_name | | | | |
+| | order_num | | | | |
+| | contact_id | | | | |
+| | user | Legacy | ✓ | ✓ | |
diff --git a/Extensions/juniper_networks_srx.md b/Extensions/juniper_networks_srx.md
index e5743eb..2625720 100644
--- a/Extensions/juniper_networks_srx.md
+++ b/Extensions/juniper_networks_srx.md
@@ -16,12 +16,12 @@ Activity Types
| Activity Type | Field | Status | Core | Detection | Informational |
| ------------- | ------------ | ------ | -------- | --------- | ------------- |
-| alert-trigger | result | | | | |
+| alert-trigger | app | | | | |
+| | result | | | | |
| | rule_id | | | | |
| | src_ip | Legacy | ✓ | ✓ | |
| | src_port | Legacy | | | ✓ |
| | protocol | Legacy | | ✓ | |
-| | application | | | | |
| | service_name | | | | |
| | dest_ip | Legacy | ✓ | ✓ | |
| | user | Legacy | | ✓ | |
diff --git a/Extensions/juniper_pulse_secure.md b/Extensions/juniper_pulse_secure.md
index 016207d..bd9d5bf 100644
--- a/Extensions/juniper_pulse_secure.md
+++ b/Extensions/juniper_pulse_secure.md
@@ -9,11 +9,12 @@ product = "juniper pulse secure"
Fields
------
-| Field | Core | Detection | Informational |
-| ------ | ---- | --------- | ------------- |
-| src_ip | | ✓ | |
-| domain | | ✓ | |
-| user | | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| src_ip | | ✓ | |
+| domain | | ✓ | |
+| domain_user_name | | | |
+| user | | ✓ | |
Activity Types
--------------
@@ -25,7 +26,7 @@ Activity Types
| | dest_host | Default | | ✓ | |
| | src_host | Default | | ✓ | |
| | user_agent | Default | | | ✓ |
-| http-request | application | Default | | | ✓ |
+| http-request | app | Default | | | ✓ |
| | additional_info | Default | | | ✓ |
| | bytes | Default | | | ✓ |
| | dest_host | Default | | ✓ | |
diff --git a/Extensions/kaspersky_endpoint_security_for_business.md b/Extensions/kaspersky_endpoint_security_for_business.md
index cdf532a..d50da38 100644
--- a/Extensions/kaspersky_endpoint_security_for_business.md
+++ b/Extensions/kaspersky_endpoint_security_for_business.md
@@ -4,7 +4,7 @@ kaspersky endpoint security for business
Expression
----------
-product = "kaspersky endpoint security for business"
+product = kaspersky endpoint security for business
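Review bot: this removes the quotes from `product = "kaspersky endpoint security for business"`, the opposite of the fix made to iboss_cloud.md in the same change set; if the expression parser treats unquoted multi-word values differently, or rejects them, matching for this extension breaks. Keep the quoted form.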
Fields
------
@@ -14,19 +14,22 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------------------- | --------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | device_ip | | | | |
-| | result | | | | |
-| | additional_info | | | | |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | domain | | | | |
-| | action | Legacy | | | ✓ |
-| | dest_host | Legacy | | ✓ | |
-| | device_type | | | | |
-| | operation | | | | |
-| | user | Legacy | | ✓ | |
-| peripheral_storage-insert | src_ip | | | | |
-| | user | Legacy | ✓ | ✓ | |
-| | operation | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------------------- | ---------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | domain_user_name | | | | |
+| | device_type | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | device_ip | | | | |
+| | result | | | | |
+| | additional_info | | | | |
+| | domain | | | | |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | action | Legacy | | | ✓ |
+| | dest_host | Legacy | | ✓ | |
+| | malware_url | | | | |
+| | user | Legacy | | ✓ | |
+| | operation | | | | |
+| peripheral_storage-insert | src_ip | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | operation | | | | |
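Review bot: two rows are new here and not merely moved, which the whole-table rewrite hides: `src_host` (Legacy, Core and Detection) and `malware_url`. Adding a Core field to `alert-trigger` changes what the extension requires of an event, so it deserves a mention. `domain_user_name` is placed at the head of the block with no Status or tier.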
diff --git a/Extensions/kaspersky_enterprise_security.md b/Extensions/kaspersky_enterprise_security.md
index 7fc10a1..05202b3 100644
--- a/Extensions/kaspersky_enterprise_security.md
+++ b/Extensions/kaspersky_enterprise_security.md
@@ -14,21 +14,22 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | event_name_code | | | | |
-| | file_name | Legacy | ✓ | | |
-| | file_dir | Legacy | | | ✓ |
-| | src_host | Legacy | ✓ | ✓ | |
-| | result | | | | |
-| | src_ip | Legacy | ✓ | ✓ | |
-| | file_ext | | | | |
-| | application | | | | |
-| | additional_info | | | | |
-| | alert_id | Legacy | | | ✓ |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | domain | | | | |
-| | action | Legacy | | | ✓ |
-| | dest_host | Legacy | | ✓ | |
-| | user | Legacy | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | app | | | | |
+| | event_name_code | | | | |
+| | file_name | Legacy | ✓ | | |
+| | file_dir | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | result | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | file_ext | | | | |
+| | additional_info | | | | |
+| | alert_id | Legacy | | | ✓ |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | domain | | | | |
+| | action | Legacy | | | ✓ |
+| | dest_host | Legacy | | ✓ | |
+| | user | Legacy | | ✓ | |
diff --git a/Extensions/kemp_loadmaster.md b/Extensions/kemp_loadmaster.md
index 5b3efa8..ca5bb48 100644
--- a/Extensions/kemp_loadmaster.md
+++ b/Extensions/kemp_loadmaster.md
@@ -14,22 +14,23 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------------ | --------- | ------- | ---- | --------- | ------------- |
-| app-activity | src_port | Default | | | ✓ |
-| | src_ip | Default | | ✓ | |
-| | dest_ip | Default | | ✓ | |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | dest_port | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| app-authentication | dest_ip | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| app-login | src_ip | Default | | ✓ | |
-| | dest_ip | Default | | ✓ | |
-| | dest_host | Default | | ✓ | |
-| | src_host | Default | | ✓ | |
-| http-request | domain | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------------ | ---------------- | ------- | ---- | --------- | ------------- |
+| app-activity | src_port | Default | | | ✓ |
+| | src_ip | Default | | ✓ | |
+| | dest_ip | Default | | ✓ | |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | dest_port | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| app-authentication | dest_ip | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| app-login | src_ip | Default | | ✓ | |
+| | dest_ip | Default | | ✓ | |
+| | dest_host | Default | | ✓ | |
+| | src_host | Default | | ✓ | |
+| http-request | domain | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
diff --git a/Extensions/kiteworks.md b/Extensions/kiteworks.md
index 7c7b7a4..27376d7 100644
--- a/Extensions/kiteworks.md
+++ b/Extensions/kiteworks.md
@@ -9,11 +9,12 @@ product = "kiteworks"
Fields
------
-| Field | Core | Detection | Informational |
-| ------ | -------- | --------- | ------------- |
-| src_ip | | ✓ | |
-| domain | | ✓ | |
-| user | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| src_ip | | ✓ | |
+| domain | | ✓ | |
+| domain_user_name | | | |
+| user | ✓ | ✓ | |
Activity Types
--------------
diff --git a/Extensions/lanscope_cat.md b/Extensions/lanscope_cat.md
index ac28d8d..0e7807a 100644
--- a/Extensions/lanscope_cat.md
+++ b/Extensions/lanscope_cat.md
@@ -14,37 +14,38 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| --------------------------- | ------------ | ------- | -------- | --------- | ------------- |
-| alert-trigger | src_ip | Legacy | ✓ | ✓ | |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | num_pages | | | | |
-| | dest_host | Legacy | | ✓ | |
-| | printer_name | | | | |
-| | src_host | Legacy | ✓ | ✓ | |
-| | operation | | | | |
-| | user | Legacy | | ✓ | |
-| | object | | | | |
-| app-activity | file_path | Default | | | ✓ |
-| | file_ext | Default | | | ✓ |
-| | application | Default | | | ✓ |
-| | file_name | Default | | | ✓ |
-| | bytes | Default | | | ✓ |
-| | file_dir | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | object | Default | | | ✓ |
-| endpoint-login | src_ip | Default | | ✓ | |
-| file-read | bytes | Legacy | | | ✓ |
-| file-write | bytes | Legacy | | ✓ | |
-| http-session | | | | | |
-| peripheral_storage-activity | src_ip | Default | | ✓ | |
-| | process_name | Default | | | ✓ |
-| | bytes | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| printer-activity | src_ip | | | ✓ | |
-| | num_pages | Legacy | | ✓ | |
-| | dest_ip | | | ✓ | |
-| | dest_host | | | ✓ | |
-| | printer_name | Legacy | ✓ | ✓ | |
-| | src_host | Legacy | | | ✓ |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| --------------------------- | --------------- | ------- | -------- | --------- | ------------- |
+| alert-trigger | src_ip | Legacy | ✓ | ✓ | |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | num_pages | | | | |
+| | local_user_name | | | | |
+| | dest_host | Legacy | | ✓ | |
+| | printer_name | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | operation | | | | |
+| | user | Legacy | | ✓ | |
+| | object | | | | |
+| app-activity | app | Default | | | ✓ |
+| | file_path | Default | | | ✓ |
+| | file_ext | Default | | | ✓ |
+| | file_name | Default | | | ✓ |
+| | bytes | Default | | | ✓ |
+| | file_dir | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | object | Default | | | ✓ |
+| endpoint-login | src_ip | Default | | ✓ | |
+| file-read | bytes | Legacy | | | ✓ |
+| file-write | bytes | Legacy | | ✓ | |
+| http-session | | | | | |
+| peripheral_storage-activity | src_ip | Default | | ✓ | |
+| | process_name | Default | | | ✓ |
+| | bytes | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| printer-activity | src_ip | | | ✓ | |
+| | num_pages | Legacy | | ✓ | |
+| | dest_ip | | | ✓ | |
+| | dest_host | | | ✓ | |
+| | printer_name | Legacy | ✓ | ✓ | |
+| | src_host | Legacy | | | ✓ |
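Review bot: `http-session` is still an activity type with an empty Field cell (`| http-session | | | | | |`); since the whole table is rewritten anyway, either drop the row or state that the activity type is recognised with no extracted fields. The moved `app` row correctly keeps the `Default` / Informational marks of the removed `application` row, which is how the rename should look in the other files too.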
diff --git a/Extensions/lastline_(vmware)_lastline_defender.md b/Extensions/lastline_(vmware)_lastline_defender.md
index a64c831..eec9bf1 100644
--- a/Extensions/lastline_(vmware)_lastline_defender.md
+++ b/Extensions/lastline_(vmware)_lastline_defender.md
@@ -22,6 +22,7 @@ Activity Types
| | additional_info | | | | |
| | alert_id | Legacy | | | ✓ |
| | dest_ip | Legacy | ✓ | ✓ | |
+| | local_user_name | | | | |
| | dest_host | Legacy | | ✓ | |
| | src_host | Legacy | ✓ | ✓ | |
| | user | Legacy | | ✓ | |
diff --git a/Extensions/lastpass.md b/Extensions/lastpass.md
index d465594..94647e6 100644
--- a/Extensions/lastpass.md
+++ b/Extensions/lastpass.md
@@ -14,14 +14,15 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------- | ---- | --------- | ------------- |
-| app-activity | src_ip | Default | | ✓ | |
-| | application | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | event_name | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| app-login | src_ip | Default | | ✓ | |
-| | additional_info | Default | | | ✓ |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------- | ---- | --------- | ------------- |
+| app-activity | app | Default | | | ✓ |
+| | src_ip | Default | | ✓ | |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | event_name | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| app-login | src_ip | Default | | ✓ | |
+| | additional_info | Default | | | ✓ |
diff --git a/Extensions/leap.md b/Extensions/leap.md
index 5b9d6c2..75d694e 100644
--- a/Extensions/leap.md
+++ b/Extensions/leap.md
@@ -16,12 +16,12 @@ Activity Types
| Activity Type | Field | Status | Core | Detection | Informational |
| ------------- | --------------- | ------- | ---- | --------- | ------------- |
-| app-activity | resource | Default | | | ✓ |
+| app-activity | app | Default | | | ✓ |
+| | resource | Default | | | ✓ |
| | secondary_key | Default | | | ✓ |
| | primary_key | Default | | | ✓ |
| | url | Default | | | ✓ |
| | field_name | Default | | | ✓ |
-| | application | Default | | | ✓ |
| | additional_info | Default | | | ✓ |
| | object_name | Default | | | ✓ |
| | dest_ip | Default | | ✓ | |
diff --git a/Extensions/logbinder_for_sharepoint.md b/Extensions/logbinder_for_sharepoint.md
index 76d4d2c..61652ce 100644
--- a/Extensions/logbinder_for_sharepoint.md
+++ b/Extensions/logbinder_for_sharepoint.md
@@ -9,12 +9,13 @@ product = "logbinder for sharepoint"
Fields
------
-| Field | Core | Detection | Informational |
-| --------------- | ---- | --------- | ------------- |
-| access | | | ✓ |
-| additional_info | | | ✓ |
-| domain | | | ✓ |
-| user | | | ✓ |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| access | | | ✓ |
+| additional_info | | | ✓ |
+| domain | | | ✓ |
+| domain_user_name | | | |
+| user | | | ✓ |
Activity Types
--------------
diff --git a/Extensions/logrhythm.md b/Extensions/logrhythm.md
index 728e748..68cf209 100644
--- a/Extensions/logrhythm.md
+++ b/Extensions/logrhythm.md
@@ -14,14 +14,15 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| -------------- | ---------- | ------- | ---- | --------- | ------------- |
-| process-create | src_port | Default | | | ✓ |
-| | src_ip | Default | | ✓ | |
-| | protocol | Default | | | ✓ |
-| | dest_ip | Default | | ✓ | |
-| | domain | Default | | | ✓ |
-| | event_name | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | dest_port | Default | | | ✓ |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| -------------- | ---------------- | ------- | ---- | --------- | ------------- |
+| process-create | src_port | Default | | | ✓ |
+| | src_ip | Default | | ✓ | |
+| | protocol | Default | | | ✓ |
+| | dest_ip | Default | | ✓ | |
+| | domain | Default | | | ✓ |
+| | event_name | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | dest_port | Default | | | ✓ |
diff --git a/Extensions/lumension.md b/Extensions/lumension.md
index dc0691d..9c1ab02 100644
--- a/Extensions/lumension.md
+++ b/Extensions/lumension.md
@@ -16,6 +16,7 @@ Fields
| bytes | | | ✓ |
| domain | | | ✓ |
| device_type | | | ✓ |
+| domain_user_name | | | |
| user | | | ✓ |
| operation_details | | | ✓ |
| operation | | | ✓ |
diff --git a/Extensions/m365_audit_logs.md b/Extensions/m365_audit_logs.md
new file mode 100644
index 0000000..b56373f
--- /dev/null
+++ b/Extensions/m365_audit_logs.md
@@ -0,0 +1,41 @@
+m365 audit logs
+===============
+
+Expression
+----------
+
+product = "m365 audit logs"
+
+Fields
+------
+
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| domain | | | ✓ |
+| domain_user_name | | | |
+| user | | | ✓ |
+| operation | | | ✓ |
+
+Activity Types
+--------------
+
+| Activity Type | Field | Status | Core | Detection | Informational |
+| --------------- | ---------------- | ------- | ---- | --------- | ------------- |
+| app-activity | src_ip | Default | | ✓ | |
+| app-login | src_ip | Default | | ✓ | |
+| | additional_info | Default | | | ✓ |
+| | location_country | Default | | | ✓ |
+| | location_city | Default | | | ✓ |
+| | result_code | Default | | | ✓ |
+| | src_host | Default | | ✓ | |
+| | location_state | Default | | | ✓ |
+| file-download | | | | | |
+| group-create | src_ip | | | | |
+| group-delete | src_ip | | | | |
+| policy-create | src_ip | Default | | ✓ | |
+| policy-delete | src_ip | Default | | ✓ | |
+| policy-modify | src_ip | Default | | ✓ | |
+| policy-read | src_ip | Default | | ✓ | |
+| share_link-open | | | | | |
+| user-modify | src_ip | | | | |
+
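Review bot: this new file uses `product = "m365 audit logs"`, the same expression as the existing Extensions/microsoft_365_audit_logs.md, which is also modified further down in this change set and already carries an identical Fields table; two extension documents now claim the same product and will drift apart. One should be removed or the naming reconciled. Also, `file-download` and `share_link-open` have empty Field cells.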
diff --git a/Extensions/malwarebytes_endpoint_detection_and_response.md b/Extensions/malwarebytes_endpoint_detection_and_response.md
index a3163d1..8a42941 100644
--- a/Extensions/malwarebytes_endpoint_detection_and_response.md
+++ b/Extensions/malwarebytes_endpoint_detection_and_response.md
@@ -14,13 +14,14 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | ------------ | ------ | -------- | --------- | ------------- |
-| alert-trigger | result | | | | |
-| | src_ip | Legacy | ✓ | ✓ | |
-| | src_mac | | | | |
-| | process_name | Legacy | | ✓ | |
-| | malware_url | | | | |
-| | src_host | Legacy | ✓ | ✓ | |
-| | user | Legacy | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | --------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | result | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | src_mac | | | | |
+| | process_name | Legacy | | ✓ | |
+| | local_user_name | | | | |
+| | malware_url | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | user | Legacy | | ✓ | |
diff --git a/Extensions/malwarebytes_endpoint_protection.md b/Extensions/malwarebytes_endpoint_protection.md
index acf6c90..1ba5be0 100644
--- a/Extensions/malwarebytes_endpoint_protection.md
+++ b/Extensions/malwarebytes_endpoint_protection.md
@@ -20,7 +20,9 @@ Activity Types
| | process | | | | |
| | additional_info | | | | |
| | process_name | Legacy | | ✓ | |
+| | local_user_name | | | | |
| | action | Legacy | | | ✓ |
+| | malware_url | | | | |
| | src_host | Legacy | ✓ | ✓ | |
| | user | Legacy | | ✓ | |
diff --git a/Extensions/mastersam_pam.md b/Extensions/mastersam_pam.md
index af16b02..ff286ad 100644
--- a/Extensions/mastersam_pam.md
+++ b/Extensions/mastersam_pam.md
@@ -9,11 +9,12 @@ product = "mastersam pam"
Fields
------
-| Field | Core | Detection | Informational |
-| -------- | ---- | --------- | ------------- |
-| protocol | | | ✓ |
-| domain | | | ✓ |
-| user | | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| protocol | | | ✓ |
+| domain | | | ✓ |
+| domain_user_name | | | |
+| user | | ✓ | |
Activity Types
--------------
diff --git a/Extensions/mcafee_(trellix)_endpoint_security.md b/Extensions/mcafee_(trellix)_endpoint_security.md
index c54121c..6e4c0ee 100644
--- a/Extensions/mcafee_(trellix)_endpoint_security.md
+++ b/Extensions/mcafee_(trellix)_endpoint_security.md
@@ -18,7 +18,9 @@ Activity Types
| ------------- | ----------------- | ------ | -------- | --------- | ------------- |
| alert-trigger | process | | | | |
| | malware_file_name | | | | |
+| | os | | | | |
| | file_name | Legacy | ✓ | | |
+| | local_user_name | | | | |
| | src_host | Legacy | ✓ | ✓ | |
| | result | | | | |
| | file_ext | | | | |
@@ -26,7 +28,6 @@ Activity Types
| | process_name | Legacy | | ✓ | |
| | dest_ip | Legacy | ✓ | ✓ | |
| | hash_md5 | | | | |
-| | operating_system | | | | |
| | threat_type | | | | |
| | malware_url | | | | |
| | user | Legacy | | ✓ | |
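Review bot: the `operating_system` to `os` rename is split across two hunks (`os` added in the first hunk, `operating_system` removed here), so each hunk read alone looks like a plain add or delete rather than a rename, and the new row sits at a different position. A note that this is a rename, as with `application` to `app` elsewhere in the change set, would help anyone auditing field names.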
diff --git a/Extensions/mcafee_dlp.md b/Extensions/mcafee_dlp.md
index e65b424..5452782 100644
--- a/Extensions/mcafee_dlp.md
+++ b/Extensions/mcafee_dlp.md
@@ -19,6 +19,7 @@ Activity Types
| alert-trigger | num_pages | | | | |
| | rule | | | | |
| | device_type | | | | |
+| | domain_user_name | | | | |
| | src_ip | Legacy | ✓ | ✓ | |
| | external_address | | | | |
| | protocol | Legacy | | ✓ | |
diff --git a/Extensions/mcafee_endpoint_security.md b/Extensions/mcafee_endpoint_security.md
index ba1d499..f1360fa 100644
--- a/Extensions/mcafee_endpoint_security.md
+++ b/Extensions/mcafee_endpoint_security.md
@@ -14,22 +14,25 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------------------- | ------------ | ------ | -------- | --------- | ------------- |
-| alert-trigger | result | | | | |
-| | process_name | Legacy | | ✓ | |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | domain | | | | |
-| | dest_host | Legacy | | ✓ | |
-| | process_dir | | | | |
-| | process_path | Legacy | | ✓ | |
-| | user | Legacy | | ✓ | |
-| peripheral_storage-insert | domain | | | ✓ | |
-| | dest_ip | | | ✓ | |
-| | user | Legacy | ✓ | ✓ | |
-| printer-activity | bytes | Legacy | | ✓ | |
-| | domain | | | ✓ | |
-| | dest_ip | | | ✓ | |
-| | printer_name | Legacy | ✓ | ✓ | |
-| | user | Legacy | ✓ | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------------------- | ---------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | result | | | | |
+| | process_name | Legacy | | ✓ | |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | domain | | | | |
+| | dest_host | Legacy | | ✓ | |
+| | process_dir | | | | |
+| | domain_user_name | | | | |
+| | process_path | Legacy | | ✓ | |
+| | user | Legacy | | ✓ | |
+| peripheral_storage-insert | domain | | | ✓ | |
+| | dest_ip | | | ✓ | |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| printer-activity | bytes | Legacy | | ✓ | |
+| | domain | | | ✓ | |
+| | dest_ip | | | ✓ | |
+| | domain_user_name | | | | |
+| | printer_name | Legacy | ✓ | ✓ | |
+| | user | Legacy | ✓ | ✓ | |
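Review bot: the only semantic change in this hunk is three new `domain_user_name` rows (under alert-trigger, peripheral_storage-insert and printer-activity), but the entire 17-row table is deleted and re-added because the Field column was re-padded from 12 to 16 characters. If these tables are generated, emitting stable column widths (or inserting rows without re-padding, as the netapp.md hunk in this patch does) would keep the diff reviewable; as it stands a reviewer has to compare every row to confirm that nothing else changed.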
diff --git a/Extensions/mcafee_mdam.md b/Extensions/mcafee_mdam.md
index f44f3ee..59005f8 100644
--- a/Extensions/mcafee_mdam.md
+++ b/Extensions/mcafee_mdam.md
@@ -14,13 +14,14 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | src_ip | Legacy | ✓ | ✓ | |
-| | additional_info | | | | |
-| | alert_id | Legacy | | | ✓ |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | domain | | | | |
-| | src_host | Legacy | ✓ | ✓ | |
-| | user | Legacy | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | src_ip | Legacy | ✓ | ✓ | |
+| | additional_info | | | | |
+| | alert_id | Legacy | | | ✓ |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | domain | | | | |
+| | domain_user_name | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | user | Legacy | | ✓ | |
diff --git a/Extensions/microsoft_365_audit_logs.md b/Extensions/microsoft_365_audit_logs.md
index 276d8dc..6ada10f 100644
--- a/Extensions/microsoft_365_audit_logs.md
+++ b/Extensions/microsoft_365_audit_logs.md
@@ -9,11 +9,12 @@ product = "m365 audit logs"
Fields
------
-| Field | Core | Detection | Informational |
-| --------- | ---- | --------- | ------------- |
-| domain | | | ✓ |
-| user | | | ✓ |
-| operation | | | ✓ |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| domain | | | ✓ |
+| domain_user_name | | | |
+| user | | | ✓ |
+| operation | | | ✓ |
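Review bot: `domain_user_name` is the only row in this Fields table with no Core, Detection or Informational mark; every other field (`domain`, `user`, `operation`) is Informational. If the field belongs in a tier, tick it; if it is deliberately unclassified, say so, because an all-blank row reads like an omission. The same applies to the Fields tables in microsoft_cas.md, microsoft_iis.md, mimecast_targeted_threat_protection_-_url.md, namespace_rdirectory.md and nasuni.md in this patch.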
Activity Types
--------------
diff --git a/Extensions/microsoft_advanced_threat_analytics_(ata).md b/Extensions/microsoft_advanced_threat_analytics_(ata).md
index 14d3651..b72e475 100644
--- a/Extensions/microsoft_advanced_threat_analytics_(ata).md
+++ b/Extensions/microsoft_advanced_threat_analytics_(ata).md
@@ -21,6 +21,7 @@ Activity Types
| | service_name | | | | |
| | alert_id | Legacy | | | ✓ |
| | dest_ip | Legacy | ✓ | ✓ | |
+| | local_user_name | | | | |
| | dest_host | Legacy | | ✓ | |
| | last_name | | | | |
| | malware_url | | | | |
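Review bot: `local_user_name` here diverges from the `domain_user_name` field that every other Extensions file in this patch adds. If ATA genuinely reports a local account rather than a domain account that is fine, but the name should match what the ATA alert actually carries, and the commit message should explain why this file (and microsoft_advanced_threat_protection.md) differ from the rest. Status and tier columns are empty for the new row as well.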
diff --git a/Extensions/microsoft_advanced_threat_protection.md b/Extensions/microsoft_advanced_threat_protection.md
index 156a625..3791075 100644
--- a/Extensions/microsoft_advanced_threat_protection.md
+++ b/Extensions/microsoft_advanced_threat_protection.md
@@ -21,6 +21,7 @@ Activity Types
| | additional_info | | | | |
| | service_name | | | | |
| | alert_id | Legacy | | | ✓ |
+| | local_user_name | | | | |
| | malware_url | | | | |
| | src_host | Legacy | ✓ | ✓ | |
| | user | Legacy | | ✓ | |
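Review bot: same naming question as in microsoft_advanced_threat_analytics_(ata).md: `local_user_name` is added where the other alert-trigger tables in this patch add `domain_user_name`. Confirm that the source really emits a local (non-domain) account name; otherwise consumers will end up special-casing these two extensions for no reason.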
diff --git a/Extensions/microsoft_azure.md b/Extensions/microsoft_azure.md
index d878467..6fb8966 100644
--- a/Extensions/microsoft_azure.md
+++ b/Extensions/microsoft_azure.md
@@ -14,20 +14,39 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | ------------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | url | | | | |
-| | src_ip | Legacy | ✓ | ✓ | |
-| | src_port | Legacy | | | ✓ |
-| | event_hub_namespace | | | | |
-| | event_hub_name | | | | |
-| | email_address | | | | |
-| | full_name | | | | |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | action | Legacy | | | ✓ |
-| | dest_host | Legacy | | ✓ | |
-| | user_upn | | | | |
-| | user | Legacy | | ✓ | |
-| | dest_port | Legacy | | ✓ | |
-| | object | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | -------------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | domain_user_name | | | | |
+| | nt_domain | | | | |
+| | processing_end_time | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | event_hub_namespace | | | | |
+| | event_hub_name | | | | |
+| | process_name | Legacy | | ✓ | |
+| | alert_id | Legacy | | | ✓ |
+| | is_incident | | | | |
+| | action | Legacy | | | ✓ |
+| | user_upn | | | | |
+| | dest_port | Legacy | | ✓ | |
+| | login_id | | | | |
+| | process | | | | |
+| | end_time | | | | |
+| | process_command_line | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | remediation_steps | | | | |
+| | url | | | | |
+| | src_port | Legacy | | | ✓ |
+| | start_time | | | | |
+| | email_address | | | | |
+| | full_name | | | | |
+| | additional_info | | | | |
+| | domain_join | | | | |
+| | domain | | | | |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | dns_domain | | | | |
+| | user_sid | | | | |
+| | dest_host | Legacy | | ✓ | |
+| | malware_url | | | | |
+| | user | Legacy | | ✓ | |
+| | object | | | | |
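Review bot: this goes well beyond adding `domain_user_name`: eighteen other fields appear in this table for the first time (`nt_domain`, `processing_end_time`, `process_name`, `alert_id`, `is_incident`, `login_id`, `process`, `end_time`, `process_command_line`, `src_host`, `remediation_steps`, `start_time`, `additional_info`, `domain_join`, `domain`, `dns_domain`, `user_sid`, `malware_url`) and the surviving rows are re-ordered, so the diff is an opaque full replacement. Split the Azure field additions into their own commit and keep row order stable so reviewers can see what was actually added; `process_name`, `alert_id` and `src_host` arrive already marked `Legacy`, which for brand-new rows wants a one-line explanation.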
diff --git a/Extensions/microsoft_azure_active_directory_identity_protection.md b/Extensions/microsoft_azure_active_directory_identity_protection.md
index 5692090..b34ac87 100644
--- a/Extensions/microsoft_azure_active_directory_identity_protection.md
+++ b/Extensions/microsoft_azure_active_directory_identity_protection.md
@@ -14,15 +14,16 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | src_ip | Legacy | ✓ | ✓ | |
-| | email_address | | | | |
-| | full_name | | | | |
-| | additional_info | | | | |
-| | alert_id | Legacy | | | ✓ |
-| | domain | | | | |
-| | location | | | | |
-| | user_upn | | | | |
-| | user | Legacy | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | src_ip | Legacy | ✓ | ✓ | |
+| | email_address | | | | |
+| | full_name | | | | |
+| | additional_info | | | | |
+| | alert_id | Legacy | | | ✓ |
+| | domain | | | | |
+| | location | | | | |
+| | domain_user_name | | | | |
+| | user_upn | | | | |
+| | user | Legacy | | ✓ | |
diff --git a/Extensions/microsoft_azure_advanced_threat_protection.md b/Extensions/microsoft_azure_advanced_threat_protection.md
index 1f12b2a..9ec6a15 100644
--- a/Extensions/microsoft_azure_advanced_threat_protection.md
+++ b/Extensions/microsoft_azure_advanced_threat_protection.md
@@ -14,17 +14,18 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | src_ip | Legacy | ✓ | ✓ | |
-| | email_address | | | | |
-| | full_name | | | | |
-| | additional_info | | | | |
-| | file_name | Legacy | ✓ | | |
-| | alert_id | Legacy | | | ✓ |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | domain | | | | |
-| | src_host | Legacy | ✓ | ✓ | |
-| | user_upn | | | | |
-| | user | Legacy | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | src_ip | Legacy | ✓ | ✓ | |
+| | email_address | | | | |
+| | full_name | | | | |
+| | additional_info | | | | |
+| | file_name | Legacy | ✓ | | |
+| | alert_id | Legacy | | | ✓ |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | domain | | | | |
+| | domain_user_name | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | user_upn | | | | |
+| | user | Legacy | | ✓ | |
diff --git a/Extensions/microsoft_azure_eventhub.md b/Extensions/microsoft_azure_eventhub.md
index 9bdd168..a7b9694 100644
--- a/Extensions/microsoft_azure_eventhub.md
+++ b/Extensions/microsoft_azure_eventhub.md
@@ -16,13 +16,14 @@ Activity Types
| Activity Type | Field | Status | Core | Detection | Informational |
| ------------- | ------------------------ | ------ | -------- | --------- | ------------- |
-| alert-trigger | event_name_hub_namespace | | | | |
+| alert-trigger | app | | | | |
+| | event_name_hub_namespace | | | | |
| | azure_category | | | | |
+| | domain_user_name | | | | |
| | src_host | Legacy | ✓ | ✓ | |
| | result | | | | |
| | src_ip | Legacy | ✓ | ✓ | |
| | email_address | | | | |
-| | application | | | | |
| | additional_info | | | | |
| | azure_resource_type | | | | |
| | alert_id | Legacy | | | ✓ |
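Review bot: `application` is removed and `app` added, which is a field rename rather than an addition; any query, parser or detection that references `application` on this extension silently stops matching. Call the rename out in the commit message (and in a changelog if the repo keeps one) and consider keeping `application` as a deprecated alias for one release. Placing the new `app` row at the top of the table instead of where `application` sat also makes the rename harder to spot.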
diff --git a/Extensions/microsoft_azure_security_center.md b/Extensions/microsoft_azure_security_center.md
index c8b47fb..f150d81 100644
--- a/Extensions/microsoft_azure_security_center.md
+++ b/Extensions/microsoft_azure_security_center.md
@@ -14,23 +14,24 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | server_group | | | | |
-| | file_name | Legacy | ✓ | | |
-| | src_host | Legacy | ✓ | ✓ | |
-| | src_ip | Legacy | ✓ | ✓ | |
-| | src_port | Legacy | | | ✓ |
-| | full_name | | | | |
-| | email_address | | | | |
-| | db_name | | | | |
-| | email_user | | | | |
-| | additional_info | | | | |
-| | alert_id | Legacy | | | ✓ |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | domain | | | | |
-| | dest_host | Legacy | | ✓ | |
-| | user_upn | | | | |
-| | user | Legacy | | ✓ | |
-| | dest_port | Legacy | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | server_group | | | | |
+| | file_name | Legacy | ✓ | | |
+| | domain_user_name | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | src_port | Legacy | | | ✓ |
+| | email_address | | | | |
+| | full_name | | | | |
+| | db_name | | | | |
+| | email_user | | | | |
+| | additional_info | | | | |
+| | alert_id | Legacy | | | ✓ |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | domain | | | | |
+| | dest_host | Legacy | | ✓ | |
+| | user_upn | | | | |
+| | user | Legacy | | ✓ | |
+| | dest_port | Legacy | | ✓ | |
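Review bot: besides the new `domain_user_name` row, `email_address` and `full_name` trade places, which suggests the table is rendered from an unordered collection; together with the column re-padding this turns a one-row addition into a 36-line replacement. Sorting fields before rendering would give deterministic output and small, reviewable diffs.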
diff --git a/Extensions/microsoft_cas.md b/Extensions/microsoft_cas.md
index 38fa8a2..a554178 100644
--- a/Extensions/microsoft_cas.md
+++ b/Extensions/microsoft_cas.md
@@ -9,13 +9,14 @@ product = "microsoft cas"
Fields
------
-| Field | Core | Detection | Informational |
-| --------------- | ---- | --------- | ------------- |
-| src_ip | | | ✓ |
-| additional_info | | | ✓ |
-| domain | | | ✓ |
-| user | | | ✓ |
-| user_agent | | | ✓ |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| src_ip | | | ✓ |
+| additional_info | | | ✓ |
+| domain | | | ✓ |
+| domain_user_name | | | |
+| user | | | ✓ |
+| user_agent | | | ✓ |
Activity Types
--------------
diff --git a/Extensions/microsoft_cloud_app_security.md b/Extensions/microsoft_cloud_app_security.md
index 80be0e3..c4dfddc 100644
--- a/Extensions/microsoft_cloud_app_security.md
+++ b/Extensions/microsoft_cloud_app_security.md
@@ -14,19 +14,20 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | hash_sha1 | | | | |
-| | file_name | Legacy | ✓ | | |
-| | src_host | Legacy | ✓ | ✓ | |
-| | src_ip | Legacy | ✓ | ✓ | |
-| | email_address | | | | |
-| | full_name | | | | |
-| | additional_info | | | | |
-| | process_name | Legacy | | ✓ | |
-| | alert_id | Legacy | | | ✓ |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | domain | | | | |
-| | user_upn | | | | |
-| | user | Legacy | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | hash_sha1 | | | | |
+| | file_name | Legacy | ✓ | | |
+| | domain_user_name | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | email_address | | | | |
+| | full_name | | | | |
+| | additional_info | | | | |
+| | process_name | Legacy | | ✓ | |
+| | alert_id | Legacy | | | ✓ |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | domain | | | | |
+| | user_upn | | | | |
+| | user | Legacy | | ✓ | |
diff --git a/Extensions/microsoft_defender_advanced_threat_protection.md b/Extensions/microsoft_defender_advanced_threat_protection.md
index f7f5469..12c6646 100644
--- a/Extensions/microsoft_defender_advanced_threat_protection.md
+++ b/Extensions/microsoft_defender_advanced_threat_protection.md
@@ -14,17 +14,18 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | src_ip | Legacy | ✓ | ✓ | |
-| | email_address | | | | |
-| | full_name | | | | |
-| | additional_info | | | | |
-| | file_name | Legacy | ✓ | | |
-| | alert_id | Legacy | | | ✓ |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | domain | | | | |
-| | src_host | Legacy | ✓ | ✓ | |
-| | user_upn | | | | |
-| | user | Legacy | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | src_ip | Legacy | ✓ | ✓ | |
+| | email_address | | | | |
+| | full_name | | | | |
+| | additional_info | | | | |
+| | file_name | Legacy | ✓ | | |
+| | alert_id | Legacy | | | ✓ |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | domain | | | | |
+| | domain_user_name | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | user_upn | | | | |
+| | user | Legacy | | ✓ | |
diff --git a/Extensions/microsoft_defender_antivirus.md b/Extensions/microsoft_defender_antivirus.md
index 06a6414..a8d44ae 100644
--- a/Extensions/microsoft_defender_antivirus.md
+++ b/Extensions/microsoft_defender_antivirus.md
@@ -14,20 +14,21 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | ----------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | file_path | Legacy | | | ✓ |
-| | process | | | | |
-| | src_host | Legacy | ✓ | ✓ | |
-| | result | | | | |
-| | src_ip | Legacy | ✓ | ✓ | |
-| | additional_info | | | | |
-| | process_name | Legacy | | ✓ | |
-| | alert_id | Legacy | | | ✓ |
-| | domain | | | | |
-| | process_directory | | | | |
-| | action | Legacy | | | ✓ |
-| | dest_host | Legacy | | ✓ | |
-| | malware_url | | | | |
-| | user | Legacy | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | file_path | Legacy | | | ✓ |
+| | process | | | | |
+| | process_dir | | | | |
+| | domain_user_name | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | result | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | additional_info | | | | |
+| | process_name | Legacy | | ✓ | |
+| | alert_id | Legacy | | | ✓ |
+| | domain | | | | |
+| | action | Legacy | | | ✓ |
+| | dest_host | Legacy | | ✓ | |
+| | malware_url | | | | |
+| | user | Legacy | | ✓ | |
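Review bot: `process_directory` is silently renamed to `process_dir` (and moved up the table) alongside the `domain_user_name` addition. Aligning the name with the `process_dir` already used in mcafee_endpoint_security.md is a good change, but it breaks anything consuming this extension's field names and deserves a mention in the commit message; inside a full-table replacement the rename is easy to miss.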
diff --git a/Extensions/microsoft_exchange.md b/Extensions/microsoft_exchange.md
index 13dd05a..3605d66 100644
--- a/Extensions/microsoft_exchange.md
+++ b/Extensions/microsoft_exchange.md
@@ -54,38 +54,38 @@ Activity Types
| | user_sid | Default | | | ✓ |
| | dest_host | Default | | ✓ | |
| | direction | Default | | | ✓ |
-| mailbox-create | email_address | Default | | | ✓ |
+| mailbox-create | app | Default | | | ✓ |
+| | email_address | Default | | | ✓ |
| | email_user | Default | | | ✓ |
-| | application | Default | | | ✓ |
| | email_domain | Default | | | ✓ |
| | operation | Default | | | ✓ |
-| mailbox-item-create | email_address | Default | | | ✓ |
+| mailbox-item-create | app | Default | | | ✓ |
+| | email_address | Default | | | ✓ |
| | email_user | Default | | | ✓ |
-| | application | Default | | | ✓ |
| | email_domain | Default | | | ✓ |
| | operation | Default | | | ✓ |
-| mailbox-item-delete | src_ip | Default | | ✓ | |
+| mailbox-item-delete | app | Default | | | ✓ |
+| | src_ip | Default | | ✓ | |
| | email_address | Default | | | ✓ |
-| | application | Default | | | ✓ |
| | email_user | Default | | | ✓ |
| | additional_info | Default | | | ✓ |
| | email_domain | Default | | | ✓ |
| | user | Default | | ✓ | |
| | operation | Default | | | ✓ |
| | object | Default | | | ✓ |
-| mailbox-item-modify | email_address | Default | | | ✓ |
+| mailbox-item-modify | app | Default | | | ✓ |
+| | email_address | Default | | | ✓ |
| | email_user | Default | | | ✓ |
-| | application | Default | | | ✓ |
| | email_domain | Default | | | ✓ |
| | operation | Default | | | ✓ |
-| mailbox-modify | email_address | Default | | | ✓ |
+| mailbox-modify | app | Default | | | ✓ |
+| | email_address | Default | | | ✓ |
| | email_user | Default | | | ✓ |
-| | application | Default | | | ✓ |
| | email_domain | Default | | | ✓ |
| | operation | Default | | | ✓ |
-| user-modify | email_address | | | | |
+| user-modify | app | | | | |
+| | email_address | | | | |
| | email_user | | | | |
-| | application | | | | |
| | email_domain | | | | |
| | operation | | | | |
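Review bot: `application` becomes `app` under all six mailbox/user activity types here with the `Default` / Informational marks preserved, so the classification at least survives the rename. A rename applied across Exchange, Graph, Event Hub and Mimecast in one patch is still a corpus-wide breaking change for field consumers: document it once in the commit message and, if the project supports aliases, keep `application` resolvable for a deprecation period.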
diff --git a/Extensions/microsoft_graph.md b/Extensions/microsoft_graph.md
index 4590c95..37b2f2a 100644
--- a/Extensions/microsoft_graph.md
+++ b/Extensions/microsoft_graph.md
@@ -16,7 +16,8 @@ Activity Types
| Activity Type | Field | Status | Core | Detection | Informational |
| ------------- | ----------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | country | | | | |
+| alert-trigger | app | | | | |
+| | country | | | | |
| | city | | | | |
| | more_info | | | | |
| | result | | | | |
@@ -24,7 +25,6 @@ Activity Types
| | token_issuer_type | | | | |
| | email_address | | | | |
| | full_name | | | | |
-| | application | | | | |
| | additional_info | | | | |
| | sender | Legacy | ✓ | | |
| | alert_id | Legacy | | | ✓ |
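Review bot: the `application` removal here and the `app` insertion in the previous hunk of this file are two halves of one rename; placing the new row where the old one sat would have kept them in a single hunk and made the intent obvious. Unlike the Exchange tables, this row carries no Status or tier either before or after the rename, so nothing in the table records whether `app` is populated by default.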
diff --git a/Extensions/microsoft_iis.md b/Extensions/microsoft_iis.md
index 8b4f7d4..93742e3 100644
--- a/Extensions/microsoft_iis.md
+++ b/Extensions/microsoft_iis.md
@@ -9,11 +9,12 @@ product = "microsoft iis"
Fields
------
-| Field | Core | Detection | Informational |
-| -------- | ---- | --------- | ------------- |
-| domain | | ✓ | |
-| src_host | | ✓ | |
-| user | | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| domain | | ✓ | |
+| domain_user_name | | | |
+| src_host | | ✓ | |
+| user | | ✓ | |
Activity Types
--------------
diff --git a/Extensions/microsoft_office_365.md b/Extensions/microsoft_office_365.md
index 6214af7..c656f90 100644
--- a/Extensions/microsoft_office_365.md
+++ b/Extensions/microsoft_office_365.md
@@ -14,13 +14,14 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | additional_info | | | | |
-| | alert_id | Legacy | | | ✓ |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | domain | | | | |
-| | dest_host | Legacy | | ✓ | |
-| | src_host | Legacy | ✓ | ✓ | |
-| | user | Legacy | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | additional_info | | | | |
+| | alert_id | Legacy | | | ✓ |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | domain | | | | |
+| | dest_host | Legacy | | ✓ | |
+| | domain_user_name | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | user | Legacy | | ✓ | |
diff --git a/Extensions/microsoft_web_application_proxy.md b/Extensions/microsoft_web_application_proxy.md
index f7036dd..8094415 100644
--- a/Extensions/microsoft_web_application_proxy.md
+++ b/Extensions/microsoft_web_application_proxy.md
@@ -4,7 +4,7 @@ microsoft web application proxy
Expression
----------
-product = "microsoft web application proxy"
+product = "microsoft web Application proxy"
Fields
------
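Review bot: the expression changes from `product = "microsoft web application proxy"` to `product = "microsoft web Application proxy"`, capitalising a single word; the file name, the page title (`microsoft web application proxy`) and every other `product =` expression in this patch are all-lowercase, so this looks accidental. If product matching is case-sensitive the change alters which events this extension applies to; either revert it or, if the source really emits `Application` with a capital A, say so in the commit message and update the title to match.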
diff --git a/Extensions/microsoft_windows.md b/Extensions/microsoft_windows.md
index c731602..b071d92 100644
--- a/Extensions/microsoft_windows.md
+++ b/Extensions/microsoft_windows.md
@@ -14,23 +14,24 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | ---------------------- | ------ | ---- | --------- | ------------- |
-| alert-trigger | login_id | | | | |
-| | process_id | | | | |
-| | event_name_code | | | | |
-| | event_name_name | | | | |
-| | threat_id | | | | |
-| | result | | | | |
-| | event_id | | | | |
-| | additional_info | | | | |
-| | process_name | Legacy | | ✓ | |
-| | domain | | | | |
-| | hash_md5 | | | | |
-| | user_sid | | | | |
-| | operation_id | | | | |
-| | malware_url | | | | |
-| | provider_name | | | | |
-| | user | Legacy | | ✓ | |
-| | authentication_process | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------ | ---- | --------- | ------------- |
+| alert-trigger | login_id | | | | |
+| | process_id | | | | |
+| | event_name_code | | | | |
+| | event_name_name | | | | |
+| | threat_id | | | | |
+| | domain_user_name | | | | |
+| | result | | | | |
+| | event_id | | | | |
+| | additional_info | | | | |
+| | process_name | Legacy | | ✓ | |
+| | domain | | | | |
+| | hash_md5 | | | | |
+| | user_sid | | | | |
+| | operation_id | | | | |
+| | malware_url | | | | |
+| | provider_name | | | | |
+| | user | Legacy | | ✓ | |
+| | auth_process | | | | |
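Review bot: `authentication_process` is renamed to `auth_process` inside the same full-table rewrite that adds `domain_user_name`; the rename is not mentioned anywhere and is easy to overlook among 36 changed lines. Note it in the commit message and check that no detection content keys on `authentication_process`. Neither the renamed row nor the new one carries a Status or tier.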
diff --git a/Extensions/microsoft_windows_defender.md b/Extensions/microsoft_windows_defender.md
index aac36c5..c845232 100644
--- a/Extensions/microsoft_windows_defender.md
+++ b/Extensions/microsoft_windows_defender.md
@@ -14,26 +14,31 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | file_path | Legacy | | | ✓ |
-| | file_name | Legacy | ✓ | | |
-| | message_id | | | | |
-| | recipient_count | | | | |
-| | target | | | | |
-| | result | | | | |
-| | additional_info | | | | |
-| | sender | Legacy | ✓ | | |
-| | user_id | | | | |
-| | bytes | Legacy | | ✓ | |
-| | recipients | | | | |
-| | alert_id | Legacy | | | ✓ |
-| | domain | | | | |
-| | recipient | | | | |
-| | event_name | | | | |
-| | operation | | | | |
-| | email_subject | | | | |
-| | user | Legacy | | ✓ | |
-| | apps | | | | |
-| | object | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ---------------------- | ---------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | file_path | Legacy | | | ✓ |
+| | file_name | Legacy | ✓ | | |
+| | message_id | | | | |
+| | recipient_count | | | | |
+| | domain_user_name | | | | |
+| | target | | | | |
+| | result | | | | |
+| | additional_info | | | | |
+| | sender | Legacy | ✓ | | |
+| | user_id | | | | |
+| | bytes | Legacy | | ✓ | |
+| | recipients | | | | |
+| | alert_id | Legacy | | | ✓ |
+| | domain | | | | |
+| | recipient | | | | |
+| | event_name | | | | |
+| | operation | | | | |
+| | email_subject | | | | |
+| | user | Legacy | | ✓ | |
+| | apps | | | | |
+| | object | | | | |
+| process-memory-protect | additional_info | | | | |
+| | action | | | | ✓ |
+| | event_name | | | | ✓ |
+| | operation | | | | ✓ |
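Review bot: the new `process-memory-protect` activity type lands with `action`, `event_name` and `operation` ticked as Informational but a blank Status column, while every classified row elsewhere in this table says `Legacy` (or `Default` in other files); `additional_info` under the same type has no tier at all. Fill in Status for the four rows, and confirm the activity type has a corresponding definition under ActivityTypes/ so the table does not reference a type that is documented nowhere else.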
diff --git a/Extensions/mimecast_secure_email_gateway.md b/Extensions/mimecast_secure_email_gateway.md
index a06ef7f..59a5149 100644
--- a/Extensions/mimecast_secure_email_gateway.md
+++ b/Extensions/mimecast_secure_email_gateway.md
@@ -16,20 +16,21 @@ Activity Types
| Activity Type | Field | Status | Core | Detection | Informational |
| ------------- | ---------------- | ------- | ---- | --------- | ------------- |
-| app-activity | src_ip | Default | | ✓ | |
-| | application | Default | | | ✓ |
+| app-activity | app | Default | | | ✓ |
+| | src_ip | Default | | ✓ | |
| | resource | Default | | | ✓ |
| | additional_info | Default | | | ✓ |
| | domain | Default | | | ✓ |
| | log_source | Default | | | ✓ |
+| | domain_user_name | | | | |
| | user | Default | | ✓ | |
| | object | Default | | | ✓ |
| | target | Default | | | ✓ |
| app-login | src_ip | Default | | ✓ | |
-| email-read | result | Default | | | ✓ |
+| email-read | app | Default | | | ✓ |
+| | result | Default | | | ✓ |
| | email_address | Default | | | ✓ |
| | email_user | Default | | | ✓ |
-| | application | Default | | | ✓ |
| | additional_info | Default | | | ✓ |
| | resource | Default | | | ✓ |
| | log_source | Default | | | ✓ |
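Review bot: the inserted `domain_user_name` row under app-activity is the only row in that block without `Default` in the Status column and without a tier, so next to `domain`, `log_source` and `user` it reads like an unfinished entry; either mark it or explain why it is unclassified. The `application` to `app` rename under both app-activity and email-read keeps `Default`/Informational, so the classification survives, but the rename itself still needs a mention in the commit message.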
diff --git a/Extensions/mimecast_targeted_threat_protection_-_url.md b/Extensions/mimecast_targeted_threat_protection_-_url.md
index bca83bb..e7eedb4 100644
--- a/Extensions/mimecast_targeted_threat_protection_-_url.md
+++ b/Extensions/mimecast_targeted_threat_protection_-_url.md
@@ -9,12 +9,13 @@ product = "mimecast targeted threat protection - url"
Fields
------
-| Field | Core | Detection | Informational |
-| -------- | ---- | --------- | ------------- |
-| domain | | | ✓ |
-| action | | | ✓ |
-| category | | | ✓ |
-| user | | | ✓ |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| domain | | | ✓ |
+| action | | | ✓ |
+| domain_user_name | | | |
+| category | | | ✓ |
+| user | | | ✓ |
Activity Types
--------------
diff --git a/Extensions/mssql.md b/Extensions/mssql.md
index eca20bb..ceda5e6 100644
--- a/Extensions/mssql.md
+++ b/Extensions/mssql.md
@@ -9,21 +9,23 @@ product = "mssql"
Fields
------
-| Field | Core | Detection | Informational |
-| ------------ | -------- | --------- | ------------- |
-| service_name | | | ✓ |
-| dest_user | | ✓ | |
-| src_host | ✓ | ✓ | |
-| src_ip | | ✓ | |
-| result | | ✓ | |
-| db_name | ✓ | ✓ | |
-| user_id | | | ✓ |
-| event_code | | | ✓ |
-| dest_domain | | ✓ | |
-| dest_host | | ✓ | |
-| event_name | | | ✓ |
-| dest_user_id | | | ✓ |
-| user | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| --------------------- | -------- | --------- | ------------- |
+| service_name | | | ✓ |
+| local_user_name | | | |
+| dest_user | | ✓ | |
+| src_host | ✓ | ✓ | |
+| src_ip | | ✓ | |
+| result | | ✓ | |
+| db_name | ✓ | ✓ | |
+| dest_domain_user_name | | | |
+| user_id | | | ✓ |
+| event_code | | | ✓ |
+| dest_domain | | ✓ | |
+| dest_host | | ✓ | |
+| event_name | | | ✓ |
+| dest_user_id | | | ✓ |
+| user | ✓ | ✓ | |
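Review bot: this Fields table gets `local_user_name` and `dest_domain_user_name` rather than the `domain_user_name` used almost everywhere else in the patch. A source/destination split makes sense for a database login (the table already distinguishes `user`/`dest_user` and `dest_domain`/`dest_host`), but the prefixes should be consistent: with `local_user_name` on one side and `dest_domain_user_name` on the other, a reader cannot tell whether one is local and the other domain by design or by accident. Both new rows are also the only ones with no Core/Detection/Informational mark.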
Activity Types
--------------
diff --git a/Extensions/mvision.md b/Extensions/mvision.md
index b3e1201..c2de438 100644
--- a/Extensions/mvision.md
+++ b/Extensions/mvision.md
@@ -14,22 +14,23 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | rule | | | | |
-| | url | | | | |
-| | target | | | | |
-| | result | | | | |
-| | src_ip | Legacy | ✓ | ✓ | |
-| | additional_info | | | | |
-| | sender | Legacy | ✓ | | |
-| | bytes | Legacy | | ✓ | |
-| | process_name | Legacy | | ✓ | |
-| | recipients | | | | |
-| | alert_id | Legacy | | | ✓ |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | domain | | | | |
-| | printer_name | | | | |
-| | email_subject | | | | |
-| | user | Legacy | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | rule | | | | |
+| | domain_user_name | | | | |
+| | url | | | | |
+| | target | | | | |
+| | result | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | additional_info | | | | |
+| | sender | Legacy | ✓ | | |
+| | bytes | Legacy | | ✓ | |
+| | process_name | Legacy | | ✓ | |
+| | recipients | | | | |
+| | alert_id | Legacy | | | ✓ |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | domain | | | | |
+| | printer_name | | | | |
+| | email_subject | | | | |
+| | user | Legacy | | ✓ | |
diff --git a/Extensions/mysql.md b/Extensions/mysql.md
index a182599..aa08d01 100644
--- a/Extensions/mysql.md
+++ b/Extensions/mysql.md
@@ -14,21 +14,21 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ----------------- | ---------------- | ------- | ---- | --------- | ------------- |
-| database-activity | process_id | Default | | | ✓ |
-| | db_query | Default | | | ✓ |
-| | db_name | Default | | | ✓ |
-| | dest_ip | Default | | ✓ | |
-| | operating_system | Default | | | ✓ |
-| | dest_host | Default | | ✓ | |
-| | dest_user | Default | | ✓ | |
-| | user | Default | | ✓ | |
-| | response_size | Default | | | ✓ |
-| | db_object | Default | | | ✓ |
-| database-query | src_ip | Legacy | | ✓ | |
-| | src_host | Legacy | | ✓ | |
-| | table_name | Legacy | | | ✓ |
-| | db_schema | | | | |
-| | operation | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ----------------- | ------------- | ------- | ---- | --------- | ------------- |
+| database-activity | process_id | Default | | | ✓ |
+| | os | Default | | | ✓ |
+| | db_query | Default | | | ✓ |
+| | db_name | Default | | | ✓ |
+| | dest_ip | Default | | ✓ | |
+| | dest_host | Default | | ✓ | |
+| | dest_user | Default | | ✓ | |
+| | user | Default | | ✓ | |
+| | response_size | Default | | | ✓ |
+| | db_object | Default | | | ✓ |
+| database-query | src_ip | Legacy | | ✓ | |
+| | src_host | Legacy | | ✓ | |
+| | table_name | Legacy | | | ✓ |
+| | db_schema | | | | |
+| | operation | | | | |
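Review bot: `operating_system` is renamed to `os` and moved up the table, with its `Default`/Informational marks kept. As with the other renames in this patch (`application` to `app`, `process_directory` to `process_dir`, `authentication_process` to `auth_process`) this breaks anything that reads the field by name and should be called out in the commit message rather than buried in a table regeneration whose only other effect is shrinking the Field column from 16 to 13 characters.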
diff --git a/Extensions/namespace_rdirectory.md b/Extensions/namespace_rdirectory.md
index 4cb5795..07b4b39 100644
--- a/Extensions/namespace_rdirectory.md
+++ b/Extensions/namespace_rdirectory.md
@@ -9,10 +9,11 @@ product = "namespace rdirectory"
Fields
------
-| Field | Core | Detection | Informational |
-| ------ | -------- | --------- | ------------- |
-| domain | | ✓ | |
-| user | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| domain | | ✓ | |
+| domain_user_name | | | |
+| user | ✓ | ✓ | |
Activity Types
--------------
diff --git a/Extensions/nasuni.md b/Extensions/nasuni.md
index 6f6533a..84f03de 100644
--- a/Extensions/nasuni.md
+++ b/Extensions/nasuni.md
@@ -9,11 +9,12 @@ product = "nasuni"
Fields
------
-| Field | Core | Detection | Informational |
-| ------ | ---- | --------- | ------------- |
-| src_ip | | ✓ | |
-| domain | | | ✓ |
-| user | | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| src_ip | | ✓ | |
+| domain | | | ✓ |
+| domain_user_name | | | |
+| user | | ✓ | |
Activity Types
--------------
diff --git a/Extensions/netapp.md b/Extensions/netapp.md
index 2928c5b..bb627a9 100644
--- a/Extensions/netapp.md
+++ b/Extensions/netapp.md
@@ -20,6 +20,7 @@ Activity Types
| | access | | | | |
| | file_name | Legacy | ✓ | | |
| | file_dir | Legacy | | | ✓ |
+| | domain_user_name | | | | |
| | object_id | | | | |
| | object_server | | | | |
| | result | | | | |
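Review bot: the `domain_user_name` row is inserted without re-padding the table, so its cells do not line up with the surrounding `file_name`/`file_dir` rows in the source; markdown renders it correctly, but the rest of this patch regenerates whole tables to keep alignment, so the two approaches should be reconciled one way or the other. Status and tier columns are blank, as in the other additions.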
diff --git a/Extensions/netdocs.md b/Extensions/netdocs.md
index d932e38..bd161b9 100644
--- a/Extensions/netdocs.md
+++ b/Extensions/netdocs.md
@@ -14,63 +14,64 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------- | -------- | --------- | ------------- |
-| app-activity | file_name | Default | | | ✓ |
-| | corp_client | Default | | | ✓ |
-| | doc_id | Default | | | ✓ |
-| | cabinet_name | Default | | | ✓ |
-| | file_ext | Default | | | ✓ |
-| | corp_matter | Default | | | ✓ |
-| | user_id | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | bytes | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | dest_host | Default | | ✓ | |
-| | user | Default | | ✓ | |
-| | object | Default | | | ✓ |
-| file-delete | cabinet_name | | | | |
-| | access | Legacy | | ✓ | |
-| | corp_matter | | | | |
-| | user_id | | | | |
-| | additional_info | | | | |
-| | bytes | | | | |
-| | corp_client | | | | |
-| | dest_host | Legacy | | ✓ | |
-| | user | Legacy | ✓ | ✓ | |
-| | doc_id | | | | |
-| | object | | | | |
-| file-read | cabinet_name | | | | |
-| | access | Legacy | | ✓ | |
-| | corp_matter | | | | |
-| | user_id | | | | |
-| | additional_info | | | | |
-| | bytes | Legacy | | | ✓ |
-| | corp_client | | | | |
-| | dest_host | Legacy | | ✓ | |
-| | user | Legacy | ✓ | ✓ | |
-| | doc_id | | | | |
-| | object | | | | |
-| file-upload | cabinet_name | | | | |
-| | access | | | | |
-| | corp_matter | | | | |
-| | user_id | | | | |
-| | additional_info | | | | |
-| | bytes | | | | |
-| | corp_client | | | | |
-| | dest_host | Legacy | | | ✓ |
-| | user | Legacy | ✓ | ✓ | |
-| | doc_id | | | | |
-| | object | | | | |
-| file-write | cabinet_name | | | | |
-| | access | Legacy | | ✓ | |
-| | corp_matter | | | | |
-| | user_id | | | | |
-| | additional_info | | | | |
-| | bytes | Legacy | | ✓ | |
-| | corp_client | | | | |
-| | dest_host | Legacy | | ✓ | |
-| | user | Legacy | ✓ | ✓ | |
-| | doc_id | | | | |
-| | object | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------- | -------- | --------- | ------------- |
+| app-activity | file_name | Default | | | ✓ |
+| | corp_client | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | doc_id | Default | | | ✓ |
+| | cabinet_name | Default | | | ✓ |
+| | file_ext | Default | | | ✓ |
+| | corp_matter | Default | | | ✓ |
+| | user_id | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | bytes | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | dest_host | Default | | ✓ | |
+| | user | Default | | ✓ | |
+| | object | Default | | | ✓ |
+| file-delete | cabinet_name | | | | |
+| | access | Legacy | | ✓ | |
+| | corp_matter | | | | |
+| | user_id | | | | |
+| | additional_info | | | | |
+| | bytes | | | | |
+| | corp_client | | | | |
+| | dest_host | Legacy | | ✓ | |
+| | user | Legacy | ✓ | ✓ | |
+| | doc_id | | | | |
+| | object | | | | |
+| file-read | cabinet_name | | | | |
+| | access | Legacy | | ✓ | |
+| | corp_matter | | | | |
+| | user_id | | | | |
+| | additional_info | | | | |
+| | bytes | Legacy | | | ✓ |
+| | corp_client | | | | |
+| | dest_host | Legacy | | ✓ | |
+| | user | Legacy | ✓ | ✓ | |
+| | doc_id | | | | |
+| | object | | | | |
+| file-upload | cabinet_name | | | | |
+| | access | | | | |
+| | corp_matter | | | | |
+| | user_id | | | | |
+| | additional_info | | | | |
+| | bytes | | | | |
+| | corp_client | | | | |
+| | dest_host | Legacy | | | ✓ |
+| | user | Legacy | ✓ | ✓ | |
+| | doc_id | | | | |
+| | object | | | | |
+| file-write | cabinet_name | | | | |
+| | access | Legacy | | ✓ | |
+| | corp_matter | | | | |
+| | user_id | | | | |
+| | additional_info | | | | |
+| | bytes | Legacy | | ✓ | |
+| | corp_client | | | | |
+| | dest_host | Legacy | | ✓ | |
+| | user | Legacy | ✓ | ✓ | |
+| | doc_id | | | | |
+| | object | | | | |
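Review bot: the one substantive change in this hunk, the `domain_user_name` row under `app-activity`, is missing the `Default` status that every other `app-activity` row carries, and it is buried in a 60-row rewrite whose only other effect is widening the Field column. Give the new row a Status consistent with its siblings (or say why it differs), and consider keeping column widths stable so the diff shows just the inserted line.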
diff --git a/Extensions/netiq_edirectory.md b/Extensions/netiq_edirectory.md
index fda043a..7fa2335 100644
--- a/Extensions/netiq_edirectory.md
+++ b/Extensions/netiq_edirectory.md
@@ -16,15 +16,16 @@ Activity Types
| Activity Type | Field | Status | Core | Detection | Informational |
| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | src_host | Legacy | ✓ | ✓ | |
+| alert-trigger | app | | | | |
+| | os | | | | |
+| | domain_user_name | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
| | src_ip | Legacy | ✓ | ✓ | |
-| | application | | | | |
| | additional_info | | | | |
| | alert_id | Legacy | | | ✓ |
| | dest_ip | Legacy | ✓ | ✓ | |
| | domain | | | | |
| | dest_host | Legacy | | ✓ | |
-| | operating_system | | | | |
| | malware_url | | | | |
| | operation | | | | |
| | user | Legacy | | ✓ | |
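Review bot: `application` to `app` and `operating_system` to `os` are field renames, but they are expressed as a delete at the old position and an add at the top of the table, so the rename is not visible as such and any consumer keyed on the old names will silently lose the mapping. Rename the rows in place (`-| | application` / `+| | app` on adjacent lines) and state the rename in the commit message, with a pointer to where the schema-level field definition changed.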
diff --git a/Extensions/netmotion_wireless.md b/Extensions/netmotion_wireless.md
index 6f1a52f..021cb46 100644
--- a/Extensions/netmotion_wireless.md
+++ b/Extensions/netmotion_wireless.md
@@ -23,8 +23,8 @@ Activity Types
| vpn-login | src_translated_ip | Default | | | ✓ |
| | src_port | Default | | | ✓ |
| | protocol | Default | | | ✓ |
+| | os | Default | | | ✓ |
| | dest_ip | Default | | ✓ | |
-| | operating_system | Default | | | ✓ |
| | dest_host | Default | | ✓ | |
| | event_name | Default | | | ✓ |
| | src_host | Default | | ✓ | |
@@ -32,8 +32,8 @@ Activity Types
| vpn-logout | src_translated_ip | | | | |
| | src_port | | | | |
| | protocol | | | | |
+| | os | | | | |
| | dest_ip | | | | |
-| | operating_system | | | | |
| | dest_host | Legacy | | | ✓ |
| | event_name | | | | |
| | src_host | | | | |
diff --git a/Extensions/netskope_netskope.md b/Extensions/netskope_netskope.md
index 599378b..e48bc03 100644
--- a/Extensions/netskope_netskope.md
+++ b/Extensions/netskope_netskope.md
@@ -16,8 +16,9 @@ Activity Types
| Activity Type | Field | Status | Core | Detection | Informational |
| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | domain | | | | |
-| | operating_system | | | | |
+| alert-trigger | os | | | | |
+| | domain | | | | |
+| | domain_user_name | | | | |
| | src_host | Legacy | ✓ | ✓ | |
| | user | Legacy | | ✓ | |
diff --git a/Extensions/netskope_security_cloud.md b/Extensions/netskope_security_cloud.md
index 7a8a151..8cbd823 100644
--- a/Extensions/netskope_security_cloud.md
+++ b/Extensions/netskope_security_cloud.md
@@ -30,29 +30,32 @@ Activity Types
| | target | | | | |
| app-activity | country | Default | | | ✓ |
| | app_type | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | src_ip | Default | | ✓ | |
+| | src_translated_ip | Default | | | ✓ |
+| | file_type | Default | | | ✓ |
+| | action | Default | | | ✓ |
+| | dest_port | Default | | | ✓ |
+| | user_agent | Default | | | ✓ |
+| | os | Default | | | ✓ |
| | resource | Default | | | ✓ |
| | file_name | Default | | | ✓ |
| | src_host | Default | | ✓ | |
| | url | Default | | | ✓ |
-| | src_ip | Default | | ✓ | |
-| | src_translated_ip | Default | | | ✓ |
+| | account_user_name | | | | |
| | auth_method | Default | | | ✓ |
| | web_domain | Default | | | ✓ |
| | additional_info | Default | | | ✓ |
| | bytes | Default | | | ✓ |
-| | file_type | Default | | | ✓ |
| | domain | Default | | | ✓ |
| | dest_ip | Default | | ✓ | |
-| | action | Default | | | ✓ |
-| | operating_system | Default | | | ✓ |
| | dest_host | Default | | ✓ | |
| | location | Default | | | ✓ |
| | user | Default | | ✓ | |
-| | dest_port | Default | | | ✓ |
| | account | Default | | ✓ | |
-| | user_agent | Default | | | ✓ |
| | object | Default | | | ✓ |
-| app-login | src_host | Default | | ✓ | |
+| app-login | os | Default | | | ✓ |
+| | src_host | Default | | ✓ | |
| | url | Default | | | ✓ |
| | src_ip | Default | | ✓ | |
| | auth_method | Default | | | ✓ |
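Review bot: six rows (`src_ip`, `src_translated_ip`, `file_type`, `action`, `dest_port`, `user_agent`) are moved without any content change, which makes the hunk read as far larger than it is; the real additions are `domain_user_name`, `account_user_name` and the `operating_system` to `os` rename. Keep row order stable unless the table is generated, and give `account_user_name` a Status and tier, since it is the only new field here without either.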
@@ -61,23 +64,23 @@ Activity Types
| | file_type | Default | | | ✓ |
| | dest_ip | Default | | ✓ | |
| | action | Default | | | ✓ |
-| | operating_system | Default | | | ✓ |
| | location | Default | | | ✓ |
| | dest_port | Default | | | ✓ |
| | user_agent | Default | | | ✓ |
| | object | Default | | | ✓ |
| email-receive | src_ip | Default | | ✓ | |
+| | os | Default | | | ✓ |
| | web_domain | Default | | | ✓ |
| | bytes | Default | | | ✓ |
| | browser | Default | | | ✓ |
| | action | Default | | | ✓ |
-| | operating_system | Default | | | ✓ |
| | location | Default | | | ✓ |
| | src_host | Default | | ✓ | |
| | operation | Default | | | ✓ |
| | dest_port | Default | | | ✓ |
| | url | Default | | | ✓ |
-| email-send | src_host | Default | | ✓ | |
+| email-send | os | Default | | | ✓ |
+| | src_host | Default | | ✓ | |
| | url | Default | | | ✓ |
| | src_ip | Default | | ✓ | |
| | web_domain | Default | | | ✓ |
@@ -85,12 +88,13 @@ Activity Types
| | file_type | Default | | | ✓ |
| | browser | Default | | | ✓ |
| | action | Default | | | ✓ |
-| | operating_system | Default | | | ✓ |
| | location | Default | | | ✓ |
| | operation | Default | | | ✓ |
| | dest_port | Default | | | ✓ |
| | user_agent | Default | | | ✓ |
-| file-copy | src_host | Default | | ✓ | |
+| file-copy | os | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | src_host | Default | | ✓ | |
| | url | Default | | | ✓ |
| | src_ip | Default | | ✓ | |
| | web_domain | Default | | | ✓ |
@@ -99,12 +103,13 @@ Activity Types
| | browser | Default | | | ✓ |
| | domain | Default | | | ✓ |
| | action | Default | | | ✓ |
-| | operating_system | Default | | | ✓ |
| | location | Default | | | ✓ |
| | operation | Default | | | ✓ |
| | user | Default | | ✓ | |
| | dest_port | Default | | | ✓ |
-| file-delete | src_host | Legacy | | ✓ | |
+| file-delete | os | | | | |
+| | domain_user_name | | | | |
+| | src_host | Legacy | | ✓ | |
| | url | | | | |
| | src_ip | | | | |
| | auth_method | | | | |
@@ -112,13 +117,14 @@ Activity Types
| | bytes | | | | |
| | file_type | Legacy | | | ✓ |
| | domain | | | | |
-| | operating_system | | | | |
| | location | | | | |
| | user | Legacy | ✓ | ✓ | |
| | dest_port | | | | |
| | user_agent | | | | |
| | object | | | | |
-| file-download | src_host | Legacy | | | ✓ |
+| file-download | os | | | | |
+| | domain_user_name | | | | |
+| | src_host | Legacy | | | ✓ |
| | url | | | | |
| | src_ip | | | | |
| | auth_method | | | | |
@@ -126,13 +132,14 @@ Activity Types
| | bytes | Legacy | | ✓ | |
| | file_type | Legacy | | | ✓ |
| | domain | | | | |
-| | operating_system | | | | |
| | location | | | | |
| | user | Legacy | ✓ | ✓ | |
| | dest_port | | | | |
| | user_agent | | | | |
| | object | | | | |
-| file-list | src_host | Default | | ✓ | |
+| file-list | os | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | src_host | Default | | ✓ | |
| | url | Default | | | ✓ |
| | src_ip | Default | | ✓ | |
| | web_domain | Default | | | ✓ |
@@ -141,12 +148,13 @@ Activity Types
| | browser | Default | | | ✓ |
| | domain | Default | | | ✓ |
| | action | Default | | | ✓ |
-| | operating_system | Default | | | ✓ |
| | location | Default | | | ✓ |
| | operation | Default | | | ✓ |
| | user | Default | | ✓ | |
| | dest_port | Default | | | ✓ |
-| file-move | src_host | Default | | ✓ | |
+| file-move | os | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | src_host | Default | | ✓ | |
| | url | Default | | | ✓ |
| | src_ip | Default | | ✓ | |
| | web_domain | Default | | | ✓ |
@@ -155,12 +163,13 @@ Activity Types
| | browser | Default | | | ✓ |
| | domain | Default | | | ✓ |
| | action | Default | | | ✓ |
-| | operating_system | Default | | | ✓ |
| | location | Default | | | ✓ |
| | operation | Default | | | ✓ |
| | user | Default | | ✓ | |
| | dest_port | Default | | | ✓ |
-| file-permission-modify | src_host | | | | |
+| file-permission-modify | os | | | | |
+| | domain_user_name | | | | |
+| | src_host | | | | |
| | url | | | | |
| | src_ip | | | | |
| | auth_method | | | | |
@@ -168,13 +177,14 @@ Activity Types
| | bytes | | | | |
| | file_type | Legacy | | | ✓ |
| | domain | | | | |
-| | operating_system | | | | |
| | location | | | | |
| | user | Legacy | ✓ | ✓ | |
| | dest_port | | | | |
| | user_agent | | | | |
| | object | | | | |
-| file-read | src_host | Legacy | | ✓ | |
+| file-read | os | | | | |
+| | domain_user_name | | | | |
+| | src_host | Legacy | | ✓ | |
| | url | | | | |
| | src_ip | | | | |
| | auth_method | | | | |
@@ -182,13 +192,14 @@ Activity Types
| | bytes | Legacy | | | ✓ |
| | file_type | Legacy | | | ✓ |
| | domain | | | | |
-| | operating_system | | | | |
| | location | | | | |
| | user | Legacy | ✓ | ✓ | |
| | dest_port | | | | |
| | user_agent | | | | |
| | object | | | | |
-| file-upload | src_host | Legacy | | | ✓ |
+| file-upload | os | | | | |
+| | domain_user_name | | | | |
+| | src_host | Legacy | | | ✓ |
| | url | | | | |
| | src_ip | | | | |
| | auth_method | | | | |
@@ -196,13 +207,14 @@ Activity Types
| | bytes | | | | |
| | file_type | Legacy | | | ✓ |
| | domain | | | | |
-| | operating_system | | | | |
| | location | | | | |
| | user | Legacy | ✓ | ✓ | |
| | dest_port | | | | |
| | user_agent | | | | |
| | object | | | | |
-| file-write | src_host | | | | |
+| file-write | os | | | | |
+| | domain_user_name | | | | |
+| | src_host | | | | |
| | url | | | | |
| | src_ip | | | | |
| | auth_method | | | | |
@@ -211,7 +223,6 @@ Activity Types
| | file_type | Legacy | | | ✓ |
| | domain | | | | |
| | browser | | | | |
-| | operating_system | | | | |
| | action | | | | |
| | location | | | | |
| | user | Legacy | ✓ | ✓ | |
@@ -219,7 +230,9 @@ Activity Types
| | dest_port | | | | |
| | user_agent | | | | |
| | object | | | | |
-| group-member-list | src_host | Default | | ✓ | |
+| group-member-list | os | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | src_host | Default | | ✓ | |
| | url | Default | | | ✓ |
| | src_ip | Default | | ✓ | |
| | web_domain | Default | | | ✓ |
@@ -227,12 +240,13 @@ Activity Types
| | browser | Default | | | ✓ |
| | domain | Default | | | ✓ |
| | action | Default | | | ✓ |
-| | operating_system | Default | | | ✓ |
| | location | Default | | | ✓ |
| | operation | Default | | | ✓ |
| | user | Default | | ✓ | |
| | dest_port | Default | | | ✓ |
-| group-member-remove | src_host | Legacy | | ✓ | |
+| group-member-remove | os | | | | |
+| | domain_user_name | | | | |
+| | src_host | Legacy | | ✓ | |
| | url | | | | |
| | src_ip | | | | |
| | web_domain | | | | |
@@ -240,18 +254,19 @@ Activity Types
| | browser | | | | |
| | domain | Legacy | | | ✓ |
| | action | | | | |
-| | operating_system | | | | |
| | location | | | | |
| | operation | | | | |
| | user | Legacy | ✓ | ✓ | |
| | dest_port | | | | |
| http-session | src_location | Default | | | ✓ |
+| | os | Default | | | ✓ |
| | src_country | Default | | | ✓ |
| | additional_info | Default | | | ✓ |
| | domain | Default | | | ✓ |
-| | operating_system | Default | | | ✓ |
| | src_host | Default | | ✓ | |
-| log-search | src_host | Default | | ✓ | |
+| log-search | os | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | src_host | Default | | ✓ | |
| | url | Default | | | ✓ |
| | src_ip | Default | | ✓ | |
| | web_domain | Default | | | ✓ |
@@ -259,17 +274,16 @@ Activity Types
| | browser | Default | | | ✓ |
| | domain | Default | | | ✓ |
| | action | Default | | | ✓ |
-| | operating_system | Default | | | ✓ |
| | location | Default | | | ✓ |
| | operation | Default | | | ✓ |
| | user | Default | | ✓ | |
| | dest_port | Default | | | ✓ |
| message-send | src_ip | Default | | ✓ | |
+| | os | Default | | | ✓ |
| | web_domain | Default | | | ✓ |
| | bytes | Default | | | ✓ |
| | browser | Default | | | ✓ |
| | action | Default | | | ✓ |
-| | operating_system | Default | | | ✓ |
| | location | Default | | | ✓ |
| | src_host | Default | | ✓ | |
| | operation | Default | | | ✓ |
@@ -279,21 +293,24 @@ Activity Types
| | country_code | Default | | | ✓ |
| | domain | Default | | | ✓ |
| | location_city | Default | | | ✓ |
+| | domain_user_name | | | | |
| | category | Default | | | ✓ |
| | user | Default | | ✓ | |
| | user_agent | Default | | | ✓ |
| user-create | src_ip | | | | |
+| | os | | | | |
| | web_domain | | | | |
| | bytes | | | | |
| | browser | | | | |
| | action | | | | |
-| | operating_system | | | | |
| | location | | | | |
| | src_host | Legacy | | ✓ | |
| | operation | | | | |
| | dest_port | | | | |
| | url | | | | |
-| user-mfa-disable | src_host | Default | | ✓ | |
+| user-mfa-disable | os | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | src_host | Default | | ✓ | |
| | url | Default | | | ✓ |
| | src_ip | Default | | ✓ | |
| | web_domain | Default | | | ✓ |
@@ -301,12 +318,13 @@ Activity Types
| | browser | Default | | | ✓ |
| | domain | Default | | | ✓ |
| | action | Default | | | ✓ |
-| | operating_system | Default | | | ✓ |
| | location | Default | | | ✓ |
| | operation | Default | | | ✓ |
| | user | Default | | ✓ | |
| | dest_port | Default | | | ✓ |
-| user-password-delete | src_host | Default | | ✓ | |
+| user-password-delete | os | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | src_host | Default | | ✓ | |
| | url | Default | | | ✓ |
| | src_ip | Default | | ✓ | |
| | web_domain | Default | | | ✓ |
@@ -314,12 +332,13 @@ Activity Types
| | browser | Default | | | ✓ |
| | domain | Default | | | ✓ |
| | action | Default | | | ✓ |
-| | operating_system | Default | | | ✓ |
| | location | Default | | | ✓ |
| | operation | Default | | | ✓ |
| | user | Default | | ✓ | |
| | dest_port | Default | | | ✓ |
-| user-role-modify | src_host | Default | | ✓ | |
+| user-role-modify | os | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | src_host | Default | | ✓ | |
| | url | Default | | | ✓ |
| | src_ip | Default | | ✓ | |
| | web_domain | Default | | | ✓ |
@@ -327,7 +346,6 @@ Activity Types
| | browser | Default | | | ✓ |
| | domain | Default | | | ✓ |
| | action | Default | | | ✓ |
-| | operating_system | Default | | | ✓ |
| | location | Default | | | ✓ |
| | operation | Default | | | ✓ |
| | user | Default | | ✓ | |
diff --git a/Extensions/netwrix_auditor.md b/Extensions/netwrix_auditor.md
index c54feb8..a8590c6 100644
--- a/Extensions/netwrix_auditor.md
+++ b/Extensions/netwrix_auditor.md
@@ -14,144 +14,161 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------------- | --------------- | ------- | -------- | --------- | ------------- |
-| app-activity | event_id | Default | | | ✓ |
-| | application | Default | | | ✓ |
-| | resource | Default | | | ✓ |
-| | object_type | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | event_code | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | dest_host | Default | | ✓ | |
-| | src_host | Default | | ✓ | |
-| | user | Default | | ✓ | |
-| | monitoring_plan | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| app-login | additional_info | Default | | | ✓ |
-| | src_host | Default | | ✓ | |
-| database-activity | src_ip | Default | | ✓ | |
-| | db_name | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | service_name | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | dest_host | Default | | ✓ | |
-| | user | Default | | ✓ | |
-| database-login | src_ip | Default | | ✓ | |
-| | db_name | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | service_name | Default | | | ✓ |
-| | dest_host | Default | | ✓ | |
-| ds_object-activity | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | src_host | Default | | ✓ | |
-| | user | Default | | ✓ | |
-| ds_object-create | event_id | Default | | | ✓ |
-| | resource | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | event_code | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | dest_host | Default | | ✓ | |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | monitoring_plan | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| ds_object-delete | event_id | Default | | | ✓ |
-| | resource | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | event_code | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | dest_host | Default | | ✓ | |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | monitoring_plan | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| ds_object-modify | event_id | Default | | | ✓ |
-| | resource | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | event_code | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | dest_host | Default | | ✓ | |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | monitoring_plan | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| file-delete | src_ip | | | | |
-| | access | Legacy | | ✓ | |
-| | event_id | | | | |
-| | file_type | Legacy | | | ✓ |
-| | event_code | | | | |
-| | domain | | | | |
-| | src_host | Legacy | | ✓ | |
-| | user | Legacy | ✓ | ✓ | |
-| file-write | src_ip | | | | |
-| | access | Legacy | | ✓ | |
-| | event_id | | | | |
-| | file_type | Legacy | | | ✓ |
-| | event_code | | | | |
-| | domain | | | | |
-| | src_host | | | | |
-| | user | Legacy | ✓ | ✓ | |
-| group-member-add | additional_info | | | | |
-| | domain | Legacy | | | ✓ |
-| | src_host | Legacy | | ✓ | |
-| | user | Legacy | ✓ | ✓ | |
-| group-member-remove | additional_info | | | | |
-| | domain | Legacy | | | ✓ |
-| | src_host | Legacy | | ✓ | |
-| | user | Legacy | ✓ | ✓ | |
-| role-create | event_id | Default | | | ✓ |
-| | resource | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | event_code | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | dest_host | Default | | ✓ | |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | monitoring_plan | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| user-create | event_id | | | | |
-| | resource | | | | |
-| | additional_info | | | | |
-| | event_code | | | | |
-| | domain | Legacy | | | ✓ |
-| | dest_host | Legacy | | ✓ | |
-| | user | Legacy | ✓ | ✓ | |
-| | operation | | | | |
-| | monitoring_plan | | | | |
-| | object | | | | |
-| user-delete | event_id | | | | |
-| | resource | | | | |
-| | additional_info | | | | |
-| | event_code | | | | |
-| | domain | Legacy | | | ✓ |
-| | dest_host | Legacy | | | ✓ |
-| | user | Legacy | ✓ | ✓ | |
-| | operation | | | | |
-| | monitoring_plan | | | | |
-| | object | | | | |
-| user-disable | additional_info | | | | |
-| | domain | Legacy | | | ✓ |
-| | src_host | | | | |
-| | user | Legacy | ✓ | ✓ | |
-| user-lock | additional_info | | | | |
-| | domain | | | | |
-| | src_host | Legacy | ✓ | ✓ | |
-| | user | Legacy | ✓ | ✓ | |
-| user-modify | event_id | | | | |
-| | resource | | | | |
-| | additional_info | | | | |
-| | event_code | Legacy | | | ✓ |
-| | domain | Legacy | | | ✓ |
-| | dest_host | Legacy | | | ✓ |
-| | user | Legacy | ✓ | | |
-| | operation | | | | |
-| | monitoring_plan | | | | |
-| | object | | | | |
-| user-password-reset | additional_info | | | | |
-| | src_host | | | | |
-| user-unlock | additional_info | | | | |
-| | domain | | | | |
-| | src_host | | | | |
-| | user | Legacy | ✓ | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------------- | ---------------- | ------- | -------- | --------- | ------------- |
+| app-activity | app | Default | | | ✓ |
+| | resource | Default | | | ✓ |
+| | object_type | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | src_host | Default | | ✓ | |
+| | monitoring_plan | Default | | | ✓ |
+| | event_id | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | event_code | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | dest_host | Default | | ✓ | |
+| | user | Default | | ✓ | |
+| | object | Default | | | ✓ |
+| app-login | additional_info | Default | | | ✓ |
+| | src_host | Default | | ✓ | |
+| database-activity | src_ip | Default | | ✓ | |
+| | db_name | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | service_name | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | dest_host | Default | | ✓ | |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| database-login | src_ip | Default | | ✓ | |
+| | db_name | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | service_name | Default | | | ✓ |
+| | dest_host | Default | | ✓ | |
+| ds_object-activity | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | src_host | Default | | ✓ | |
+| | user | Default | | ✓ | |
+| ds_object-create | event_id | Default | | | ✓ |
+| | resource | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | event_code | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | dest_host | Default | | ✓ | |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | monitoring_plan | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| ds_object-delete | event_id | Default | | | ✓ |
+| | resource | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | event_code | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | dest_host | Default | | ✓ | |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | monitoring_plan | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| ds_object-modify | event_id | Default | | | ✓ |
+| | resource | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | event_code | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | dest_host | Default | | ✓ | |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | monitoring_plan | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| file-delete | src_ip | | | | |
+| | access | Legacy | | ✓ | |
+| | event_id | | | | |
+| | file_type | Legacy | | | ✓ |
+| | event_code | | | | |
+| | domain | | | | |
+| | domain_user_name | | | | |
+| | src_host | Legacy | | ✓ | |
+| | user | Legacy | ✓ | ✓ | |
+| file-write | src_ip | | | | |
+| | access | Legacy | | ✓ | |
+| | event_id | | | | |
+| | file_type | Legacy | | | ✓ |
+| | event_code | | | | |
+| | domain | | | | |
+| | domain_user_name | | | | |
+| | src_host | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| group-member-add | additional_info | | | | |
+| | domain | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | src_host | Legacy | | ✓ | |
+| | user | Legacy | ✓ | ✓ | |
+| group-member-remove | additional_info | | | | |
+| | domain | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | src_host | Legacy | | ✓ | |
+| | user | Legacy | ✓ | ✓ | |
+| role-create | event_id | Default | | | ✓ |
+| | resource | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | event_code | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | dest_host | Default | | ✓ | |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | monitoring_plan | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| user-create | event_id | | | | |
+| | resource | | | | |
+| | additional_info | | | | |
+| | event_code | | | | |
+| | domain | Legacy | | | ✓ |
+| | dest_host | Legacy | | ✓ | |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | operation | | | | |
+| | monitoring_plan | | | | |
+| | object | | | | |
+| user-delete | event_id | | | | |
+| | resource | | | | |
+| | additional_info | | | | |
+| | event_code | | | | |
+| | domain | Legacy | | | ✓ |
+| | dest_host | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | operation | | | | |
+| | monitoring_plan | | | | |
+| | object | | | | |
+| user-disable | additional_info | | | | |
+| | domain | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | src_host | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| user-lock | additional_info | | | | |
+| | domain | | | | |
+| | domain_user_name | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | user | Legacy | ✓ | ✓ | |
+| user-modify | event_id | | | | |
+| | resource | | | | |
+| | additional_info | | | | |
+| | event_code | Legacy | | | ✓ |
+| | domain | Legacy | | | ✓ |
+| | dest_host | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | | |
+| | operation | | | | |
+| | monitoring_plan | | | | |
+| | object | | | | |
+| user-password-reset | additional_info | | | | |
+| | src_host | | | | |
+| user-unlock | additional_info | | | | |
+| | domain | | | | |
+| | domain_user_name | | | | |
+| | src_host | | | | |
+| | user | Legacy | ✓ | ✓ | |
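Review bot: in this 144-row rewrite the substantive changes are `application` to `app`, `domain_user_name` added under each activity that already has a `user` row (none under `app-login`, `database-login` or `user-password-reset`, which have no `user`), and the `app-activity` rows `src_host` and `monitoring_plan` moved up with unchanged content. Spell that out in the commit message and drop the reordering, or split the column-width reflow into its own commit so the rename and new rows can be reviewed line by line.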
diff --git a/Extensions/nnt_changetracker.md b/Extensions/nnt_changetracker.md
index 028ea1a..93286cc 100644
--- a/Extensions/nnt_changetracker.md
+++ b/Extensions/nnt_changetracker.md
@@ -14,11 +14,11 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | ------------------- | ------- | ---- | --------- | ------------- |
-| app-login | src_ip | Default | | ✓ | |
-| | additional_info | Default | | | ✓ |
-| | event_code | Default | | | ✓ |
-| | event_name | Default | | | ✓ |
-| | authentication_type | Default | | | ✓ |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | --------------- | ------- | ---- | --------- | ------------- |
+| app-login | src_ip | Default | | ✓ | |
+| | auth_type | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | event_code | Default | | | ✓ |
+| | event_name | Default | | | ✓ |
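Review bot: `authentication_type` becomes `auth_type` here, but netskope_security_cloud in the same patch uses `auth_method` for what looks like the same concept; confirm these are two distinct schema fields and document the difference, otherwise unify on one name so detections do not have to match on both.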
diff --git a/Extensions/nokia_vitalqip.md b/Extensions/nokia_vitalqip.md
index cea6a7f..1a0ce36 100644
--- a/Extensions/nokia_vitalqip.md
+++ b/Extensions/nokia_vitalqip.md
@@ -14,10 +14,11 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------- | ------ | -------- | --------- | ------------- |
-| dhcp-session | dest_mac | | | | |
-| | domain | | | | |
-| | dest_host | | | | |
-| | user | Legacy | ✓ | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
+| dhcp-session | dest_mac | | | | |
+| | domain | | | | |
+| | dest_host | | | | |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | | |
diff --git a/Extensions/observeit.md b/Extensions/observeit.md
index f33cd2b..1ec2539 100644
--- a/Extensions/observeit.md
+++ b/Extensions/observeit.md
@@ -12,38 +12,41 @@ Fields
| Field | Core | Detection | Informational |
| ---------------- | -------- | --------- | ------------- |
| src_ip | | ✓ | |
+| os | | | ✓ |
| domain | | ✓ | |
| session_id | | | ✓ |
-| operating_system | | | ✓ |
| dest_host | | ✓ | |
+| domain_user_name | | | |
| user | ✓ | ✓ | |
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ----------------- | ---------------- | ------- | -------- | --------- | ------------- |
-| alert-trigger | src_ip | Legacy | ✓ | ✓ | |
-| | additional_info | | | | |
-| | process_name | Legacy | | ✓ | |
-| | alert_id | Legacy | | | ✓ |
-| | domain | | | | |
-| | dest_host | Legacy | | ✓ | |
-| | operating_system | | | | |
-| | session_id | | | | |
-| | src_host | Legacy | ✓ | ✓ | |
-| | user | Legacy | | ✓ | |
-| | target | | | | |
-| app-activity | additional_info | Default | | | ✓ |
-| | dest_ip | Default | | ✓ | |
-| | src_host | Default | | ✓ | |
-| | object | Default | | | ✓ |
-| app-login | | | | | |
-| database-activity | db_name | Default | | | ✓ |
-| | process_name | Default | | | ✓ |
-| | dest_user | Default | | ✓ | |
-| | src_host | Default | | ✓ | |
-| | db_object | Default | | | ✓ |
-| endpoint-login | | | | | |
-| process-create | | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ----------------- | -------------------- | ------- | -------- | --------- | ------------- |
+| alert-trigger | src_ip | Legacy | ✓ | ✓ | |
+| | os | | | | |
+| | additional_info | | | | |
+| | process_name | Legacy | | ✓ | |
+| | alert_id | Legacy | | | ✓ |
+| | domain | | | | |
+| | dest_host | Legacy | | ✓ | |
+| | session_id | | | | |
+| | domain_user_name | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | user | Legacy | | ✓ | |
+| | target | | | | |
+| app-activity | additional_info | Default | | | ✓ |
+| | dest_ip | Default | | ✓ | |
+| | src_host | Default | | ✓ | |
+| | object | Default | | | ✓ |
+| app-login | | | | | |
+| database-activity | dest_local_user_name | | | | |
+| | db_name | Default | | | ✓ |
+| | process_name | Default | | | ✓ |
+| | dest_user | Default | | ✓ | |
+| | src_host | Default | | ✓ | |
+| | db_object | Default | | | ✓ |
+| endpoint-login | | | | | |
+| process-create | | | | | |
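Review bot: `dest_local_user_name` appears nowhere else in this patch and is inserted at the head of `database-activity` with no Status or tier, while the related `dest_user` row is `Default` and Detection; place it next to `dest_user` and say whether it should share that classification. The `os` rows are consistent with the removed `operating_system` rows (Informational in Fields, blank under `alert-trigger`), so no change needed there.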
diff --git a/Extensions/okta_adaptive_mfa.md b/Extensions/okta_adaptive_mfa.md
index e352d24..402973a 100644
--- a/Extensions/okta_adaptive_mfa.md
+++ b/Extensions/okta_adaptive_mfa.md
@@ -9,11 +9,12 @@ product = "okta adaptive mfa"
Fields
------
-| Field | Core | Detection | Informational |
-| ------ | -------- | --------- | ------------- |
-| src_ip | | ✓ | |
-| domain | | ✓ | |
-| user | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| src_ip | | ✓ | |
+| domain | | ✓ | |
+| domain_user_name | | | |
+| user | ✓ | ✓ | |
Activity Types
--------------
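Review bot: `domain_user_name` is added to the Fields table with every classification column blank, next to `domain` and `user` which are marked; if the new field is meant to be derived from those two, a one-line description of how it relates to `user` and `domain` would help consumers of this table decide whether to index it.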
@@ -47,7 +48,7 @@ Activity Types
| | object | Default | | | ✓ |
| app-login | user_agent | Default | | | ✓ |
| group-member-add | group_type | Legacy | | | ✓ |
-| user-create | application | | | | |
+| user-create | app | | | | |
| | object_type | | | | |
| | additional_info | | | | |
| | browser | | | | |
@@ -56,7 +57,7 @@ Activity Types
| | user_agent | | | | |
| | object | | | | |
| user-lock | group_name | | | | ✓ |
-| user-password-reset | application | | | | |
+| user-password-reset | app | | | | |
| | object_type | | | | |
| | additional_info | | | | |
| | browser | | | | |
diff --git a/Extensions/okta_multi-factor_authentication.md b/Extensions/okta_multi-factor_authentication.md
index 4fd8e4c..454ddfb 100644
--- a/Extensions/okta_multi-factor_authentication.md
+++ b/Extensions/okta_multi-factor_authentication.md
@@ -16,13 +16,14 @@ Activity Types
| Activity Type | Field | Status | Core | Detection | Informational |
| ------------- | --------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | event_name_name | | | | |
+| alert-trigger | app | | | | |
+| | event_name_name | | | | |
+| | local_user_name | | | | |
| | failure_reason | | | | |
| | src_host | Legacy | ✓ | ✓ | |
| | src_ip | Legacy | ✓ | ✓ | |
| | src_port | Legacy | | | ✓ |
| | protocol | Legacy | | ✓ | |
-| | application | | | | |
| | dest_ip | Legacy | ✓ | ✓ | |
| | dest_host | Legacy | | ✓ | |
| | tag | | | | |
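Review bot: `event_name_name` survives the reordering unchanged at `+| | event_name_name | | | | |`; if that is a typo for `event_name`, this hunk is the place to fix it rather than carrying it forward. Separately, `application` is removed near the bottom and `app` added at the top of the `alert-trigger` block, so the rename shows as two hunk lines rather than one replaced row.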
diff --git a/Extensions/onelogin.md b/Extensions/onelogin.md
index 647f83e..ac56b9d 100644
--- a/Extensions/onelogin.md
+++ b/Extensions/onelogin.md
@@ -9,13 +9,14 @@ product = "onelogin"
Fields
------
-| Field | Core | Detection | Informational |
-| --------------- | ---- | --------- | ------------- |
-| src_ip | | | ✓ |
-| additional_info | | | ✓ |
-| event_code | | | ✓ |
-| domain | | | ✓ |
-| user | | | ✓ |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| src_ip | | | ✓ |
+| additional_info | | | ✓ |
+| event_code | | | ✓ |
+| domain | | | ✓ |
+| domain_user_name | | | |
+| user | | | ✓ |
Activity Types
--------------
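Review bot: the only substantive change in this hunk is the new `domain_user_name` row, but every other row is re-emitted because the Field column was widened to fit it; if the tables are generated, consider fixing the column width or dropping the padding so that a one-row addition produces a one-line diff and reviewers can see the real change.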
diff --git a/Extensions/open_vpn.md b/Extensions/open_vpn.md
index f3b6482..1384adf 100644
--- a/Extensions/open_vpn.md
+++ b/Extensions/open_vpn.md
@@ -18,10 +18,11 @@ Activity Types
| Activity Type | Field | Status | Core | Detection | Informational |
| ------------- | ----------------- | ------- | ---- | --------- | ------------- |
-| app-activity | src_ip | Default | | ✓ | |
-| | application | Default | | | ✓ |
+| app-activity | app | Default | | | ✓ |
+| | src_ip | Default | | ✓ | |
| | additional_info | Default | | | ✓ |
| | bytes | Default | | | ✓ |
+| | local_user_name | | | | |
| | src_host | Default | | ✓ | |
| | user | Default | | ✓ | |
| vpn-login | src_port | Default | | | ✓ |
diff --git a/Extensions/oracle_access_management.md b/Extensions/oracle_access_management.md
index d0969f9..b9f62d1 100644
--- a/Extensions/oracle_access_management.md
+++ b/Extensions/oracle_access_management.md
@@ -21,20 +21,21 @@ Fields
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------------ | ------------ | ------- | ---- | --------- | ------------- |
-| app-authentication | file_path | Default | | | ✓ |
-| | file_ext | Default | | | ✓ |
-| | file_name | Default | | | ✓ |
-| | service_name | Default | | | ✓ |
-| | event_code | Default | | | ✓ |
-| | dest_ip | Default | | ✓ | |
-| | file_dir | Default | | | ✓ |
-| | dest_host | Default | | ✓ | |
-| | event_name | Default | | | ✓ |
-| | src_host | Default | | ✓ | |
-| app-login | domain | Default | | | ✓ |
-| app-logout | domain | Default | | | ✓ |
-| app-notification | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------------ | ---------------- | ------- | ---- | --------- | ------------- |
+| app-authentication | file_path | Default | | | ✓ |
+| | file_ext | Default | | | ✓ |
+| | file_name | Default | | | ✓ |
+| | service_name | Default | | | ✓ |
+| | event_code | Default | | | ✓ |
+| | dest_ip | Default | | ✓ | |
+| | file_dir | Default | | | ✓ |
+| | dest_host | Default | | ✓ | |
+| | event_name | Default | | | ✓ |
+| | src_host | Default | | ✓ | |
+| app-login | domain | Default | | | ✓ |
+| app-logout | domain | Default | | | ✓ |
+| app-notification | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
diff --git a/Extensions/oracle_access_manager.md b/Extensions/oracle_access_manager.md
index a6e1dfb..7cb7625 100644
--- a/Extensions/oracle_access_manager.md
+++ b/Extensions/oracle_access_manager.md
@@ -9,10 +9,11 @@ product = "oracle access manager"
Fields
------
-| Field | Core | Detection | Informational |
-| ------ | -------- | --------- | ------------- |
-| domain | | | ✓ |
-| user | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| domain | | | ✓ |
+| domain_user_name | | | |
+| user | ✓ | ✓ | |
Activity Types
--------------
diff --git a/Extensions/oracle_database.md b/Extensions/oracle_database.md
index 73a05dc..03077eb 100644
--- a/Extensions/oracle_database.md
+++ b/Extensions/oracle_database.md
@@ -4,22 +4,23 @@ oracle database
Expression
----------
-product = "oracle db"
+product = "oracle database"
Fields
------
-| Field | Core | Detection | Informational |
-| --------- | -------- | --------- | ------------- |
-| src_ip | | | ✓ |
-| db_id | | | ✓ |
-| db_name | | | ✓ |
-| domain | | ✓ | |
-| dest_host | | | ✓ |
-| src_host | | | ✓ |
-| user | ✓ | ✓ | |
-| operation | | | ✓ |
-| dest_port | | | ✓ |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| src_ip | | | ✓ |
+| db_id | | | ✓ |
+| db_name | | | ✓ |
+| domain | | ✓ | |
+| dest_host | | | ✓ |
+| domain_user_name | | | |
+| src_host | | | ✓ |
+| user | ✓ | ✓ | |
+| operation | | | ✓ |
+| dest_port | | | ✓ |
Activity Types
--------------
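Review bot: the expression change from `product = "oracle db"` to `product = "oracle database"` alters which events this extension matches, not just the documentation, and nothing in the hunk says whether the parser's emitted product value changed accordingly; confirm the new literal matches what the parser actually sets, or events previously matched by `"oracle db"` will stop being classified.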
diff --git a/Extensions/ovirt.md b/Extensions/ovirt.md
index 397a0a8..3eae3fd 100644
--- a/Extensions/ovirt.md
+++ b/Extensions/ovirt.md
@@ -14,119 +14,119 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------------------- | ----------- | ------- | -------- | --------- | ------------- |
-| app-activity | application | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | object | Default | | | ✓ |
-| app-login | src_ip | Default | | ✓ | |
-| cluster-modify | application | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | object | Default | | | ✓ |
-| datacenter-modify | application | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | object | Default | | | ✓ |
-| datastore-create | application | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | object | Default | | | ✓ |
-| datastore-delete | application | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | object | Default | | | ✓ |
-| datastore-enable | application | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | object | Default | | | ✓ |
-| datastore-modify | application | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | object | Default | | | ✓ |
-| disk-attach | application | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | object | Default | | | ✓ |
-| disk-modify | application | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | object | Default | | | ✓ |
-| disk-remove | application | Default | | | ✓ |
-| | resource | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | object | Default | | | ✓ |
-| disk-scan | application | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | object | Default | | | ✓ |
-| endpoint-authentication | application | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| endpoint-create | application | Default | | | ✓ |
-| | resource | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | object | Default | | | ✓ |
-| endpoint-login | application | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| endpoint-logout | application | | | | |
-| | operation | | | | |
-| | object | | | | |
-| endpoint-modify | application | | | | |
-| | resource | | | | |
-| | operation | | | | |
-| | user | Legacy | ✓ | | |
-| | object | | | | |
-| endpoint-start | application | Default | | | ✓ |
-| | resource | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | object | Default | | | ✓ |
-| endpoint-stop | application | Default | | | ✓ |
-| | resource | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | object | Default | | | ✓ |
-| image-import | application | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | object | Default | | | ✓ |
-| log-clear | application | | | | |
-| | operation | | | | |
-| | user | Legacy | ✓ | ✓ | |
-| | object | | | | |
-| peripheral_storage-insert | application | | | | |
-| | operation | | | | |
-| | user | Legacy | ✓ | ✓ | |
-| | object | | | | |
-| peripheral_storage-remove | application | | | | |
-| | operation | | | | |
-| | user | Legacy | ✓ | | |
-| | object | | | | |
-| policy-modify | application | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | object | Default | | | ✓ |
-| vm_host-create | application | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | object | Default | | | ✓ |
-| vm_host-enable | application | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | object | Default | | | ✓ |
-| vm_host-modify | application | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | object | Default | | | ✓ |
-| vm_pool-modify | application | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | object | Default | | | ✓ |
-| vm_template-delete | application | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | user | Default | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------------------- | --------- | ------- | -------- | --------- | ------------- |
+| app-activity | app | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | object | Default | | | ✓ |
+| app-login | src_ip | Default | | ✓ | |
+| cluster-modify | app | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | object | Default | | | ✓ |
+| datacenter-modify | app | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | object | Default | | | ✓ |
+| datastore-create | app | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | object | Default | | | ✓ |
+| datastore-delete | app | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | object | Default | | | ✓ |
+| datastore-enable | app | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | object | Default | | | ✓ |
+| datastore-modify | app | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | object | Default | | | ✓ |
+| disk-attach | app | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | object | Default | | | ✓ |
+| disk-modify | app | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | object | Default | | | ✓ |
+| disk-remove | app | Default | | | ✓ |
+| | resource | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | object | Default | | | ✓ |
+| disk-scan | app | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | object | Default | | | ✓ |
+| endpoint-authentication | app | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| endpoint-create | app | Default | | | ✓ |
+| | resource | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | object | Default | | | ✓ |
+| endpoint-login | app | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| endpoint-logout | app | | | | |
+| | operation | | | | |
+| | object | | | | |
+| endpoint-modify | app | | | | |
+| | resource | | | | |
+| | operation | | | | |
+| | user | Legacy | ✓ | | |
+| | object | | | | |
+| endpoint-start | app | Default | | | ✓ |
+| | resource | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | object | Default | | | ✓ |
+| endpoint-stop | app | Default | | | ✓ |
+| | resource | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | object | Default | | | ✓ |
+| image-import | app | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | object | Default | | | ✓ |
+| log-clear | app | | | | |
+| | operation | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | object | | | | |
+| peripheral_storage-insert | app | | | | |
+| | operation | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | object | | | | |
+| peripheral_storage-remove | app | | | | |
+| | operation | | | | |
+| | user | Legacy | ✓ | | |
+| | object | | | | |
+| policy-modify | app | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | object | Default | | | ✓ |
+| vm_host-create | app | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | object | Default | | | ✓ |
+| vm_host-enable | app | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | object | Default | | | ✓ |
+| vm_host-modify | app | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | object | Default | | | ✓ |
+| vm_pool-modify | app | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | object | Default | | | ✓ |
+| vm_template-delete | app | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | user | Default | | ✓ | |
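Review bot: the `application` to `app` rename is applied uniformly to every row of this table with Status and classification cells preserved, which is good; since the same rename recurs across many extension files in this change, confirm that the field definition for `app` exists wherever `application` was previously defined, so none of these rows now references an undefined field.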
diff --git a/Extensions/palo_alto_aperture.md b/Extensions/palo_alto_aperture.md
index edb69de..e4ad145 100644
--- a/Extensions/palo_alto_aperture.md
+++ b/Extensions/palo_alto_aperture.md
@@ -9,10 +9,11 @@ product = "palo alto aperture"
Fields
------
-| Field | Core | Detection | Informational |
-| ------ | ---- | --------- | ------------- |
-| domain | | | ✓ |
-| user | | | ✓ |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| domain | | | ✓ |
+| domain_user_name | | | |
+| user | | | ✓ |
Activity Types
--------------
diff --git a/Extensions/palo_alto_networks_aperture.md b/Extensions/palo_alto_networks_aperture.md
index 65d8e52..36b4a47 100644
--- a/Extensions/palo_alto_networks_aperture.md
+++ b/Extensions/palo_alto_networks_aperture.md
@@ -16,8 +16,8 @@ Activity Types
| Activity Type | Field | Status | Core | Detection | Informational |
| ------------- | --------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | src_ip | Legacy | ✓ | ✓ | |
-| | application | | | | |
+| alert-trigger | app | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
| | policy_id | | | | |
| | additional_info | | | | |
| | alert_id | Legacy | | | ✓ |
diff --git a/Extensions/palo_alto_networks_cortex.md b/Extensions/palo_alto_networks_cortex.md
index 0f27550..b00edd5 100644
--- a/Extensions/palo_alto_networks_cortex.md
+++ b/Extensions/palo_alto_networks_cortex.md
@@ -20,6 +20,7 @@ Activity Types
| | additional_info | | | | |
| | process_name | Legacy | | ✓ | |
| | alert_id | Legacy | | | ✓ |
+| | local_user_name | | | | |
| | dest_host | Legacy | | ✓ | |
| | malware_url | | | | |
| | src_host | Legacy | ✓ | ✓ | |
diff --git a/Extensions/palo_alto_networks_magnifier.md b/Extensions/palo_alto_networks_magnifier.md
index bc2a6a1..6864e9e 100644
--- a/Extensions/palo_alto_networks_magnifier.md
+++ b/Extensions/palo_alto_networks_magnifier.md
@@ -14,19 +14,21 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | ------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | dest_user | | | | |
-| | target_domain | | | | |
-| | src_ip | Legacy | ✓ | ✓ | |
-| | src_location | | | | |
-| | alert_id | Legacy | | | ✓ |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | domain | | | | |
-| | action | Legacy | | | ✓ |
-| | threat_type | | | | |
-| | malware_url | | | | |
-| | category | | | | |
-| | user | Legacy | | ✓ | |
-| | direction | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | --------------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | dest_user | | | | |
+| | domain_user_name | | | | |
+| | target_domain | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | src_location | | | | |
+| | dest_domain_user_name | | | | |
+| | alert_id | Legacy | | | ✓ |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | domain | | | | |
+| | action | Legacy | | | ✓ |
+| | threat_type | | | | |
+| | malware_url | | | | |
+| | category | | | | |
+| | user | Legacy | | ✓ | |
+| | direction | | | | |
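Review bot: `domain_user_name` is inserted directly under `dest_user` and `dest_domain_user_name` under `src_location`, which separates each new field from the row it is most naturally read against (`user` and `dest_user`); grouping `dest_domain_user_name` next to `dest_user` and `domain_user_name` next to `user` would make the source/destination pairing obvious, and both new rows still lack any classification.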
diff --git a/Extensions/palo_alto_networks_ngfw.md b/Extensions/palo_alto_networks_ngfw.md
index 5d1d67f..1091228 100644
--- a/Extensions/palo_alto_networks_ngfw.md
+++ b/Extensions/palo_alto_networks_ngfw.md
@@ -20,6 +20,8 @@ Activity Types
| | miscellaneous | | | | |
| | bytes_in | | | | |
| | src_user | | | | |
+| | network_app | | | | |
+| | domain_user_name | | | | |
| | dest_translated_ip | | | | |
| | threat_category | | | | |
| | src_ip | Legacy | ✓ | ✓ | |
@@ -32,6 +34,7 @@ Activity Types
| | alert_id | Legacy | | | ✓ |
| | action | Legacy | | | ✓ |
| | dest_port | Legacy | | ✓ | |
+| | user_agent | | | | |
| | direction | | | | |
| | src_network_zone | | | | |
| | file_name | Legacy | ✓ | | |
@@ -39,19 +42,20 @@ Activity Types
| | profile | | | | |
| | dest_network_zone | | | | |
| | event_category | | | | |
-| | rule_id | | | | |
| | src_port | Legacy | | | ✓ |
+| | rule_id | | | | |
| | sequence | | | | |
| | file_ext | | | | |
| | email_address | | | | |
| | bytes_out | | | | |
| | additional_info | | | | |
+| | web_domain | | | | |
+| | dest_ip | Legacy | ✓ | ✓ | |
| | domain | | | | |
| | dest_domain | | | | |
| | dest_host | Legacy | | ✓ | |
| | dest_translated_port | | | | |
| | malware_url | | | | |
-| | network_application | | | | |
| | category | | | | |
| | user | Legacy | | ✓ | |
| | event_time | | | | |
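Review bot: `rule_id` is removed and re-added one line later, and `network_application` is removed at the bottom while `network_app` appears in an earlier hunk of the same file, so this hunk mixes a rename with pure reordering; keeping the rows in their original order would reduce the diff to the two real additions (`web_domain`, `dest_ip`) and the one rename.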
diff --git a/Extensions/palo_alto_networks_prisma_cloud.md b/Extensions/palo_alto_networks_prisma_cloud.md
index dffb1ee..09f4730 100644
--- a/Extensions/palo_alto_networks_prisma_cloud.md
+++ b/Extensions/palo_alto_networks_prisma_cloud.md
@@ -25,5 +25,6 @@ Activity Types
| | domain | | | | |
| | file_dir | Legacy | | | ✓ |
| | user_sid | | | | |
+| | domain_user_name | | | | |
| | user | Legacy | | ✓ | |
diff --git a/Extensions/palo_alto_networks_traps.md b/Extensions/palo_alto_networks_traps.md
index c7d6117..6dfcc61 100644
--- a/Extensions/palo_alto_networks_traps.md
+++ b/Extensions/palo_alto_networks_traps.md
@@ -16,14 +16,15 @@ Activity Types
| Activity Type | Field | Status | Core | Detection | Informational |
| ------------- | ------------------ | ------ | -------- | --------- | ------------- |
-| alert-trigger | dest_translated_ip | | | | |
+| alert-trigger | app | | | | |
+| | domain_user_name | | | | |
+| | dest_translated_ip | | | | |
| | src_ip | Legacy | ✓ | ✓ | |
| | src_location | | | | |
| | src_port | Legacy | | | ✓ |
| | src_translated_ip | | | | |
| | protocol | Legacy | | ✓ | |
| | email_address | | | | |
-| | application | | | | |
| | alert_id | Legacy | | | ✓ |
| | dest_ip | Legacy | ✓ | ✓ | |
| | domain | | | | |
diff --git a/Extensions/palo_alto_ngfw.md b/Extensions/palo_alto_ngfw.md
index 827aad3..887269f 100644
--- a/Extensions/palo_alto_ngfw.md
+++ b/Extensions/palo_alto_ngfw.md
@@ -14,30 +14,32 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| -------------------- | ----------------- | ------- | ---- | --------- | ------------- |
-| app-login | src_ip | Default | | ✓ | |
-| | src_host | Default | | ✓ | |
-| configuration-modify | src_ip | | | ✓ | |
-| | src_host | | | ✓ | |
-| | operation | | | | ✓ |
-| | object | | | | ✓ |
-| http-session | src_network_zone | Default | | | ✓ |
-| | network_app | Default | | | ✓ |
-| | dest_network_zone | Default | | | ✓ |
-| network-session | src_network_zone | Default | | | ✓ |
-| | bytes_in | Default | | | ✓ |
-| | rule | Default | | | ✓ |
-| | network_app | Default | | | ✓ |
-| | dest_user | Default | | ✓ | |
-| | dest_network_zone | Default | | | ✓ |
-| | bytes_out | Default | | | ✓ |
-| | src_country | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | dest_domain | Default | | | ✓ |
-| | action | Default | | | ✓ |
-| | category | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | dest_country | Default | | | ✓ |
-| | direction | Default | | | ✓ |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| -------------------- | --------------------- | ------- | ---- | --------- | ------------- |
+| app-login | src_ip | Default | | ✓ | |
+| | src_host | Default | | ✓ | |
+| configuration-modify | src_ip | | | ✓ | |
+| | src_host | | | ✓ | |
+| | operation | | | | ✓ |
+| | object | | | | ✓ |
+| http-session | src_network_zone | Default | | | ✓ |
+| | network_app | Default | | | ✓ |
+| | dest_network_zone | Default | | | ✓ |
+| network-session | src_network_zone | Default | | | ✓ |
+| | bytes_in | Default | | | ✓ |
+| | rule | Default | | | ✓ |
+| | network_app | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | dest_user | Default | | ✓ | |
+| | dest_network_zone | Default | | | ✓ |
+| | bytes_out | Default | | | ✓ |
+| | dest_domain_user_name | | | | |
+| | src_country | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | dest_domain | Default | | | ✓ |
+| | action | Default | | | ✓ |
+| | category | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | dest_country | Default | | | ✓ |
+| | direction | Default | | | ✓ |
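Review bot: `domain_user_name` and `dest_domain_user_name` are added to the `network-session` block with blank Status and classification, whereas every other row in that block is `Default` with a mark in Detection or Informational; if the blanks are intentional this is the one table where that inconsistency is most visible, so a status value or an explanatory note is warranted.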
diff --git a/Extensions/password_manager_pro.md b/Extensions/password_manager_pro.md
index cfc15cf..b75492b 100644
--- a/Extensions/password_manager_pro.md
+++ b/Extensions/password_manager_pro.md
@@ -9,12 +9,13 @@ product = "password manager pro"
Fields
------
-| Field | Core | Detection | Informational |
-| -------- | -------- | --------- | ------------- |
-| src_ip | | ✓ | |
-| domain | | ✓ | |
-| src_host | | ✓ | |
-| user | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| src_ip | | ✓ | |
+| domain | | ✓ | |
+| domain_user_name | | | |
+| src_host | | ✓ | |
+| user | ✓ | ✓ | |
Activity Types
--------------
diff --git a/Extensions/ping_identity.md b/Extensions/ping_identity.md
index fbf4a80..42d4a5a 100644
--- a/Extensions/ping_identity.md
+++ b/Extensions/ping_identity.md
@@ -23,6 +23,7 @@ Activity Types
| app-activity | additional_info | Default | | | ✓ |
| | domain | Default | | | ✓ |
| | event_name | Default | | | ✓ |
+| | domain_user_name | | | | |
| | category | Default | | | ✓ |
| | user | Default | | ✓ | |
| | user_agent | Default | | | ✓ |
@@ -30,6 +31,7 @@ Activity Types
| | alert_name | Default | | | ✓ |
| app-authentication | local_user_id | Default | | | ✓ |
| | role | Default | | | ✓ |
+| | os | Default | | | ✓ |
| | src_host | Default | | ✓ | |
| | auth_method | Default | | | ✓ |
| | additional_info | Default | | | ✓ |
@@ -37,7 +39,6 @@ Activity Types
| | browser | Default | | | ✓ |
| | dest_host | Default | | ✓ | |
| | event_name | Default | | | ✓ |
-| | operating_system | Default | | | ✓ |
| | response_time | Default | | | ✓ |
| | attributes | Default | | | ✓ |
| | device | Default | | | ✓ |
@@ -46,13 +47,13 @@ Activity Types
| | adopter_id | Default | | | ✓ |
| app-login | country | Default | | | ✓ |
| | requested_app | Default | | | ✓ |
+| | os | Default | | | ✓ |
| | src_host | Default | | ✓ | |
| | url | Default | | | ✓ |
| | src_ip | Default | | ✓ | |
| | auth_method | Default | | | ✓ |
| | additional_info | Default | | | ✓ |
| | dest_ip | Default | | ✓ | |
-| | operating_system | Default | | | ✓ |
| | dest_host | Default | | ✓ | |
| | event_name | Default | | | ✓ |
| | requested_app_id | Default | | | ✓ |
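Review bot: `os` is inserted after `requested_app` while `operating_system` is removed further down between `dest_ip` and `dest_host`, so the rename costs two hunk lines and a position change; the `vpn-login` hunk below does the same rename in place with a single replaced row, and the `app-login` and `app-authentication` blocks would be easier to review done the same way.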
@@ -74,7 +75,7 @@ Activity Types
| | adopter_id | | | | |
| vpn-login | country | Default | | | ✓ |
| | requested_app | Default | | | ✓ |
-| | operating_system | Default | | | ✓ |
+| | os | Default | | | ✓ |
| | requested_app_id | Default | | | ✓ |
| | device | Default | | | ✓ |
diff --git a/Extensions/pinsafe.md b/Extensions/pinsafe.md
index c683223..392253f 100644
--- a/Extensions/pinsafe.md
+++ b/Extensions/pinsafe.md
@@ -17,10 +17,10 @@ Fields
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | ----------- | ------- | ---- | --------- | ------------- |
-| app-activity | src_port | Default | | | ✓ |
-| | application | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| app-login | | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | -------- | ------- | ---- | --------- | ------------- |
+| app-activity | app | Default | | | ✓ |
+| | src_port | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| app-login | | | | | |
diff --git a/Extensions/portnox_clear.md b/Extensions/portnox_clear.md
index 52fb90d..1e53782 100644
--- a/Extensions/portnox_clear.md
+++ b/Extensions/portnox_clear.md
@@ -22,9 +22,10 @@ Fields
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ----------------------- | ------ | ------- | ---- | --------- | ------------- |
-| endpoint-authentication | | | | | |
-| endpoint-policy-verify | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ----------------------- | ---------------- | ------- | ---- | --------- | ------------- |
+| endpoint-authentication | | | | | |
+| endpoint-policy-verify | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
diff --git a/Extensions/postgresql.md b/Extensions/postgresql.md
index 637f079..191dd40 100644
--- a/Extensions/postgresql.md
+++ b/Extensions/postgresql.md
@@ -9,16 +9,17 @@ product = "postgresql"
Fields
------
-| Field | Core | Detection | Informational |
-| --------------- | ---- | --------- | ------------- |
-| src_ip | | | ✓ |
-| db_name | | | ✓ |
-| additional_info | | | ✓ |
-| db_user | | | ✓ |
-| alert_id | | | ✓ |
-| event_name | | | ✓ |
-| src_host | | | ✓ |
-| dtz | | | ✓ |
+| Field | Core | Detection | Informational |
+| ------------------ | ---- | --------- | ------------- |
+| src_ip | | | ✓ |
+| db_name | | | ✓ |
+| additional_info | | | ✓ |
+| db_user | | | ✓ |
+| alert_id | | | ✓ |
+| event_name | | | ✓ |
+| src_host | | | ✓ |
+| dtz | | | ✓ |
+| database_user_name | | | |
Activity Types
--------------
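Review bot: `database_user_name` is appended to a Fields table that already has `db_user` marked Informational, and the hunk gives no indication whether the two are distinct or one supersedes the other; a short note on their relationship (or a status on the new row) would prevent consumers from mapping the same value twice.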
diff --git a/Extensions/postscript.md b/Extensions/postscript.md
index 2236f31..5c6c3e1 100644
--- a/Extensions/postscript.md
+++ b/Extensions/postscript.md
@@ -9,12 +9,13 @@ product = "postscript"
Fields
------
-| Field | Core | Detection | Informational |
-| ------------ | ---- | --------- | ------------- |
-| printer_name | | | ✓ |
-| src_host | | | ✓ |
-| user | | | ✓ |
-| object | | | ✓ |
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| local_user_name | | | |
+| printer_name | | | ✓ |
+| src_host | | | ✓ |
+| user | | | ✓ |
+| object | | | ✓ |
Activity Types
--------------
diff --git a/Extensions/powertech_identity_&_access_manager.md b/Extensions/powertech_identity_&_access_manager.md
index a774677..933fd26 100644
--- a/Extensions/powertech_identity_&_access_manager.md
+++ b/Extensions/powertech_identity_&_access_manager.md
@@ -9,10 +9,11 @@ product = "powertech identity & access manager"
Fields
------
-| Field | Core | Detection | Informational |
-| ------ | ---- | --------- | ------------- |
-| domain | | | ✓ |
-| user | | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| domain | | | ✓ |
+| domain_user_name | | | |
+| user | | ✓ | |
Activity Types
--------------
diff --git a/Extensions/proofpoint_casb.md b/Extensions/proofpoint_casb.md
index 2cc4d48..b1c9255 100644
--- a/Extensions/proofpoint_casb.md
+++ b/Extensions/proofpoint_casb.md
@@ -4,7 +4,7 @@ proofpoint casb
Expression
----------
-product = "proofpoint casb"
+product = proofpoint casb
Fields
------
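Review bot: the quotes are dropped from the product expression, leaving `product = proofpoint casb` with an unquoted value containing a space, while every other expression in this change keeps its quotes (e.g. `product = "oracle database"`); this looks like an accidental edit and, if the expression is parsed, may fail or match differently, so the quoted form should be restored.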
@@ -20,15 +20,16 @@ Activity Types
| | file_name | Legacy | ✓ | | |
| | email_attachments | | | | |
| | target | | | | |
-| | result | | | | |
| | src_ip | Legacy | ✓ | ✓ | |
+| | result | | | | |
| | email_address | | | | |
| | email_user | | | | |
| | sender | Legacy | ✓ | | |
| | bytes | Legacy | | ✓ | |
| | recipients | | | | |
+| | dest_ip | Legacy | ✓ | ✓ | |
| | alert_id | Legacy | | | ✓ |
| | recipient | | | | |
-| | email_subject | | | | |
| | user | Legacy | | ✓ | |
+| | email_subject | | | | |
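Review bot: `dest_ip` is the one new row in this hunk that arrives fully classified (`Legacy`, Core ✓, Detection ✓), unlike the blank rows added elsewhere in this change, so double-check that those marks are intended for this extension; the remaining lines (`result`, `email_subject`) are pure reorders that add noise without changing content.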
diff --git a/Extensions/proofpoint_enterprise_protection.md b/Extensions/proofpoint_enterprise_protection.md
index 4e21554..cd96058 100644
--- a/Extensions/proofpoint_enterprise_protection.md
+++ b/Extensions/proofpoint_enterprise_protection.md
@@ -18,6 +18,7 @@ Activity Types
| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
| alert-trigger | email_id | | | | |
| | file_name | Legacy | ✓ | | |
+| | local_user_name | | | | |
| | src_host | Legacy | ✓ | ✓ | |
| | target | | | | |
| | threat_url | | | | |
diff --git a/Extensions/proofpoint_insider_threat_management.md b/Extensions/proofpoint_insider_threat_management.md
index edf86bb..8b20260 100644
--- a/Extensions/proofpoint_insider_threat_management.md
+++ b/Extensions/proofpoint_insider_threat_management.md
@@ -16,7 +16,8 @@ Activity Types
| Activity Type | Field | Status | Core | Detection | Informational |
| ------------- | --------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | country | | | | |
+| alert-trigger | app | | | | |
+| | country | | | | |
| | city | | | | |
| | object_type | | | | |
| | last_name | | | | |
@@ -25,7 +26,6 @@ Activity Types
| | src_ip | Legacy | ✓ | ✓ | |
| | email_address | | | | |
| | full_name | | | | |
-| | application | | | | |
| | additional_info | | | | |
| | state | | | | |
| | user | Legacy | | ✓ | |
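Review bot: the `application` row removed here is the counterpart of the `app` row added at the top of the `alert-trigger` block in the previous hunk, so the rename is split across two hunks of the same file; replacing the row in place would keep the rename in one hunk and make it easy to verify that no other cell changed.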
diff --git a/Extensions/quest_change_auditor_for_active_directory.md b/Extensions/quest_change_auditor_for_active_directory.md
index 520cc9d..80d83ff 100644
--- a/Extensions/quest_change_auditor_for_active_directory.md
+++ b/Extensions/quest_change_auditor_for_active_directory.md
@@ -14,72 +14,76 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| -------------------- | --------------- | ------- | -------- | --------- | ------------- |
-| ds_object-activity | host_ip | Default | | | ✓ |
-| | old_attribute | Default | | | ✓ |
-| | operation_type | Default | | | ✓ |
-| | new_attribute | Default | | | ✓ |
-| | src_host | Default | | ✓ | |
-| | object_ou | Default | | | ✓ |
-| | src_ip | Default | | ✓ | |
-| | dest_ip | Default | | ✓ | |
-| | domain | Default | | | ✓ |
-| | event_name | Default | | | ✓ |
-| | attribute | Default | | | ✓ |
-| | object_dn | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | object_class | Default | | | ✓ |
-| | dest_port | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| endpoint-login | src_ip | Default | | ✓ | |
-| | user_id | Default | | | ✓ |
-| | dest_ip | Default | | ✓ | |
-| | event_name | Default | | | ✓ |
-| file-delete | src_ip | | | ✓ | |
-| | access | Legacy | | ✓ | |
-| | user_id | | | | ✓ |
-| | additional_info | | | | ✓ |
-| | alert_severity | | | | ✓ |
-| | domain | | | | ✓ |
-| | src_host | Legacy | | ✓ | |
-| | user | Legacy | ✓ | ✓ | |
-| | operation | | | | ✓ |
-| file-read | src_ip | | | ✓ | |
-| | access | Legacy | | ✓ | |
-| | user_id | | | | ✓ |
-| | additional_info | | | | ✓ |
-| | alert_severity | | | | ✓ |
-| | domain | | | | ✓ |
-| | src_host | Legacy | | ✓ | |
-| | user | Legacy | ✓ | ✓ | |
-| | operation | | | | ✓ |
-| file-write | src_ip | | | ✓ | |
-| | access | Legacy | | ✓ | |
-| | user_id | | | | ✓ |
-| | additional_info | | | | ✓ |
-| | alert_severity | | | | ✓ |
-| | domain | | | | ✓ |
-| | src_host | | | ✓ | |
-| | user | Legacy | ✓ | ✓ | |
-| | operation | | | | ✓ |
-| group-member-add | src_ip | | | | |
-| | user_id | | | | |
-| | additional_info | | | | |
-| | event_name | | | | |
-| | dest_user_id | | | | |
-| group-member-remove | src_ip | | | | |
-| | user_id | | | | |
-| | additional_info | | | | |
-| | event_name | | | | |
-| | dest_user_id | | | | |
-| user-lock | src_ip | | | | |
-| | dest_user_ou | | | | |
-| | user_id | | | | |
-| | additional_info | | | | |
-| | event_name | | | | |
-| user-password-modify | src_ip | Default | | ✓ | |
-| | user_id | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | event_name | Default | | | ✓ |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| -------------------- | ---------------- | ------- | -------- | --------- | ------------- |
+| ds_object-activity | host_ip | Default | | | ✓ |
+| | old_attribute | Default | | | ✓ |
+| | operation_type | Default | | | ✓ |
+| | new_attribute | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | src_host | Default | | ✓ | |
+| | object_ou | Default | | | ✓ |
+| | src_ip | Default | | ✓ | |
+| | dest_ip | Default | | ✓ | |
+| | domain | Default | | | ✓ |
+| | event_name | Default | | | ✓ |
+| | attribute | Default | | | ✓ |
+| | object_dn | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | object_class | Default | | | ✓ |
+| | dest_port | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| endpoint-login | src_ip | Default | | ✓ | |
+| | user_id | Default | | | ✓ |
+| | dest_ip | Default | | ✓ | |
+| | event_name | Default | | | ✓ |
+| file-delete | src_ip | | | ✓ | |
+| | access | Legacy | | ✓ | |
+| | user_id | | | | ✓ |
+| | additional_info | | | | ✓ |
+| | alert_severity | | | | ✓ |
+| | domain | | | | ✓ |
+| | domain_user_name | | | | |
+| | src_host | Legacy | | ✓ | |
+| | user | Legacy | ✓ | ✓ | |
+| | operation | | | | ✓ |
+| file-read | src_ip | | | ✓ | |
+| | access | Legacy | | ✓ | |
+| | user_id | | | | ✓ |
+| | additional_info | | | | ✓ |
+| | alert_severity | | | | ✓ |
+| | domain | | | | ✓ |
+| | domain_user_name | | | | |
+| | src_host | Legacy | | ✓ | |
+| | user | Legacy | ✓ | ✓ | |
+| | operation | | | | ✓ |
+| file-write | src_ip | | | ✓ | |
+| | access | Legacy | | ✓ | |
+| | user_id | | | | ✓ |
+| | additional_info | | | | ✓ |
+| | alert_severity | | | | ✓ |
+| | domain | | | | ✓ |
+| | domain_user_name | | | | |
+| | src_host | | | ✓ | |
+| | user | Legacy | ✓ | ✓ | |
+| | operation | | | | ✓ |
+| group-member-add | src_ip | | | | |
+| | user_id | | | | |
+| | additional_info | | | | |
+| | event_name | | | | |
+| | dest_user_id | | | | |
+| group-member-remove | src_ip | | | | |
+| | user_id | | | | |
+| | additional_info | | | | |
+| | event_name | | | | |
+| | dest_user_id | | | | |
+| user-lock | src_ip | | | | |
+| | dest_user_ou | | | | |
+| | user_id | | | | |
+| | additional_info | | | | |
+| | event_name | | | | |
+| user-password-modify | src_ip | Default | | ✓ | |
+| | user_id | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | event_name | Default | | | ✓ |
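Review bot: the only substantive change in this hunk is four `domain_user_name` rows (under `ds_object-activity`, `file-delete`, `file-read` and `file-write`), yet the whole 70-row table is re-emitted because the Field column widened by one character, so a reviewer has to diff the two tables by eye to find them; keep column widths fixed or generate these tables so only changed rows appear. The new rows have no Status while their neighbours are `Default` or `Legacy`, and the rewrite carries forward an inconsistency worth fixing while here: `src_host` under `file-write` (`| | src_host | | | ✓ | |`) has no Status, whereas the same field under `file-delete` and `file-read` is `Legacy`.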
diff --git a/Extensions/rangeraudit.md b/Extensions/rangeraudit.md
index c6c7a5b..e582ea0 100644
--- a/Extensions/rangeraudit.md
+++ b/Extensions/rangeraudit.md
@@ -18,7 +18,7 @@ Activity Types
| Activity Type | Field | Status | Core | Detection | Informational |
| -------------- | --------------- | ------- | ---- | --------- | ------------- |
-| app-activity | application | Default | | | ✓ |
+| app-activity | app | Default | | | ✓ |
| | additional_info | Default | | | ✓ |
| | resource | Default | | | ✓ |
| | dest_host | Default | | ✓ | |
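Review bot: renaming `application` to `app` correctly keeps the `Default` status and Informational mark, but it is a breaking change for any content that references the old field name for this extension. The same rename appears in the proofpoint insider threat management and servicenow hunks of this patch; grep `Extensions/*.md` for remaining `application` rows before merging, and record the rename in the changelog.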
diff --git a/Extensions/rapid7_nexpose.md b/Extensions/rapid7_nexpose.md
index 7f64a19..6d842f2 100644
--- a/Extensions/rapid7_nexpose.md
+++ b/Extensions/rapid7_nexpose.md
@@ -22,6 +22,7 @@ Activity Types
| | additional_info | | | | |
| | process_name | Legacy | | ✓ | |
| | hash_md5 | | | | |
+| | local_user_name | | | | |
| | malware_url | | | | |
| | src_host | Legacy | ✓ | ✓ | |
| | user | Legacy | | ✓ | |
diff --git a/Extensions/ricoh_printer.md b/Extensions/ricoh_printer.md
index d65f13e..e1387cc 100644
--- a/Extensions/ricoh_printer.md
+++ b/Extensions/ricoh_printer.md
@@ -9,14 +9,15 @@ product = "ricoh printer"
Fields
------
-| Field | Core | Detection | Informational |
-| ------------ | ---- | --------- | ------------- |
-| bytes | | | ✓ |
-| num_pages | | | ✓ |
-| src_host | | | ✓ |
-| printer_name | | | ✓ |
-| user | | | ✓ |
-| object | | | ✓ |
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| bytes | | | ✓ |
+| num_pages | | | ✓ |
+| local_user_name | | | |
+| src_host | | | ✓ |
+| printer_name | | | ✓ |
+| user | | | ✓ |
+| object | | | ✓ |
Activity Types
--------------
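Review bot: in this Fields table `local_user_name` is the only row with no Core/Detection/Informational mark; every other field is marked Informational. Either classify it (Informational, like `user` and `src_host`) or document that an unmarked row means the field is extracted but unclassified. As with the other tables in this patch, the full table is rewritten only because the Field column grew.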
diff --git a/Extensions/rsa_authentication_manager.md b/Extensions/rsa_authentication_manager.md
index b3fe271..4c086f4 100644
--- a/Extensions/rsa_authentication_manager.md
+++ b/Extensions/rsa_authentication_manager.md
@@ -9,12 +9,13 @@ product = "rsa authentication manager"
Fields
------
-| Field | Core | Detection | Informational |
-| ------- | -------- | --------- | ------------- |
-| src_ip | | ✓ | |
-| domain | | ✓ | |
-| dest_ip | | | ✓ |
-| user | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| src_ip | | ✓ | |
+| domain | | ✓ | |
+| dest_ip | | | ✓ |
+| domain_user_name | | | |
+| user | ✓ | ✓ | |
Activity Types
--------------
diff --git a/Extensions/rsa_dlp.md b/Extensions/rsa_dlp.md
index e79d006..a6ea0db 100644
--- a/Extensions/rsa_dlp.md
+++ b/Extensions/rsa_dlp.md
@@ -14,13 +14,14 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | ------------ | ------ | -------- | --------- | ------------- |
-| alert-trigger | result | | | | |
-| | src_ip | Legacy | ✓ | ✓ | |
-| | process_name | Legacy | | ✓ | |
-| | domain | | | | |
-| | process_dir | | | | |
-| | process_path | Legacy | | ✓ | |
-| | user | Legacy | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | result | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | process_name | Legacy | | ✓ | |
+| | domain | | | | |
+| | process_dir | | | | |
+| | domain_user_name | | | | |
+| | process_path | Legacy | | ✓ | |
+| | user | Legacy | | ✓ | |
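Review bot: `domain_user_name` is inserted between `process_dir` and `process_path`, splitting the `process_*` rows, and, like the other new user-name rows in this patch, carries no Status or classification. Place it beside `user` and `domain`, where the identity fields sit, and give it a status so the table reads consistently.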
diff --git a/Extensions/rsa_netwitness_platform.md b/Extensions/rsa_netwitness_platform.md
index 9d79b55..8ee6155 100644
--- a/Extensions/rsa_netwitness_platform.md
+++ b/Extensions/rsa_netwitness_platform.md
@@ -4,7 +4,7 @@ rsa netwitness platform
Expression
----------
-product = "rsa netwitness"
+product = "rsa netwitness platform"
Fields
------
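Review bot: changing the expression from `product = "rsa netwitness"` to `product = "rsa netwitness platform"` changes what this extension matches: events that still arrive with `product` set to `rsa netwitness` are no longer routed here unless the parser that sets that value is updated in the same release. Confirm the emitting parser now produces the new value (or that the old value is kept as an alias) and describe the change as behavioural, not cosmetic. The secureenvoy and silverfort hunks below make the same kind of change.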
diff --git a/Extensions/safend_data_protection_suite_(dps).md b/Extensions/safend_data_protection_suite_(dps).md
index c6079b3..b58bc9d 100644
--- a/Extensions/safend_data_protection_suite_(dps).md
+++ b/Extensions/safend_data_protection_suite_(dps).md
@@ -19,10 +19,11 @@ Activity Types
| alert-trigger | result | | | | |
| | protocol | Legacy | | ✓ | |
| | device_id | | | | |
+| | os | | | | |
| | additional_info | | | | |
| | bytes | Legacy | | ✓ | |
| | process_name | Legacy | | ✓ | |
| | domain | | | | |
-| | operating_system | | | | |
+| | domain_user_name | | | | |
| | user | Legacy | | ✓ | |
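Review bot: the `-operating_system` / `+domain_user_name` pair at the bottom of this hunk reads as if one field replaced the other, but `operating_system` is actually renamed to `os` (added eight rows up, after `device_id`) and `domain_user_name` is an unrelated addition. Put `os` in the position `operating_system` held, or split the rename and the addition into separate hunks, so the diff shows what happened. Neither `os` nor `domain_user_name` has a Status or classification; `operating_system` had none before either, so that is not a regression, but it is a chance to fix it.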
diff --git a/Extensions/safend_dps.md b/Extensions/safend_dps.md
index 7d01e81..9845bc4 100644
--- a/Extensions/safend_dps.md
+++ b/Extensions/safend_dps.md
@@ -9,24 +9,25 @@ product = "safend dps"
Fields
------
-| Field | Core | Detection | Informational |
-| --------- | -------- | --------- | ------------- |
-| domain | | ✓ | |
-| user | ✓ | ✓ | |
-| operation | | | ✓ |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| domain | | ✓ | |
+| domain_user_name | | | |
+| user | ✓ | ✓ | |
+| operation | | | ✓ |
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| --------------------------- | ---------------- | ------ | ---- | --------- | ------------- |
-| file-read | device_id | Legacy | | ✓ | |
-| | bytes_out | | | | ✓ |
-| | operating_system | | | ✓ | |
-| | device_type | Legacy | | | ✓ |
-| file-write | device_id | Legacy | | ✓ | |
-| | bytes_in | | | ✓ | |
-| | operating_system | | | | ✓ |
-| | device_type | Legacy | | | ✓ |
-| peripheral_storage-activity | | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| --------------------------- | ----------- | ------ | ---- | --------- | ------------- |
+| file-read | device_id | Legacy | | ✓ | |
+| | os | | | ✓ | |
+| | bytes_out | | | | ✓ |
+| | device_type | Legacy | | | ✓ |
+| file-write | device_id | Legacy | | ✓ | |
+| | os | | | | ✓ |
+| | bytes_in | | | ✓ | |
+| | device_type | Legacy | | | ✓ |
+| peripheral_storage-activity | | | | | |
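Review bot: the `operating_system` to `os` rename preserves the marks (Detection under `file-read`, Informational under `file-write`), but the row also moves from third to second position in each group, turning a one-line rename into a reshuffle; keep its position. Visible but pre-existing: `peripheral_storage-activity` is still listed with no fields at all; if that activity type intentionally maps none, the page should say so, otherwise it looks like an unfinished row. The `domain_user_name` row added to the Fields table above has no classification, unlike every other field there.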
diff --git a/Extensions/sailpoint_fam.md b/Extensions/sailpoint_fam.md
index 002196c..639d730 100644
--- a/Extensions/sailpoint_fam.md
+++ b/Extensions/sailpoint_fam.md
@@ -14,30 +14,34 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ---------------------- | ---------- | ------ | -------- | --------- | ------------- |
-| file-delete | src_ip | | | | |
-| | access | Legacy | | ✓ | |
-| | file_type | Legacy | | | ✓ |
-| | domain | | | | |
-| | event_name | | | | |
-| | user | Legacy | ✓ | ✓ | |
-| file-permission-modify | src_ip | | | | |
-| | access | Legacy | | ✓ | |
-| | file_type | Legacy | | | ✓ |
-| | domain | | | | |
-| | event_name | | | | |
-| | user | Legacy | ✓ | ✓ | |
-| file-read | src_ip | | | | |
-| | access | Legacy | | ✓ | |
-| | file_type | Legacy | | | ✓ |
-| | domain | | | | |
-| | event_name | | | | |
-| | user | Legacy | ✓ | ✓ | |
-| file-write | src_ip | | | | |
-| | access | Legacy | | ✓ | |
-| | file_type | Legacy | | | ✓ |
-| | domain | | | | |
-| | event_name | | | | |
-| | user | Legacy | ✓ | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ---------------------- | ---------------- | ------ | -------- | --------- | ------------- |
+| file-delete | src_ip | | | | |
+| | access | Legacy | | ✓ | |
+| | file_type | Legacy | | | ✓ |
+| | domain | | | | |
+| | event_name | | | | |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| file-permission-modify | src_ip | | | | |
+| | access | Legacy | | ✓ | |
+| | file_type | Legacy | | | ✓ |
+| | domain | | | | |
+| | event_name | | | | |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| file-read | src_ip | | | | |
+| | access | Legacy | | ✓ | |
+| | file_type | Legacy | | | ✓ |
+| | domain | | | | |
+| | event_name | | | | |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| file-write | src_ip | | | | |
+| | access | Legacy | | ✓ | |
+| | file_type | Legacy | | | ✓ |
+| | domain | | | | |
+| | event_name | | | | |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
diff --git a/Extensions/salesforce.md b/Extensions/salesforce.md
index d99b958..b2acb46 100644
--- a/Extensions/salesforce.md
+++ b/Extensions/salesforce.md
@@ -9,86 +9,87 @@ product = "salesforce"
Fields
------
-| Field | Core | Detection | Informational |
-| ------ | -------- | --------- | ------------- |
-| domain | | ✓ | |
-| user | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| domain | | ✓ | |
+| domain_user_name | | | |
+| user | ✓ | ✓ | |
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ---------------------- | ---------------- | ------- | -------- | --------- | ------------- |
-| app-activity | src_ip | Default | | ✓ | |
-| | additional_info | Default | | | ✓ |
-| | bytes | Default | | | ✓ |
-| | dest_user | Default | | ✓ | |
-| | old_value | Default | | | ✓ |
-| | new_value | Default | | | ✓ |
-| | user_agent | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| app-login | src_ip | Default | | ✓ | |
-| | browser | Default | | | ✓ |
-| | dest_host | Default | | ✓ | |
-| | operating_system | Default | | | ✓ |
-| | user_agent | Default | | | ✓ |
-| app-logout | additional_info | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| app-notification | resource | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| configuration-modify | additional_info | | | | |
-| | operation | | | | |
-| | object | | | | |
-| file-delete | additional_info | | | | |
-| | dest_user | | | | |
-| | operation | | | | |
-| file-property-modify | old_value | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | new_value | Default | | | ✓ |
-| group-member-add | additional_info | | | | |
-| | operation | | | | |
-| group-member-move | additional_info | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| role-create | role_type | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| role-delete | role_type | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| role-modify | role_type | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| role-permission-modify | role_type | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | permission | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| user-create | additional_info | | | | |
-| user-disable | additional_info | | | | |
-| | operation | | | | |
-| user-enable | additional_info | | | | |
-| | operation | | | | |
-| user-lock | src_ip | | | | |
-| | additional_info | | | | |
-| | dest_host | Legacy | | | ✓ |
-| | src_host | Legacy | ✓ | ✓ | |
-| | operation | | | | |
-| user-modify | additional_info | | | | |
-| | old_value | | | | |
-| | operation | | | | |
-| | new_value | | | | |
-| | object | | | | |
-| user-password-expire | additional_info | Default | | | ✓ |
-| | resource | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| user-password-modify | operation | Default | | | ✓ |
-| user-password-reset | additional_info | | | | |
-| | operation | | | | |
-| user-role-assign | additional_info | Default | | | ✓ |
-| | resource | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| user-unlock | additional_info | | | | |
-| | operation | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ---------------------- | --------------- | ------- | -------- | --------- | ------------- |
+| app-activity | src_ip | Default | | ✓ | |
+| | additional_info | Default | | | ✓ |
+| | bytes | Default | | | ✓ |
+| | dest_user | Default | | ✓ | |
+| | old_value | Default | | | ✓ |
+| | new_value | Default | | | ✓ |
+| | user_agent | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| app-login | src_ip | Default | | ✓ | |
+| | os | Default | | | ✓ |
+| | browser | Default | | | ✓ |
+| | dest_host | Default | | ✓ | |
+| | user_agent | Default | | | ✓ |
+| app-logout | additional_info | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| app-notification | resource | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| configuration-modify | additional_info | | | | |
+| | operation | | | | |
+| | object | | | | |
+| file-delete | additional_info | | | | |
+| | dest_user | | | | |
+| | operation | | | | |
+| file-property-modify | old_value | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | new_value | Default | | | ✓ |
+| group-member-add | additional_info | | | | |
+| | operation | | | | |
+| group-member-move | additional_info | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| role-create | role_type | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| role-delete | role_type | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| role-modify | role_type | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| role-permission-modify | role_type | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | permission | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| user-create | additional_info | | | | |
+| user-disable | additional_info | | | | |
+| | operation | | | | |
+| user-enable | additional_info | | | | |
+| | operation | | | | |
+| user-lock | src_ip | | | | |
+| | additional_info | | | | |
+| | dest_host | Legacy | | | ✓ |
+| | src_host | Legacy | ✓ | ✓ | |
+| | operation | | | | |
+| user-modify | additional_info | | | | |
+| | old_value | | | | |
+| | operation | | | | |
+| | new_value | | | | |
+| | object | | | | |
+| user-password-expire | additional_info | Default | | | ✓ |
+| | resource | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| user-password-modify | operation | Default | | | ✓ |
+| user-password-reset | additional_info | | | | |
+| | operation | | | | |
+| user-role-assign | additional_info | Default | | | ✓ |
+| | resource | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| user-unlock | additional_info | | | | |
+| | operation | | | | |
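Review bot: the only content change in these seventy-odd lines is `operating_system` renamed to `os` under `app-login` and moved from fourth to second row; everything else is re-emitted because the Field column shrank from sixteen to fifteen characters. A fixed column width would have made this a two-line hunk. While the table is being rewritten, `user-lock` mixes marked rows (`dest_host` and `src_host` as `Legacy`) with unmarked `src_ip`, `additional_info` and `operation`, and `user-create` has a single unmarked `additional_info`; these should be classified or explicitly marked as unclassified, and the `domain_user_name` added to the Fields table above has the same gap.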
diff --git a/Extensions/search.md b/Extensions/search.md
new file mode 100644
index 0000000..b584f92
--- /dev/null
+++ b/Extensions/search.md
@@ -0,0 +1,90 @@
+search
+======
+
+Expression
+----------
+
+product = "search"
+
+Fields
+------
+
+There are no fields for this extension.
+
+Activity Types
+--------------
+
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ---------------------- | ------------------- | ------- | -------- | --------- | ------------- |
+| alert-trigger | trigger_type | | | | |
+| | local_user_name | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | rule_usecases | | | | ✓ |
+| | original_risk_score | | | | |
+| | log_time | | | | |
+| | base_risk_score | | | | |
+| | event_id | | | | ✓ |
+| | trigger_entity | | | | |
+| | dest_host | Legacy | | ✓ | |
+| | mitre_labels | | | | ✓ |
+| | alert_reason | | | | ✓ |
+| | asset_labels | | | | ✓ |
+| | user | Legacy | | ✓ | |
+| | event_time | | | | ✓ |
+| app-activity | src_ip | Default | | ✓ | |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| app-login | src_ip | Default | | ✓ | |
+| | additional_info | Default | | | ✓ |
+| app-notification | src_ip | Default | | ✓ | |
+| | app | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| group-modify | src_ip | | | | |
+| | app | | | | |
+| | additional_info | | | | |
+| | domain | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | | |
+| | operation | | | | |
+| log_source-add | src_ip | Default | | ✓ | |
+| | app | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| log_source-modify | src_ip | Default | | ✓ | |
+| | app | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| role-delete | src_ip | Default | | ✓ | |
+| | app | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| role-permission-modify | src_ip | Default | | ✓ | |
+| | app | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| rule-create | src_ip | Default | | ✓ | |
+| | app | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+
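Review bot: `product = "search"` is a very generic expression; please confirm it is the exact product value the parser emits and cannot collide with other sources, since any event carrying `product = "search"` is routed to this extension. In the tables, `trigger_type`, `trigger_entity`, `original_risk_score`, `base_risk_score` and `log_time` under `alert-trigger` have no Status and no classification while neighbouring rows (`rule_usecases`, `mitre_labels`, `event_time`) are Informational; `user` under `group-modify` is `Legacy | ✓` (Core only) while every other activity type on this page marks `user` as `Default | ✓` under Detection, which looks like an error rather than a deliberate difference; and the new file ends with an empty line after the table, so check it matches the generator's output for the other pages.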
diff --git a/Extensions/seclore.md b/Extensions/seclore.md
index b00ede5..1bc3a84 100644
--- a/Extensions/seclore.md
+++ b/Extensions/seclore.md
@@ -9,13 +9,14 @@ product = "seclore"
Fields
------
-| Field | Core | Detection | Informational |
-| --------------- | ---- | --------- | ------------- |
-| access | | | ✓ |
-| additional_info | | | ✓ |
-| dest_ip | | | ✓ |
-| domain | | | ✓ |
-| user | | | ✓ |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| access | | | ✓ |
+| additional_info | | | ✓ |
+| dest_ip | | | ✓ |
+| domain | | | ✓ |
+| domain_user_name | | | |
+| user | | | ✓ |
Activity Types
--------------
diff --git a/Extensions/secureenvoy_multi-factor_authentication.md b/Extensions/secureenvoy_multi-factor_authentication.md
index 8bd53f6..6a99a0e 100644
--- a/Extensions/secureenvoy_multi-factor_authentication.md
+++ b/Extensions/secureenvoy_multi-factor_authentication.md
@@ -4,7 +4,7 @@ secureenvoy multi-factor authentication
Expression
----------
-product = "secure envoy"
+product = "secureenvoy multi-factor authentication"
Fields
------
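Review bot: `product = "secure envoy"` to `product = "secureenvoy multi-factor authentication"` is a matching change, not a page rename: an event whose `product` is still `secure envoy` no longer matches this extension. If the intent is to make every expression equal to its page title (the rsa netwitness platform and silverfort hunks do the same), state that convention once and make sure the parsers emit the new value in the same release.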
diff --git a/Extensions/securelink.md b/Extensions/securelink.md
index 19b735d..6c2d111 100644
--- a/Extensions/securelink.md
+++ b/Extensions/securelink.md
@@ -14,13 +14,14 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | ---------- | ------- | ---- | --------- | ------------- |
-| app-activity | duration | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | dest_port | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| app-login | src_ip | Default | | ✓ | |
-| | event_name | Default | | | ✓ |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------- | ---- | --------- | ------------- |
+| app-activity | duration | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | dest_port | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| app-login | src_ip | Default | | ✓ | |
+| | event_name | Default | | | ✓ |
diff --git a/Extensions/sensormatik.md b/Extensions/sensormatik.md
index 48dc2af..ca1a19c 100644
--- a/Extensions/sensormatik.md
+++ b/Extensions/sensormatik.md
@@ -4,7 +4,7 @@ sensormatik
Expression
----------
-product = sensormatik"
+product = "sensormatik"
Fields
------
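Review bot: good catch on the missing opening quote in `product = sensormatik"`. Since these expressions are hand-written, a CI check that every `product = ...` line in `Extensions/*.md` is a balanced double-quoted string would keep this class of typo from reaching the corpus again.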
diff --git a/Extensions/sentinel_ips_outpost.md b/Extensions/sentinel_ips_outpost.md
index 2400eb8..66b6013 100644
--- a/Extensions/sentinel_ips_outpost.md
+++ b/Extensions/sentinel_ips_outpost.md
@@ -14,26 +14,26 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | ------------------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | operating_system_revision | | | | |
-| | file_path | Legacy | | | ✓ |
-| | src_interface | | | | |
-| | src_mac | | | | |
-| | process | | | | |
-| | agent_id | | | | |
-| | file_name | Legacy | ✓ | | |
-| | file_dir | Legacy | | | ✓ |
-| | src_host | Legacy | ✓ | ✓ | |
-| | src_net_status | | | | |
-| | src_domain | | | | |
-| | src_ip | Legacy | ✓ | ✓ | |
-| | file_ext | | | | |
-| | process_name | Legacy | | ✓ | |
-| | alert_id | Legacy | | | ✓ |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | hash_md5 | | | | |
-| | src_fqdn | | | | |
-| | dest_host | Legacy | | ✓ | |
-| | src_host_type | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | -------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | file_path | Legacy | | | ✓ |
+| | src_interface | | | | |
+| | src_mac | | | | |
+| | process | | | | |
+| | agent_id | | | | |
+| | file_name | Legacy | ✓ | | |
+| | file_dir | Legacy | | | ✓ |
+| | src_host | Legacy | ✓ | ✓ | |
+| | src_net_status | | | | |
+| | src_domain | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | file_ext | | | | |
+| | process_name | Legacy | | ✓ | |
+| | alert_id | Legacy | | | ✓ |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | hash_md5 | | | | |
+| | os_revision | | | | |
+| | src_fqdn | | | | |
+| | dest_host | Legacy | | ✓ | |
+| | src_host_type | | | | |
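Review bot: `operating_system_revision` is renamed to `os_revision` and also moved from the first row (under `alert-trigger`) to between `hash_md5` and `src_fqdn`, so the activity-type column now sits on `file_path` and the rename looks like a deletion plus an unrelated addition. Keep the row where it was so the hunk is a one-line rename. The field is unclassified before and after, so no regression there, but the rename should be noted alongside the `operating_system` to `os` renames elsewhere in this patch.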
diff --git a/Extensions/sentinelone_singularity.md b/Extensions/sentinelone_singularity.md
index b230b5a..254d28a 100644
--- a/Extensions/sentinelone_singularity.md
+++ b/Extensions/sentinelone_singularity.md
@@ -14,24 +14,33 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | -------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | file_path | Legacy | | | ✓ |
-| | src_interface | | | | |
-| | src_mac | | | | |
-| | file_dir | Legacy | | | ✓ |
-| | query | | | | |
-| | src_host | Legacy | ✓ | ✓ | |
-| | src_net_status | | | | |
-| | src_domain | | | | |
-| | src_ip | Legacy | ✓ | ✓ | |
-| | src_port | Legacy | | | ✓ |
-| | response | | | | |
-| | alert_id | Legacy | | | ✓ |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | hash_md5 | | | | |
-| | src_fqdn | | | | |
-| | user | Legacy | | ✓ | |
-| | dest_port | Legacy | | ✓ | |
-| | src_host_type | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | file_path | Legacy | | | ✓ |
+| | src_interface | | | | |
+| | bytes_in | | | | |
+| | domain_user_name | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | src_domain | | | | |
+| | process_name | Legacy | | ✓ | |
+| | alert_id | Legacy | | | ✓ |
+| | hash_md5 | | | | |
+| | src_fqdn | | | | |
+| | dest_port | Legacy | | ✓ | |
+| | src_mac | | | | |
+| | dest_mac | | | | |
+| | file_dir | Legacy | | | ✓ |
+| | query | | | | |
+| | process_dir | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | src_net_status | | | | |
+| | src_port | Legacy | | | ✓ |
+| | bytes_out | | | | |
+| | additional_info | | | | |
+| | response | | | | |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | domain | | | | |
+| | dest_host | Legacy | | ✓ | |
+| | user | Legacy | | ✓ | |
+| | src_host_type | | | | |
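Review bot: additions and moves are indistinguishable in this hunk: nine rows are new (`bytes_in`, `domain_user_name`, `process_name`, `dest_mac`, `process_dir`, `bytes_out`, `additional_info`, `domain`, `dest_host`), but the existing rows are reshuffled as well (`src_ip`, `src_domain`, `alert_id`, `hash_md5`, `src_fqdn`, `dest_port` move up; `src_mac`, `file_dir`, `query`, `src_host`, `src_net_status`, `src_port`, `response`, `dest_ip`, `user` move down). Emit the table in a stable order so the diff shows only the additions. Of the new rows, `process_name` and `dest_host` (`Legacy | ✓` under Detection) are classified consistently with the other extensions in this patch; the other seven have neither Status nor classification and should.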
diff --git a/Extensions/servicenow.md b/Extensions/servicenow.md
index 294b8f9..9c292f2 100644
--- a/Extensions/servicenow.md
+++ b/Extensions/servicenow.md
@@ -19,65 +19,70 @@ Fields
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------- | -------- | --------- | ------------- |
-| app-activity | file_path | Default | | | ✓ |
-| | file_name | Default | | | ✓ |
-| | table_name | Default | | | ✓ |
-| | dproc | Default | | | ✓ |
-| | file_ext | Default | | | ✓ |
-| | application | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | bytes | Default | | | ✓ |
-| | file_type | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | event_name | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | new_value | Default | | | ✓ |
-| | table | Default | | | ✓ |
-| app-login | | | | | |
-| file-delete | bytes | | | | |
-| | file_type | Legacy | | | ✓ |
-| | domain | | | | |
-| | action | | | | |
-| | old_value | | | | |
-| | user | Legacy | ✓ | ✓ | |
-| | operation | | | | |
-| | table_name | | | | |
-| | table | | | | |
-| | new_value | | | | |
-| | dproc | | | | |
-| file-download | bytes | Legacy | | ✓ | |
-| | file_type | Legacy | | | ✓ |
-| | domain | | | | |
-| | action | | | | |
-| | old_value | | | | |
-| | user | Legacy | ✓ | ✓ | |
-| | operation | | | | |
-| | table_name | | | | |
-| | table | | | | |
-| | new_value | | | | |
-| | dproc | | | | |
-| file-read | bytes | Legacy | | | ✓ |
-| | file_type | Legacy | | | ✓ |
-| | domain | | | | |
-| | action | | | | |
-| | old_value | | | | |
-| | user | Legacy | ✓ | ✓ | |
-| | operation | | | | |
-| | table_name | | | | |
-| | table | | | | |
-| | new_value | | | | |
-| | dproc | | | | |
-| file-upload | bytes | | | | |
-| | file_type | Legacy | | | ✓ |
-| | domain | | | | |
-| | action | | | | |
-| | old_value | | | | |
-| | user | Legacy | ✓ | ✓ | |
-| | operation | | | | |
-| | table_name | | | | |
-| | table | | | | |
-| | new_value | | | | |
-| | dproc | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------- | -------- | --------- | ------------- |
+| app-activity | app | Default | | | ✓ |
+| | file_path | Default | | | ✓ |
+| | file_name | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | table_name | Default | | | ✓ |
+| | dproc | Default | | | ✓ |
+| | file_ext | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | bytes | Default | | | ✓ |
+| | file_type | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | event_name | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | new_value | Default | | | ✓ |
+| | table | Default | | | ✓ |
+| app-login | | | | | |
+| file-delete | bytes | | | | |
+| | file_type | Legacy | | | ✓ |
+| | domain | | | | |
+| | action | | | | |
+| | domain_user_name | | | | |
+| | old_value | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | operation | | | | |
+| | table_name | | | | |
+| | table | | | | |
+| | new_value | | | | |
+| | dproc | | | | |
+| file-download | bytes | Legacy | | ✓ | |
+| | file_type | Legacy | | | ✓ |
+| | domain | | | | |
+| | action | | | | |
+| | domain_user_name | | | | |
+| | old_value | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | operation | | | | |
+| | table_name | | | | |
+| | table | | | | |
+| | new_value | | | | |
+| | dproc | | | | |
+| file-read | bytes | Legacy | | | ✓ |
+| | file_type | Legacy | | | ✓ |
+| | domain | | | | |
+| | action | | | | |
+| | domain_user_name | | | | |
+| | old_value | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | operation | | | | |
+| | table_name | | | | |
+| | table | | | | |
+| | new_value | | | | |
+| | dproc | | | | |
+| file-upload | bytes | | | | |
+| | file_type | Legacy | | | ✓ |
+| | domain | | | | |
+| | action | | | | |
+| | domain_user_name | | | | |
+| | old_value | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | operation | | | | |
+| | table_name | | | | |
+| | table | | | | |
+| | new_value | | | | |
+| | dproc | | | | |
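Review bot: the new `domain_user_name` rows under file-delete, file-download, file-read and file-upload carry no Status and no Core/Detection/Informational tick, while the `user` row beside each of them is `Legacy | ✓ | ✓`; the new `app-login` row is likewise completely empty. If these are placeholders for a field that has not been classified yet, state that in the commit message; otherwise give them a status, because a reader cannot tell a deliberately unclassified field from an unfinished row. While here, `bytes` under file-delete and file-upload has no status but the same field under file-download is `Legacy | | ✓` and under file-read `Legacy | | | ✓`; confirm that difference is intended.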
diff --git a/Extensions/silverfort_authentication_platform.md b/Extensions/silverfort_authentication_platform.md
index f7d3b39..a34d9f5 100644
--- a/Extensions/silverfort_authentication_platform.md
+++ b/Extensions/silverfort_authentication_platform.md
@@ -4,7 +4,7 @@ silverfort authentication platform
Expression
----------
-product = "silverfort"
+product = "silverfort authentication platform"
Fields
------
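Review bot: changing the Expression from `product = "silverfort"` to `product = "silverfort authentication platform"` changes which events this extension matches, so any parser or rule that still emits `product = "silverfort"` will silently stop being covered. Confirm the producing side was updated in the same change, and call the rename out in the commit message rather than leaving it as a one-line table edit.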
diff --git a/Extensions/singularity_platform.md b/Extensions/singularity_platform.md
index 24eb7e3..20c2f5b 100644
--- a/Extensions/singularity_platform.md
+++ b/Extensions/singularity_platform.md
@@ -9,19 +9,114 @@ product = "singularity platform"
Fields
------
-There are no fields for this extension.
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| process_name | | | ✓ |
+| bytes | | | ✓ |
+| domain | | | ✓ |
+| user_sid | | | ✓ |
+| domain_user_name | | | |
+| user | | | ✓ |
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | ------------ | ------ | -------- | --------- | ------------- |
-| alert-trigger | file_path | Legacy | | | ✓ |
-| | file_ext | | | | |
-| | agent_id | | | | |
-| | file_name | Legacy | ✓ | | |
-| | process_name | Legacy | | ✓ | |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | file_dir | Legacy | | | ✓ |
-| | dest_host | Legacy | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| --------------------- | -------------------- | ------- | -------- | --------- | ------------- |
+| alert-trigger | file_path | Legacy | | | ✓ |
+| | file_ext | | | | |
+| | agent_id | | | | |
+| | file_name | Legacy | ✓ | | |
+| | process_name | Legacy | | ✓ | |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | file_dir | Legacy | | | ✓ |
+| | dest_host | Legacy | | ✓ | |
+| app-activity | src_ip | Default | | ✓ | |
+| | src_mac | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | hash_md5 | Default | | | ✓ |
+| dns-request | process_id | | | | |
+| | hash_sha1 | | | | |
+| | agent_id | | | | |
+| | alert_severity | | | | |
+| | process_dir | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | alert_type | | | | |
+| | hash_sha256 | | | | |
+| | process_name | | | | |
+| | alert_id | | | | |
+| | hash_md5 | | | | |
+| | event_name | | | | |
+| | process_path | | | | |
+| | alert_name | | | | |
+| | user_agent | | | | |
+| dns-response | process_id | | | | |
+| | hash_sha1 | | | | |
+| | agent_id | | | | |
+| | alert_severity | | | | |
+| | process_dir | | | | |
+| | alert_type | | | | |
+| | hash_sha256 | | | | |
+| | process_name | | | | |
+| | alert_id | | | | |
+| | hash_md5 | | | | |
+| | event_name | | | | |
+| | process_path | | | | |
+| | alert_name | | | | |
+| | user_agent | | | | |
+| file-delete | src_ip | | | | |
+| | dest_ip | | | | |
+| | event_name | | | | |
+| file-read | src_ip | | | | |
+| | agent_id | | | | |
+| | alert_severity | | | | |
+| | dest_ip | | | | |
+| | alert_id | | | | |
+| | src_host | Legacy | | ✓ | |
+| | alert_name | | | | |
+| | alert_type | | | | |
+| file-write | src_ip | | | | |
+| | dest_ip | | | | |
+| | event_name | | | | |
+| http-session | agent_id | Default | | | ✓ |
+| | process_name | Default | | | ✓ |
+| | alert_id | Default | | | ✓ |
+| | malware_url | Default | | | ✓ |
+| | src_host | Default | | ✓ | |
+| network-traffic | agent_id | Default | | | ✓ |
+| | process_name | Default | | | ✓ |
+| | alert_severity | Default | | | ✓ |
+| | alert_id | Default | | | ✓ |
+| | dest_host | Default | | ✓ | |
+| | event_name | Default | | | ✓ |
+| | process_dir | Default | | | ✓ |
+| | process_path | Default | | | ✓ |
+| | alert_name | Default | | | ✓ |
+| | alert_type | Default | | | ✓ |
+| process-create | src_ip | Default | | ✓ | |
+| | hash_sha256 | Default | | | ✓ |
+| | agent_id | Default | | | ✓ |
+| | dest_ip | Default | | ✓ | |
+| | object | Default | | | ✓ |
+| registry-modify | src_ip | | | | |
+| | agent_id | | | | |
+| | process_name | | | | |
+| | alert_severity | | | | |
+| | dest_ip | | | | |
+| | alert_id | | | | |
+| | alert_name | | | | |
+| | alert_type | | | | |
+| | object | | | | |
+| scheduled_task-create | src_ip | | | | |
+| | hash_sha256 | | | | |
+| | process_id | Legacy | | | ✓ |
+| | hash_sha1 | | | | |
+| | process_name | Legacy | ✓ | ✓ | |
+| | dest_ip | | | | |
+| | hash_md5 | | | | |
+| | event_name | | | | |
+| | process_dir | Legacy | | | ✓ |
+| | process_path | Legacy | | ✓ | |
+| | process_command_line | | | | |
+| | user_agent | | | | |
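Review bot: the newly added dns-request, dns-response, file-delete, file-write, registry-modify and scheduled_task-create blocks list fields with no Status and no category at all, and `domain_user_name` in the new Fields table is equally blank, whereas http-session, network-traffic and process-create get `Default` plus a tick. Either these rows are incomplete or a blank status has a meaning; document which. It is also worth confirming that the product really emits `user_agent`, `hash_md5`, `hash_sha1`, `hash_sha256` and the `alert_*` fields on DNS request and response events, since those rows read like a copy of the alert-trigger field set rather than a DNS record.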
diff --git a/Extensions/skyhigh_networks_casb.md b/Extensions/skyhigh_networks_casb.md
index 5ba8ee6..4d7c90f 100644
--- a/Extensions/skyhigh_networks_casb.md
+++ b/Extensions/skyhigh_networks_casb.md
@@ -9,14 +9,28 @@ product = "skyhigh networks casb"
Fields
------
-There are no fields for this extension.
+| Field | Core | Detection | Informational |
+| --------------- | ---- | --------- | ------------- |
+| additional_info | | | ✓ |
+| user | | | ✓ |
+| operation | | | ✓ |
+| object | | | ✓ |
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | ------ | ------- | ---- | --------- | ------------- |
-| app-activity | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | object | Default | | | ✓ |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ---------------- | ---------------- | ------- | ---- | --------- | ------------- |
+| app-activity | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | object | Default | | | ✓ |
+| app-notification | | | | | |
+| case-modify | | | | | |
+| file-download | | | | | |
+| report-create | | | | | |
+| report-download | | | | | |
+| user-create | | | | | |
+| user-delete | | | | | |
+| user-modify | | | | | |
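Review bot: eight activity types (app-notification, case-modify, file-download, report-create, report-download, user-create, user-delete, user-modify) are added with no Field, Status or category, so the table now claims support for them without saying what the extension extracts. If the convention is that an activity type may be supported with no extension-specific fields, one sentence saying so would stop these rows being read as an unfinished edit. The `domain_user_name` row under app-activity is also blank while the `user` row next to it is `Default | ✓`.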
diff --git a/Extensions/skysea_clientview.md b/Extensions/skysea_clientview.md
index 73b573d..fdaecbe 100644
--- a/Extensions/skysea_clientview.md
+++ b/Extensions/skysea_clientview.md
@@ -4,7 +4,7 @@ skysea clientview
Expression
----------
-product = "skysea clientview"
+product = skysea clientview
Fields
------
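Review bot: the quotes around the product value are dropped (`product = skysea clientview`), while the other Expression changes in this patch keep them (`product = "smg"`, `product = "symantec advanced threat protection"`); an unquoted multi-word value is at best inconsistent and, depending on the expression grammar, may not parse. Unless this is a deliberate move to the unquoted form that sophos_endpoint_protection.md already uses, restore `product = "skysea clientview"`.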
@@ -14,13 +14,22 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------- | ---- | --------- | ------------- |
-| app-activity | src_ip | Default | | ✓ | |
-| | application | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | src_host | Default | | ✓ | |
-| | user | Default | | ✓ | |
-| | object | Default | | | ✓ |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------- | -------- | --------- | ------------- |
+| alert-trigger | src_ip | Legacy | ✓ | ✓ | |
+| | src_port | Legacy | | | ✓ |
+| | src_interface | | | | |
+| | protocol | Legacy | | ✓ | |
+| | additional_info | | | | |
+| | alert_id | Legacy | | | ✓ |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | dest_port | Legacy | | ✓ | |
+| app-activity | src_ip | Default | | ✓ | |
+| | app | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | src_host | Default | | ✓ | |
+| | user | Default | | ✓ | |
+| | object | Default | | | ✓ |
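Review bot: `application` is renamed to `app` in the app-activity rows (the same rename appears in slack.md); that is a schema-visible field rename, so any rule or search that references `application` needs a deprecation note rather than a silent swap. The new alert-trigger block also mixes Legacy rows with ticks and rows (`src_interface`, `additional_info`) with nothing in any column, so the unclassified-row question raised elsewhere in this patch applies here too.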
diff --git a/Extensions/slack.md b/Extensions/slack.md
index e72853a..ff9b546 100644
--- a/Extensions/slack.md
+++ b/Extensions/slack.md
@@ -20,128 +20,147 @@ Fields
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ---------------------- | ----------- | ------- | -------- | --------- | ------------- |
-| app-login | file_ext | Default | | | ✓ |
-| | file_name | Default | | | ✓ |
-| app-logout | application | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| channel-create | operation | Default | | | ✓ |
-| channel-delete | src_ip | Default | | ✓ | |
-| | application | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| channel-member-join | application | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| channel-member-leave | application | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| channel-modify | src_ip | Default | | ✓ | |
-| | application | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| file-download | domain | | | | |
-| | user | Legacy | ✓ | ✓ | |
-| file-share | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| file-upload | domain | | | | |
-| | user | Legacy | ✓ | ✓ | |
-| group-member-add | src_ip | | | | |
-| | application | | | | |
-| | domain | Legacy | | | ✓ |
-| | user | Legacy | ✓ | ✓ | |
-| | operation | | | | |
-| | object | | | | |
-| group-member-remove | src_ip | | | | |
-| | application | | | | |
-| | domain | Legacy | | | ✓ |
-| | user | Legacy | ✓ | ✓ | |
-| | operation | | | | |
-| | object | | | | |
-| group-role-assign | src_ip | Default | | ✓ | |
-| | application | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| group-role-modify | src_ip | Default | | ✓ | |
-| | application | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| group-role-revoke | src_ip | Default | | ✓ | |
-| | application | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| user-create | src_ip | | | | |
-| | application | | | | |
-| | domain | Legacy | | | ✓ |
-| | user | Legacy | ✓ | ✓ | |
-| | operation | | | | |
-| | object | | | | |
-| user-disable | application | | | | |
-| | domain | Legacy | | | ✓ |
-| | operation | | | | |
-| | user | Legacy | ✓ | ✓ | |
-| | object | | | | |
-| user-enable | src_ip | | | | |
-| | application | | | | |
-| | domain | Legacy | | | ✓ |
-| | user | Legacy | ✓ | ✓ | |
-| | operation | | | | |
-| | object | | | | |
-| user-modify | src_ip | | | | |
-| | application | | | | |
-| | domain | Legacy | | | ✓ |
-| | user | Legacy | ✓ | | |
-| | operation | | | | |
-| | object | | | | |
-| user-permission-modify | src_ip | | | | |
-| | application | | | | |
-| | domain | Legacy | | | ✓ |
-| | user | Legacy | ✓ | | |
-| | operation | | | | |
-| | object | | | | |
-| user-role-assign | src_ip | Default | | ✓ | |
-| | application | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| user-role-modify | src_ip | Default | | ✓ | |
-| | application | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| user-role-revoke | src_ip | Default | | ✓ | |
-| | application | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| workspace-create | src_ip | Default | | ✓ | |
-| | application | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| workspace-delete | src_ip | Default | | ✓ | |
-| | application | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| workspace-member-add | src_ip | Default | | ✓ | |
-| | application | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ---------------------- | ---------------- | ------- | -------- | --------- | ------------- |
+| app-login | file_ext | Default | | | ✓ |
+| | file_name | Default | | | ✓ |
+| app-logout | app | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| channel-create | operation | Default | | | ✓ |
+| channel-delete | src_ip | Default | | ✓ | |
+| | app | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| channel-member-join | app | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| channel-member-leave | app | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| channel-modify | src_ip | Default | | ✓ | |
+| | app | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| file-download | domain | | | | |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| file-share | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| file-upload | domain | | | | |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| group-member-add | src_ip | | | | |
+| | app | | | | |
+| | domain | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | operation | | | | |
+| | object | | | | |
+| group-member-remove | src_ip | | | | |
+| | app | | | | |
+| | domain | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | operation | | | | |
+| | object | | | | |
+| group-role-assign | src_ip | Default | | ✓ | |
+| | app | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| group-role-modify | src_ip | Default | | ✓ | |
+| | app | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| group-role-revoke | src_ip | Default | | ✓ | |
+| | app | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| user-create | src_ip | | | | |
+| | app | | | | |
+| | domain | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | operation | | | | |
+| | object | | | | |
+| user-disable | app | | | | |
+| | domain | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | operation | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | object | | | | |
+| user-enable | src_ip | | | | |
+| | app | | | | |
+| | domain | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | operation | | | | |
+| | object | | | | |
+| user-modify | src_ip | | | | |
+| | app | | | | |
+| | domain | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | | |
+| | operation | | | | |
+| | object | | | | |
+| user-permission-modify | src_ip | | | | |
+| | app | | | | |
+| | domain | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | | |
+| | operation | | | | |
+| | object | | | | |
+| user-role-assign | src_ip | Default | | ✓ | |
+| | app | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| user-role-modify | src_ip | Default | | ✓ | |
+| | app | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| user-role-revoke | src_ip | Default | | ✓ | |
+| | app | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| workspace-create | src_ip | Default | | ✓ | |
+| | app | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| workspace-delete | src_ip | Default | | ✓ | |
+| | app | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| workspace-member-add | src_ip | Default | | ✓ | |
+| | app | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
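Review bot: the `application` to `app` rename and the inserted `domain_user_name` rows are mechanical, but since every row is being rewritten, note that `user` under user-modify and user-permission-modify stays `Legacy | ✓ | |` (Core only) while every other Legacy `user` row in this table is `Legacy | ✓ | ✓`; confirm that the missing Detection tick for those two activity types is intended and not a copy error carried forward. The `domain_user_name` rows are, as in the other files, added with no status at all.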
diff --git a/Extensions/smg.md b/Extensions/smg.md
new file mode 100644
index 0000000..ae3dbe9
--- /dev/null
+++ b/Extensions/smg.md
@@ -0,0 +1,21 @@
+smg
+===
+
+Expression
+----------
+
+product = "smg"
+
+Fields
+------
+
+There are no fields for this extension.
+
+Activity Types
+--------------
+
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ----- | ------ | ---- | --------- | ------------- |
+| email-receive | | | | | |
+| email-send | | | | | |
+
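Review bot: the new smg.md is a skeleton: it declares email-receive and email-send with no fields, and the Fields section says there are none, so the file documents nothing beyond `product = "smg"`. If the field mapping is still in progress, say so in the commit message so the empty table is not mistaken for a finished extension. The file also ends with a trailing blank line after the table that can be dropped.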
diff --git a/Extensions/snort_ids.md b/Extensions/snort_ids.md
index f4880f0..9528b40 100644
--- a/Extensions/snort_ids.md
+++ b/Extensions/snort_ids.md
@@ -16,12 +16,16 @@ Activity Types
| Activity Type | Field | Status | Core | Detection | Informational |
| ------------- | --------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | src_ip | Legacy | ✓ | ✓ | |
+| alert-trigger | result | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
| | src_port | Legacy | | | ✓ |
| | protocol | Legacy | | ✓ | |
| | additional_info | | | | |
| | event_code | | | | |
| | alert_id | Legacy | | | ✓ |
| | dest_ip | Legacy | ✓ | ✓ | |
+| | local_user_name | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | user | Legacy | | ✓ | |
| | dest_port | Legacy | | ✓ | |
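Review bot: `result` is inserted as the first row of alert-trigger, so it now carries the activity-type label and `src_ip` becomes a continuation row; that is harmless but makes the diff look as if `src_ip` were removed. The new `src_host` row is `Legacy | ✓ | ✓` and `user` is `Legacy | | ✓`, yet `local_user_name` and `result` have no status; `user` and `local_user_name` describe the same actor, so either mark them consistently or state how the two relate.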
diff --git a/Extensions/snowflake.md b/Extensions/snowflake.md
index 3fb34f2..2313405 100644
--- a/Extensions/snowflake.md
+++ b/Extensions/snowflake.md
@@ -9,10 +9,11 @@ product = "snowflake"
Fields
------
-| Field | Core | Detection | Informational |
-| -------- | ---- | --------- | ------------- |
-| query_id | | | ✓ |
-| db_user | | | ✓ |
+| Field | Core | Detection | Informational |
+| ------------------ | ---- | --------- | ------------- |
+| query_id | | | ✓ |
+| db_user | | | ✓ |
+| database_user_name | | | |
Activity Types
--------------
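Review bot: `database_user_name` is added beside the existing `db_user` with no Core, Detection or Informational tick; both name the database user, so a reader cannot tell whether `db_user` is being superseded or the two coexist. A short note on the relationship, or a classification for the new field, would settle it.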
diff --git a/Extensions/sonarg.md b/Extensions/sonarg.md
index f7de5ad..bf7ef64 100644
--- a/Extensions/sonarg.md
+++ b/Extensions/sonarg.md
@@ -9,16 +9,17 @@ product = "sonarg"
Fields
------
-| Field | Core | Detection | Informational |
-| ------------ | ---- | --------- | ------------- |
-| src_ip | | | ✓ |
-| db_name | | | ✓ |
-| service_name | | | ✓ |
-| db_domain | | | ✓ |
-| db_user | | | ✓ |
-| dest_ip | | | ✓ |
-| dest_host | | | ✓ |
-| src_host | | | ✓ |
+| Field | Core | Detection | Informational |
+| ------------------ | ---- | --------- | ------------- |
+| src_ip | | | ✓ |
+| db_name | | | ✓ |
+| service_name | | | ✓ |
+| db_domain | | | ✓ |
+| db_user | | | ✓ |
+| dest_ip | | | ✓ |
+| dest_host | | | ✓ |
+| src_host | | | ✓ |
+| database_user_name | | | |
Activity Types
--------------
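Review bot: `database_user_name` is appended after `db_user` with no ticks in any column, while every other field in this table is Informational; clarify whether it replaces `db_user` or is an additional field, and if it is only a placeholder, mark it as such.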
diff --git a/Extensions/sophos_endpoint_protection.md b/Extensions/sophos_endpoint_protection.md
index 8de3f73..90bcded 100644
--- a/Extensions/sophos_endpoint_protection.md
+++ b/Extensions/sophos_endpoint_protection.md
@@ -9,40 +9,42 @@ product = sophos endpoint protection
Fields
------
-| Field | Core | Detection | Informational |
-| ---------- | -------- | --------- | ------------- |
-| domain | | ✓ | |
-| alert_id | | | ✓ |
-| src_host | ✓ | | |
-| user | ✓ | ✓ | |
-| alert_type | | | ✓ |
-| alert_name | | | ✓ |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| domain | | ✓ | |
+| alert_id | | | ✓ |
+| domain_user_name | | | |
+| src_host | ✓ | | |
+| user | ✓ | ✓ | |
+| alert_type | | | ✓ |
+| alert_name | | | ✓ |
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| --------------------------- | --------------- | ------- | -------- | --------- | ------------- |
-| alert-trigger | file_path | Legacy | | | ✓ |
-| | access | | | | |
-| | device_id | | | | |
-| | file_name | Legacy | ✓ | | |
-| | file_dir | Legacy | | | ✓ |
-| | src_host | Legacy | ✓ | ✓ | |
-| | result | | | | |
-| | src_ip | Legacy | ✓ | ✓ | |
-| | additional_info | | | | |
-| | alert_id | Legacy | | | ✓ |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | domain | | | | |
-| | dest_host | Legacy | | ✓ | |
-| | malware_url | | | | |
-| | user | Legacy | | ✓ | |
-| http-session | malware_url | Default | | | ✓ |
-| | src_host | Default | | ✓ | |
-| network-session | | | | | |
-| peripheral_storage-activity | src_ip | Default | | ✓ | |
-| | bytes | Default | | | ✓ |
-| | file_name | Default | | | ✓ |
-| peripheral_storage-insert | src_ip | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| --------------------------- | ---------------- | ------- | -------- | --------- | ------------- |
+| alert-trigger | file_path | Legacy | | | ✓ |
+| | access | | | | |
+| | device_id | | | | |
+| | file_name | Legacy | ✓ | | |
+| | file_dir | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | result | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | additional_info | | | | |
+| | alert_id | Legacy | | | ✓ |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | domain | | | | |
+| | dest_host | Legacy | | ✓ | |
+| | malware_url | | | | |
+| | user | Legacy | | ✓ | |
+| http-session | malware_url | Default | | | ✓ |
+| | src_host | Default | | ✓ | |
+| network-session | | | | | |
+| peripheral_storage-activity | src_ip | Default | | ✓ | |
+| | bytes | Default | | | ✓ |
+| | file_name | Default | | | ✓ |
+| peripheral_storage-insert | src_ip | | | | |
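Review bot: `domain_user_name` is added to both the Fields table and the alert-trigger rows with no ticks, while `user` in the same two tables is `✓ | ✓` and `Legacy | | ✓`; the two fields carry the same principal, so either classify `domain_user_name` the same way or state that it is informational only. Visible in the hunk header, the Expression here is `product = sophos endpoint protection` without quotes, unlike the quoted form used by the other files in this patch; worth normalising in a follow-up.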
diff --git a/Extensions/sophos_intercept_x_endpoint.md b/Extensions/sophos_intercept_x_endpoint.md
index 0fb2e79..d072c28 100644
--- a/Extensions/sophos_intercept_x_endpoint.md
+++ b/Extensions/sophos_intercept_x_endpoint.md
@@ -23,6 +23,7 @@ Activity Types
| | file_name | Legacy | ✓ | | |
| | alert_id | Legacy | | | ✓ |
| | file_dir | Legacy | | | ✓ |
+| | local_user_name | | | | |
| | malware_url | | | | |
| | src_host | Legacy | ✓ | ✓ | |
| | user | Legacy | | ✓ | |
diff --git a/Extensions/sophos_xg_firewall.md b/Extensions/sophos_xg_firewall.md
index 6b349e3..98e7c1c 100644
--- a/Extensions/sophos_xg_firewall.md
+++ b/Extensions/sophos_xg_firewall.md
@@ -9,10 +9,11 @@ product = "sophos xg firewall"
Fields
------
-| Field | Core | Detection | Informational |
-| ------ | -------- | --------- | ------------- |
-| domain | | ✓ | |
-| user | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| domain | | ✓ | |
+| domain_user_name | | | |
+| user | ✓ | ✓ | |
Activity Types
--------------
diff --git a/Extensions/stealthintercept.md b/Extensions/stealthintercept.md
index 54384b1..d321d17 100644
--- a/Extensions/stealthintercept.md
+++ b/Extensions/stealthintercept.md
@@ -9,13 +9,14 @@ product = "stealthintercept"
Fields
------
-| Field | Core | Detection | Informational |
-| -------- | ---- | --------- | ------------- |
-| src_ip | | ✓ | |
-| dest_ip | | ✓ | |
-| domain | | ✓ | |
-| src_host | | ✓ | |
-| user | | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| src_ip | | ✓ | |
+| dest_ip | | ✓ | |
+| domain | | ✓ | |
+| domain_user_name | | | |
+| src_host | | ✓ | |
+| user | | ✓ | |
Activity Types
--------------
diff --git a/Extensions/suricata_ids.md b/Extensions/suricata_ids.md
index 0e64e94..61963ce 100644
--- a/Extensions/suricata_ids.md
+++ b/Extensions/suricata_ids.md
@@ -14,24 +14,31 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | -------------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | bytes_in | | | | |
-| | rule | | | | |
-| | payload_printable | | | | |
-| | failure_reason | | | | |
-| | result | | | | |
-| | rule_id | | | | |
-| | src_ip | Legacy | ✓ | ✓ | |
-| | src_port | Legacy | | | ✓ |
-| | protocol | Legacy | | ✓ | |
-| | application_protocol | | | | |
-| | bytes_out | | | | |
-| | additional_info | | | | |
-| | event_code | | | | |
-| | alert_id | Legacy | | | ✓ |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | action | Legacy | | | ✓ |
-| | category | | | | |
-| | dest_port | Legacy | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ----------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | bytes_in | | | | |
+| | rule | | | | |
+| | interface | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | result | | | | |
+| | protocol | Legacy | | ✓ | |
+| | bytes_to_client | | | | |
+| | pkts_toserver | | | | |
+| | event_code | | | | |
+| | alert_id | Legacy | | | ✓ |
+| | action | Legacy | | | ✓ |
+| | threat_type | | | | |
+| | app_protocol | | | | |
+| | dest_port | Legacy | | ✓ | |
+| | payload_printable | | | | |
+| | failure_reason | | | | |
+| | pkts_toclient | | | | |
+| | bytes_to_server | | | | |
+| | rule_id | | | | |
+| | src_port | Legacy | | | ✓ |
+| | bytes_out | | | | |
+| | additional_info | | | | |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | event_name | | | | |
+| | category | | | | |
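Review bot: the new counters use two naming conventions side by side: `bytes_to_client` / `bytes_to_server` put an underscore before the direction, but `pkts_toserver` / `pkts_toclient` do not (the latter mirror Suricata's EVE JSON keys). Pick one form for all four before these names are relied on. `application_protocol` is also renamed to `app_protocol`, and the whole table is reordered, so the hunk shows every row as changed; keeping the previous row order would leave a diff that shows only the rename and the added rows.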
diff --git a/Extensions/sybase.md b/Extensions/sybase.md
index 219d130..03b127e 100644
--- a/Extensions/sybase.md
+++ b/Extensions/sybase.md
@@ -9,12 +9,13 @@ product = "sybase"
Fields
------
-| Field | Core | Detection | Informational |
-| --------------- | ---- | --------- | ------------- |
-| db_name | | | ✓ |
-| additional_info | | | ✓ |
-| db_user | | | ✓ |
-| db_object | | | ✓ |
+| Field | Core | Detection | Informational |
+| ------------------ | ---- | --------- | ------------- |
+| db_name | | | ✓ |
+| additional_info | | | ✓ |
+| db_user | | | ✓ |
+| db_object | | | ✓ |
+| database_user_name | | | |
Activity Types
--------------
diff --git a/Extensions/symamtec_(broadcom)_advanced_threat_protection.md b/Extensions/symamtec_(broadcom)_advanced_threat_protection.md
index c02ffd9..f4be02d 100644
--- a/Extensions/symamtec_(broadcom)_advanced_threat_protection.md
+++ b/Extensions/symamtec_(broadcom)_advanced_threat_protection.md
@@ -18,6 +18,7 @@ Activity Types
| ------------- | --------------- | ------ | -------- | --------- | ------------- |
| alert-trigger | file_name | Legacy | ✓ | | |
| | file_dir | Legacy | | | ✓ |
+| | local_user_name | | | | |
| | src_host | Legacy | ✓ | ✓ | |
| | result | | | | |
| | src_ip | Legacy | ✓ | ✓ | |
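Review bot: this file is `symamtec_(broadcom)_advanced_threat_protection.md`, while the same patch also edits `symantec_advanced_threat_protection.md`, whose Expression now becomes `product = "symantec advanced threat protection"`; two documents for what reads as one product, one of them under a misspelled vendor name, will drift apart. Consider merging them or marking one as superseded. Within the hunk, `local_user_name` is added with no status next to `src_host` (`Legacy | ✓ | ✓`).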
diff --git a/Extensions/symamtec_(broadcom)_email_security.cloud.md b/Extensions/symamtec_(broadcom)_email_security.cloud.md
index 009810a..3c49639 100644
--- a/Extensions/symamtec_(broadcom)_email_security.cloud.md
+++ b/Extensions/symamtec_(broadcom)_email_security.cloud.md
@@ -18,6 +18,7 @@ Activity Types
| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
| alert-trigger | email_attachment | | | | |
| | process | | | | |
+| | local_user_name | | | | |
| | src_host | Legacy | ✓ | ✓ | |
| | result | | | | |
| | src_ip | Legacy | ✓ | ✓ | |
diff --git a/Extensions/symamtec_(broadcom)_endpoint_security.md b/Extensions/symamtec_(broadcom)_endpoint_security.md
index 263d332..c3b86f1 100644
--- a/Extensions/symamtec_(broadcom)_endpoint_security.md
+++ b/Extensions/symamtec_(broadcom)_endpoint_security.md
@@ -14,26 +14,27 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | ----------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | file_path | Legacy | | | ✓ |
-| | process | | | | |
-| | file_name | Legacy | ✓ | | |
-| | file_dir | Legacy | | | ✓ |
-| | src_host | Legacy | ✓ | ✓ | |
-| | hash_sha256 | | | | |
-| | src_ip | Legacy | ✓ | ✓ | |
-| | file_ext | | | | |
-| | full_name | | | | |
-| | additional_info | | | | |
-| | process_name | Legacy | | ✓ | |
-| | alert_id | Legacy | | | ✓ |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | process_directory | | | | |
-| | action | Legacy | | | ✓ |
-| | dest_host | Legacy | | ✓ | |
-| | threat_type | | | | |
-| | malware_url | | | | |
-| | category | | | | |
-| | user | Legacy | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | --------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | file_path | Legacy | | | ✓ |
+| | process | | | | |
+| | file_name | Legacy | ✓ | | |
+| | file_dir | Legacy | | | ✓ |
+| | local_user_name | | | | |
+| | process_dir | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | hash_sha256 | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | file_ext | | | | |
+| | full_name | | | | |
+| | additional_info | | | | |
+| | process_name | Legacy | | ✓ | |
+| | alert_id | Legacy | | | ✓ |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | action | Legacy | | | ✓ |
+| | dest_host | Legacy | | ✓ | |
+| | threat_type | | | | |
+| | malware_url | | | | |
+| | category | | | | |
+| | user | Legacy | | ✓ | |
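Review bot: `process_directory` is renamed to `process_dir` and moved up the table, and `local_user_name` is added, both without a status. The rename aligns the name with `file_dir` in the same table, which is good, but it is not called out anywhere and the move rewrites every row of the hunk; list the rename explicitly so anyone referencing `process_directory` knows to update.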
diff --git a/Extensions/symamtec_(broadcom)_mobile_threat_defense.md b/Extensions/symamtec_(broadcom)_mobile_threat_defense.md
index 3a7c281..7a34923 100644
--- a/Extensions/symamtec_(broadcom)_mobile_threat_defense.md
+++ b/Extensions/symamtec_(broadcom)_mobile_threat_defense.md
@@ -14,16 +14,16 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | device_name | | | | |
-| | email_address | | | | |
-| | full_name | | | | |
-| | device_model | | | | |
-| | additional_info | | | | |
-| | alert_id | Legacy | | | ✓ |
-| | hash_md5 | | | | |
-| | operating_system | | | | |
-| | src_host | Legacy | ✓ | ✓ | |
-| | product_name | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | --------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | device_name | | | | |
+| | email_address | | | | |
+| | full_name | | | | |
+| | device_model | | | | |
+| | os | | | | |
+| | additional_info | | | | |
+| | alert_id | Legacy | | | ✓ |
+| | hash_md5 | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | product_name | | | | |
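Review bot: `operating_system` becomes `os` and moves from the end of the table to the middle; the abbreviation is consistent with `app` and `dir` used elsewhere in this patch, but it is a field rename and should be listed as one in the commit message. The rest of the block is rewritten only because the column narrowed, so the single real change is hard to spot in the diff.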
diff --git a/Extensions/symantec_advanced_threat_protection.md b/Extensions/symantec_advanced_threat_protection.md
index d3cbb58..d54b872 100644
--- a/Extensions/symantec_advanced_threat_protection.md
+++ b/Extensions/symantec_advanced_threat_protection.md
@@ -4,18 +4,19 @@ symantec advanced threat protection
Expression
----------
-product = "symantec edr"
+product = "symantec advanced threat protection"
Fields
------
-| Field | Core | Detection | Informational |
-| ---------- | ---- | --------- | ------------- |
-| src_ip | | ✓ | |
-| event_code | | | ✓ |
-| domain | | ✓ | |
-| dest_ip | | ✓ | |
-| user | | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| src_ip | | ✓ | |
+| event_code | | | ✓ |
+| domain | | ✓ | |
+| dest_ip | | ✓ | |
+| domain_user_name | | | |
+| user | | ✓ | |
Activity Types
--------------
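Review bot: the Expression moves from `product = "symantec edr"` to `product = "symantec advanced threat protection"`; as with the silverfort change, this only works if the parsers emit the new product string, so verify that, or keep matching the old value during a transition. `domain_user_name` is added to the Fields table without any tick while `user` beside it is Detection.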
diff --git a/Extensions/symantec_blue_coat_proxysg.md b/Extensions/symantec_blue_coat_proxysg.md
index e1728a0..81fcd8a 100644
--- a/Extensions/symantec_blue_coat_proxysg.md
+++ b/Extensions/symantec_blue_coat_proxysg.md
@@ -16,28 +16,28 @@ Fields
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| --------------- | --------------- | ------- | ---- | --------- | ------------- |
-| http-session | country | Default | | | ✓ |
-| | protocol | Default | | | ✓ |
-| | app_user | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | browser | Default | | | ✓ |
-| | resource_id | Default | | | ✓ |
-| | categories | Default | | | ✓ |
-| | proxy_action | Default | | | ✓ |
-| | proxy_ip | Default | | | ✓ |
-| network-traffic | referrer | Default | | | ✓ |
-| | method | Default | | | ✓ |
-| | bytes_out | Default | | | ✓ |
-| | bytes_in | Default | | | ✓ |
-| | mime | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | action | Default | | | ✓ |
-| | result_code | Default | | | ✓ |
-| | categories | Default | | | ✓ |
-| | category | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | proxy_action | Default | | | ✓ |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| --------------- | ---------------- | ------- | ---- | --------- | ------------- |
+| http-session | country | Default | | | ✓ |
+| | protocol | Default | | | ✓ |
+| | app_user | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | browser | Default | | | ✓ |
+| | resource_id | Default | | | ✓ |
+| | categories | Default | | | ✓ |
+| | proxy_action | Default | | | ✓ |
+| | proxy_ip | Default | | | ✓ |
+| network-traffic | referrer | Default | | | ✓ |
+| | method | Default | | | ✓ |
+| | bytes_out | Default | | | ✓ |
+| | bytes_in | Default | | | ✓ |
+| | mime | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | result_code | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | categories | Default | | | ✓ |
+| | category | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | proxy_action | Default | | | ✓ |
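Review bot: the `action` row under network-traffic (`| | action | Default | | | ✓ |`) is dropped from the new table with no replacement, while the rest of the hunk only adds `domain_user_name`; if `action` was removed as a duplicate of `proxy_action`, say so in the commit message, otherwise restore it, because a field removed here means consumers lose that value with no rename to follow.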
diff --git a/Extensions/symantec_cloudsoc.md b/Extensions/symantec_cloudsoc.md
index 2504140..ee42912 100644
--- a/Extensions/symantec_cloudsoc.md
+++ b/Extensions/symantec_cloudsoc.md
@@ -14,30 +14,32 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------- | -------- | --------- | ------------- |
-| alert-trigger | src_ip | Legacy | ✓ | ✓ | |
-| | file_path | Legacy | | | ✓ |
-| | full_name | | | | |
-| | resource | | | | |
-| | file_name | Legacy | ✓ | | |
-| | process_name | Legacy | | ✓ | |
-| | browser | | | | |
-| | domain | | | | |
-| | file_dir | Legacy | | | ✓ |
-| | operation | | | | |
-| | user | Legacy | | ✓ | |
-| | user_agent | | | | |
-| app-activity | src_ip | Default | | ✓ | |
-| | file_path | Default | | | ✓ |
-| | file_ext | Default | | | ✓ |
-| | application | Default | | | ✓ |
-| | object_type | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | file_name | Default | | | ✓ |
-| | file_dir | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | user_agent | Default | | | ✓ |
-| | object | Default | | | ✓ |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------- | -------- | --------- | ------------- |
+| alert-trigger | file_path | Legacy | | | ✓ |
+| | resource | | | | |
+| | file_name | Legacy | ✓ | | |
+| | file_dir | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | full_name | | | | |
+| | process_name | Legacy | | ✓ | |
+| | browser | | | | |
+| | domain | | | | |
+| | operation | | | | |
+| | user | Legacy | | ✓ | |
+| | user_agent | | | | |
+| app-activity | app | Default | | | ✓ |
+| | file_path | Default | | | ✓ |
+| | object_type | Default | | | ✓ |
+| | file_name | Default | | | ✓ |
+| | file_dir | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | src_ip | Default | | ✓ | |
+| | file_ext | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | user_agent | Default | | | ✓ |
+| | object | Default | | | ✓ |
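Review bot: the only substantive changes here are the rename `application` → `app` in app-activity and the two `domain_user_name` rows, but the rows are also reordered (`src_ip` moves from first to sixth in alert-trigger), so the diff rewrites both tables and the rename is easy to miss. Keep row order stable when adding or renaming fields so review can focus on the real changes.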
diff --git a/Extensions/symantec_critical_system_protection.md b/Extensions/symantec_critical_system_protection.md
index ff48395..c5f1ecd 100644
--- a/Extensions/symantec_critical_system_protection.md
+++ b/Extensions/symantec_critical_system_protection.md
@@ -9,18 +9,19 @@ product = "symantec critical system protection"
Fields
------
-| Field | Core | Detection | Informational |
-| ----------- | ---- | --------- | ------------- |
-| src_ip | | ✓ | |
-| result | | | ✓ |
-| login_type | | | ✓ |
-| event_code | | | ✓ |
-| domain | | ✓ | |
-| dest_ip | | ✓ | |
-| rule | | | ✓ |
-| policy_name | | | ✓ |
-| session_id | | | ✓ |
-| user | | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| src_ip | | ✓ | |
+| result | | | ✓ |
+| login_type | | | ✓ |
+| event_code | | | ✓ |
+| domain | | ✓ | |
+| dest_ip | | ✓ | |
+| rule | | | ✓ |
+| policy_name | | | ✓ |
+| session_id | | | ✓ |
+| domain_user_name | | | |
+| user | | ✓ | |
Activity Types
--------------
diff --git a/Extensions/symantec_dlp.md b/Extensions/symantec_dlp.md
index 6bdc976..5166feb 100644
--- a/Extensions/symantec_dlp.md
+++ b/Extensions/symantec_dlp.md
@@ -9,12 +9,13 @@ product = "symantec dlp"
Fields
------
-| Field | Core | Detection | Informational |
-| -------- | -------- | --------- | ------------- |
-| src_ip | | ✓ | |
-| domain | | ✓ | |
-| src_host | ✓ | ✓ | |
-| user | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| src_ip | | ✓ | |
+| domain | | ✓ | |
+| domain_user_name | | | |
+| src_host | ✓ | ✓ | |
+| user | ✓ | ✓ | |
Activity Types
--------------
@@ -23,6 +24,7 @@ Activity Types
| --------------------------- | ----------------- | ------- | -------- | --------- | ------------- |
| alert-trigger | email_id | | | | |
| | file_path | Legacy | | | ✓ |
+| | local_user_name | | | | |
| | device_type | | | | |
| | result | | | | |
| | src_ip | Legacy | ✓ | ✓ | |
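Review bot: `local_user_name` here versus `domain_user_name` in the Fields table of the same file (previous hunk) needs a stated rule: if a DLP alert can carry both a local and a domain account form, that is fine, but the distinction should then be applied consistently across this change, where most extensions get only `domain_user_name` and sysmon and the tanium extensions get only `local_user_name`.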
@@ -31,10 +33,10 @@ Activity Types
| | process_name | Legacy | | ✓ | |
| | alert_id | Legacy | | | ✓ |
| | occured_time | | | | |
-| | operating_system | | | | |
| | direction | | | | |
| | email_attachment | | | | |
| | device_id | | | | |
+| | os | | | | |
| | file_name | Legacy | ✓ | | |
| | file_dir | Legacy | | | ✓ |
| | original_user | | | | |
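Review bot: the unchanged context line `| | occured_time | | | | |` misspells the field as `occured_time`; since this change already renames fields in this table (`operating_system` → `os`), it is the right moment to fix it to `occurred_time`, with the caveat that any saved search keyed on the old name must be updated as well.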
diff --git a/Extensions/symantec_endpoint_protection.md b/Extensions/symantec_endpoint_protection.md
index 15f9250..c6e94f3 100644
--- a/Extensions/symantec_endpoint_protection.md
+++ b/Extensions/symantec_endpoint_protection.md
@@ -14,32 +14,34 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | ------------------------- | ------- | -------- | --------- | ------------- |
-| alert-trigger | operating_system_revision | | | | |
-| | process_id | | | | |
-| | dest_mac | | | | |
-| | process_dir | | | | |
-| | src_host | Legacy | ✓ | ✓ | |
-| | product_name | | | | |
-| | src_ip | Legacy | ✓ | ✓ | |
-| | src_port | Legacy | | | ✓ |
-| | protocol | Legacy | | ✓ | |
-| | process_guid | | | | |
-| | additional_info | | | | |
-| | process_name | Legacy | | ✓ | |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | domain | | | | |
-| | action | Legacy | | | ✓ |
-| | dest_host | Legacy | | ✓ | |
-| | operating_system | | | | |
-| | process_path | Legacy | | ✓ | |
-| | user | Legacy | | ✓ | |
-| | dest_port | Legacy | | ✓ | |
-| | user_agent | | | | |
-| endpoint-scan | src_ip | Default | | ✓ | |
-| | group_name | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | scan_id | Default | | | ✓ |
-| | user | Default | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------- | -------- | --------- | ------------- |
+| alert-trigger | process_id | | | | |
+| | os | | | | |
+| | dest_mac | | | | |
+| | process_dir | | | | |
+| | domain_user_name | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | product_name | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | src_port | Legacy | | | ✓ |
+| | protocol | Legacy | | ✓ | |
+| | process_guid | | | | |
+| | additional_info | | | | |
+| | process_name | Legacy | | ✓ | |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | domain | | | | |
+| | os_revision | | | | |
+| | action | Legacy | | | ✓ |
+| | dest_host | Legacy | | ✓ | |
+| | process_path | Legacy | | ✓ | |
+| | user | Legacy | | ✓ | |
+| | dest_port | Legacy | | ✓ | |
+| | user_agent | | | | |
+| endpoint-scan | src_ip | Default | | ✓ | |
+| | group_name | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | scan_id | Default | | | ✓ |
+| | user | Default | | ✓ | |
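Review bot: the renames `operating_system` → `os` and `operating_system_revision` → `os_revision` are breaking for any detection rule, saved search or report that references the old field name, and neither this hunk nor the dlp, tanium_threat_response and tripwire hunks that make the same rename carries a migration note; list the old/new pairs in the PR description or a changelog so rule owners can update their queries before the rename lands.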
diff --git a/Extensions/symantec_siteminder.md b/Extensions/symantec_siteminder.md
index a219f0c..a1569c8 100644
--- a/Extensions/symantec_siteminder.md
+++ b/Extensions/symantec_siteminder.md
@@ -4,24 +4,24 @@ symantec siteminder
Expression
----------
-product = "siteminder"
+product = "symantec siteminder"
Fields
------
-| Field | Core | Detection | Informational |
-| ------------------- | ---- | --------- | ------------- |
-| src_ip | | | ✓ |
-| method | | | ✓ |
-| group_name | | | ✓ |
-| web_domain | | | ✓ |
-| resource | | | ✓ |
-| auth_level | | | ✓ |
-| dest_ip | | | ✓ |
-| dest_host | | | ✓ |
-| src_host | | | ✓ |
-| uri | | | ✓ |
-| authentication_type | | | ✓ |
+| Field | Core | Detection | Informational |
+| ---------- | ---- | --------- | ------------- |
+| src_ip | | | ✓ |
+| auth_type | | | ✓ |
+| method | | | ✓ |
+| group_name | | | ✓ |
+| web_domain | | | ✓ |
+| resource | | | ✓ |
+| auth_level | | | ✓ |
+| dest_ip | | | ✓ |
+| dest_host | | | ✓ |
+| src_host | | | ✓ |
+| uri | | | ✓ |
Activity Types
--------------
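Review bot: two unrelated changes are mixed here: the expression value `"siteminder"` → `"symantec siteminder"` and the field rename `authentication_type` → `auth_type`. The renamed field is also moved from the last row to the second, so the whole table is rewritten; splitting the expression change from the rename, or at least keeping the row position, would make each change reviewable on its own.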
diff --git a/Extensions/symantec_vip.md b/Extensions/symantec_vip.md
index d8a8c3a..fb5463e 100644
--- a/Extensions/symantec_vip.md
+++ b/Extensions/symantec_vip.md
@@ -14,34 +14,39 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| -------------------- | ---------- | ------- | -------- | --------- | ------------- |
-| app-activity | src_ip | Default | | ✓ | |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | user_agent | Default | | | ✓ |
-| app-authentication | | | | | |
-| app-logout | src_ip | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | user_agent | Default | | | ✓ |
-| user-device-remember | src_ip | Default | | ✓ | |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | user_agent | Default | | | ✓ |
-| user-modify | src_ip | | | | |
-| | domain | Legacy | | | ✓ |
-| | user | Legacy | ✓ | | |
-| | operation | | | | |
-| | user_agent | | | | |
-| user-password-forget | src_ip | Default | | ✓ | |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | user_agent | Default | | | ✓ |
-| user-search | src_ip | Default | | ✓ | |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | user_agent | Default | | | ✓ |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| -------------------- | ---------------- | ------- | -------- | --------- | ------------- |
+| app-activity | src_ip | Default | | ✓ | |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | user_agent | Default | | | ✓ |
+| app-authentication | | | | | |
+| app-logout | src_ip | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | user_agent | Default | | | ✓ |
+| user-device-remember | src_ip | Default | | ✓ | |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | user_agent | Default | | | ✓ |
+| user-modify | src_ip | | | | |
+| | domain | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | | |
+| | operation | | | | |
+| | user_agent | | | | |
+| user-password-forget | src_ip | Default | | ✓ | |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | user_agent | Default | | | ✓ |
+| user-search | src_ip | Default | | ✓ | |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | user_agent | Default | | | ✓ |
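Review bot: the `app-authentication` row is still an empty stub (`| app-authentication | | | | | |`) in both versions; for an MFA product the authentication event is the one most worth mapping (at least `user` and `src_ip`, which the other activity types here already carry), so either fill in its fields or state that it is intentionally unmapped. The `domain_user_name` rows are otherwise consistently added to each activity type that already has `user` and `domain`, and correctly skipped for app-logout, which has neither.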
diff --git a/Extensions/symantec_virtual_secure_web_gateway.md b/Extensions/symantec_virtual_secure_web_gateway.md
index 4315a09..849a9a4 100644
--- a/Extensions/symantec_virtual_secure_web_gateway.md
+++ b/Extensions/symantec_virtual_secure_web_gateway.md
@@ -4,7 +4,7 @@ symantec virtual secure web gateway
Expression
----------
-product = "symantec secure web gateway"
+product = "symantec virtual secure web gateway"
Fields
------
diff --git a/Extensions/symantec_web_security_service.md b/Extensions/symantec_web_security_service.md
index 23e3c36..a7f00ea 100644
--- a/Extensions/symantec_web_security_service.md
+++ b/Extensions/symantec_web_security_service.md
@@ -4,7 +4,7 @@ symantec web security service
Expression
----------
-product = "symantec wss"
+product = "symantec web security service"
Fields
------
diff --git a/Extensions/synology_nas.md b/Extensions/synology_nas.md
index aa5a596..39a54a9 100644
--- a/Extensions/synology_nas.md
+++ b/Extensions/synology_nas.md
@@ -9,12 +9,13 @@ product = "synology nas"
Fields
------
-| Field | Core | Detection | Informational |
-| ---------- | ---- | --------- | ------------- |
-| src_ip | | | ✓ |
-| share_name | | | ✓ |
-| domain | | | ✓ |
-| user | | | ✓ |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| src_ip | | | ✓ |
+| share_name | | | ✓ |
+| domain | | | ✓ |
+| domain_user_name | | | |
+| user | | | ✓ |
Activity Types
--------------
diff --git a/Extensions/sysmon.md b/Extensions/sysmon.md
index 1eb41bc..c7c838a 100644
--- a/Extensions/sysmon.md
+++ b/Extensions/sysmon.md
@@ -9,12 +9,13 @@ product = "sysmon"
Fields
------
-| Field | Core | Detection | Informational |
-| ---------- | -------- | --------- | ------------- |
-| log_name | ✓ | | |
-| event_code | | | ✓ |
-| src_host | ✓ | ✓ | |
-| user | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| --------------- | -------- | --------- | ------------- |
+| log_name | ✓ | | |
+| event_code | | | ✓ |
+| local_user_name | | | |
+| src_host | ✓ | ✓ | |
+| user | ✓ | ✓ | |
Activity Types
--------------
diff --git a/Extensions/tanium_core_platform.md b/Extensions/tanium_core_platform.md
index 7eb290c..fa552a9 100644
--- a/Extensions/tanium_core_platform.md
+++ b/Extensions/tanium_core_platform.md
@@ -14,18 +14,19 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ----------------------- | ------------ | ------- | ---- | --------- | ------------- |
-| dns-response | process_name | | | | |
-| | process_dir | | | | |
-| | src_host | Legacy | | | ✓ |
-| | process_path | | | | |
-| endpoint-authentication | src_ip | Default | | ✓ | |
-| | auth_method | Default | | | ✓ |
-| | process_name | Default | | | ✓ |
-| | process_dir | Default | | | ✓ |
-| | process_path | Default | | | ✓ |
-| process-create | domain | Default | | | ✓ |
-| | hash_md5 | Default | | | ✓ |
-| | user | Default | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ----------------------- | ---------------- | ------- | ---- | --------- | ------------- |
+| dns-response | process_name | | | | |
+| | process_dir | | | | |
+| | src_host | Legacy | | | ✓ |
+| | process_path | | | | |
+| endpoint-authentication | src_ip | Default | | ✓ | |
+| | auth_method | Default | | | ✓ |
+| | process_name | Default | | | ✓ |
+| | process_dir | Default | | | ✓ |
+| | process_path | Default | | | ✓ |
+| process-create | domain | Default | | | ✓ |
+| | hash_md5 | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
diff --git a/Extensions/tanium_integrity_monitor.md b/Extensions/tanium_integrity_monitor.md
index 965af16..141b0c8 100644
--- a/Extensions/tanium_integrity_monitor.md
+++ b/Extensions/tanium_integrity_monitor.md
@@ -14,24 +14,27 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ---------------------- | ------------ | ------ | -------- | --------- | ------------- |
-| file-delete | proess_path | | | | |
-| | access | Legacy | | ✓ | |
-| | process_name | Legacy | | | ✓ |
-| | event_name | | | | |
-| | src_host | Legacy | | ✓ | |
-| | user | Legacy | ✓ | ✓ | |
-| file-permission-modify | proess_path | | | | |
-| | access | Legacy | | ✓ | |
-| | process_name | Legacy | | | ✓ |
-| | event_name | | | | |
-| | src_host | | | | |
-| | user | Legacy | ✓ | ✓ | |
-| file-write | proess_path | | | | |
-| | access | Legacy | | ✓ | |
-| | process_name | Legacy | | | ✓ |
-| | event_name | | | | |
-| | src_host | | | | |
-| | user | Legacy | ✓ | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ---------------------- | --------------- | ------ | -------- | --------- | ------------- |
+| file-delete | access | Legacy | | ✓ | |
+| | process_name | Legacy | | | ✓ |
+| | local_user_name | | | | |
+| | event_name | | | | |
+| | process_path | Legacy | | | ✓ |
+| | src_host | Legacy | | ✓ | |
+| | user | Legacy | ✓ | ✓ | |
+| file-permission-modify | access | Legacy | | ✓ | |
+| | process_name | Legacy | | | ✓ |
+| | local_user_name | | | | |
+| | event_name | | | | |
+| | process_path | Legacy | | | ✓ |
+| | src_host | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| file-write | access | Legacy | | ✓ | |
+| | process_name | Legacy | | | ✓ |
+| | local_user_name | | | | |
+| | event_name | | | | |
+| | process_path | Legacy | | ✓ | |
+| | src_host | | | | |
+| | user | Legacy | ✓ | ✓ | |
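Review bot: `process_path` is classified inconsistently across the three activity types: under file-delete and file-permission-modify it is `Legacy` with the mark in the Informational column (`| | process_path | Legacy | | | ✓ |`), but under file-write the mark sits in the Detection column (`| | process_path | Legacy | | ✓ | |`). Unless file-write is deliberately different, align the three rows. The `proess_path` → `process_path` typo fix itself is right.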
diff --git a/Extensions/tanium_tanium_endpoint_platform.md b/Extensions/tanium_tanium_endpoint_platform.md
index d5886a7..59964dd 100644
--- a/Extensions/tanium_tanium_endpoint_platform.md
+++ b/Extensions/tanium_tanium_endpoint_platform.md
@@ -21,6 +21,7 @@ Activity Types
| | additional_info | | | | |
| | process_name | Legacy | | ✓ | |
| | alert_id | Legacy | | | ✓ |
+| | local_user_name | | | | |
| | process_command_line | | | | |
| | src_host | Legacy | ✓ | ✓ | |
| | user | Legacy | | ✓ | |
diff --git a/Extensions/tanium_threat_response.md b/Extensions/tanium_threat_response.md
index a72d72c..7701586 100644
--- a/Extensions/tanium_threat_response.md
+++ b/Extensions/tanium_threat_response.md
@@ -16,13 +16,14 @@ Activity Types
| Activity Type | Field | Status | Core | Detection | Informational |
| ------------- | -------------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | process_name | Legacy | | ✓ | |
+| alert-trigger | os | | | | |
+| | process_name | Legacy | | ✓ | |
| | alert_id | Legacy | | | ✓ |
| | dest_ip | Legacy | ✓ | ✓ | |
| | domain | | | | |
| | hash_md5 | | | | |
-| | operating_system | | | | |
| | process_dir | | | | |
+| | domain_user_name | | | | |
| | process_command_line | | | | |
| | process_path | Legacy | | ✓ | |
| | user | Legacy | | ✓ | |
diff --git a/Extensions/targeted_attack_platform.md b/Extensions/targeted_attack_platform.md
index 83f2dd2..0855595 100644
--- a/Extensions/targeted_attack_platform.md
+++ b/Extensions/targeted_attack_platform.md
@@ -4,7 +4,7 @@ targeted attack platform
Expression
----------
-product = proofpoint tap"
+product = "targeted attack platform"
Fields
------
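Review bot: the old line `product = proofpoint tap"` had an unbalanced quote and the new line fixes that, but it also replaces the product identifier `proofpoint tap` with `targeted attack platform`, dropping the vendor name; if events are tagged with the vendor-prefixed value, the corrected expression will not match them. Make the quoting fix and the identifier change two separate, explained changes.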
@@ -44,8 +44,8 @@ Fields
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | ----- | ------ | ---- | --------- | ------------- |
-| email-receive | | | | | |
-| email-send | | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ----------- | ------- | ---- | --------- | ------------- |
+| email-receive | folder_name | Default | | | ✓ |
+| email-send | | | | | |
diff --git a/Extensions/terraform.md b/Extensions/terraform.md
index 35d95e0..edf9fa9 100644
--- a/Extensions/terraform.md
+++ b/Extensions/terraform.md
@@ -9,13 +9,14 @@ product = "terraform"
Fields
------
-| Field | Core | Detection | Informational |
-| ------ | ---- | --------- | ------------- |
-| method | | | ✓ |
-| bytes | | | ✓ |
-| domain | | | ✓ |
-| action | | | ✓ |
-| user | | | ✓ |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| method | | | ✓ |
+| bytes | | | ✓ |
+| domain | | | ✓ |
+| action | | | ✓ |
+| domain_user_name | | | |
+| user | | | ✓ |
Activity Types
--------------
diff --git a/Extensions/thycotic_software_secret_server.md b/Extensions/thycotic_software_secret_server.md
index cda75db..8c9ee25 100644
--- a/Extensions/thycotic_software_secret_server.md
+++ b/Extensions/thycotic_software_secret_server.md
@@ -16,84 +16,95 @@ Fields
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| -------------------- | --------------- | ------- | -------- | --------- | ------------- |
-| app-activity | resource | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| app-login | | | | | |
-| group-member-add | resource | | | | |
-| | additional_info | | | | |
-| | domain | Legacy | | | ✓ |
-| | operation | | | | |
-| | user | Legacy | ✓ | ✓ | |
-| | object | | | | |
-| group-member-remove | resource | | | | |
-| | additional_info | | | | |
-| | domain | Legacy | | | ✓ |
-| | operation | | | | |
-| | user | Legacy | ✓ | ✓ | |
-| | object | | | | |
-| password-checkin | resource | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| password-checkout | resource | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| password-copy | resource | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| policy-create | resource | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| policy-modify | resource | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| secret-copy | resource | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| secret-create | resource | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| secret-modify | resource | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| user-create | resource | | | | |
-| | additional_info | | | | |
-| | domain | Legacy | | | ✓ |
-| | operation | | | | |
-| | user | Legacy | ✓ | ✓ | |
-| | object | | | | |
-| user-disable | resource | | | | |
-| | additional_info | | | | |
-| | domain | Legacy | | | ✓ |
-| | operation | | | | |
-| | user | Legacy | ✓ | ✓ | |
-| | object | | | | |
-| user-modify | resource | | | | |
-| | additional_info | | | | |
-| | domain | Legacy | | | ✓ |
-| | operation | | | | |
-| | user | Legacy | ✓ | | |
-| | object | | | | |
-| user-password-modify | resource | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| -------------------- | ---------------- | ------- | -------- | --------- | ------------- |
+| app-activity | resource | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| app-login | | | | | |
+| group-member-add | resource | | | | |
+| | additional_info | | | | |
+| | domain | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | operation | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | object | | | | |
+| group-member-remove | resource | | | | |
+| | additional_info | | | | |
+| | domain | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | operation | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | object | | | | |
+| password-checkin | resource | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| password-checkout | resource | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| password-copy | resource | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| policy-create | resource | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | operation | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| policy-modify | resource | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | operation | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| secret-copy | resource | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | operation | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| secret-create | resource | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | operation | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| secret-modify | resource | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | operation | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| user-create | resource | | | | |
+| | additional_info | | | | |
+| | domain | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | operation | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | object | | | | |
+| user-disable | resource | | | | |
+| | additional_info | | | | |
+| | domain | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | operation | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | object | | | | |
+| user-modify | resource | | | | |
+| | additional_info | | | | |
+| | domain | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | operation | | | | |
+| | user | Legacy | ✓ | | |
+| | object | | | | |
+| user-password-modify | resource | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
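Review bot: `domain_user_name` is added only to activity types that already carry a `user` row, which is consistent, but it exposes a gap: `password-checkin`, `password-checkout`, `password-copy` and `user-password-modify` have no `user` field at all, so the acting account for the most sensitive operations in a secret server is not mapped. Confirm that the source log really lacks the actor; otherwise add `user` to those activity types as well.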
diff --git a/Extensions/trapx.md b/Extensions/trapx.md
index 75da954..7212cf8 100644
--- a/Extensions/trapx.md
+++ b/Extensions/trapx.md
@@ -9,14 +9,15 @@ product = "trapx"
Fields
------
-| Field | Core | Detection | Informational |
-| ---------- | ---- | --------- | ------------- |
-| src_ip | | | ✓ |
-| protocol | | | ✓ |
-| event_code | | | ✓ |
-| dest_ip | | | ✓ |
-| domain | | | ✓ |
-| user | | | ✓ |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| src_ip | | | ✓ |
+| protocol | | | ✓ |
+| event_code | | | ✓ |
+| dest_ip | | | ✓ |
+| domain | | | ✓ |
+| domain_user_name | | | |
+| user | | | ✓ |
Activity Types
--------------
diff --git a/Extensions/trend_micro_cloud_app_security.md b/Extensions/trend_micro_cloud_app_security.md
index ce6ccef..a66674b 100644
--- a/Extensions/trend_micro_cloud_app_security.md
+++ b/Extensions/trend_micro_cloud_app_security.md
@@ -16,9 +16,9 @@ Activity Types
| Activity Type | Field | Status | Core | Detection | Informational |
| ------------- | --------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | result | | | | |
+| alert-trigger | app | | | | |
+| | result | | | | |
| | email_address | | | | |
-| | application | | | | |
| | additional_info | | | | |
| | file_name | Legacy | ✓ | | |
| | malware_url | | | | |
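Review bot: `application` → `app` is applied here, in the cloudsoc hunk above and in the deep_discovery_inspector and tippingpoint_ngips hunks below, so the rename is clearly intentional, but each time the new `app` row is inserted at the top of the table instead of where `application` was, which obscures the change. Record the rename in the changelog alongside the `operating_system` → `os` renames, since it affects every rule that filters on `application`.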
diff --git a/Extensions/trend_micro_deep_discovery_inspector.md b/Extensions/trend_micro_deep_discovery_inspector.md
index 881eed1..81f8724 100644
--- a/Extensions/trend_micro_deep_discovery_inspector.md
+++ b/Extensions/trend_micro_deep_discovery_inspector.md
@@ -16,9 +16,9 @@ Activity Types
| Activity Type | Field | Status | Core | Detection | Informational |
| ------------- | ----------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | src_ip | Legacy | ✓ | ✓ | |
+| alert-trigger | app | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
| | src_port | Legacy | | | ✓ |
-| | application | | | | |
| | alert_id | Legacy | | | ✓ |
| | dest_ip | Legacy | ✓ | ✓ | |
| | action | Legacy | | | ✓ |
diff --git a/Extensions/trend_micro_interscan_web_security.md b/Extensions/trend_micro_interscan_web_security.md
index 51919df..0267102 100644
--- a/Extensions/trend_micro_interscan_web_security.md
+++ b/Extensions/trend_micro_interscan_web_security.md
@@ -4,7 +4,7 @@ trend micro interscan web security
Expression
----------
-product = "interscan web security"
+product = "trend micro interscan web security"
Fields
------
diff --git a/Extensions/trend_micro_officescan.md b/Extensions/trend_micro_officescan.md
index c6f4a4b..7ad374d 100644
--- a/Extensions/trend_micro_officescan.md
+++ b/Extensions/trend_micro_officescan.md
@@ -4,7 +4,7 @@ trend micro officescan
Expression
----------
-product = "trend micro officescan"
+product = trend micro officescan
Fields
------
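Review bot: the new line `product = trend micro officescan` drops the quotes that every other Expression in this change uses (`product = "symantec siteminder"`, `product = "terraform"`), so the value is now either a parse error or ambiguous for any evaluator that tokenizes on whitespace; restore the quotes.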
@@ -14,10 +14,26 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | -------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | protocol | Legacy | | ✓ | |
-| | domain | | | | |
-| | src_host | Legacy | ✓ | ✓ | |
-| | user | Legacy | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | app | | | | |
+| | process | | | | |
+| | domain_user_name | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | result | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | src_port | Legacy | | | ✓ |
+| | protocol | Legacy | | ✓ | |
+| | email_address | | | | |
+| | additional_info | | | | |
+| | process_name | Legacy | | ✓ | |
+| | alert_id | Legacy | | | ✓ |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | domain | | | | |
+| | hash_md5 | | | | |
+| | dest_host | Legacy | | ✓ | |
+| | threat_type | | | | |
+| | malware_url | | | | |
+| | user | Legacy | | ✓ | |
+| | dest_port | Legacy | | ✓ | |
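Review bot: both `process` and `process_name` appear under alert-trigger, and `process` has no status or classification; if `process` holds a different value (for example the full path or the command line), name it with the vocabulary already used elsewhere in this change (`process_path`, `process_command_line`), otherwise drop it as a duplicate of `process_name`.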
diff --git a/Extensions/trend_micro_tippingpoint_ngips.md b/Extensions/trend_micro_tippingpoint_ngips.md
index df22246..71306b2 100644
--- a/Extensions/trend_micro_tippingpoint_ngips.md
+++ b/Extensions/trend_micro_tippingpoint_ngips.md
@@ -16,12 +16,12 @@ Activity Types
| Activity Type | Field | Status | Core | Detection | Informational |
| ------------- | --------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | src_host | Legacy | ✓ | ✓ | |
+| alert-trigger | app | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
| | result | | | | |
| | src_ip | Legacy | ✓ | ✓ | |
| | src_port | Legacy | | | ✓ |
| | protocol | Legacy | | ✓ | |
-| | application | | | | |
| | additional_info | | | | |
| | event_code | | | | |
| | alert_id | Legacy | | | ✓ |
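Review bot: renaming the `application` field to `app` changes a published field name that downstream parsers, queries and rules may reference by the old name, and nothing in the patch records it as a breaking change; the same rename recurs in vectra_cognito_stream.md, vmware_horizon.md, vmware_identity_manager.md and webmail_owa.md, alongside `operating_system` to `os` and `authentication_process` to `auth_process` elsewhere. Add a changelog or deprecation note listing each old and new name rather than silently swapping the rows. Moving the row to the top of the block is fine, but note that it now carries the `alert-trigger` label, so any tooling that keys on the first row of an activity type sees a different field.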
diff --git a/Extensions/tripwire_enterprise.md b/Extensions/tripwire_enterprise.md
index 57647c9..f15fdf2 100644
--- a/Extensions/tripwire_enterprise.md
+++ b/Extensions/tripwire_enterprise.md
@@ -18,15 +18,16 @@ Activity Types
| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
| alert-trigger | file_path | Legacy | | | ✓ |
| | access | | | | |
+| | os | | | | |
| | file_name | Legacy | ✓ | | |
| | file_dir | Legacy | | | ✓ |
| | process_dir | | | | |
+| | domain_user_name | | | | |
| | file_ext | | | | |
| | old_hash | | | | |
| | process_name | Legacy | | ✓ | |
| | domain | | | | |
| | dest_host | Legacy | | ✓ | |
-| | operating_system | | | | |
| | process_path | Legacy | | ✓ | |
| | user | Legacy | | ✓ | |
| | hash_type | | | | |
diff --git a/Extensions/unix.md b/Extensions/unix.md
index 4d4a1f0..2b09d43 100644
--- a/Extensions/unix.md
+++ b/Extensions/unix.md
@@ -4,7 +4,7 @@ unix
Expression
----------
-product = "unix"
+product = unix
Fields
------
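Review bot: `+product = unix` removes the quotes from the expression while the other expressions in this patch that appear as context (`product = "vmware nsx"`, `product = "vormetric"`, `product = "watchguard"`, `product = "websense security gateway"`) keep them, leaving the repository with two syntaxes for the same construct. Pick one: keep the quotes here, or convert every extension and say so in the commit.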
@@ -16,6 +16,25 @@ Activity Types
| Activity Type | Field | Status | Core | Detection | Informational |
| ----------------------- | -------------------- | ------- | -------- | --------- | ------------- |
+| alert-trigger | parent_process_id | | | | |
+| | file_path | Legacy | | | ✓ |
+| | process_id | | | | |
+| | operation_type | | | | |
+| | service_name | | | | |
+| | local_user_name | | | | |
+| | file_owner | | | | |
+| | process_command_line | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | event_subtype | | | | |
+| | event_category | | | | |
+| | result | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | path | | | | |
+| | group_id | | | | |
+| | process_name | Legacy | | ✓ | |
+| | arg | | | | |
+| | dest_host | Legacy | | ✓ | |
+| | user | Legacy | | ✓ | |
| email-receive | protocol | Default | | | ✓ |
| | bytes | Default | | | ✓ |
| | num_recipients | Default | | | ✓ |
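Review bot: the new alert-trigger block lists both `path` and `file_path`, and `arg` alongside `process_command_line`, without saying how they differ, and none of the 15 non-Legacy rows (`parent_process_id`, `process_id`, `operation_type`, `service_name`, `local_user_name`, `file_owner`, `process_command_line`, `event_subtype`, `event_category`, `result`, `path`, `group_id`, `arg`) carries a Status or a classification. Define `path` and `arg` relative to the existing fields (or drop them) and mark the rows up before merging; as written a reader cannot tell which of these an alert from a generic `unix` source is expected to populate.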
@@ -59,6 +78,7 @@ Activity Types
| | access | Legacy | | ✓ | |
| | operation_type | | | | ✓ |
| | service_name | | | | ✓ |
+| | local_user_name | | | | |
| | file_owner | | | | ✓ |
| | process_command_line | | | | ✓ |
| | src_host | | | ✓ | |
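Review bot: the inserted `local_user_name` row has an empty Status and no classification, while the adjacent `service_name` and `file_owner` rows in the same block are marked Informational. If the field belongs with them it should carry the same mark; if it is intentionally unclassified, the table needs a legend stating what an empty row means. The same pattern repeats in each of the following hunks in this file.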
@@ -77,6 +97,7 @@ Activity Types
| | access | Legacy | | ✓ | |
| | operation_type | | | | ✓ |
| | service_name | | | | ✓ |
+| | local_user_name | | | | |
| | file_owner | | | | ✓ |
| | process_command_line | | | | ✓ |
| | src_host | Legacy | | ✓ | |
@@ -97,6 +118,7 @@ Activity Types
| | process_id | | | | |
| | operation_type | | | | |
| | service_name | | | | |
+| | local_user_name | | | | |
| | file_owner | | | | |
| | process_command_line | | | | |
| | src_host | Legacy | | ✓ | |
@@ -118,6 +140,7 @@ Activity Types
| | process_id | | | | |
| | operation_type | | | | |
| | service_name | | | | |
+| | local_user_name | | | | |
| | file_owner | | | | |
| | process_command_line | | | | |
| | src_host | Legacy | | ✓ | |
@@ -133,6 +156,7 @@ Activity Types
| | process_id | | | | |
| | operation_type | | | | |
| | service_name | | | | |
+| | local_user_name | | | | |
| | file_owner | | | | |
| | process_command_line | | | | |
| | src_host | | | | |
@@ -151,6 +175,7 @@ Activity Types
| | process_id | Default | | | ✓ |
| | operation_type | Default | | | ✓ |
| | service_name | Default | | | ✓ |
+| | local_user_name | | | | |
| | file_owner | Default | | | ✓ |
| | process_command_line | Default | | | ✓ |
| | src_host | Default | | ✓ | |
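Review bot: here the surrounding rows (`service_name`, `file_owner`, `process_command_line`) are all `Default` and Informational, but the new `local_user_name` row is neither; a field added to a `Default` block without a Status reads as an accidental omission rather than a decision. Either mark it `Default` with a classification like its neighbours or explain the difference in the row.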
diff --git a/Extensions/unix_auditd.md b/Extensions/unix_auditd.md
index 7424694..3045c7b 100644
--- a/Extensions/unix_auditd.md
+++ b/Extensions/unix_auditd.md
@@ -14,64 +14,64 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ----------------------- | ---------------------- | ------- | ---- | --------- | ------------- |
-| endpoint-authentication | process_id | Default | | | ✓ |
-| | operation_type | Default | | | ✓ |
-| | service_name | Default | | | ✓ |
-| | process_dir | Default | | | ✓ |
-| | src_host | Default | | ✓ | |
-| | src_port | Default | | | ✓ |
-| | src_ip | Default | | ✓ | |
-| | account_id | Default | | | ✓ |
-| | event_id | Default | | | ✓ |
-| | user_id | Default | | | ✓ |
-| | process_name | Default | | | ✓ |
-| | dest_ip | Default | | ✓ | |
-| | event_name | Default | | | ✓ |
-| | process_path | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | dest_port | Default | | | ✓ |
-| | account | Default | | ✓ | |
-| endpoint-login | process_id | Default | | | ✓ |
-| | service_name | Default | | | ✓ |
-| | process_dir | Default | | | ✓ |
-| | src_host | Default | | ✓ | |
-| | result | Default | | | ✓ |
-| | src_port | Default | | | ✓ |
-| | src_ip | Default | | ✓ | |
-| | event_id | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | user_id | Default | | | ✓ |
-| | event_code | Default | | | ✓ |
-| | process_name | Default | | | ✓ |
-| | dest_ip | Default | | ✓ | |
-| | event_name | Default | | | ✓ |
-| | process_path | Default | | | ✓ |
-| | operation | Default | | | ✓ |
-| | dest_port | Default | | | ✓ |
-| | authentication_process | Default | | | ✓ |
-| group-member-add | user_id | | | | |
-| | session_id | | | | |
-| group-member-remove | user_id | | | | |
-| | session_id | | | | |
-| process-create | service_name | Default | | | ✓ |
-| | src_port | Default | | | ✓ |
-| | src_ip | Default | | ✓ | |
-| | account_id | Default | | | ✓ |
-| | event_id | Default | | | ✓ |
-| | user_id | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | event_code | Default | | | ✓ |
-| | dest_ip | Default | | ✓ | |
-| | event_name | Default | | | ✓ |
-| | dest_host | Default | | ✓ | |
-| | user | Default | | ✓ | |
-| | dest_port | Default | | | ✓ |
-| user-create | process_id | | | | |
-| | user_id | | | | |
-| | session_id | | | | |
-| user-delete | user_id | | | | |
-| | session_id | | | | |
-| | dest_user_id | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ----------------------- | --------------- | ------- | ---- | --------- | ------------- |
+| endpoint-authentication | process_id | Default | | | ✓ |
+| | operation_type | Default | | | ✓ |
+| | service_name | Default | | | ✓ |
+| | process_dir | Default | | | ✓ |
+| | src_host | Default | | ✓ | |
+| | src_port | Default | | | ✓ |
+| | src_ip | Default | | ✓ | |
+| | account_id | Default | | | ✓ |
+| | event_id | Default | | | ✓ |
+| | user_id | Default | | | ✓ |
+| | process_name | Default | | | ✓ |
+| | dest_ip | Default | | ✓ | |
+| | event_name | Default | | | ✓ |
+| | process_path | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | dest_port | Default | | | ✓ |
+| | account | Default | | ✓ | |
+| endpoint-login | process_id | Default | | | ✓ |
+| | service_name | Default | | | ✓ |
+| | process_dir | Default | | | ✓ |
+| | src_host | Default | | ✓ | |
+| | result | Default | | | ✓ |
+| | src_port | Default | | | ✓ |
+| | src_ip | Default | | ✓ | |
+| | event_id | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | user_id | Default | | | ✓ |
+| | event_code | Default | | | ✓ |
+| | process_name | Default | | | ✓ |
+| | dest_ip | Default | | ✓ | |
+| | event_name | Default | | | ✓ |
+| | process_path | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | dest_port | Default | | | ✓ |
+| | auth_process | Default | | | ✓ |
+| group-member-add | user_id | | | | |
+| | session_id | | | | |
+| group-member-remove | user_id | | | | |
+| | session_id | | | | |
+| process-create | service_name | Default | | | ✓ |
+| | src_port | Default | | | ✓ |
+| | src_ip | Default | | ✓ | |
+| | account_id | Default | | | ✓ |
+| | event_id | Default | | | ✓ |
+| | user_id | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | event_code | Default | | | ✓ |
+| | dest_ip | Default | | ✓ | |
+| | event_name | Default | | | ✓ |
+| | dest_host | Default | | ✓ | |
+| | user | Default | | ✓ | |
+| | dest_port | Default | | | ✓ |
+| user-create | process_id | | | | |
+| | user_id | | | | |
+| | session_id | | | | |
+| user-delete | user_id | | | | |
+| | session_id | | | | |
+| | dest_user_id | | | | |
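Review bot: the only substantive change in this 64-line rewrite is `authentication_process` to `auth_process` on the endpoint-login row; everything else is the Field column being narrowed from 22 to 15 characters. Narrow the diff to that one row, or land the reformat as a separate commit, so the rename is visible to whoever greps for `authentication_process` in parsers and detection rules, and record the rename in the changelog.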
diff --git a/Extensions/varonis_data_security_platform.md b/Extensions/varonis_data_security_platform.md
index f7acc9f..27bf1e7 100644
--- a/Extensions/varonis_data_security_platform.md
+++ b/Extensions/varonis_data_security_platform.md
@@ -14,20 +14,21 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | file_path | Legacy | | | ✓ |
-| | access | | | | |
-| | file_name | Legacy | ✓ | | |
-| | file_dir | Legacy | | | ✓ |
-| | last_name | | | | |
-| | result | | | | |
-| | file_ext | | | | |
-| | full_name | | | | |
-| | additional_info | | | | |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | domain | | | | |
-| | dest_host | Legacy | | ✓ | |
-| | user | Legacy | | ✓ | |
-| | first_name | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | file_path | Legacy | | | ✓ |
+| | access | | | | |
+| | file_name | Legacy | ✓ | | |
+| | file_dir | Legacy | | | ✓ |
+| | last_name | | | | |
+| | domain_user_name | | | | |
+| | result | | | | |
+| | file_ext | | | | |
+| | full_name | | | | |
+| | additional_info | | | | |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | domain | | | | |
+| | dest_host | Legacy | | ✓ | |
+| | user | Legacy | | ✓ | |
+| | first_name | | | | |
diff --git a/Extensions/vbcorp_vbcorp+a1228:a1254.md b/Extensions/vbcorp_vbcorp+a1228:a1254.md
index 971d37b..9823535 100644
--- a/Extensions/vbcorp_vbcorp+a1228:a1254.md
+++ b/Extensions/vbcorp_vbcorp+a1228:a1254.md
@@ -14,13 +14,14 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | ----------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | result | | | | |
-| | src_ip | Legacy | ✓ | ✓ | |
-| | src_mac | | | | |
-| | domain | | | | |
-| | malware_url | | | | |
-| | src_host | Legacy | ✓ | ✓ | |
-| | user | Legacy | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | result | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | src_mac | | | | |
+| | domain | | | | |
+| | malware_url | | | | |
+| | domain_user_name | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | user | Legacy | | ✓ | |
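Review bot: the file name `Extensions/vbcorp_vbcorp+a1228:a1254.md` looks like a spreadsheet cell range (`a1228:a1254`) that leaked into the extension name during generation, and the colon makes the path invalid on Windows checkouts and awkward in URLs. The extension should be renamed (and its product expression regenerated from the intended product name) rather than extended in place with another `domain_user_name` row.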
diff --git a/Extensions/vectra_cognito_stream.md b/Extensions/vectra_cognito_stream.md
index 35fa69e..8bfcf36 100644
--- a/Extensions/vectra_cognito_stream.md
+++ b/Extensions/vectra_cognito_stream.md
@@ -21,7 +21,7 @@ Activity Types
| ------------- | --------------------- | ------- | ---- | --------- | ------------- |
| app-activity | src_ip | Default | | ✓ | |
| | result | Default | | | ✓ |
-| | application | Default | | | ✓ |
+| | app | Default | | | ✓ |
| | dest_ip | Default | | ✓ | |
| rdp-traffic | | | | | |
| ssh-traffic | cipher_algorithm | | | | |
diff --git a/Extensions/verizon_network_detection_&_response.md b/Extensions/verizon_network_detection_&_response.md
index 3859465..f717a5f 100644
--- a/Extensions/verizon_network_detection_&_response.md
+++ b/Extensions/verizon_network_detection_&_response.md
@@ -14,14 +14,14 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | src_ip | Legacy | ✓ | ✓ | |
-| | src_port | Legacy | | | ✓ |
-| | additional_info | | | | |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | dest_host | Legacy | | ✓ | |
-| | operating_system | | | | |
-| | src_host | Legacy | ✓ | ✓ | |
-| | dest_port | Legacy | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | --------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | src_ip | Legacy | ✓ | ✓ | |
+| | src_port | Legacy | | | ✓ |
+| | os | | | | |
+| | additional_info | | | | |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | dest_host | Legacy | | ✓ | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | dest_port | Legacy | | ✓ | |
diff --git a/Extensions/vmware_airwatch.md b/Extensions/vmware_airwatch.md
index f1465e6..24bca0d 100644
--- a/Extensions/vmware_airwatch.md
+++ b/Extensions/vmware_airwatch.md
@@ -19,6 +19,7 @@ Activity Types
| alert-trigger | result | | | | |
| | device_name | | | | |
| | additional_info | | | | |
+| | local_user_name | | | | |
| | event_name | | | | |
| | failure_reason | | | | |
| | src_host | Legacy | ✓ | ✓ | |
diff --git a/Extensions/vmware_app_control.md b/Extensions/vmware_app_control.md
index 6fa84d1..bf368a8 100644
--- a/Extensions/vmware_app_control.md
+++ b/Extensions/vmware_app_control.md
@@ -17,27 +17,28 @@ Activity Types
| Activity Type | Field | Status | Core | Detection | Informational |
| ------------- | -------------------- | ------ | -------- | --------- | ------------- |
| alert-trigger | file_path | Legacy | | | ✓ |
-| | host_ip | | | | |
| | access | | | | |
+| | domain_user_name | | | | |
+| | host_type | | | | |
+| | sensor_id | | | | |
+| | process_guid | | | | |
+| | process_name | Legacy | | ✓ | |
+| | alert_id | Legacy | | | ✓ |
+| | hash_md5 | | | | |
+| | new_hash | | | | |
+| | host_ip | | | | |
| | file_name | Legacy | ✓ | | |
| | file_dir | Legacy | | | ✓ |
| | parent_process_name | | | | |
| | process_dir | | | | |
| | process_command_line | | | | |
-| | host_type | | | | |
-| | sensor_id | | | | |
-| | process_guid | | | | |
| | old_hash | | | | |
| | additional_info | | | | |
-| | process_name | Legacy | | ✓ | |
-| | alert_id | Legacy | | | ✓ |
| | dest_ip | Legacy | ✓ | ✓ | |
| | domain | | | | |
-| | hash_md5 | | | | |
| | dest_host | Legacy | | ✓ | |
| | parent_process_guid | | | | |
| | process_path | Legacy | | ✓ | |
| | ioc | | | | |
| | user | Legacy | | ✓ | |
-| | new_hash | | | | |
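Review bot: eight existing rows (`host_ip`, `host_type`, `sensor_id`, `process_guid`, `process_name`, `alert_id`, `hash_md5`, `new_hash`) are moved within the alert-trigger table with no content change, so the one real addition, `domain_user_name`, is buried in a reorder. If the table is generated from an unordered set, sort the rows deterministically (activity type, then field name) so regeneration does not reshuffle them; otherwise keep the original order and add the new row only.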
diff --git a/Extensions/vmware_carbon_black_app_control.md b/Extensions/vmware_carbon_black_app_control.md
index 08df36a..b16038f 100644
--- a/Extensions/vmware_carbon_black_app_control.md
+++ b/Extensions/vmware_carbon_black_app_control.md
@@ -17,6 +17,7 @@ Activity Types
| Activity Type | Field | Status | Core | Detection | Informational |
| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
| alert-trigger | file_path | Legacy | | | ✓ |
+| | domain_user_name | | | | |
| | src_host | Legacy | ✓ | ✓ | |
| | src_ip | Legacy | ✓ | ✓ | |
| | additional_info | | | | |
diff --git a/Extensions/vmware_carbon_black_edr.md b/Extensions/vmware_carbon_black_edr.md
index eadc9c5..9f130b1 100644
--- a/Extensions/vmware_carbon_black_edr.md
+++ b/Extensions/vmware_carbon_black_edr.md
@@ -14,13 +14,14 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | ----------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | src_ip | Legacy | ✓ | ✓ | |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | dest_host | Legacy | | ✓ | |
-| | malware_url | | | | |
-| | src_host | Legacy | ✓ | ✓ | |
-| | user | Legacy | | ✓ | |
-| | dest_port | Legacy | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | --------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | src_ip | Legacy | ✓ | ✓ | |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | local_user_name | | | | |
+| | dest_host | Legacy | | ✓ | |
+| | malware_url | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | user | Legacy | | ✓ | |
+| | dest_port | Legacy | | ✓ | |
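Review bot: this extension receives `local_user_name`, while the sibling Carbon Black extensions in the same patch (vmware_carbon_black_app_control.md, vmware_carbon_black_endpoint.md) receive `domain_user_name`. Confirm that the difference is deliberate (EDR reporting a local account rather than a domain account) and say so in the row or commit message, because a mix-up here silently changes which identity field detections key on. The table is also re-emitted in full for a column-width change; only the new row needs to appear in the diff.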
diff --git a/Extensions/vmware_carbon_black_endpoint.md b/Extensions/vmware_carbon_black_endpoint.md
index 0f2d606..ccd5c37 100644
--- a/Extensions/vmware_carbon_black_endpoint.md
+++ b/Extensions/vmware_carbon_black_endpoint.md
@@ -17,14 +17,15 @@ Activity Types
| Activity Type | Field | Status | Core | Detection | Informational |
| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
| alert-trigger | src_ip | Legacy | ✓ | ✓ | |
+| | os | | | | |
| | additional_info | | | | |
| | process_name | Legacy | | ✓ | |
| | alert_id | Legacy | | | ✓ |
| | dest_ip | Legacy | ✓ | ✓ | |
| | domain | | | | |
| | dest_host | Legacy | | ✓ | |
-| | operating_system | | | | |
| | malware_url | | | | |
+| | domain_user_name | | | | |
| | src_host | Legacy | ✓ | ✓ | |
| | user | Legacy | | ✓ | |
diff --git a/Extensions/vmware_horizon.md b/Extensions/vmware_horizon.md
index a7cc7c1..276f04b 100644
--- a/Extensions/vmware_horizon.md
+++ b/Extensions/vmware_horizon.md
@@ -14,122 +14,138 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ----------------------- | --------------- | ------- | -------- | --------- | ------------- |
-| app-authentication | src_ip | Default | | ✓ | |
-| | session_id | Default | | | ✓ |
-| configuration-modify | application | | | | |
-| | additional_info | | | | |
-| | domain | | | | |
-| | dest_host | | | | |
-| | user | | | | |
-| | operation | | | | |
-| | object | | | | |
-| endpoint-login | user_id | Default | | | ✓ |
-| | resource | Default | | | ✓ |
-| | dest_ip | Default | | ✓ | |
-| | object_id | Default | | | ✓ |
-| folder-create | application | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | dest_host | Default | | ✓ | |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| folder-delete | application | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | dest_host | Default | | ✓ | |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| folder-modify | application | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | dest_host | Default | | ✓ | |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| policy-delete | application | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | dest_host | Default | | ✓ | |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| policy-modify | application | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | dest_host | Default | | ✓ | |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| role-create | application | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | dest_host | Default | | ✓ | |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| role-delete | application | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | dest_host | Default | | ✓ | |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| role-modify | application | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | dest_host | Default | | ✓ | |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| user-modify | application | | | | |
-| | additional_info | | | | |
-| | domain | Legacy | | | ✓ |
-| | dest_host | Legacy | | | ✓ |
-| | user | Legacy | ✓ | | |
-| | operation | | | | |
-| | object | | | | |
-| user-permission-modify | application | | | | |
-| | additional_info | | | | |
-| | domain | Legacy | | | ✓ |
-| | dest_host | Legacy | | | ✓ |
-| | user | Legacy | ✓ | | |
-| | operation | | | | |
-| | object | | | | |
-| vm_pool-create | application | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | dest_host | Default | | ✓ | |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| vm_pool-delete | application | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | dest_host | Default | | ✓ | |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| vm_pool-endpoint-add | application | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| vm_pool-endpoint-remove | application | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
-| vm_pool-modify | application | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | domain | Default | | | ✓ |
-| | dest_host | Default | | ✓ | |
-| | user | Default | | ✓ | |
-| | operation | Default | | | ✓ |
-| | object | Default | | | ✓ |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ----------------------- | ---------------- | ------- | -------- | --------- | ------------- |
+| app-authentication | src_ip | Default | | ✓ | |
+| | session_id | Default | | | ✓ |
+| configuration-modify | app | | | | |
+| | additional_info | | | | |
+| | domain | | | | |
+| | dest_host | | | | |
+| | domain_user_name | | | | |
+| | user | | | | |
+| | operation | | | | |
+| | object | | | | |
+| endpoint-login | user_id | Default | | | ✓ |
+| | resource | Default | | | ✓ |
+| | dest_ip | Default | | ✓ | |
+| | object_id | Default | | | ✓ |
+| folder-create | app | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | dest_host | Default | | ✓ | |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| folder-delete | app | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | dest_host | Default | | ✓ | |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| folder-modify | app | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | dest_host | Default | | ✓ | |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| policy-delete | app | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | dest_host | Default | | ✓ | |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| policy-modify | app | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | dest_host | Default | | ✓ | |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| role-create | app | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | dest_host | Default | | ✓ | |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| role-delete | app | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | dest_host | Default | | ✓ | |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| role-modify | app | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | dest_host | Default | | ✓ | |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| user-modify | app | | | | |
+| | additional_info | | | | |
+| | domain | Legacy | | | ✓ |
+| | dest_host | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | | |
+| | operation | | | | |
+| | object | | | | |
+| user-permission-modify | app | | | | |
+| | additional_info | | | | |
+| | domain | Legacy | | | ✓ |
+| | dest_host | Legacy | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Legacy | ✓ | | |
+| | operation | | | | |
+| | object | | | | |
+| vm_pool-create | app | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | dest_host | Default | | ✓ | |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| vm_pool-delete | app | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | dest_host | Default | | ✓ | |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| vm_pool-endpoint-add | app | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| vm_pool-endpoint-remove | app | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| vm_pool-modify | app | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | domain | Default | | | ✓ |
+| | dest_host | Default | | ✓ | |
+| | domain_user_name | | | | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | object | Default | | | ✓ |
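Review bot: `domain_user_name` is added to 15 activity types with an empty Status and no Core/Detection/Informational mark, while every other row in the `Default` blocks (folder-*, policy-*, role-*, vm_pool-*) is `Default` with a classification. Either the field is `Default` like its neighbours or the table needs a stated convention for empty rows. The patch also rewrites all 122 existing rows to fit the wider Field column and renames `application` to `app` on 15 rows without a changelog entry; splitting the reformat from the additions and noting the rename would make this reviewable.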
diff --git a/Extensions/vmware_identity_manager.md b/Extensions/vmware_identity_manager.md
index f5c29d0..694239d 100644
--- a/Extensions/vmware_identity_manager.md
+++ b/Extensions/vmware_identity_manager.md
@@ -9,38 +9,39 @@ product = "vmware identity manager"
Fields
------
-| Field | Core | Detection | Informational |
-| ------------------------ | -------- | --------- | ------------- |
-| object_type | | | ✓ |
-| resource_type | | | ✓ |
-| device_type | | | ✓ |
-| src_host | | ✓ | |
-| object_id | | | ✓ |
-| src_ip | | ✓ | |
-| auth_method | | | ✓ |
-| operating_system_version | | | ✓ |
-| application | | | ✓ |
-| domain | | ✓ | |
-| object_name | | | ✓ |
-| operating_system_type | | | ✓ |
-| event_name | | | ✓ |
-| operating_system | | | ✓ |
-| user | ✓ | ✓ | |
-| operation | | | ✓ |
-| user_agent | | ✓ | |
-| redirect_url | | | ✓ |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| app | | | ✓ |
+| os | | | ✓ |
+| object_type | | | ✓ |
+| os_version | | | ✓ |
+| resource_type | | | ✓ |
+| domain_user_name | | | |
+| device_type | | | ✓ |
+| src_host | | ✓ | |
+| object_id | | | ✓ |
+| src_ip | | ✓ | |
+| auth_method | | | ✓ |
+| domain | | ✓ | |
+| object_name | | | ✓ |
+| os_type | | | ✓ |
+| event_name | | | ✓ |
+| user | ✓ | ✓ | |
+| operation | | | ✓ |
+| user_agent | | ✓ | |
+| redirect_url | | | ✓ |
Activity Types
--------------
| Activity Type | Field | Status | Core | Detection | Informational |
| ------------------ | --------------- | ------- | ---- | --------- | ------------- |
-| app-activity | result | Default | | | ✓ |
-| | application | Default | | | ✓ |
+| app-activity | app | Default | | | ✓ |
+| | result | Default | | | ✓ |
| | additional_info | Default | | | ✓ |
| | user_id | Default | | | ✓ |
-| app-authentication | result | Default | | | ✓ |
-| | application | Default | | | ✓ |
+| app-authentication | app | Default | | | ✓ |
+| | result | Default | | | ✓ |
| | additional_info | Default | | | ✓ |
| | user_id | Default | | | ✓ |
| app-login | | | | | |
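Review bot: in the Fields table `domain_user_name` is the only field with no Core, Detection or Informational mark, and `operating_system`, `operating_system_type` and `operating_system_version` are renamed to `os`, `os_type` and `os_version` with no note. The context line `product = "vmware identity manager"` also shows this file keeping quotes that trend_micro_officescan.md and unix.md drop in the same patch. Mark the new field, document the renames, and settle on one quoting convention across extensions.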
diff --git a/Extensions/vmware_nsx.md b/Extensions/vmware_nsx.md
index 1413abd..a874fda 100644
--- a/Extensions/vmware_nsx.md
+++ b/Extensions/vmware_nsx.md
@@ -9,7 +9,12 @@ product = "vmware nsx"
Fields
------
-There are no fields for this extension.
+| Field | Core | Detection | Informational |
+| --------- | ---- | --------- | ------------- |
+| bytes_out | | | ✓ |
+| bytes_in | | | ✓ |
+| operation | | | ✓ |
+| direction | | | ✓ |
Activity Types
--------------
diff --git a/Extensions/vormetric.md b/Extensions/vormetric.md
index 6781508..b812f38 100644
--- a/Extensions/vormetric.md
+++ b/Extensions/vormetric.md
@@ -9,21 +9,33 @@ product = "vormetric"
Fields
------
-There are no fields for this extension.
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| access | | | ✓ |
+| process_name | | | ✓ |
+| domain | | | ✓ |
+| domain_user_name | | | |
+| process_dir | | | ✓ |
+| src_host | | | ✓ |
+| process_path | | | ✓ |
+| user | | | ✓ |
+| alert_name | | | ✓ |
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | ------------ | ------ | -------- | --------- | ------------- |
-| alert-trigger | access | | | | |
-| | file_name | Legacy | ✓ | | |
-| | process_name | Legacy | | ✓ | |
-| | domain | | | | |
-| | file_dir | Legacy | | | ✓ |
-| | action | Legacy | | | ✓ |
-| | dest_host | Legacy | | ✓ | |
-| | process_dir | | | | |
-| | process_path | Legacy | | ✓ | |
-| | user | Legacy | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | access | | | | |
+| | file_name | Legacy | ✓ | | |
+| | process_name | Legacy | | ✓ | |
+| | domain | | | | |
+| | file_dir | Legacy | | | ✓ |
+| | action | Legacy | | | ✓ |
+| | dest_host | Legacy | | ✓ | |
+| | process_dir | | | | |
+| | domain_user_name | | | | |
+| | process_path | Legacy | | ✓ | |
+| | user | Legacy | | ✓ | |
+| file-read | | | | | |
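Review bot: the new Fields table marks `src_host` as Informational only, while the alert-trigger table below marks `dest_host` as Detection and host fields are Detection in most other extensions in this patch; check whether `src_host` should be Detection here. The added `file-read` activity type has no fields at all, and `domain_user_name` again has no classification in either table; if `file-read` is a placeholder, list its fields or leave it out until it has some.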
diff --git a/Extensions/watchguard.md b/Extensions/watchguard.md
index 25333b6..c6ad34a 100644
--- a/Extensions/watchguard.md
+++ b/Extensions/watchguard.md
@@ -9,13 +9,14 @@ product = "watchguard"
Fields
------
-| Field | Core | Detection | Informational |
-| --------- | ---- | --------- | ------------- |
-| bytes_out | | | ✓ |
-| bytes_in | | | ✓ |
-| domain | | | ✓ |
-| category | | | ✓ |
-| user | | | ✓ |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| bytes_out | | | ✓ |
+| bytes_in | | | ✓ |
+| domain | | | ✓ |
+| domain_user_name | | | |
+| category | | | ✓ |
+| user | | | ✓ |
Activity Types
--------------
diff --git a/Extensions/wazuh_siem.md b/Extensions/wazuh_siem.md
index 8238a51..73e5b04 100644
--- a/Extensions/wazuh_siem.md
+++ b/Extensions/wazuh_siem.md
@@ -14,21 +14,22 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | agent_id | | | | |
-| | agent_name | | | | |
-| | data | | | | |
-| | log_path | | | | |
-| | event_name_name | | | | |
-| | description | | | | |
-| | dest_user | | | | |
-| | src_host | Legacy | ✓ | ✓ | |
-| | log_location | | | | |
-| | result | | | | |
-| | rule_id | | | | |
-| | src_ip | Legacy | ✓ | ✓ | |
-| | additional_info | | | | |
-| | decoder_name | | | | |
-| | wazuh_manager | | | | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | -------------------- | ------ | -------- | --------- | ------------- |
+| alert-trigger | agent_id | | | | |
+| | agent_name | | | | |
+| | data | | | | |
+| | log_path | | | | |
+| | event_name_name | | | | |
+| | description | | | | |
+| | dest_user | | | | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | log_location | | | | |
+| | result | | | | |
+| | rule_id | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | dest_local_user_name | | | | |
+| | additional_info | | | | |
+| | decoder_name | | | | |
+| | wazuh_manager | | | | |
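Review bot: `dest_local_user_name` is inserted without Status or any category tick, unlike `src_host` and `src_ip`, which are `Legacy` with Core and Detection; classify it before merging. Since every row is being rewritten anyway, `event_name_name` looks like a doubled suffix (compare `event_name` used in the zeek table) and could be corrected in the same change.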
diff --git a/Extensions/webmail_owa.md b/Extensions/webmail_owa.md
index fdd0a96..1f97f0a 100644
--- a/Extensions/webmail_owa.md
+++ b/Extensions/webmail_owa.md
@@ -14,13 +14,14 @@ There are no fields for this extension.
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------------- | ------- | ---- | --------- | ------------- |
-| app-activity | src_ip | Default | | ✓ | |
-| | application | Default | | | ✓ |
-| | additional_info | Default | | | ✓ |
-| | dest_ip | Default | | ✓ | |
-| | domain | Default | | | ✓ |
-| | src_host | Default | | ✓ | |
-| | user | Default | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ---------------- | ------- | ---- | --------- | ------------- |
+| app-activity | src_ip | Default | | ✓ | |
+| | app | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | dest_ip | Default | | ✓ | |
+| | domain | Default | | | ✓ |
+| | domain_user_name | | | | |
+| | src_host | Default | | ✓ | |
+| | user | Default | | ✓ | |
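Review bot: renaming `application` to `app` keeps the `Default` status and Informational tick, which is right, but please confirm nothing else in the repository still refers to the old field name, otherwise the webmail_owa mapping breaks silently. The new `domain_user_name` row has neither Status nor category, unlike every other row here, which is `Default` with a tick.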
diff --git a/Extensions/websense_security_gateway.md b/Extensions/websense_security_gateway.md
index 2b11df1..0df39c7 100644
--- a/Extensions/websense_security_gateway.md
+++ b/Extensions/websense_security_gateway.md
@@ -9,22 +9,23 @@ product = "websense security gateway"
Fields
------
-| Field | Core | Detection | Informational |
-| ------------ | ---- | --------- | ------------- |
-| user_ou | | | ✓ |
-| method | | | ✓ |
-| bytes_in | | | ✓ |
-| sub_category | | | ✓ |
-| mime | | | ✓ |
-| src_host | | | ✓ |
-| disposition | | | ✓ |
-| bytes_out | | | ✓ |
-| category_id | | | ✓ |
-| domain | | | ✓ |
-| action | | | ✓ |
-| result_code | | | ✓ |
-| category | | | ✓ |
-| user | | | ✓ |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| user_ou | | | ✓ |
+| method | | | ✓ |
+| bytes_in | | | ✓ |
+| sub_category | | | ✓ |
+| mime | | | ✓ |
+| domain_user_name | | | |
+| src_host | | | ✓ |
+| disposition | | | ✓ |
+| bytes_out | | | ✓ |
+| category_id | | | ✓ |
+| domain | | | ✓ |
+| action | | | ✓ |
+| result_code | | | ✓ |
+| category | | | ✓ |
+| user | | | ✓ |
Activity Types
--------------
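Review bot: `domain_user_name` is added without a Core/Detection/Informational tick although every other field in this table is Informational; classify it or drop it. The rest of the hunk only re-pads the existing rows and could be left untouched.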
diff --git a/Extensions/windows_defender.md b/Extensions/windows_defender.md
index d90a02d..bf93681 100644
--- a/Extensions/windows_defender.md
+++ b/Extensions/windows_defender.md
@@ -16,13 +16,13 @@ Activity Types
| Activity Type | Field | Status | Core | Detection | Informational |
| ------------- | --------------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | file_path | Legacy | | | ✓ |
+| alert-trigger | app | | | | |
+| | file_path | Legacy | | | ✓ |
| | file_name | Legacy | ✓ | | |
| | message_id | | | | |
| | recipient_count | | | | |
| | target | | | | |
| | result | | | | |
-| | application | | | | |
| | additional_info | | | | |
| | user_id | | | | |
| | recipients | | | | |
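Review bot: `application` is removed from the bottom of the table and `app` is added at the top, which reads as a rename; if so, keep the row in its original position so the diff is a one-line change, and say so in the commit message. Placing `app` above `file_path` also moves the `alert-trigger` label onto the new row, making it look as if the activity type itself changed.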
diff --git a/Extensions/workday.md b/Extensions/workday.md
index ef5b2e2..1e7c05f 100644
--- a/Extensions/workday.md
+++ b/Extensions/workday.md
@@ -9,11 +9,12 @@ product = "workday"
Fields
------
-| Field | Core | Detection | Informational |
-| ------ | -------- | --------- | ------------- |
-| src_ip | | ✓ | |
-| domain | | ✓ | |
-| user | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| src_ip | | ✓ | |
+| domain | | ✓ | |
+| domain_user_name | | | |
+| user | ✓ | ✓ | |
Activity Types
--------------
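Review bot: `domain_user_name` is added with no Core/Detection/Informational tick; `src_ip`, `domain` and `user` all carry Detection, so a bare row here reads as unfinished. Classify it before merge.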
diff --git a/Extensions/xerox.md b/Extensions/xerox.md
index e08d12e..3b29a79 100644
--- a/Extensions/xerox.md
+++ b/Extensions/xerox.md
@@ -9,20 +9,21 @@ product = "xerox"
Fields
------
-| Field | Core | Detection | Informational |
-| ------------- | ---- | --------- | ------------- |
-| src_ip | | | ✓ |
-| printer_type | | | ✓ |
-| document_name | | | ✓ |
-| domain | | | ✓ |
-| num_pages | | | ✓ |
-| printer_id | | | ✓ |
-| printer_name | | | ✓ |
-| src_host | | | ✓ |
-| department | | | ✓ |
-| object_id | | | ✓ |
-| user | | | ✓ |
-| object | | | ✓ |
+| Field | Core | Detection | Informational |
+| ---------------- | ---- | --------- | ------------- |
+| num_pages | | | ✓ |
+| domain_user_name | | | |
+| src_host | | | ✓ |
+| object_id | | | ✓ |
+| src_ip | | | ✓ |
+| printer_type | | | ✓ |
+| document_name | | | ✓ |
+| domain | | | ✓ |
+| printer_id | | | ✓ |
+| printer_name | | | ✓ |
+| department | | | ✓ |
+| user | | | ✓ |
+| object | | | ✓ |
Activity Types
--------------
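Review bot: besides adding `domain_user_name` (again with no category), this hunk reorders all twelve existing rows (`num_pages` moves from seventh to first, `src_ip` from first to fifth), which makes the table diff unreviewable and looks like non-deterministic generator output. Emit rows in a stable order (the original order, or sorted) so only the real change shows.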
diff --git a/Extensions/zebra_wlan_management.md b/Extensions/zebra_wlan_management.md
new file mode 100644
index 0000000..7a9059a
--- /dev/null
+++ b/Extensions/zebra_wlan_management.md
@@ -0,0 +1,23 @@
+zebra wlan management
+=====================
+
+Expression
+----------
+
+product = "zebra wlan management"
+
+Fields
+------
+
+| Field | Core | Detection | Informational |
+| ---------- | ---- | --------- | ------------- |
+| protocol | | | ✓ |
+| event_code | | | ✓ |
+
+Activity Types
+--------------
+
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ------------- | ----- | ------ | ---- | --------- | ------------- |
+| app-login | | | | | |
+
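Review bot: the Activity Types table declares `app-login` with an empty Field column, so the extension claims an activity type but maps no fields to it; either list the fields or use the wording the other extensions use for an empty section ("There are no fields for this extension."). The file also ends with a stray blank line after the table.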
diff --git a/Extensions/zeek.md b/Extensions/zeek.md
index 1f7504a..3b5b9ee 100644
--- a/Extensions/zeek.md
+++ b/Extensions/zeek.md
@@ -9,17 +9,201 @@ product = zeek
Fields
------
-There are no fields for this extension.
+| Field | Core | Detection | Informational |
+| ------------- | -------- | --------- | ------------- |
+| src_ip | ✓ | | |
+| protocol | | ✓ | |
+| connection_id | | | ✓ |
+| dest_ip | ✓ | | |
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| ------------- | --------- | ------ | -------- | --------- | ------------- |
-| alert-trigger | src_ip | Legacy | ✓ | ✓ | |
-| | src_port | Legacy | | | ✓ |
-| | protocol | Legacy | | ✓ | |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | src_host | Legacy | ✓ | ✓ | |
-| | dest_port | Legacy | | ✓ | |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| ----------------------- | ---------------------------- | ------- | -------- | --------- | ------------- |
+| alert-trigger | src_ip | Legacy | ✓ | ✓ | |
+| | src_port | Legacy | | | ✓ |
+| | protocol | Legacy | | ✓ | |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | src_host | Legacy | ✓ | ✓ | |
+| | dest_port | Legacy | | ✓ | |
+| dhcp-session | duration | | | ✓ | |
+| | src_mac | | | | ✓ |
+| | dhcp_type | | | ✓ | |
+| | lease_time | | | ✓ | |
+| | domain | | | ✓ | |
+| | dest_host | | | ✓ | |
+| | session_id | | | | ✓ |
+| | user_uids | | | | ✓ |
+| | domain_user_name | | | | |
+| | trans_id | | | | ✓ |
+| | user | Legacy | ✓ | | |
+| dns-request | query_id | | | | ✓ |
+| dns-response | AA | | | | ✓ |
+| | TTLs | | | | ✓ |
+| | qclass_name | | | | ✓ |
+| | RD | | | | ✓ |
+| | rtt | | | | ✓ |
+| | trans_id | | | | ✓ |
+| | Z | | | | ✓ |
+| | qclass | | | | ✓ |
+| | user_uid | | | | ✓ |
+| | TC | | | | ✓ |
+| | RA | | | | ✓ |
+| email-receive | rcptto | Default | | | ✓ |
+| | cc | Default | | | ✓ |
+| | session_id | Default | | | ✓ |
+| | mailfrom | Default | | | ✓ |
+| | message_id | Default | | | ✓ |
+| | in_reply_to | Default | | | ✓ |
+| | src_port | Default | | | ✓ |
+| | path | Default | | | ✓ |
+| | trans_depth | Default | | | ✓ |
+| | reply_to | Default | | | ✓ |
+| | event_name | Default | | | ✓ |
+| | dest_host | Default | | ✓ | |
+| | dest_port | Default | | | ✓ |
+| | user_agent | Default | | | ✓ |
+| endpoint-authentication | src_port | Default | | | ✓ |
+| | ticket_encryption_type | Default | | | ✓ |
+| | ticket_options | Default | | | ✓ |
+| | request_type | Default | | | ✓ |
+| | event_code | Default | | | ✓ |
+| | service_name | Default | | | ✓ |
+| | client_cert_subject | Default | | | ✓ |
+| | result_code | Default | | | ✓ |
+| | issue_time | Default | | | ✓ |
+| | expiry_time | Default | | | ✓ |
+| | dest_port | Default | | | ✓ |
+| endpoint-login | src_port | Default | | | ✓ |
+| | event_code | Default | | | ✓ |
+| | process_name | Default | | | ✓ |
+| | result_code | Default | | | ✓ |
+| | src_host | Default | | ✓ | |
+| | dest_port | Default | | | ✓ |
+| file-delete | app | | | | |
+| | mime | | | | |
+| | local_user_name | | | | |
+| | session_id | | | | |
+| | src_host | Legacy | | ✓ | |
+| | share_path | | | ✓ | |
+| | src_port | | | ✓ | |
+| | event_code | | | ✓ | |
+| | dest_host | Legacy | | ✓ | |
+| | user | Legacy | ✓ | ✓ | |
+| | operation | | | | |
+| | dest_port | | | ✓ | |
+| | object | | | | |
+| file-read | timedout | | | | ✓ |
+| | mime | | | ✓ | |
+| | local_user_name | | | | |
+| | extracted | | | ✓ | |
+| | duration | | | | ✓ |
+| | analyzers | | | | ✓ |
+| | connection_uid | | | | ✓ |
+| | event_code | | | ✓ | |
+| | hash_md5 | | | | ✓ |
+| | dest_port | | | ✓ | |
+| | app | | | | |
+| | hash_sha1 | | | | ✓ |
+| | local_orig | | | ✓ | |
+| | session_id | | | | |
+| | missed_bytes | | | | ✓ |
+| | src_host | Legacy | | ✓ | |
+| | is_orig | | | ✓ | |
+| | share_path | | | ✓ | |
+| | extracted_cutoff | | | ✓ | |
+| | overflow_bytes | | | ✓ | |
+| | src_port | | | ✓ | |
+| | hash_sha256 | | | ✓ | |
+| | depth | | | | ✓ |
+| | file_dir_id | | | | ✓ |
+| | bytes | Legacy | | ✓ | |
+| | file_id | | | | ✓ |
+| | log_source | | | | ✓ |
+| | dest_host | Legacy | | ✓ | |
+| | operation | | | | |
+| | user | Legacy | ✓ | ✓ | |
+| | extracted_size | | | ✓ | |
+| | object | | | | |
+| file-write | app | | | | |
+| | mime | | | | |
+| | local_user_name | | | | |
+| | session_id | | | | |
+| | src_host | | | | |
+| | share_path | | | ✓ | |
+| | src_port | | | ✓ | |
+| | event_code | | | ✓ | |
+| | dest_host | Legacy | | ✓ | |
+| | user | Legacy | ✓ | ✓ | |
+| | operation | | | | |
+| | dest_port | | | ✓ | |
+| | object | | | | |
+| ftp-traffic | app | Default | | | ✓ |
+| | src_port | Default | | | ✓ |
+| | mime | Default | | | ✓ |
+| | local_user_name | | | | |
+| | dest_host | Default | | ✓ | |
+| | session_id | Default | | | ✓ |
+| | src_host | Default | | ✓ | |
+| | user | Default | | ✓ | |
+| | operation | Default | | | ✓ |
+| | dest_port | Default | | | ✓ |
+| | object | Default | | | ✓ |
+| http-session | orig_filenames | Default | | | ✓ |
+| | additional_info | Default | | | ✓ |
+| | status_msg | Default | | | ✓ |
+| | proxied | Default | | | ✓ |
+| | tags | Default | | | ✓ |
+| network-session | country | Default | | | ✓ |
+| | src_interface | Default | | | ✓ |
+| | resp_pkts | Default | | | ✓ |
+| | connection_age | Default | | | ✓ |
+| | bytes_in | Default | | | ✓ |
+| | orig_bytes | Default | | | ✓ |
+| | service_name | Default | | | ✓ |
+| | resp_cc | Default | | | ✓ |
+| | local_orig | Default | | | ✓ |
+| | orig_pkts | Default | | | ✓ |
+| | orig_cc | Default | | | ✓ |
+| | mbps | Default | | | ✓ |
+| | missed_bytes | Default | | | ✓ |
+| | history | Default | | | ✓ |
+| | tunnel_parents | Default | | | ✓ |
+| | connection_state | Default | | | ✓ |
+| | duration | Default | | | ✓ |
+| | local_resp | Default | | | ✓ |
+| | resp_bytes | Default | | | ✓ |
+| | bytes_out | Default | | | ✓ |
+| | operation | Default | | | ✓ |
+| | sensor_name | Default | | | ✓ |
+| | user_uid | Default | | | ✓ |
+| network-traffic | server | Default | | | ✓ |
+| | event_code | Default | | | ✓ |
+| | service_name | Default | | | ✓ |
+| | cipher_method | Default | | | ✓ |
+| radius-traffic | result | Default | | | ✓ |
+| | response_ttl | Default | | | ✓ |
+| | user | Default | | ✓ | |
+| | framed_addr | Default | | | ✓ |
+| share-access | share_type | Default | | | ✓ |
+| | service_name | Default | | | ✓ |
+| | native_file_system | Default | | | ✓ |
+| ssh-traffic | cipher | | | ✓ | |
+| | kex_alg | | | | ✓ |
+| | mac_alg | | | | ✓ |
+| | server | | | ✓ | |
+| | host_key_alg | | | ✓ | |
+| | remote_location_longitude | | | | ✓ |
+| | compression_alg | | | | ✓ |
+| | version | | | ✓ | |
+| | remote_location_region | | | ✓ | |
+| | client_ssh_version | | | ✓ | |
+| | host_key | | | ✓ | |
+| | server_ssh_version | | | ✓ | |
+| | remote_location_city | | | | ✓ |
+| | remote_location_country_code | | | ✓ | |
+| | client | | | ✓ | |
+| | remote_location_latitude | | | | ✓ |
+| | direction | | | ✓ | |
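Review bot: several inconsistencies in this new table. `product = zeek` in the hunk header is unquoted, whereas every other extension quotes the product string. `file-write | src_host` has no Status and no tick, while `file-delete` and `file-read` give the same field `Legacy` plus Detection. The DNS rows use upper-case `AA`, `TTLs`, `RD`, `Z`, `TC`, `RA` against the snake_case used everywhere else, and `user_uid` / `user_uids` and `connection_id` / `connection_uid` look like the same field spelled two ways. Finally, `file-delete`, `file-read`, `file-write` and `ftp-traffic` each carry rows (`app`, `mime`, `local_user_name`, `session_id`, `operation`, `object`) with no classification at all.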
diff --git a/Extensions/zscaler_internet_access.md b/Extensions/zscaler_internet_access.md
index ea19958..f879c1a 100644
--- a/Extensions/zscaler_internet_access.md
+++ b/Extensions/zscaler_internet_access.md
@@ -9,61 +9,63 @@ product = "zscaler internet access"
Fields
------
-| Field | Core | Detection | Informational |
-| ------ | -------- | --------- | ------------- |
-| result | | | ✓ |
-| domain | | ✓ | |
-| user | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| result | | | ✓ |
+| domain | | ✓ | |
+| domain_user_name | | | |
+| user | ✓ | ✓ | |
Activity Types
--------------
-| Activity Type | Field | Status | Core | Detection | Informational |
-| --------------- | --------------- | ------- | -------- | --------- | ------------- |
-| alert-trigger | file_name | Legacy | ✓ | | |
-| | target | | | | |
-| | result | | | | |
-| | src_ip | Legacy | ✓ | ✓ | |
-| | dlp_dict | | | | |
-| | protocol | Legacy | | ✓ | |
-| | application | | | | |
-| | additional_info | | | | |
-| | browser | | | | |
-| | dest_ip | Legacy | ✓ | ✓ | |
-| | domain | | | | |
-| | hash_md5 | | | | |
-| | department | | | | |
-| | user | Legacy | | ✓ | |
-| | user_agent | | | | |
-| | policy | | | | |
-| app-login | src_ip | Default | | ✓ | |
-| | bytes_out | Default | | | ✓ |
-| | bytes_in | Default | | | ✓ |
-| | client_type | Default | | | ✓ |
-| dns-response | duration | | | | ✓ |
-| | rule | | | | ✓ |
-| | location | | | | ✓ |
-| | category | Legacy | | ✓ | |
-| | department | | | | ✓ |
-| http-session | risk_level | Default | | | ✓ |
-| | location | Default | | | ✓ |
-| network-session | ca_runtime | Default | | | ✓ |
-| | host_ip | Default | | | ✓ |
-| | host_bytes_out | Default | | | ✓ |
-| | bytes_in | Default | | | ✓ |
-| | policy_name | Default | | | ✓ |
-| | session_id | Default | | | ✓ |
-| | app_group | Default | | | ✓ |
-| | host_zen_code | Default | | | ✓ |
-| | session_start | Default | | | ✓ |
-| | src_zen_code | Default | | | ✓ |
-| | application | Default | | | ✓ |
-| | bytes_out | Default | | | ✓ |
-| | connection_id | Default | | | ✓ |
-| | src_country | Default | | | ✓ |
-| | host_bytes_in | Default | | | ✓ |
-| | app_learntime | Default | | | ✓ |
-| | policy_runtime | Default | | | ✓ |
-| | session_end | Default | | | ✓ |
-| | direction | Default | | | ✓ |
+| Activity Type | Field | Status | Core | Detection | Informational |
+| --------------- | ---------------- | ------- | -------- | --------- | ------------- |
+| alert-trigger | app | | | | |
+| | file_name | Legacy | ✓ | | |
+| | domain_user_name | | | | |
+| | target | | | | |
+| | result | | | | |
+| | src_ip | Legacy | ✓ | ✓ | |
+| | dlp_dict | | | | |
+| | protocol | Legacy | | ✓ | |
+| | additional_info | | | | |
+| | browser | | | | |
+| | dest_ip | Legacy | ✓ | ✓ | |
+| | domain | | | | |
+| | hash_md5 | | | | |
+| | department | | | | |
+| | user | Legacy | | ✓ | |
+| | user_agent | | | | |
+| | policy | | | | |
+| app-login | src_ip | Default | | ✓ | |
+| | bytes_out | Default | | | ✓ |
+| | bytes_in | Default | | | ✓ |
+| | client_type | Default | | | ✓ |
+| dns-response | duration | | | | ✓ |
+| | rule | | | | ✓ |
+| | location | | | | ✓ |
+| | category | Legacy | | ✓ | |
+| | department | | | | ✓ |
+| http-session | risk_level | Default | | | ✓ |
+| | location | Default | | | ✓ |
+| network-session | app | Default | | | ✓ |
+| | ca_runtime | Default | | | ✓ |
+| | host_ip | Default | | | ✓ |
+| | host_bytes_out | Default | | | ✓ |
+| | bytes_in | Default | | | ✓ |
+| | policy_name | Default | | | ✓ |
+| | session_id | Default | | | ✓ |
+| | app_group | Default | | | ✓ |
+| | host_zen_code | Default | | | ✓ |
+| | session_start | Default | | | ✓ |
+| | src_zen_code | Default | | | ✓ |
+| | bytes_out | Default | | | ✓ |
+| | connection_id | Default | | | ✓ |
+| | src_country | Default | | | ✓ |
+| | host_bytes_in | Default | | | ✓ |
+| | app_learntime | Default | | | ✓ |
+| | policy_runtime | Default | | | ✓ |
+| | session_end | Default | | | ✓ |
+| | direction | Default | | | ✓ |
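Review bot: `domain_user_name` is added twice (in Fields and under `alert-trigger`) and is unclassified both times. In `network-session` the `application` row becomes `app` and jumps from the middle of the block to the first row, which shifts the `network-session` label onto it; the `alert-trigger` block gets the same treatment. Keep renamed rows in place so the diff shows only the rename, and confirm nothing else still references `application`.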
diff --git a/Extensions/zscaler_private_access.md b/Extensions/zscaler_private_access.md
index 822140d..2c0f26f 100644
--- a/Extensions/zscaler_private_access.md
+++ b/Extensions/zscaler_private_access.md
@@ -9,11 +9,12 @@ product = "zscaler private access"
Fields
------
-| Field | Core | Detection | Informational |
-| ------ | -------- | --------- | ------------- |
-| src_ip | | ✓ | |
-| domain | | ✓ | |
-| user | ✓ | ✓ | |
+| Field | Core | Detection | Informational |
+| ---------------- | -------- | --------- | ------------- |
+| src_ip | | ✓ | |
+| domain | | ✓ | |
+| domain_user_name | | | |
+| user | ✓ | ✓ | |
Activity Types
--------------
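Review bot: `domain_user_name` is added with no Status and no category tick; the other three fields here all carry Detection. Classify it or drop it.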
diff --git a/FieldsMappings.md b/FieldsMappings.md
new file mode 100644
index 0000000..c19efac
--- /dev/null
+++ b/FieldsMappings.md
@@ -0,0 +1,257 @@
+ Field Mapping by Event
+=======================
+
+This table maps old event types to their corresponding new-scale activity types. You can do the following with this table:
+
+ - Click an old event type link to open a page that maps all of the old fields to the corresponding new-scale fields that comply with the Common Information Model.
+ - Click a new-scale activity type link to open a page that provides parameters and CDI information for the selected activity type.
+
+| Old Event Type| New-Scale Activity Type |
+| ----------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- |
+| [account-creation](FieldsMappings/account-creation_fields.md) | [user-create:success](ActivityTypes/user-create.md) |
+| [account-deleted](FieldsMappings/account-deleted_fields.md) | [user-delete:fail](ActivityTypes/user-delete.md)|
+| [account-disabled](FieldsMappings/account-disabled_fields.md) | [user-disable:success](ActivityTypes/user-disable.md) |
+| [account-enabled](FieldsMappings/account-enabled_fields.md) | [user-enable:success](ActivityTypes/user-enable.md) |
+| [account-lockout](FieldsMappings/account-lockout_fields.md) | [user-lock:fail](ActivityTypes/user-lock.md)|
+| [account-password-change](FieldsMappings/account-password-change_fields.md) | [user-password-modify:success](ActivityTypes/user-password-modify.md) |
+| [account-password-change-failed](FieldsMappings/account-password-change-failed_fields.md) | [user-password-modify:fail](ActivityTypes/user-password-modify.md)|
+| [account-password-reset](FieldsMappings/account-password-reset_fields.md) | [user-password-reset:fail](ActivityTypes/user-password-reset.md)|
+| [account-switch](FieldsMappings/account-switch_fields.md) | [user-switch:success](ActivityTypes/user-switch.md) |
+| [account-unlocked](FieldsMappings/account-unlocked_fields.md) | [user-unlock:success](ActivityTypes/user-unlock.md) |
+| [alert-iot](FieldsMappings/alert-iot_fields.md) | [alert-trigger:success](ActivityTypes/alert-trigger.md) |
+| [app-activity](FieldsMappings/app-activity_fields.md) | [app-activity:fail](ActivityTypes/app-activity.md)|
+| [app-activity-failed](FieldsMappings/app-activity-failed_fields.md) | [app-activity:fail](ActivityTypes/app-activity.md)|
+| [app-login](FieldsMappings/app-login_fields.md) | [app-authentication:success](ActivityTypes/app-authentication.md) |
+| [app-logout](FieldsMappings/app-logout_fields.md) | [app-logout:fail](ActivityTypes/app-logout.md)|
+| [audit-log-clear](FieldsMappings/audit-log-clear_fields.md) | [endpoint-notification:success](ActivityTypes/endpoint-notification.md) |
+| [audit-policy-change](FieldsMappings/audit-policy-change_fields.md) | [audit_policy-modify:success](ActivityTypes/audit_policy-modify.md) |
+| [authentication-failed](FieldsMappings/authentication-failed_fields.md) | [app-authentication:fail](ActivityTypes/app-authentication.md)|
+| [authentication-successful](FieldsMappings/authentication-successful_fields.md) | [app-authentication:success](ActivityTypes/app-authentication.md) |
+| [aws-bucket-accessblock](FieldsMappings/aws-bucket-accessblock_fields.md) | [bucket-accessblock-modify:success](ActivityTypes/bucket-accessblock-modify.md) |
+| [aws-bucket-accessblock-failed](FieldsMappings/aws-bucket-accessblock-failed_fields.md) | [bucket-accessblock-modify:fail](ActivityTypes/bucket-accessblock-modify.md)|
+| [aws-bucket-cors](FieldsMappings/aws-bucket-cors_fields.md) | [bucket-permission-modify:success](ActivityTypes/bucket-permission-modify.md) |
+| [aws-bucket-cors-failed](FieldsMappings/aws-bucket-cors-failed_fields.md) | [bucket-permission-modify:fail](ActivityTypes/bucket-permission-modify.md)|
+| [aws-bucket-create](FieldsMappings/aws-bucket-create_fields.md) | [bucket-create:success](ActivityTypes/bucket-create.md) |
+| [aws-bucket-create-failed](FieldsMappings/aws-bucket-create-failed_fields.md) | [bucket-create:fail](ActivityTypes/bucket-create.md)|
+| [aws-bucket-policy](FieldsMappings/aws-bucket-policy_fields.md) | [bucket-policy-modify:success](ActivityTypes/bucket-policy-modify.md) |
+| [aws-bucket-policy-failed](FieldsMappings/aws-bucket-policy-failed_fields.md) | [bucket-policy-modify:fail](ActivityTypes/bucket-policy-modify.md)|
+| [aws-compute-list](FieldsMappings/aws-compute-list_fields.md) | [endpoint-list:success](ActivityTypes/endpoint-list.md) |
+| [aws-compute-list-failed](FieldsMappings/aws-compute-list-failed_fields.md) | [endpoint-list:fail](ActivityTypes/endpoint-list.md)|
+| [aws-function-write](FieldsMappings/aws-function-write_fields.md) | [function-write:success](ActivityTypes/function-write.md) |
+| [aws-function-write-failed](FieldsMappings/aws-function-write-failed_fields.md) | [function-write:fail](ActivityTypes/function-write.md)|
+| [aws-general-activity](FieldsMappings/aws-general-activity_fields.md) | [app-activity:success](ActivityTypes/app-activity.md) |
+| [aws-general-activity-failed](FieldsMappings/aws-general-activity-failed_fields.md) | [app-activity:fail](ActivityTypes/app-activity.md)|
+| [aws-identity-addtogroup](FieldsMappings/aws-identity-addtogroup_fields.md) | [group-member-add:success](ActivityTypes/group-member-add.md) |
+| [aws-identity-addtogroup-failed](FieldsMappings/aws-identity-addtogroup-failed_fields.md) | [group-member-add:fail](ActivityTypes/group-member-add.md)|
+| [aws-identity-creds-write](FieldsMappings/aws-identity-creds-write_fields.md) | [user-key-create:success](ActivityTypes/user-key-create.md) |
+| [aws-identity-creds-write-failed](FieldsMappings/aws-identity-creds-write-failed_fields.md) | [user-key-create:fail](ActivityTypes/user-key-create.md)|
+| [aws-identity-list](FieldsMappings/aws-identity-list_fields.md) | [group-list:success](ActivityTypes/group-list.md) |
+| [aws-identity-list-failed](FieldsMappings/aws-identity-list-failed_fields.md) | [group-list:fail](ActivityTypes/group-list.md)|
+| [aws-identity-loginprofile](FieldsMappings/aws-identity-loginprofile_fields.md) | [app-activity:success](ActivityTypes/app-activity.md) |
+| [aws-identity-loginprofile-failed](FieldsMappings/aws-identity-loginprofile-failed_fields.md) | [app-activity:fail](ActivityTypes/app-activity.md)|
+| [aws-identity-write](FieldsMappings/aws-identity-write_fields.md) | [user-create:success](ActivityTypes/user-create.md) |
+| [aws-identity-write-failed](FieldsMappings/aws-identity-write-failed_fields.md) | [user-create:fail](ActivityTypes/user-create.md)|
+| [aws-image-create](FieldsMappings/aws-image-create_fields.md) | [image-create:success](ActivityTypes/image-create.md) |
+| [aws-image-create-failed](FieldsMappings/aws-image-create-failed_fields.md) | [image-create:fail](ActivityTypes/image-create.md)|
+| [aws-image-modify](FieldsMappings/aws-image-modify_fields.md) | [image-modify:success](ActivityTypes/image-modify.md) |
+| [aws-image-modify-failed](FieldsMappings/aws-image-modify-failed_fields.md) | [image-modify:fail](ActivityTypes/image-modify.md)|
+| [aws-instance-command](FieldsMappings/aws-instance-command_fields.md) | [app-activity:success](ActivityTypes/app-activity.md) |
+| [aws-instance-command-failed](FieldsMappings/aws-instance-command-failed_fields.md) | [app-activity:fail](ActivityTypes/app-activity.md)|
+| [aws-instance-create](FieldsMappings/aws-instance-create_fields.md) | [endpoint-create:success](ActivityTypes/endpoint-create.md) |
+| [aws-instance-create-failed](FieldsMappings/aws-instance-create-failed_fields.md) | [endpoint-create:fail](ActivityTypes/endpoint-create.md)|
+| [aws-instance-creds-read](FieldsMappings/aws-instance-creds-read_fields.md) | [key-read:success](ActivityTypes/key-read.md) |
+| [aws-instance-creds-read-failed](FieldsMappings/aws-instance-creds-read-failed_fields.md) | [key-read:fail](ActivityTypes/key-read.md)|
+| [aws-instance-creds-write](FieldsMappings/aws-instance-creds-write_fields.md) | [key-write:success](ActivityTypes/key-write.md) |
+| [aws-instance-creds-write-failed](FieldsMappings/aws-instance-creds-write-failed_fields.md) | [key-write:fail](ActivityTypes/key-write.md)|
+| [aws-instance-login](FieldsMappings/aws-instance-login_fields.md) | [endpoint-login:success](ActivityTypes/endpoint-login.md) |
+| [aws-instance-login-failed](FieldsMappings/aws-instance-login-failed_fields.md) | [endpoint-login:fail](ActivityTypes/endpoint-login.md)|
+| [aws-instance-modify](FieldsMappings/aws-instance-modify_fields.md) | [endpoint-modify:success](ActivityTypes/endpoint-modify.md) |
+| [aws-instance-modify-failed](FieldsMappings/aws-instance-modify-failed_fields.md) | [endpoint-modify:fail](ActivityTypes/endpoint-modify.md)|
+| [aws-instance-screenshot](FieldsMappings/aws-instance-screenshot_fields.md) | [app-activity:success](ActivityTypes/app-activity.md) |
+| [aws-instance-screenshot-failed](FieldsMappings/aws-instance-screenshot-failed_fields.md) | [app-activity:fail](ActivityTypes/app-activity.md)|
+| [aws-login](FieldsMappings/aws-login_fields.md) | [app-login:success](ActivityTypes/app-login.md) |
+| [aws-login-failed](FieldsMappings/aws-login-failed_fields.md) | [app-login:fail](ActivityTypes/app-login.md)|
+| [aws-policy-attach](FieldsMappings/aws-policy-attach_fields.md) | [group-policy-attach:success](ActivityTypes/group-policy-attach.md) |
+| [aws-policy-list](FieldsMappings/aws-policy-list_fields.md) | [policy-list:success](ActivityTypes/policy-list.md) |
+| [aws-policy-list-failed](FieldsMappings/aws-policy-list-failed_fields.md) | [policy-list:fail](ActivityTypes/policy-list.md)|
+| [aws-policy-setversion](FieldsMappings/aws-policy-setversion_fields.md) | [policy-modify:success](ActivityTypes/policy-modify.md) |
+| [aws-policy-setversion-failed](FieldsMappings/aws-policy-setversion-failed_fields.md) | [policy-modify:fail](ActivityTypes/policy-modify.md)|
+| [aws-policy-write](FieldsMappings/aws-policy-write_fields.md) | [policy-create:fail](ActivityTypes/policy-create.md)|
+| [aws-role-assume](FieldsMappings/aws-role-assume_fields.md) | [role-assume:success](ActivityTypes/role-assume.md) |
+| [aws-role-assume-failed](FieldsMappings/aws-role-assume-failed_fields.md) | [role-assume:fail](ActivityTypes/role-assume.md)|
+| [aws-role-assumepolicy](FieldsMappings/aws-role-assumepolicy_fields.md) | [policy-modify:success](ActivityTypes/policy-modify.md) |
+| [aws-role-switch](FieldsMappings/aws-role-switch_fields.md) | [role-assume:success](ActivityTypes/role-assume.md) |
+| [aws-role-write](FieldsMappings/aws-role-write_fields.md) | [role-create:fail](ActivityTypes/role-create.md)|
+| [aws-snapshot-create](FieldsMappings/aws-snapshot-create_fields.md) | [snapshot-create:success](ActivityTypes/snapshot-create.md) |
+| [aws-snapshot-create-failed](FieldsMappings/aws-snapshot-create-failed_fields.md) | [snapshot-create:fail](ActivityTypes/snapshot-create.md)|
+| [aws-snapshot-modify](FieldsMappings/aws-snapshot-modify_fields.md) | [snapshot-modify:success](ActivityTypes/snapshot-modify.md) |
+| [aws-snapshot-modify-failed](FieldsMappings/aws-snapshot-modify-failed_fields.md) | [snapshot-modify:fail](ActivityTypes/snapshot-modify.md)|
+| [aws-storage-acl](FieldsMappings/aws-storage-acl_fields.md) | [bucket-permission-modify:success](ActivityTypes/bucket-permission-modify.md) |
+| [aws-storage-acl-failed](FieldsMappings/aws-storage-acl-failed_fields.md) | [bucket-permission-modify:fail](ActivityTypes/bucket-permission-modify.md)|
+| [aws-storage-list](FieldsMappings/aws-storage-list_fields.md) | [bucket-list:success](ActivityTypes/bucket-list.md) |
+| [aws-storage-list-failed](FieldsMappings/aws-storage-list-failed_fields.md) | [bucket-list:fail](ActivityTypes/bucket-list.md)|
+| [aws-storageobject-copy](FieldsMappings/aws-storageobject-copy_fields.md) | [file-copy:success](ActivityTypes/file-copy.md) |
+| [aws-storageobject-copy-failed](FieldsMappings/aws-storageobject-copy-failed_fields.md) | [file-copy:fail](ActivityTypes/file-copy.md)|
+| [aws-storageobject-read](FieldsMappings/aws-storageobject-read_fields.md) | [file-read:success](ActivityTypes/file-read.md) |
+| [aws-storageobject-read-failed](FieldsMappings/aws-storageobject-read-failed_fields.md) | [file-read:fail](ActivityTypes/file-read.md)|
+| [aws-storageobject-write](FieldsMappings/aws-storageobject-write_fields.md) | [file-write:success](ActivityTypes/file-write.md) |
+| [aws-storageobject-write-failed](FieldsMappings/aws-storageobject-write-failed_fields.md) | [file-write:fail](ActivityTypes/file-write.md)|
+| [aws-volume-attach](FieldsMappings/aws-volume-attach_fields.md) | [disk-attach:success](ActivityTypes/disk-attach.md) |
+| [aws-volume-attach-failed](FieldsMappings/aws-volume-attach-failed_fields.md) | [disk-attach:fail](ActivityTypes/disk-attach.md)|
+| [aws-volume-create](FieldsMappings/aws-volume-create_fields.md) | [disk-create:success](ActivityTypes/disk-create.md) |
+| [aws-volume-create-failed](FieldsMappings/aws-volume-create-failed_fields.md) | [disk-create:fail](ActivityTypes/disk-create.md)|
+| [aws-volume-modify](FieldsMappings/aws-volume-modify_fields.md) | [disk-modify:success](ActivityTypes/disk-modify.md) |
+| [aws-volume-modify-failed](FieldsMappings/aws-volume-modify-failed_fields.md) | [disk-modify:fail](ActivityTypes/disk-modify.md)|
+| [azure-blob-read](FieldsMappings/azure-blob-read_fields.md) | [file-read:success](ActivityTypes/file-read.md) |
+| [azure-blob-write](FieldsMappings/azure-blob-write_fields.md) | [file-write:success](ActivityTypes/file-write.md) |
+| [azure-container-acl](FieldsMappings/azure-container-acl_fields.md) | [file-permission-modify:success](ActivityTypes/file-permission-modify.md) |
+| [azure-disk-write](FieldsMappings/azure-disk-write_fields.md) | [disk-write:success](ActivityTypes/disk-write.md) |
+| [azure-image-write](FieldsMappings/azure-image-write_fields.md) | [image-write:success](ActivityTypes/image-write.md) |
+| [azure-instance-creds-write](FieldsMappings/azure-instance-creds-write_fields.md) | [key-write:success](ActivityTypes/key-write.md) |
+| [azure-instance-write](FieldsMappings/azure-instance-write_fields.md) | [image-write:success](ActivityTypes/image-write.md) |
+| [azure-keyvault-read](FieldsMappings/azure-keyvault-read_fields.md) | [key-read:success](ActivityTypes/key-read.md) |
+| [azure-keyvault-write](FieldsMappings/azure-keyvault-write_fields.md) | [key-write:success](ActivityTypes/key-write.md) |
+| [azure-role-assign](FieldsMappings/azure-role-assign_fields.md) | [user-role-assign:success](ActivityTypes/user-role-assign.md) |
+| [azure-role-write](FieldsMappings/azure-role-write_fields.md) | [role-write:success](ActivityTypes/role-write.md) |
+| [azure-snapshot-write](FieldsMappings/azure-snapshot-write_fields.md) | [snapshot-write:success](ActivityTypes/snapshot-write.md) |
+| [azure-storage-list](FieldsMappings/azure-storage-list_fields.md) | [file-list:success](ActivityTypes/file-list.md) |
+| [batch-logon](FieldsMappings/batch-logon_fields.md) | [endpoint-login:fail](ActivityTypes/endpoint-login.md)|
+| [cloud-admin-activity](FieldsMappings/cloud-admin-activity_fields.md) | [app-activity:success](ActivityTypes/app-activity.md) |
+| [cloud-admin-activity-failed](FieldsMappings/cloud-admin-activity-failed_fields.md) | [app-activity:fail](ActivityTypes/app-activity.md)|
+| [computer-logon](FieldsMappings/computer-logon_fields.md) | [dhcp-session:success](ActivityTypes/dhcp-session.md) |
+| [config-change](FieldsMappings/config-change_fields.md) | [configuration-modify:fail](ActivityTypes/configuration-modify.md)|
+| [database-access](FieldsMappings/database-access_fields.md) | [database-activity:success](ActivityTypes/database-activity.md) |
+| [database-activity-failed](FieldsMappings/database-activity-failed_fields.md) | [database-activity:fail](ActivityTypes/database-activity.md)|
+| [database-alert](FieldsMappings/database-alert_fields.md) | [alert-trigger:success](ActivityTypes/alert-trigger.md) |
+| [database-delete](FieldsMappings/database-delete_fields.md) | [database-delete:success](ActivityTypes/database-delete.md) |
+| [database-failed-login](FieldsMappings/database-failed-login_fields.md) | [database-login:fail](ActivityTypes/database-login.md)|
+| [database-login](FieldsMappings/database-login_fields.md) | [database-login:success](ActivityTypes/database-login.md) |
+| [database-query](FieldsMappings/database-query_fields.md) | [database-query:fail](ActivityTypes/database-query.md)|
+| [database-update](FieldsMappings/database-update_fields.md) | [database-modify:success](ActivityTypes/database-modify.md) |
+| [dcom-activation-failed](FieldsMappings/dcom-activation-failed_fields.md) | [dcom-activate:fail](ActivityTypes/dcom-activate.md)|
+| [dlp-alert](FieldsMappings/dlp-alert_fields.md) | [alert-trigger:success](ActivityTypes/alert-trigger.md) |
+| [dlp-email-alert-in](FieldsMappings/dlp-email-alert-in_fields.md) | [email-receive:success](ActivityTypes/email-receive.md) |
+| [dlp-email-alert-in-failed](FieldsMappings/dlp-email-alert-in-failed_fields.md) | [email-receive:fail](ActivityTypes/email-receive.md)|
+| [dlp-email-alert-out](FieldsMappings/dlp-email-alert-out_fields.md) | [email-send:success](ActivityTypes/email-send.md) |
+| [dlp-email-alert-out-failed](FieldsMappings/dlp-email-alert-out-failed_fields.md) | [email-send:fail](ActivityTypes/email-send.md)|
+| [dns-query](FieldsMappings/dns-query_fields.md) | [dns-request:fail](ActivityTypes/dns-request.md)|
+| [dns-response](FieldsMappings/dns-response_fields.md) | [dns-response:fail](ActivityTypes/dns-response.md)|
+| [ds-access](FieldsMappings/ds-access_fields.md) | [ds_object-activity:success](ActivityTypes/ds_object-activity.md) |
+| [email_rule-create](FieldsMappings/email_rule-create_fields.md) | [email_rule-create:success](ActivityTypes/email_rule-create.md) |
+| [email_rule-delete](FieldsMappings/email_rule-delete_fields.md) | [email_rule-delete:success](ActivityTypes/email_rule-delete.md) |
+| [email_rule-disable](FieldsMappings/email_rule-disable_fields.md) | [app-activity:success](ActivityTypes/app-activity.md) |
+| [email_rule-enable](FieldsMappings/email_rule-enable_fields.md) | [app-activity:success](ActivityTypes/app-activity.md) |
+| [email_rule-modify](FieldsMappings/email_rule-modify_fields.md) | [email_rule-modify:success](ActivityTypes/email_rule-modify.md) |
+| [failed-app-login](FieldsMappings/failed-app-login_fields.md) | [app-login:fail](ActivityTypes/app-login.md)|
+| [failed-ds-access](FieldsMappings/failed-ds-access_fields.md) | [ds_object-activity:fail](ActivityTypes/ds_object-activity.md)|
+| [failed-logon](FieldsMappings/failed-logon_fields.md) | [endpoint-authentication:fail](ActivityTypes/endpoint-authentication.md)|
+| [failed-physical-access](FieldsMappings/failed-physical-access_fields.md) | [physical_location-access:fail](ActivityTypes/physical_location-access.md)|
+| [failed-usb-activity](FieldsMappings/failed-usb-activity_fields.md) | [peripheral_storage-activity:fail](ActivityTypes/peripheral_storage-activity.md)|
+| [failed-vpn-login](FieldsMappings/failed-vpn-login_fields.md) | [vpn-login:fail](ActivityTypes/vpn-login.md)|
+| [file-alert](FieldsMappings/file-alert_fields.md) | [alert-trigger:success](ActivityTypes/alert-trigger.md) |
+| [file-close](FieldsMappings/file-close_fields.md) | [file-close:success](ActivityTypes/file-close.md) |
+| [file-delete](FieldsMappings/file-delete_fields.md) | [file-delete:fail](ActivityTypes/file-delete.md)|
+| [file-download](FieldsMappings/file-download_fields.md) | [file-download:success](ActivityTypes/file-download.md) |
+| [file-move](FieldsMappings/file-move_fields.md) | [file-move:success](ActivityTypes/file-move.md) |
+| [file-permission-change](FieldsMappings/file-permission-change_fields.md) | [file-permission-modify:success](ActivityTypes/file-permission-modify.md) |
+| [file-read](FieldsMappings/file-read_fields.md) | [file-read:fail](ActivityTypes/file-read.md)|
+| [file-share](FieldsMappings/file-share_fields.md) | [file-share:success](ActivityTypes/file-share.md) |
+| [file-upload](FieldsMappings/file-upload_fields.md) | [file-share:success](ActivityTypes/file-share.md) |
+| [file-write](FieldsMappings/file-write_fields.md) | [file-create:success](ActivityTypes/file-create.md) |
+| [gcp-bucket-create](FieldsMappings/gcp-bucket-create_fields.md) | [bucket-create:success](ActivityTypes/bucket-create.md) |
+| [gcp-compute-list](FieldsMappings/gcp-compute-list_fields.md) | [disk-list:success](ActivityTypes/disk-list.md) |
+| [gcp-disk-attach](FieldsMappings/gcp-disk-attach_fields.md) | [disk-attach:success](ActivityTypes/disk-attach.md) |
+| [gcp-disk-create](FieldsMappings/gcp-disk-create_fields.md) | [disk-create:success](ActivityTypes/disk-create.md) |
+| [gcp-function-write](FieldsMappings/gcp-function-write_fields.md) | [function-write:success](ActivityTypes/function-write.md) |
+| [gcp-general-activity](FieldsMappings/gcp-general-activity_fields.md) | [app-activity:success](ActivityTypes/app-activity.md) |
+| [gcp-image-create](FieldsMappings/gcp-image-create_fields.md) | [image-create:success](ActivityTypes/image-create.md) |
+| [gcp-instance-create](FieldsMappings/gcp-instance-create_fields.md) | [endpoint-create:success](ActivityTypes/endpoint-create.md) |
+| [gcp-instance-screenshot](FieldsMappings/gcp-instance-screenshot_fields.md) | [endpoint-screenshot:success](ActivityTypes/endpoint-screenshot.md) |
+| [gcp-instance-setmachinetype](FieldsMappings/gcp-instance-setmachinetype_fields.md) | [endpoint-modify:success](ActivityTypes/endpoint-modify.md) |
+| [gcp-instance-setmetadata](FieldsMappings/gcp-instance-setmetadata_fields.md) | [endpoint-modify:success](ActivityTypes/endpoint-modify.md) |
+| [gcp-policy-write](FieldsMappings/gcp-policy-write_fields.md) | [bucket-permission-modify:success](ActivityTypes/bucket-permission-modify.md) |
+| [gcp-role-list](FieldsMappings/gcp-role-list_fields.md) | [role-list:success](ActivityTypes/role-list.md) |
+| [gcp-role-write](FieldsMappings/gcp-role-write_fields.md) | [role-create:success](ActivityTypes/role-create.md) |
+| [gcp-serviceaccount-creds-write](FieldsMappings/gcp-serviceaccount-creds-write_fields.md) | [user-key-create:success](ActivityTypes/user-key-create.md) |
+| [gcp-serviceaccount-write](FieldsMappings/gcp-serviceaccount-write_fields.md) | [user-create:success](ActivityTypes/user-create.md) |
+| [gcp-snapshot-create](FieldsMappings/gcp-snapshot-create_fields.md) | [snapshot-create:success](ActivityTypes/snapshot-create.md) |
+| [gcp-storage-list](FieldsMappings/gcp-storage-list_fields.md) | [bucket-list:fail](ActivityTypes/bucket-list.md)|
+| [gcp-storageobject-acl](FieldsMappings/gcp-storageobject-acl_fields.md) | [file-permission-modify:success](ActivityTypes/file-permission-modify.md) |
+| [gcp-storageobject-read](FieldsMappings/gcp-storageobject-read_fields.md) | [file-read:success](ActivityTypes/file-read.md) |
+| [gcp-storageobject-write](FieldsMappings/gcp-storageobject-write_fields.md) | [file-write:success](ActivityTypes/file-write.md) |
+| [group-role-assign](FieldsMappings/group-role-assign_fields.md) | [group-role-assign:success](ActivityTypes/group-role-assign.md) |
+| [group-role-revoke](FieldsMappings/group-role-revoke_fields.md) | [group-role-revoke:success](ActivityTypes/group-role-revoke.md) |
+| [image-loaded](FieldsMappings/image-loaded_fields.md) | [dll-load:success](ActivityTypes/dll-load.md) |
+| [kerberos-logon](FieldsMappings/kerberos-logon_fields.md) | [endpoint-authentication:success](ActivityTypes/endpoint-authentication.md) |
+| [local-logon](FieldsMappings/local-logon_fields.md) | [endpoint-login:fail](ActivityTypes/endpoint-login.md)|
+| [logout-remote](FieldsMappings/logout-remote_fields.md) | [endpoint-logout:success](ActivityTypes/endpoint-logout.md) |
+| [m365-app-activity](FieldsMappings/m365-app-activity_fields.md) | [app-activity:success](ActivityTypes/app-activity.md) |
+| [m365-app-activity-fail](FieldsMappings/m365-app-activity-fail_fields.md) | [app-activity:fail](ActivityTypes/app-activity.md)|
+| [m365-file-copy](FieldsMappings/m365-file-copy_fields.md) | [file-copy:success](ActivityTypes/file-copy.md) |
+| [m365-file-delete](FieldsMappings/m365-file-delete_fields.md) | [file-delete:success](ActivityTypes/file-delete.md) |
+| [m365-file-download](FieldsMappings/m365-file-download_fields.md) | [file-download:success](ActivityTypes/file-download.md) |
+| [m365-file-move](FieldsMappings/m365-file-move_fields.md) | [file-move:success](ActivityTypes/file-move.md) |
+| [m365-file-read](FieldsMappings/m365-file-read_fields.md) | [file-read:success](ActivityTypes/file-read.md) |
+| [m365-file-rename](FieldsMappings/m365-file-rename_fields.md) | [file-rename:success](ActivityTypes/file-rename.md) |
+| [m365-file-write](FieldsMappings/m365-file-write_fields.md) | [file-write:success](ActivityTypes/file-write.md) |
+| [m365-group-create](FieldsMappings/m365-group-create_fields.md) | [group-create:success](ActivityTypes/group-create.md) |
+| [m365-user-create](FieldsMappings/m365-user-create_fields.md) | [user-create:success](ActivityTypes/user-create.md) |
+| [m365-user-create-fail](FieldsMappings/m365-user-create-fail_fields.md) | [user-create:fail](ActivityTypes/user-create.md)|
+| [m365-user-delete](FieldsMappings/m365-user-delete_fields.md) | [user-delete:success](ActivityTypes/user-delete.md) |
+| [mailbox-item-delete](FieldsMappings/mailbox-item-delete_fields.md) | [mailbox-item-delete:success](ActivityTypes/mailbox-item-delete.md) |
+| [mailbox-item-read](FieldsMappings/mailbox-item-read_fields.md) | [mailbox-item-read:success](ActivityTypes/mailbox-item-read.md) |
+| [mailbox-modify](FieldsMappings/mailbox-modify_fields.md) | [mailbox-modify:success](ActivityTypes/mailbox-modify.md) |
+| [member-added](FieldsMappings/member-added_fields.md) | [group-member-add:success](ActivityTypes/group-member-add.md) |
+| [member-removed](FieldsMappings/member-removed_fields.md) | [group-member-remove:success](ActivityTypes/group-member-remove.md) |
+| [nac-failed-logon](FieldsMappings/nac-failed-logon_fields.md) | [endpoint-authentication:fail](ActivityTypes/endpoint-authentication.md)|
+| [nac-logon](FieldsMappings/nac-logon_fields.md) | [endpoint-authentication:success](ActivityTypes/endpoint-authentication.md) |
+| [netflow-connection](FieldsMappings/netflow-connection_fields.md) | [network-session:success](ActivityTypes/network-session.md) |
+| [network-alert](FieldsMappings/network-alert_fields.md) | [alert-trigger:success](ActivityTypes/alert-trigger.md) |
+| [network-connection-failed](FieldsMappings/network-connection-failed_fields.md) | [network-close:success](ActivityTypes/network-close.md) |
+| [network-connection-successful](FieldsMappings/network-connection-successful_fields.md) | [dns-traffic:success](ActivityTypes/dns-traffic.md) |
+| [network-info](FieldsMappings/network-info_fields.md) | [network-notification:success](ActivityTypes/network-notification.md) |
+| [ntlm-logon](FieldsMappings/ntlm-logon_fields.md) | [endpoint-authentication:success](ActivityTypes/endpoint-authentication.md) |
+| [physical-access](FieldsMappings/physical-access_fields.md) | [physical_location-access:success](ActivityTypes/physical_location-access.md) |
+| [print-activity](FieldsMappings/print-activity_fields.md) | [printer-activity:success](ActivityTypes/printer-activity.md) |
+| [privileged-access](FieldsMappings/privileged-access_fields.md) | [user-privilege-assign:success](ActivityTypes/user-privilege-assign.md) |
+| [privileged-object-access](FieldsMappings/privileged-object-access_fields.md) | [user-privilege-use:success](ActivityTypes/user-privilege-use.md) |
+| [process-alert](FieldsMappings/process-alert_fields.md) | [alert-trigger:success](ActivityTypes/alert-trigger.md) |
+| [process-created](FieldsMappings/process-created_fields.md) | [process-create:success](ActivityTypes/process-create.md) |
+| [process-created-failed](FieldsMappings/process-created-failed_fields.md) | [process-create:fail](ActivityTypes/process-create.md)|
+| [process-network](FieldsMappings/process-network_fields.md) | [network-session:success](ActivityTypes/network-session.md) |
+| [process-network-failed](FieldsMappings/process-network-failed_fields.md) | [network-session:fail](ActivityTypes/network-session.md)|
+| [registry-write](FieldsMappings/registry-write_fields.md) | [registry-create:success](ActivityTypes/registry-create.md) |
+| [remote-access](FieldsMappings/remote-access_fields.md) | [endpoint-login:fail](ActivityTypes/endpoint-login.md)|
+| [remote-logon](FieldsMappings/remote-logon_fields.md) | [endpoint-login:fail](ActivityTypes/endpoint-login.md)|
+| [security-alert](FieldsMappings/security-alert_fields.md) | [alert-trigger:success](ActivityTypes/alert-trigger.md) |
+| [service-created](FieldsMappings/service-created_fields.md) | [service-create:success](ActivityTypes/service-create.md) |
+| [service-logon](FieldsMappings/service-logon_fields.md) | [endpoint-login:success](ActivityTypes/endpoint-login.md) |
+| [share-access](FieldsMappings/share-access_fields.md) | [share-access:success](ActivityTypes/share-access.md) |
+| [share-access-denied](FieldsMappings/share-access-denied_fields.md) | [share-access:fail](ActivityTypes/share-access.md)|
+| [share_link-create](FieldsMappings/share_link-create_fields.md) | [app-activity:success](ActivityTypes/app-activity.md) |
+| [share_link-member-add](FieldsMappings/share_link-member-add_fields.md) | [app-activity:success](ActivityTypes/app-activity.md) |
+| [share_link-modify](FieldsMappings/share_link-modify_fields.md) | [app-activity:success](ActivityTypes/app-activity.md) |
+| [share_link-use](FieldsMappings/share_link-use_fields.md) | [share_link-open:success](ActivityTypes/share_link-open.md) |
+| [system-info](FieldsMappings/system-info_fields.md) | [certificate-request:success](ActivityTypes/certificate-request.md) |
+| [task-created](FieldsMappings/task-created_fields.md) | [scheduled_task-create:success](ActivityTypes/scheduled_task-create.md) |
+| [usb-activity](FieldsMappings/usb-activity_fields.md) | [peripheral_storage-activity:success](ActivityTypes/peripheral_storage-activity.md) |
+| [usb-insert](FieldsMappings/usb-insert_fields.md) | [peripheral_storage-insert:success](ActivityTypes/peripheral_storage-insert.md) |
+| [usb-read](FieldsMappings/usb-read_fields.md) | [file-read:success](ActivityTypes/file-read.md) |
+| [usb-write](FieldsMappings/usb-write_fields.md) | [file-write:success](ActivityTypes/file-write.md) |
+| [user-role-assign](FieldsMappings/user-role-assign_fields.md) | [user-role-assign:success](ActivityTypes/user-role-assign.md) |
+| [user-role-revoke](FieldsMappings/user-role-revoke_fields.md) | [user-role-revoke:success](ActivityTypes/user-role-revoke.md) |
+| [vpn-connection](FieldsMappings/vpn-connection_fields.md) | [vpn-login:fail](ActivityTypes/vpn-login.md)|
+| [vpn-login](FieldsMappings/vpn-login_fields.md) | [vpn-login:success](ActivityTypes/vpn-login.md) |
+| [vpn-logout](FieldsMappings/vpn-logout_fields.md) | [vpn-logout:success](ActivityTypes/vpn-logout.md) |
+| [web-activity-allowed](FieldsMappings/web-activity-allowed_fields.md) | [http-session:success](ActivityTypes/http-session.md) |
+| [web-activity-denied](FieldsMappings/web-activity-denied_fields.md) | [http-session:fail](ActivityTypes/http-session.md)|
+| [web-meeting-created](FieldsMappings/web-meeting-created_fields.md) | [meeting-create:success](ActivityTypes/meeting-create.md) |
+| [web-meeting-ended](FieldsMappings/web-meeting-ended_fields.md) | [meeting-end:success](ActivityTypes/meeting-end.md) |
+| [web-meeting-participant-joined](FieldsMappings/web-meeting-participant-joined_fields.md) | [meeting-member-join:success](ActivityTypes/meeting-member-join.md) |
+| [web-meeting-started](FieldsMappings/web-meeting-started_fields.md) | [meeting-start:success](ActivityTypes/meeting-start.md) |
+| [web-meeting-updated](FieldsMappings/web-meeting-updated_fields.md) | [meeting-modify:success](ActivityTypes/meeting-modify.md) |
+| [webconference-login](FieldsMappings/webconference-login_fields.md) | [app-login:success](ActivityTypes/app-login.md) |
+| [webconference-operations-activity](FieldsMappings/webconference-operations-activity_fields.md) | [app-activity:success](ActivityTypes/app-activity.md) |
+| [winsession-disconnect](FieldsMappings/winsession-disconnect_fields.md) | [endpoint-logout:success](ActivityTypes/endpoint-logout.md) |
+| [workstation-locked](FieldsMappings/workstation-locked_fields.md) | [endpoint-lock:success](ActivityTypes/endpoint-lock.md) |
+| [workstation-unlocked](FieldsMappings/workstation-unlocked_fields.md) | [endpoint-unlock:success](ActivityTypes/endpoint-unlock.md) |
\ No newline at end of file
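Review bot: several rows in this hunk assign a `:fail` outcome to event types whose names carry no failure sense, while their explicit failure counterparts already exist: `batch-logon`, `local-logon`, `remote-logon` and `remote-access` all map to `endpoint-login:fail` (compare `service-logon` to `endpoint-login:success` and `failed-logon` to `endpoint-authentication:fail`), and the same pattern shows up in `config-change` to `configuration-modify:fail`, `database-query` to `database-query:fail`, `dns-query` to `dns-request:fail`, `dns-response` to `dns-response:fail`, `file-delete` to `file-delete:fail`, `file-read` to `file-read:fail`, `gcp-storage-list` to `bucket-list:fail` and `vpn-connection` to `vpn-login:fail`; each of these looks like it should be `:success`. A few rows also point at an activity type that does not match the event: `network-connection-successful` to `dns-traffic:success`, `network-connection-failed` to `network-close:success`, `computer-logon` to `dhcp-session:success` and `system-info` to `certificate-request:success`. Please re-check those against the activity type definitions. Style: the `:fail` rows drop the space before the closing `|` (`...disk-attach.md)|`) while the `:success` rows keep it, and the file is written without a trailing newline.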
diff --git a/FieldsMappings/account-creation_fields.md b/FieldsMappings/account-creation_fields.md
new file mode 100644
index 0000000..d8379d5
--- /dev/null
+++ b/FieldsMappings/account-creation_fields.md
@@ -0,0 +1,57 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: account-creation
+### New-Scale Activity Type: user-create:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| account_used_domain,
account_domain | account_domain |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
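Review bot: the rows whose Old Fields cell lists several legacy names are broken across lines (for example `| account_used_domain,` followed by `account_domain | account_domain |`), and Markdown tables do not support multi-line rows, so everything from `account_used_domain` onward will render as plain text rather than table rows; keep each row on one line and separate the alternatives with `, ` or `<br>`. The legacy name `directory` is also mapped twice, once to `file_dir` (with `file_dir`, `file_parent`, `f_parent`) and once to `process_dir` (with `process_directory`), so a converter cannot pick a target for it; drop it from one of the two rows. Please confirm `bytes_recieved` is the real legacy spelling and not a typo for `bytes_received`, since a mapping keyed on a misspelt name will silently miss the field.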
diff --git a/FieldsMappings/account-deleted_fields.md b/FieldsMappings/account-deleted_fields.md
new file mode 100644
index 0000000..abaf9ba
--- /dev/null
+++ b/FieldsMappings/account-deleted_fields.md
@@ -0,0 +1,57 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: account-deleted
+### New-Scale Activity Type: user-delete:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| account_id,
account_used_id | account_id |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
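Review bot: the New-Scale Activity Type for `account-deleted` is given as `user-delete:fail`, but nothing in the old event name indicates a failed deletion, and the sibling `account-creation` file maps to `user-create:success`; this should almost certainly be `user-delete:success`, otherwise every successful account deletion will be normalized as a failure. The same two table problems as in `account-creation_fields.md` apply here: multi-name rows are split across lines starting at `| account_id,` / `account_used_id | account_id |`, which breaks the Markdown table, and `directory` is mapped to both `file_dir` and `process_dir`.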
diff --git a/FieldsMappings/account-disabled_fields.md b/FieldsMappings/account-disabled_fields.md
new file mode 100644
index 0000000..92e5555
--- /dev/null
+++ b/FieldsMappings/account-disabled_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: account-disabled
+### New-Scale Activity Type: user-disable:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
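Review bot: this file has no `account_domain` or `account_id` row, unlike `account-creation_fields.md` (`account_used_domain, account_domain`) and `account-deleted_fields.md` (`account_id, account_used_id`); if the disable event carries either legacy field, the mapping is incomplete, so please confirm the omission is intended. As in the other new files, the multi-name rows from `| bytes,` onward are split across lines and will not render as table rows, and `directory` is mapped to both `file_dir` and `process_dir`.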
diff --git a/FieldsMappings/account-enabled_fields.md b/FieldsMappings/account-enabled_fields.md
new file mode 100644
index 0000000..6926cdb
--- /dev/null
+++ b/FieldsMappings/account-enabled_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: account-enabled
+### New-Scale Activity Type: user-enable:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
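Review bot: same remarks as for `account-disabled_fields.md`: no `account_domain`/`account_id` row although the creation and deletion files carry one, the multi-name rows from `| bytes,` onward are split across lines and break the Markdown table, and `directory` is mapped to both `file_dir` and `process_dir`. If the enable/disable files are meant to be identical apart from the activity type, consider generating them from one template so these rows cannot drift.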
diff --git a/FieldsMappings/account-lockout_fields.md b/FieldsMappings/account-lockout_fields.md
new file mode 100644
index 0000000..4eccd4d
--- /dev/null
+++ b/FieldsMappings/account-lockout_fields.md
@@ -0,0 +1,58 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: account-lockout
+### New-Scale Activity Type: user-lock:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| sid,
user_sid,
sid_user | user_sid |
\ No newline at end of file
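Review bot: `user_sid` is mapped twice in this file, to `dest_user_sid` in the row `user_sid, target_user_sid | dest_user_sid |` and to `user_sid` in the final row `sid, user_sid, sid_user | user_sid |`; a lockout event has a single SID for the locked account, so decide whether it is the destination user or the subject and keep it in one row only. The activity type `user-lock:fail` is also questionable: the `account-lockout` event records that a lock took effect, so `:success` looks like the intended outcome unless this event is emitted only when a lock attempt fails. The added row pair `logon_type | login_type` and `login_type | login_type_text` is fine but deserves a one-line note in the table explaining that the numeric legacy `logon_type` and the textual legacy `login_type` go to different targets, since the near-identical names invite mistakes. Multi-name rows are again split across lines and `directory` is mapped to both `file_dir` and `process_dir`.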
diff --git a/FieldsMappings/account-password-change-failed_fields.md b/FieldsMappings/account-password-change-failed_fields.md
new file mode 100644
index 0000000..dfddb19
--- /dev/null
+++ b/FieldsMappings/account-password-change-failed_fields.md
@@ -0,0 +1,59 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: account-password-change-failed
+### New-Scale Activity Type: user-password-modify:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| dest_service | dest_service_name |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| account_id,
account_used_id | account_id |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
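Review bot: for a `:fail` activity type this table has no `failure_code` / `failure_reason` row, while the sibling success mapping in account-password-change_fields.md does; the rows look swapped between the two files. `reason` is only routed to `result_reason` here, so a failed password change loses its failure code. Also `directory` is mapped to both `file_dir` and `process_dir`, `user_sid` only to `dest_user_sid` (no plain `user_sid` row), and `bytes_recieved` should be confirmed as the legacy spelling rather than a typo in the mapping.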
diff --git a/FieldsMappings/account-password-change_fields.md b/FieldsMappings/account-password-change_fields.md
new file mode 100644
index 0000000..0fefd7a
--- /dev/null
+++ b/FieldsMappings/account-password-change_fields.md
@@ -0,0 +1,60 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: account-password-change
+### New-Scale Activity Type: user-password-modify:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| dest_service | dest_service_name |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| account_id,
account_used_id | account_id |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| failure_code,
failure_reason,
reason | failure_code |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
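Review bot: `reason` is mapped twice, to `result_reason` and, in `failure_code, failure_reason, reason | failure_code`, to `failure_code`; a `:success` activity type should not normally carry a `failure_code` row at all, and this row most likely belongs in account-password-change-failed_fields.md. The `directory` ambiguity (`file_dir` versus `process_dir`) is repeated from the other tables.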
diff --git a/FieldsMappings/account-password-reset_fields.md b/FieldsMappings/account-password-reset_fields.md
new file mode 100644
index 0000000..b87dbfa
--- /dev/null
+++ b/FieldsMappings/account-password-reset_fields.md
@@ -0,0 +1,58 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: account-password-reset
+### New-Scale Activity Type: user-password-reset:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| dest_service | dest_service_name |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| account_id,
account_used_id | account_id |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
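Review bot: the outcome suffix looks wrong: old event type `account-password-reset` carries no `-failed` suffix yet is mapped to `user-password-reset:fail`. By the convention used elsewhere in this change (`account-password-change` → `user-password-modify:success`, `account-password-change-failed` → `user-password-modify:fail`) this should be `user-password-reset:success`, unless a separate failed-reset mapping is planned, in which case that file is missing.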
diff --git a/FieldsMappings/account-switch_fields.md b/FieldsMappings/account-switch_fields.md
new file mode 100644
index 0000000..0fdb5c9
--- /dev/null
+++ b/FieldsMappings/account-switch_fields.md
@@ -0,0 +1,61 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: account-switch
+### New-Scale Activity Type: user-switch:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| dest_service | dest_service_name |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| account_id,
account_used_id | account_id |
+| account_logon_guid,
account_login_guid | account_login_guid |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_guid,
target_process_guid | process_guid |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| user_logon_guid,
user_login_guid | user_login_guid |
\ No newline at end of file
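Review bot: a user-switch event has two principals, but `user_sid, target_user_sid | dest_user_sid` sends the caller's SID to the destination field and there is no row landing anything in `user_sid`; keep `target_user_sid` → `dest_user_sid` and route `user_sid` (with `sid`) to `user_sid` as the first table in this change does. `process_guid, target_process_guid | process_guid` raises the same source-versus-target question, and `directory` is again under both `file_dir` and `process_dir`.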
diff --git a/FieldsMappings/account-unlocked_fields.md b/FieldsMappings/account-unlocked_fields.md
new file mode 100644
index 0000000..274598a
--- /dev/null
+++ b/FieldsMappings/account-unlocked_fields.md
@@ -0,0 +1,57 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: account-unlocked
+### New-Scale Activity Type: user-unlock:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| user_ou,
account_ou | user_ou |
\ No newline at end of file
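Review bot: this table drops `dest_service | dest_service_name` and the `account_id, account_used_id | account_id` row that the other account-* mappings carry; if unlock events genuinely never have them that should be stated, otherwise the rows should be restored so an unlock performed through a service is attributed the same way as a lock. `directory` is mapped to both `file_dir` and `process_dir` here as well.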
diff --git a/FieldsMappings/alert-iot_fields.md b/FieldsMappings/alert-iot_fields.md
new file mode 100644
index 0000000..c9dade3
--- /dev/null
+++ b/FieldsMappings/alert-iot_fields.md
@@ -0,0 +1,58 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: alert-iot
+### New-Scale Activity Type: alert-trigger:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
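Review bot: an alert-trigger event usually has no target user, yet `user_sid, target_user_sid | dest_user_sid` is the only SID row, so the triggering user's SID would be recorded as the destination; `user_sid` should land in `user_sid` and only `target_user_sid` in `dest_user_sid`. `directory` is again mapped to both `file_dir` and `process_dir`, and the multi-line cells need joining onto one line to render as table rows.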
diff --git a/FieldsMappings/app-activity-failed_fields.md b/FieldsMappings/app-activity-failed_fields.md
new file mode 100644
index 0000000..9253ac6
--- /dev/null
+++ b/FieldsMappings/app-activity-failed_fields.md
@@ -0,0 +1,68 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: app-activity-failed
+### New-Scale Activity Type: app-activity:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| action,
activity_action | action |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| http_response_code,
result,
response_code,
result_code | http_response_code |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| user_logon_guid,
user_login_guid | user_login_guid |
+| uid,
user_uid,
uuid | user_uid |
\ No newline at end of file
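Review bot: `result` is mapped to two targets, `http_response_code, result, response_code, result_code | http_response_code` and `result, outcome | result`; a failed app activity whose legacy `result` is a word such as `denied` would be coerced into an HTTP status field. Restrict the first row to `http_response_code, response_code, result_code`. `uid, user_uid, uuid | user_uid` also conflates a user id with a UUID; confirm that `uuid` really carries the user id in the legacy data before merging it.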
diff --git a/FieldsMappings/app-activity_fields.md b/FieldsMappings/app-activity_fields.md
new file mode 100644
index 0000000..796cc18
--- /dev/null
+++ b/FieldsMappings/app-activity_fields.md
@@ -0,0 +1,71 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: app-activity
+### New-Scale Activity Type: app-activity:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| action,
activity_action | action |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| http_response_code,
result,
response_code,
result_code | http_response_code |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| account_dn,
user_dn | user_dn |
+| user_id,
sid | user_id |
+| account_type,
user_type | user_type |
\ No newline at end of file
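Review bot: the activity type is wrong: `app-activity` (no `-failed` suffix) is mapped to `app-activity:fail`, the same target as app-activity-failed_fields.md; it should be `app-activity:success`. The `result` double mapping (`http_response_code` and `result`) from the failed variant is repeated here, and `user_id, sid | user_id` disagrees with app-login_fields.md, where `sid, user_sid, user_id | user_sid`; `sid` needs one target across all tables.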
diff --git a/FieldsMappings/app-login_fields.md b/FieldsMappings/app-login_fields.md
new file mode 100644
index 0000000..90d195e
--- /dev/null
+++ b/FieldsMappings/app-login_fields.md
@@ -0,0 +1,63 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: app-login
+### New-Scale Activity Type: app-authentication:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| group_name,
group | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| login_type,
logon_type,
logon_type_text | login_type_text |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| url,
full_url | url |
+| sid,
user_sid,
user_id | user_sid |
\ No newline at end of file
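Review bot: `logon_type` is mapped twice, to `login_type` (`logon_type | login_type`) and to `login_type_text` (`login_type, logon_type, logon_type_text | login_type_text`), and `user_sid` twice, to `dest_user_sid` and to `user_sid`. For an authentication event the numeric Windows logon type should stay in `login_type` with only `logon_type_text` / `login_type` feeding `login_type_text`, and the authenticating user's SID should go to `user_sid`, leaving `target_user_sid` alone for `dest_user_sid`.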
diff --git a/FieldsMappings/app-logout_fields.md b/FieldsMappings/app-logout_fields.md
new file mode 100644
index 0000000..3f92614
--- /dev/null
+++ b/FieldsMappings/app-logout_fields.md
@@ -0,0 +1,63 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: app-logout
+### New-Scale Activity Type: app-logout:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| group_name,
group | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| login_type,
logon_type,
logon_type_text | login_type_text |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| url,
full_url | url |
+| sid,
user_sid,
user_id | user_sid |
\ No newline at end of file
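Review bot: `app-logout` is mapped to `app-logout:fail` although the old event type carries no failure suffix; by the convention in the rest of this change it should be `app-logout:success`. The duplicated `logon_type` (`login_type` and `login_type_text`) and `user_sid` (`dest_user_sid` and `user_sid`) mappings from app-login_fields.md are copied here unchanged and need the same fix.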
diff --git a/FieldsMappings/audit-log-clear_fields.md b/FieldsMappings/audit-log-clear_fields.md
new file mode 100644
index 0000000..d0d3cc3
--- /dev/null
+++ b/FieldsMappings/audit-log-clear_fields.md
@@ -0,0 +1,57 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: audit-log-clear
+### New-Scale Activity Type: endpoint-notification:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| policy | audit_policy_name |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
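Review bot: mapping `audit-log-clear` to `endpoint-notification:success` throws away the one property that makes this event valuable to detection, a cleared audit log being a standard defense-evasion indicator; if no dedicated activity type exists, say so in the file so the choice is not mistaken for an error. The `policy | audit_policy_name` row (every other table here uses `policy | policy_name`) and the missing `record_id | event_id` row suggest this was derived from the audit-policy mapping; `event_id` should be restored.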
diff --git a/FieldsMappings/audit-policy-change_fields.md b/FieldsMappings/audit-policy-change_fields.md
new file mode 100644
index 0000000..0ee3726
--- /dev/null
+++ b/FieldsMappings/audit-policy-change_fields.md
@@ -0,0 +1,57 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: audit-policy-change
+### New-Scale Activity Type: audit_policy-modify:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| policy | audit_policy_name |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| login_type,
logon_type,
logon_type_text | login_type_text |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
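Review bot: `record_id | event_id` and `logon_type | login_type` are absent from this table although the neighbouring mappings carry them; with `logon_type` routed only into `login_type_text`, the numeric logon type of the account that changed the audit policy is lost. `directory` is again mapped to both `file_dir` and `process_dir`.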
diff --git a/FieldsMappings/authentication-failed_fields.md b/FieldsMappings/authentication-failed_fields.md
new file mode 100644
index 0000000..f63d2e5
--- /dev/null
+++ b/FieldsMappings/authentication-failed_fields.md
@@ -0,0 +1,64 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: authentication-failed
+### New-Scale Activity Type: app-authentication:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| failure_code,
failure_reason,
reason | failure_code |
+| failure_reason,
reason | failure_reason |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| group_name,
group | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| account_dn,
user_dn | user_dn |
\ No newline at end of file
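Review bot: the old field `reason` is given three targets in this table, `result_reason` (the `reason | result_reason` row), `failure_code` (`failure_code, failure_reason, reason | failure_code`) and `failure_reason` (`failure_reason, reason | failure_reason`), and `failure_reason` itself targets both `failure_code` and `failure_reason`. Detection content keyed on `failure_reason` and content keyed on `result_reason` will see different values depending on which row the parser applies first, so please reduce each old field to one target or document the precedence. `directory` has the same double mapping (`file_dir` and `process_dir`) as the previous table, and `bytes_recieved` and the missing trailing newline apply here too.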
diff --git a/FieldsMappings/authentication-successful_fields.md b/FieldsMappings/authentication-successful_fields.md
new file mode 100644
index 0000000..66aaaa1
--- /dev/null
+++ b/FieldsMappings/authentication-successful_fields.md
@@ -0,0 +1,64 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: authentication-successful
+### New-Scale Activity Type: app-authentication:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| database_name,
db_name | db_name |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| group_name,
group | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| login_type,
logon_type_text,
logon_type | login_type_text |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| account_dn,
user_dn | user_dn |
+| sid,
user_sid | user_sid |
\ No newline at end of file
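Review bot: `logon_type` maps to both `login_type` (`logon_type | login_type`) and `login_type_text` (`login_type, logon_type_text, logon_type | login_type_text`), and `user_sid` maps to both `dest_user_sid` (`user_sid, target_user_sid | dest_user_sid`) and `user_sid` (`sid, user_sid | user_sid`). For an authentication event the subject/target distinction matters: a successful logon whose `user_sid` lands in `dest_user_sid` instead of `user_sid` changes which account the event is attributed to, so pick one target per old field or state the precedence. `directory` has the same `file_dir`/`process_dir` overlap as the other tables, and `bytes_recieved` and the missing trailing newline should be fixed here as well.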
diff --git a/FieldsMappings/aws-bucket-accessblock-failed_fields.md b/FieldsMappings/aws-bucket-accessblock-failed_fields.md
new file mode 100644
index 0000000..68bfd0c
--- /dev/null
+++ b/FieldsMappings/aws-bucket-accessblock-failed_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-bucket-accessblock-failed
+### New-Scale Activity Type: bucket-accessblock-modify:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
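Review bot: this fail table maps `reason` only to `result_reason`, whereas authentication-failed_fields.md in the same patch also routes it to `failure_reason`/`failure_code`; if bucket-accessblock-modify:fail events carry a failure reason, the doc should say which new field receives it so that failed and successful calls can be told apart by more than the activity type suffix. `directory` again appears under both `file_dir` and `process_dir`. Since the aws-* tables in this patch differ only in their two heading lines, consider generating them from one template so a fix such as `bytes_recieved` is applied once rather than per file. Missing trailing newline.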
diff --git a/FieldsMappings/aws-bucket-accessblock_fields.md b/FieldsMappings/aws-bucket-accessblock_fields.md
new file mode 100644
index 0000000..40de7c0
--- /dev/null
+++ b/FieldsMappings/aws-bucket-accessblock_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-bucket-accessblock
+### New-Scale Activity Type: bucket-accessblock-modify:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
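Review bot: identical row set to aws-bucket-accessblock-failed_fields.md above, so the same comments apply: `directory` maps to both `file_dir` and `process_dir`, `bytes_recieved` is probably a typo, and the file lacks a trailing newline. If the success and fail tables are meant to be the same apart from the heading, a one-line note saying so would save readers diffing them.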
diff --git a/FieldsMappings/aws-bucket-cors-failed_fields.md b/FieldsMappings/aws-bucket-cors-failed_fields.md
new file mode 100644
index 0000000..5431ad2
--- /dev/null
+++ b/FieldsMappings/aws-bucket-cors-failed_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-bucket-cors-failed
+### New-Scale Activity Type: bucket-permission-modify:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
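Review bot: the heading maps `aws-bucket-cors-failed` to the generic `bucket-permission-modify:fail`, while `aws-bucket-policy-failed` in this same patch gets its own `bucket-policy-modify:fail`; please confirm that CORS changes are meant to share the broad permission-modify type rather than a dedicated one, since analysts searching that activity type will then see CORS changes mixed with whatever else lands there. The row-level issues from the earlier tables (`directory` under both `file_dir` and `process_dir`, `bytes_recieved`, missing trailing newline) apply here too.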
diff --git a/FieldsMappings/aws-bucket-cors_fields.md b/FieldsMappings/aws-bucket-cors_fields.md
new file mode 100644
index 0000000..b34d618
--- /dev/null
+++ b/FieldsMappings/aws-bucket-cors_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-bucket-cors
+### New-Scale Activity Type: bucket-permission-modify:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
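Review bot: same rows as aws-bucket-cors-failed_fields.md, so the `directory` double mapping (`file_dir` and `process_dir`), the `bytes_recieved` spelling and the missing trailing newline should be fixed here together with that file.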
diff --git a/FieldsMappings/aws-bucket-create-failed_fields.md b/FieldsMappings/aws-bucket-create-failed_fields.md
new file mode 100644
index 0000000..4e52955
--- /dev/null
+++ b/FieldsMappings/aws-bucket-create-failed_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-bucket-create-failed
+### New-Scale Activity Type: bucket-create:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
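Review bot: the table for a bucket-create API event carries host-centric rows such as `process_path`, `parent_process_command_line`, `src_mac` and `hash_sha256`, which a cloud control-plane log will not populate; either trim the table to the fields this event actually emits or state up front that these files list the generic superset, otherwise readers will expect process context on bucket events that never have it. The `directory` overlap, `bytes_recieved` and the missing trailing newline apply as in the earlier tables.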
diff --git a/FieldsMappings/aws-bucket-create_fields.md b/FieldsMappings/aws-bucket-create_fields.md
new file mode 100644
index 0000000..9664c5b
--- /dev/null
+++ b/FieldsMappings/aws-bucket-create_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-bucket-create
+### New-Scale Activity Type: bucket-create:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
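Review bot: identical to aws-bucket-create-failed_fields.md apart from the heading; same fixes needed (`directory` mapped to both `file_dir` and `process_dir`, `bytes_recieved`, trailing newline).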
diff --git a/FieldsMappings/aws-bucket-policy-failed_fields.md b/FieldsMappings/aws-bucket-policy-failed_fields.md
new file mode 100644
index 0000000..4921a4d
--- /dev/null
+++ b/FieldsMappings/aws-bucket-policy-failed_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-bucket-policy-failed
+### New-Scale Activity Type: bucket-policy-modify:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
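Review bot: for a bucket-policy-modify event the `policy | policy_name` row deserves a sentence on what the old `policy` field holds; if it carries the policy document rather than a name, mapping it to `policy_name` loses the content an analyst would want when reviewing a failed or successful policy change. The `directory` double mapping, `bytes_recieved` and the missing trailing newline apply here as in the other aws-* tables.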
diff --git a/FieldsMappings/aws-bucket-policy_fields.md b/FieldsMappings/aws-bucket-policy_fields.md
new file mode 100644
index 0000000..e358c2f
--- /dev/null
+++ b/FieldsMappings/aws-bucket-policy_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-bucket-policy
+### New-Scale Activity Type: bucket-policy-modify:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
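Review bot: same rows as aws-bucket-policy-failed_fields.md; the `policy | policy_name` question, the `directory` overlap (`file_dir` and `process_dir`), `bytes_recieved` and the trailing newline should be addressed together with that file.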
diff --git a/FieldsMappings/aws-compute-list-failed_fields.md b/FieldsMappings/aws-compute-list-failed_fields.md
new file mode 100644
index 0000000..bb75a16
--- /dev/null
+++ b/FieldsMappings/aws-compute-list-failed_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-compute-list-failed
+### New-Scale Activity Type: endpoint-list:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
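Review bot: the heading renames `aws-compute-list-failed` to `endpoint-list:fail`, which drops the cloud/compute qualifier from the activity type; a short note on whether `endpoint-list` is meant to cover both cloud instance enumeration and on-host endpoint listing would help people writing detections against the new type. Row-level issues are the same as in the other aws-* tables (`directory` mapped to both `file_dir` and `process_dir`, `bytes_recieved`, no trailing newline).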
diff --git a/FieldsMappings/aws-compute-list_fields.md b/FieldsMappings/aws-compute-list_fields.md
new file mode 100644
index 0000000..184c00d
--- /dev/null
+++ b/FieldsMappings/aws-compute-list_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-compute-list
+### New-Scale Activity Type: endpoint-list:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
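Review bot: identical rows to aws-compute-list-failed_fields.md; same fixes (`directory` double mapping, `bytes_recieved`, trailing newline).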
diff --git a/FieldsMappings/aws-function-write-failed_fields.md b/FieldsMappings/aws-function-write-failed_fields.md
new file mode 100644
index 0000000..3a386a1
--- /dev/null
+++ b/FieldsMappings/aws-function-write-failed_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-function-write-failed
+### New-Scale Activity Type: function-write:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
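Review bot: the row `| bytes_in, bytes_recieved | bytes_in |` carries a misspelt alias; confirm that `bytes_recieved` is the exact legacy field name rather than a typo in the mapping, and if it really is the legacy spelling add a short note so nobody later "corrects" it and silently breaks the mapping. In the same table the row `| bytes, bytes_num, bytes_size, file_size | bytes |` folds a file size into the byte-count field; if `bytes` is also the transfer-volume field, any rule that thresholds on it will start firing on file sizes after migration, so consider a separate target for `file_size`.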
diff --git a/FieldsMappings/aws-function-write_fields.md b/FieldsMappings/aws-function-write_fields.md
new file mode 100644
index 0000000..2ae5baf
--- /dev/null
+++ b/FieldsMappings/aws-function-write_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-function-write
+### New-Scale Activity Type: function-write:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
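Review bot: this table is identical to the one in aws-function-write-failed_fields.md apart from the two heading lines, and it repeats the same duplicated `directory` alias (once under `file_dir`, once under `process_dir`). Because the success and failed files must now move in lockstep, consider generating both from one source, or at least note the shared origin, and resolve the `directory` ambiguity in both at the same time.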
diff --git a/FieldsMappings/aws-general-activity-failed_fields.md b/FieldsMappings/aws-general-activity-failed_fields.md
new file mode 100644
index 0000000..9f19e6f
--- /dev/null
+++ b/FieldsMappings/aws-general-activity-failed_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-general-activity-failed
+### New-Scale Activity Type: app-activity:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
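Review bot: for a catch-all `app-activity:fail` mapping the table lists rows an AWS API audit event is unlikely to carry (`hash_md5`, `hash_sha1`, `parent_process_command_line`, `email_subject`, `src_mac`), and the table is identical to the ones for the function-write events above, which suggests a generic template was pasted rather than the fields this event actually emits. Trim the table to the fields the legacy aws-general-activity-failed event produces, or state explicitly that the template is an intentional superset, so readers do not expect process or email fields to be populated.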
diff --git a/FieldsMappings/aws-general-activity_fields.md b/FieldsMappings/aws-general-activity_fields.md
new file mode 100644
index 0000000..aa75fc4
--- /dev/null
+++ b/FieldsMappings/aws-general-activity_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-general-activity
+### New-Scale Activity Type: app-activity:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
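Review bot: the title line says `Old to New-scale Field Mapping` while the heading below it says `New-Scale Activity Type` and the body says `new-scale fields`; pick one capitalisation and apply it across all the new files. Structurally the file jumps from a setext H1 straight to two `###` H3 headings with no H2, and the `\ No newline at end of file` marker shows the trailing newline is missing; both are cheap to fix now, before more files are stamped out from this template.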
diff --git a/FieldsMappings/aws-identity-addtogroup-failed_fields.md b/FieldsMappings/aws-identity-addtogroup-failed_fields.md
new file mode 100644
index 0000000..da4f61d
--- /dev/null
+++ b/FieldsMappings/aws-identity-addtogroup-failed_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-identity-addtogroup-failed
+### New-Scale Activity Type: group-member-add:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
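Review bot: the activity type is `group-member-add:fail`, but no row in the table maps a group identifier (there is no `group` or `group_name` entry), so the new-scale event would record who was being added without recording to which group, which is the one fact an analyst needs when reviewing a failed privilege change. Add the legacy group field and its new-scale target, or note where the group name travels if it arrives inside `operation_details`.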
diff --git a/FieldsMappings/aws-identity-addtogroup_fields.md b/FieldsMappings/aws-identity-addtogroup_fields.md
new file mode 100644
index 0000000..99f4674
--- /dev/null
+++ b/FieldsMappings/aws-identity-addtogroup_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-identity-addtogroup
+### New-Scale Activity Type: group-member-add:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
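Review bot: the row `| tgt_user, target_user | dest_user |` is the only row that identifies the member being added, while `| user_sid, target_user_sid | dest_user_sid |` is a Windows security identifier that an IAM group-membership event will not carry; confirm that the legacy `target_user`/`tgt_user` field is populated for this event and drop or mark the SID row so the table reflects what the event emits. The duplicated `directory` alias (under both `file_dir` and `process_dir`) is present here as well.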
diff --git a/FieldsMappings/aws-identity-creds-write-failed_fields.md b/FieldsMappings/aws-identity-creds-write-failed_fields.md
new file mode 100644
index 0000000..d37357a
--- /dev/null
+++ b/FieldsMappings/aws-identity-creds-write-failed_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-identity-creds-write-failed
+### New-Scale Activity Type: user-key-create:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
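Review bot: the legacy event is `aws-identity-creds-write-failed`, a write, but the new-scale type is `user-key-create:fail`; if the legacy event also fires for access-key updates, deactivations or deletions, all of those would be labelled as failed key creations after migration. Confirm the legacy event is emitted only for key creation, or split the mapping so that non-create credential operations land on a matching activity type.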
diff --git a/FieldsMappings/aws-identity-creds-write_fields.md b/FieldsMappings/aws-identity-creds-write_fields.md
new file mode 100644
index 0000000..55d1676
--- /dev/null
+++ b/FieldsMappings/aws-identity-creds-write_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-identity-creds-write
+### New-Scale Activity Type: user-key-create:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
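Review bot: a successful `user-key-create` is a credential-issuance event, yet the table has no row for the identifier of the key that was created; only the generic `| operation, activity | operation |` and `| result, outcome | result |` rows describe what happened. If the legacy event carries a key identifier, map it so the creation can later be joined to key use and to revocation; if it does not, say so in the file so detection authors do not go looking for it.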
diff --git a/FieldsMappings/aws-identity-list-failed_fields.md b/FieldsMappings/aws-identity-list-failed_fields.md
new file mode 100644
index 0000000..e3d6526
--- /dev/null
+++ b/FieldsMappings/aws-identity-list-failed_fields.md
@@ -0,0 +1,40 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-identity-list-failed
+### New-Scale Activity Type: group-list:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| role | role_name |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
\ No newline at end of file
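Review bot: this 40-line table drops the `| src_user, caller_user | src_user |` and `| src_domain, caller_domain | src_domain |` rows that the 56-line tables above carry, so a failed listing would arrive without the caller identity; for an enumeration event the caller is the main thing a detection keys on, so add the actor rows back unless the legacy event genuinely has no caller field. Separately, the event is named `aws-identity-list` but mapped to `group-list:fail`, and the table maps `bucket` and `role`; confirm the legacy event covers only group listings, otherwise `group-list` is too narrow for user, role or policy enumeration.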
diff --git a/FieldsMappings/aws-identity-list_fields.md b/FieldsMappings/aws-identity-list_fields.md
new file mode 100644
index 0000000..662a875
--- /dev/null
+++ b/FieldsMappings/aws-identity-list_fields.md
@@ -0,0 +1,40 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-identity-list
+### New-Scale Activity Type: group-list:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| role | role_name |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
\ No newline at end of file
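Review bot: the alias sets here diverge from the other tables in this patch: `| device | device_name |` and `| service | service_name |` list one legacy name each where the 56-line tables list `device_name, device` and `service_name, service`, and the `src_mac`, `hash_*` and `process_dir` rows are absent. If the mapper is driven by these tables, the same legacy field will be handled differently depending on which event it arrives in; either align the alias lists across files or add a sentence explaining why list events carry a reduced set.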
diff --git a/FieldsMappings/aws-identity-loginprofile-failed_fields.md b/FieldsMappings/aws-identity-loginprofile-failed_fields.md
new file mode 100644
index 0000000..7b0fe93
--- /dev/null
+++ b/FieldsMappings/aws-identity-loginprofile-failed_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-identity-loginprofile-failed
+### New-Scale Activity Type: app-activity:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
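Review bot: `aws-identity-loginprofile-failed` is mapped to the generic `app-activity:fail`, while the neighbouring identity events get specific types (`user-create`, `user-key-create`, `group-member-add`). A login profile change is a console-password operation, so mapping it to app-activity drops the credential-change semantics a detection would match on; check the ActivityTypes interface for a password or credential-modification type and use it if one exists, otherwise record here why the generic type was chosen.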
diff --git a/FieldsMappings/aws-identity-loginprofile_fields.md b/FieldsMappings/aws-identity-loginprofile_fields.md
new file mode 100644
index 0000000..95d73cd
--- /dev/null
+++ b/FieldsMappings/aws-identity-loginprofile_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-identity-loginprofile
+### New-Scale Activity Type: app-activity:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
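Review bot: for a successful login profile change both the acting identity and the affected identity matter, because a self-service password change and an administrator resetting someone else's password look very different to a reviewer. The table provides both targets through `| src_user, caller_user | src_user |` and `| tgt_user, target_user | dest_user |`, so confirm the legacy event actually populates `target_user`/`tgt_user` for this operation; if it only carries the caller, `dest_user` will be empty and the two cases become indistinguishable after migration.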
diff --git a/FieldsMappings/aws-identity-write-failed_fields.md b/FieldsMappings/aws-identity-write-failed_fields.md
new file mode 100644
index 0000000..b844c12
--- /dev/null
+++ b/FieldsMappings/aws-identity-write-failed_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-identity-write-failed
+### New-Scale Activity Type: user-create:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
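Review bot: `aws-identity-write-failed` is mapped to `user-create:fail`, but a "write" event normally also covers modification and deletion of a user; a failed user deletion surfacing as a failed user creation would mislead anyone triaging it. Confirm the legacy event is raised only on creation, or map the modify and delete cases to their own activity types as was done for the group-member and key events elsewhere in this patch.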
diff --git a/FieldsMappings/aws-identity-write_fields.md b/FieldsMappings/aws-identity-write_fields.md
new file mode 100644
index 0000000..30b4058
--- /dev/null
+++ b/FieldsMappings/aws-identity-write_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-identity-write
+### New-Scale Activity Type: user-create:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
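Review bot: the multi-name rows in this table are broken across lines (`| bytes,` / `bytes_num,` / `bytes_size,` / `file_size | bytes |`), and a GitHub-flavored Markdown table requires each row to be one physical line, so everything from the `bytes` row onward will render as raw text rather than table cells. Please collapse each of these rows onto one line, e.g. `| bytes, bytes_num, bytes_size, file_size | bytes |`, or separate the aliases with `<br>` if a vertical list is wanted. The same applies to every other new file in this change.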
diff --git a/FieldsMappings/aws-image-create-failed_fields.md b/FieldsMappings/aws-image-create-failed_fields.md
new file mode 100644
index 0000000..ef89a20
--- /dev/null
+++ b/FieldsMappings/aws-image-create-failed_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-image-create-failed
+### New-Scale Activity Type: image-create:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
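Review bot: `directory` is mapped twice here, to `file_dir` in the `directory, file_dir, file_parent, f_parent | file_dir |` row and to `process_dir` in the `process_directory, directory | process_dir |` row; for a legacy event that carries only `directory` the mapping is ambiguous and will silently populate whichever target the mapper processes last. Please remove `directory` from one of the two rows, or state explicitly which takes precedence for this event type.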
diff --git a/FieldsMappings/aws-image-create_fields.md b/FieldsMappings/aws-image-create_fields.md
new file mode 100644
index 0000000..2cd4ec9
--- /dev/null
+++ b/FieldsMappings/aws-image-create_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-image-create
+### New-Scale Activity Type: image-create:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
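Review bot: the `bytes_in, bytes_recieved | bytes_in |` row spells the old field `bytes_recieved`; if that is the literal legacy field name it should be called out as such (a comment or a note above the table), otherwise the intended `bytes_received` will never match and `bytes_in` will not be populated from it. Please confirm which it is before this lands, since the same row is copied into every file in this change.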
diff --git a/FieldsMappings/aws-image-modify-failed_fields.md b/FieldsMappings/aws-image-modify-failed_fields.md
new file mode 100644
index 0000000..2504121
--- /dev/null
+++ b/FieldsMappings/aws-image-modify-failed_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-image-modify-failed
+### New-Scale Activity Type: image-modify:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
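Review bot: the file ends without a trailing newline (`\ No newline at end of file`), which makes the next append to this table show up as a modification of the `caller_user | src_user |` line in future diffs; please add the newline. Also, the rows from `| bytes,` onward span several physical lines, which GitHub-flavored Markdown will not render as table rows; put each row on one line.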
diff --git a/FieldsMappings/aws-image-modify_fields.md b/FieldsMappings/aws-image-modify_fields.md
new file mode 100644
index 0000000..f8eea4c
--- /dev/null
+++ b/FieldsMappings/aws-image-modify_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-image-modify
+### New-Scale Activity Type: image-modify:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
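Review bot: this table is byte-for-byte the same 56-line mapping as the other `*_fields.md` files in this change, yet the title says "Field Mapping for a Specific Event" and the header names `aws-image-modify`. If the mapping really is shared, a single common mapping file that each event page links to would avoid fourteen copies drifting apart on the next edit; if it is meant to be event-specific, rows such as `src_mac`, `parent_process_command_line` and `email_subject` look out of place for an image-modify event and should be trimmed to the fields this event actually emits.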
diff --git a/FieldsMappings/aws-instance-command-failed_fields.md b/FieldsMappings/aws-instance-command-failed_fields.md
new file mode 100644
index 0000000..cdb03f8
--- /dev/null
+++ b/FieldsMappings/aws-instance-command-failed_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-instance-command-failed
+### New-Scale Activity Type: app-activity:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
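Review bot: the `### New-Scale Activity Type: app-activity:fail` header folds the outcome (`:fail`) into the activity type, while the page title and the table only talk about field mapping; if `activity_type` and outcome are separate new-scale fields (the table maps `activity_type` to `operation_type` and `outcome` to `result`), it would help to say in the intro sentence how the `:fail` suffix is derived, since nothing in the table sets it. Minor: the document uses a setext H1 followed directly by `###` H3 headers with no H2 in between.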
diff --git a/FieldsMappings/aws-instance-command_fields.md b/FieldsMappings/aws-instance-command_fields.md
new file mode 100644
index 0000000..bba5d7d
--- /dev/null
+++ b/FieldsMappings/aws-instance-command_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-instance-command
+### New-Scale Activity Type: app-activity:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
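Review bot: `directory` appears both in the `directory, file_dir, file_parent, f_parent | file_dir |` row and in the `process_directory, directory | process_dir |` row, so the same legacy field resolves to two different new-scale fields; please keep it in one row only or document the precedence rule. The multi-line rows from `| bytes,` onward also need to be collapsed onto single lines to render as a Markdown table.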
diff --git a/FieldsMappings/aws-instance-create-failed_fields.md b/FieldsMappings/aws-instance-create-failed_fields.md
new file mode 100644
index 0000000..68352ff
--- /dev/null
+++ b/FieldsMappings/aws-instance-create-failed_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-instance-create-failed
+### New-Scale Activity Type: endpoint-create:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
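Review bot: the `| Old Fields | New-Scale Fields |` header line is 96 characters wide while the rows below it are not padded to match, and from the `| bytes,` row on the cells are split across lines; since GitHub-flavored Markdown treats each physical line as a row, the second half of this table will not render. Please put every row on one line, e.g. `| connection_id, conn_id | connection_id |`.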
diff --git a/FieldsMappings/aws-instance-create_fields.md b/FieldsMappings/aws-instance-create_fields.md
new file mode 100644
index 0000000..3e3d397
--- /dev/null
+++ b/FieldsMappings/aws-instance-create_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-instance-create
+### New-Scale Activity Type: endpoint-create:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
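Review bot: `bytes_recieved` in the `bytes_in, bytes_recieved | bytes_in |` row looks like a typo for `bytes_received`; if it reproduces the real legacy field name, note that next to the row so nobody "fixes" it later, otherwise correct it here and in the other copies of this table. The file also ends without a trailing newline.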
diff --git a/FieldsMappings/aws-instance-creds-read-failed_fields.md b/FieldsMappings/aws-instance-creds-read-failed_fields.md
new file mode 100644
index 0000000..c0f7557
--- /dev/null
+++ b/FieldsMappings/aws-instance-creds-read-failed_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-instance-creds-read-failed
+### New-Scale Activity Type: key-read:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
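Review bot: for a `key-read:fail` event the inclusion of `src_mac` (mapped from `src_mac, mac, source_mac, mac_address, src_mac_address`) and the process-tree rows (`parent_process_command_line`, `parent_process_dir`, `process_path`) suggests this is a generic template rather than the field set of `aws-instance-creds-read-failed`; please either trim the table to the fields this event actually carries or rename the page so it does not claim to be event-specific.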
diff --git a/FieldsMappings/aws-instance-creds-read_fields.md b/FieldsMappings/aws-instance-creds-read_fields.md
new file mode 100644
index 0000000..8a7e6a2
--- /dev/null
+++ b/FieldsMappings/aws-instance-creds-read_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-instance-creds-read
+### New-Scale Activity Type: key-read:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
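Review bot: `directory` is mapped to both `file_dir` and `process_dir` in this table (rows `directory, file_dir, file_parent, f_parent | file_dir |` and `process_directory, directory | process_dir |`), which leaves the mapping for that legacy field undefined; please drop it from one of the rows or state which target wins. The rows split across multiple physical lines also need to be joined so the Markdown table renders.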
diff --git a/FieldsMappings/aws-instance-creds-write-failed_fields.md b/FieldsMappings/aws-instance-creds-write-failed_fields.md
new file mode 100644
index 0000000..1434fca
--- /dev/null
+++ b/FieldsMappings/aws-instance-creds-write-failed_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-instance-creds-write-failed
+### New-Scale Activity Type: key-write:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
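Review bot: the intro sentence says the table maps old fields to new-scale fields "that comply with the Common Information Model", but the page gives no link or version for that model; a reader landing on `aws-instance-creds-write-failed_fields.md` has no way to check targets such as `hash_sha256_at` or `legacy_product` against it. Please add a reference (URL or doc path) to the model this change targets, once, in the shared intro text.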
diff --git a/FieldsMappings/aws-instance-creds-write_fields.md b/FieldsMappings/aws-instance-creds-write_fields.md
new file mode 100644
index 0000000..ca86576
--- /dev/null
+++ b/FieldsMappings/aws-instance-creds-write_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-instance-creds-write
+### New-Scale Activity Type: key-write:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
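Review bot: the legacy field `directory` is mapped twice in this table, to `file_dir` in the row `directory, file_dir, file_parent, f_parent | file_dir` and again to `process_dir` in the row `process_directory, directory | process_dir`, so a converter following the table cannot tell which target to use when an `aws-instance-creds-write` record carries `directory`. Keep `directory` in one row only (a credential-write event on an instance is unlikely to carry either a file or a process directory, so the row can probably drop it), and apply the same fix to every other table in this change, since they all repeat the identical pair of rows.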
diff --git a/FieldsMappings/aws-instance-login-failed_fields.md b/FieldsMappings/aws-instance-login-failed_fields.md
new file mode 100644
index 0000000..c65de57
--- /dev/null
+++ b/FieldsMappings/aws-instance-login-failed_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-instance-login-failed
+### New-Scale Activity Type: endpoint-login:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
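Review bot: this table is byte-for-byte the one used for aws-instance-creds-write above, including rows such as `subject | email_subject`, `command_line | process_command_line` and the `src_mac` row that an AWS instance login failure cannot populate, so a file titled "Field Mapping for a Specific Event" documents nothing specific to `endpoint-login:fail`. Either generate these files from one shared table and keep only the rows this event actually emits, or state at the top that the table is the common mapping for all aws-* events. Separately, `bytes_recieved` in the `bytes_in` row is misspelled; confirm against the legacy schema whether the old field really carried that spelling before keeping it.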
diff --git a/FieldsMappings/aws-instance-login_fields.md b/FieldsMappings/aws-instance-login_fields.md
new file mode 100644
index 0000000..91b442d
--- /dev/null
+++ b/FieldsMappings/aws-instance-login_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-instance-login
+### New-Scale Activity Type: endpoint-login:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
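Review bot: the `:success` suffix of `endpoint-login:success` and the row `result, outcome | result` encode the outcome twice, and they can disagree: a legacy `aws-instance-login` record whose `result` field says failure would still be filed under the success activity type. State which source is authoritative (presumably the old event type, since the failed variant has its own file) and whether a conflicting `result` value is overwritten, kept, or flagged during conversion.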
diff --git a/FieldsMappings/aws-instance-modify-failed_fields.md b/FieldsMappings/aws-instance-modify-failed_fields.md
new file mode 100644
index 0000000..ce43dbf
--- /dev/null
+++ b/FieldsMappings/aws-instance-modify-failed_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-instance-modify-failed
+### New-Scale Activity Type: endpoint-modify:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
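Review bot: every file in this change ends with `\ No newline at end of file`; add the trailing newline so the last row (`src_user, caller_user | src_user`) does not show up as modified in every later diff that appends to the table.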
diff --git a/FieldsMappings/aws-instance-modify_fields.md b/FieldsMappings/aws-instance-modify_fields.md
new file mode 100644
index 0000000..9b02ade
--- /dev/null
+++ b/FieldsMappings/aws-instance-modify_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-instance-modify
+### New-Scale Activity Type: endpoint-modify:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
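Review bot: for `endpoint-modify:success` nothing in the table identifies what was modified; the only candidate rows are `activity_details | operation_details` and `operation, activity | operation`, and no legacy field for the changed attribute or its previous and new value appears. If the legacy aws-instance-modify event carried that information, map it explicitly, because a modify event without the modified attribute is of little use to a detection rule; if it did not, say here that `operation_details` is where it is expected to land.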
diff --git a/FieldsMappings/aws-instance-screenshot-failed_fields.md b/FieldsMappings/aws-instance-screenshot-failed_fields.md
new file mode 100644
index 0000000..ab2090d
--- /dev/null
+++ b/FieldsMappings/aws-instance-screenshot-failed_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-instance-screenshot-failed
+### New-Scale Activity Type: app-activity:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
diff --git a/FieldsMappings/aws-instance-screenshot_fields.md b/FieldsMappings/aws-instance-screenshot_fields.md
new file mode 100644
index 0000000..a544684
--- /dev/null
+++ b/FieldsMappings/aws-instance-screenshot_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-instance-screenshot
+### New-Scale Activity Type: app-activity:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
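Review bot: `app-activity:success` is the generic catch-all, so after conversion an aws-instance-screenshot event is indistinguishable from any other application activity unless the original type survives. Confirm that the row `activity_type | operation_type` (or `sub_event_type, event_subtype | event_subtype`) is populated with the legacy name `aws-instance-screenshot` during conversion and state that in this file, since taking a console screenshot of an instance is exactly the kind of rare action a detection rule would key on. The same applies to the `:fail` file above.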
diff --git a/FieldsMappings/aws-login-failed_fields.md b/FieldsMappings/aws-login-failed_fields.md
new file mode 100644
index 0000000..9b0f40d
--- /dev/null
+++ b/FieldsMappings/aws-login-failed_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-login-failed
+### New-Scale Activity Type: app-login:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
diff --git a/FieldsMappings/aws-login_fields.md b/FieldsMappings/aws-login_fields.md
new file mode 100644
index 0000000..8b38b2b
--- /dev/null
+++ b/FieldsMappings/aws-login_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-login
+### New-Scale Activity Type: app-login:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
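Review bot: for `app-login:success` the mapping keeps `login_type | login_type_text` but nothing that records whether the login used MFA or which kind of principal signed in; if the legacy aws-login event exposed either, it is dropped here, and those are the first fields a console-login detection needs. Also note the side convention for unprefixed legacy fields is inconsistent: `user_sid, target_user_sid | dest_user_sid` puts `user_sid` on the destination side, while `user_email | email_address` and `user_firstname | first_name` map to unprefixed fields. State the rule for which side a bare `user_*` legacy field belongs to.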
diff --git a/FieldsMappings/aws-policy-attach_fields.md b/FieldsMappings/aws-policy-attach_fields.md
new file mode 100644
index 0000000..3b4eb95
--- /dev/null
+++ b/FieldsMappings/aws-policy-attach_fields.md
@@ -0,0 +1,57 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-policy-attach
+### New-Scale Activity Type: group-policy-attach:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| role | role_name |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
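Review bot: the target activity type `group-policy-attach:success` names a group, but the only row this table adds over the others is `role | role_name`, and nothing maps a group name; AWS attaches managed policies to users, groups or roles, so either the activity type should not hard-code "group" or the table needs rows for the group and user targets as well. This is also the only event type in the change without a `-failed` counterpart; a denied policy attachment is at least as interesting as a successful one, so if the legacy source emits a failed variant it should get the same treatment as the other pairs here.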
diff --git a/FieldsMappings/aws-policy-list-failed_fields.md b/FieldsMappings/aws-policy-list-failed_fields.md
new file mode 100644
index 0000000..763217a
--- /dev/null
+++ b/FieldsMappings/aws-policy-list-failed_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-policy-list-failed
+### New-Scale Activity Type: policy-list:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
diff --git a/FieldsMappings/aws-policy-list_fields.md b/FieldsMappings/aws-policy-list_fields.md
new file mode 100644
index 0000000..21437e4
--- /dev/null
+++ b/FieldsMappings/aws-policy-list_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-policy-list
+### New-Scale Activity Type: policy-list:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
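Review bot: the title line reads "Old to New-scale Field Mapping" while the heading two lines below reads "New-Scale Activity Type"; pick one capitalization and use it across all of these files. On the content, `policy-list:success` is a read-only enumeration yet the table still carries `policy | policy_name` as a single value; if the legacy aws-policy-list event returned several policies, say whether `policy_name` takes the first, a joined list, or is left empty.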
diff --git a/FieldsMappings/aws-policy-setversion-failed_fields.md b/FieldsMappings/aws-policy-setversion-failed_fields.md
new file mode 100644
index 0000000..26cbea0
--- /dev/null
+++ b/FieldsMappings/aws-policy-setversion-failed_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-policy-setversion-failed
+### New-Scale Activity Type: policy-modify:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
diff --git a/FieldsMappings/aws-policy-setversion_fields.md b/FieldsMappings/aws-policy-setversion_fields.md
new file mode 100644
index 0000000..f1d3125
--- /dev/null
+++ b/FieldsMappings/aws-policy-setversion_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-policy-setversion
+### New-Scale Activity Type: policy-modify:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
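Review bot: the table body here is identical to the other `aws-*_fields.md` files in this patch (rows such as `subject | email_subject`, the `src_mac` aliases, `parent_process_cmd` and the hash aliases), so it does not say which of these fields an `aws-policy-setversion` event actually carries, although the title promises a mapping "for a Specific Event". Either trim the table to the fields this event emits, or add a sentence stating that it is the shared default map and that `policy | policy_name` is the only event-specific row.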
diff --git a/FieldsMappings/aws-policy-write_fields.md b/FieldsMappings/aws-policy-write_fields.md
new file mode 100644
index 0000000..8c6a5d4
--- /dev/null
+++ b/FieldsMappings/aws-policy-write_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-policy-write
+### New-Scale Activity Type: policy-create:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
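Review bot: the outcome suffix in `### New-Scale Activity Type: policy-create:fail` is inconsistent with the rest of this patch, where `:fail` is used only for old types ending in `-failed` (for example `aws-snapshot-create-failed` -> `snapshot-create:fail`) and the plain names get `:success`. `aws-policy-write` has no failure marker in its name, so confirm whether this should read `policy-create:success`, or document in the intro why a write event maps to a failed create.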
diff --git a/FieldsMappings/aws-role-assume-failed_fields.md b/FieldsMappings/aws-role-assume-failed_fields.md
new file mode 100644
index 0000000..dfcb1b8
--- /dev/null
+++ b/FieldsMappings/aws-role-assume-failed_fields.md
@@ -0,0 +1,57 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-role-assume-failed
+### New-Scale Activity Type: role-assume:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| role | role_name |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
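Review bot: `bytes_in, bytes_recieved | bytes_in` carries the misspelling `recieved`; if the legacy field really is spelled that way the alias is correct, but if the legacy schema uses `bytes_received` the alias never matches and the value is silently dropped. Listing both spellings in the alias list removes the doubt at no cost; the same row appears in every mapping file in this patch, so fix it wherever the tables are generated.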
diff --git a/FieldsMappings/aws-role-assume_fields.md b/FieldsMappings/aws-role-assume_fields.md
new file mode 100644
index 0000000..457292c
--- /dev/null
+++ b/FieldsMappings/aws-role-assume_fields.md
@@ -0,0 +1,57 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-role-assume
+### New-Scale Activity Type: role-assume:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| role | role_name |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
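Review bot: this file and `aws-role-switch_fields.md` later in the patch both map to `role-assume:success`, and no row in the table preserves the old event type, so after migration an `aws-role-assume` record and an `aws-role-switch` record are indistinguishable unless a field such as `operation` or `operation_type` happens to carry the distinction. If the merge is intentional, say so in the intro; otherwise add a row that records the original event type.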
diff --git a/FieldsMappings/aws-role-assumepolicy_fields.md b/FieldsMappings/aws-role-assumepolicy_fields.md
new file mode 100644
index 0000000..e28b4e8
--- /dev/null
+++ b/FieldsMappings/aws-role-assumepolicy_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-role-assumepolicy
+### New-Scale Activity Type: policy-modify:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
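Review bot: the `role | role_name` row that the other `aws-role-*` files in this patch carry is missing here, so for an event whose name says it concerns a role's assume policy the table keeps the policy (`policy | policy_name`) but drops which role it belongs to. Add the `role | role_name` row unless the legacy `aws-role-assumepolicy` event genuinely has no role field, in which case the intro should say so.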
diff --git a/FieldsMappings/aws-role-switch_fields.md b/FieldsMappings/aws-role-switch_fields.md
new file mode 100644
index 0000000..df23d55
--- /dev/null
+++ b/FieldsMappings/aws-role-switch_fields.md
@@ -0,0 +1,57 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-role-switch
+### New-Scale Activity Type: role-assume:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| role | role_name |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
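Review bot: every new file in this patch ends with `\ No newline at end of file`; the missing trailing newline makes concatenated or diffed output run the last table row into whatever follows and trips linters that expect POSIX text files. Add the final newline once in whatever generates these tables rather than patching each file by hand.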
diff --git a/FieldsMappings/aws-role-write_fields.md b/FieldsMappings/aws-role-write_fields.md
new file mode 100644
index 0000000..605902b
--- /dev/null
+++ b/FieldsMappings/aws-role-write_fields.md
@@ -0,0 +1,57 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-role-write
+### New-Scale Activity Type: role-create:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| role | role_name |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
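Review bot: as with `aws-policy-write` in this patch, `### New-Scale Activity Type: role-create:fail` assigns a `:fail` outcome to an old type with no `-failed` suffix, while every other `:fail` in the patch corresponds to a `-failed` old type. Confirm the outcome, or state in the intro that the legacy `aws-role-write` event was itself only emitted on failure.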
diff --git a/FieldsMappings/aws-snapshot-create-failed_fields.md b/FieldsMappings/aws-snapshot-create-failed_fields.md
new file mode 100644
index 0000000..25ea7d9
--- /dev/null
+++ b/FieldsMappings/aws-snapshot-create-failed_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-snapshot-create-failed
+### New-Scale Activity Type: snapshot-create:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
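Review bot: no row in this table names a snapshot or volume identifier, so a consumer of `snapshot-create:fail` has no mapped field saying which snapshot failed, while the one resource-specific row that is present (`policy | policy_name`) does not fit a snapshot event. If the legacy event carries a snapshot identifier, add the row; if it does not, say so in the intro so readers do not assume the field was dropped by mistake.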
diff --git a/FieldsMappings/aws-snapshot-create_fields.md b/FieldsMappings/aws-snapshot-create_fields.md
new file mode 100644
index 0000000..197979e
--- /dev/null
+++ b/FieldsMappings/aws-snapshot-create_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-snapshot-create
+### New-Scale Activity Type: snapshot-create:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
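Review bot: `user_sid, target_user_sid | dest_user_sid` files the actor's `user_sid` under a destination field, while the other `user_*` legacy fields in the same table (`user_email`, `user_firstname`, `user_fullname`, `user_lastname`) map to actor-side fields (`email_address`, `first_name`, `full_name`, `last_name`). Unless `user_sid` in the legacy schema denotes the target user, it should map to a source-side SID field if the model has one, and `target_user_sid` alone should feed `dest_user_sid`.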
diff --git a/FieldsMappings/aws-snapshot-modify-failed_fields.md b/FieldsMappings/aws-snapshot-modify-failed_fields.md
new file mode 100644
index 0000000..bfe70b0
--- /dev/null
+++ b/FieldsMappings/aws-snapshot-modify-failed_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-snapshot-modify-failed
+### New-Scale Activity Type: snapshot-modify:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
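Review bot: the outcome is fixed by the heading (`snapshot-modify:fail`), yet the table still maps `result, outcome | result`; if a legacy record carries `result=success` or any value other than the hard-coded outcome, the document does not say whether the field or the activity-type suffix wins. State the precedence in the intro, or drop the `result` row from the files that are already split into `:fail` and `:success` variants.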
diff --git a/FieldsMappings/aws-snapshot-modify_fields.md b/FieldsMappings/aws-snapshot-modify_fields.md
new file mode 100644
index 0000000..6f7aefd
--- /dev/null
+++ b/FieldsMappings/aws-snapshot-modify_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-snapshot-modify
+### New-Scale Activity Type: snapshot-modify:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
diff --git a/FieldsMappings/aws-storage-acl-failed_fields.md b/FieldsMappings/aws-storage-acl-failed_fields.md
new file mode 100644
index 0000000..b96ad5d
--- /dev/null
+++ b/FieldsMappings/aws-storage-acl-failed_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-storage-acl-failed
+### New-Scale Activity Type: bucket-permission-modify:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
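Review bot: for an activity type named `bucket-permission-modify`, no row in this table maps a bucket name or the grantee and permission being changed; `accesses | access` is the closest and `policy | policy_name` is the only other permission-related field. If the legacy `aws-storage-acl-failed` event carries the bucket and the ACL grant, those are the fields an analyst reviewing a failed ACL change needs first, so add rows for them or state explicitly that they are not available.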
diff --git a/FieldsMappings/aws-storage-acl_fields.md b/FieldsMappings/aws-storage-acl_fields.md
new file mode 100644
index 0000000..7e5e7c9
--- /dev/null
+++ b/FieldsMappings/aws-storage-acl_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-storage-acl
+### New-Scale Activity Type: bucket-permission-modify:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
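Review bot: the multi-alias rows from `| bytes,` down to `| src_user,` carry line breaks inside table cells, which GitHub-flavoured Markdown does not permit, so everything after `| full_url | url |` will render as loose text rather than as table rows. Keep each row on a single line, e.g. `| bytes, bytes_num, bytes_size, file_size | bytes |`, or separate the aliases with `<br>` inside the cell if a vertical list is wanted.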
diff --git a/FieldsMappings/aws-storage-list-failed_fields.md b/FieldsMappings/aws-storage-list-failed_fields.md
new file mode 100644
index 0000000..74c925c
--- /dev/null
+++ b/FieldsMappings/aws-storage-list-failed_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-storage-list-failed
+### New-Scale Activity Type: bucket-list:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
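Review bot: `directory` is listed as an old field in two rows with different targets, `| directory, file_dir, file_parent, f_parent | file_dir |` and `| process_directory, directory | process_dir |`, so a converter driven by this table has no way to decide which new-scale field receives it. Remove it from one of the rows, or state the precedence rule next to the table (for instance, which target wins when the event carries no other file or process fields).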
diff --git a/FieldsMappings/aws-storage-list_fields.md b/FieldsMappings/aws-storage-list_fields.md
new file mode 100644
index 0000000..c04db8a
--- /dev/null
+++ b/FieldsMappings/aws-storage-list_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-storage-list
+### New-Scale Activity Type: bucket-list:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
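Review bot: `bytes_recieved` in the `bytes_in` row reads as a misspelling of `bytes_received`. If the legacy product genuinely emitted the misspelled name, keep it and say so in a short note; otherwise correct it, because the old-field column is what a converter matches on and a typo here silently drops the mapping for that field.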
diff --git a/FieldsMappings/aws-storageobject-copy-failed_fields.md b/FieldsMappings/aws-storageobject-copy-failed_fields.md
new file mode 100644
index 0000000..f005d3a
--- /dev/null
+++ b/FieldsMappings/aws-storageobject-copy-failed_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-storageobject-copy-failed
+### New-Scale Activity Type: file-copy:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
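Review bot: the row `| target_user_email, dest_email_address, recipient | dest_email_address |` maps `dest_email_address` to itself, and this table for `file-copy:fail` still lists rows such as `email_subject`, `hash_sha256_at` and `parent_process_command_line` that a storage object copy event is unlikely to populate. Either generate each page from a per-event field list or mark the rows that actually apply to this activity type, so readers are not left to guess which mappings are live.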
diff --git a/FieldsMappings/aws-storageobject-copy_fields.md b/FieldsMappings/aws-storageobject-copy_fields.md
new file mode 100644
index 0000000..dd749c3
--- /dev/null
+++ b/FieldsMappings/aws-storageobject-copy_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-storageobject-copy
+### New-Scale Activity Type: file-copy:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
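Review bot: the file ends without a trailing newline (`\ No newline at end of file`), which most Markdown linters flag and which makes every later edit to the last row `| src_user, caller_user | src_user |` show up as a two-line change in `git diff`. Add the newline before merging.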
diff --git a/FieldsMappings/aws-storageobject-read-failed_fields.md b/FieldsMappings/aws-storageobject-read-failed_fields.md
new file mode 100644
index 0000000..a31420d
--- /dev/null
+++ b/FieldsMappings/aws-storageobject-read-failed_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-storageobject-read-failed
+### New-Scale Activity Type: file-read:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
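Review bot: the title `Old to New-scale Field Mapping for a Specific Event` spells the term `New-scale`, while the `### New-Scale Activity Type:` heading and the `New-Scale Fields` column header spell it `New-Scale`; settle on one form. The document also jumps from a setext H1 directly to `###` H3 headings with no H2, which heading-level linters report as a skipped level; `##` would be the natural choice for the two event-type lines.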
diff --git a/FieldsMappings/aws-storageobject-read_fields.md b/FieldsMappings/aws-storageobject-read_fields.md
new file mode 100644
index 0000000..56d406b
--- /dev/null
+++ b/FieldsMappings/aws-storageobject-read_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-storageobject-read
+### New-Scale Activity Type: file-read:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
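Review bot: apart from the two `###` heading lines, this table is identical to the one in every other `*_fields.md` file added by this patch. Copies of the same mapping will diverge the first time an alias is corrected in one place; keep the shared table in a single document and have each event page link to it, listing only the event-specific additions or overrides.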
diff --git a/FieldsMappings/aws-storageobject-write-failed_fields.md b/FieldsMappings/aws-storageobject-write-failed_fields.md
new file mode 100644
index 0000000..ee16dca
--- /dev/null
+++ b/FieldsMappings/aws-storageobject-write-failed_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-storageobject-write-failed
+### New-Scale Activity Type: file-write:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
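Review bot: several direction-neutral legacy names are forced onto one side of the connection: `| user_sid, target_user_sid | dest_user_sid |` turns a plain `user_sid` into the destination user, and `| src_mac, mac, source_mac, mac_address, src_mac_address | src_mac |` treats a bare `mac` or `mac_address` as the source. For a `file-write` event the acting user is the more likely reading of `user_sid`, so either document the assumption next to the table or split these aliases out so the converter can decide from context.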
diff --git a/FieldsMappings/aws-storageobject-write_fields.md b/FieldsMappings/aws-storageobject-write_fields.md
new file mode 100644
index 0000000..33f5a89
--- /dev/null
+++ b/FieldsMappings/aws-storageobject-write_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-storageobject-write
+### New-Scale Activity Type: file-write:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
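Review bot: the rename `| source | legacy_product |` is not self-explanatory, since `source` in most event schemas denotes the originating host or address rather than the product that produced the event; a one-line note on what the old `source` field actually held would stop readers from mapping network sources into `legacy_product`. The same applies to `| login_type | login_type_text |`, which implies a numeric `login_type` exists elsewhere but does not say where it comes from.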
diff --git a/FieldsMappings/aws-volume-attach-failed_fields.md b/FieldsMappings/aws-volume-attach-failed_fields.md
new file mode 100644
index 0000000..b42284d
--- /dev/null
+++ b/FieldsMappings/aws-volume-attach-failed_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-volume-attach-failed
+### New-Scale Activity Type: disk-attach:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
diff --git a/FieldsMappings/aws-volume-attach_fields.md b/FieldsMappings/aws-volume-attach_fields.md
new file mode 100644
index 0000000..0b06513
--- /dev/null
+++ b/FieldsMappings/aws-volume-attach_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-volume-attach
+### New-Scale Activity Type: disk-attach:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
diff --git a/FieldsMappings/aws-volume-create-failed_fields.md b/FieldsMappings/aws-volume-create-failed_fields.md
new file mode 100644
index 0000000..135240e
--- /dev/null
+++ b/FieldsMappings/aws-volume-create-failed_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-volume-create-failed
+### New-Scale Activity Type: disk-create:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
diff --git a/FieldsMappings/aws-volume-create_fields.md b/FieldsMappings/aws-volume-create_fields.md
new file mode 100644
index 0000000..e563a3e
--- /dev/null
+++ b/FieldsMappings/aws-volume-create_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-volume-create
+### New-Scale Activity Type: disk-create:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
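Review bot: for a `disk-create` event the row `| bytes, bytes_num, bytes_size, file_size | bytes |` folds a size field (`file_size`) together with what look like transfer counters (`bytes_num`, `bytes_size`) into a single `bytes`, so the volume size and any transferred byte count become indistinguishable after conversion. Confirm that both meanings are intended to collapse into `bytes`, or give the size its own target.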
diff --git a/FieldsMappings/aws-volume-modify-failed_fields.md b/FieldsMappings/aws-volume-modify-failed_fields.md
new file mode 100644
index 0000000..03adc5d
--- /dev/null
+++ b/FieldsMappings/aws-volume-modify-failed_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-volume-modify-failed
+### New-Scale Activity Type: disk-modify:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
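Review bot: the old field `directory` is mapped twice in this table, once to `file_dir` in the `directory, file_dir, file_parent, f_parent | file_dir |` row and again to `process_dir` in the `process_directory, directory | process_dir |` row, so anyone translating events from this document cannot tell which target to pick; drop `directory` from one alias group (the process row is the odd one out, since `process_directory` already covers it) or document the precedence. Two smaller points: the title spells it "New-scale" while the heading says "New-Scale" (pick one across the FieldsMappings files), and `bytes_recieved` should be confirmed as the real legacy spelling rather than a typo carried into the mapping. Every new file in this patch also ends without a trailing newline.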
diff --git a/FieldsMappings/aws-volume-modify_fields.md b/FieldsMappings/aws-volume-modify_fields.md
new file mode 100644
index 0000000..567ff2c
--- /dev/null
+++ b/FieldsMappings/aws-volume-modify_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: aws-volume-modify
+### New-Scale Activity Type: disk-modify:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
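Review bot: same ambiguity as the failed variant: `directory` sits in both the `file_dir` alias group and the `process_directory, directory | process_dir |` row. Since the success and fail files are otherwise identical tables, consider generating both from one source so a fix here is not missed in the sibling.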
diff --git a/FieldsMappings/azure-blob-read_fields.md b/FieldsMappings/azure-blob-read_fields.md
new file mode 100644
index 0000000..3a490c9
--- /dev/null
+++ b/FieldsMappings/azure-blob-read_fields.md
@@ -0,0 +1,40 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: azure-blob-read
+### New-Scale Activity Type: file-read:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
\ No newline at end of file
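Review bot: this table for an Azure Blob read carries endpoint-process and hash fields (`parent_process_cmd`, `parent_sha256hash`, `selected_sha256`, `process_path`) that a storage access log does not emit, which suggests it was copied from a generic template; trim it to the fields the source actually produces, otherwise readers will assume coverage (for example process lineage on a blob read) that the translated event never has. The same template is repeated in the other azure-*_fields.md files added in this patch.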
diff --git a/FieldsMappings/azure-blob-write_fields.md b/FieldsMappings/azure-blob-write_fields.md
new file mode 100644
index 0000000..41deccf
--- /dev/null
+++ b/FieldsMappings/azure-blob-write_fields.md
@@ -0,0 +1,40 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: azure-blob-write
+### New-Scale Activity Type: file-write:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
\ No newline at end of file
diff --git a/FieldsMappings/azure-container-acl_fields.md b/FieldsMappings/azure-container-acl_fields.md
new file mode 100644
index 0000000..cf98682
--- /dev/null
+++ b/FieldsMappings/azure-container-acl_fields.md
@@ -0,0 +1,40 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: azure-container-acl
+### New-Scale Activity Type: file-permission-modify:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
\ No newline at end of file
diff --git a/FieldsMappings/azure-disk-write_fields.md b/FieldsMappings/azure-disk-write_fields.md
new file mode 100644
index 0000000..8055593
--- /dev/null
+++ b/FieldsMappings/azure-disk-write_fields.md
@@ -0,0 +1,40 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: azure-disk-write
+### New-Scale Activity Type: disk-write:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
\ No newline at end of file
diff --git a/FieldsMappings/azure-image-write_fields.md b/FieldsMappings/azure-image-write_fields.md
new file mode 100644
index 0000000..dfdf092
--- /dev/null
+++ b/FieldsMappings/azure-image-write_fields.md
@@ -0,0 +1,40 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: azure-image-write
+### New-Scale Activity Type: image-write:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
\ No newline at end of file
diff --git a/FieldsMappings/azure-instance-creds-write_fields.md b/FieldsMappings/azure-instance-creds-write_fields.md
new file mode 100644
index 0000000..a049350
--- /dev/null
+++ b/FieldsMappings/azure-instance-creds-write_fields.md
@@ -0,0 +1,40 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: azure-instance-creds-write
+### New-Scale Activity Type: key-write:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
\ No newline at end of file
diff --git a/FieldsMappings/azure-instance-write_fields.md b/FieldsMappings/azure-instance-write_fields.md
new file mode 100644
index 0000000..d924dc2
--- /dev/null
+++ b/FieldsMappings/azure-instance-write_fields.md
@@ -0,0 +1,40 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: azure-instance-write
+### New-Scale Activity Type: image-write:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
\ No newline at end of file
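Review bot: the heading maps `azure-instance-write` to `image-write:success`, the same New-Scale activity type that the sibling `azure-image-write` file uses; if the two old events are genuinely meant to collapse into one activity type, say so in the description, otherwise this reads like a copy-paste of the image file's heading and the instance event needs its own activity type.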
diff --git a/FieldsMappings/azure-keyvault-read_fields.md b/FieldsMappings/azure-keyvault-read_fields.md
new file mode 100644
index 0000000..36cf9b1
--- /dev/null
+++ b/FieldsMappings/azure-keyvault-read_fields.md
@@ -0,0 +1,40 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: azure-keyvault-read
+### New-Scale Activity Type: key-read:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
\ No newline at end of file
diff --git a/FieldsMappings/azure-keyvault-write_fields.md b/FieldsMappings/azure-keyvault-write_fields.md
new file mode 100644
index 0000000..1b7b567
--- /dev/null
+++ b/FieldsMappings/azure-keyvault-write_fields.md
@@ -0,0 +1,40 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: azure-keyvault-write
+### New-Scale Activity Type: key-write:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
\ No newline at end of file
diff --git a/FieldsMappings/azure-metrics_fields.md b/FieldsMappings/azure-metrics_fields.md
new file mode 100644
index 0000000..8b9737b
--- /dev/null
+++ b/FieldsMappings/azure-metrics_fields.md
@@ -0,0 +1,20 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: azure-metrics
+### New-Scale Activity Type: app-activity:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------- | ---------------- |
+| authorization_scope | auth_scope |
+| bucket | bucket_name |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| source | legacy_product |
+| service | service_name |
+| full_url | url |
+| action,
outcome | action |
+| result,
outcome | result |
\ No newline at end of file
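Review bot: `outcome` is mapped to two targets in this table, to `action` in the `action, outcome | action |` row and to `result` in the `result, outcome | result |` row; remove it from the `action` group (it is the result field in every other table in this patch) or state which mapping wins.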
diff --git a/FieldsMappings/azure-role-assign_fields.md b/FieldsMappings/azure-role-assign_fields.md
new file mode 100644
index 0000000..426402d
--- /dev/null
+++ b/FieldsMappings/azure-role-assign_fields.md
@@ -0,0 +1,40 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: azure-role-assign
+### New-Scale Activity Type: user-role-assign:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
\ No newline at end of file
diff --git a/FieldsMappings/azure-role-write_fields.md b/FieldsMappings/azure-role-write_fields.md
new file mode 100644
index 0000000..faa140e
--- /dev/null
+++ b/FieldsMappings/azure-role-write_fields.md
@@ -0,0 +1,41 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: azure-role-write
+### New-Scale Activity Type: role-write:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| role | role_name |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
\ No newline at end of file
diff --git a/FieldsMappings/azure-snapshot-write_fields.md b/FieldsMappings/azure-snapshot-write_fields.md
new file mode 100644
index 0000000..2f127a3
--- /dev/null
+++ b/FieldsMappings/azure-snapshot-write_fields.md
@@ -0,0 +1,40 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: azure-snapshot-write
+### New-Scale Activity Type: snapshot-write:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
\ No newline at end of file
diff --git a/FieldsMappings/azure-storage-list_fields.md b/FieldsMappings/azure-storage-list_fields.md
new file mode 100644
index 0000000..753802d
--- /dev/null
+++ b/FieldsMappings/azure-storage-list_fields.md
@@ -0,0 +1,40 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: azure-storage-list
+### New-Scale Activity Type: file-list:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
\ No newline at end of file
diff --git a/FieldsMappings/batch-logon_fields.md b/FieldsMappings/batch-logon_fields.md
new file mode 100644
index 0000000..dd3f86a
--- /dev/null
+++ b/FieldsMappings/batch-logon_fields.md
@@ -0,0 +1,59 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: batch-logon
+### New-Scale Activity Type: endpoint-login:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| description | additional_info |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| account_type | user_type |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| login_type,
logon_type_text,
logon_type | login_type_text |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
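Review bot: the activity type in the heading is `endpoint-login:fail`, but the old event type is `batch-logon` with no failure qualifier, whereas the other files in this patch reserve `:fail` for `-failed` event types (`aws-volume-modify-failed` -> `disk-modify:fail`); confirm this should not be `endpoint-login:success`, since tagging every successful batch logon as a failure would flood failed-logon detections. Also `logon_type` is mapped twice (`logon_type | login_type |` and `login_type, logon_type_text, logon_type | login_type_text |`) and `directory` is mapped to both `file_dir` and `process_dir`; each old field should map to exactly one target.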
diff --git a/FieldsMappings/cloud-admin-activity-failed_fields.md b/FieldsMappings/cloud-admin-activity-failed_fields.md
new file mode 100644
index 0000000..2957d7e
--- /dev/null
+++ b/FieldsMappings/cloud-admin-activity-failed_fields.md
@@ -0,0 +1,53 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: cloud-admin-activity-failed
+### New-Scale Activity Type: app-activity:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| group | group_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
\ No newline at end of file
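Review bot: the hunk header `@@ -0,0 +1,53 @@` counts 53 added lines, but the table body spans far more physical lines and the continuation lines such as `bytes_num,` and `file_size | bytes |` carry no `+` marker, which means the multi-alias cells contain embedded line breaks inside what the file treats as one line. Markdown tables do not support multi-line cells, so these rows will not render as part of the table; put the aliases on one line (`| bytes, bytes_num, bytes_size, file_size | bytes |`) or separate them with `<br>`. As in the previous table, `directory` appears in both the `file_dir` and `process_dir` rows. The file also lacks a trailing newline.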
diff --git a/FieldsMappings/cloud-admin-activity_fields.md b/FieldsMappings/cloud-admin-activity_fields.md
new file mode 100644
index 0000000..68e7d1a
--- /dev/null
+++ b/FieldsMappings/cloud-admin-activity_fields.md
@@ -0,0 +1,53 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: cloud-admin-activity
+### New-Scale Activity Type: app-activity:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| group | group_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
\ No newline at end of file
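Review bot: this table is identical to cloud-admin-activity-failed_fields.md apart from the activity type, so any fix to one (the embedded line breaks in the multi-alias cells, the double mapping of `directory`) must be mirrored here; consider generating both from a single source. Two rows are worth checking against the legacy schema: `bytes_in, bytes_recieved | bytes_in` carries a misspelling, so confirm the old field really is emitted as `bytes_recieved` and add `bytes_received` as well if both occur; and `user_sid, target_user_sid | dest_user_sid` sends the actor's `user_sid` to the destination-user field while `tgt_user, target_user | dest_user` keeps the actor separate for the username, so unless `user_sid` identifies the target in these events it belongs in `user_sid`, not `dest_user_sid`.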
diff --git a/FieldsMappings/computer-logon_fields.md b/FieldsMappings/computer-logon_fields.md
new file mode 100644
index 0000000..f9a12be
--- /dev/null
+++ b/FieldsMappings/computer-logon_fields.md
@@ -0,0 +1,62 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: computer-logon
+### New-Scale Activity Type: dhcp-session:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| result_code | http_response_code |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| uids | user_uids |
+| description,
additional_info | additional_info |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| sid,
user_sid | user_sid |
+| account_type,
user_type | user_type |
\ No newline at end of file
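Review bot: the activity type `dhcp-session:success` looks wrong for `computer-logon`; a machine-account logon is an authentication event, not a DHCP lease, and the other logon-style tables in this change map to `*-login:success` or `:fail`. Confirm the intended target before this ships. In the same table `result_code | http_response_code` assigns a logon result code to an HTTP field, and `user_sid` is mapped twice, to `dest_user_sid` (`user_sid, target_user_sid | dest_user_sid`) and to `user_sid` (`sid, user_sid | user_sid`); keep one. `directory` is likewise in both the `file_dir` and `process_dir` rows.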
diff --git a/FieldsMappings/config-change_fields.md b/FieldsMappings/config-change_fields.md
new file mode 100644
index 0000000..602ec5e
--- /dev/null
+++ b/FieldsMappings/config-change_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: config-change
+### New-Scale Activity Type: configuration-modify:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
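Review bot: `config-change` is mapped to `configuration-modify:fail`, but the event type name carries no failure suffix, and elsewhere in this change `:fail` is paired with `-failed` event types (`cloud-admin-activity-failed` to `app-activity:fail`) while the plain names get `:success`. Unless config-change only ever records failed changes, this should read `configuration-modify:success`. `directory` is again in both the `file_dir` and `process_dir` rows.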
diff --git a/FieldsMappings/database-access_fields.md b/FieldsMappings/database-access_fields.md
new file mode 100644
index 0000000..a93b006
--- /dev/null
+++ b/FieldsMappings/database-access_fields.md
@@ -0,0 +1,58 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: database-access
+### New-Scale Activity Type: database-activity:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| database_name | db_name |
+| schema | db_schema |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| database_object,
database_objects | db_object |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| os_user,
user | user |
\ No newline at end of file
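Review bot: `os_user, user | user` collapses the operating-system account and the database account into one field, so a downstream rule can no longer tell which one was logged; if the model has no separate field for the OS user, say so in the table, otherwise keep `os_user` distinct. The alias sets for the database fields also differ from file to file within this change: here `schema | db_schema` and `database_object, database_objects | db_object`, in database-delete_fields.md `database_schema | db_schema`, in database-login_fields.md `schema, db_schema, database_schema | db_schema`. Unless each event type is fed by a different source, every database-* table should carry the full alias list.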
diff --git a/FieldsMappings/database-activity-failed_fields.md b/FieldsMappings/database-activity-failed_fields.md
new file mode 100644
index 0000000..887f5f9
--- /dev/null
+++ b/FieldsMappings/database-activity-failed_fields.md
@@ -0,0 +1,57 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: database-activity-failed
+### New-Scale Activity Type: database-activity:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| database_name | db_name |
+| database_object | db_object |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| os_user,
user | user |
\ No newline at end of file
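Review bot: the failed variant should cover the same fields as its success counterpart, but this table has no `db_schema` row at all while database-access_fields.md maps `schema | db_schema`, and `database_object | db_object` drops the `database_objects` alias the success table lists. A failed database operation carries the same schema and object fields, so add them here. The `os_user, user | user` merge and the double `directory` mapping from the success table are repeated here as well.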
diff --git a/FieldsMappings/database-alert_fields.md b/FieldsMappings/database-alert_fields.md
new file mode 100644
index 0000000..5da83f0
--- /dev/null
+++ b/FieldsMappings/database-alert_fields.md
@@ -0,0 +1,60 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: database-alert
+### New-Scale Activity Type: alert-trigger:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| database_object | db_object |
+| target_domain | dest_domain |
+| target_group | dest_group |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| database_name,
db_name | db_name |
+| database_schema,
schema | db_schema |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| os_user,
user | user |
\ No newline at end of file
diff --git a/FieldsMappings/database-delete_fields.md b/FieldsMappings/database-delete_fields.md
new file mode 100644
index 0000000..95b5322
--- /dev/null
+++ b/FieldsMappings/database-delete_fields.md
@@ -0,0 +1,58 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: database-delete
+### New-Scale Activity Type: database-delete:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| database_name | db_name |
+| database_object | db_object |
+| database_schema | db_schema |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| os_user,
user | user |
\ No newline at end of file
diff --git a/FieldsMappings/database-failed-login_fields.md b/FieldsMappings/database-failed-login_fields.md
new file mode 100644
index 0000000..d4aac44
--- /dev/null
+++ b/FieldsMappings/database-failed-login_fields.md
@@ -0,0 +1,62 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: database-failed-login
+### New-Scale Activity Type: database-login:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| database_id | db_id |
+| database_name | db_name |
+| database_object | db_object |
+| schema | db_schema |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| source_program | src_interface |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| reason,
failure_reason | failure_reason |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| os_user,
user | user |
+| sid,
user_sid | user_sid |
\ No newline at end of file
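Review bot: `reason` is mapped twice in this table, `reason | result_reason` and `reason, failure_reason | failure_reason`, so one incoming `reason` value has two targets; for a failed login keep `failure_reason` as the target of `reason` and `failure_reason`, or map `reason` only to `result_reason`, but not both. Two other rows need confirming: `source_program | src_interface` puts a client program name into a network-interface field, and `user_sid` goes both to `dest_user_sid` (`user_sid, target_user_sid | dest_user_sid`) and to `user_sid` (`sid, user_sid | user_sid`).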
diff --git a/FieldsMappings/database-login_fields.md b/FieldsMappings/database-login_fields.md
new file mode 100644
index 0000000..6af14ac
--- /dev/null
+++ b/FieldsMappings/database-login_fields.md
@@ -0,0 +1,60 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: database-login
+### New-Scale Activity Type: database-login:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| database_id | db_id |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| user_group | user_group_name |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| database_name,
db_name | db_name |
+| schema,
db_schema,
database_schema | db_schema |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| os_user,
user | user |
\ No newline at end of file
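Review bot: `schema, db_schema, database_schema | db_schema` is the most complete alias list for the schema field in this change; the sibling tables list only one or two of these (database-access_fields.md `schema`, database-delete_fields.md `database_schema`, database-query_fields.md `database_schema, schema`), so unless each event type has a different source they should adopt this row. As elsewhere, `directory` sits in both the `file_dir` and `process_dir` rows and the multi-alias cells contain embedded line breaks that will not render as table rows.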
diff --git a/FieldsMappings/database-query_fields.md b/FieldsMappings/database-query_fields.md
new file mode 100644
index 0000000..c3b3165
--- /dev/null
+++ b/FieldsMappings/database-query_fields.md
@@ -0,0 +1,62 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: database-query
+### New-Scale Activity Type: database-query:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| database_id | db_id |
+| database_name | db_name |
+| database_object | db_object |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| source_program | src_interface |
+| target_sha256 | target_hash_sha256 |
+| user_group | user_group_name |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| database_schema,
schema | db_schema |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| os_user,
user | user |
\ No newline at end of file
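Review bot: `database-query` is mapped to `database-query:fail` although the event type has no `-failed` suffix; in this change the failed variants are named explicitly (`database-failed-login` to `database-login:fail`, `database-activity-failed` to `database-activity:fail`), so this looks like a copy/paste slip and should be `database-query:success`. `source_program | src_interface` has the same semantic mismatch as in database-failed-login_fields.md (a program name in an interface field).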
diff --git a/FieldsMappings/database-update_fields.md b/FieldsMappings/database-update_fields.md
new file mode 100644
index 0000000..5f102cf
--- /dev/null
+++ b/FieldsMappings/database-update_fields.md
@@ -0,0 +1,58 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: database-update
+### New-Scale Activity Type: database-modify:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| database_name | db_name |
+| database_object | db_object |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| database_schema,
schema | db_schema |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| os_user,
user | user |
\ No newline at end of file
diff --git a/FieldsMappings/dcom-activation-failed_fields.md b/FieldsMappings/dcom-activation-failed_fields.md
new file mode 100644
index 0000000..654f120
--- /dev/null
+++ b/FieldsMappings/dcom-activation-failed_fields.md
@@ -0,0 +1,57 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: dcom-activation-failed
+### New-Scale Activity Type: dcom-activate:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| appid | app_id |
+| clsid | cls_id |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| user_sid,
sid | user_sid |
\ No newline at end of file
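Review bot: `user_sid` is mapped to two different new-scale fields in this table: `| user_sid, target_user_sid | dest_user_sid |` and, further down, `| user_sid, sid | user_sid |`. A converter reading this table cannot decide where an incoming `user_sid` goes; keep `user_sid` only in the `user_sid` row and leave `target_user_sid` as the sole source for `dest_user_sid`, or document the precedence the converter applies when one old field appears in several rows.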
diff --git a/FieldsMappings/dlp-alert_fields.md b/FieldsMappings/dlp-alert_fields.md
new file mode 100644
index 0000000..cc71a13
--- /dev/null
+++ b/FieldsMappings/dlp-alert_fields.md
@@ -0,0 +1,64 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: dlp-alert
+### New-Scale Activity Type: alert-trigger:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| recipients | email_recipients |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| rules | rule |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| threat_score,
score,
risk_score | original_risk_score |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
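Review bot: the new-scale field `rule` is the target of two separate rows, `| rules | rule |` and `| rule, rule_name | rule |`; merge them into one row (`rules, rule, rule_name`) so each target field appears once, as it does elsewhere in the table. Since this is the only file in the patch that maps a risk score (`threat_score, score, risk_score` to `original_risk_score`), a short note on the expected scale of that value would help whoever consumes it downstream.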
diff --git a/FieldsMappings/dlp-email-alert-in-failed_fields.md b/FieldsMappings/dlp-email-alert-in-failed_fields.md
new file mode 100644
index 0000000..5b2bbd5
--- /dev/null
+++ b/FieldsMappings/dlp-email-alert-in-failed_fields.md
@@ -0,0 +1,64 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: dlp-email-alert-in-failed
+### New-Scale Activity Type: email-receive:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| external_domain_recipient | dest_email_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| recipients | email_recipients |
+| subject | email_subject |
+| log_type | event_category |
+| url | file_url |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| app,
app_name | app |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| external_domain_sender,
email_domain | email_domain |
+| sub_event_type,
event_subtype | event_subtype |
+| failure_code,
failure_reason | failure_code |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| user,
suser | user |
\ No newline at end of file
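Review bot: `url` is mapped twice, to `file_url` (`| url | file_url |`) and to `url` (`| full_url, url | url |`); pick one target for the bare `url` field, or state which row wins, because the table gives no precedence rule and a DLP email alert commonly carries exactly one of these.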
diff --git a/FieldsMappings/dlp-email-alert-in_fields.md b/FieldsMappings/dlp-email-alert-in_fields.md
new file mode 100644
index 0000000..af590c8
--- /dev/null
+++ b/FieldsMappings/dlp-email-alert-in_fields.md
@@ -0,0 +1,65 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: dlp-email-alert-in
+### New-Scale Activity Type: email-receive:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| external_domain_recipient | dest_email_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| recipients | email_recipients |
+| subject | email_subject |
+| log_type | event_category |
+| url | file_url |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| result_code | http_response_code |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| app,
app_name | app |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| external_domain_sender,
email_domain | email_domain |
+| sub_event_type,
event_subtype | event_subtype |
+| failure_code,
failure_reason,
reason | failure_code |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| user,
suser | user |
\ No newline at end of file
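Review bot: `reason` is mapped to two targets: `| reason | result_reason |` and `| failure_code, failure_reason, reason | failure_code |`. Beyond the ambiguity, folding `reason` into `failure_code` in this `:success` file while the `:fail` file (`dlp-email-alert-in-failed`) lists only `failure_code, failure_reason` looks inverted, and a free-text reason is a poor fit for a field named `failure_code`. Drop `reason` from the `failure_code` row in both variants and let it map to `result_reason` only.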
diff --git a/FieldsMappings/dlp-email-alert-out-failed_fields.md b/FieldsMappings/dlp-email-alert-out-failed_fields.md
new file mode 100644
index 0000000..d76c787
--- /dev/null
+++ b/FieldsMappings/dlp-email-alert-out-failed_fields.md
@@ -0,0 +1,64 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: dlp-email-alert-out-failed
+### New-Scale Activity Type: email-send:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| external_domain_recipient | dest_email_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| recipients | email_recipients |
+| subject | email_subject |
+| log_type | event_category |
+| url | file_url |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| app,
app_name | app |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| external_domain_sender,
email_domain | email_domain |
+| sub_event_type,
event_subtype | event_subtype |
+| failure_code,
failure_reason | failure_code |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| user,
suser | user |
\ No newline at end of file
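Review bot: this table is row-for-row identical to `dlp-email-alert-in-failed_fields.md` apart from the activity type, including the double mapping of `url` (`| url | file_url |` and `| full_url, url | url |`); whatever resolution is chosen there should be applied here as well. If these files are generated from a shared template, fixing the template once avoids the copies drifting apart.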
diff --git a/FieldsMappings/dlp-email-alert-out_fields.md b/FieldsMappings/dlp-email-alert-out_fields.md
new file mode 100644
index 0000000..32f96b2
--- /dev/null
+++ b/FieldsMappings/dlp-email-alert-out_fields.md
@@ -0,0 +1,65 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: dlp-email-alert-out
+### New-Scale Activity Type: email-send:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| external_domain_recipient | dest_email_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| recipients | email_recipients |
+| subject | email_subject |
+| log_type | event_category |
+| url | file_url |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| result_code | http_response_code |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| app,
app_name | app |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| external_domain_sender,
email_domain | email_domain |
+| sub_event_type,
event_subtype | event_subtype |
+| failure_code,
failure_reason,
reason | failure_code |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| user,
suser | user |
\ No newline at end of file
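Review bot: the same `reason` double mapping as in `dlp-email-alert-in_fields.md` is present here (`| reason | result_reason |` alongside `| failure_code, failure_reason, reason | failure_code |`); resolve both files the same way. Also, `| result_code | http_response_code |` appears in this `:success` file but not in `dlp-email-alert-out-failed_fields.md`; a failed send is at least as likely to carry a response code, so check whether the omission in the failed variant is intentional.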
diff --git a/FieldsMappings/dns-query_fields.md b/FieldsMappings/dns-query_fields.md
new file mode 100644
index 0000000..7195c38
--- /dev/null
+++ b/FieldsMappings/dns-query_fields.md
@@ -0,0 +1,60 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: dns-query
+### New-Scale Activity Type: dns-request:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| query | dns_query |
+| query_flags | dns_query_flags |
+| query_type | dns_query_type |
+| response | dns_response |
+| response_flags | dns_response_flags |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
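Review bot: the activity type `dns-request:fail` assigns a failure outcome to the plain `dns-query` event type, whose name carries no outcome qualifier; every other unqualified event in this patch (`dlp-alert`, `ds-access`, `email_rule-create`) maps to `:success`. Unless queries in the old model were only recorded on failure, this should be `dns-request:success`, or the outcome should be derived from the `| result, outcome | result |` row rather than fixed in the heading.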
diff --git a/FieldsMappings/dns-response_fields.md b/FieldsMappings/dns-response_fields.md
new file mode 100644
index 0000000..a341ef9
--- /dev/null
+++ b/FieldsMappings/dns-response_fields.md
@@ -0,0 +1,61 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: dns-response
+### New-Scale Activity Type: dns-response:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| query | dns_query |
+| query_flags | dns_query_flags |
+| query_type | dns_query_type |
+| response | dns_response |
+| response_flags | dns_response_flags |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| failure_reason,
reason | failure_reason |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
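Review bot: same concern as for `dns-query`: `dns-response:fail` hard-codes a failure outcome for an unqualified event type. Separately, `reason` is mapped both to `result_reason` (`| reason | result_reason |`) and to `failure_reason` (`| failure_reason, reason | failure_reason |`); keep it in one row, and if `failure_reason` is meant to be populated only when the outcome is a failure, say so in the file.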
diff --git a/FieldsMappings/ds-access_fields.md b/FieldsMappings/ds-access_fields.md
new file mode 100644
index 0000000..464f8d9
--- /dev/null
+++ b/FieldsMappings/ds-access_fields.md
@@ -0,0 +1,61 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: ds-access
+### New-Scale Activity Type: ds_object-activity:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| object_class | ds_object_class |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
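Review bot: `directory` appears as a source in two rows, `| directory, file_dir, file_parent, f_parent | file_dir |` and `| process_directory, directory | process_dir |`, so an event carrying only `directory` has no single destination; this pair recurs in every table visible in this patch. Decide which meaning bare `directory` has for each event type (the file directory is the more natural reading for a directory-service access event) and drop it from the other row.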
diff --git a/FieldsMappings/email_rule-create_fields.md b/FieldsMappings/email_rule-create_fields.md
new file mode 100644
index 0000000..83056ad
--- /dev/null
+++ b/FieldsMappings/email_rule-create_fields.md
@@ -0,0 +1,71 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: email_rule-create
+### New-Scale Activity Type: email_rule-create:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| action,
activity_action | action |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| http_response_code,
result,
response_code,
result_code | http_response_code |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| account_dn,
user_dn | user_dn |
+| user_id,
sid | user_id |
+| account_type,
user_type | user_type |
\ No newline at end of file
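Review bot: `result` is mapped to two different targets: `| http_response_code, result, response_code, result_code | http_response_code |` and `| result, outcome | result |`. An HTTP status and a success/failure outcome are different things, and the table gives no rule for which wins when an event carries `result`; remove `result` from the `http_response_code` row. Note also that `activity` has moved from the standalone `| activity | operation |` row used in the other tables into `| operation, activity | operation |` here, which works but is inconsistent.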
diff --git a/FieldsMappings/email_rule-delete_fields.md b/FieldsMappings/email_rule-delete_fields.md
new file mode 100644
index 0000000..ce3ee74
--- /dev/null
+++ b/FieldsMappings/email_rule-delete_fields.md
@@ -0,0 +1,71 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: email_rule-delete
+### New-Scale Activity Type: email_rule-delete:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| action,
activity_action | action |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| http_response_code,
result,
response_code,
result_code | http_response_code |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| account_dn,
user_dn | user_dn |
+| user_id,
sid | user_id |
+| account_type,
user_type | user_type |
\ No newline at end of file
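Review bot: `sid` is mapped to `user_id` here (`| user_id, sid | user_id |`), whereas `dcom-activation-failed_fields.md` in this same patch maps it to `user_sid` (`| user_sid, sid | user_sid |`); `user_id` and `user_sid` are distinct new-scale fields, so the two tables should agree on where `sid` lands or the file should explain why they differ. The `result` double mapping flagged in the create file is present here as well.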
diff --git a/FieldsMappings/email_rule-disable_fields.md b/FieldsMappings/email_rule-disable_fields.md
new file mode 100644
index 0000000..4e0cbe0
--- /dev/null
+++ b/FieldsMappings/email_rule-disable_fields.md
@@ -0,0 +1,71 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: email_rule-disable
+### New-Scale Activity Type: app-activity:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| action,
activity_action | action |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| http_response_code,
result,
response_code,
result_code | http_response_code |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| account_dn,
user_dn | user_dn |
+| user_id,
sid | user_id |
+| account_type,
user_type | user_type |
\ No newline at end of file
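Review bot: the same legacy field is mapped to two different new fields in this table, which leaves the translator no single answer: `directory` appears in both the `file_dir` row (`| directory, file_dir, file_parent, f_parent | file_dir |`) and the `process_dir` row (`| process_directory, directory | process_dir |`), and `result` appears in both the `http_response_code` row and the `result` row. Whichever row the mapper applies first wins and the other target is silently empty, so drop `directory` from the `process_dir` row and `result` from the `http_response_code` row, or state the precedence explicitly. Separately, the continuation lines of the multi-value rows (for example `activity_action | action |`) carry no `+` prefix while the hunk header counts one added line per row, which suggests the cells contain an embedded line-break character rather than a real newline; a Markdown table only renders when each row is on one line, so join them as `| action, activity_action | action |`.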
diff --git a/FieldsMappings/email_rule-enable_fields.md b/FieldsMappings/email_rule-enable_fields.md
new file mode 100644
index 0000000..73d68e1
--- /dev/null
+++ b/FieldsMappings/email_rule-enable_fields.md
@@ -0,0 +1,71 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: email_rule-enable
+### New-Scale Activity Type: app-activity:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| action,
activity_action | action |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| http_response_code,
result,
response_code,
result_code | http_response_code |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| account_dn,
user_dn | user_dn |
+| user_id,
sid | user_id |
+| account_type,
user_type | user_type |
\ No newline at end of file
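Review bot: the activity type on the header line `### New-Scale Activity Type: app-activity:success` folds an email rule enable into the generic app-activity type, while the neighbouring `email_rule-modify` file maps to `email_rule-modify:success`. If that is intentional it deserves a sentence of explanation, because a detection that keys on email rule changes would only see modifications and not enables; if not, `email_rule-enable:success` matches the sibling. The table also inherits the double mappings of `directory` (`file_dir` and `process_dir`) and `result` (`http_response_code` and `result`), and the file is committed without a trailing newline (`\ No newline at end of file`).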
diff --git a/FieldsMappings/email_rule-modify_fields.md b/FieldsMappings/email_rule-modify_fields.md
new file mode 100644
index 0000000..1f11aaf
--- /dev/null
+++ b/FieldsMappings/email_rule-modify_fields.md
@@ -0,0 +1,71 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: email_rule-modify
+### New-Scale Activity Type: email_rule-modify:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| action,
activity_action | action |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| http_response_code,
result,
response_code,
result_code | http_response_code |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| account_dn,
user_dn | user_dn |
+| user_id,
sid | user_id |
+| account_type,
user_type | user_type |
\ No newline at end of file
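Review bot: the multi-value rows are split across displayed lines whose continuations lack the `+` prefix, for example `+| bytes,` followed by `bytes_num,`, `bytes_size,` and `file_size | bytes |`, even though the hunk header announces 71 added lines; the cells appear to contain a stray line-break character, which both confuses the diff and stops the Markdown table from rendering past the first such row. Put each row on one line with comma-separated sources. The `directory` and `result` legacy fields are also listed under two targets each (`file_dir` and `process_dir`, `http_response_code` and `result`), so decide which target owns them. Also note the misspelt source `bytes_recieved`: if the legacy product really emits that spelling the row is correct, but it is worth confirming, since the mapping is an exact-match lookup.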
diff --git a/FieldsMappings/failed-app-login_fields.md b/FieldsMappings/failed-app-login_fields.md
new file mode 100644
index 0000000..376b732
--- /dev/null
+++ b/FieldsMappings/failed-app-login_fields.md
@@ -0,0 +1,65 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: failed-app-login
+### New-Scale Activity Type: app-login:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| user_group | user_group_name |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| failure_reason,
reason | failure_reason |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| group_name,
group | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| login_type,
logon_type,
logon_type_text | login_type_text |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| url,
full_url | url |
+| sid,
user_sid,
user_id | user_sid |
\ No newline at end of file
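Review bot: several legacy fields are mapped twice in this table, which is ambiguous for the translator and especially unfortunate on a failed-login event where the reason is the field an analyst reads first: `reason` maps to `result_reason` (`| reason | result_reason |`) and also to `failure_reason` (`| failure_reason, reason | failure_reason |`); `logon_type` maps to `login_type` and also, in `| login_type, logon_type, logon_type_text | login_type_text |`, to `login_type_text`; and `user_sid` maps to `dest_user_sid` and also to `user_sid`. The last row, `| sid, user_sid, user_id | user_sid |`, also sends `user_id` to `user_sid`, whereas the email_rule tables in this patch use `| user_id, sid | user_id |`; pick one convention so the same legacy record does not land in different fields depending on event type. One row per legacy field would remove all of these conflicts.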
diff --git a/FieldsMappings/failed-ds-access_fields.md b/FieldsMappings/failed-ds-access_fields.md
new file mode 100644
index 0000000..21beb03
--- /dev/null
+++ b/FieldsMappings/failed-ds-access_fields.md
@@ -0,0 +1,61 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: failed-ds-access
+### New-Scale Activity Type: ds_object-activity:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| object_class | ds_object_class |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
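Review bot: `directory` is mapped to both `file_dir` (`| directory, file_dir, file_parent, f_parent | file_dir |`) and `process_dir` (`| process_directory, directory | process_dir |`), so one of the two targets will never be populated; remove it from one row. A question on the directory-service rows: `object_dn` and `object_ou` are mapped to `src_ds_object_dn` and `src_ds_object_ou`, but on a failed ds_object access the object is normally the thing being accessed, i.e. the destination side; if the model has a `dest_ds_object_*` pair, confirm which side is meant, because the choice decides which column a rule on access failures against sensitive objects has to query. The multi-value rows should also each sit on a single line so the Markdown table renders.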
diff --git a/FieldsMappings/failed-logon_fields.md b/FieldsMappings/failed-logon_fields.md
new file mode 100644
index 0000000..44e1034
--- /dev/null
+++ b/FieldsMappings/failed-logon_fields.md
@@ -0,0 +1,62 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: failed-logon
+### New-Scale Activity Type: endpoint-authentication:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| database_name | db_name |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| account_type | user_type |
+| account_used_id,
account_id | account_id |
+| description,
additional_info | additional_info |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| login_type,
logon_type_text,
logon_type | login_type_text |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
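Review bot: `logon_type` is mapped twice, to `login_type` in `| logon_type | login_type |` and to `login_type_text` in `| login_type, logon_type_text, logon_type | login_type_text |`; for an endpoint-authentication failure the numeric logon type is a common detection pivot (interactive versus network versus service), so it should have exactly one target. `directory` likewise appears under both `file_dir` and `process_dir`. The `| database_name | db_name |` row on an endpoint-authentication mapping looks copied from a database template; harmless if the source never emits it, but worth removing to keep the table honest. The multi-value rows need to be on single lines for the table to render.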
diff --git a/FieldsMappings/failed-physical-access_fields.md b/FieldsMappings/failed-physical-access_fields.md
new file mode 100644
index 0000000..aac5fec
--- /dev/null
+++ b/FieldsMappings/failed-physical-access_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: failed-physical-access
+### New-Scale Activity Type: physical_location-access:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| blockinggroupname | blocking_group_name |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| user_firstname,
first_name | first_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| user_lastname,
last_name | last_name |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| reason,
outcome_reason | result_reason |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
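Review bot: this table has no row for the event identifier (`record_id` to `event_id`) and none for `logon_id`, `logon_type`, `policy` or `reason`, all of which every other `failed-*` table in this patch carries; if the physical-access source emits `record_id`, the event loses the identifier a responder needs to correlate badge denials with the raw log, so either add the row or note that the source has no such field. `directory` is again mapped to both `file_dir` and `process_dir`. The multi-value rows should be joined onto single lines, and the file should end with a newline.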
diff --git a/FieldsMappings/failed-usb-activity_fields.md b/FieldsMappings/failed-usb-activity_fields.md
new file mode 100644
index 0000000..ad99a67
--- /dev/null
+++ b/FieldsMappings/failed-usb-activity_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: failed-usb-activity
+### New-Scale Activity Type: peripheral_storage-activity:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
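Review bot: the row `| login_id | login_id |` looks like a typo for `| logon_id | login_id |`, which is the spelling every other table in this patch uses for the legacy field; as written it is an identity mapping that will never match a legacy `logon_id` and the session identifier is dropped. Also missing against the sibling tables is a `record_id` to `event_id` row. `directory` sits under both `file_dir` and `process_dir`, and the multi-value rows need joining onto single lines for the table to render.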
diff --git a/FieldsMappings/failed-vpn-login_fields.md b/FieldsMappings/failed-vpn-login_fields.md
new file mode 100644
index 0000000..f81ac40
--- /dev/null
+++ b/FieldsMappings/failed-vpn-login_fields.md
@@ -0,0 +1,62 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: failed-vpn-login
+### New-Scale Activity Type: vpn-login:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| user_group | user_group_name |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| bytes_sent,
bytes_out | bytes_out |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| record_id,
event_id,
log_id | event_id |
+| sub_event_type,
event_subtype | event_subtype |
+| failure_code,
failure_reason,
reason | failure_code |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| group_name,
group | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
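Review bot: `reason` is mapped to `result_reason` (`| reason | result_reason |`) and also, via `| failure_code, failure_reason, reason | failure_code |`, to `failure_code`, so the translator has two targets for one source; on top of that, folding the free-text `failure_reason` and `reason` into a field named `failure_code` mixes text with a code and makes a rule that filters on a numeric VPN failure code fragile. Keep `failure_code` for codes only and send the text fields to `result_reason` (or `failure_reason`, as the failed-app-login table does). `directory` is again listed under both `file_dir` and `process_dir`, and the multi-value rows should each be one line.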
diff --git a/FieldsMappings/file-alert_fields.md b/FieldsMappings/file-alert_fields.md
new file mode 100644
index 0000000..92b7fdf
--- /dev/null
+++ b/FieldsMappings/file-alert_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: file-alert
+### New-Scale Activity Type: alert-trigger:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_file_parent,
src_file_dir | src_file_dir |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
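Review bot: for an alert-trigger mapping this table carries no row for the event identifier (`record_id` to `event_id`) or for `logon_id`, both present in the file-close and file-download tables of this patch; an alert without its source identifier is hard to tie back to the triggering record during triage, so add the row if the source emits it. `directory` is mapped to both `file_dir` and `process_dir` and should appear in only one row. The multi-value rows need to be on single lines for the Markdown table to render.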
diff --git a/FieldsMappings/file-close_fields.md b/FieldsMappings/file-close_fields.md
new file mode 100644
index 0000000..3e2c4ef
--- /dev/null
+++ b/FieldsMappings/file-close_fields.md
@@ -0,0 +1,60 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: file-close
+### New-Scale Activity Type: file-close:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| parent_pid | parent_process_id |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_file_parent,
src_file_dir | src_file_dir |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
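Review bot: `directory` is mapped to both `file_dir` (`| directory, file_dir, file_parent, f_parent | file_dir |`) and `process_dir` (`| process_directory, directory | process_dir |`); on a file event the file directory is the likelier intent, so drop it from the `process_dir` row or document the precedence. The `| parent_pid | parent_process_id |` row is a welcome addition that the earlier tables lack; consider adding it to them as well for consistency. The multi-value rows should be joined onto single lines, and the file should end with a newline.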
diff --git a/FieldsMappings/file-delete_fields.md b/FieldsMappings/file-delete_fields.md
new file mode 100644
index 0000000..e4827a9
--- /dev/null
+++ b/FieldsMappings/file-delete_fields.md
@@ -0,0 +1,64 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: file-delete
+### New-Scale Activity Type: file-delete:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| dest_service | dest_service_name |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| url | file_url |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| parent_pid | parent_process_id |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_file_parent,
src_file_dir | src_file_dir |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
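Review bot: the header `### New-Scale Activity Type: file-delete:fail` gives a failure outcome to the plain `file-delete` event, while the sibling `file-close` and `file-download` files in this patch map their plain events to `:success`; unless the legacy `file-delete` type really only ever carried failed deletions, this should read `file-delete:success`, otherwise every successful deletion would be classified as a failed one and any rule on file deletion outcomes is inverted. Also note the pair `| url | file_url |` and `| full_url | url |`: legacy `url` becomes `file_url` here, whereas the email_rule tables map `url` to `url`; confirm the renaming is intended for file events. `directory` is again under both `file_dir` and `process_dir`.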
diff --git a/FieldsMappings/file-download_fields.md b/FieldsMappings/file-download_fields.md
new file mode 100644
index 0000000..4ce0762
--- /dev/null
+++ b/FieldsMappings/file-download_fields.md
@@ -0,0 +1,62 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: file-download
+### New-Scale Activity Type: file-download:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| parent_pid | parent_process_id |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| user_group | user_group_name |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_file_parent,
src_file_dir | src_file_dir |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| user_sid,
sid | user_sid |
\ No newline at end of file
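Review bot: `user_sid` is mapped to two different new-scale fields in this table (`user_sid, target_user_sid | dest_user_sid` and `user_sid, sid | user_sid`), and `directory` is likewise listed under both `file_dir` and `process_dir`; a one-to-many mapping is ambiguous for whatever consumes these files, so keep each old field in exactly one row or state which target wins. Also confirm that `bytes_recieved` is the actual legacy spelling and not a typo for bytes_received, since a misspelled key will never match.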
diff --git a/FieldsMappings/file-move_fields.md b/FieldsMappings/file-move_fields.md
new file mode 100644
index 0000000..6898287
--- /dev/null
+++ b/FieldsMappings/file-move_fields.md
@@ -0,0 +1,63 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: file-move
+### New-Scale Activity Type: file-move:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| dest_service | dest_service_name |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| file_uri | file_url |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| parent_pid,
parent_process_id | parent_process_id |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_file_parent,
src_file_dir | src_file_dir |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| uid,
user_uid,
uuid | user_uid |
\ No newline at end of file
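Review bot: `directory` appears under both `file_dir` and `process_dir` here, so that key has no single target. The `uid, user_uid, uuid | user_uid` row also folds a generic `uuid` into the user identifier, which is too broad if any legacy file-move event used `uuid` for another object's id; confirm before merging.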
diff --git a/FieldsMappings/file-permission-change_fields.md b/FieldsMappings/file-permission-change_fields.md
new file mode 100644
index 0000000..2cafcac
--- /dev/null
+++ b/FieldsMappings/file-permission-change_fields.md
@@ -0,0 +1,61 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: file-permission-change
+### New-Scale Activity Type: file-permission-modify:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| parent_pid,
parent_process_id | parent_process_id |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_file_parent,
src_file_dir | src_file_dir |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
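Review bot: `directory` is listed in both the `file_dir` row and the `process_dir` row. For a permission-change event the file meaning is presumably intended, so drop it from the `process_dir` row or add the precedence rule to the intro sentence.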
diff --git a/FieldsMappings/file-read_fields.md b/FieldsMappings/file-read_fields.md
new file mode 100644
index 0000000..a47b7e2
--- /dev/null
+++ b/FieldsMappings/file-read_fields.md
@@ -0,0 +1,63 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: file-read
+### New-Scale Activity Type: file-read:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| conn_uids | connection_uid |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| file_uri | file_url |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| source | legacy_product |
+| logon_id | login_id |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| user_firstname,
first_name | first_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| last_name,
user_lastname | last_name |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| parent_pid,
parent_process_id | parent_process_id |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_file_parent,
src_file_dir | src_file_dir |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
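Review bot: the New-Scale Activity Type here is `file-read:fail`, while every other file mapping in this patch targets a `:success` variant; if file-read events also cover successful reads, this heading is wrong or a second mapping is missing, so please confirm. The `directory` double mapping (`file_dir` and `process_dir`) is present here as well.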
diff --git a/FieldsMappings/file-share_fields.md b/FieldsMappings/file-share_fields.md
new file mode 100644
index 0000000..3aa8771
--- /dev/null
+++ b/FieldsMappings/file-share_fields.md
@@ -0,0 +1,62 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: file-share
+### New-Scale Activity Type: file-share:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| file_uri | file_url |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| parent_pid,
parent_process_id | parent_process_id |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_file_parent,
src_file_dir | src_file_dir |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| uid,
user_uid,
uuid | user_uid |
\ No newline at end of file
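Review bot: `directory` is mapped to both `file_dir` and `process_dir`, and `uuid` is folded into `user_uid`, so two old fields have ambiguous or over-broad targets. Separately, `full_url` is paired with `url` in one row here but stands alone in file-download_fields.md; functionally harmless, but worth aligning so the tables stay consistent.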
diff --git a/FieldsMappings/file-upload_fields.md b/FieldsMappings/file-upload_fields.md
new file mode 100644
index 0000000..bf84e7c
--- /dev/null
+++ b/FieldsMappings/file-upload_fields.md
@@ -0,0 +1,61 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: file-upload
+### New-Scale Activity Type: file-share:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| parent_pid | parent_process_id |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_file_parent,
src_file_dir | src_file_dir |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
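Review bot: the heading maps old type `file-upload` to `file-share:success`, the same target as file-share_fields.md; this reads like a copy of that file, so confirm upload events are deliberately folded into file-share rather than given their own activity type. The body also repeats the `directory` double mapping (`file_dir` and `process_dir`).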
diff --git a/FieldsMappings/file-write_fields.md b/FieldsMappings/file-write_fields.md
new file mode 100644
index 0000000..3a99e9b
--- /dev/null
+++ b/FieldsMappings/file-write_fields.md
@@ -0,0 +1,63 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: file-write
+### New-Scale Activity Type: file-create:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| file_uri | file_url |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| parent_pid,
parent_process_id | parent_process_id |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_file_parent,
src_file_dir | src_file_dir |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| uid,
user_uid,
uuid | user_uid |
\ No newline at end of file
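Review bot: mapping `file-write` to `file-create:success` collapses writes to existing files into creation events; if the new-scale model has a separate modify/write activity type, use it, otherwise document the collapse in the intro sentence. `directory` is again listed under both `file_dir` and `process_dir`.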
diff --git a/FieldsMappings/gcp-bucket-create_fields.md b/FieldsMappings/gcp-bucket-create_fields.md
new file mode 100644
index 0000000..47bf54b
--- /dev/null
+++ b/FieldsMappings/gcp-bucket-create_fields.md
@@ -0,0 +1,42 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: gcp-bucket-create
+### New-Scale Activity Type: bucket-create:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| src_domain,
caller_domain | src_domain |
+| src_user,
caller_user | src_user |
\ No newline at end of file
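Review bot: `directory` appears under both `file_dir` and `process_dir` (the `directory | process_dir |` cell follows the `file_dir` row that already lists it), so the mapping is ambiguous; keep it in one row. The `operation, activity | operation` row maps `operation` to itself, which is harmless but can be trimmed.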
diff --git a/FieldsMappings/gcp-compute-list_fields.md b/FieldsMappings/gcp-compute-list_fields.md
new file mode 100644
index 0000000..6884860
--- /dev/null
+++ b/FieldsMappings/gcp-compute-list_fields.md
@@ -0,0 +1,42 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: gcp-compute-list
+### New-Scale Activity Type: disk-list:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| src_domain,
caller_domain | src_domain |
+| src_user,
caller_user | src_user |
\ No newline at end of file
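Review bot: old type `gcp-compute-list` is mapped to `disk-list:success`, but the old name suggests a compute instance listing rather than a disk listing; confirm the target activity type. The body is otherwise identical to gcp-bucket-create_fields.md, including `bucket | bucket_name`, which a compute list event is unlikely to carry.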
diff --git a/FieldsMappings/gcp-disk-attach_fields.md b/FieldsMappings/gcp-disk-attach_fields.md
new file mode 100644
index 0000000..0edf2c9
--- /dev/null
+++ b/FieldsMappings/gcp-disk-attach_fields.md
@@ -0,0 +1,42 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: gcp-disk-attach
+### New-Scale Activity Type: disk-attach:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| src_domain,
caller_domain | src_domain |
+| src_user,
caller_user | src_user |
\ No newline at end of file
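Review bot: this table is a verbatim copy of the gcp-bucket-create one with only the headings changed, so it inherits `bucket | bucket_name` and the duplicate `directory` mapping (`file_dir` and `process_dir`); trim the rows a disk-attach event does not carry, or generate the GCP tables from one shared template so a fix lands in all of them at once.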
diff --git a/FieldsMappings/gcp-disk-create_fields.md b/FieldsMappings/gcp-disk-create_fields.md
new file mode 100644
index 0000000..310b81e
--- /dev/null
+++ b/FieldsMappings/gcp-disk-create_fields.md
@@ -0,0 +1,42 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: gcp-disk-create
+### New-Scale Activity Type: disk-create:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| src_domain,
caller_domain | src_domain |
+| src_user,
caller_user | src_user |
\ No newline at end of file
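Review bot: identical body to gcp-disk-attach_fields.md. If the shared rows are intentional, a single common GCP mapping referenced from each file would be easier to maintain than hand-copied tables, and the `directory` double mapping (`file_dir` and `process_dir`) would then be fixed in one place.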
diff --git a/FieldsMappings/gcp-function-write_fields.md b/FieldsMappings/gcp-function-write_fields.md
new file mode 100644
index 0000000..8b40ce7
--- /dev/null
+++ b/FieldsMappings/gcp-function-write_fields.md
@@ -0,0 +1,42 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: gcp-function-write
+### New-Scale Activity Type: function-write:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| src_domain,
caller_domain | src_domain |
+| src_user,
caller_user | src_user |
\ No newline at end of file
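Review bot: the target is `function-write:success`, yet the table carries only the generic GCP rows and nothing specific to a function write; confirm no function-specific legacy field is being dropped by reusing the template unchanged.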
diff --git a/FieldsMappings/gcp-general-activity_fields.md b/FieldsMappings/gcp-general-activity_fields.md
new file mode 100644
index 0000000..35ef9c5
--- /dev/null
+++ b/FieldsMappings/gcp-general-activity_fields.md
@@ -0,0 +1,42 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: gcp-general-activity
+### New-Scale Activity Type: app-activity:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| src_domain,
caller_domain | src_domain |
+| src_user,
caller_user | src_user |
\ No newline at end of file
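Review bot: the heading fixes the status suffix to `app-activity:success` while the table still maps `result, outcome | result`; if a general activity event can carry a failure outcome, the suffix should be derived from `result` at conversion time rather than hardcoded, and the intro sentence should say so.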
diff --git a/FieldsMappings/gcp-image-create_fields.md b/FieldsMappings/gcp-image-create_fields.md
new file mode 100644
index 0000000..5d8f909
--- /dev/null
+++ b/FieldsMappings/gcp-image-create_fields.md
@@ -0,0 +1,42 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: gcp-image-create
+### New-Scale Activity Type: image-create:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| src_domain,
caller_domain | src_domain |
+| src_user,
caller_user | src_user |
\ No newline at end of file
diff --git a/FieldsMappings/gcp-instance-create_fields.md b/FieldsMappings/gcp-instance-create_fields.md
new file mode 100644
index 0000000..2135d0c
--- /dev/null
+++ b/FieldsMappings/gcp-instance-create_fields.md
@@ -0,0 +1,42 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: gcp-instance-create
+### New-Scale Activity Type: endpoint-create:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| src_domain,
caller_domain | src_domain |
+| src_user,
caller_user | src_user |
\ No newline at end of file
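Review bot: the table for `gcp-instance-create` (mapped to `endpoint-create:success`) carries a set of process- and email-oriented legacy fields (`sha256_at`, `parent_sha256hash`, `command_line`, `parent_process_cmd`, `process_path`, `sender`, `src_email_address`) that a Compute Engine audit event is unlikely to emit; unless the GCP parser really populates them, trim the table to the fields this event type produces so the document describes the actual output rather than a shared boilerplate. Minor: the file ends without a trailing newline (`\ No newline at end of file`), as do the other new files in this patch.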
diff --git a/FieldsMappings/gcp-instance-screenshot_fields.md b/FieldsMappings/gcp-instance-screenshot_fields.md
new file mode 100644
index 0000000..2a7a021
--- /dev/null
+++ b/FieldsMappings/gcp-instance-screenshot_fields.md
@@ -0,0 +1,42 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: gcp-instance-screenshot
+### New-Scale Activity Type: endpoint-screenshot:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| src_domain,
caller_domain | src_domain |
+| src_user,
caller_user | src_user |
\ No newline at end of file
diff --git a/FieldsMappings/gcp-instance-setmachinetype_fields.md b/FieldsMappings/gcp-instance-setmachinetype_fields.md
new file mode 100644
index 0000000..230e0d7
--- /dev/null
+++ b/FieldsMappings/gcp-instance-setmachinetype_fields.md
@@ -0,0 +1,42 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: gcp-instance-setmachinetype
+### New-Scale Activity Type: endpoint-modify:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| src_domain,
caller_domain | src_domain |
+| src_user,
caller_user | src_user |
\ No newline at end of file
diff --git a/FieldsMappings/gcp-instance-setmetadata_fields.md b/FieldsMappings/gcp-instance-setmetadata_fields.md
new file mode 100644
index 0000000..12c9c7a
--- /dev/null
+++ b/FieldsMappings/gcp-instance-setmetadata_fields.md
@@ -0,0 +1,42 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: gcp-instance-setmetadata
+### New-Scale Activity Type: endpoint-modify:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| src_domain,
caller_domain | src_domain |
+| src_user,
caller_user | src_user |
\ No newline at end of file
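Review bot: `gcp-instance-setmachinetype` and `gcp-instance-setmetadata` both collapse to `endpoint-modify:success`, so after mapping the only thing that distinguishes a machine-type change from a metadata change is the legacy value carried through `activity_type | operation_type`. State that explicitly in the header of both files, since a detection author reading the new-scale type alone would not know the original operation is still available in `operation_type`.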
diff --git a/FieldsMappings/gcp-policy-write_fields.md b/FieldsMappings/gcp-policy-write_fields.md
new file mode 100644
index 0000000..881c736
--- /dev/null
+++ b/FieldsMappings/gcp-policy-write_fields.md
@@ -0,0 +1,42 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: gcp-policy-write
+### New-Scale Activity Type: bucket-permission-modify:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| src_domain,
caller_domain | src_domain |
+| src_user,
caller_user | src_user |
\ No newline at end of file
diff --git a/FieldsMappings/gcp-role-list_fields.md b/FieldsMappings/gcp-role-list_fields.md
new file mode 100644
index 0000000..195baae
--- /dev/null
+++ b/FieldsMappings/gcp-role-list_fields.md
@@ -0,0 +1,43 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: gcp-role-list
+### New-Scale Activity Type: role-list:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| role | role_name |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| src_domain,
caller_domain | src_domain |
+| src_user,
caller_user | src_user |
\ No newline at end of file
diff --git a/FieldsMappings/gcp-role-write_fields.md b/FieldsMappings/gcp-role-write_fields.md
new file mode 100644
index 0000000..6cd4ecd
--- /dev/null
+++ b/FieldsMappings/gcp-role-write_fields.md
@@ -0,0 +1,43 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: gcp-role-write
+### New-Scale Activity Type: role-create:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| role | role_name |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| src_domain,
caller_domain | src_domain |
+| src_user,
caller_user | src_user |
\ No newline at end of file
diff --git a/FieldsMappings/gcp-serviceaccount-creds-write_fields.md b/FieldsMappings/gcp-serviceaccount-creds-write_fields.md
new file mode 100644
index 0000000..5f3f290
--- /dev/null
+++ b/FieldsMappings/gcp-serviceaccount-creds-write_fields.md
@@ -0,0 +1,42 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: gcp-serviceaccount-creds-write
+### New-Scale Activity Type: user-key-create:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| src_domain,
caller_domain | src_domain |
+| src_user,
caller_user | src_user |
\ No newline at end of file
diff --git a/FieldsMappings/gcp-serviceaccount-write_fields.md b/FieldsMappings/gcp-serviceaccount-write_fields.md
new file mode 100644
index 0000000..8bdbcd4
--- /dev/null
+++ b/FieldsMappings/gcp-serviceaccount-write_fields.md
@@ -0,0 +1,42 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: gcp-serviceaccount-write
+### New-Scale Activity Type: user-create:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| src_domain,
caller_domain | src_domain |
+| src_user,
caller_user | src_user |
\ No newline at end of file
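Review bot: the "write" legacy event types are mapped inconsistently across this patch: `gcp-policy-write` goes to `bucket-permission-modify:success`, while `gcp-role-write` goes to `role-create:success`, `gcp-serviceaccount-write` to `user-create:success` and `gcp-serviceaccount-creds-write` to `user-key-create:success`. A write in an audit log normally covers both creation and update, so either the role and service-account writes should also map to a `-modify` type, or each file should say why its write is known to be a create.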
diff --git a/FieldsMappings/gcp-snapshot-create_fields.md b/FieldsMappings/gcp-snapshot-create_fields.md
new file mode 100644
index 0000000..f5221f7
--- /dev/null
+++ b/FieldsMappings/gcp-snapshot-create_fields.md
@@ -0,0 +1,42 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: gcp-snapshot-create
+### New-Scale Activity Type: snapshot-create:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| src_domain,
caller_domain | src_domain |
+| src_user,
caller_user | src_user |
\ No newline at end of file
diff --git a/FieldsMappings/gcp-storage-list_fields.md b/FieldsMappings/gcp-storage-list_fields.md
new file mode 100644
index 0000000..130f4ab
--- /dev/null
+++ b/FieldsMappings/gcp-storage-list_fields.md
@@ -0,0 +1,42 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: gcp-storage-list
+### New-Scale Activity Type: bucket-list:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| src_domain,
caller_domain | src_domain |
+| src_user,
caller_user | src_user |
\ No newline at end of file
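Review bot: `bucket-list:fail` at the top of the `gcp-storage-list` file is the only `:fail` outcome among the GCP mappings in this patch (every other file uses `:success`), yet the same table still maps `result, outcome | result`, which suggests the outcome is derived per event. Confirm that hard-coding `:fail` is intentional; if the outcome actually comes from `result`, say so in the header instead of fixing it to one value.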
diff --git a/FieldsMappings/gcp-storageobject-acl_fields.md b/FieldsMappings/gcp-storageobject-acl_fields.md
new file mode 100644
index 0000000..de855e7
--- /dev/null
+++ b/FieldsMappings/gcp-storageobject-acl_fields.md
@@ -0,0 +1,42 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: gcp-storageobject-acl
+### New-Scale Activity Type: file-permission-modify:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| src_domain,
caller_domain | src_domain |
+| src_user,
caller_user | src_user |
\ No newline at end of file
diff --git a/FieldsMappings/gcp-storageobject-read_fields.md b/FieldsMappings/gcp-storageobject-read_fields.md
new file mode 100644
index 0000000..d97a6c6
--- /dev/null
+++ b/FieldsMappings/gcp-storageobject-read_fields.md
@@ -0,0 +1,42 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: gcp-storageobject-read
+### New-Scale Activity Type: file-read:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| src_domain,
caller_domain | src_domain |
+| src_user,
caller_user | src_user |
\ No newline at end of file
diff --git a/FieldsMappings/gcp-storageobject-write_fields.md b/FieldsMappings/gcp-storageobject-write_fields.md
new file mode 100644
index 0000000..940884c
--- /dev/null
+++ b/FieldsMappings/gcp-storageobject-write_fields.md
@@ -0,0 +1,42 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: gcp-storageobject-write
+### New-Scale Activity Type: file-write:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| bucket | bucket_name |
+| target_domain | dest_domain |
+| device | device_name |
+| user_email | email_address |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| service | service_name |
+| sender | src_email_address |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| src_domain,
caller_domain | src_domain |
+| src_user,
caller_user | src_user |
\ No newline at end of file
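Review bot: none of the three storage-object tables (`gcp-storageobject-acl`, `gcp-storageobject-read`, `gcp-storageobject-write`) maps a legacy field to a file or object name; the only storage-specific row is `bucket | bucket_name`, and `process_path` refers to the process, not the object. A `file-read:success` or `file-write:success` event without the object identity is of little use for detection, so if the parser emits an object name or path, add its row (and say so if it deliberately does not).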
diff --git a/FieldsMappings/group-role-assign_fields.md b/FieldsMappings/group-role-assign_fields.md
new file mode 100644
index 0000000..3192e24
--- /dev/null
+++ b/FieldsMappings/group-role-assign_fields.md
@@ -0,0 +1,71 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: group-role-assign
+### New-Scale Activity Type: group-role-assign:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| action,
activity_action | action |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| http_response_code,
result,
response_code,
result_code | http_response_code |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| account_dn,
user_dn | user_dn |
+| user_id,
sid | user_id |
+| account_type,
user_type | user_type |
\ No newline at end of file
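Review bot: the `group-role-assign` table maps the same old field to two different new-scale fields: `result` appears in both `http_response_code, result, response_code, result_code | http_response_code` and `result, outcome | result`, and `directory` appears in both `directory, file_dir, file_parent, f_parent | file_dir` and `process_directory, directory | process_dir`. A one-to-many mapping cannot be applied deterministically; pick one target per old field or document which mapping wins. Also check `bytes_recieved` in the `bytes_in` row: keep it only if that misspelling is the real legacy field name, otherwise correct it to `bytes_received`.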
diff --git a/FieldsMappings/group-role-revoke_fields.md b/FieldsMappings/group-role-revoke_fields.md
new file mode 100644
index 0000000..5e05d3b
--- /dev/null
+++ b/FieldsMappings/group-role-revoke_fields.md
@@ -0,0 +1,71 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: group-role-revoke
+### New-Scale Activity Type: group-role-revoke:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| action,
activity_action | action |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| http_response_code,
result,
response_code,
result_code | http_response_code |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| account_dn,
user_dn | user_dn |
+| user_id,
sid | user_id |
+| account_type,
user_type | user_type |
\ No newline at end of file
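Review bot: `result` is listed as a source in two rows of this table, `| http_response_code, result, response_code, result_code | http_response_code |` and `| result, outcome | result |`, and `directory` likewise sits in both the `file_dir` row and the `process_dir` row, so a translator built from the table cannot know which target a legacy `result` or `directory` value lands in. Make each legacy field appear in exactly one row, or add a sentence above the table stating the precedence (for example that the first matching row wins); detection content keyed on `result` behaves differently depending on which reading the implementer picks.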
diff --git a/FieldsMappings/image-loaded_fields.md b/FieldsMappings/image-loaded_fields.md
new file mode 100644
index 0000000..0e88aa3
--- /dev/null
+++ b/FieldsMappings/image-loaded_fields.md
@@ -0,0 +1,54 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: image-loaded
+### New-Scale Activity Type: dll-load:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
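Review bot: for a `dll-load:success` event the table still carries email-only sources (`| subject | email_subject |`, `| sender | src_email_address |`, `| target_user_email, dest_email_address, recipient | dest_email_address |`) that no image-load record produces, while the directory of the loaded image, the one location that matters for this event, is left ambiguous because `directory` is claimed by both the `file_dir` row and the `process_dir` row. Either trim the table to the fields this event actually emits and state which of `file_dir` or `process_dir` receives the loaded module's directory, or reword the intro line to say this is the shared base mapping rather than an event-specific one.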
diff --git a/FieldsMappings/kerberos-logon_fields.md b/FieldsMappings/kerberos-logon_fields.md
new file mode 100644
index 0000000..3807bc1
--- /dev/null
+++ b/FieldsMappings/kerberos-logon_fields.md
@@ -0,0 +1,59 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: kerberos-logon
+### New-Scale Activity Type: endpoint-authentication:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| user_logon_guid,
user_login_guid | user_login_guid |
\ No newline at end of file
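Review bot: the two logon-type rows cross over: `| logon_type | login_type |` and `| login_type | login_type_text |`. Legacy `login_type` ends up in the `_text` field while legacy `logon_type` ends up in `login_type`; if one legacy name carries the numeric logon-type code and the other its description, this puts the code in the text field (or the reverse). Confirm the intended direction against a sample event and add a one-line note under the table saying which legacy field holds the code, because rules that filter on `login_type` values silently match nothing if the code lands in `login_type_text`.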
diff --git a/FieldsMappings/local-logon_fields.md b/FieldsMappings/local-logon_fields.md
new file mode 100644
index 0000000..9e06538
--- /dev/null
+++ b/FieldsMappings/local-logon_fields.md
@@ -0,0 +1,62 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: local-logon
+### New-Scale Activity Type: endpoint-login:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| account_info | user_info |
+| account_type | user_type |
+| account_used_id,
account_id | account_id |
+| description,
additional_info | additional_info |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| logon_type,
login_type | login_type |
+| login_type,
logon_type,
logon_type_text | login_type_text |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
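Review bot: the activity type for `local-logon` is `endpoint-login:fail`, whereas the neighbouring logon mappings in this change carry a success outcome (`endpoint-authentication:success` for kerberos-logon, `endpoint-logout:success` for logout-remote). If `local-logon` denotes a completed interactive logon, this suffix routes every successful local logon into failed-login analytics; confirm the outcome and, if a separate failure event exists, give it its own file. Separately, `logon_type` and `login_type` both appear in the `login_type` row and again in the `login_type_text` row, so the mapping for those two legacy fields is not deterministic.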
diff --git a/FieldsMappings/logout-remote_fields.md b/FieldsMappings/logout-remote_fields.md
new file mode 100644
index 0000000..0800143
--- /dev/null
+++ b/FieldsMappings/logout-remote_fields.md
@@ -0,0 +1,57 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: logout-remote
+### New-Scale Activity Type: endpoint-logout:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| description | additional_info |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
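Review bot: `bytes_recieved` in `| bytes_in, bytes_recieved | bytes_in |` is spelled with `ie`. If the legacy schema really emits the misspelled key, the table should say so explicitly (a `sic` or a note under the table); otherwise a translator built from this row matches on the wrong key and `bytes_in` is never populated for a correctly spelled `bytes_received`. The same row appears in every file in this change, so the fix belongs in whatever template these tables are generated from.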
diff --git a/FieldsMappings/m365-app-activity-fail_fields.md b/FieldsMappings/m365-app-activity-fail_fields.md
new file mode 100644
index 0000000..15f51e8
--- /dev/null
+++ b/FieldsMappings/m365-app-activity-fail_fields.md
@@ -0,0 +1,71 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: m365-app-activity-fail
+### New-Scale Activity Type: app-activity:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| action,
activity_action | action |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| http_response_code,
result,
response_code,
result_code | http_response_code |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| account_dn,
user_dn | user_dn |
+| user_id,
sid | user_id |
+| account_type,
user_type | user_type |
\ No newline at end of file
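Review bot: for an `app-activity:fail` event the `result` mapping is the one consumers will read, and it is ambiguous here: `result` is a source in `| http_response_code, result, response_code, result_code | http_response_code |` and again in `| result, outcome | result |`. For the failure variant the outcome must reliably reach `result`; state explicitly that a legacy `result` value maps to `result` and only `response_code` and `result_code` map to `http_response_code`, or, if row order decides, move the `result` row ahead of the HTTP row.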
diff --git a/FieldsMappings/m365-app-activity_fields.md b/FieldsMappings/m365-app-activity_fields.md
new file mode 100644
index 0000000..1736604
--- /dev/null
+++ b/FieldsMappings/m365-app-activity_fields.md
@@ -0,0 +1,71 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: m365-app-activity
+### New-Scale Activity Type: app-activity:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| action,
activity_action | action |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| http_response_code,
result,
response_code,
result_code | http_response_code |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| account_dn,
user_dn | user_dn |
+| user_id,
sid | user_id |
+| account_type,
user_type | user_type |
\ No newline at end of file
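Review bot: `| user_sid, target_user_sid | dest_user_sid |` sends the legacy `user_sid` to the destination-user SID, while `| user_id, sid | user_id |` sends the bare `sid` to the acting user's id. Unless `user_sid` is documented in the legacy schema as the target user's SID, this swaps actor and target for the M365 activity, which is exactly the attribution that behaviour analytics keys on; confirm against a sample record and, if `user_sid` is the actor's SID, take it out of the `dest_user_sid` row.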
diff --git a/FieldsMappings/m365-file-copy_fields.md b/FieldsMappings/m365-file-copy_fields.md
new file mode 100644
index 0000000..5bed13e
--- /dev/null
+++ b/FieldsMappings/m365-file-copy_fields.md
@@ -0,0 +1,71 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: m365-file-copy
+### New-Scale Activity Type: file-copy:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| action,
activity_action | action |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| http_response_code,
result,
response_code,
result_code | http_response_code |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| account_dn,
user_dn | user_dn |
+| user_id,
sid | user_id |
+| account_type,
user_type | user_type |
\ No newline at end of file
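Review bot: `directory` is a source in both `| directory, file_dir, file_parent, f_parent | file_dir |` and `| process_directory, directory | process_dir |`. For a `file-copy:success` event the directory of the copied file and the directory of the client process are different things, and the table lets a legacy `directory` populate either. Keep `directory` in the `file_dir` row only (process directories already have `process_directory`), so rules on file location see a consistent field.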
diff --git a/FieldsMappings/m365-file-delete_fields.md b/FieldsMappings/m365-file-delete_fields.md
new file mode 100644
index 0000000..94b1473
--- /dev/null
+++ b/FieldsMappings/m365-file-delete_fields.md
@@ -0,0 +1,71 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: m365-file-delete
+### New-Scale Activity Type: file-delete:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| action,
activity_action | action |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| http_response_code,
result,
response_code,
result_code | http_response_code |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| account_dn,
user_dn | user_dn |
+| user_id,
sid | user_id |
+| account_type,
user_type | user_type |
\ No newline at end of file
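Review bot: the intro line says the table maps fields for this specific event, but the rows are the same endpoint-oriented template as the other files: `| logon_type | login_type |`, `| src_mac, mac, source_mac, mac_address, src_mac_address | src_mac |` and `| service_name, service | service_name |` have no counterpart in an M365 audit record for a file deletion. Either reword the intro to say the table is the common mapping shared by all events, or drop the rows this source cannot emit, so readers do not assume `src_mac` will be populated for M365 events.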
diff --git a/FieldsMappings/m365-file-download_fields.md b/FieldsMappings/m365-file-download_fields.md
new file mode 100644
index 0000000..ecdd3e8
--- /dev/null
+++ b/FieldsMappings/m365-file-download_fields.md
@@ -0,0 +1,71 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: m365-file-download
+### New-Scale Activity Type: file-download:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| action,
activity_action | action |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| http_response_code,
result,
response_code,
result_code | http_response_code |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| account_dn,
user_dn | user_dn |
+| user_id,
sid | user_id |
+| account_type,
user_type | user_type |
\ No newline at end of file
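Review bot: the multi-valued rows from `| bytes,` onward are spread over several physical lines (`bytes_num,` / `bytes_size,` / `file_size | bytes |`), assuming the source file carries these literal line breaks as the hunk shows. GitHub-flavoured Markdown treats every non-blank line that follows a table as another row, so each continuation line renders as its own fragmentary single-cell row instead of as part of the `bytes` cell. Put each row on one line, `| bytes, bytes_num, bytes_size, file_size | bytes |`, or separate the alternatives with `<br>` inside the cell, and add the trailing newline that the `\ No newline at end of file` marker reports as missing.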
diff --git a/FieldsMappings/m365-file-move_fields.md b/FieldsMappings/m365-file-move_fields.md
new file mode 100644
index 0000000..f686e43
--- /dev/null
+++ b/FieldsMappings/m365-file-move_fields.md
@@ -0,0 +1,71 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: m365-file-move
+### New-Scale Activity Type: file-move:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| action,
activity_action | action |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| http_response_code,
result,
response_code,
result_code | http_response_code |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| account_dn,
user_dn | user_dn |
+| user_id,
sid | user_id |
+| account_type,
user_type | user_type |
\ No newline at end of file
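Review bot: a move has a source and a destination location, but the table offers only `| directory, file_dir, file_parent, f_parent | file_dir |` and no row for where the file ended up; the `dest_*` rows present cover domain, e-mail address, user and user SID only. If the legacy `m365-file-move` record carries the target path, add its mapping; if it does not, say so under the table so rule authors do not go looking for it.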
diff --git a/FieldsMappings/m365-file-read_fields.md b/FieldsMappings/m365-file-read_fields.md
new file mode 100644
index 0000000..9ff7679
--- /dev/null
+++ b/FieldsMappings/m365-file-read_fields.md
@@ -0,0 +1,71 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: m365-file-read
+### New-Scale Activity Type: file-read:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| action,
activity_action | action |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| http_response_code,
result,
response_code,
result_code | http_response_code |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| account_dn,
user_dn | user_dn |
+| user_id,
sid | user_id |
+| account_type,
user_type | user_type |
\ No newline at end of file
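Review bot: `result` is mapped to two different targets in this table. It appears in the `http_response_code, result, response_code, result_code | http_response_code` row and again in the `result, outcome | result` row, so a converter that follows this table cannot tell whether a legacy `result` value becomes `http_response_code` or `result`. Drop `result` from the `http_response_code` row (keeping `response_code` and `result_code` there) or add a sentence above the table stating which row wins when a legacy field is listed twice.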
diff --git a/FieldsMappings/m365-file-rename_fields.md b/FieldsMappings/m365-file-rename_fields.md
new file mode 100644
index 0000000..ea2374f
--- /dev/null
+++ b/FieldsMappings/m365-file-rename_fields.md
@@ -0,0 +1,71 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: m365-file-rename
+### New-Scale Activity Type: file-rename:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| action,
activity_action | action |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| http_response_code,
result,
response_code,
result_code | http_response_code |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| account_dn,
user_dn | user_dn |
+| user_id,
sid | user_id |
+| account_type,
user_type | user_type |
\ No newline at end of file
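Review bot: `directory` is listed under two different new-scale fields in this table, `directory, file_dir, file_parent, f_parent | file_dir` and `process_directory, directory | process_dir`, so a legacy `directory` value has no single destination. For a file-rename event `file_dir` is the natural home; remove `directory` from the `process_dir` row or state the precedence. Separately, no row in the table captures the new name or path of the renamed file, which is the one fact a file-rename event exists to record; confirm that the legacy `m365-file-rename` event carries no such field, and if it does, add the row.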
diff --git a/FieldsMappings/m365-file-write_fields.md b/FieldsMappings/m365-file-write_fields.md
new file mode 100644
index 0000000..52012f3
--- /dev/null
+++ b/FieldsMappings/m365-file-write_fields.md
@@ -0,0 +1,71 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: m365-file-write
+### New-Scale Activity Type: file-write:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| action,
activity_action | action |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| http_response_code,
result,
response_code,
result_code | http_response_code |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| account_dn,
user_dn | user_dn |
+| user_id,
sid | user_id |
+| account_type,
user_type | user_type |
\ No newline at end of file
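Review bot: the rows `| logon_type | login_type |` and `| login_type | login_type_text |` rename a legacy field onto a name that is itself a legacy field in the same table, and they appear in exactly the order that goes wrong if a converter applies renames in place, row by row: `logon_type` is written over the original `login_type`, and the next row then moves the wrong value into `login_type_text`. Either put the `login_type | login_type_text` row first, or state above the table that renames are computed from the original record rather than applied in place, so implementers of this mapping do not have to discover the hazard themselves.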
diff --git a/FieldsMappings/m365-group-create_fields.md b/FieldsMappings/m365-group-create_fields.md
new file mode 100644
index 0000000..38351f1
--- /dev/null
+++ b/FieldsMappings/m365-group-create_fields.md
@@ -0,0 +1,71 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: m365-group-create
+### New-Scale Activity Type: group-create:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| action,
activity_action | action |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| http_response_code,
result,
response_code,
result_code | http_response_code |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| account_dn,
user_dn | user_dn |
+| user_id,
sid | user_id |
+| account_type,
user_type | user_type |
\ No newline at end of file
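Review bot: `bytes_recieved` in the `bytes_in, bytes_recieved | bytes_in` row looks like a misspelling of received. A mapping key that does not match what the legacy producer actually emits never fires, and the value is silently dropped rather than renamed, so this is worth checking against the legacy `m365-group-create` schema: if the legacy field really is spelled `bytes_recieved`, keep it and say so; if the producer emits `bytes_received`, fix the key; if both spellings occur in the wild, list both in the cell.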
diff --git a/FieldsMappings/m365-user-create-fail_fields.md b/FieldsMappings/m365-user-create-fail_fields.md
new file mode 100644
index 0000000..f532c08
--- /dev/null
+++ b/FieldsMappings/m365-user-create-fail_fields.md
@@ -0,0 +1,71 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: m365-user-create-fail
+### New-Scale Activity Type: user-create:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| action,
activity_action | action |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| http_response_code,
result,
response_code,
result_code | http_response_code |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| account_dn,
user_dn | user_dn |
+| user_id,
sid | user_id |
+| account_type,
user_type | user_type |
\ No newline at end of file
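Review bot: the two SID-type legacy fields end up on opposite sides of the event: `user_sid, target_user_sid | dest_user_sid` sends `user_sid` to the destination user, while `user_id, sid | user_id` sends `sid` to the generic `user_id`. For a `user-create:fail` event the account being created is the target and the caller is the source, so it matters which legacy field holds the caller's SID and which holds the target's. State next to the heading which legacy field denotes the actor, or move `user_sid` to whichever side matches `sid` so the two rows agree.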
diff --git a/FieldsMappings/m365-user-create_fields.md b/FieldsMappings/m365-user-create_fields.md
new file mode 100644
index 0000000..ce53642
--- /dev/null
+++ b/FieldsMappings/m365-user-create_fields.md
@@ -0,0 +1,71 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: m365-user-create
+### New-Scale Activity Type: user-create:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| action,
activity_action | action |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| http_response_code,
result,
response_code,
result_code | http_response_code |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| account_dn,
user_dn | user_dn |
+| user_id,
sid | user_id |
+| account_type,
user_type | user_type |
\ No newline at end of file
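Review bot: the Old Fields column packs several legacy names into one cell, for example `action, activity_action` and `src_mac, mac, source_mac, mac_address, src_mac_address`, which a Markdown renderer shows as a single cell and which a script cannot consume without a custom splitter. One row per legacy field (repeating the new-scale name) would make the table both easier to read and directly usable by tooling; failing that, add a sentence above the table stating that an Old Fields cell is a comma-separated list of aliases for the same new-scale field.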
diff --git a/FieldsMappings/m365-user-delete_fields.md b/FieldsMappings/m365-user-delete_fields.md
new file mode 100644
index 0000000..545c589
--- /dev/null
+++ b/FieldsMappings/m365-user-delete_fields.md
@@ -0,0 +1,71 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: m365-user-delete
+### New-Scale Activity Type: user-delete:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| action,
activity_action | action |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| http_response_code,
result,
response_code,
result_code | http_response_code |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| account_dn,
user_dn | user_dn |
+| user_id,
sid | user_id |
+| account_type,
user_type | user_type |
\ No newline at end of file
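Review bot: every row in this table is identical to the rows in the other `m365-*` and `mailbox-*` mapping files added in this patch, so nothing here is specific to `m365-user-delete` despite the title "Field Mapping for a Specific Event" and the sentence "This table maps old fields to the new-scale fields". Either trim the table to the fields the legacy event actually emits, or factor the common rows into one shared base-mapping file and keep only the per-event differences here; as committed, a correction to any shared row has to be repeated by hand in every file.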
diff --git a/FieldsMappings/mailbox-item-delete_fields.md b/FieldsMappings/mailbox-item-delete_fields.md
new file mode 100644
index 0000000..5cc979f
--- /dev/null
+++ b/FieldsMappings/mailbox-item-delete_fields.md
@@ -0,0 +1,71 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: mailbox-item-delete
+### New-Scale Activity Type: mailbox-item-delete:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| action,
activity_action | action |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| http_response_code,
result,
response_code,
result_code | http_response_code |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| account_dn,
user_dn | user_dn |
+| user_id,
sid | user_id |
+| account_type,
user_type | user_type |
\ No newline at end of file
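Review bot: three email-address targets are in play, `user_email | email_address`, `sender | src_email_address` and `target_user_email, dest_email_address, recipient | dest_email_address`, but the table does not say which of them receives the mailbox owner for a mailbox-item-delete event, and that is the field a detection on deleted mail would key on (the actor deleting the item is not necessarily the owner of the mailbox). Add one line under the activity-type heading stating where the mailbox owner lands, or that the legacy event does not carry it.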
diff --git a/FieldsMappings/mailbox-item-read_fields.md b/FieldsMappings/mailbox-item-read_fields.md
new file mode 100644
index 0000000..69f9e18
--- /dev/null
+++ b/FieldsMappings/mailbox-item-read_fields.md
@@ -0,0 +1,71 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: mailbox-item-read
+### New-Scale Activity Type: mailbox-item-read:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| action,
activity_action | action |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| http_response_code,
result,
response_code,
result_code | http_response_code |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| account_dn,
user_dn | user_dn |
+| user_id,
sid | user_id |
+| account_type,
user_type | user_type |
\ No newline at end of file
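Review bot: `\ No newline at end of file` on the last row, `account_type, user_type | user_type`, means any future edit to that row will also show up as a change to the line before it; add the trailing newline. While in the file, the mixed heading styles (a setext `===` title followed by `###` ATX headings for the event type and activity type) are consistent with the other new files, so if the format is changed it should be changed in all of them at once rather than here alone.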
diff --git a/FieldsMappings/mailbox-modify_fields.md b/FieldsMappings/mailbox-modify_fields.md
new file mode 100644
index 0000000..dee591a
--- /dev/null
+++ b/FieldsMappings/mailbox-modify_fields.md
@@ -0,0 +1,71 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: mailbox-modify
+### New-Scale Activity Type: mailbox-modify:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| action,
activity_action | action |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| http_response_code,
result,
response_code,
result_code | http_response_code |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| account_dn,
user_dn | user_dn |
+| user_id,
sid | user_id |
+| account_type,
user_type | user_type |
\ No newline at end of file
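Review bot: a large share of the rows map a legacy field to its own name, for example `full_url, url | url`, `rule, rule_name | rule` and `result, outcome | result`, and the same holds for `bytes`, `bytes_in`, `connection_id`, `device_name`, `src_mac`, `user_id` and others. Listing unchanged names alongside real renames hides which fields a consumer of `mailbox-modify` events actually has to update. Either list only the legacy aliases that differ from the new-scale name, or add a marker distinguishing renamed from unchanged fields, so the real delta is visible at a glance.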
diff --git a/FieldsMappings/mailbox-permissiom-modify_fields.md b/FieldsMappings/mailbox-permissiom-modify_fields.md
new file mode 100644
index 0000000..43dc01f
--- /dev/null
+++ b/FieldsMappings/mailbox-permissiom-modify_fields.md
@@ -0,0 +1,71 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: mailbox-permissiom-modify
+### New-Scale Activity Type: NOTE: MISSING MAPPING!
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| action,
activity_action | action |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| http_response_code,
result,
response_code,
result_code | http_response_code |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| account_dn,
user_dn | user_dn |
+| user_id,
sid | user_id |
+| account_type,
user_type | user_type |
\ No newline at end of file
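Review bot: `### New-Scale Activity Type: NOTE: MISSING MAPPING!` ships an unresolved placeholder, so this file documents a mapping whose target activity type is unknown, and anything that parses the heading will read the note text as the type name. Fill in the activity type before merging, or track it in an issue and leave this file out of the patch. Separately, `mailbox-permissiom-modify` in both the file name and the Old Event Type heading looks like a misspelling of permission; if the legacy event really is named that way, say so next to the heading, otherwise rename the file so the typo does not propagate into the generated documentation.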
diff --git a/FieldsMappings/member-added_fields.md b/FieldsMappings/member-added_fields.md
new file mode 100644
index 0000000..f6dd326
--- /dev/null
+++ b/FieldsMappings/member-added_fields.md
@@ -0,0 +1,66 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: member-added
+### New-Scale Activity Type: group-member-add:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| account_dn | user_dn |
+| account_ou | user_ou |
+| account_used_domain,
account_domain | account_domain |
+| account_id,
account_used_id | account_id |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| user_domain,
domain | domain |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| user_ou,
account_ou | user_ou |
+| sid,
user_sid,
sid_user | user_sid |
\ No newline at end of file
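Review bot: `user_sid` maps to two different targets in this file, `user_sid, target_user_sid | dest_user_sid |` and `sid, user_sid, sid_user | user_sid |`, and `account_ou` appears both as a single row (`account_ou | user_ou |`) and inside `user_ou, account_ou | user_ou |`; `directory` is also claimed by both the `file_dir` and the `process_dir` rows. Each old field should resolve to exactly one new-scale field, so drop the duplicates or document the precedence. The multi-line alias cells (`account_domain | account_domain |` on its own line, and so on) will not render as table rows in Markdown; put each alias list on one line. Please also confirm that `bytes_recieved` is the legacy key's actual spelling, since the mapping will silently miss `bytes_received` otherwise.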
diff --git a/FieldsMappings/member-removed_fields.md b/FieldsMappings/member-removed_fields.md
new file mode 100644
index 0000000..ec2ff76
--- /dev/null
+++ b/FieldsMappings/member-removed_fields.md
@@ -0,0 +1,62 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: member-removed
+### New-Scale Activity Type: group-member-remove:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| account_dn | user_dn |
+| account_ou | user_ou |
+| account_id,
account_used_id | account_id |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| sid,
user_sid,
sid_user | user_sid |
\ No newline at end of file
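Review bot: `user_sid` resolves to both `dest_user_sid` (`user_sid, target_user_sid | dest_user_sid |`) and `user_sid` (`sid, user_sid, sid_user | user_sid |`) in this table, and `directory` is an alias under both `file_dir` and `process_dir`; one target per old field is needed for the mapping to be deterministic. The alias lists split across lines (for example `account_used_id | account_id |`) will render outside the Markdown table; keep each row on a single line and add the missing trailing newline.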
diff --git a/FieldsMappings/nac-failed-logon_fields.md b/FieldsMappings/nac-failed-logon_fields.md
new file mode 100644
index 0000000..a9a8e1d
--- /dev/null
+++ b/FieldsMappings/nac-failed-logon_fields.md
@@ -0,0 +1,58 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: nac-failed-logon
+### New-Scale Activity Type: endpoint-authentication:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| failure_reason,
reason | failure_reason |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| sid,
user_sid | user_sid |
\ No newline at end of file
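Review bot: `reason` is mapped twice here, as `reason | result_reason |` and inside `failure_reason, reason | failure_reason |`; for a `:fail` activity it is worth stating explicitly which target the legacy `reason` populates. `user_sid` is likewise in both `user_sid, target_user_sid | dest_user_sid |` and `sid, user_sid | user_sid |`, and `directory` is shared by the `file_dir` and `process_dir` rows. The multi-line alias cells will not render as table rows in Markdown; collapse each alias list onto its row's line.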
diff --git a/FieldsMappings/nac-logon_fields.md b/FieldsMappings/nac-logon_fields.md
new file mode 100644
index 0000000..af3073e
--- /dev/null
+++ b/FieldsMappings/nac-logon_fields.md
@@ -0,0 +1,59 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: nac-logon
+### New-Scale Activity Type: endpoint-authentication:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| sid,
user_sid | user_sid |
\ No newline at end of file
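Review bot: `user_sid` appears in two rows with different targets (`dest_user_sid` and `user_sid`), and `directory` is an alias under both `file_dir` and `process_dir`, so this table does not define a single mapping for those keys; remove one entry or state the precedence. The alias lists broken across lines (`file_size | bytes |`, `conn_id | connection_id |`, ...) will render as loose text rather than table rows; keep each row on one line, and add the trailing newline.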
diff --git a/FieldsMappings/netflow-connection_fields.md b/FieldsMappings/netflow-connection_fields.md
new file mode 100644
index 0000000..f90b491
--- /dev/null
+++ b/FieldsMappings/netflow-connection_fields.md
@@ -0,0 +1,57 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: netflow-connection
+### New-Scale Activity Type: network-session:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
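Review bot: `directory` is claimed by both `directory, file_dir, file_parent, f_parent | file_dir |` and `process_directory, directory | process_dir |`, leaving the mapping ambiguous for that key; and unlike the other event tables this one has no `event_id` row, so if netflow records carry no record id it would help to say so in the file. The multi-line alias cells will not render inside a Markdown table; put each alias list on its row's line and add the missing trailing newline.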
diff --git a/FieldsMappings/network-alert_fields.md b/FieldsMappings/network-alert_fields.md
new file mode 100644
index 0000000..b0c5a4b
--- /dev/null
+++ b/FieldsMappings/network-alert_fields.md
@@ -0,0 +1,62 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: network-alert
+### New-Scale Activity Type: alert-trigger:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| connect_type | connection_type |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| rule_num | rule_count |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| appid,
application_id | app_id |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| destination_country,
dest_country | dest_country |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| log_id,
resource_id,
event_id | event_id |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| dest_country,
source_country | src_country |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
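Review bot: `dest_country` is mapped to `src_country` in the row `dest_country, source_country | src_country |`, immediately after `destination_country, dest_country | dest_country |` maps it to `dest_country`; the second occurrence looks like a copy/paste slip for `src_country` or `source_country`, and as written it would swap traffic direction for affected records. `directory` is also an alias under both `file_dir` and `process_dir`. The alias lists split across lines will render outside the Markdown table; keep each row on one line.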
diff --git a/FieldsMappings/network-connection-failed_fields.md b/FieldsMappings/network-connection-failed_fields.md
new file mode 100644
index 0000000..47e61d1
--- /dev/null
+++ b/FieldsMappings/network-connection-failed_fields.md
@@ -0,0 +1,66 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: network-connection-failed
+### New-Scale Activity Type: network-close:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| conn_state | connection_state |
+| connect_type | connection_type |
+| target_domain | dest_domain |
+| dest_service | dest_service_name |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| dest_ip,
remote_ip | dest_ip |
+| dest_port,
remote_port | dest_port |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| local_ip,
src_ip | src_ip |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| local_port,
src_port | src_port |
+| src_user,
caller_user | src_user |
+| user_id,
uid | user_id |
\ No newline at end of file
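Review bot: the header maps `network-connection-failed` to `network-close:success`, which records a failed connection with a success outcome; please confirm whether `:fail` was intended, or document why the outcome is fixed to success when `result, outcome | result |` is also mapped. `directory` is again listed under both `file_dir` and `process_dir`. The multi-line alias cells (`remote_ip | dest_ip |`, `src_port | src_port |`, ...) will not render as table rows in Markdown; collapse each onto its row's line and add the trailing newline.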
diff --git a/FieldsMappings/network-connection-successful_fields.md b/FieldsMappings/network-connection-successful_fields.md
new file mode 100644
index 0000000..e62d5d8
--- /dev/null
+++ b/FieldsMappings/network-connection-successful_fields.md
@@ -0,0 +1,70 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: network-connection-successful
+### New-Scale Activity Type: dns-traffic:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| age_of_conn | connection_age |
+| conn_state | connection_state |
+| connect_type | connection_type |
+| target_domain | dest_domain |
+| dest_service | dest_service_name |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| dest_ip,
remote_ip | dest_ip |
+| dest_port,
remote_port | dest_port |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| log_id,
resource_id,
record_id | event_id |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| parent_pid,
parent_process_id | parent_process_id |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| local_ip,
src_ip | src_ip |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| local_port,
src_port | src_port |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| user_id,
uid | user_id |
+| uid,
user_uid,
uuid | user_uid |
\ No newline at end of file
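Review bot: `network-connection-successful` is mapped to `dns-traffic:success`, which does not match a generic connection event; please confirm this is intended rather than a copy/paste of another file's activity type. Within the table, `uid` resolves to both `user_id` (`user_id, uid | user_id |`) and `user_uid` (`uid, user_uid, uuid | user_uid |`), and `directory` is shared by the `file_dir` and `process_dir` rows, so those keys need a single target or a stated precedence. The alias lists broken across lines will render outside the Markdown table; keep each row on one line.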
diff --git a/FieldsMappings/network-info_fields.md b/FieldsMappings/network-info_fields.md
new file mode 100644
index 0000000..7c6915a
--- /dev/null
+++ b/FieldsMappings/network-info_fields.md
@@ -0,0 +1,36 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: network-info
+### New-Scale Activity Type: network-notification:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| target_domain | dest_domain |
+| user_email | email_address |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
\ No newline at end of file
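Review bot: the alias lists in this table are split across lines (`bytes_num,` / `bytes_size,` / `file_size | bytes |`, `activity | operation |`, ...), and a Markdown table cell cannot span lines, so those rows will render as stray text below the table; put each alias list on its row's own line. The file is also missing a trailing newline.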
diff --git a/FieldsMappings/ntlm-logon_fields.md b/FieldsMappings/ntlm-logon_fields.md
new file mode 100644
index 0000000..1d8cc52
--- /dev/null
+++ b/FieldsMappings/ntlm-logon_fields.md
@@ -0,0 +1,59 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: ntlm-logon
+### New-Scale Activity Type: endpoint-authentication:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| description | additional_info |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| account_type | user_type |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
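Review bot: `directory` is an alias in both `directory, file_dir, file_parent, f_parent | file_dir |` and `process_directory, directory | process_dir |`, so the mapping is ambiguous for that key; choose one target or state the precedence. The multi-line alias cells (`target_user | dest_user |`, `sha1_sum | hash_sha1 |`, ...) will not render as Markdown table rows; keep each row on a single line and add the trailing newline.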
diff --git a/FieldsMappings/physical-access_fields.md b/FieldsMappings/physical-access_fields.md
new file mode 100644
index 0000000..1de6a4a
--- /dev/null
+++ b/FieldsMappings/physical-access_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: physical-access
+### New-Scale Activity Type: physical_location-access:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| blockinggroupname | blocking_group_name |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| user_firstname,
first_name | first_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| user_lastname,
last_name | last_name |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| reason,
outcome_reason | result_reason |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
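Review bot: `directory` is claimed by both the `file_dir` row and the `process_dir` row in this table, which leaves no single target for that old field; drop one or document which wins. The alias lists broken across lines (`first_name | first_name |`, `outcome_reason | result_reason |`, ...) will render outside the Markdown table; collapse each onto its row's line and add the missing trailing newline.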
diff --git a/FieldsMappings/print-activity_fields.md b/FieldsMappings/print-activity_fields.md
new file mode 100644
index 0000000..6d34c66
--- /dev/null
+++ b/FieldsMappings/print-activity_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: print-activity
+### New-Scale Activity Type: printer-activity:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| num_pages,
number_of_page | num_pages |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
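Review bot: `directory` maps to both `file_dir` and `process_dir` here, so the table is ambiguous for that key; please also confirm `number_of_page` in `num_pages, number_of_page | num_pages |` is the legacy key's actual spelling rather than a typo for `number_of_pages`. The multi-line alias cells will not render as Markdown table rows; keep each alias list on its row's line and add the trailing newline.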
diff --git a/FieldsMappings/privileged-access_fields.md b/FieldsMappings/privileged-access_fields.md
new file mode 100644
index 0000000..7dfe3be
--- /dev/null
+++ b/FieldsMappings/privileged-access_fields.md
@@ -0,0 +1,58 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: privileged-access
+### New-Scale Activity Type: user-privilege-assign:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| additional_info,
description | additional_info |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| login_id,
logon_id | login_id |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
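Review bot: the legacy field `directory` appears in two rows of this table, under `file_dir` (`directory, file_dir, file_parent, f_parent`) and under `process_dir` (`process_directory, directory`), so the mapping is ambiguous and whichever rule runs last wins; keep `directory` in one row or split it by event subtype. Separately, `user_sid` is mapped to `dest_user_sid` (with `target_user_sid`) although the other `user_*` fields (`user_email`, `user_firstname`, `user_fullname`) describe the acting user; for a `user-privilege-assign` event the actor SID and the target SID should not land in the same column, so confirm that `user_sid` really is the target.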
diff --git a/FieldsMappings/privileged-object-access_fields.md b/FieldsMappings/privileged-object-access_fields.md
new file mode 100644
index 0000000..2819e93
--- /dev/null
+++ b/FieldsMappings/privileged-object-access_fields.md
@@ -0,0 +1,59 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: privileged-object-access
+### New-Scale Activity Type: user-privilege-use:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| additional_info,
description | additional_info |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| logon_id,
login_id | login_id |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
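Review bot: the heading fixes every `privileged-object-access` event to `user-privilege-use:success`, yet the table still maps `result, outcome | result` and `reason | result_reason`; if the legacy event can carry a failed outcome, the `:success`/`:fail` suffix should be derived from `result` rather than hard-coded in the heading. `directory` is also listed under both `file_dir` and `process_dir` in this table, so it should be kept in one row only.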
diff --git a/FieldsMappings/process-alert_fields.md b/FieldsMappings/process-alert_fields.md
new file mode 100644
index 0000000..fcf98d7
--- /dev/null
+++ b/FieldsMappings/process-alert_fields.md
@@ -0,0 +1,66 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: process-alert
+### New-Scale Activity Type: alert-trigger:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| target_process_directory | dest_process_dir |
+| target_process_name | dest_process_name |
+| target_process | dest_process_path |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| grandparent_process | grandparent_process_path |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| parent_pid | parent_process_id |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| target_pid,
target_process_guid | dest_process_id |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| group_name,
user_group | user_group_name |
+| sid,
user_sid,
sid_user | user_sid |
\ No newline at end of file
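Review bot: `user_sid` is mapped twice in this table, to `dest_user_sid` (`user_sid, target_user_sid`) and to `user_sid` (`sid, user_sid, sid_user`), so one legacy value would populate both the actor and the destination SID columns; keep it in a single row. Likewise `target_process_guid` is listed under `dest_process_id` alongside `target_pid`, which puts a GUID into a numeric ID field; a separate `dest_process_guid` target would keep the two identifier types apart.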
diff --git a/FieldsMappings/process-created-failed_fields.md b/FieldsMappings/process-created-failed_fields.md
new file mode 100644
index 0000000..021bd75
--- /dev/null
+++ b/FieldsMappings/process-created-failed_fields.md
@@ -0,0 +1,60 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: process-created-failed
+### New-Scale Activity Type: process-create:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| account_used_id | account_id |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| target_process_guid | process_guid |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| login_id,
logon_id | login_id |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| parent_pid,
parent_process_id | parent_process_id |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
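Review bot: compared with the `process-created` table in this same patch, this `:fail` table drops the `target_process_name`, `target_process` and `target_directory` rows that produce `dest_process_*`, and has no `event_id` row at all (`process-created` maps `record_id, log_id, event_id`), so a failed process creation loses the target process path and its event identifier, which is exactly what an analyst wants when investigating blocked executions. `target_process_guid` also goes to `process_guid` here but to `dest_process_id` in the success table; the two should agree on which process the GUID identifies.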
diff --git a/FieldsMappings/process-created_fields.md b/FieldsMappings/process-created_fields.md
new file mode 100644
index 0000000..6c1ffdd
--- /dev/null
+++ b/FieldsMappings/process-created_fields.md
@@ -0,0 +1,68 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: process-created
+### New-Scale Activity Type: process-create:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| account_used_id | account_id |
+| authentication | auth |
+| target_domain | dest_domain |
+| target_directory | dest_process_dir |
+| target_process_name | dest_process_name |
+| target_process | dest_process_path |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| url | file_url |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| grandparent_process | grandparent_process_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| target_pid,
target_process_guid | dest_process_id |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| record_id,
log_id,
event_id | event_id |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| login_id,
logon_id | login_id |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| parent_pid,
parent_process_id | parent_process_id |
+| process_directory,
directory | process_dir |
+| process_guid,
target_process_guid | process_guid |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
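Review bot: `target_process_guid` is mapped to two different fields in this table, `dest_process_id` (with `target_pid`) and `process_guid` (with `process_guid`), so the created process's GUID ends up both in a numeric ID column and in the column for the acting process; drop it from one of the rows. `grandparent_process` maps to `grandparent_process_name` here but to `grandparent_process_path` in the `process-alert`, `process-network` and `process-network-failed` tables; if the legacy value is a full path, `_path` is the right target here as well.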
diff --git a/FieldsMappings/process-network-failed_fields.md b/FieldsMappings/process-network-failed_fields.md
new file mode 100644
index 0000000..92590e8
--- /dev/null
+++ b/FieldsMappings/process-network-failed_fields.md
@@ -0,0 +1,63 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: process-network-failed
+### New-Scale Activity Type: network-session:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| target_process_directory | dest_process_dir |
+| target_process_name | dest_process_name |
+| target_process | dest_process_path |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| grandparent_process | grandparent_process_path |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| parent_pid | parent_process_id |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| target_pid,
target_process_guid | dest_process_id |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| host,
local_asset | host |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
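Review bot: a `network-session:fail` table with no address or port rows: nothing here populates a source or destination IP, a destination port or a protocol field, and `host, local_asset | host` is the only host-level mapping. If the legacy `process-network-failed` event carries the connection tuple, those fields need rows here; if a shared mapping handles them, a sentence saying so above the table would spare the next reviewer the same question.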
diff --git a/FieldsMappings/process-network_fields.md b/FieldsMappings/process-network_fields.md
new file mode 100644
index 0000000..469cc81
--- /dev/null
+++ b/FieldsMappings/process-network_fields.md
@@ -0,0 +1,63 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: process-network
+### New-Scale Activity Type: network-session:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| target_process_directory | dest_process_dir |
+| target_process_name | dest_process_name |
+| target_process | dest_process_path |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| grandparent_process | grandparent_process_path |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| parent_pid | parent_process_id |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| target_pid,
target_process_guid | dest_process_id |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| host,
local_asset | host |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
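Review bot: `pid | process_id` is the only process-id row in this table, whereas the `process-network-failed` table accepts `process_id, pid`; any legacy source that sends `process_id` for successful sessions will be left unmapped here, so the two tables should use the same row. As with the failed variant, no row maps the connection's addresses or ports, which for a `network-session` activity is the core content.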
diff --git a/FieldsMappings/registry-write_fields.md b/FieldsMappings/registry-write_fields.md
new file mode 100644
index 0000000..cb72b0d
--- /dev/null
+++ b/FieldsMappings/registry-write_fields.md
@@ -0,0 +1,57 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: registry-write
+### New-Scale Activity Type: registry-create:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| record_id,
event_id,
log_id | event_id |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| parent_pid,
parent_process_id | parent_process_id |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
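Review bot: `registry-write` is mapped unconditionally to `registry-create:success`, but a registry write covers modification of existing values as well as creation of keys and values; unless the legacy event type is create-only, the activity type should be chosen per event (create vs modify) rather than fixed in the heading. The table also has no row for the registry key, value name or value data, and it carries `login_type | login_type_text` without the `logon_type | login_type` row present in the other tables.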
diff --git a/FieldsMappings/remote-access_fields.md b/FieldsMappings/remote-access_fields.md
new file mode 100644
index 0000000..9797710
--- /dev/null
+++ b/FieldsMappings/remote-access_fields.md
@@ -0,0 +1,65 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: remote-access
+### New-Scale Activity Type: endpoint-login:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| target_logon_id | dest_login_id |
+| dest_service | dest_service_name |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| account_type | user_type |
+| uuid | user_uid |
+| account_logon_guid,
account_login_guid | account_login_guid |
+| description,
additional_info | additional_info |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| dest_service_name,
dest_service | dest_service_name |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| login_type,
logon_type_text,
logon_type | login_type_text |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| user_logon_guid,
user_login_guid | user_login_guid |
\ No newline at end of file
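Review bot: `remote-access` is mapped to `endpoint-login:fail` although the table still maps `result, outcome | result`; confirm the legacy type is failure-only, otherwise the outcome suffix should come from `result`. There are also two rows producing `dest_service_name` (`dest_service` alone and again in `dest_service_name, dest_service`), and `logon_type` appears both under `login_type` and under `login_type_text` (`login_type, logon_type_text, logon_type`), so one legacy field feeds two targets; keep each legacy name in a single row.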
diff --git a/FieldsMappings/remote-logon_fields.md b/FieldsMappings/remote-logon_fields.md
new file mode 100644
index 0000000..7cf3727
--- /dev/null
+++ b/FieldsMappings/remote-logon_fields.md
@@ -0,0 +1,65 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: remote-logon
+### New-Scale Activity Type: endpoint-login:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| dest_service | dest_service_name |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| result_code | http_response_code |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| account_id,
account_used_id | account_id |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| log_id,
resource_id,
record_id | event_id |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| login_type,
logon_type_text,
logon_type | login_type_text |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| account_dn,
user_dn | user_dn |
+| sid,
user_id | user_id |
+| user_ou,
account_ou | user_ou |
\ No newline at end of file
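Review bot: `remote-logon` maps to `endpoint-login:fail`, the same outcome as `remote-access`, while `service-logon` maps to `endpoint-login:success`; a plain logon type fixed to failure looks like a copy error, so please confirm. `result_code | http_response_code` also looks out of place for an endpoint login (a logon status code is not an HTTP response code), `sid, user_id | user_id` puts a SID into `user_id` while `user_sid` goes to `dest_user_sid`, and `logon_type` again appears under both `login_type` and `login_type_text`.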
diff --git a/FieldsMappings/security-alert_fields.md b/FieldsMappings/security-alert_fields.md
new file mode 100644
index 0000000..ef4e55f
--- /dev/null
+++ b/FieldsMappings/security-alert_fields.md
@@ -0,0 +1,73 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: security-alert
+### New-Scale Activity Type: alert-trigger:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| cve | cve_id |
+| target_domain | dest_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| recipients | email_recipients |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| alert_name,
alert | alert_name |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| group_name,
group | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| malware_filename,
malware_file_name | malware_file_name |
+| threat_score,
score,
risk_score | original_risk_score |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| parent_process_id,
parent_pid | parent_process_id |
+| policy,
policy_name | policy_name |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome,
action_blocked,
action_success | result |
+| rule,
rule_name | rule |
+| rule_num,
rule_count | rule_count |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| url,
full_url | url |
+| user,
suser | user |
+| user_id,
uid | user_id |
+| uid,
user_uid,
uuid | user_uid |
\ No newline at end of file
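Review bot: the `result` row folds `action_blocked` and `action_success` into `result` as a plain rename; these are flags with opposite meaning, so a value of `true` would read identically for a blocked action and a successful one, and any detection keyed on `result` would be unreliable. A value transform (blocked to a fail/blocked result, success to success) is needed rather than a column alias. `uid` is also mapped twice, to `user_id` (`user_id, uid`) and to `user_uid` (`uid, user_uid, uuid`); keep it in one row.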
diff --git a/FieldsMappings/service-created_fields.md b/FieldsMappings/service-created_fields.md
new file mode 100644
index 0000000..f0cef96
--- /dev/null
+++ b/FieldsMappings/service-created_fields.md
@@ -0,0 +1,57 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: service-created
+### New-Scale Activity Type: service-create:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| sid,
user_sid | user_sid |
\ No newline at end of file
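Review bot: `directory` is claimed by two rows in this table, the `file_dir` row (`directory, file_dir, file_parent, f_parent | file_dir`) and the `process_dir` row (`process_directory, directory | process_dir`), and `user_sid` is likewise claimed by both `dest_user_sid` (`user_sid, target_user_sid | dest_user_sid`) and `user_sid` (`sid, user_sid | user_sid`); a legacy record carrying `directory` or `user_sid` will land in whichever row the loader evaluates last, so detections that key on the creating account's SID versus the target account's SID become order-dependent. Pick one target per source key and drop the other alias. Two smaller points on the same hunk: the alias cells are split across lines (`bytes,` / `bytes_num,` / ...), which GitHub Markdown will not render as one table row, so join each alias list onto a single line; and `bytes_recieved` should be confirmed as the literal legacy key, because a mapping keyed on a misspelling that never occurs in data silently drops the field. The file also lacks a trailing newline.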
diff --git a/FieldsMappings/service-logon_fields.md b/FieldsMappings/service-logon_fields.md
new file mode 100644
index 0000000..99332c1
--- /dev/null
+++ b/FieldsMappings/service-logon_fields.md
@@ -0,0 +1,60 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: service-logon
+### New-Scale Activity Type: endpoint-login:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| description | additional_info |
+| target_domain | dest_domain |
+| target_logon_id | dest_login_id |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| account_type | user_type |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| login_type,
logon_type_text,
logon_type | login_type_text |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
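Review bot: `logon_type` is mapped twice with different targets, once to `login_type` (`logon_type | login_type`) and again inside the `login_type_text` row (`login_type, logon_type_text, logon_type | login_type_text`). For a logon event the type is normally the numeric code and the text is derived from it, so sending the same source key to both a numeric and a text field will either put a number in `login_type_text` or a string in `login_type`; decide which legacy key carries the code and which carries the label, and list each once. The `directory` overlap between the `file_dir` and `process_dir` rows is the same as in service-created and should be resolved the same way here.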
diff --git a/FieldsMappings/share-access-denied_fields.md b/FieldsMappings/share-access-denied_fields.md
new file mode 100644
index 0000000..5bd4b8a
--- /dev/null
+++ b/FieldsMappings/share-access-denied_fields.md
@@ -0,0 +1,58 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: share-access-denied
+### New-Scale Activity Type: share-access:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| creation_time | time_created |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| sid,
user_sid | user_sid |
\ No newline at end of file
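Review bot: the fail and success halves of the share-access pair disagree on how the access mask arrives: this table maps only `accesses | access`, while the share-access:success table in this same patch maps `accesses, accesses_code | access`. A rule that compares the requested access between a denied attempt and a later successful one needs both sides to normalize the same legacy keys, so add `accesses_code` here (or remove it there) so the pair is symmetric. The `directory` and `user_sid` double mappings noted on service-created are repeated in this table as well.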
diff --git a/FieldsMappings/share-access_fields.md b/FieldsMappings/share-access_fields.md
new file mode 100644
index 0000000..6ebe4c3
--- /dev/null
+++ b/FieldsMappings/share-access_fields.md
@@ -0,0 +1,57 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: share-access
+### New-Scale Activity Type: share-access:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| creation_time | time_created |
+| accesses,
accesses_code | access |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| login_id,
logon_id | login_id |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
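Review bot: this success table drifts from its fail counterpart in three places beyond the access mask: it accepts `login_id, logon_id | login_id` where share-access-denied accepts only `logon_id`, it has no `sid, user_sid | user_sid` row at all (so `user_sid` resolves unambiguously to `dest_user_sid` here but is double-mapped in the denied table), and `record_id | event_id` is present in both but `login_type` handling differs. Since the two tables describe the same legacy event with a different outcome, the source-key lists should be identical and only the activity type should differ; consider generating both from one alias list so they cannot diverge again.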
diff --git a/FieldsMappings/share_link-create_fields.md b/FieldsMappings/share_link-create_fields.md
new file mode 100644
index 0000000..d2d307e
--- /dev/null
+++ b/FieldsMappings/share_link-create_fields.md
@@ -0,0 +1,71 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: share_link-create
+### New-Scale Activity Type: app-activity:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| action,
activity_action | action |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| http_response_code,
result,
response_code,
result_code | http_response_code |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| account_dn,
user_dn | user_dn |
+| user_id,
sid | user_id |
+| account_type,
user_type | user_type |
\ No newline at end of file
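Review bot: `result` is mapped to two different targets, `http_response_code` (`http_response_code, result, response_code, result_code | http_response_code`) and `result` (`result, outcome | result`); an HTTP status code and an outcome string are different things and a single legacy key cannot feed both, so remove `result` from the HTTP row unless the legacy field really carries a status code. Separately, `sid` here goes to `user_id` (`user_id, sid | user_id`) while every other table in this patch sends `sid` to `user_sid`; a Windows SID landing in `user_id` for share-link events but in `user_sid` elsewhere will break joins on the user identity across event types. Finally, the activity type `app-activity:success` is the generic one; share_link-use in the same patch gets the specific `share_link-open:success`, so confirm that no specific create type exists before collapsing link creation into the catch-all, where it is distinguishable only through `operation` and `action`.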
diff --git a/FieldsMappings/share_link-member-add_fields.md b/FieldsMappings/share_link-member-add_fields.md
new file mode 100644
index 0000000..1dc20ec
--- /dev/null
+++ b/FieldsMappings/share_link-member-add_fields.md
@@ -0,0 +1,71 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: share_link-member-add
+### New-Scale Activity Type: app-activity:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| action,
activity_action | action |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| http_response_code,
result,
response_code,
result_code | http_response_code |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| account_dn,
user_dn | user_dn |
+| user_id,
sid | user_id |
+| account_type,
user_type | user_type |
\ No newline at end of file
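Review bot: adding a member to a share link is an access-grant event, and mapping it to the generic `app-activity:success` (the same type this patch assigns to share_link-create and share_link-modify) leaves the grant indistinguishable from any other app action except through the `action, activity_action | action` and `operation, activity | operation` rows; confirm that the legacy `action` or `activity` value is preserved verbatim so a rule can still single out member additions, or use a dedicated type if one exists. The table is otherwise byte-for-byte identical to share_link-create, including the `result` double mapping and the `sid | user_id` inconsistency flagged there.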
diff --git a/FieldsMappings/share_link-modify_fields.md b/FieldsMappings/share_link-modify_fields.md
new file mode 100644
index 0000000..d62b196
--- /dev/null
+++ b/FieldsMappings/share_link-modify_fields.md
@@ -0,0 +1,71 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: share_link-modify
+### New-Scale Activity Type: app-activity:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| action,
activity_action | action |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| http_response_code,
result,
response_code,
result_code | http_response_code |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| account_dn,
user_dn | user_dn |
+| user_id,
sid | user_id |
+| account_type,
user_type | user_type |
\ No newline at end of file
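Review bot: this is the third identical 71-line copy of the share_link table in this patch (create, member-add, modify), differing only in the Old Event Type header. Hand-maintained duplicates are how the share-access success and fail tables have already drifted apart, so either generate these from one shared alias list or document that they must be kept in lockstep. The `result` double mapping (`http_response_code` row and `result` row) and `user_id, sid | user_id` carry over unchanged and need the same fix as in share_link-create.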
diff --git a/FieldsMappings/share_link-use_fields.md b/FieldsMappings/share_link-use_fields.md
new file mode 100644
index 0000000..829ceb4
--- /dev/null
+++ b/FieldsMappings/share_link-use_fields.md
@@ -0,0 +1,71 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: share_link-use
+### New-Scale Activity Type: share_link-open:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| action,
activity_action | action |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| http_response_code,
result,
response_code,
result_code | http_response_code |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| account_dn,
user_dn | user_dn |
+| user_id,
sid | user_id |
+| account_type,
user_type | user_type |
\ No newline at end of file
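Review bot: share_link-use gets the specific `share_link-open:success` while the other three share_link events get `app-activity:success`, which is fine if opens are the only share-link event with a dedicated type, but worth stating in the commit message so nobody "fixes" the inconsistency later. The field rows are again a copy of share_link-create, so `result` is still listed under both `http_response_code` and `result`; for an open event the HTTP status is the more likely meaning of `response_code`/`result_code`, and `result` should stay with `outcome`.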
diff --git a/FieldsMappings/system-info_fields.md b/FieldsMappings/system-info_fields.md
new file mode 100644
index 0000000..c1048a8
--- /dev/null
+++ b/FieldsMappings/system-info_fields.md
@@ -0,0 +1,38 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: system-info
+### New-Scale Activity Type: certificate-request:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| --------------------------------------------------------- | --------------------------- |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
\ No newline at end of file
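Review bot: the activity type looks wrong. A legacy `system-info` event is mapped to `certificate-request:success`, yet not one row in the table is certificate-related (host_id, process_path, parent_process_command_line, dest_user, rule, service_name); nothing here resembles a CSR or CA interaction. Please confirm the intended target type, since anything keyed on `certificate-request:success` will be polluted with host inventory events and any rule meant for system-info events will never fire. This table also omits `record_id | event_id` and the `login_id` rows that the other endpoint tables carry, so event-level dedup and session correlation are lost for these records; add them if the legacy event has those keys.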
diff --git a/FieldsMappings/task-created_fields.md b/FieldsMappings/task-created_fields.md
new file mode 100644
index 0000000..7715d94
--- /dev/null
+++ b/FieldsMappings/task-created_fields.md
@@ -0,0 +1,57 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: task-created
+### New-Scale Activity Type: scheduled_task-create:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| login_type,
logon_type,
logon_type_text | login_type_text |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
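Review bot: `logon_type` is mapped both to `login_type` (`logon_type | login_type`) and, together with `login_type` and `logon_type_text`, to `login_type_text` (`login_type, logon_type, logon_type_text | login_type_text`), the same numeric-versus-text collision as in service-logon; list it under one target only. More importantly for a scheduled_task-create event, there is no row that maps a task name or the task's action/command: the only command-related rows are `command_line | process_command_line` and the `parent_process_command_line` aliases, which describe the creating process, not the task being registered. If the legacy task-created event carries the task name or its action, it is dropped by this mapping and persistence detections keyed on task content will have nothing to match.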
diff --git a/FieldsMappings/usb-activity_fields.md b/FieldsMappings/usb-activity_fields.md
new file mode 100644
index 0000000..8c48685
--- /dev/null
+++ b/FieldsMappings/usb-activity_fields.md
@@ -0,0 +1,56 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: usb-activity
+### New-Scale Activity Type: peripheral_storage-activity:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
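Review bot: this table has no `event_id` mapping at all (the other usb tables in this patch carry `record_id | event_id` or `log_id, resource_id, record_id | event_id`), so peripheral_storage-activity records cannot be deduplicated or correlated by event identifier; add the row if the legacy usb-activity event has any of those keys. The `login_id | login_id` row is a no-op identity mapping and can be dropped or kept for completeness, but the `directory` overlap between `file_dir` and `process_dir` should be resolved as in the earlier tables.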
diff --git a/FieldsMappings/usb-insert_fields.md b/FieldsMappings/usb-insert_fields.md
new file mode 100644
index 0000000..b7c71ed
--- /dev/null
+++ b/FieldsMappings/usb-insert_fields.md
@@ -0,0 +1,58 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: usb-insert
+### New-Scale Activity Type: peripheral_storage-insert:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| log_id,
resource_id,
record_id | event_id |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| login_id,
logon_id | login_id |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
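Review bot: the `log_id, resource_id, record_id | event_id` row folds three source keys into one identifier without stating precedence; if a legacy record carries both `log_id` and `record_id`, which one becomes `event_id` is left to loader order, and `resource_id` in particular does not read like an event identifier and may be a device or asset handle. Name the key that is actually the per-record id and map `resource_id` elsewhere (or drop it). This hunk also has the same split alias cells and `directory` overlap as the preceding tables.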
diff --git a/FieldsMappings/usb-read_fields.md b/FieldsMappings/usb-read_fields.md
new file mode 100644
index 0000000..0a3cc12
--- /dev/null
+++ b/FieldsMappings/usb-read_fields.md
@@ -0,0 +1,59 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: usb-read
+### New-Scale Activity Type: file-read:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| parent_pid | parent_process_id |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
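Review bot: `directory` is listed as an old field in two rows with different targets, `directory, file_dir, file_parent, f_parent | file_dir` and `process_directory, directory | process_dir`; a single legacy field cannot land in both `file_dir` and `process_dir`, so drop it from one row or state which mapping takes precedence. This double mapping is copied into every file in the patch. Two smaller points: `bytes_recieved` should be checked against the actual legacy field name (keeping a misspelling is right only if the legacy data carries it), and since `usb-read` collapses into the generic `file-read:success`, confirm that the `device_name, device | device_name` row is enough to tell USB reads apart from ordinary file reads once the old event type is gone.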
diff --git a/FieldsMappings/usb-write_fields.md b/FieldsMappings/usb-write_fields.md
new file mode 100644
index 0000000..be1b462
--- /dev/null
+++ b/FieldsMappings/usb-write_fields.md
@@ -0,0 +1,59 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: usb-write
+### New-Scale Activity Type: file-write:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| source | legacy_product |
+| logon_id | login_id |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| parent_pid | parent_process_id |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| user_firstname,
first_name | first_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| last_name,
user_lastname | last_name |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
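Review bot: this file and usb-read_fields.md in the same patch disagree on the name rows. Here `user_firstname, first_name | first_name` and `last_name, user_lastname | last_name` accept the new-scale names as legacy aliases, while usb-read lists only `user_firstname | first_name` and `user_lastname | last_name`. Either both events carry the `first_name`/`last_name` spellings in legacy data or neither does; align the two files so the read and write mappings behave the same. The `directory` double mapping (`file_dir` and `process_dir`) noted for usb-read is present here too.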
diff --git a/FieldsMappings/user-role-assign_fields.md b/FieldsMappings/user-role-assign_fields.md
new file mode 100644
index 0000000..464dbf3
--- /dev/null
+++ b/FieldsMappings/user-role-assign_fields.md
@@ -0,0 +1,71 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: user-role-assign
+### New-Scale Activity Type: user-role-assign:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| action,
activity_action | action |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| http_response_code,
result,
response_code,
result_code | http_response_code |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| account_dn,
user_dn | user_dn |
+| user_id,
sid | user_id |
+| account_type,
user_type | user_type |
\ No newline at end of file
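Review bot: `result` appears as an old field in two rows with different targets, `http_response_code, result, response_code, result_code | http_response_code` and `result, outcome | result`; pick one, since a role-assignment event's legacy `result` is far more likely an outcome string than an HTTP status. Also check the SID rows: `user_id, sid | user_id` sends `sid` to the acting user while `user_sid, target_user_sid | dest_user_sid` sends `user_sid` to the destination user; for a role assignment, the principal receiving the role is the target, but the two rows read as if `sid` and `user_sid` belong to different people, which needs a comment in the table or the row split by direction.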
diff --git a/FieldsMappings/user-role-revoke_fields.md b/FieldsMappings/user-role-revoke_fields.md
new file mode 100644
index 0000000..578229b
--- /dev/null
+++ b/FieldsMappings/user-role-revoke_fields.md
@@ -0,0 +1,71 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: user-role-revoke
+### New-Scale Activity Type: user-role-revoke:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| attachment | email_attachment |
+| attachments | email_attachments |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| subcategory | sub_category |
+| target_sha256 | target_hash_sha256 |
+| action,
activity_action | action |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| file_extension,
file_ext | file_ext |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| http_response_code,
result,
response_code,
result_code | http_response_code |
+| operation,
activity | operation |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| full_url,
url | url |
+| account_dn,
user_dn | user_dn |
+| user_id,
sid | user_id |
+| account_type,
user_type | user_type |
\ No newline at end of file
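Review bot: apart from the two header lines (`### Old Event Type: user-role-revoke` and `### New-Scale Activity Type: user-role-revoke:success`) this file is byte-for-byte the assign mapping, including the duplicated `result` row (`http_response_code, result, response_code, result_code | http_response_code` beside `result, outcome | result`). Fix it in both places, and consider generating the per-event files from a shared template or a single source table so the assign/revoke pair cannot drift apart on the next edit.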
diff --git a/FieldsMappings/vpn-connection_fields.md b/FieldsMappings/vpn-connection_fields.md
new file mode 100644
index 0000000..bb26bd9
--- /dev/null
+++ b/FieldsMappings/vpn-connection_fields.md
@@ -0,0 +1,54 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: vpn-connection
+### New-Scale Activity Type: vpn-login:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
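Review bot: `### New-Scale Activity Type: vpn-login:fail` needs justification in the file. Nothing in the old name `vpn-connection` says the event is a failure, and the table still maps `result, outcome | result`, so a successful legacy connection event would be re-labelled as a failed login. If `vpn-connection` was only ever emitted on failure, say so above the table. Separately, this file has no `event_id` row at all, whereas vpn-login_fields.md and vpn-logout_fields.md map `record_id, event_id, log_id | event_id`, and it also lacks `logon_id | login_id` and `policy | policy_name`; confirm those omissions are deliberate rather than a copy from an older template.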
diff --git a/FieldsMappings/vpn-login_fields.md b/FieldsMappings/vpn-login_fields.md
new file mode 100644
index 0000000..40f6f38
--- /dev/null
+++ b/FieldsMappings/vpn-login_fields.md
@@ -0,0 +1,62 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: vpn-login
+### New-Scale Activity Type: vpn-login:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| user_group | user_group_name |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| bytes_sent,
bytes_out | bytes_out |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| record_id,
event_id,
log_id | event_id |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| group_name,
group | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
+| user,
username | user |
\ No newline at end of file
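Review bot: the user rows pull in different directions. `user, username | user` and `caller_user | src_user` treat the authenticating principal as the source, but `user_sid, target_user_sid | dest_user_sid` puts the same principal's SID on the destination side. For a login event `user_sid` is normally the SID of the user logging in, so either map it to a source-side SID field or note why the VPN feed puts it on the target. Also, `group_name, group | group_name` and `user_group | user_group_name` both exist here while vpn-logout_fields.md has only `group | group_name`; the two halves of the session should map the same group fields.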
diff --git a/FieldsMappings/vpn-logout_fields.md b/FieldsMappings/vpn-logout_fields.md
new file mode 100644
index 0000000..f7d0b09
--- /dev/null
+++ b/FieldsMappings/vpn-logout_fields.md
@@ -0,0 +1,59 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: vpn-logout
+### New-Scale Activity Type: vpn-logout:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| group | group_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sconnection_id | source_connection_id |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| bytes_sent,
bytes_out | bytes_out |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| record_id,
event_id,
log_id | event_id |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
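Review bot: `sconnection_id | source_connection_id` looks like a typo on both sides. No other file in the patch uses `sconnection_id`, every other source-side field is `src_*` (`src_domain`, `src_mac`, `src_user`, `src_email_address`), and the table already has `connection_id, conn_id | connection_id`. If the legacy field really is spelled `sconnection_id`, keep it but rename the target to the `src_` form used everywhere else; otherwise correct the old name as well. Note that this file also carries `bytes_sent, bytes_out | bytes_out`, which vpn-connection_fields.md lacks, so the three VPN mappings are not yet consistent with each other.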
diff --git a/FieldsMappings/web-activity-allowed_fields.md b/FieldsMappings/web-activity-allowed_fields.md
new file mode 100644
index 0000000..57266be
--- /dev/null
+++ b/FieldsMappings/web-activity-allowed_fields.md
@@ -0,0 +1,63 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: web-activity-allowed
+### New-Scale Activity Type: http-session:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| url | file_url |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| user_group | user_group_name |
+| risk_level,
alert_severity | alert_severity |
+| app_class,
app_group | app_group |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| failure_reason,
reason | failure_reason |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| response_code,
result_code | http_response_code |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
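Review bot: the URL rows swap meanings in a way that will surprise anyone querying the new-scale field: `url | file_url` sends the legacy `url` into `file_url`, while `full_url | url` makes the legacy `full_url` the new `url`. If that is intended because the legacy `url` held a downloaded-file URL, add a line saying so; otherwise one of the two rows is wrong. `reason` is also mapped twice, to `result_reason` (`reason | result_reason`) and to `failure_reason` (`failure_reason, reason | failure_reason`); for an allowed session `result_reason` is the only one that makes sense, so drop `reason` from the failure row.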
diff --git a/FieldsMappings/web-activity-denied_fields.md b/FieldsMappings/web-activity-denied_fields.md
new file mode 100644
index 0000000..7673950
--- /dev/null
+++ b/FieldsMappings/web-activity-denied_fields.md
@@ -0,0 +1,62 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: web-activity-denied
+### New-Scale Activity Type: http-session:fail
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| url | file_url |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| full_url | url |
+| user_group | user_group_name |
+| risk_level,
alert_severity | alert_severity |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| failure_reason,
reason | failure_reason |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| group,
group_name | group_name |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| response_code,
result_code | http_response_code |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
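Review bot: this file is not the mirror of web-activity-allowed_fields.md that the event pair suggests. It drops the `app_class, app_group | app_group` row, although a denied request carries the same application classification as an allowed one, and it maps the process id as `process_id, pid | process_id` where the allowed file has only `pid | process_id`. Make the two tables identical apart from the header and the `:fail` outcome, and resolve the same double mapping of `reason` (`reason | result_reason` beside `failure_reason, reason | failure_reason`) here; for a denied session `failure_reason` is the row to keep.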
diff --git a/FieldsMappings/web-meeting-created_fields.md b/FieldsMappings/web-meeting-created_fields.md
new file mode 100644
index 0000000..3e23bc9
--- /dev/null
+++ b/FieldsMappings/web-meeting-created_fields.md
@@ -0,0 +1,53 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: web-meeting-created
+### New-Scale Activity Type: meeting-create:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
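Review bot: the table contains no meeting-specific field. Every row is the generic process, file, hash, email and network set (`parent_sha256hash`, `file_dir`, `hash_md5`, `src_mac`, ...), and there is no row for a meeting identifier, host or topic, so a `meeting-create:success` event will arrive with nothing that identifies the meeting. If the legacy `web-meeting-created` event carried such fields, they need rows here; if it did not, a short note above the table saying the mapping is generic on purpose would save the next reader from searching for them. The same table is repeated unchanged in the other four web-meeting files in this patch.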
diff --git a/FieldsMappings/web-meeting-ended_fields.md b/FieldsMappings/web-meeting-ended_fields.md
new file mode 100644
index 0000000..0ef0a75
--- /dev/null
+++ b/FieldsMappings/web-meeting-ended_fields.md
@@ -0,0 +1,53 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: web-meeting-ended
+### New-Scale Activity Type: meeting-end:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
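Review bot: the outcome is pinned in the header (`meeting-end:success`) while the table still maps `result, outcome | result`, so a legacy event whose `result` or `outcome` field says the meeting failed to end would be emitted as a success with a contradictory `result` value. State whether the legacy `result` is to be ignored for the activity-type outcome or whether it should select between `:success` and `:fail`. This affects every file in the patch that fixes `:success` in the header while keeping the `result` row.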
diff --git a/FieldsMappings/web-meeting-participant-joined_fields.md b/FieldsMappings/web-meeting-participant-joined_fields.md
new file mode 100644
index 0000000..314dd83
--- /dev/null
+++ b/FieldsMappings/web-meeting-participant-joined_fields.md
@@ -0,0 +1,53 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: web-meeting-participant-joined
+### New-Scale Activity Type: meeting-member-join:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
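Review bot: for `meeting-member-join:success` the table does not say which side the joining participant lands on. `tgt_user, target_user | dest_user` and `src_user, caller_user | src_user` are both present, and for a join event the member can reasonably be either the actor (src) or the object of the action (dest). Add one sentence above the table fixing that convention, or the same participant will end up in different fields depending on which legacy name the source product used.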
diff --git a/FieldsMappings/web-meeting-started_fields.md b/FieldsMappings/web-meeting-started_fields.md
new file mode 100644
index 0000000..8ae501b
--- /dev/null
+++ b/FieldsMappings/web-meeting-started_fields.md
@@ -0,0 +1,53 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: web-meeting-started
+### New-Scale Activity Type: meeting-start:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
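Review bot: the legacy field `directory` is mapped to two different new-scale fields in this table, `directory, file_dir, file_parent, f_parent | file_dir` and `process_directory, directory | process_dir`; a single source value cannot land in both, so whichever rule the translator applies last wins silently. Decide what `directory` means for a meeting-start event (a process directory is unlikely here) and drop it from the other row. Also check `user_sid, target_user_sid | dest_user_sid`: the other `user_*` fields (`user_email`, `user_firstname`, `user_lastname`) are mapped as the acting user, so `user_sid` ending up on the destination side looks inconsistent. Finally, most rows (process command lines, parent hashes, `bytes_in`, `rule`) have no meaning for `meeting-start:success`; if they are a template carried over from endpoint events, trimming them to the fields the web-meeting source actually emits would make the mapping reviewable.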
diff --git a/FieldsMappings/web-meeting-updated_fields.md b/FieldsMappings/web-meeting-updated_fields.md
new file mode 100644
index 0000000..251f195
--- /dev/null
+++ b/FieldsMappings/web-meeting-updated_fields.md
@@ -0,0 +1,53 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: web-meeting-updated
+### New-Scale Activity Type: meeting-modify:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
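Review bot: apart from the two heading lines (`### Old Event Type: web-meeting-updated`, `### New-Scale Activity Type: meeting-modify:success`) this table is identical to the web-meeting-started one, so the two will drift apart the first time one of them is corrected; either generate both from a shared base mapping or state on the page that they must be kept in sync. The row `subject | email_subject` also deserves a look: for a meeting-modify event the legacy `subject` is presumably the meeting title, not an email subject, and putting it in an email field pulls meeting updates into every email-subject search.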
diff --git a/FieldsMappings/webconference-login_fields.md b/FieldsMappings/webconference-login_fields.md
new file mode 100644
index 0000000..6c47993
--- /dev/null
+++ b/FieldsMappings/webconference-login_fields.md
@@ -0,0 +1,54 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: webconference-login
+### New-Scale Activity Type: app-login:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| login_type,
logon_type,
logon_type_text | login_type_text |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_id,
pid | process_id |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
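Review bot: the activity type is fixed to `app-login:success`, yet the table still maps `result, outcome | result`, so a failed web-conference login is either dropped or recorded as a success; say how a non-success `result` is handled (a separate failure mapping, or a split on the result value) before this goes in, because login failures are exactly what detection rules on this activity type look for. The row `login_type, logon_type, logon_type_text | login_type_text` also folds the numeric logon type into the text field, while webconference-operations-activity maps `logon_type | login_type` and `login_type | login_type_text` separately; pick one convention. And confirm that `bytes_recieved` is the legacy spelling; if the source writes `bytes_received` this alias never matches.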
diff --git a/FieldsMappings/webconference-operations-activity_fields.md b/FieldsMappings/webconference-operations-activity_fields.md
new file mode 100644
index 0000000..0a7be9c
--- /dev/null
+++ b/FieldsMappings/webconference-operations-activity_fields.md
@@ -0,0 +1,60 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: webconference-operations-activity
+### New-Scale Activity Type: app-activity:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| policy | policy_name |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| object_dn | src_ds_object_dn |
+| object_ou | src_ds_object_ou |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
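Review bot: this file lists `pid | process_id` but, unlike the other mapping files in this change which have `process_id, pid | process_id`, the legacy `process_id` field itself is not in the table; unless the translator identity-maps same-named fields, `process_id` is silently lost here. The `directory` ambiguity is also present: it appears both in `directory, file_dir, file_parent, f_parent | file_dir` and in `process_directory, directory | process_dir`, so one of the two rows should drop it. Lastly, `object_dn | src_ds_object_dn` and `object_ou | src_ds_object_ou` are directory-service fields; if a webconference-operations-activity event never carries them they are template noise, and if it does, the `src_` prefix should be checked against whether the DN names the actor or the target object.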
diff --git a/FieldsMappings/winsession-disconnect_fields.md b/FieldsMappings/winsession-disconnect_fields.md
new file mode 100644
index 0000000..1b7ac17
--- /dev/null
+++ b/FieldsMappings/winsession-disconnect_fields.md
@@ -0,0 +1,58 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: winsession-disconnect
+### New-Scale Activity Type: endpoint-logout:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| description | additional_info |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
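Review bot: mapping `winsession-disconnect` to `endpoint-logout:success` treats a session disconnect as a logoff, but a disconnected Windows session stays alive and can be reconnected without re-authenticating, so the later reconnect is not a new login. Any rule that uses endpoint-logout as "session ended" (activity after logout, session duration, concurrent-session counts) will misfire on these events. If the new-scale model has a disconnect or session-suspend activity type, use it; if not, document the conflation on this page so rule authors know. Also note that `description | additional_info` appears only in this file; if other Windows session events carry `description` too, the row belongs in the shared base mapping.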
diff --git a/FieldsMappings/workstation-locked_fields.md b/FieldsMappings/workstation-locked_fields.md
new file mode 100644
index 0000000..0e4132f
--- /dev/null
+++ b/FieldsMappings/workstation-locked_fields.md
@@ -0,0 +1,58 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: workstation-locked
+### New-Scale Activity Type: endpoint-lock:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| result_code | http_response_code |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
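Review bot: `result_code | http_response_code` is wrong for `workstation-locked` / `endpoint-lock:success`: a workstation lock has no HTTP response, so whatever the legacy `result_code` holds (most likely a status code from the Windows event) will be indexed as an HTTP status and pollute every web-traffic search that filters on `http_response_code`. Map it to a result-oriented field, or drop the row if it is a template leftover. Since the activity type is hard-coded to `:success`, the `result, outcome | result` row is redundant for the same reason; a lock that did not succeed would not be a `workstation-locked` event.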
diff --git a/FieldsMappings/workstation-unlocked_fields.md b/FieldsMappings/workstation-unlocked_fields.md
new file mode 100644
index 0000000..c98e669
--- /dev/null
+++ b/FieldsMappings/workstation-unlocked_fields.md
@@ -0,0 +1,58 @@
+Old to New-scale Field Mapping for a Specific Event
+===================================================
+
+### Old Event Type: workstation-unlocked
+### New-Scale Activity Type: endpoint-unlock:success
+
+This table maps old fields to the new-scale fields that comply with the Common Information Model.
+
+| Old Fields | New-Scale Fields |
+| ------------------------------------------------------------------ | --------------------------- |
+| accesses | access |
+| target_domain | dest_domain |
+| user_email | email_address |
+| subject | email_subject |
+| log_type | event_category |
+| record_id | event_id |
+| user_firstname | first_name |
+| user_fullname | full_name |
+| sha256_at | hash_sha256_at |
+| asset_id | host_id |
+| result_code | http_response_code |
+| user_lastname | last_name |
+| source | legacy_product |
+| logon_id | login_id |
+| logon_type | login_type |
+| login_type | login_type_text |
+| activity | operation |
+| activity_details | operation_details |
+| activity_type | operation_type |
+| parent_sha256hash | parent_hash_sha256 |
+| command_line | process_command_line |
+| pid | process_id |
+| reason | result_reason |
+| selected_sha256 | selected_hash_sha256 |
+| sender | src_email_address |
+| target_sha256 | target_hash_sha256 |
+| bytes,
bytes_num,
bytes_size,
file_size | bytes |
+| bytes_in,
bytes_recieved | bytes_in |
+| connection_id,
conn_id | connection_id |
+| target_user_email,
dest_email_address,
recipient | dest_email_address |
+| tgt_user,
target_user | dest_user |
+| user_sid,
target_user_sid | dest_user_sid |
+| device_name,
device | device_name |
+| sub_event_type,
event_subtype | event_subtype |
+| directory,
file_dir,
file_parent,
f_parent | file_dir |
+| md5,
md5_sum,
md5_hash | hash_md5 |
+| sha1,
sha1_sum | hash_sha1 |
+| sha256,
sha256_sum | hash_sha256 |
+| parent_process_cmd,
parent_command_line,
parent_cmd | parent_process_command_line |
+| parent_directory,
parent_process_directory | parent_process_dir |
+| process_directory,
directory | process_dir |
+| process_path,
process,
path | process_path |
+| result,
outcome | result |
+| rule,
rule_name | rule |
+| service_name,
service | service_name |
+| src_domain,
caller_domain | src_domain |
+| src_mac,
mac,
source_mac,
mac_address,
src_mac_address | src_mac |
+| src_user,
caller_user | src_user |
\ No newline at end of file
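Review bot: `user_sid, target_user_sid | dest_user_sid` deserves a second look here: an unlock is an authentication by the user at the console, whose name is mapped as the actor via `src_user, caller_user | src_user`, so that user's SID landing in `dest_user_sid` splits one identity across source and destination fields and defeats joins on the SID. Beyond that, this table is identical to workstation-locked, including the questionable `result_code | http_response_code` row; lock and unlock should share one base mapping so a fix lands in both.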
diff --git a/Fields_Descriptions.md b/Fields_Descriptions.md
new file mode 100644
index 0000000..cab6990
--- /dev/null
+++ b/Fields_Descriptions.md
@@ -0,0 +1,1084 @@
+ Fields Descriptions
+====================
+
+This table lists the Common Information Model fields that can be used to build events and to create searches and correlation rules.
+
+| Field | Data Type | Description |
+| ------------------------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| AA | string | The Authoritative Answer bit for response messages specifies that the responding name server is an authority for the domain name in the question section. |
+| RA | string | The Recursion Available bit in a response message indicates that the name server supports recursive queries. |
+| RD | string | The Recursion Desired bit in a request message indicates that the client wants recursive service for this query. |
+| TC | string | The Truncation bit specifies that the message was truncated. |
+| TTLs | string | The caching intervals of the associated RRs described by the answers field. |
+| Z | string | A reserved field that is usually zero in queries and responses. |
+| access | string | Access permissions given to the user when trying to access an object |
+| access_group | string | name of the group in which access is managed in vpn-connection events |
+| access_mask | string | bitmask that specifies a set of access rights in the access mask of an access control entry. |
+| access_type | string | The type of access permissions given to the user when trying to access an object |
+| accessor | string | Retrieve the value of the token for which capabilities are being queried. |
+| access_list | string | Access list of permissions associated with a system resource |
+| account | string | The account is the actual account that was used in the activity. |
+| account_domain | string | The domain of the account the user operated on. |
+| account_id | string | the user id associated with the user |
+| account_name | string | Name of the account the user operated on |
+| acl_content | string | |
+| acs_session_id | string | Unique identifier of a cisco secure access control server session. |
+| action | string | An action that was taken against the event (allowed, blocked, quarantined...). |
+| action_type | string | A value describing the type of the action. |
+| activity_details | string | details of the activity recorded in the events |
+| activity_id | string | A unique identifier of the activity |
+| activity_type | string | The activity type context element. |
+| activity | string | The activity context element. |
+| actor | string | It is consolidated into Username |
+| added_keys | string | |
+| added_member | string | |
+| added_member_type | string | |
+| added_permissions | array | |
+| added_role | string | |
+| added_role_name | string | |
+| added_users | array | |
+| additional_info | string | Additional descriptive information about the event. |
+| admin_id | string | A unique identifier of an admin |
+| admin_interface | string | Name of the interface through which the logged system messages can be accessed |
+| adopter_id | string | A unique identifier for the adapter instance. |
+| agent_id | string | The unique identifier of the agent of the product. |
+| agent_name | string | The agent_name attribute specifies the name of an agent. |
+| aid | string | The unique identifier of the agent |
+| aip | string | This stands for Agent IP and represents the external IP address of the endpoint as seen by the Falcon Cloud |
+| alert_description | string | Security alert message |
+| alert_id | string | A unique identifier of the security alert. |
+| alert_name | string | The name of the security alert. |
+| alert_severity | string | The severity (level of urgency) of the alert as dictated by the vendor. |
+| alert_source | string | The source of the alert, as dictated by the vendor. |
+| alert_status | string | The status of the alert, as dictated by the vendor. |
+| alert_subject | string | The subject (title) of the alert. |
+| alert_type | string | The classification of the alert, as dictated by the vendor. |
+| allowed_data_actions | array | |
+| allowed_ids | array | |
+| allowed_permissions | array | Permissions specify access to AWS resources. |
+| allowed_resources | array | Lists all of the available resources that can be used in IAM policies to control access to AWS services |
+| allowed_uris | array | |
+| allowed_user_types | array | |
+| allowed_users | array | They have the permissions to access the AWS resources. |
+| analyzers | array | Framework for managing Zeek's protocol details. |
+| app | string | The name of the application mentioned in the event. |
+| app_code | string | The name of the folder which contains the application framework. |
+| app_group | string | It allow multiple apps produced by a single team to access shared containers and communicate using interprocess communication. |
+| app_id | string | A unique identifier of the application. |
+| app_learntime | string | |
+| app_protocol | string | The network protocol the application used. |
+| app_type | string | The type of the application. |
+| app_user | string | app_user is the current user running the application. |
+| app_version | string | The software version of the web conference application |
+| apps | array | |
+| area_classification | string | |
+| arg | string | An argument, a value passed as a parameter. |
+| asset_id | string | A unique identifier of the asset. |
+| assignble_scope | string | |
+| assigned_apps | array | The assigned apps shows the apps that are visible to users with the selected permission set. |
+| assigned_ip | ipv4/ipv6 | Client's actual assigned IP address. |
+| assignment_id | string | |
+| attachment | string | The attachments that were added to an email |
+| attachment_count | integer | Number of attachments in the email |
+| attachment_size | number | Size of attachments in the email |
+| attack | string | Name of the vulnerability category in case of a host or network vulnerability. |
+| attack_conf | string | Configuration of the vulnerability. |
+| attack_info | string | Description of the vulnerability in case of a host or network vulnerability. |
+| attribute | string | The attribute of the object which was accessed. |
+| attribute_value | string | |
+| attributes | array | A list of attributes of the object which was accessed. |
+| audit_category | string | The Windows category of the audit policy that was changed. |
+| audit_id | string | A unique identifier of the audit. |
+| audit_policy_name | string | The name of the audit policy document. |
+| audit_subcategory | string | |
+| auth | string | The type of authentication that was used in the event. |
+| auth_dn | string | The authentication domain name. |
+| auth_level | string | The current authentication security level. |
+| auth_method | string | The method/protocol package that was used in the authentication process. |
+| auth_package | string | The method used to authenticate an account. |
+| auth_process | string | The method/process used to authenticate an account. |
+| auth_server | string | The server name that was in charge of performing the authentication |
+| auth_type | string | The normalized authentication type used in the event. |
+| authorization_scope | string | |
+| availabilty_zone | string | |
+| aws_account | string | An account alias or an account ID for the AWS account. |
+| azure_category | string | It represents the category that belongs to the azure event. |
+| azure_resource_type | string | The type of azure resource accessed by the event. |
+| badge_id | string | The unique identifier of the physical badge. |
+| badge_reader | string | Badge readers record information such as user ID, date and time of entry for each access attempt. |
+| badge_status | string | A status badge shows whether a badge is currently valid or invalid. |
+| base_risk_score | number | These are the sum of all scores generated by triggered rules during a user session. |
+| bitdefender_operation_type | string | |
+| block_public_acls | array | |
+| block_public_policy | array | |
+| block_type | string | The block_type property specifies the block type of a particular memory object. |
+| blocked | boolean | It allows users to enhance the security of a router by configuring options to automatically block further login attempts |
+| blocking_group_name | string | It specifies the group name of a block that groups other blocks together inside one container. |
+| branch_name | string | |
+| browser | string | The browser the user used in this activity. |
+| bucket_arn | string | |
+| bucket_host | string | |
+| bucket_name | string | The name of a cloud storage container (bucket) that holds files/objects, in the cloud. |
+| bytes | number | The size in bytes. |
+| bytes_in | number | The amount of ingress bytes. |
+| bytes_out | number | The amount of egress bytes. |
+| bytes_unit | string | The measurement unit used to count the bytes. |
+| ca_runtime | string | The runtime of a certificate authority (CA) that issues Secure Sockets Layer (SSL) certificates. |
+| cabinet_name | string | The Cabinet name is the identities of an organization's Cabinet. |
+| calling_station_id | string | The called station identifier allows a RADIUS server to specify the MAC addresses or networks that a client can connect. |
+| card_num | string | The lenel card number is your identification at the university and your access to certain areas. |
+| card_status | string | Provides the status of the card. Example: Active. |
+| catalog | string | A catalog is a group of identical virtual machines. |
+| categories | array | A class or division of things regarded as having particular shared characteristics. |
+| category | string | A class or division of things regarded as having particular shared characteristics. |
+| category_behavior | string | A class or division of things having particular similar behavior. |
+| category_id | string | A unique identifier of the category. |
+| category_significance | string | |
+| cc | string | It can be commonly understood to mean courtesy copy. |
+| channel | string | A channel is an aggregation of multiple physical interfaces that creates a logical interface. |
+| channel_name | string | |
+| cipher | string | A secret or disguised way of writing. |
+| cipher_algorithm | string | A cipher algorithm is a mathematical formula designed specifically to obscure the value and content of data. |
+| cipher_method | string | |
+| circumstances | string | The condition connected with or relevant to an event or action. |
+| city | string | The name of the city. |
+| class_id | string | A unique identifier of the class. |
+| class_name | string | It is a globally unique identifier that identifies a COM class object. |
+| classification_name | string | The name of the classes on the basis of whether the traffic matches specific criteria. |
+| client | string | A desktop computer or workstation that is capable of obtaining information and applications from a server. |
+| client_cert_subject | string | It is a comma separated list of distinguished name fields and values. |
+| client_id | string | A unique identifier of the client. |
+| client_name | string | The name of the client. |
+| client_ssh_version | string | The ssh version of the client. |
+| client_system | string | The name of the client system. |
+| client_system_version | string | The system version of the client. |
+| client_token | string | A client token is a signed JWT that includes configuration and authorization information required by the client. |
+| client_type | string | The type of web conference application |
+| client_version | string | The application/ssh version of the client. |
+| cloud_drive_id | string | A unique identifier of the cloud drive. |
+| cls_id | string | The class ID of the application component. Used in Windows for COM apps. |
+| cluster_name | string | A name that identifies this database cluster (instance) for various purposes. |
+| code_size | number | |
+| collaborators | array | A collaborator is any person who can access, view, preview, download, comment, or edit a managed asset. |
+| command | string | A command is a specific instruction given to an application to perform some kind of task or function. |
+| community | string | Community is defined as a knowledge sharing hub; a place to collaborate, share insights and experiences, and get answers to questions. |
+| company | string | A company is a legal entity formed by a group of individuals to engage in and operate a business—commercial or industrial—enterprise. |
+| compatible_id | string | |
+| compression_alg | string | The compression algorithm in use. |
+| compression_algotithm | string | Specifies the compression algorithm to be used when compressing dump file data |
+| computer_name | string | A computer name is also called a PC name or device name which is used to help identify or locate a computer on a network. |
+| confidence_level | string | The confidence level is how confident the Software Blade is that recognized attacks are actually virus or bot traffic. |
+| connection_age | string | The time duration which the connection spanned. |
+| connection_counter | string | The number of times the carrier request for a packet in transmission. |
+| connection_id | string | The unique identifier of the network connection. |
+| connection_state | string | The state of the network connection, as dictated by the vendor. |
+| connection_status | string | The status of the connection. The expected values for this field are:Open, Close and Active. |
+| connection_uid | string | Calculation of md5 of the IP and user name as UID. |
+| connector_guid | string | Provides a list of all activities associated with a particular computer. |
+| contact_id | string | A unique identifier for the contact. |
+| contivity_session_id | string | A unique identifier of the contivity session. |
+| corp_client | string | It is custom profile attributes which have pre-defined Profile values, an essential element for controlled profiling and management example: Client, Matter, Author, etc. |
+| corp_matter | string | It allows users to view all matter-related information (documents, emails, etc.) in a single, logically organized interface. |
+| correlation_id | string | The correlation identifier assigned to the event, used to correlate with other events with the same identifier. |
+| count | number | It show the actual amount of connections that currently pass through the Security Gateway. |
+| country | string | The location or region of the event. |
+| country_code | string | The country code used to represent the event’s country. |
+| create_result | string | String of the create/open result. |
+| creator | string | |
+| creds_name | string | |
+| creds_path | string | |
+| cve_id | string | The unique identifier of the Common Vulnerabilities and Exposures. |
+| cvss_base_score | string | CVSS base score is used to rank the characteristics and severity of a software's exploitable weaknesses. |
+| cvss_impact_score | string | |
+| d_name | string | A dirent structure contains the character pointer d_name, which points to a string that gives the name of a file in the directory. |
+| d_parent | string | A dirent structure contains the character pointer d_parent, which points to a string that gives the name of a parent process in the directory. |
+| data | string | A data is an information that has been translated into a form that is efficient for movement or processing. |
+| datacenter_name | string | |
+| datastore_name | string | |
+| db_domain | string | The domain that contains the database. |
+| db_id | string | The unique identifier of the database. |
+| db_name | string | The name of the database. |
+| db_object | string | The database object that was referenced in the event. |
+| db_operation | string | Type of database query (insert,update,delete etc.) |
+| db_query | string | The full query that was sent to the database. |
+| db_schema | string | A database schema defines how data is organized within a relational database; this is inclusive of logical constraints such as, table names, fields, data types, and the relationships between these entities. |
+| db_user | string | The user name of the local database user in the event. |
+| decoder_name | string | Name of the decoder to use. |
+| denied_data_actions | array | It attaches a set of deny actions to a user, group, or service principal at a particular scope for the purpose of denying access. |
+| denied_permissions | array | The permissions that are explicitly denied by some rule. |
+| denied_resources | array | resources that are not available or accessible to a particular user or system. |
+| denied_users | array | It refer to users who are not allowed to access certain resources or perform certain actions. |
+| department | string | The company department of the user |
+| depth | string | It can refer to the number of levels or layers in a data structure, such as a tree or a graph. |
+| description | string | A description of the event. |
+| desire_access | string | It refer to the desire or request to access a particular resource or service offered by Dell. |
+| dest_country | string | The country of the machine the activity operated on. |
+| dest_country_code | string | |
+| dest_dns_hostname | string | |
+| dest_domain | string | The domain of the destination user |
+| dest_email | email | |
+| dest_email_address | email | The full destination email address. |
+| src_email_address | email | The full source email address. |
+| src_email_domain | string | The domain of the source email address. |
+| dest_email_domain | string | The domain of the destination email address. |
+| dest_email_folder | string | |
+| dest_email_user | string | The user of the destination email address. |
+| dest_external_ip | ipv4/ipv6 | It refer to the destination external IP address of a network connection. |
+| dest_file_dir | string | |
+| dest_group | string | It refer to a group of destinations or recipients for a command or action. |
+| dest_host | string | The destination endpoint name. |
+| dest_interface | string | It refer to the destination interface of a network connection or packet. |
+| dest_ip | ipv4/ipv6 | The destination endpoint IP address. |
+| dest_ipv6 | ipv4/ipv6 | |
+| dest_login_id | string | The login id of the destination. |
+| dest_mac | string | The destination endpoint MAC address. |
+| dest_network_zone | string | It refer to the destination network zone of a network connection or traffic flow. |
+| dest_port | integer | The destination port used in the network communication. |
+| dest_process_command_line | string | The full command line of the targeted process. |
+| dest_process_dir | string | The directory that contains the targeted process. |
+| dest_process_id | hexadecimal | The process ID of the targeted process. |
+| dest_process_name | string | The process name of the targeted process. |
+| dest_process_path | string | The full path of the targeted process. |
+| dest_role | string | |
+| dest_service_name | string | The service name of the targeted service. |
+| dest_translated_host | string | It refer to the destination host that has been translated as part of a network translation process. |
+| dest_translated_ip | ipv4/ipv6 | The NATed IPv4 or IPv6 address to which a packet has been sent. |
+| dest_translated_port | integer | The NATed port to which a packet has been sent. |
+| dest_user | string | The user name of the targeted user. |
+| dest_user_arn | string | |
+| dest_user_dn | string | |
+| dest_user_id | string | The unique identifier of the targeted user. |
+| dest_user_ou | string | |
+| dest_user_sid | string | A unique identification value that is assigned to dest user account and group in the system. |
+| dest_user_type | string | |
+| dest_zone | string | It refer to the destination zone of a network connection or traffic flow. |
+| detection_level | string | |
+| detection_method | string | |
+| detection_source_alias | string | Indicated the name which has been provided when the cloud data connection was initially configured in the Code42 console. |
+| device | string | |
+| device_id | string | Unique identifier of a device such as a USB |
+| device_ip | ipv4/ipv6 | |
+| device_model | string | It refer to the model or type of device that is being used or managed by the software. |
+| device_name | string | The name of a device such as a USB. |
+| device_size | string | It refer to the size of a storage device such as a hard drive or a cloud storage service. |
+| device_type | string | Typically in USB related events, the type of the device that was used. E.g. USB, DVD/CD-ROM |
+| device_vendor | string | The vendor of the device. |
+| device_version | string | The version of the device. |
+| devid | string | It refer to a device identifier or a unique identification value that is associated with a particular device. |
+| dhcp_ip | ipv4/ipv6 | It refer to the IP address that is assigned to a device by a DHCP server. |
+| dhcp_type | string | It refer to the type of dynamic host configuration protocol (DHCP) message or packet that is being sent or received. |
+| direction | string | The directionality of the communication. |
+| directory_id | string | The unique identifier of the file directory. |
+| disk_mode | string | |
+| disk_name | string | |
+| disk_size | string | |
+| disk_state | string | |
+| disposition | string | It is used to specify what action to perform for an item that is returned by the customer. |
+| dlp_dict | string | It refer to a dictionary or list of keywords or phrases that are used by the DLP feature to identify sensitive data. |
+| dns_ip_flow | string | It refer to a stream of DNS traffic that is being monitored or analyzed by Splunk. |
+| dns_query | string | The full DNS query in the packet. |
+| dns_query_flags | string | The query flags of the DNS query packet. |
+| dns_query_id | string | The identifier of the query in the DNS packet. |
+| dns_query_type | string | The DNS query type. |
+| dns_record_type | string | It refer to the type of DNS (Domain Name System) record that is being used or configured. |
+| dns_response | string | The full DNS response in the packet. |
+| dns_response_code | string | The response code given in the DNS packet. |
+| dns_response_flags | string | The response flags of the DNS response packet. |
+| doc_id | string | A unique identifier of the document. |
+| document_name | string | Displays the full path and filename of the current document. |
+| domain | string | The domain of the user |
+| door_group_name | string | It include a user directory specification or unique identity attribute. |
+| door_name | string | It is the last person or method that locked or unlocked the door. |
+| door_side_id | string | The unique identifier of the door side. |
+| download_source | string | Source code that is being downloaded in this build phase. |
+| dproc | string | It is the time that a node spends processing a packet. |
+| drive_letter | string | Used to specify the drive letter of the volume. |
+| driver_name | string | |
+| ds_name | string | The name of the directory service. |
+| ds_object_class | string | The directory service object class. |
+| ds_object_type | string | The directory service object type. |
+| ds_object_dn | string | The full distinguished name of the directory service object. |
+| ds_object_name | string | The name of the directory service object. |
+| ds_object_ou | string | The organizational unit of the directory service object. |
+| ds_object_out | string | |
+| ds_type | string | |
+| dtz | string | These are file extensions that help computers locate correct application for specific files. |
+| duration | string | The time duration which the event spanned. |
+| edge_response_status | string | Edge response status code is an HTTP response code sent from Cloudflare to the client (end user). |
+| egress_security_zone | string | It refer to a security zone that is used to enforce security policies on traffic that is leaving a network. |
+| elevation_type | string | |
+| email_address | email | The full email address of the user. |
+| email_attachment | string | The name of the file attachment attached to the email. |
+| email_attachments | array | A full list of the attachment names in the email. |
+| email_dlp_from | string | It is the practice of detecting and preventing data exfiltration. |
+| email_dlp_policy_names | array | |
+| email_domain | string | The domain of the users’ email address. |
+| email_id | string | The unique identifier of the user's email. |
+| email_recipients | array | The full list of recipients in the email. |
+| email_subject | string | The subject (title) of the email. |
+| email_user | string | The user name of the users’ email address. |
+| employee_id | string | The unique identifier of the employee. |
+| employee_status | string | It means the full time, part time, casual and/or temporary capacity that an Employee is employed in. |
+| employee_title | string | It is the position a person hold in an organisation. |
+| employee_type | string | It refers to different kinds of employees an organization can hire. |
+| end_time | datetime | The end_time property indicates a data set's lookback cutoff date; data older than this value is not included in the data set's calculation. |
+| engine_version | string | The version number of the database engine to upgrade to. |
+| environment | string | It is a part of the logical message tree in which you can store information. |
+| error_code | string | A number that appears on a computer screen to show that you have made a particular mistake or that something has gone wrong in a program |
+| error_info | string | It retrieves error information for operations performed directly on the database handle. |
+| event_category | string | If a single log source can provide multiple categories of events, this field should represent the category that belongs to the event. |
+| event_code | string | The code of the operation type recorded in the event, not to be confused with event_id. For example - 4624. |
+| event_hub_name | string | It refer to the name of an event hub, which is a cloud-based data streaming platform that is used to collect, store, and process large amounts of data from a variety of sources. |
+| event_hub_namespace | string | An Event Hubs namespace provides a unique scoping container, in which you create one or more event hubs. |
+| event_id | string | the unique identification of a single generated event, not to be confused with event_code. |
+| event_name | string | The name of the operation recorded in the event. |
+| event_name_code | string | |
+| event_name_hub_name | string | |
+| event_name_hub_namespace | string | |
+| event_name_name | string | |
+| event_subtype | string | The sub category of the event. |
+| event_time | datetime | It refer to the time at which a particular event occurred. |
+| execution_status | string | It reflects the current status of the activity instance. ExecutionStatus is set by the runtime tracking infrastructure. |
+| expiry_time | datetime | It contains the Date and Time at which the password will expire. |
+| exploit_code_maturity | string | This metric measures the likelihood of the vulnerability being attacked, and is typically based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation. |
+| exposure_type | string | Different types of file activity occurring across the Code42 environment. |
+| extension | string | An extension is a file containing programming that serves to extend the capabilities of or data available to a more basic program. |
+| external_address | email | The email address of the external party in an email. |
+| external_id | string | It contains unique record identifiers from a system outside of the current organization. |
+| extracted | string | Local filename of extracted file. |
+| extracted_cutoff | string | Set to true if the file being extracted was cut off so the whole file was not logged. |
+| extracted_size | number | The number of bytes extracted to disk. |
+| factor | string | It is a security process that helps verify users' identities before letting them access networks or online applications. |
+| failure_code | string | A code indicating the reason of the failure. |
+| failure_reason | string | A description of why the operation has failed. |
+| falcon_host_link | string | URL to view the detection in Falcon. |
+| field_name | string | It is the short name of your field. |
+| file_arn | string | |
+| file_category | string | The general categories of file type. |
+| file_dir | string | The directory of the file, not including the name. |
+| file_dir_id | string | |
+| file_dir_uri | string | |
+| file_exposure_changed_to | string | |
+| file_ext | string | The file extension. If the file name is myfile.txt, file_ext will be txt |
+| file_hash | string | A unique value that corresponds to the content of the file. |
+| file_id | string | The unique identifier of the file the activity operated on. |
+| file_name | string | The name of the file, not including the path. |
+| file_owner | string | A file's owner is identified by the user ID of the person who created the file. |
+| file_path | string | The full path of the file. |
+| file_path_at | string | |
+| file_permissions | array | File permissions control what user is permitted to perform which actions on a file. |
+| file_signature | string | |
+| file_signature_status | string | |
+| file_signed | string | |
+| file_type | string | The type of file accessed by the event. E.g file, folder, link. |
+| file_url | string | The full URL of the file’s location. |
+| fingerprint | string | It is the initial factor that unlocks the private cryptographic key that authenticates the user. |
+| firewall | string | It is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies. |
+| first_name | string | The first name of the user, without the last name. |
+| firstseen | string | |
+| flow_end_time | datetime | The flow end time shows time or date when flow was ended. |
+| flow_start_time | datetime | The flow start time shows time or date when flow was started. |
+| folder_name | string | Name of the folder where the message is stored. |
+| framed_addr | string | The address given to the network access server, if present. |
+| from_user_at | string | |
+| full_name | string | The user full name. |
+| dest_user_full_name | string | The destination user full name. |
+| function_arn | string | |
+| function_name | string | |
+| function_role | string | |
+| function_runtime | string | |
+| gateway_station | string | The IP of the web application machine (PVWA) in cyberark. |
+| grandparent_process_path | string | |
+| group_arn | string | |
+| group_domain | string | The domain of the group identity. |
+| group_id | string | It distinguishes duplicate groups resulting from a GROUP BY specification. |
+| group_info | string | It is an encoded value containing the number of groups of symbols bound to the key as well as the specification of the treatment of out-of-range groups. |
+| group_name | string | The name of the group identity. |
+| group_ou | string | It is a subdivision of groups within an Active Directory. |
+| group_type | string | The type of the group, e.g. local, global, etc |
+| handle_id | string | The unique identifier of the handle on an object. |
+| hash_md5 | hexadecimal | A md5 hash value. |
+| hash_sha1 | hexadecimal | It is a widely used hash function which takes an input and produces a 160-bit hash value known as a message digest - typically rendered as 40 hexadecimal digits. |
+| hash_sha256 | hexadecimal | A sha256 hash value. |
+| hash_sha256_at | hexadecimal | |
+| hash_type | string | Different types of hash algorithms such as RipeMD, Tiger, xxhash and more, but the most common type of hashing used for file integrity checks are MD5, SHA-2 and CRC32. |
+| hierarchy_code | string | The hierarchy code governs the order in which entries in a block are printed in the CINDA book, and is used to some extent as a measure of the importance of a particular reference. |
+| history | string | Records the state history of connections as a string of letters. |
+| host | string | The machine that logged the event. This can be either a hostname or an IP address |
+| host_bytes_in | number | |
+| host_bytes_out | number | |
+| host_ip | ipv4/ipv6 | IP address on which public port is listening |
+| host_key | string | A host key is a cryptographic key used for authenticating computers in the SSH protocol. |
+| host_key_alg | string | Host key algorithms specify which host key types are allowed to be used for the SSH connection. |
+| host_type | string | A host type is a container for variables that are assigned to a particular host. |
+| host_zen_code | string | |
+| http_response_code | integer | The code returned by the web server after a request was made. |
+| identifier | string | An identifier is a token that is used to form a name. |
+| identities | string | An identity is an internet capable entity that Umbrella protects through policies and monitors through reports. |
+| identity_group | string | It is composed of information elements that identify and describe a specific group of users that belong to the same administrative group. |
+| identity_type | string | The type of authentication credential depend upon the configuration of the supplicant software running on the endpoint device. |
+| ignore_public_acls | string | |
+| image_file_name | string | File name of the associated process for the detection. |
+| image_name | string | It specifies the name of the image installed. |
+| image_publisher | string | Public image reference with publisher |
+| image_release | string | It refer to the process of making a new version of an image file or software program available to users. |
+| image_version | string | It refer to the specific version of an image file that is being used or referred to. |
+| impact | string | It refers to the potential severity of a security vulnerability or threat. |
+| in_reply_to | string | It refers to a relationship between two network communications where one communication is a response to the other. |
+| case_name | string | |
+| ingress_interface | string | It refers to the network interface through which a packet enters a device. |
+| ingress_security_zone | string | |
+| inode | string | The inode number is a unique identifier that is assigned to each file or directory on the file system. |
+| instance_id | string | An instance ID is a unique identifier assigned to an instance (i.e., a virtual machine) when it is launched. |
+| instance_profile_arn | string | |
+| instance_type | string | It is used to specify the hardware configuration of an instance, such as the number of vCPUs and amount of memory. |
+| interface | string | An interface is a point of connection between a device and a network. |
+| interface_id | string | An interface ID is a unique identifier assigned to a network interface when it is created. |
+| interface_in | string | It refers to the network interface on a virtual machine (VM) that is used for incoming traffic. |
+| interface_name | string | It refers to the name assigned to a physical or logical network interface on the firewall device. |
+| inzone | string | The inzone is used to identify the source of network traffic in security rules, and to apply the appropriate access control policies. |
+| ioc | string | An Indicator of Compromise (IOC) is a data point that can be used to identify malicious activity on a system or network. |
+| ioc_number | string | An Indicator of Compromise (IOC) number is a unique identifier assigned to each IOC. |
+| ip_lease_time | string | This is the length of time that the client can use the IP address it has been assigned. |
+| ip_protocl_id | string | |
+| ip_reputation | ipv4/ipv6 | It is a feature that allows you to identify and block traffic from known malicious IP addresses. |
+| is_archived | boolean | |
+| is_consolidated | boolean | It is a field that indicates whether or not an event or message has been consolidated. |
+| is_dok | boolean | A flag indicating that the operation took place on a peripheral device. |
+| is_executable | boolean | |
+| is_orig | boolean | It is a field that is used to identify the direction of a network connection. |
+| is_outbound | boolean | It is used to distinguish between connections that were initiated by the host and connections that were established as a result of an incoming request. |
+| issue_time | datetime | It represents the time that an event was generated or issued. |
+| item_creator | string | It represents the user or system that created an object. |
+| item_name | string | It is a field that represents the name of an object. |
+| item_type | string | It represents the type of object that is being used. |
+| kerberos_service_name | string | |
+| kex_alg | string | It contains the name of the key exchange algorithm that is used in the SSH connection. |
+| key_id | string | |
+| key_length | integer | It represents the length of a cryptographic key used for encryption or decryption. |
+| key_name | string | It is a field that represents the name of a key that is used for encryption or decryption. |
+| key_status | string | |
+| key_type | string | It specifies the algorithm used to generate the key. |
+| asset_labels | array | It represents the labels that have been assigned to an asset. |
+| landscape | string | Represents the landscape context element. |
+| last_blocked_time | datetime | It represents the last time that a threat was blocked by the software. |
+| last_known_ip | ipv4/ipv6 | It represents the last known IP address of a resource or virtual machine. |
+| last_name | string | The last name of the user, without the first name. |
+| lease_time | string | It represents the amount of time a DHCP lease is valid for. |
+| link | string | It is a field that represents a hyperlink to a resource or webpage. |
+| link_id | string | |
+| linked_service_account | string | It represents the service account that is linked to a specific resource or project. |
+| local_orig | string | It represents whether or not a network connection was initiated by a host on the local network. |
+| local_resp | string | It is used to indicate whether or not the connection was responded to by a host on the local network or from an external network. |
+| local_user_id | string | It represents the identifier of a user who is local to the Ping Identity platform. |
+| location | string | The full location of the physical access event. |
+| location_area | string | In physical access events, the name of the general area/compound in which the access took place. |
+| location_building | string | In physical access events, the name of the building in which the access took place. |
+| location_city | string | In physical access events, the name of the city in which the access took place. |
+| location_country | string | In physical access events, the name of the country in which the access took place |
+| location_door | string | In physical access events, the name of the door in which the access took place |
+| location_door_id | string | It is a field or attribute used to track or identify the location. |
+| location_full | string | It is a field or attribute that can be used to represent the full location of an object, event, or person. |
+| location_information | string | It is an information, obtained by means of a tracking device, concerning the location of an electronic device. |
+| location_state | string | In physical access events, the state of the physical location. E.g locked, disabled. |
+| log_location | string | It refer to the directory or file path where log files are stored. |
+| log_name | string | The name of the logging component that recorded the event. |
+| log_path | string | It refers to the file path or directory where log files are stored. |
+| log_severity | string | It refers to the level of importance assigned to a log entry or event. |
+| log_source | string | The service that provided that data to the logging service. |
+| log_time | datetime | It refers to the time when an event or log entry was recorded in the system. |
+| log_uid | string | It refers to a unique identifier assigned to a log entry or event. |
+| login_id | hexadecimal | The identifier of the depicted login session. |
+| login_method | string | It refers to the process used by a client to authenticate to a server. |
+| login_type | integer | In login events, used to describe the type of the login operation. E.g remote, local, kerberos… |
+| login_type_text | string | It is a field that describes the type of logon that was performed by a user or system account. |
+| mac_alg | string | It refers to the message authentication code (MAC) algorithm used to secure a connection. |
+| machine_type | string | It refers to the specific virtual machine (VM) instance type that is used to host a particular workload. |
+| mailbox_name | string | |
+| mailfrom | email | It is used to represent the sender of an email message. |
+| malicious_file_count | integer | It is a metric that tracks the number of files detected as malicious by the security system. |
+| malware_action | string | It is a field that specifies the action taken by the security system in response to a detected malware event. |
+| malware_family | string | It is a field used to identify the specific family or group of malware associated with an event or alert. |
+| malware_file_name | string | It is a field that identifies the file name associated with a piece of malware. |
+| malware_file_type | string | It refers to the type of file that is determined to contain malicious content. |
+| malware_id | string | It refers to a unique identifier assigned to a specific piece of malware. |
+| malware_name | string | It contains the name of the malware family, variant, or specific instance of malware. |
+| malware_score | string | The malware score assigned in the event by a security vendor. |
+| malware_url | string | It refers to the URL or web address associated with a piece of malware that has been detected by the security solution. |
+| malware_url_path | string | It refers to the path of a URL that is associated with malicious activity or a threat. |
+| manager | string | It refer to an individual or department in charge of a particular area or project. |
+| manager_email | email | |
+| manager_name | string | It is used to identify the name of an individual or entity that is responsible for overseeing a particular resource or asset. |
+| mbps | string | It refers to megabits per second, which is a measure of data transfer rate. |
+| meeting_duration | string | It is a field that indicates the length of time a Zoom meeting lasted for. |
+| meeting_host_id | string | The ID given to the user acting as host of the web conference meeting. |
+| meeting_name | string | The name of the web meeting. |
+| meeting_number | string | It refers to a unique identifier assigned to each Zoom meeting, which is generated when the meeting is scheduled or started. |
+| meeting_timezone | string | It refers to the time zone that is set for a particular Zoom meeting. |
+| meeting_topic | string | It refers to the subject or title of a virtual meeting or conference. |
+| meeting_type | string | It refers to the type of Zoom meeting being held. |
+| member | string | In groups and similar organizational units, the member represents the full name of an identity that’s contained in them. |
+| member_id | string | |
+| members | array | It refers to the users or groups that are part of an organization or a specific application or resource in Okta. |
+| memory_address | string | |
+| memory_protection | string | |
+| memory_size | string | |
+| message_id | string | A unique identifier of a communication message. |
+| method | string | Used in HTTP to describe the method of the web request. E.g GET, POST… |
+| mfa | string | It is a security process that requires a user to provide two or more authentication factors to verify their identity and access a resource. |
+| mime | string | Typically in web-access events, the media type of the content, e.g. text, audio/mpeg |
+| miscellaneous | string | It could refer to a category or field in log data that contains information that does not fit into a more specific category. |
+| missed_bytes | number | Indicates the number of bytes missed in content gaps, which is representative of packet loss. |
+| mitre_labels | array | It refer to the specific MITRE ATT&CK techniques and tactics used in a particular security incident. |
+| mobile_version | string | |
+| modified_keys | array | It refer to the modification of keys in a cryptographic context, such as encryption keys or access keys. |
+| module_hash_names | array | It refers to a specific configuration or data structure within a Cisco product. |
+| monitoring_plan | string | It refer to a plan for monitoring and auditing IT systems and infrastructure for compliance with regulations, best practices, and organizational policies. |
+| more_info | string | |
+| msg_id | string | It refers to a message identifier used in Inter-Process Communication (IPC) mechanisms such as System V message queues. |
+| name_at | string | |
+| nas_ip_address | ipv4/ipv6 | It is used in the context of Remote Authentication Dial-In User Service (RADIUS), which is a protocol used to provide centralized authentication. |
+| native_file_system | string | It is a custom file system specifically designed for processing and storing large amounts of network data. |
+| network | string | The name of the network that was accessed in the event. |
+| network_app | string | It is used to refer to an application or service running on a network. |
+| new_attribute | string | It refer to a new attribute or field that has been added to a data structure or configuration in a Symantec product. |
+| new_enrollment | string | It refer to a new process of enrolling a device or user into a Cisco security solution. |
+| new_file_name | string | |
+| new_hash | string | It refer to a new hash value, which is a unique digital fingerprint of a file, document, or other digital content. |
+| new_host | string | |
+| new_ip | ipv4/ipv6 | |
+| new_multiattach | string | |
+| new_password | string | The new/latest password required to enter a web conference meeting |
+| new_size | number | |
+| new_user_name | string | It refers to a new username that has been created for a user account. |
+| new_value | string | |
+| num_external_recipients | integer | The amount of external (out of the organization) recipients that the communication message was sent to. |
+| num_internal_recipients | integer | The amount of internal (in the organization) recipients that the communication message was sent to. |
+| num_pages | integer | The amount of pages printed. |
+| num_recipients | integer | The amount of recipients the communication message was sent to. |
+| object | string | When representing a generic/unknown entity, the object is the full path of the entity. |
+| object_class | string | It refers to a class of objects that are used to manage system resources. |
+| object_dn | string | It is a unique identifier for an object in the Active Directory, and it is used to locate and manage the object. |
+| object_handle | string | |
+| object_id | string | When representing a generic/unknown entity, this represents the unique identifier of the entity. |
+| object_name | string | When representing a generic/unknown entity, this represents the name of the entity. |
+| object_ou | string | It is a container object in the Active Directory that is used to organize and manage other objects. |
+| object_server | string | An object server is a software component that provides objects for use by other components in the network. |
+| object_type | string | When representing a generic/unknown entity, this represents the type of the entity. |
+| occured_time | datetime | It refers to the time at which a specific event or security incident took place. |
+| old_attribute | string | The attribute before it was changed |
+| old_file_name | string | The old file name before it was rename |
+| old_hash | hexadecimal | It refer to the hash value of a file before it was updated or changed. |
+| old_multiattach | string | |
+| old_password | string | The old/previous password required to enter a web conference meeting. |
+| old_size | number | |
+| old_user_name | string | It refers to a old username that has been used for a user account. |
+| old_value | string | It refers to a previous value or setting of some attribute or configuration in a virtual machine or virtual infrastructure. |
+| opcode | string | It refers to a machine-level instruction or operation code that is executed by the processor. |
+| operation | string | The activity that was recorded in the event. |
+| operation_details | string | Additional information about the activity that could add context when reviewing the event in the UI. |
+| operation_first | string | It refers to a concept in auditing or logging where the first operation performed by a user or process is recorded. |
+| operation_id | string | It refers to a unique identifier assigned to a specific operation or request. |
+| operation_last | string | It refers to a concept in auditing or logging where the last operation performed by a user or process is recorded. |
+| operation_name | string | It refers to the name or description of a specific operation performed within the Azure platform. |
+| operation_type | string | The classification/type of the operation. |
+| operation_version | string | It refers to a version number or identifier assigned to a specific operation performed within the Azure platform. |
+| operator_name | string | It refers to the name of the user who performed an action within the platform. |
+| order_num | string | It is used to track and identify specific orders within a system, and can be used for purposes such as tracking, auditing, and reporting. |
+| orig_bytes | number | It refers to the number of bytes of data in the original or incoming direction of a network connection or communication. |
+| orig_cc | string | It refers to the two-letter country code of the originator of a network connection or communication. |
+| orig_filenames | string | It refers to the names of files that are being sent or received in the original or incoming direction of a network connection or communication. |
+| orig_pkts | string | It refers to the number of packets in the original or incoming direction of a network connection or communication. |
+| origin_ip | ipv4/ipv6 | It refers to the IP address of the originator of a network connection or communication. |
+| origin_name | string | It refers to the name of the originator of a network connection or communication. |
+| origin_response_status | string | It refers to the status code of the response received from the origin server during a network communication. |
+| original_risk_score | number | It refers to an initial assessment of the risk or threat level associated with a particular event, action, or activity. |
+| original_user | string | |
+| os | string | The operating system of the device taking the action |
+| os_admin | string | It refers to the administrator account associated with the operating system (OS) of a virtual machine (VM) or other computing resource in the Azure cloud platform. |
+| os_environment | string | It refers to the OS environment of a computer or network device, including information about the version, type, and configuration of the OS and related software. |
+| os_revision | string | It refers to the version or revision number of the operating system (OS) being used by a device or computer. |
+| os_type | string | The type of the device’s operating system. |
+| os_version | string | The version number of the device’s operating system. |
+| outcome | string | Represents the outcome context element. |
+| outzone | string | It refers to a security zone in a network that is outside of the trusted security perimeter and is considered to be less secure than other zones |
+| overflow_bytes | number | It refers to the number of bytes of data that are discarded due to buffer overflow. |
+| owned_user | string | |
+| owner_id | string | |
+| packet_rate | string | It refers to the rate at which packets are being transmitted across a network. |
+| packets | integer | Number of total packets in a network connection. |
+| packets_in | integer | Number of ingress packets in a network connection. |
+| packets_out | integer | Number of egress packets in a network connection. |
+| page_count | integer | It refers to the number of pages in an electronic document or file. |
+| parent_hash_sha256 | hexadecimal | |
+| parent_md5hash | hexadecimal | It refers to a unique identifier used to track the relationship between parent and child processes in a computer system. |
+| parent_process | string | It refers to the process that spawned or created another process in a computer system. |
+| parent_process_command_line | string | The full command line of the parent process. |
+| parent_process_dir | string | The directory of the parent process, without the process name. |
+| parent_process_guid | string | The unique global identifier assigned to the parent process. |
+| parent_process_hash | hexadecimal | It refers to a unique identifier that is assigned to a parent process running on a computer. |
+| parent_process_id | string | The process ID of the parent process. |
+| parent_process_name | string | The process name of the parent process, without the path. |
+| parent_process_path | string | The full path of the parent process. |
+| path | string | It refer to the location or file path of a specific configuration or log file within an application. |
+| payload_printable | string | It refers to the human-readable representation of the payload in a network communication or a malware file. |
+| peer_gateway | string | It is the remote endpoint of a VPN tunnel and is used to securely connect two separate network segments over the internet. |
+| permission | string | It refers to the set of rules that govern access to files, directories, and other resources. |
+| permissions | string | |
+| phishing_score | string | It refers to a score assigned to a detected email based on the likelihood that it is a phishing attempt. |
+| platform | string | Represents the platform context element. |
+| playbook_files | string | |
+| policies | string | It refers to a set of rules and configurations that define how resources should be managed within an organization. |
+| policy | string | |
+| policy_arn | string | It refers to the Amazon Resource Name (ARN) of an AWS Identity and Access Management (IAM) policy. |
+| policy_bindings | string | It refers to the set of policies that are associated with a resource in Google Cloud Platform. |
+| policy_changes | string | |
+| policy_content | string | It contain the JSON text of a policy, which is a set of statements that specify the actions that are allowed or denied for a particular user, group, or role. |
+| policy_delta | string | It refers to a change made to a specific policy. |
+| policy_id | string | It refers to a unique identifier assigned to a specific security policy. |
+| policy_name | string | The name of the policy document. |
+| policy_runtime | string | It refers to the set of security policies that are being enforced at a given time on a particular device or network. |
+| policy_version_id | string | It refers to the unique identifier for a specific version of an AWS identity and Access Management (IAM) policy. |
+| primary_key | string | It is a unique identifier assigned to each process, binary, or file that is captured and analyzed by the platform. |
+| principal_id | string | It refers to a unique identifier for an AWS identity, such as an AWS account root user, an IAM user, or a federated user. |
+| principal_name | string | It refers to the name associated with a specific user, group or service that is granted access to a computer system, network, or application. |
+| principal_type | string | It is a term used to refer to the type of entity that performed an action. |
+| printer_id | string | The identifier of the printer device. |
+| printer_name | string | The name of the printer device. |
+| printer_port | integer | |
+| printer_sn | string | Ther serial number of the printer device. |
+| printer_type | string | The type of the printer |
+| priority | string | level of urgency |
+| private_cookie | string | It refers to a cookie that is not shared with third-party domains, and is stored in a user's web browser for a specific website. |
+| private_ip | ipv4/ipv6 | It refers to an IP address that is assigned to a device within a private network and is not reachable from the Internet. |
+| privileges | array | All the privileges given on an object, e.g. SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege. |
+| process | string | The path of executed process |
+| process_command_line | string | The command line of the event’s process. |
+| process_dir | string | The directory (without the name) of the event’s process. |
+| process_guid | string | The graphical unique identifier of the event’s process. |
+| process_hash | hexadecimal | It refers to a unique identifier that is assigned to a process running on a computer. |
+| process_id | hexadecimal | The PID of the event’s process. |
+| process_integrity | string | It refers to the level of trust associated with a process. |
+| process_name | string | The name of the event’s process. |
+| process_owner | string | The user that owned the process. |
+| process_path | string | The full path (directory and name) of the event’s process. |
+| process_permission | string | |
+| process_type | string | It refers to the classification or categorization of a process based on its type, behavior, or characteristics. |
+| process_vendor | string | It refers to the company or organization that developed the process that is being monitored. |
+| processing_end_time | datetime | It refers to the time when the processing of a particular operation, task, or process within the Azure environment is completed |
+| product | string | The product context element. |
+| product_category | string | The product category context element. |
+| product_name | string | It refers to the name of a specific product offered by the company. |
+| profile | string | It refers to a group of configuration settings and policies that are applied to a particular type of network traffic, such as web, email, or VPN traffic. |
+| profiles | array | It refers to the configuration settings that specify the behavior of an iOS or macOS app or framework. |
+| project_id | string | It is a unique identifier for a project. It is used to organize resources and associate them with a specific project. |
+| properties | string | It refers to the specific characteristics, features, or attributes of an object, such as a file, folder, device, or system component. |
+| protection_name | string | It refers to the name assigned to a security policy or rule that is implemented to protect the network from specific threats or attacks. |
+| protection_type | string | It refers to the type of security protection provided by a particular security solution or feature. |
+| protocol | string | The network protocol the event used, e.g. DNS, TCP, HTTP. |
+| provider_name | string | It is used to refer to the name of the software or service that provides a specific log event. |
+| proxied | string | It refers to network traffic that is being passed through a proxy server. |
+| proxy_action | string | In http communication events, the way the proxy identifies the request, e.g. TCP_MISS, TCP_HIT. |
+| proxy_ip | ipv4/ipv6 | It indicate the IP address of the proxy server through which the web traffic is flowing. |
+| qclass | string | It is a term used to describe a field in the DNS protocol that specifies the class of a query. |
+| qclass_name | string | The query class defines the type of data being queried, such as Internet address (IN), Chaosnet (CH), or Hesiod (HS). |
+| query | string | It refer to a request for information, data or content from a network or device. |
+| query_id | string | Identifier of a query. |
+| query_string | string | It refers to the part of a URL that contains data to be passed to a web application or a resource, after the ? symbol. |
+| radius_flow_type | string | It refers to the type of RADIUS flow, which is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for remote access to a network. |
+| rcptto | string | It refers to the recipient's email address to which the email message is being sent. |
+| readonly | string | A resource with readonly permission can only be viewed and not modified. |
+| realm | string | Name of the VPN realm |
+| recipient | email | It refers to the person or entity who receives an email, file, message, or other information in a service or application. |
+| recipient_count | integer | It refers to the total number of recipients associated with an email, document, or other file. |
+| recipients | array | It refers to the individuals or groups that a message or piece of content is addressed to. |
+| record_type | string | It refers to the type of record stored in a file system. |
+| recorded_time | datetime | |
+| redirect_url | string | |
+| referrer | string | In HTTP communication the url that referred to the current site. |
+| region | string | It refers to a geographical area, where one or more data centers are located, that is designed to provide low latency and high throughput network connections. |
+| registration_no | string | It refers to a unique identification number assigned to a device or product upon its registration with the system. |
+| registry_details | string | The details of the registry object. |
+| registry_details_type | string | The details type of the registry object. |
+| registry_hive | string | The hive of the registry object. |
+| registry_key | string | The registry key in the activity. |
+| registry_path | string | The full path to the registry object. |
+| registry_value | string | The value of the registry object. |
+| relying_party_id | string | It refers to a unique identifier assigned to a relying party in a security token service (STS) system. |
+| remediation_steps | string | It refers to the actions that need to be taken to resolve an issue or address a vulnerability. |
+| remote_location_city | string | It is a field that represents the city of the remote location in a network connection. |
+| remote_location_country_code | string | It refers to the two-letter country code of the remote location of a network communication or activity. |
+| remote_location_latitude | string | It is a field that represents the latitude of the remote location from where a network connection was initiated. |
+| remote_location_longitude | string | It refers to the longitude coordinate of the remote location. |
+| remote_location_region | string | It refers to the region information of a remote host based on its location, as determined by the IP address. |
+| removable_media_bus_type | string | It refers to the type of bus interface used by a removable storage device, such as USB, FireWire, or SCSI. |
+| removable_media_capacity | string | It refers to the amount of storage space available on a removable media device. |
+| removable_media_media_name | string | It refers to the name or label assigned to a removable storage device. |
+| removable_media_name | string | It is the name of a removable media device, that has been connected to a computer being monitored by Code42. |
+| removable_media_partition_id | string | It refers to a unique identifier assigned to a specific partition on a removable storage device. |
+| removable_media_serial_number | string | It is an unique identifier for a removable media device |
+| removable_media_vendor | string | It is a term used to describe the manufacturer or vendor of a removable media device. |
+| removable_media_volume_name | string | It refers to the name assigned to a specific partition on a removable storage device. |
+| removed_member | string | It refers to a user who has been removed from a group or an organization. |
+| removed_member_type | string | It refers to the type of a removed member (user, group, etc.) from a specific resource. |
+| removed_permissions | array | The permissions that were previously granted to an individual or group have been revoked or removed. |
+| removed_role | string | It refers to a role that was previously assigned to a user or group, but has since been removed. |
+| removed_role_name | string | It refers to the name of a specific role that has been removed or revoked from a user or group. |
+| removed_users | array | |
+| reply_to | array | It refers to the IP address or domain name that a server should direct replies to a specific communication to. |
+| report | string | |
+| reporter | string | It refers to the source of the log or event data that is being analyzed. |
+| repository_name | string | |
+| request_binding | string | It is a security concept related to the process of binding authentication data to the request that is sent between a client and a server. |
+| request_cookie | string | It refers to a piece of data that is stored on the client side and sent to the server in subsequent requests. |
+| request_type | string | It is one of the properties of the event that provides information about the type of request made by the client. |
+| requested_app | string | It refers to the application or resource that a user is attempting to access. |
+| requested_app_id | string | It refers to a unique identifier assigned to a specific application or resource that the user is trying to access. |
+| resource | string | Typically in app-activity activity-type, this is a property of the object the action is taken on. For example, if a user A gives user B permissions on directory C, B would be parsed as object and C as resource. |
+| resource_group | string | It is a logical container for grouping related resources. |
+| resource_id | string | It is a unique identifier for a specific resource. |
+| resource_name | string | The resource name is typically assigned by the user when the resource is created and it can be used to identify the resource in various services |
+| resource_path | string | It refers to the location of a resource within the Azure environment. |
+| resource_type | string | It refers to the type or category of a specific resource |
+| resp_bytes | number | It is a field that represents the size of a response packet in bytes. |
+| resp_cc | string | It is a field that represents the country code of the origin of a response packet. |
+| resp_pkts | integer | It is a field that represents the number of response packets sent in response to a network request. |
+| response | string | It refers to the information that is returned in response to a request or command. |
+| response_size | number | It refers to the size of the response that is sent from a server to a client in bytes. |
+| response_time | datetime | |
+| response_ttl | string | It refers to the Time-To-Live (TTL) value that is associated with a response packet. |
+| restrict_public_buckets | string | |
+| result | string | Describes the result of an event's occurrence as parsed (succeeded, failed...) |
+| result_at | string | |
+| result_code | string | A code indicating the outcome of an activity, e.g. 0x0, 0x1F, success. |
+| result_reason | string | A description of why this result was given. |
+| return_path | string | The return path of an email message. This may or may not be identical to the sender. |
+| risk_level | number | It refers to a security risk rating that is assigned to network traffic based on its content and behavior. |
+| role | string | It refers to a set of permissions and responsibilities assigned to a user or group of users in order to manage and control access to network resources and configurations. |
+| role_arn | string | It is the Amazon Resource Name (ARN) of an AWS Identity and Access Management (IAM) role. |
+| role_definition | string | It is a blueprint that outlines the specific permissions and actions that can be performed by a role. |
+| role_definition_id | string | It is a unique identifier for a role definition. |
+| role_id | string | |
+| role_name | string | |
+| role_permissions | array | It refer to the set of actions and operations that can be performed by a user with a specific role. |
+| role_type | string | |
+| router_ip_flow | string | It is a type of data source used to collect and analyze network flow data. |
+| router_subnet | string | It is a segment of a network that is assigned to a specific router. |
+| rtt | string | It stands for Round-Trip Time and is a measurement of the time it takes for a packet to travel from its source to its destination and back. |
+| rule | string | It is a set of criteria and actions used to control network traffic. |
+| rule_action | string | It is a term used to describe the action that is taken when a specific security rule is triggered. |
+| rule_count | number | It refers to the total number of security rules defined in a firewall policy. |
+| rule_id | string | It refers to a unique identifier assigned to each security rule defined in a firewall policy. |
+| rule_reason | string | It refers to the reason or justification for why a particular security rule was triggered. |
+| rule_severity | string | It refers to the level of importance or criticality assigned to a particular security rule. |
+| rule_uid | string | It is a unique identifier assigned to each security rule in the firewall policy. |
+| run_level | string | It refers to the state or configuration level at which the operating system operates, and is used to manage the behavior and accessibility of the system. |
+| safe_name | string | It is a unique identifier assigned to each Safe (secure repository), which is used to distinguish and organize different Safes within the platform. |
+| safe_value | string | The name of the safe in which the password is stored |
+| scan_id | string | It refers to a unique identifier assigned to a security scan, such as a vulnerability scan or a web application security scan. |
+| scan_type | string | The type of the scan the product did. |
+| schema_name | string | It refers to the name given to a particular organization of database objects in a database management system, such as Microsoft SQL Server. |
+| schema_version | string | It refers to a version number assigned to a particular organization or structure of database objects in a database management system. |
+| secondary_key | string | It refers to a supplementary key or password used in addition to a primary key to provide an additional layer of security. |
+| secret | string | |
+| secured | string | It refers to a feature or setting within the platform that provides security and protection for stored data. |
+| security_group | string | |
+| see_also | string | It refers to a feature or functionality in cyber exposure platform that allows users to access additional resources or related information. |
+| selected_hash_sha256 | hexadecimal | It is used to identify the specific hash algorithm used to calculate the SHA256 hash value of a file or piece of software. |
+| selected_md5hash | hexadecimal | It is used to identify the specific hash algorithm used to calculate the MD5 hash value of a file or piece of software. |
+| sender | email | It is used to identify the source of the email and can be used to filter or categorize incoming email messages. |
+| sense_score | string | It refers to a metric used in the IBM Watson Discovery service to measure the relevance of a document or piece of content to a particular query. |
+| sense_value | string | It refers to a value assigned to a specific security event based on the level of risk it poses to the organization. |
+| sensor | string | It refers to a software component that is installed on a network to collect and analyze security-related data, such as network traffic and logs, in real-time to detect and prevent cyber-attacks. |
+| sensor_id | string | It refers to a unique identifier assigned to each endpoint device that has the agent installed. |
+| sensor_name | string | It refers to the unique identifier given to a specific instance of a network security device or system within a network. |
+| seq_num | number | It is a numerical identifier of the specific packet within a larger set of data, typically used in network security systems. |
+| sequence | string | It refers to the order in which packets are processed by the firewall. |
+| serial_num | string | It is a unique identifier assigned to a product by the manufacturer. |
+| server | string | A server is a device to centralize resources and provide centralized management, which can make it easier for administrators to manage and maintain their networks. |
+| server_group | string | In some database solutions (e.g. MS SQL), a server group is a way to organize connections to servers and databases. |
+| server_name | string | The server name the activity operated in |
+| server_ssh_version | string | It is a string value that represents the version of the SSH (Secure Shell) protocol that the server is running. |
+| server_version | string | It refers to a string that identifies the version of software or operating system that is running on a server. |
+| service_command_line | string | It refers to the command line arguments or parameters used to start, stop, or manage Windows services. |
+| service_id | string | Service found for the connection (by the destination port). |
+| service_name | string | The service name the activity operated on |
+| service_start_type | string | It is used by the service installer to indicate whether the new service should be disabled or start automatically or started manually by a user or application. |
+| service_state | string | They are used to determine when event handlers are executed and when notifications are initially sent out. |
+| service_type | string | It specifies the type of service and determines how the service operates, such as whether it runs in the background or interacts with the user interface. |
+| session_arn | string | The Session ARN (Amazon Resource Name) is a unique identifier that represents a session in the AWS Management Console. |
+| session_day | string | It refers to a field in a log or report that indicates the day of a network session. |
+| session_duration | string | It refers to a field in a log or report that indicates the length of time a network session was active. |
+| session_end | string | |
+| session_expiration | string | It refers to the time at which a session will expire and be terminated. |
+| session_hour | string | It refers to a field in a log or report that indicates the hour of a network session. |
+| session_id | string | Unique identifier of a vpn or network connection session. |
+| session_min | string | It refers to a field in a log or report that indicates the minute of a network session. |
+| session_name | string | It refers to an optional parameter that can be provided when creating a session. |
+| session_sec | string | It refers to a field in a log or report that indicates the second of a network session. |
+| session_start | datetime | |
+| session_tag | string | |
+| set_as_defualt | string | It refers to an option that can be used to set a specific profile as the default profile for a user. |
+| severity | string | It refers to a field in a log or report that indicates the level of importance or criticality of a security event or threat. |
+| sha | hexadecimal | It refers to the Secure Hash Algorithm, a family of cryptographic hash functions that are widely used for digital signatures. |
+| share_name | string | The name of the accessed network share, e.g. IPC$, SYSVOL |
+| share_path | string | The full path of a network share, e.g. D://SYSVOL_DFSR//sysvol |
+| share_type | string | It refers to a field in a log or report that indicates the type of a network share. |
+| shared | string | Indication if the file was shared. |
+| shared_with | string | It refers to a field in a log or report that indicates the recipients or users with whom a file or resource has been shared. |
+| shared_with_at | string | It refers to a field in a log or report that indicates the date and time when a file or resource was shared with specific recipients. |
+| sid_domain | string | It refers to the domain component of a SID, which identifies the domain in which the security principal is defined. |
+| sid_history | string | It refers to a feature that allows the SID of a user or group account to be preserved when the account is migrated from one domain to another. |
+| site_at | string | It refers to a field in a log or report that indicates the location or site at which a specific security event or activity occurred. |
+| site_id | string | In physical access events, the ID of the physical location. |
+| site_name | string | In physical access events, the name of the physical location. |
+| site_state | string | In physical access events, the state of the physical location. E.g NY. |
+| smartdefense_profile | string | It refers to a configuration setting in Check Point software that defines the level of protection for a specific security policy or rule. |
+| source_connection_id | string | It refers to a log or report entry that provides information about a specific connection, such as the identity of the client device. |
+| spam_score | string | It refers to a numerical value assigned to an email message, indicating the likelihood that the message is spam or unwanted. |
+| sql_count | integer | The number of entries affected by a database operation |
+| src_bucket_arn | string | |
+| src_country | string | The country of the machine from which the activity originated. |
+| src_country_code | string | The country code of the machine from which the activity originated. |
+| src_domain | string | It refers to the source domain of a network connection or event. |
+| src_ds_object_dn | string | The full distinguished name of the source directory service object. |
+| src_ds_object_name | string | The name of the source directory service object |
+| src_ds_object_ou | string | The organizational unit of the source directory service object. |
+| src_email_folder | string | |
+| src_file_arn | string | |
+| src_file_dir | string | The directory of the source file, not including the name. |
+| src_file_ext | string | The source file extension. If the file name is myfile.txt, src_file_ext will be txt |
+| src_file_name | string | The name of the source file, not including the path. |
+| src_file_path | string | The full path of the source file. |
+| src_fqdn | string | The fully qualified domain name (FQDN) refers to a log or report entry that provides information about the source of a connection, such as the hostname and domain name of the device that initiated the connection. |
+| src_group_name | string | |
+| src_host | string | The name of the machine from which the activity originated. |
+| src_host_type | string | It refers to the type of the source host involved in a network connection or event. |
+| src_interface | string | Name of the interface associated with the connection origination |
+| src_ip | ipv4/ipv6 | The IP of the machine from which the activity originated. |
+| src_ipv6 | ipv4/ipv6 | |
+| src_location | string | It refers to the location of the source host involved in a network connection or event. |
+| src_location_area | string | |
+| src_location_door_id | string | |
+| src_location_full | string | |
+| src_location_id | string | It refers to a unique identifier for the location of the source host involved in a network connection or event. |
+| src_mac | string | The source endpoint MAC address. |
+| src_net_status | string | It refers to the status of the source network involved in a network connection or event. |
+| src_network | string | It refers to a log or report entry that provides information about the source network, such as its IP address range, subnet, or hostname. |
+| src_network_zone | string | It refers to the network security zone associated with the source network in a network connection. |
+| src_password | string | |
+| src_port | integer | The source port used in the network communication. |
+| src_process_dir | string | The directory of the process that did the activity. |
+| src_process_id | string | The identifier of the process that did the activity. |
+| src_process_name | string | The name of the process that did the activity. |
+| src_process_path | string | The path of the process that did the activity. |
+| src_resource | string | |
+| src_resource_type | string | |
+| src_role | string | |
+| src_translated_host | string | It refers to a log that provides information about the translated source host, which may be different from the actual source host. |
+| src_translated_ip | ipv4/ipv6 | In NAT situations, the internal assigned IP. This is different from the src_ip which would be the external facing IP. For example, in a VPN connection src_ip is the external, internet routable IP, while src_translated_ip is the internal address assigned to the vpn connection. |
+| src_translated_ipnum | string | It refers to a log or report entry that provides information about the translated source IP address, which may be different from the actual source IP address due to NAT or PAT. |
+| src_translated_port | integer | It refers to the translated source port in a network connection or event. |
+| src_user | string | It refers to the source user or the user who initiated a particular action or event. |
+| src_zen_code | string | |
+| src_zone | string | It refers to a log or report entry that provides information about the security zone from which a particular network event or traffic flow originated. |
+| src_zone_name | string | It provides information about the source security zone associated with a particular network event, such as the name of the security zone. |
+| ssid | string | The Service Set Identifier (network name) the activity was on. |
+| ssno | string | It refer to the unique 9-digit identification number assigned by the Social Security Administration (SSA) to U.S. citizens and residents for tracking purposes. |
+| state | string | It refer to various aspects of system or program behavior, configuration, or status. |
+| status_msg | string | It is a message that provides information about the status or outcome of an operation or request. |
+| storage_account | string | It is a type of account that provides a scalable and secure data storage solution for unstructured data, such as blobs, files, queues, and tables. |
+| sub_category | string | A subcategory of the log. |
+| sub_domain | string | It is a field that represents the sub-domain portion of a fully qualified domain name (FQDN). |
+| sub_status | string | It refers to the status of a sub-component or sub-process within a larger security system or process. |
+| subject | string | |
+| subnetwork | string | A subnetwork (also known as a subnet) is a portion of a larger network that is divided for the purposes of network organization and management. |
+| subscription_id | string | The subscription ID is a unique alphanumeric string that identifies your product subscription. |
+| subtype | string | |
+| suid | string | SUID (Set User ID) is a Linux permission attribute for executable files that allows a user to execute the file with the permissions of its owner. |
+| sync_destination | string | It refers to the location to which data is being synced or backed up. |
+| syscall | string | A syscall is a system call, which is a request to the operating system's kernel to provide a specific service, such as allocating memory or creating a process. |
+| system_manufacturer | string | It refers to the manufacturer of a device or computer system. |
+| system_type | string | It refers to the classification of a device as a router, switch, firewall, or other network device. |
+| tab_title | string | It is a term used in the security platform to refer to the title or label of a tab in a user interface. |
+| tab_url | string | It refers to the URL of the web page that was open in a web browser tab during the time a file was being accessed. |
+| table | string | It refers to the name of a database table. |
+| table_name | string | It refers to the name of a database table. |
+| tag | string | It refers to a metadata label or keyword assigned to an object or resource to categorize, group, or identify it. |
+| tags | array | Tags are a metadata label assigned to a network communication or an event. |
+| target | string | The object the activity operated on. |
+| target_domain | string | |
+| target_hash_sha256 | hexadecimal | It refers to a 256-bit Secure Hash Algorithm (SHA-256) that is used to calculate a digital fingerprint or hash value of a target file or system. |
+| target_host | string | The destination endpoint name. |
+| target_md5hash | hexadecimal | It is a field that represents the MD5 hash of a target file in the system. |
+| target_uri | string | It refers to the uniform resource identifier (URI) of the target system, application, or resource that is being accessed |
+| task_id | string | The unique identifier of the schedule task the activity operated on. |
+| task_name | string | The name of the schedule task the activity operated on. |
+| tcp_flags | string | The TCP flags in a tcp communication. |
+| tenant_id | string | It refers to a unique identifier for a tenant in a multi-tenant architecture, such as in Microsoft's cloud platform, Azure Active Directory. |
+| terminal | string | It is a text-based interface, or a graphical user interface, and is used to submit SQL commands, view data, and perform various other database-related operations. |
+| thread_id | string | It refers to a unique identifier assigned to a process or a set of processes running in an operating system. |
+| threat_category | string | The category of the threat the product detected, as dictated by the vendor. |
+| threat_handled | string | It refers to an event, action or measure taken by a security system to mitigate or eliminate a detected threat. |
+| threat_id | string | The identifier of the threat the product detected, as dictated by the vendor. |
+| threat_level | string | It refers to a classification of a potential security threat, which determines the severity or urgency of the threat. |
+| threat_type | string | It refers to the category of a detected threat. |
+| threat_url | string | It refers to the URL or web link that is suspected of hosting malicious content, such as phishing scams or malware downloads. |
+| ticket_encryption_type | string | It refers to the encryption algorithm used to encrypt the security tickets used in authentication between client and server. |
+| ticket_options | string | It refers to specific settings or flags that are associated with a Kerberos ticket. |
+| time | datetime | The time in which the activity occurred. |
+| time_created | datetime | The time the file was created. |
+| time_modified | datetime | The last time the file modified. |
+| time_taken | number | It refers to the amount of time required for a process or operation to complete. |
+| timedout | string | It refers to whether or not a connection has timed out. |
+| token_issuer_type | string | It refers to the type of security token issuer that is used to generate the token. |
+| top_domain | string | The domain without the subdomain. E.g. in www.exabeam.com, exabeam.com would be parsed in this field |
+| tracking_id | string | is a unique identifier used to track and associate related events and transactions within the system. |
+| traffic_type | string | |
+| trans_depth | string | This field allows to track the different layers of protocol encoding used in a network connection. |
+| trans_id | string | It refers to the unique identifier assigned to a particular transaction (communication between two endpoints) being monitored. |
+| transaction | string | A transaction is a specific set of tasks or operations that are performed in the system to achieve a specific goal, such as creating a new customer or updating an existing one. |
+| transaction_id | string | It refers to a unique identifier assigned to a specific transaction or group of related transactions in a system. |
+| transistive_tags | array | |
+| trigger_entity | string | It refers to an event, alert, or indicator that triggers an investigation or response action within the security information and event management (SIEM) system. |
+| trigger_time | datetime | It refers to the time when a particular event or action in the system was triggered or initiated. |
+| trigger_type | string | It refers to the type of event or activity that initiates an action or response within the security platform. |
+| triggers | string | It refer to a set of rules or conditions that initiate a specific action when met. |
+| tunnel_parents | string | It refers to the parent sessions or connections in which the current session is encapsulated within, forming a tunnel. |
+| tunnel_protocol | string | It refers to the protocol used to encapsulate the original network traffic, which is often encrypted and transmitted over another network. |
+| udid | string | It refers to the Unique Device Identifier, a code that identifies a specific device in the Cisco system. |
+| uri | string | The full URI of the web page. |
+| uri_path | string | The URI path of the web page. |
+| uri_query | string | The query in a URI in of a web page. |
+| url | string | The URL of a web page. |
+| usb_serial_number | string | It refers to the unique identifier of a USB device connected to a computer. |
+| usb_vendor | string | It refers to the identifier of the vendor of a USB device. |
+| rule_usecases | array | It refers to the specific use cases that a security rule is intended to address. |
+| user | string | The user name of the user that did the activity. |
+| user_agent | string | The user-agent in a web activity. |
+| user_arn | string | It refers to the Amazon Resource Name (ARN) of a user. |
+| user_dn | string | It refers to the distinguished name (DN) of a user. |
+| user_group_name | string | The groups the user belongs to. |
+| user_id | string | The generic unique identifier of the user. |
+| user_info | string | It refers to information about a specific user, such as their name, username, and other relevant details. |
+| user_ou | string | The directory service organizational unit of the user. |
+| user_sid | string | The SID (Security Identifier) of the user. |
+| user_type | string | The type of the user. |
+| user_uid | string | It refers to a unique identifier assigned to a user account. |
+| user_uids | string | It is a field that represents the unique identifier for a user. |
+| user_upn | string | UPN (User Principal Name) is a unique identifier for a user in Microsoft's Active Directory. |
+| userdata | string | |
+| users | array | It refers to the individuals who have access to the security systems and services provided by them, such as firewalls, VPNs, and other security solutions. |
+| vault_entity_id | string | It is a unique identifier for an entity in Vault. |
+| vendor | string | The vendor context element. |
+| vendor_id | string | It is a unique identifier assigned to a vendor. |
+| vendor_name | string | It refers to the name of the manufacturer of the device that is being backed up or monitored. |
+| version | string | The version of the monitoring program. |
+| virtual_station_name | string | It refers to the name assigned to a virtual station (VSTA) in a wireless LAN (WLAN) network. |
+| virus_name | string | It refers to the name assigned to a specific malicious software that has been detected by antivirus software. |
+| vm_host_name | string | |
+| vm_pool_name | string | |
+| vm_size | string | It refers to the size or type of a virtual machine (VM) in terms of the amount of memory, CPU, and storage resources it is allocated. |
+| vm_template_name | string | |
+| volume_device | string | |
+| volume_size | string | |
+| volume_type | string | |
+| volume_zone | string | |
+| vpc | string | It stands for Virtual Private Cloud, it is a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network. |
+| vpn_client | string | It is a secure VPN connection that allows remote workers or third-party contractors to connect to the company's network securely, using their own device. |
+| vpn_client_type | string | It refers to the type of VPN client software that is used to establish a secure connection to a remote network. |
+| wazuh_manager | string | It refers to the central manager component responsible for managing agents, rules, and alerts. |
+| web_domain | string | The full domain with the subdomain. Egs. gmail.google.com. |
+| wifiap | string | It refers to a Wireless Access Point, a device that allows wireless devices to connect to a wired network using Wi-Fi. |
+| workspace_name | string | |
+| zone | string | It refers to a distinct and isolated environment for running applications, processes, and/or services. |
+| zone_id | string | It refers to a unique identifier assigned to a zone in a network. |
+| connection_type | string | It refers to the type of network connection between a device and another device or network. |
+| egress_zone | string | It refers to the security zone from which network traffic exits or is transmitted to an external network. |
+| bootup_safeguard_enabled | boolean | This attribute specifically refers to whether or not the feature is enabled on a given endpoint. |
+| detect | string | It refers to the ability of the software to identify and detect potential security threats or malicious activity on a device or network. |
+| dns_domain | string | It refers to a field that holds the domain name information of a DNS (Domain Name System) request or response. |
+| critical_process_disabled | boolean | It is a security feature that prevents unauthorized changes to key system processes. |
+| bytes_to_client | number | |
+| bytes_to_server | number | |
+| connection_duration | string | It refers to the amount of time a connection between two devices (e.g. network devices, computers, servers, etc.) has been active. |
+| start_time | datetime | It refers to the time that a process or a job was initiated or started to run. |
+| response_type | string | It refers to the type of response received from a device or system when performing an action or issuing a command. |
+| ingress_zone | string | It refers to the network zone through which data enters a network. |
+| grandparent_command_line | string | It refers to the command line of the process that started the parent process of a given process. |
+| grandparent_image_filename | string | It refers to the file name of the image or executable that started the parent process of the current process being monitored. |
+| inddet_mask | string | |
+| indicator | string | It refers to a specific attribute or characteristic of an event, activity, or artifact, which can be used to identify or distinguish malicious behavior. |
+| initiator_packets | string | It refers to the number of packets sent by the initiator of a network connection. |
+| is_incident | string | It refers to a field indicating if an event or log entry represents a security incident or not. |
+| kill_parent | boolean | It refers to an action that terminates the parent process of a detected threat. |
+| kill_process | boolean | It refers to a feature that allows the user to immediately terminate a malicious or suspicious process that has been detected by the platform. |
+| kill_sub_process | boolean | It is a term used to describe the action of terminating a sub-process that is associated with a malicious or suspicious activity. |
+| nap_policy | string | It refer to a policy that specifies the requirements for accessing the network, such as minimum security standards for client computers |
+| nt_domain | string | It is a type of network authentication service used in computer networks to control access to resources and provide centralized administration. |
+| operation_blocked | boolean | It refers to a security feature that blocks or denies specific security-related operations that are deemed potentially suspicious. |
+| parent_image_filename | string | It refers to the name of the executable file of the parent process of a detected activity. |
+| pattern_disposition_description | string | It refers to the human-readable explanation of the outcome of an analysis or detection performed by system. |
+| pkts_toclient | string | It refers to the number of packets sent from the server to the client in a network. |
+| pkts_toserver | string | It is a count of the number of packets from client to server. |
+| policy_disabled | boolean | It refers to a security policy or set of security rules that are temporarily or permanently disabled or inactive. |
+| process_blocked | boolean | It refers to a security alert generated by the platform, indicating that a process has been blocked by the security software. |
+| quarantine_file | boolean | It refers to a file that has been isolated from the rest of the system because it has been identified as potentially harmful. |
+| quarantine_machine | boolean | It refers to the process of isolating a potentially compromised device or machine to prevent further spread of malware. |
+| registry_operation_blocked | boolean | It is a term used to describe when a specific operation in the registry is prevented from executing due to security policy. |
+| reputation | string | It refers to a score assigned to an IP address, URL, or file, indicating the perceived level of risk associated with it. |
+| responder_packets | integer | It refers to the number of packets sent by the responder in a network communication. |
+| rooting | boolean | It refers to the process of gaining privileged access to a computer system or mobile device. |
+| sensor_only | boolean | It indicate that the detection and response was done locally on the device, rather than relying on the cloud-based components. |
+| fs_operation_blocked | boolean | It refers to a security feature that blocks a file system operation (e.g., create, delete, modify, etc.) based on predefined security policies. |
+| domain_join | string | It refers to the process of joining a computer to a domain in a Microsoft Active Directory environment. |
+| dns_response_type | string | It refers to the type of response received from a DNS server. |
+| container_id | string | It refers to a unique identifier assigned to a container in a container orchestration platform, such as Docker. |
+| rule_description | string | It refers to a brief text description of a particular rule that has been configured in a system. |
+| incident_creation_time | datetime | It refers to the time at which an incident was created. |
+| rule_type | string | It refer to a type of security rule or firewall rule that is configured in the security firewall. |
+| scriptblock_text | string | It refers to the text of a PowerShell script block. |
+| script_type | string | |
+| script_name | string | It refers to the name of a script file (e.g. a .bat, .vbs, .ps1, etc.) that is being executed. |
+| logon_type | string | |
+| mfa_device | string | The mfa_device field contain information about the specific MFA device being used, such as its type, serial number, and associated user. |
+| mfa_country | string | It refers to the country from which the user is attempting to access a system. |
+| alert_reason | string | A description of why this alert was given. |
+| command_invocation | string | A command can apply to one or more managed nodes. |
+| domain_user_name | string | Enriched field to define a user entity by combining 'user' and 'domain' fields. |
+| dest_domain_user_name | string | Enriched field to define a user entity by combining 'dest_user' and 'domain' OR 'dest_domain' fields. |
+| account_user_name | string | Enriched field to define a user entity by combining 'account' and 'domain' OR 'account_domain fields. |
+| database_user_name | string | Enriched field to define a user entity by combining 'db_user' and 'db_name' fields. |
+| local_user_name | string | Enriched field to define a user entity by combining 'user' and 'src_host' OR 'platform' fields. |
+| dest_local_user_name | string | Enriched field to define a user entity by combining 'dest_user' and 'src_host' fields. |
+| cid | string | Crowdstrike customer identification |
+| subject_sid | string | The SID (Security Identifier) of the subject, should be use subject is not user. |
+| subscription_code | string | Subscription code of the customer |
+| src_vendor | string | Original vendor for 3rd party alerts and regular events. |
+| src_product | string | Original product for 3rd party alerts and regular events. |
+| rarity_score | integer | Normalized rarity score from BEAM. Value should be between 0 to 100. |
+| rarity_raw_score | integer | Raw score from BEAM. Value should be between 0 to 100 or more. |
+| rarity_percentile | integer | Added by BEAM. Number between 0 to 100. |
+| risk_score | integer | The calculated risk score between 0 and 100. If UP is disabled for the subscription, the risk_score will not be present. |
+| business_criticality | string | Added by UP. Contains the business criticality (Tier1, Tier2, Tier3, N/A) used to assign risk_score. If business_criticality or UP is disabled for the subscription, this will not be present. |
+| observed_activity | string | Added by UP. Contains the observed activity type (Engage, Prepare, Presence, Effect, N/A) used to assign risk_score. If observed_activity or UP is disabled for the subscription, this will not be present. |
+| recoverability | string | Added by UP. Contains (Yes, No, N/A). If recoverability or UP is disabled for the subscription, this will not be present. |
+| event_filter | string | Search query event filter to get all the participating events for this trigger. |
+| event_from_time_millis | datetime | search query event filter start time. |
+| event_to_time_millis | datetime | search query event filter end time. |
+| event_url | string | URL to Search App to query the events associated with this rule trigger |
+| previous_id | string | Point to previous rule trigger id in case of new rule trigger due to late arriving events. |
+| create_case | boolean | Required only for Correlation Rule Engine Events. |
+| case_description | string | Required only when create_case is true. Set by CR. |
+| rule_source | string | BEAM or CR |
+| type | string | In case of security alert, this would be the alert type. in case of correlation rule: use case of the correlation rule |
+| technique_key | string | Technique Key |
+| technique | string | Technique Name |
+| tactic | string | Tactic Name |
+| tactic_key | string | Tactic Key |
+| entity_type | string | Entity type. User, Endpoint, File, Process etc |
+| entity_key | string | The key used for the given entity type in Entity Manager like user_name, email_address etc for User or ip_address, host_name etc for Endpoint |
+| event_field | string | The field in the event that will provide the value for the entity_key. For example for entity_type:Endpoint and entity_key:ip_address the event_field can have a value like src_ip or dest_ip. |
+| field_value | string | This is the value of the event_field in the event that triggered the rule. |
+| rules | json | Empty rules is a valid case. If BEAM is sending update to fix previous false positive rule trigger event then new rule trigger event will have empty rules and entities with zero risks score. |
+| entities | json | If the fields required for entity creation are missing in the event, there will be no entity fields created. This is a valid case. |
\ No newline at end of file
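Review bot: several descriptions in this hunk are garbled or unfinished and should be corrected before merge: `subject_sid` reads "should be use subject is not user" (presumably "should be used when the subject is not a user"), `account_user_name` has an unclosed quote in "'account_domain fields", `uri_query` reads "The query in a URI in of a web page", and the `ssno`, `state`, `triggers`, `nap_policy`, `rule_type` and `sensor_only` rows all say "It refer"/"It indicate". Two field names look like typos (`transistive_tags`, `inddet_mask`), and `dest_local_user_name` is documented as combining 'dest_user' with 'src_host', which reads as if 'dest_host' was meant; please confirm each. Many rows (`src_bucket_arn`, `src_email_folder`, `src_password`, the `vm_*` and `volume_*` fields, `script_type`, `logon_type`, `userdata`, among others) have empty description cells; `src_password` in particular should state whether it can carry a cleartext credential and how it is redacted, and `ssno` should be flagged as PII with its masking expectations, since both will otherwise end up in searchable event storage. Types for counters and flags are inconsistent: `pkts_toclient`, `pkts_toserver` and `initiator_packets` are `string` while `responder_packets` is `integer`, `src_ipv6` is typed `ipv4/ipv6`, and `timedout` and `is_incident` are `string` rather than `boolean`; string-typed counters cannot be compared numerically by rules. Finally, `rule_usecases` and every row from `connection_type` onward break the alphabetical order of the table, and `table` and `table_name` carry identical descriptions.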
diff --git a/MetaFieldsMappings.md b/MetaFieldsMappings.md
new file mode 100644
index 0000000..4d2afa1
--- /dev/null
+++ b/MetaFieldsMappings.md
@@ -0,0 +1,105 @@
+Metadata Field Mapping
+========================
+
+This table maps old metadata field names to New-Scale field names that correspond to the Common Information Model.
+
+| Old Metadata Field Name | New-Scale Metadata Field Name |
+| ----------------------------------- | ------------------------------------- |
+| @host | m_host |
+| @metadata.beat | m_metadata_beat |
+| @metadata.topic | m_metadata_topic |
+| @metadata.type | m_metadata_type |
+| @metadata.version | m_metadata_version |
+| @timestamp | m_timestamp |
+| @version | m_version |
+| agent.ephemeral_id | m_agent_ephemeral_id |
+| agent.hostname | m_agent_hostname |
+| agent.id | m_agent_id |
+| agent.type | m_agent_type |
+| agent.version | m_agent_version |
+| beat_name | m_beat_name |
+| beat_version | m_beat_version |
+| collector_name | m_collector_name |
+| collector_type | m_collector_type |
+| computer_name | m_computer_name |
+| destinationServiceName | m_destinationServiceName |
+| dproc | m_dproc |
+| event.action | m_event_action |
+| event.code | m_event_code |
+| event.created | m_event_created |
+| event.kind | m_event_kind |
+| event.original | m_event_original |
+| event.provider | m_event_provider |
+| event_data.PackageName | m_event_data_PackageName |
+| event_data.Status | m_event_data_Status |
+| event_data.TargetUserName | m_event_data_TargetUserName |
+| event_data.Workstation | m_event_data_Workstation |
+| event_id | m_event_id |
+| exa-message-size | m_exa_message_size |
+| exa_rsc.agent.ephemeral_id | m_exa_rsc_agent_ephemeral_id |
+| exa_rsc.agent.hostname | m_exa_rsc_agent_hostname |
+| exa_rsc.agent.id | m_exa_rsc_agent_id |
+| exa_rsc.agent.type | m_exa_rsc_agent_type |
+| exa_rsc.agent.version | m_exa_rsc_agent_version |
+| exa_rsc.hostname | m_exa_rsc_hostname |
+| exa_rsc.input.type | m_exa_rsc_input_type |
+| exa_rsc.kafka.headers | m_exa_rsc_kafka_headers |
+| exa_rsc.kafka.key | m_exa_rsc_kafka_key |
+| exa_rsc.kafka.offset | m_exa_rsc_kafka_offset |
+| exa_rsc.kafka.partition | m_exa_rsc_kafka_partition |
+| exa_rsc.kafka.topic | m_exa_rsc_kafka_topic |
+| exa_rsc.time_off | m_exa_rsc_time_off |
+| exa_rsc.timestamp | m_exa_rsc_timestamp |
+| exa_rsc.timezone | m_exa_rsc_timezone |
+| exa_sc.collector_name | m_exa_sc_collector_name |
+| exa_sc.collector_type | m_exa_sc_collector_type |
+| exa_sc.hostname | m_exa_sc_hostname |
+| forwarder | m_forwarder |
+| hostname | m_hostname |
+| input.type | m_input_type |
+| keywords | m_keywords |
+| level | m_level |
+| log.file.path | m_log_file_path |
+| log.level | m_log_level |
+| log.name | m_log_name |
+| log.offset | m_log_offset |
+| message | m_message |
+| opcode | m_opcode |
+| path | m_path |
+| port | m_port |
+| provider_guid | m_provider_guid |
+| record.number | m_record_number |
+| source.name | m_source_name |
+| task | m_task |
+| time_off | m_time_off |
+| timezone | m_timezone |
+| type | m_type |
+| winlog.activity_id | m_winlog_activity_id |
+| winlog.api | m_winlog_api |
+| winlog.channel | m_winlog_channel |
+| winlog.computer_name | m_winlog_computer_name |
+| winlog.event_data.Binary | m_winlog_event_data_Binary |
+| winlog.event_data.LogonType | m_winlog_event_data_LogonType |
+| winlog.event_data.PrivilegeList | m_winlog_event_data_PrivilegeList |
+| winlog.event_data.SubjectDomainName | m_winlog_event_data_SubjectDomainName |
+| winlog.event_data.TargetDomainName | m_winlog_event_data_TargetDomainName |
+| winlog.event_data.TargetLogonId | m_winlog_event_data_TargetLogonId |
+| winlog.event_data.TargetUserName | m_winlog_event_data_TargetUserName |
+| winlog.event_data.TargetUserSid | m_winlog_event_data_TargetUserSid |
+| winlog.event_data.lmpackagename | m_winlog_event_data_lmpackagename |
+| winlog.event_data.param1 | m_winlog_event_data_param1 |
+| winlog.event_data.param2 | m_winlog_event_data_param2 |
+| winlog.event_data.param3 | m_winlog_event_data_param3 |
+| winlog.event_id | m_winlog_event_id |
+| winlog.keywords | m_winlog_keywords |
+| winlog.opcode | m_winlog_opcode |
+| winlog.process.pid | m_winlog_process_pid |
+| winlog.process.thread.id | m_winlog_process_thread_id |
+| winlog.provider_guid | m_winlog_provider_guid |
+| winlog.provider_name | m_winlog_provider_name |
+| winlog.record_id | m_winlog_record_id |
+| winlog.task | m_winlog_task |
+| winlog.user.domain | m_winlog_user_domain |
+| winlog.user.identifier | m_winlog_user_identifier |
+| winlog.user.name | m_winlog_user_name |
+| winlog.user.type | m_winlog_user_type |
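Review bot: the intro should state the renaming rule the table embodies (prefix `m_`, replace `.` and `-` with `_`, keep the original case), so readers can derive the New-Scale name of a metadata field that is not listed; every row visible here follows that rule, e.g. `exa-message-size` → `m_exa_message_size` and `winlog.process.thread.id` → `m_winlog_process_thread_id`. Preserving case leaves the new names in mixed style (`m_destinationServiceName`, `m_event_data_PackageName`, `m_winlog_event_data_TargetUserSid` beside `m_winlog_event_data_lmpackagename`); if that is deliberate, say so, and if `lmpackagename` should have been `LmPackageName` please fix it. Consider also stating that the `event_id` / `winlog.event_id` and `hostname` / `exa_rsc.hostname` pairs remain distinct fields after mapping, since the flattened names could otherwise be assumed to merge.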
diff --git a/ParserNamesMatrix.md b/ParserNamesMatrix.md
new file mode 100644
index 0000000..a3fba8b
--- /dev/null
+++ b/ParserNamesMatrix.md
@@ -0,0 +1,8 @@
+ Matrix of Old vs. New Parser Names
+===================================
+
+ Parser names follow a standardized set of conventions that ensure consistency across Exabeam products. For more information, see [Parser Naming Conventions](https://docs.exabeam.com/en/content/all/exabeam-security-content-cim/exabeam-parsers/parser-naming-conventions.html). If you've been using Exabeam products prior to the introduction of this parser-naming convention, consult the alphabetic tables below to find the new name for existing parsers.
+
+| [A](ParsersLegacy/a_parsers.md) | [B](ParsersLegacy/b_parsers.md) | [C](ParsersLegacy/c_parsers.md) | [D](ParsersLegacy/d_parsers.md) | [E](ParsersLegacy/e_parsers.md) | [F](ParsersLegacy/f_parsers.md) | [G](ParsersLegacy/g_parsers.md) | [H](ParsersLegacy/h_parsers.md) | [I](ParsersLegacy/i_parsers.md) | [J](ParsersLegacy/j_parsers.md) | [K](ParsersLegacy/k_parsers.md) | [L](ParsersLegacy/l_parsers.md) | | |
+|:-------------------------------:|:-------------------------------:|:-------------------------------:|:-------------------------------:|:-------------------------------:|:-------------------------------:|:-------------------------------:|:-------------------------------:|:-------------------------------:|:-------------------------------:|:-------------------------------:|:-------------------------------:|:-------------------------------:|:-------------------------------:|
+| [M](ParsersLegacy/m_parsers.md) | [N](ParsersLegacy/n_parsers.md) | [O](ParsersLegacy/o_parsers.md) | [P](ParsersLegacy/p_parsers.md) | [Q](ParsersLegacy/q_parsers.md) | [R](ParsersLegacy/r_parsers.md) | [S](ParsersLegacy/s_parsers.md) | [T](ParsersLegacy/t_parsers.md) | [U](ParsersLegacy/u_parsers.md) | [V](ParsersLegacy/v_parsers.md) | [W](ParsersLegacy/w_parsers.md) | [X](ParsersLegacy/x_parsers.md) | [Y](ParsersLegacy/y_parsers.md) | [Z](ParsersLegacy/z_parsers.md) |
\ No newline at end of file
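Review bot: the heading line and the first paragraph start with a stray leading space (`+ Matrix of Old vs. New Parser Names`, `+ Parser names follow`) while the `===` underline does not; drop the spaces so the setext heading is consistent with the other new files. The text says "consult the alphabetic tables below" but what follows is a grid of links to per-letter pages, so "the alphabetic index below" (or "the linked per-letter tables") would be more accurate. The first table row has only 12 link cells followed by two empty cells against 14 columns in the separator and second row; that renders, but a short note that the grid is only a navigation index would avoid readers expecting entries in the empty cells.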
diff --git a/ParsersLegacy/a_parsers.md b/ParsersLegacy/a_parsers.md
new file mode 100644
index 0000000..799abc5
--- /dev/null
+++ b/ParsersLegacy/a_parsers.md
@@ -0,0 +1,507 @@
+| Old Parser Name | New Parser Name |
+| ----------------------------------------------------- | --------------------------------------------------------------------------------- |
+| abnormal-security-alert | abnormalsecurity-as-json-alert-trigger-success-attacktype |
+| absolute-app-activity | absolute-siemconnector-cef-app-activity-success-deviceuserinformationupdated |
+| absolute-app-activity-1 | absolute-siemconnector-cef-app-activity-success-devicelocationupdated |
+| absolute-app-login | absolute-siemconnector-cef-app-login-success-loggedin |
+| accelion-dlp-alert | accellion-kw-json-alert-trigger-success-httpincident |
+| accelion-kite-app-3 | accellion-kw-json-file-upload-success-addfile |
+| accelion-kite-app-activity-2 | accellion-kw-json-app-activity-success-event |
+| accelion-kite-app-activity-3 | accellion-kw-json-app-activity-success-urlhost |
+| accelion-kite-app-activity-4 | accellion-kw-json-app-activity-success-apphost |
+| accelion-kite-app-activity-5 | accellion-kw-json-app-activity-success-description |
+| accelion-kite-app-activity-6 | accellion-kw-json-file-read-success-event |
+| accelion-kite-app-activity-email-alert | accellion-kw-json-email-send-success-sendemail |
+| accelion-kite-app-admin-login | accellion-kw-json-app-login-success-adminloggedin |
+| accelion-kite-app-delete-draft | accellion-kw-json-app-activity-success-deletedraft |
+| accelion-kite-app-download | accellion-kw-json-file-download-success-description |
+| accelion-kite-app-download-1 | accellion-kw-json-file-download-success-apphost |
+| accelion-kite-app-file-delete | accellion-kw-json-file-delete-success-deletefolderpermanent |
+| accelion-kite-app-file-delete-1 | accellion-kw-json-file-delete-success-deletefolder |
+| accelion-kite-app-file-withdraw | accellion-kw-json-app-activity-success-filewithdrawn |
+| accelion-kite-app-login-1 | accellion-kw-json-app-login-success-userloggedin |
+| accelion-kite-app-network-setting | accellion-kw-json-app-activity-success-networksettings |
+| accelion-kite-app-password-change | accellion-kw-json-user-password-modify-success-updatepassword |
+| accelion-kite-app-reset-password | accelion-kw-json-user-password-reset-fail-resetpassword |
+| accelion-kite-app-setting | accellion-kw-json-app-activity-success-applicationsettingschanged |
+| accelion-kite-app-system | accellion-kw-json-app-activity-success-system |
+| accelion-kite-app-user-delete | accellion-kw-json-app-activity-success-deleteuser |
+| accelion-kite-failed-app-login | accellion-kw-json-app-login-fail-userloginfailed |
+| accessit-badge-access | accessit-universal-json-physical-location-access-success-cardholderlink |
+| ad-audit-2089 | manageengine-adauditplus-kv-app-notification-success-2089 |
+| ad-audit-2887 | manageengine-adauditplus-kv-app-authentication-2887 |
+| ad-audit-4616 | manageengine-adauditplus-kv-endpoint-time-modify-4616 |
+| ad-audit-4624 | microsoft-evsecurity-kv-endpoint-login-success-adaudit-4624 |
+| ad-audit-4625 | microsoft-evsecurity-kv-endpoint-login-fail-adaudit-4625 |
+| ad-audit-4656 | manageengine-adauditplus-kv-handle-request-4656 |
+| ad-audit-4659 | manageengine-adauditplus-kv-handle-request-4659 |
+| ad-audit-4662 | microsoft-evsecurity-kv-ds-object-activity-success-4662-3 |
+| ad-audit-4663 | microsoft-evsecurity-kv-file-success-4663 |
+| ad-audit-4663-1 | microsoft-evsecurity-kv-file-success-4663-1 |
+| ad-audit-4688 | microsoft-evsecurity-kv-process-create-success-4688 |
+| ad-audit-4699 | manageengine-adauditplus-kv-scheduled-task-delete-4699 |
+| ad-audit-4720 | microsoft-evsecurity-kv-user-create-success-4720 |
+| ad-audit-4722 | microsoft-evsecurity-kv-user-enable-success-4722 |
+| ad-audit-4723 | microsoft-evsecurity-kv-user-password-modify-4723 |
+| ad-audit-4724 | microsoft-evsecurity-kv-user-password-reset-success-4724 |
+| ad-audit-4725 | microsoft-evsecurity-kv-user-disable-success-4725 |
+| ad-audit-4726 | microsoft-evsecurity-kv-user-delete-fail-deleted |
+| ad-audit-4728 | microsoft-evsecurity-kv-group-member-add-success-adauditplus |
+| ad-audit-4729 | microsoft-evsecurity-kv-group-member-remove-success-removedfrom |
+| ad-audit-4730 | microsoft-evsecurity-kv-group-delete-success-4730 |
+| ad-audit-4738 | microsoft-evsecurity-kv-ds-object-modify-success-4738 |
+| ad-audit-4740 | microsoft-evsecurity-kv-user-lock-success-4740 |
+| ad-audit-4742 | microsoft-evsecurity-kv-ds-object-modify-success-4742 |
+| ad-audit-4743 | microsoft-evsecurity-kv-user-delete-success-4743 |
+| ad-audit-4759 | microsoft-evsecurity-kv-group-create-success-4759 |
+| ad-audit-4767 | microsoft-evsecurity-kv-user-unlock-success-4767 |
+| ad-audit-4768 | microsoft-evsecurity-kv-endpoint-authentication-success-adaudit-4768 |
+| ad-audit-4769 | microsoft-evsecurity-kv-endpoint-login-4769-10 |
+| ad-audit-4771 | microsoft-evsecurity-kv-endpoint-login-fail-adaudit-4771 |
+| ad-audit-4778 | microsoft-evsecurity-kv-rdp-traffic-success-adaudit-4778 |
+| ad-audit-4779 | microsoft-evsecurity-kv-endpoint-logout-success-4779 |
+| ad-audit-4800 | microsoft-evsecurity-kv-endpoint-lock-success-4800 |
+| ad-audit-4801 | microsoft-evsecurity-kv-endpoint-unlock-success-4801 |
+| ad-audit-5136 | microsoft-evsecurity-kv-ds-object-modify-success-5136 |
+| ad-audit-5137 | microsoft-evsecurity-kv-ds-object-create-success-5137-1 |
+| ad-audit-5139 | microsoft-evsecurity-kv-ds-object-move-success-5139 |
+| ad-audit-5140 | microsoft-evsecurity-kv-share-access-success-5140 |
+| ad-audit-5141 | microsoft-evsecurity-kv-ds-object-delete-success-5141-1 |
+| ad-audit-alert | microsoft-windows-kv-alert-trigger-success-adapalerts |
+| ad-audit-json-4624 | microsoft-evsecurity-json-endpoint-login-success-4624-1 |
+| ad-audit-json-4656 | microsoft-evsecurity-sk4-handle-request-success-4656-1 |
+| ad-audit-json-4663 | microsoft-evsecurity-json-file-read-success-4663 |
+| ad-audit-json-4663-1 | microsoft-evsecurity-json-file-delete-success-4663-1 |
+| ad-audit-json-4768 | microsoft-evsecurity-json-endpoint-authentication-success-4768 |
+| ad-audit-json-4771 | microsoft-evsecurity-json-endpoint-login-fail-4771-3 |
+| ad-audit-json-5140 | microsoft-evsecurity-json-share-access-success-objectaccessed |
+| ad-json-4720 | microsoft-evsecurity-json-user-create-success-4720-1 |
+| ad-json-4722 | microsoft-evsecurity-json-user-enable-success-4722-1 |
+| ad-json-4724 | microsoft-evsecurity-json-user-password-reset-success-4724-1 |
+| ad-json-4740 | microsoft-evsecurity-json-user-lock-success-4740-1 |
+| ad-json-4767 | microsoft-evsecurity-json-user-unlock-success-4767-1 |
+| ad-json-5140 | microsoft-evsecurity-json-share-access-success-5140-1 |
+| ad-json-member-added-2008 | microsoft-evsecurity-json-group-member-add-success-securityenabled |
+| ad-json-member-removed-2008 | microsoft-evsecurity-json-group-member-remove-success-memberremoved |
+| adfs-299-auth-successful | microsoft-evsecurity-kv-endpoint-login-success-299-1 |
+| adfs-500-auth-successful | microsoft-evsecurity-kv-endpoint-login-success-500-1 |
+| adfs-501-auth-successful | microsoft-evsecurity-kv-endpoint-login-success-501 |
+| adfs-account-lockout-512 | microsoft-adfs-kv-user-lock-success-512 |
+| adfs-account-lockout-516 | microsoft-adfs-kv-user-lock-success-516 |
+| adfs-auth-failed | "microsoft-windows-xml-endpoint-authentication-fail-adfs342 |
+| adfs-auth-failed-324 | microsoft-adfs-kv-app-authentication-fail-324 |
+| adfs-auth-failed-411 | microsoft-adfs-kv-app-authentication-fail-411 |
+| adfs-auth-failed-413 | microsoft-adfs-kv-app-authentication-fail-413 |
+| adfs-auth-failed-501 | microsoft-adfs-str-app-notification-success-501 |
+| adfs-auth-successful | microsoft-evsecurity-kv-endpoint-login-success-299 |
+| adfs-auth-successful-1 | microsoft-evsecurity-kv-endpoint-login-success-500 |
+| adfs-dns-request | microsoft-adfs-kv-http-request-audit |
+| adfs-dns-response | microsoft-adfs-kv-http-response-success-dispatched |
+| admanager-activity | microsoft-ad-kv-app-group-admp |
+| adminbyrequest-privileged-access | adminbyrequest-a-json-user-privilege-use-success-adminsession |
+| adminbyrequest-privileged-object-access | adminbyrequest-a-json-user-privilege-use-success-runasadmin |
+| airlock-appwhitelisting-app-activity | airlock-allowlisting-str-app-activity-success-fileactivity |
+| airlock-appwhitelisting-app-activity-1 | airlock-allowlisting-str-app-activity-success-serveractivity |
+| airlock-create-folder | airlock-sah-kv-file-write-success-createfolder |
+| airlock-disconnect | airlock-sah-kv-vpn-logout-success-auditlog |
+| airlock-file-delete | airlock-sah-kv-file-delete-success-deletefile |
+| airlock-file-download | airlock-sah-kv-file-download-success-download |
+| airlock-file-download-failed | airlock-sah-kv-app-activity-fail-downloadfailed |
+| airlock-file-upload | airlock-sah-kv-file-upload-success-upload |
+| airlock-file-upload-failed | airlock-sah-kv-app-activity-fail-uploadfailed |
+| airlock-firewall-network-connection | airlock-sah-json-network-traffic-networktraffic |
+| airlock-firewall-system-info-1 | airlock-sah-json-network-traffic-connectiontrace |
+| airlock-firewall-system-info-2 | airlock-sah-str-app-notification-webrequests |
+| airlock-login-failed | airlock-sah-kv-app-login-fail-loginfailed |
+| airlock-login-success | airlock-sah-kv-app-login-success-loginsuccessful |
+| airlock-logout | airlock-sah-kv-vpn-logout-success-logout |
+| airlock-network-connection | airlock-sah-kv-network-traffic-success-connectionsuccessful |
+| airlock-rename-folder | airlock-sah-kv-file-write-success-renamefolder |
+| airwatch-admin-loggedin | vmware-airwatch-kv-endpoint-login-success-adminuserloggedin |
+| airwatch-admin-loggedout | vmware-airwatch-kv-app-logout-success-userloggedout |
+| airwatch-admin-login-failed | vmware-airwatch-kv-endpoint-login-fail-loginfailed |
+| airwatch-application-remove-requested | vmware-airwatch-kv-app-activity-success-appremoved |
+| airwatch-auth-successful | vmware-airwatch-kv-endpoint-login-success-login |
+| airwatch-authentication | vmware-airwatch-kv-endpoint-login-fail-authentication |
+| airwatch-authtoken-revoked | vmware-airwatch-kv-app-activity-success-tokenrevoked |
+| airwatch-breakmdm-requested | vmware-airwatch-kv-app-activity-success-breakmdmr |
+| airwatch-device-entr-wipe-requested | vmware-airwatch-kv-app-activity-success-wiperequested |
+| airwatch-device-wipe-requested | vmware-airwatch-kv-app-activity-success-wiperequested-1 |
+| airwatch-devicedelete-requested | vmware-airwatch-kv-app-activity-success-deleterequest |
+| airwatch-exitlauncher-requested | vmware-airwatch-kv-app-activity-success-exitlauncher |
+| airwatch-locationgroup-deleted | vmware-airwatch-kv-group-delete-success-groupdeleted |
+| airwatch-profile-deleted | vmware-airwatch-kv-user-delete-success-profiledeleted |
+| airwatch-profile-inactivated | vmware-airwatch-kv-user-disable-success-profileinactivated |
+| airwatch-profile-modified | vmware-airwatch-kv-user-modify-success-profilemodified |
+| airwatch-profileremove-requested | vmware-airwatch-kv-user-delete-success-profileremove |
+| airwatch-revoked | vmware-airwatch-kv-certificate-expire-success-revoked |
+| airwatch-security-alerts | vmware-airwatch-kv-alert-trigger-success-airwatch |
+| airwatch-user-deleted | vmware-airwatch-kv-user-delete-success-userdeleted |
+| airwatch-wiperequest | vmware-airwatch-kv-app-activity-success-wiperequest |
+| aix-auth-failed | unix-unix-kv-endpoint-login-fail-authfailure |
+| aix-auth-successful | unix-unix-kv-endpoint-authentication-success-dsepamauth |
+| aix-file-open-operation | unix-unix-str-file-read-success-fileopen |
+| aix-file-read-operation | unix-unix-str-file-read-success-fileread |
+| aix-file-rename-operation | unix-aix-str-file-write-success-filerename |
+| aix-file-write-operation | unix-unix-str-file-write-success-1 |
+| aix-process-create-operation | unix-unix-str-process-create-success-proccreate |
+| aix-process-created | unix-unix-str-process-create-success-cmd |
+| aix-process-delete-operation | unix-unix-str-process-close-success-procdelete |
+| aix-process-execute-operation | unix-unix-str-process-create-success-procexecute |
+| aix-task-created | unix-unix-str-scheduled-task-create-success-cmd |
+| aix-task-created-1 | unix-unix-str-scheduled-task-create-success-croncmd |
+| akamai-security-alert | akamai-siem-cef-alert-trigger-success-alerttriggerd |
+| akamai-web-activity | akamai-ca-json-http-session-webactivity |
+| amag-badge-access | amag-sac-json-physical-location-access-accessbadge |
+| amazon-rds-database-login | amazon-ards-sk4-database-login-success-connectionauthorized |
+| amazon-rds-database-operation | amazon-rds-str-database-query-modify-success-auditevent |
+| amazon-rds-database-operation-1 | amazon-rds-str-database-query-modify-success-auditevent-1 |
+| anywhere365-app-activity | anywhere365-a-kv-app-activity-success-callreceive |
+| anywhere365-app-activity-1 | anywhere365-a-kv-app-activity-success-ucccall |
+| anywhere365-app-activity-2 | anywhere365-a-kv-app-activity-success-newconference |
+| anywhere365-app-activity-3 | anywhere365-a-kv-app-activity-success-conferencecreator |
+| anywhere365-app-activity-4 | anywhere365-a-kv-app-activity-success-outboundcall |
+| apache-app-login-1 | apache-guacamole-str-app-authentication-success-user |
+| apache-authentication-attempt-1 | apache-guacamole-str-app-authentication-fail-authenticatethelockeduser |
+| apache-failed-app-login-1 | apache-guacamole-str-app-login-fail-authservice |
+| apache-failed-app-login-2 | apache-guacamole-str-app-login-fail-bindingerror |
+| apache-tomcat-system-info | apache-tomcat-str-app-notification-tomcatcatalina |
+| apache-web-activity-1 | apache-guacamole-kv-http-session-success-client |
+| apc-authentication-failed | apc-a-kv-endpoint-login-fail-smtpauthfail |
+| apc-dlp-email-alert-in | apc-a-kv-email-receive-success-accept |
+| apc-dlp-email-alert-in-failed | apc-a-kv-email-receive-fail-reject |
+| apc-failed-logon | apc-a-str-app-login-fail-invalidcredentials |
+| apc-network-alert | apc-a-str-alert-trigger-success-0004 |
+| apc-remote-logon | apc-a-str-endpoint-login-success-webuser |
+| apc-remote-logout | apc-a-str-app-logout-success-loggedout |
+| appsense-process-alert | appsense-am-leef-alert-trigger-success-warning |
+| arbor-network-fail | arbor-a-str-network-traffic-fail-block |
+| arista-networks-awake-security-alert | aristanetworks-as-cef-alert-trigger-success-deviceurlpath |
+| armis-alert-iot | armis-a-cef-alert-trigger-success-systempolicyviolation |
+| aruba-controller-ap-protection | hp-arubawc-str-app-notification-success-4111 |
+| aruba-controller-assoc | hp-arubawc-str-network-traffic-4111 |
+| aruba-controller-blacklist | hp-arubawc-str-app-notification-success-4111-1 |
+| aruba-controller-deauthenticate | hp-arubawc-str-app-notification-success-4107 |
+| aruba-controller-drop | hp-arubawc-str-network-traffic-fail-4107 |
+| aruba-controller-failed-nac-logon | hp-arubawc-kv-endpoint-login-fail-authfailed |
+| aruba-controller-radius | hp-arubawc-str-radius-traffic-success-4107 |
+| aruba-controller-wpa2 | hp-arubawc-str-app-notification-success-4107-1 |
+| aruba-local-logon-1 | hp-arubamm-cef-endpoint-login-success-authenticatedsuccessfully |
+| aruba-nac-failed-1 | hp-arubamm-cef-endpoint-login-fail-userauthenticationfailed |
+| aruba-nac-logon | hp-arubawc-kv-endpoint-login-success-authsuccessful |
+| aruba-nac-logon-1 | hp-arubamm-sk4-endpoint-login-success-ttamreporter |
+| aruba-nac-logon-2 | hp-arubamm-sk4-endpoint-login-success-authsuccess |
+| aruba-network-info-1 | hp-arubamm-sk4-app-notification-appnotification |
+| aruba-remote-logon-1 | hp-arubamm-cef-endpoint-login-success-authenticationsucceededforuser |
+| aruba-system-info-1 | hp-arubaos-str-app-notification-ikequickmodesucceeded |
+| aruba-system-info-2 | hp-arubaos-str-app-notification-ipsecsadeletedforpeer |
+| aruba-system-info-3 | hp-arubaos-str-endpoint-notification-kernelreportstimeerror |
+| aruba-system-info-4 | hp-arubamm-sk4-app-notification-appnotification-1 |
+| aruba-system-info-5 | hp-aruba-str-app-notification-success-sapd |
+| asa-aaa-cef-vpn-start | cisco-asa-cef-vpn-login-success-authsuccess |
+| asa-aaa-vpn-start | cisco-asa-str-vpn-login-success-109005 |
+| asa-aaa-vpn-stop | cisco-asa-str-vpn-logout-success-authensessionend |
+| asa-nap-cef-7.1.7-vpn-start | cisco-asa-cef-vpn-login-success-assignedprivateip |
+| asa-nap-cef-vpn-end | cisco-asa-cef-vpn-logout-success-sessionisbeingtorndown |
+| asa-nap-cef-vpn-start | cisco-asa-cef-vpn-login-success-assignedprivateip-1 |
+| asa-svc-cef-7.1.7-vpn-end | cisco-asa-cef-vpn-logout-success-sessiondisconnected |
+| asa-svc-cef-vpn-close | cisco-asa-cef-vpn-logout-success-svcclosingconnection |
+| asa-svc-vpn-713050-end | cisco-asa-str-vpn-logout-success-713050 |
+| asa-svc-vpn-716001-start | cisco-asa-str-vpn-login-success-716001 |
+| asa-svc-vpn-716002-end | cisco-asa-str-vpn-logout-success-716002 |
+| asa-svc-vpn-716038-start | cisco-asa-str-vpn-login-success-716038 |
+| asa-svc-vpn-716059-start | cisco-asa-str-vpn-login-success-716059 |
+| asa-svc-vpn-751025-start | cisco-asa-str-vpn-login-success-751025 |
+| asa-svc-vpn-start-iPhone | cisco-asa-str-vpn-login-success-722051-1 |
+| asa-web-activity-716003 | cisco-asa-str-http-session-success-716003 |
+| assetview-file-download-activity | assetview-av-csv-file-download-success-15091 |
+| assetview-file-write | assetview-av-str-file-write-success-10001 |
+| assetview-print-activity | assetview-av-csv-printer-activity-success-15041 |
+| assetview-security-alert | assetview-av-str-alert-trigger-success-35131 |
+| assetview-usb-activity | assetview-av-csv-peripheral-storage-insert-success-15031 |
+| audit-unix-process-created | unix-ad-kv-process-create-success-audit |
+| auditbeat-account-switch | unix-unix-json-user-switch-success-pamsessionopen |
+| auditbeat-account-switch-2 | unix-unix-json-user-switch-success-process |
+| auditbeat-auth-success | unix-unix-json-endpoint-login-success-logstash |
+| auditbeat-authentication-successful | unix-auditbeat-kv-endpoint-login-success-userlogin |
+| auditbeat-file-access | unix-unix-json-file-read-success-fileaccess |
+| auditbeat-file-operation-4 | unix-auditbeat-json-file-create-success-file |
+| auditbeat-file-operations | unix-unix-json-file-success-logstashfile |
+| auditbeat-file-operations-2 | unix-unix-json-file-success-logstashfile-1 |
+| auditbeat-file-operations-3 | unix-unix-json-file-success-logstashfile-2 |
+| auditbeat-local-logon | unix-unix-json-endpoint-login-success-userlogin |
+| auditbeat-logout | unix-auditbeat-json-endpoint-logout-success-userlogout |
+| auditbeat-password-change | unix-unix-json-user-password-modify-success-process |
+| auditbeat-perm-mod | unix-unix-json-file-permission-modify-success-permissionmodify |
+| auditbeat-process-activity | unix-auditbeat-json-process-close-success-processstopped |
+| auditbeat-process-audit | unix-auditbeat-json-app-activity-success-process |
+| auditbeat-process-created | unix-auditbeat-json-process-create-success-processstarted |
+| auditbeat-process-created-failed | unix-auditbeat-json-process-create-fail-processerror |
+| auditbeat-process-creation | unix-unix-json-process-create-logstash |
+| auditbeat-process-network | unix-auditbeat-json-network-session-fail-networkflow |
+| auditbeat-security-alert | unix-unix-json-alert-trigger-success-suspactivity |
+| auditbeat-security-alert-2 | unix-unix-json-alert-trigger-success-unauthedfileaccess |
+| auditbeat-security-alert-3 | unix-unix-json-alert-trigger-success-recon |
+| auditbeat-security-alert-4 | unix-unix-json-alert-trigger-success-powerabuse |
+| auditbeat-ssh-login | unix-unix-json-ssh-traffic-success-process |
+| auditbeat-ssh-login-2 | unix-unix-json-endpoint-login-success-pubkeyauth |
+| auditbeat-ssh-login-3 | unix-unix-json-endpoint-login-success-key |
+| auditbeat-ssh-login-4 | unix-unix-json-endpoint-login-success-userlogin-1 |
+| auditbeat-unix-account-created | unix-unix-json-user-create-success-adduser |
+| auditbeat-unix-account-created-2 | unix-auditbeat-json-group-create-success-addshadowgroup |
+| auditbeat-unix-account-created-3 | unix-auditbeat-json-group-create-success-addgroup |
+| auditbeat-unix-account-delete | unix-unix-json-user-delete-fail-process |
+| auditbeat-unix-account-delete-2 | unix-unix-json-user-delete-fail-auditbeat |
+| auditbeat-unix-account-delete-3 | unix-unix-json-user-delete-fail-deletegroup |
+| auditbeat-unix-member-removed | unix-unix-json-group-member-remove-success-process |
+| auditbeat-unix-member-removed-2 | unix-unix-json-group-member-remove-success-auditbeat |
+| auditd-unix-account-switch | unix-auditd-kv-user-switch-success-userrolechange |
+| auditd-unix-process-created | unix-ad-kv-process-create-success-audispd |
+| auth0-login-failed | auth0-a-json-endpoint-login-fail-fp |
+| auth0-login-failed-1 | auth0-a-json-endpoint-login-fail-invalidrequest |
+| auth0-login-success | auth0-a-json-app-login-success-s |
+| auth0-password-breached | auth0-a-json-alert-trigger-success-pwdleak |
+| auth0-password-change-failed | auth0-a-json-user-password-modify-fail-fcp |
+| authmgr-auth-system-alert | dell-rsaauthmngr-kv-app-authentication-status |
+| authmgr-authentication-failed | dell-rsaauthmngr-kv-endpoint-authentication-fail-authfail |
+| authmgr-authentication-failed-1 | dell-rsaauthmngr-kv-endpoint-login-fail-authorizationfail |
+| authmgr-authentication-failed-2 | dell-rsaauthmngr-kv-endpoint-authentication-fail-usertokenfailed |
+| authmgr-authentication-successful | dell-rsaauthmngr-kv-endpoint-authentication-success-authsuccess |
+| authmgr-authentication-successful-1 | dell-rsaauthmngr-kv-endpoint-login-success-authorizationsuccess |
+| authmgr-authentication-successful-2 | dell-rsaauthmngr-kv-endpoint-authentication-success-usertokencreated |
+| avanan-dlp-alert | checkpoint-avanan-json-alert-trigger-success-avanansecurityeventdlp |
+| avanan-dlp-alert-1 | checkpoint-avanan-json-alert-trigger-success-dlp |
+| avanan-dlp-email-alert | checkpoint-avanan-json-email-receive-avanansecurityevent |
+| avanan-dlp-email-alert-1 | checkpoint-avanan-json-email-send-avanansecurityevent |
+| avanan-dlp-email-alert-2 | checkpoint-avanan-json-email-receive-securityevent |
+| avanan-dlp-email-alert-3 | checkpoint-avanan-json-email-send-securityevent |
+| avanan-dlp-email-alert-4 | checkpoint-avanan-json-email-send-receive-phishing |
+| avanan-security-alert | checkpoint-avanan-json-alert-trigger-success-avanansecurityeventmalware |
+| avanan-security-alert-1 | checkpoint-avanan-json-alert-trigger-success-securityeventmalware |
+| avaya-switch-auth-attempt | avaya-ers-str-endpoint-login-fail-unauthorized |
+| avaya-switch-auth-attempt-1 | avaya-ers-str-endpoint-login-fail-disallowed |
+| avaya-switch-auth-failed | avaya-ers-str-app-authentication-fail-6 |
+| avaya-switch-auth-failed-1 | avaya-ers-str-endpoint-login-fail-intruderip |
+| avaya-switch-auth-successful | avaya-ers-str-endpoint-login-success-sessionopened |
+| avaya-switch-auth-successful-1 | avaya-ers-str-endpoint-login-success-successfulconnection |
+| avaya-switch-logout | avaya-ers-str-endpoint-logout-success-connectionclosed |
+| avaya-switch-logout-1 | avaya-ers-str-endpoint-logout-success-sessionclosed |
+| avaya-switch-system-event | avaya-ers-str-endpoint-activity-success-ssh |
+| avecto-local-logon | beyondtrust-privmgmt-kv-endpoint-login-success-userlogon |
+| avecto-process-created | beyondtrust-privmgmt-kv-process-create-success-processstarted |
+| avecto-process-created-1 | beyondtrust-privmgmt-kv-process-create-success-processstarttime |
+| aventail-vpn-end | dell-sw-kv-vpn-logout-success-infosystem |
+| aventail-vpn-start | dell-sw-str-vpn-login-success-csacl |
+| aventail-vpn-start-1 | dell-sw-kv-vpn-login-success-platformprefix |
+| avi-lb-app-login | avinetworks-a-str-app-login-success-loginsuccess |
+| avi-lb-app-logout | avinetworks-lb-str-endpoint-logout-userlogout |
+| aws-addusertogroup-json | amazon-awscloudtrail-json-group-member-add-addusertogroup |
+| aws-alert-1 | amazon-awscloudtrail-sk4-user-create-createmembers |
+| aws-assumerole-json | amazon-awscloudtrail-json-role-assume-success-assumerole |
+| aws-attachgrouppolicy-json | amazon-awscloudtrail-json-group-policy-attach-success-attachgrouppolicy |
+| aws-attachrolepolicy-json | amazon-awscloudtrail-json-role-policy-attach-success-attachrolepolicy |
+| aws-attachuserpolicy-json | amazon-awscloudtrail-json-user-policy-attach-success-attachuserpolicy |
+| aws-attachvolume-json | amazon-awscloudtrail-json-disk-attach-attachvolume |
+| aws-cloudtrail-activity | amazon-awscloudtrail-sk4-app-activity-aws |
+| aws-cloudtrail-app-activity | amazon-awscloudtrail-json-app-activity-success-awsapicall |
+| aws-consolelogin-json | amazon-awscloudtrail-json-aws-login-consolelogin |
+| aws-copyobject-json | amazon-awscloudtrail-json-file-copy-copyobject |
+| aws-createaccesskey-json | amazon-awscloudtrail-json-user-key-create-createaccesskey |
+| aws-createbucket-json | amazon-awscloudtrail-json-bucket-create-awsapicall |
+| aws-createfunction-json | amazon-awscloudtrail-json-function-write-createfunction |
+| aws-creategroup-json | amazon-awscloudtrail-json-user-create-creategroup |
+| aws-createimage-json | amazon-awscloudtrail-json-image-create-awsapicall |
+| aws-createkeypair-json | amazon-awscloudtrail-json-key-write-createkeypair |
+| aws-createloginprofile-json | amazon-awscloudtrail-json-app-activity-loginprofile |
+| aws-createpolicy-json | amazon-awscloudtrail-json-policy-create-success-createpolicy |
+| aws-createpolicyversion-json | amazon-awscloudtrail-json-policy-modify-success-createpolicyversion |
+| aws-createrole-json | amazon-awscloudtrail-json-role-create-success-createrole |
+| aws-createsnapshot-json | amazon-awscloudtrail-json-snapshot-create-awsapicall |
+| aws-createuser-json | amazon-awscloudtrail-json-user-create-awsapicall |
+| aws-createvolume-json | amazon-awscloudtrail-json-disk-create-createvolume |
+| aws-general-activity | amazon-awscloudtrail-json-app-activity-awsapicall |
+| aws-getconsolescreenshot-json | amazon-awscloudtrail-json-app-activity-getscreenshot |
+| aws-getobject-json | amazon-awscloudtrail-json-file-read-getobject |
+| aws-getpassworddata-json | amazon-awscloudtrail-json-key-read-getpassword |
+| aws-listattachedgrouppolicies-json | amazon-awscloudtrail-json-policy-list-success-grouppolicies |
+| aws-listattachedrolepolicies-json | amazon-awscloudtrail-json-policy-list-success-rolepolicies |
+| aws-listattacheduserpolicies-json | amazon-awscloudtrail-json-policy-list-success-userpolicies |
+| aws-listgrouppolicies-json | amazon-awscloudtrail-json-policy-list-success-listgrouppolicies |
+| aws-listrolepolicies-json | amazon-awscloudtrail-json-policy-list-success-listrolepolicies |
+| aws-listuserpolicies-json | amazon-awscloudtrail-json-policy-list-success-listuserpolicies |
+| aws-modifyimageattribute-json | amazon-awscloudtrail-json-image-modify-imageattribute |
+| aws-modifyinstanceattribute-json | amazon-awscloudtrail-json-endpoint-modify-instanceattribute |
+| aws-modifysnapshotattribute-json | amazon-awscloudtrail-json-snapshot-modify-awsapicall |
+| aws-modifyvolume-json | amazon-awscloudtrail-json-disk-modify-modifyvolume |
+| aws-putbucketacl-json | amazon-awscloudtrail-json-bucket-permission-modify-putbucketacl |
+| aws-putbucketcors-json | amazon-awscloudtrail-json-bucket-permission-modify-putbucketcors |
+| aws-putbucketpolicy-json | amazon-awscloudtrail-json-bucket-policy-modify-putbucketpolicy |
+| aws-putbucketpublicaccessblock-json | amazon-awscloudtrail-json-bucket-accessblock-modify-awsapicall |
+| aws-putgrouppolicy-json | amazon-awscloudtrail-json-policy-create-success-putgrouppolicy |
+| aws-putobject-json | amazon-awscloudtrail-json-file-write-putobject |
+| aws-putobjectacl-json | amazon-awscloudtrail-json-bucket-permission-modify-putobjectacl |
+| aws-putrolepolicy-json | amazon-awscloudtrail-json-policy-create-success-putrolepolicy |
+| aws-putuserpolicy-json | amazon-awscloudtrail-json-policy-create-success-putuserpolicy |
+| aws-renewrole-json | amazon-awscloudtrail-json-role-assume-renewrole |
+| aws-runinstances-json | amazon-awscloudtrail-json-endpoint-create-runinstances |
+| aws-security-alert | amazon-awsguardduty-sk4-alert-trigger-success-guardduty-3 |
+| aws-sendcommand-json | amazon-awscloudtrail-json-app-activity-sendcommand |
+| aws-sendsshpublickey-json | amazon-awscloudtrail-json-endpoint-login-sendsshkey |
+| aws-setpolicyversion-json | amazon-awscloudtrail-json-policy-modify-success-setpolicyversion |
+| aws-switchrole-json | amazon-awscloudtrail-json-role-assume-success-switchrole |
+| aws-updateassumerolepolicy-json | amazon-awscloudtrail-json-policy-modify-success-updateassumerolepolicy |
+| aws-updatefunctioncode-json | amazon-awscloudtrail-json-function-write-updatefunction |
+| aws-updatefunctionconfiguration-json | amazon-awscloudtrail-json-function-write-updateconfiguration |
+| aws-updateloginprofile-json | amazon-awscloudtrail-json-app-activity-updateprofile |
+| aws-waf-web-activity | aws-waf-json-http-session-httprequest |
+| aws-web-activity | amazon-awswaf-sk4-http-request-httprequest |
+| aws-web-activity-1 | amazon-awswaf-json-app-authentication-httprequest |
+| axway-remote-logon | axway-gateway-str-endpoint-login-success-successfullogin |
+| axway-sftp-file-upload | axway-gateway-kv-file-upload-success-fileupload |
+| azure-ad-account-disabled | microsoft-azuread-json-user-disable-success-accountdisable |
+| azure-ad-account-password-change | microsoft-azuread-json-user-password-reset-fail-changepassword |
+| azure-ad-account-password-change-1 | azure-azuread-json-user-password-modify-success-selfservice |
+| azure-ad-account-password-change-2 | microsoft-azuread-sk4-user-password-modify-success-userpasswordchange |
+| azure-ad-account-password-change-3 | microsoft-azuread-sk4-user-password-modify-success-changepassword |
+| azure-ad-account-unlocked | microsoft-azuread-json-user-unlock-success-useraccountunlock |
+| azure-ad-app-activity | microsoft-m365auditlogs-json-app-activity-operationname |
+| azure-ad-app-login | microsoft-azuread-cef-app-login-signinoperation |
+| azure-ad-member-added | microsoft-azuread-json-group-member-add-success-aadiam |
+| azure-ad-member-added-1 | microsoft-azuread-cef-group-member-add-success-auditlogs |
+| azure-ad-member-removed | microsoft-azuread-json-group-member-remove-success-groupmemberremoved |
+| azure-ad-member-removed-1 | microsoft-azure-cef-group-member-remove-success-removefromgroup |
+| azure-ad-security-alert-2 | microsoft-azureadip-json-alert-trigger-success-graphsecurityalert |
+| azure-app-activity | microsoft-azuremon-sk4-app-activity-destinationservicename |
+| azure-app-activity-1 | microsoft-azure-json-app-activity-strongauthenticationuserdetails |
+| azure-app-activity-2 | microsoft-azure-sk4-app-activity-userupdate |
+| azure-app-activity-3 | microsoft-azure-sk4-app-activity-adduser |
+| azure-app-activity-4 | microsoft-azure-sk4-app-activity-addgroup |
+| azure-app-activity-5 | microsoft-azure-sk4-app-activity-deleteuser |
+| azure-app-activity-6 | microsoft-azure-sk4-app-activity-addmembertorole |
+| azure-app-activity-7 | microsoft-azure-sk4-app-activity-addownertogroup |
+| azure-app-activity-8 | microsoft-azuremon-sk4-app-activity-success-updategroup |
+| azure-app-auth-events | microsoft-windows-sk4-endpoint-login-requireduomfa |
+| azure-app-login | microsoft-azure-sk4-app-login-success-loginevent |
+| azure-app-logon | microsoft-windows-cef-app-login-tokenissuertype |
+| azure-app-logon-2 | microsoft-windows-cef-app-login-conditionalaccessstatus |
+| azure-app-logon-3 | microsoft-windows-sk4-app-login-fail-signin |
+| azure-atp-security-alert | microsoft-azureatp-json-alert-trigger-success-advancedthreatprotection |
+| azure-atp-security-alert-1 | microsoft-azureatp-json-alert-trigger-success-remoteexecutionsecurityalert |
+| azure-atp-security-alert-2 | microsoft-azureatp-json-alert-trigger-success-enumerationsecurityalert |
+| azure-atp-security-alert-3 | microsoft-azureatp-json-alert-trigger-success-passtheticket |
+| azure-atp-security-alert-4 | microsoft-azureatp-json-alert-trigger-success-netlogonbypasssecurityalert |
+| azure-atp-security-alert-5 | microsoft-azureatp-json-alert-trigger-success-remoteexecutionsecurityalert-1 |
+| azure-atp-security-alert-6 | microsoft-azureatp-json-alert-trigger-success-netlogonbypasssecurityalert-1 |
+| azure-atp-security-alert-7 | microsoft-azure-sk4-alert-trigger-success-aatp |
+| azure-blob-activity1 | microsoft-azure-json-file-success-1 |
+| azure-blob-activity2 | microsoft-azure-json-file-success-2 |
+| azure-cloud-system-info | microsoft-azuremon-json-app-activity-success-sourcesystem |
+| azure-databrick-app-activity-1 | microsoft-azuremon-sk4-secret-read-getsecret |
+| azure-databrick-app-activity-2 | microsoft-azuremon-sk4-app-notification-clusterstartresult |
+| azure-databrick-app-activity-3 | microsoft-azuremon-sk4-app-notification-clusterstart |
+| azure-disks-write | microsoft-azure-json-disk-write-success-disk |
+| azure-event-hub-administrative | microsoft-azuremon-sk4-app-activity-administrative |
+| azure-event-hub-alert | microsoft-azuremon-sk4-app-activity-alert |
+| azure-event-hub-app-service-audit-logs | microsoft-azure-cef-app-login-success-auditlogs |
+| azure-event-hub-app-service-http-logs | microsoft-azuremon-sk4-http-session-appservicehttplogs |
+| azure-event-hub-application-gateway-access-log | microsoft-azureeh-sk4-app-activity-success-applicationgatewayaccesslog |
+| azure-event-hub-application-gateway-access-log-1 | microsoft-azuremon-sk4-app-activity-applicationgatewayaccess |
+| azure-event-hub-application-gateway-access-log-2 | microsoft-azuremon-sk4-http-request-applicationgateway |
+| azure-event-hub-application-gateway-firewall-log | microsoft-azure-cef-network-traffic-firewall |
+| azure-event-hub-application-gateway-performance-log | microsoft-azuremon-sk4-app-notification-performancelog |
+| azure-event-hub-application-gateway-performance-log-1 | microsoft-azuremon-sk4-app-activity-clientrequest |
+| azure-event-hub-device-logon | microsoft-defenderep-kv-endpoint-login-devicelogonevents |
+| azure-event-hub-dns-query | microsoft-defenderep-kv-dns-response-dnsqueryresponse |
+| azure-event-hub-file-events | microsoft-azure-kv-file-success-vmid |
+| azure-event-hub-file-read | microsoft-azure-cef-file-read-success-actiontype |
+| azure-event-hub-gateway | microsoft-azuremon-sk4-app-activity-eventhub |
+| azure-event-hub-gateway-1 | microsoft-azuremon-sk4-app-notification-gatewaylogs |
+| azure-event-hub-image-load | microsoft-defenderep-kv-dll-load-eventhubbeat |
+| azure-event-hub-key-vault-activity | microsoft-azuremon-sk4-app-activity-auditevent |
+| azure-event-hub-key-vault-auth | microsoft-azure-cef-app-login-success-authentication |
+| azure-event-hub-member-added | microsoft-azure-kv-group-member-add-success-eventhubbeat |
+| azure-event-hub-member-removed | microsoft-azure-kv-group-member-remove-success-deviceevents |
+| azure-event-hub-network-connection | microsoft-azure-kv-network-traffic-eventhubbeat |
+| azure-event-hub-network-security-group-event | microsoft-azure-cef-network-traffic-event |
+| azure-event-hub-network-security-group-rule-counter | microsoft-azure-cef-network-traffic-rule |
+| azure-event-hub-policy | microsoft-azuremon-sk4-app-activity-policy |
+| azure-event-hub-process-events | microsoft-azure-kv-process-create-success-processcreated |
+| azure-event-hub-process-events-1 | microsoft-azure-kv-process-create-success-powershellcommand |
+| azure-event-hub-recommendation | microsoft-azuremon-sk4-app-activity-recommendation |
+| azure-event-hub-registry | microsoft-windows-kv-registry-eventhubbeat |
+| azure-event-hub-remote-logon | microsoft-azure-csv-rdp-traffic-success-vmid |
+| azure-event-hub-resource-health | microsoft-azuremon-sk4-app-notification-resourcehealth |
+| azure-event-hub-security | microsoft-azureeh-csv-alert-trigger-security |
+| azure-event-hub-service-health | microsoft-azuremon-sk4-app-notification-servicehealth |
+| azure-event-hub-sql-security-event | microsoft-azure-cef-database-query-success-event |
+| azure-event-hub-system-event | microsoft-defenderep-kv-endpoint-activity-deviceevents |
+| azure-event-hub-system-info | microsoft-defenderep-kv-network-notification-eventhubbeat |
+| azure-event-hub-system-info-1 | microsoft-defenderep-kv-endpoint-notification-eventhubbeat |
+| azure-event-hub-system-info-2 | microsoft-azuremon-sk4-app-notification-timegrain |
+| azure-event-hub-task-created | microsoft-defenderep-kv-scheduled_task-create-scheduledtaskcreated |
+| azure-event-hub-usb-activity | microsoft-azure-kv-peripheral-storage-activity-success-eventhubbeat |
+| azure-event-hub-usb-insert | microsoft-azure-json-peripheral-storage-insert-success-usbdrivemount |
+| azure-eventhubbeat-app-activity | microsoft-azure-json-app-activity-updatedevice |
+| azure-eventhubbeat-app-activity-1 | microsoft-azure-json-app-activity-updateuser |
+| azure-eventhubbeat-app-activity-2 | microsoft-azure-kv-app-activity-adduser |
+| azure-eventhubbeat-app-activity-3 | microsoft-azure-kv-app-activity-deleteuser |
+| azure-eventhubbeat-app-activity-4 | microsoft-azure-kv-app-activity-changeuserlicense |
+| azure-eventhubbeat-app-activity-5 | microsoft-azure-json-app-activity-updategroup |
+| azure-eventhubbeat-app-activity-6 | microsoft-azure-json-app-activity-addgroup |
+| azure-eventhubbeat-app-activity-7 | microsoft-azure-kv-app-activity-harddeletegroup |
+| azure-eventhubbeat-app-activity-8 | microsoft-azure-json-app-activity-groupmanagement |
+| azure-eventhubbeat-app-activity-9 | microsoft-azure-json-app-activity-deletegroup |
+| azure-file-read | microsoft-azure-cef-file-read-success-loganalytics |
+| azure-file-read-1 | microsoft-azure-sk4-file-read-success-keyget |
+| azure-file-read-2 | microsoft-azure-sk4-file-read-success-vaultget |
+| azure-file-read-3 | microsoft-azure-sk4-file-read-success-resourceid |
+| azure-file-write | microsoft-azure-cef-file-write-success-secretset |
+| azure-fw-network-connection | microsoft-azure-sk4-network-traffic-nsgflow |
+| azure-fw-network-info | microsoft-azuremon-sk4-http-request-success-applicationgateways |
+| azure-fw-network-info-2 | microsoft-azuremon-sk4-app-activity-success-networksecuritygroups |
+| azure-fw-network-info-3 | microsoft-azuremon-sk4-network-session-azurefirewall |
+| azure-fw-network-info-4 | microsoft-azuremon-sk4-app-activity-success-virtualnetworkgateways |
+| azure-fw-network-info-5 | microsoft-azuremon-sk4-dns-success-azurefirewalldnsproxy |
+| azure-fw-network-info-7 | microsoft-azuremon-sk4-http-request-success-azurefirewallapplicationrule |
+| azure-fw-network-info-8 | microsoft-azuremon-sk4-app-notification-applicationgatewayfirewalllog |
+| azure-images-write | microsoft-azure-json-image-write-success-imagewrite |
+| azure-keyvault-activity | microsoft-azure-json-key-success-keyvault |
+| azure-mfa-add-user-mobile | microsoft-azuremfa-csv-user-modify-added |
+| azure-mfa-added-new-user | microsoft-azuremfa-str-user-modify-success-addednewuser |
+| azure-mfa-admin-activity | microsoft-azuremfa-str-app-activity-success-user |
+| azure-mfa-auth-attempt | microsoft-azuremfa-str-app-authentication-validate-oath-code-1 |
+| azure-mfa-auth-attempt-2 | microsoft-azuremfa-str-user-modify-changed |
+| azure-mfa-auth-attempt-3 | microsoft-azuremfa-str-app-authentication-fail-from |
+| azure-mfa-auth-attempt-4 | microsoft-azuremfa-str-app-authentication-primery |
+| azure-mfa-auth-attempt-5 | microsoft-azuremfa-str-app-authentication-fail-validate-security-question-answers |
+| azure-mfa-auth-attempt-6 | microsoft-azuremfa-str-app-authentication-validate-oath-code |
+| azure-mfa-auth-failed | microsoft-azuremfa-str-endpoint-login-fail-pfsvc |
+| azure-mfa-auth-failed-2 | microsoft-azuremfa-str-endpoint-login-fail-incorrect |
+| azure-mfa-auth-failed-3 | microsoft-azuremfa-str-app-authentication-fail-failed |
+| azure-mfa-auth-successful | microsoft-azuremfa-str-endpoint-login-success-callstatus |
+| azure-mfa-changed-oath-token-success | microsoft-azuremfa-csv-process-token-modify-pfsvc |
+| azure-mfa-delete-user | microsoft-azuremfa-csv-user-delete-deleted |
+| azure-mfa-delete-user-mobile | microsoft-azuremfa-csv-user-modify-deleted |
+| azure-network-connection-success | microsoft-azure-sk4-network-traffic-success-firewallnetworkrule |
+| azure-network-info | microsoft-azuremon-sk4-app-notification-applicationgateways |
+| azure-password-protection-30006 | "microsoft-evazureadppdca-xml-app-notification-30006 |
+| azure-process-created | microsoft-o365-sk4-process-create-success-processcreated |
+| azure-process-created-1 | microsoft-azure-json-process-create-success-vmprocess |
+| azure-roleassignments-write | microsoft-azure-json-user-role-assign-success-createroleassignment |
+| azure-roledefiniton-write | microsoft-azure-json-role-write-success-createroledefination |
+| azure-security-alert | microsoft-sentinel-sk4-alert-trigger-success-loganalytics |
+| azure-security-alert-1 | microsoft-azuresc-sk4-alert-trigger-success-logactivity |
+| azure-security-alert-2 | microsoft-azuresc-sk4-alert-trigger-success-securityalert |
+| azure-security-center-network-alert | microsoft-azuresc-json-alert-trigger-success-trafficfromunrecommendedip |
+| azure-security-center-process-alert | microsoft-azuresc-json-alert-trigger-success-kvappanomaly |
+| azure-security-center-security-alert | microsoft-azuresc-json-alert-trigger-success-sqldbprincipalanomaly |
+| azure-security-center-security-alert-1 | microsoft-azuresc-json-alert-trigger-success-asc |
+| azure-security-center-security-alert-2 | microsoft-azuresc-json-alert-trigger-success-vmwindowsobfus |
+| azure-security-center-security-alert-3 | microsoft-azuresc-json-alert-trigger-success-geoanomaly |
+| azure-security-center-security-alert-4 | microsoft-azuresc-json-alert-trigger-success-anomalouspageaccess |
+| azure-security-center-security-alert-5 | microsoft-azuresc-sk4-alert-trigger-success-asc |
+| azure-snapshots-write | microsoft-azure-json-snapshot-write-success-snapshotswrite |
+| azure-sshpublickeys-write | microsoft-azure-json-key-write-success-sshpublickey |
+| azure-system-info | microsoft-azuremon-kv-app-activity-uam |
+| azure-virtualmachines-write | microsoft-azure-json-image-write-success-createvm |
+| azure-waf-system-info | microsoft-azure-sk4-app-notification-success-healthprobelog |
\ No newline at end of file
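Review bot: the `azure-password-protection-30006` row has a stray leading double quote in its New Parser Name cell (`"microsoft-evazureadppdca-xml-app-notification-30006`), so the rendered mapping will not match the actual parser ID; drop the quote. While in this hunk, confirm that `microsoft-azure-json-role-write-success-createroledefination` (the `azure-roledefiniton-write` row) and `microsoft-azuremfa-str-app-authentication-primery` (the `azure-mfa-auth-attempt-4` row) are the shipped parser IDs and not typos carried into the new names, since a mis-spelled target silently breaks the lookup. The file is also written without a trailing newline (`\ No newline at end of file`); add one so later diffs against it stay clean.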
diff --git a/ParsersLegacy/b_parsers.md b/ParsersLegacy/b_parsers.md
new file mode 100644
index 0000000..4d4df7e
--- /dev/null
+++ b/ParsersLegacy/b_parsers.md
@@ -0,0 +1,199 @@
+| Old Parser Name | New Parser Name |
+| ----------------------------------------- | ------------------------------------------------------------------------------------------ |
+| badgepoint-physical-badge-access-1 | badgepoint-b-kv-physical-location-access-readerid |
+| barracuda-accounting-login | barracuda-firewall-kv-vpn-login-success-accountinglogin |
+| barracuda-accounting-logout | barracuda-firewall-kv-vpn-logout-success-session |
+| barracuda-dlp-email-alert-out | barracuda-esg-json-dlp-email-send-success |
+| barracuda-dlp-email-alert-out-1 | barracuda-esg-json-dlp-email-send-success-1 |
+| barracuda-dlp-email-alert-out-failed | barracuda-esg-json-dlp-email-send-fail |
+| barracuda-email | barracuda-esg-cef-email-receive-barracudanetworks |
+| barracuda-failed-logon | barracuda-firewall-str-endpoint-login-fail-denied |
+| barracuda-failed-vpn-login | barracuda-firewall-str-vpn-login-fail-authfail |
+| barracuda-firewall-network-connection | barracuda-firewall-str-network-traffic-firewallactivity |
+| barracuda-firewall-network-connection-1 | barracuda-firewall-kv-network-traffic-networktraffic |
+| barracuda-login-peer | barracuda-firewall-kv-vpn-login-success-peerlogin |
+| barracuda-logout | barracuda-firewall-str-app-logout-success-closed |
+| barracuda-logout-peer | barracuda-firewall-kv-vpn-logout-success-peer |
+| barracuda-network-info-1 | barracuda-firewall-str-alert-trigger-insertevent |
+| barracuda-network-info-2 | barracuda-firewall-str-app-notification-success-4004 |
+| barracuda-network-info-3 | barracuda-firewall-str-app-notification-success-4006 |
+| barracuda-network-info-4 | barracuda-firewall-str-app-notification-success-4024 |
+| barracuda-network-info-5 | barracuda-firewall-str-app-notification-success-4008 |
+| barracuda-network-info-6 | barracuda-firewall-str-app-notification-success-4016 |
+| barracuda-remote-logon | barracuda-firewall-str-endpoint-login-allowed |
+| barracuda-vpn-auth-attempt | barracuda-firewall-str-app-authentication-success-requestfromuser |
+| barracuda-vpn-auth-attempt-1 | barracuda-firewall-str-app-authentication-success-preauthentication |
+| barracuda-vpn-auth-attempt-2 | barracuda-firewall-str-app-authentication-success-authrequest |
+| barracuda-vpn-auth-attempt-3 | barracuda-firewall-str-app-authentication-success-authlogin |
+| barracuda-vpn-login | barracuda-firewall-str-vpn-login-success-authsucceeded |
+| barracuda-web-activity | barracuda-waf-str-http-request-success-tr |
+| barracuda-web-activity-1 | barracuda-waf-str-http-request-success-valid |
+| barracuda-web-activity-2 | barracuda-waf-str-http-request-success-profiledvalid |
+| barracuda-web-activity-3 | barracuda-waf-str-http-request-success-protectedvalid |
+| barracuda-web-activity-4 | barracuda-waf-str-http-request-success-unproctectedvalid |
+| barracuda-web-activity-5 | barracuda-waf-str-http-request-success-defaultunprotectedvalid |
+| barracuda-web-activity-6 | barracuda-waf-str-http-request-success-passivevalid |
+| barracuda-web-activity-7 | barracuda-waf-str-http-request-success-serverdefaultpassivevalid |
+| bastion-failed-logon | amazon-awabastion-str-endpoint-login-fail-accessdeniedtoidqsadsgui |
+| bastion-remote-logon | amazon-awabastion-str-endpoint-login-success-logon |
+| beyond-account-add | beyondtrust-bi-json-user-create-success-add |
+| beyond-account-delete | beyondtrust-bi-json-user-delete-success-delete |
+| beyond-account-retrieve | beyondtrust-bi-json-user-privilege-use-switch-success-retrieve |
+| beyond-account-unlock | beyondtrust-bi-json-user-unlock-success-unlock |
+| beyond-activity-approve | beyondtrust-bi-json-app-activity-success-approve |
+| beyond-activity-cancel | beyondtrust-bi-json-app-activity-success-cancel |
+| beyond-activity-deny | beyondtrust-bi-json-app-activity-success-deny |
+| beyond-activity-expire | beyondtrust-bi-json-app-activity-success-expire |
+| beyond-activity-update | beyondtrust-bi-json-app-activity-success-update |
+| beyondtrust-account-add | beyondtrust-bi-cef-user-create-success-add |
+| beyondtrust-app-activity | beyondtrust-sra-kv-app-activity-success-connectionterminated |
+| beyondtrust-app-activity-1 | beyondtrust-b-kv-endpoint-login-success-loggedin |
+| beyondtrust-app-activity-2 | beyondtrust-sra-cef-app-activity-success-read |
+| beyondtrust-app-activity-3 | beyondtrust-sra-cef-app-activity-success-add |
+| beyondtrust-app-activity-4 | beyondtrust-sra-cef-app-activity-success-edit |
+| beyondtrust-app-activity-5 | beyondtrust-sra-cef-app-activity-success-schedule |
+| beyondtrust-app-activity-6 | beyondtrust-bi-cef-app-activity-success-approve |
+| beyondtrust-app-activity-7 | beyondtrust-bi-cef-app-activity-success-appauditadd |
+| beyondtrust-app-activity-8 | beyondtrust-bi-cef-app-activity-success-appauditdelete |
+| beyondtrust-app-login | beyondtrust-sra-kv-app-login-success-event |
+| beyondtrust-auth-attempt | beyondtrust-sra-kv-endpoint-login-success-challenge |
+| beyondtrust-failed-app-login | beyondtrust-sra-kv-app-login-fail-status |
+| beyondtrust-passwordsafe | beyondtrust-passwordsafe-kv-user-passwordretrieve |
+| beyondtrust-passwordsafe-app-activity | beyondtrust-passwordsafe-json-app-activity-success-read |
+| beyondtrust-passwordsafe-app-activity-1 | beyondtrust-passwordsafe-json-user-password-reset-success-passwordreset |
+| beyondtrust-passwordsafe-app-login | beyondtrust-passwordsafe-json-app-login-success-beyondinsight |
+| beyondtrust-passwordsafe-app-login-1 | beyondtrust-passwordsafe-json-app-login-success-applogin |
+| beyondtrust-passwordsafe-failed-app-login | beyondtrust-passwordsafe-json-app-login-fail-loginfailure |
+| beyondtrust-passwordsafe-logout | beyondtrust-passwordsafe-json-app-logout-success-logout |
+| beyondtrust-pi-account-password-change | beyondtrust-prividentity-json-user-password-modify-success-2023 |
+| beyondtrust-pi-account-password-change-1 | beyondtrust-prividentity-kv-user-password-modify-success-sharedcredentiallisteditedaccount |
+| beyondtrust-pi-account-switch | beyondtrust-prividentity-kv-user-switch-success-passwordcheckedout |
+| beyondtrust-pi-app-activity | "beyondtrust-prividentity-xml-app-activity-success-identity |
+| beyondtrust-pi-app-activity-10 | beyondtrust-prividentity-kv-app-activity-success-sharedcredentiallistaddedaccount |
+| beyondtrust-pi-app-activity-4 | beyondtrust-prividentity-kv-app-activity-success-webapppasswordcheckin |
+| beyondtrust-pi-app-activity-5 | beyondtrust-prividentity-kv-app-activity-success-passwordcheckedin |
+| beyondtrust-pi-app-activity-6 | beyondtrust-prividentity-kv-app-activity-success-passwordchangeonsystem |
+| beyondtrust-pi-app-activity-8 | beyondtrust-prividentity-kv-app-activity-success-passwordcheckoutexpired |
+| beyondtrust-pi-app-activity-9 | beyondtrust-prividentity-kv-app-activity-success-sharedcredentiallistremovedaccount |
+| beyondtrust-pi-app-login | beyondtrust-prividentity-cef-app-login-privilegedidentity |
+| beyondtrust-pi-app-logout | beyondtrust-prividentity-cef-app-logout-success-webapplogout |
+| beyondtrust-pi-app-system-info | beyondtrust-prividentity-cef-app-activity-eventid |
+| beyondtrust-pi-logout | beyondtrust-prividentity-kv-app-logout-3020 |
+| beyondtrust-pi-password-access | beyondtrust-prividentity-cef-app-activity-success-idpassword |
+| beyondtrust-pi-privilege-access | beyondtrust-prividentity-kv-user-privilege-use-success-2038 |
+| beyondtrust-pi-privileged-access | beyondtrust-prividentity-kv-user-privilege-modify-success-jobaccountelevated |
+| beyondtrust-pi-privileged-access-1 | beyondtrust-prividentity-kv-user-privilege-modify-success-jobaccountelevationdeelevated |
+| beyondtrust-privileged-access | beyondtrust-powerbroker-kv-user-privilege-use-success-elevation |
+| beyondtrust-privileged-access-1 | beyondtrust-b-kv-user-privilege-assign-success-secureremoteaccess |
+| beyondtrust-privileged-access-2 | beyondtrust-b-json-user-privilege-assign-success-28691 |
+| beyondtrust-privileged-access-3 | beyondtrust-b-json-user-privilege-assign-success-28693 |
+| beyondtrust-process-created | beyondtrust-powerbroker-json-process-create-success-28692 |
+| bind-dns-query | unix-unixnamed-str-dns-request-success-client |
+| bind-dns-query-1 | unix-unixnamed-json-dns-request-denied |
+| bind-dns-query-2 | unix-unixnamed-str-dns-request-success-client-1 |
+| bind-dns-query-3 | unix-binddns-str-dns-request-success-query |
+| bind-dns-query-4 | unix-unixnamed-str-dns-request-success-rpz |
+| bind-dns-response-1 | unix-unixnamed-json-dns-response-success |
+| bind-system-info-1 | unix-unixnamed-json-app-notification-novalidrrsig |
+| bind-system-info-2 | unix-unixnamed-json-app-notification-insecurity |
+| bind-system-info-3 | unix-unixnamed-json-app-notification-unreachable |
+| bind-system-info-4 | unix-unixnamed-json-app-notification-dsresolving |
+| bitglass-app-login | bitglass-casb-mix-app-login-success-allowlogin |
+| bitglass-app-login-failed | bitglass-casb-mix-app-login-fail-loginfailure |
+| bitglass-dlp-email-alert-out | bitglass-casb-json-email-send-success-emailsend |
+| bitglass-failed-login | bitglass-casb-kv-app-login-fail-login |
+| bitglass-file-download | bitglass-casb-kv-file-download-success-cloudstorage |
+| bitglass-file-download-1 | bitglass-casb-kv-file-download-success-downloaded |
+| bitglass-file-read | bitglass-casb-json-file-read-success-download |
+| bitglass-file-write | bitglass-casb-json-file-write-success-uploaded |
+| bluecat-networks-dhcp | bluecatnetworks-bnetworks-kv-dhcp-session-success-dhcpd |
+| bluecoat-proxy-1 | symantec-bcpa-mix-http-session-observed |
+| bluecoat-proxy-10 | symantec-bcpa-cef-http-session-security |
+| bluecoat-proxy-11 | symantec-bcpa-str-network-traffic-fail-tcp |
+| bluecoat-proxy-12 | symantec-bcpa-str-http-session-observedtcp |
+| bluecoat-proxy-13 | symantec-bcpa-mix-http-session-get |
+| bluecoat-proxy-14 | symantec-bcpa-str-network-traffic-fail-ssl |
+| bluecoat-proxy-15 | symantec-bcpa-str-http-session-failed |
+| bluecoat-proxy-2 | symantec-bcpa-str-http-session-httpproxied |
+| bluecoat-proxy-3 | symantec-bcpa-mix-http-session-deniedtcp |
+| bluecoat-proxy-4 | symantec-bcpa-str-http-session-observedssl |
+| bluecoat-proxy-5 | symantec-bcpa-csv-space-delimited-http-session-proxied |
+| bluecoat-proxy-6 | symantec-bcpa-csv-http-session-tunneled |
+| bluecoat-proxy-7 | symantec-bcpa-mix-http-session-connect |
+| bluecoat-proxy-8 | symantec-bcpa-mix-http-session-proxied |
+| bluecoat-proxy-9 | symantec-bcpa-mix-http-session-ssldenied |
+| bluecoat-proxy-v2 | symantec-wss-kv-http-session-filter |
+| bluecoat-proxy-v3 | symantec-wss-kv-http-session-cshost |
+| bluecoat-proxy-v4 | symantec-wss-str-http-session-logstashproxysgserver |
+| bluecoat-proxy-v5 | symantec-wss-str-http-session-proxysgclient |
+| bluecoat-proxy-v6 | symantec-bcpa-kv-http-session-connect |
+| bluecoat-proxy-v7 | symantec-bcpa-kv-http-session-get |
+| bluecoat-web-activity | symantec-wss-json-http-session-queryresponse |
+| box-activity | box-ccm-kv-file-operation |
+| box-activity-1 | box-ccm-csv-file-read-success-preview |
+| box-activity-2 | box-ccm-csv-file-download-success-download |
+| box-skyformation-file-activity | box-ccm-cef-file-success-box |
+| brivo-badge-access | brivo-b-json-physical-location-access-sitename |
+| bro-captureloss | zeek-z-str-app-notification-captureloss |
+| bro-conn | zeek-z-str-network-traffic-connlog |
+| bro-dce_rpc | zeek-z-str-endpoint-login-success-dcerpclog |
+| bro-dhcp | zeek-z-str-dhcp-traffic-success-dhcp |
+| bro-dhcp-1 | zeek-z-json-endpoint-login-success-ipassign |
+| bro-dhcp-activity-2 | zeek-z-json-endpoint-login-success-protocol |
+| bro-dns | zeek-z-str-dns-response-success-dnslog |
+| bro-dns-query | zeek-z-json-dns-request-success-dnsred |
+| bro-dns-response | zeek-z-json-dns-response-success-rcode |
+| bro-dns-response-1 | zeek-z-json-dns-response-success-dnsred |
+| bro-dns-response-2 | zeek-z-kv-dns-response-success-dnsresponse |
+| bro-dpd | zeek-z-str-app-notifiction-dpd |
+| bro-files | zeek-z-str-file-read-success-fileslog |
+| bro-files-analysis | zeek-z-json-file-read-success-fuid |
+| bro-ftp | zeek-z-str-ftp-traffic-ftp |
+| bro-ftp-1 | zeek-z-json-app-activity-success-resph |
+| bro-ftp-activity-2 | zeek-z-json-app-activity-success-protocol |
+| bro-ftp-app-activity | zeek-z-str-app-activity-success-ftpappactivity |
+| bro-http-web-activity-2 | zeek-z-json-http-session-fileset |
+| bro-httpeth0 | zeek-z-str-http-session-httpeth0log |
+| bro-kerberos | zeek-z-str-endpoint-login-kerberoslog |
+| bro-kerberos-1 | zeek-z-json-endpoint-login-id |
+| bro-knownhosts | zeek-z-str-app-activity-success-hosts |
+| bro-knownservices | zeek-z-str-network-notification-services |
+| bro-mysql | zeek-z-kv-database-query-success-tquery |
+| bro-mysql-1 | zeek-z-str-database-login-success-tlogin |
+| bro-mysql-2 | zeek-z-json-database-activity-mysql |
+| bro-network | zeek-z-str-network-traffic-empty |
+| bro-network-alert | zeek-z-json-alert-trigger-success-weirdred |
+| bro-network-connection | zeek-z-json-network-traffic-success-connstate |
+| bro-network-connection-1 | zeek-z-json-network-traffic-success-ageofconn |
+| bro-notice | zeek-z-str-alert-trigger-notice |
+| bro-ntlm | zeek-z-str-endpoint-login-ntlmlog |
+| bro-ntlm-1 | zeek-z-json-endpoint-login-id-1 |
+| bro-radius | zeek-z-json-radius-traffic-id |
+| bro-radius-1 | zeek-z-json-endpoint-login-framefail |
+| bro-rdp-remote-logon-1 | zeek-z-str-endpoint-login-success-3389 |
+| bro-rdp-remote-logon-2 | zeek-z-str-endpoint-login-3389 |
+| bro-rdp-remote-logon-3 | zeek-z-json-rdp-traffic-success-id |
+| bro-remote-logon-2 | zeek-z-json-endpoint-login-rdp |
+| bro-share-access | zeek-z-json-share-access-success-action |
+| bro-share-access-2 | zeek-z-str-share-access-success-445 |
+| bro-smb-files | zeek-z-json-file-success-sbmfiles |
+| bro-smb_mapping | zeek-z-str-share-access-success-445-1 |
+| bro-smb_mapping-1 | zeek-z-json-share-access-success-smbmapping |
+| bro-smb_mapping-2 | zeek-z-json-share-access-success-sharetype |
+| bro-smtp | zeek-z-str-email-success-smtplog |
+| bro-smtp-1 | zeek-z-json-email-send-receive-rcptto |
+| bro-smtp-activity-2 | zeek-z-json-email-send-success-smtp |
+| bro-software | zeek-z-kv-network-notification-software |
+| bro-ssh | zeek-z-str-ssh-traffic-success-sshlog |
+| bro-ssh-1 | zeek-z-json-ssh-endpoint-ssh |
+| bro-ssh-2 | zeek-z-json-endpoint-login-fail-ssh |
+| bro-ssl | zeek-z-str-network-traffic-ssl |
+| bro-ssl-1 | zeek-z-json-endpoint-authentication-ssl |
+| bro-ssl-activity-2 | zeek-z-json-endpoint-authentication-established |
+| bro-stats | zeek-zeek-str-network-session-statslog |
+| bro-syslog | zeek-zeek-str-network-traffic-syslog |
+| bro-tunnel | zeek-zeek-str-network-traffic-tunnellog |
+| bro-tunnel-1 | zeek-z-json-network-traffic-tunnel |
+| bro-web-activity | zeek-z-json-http-session-hoststatus |
+| bro-weird | zeek-z-str-network-traffic-weird |
+| bro-x509 | zeek-z-str-network-notification-x509 |
\ No newline at end of file
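Review bot: the `beyondtrust-pi-app-activity` row has a stray leading double quote in its New Parser Name cell (`"beyondtrust-prividentity-xml-app-activity-success-identity`), which will render as part of the name; drop the quote. Several new names in this table look mis-spelled and should be checked against the actual parser IDs before this mapping is relied on: `zeek-z-str-app-notifiction-dpd`, `barracuda-waf-str-http-request-success-unproctectedvalid` and `zeek-z-json-file-success-sbmfiles`. Two naming inconsistencies are also worth a look: the `bro-stats`, `bro-syslog` and `bro-tunnel` rows use a `zeek-zeek-` prefix while every other Zeek row uses `zeek-z-`, and the two `bastion-*` rows map to an `amazon-awabastion-` vendor prefix that appears nowhere else in the table. As with the previous file, this one lacks a trailing newline (`\ No newline at end of file`).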
diff --git a/ParsersLegacy/c_parsers.md b/ParsersLegacy/c_parsers.md
new file mode 100644
index 0000000..6801349
--- /dev/null
+++ b/ParsersLegacy/c_parsers.md
@@ -0,0 +1,2435 @@
+| Old Parser Name | New Parser Name |
+| -------------------------------------------------------- | ------------------------------------------------------------------------------------ |
+| carbonblack-app-activity | vmware-carbonblack-sk4-app-activity-cbdefense |
+| carbonblack-edr-auth-successful | vmware-carbonblackedr-sk4-app-authentication-success-loginname |
+| carbonblack-edr-crossproc | vmware-carbonblackceedr-sk4-process-create-success-crossproc |
+| carbonblack-edr-filemod | vmware-carbonblackedr-cef-file-write-success-edr |
+| carbonblack-edr-moduleload | vmware-carbonblackedr-sk4-dll-load-actionloadmodule |
+| carbonblack-edr-netconn | vmware-carbonblackceedr-sk4-network-traffic-success-actionconncreate |
+| carbonblack-edr-procstart | vmware-carbonblackceedr-sk4-process-create-success-procstart |
+| carbonblack-edr-procstart-1 | vmware-carbonblackceedr-json-process-create-success-procstart |
+| carbonblack-edr-regmod | vmware-carbonblackedr-sk4-registry-registryoperation |
+| carbonblack-endpoint-process-file | vmware-carbonblackedr-mix-file-filemod |
+| carbonblack-endpoint-process-network | vmware-carbonblackedr-json-network-session-success-netconn-2 |
+| carbonblack-endpoint-process-start | vmware-carbonblackappctrl-json-process-create-success-procstart |
+| carbonblack-file-activity | vmware-carbonblackappctrl-kv-file-success-filedownload |
+| carbonblack-file-operations | vmware-carbonblackappctrl-kv-file-success-filethreat |
+| carbonblack-file-operations-1 | vmware-carbonblackappctrl-kv-file-success-subtype |
+| carbonblack-process-alert | vmware-carbonblackappctrl-kv-alert-trigger-success-execution |
+| carbonblack-process-alert-1 | vmware-carbonblackappctrl-kv-alert-trigger-success-execution-1 |
+| carbonblack-process-created | vmware-carbonblackappctrl-kv-process-create-success-allowed |
+| carbonblack-process-created-1 | vmware-carbonblackappctrl-kv-process-create-success-execution |
+| carbonblack-security-alert-2 | vmware-carbonblack-json-alert-trigger-success-threat |
+| carbonblack-system-info | vmware-carbonblackedr-kv-endpoint-activity-cbprotection |
+| carbonblack-system-info-1 | vmware-carbonblack-json-app-notification-cbdefense |
+| carbonblack-system-info-2 | vmware-carbonblack-sk4-app-activity-auditlogs |
+| carbonblack-system-info-3 | vmware-carbonblackedr-sk4-app-notification-success-carbonblackcloud |
+| carbonblack-usb-insert | vmware-carbonblackappctrl-kv-peripheral-storage-insert-success-cbprotection |
+| carbonblack-usb-insert-1 | vmware-carbonblackappctrl-kv-peripheral-storage-insert-success-deviceattached |
+| carbonblack-usb-removed-1 | vmware-carbonblackappctrl-kv-peripheral-storage-insert-success-devicedetached |
+| cas-app-activity | microsoft-mcas-str-app-activity-success-serviceaccessenforcementtriggered |
+| cas-login-failed | microsoft-mcas-kv-app-login-fail-failedauth |
+| cas-login-success | microsoft-mcas-kv-app-login-success-successauth |
+| cassandra-db-activity-failed | apache-cassandradb-str-database-activity-fail-auth |
+| cassandra-db-login | apache-cassandradb-kv-database-login-success-auth |
+| cassandra-db-update | apache-cassandradb-str-database-modify-success-ddl |
+| cb-defense-app-login | vmware-carbonblack-sk4-app-login-success-loggedinsuccessfully |
+| cb-defense-auth-successfull | vmware-carbonblack-sk4-endpoint-login-success-cbdefense |
+| cb-defense-failed-app-login | vmware-carbonblack-sk4-app-login-fail-loginfailed |
+| cc-carbonblack-edr-apicall | vmware-carbonblackedr-sk4-endpoint-activity-apicall |
+| cc-carbonblack-edr-crossproc | vmware-carbonblackedr-cef-process-create-success-crossproc |
+| cc-carbonblack-edr-filemod | vmware-edr-cef-file-write-success-filemod |
+| cc-carbonblack-edr-moduleload | vmware-carbonblackedr-sk4-dll-load-moduleload |
+| cc-carbonblack-edr-netconn | vmware-carbonblackedr-cef-network-session-success-netconn |
+| cc-carbonblack-edr-procend | vmware-carbonblackedr-sk4-process-close-success-endpointeventprocend |
+| cc-carbonblack-edr-procstart | vmware-carbonblackedr-cef-process-create-success-childproc |
+| cc-carbonblack-edr-regmod | vmware-carbonblackedr-sk4-registry-modify-success-requestclientapplication |
+| cc-carbonblack-process-alert-1 | vmware-carbonblackceedr-sk4-alert-trigger-success-watchlists |
+| cc-pulsesecure-access-control | juniper-ps-sk4-vpn-login-success-agentlogin |
+| cc-pulsesecure-account-deleted | juniper-ps-sk4-user-delete-success-accountmodified |
+| cc-pulsesecure-authentication-failed | juniper-ps-sk4-vpn-login-fail-authenticationfailed |
+| cc-pulsesecure-authentication-failed-1 | juniper-ps-sk4-vpn-login-fail-checkfailed |
+| cc-pulsesecure-authentication-successful | juniper-ps-sk4-vpn-authentication-success-authsuccess |
+| cc-pulsesecure-authentication-successful-1 | juniper-ps-sk4-vpn-authentication-success-authsuccess-1 |
+| cc-pulsesecure-certificate-failed | juniper-ps-sk4-vpn-login-fail-testingcertificate |
+| cc-pulsesecure-certificate-passed | juniper-ps-sk4-vpn-authentication-success-restrictionspassed |
+| cc-pulsesecure-failed-vpn-login | juniper-ps-sk4-vpn-login-fail-authloginfailed |
+| cc-pulsesecure-failed-vpn-login-1 | juniper-ps-sk4-vpn-login-fail-loginfailed |
+| cc-pulsesecure-key-exchange | juniper-ps-sk4-vpn-session-success-keyexchange |
+| cc-pulsesecure-password-restriction-failed | juniper-ps-sk4-vpn-login-fail-testingpasswordfailed |
+| cc-pulsesecure-password-restriction-passed | juniper-ps-sk4-vpn-login-success-passwordrestrictionspassed |
+| cc-pulsesecure-ssl-negotiation-failed | juniper-ps-sk4-network-traffic-fail-sslfailed |
+| cc-pulsesecure-time-sync-failed | juniper-ps-sk4-app-activity-fail-unabletosynctime |
+| cc-pulsesecure-vpn-close | juniper-ps-sk4-vpn-logout-success-closedconnection |
+| cc-pulsesecure-vpn-end | juniper-ps-sk4-vpn-logout-success-sessionended |
+| cc-pulsesecure-vpn-end-1 | juniper-ps-sk4-vpn-logout-success-sessionlogout |
+| cc-pulsesecure-vpn-resume | juniper-ps-sk4-vpn-login-success-sessionresumed |
+| cc-pulsesecure-vpn-start | juniper-ps-sk4-vpn-login-success-sessionstarted |
+| cc-pulsesecure-vpn-start-1 | juniper-ps-sk4-vpn-login-success-connectedwithip |
+| cc-pulsesecure-vpn-timeout | juniper-ps-sk4-vpn-logout-success-sessiontimedout |
+| cc-sentinelone-security-alert | sentinelone-singularityp-sk4-alert-trigger-malwaredetected |
+| cc-sophos-dlp-alert | sophos-ep-sk4-alert-trigger-success-peripheralblock |
+| cc-sophos-security-alert | sophos-ep-sk4-alert-trigger-success-privilegeexploitprevented |
+| ccure-app-activity | tyco-ccure-str-app-activity-success-activityconditions |
+| ccure-app-activity-1 | tyco-ccure-json-physical-location-modify-success-objectchangedstate |
+| ccure-app-login | tyco-ccure-cef-app-login-success-operatorlogin |
+| ccure-app-login-1 | tyco-ccure-json-app-login-success-loggedin |
+| ccure-app-logout | tyco-ccure-json-app-logout-success-operatorlogin |
+| ccure-badge-access | tyco-ccure-json-physical-location-access-fail-flexnumber |
+| ccure-badge-access-1 | "tyco-ccure-xml-physical-location-access-fail-card |
+| ccure-badge-access-2 | "tyco-ccure-xml-physical-location-access-objectname1 |
+| ccure-badge-access-3 | tyco-ccure-csv-physical-location-access-fail-cs6 |
+| ccure-badge-access-4 | tyco-ccure-kv-physical-location-access-vendoraction |
+| cds-account-auth | cds-cds-kv-endpoint-login-userauth |
+| cds-process-creation | unix-unix-kv-process-create-success-exe |
+| cds-user-login | cds-cds-kv-endpoint-login-userlogin |
+| cef-1102 | microsoft-evsecurity-cef-log-clear-success-auditlogcleared |
+| cef-4624 | microsoft-evsecurity-cef-endpoint-login-success-4624 |
+| cef-4625 | microsoft-evsecurity-cef-endpoint-login-fail-4625 |
+| cef-4627 | microsoft-evsecurity-cef-endpoint-notification-success-4627 |
+| cef-4634 | microsoft-evsecurity-cef-endpoint-logout-success-4634 |
+| cef-4648 | microsoft-evsecurity-cef-user-switch-success-4648 |
+| cef-4656 | microsoft-evsecurity-cef-handle-request-success-4656-1 |
+| cef-4658 | microsoft-evsecurity-cef-endpoint-authentication-success-4658 |
+| cef-4663 | microsoft-evsecurity-cef-file-success-4663 |
+| cef-4670 | microsoft-evsecurity-cef-file-permission-modify-success-4670 |
+| cef-4672 | microsoft-evsecurity-cef-user-privilege-assign-success-4672 |
+| cef-4673 | microsoft-evsecurity-cef-user-privilege-assign-success-4673 |
+| cef-4674 | microsoft-evsecurity-cef-user-privilege-use-success-4674 |
+| cef-4688 | microsoft-evsecurity-cef-process-create-success-4688 |
+| cef-4689 | microsoft-evsecurity-cef-process-close-success-4689 |
+| cef-4690 | microsoft-evsecurity-cef-handle-copy-success-4690 |
+| cef-4720 | microsoft-evsecurity-cef-user-create-success-4720 |
+| cef-4722 | microsoft-evsecurity-cef-user-enable-success-4722 |
+| cef-4723 | microsoft-evsecurity-cef-user-password-modify-4723 |
+| cef-4724 | microsoft-evsecurity-cef-user-password-reset-success-4724 |
+| cef-4725 | microsoft-evsecurity-cef-user-disable-success-4725 |
+| cef-4735 | microsoft-evsecurity-cef-group-modify-success-4735-2 |
+| cef-4740 | microsoft-evsecurity-cef-user-lock-success-4740 |
+| cef-4768 | microsoft-evsecurity-cef-endpoint-authentication-success-4768 |
+| cef-4769 | microsoft-evsecurity-cef-endpoint-authentication-success-4769 |
+| cef-4770 | microsoft-evsecurity-cef-endpoint-login-success-4770 |
+| cef-4771 | microsoft-evsecurity-cef-endpoint-login-fail-4771 |
+| cef-4776 | microsoft-evsecurity-cef-endpoint-login-4776 |
+| cef-4799 | microsoft-evsecurity-cef-group-member-list-success-4799 |
+| cef-4800 | microsoft-evsecurity-cef-endpoint-lock-success-4800 |
+| cef-4801 | microsoft-evsecurity-cef-endpoint-unlock-success-4801 |
+| cef-4985 | microsoft-evsecurity-cef-endpoint-notification-4985 |
+| cef-5136 | microsoft-evsecurity-cef-ds-object-modify-success-5136 |
+| cef-5140 | microsoft-evsecurity-cef-share-access-success-5140 |
+| cef-5142 | microsoft-evsecurity-cef-share-access-success-5142 |
+| cef-5142-1 | "microsoft-evsecurity-xml-share-create-success-5142 |
+| cef-5143 | microsoft-evsecurity-cef-share-access-success-5143 |
+| cef-5144 | microsoft-evsecurity-cef-share-access-success-5144 |
+| cef-5145 | microsoft-evsecurity-cef-share-access-5145 |
+| cef-5152 | microsoft-evsecurity-cef-network-traffic-success-5152 |
+| cef-528 | microsoft-evsecurity-cef-endpoint-login-success-528 |
+| cef-540 | microsoft-evsecurity-cef-endpoint-login-success-540 |
+| cef-5447 | microsoft-evsecurity-cef-policy-modify-success-5447 |
+| cef-576 | microsoft-evsecurity-cef-user-privilege-assign-success-576 |
+| cef-624 | microsoft-evsecurity-cef-user-create-success-624 |
+| cef-672 | microsoft-evsecurity-cef-endpoint-672 |
+| cef-673 | microsoft-evadfs-cef-endpoint-login-673 |
+| cef-Juniper-network-connection-close | juniper-srx-cef-network-traffic-success-sessionclosed |
+| cef-O365-dlp-email-1 | microsoft-m365auditlogs-kv-email-send-emailsend |
+| cef-O365-dlp-email-in | microsoft-o365-sk4-email-receive-success-inbound |
+| cef-O365-dlp-email-out | microsoft-o365-sk4-email-send-fail-outbound |
+| cef-O365-dlp-email-out-1 | microsoft-o365-cef-email-receive-success-fromname |
+| cef-absolute-security-alert | absolute-siemconnector-cef-alert-trigger-success-absolute |
+| cef-ad-fs-audit-1102 | microsoft-adfs-cef-http-request-success-1102 |
+| cef-ad-fs-audit-299 | microsoft-evsecurity-cef-endpoint-login-299 |
+| cef-ad-fs-audit-324 | microsoft-adfs-cef-app-authentication-fail-324 |
+| cef-ad-fs-audit-403 | microsoft-adfs-cef-http-request-success-403 |
+| cef-ad-fs-audit-404 | microsoft-adfs-cef-http-response-success-404 |
+| cef-ad-fs-audit-410 | microsoft-adfs-cef-app-notification-success-410 |
+| cef-ad-fs-audit-411 | microsoft-evsecurity-cef-app-authentication-fail-adfsauditing |
+| cef-ad-fs-audit-412 | microsoft-adfs-cef-app-authentication-success-412 |
+| cef-ad-fs-audit-413 | microsoft-evsecurity-cef-app-authentication-fail-adfsauditing-1 |
+| cef-ad-fs-audit-431 | microsoft-adfs-cef-app-notification-success-431 |
+| cef-ad-fs-audit-500 | microsoft-evsecurity-cef-endpoint-login-500 |
+| cef-ad-fs-audit-501 | microsoft-evsecurity-cef-endpoint-login-501 |
+| cef-ad-fs-audit-516 | microsoft-evsecurity-cef-user-lock-success-516 |
+| cef-aix-process-created | unix-ad-cef-process-create-success-cmd |
+| cef-algosec-network-alert | algosec-fa-cef-alert-trigger-success-unauthorizedtraffic |
+| cef-algosec-system-info | algosec-fa-cef-app-notification-msg |
+| cef-amag-badge-access-1 | amag-sac-cef-physical-location-access-success-grantedaccess |
+| cef-amag-badge-access-2 | amag-sac-cef-physical-location-access-success-badge-flooraccess |
+| cef-amag-badge-access-failed-1 | amag-sac-cef-physical-location-access-fail-atwrongdoor |
+| cef-amag-badge-access-failed-2 | amag-sac-cef-physical-location-access-fail-inactive |
+| cef-amag-badge-access-failed-3 | amag-sac-cef-physical-location-access-fail-wronghandtemplate |
+| cef-arcsight-system-info | microfocusarcsight-ma-cef-app-notification-success-arcsight |
+| cef-aruba-mobile | hp-arubawc-cef-alert-trigger-success-wirelesssecurity |
+| cef-aruba-nac-failed-logon | hp-arubawc-cef-radius-traffic-fail-authfailed |
+| cef-aruba-nac-logon | hp-arubawc-cef-endpoint-login-success-radiusaccounting |
+| cef-aruba-nac-logon-1 | hp-arubacpm-cef-endpoint-login-success-13003 |
+| cef-aruba-nac-logon-2 | hp-arubawc-kv-endpoint-login-success-guestaccess |
+| cef-aruba-nac-logon-3 | hp-arubawc-kv-endpoint-login-success-loggedin |
+| cef-aruba-nac-logon-4 | hp-arubacpm-cef-radius-traffic-success-authsource |
+| cef-aruba-network-info | hp-arubamm-cef-app-notification-appnotification |
+| cef-asa-113004-vpn-start | cisco-asa-cef-radius-traffic-success-113004 |
+| cef-asa-svc-vpn-start | cisco-asa-cef-vpn-login-success-722051 |
+| cef-asupim-print-event | asupim-a-cef-printer-activity-success-printcontrolevent |
+| cef-ata-account-alert | microsoft-ata-cef-alert-trigger-success-accountactivity |
+| cef-ata-behavior-alert | microsoft-ata-kv-alert-trigger-success-abnormalbehaviorsuspiciousactivity |
+| cef-ata-bruteforce-alert | microsoft-ata-cef-alert-trigger-success-bruteforceactivity |
+| cef-ata-database-alert | microsoft-ata-cef-alert-trigger-success-monitoringalert |
+| cef-ata-directory-alert | microsoft-ata-cef-alert-trigger-success-replicationactivity |
+| cef-ata-disconnect-alert | microsoft-ata-cef-app-notification-gatewaydisconnectedmonitoringalert |
+| cef-ata-dns-alert | microsoft-ata-kv-alert-trigger-success-dnsreconnaissancesuspiciousactivity |
+| cef-ata-encryption-alert | microsoft-ata-cef-alert-trigger-success-encryptiondowngradesuspiciousactivity |
+| cef-ata-execution-alert | microsoft-ata-cef-alert-trigger-success-executionactivity |
+| cef-ata-failure-alert | microsoft-ata-cef-app-notification-gatewaystartfailuremonitoringalert |
+| cef-ata-forgedpac-alert | microsoft-ata-cef-alert-trigger-success-forgedpac |
+| cef-ata-goldenticket-alert | microsoft-ata-cef-alert-trigger-success-goldenticket |
+| cef-ata-groupmembership-alert | microsoft-ata-kv-alert-trigger-success-changesuspiciousactivity |
+| cef-ata-hash-alert | microsoft-ata-cef-alert-trigger-success-passthehash |
+| cef-ata-honeytoken-alert | microsoft-ata-kv-alert-trigger-success-honeytokenactivitysuspiciousactivity |
+| cef-ata-ldap-bruteforce-alert | microsoft-ata-cef-alert-trigger-success-ldapbruteforcesuspiciousactivity |
+| cef-ata-lowmemory-alert | microsoft-ata-cef-endpoint-notification-gatewaylowmemorymonitoringalert |
+| cef-ata-object-alert | microsoft-ata-cef-alert-trigger-success-massiveobjectdeletion |
+| cef-ata-overloadednetwork-alert | microsoft-ata-cef-alert-trigger-monitoringalert |
+| cef-ata-protocol-alert | microsoft-ata-cef-alert-trigger-success-abnormprotoactivity |
+| cef-ata-retrievedata-alert | microsoft-ata-cef-alert-trigger-success-retrievedata |
+| cef-ata-samr-alert | microsoft-ata-kv-alert-trigger-success-samrreconnaissancesuspiciousactivity |
+| cef-ata-session-alert | microsoft-ata-cef-alert-trigger-success-sessionactivity |
+| cef-ata-ticket-alert | microsoft-ata-cef-alert-trigger-success-ticketactivity |
+| cef-atp-alert-1 | microsoft-azureatp-kv-alert-trigger-success-dnsreconnaissancesecurityalert |
+| cef-atp-alert-11 | microsoft-atp-cef-alert-trigger-success-dnsremotecodeexecution |
+| cef-atp-alert-12 | microsoft-atp-cef-alert-trigger-success-dnssuspiciouscommunication |
+| cef-atp-alert-13 | microsoft-atp-cef-alert-trigger-success-encryptiondowngrade |
+| cef-atp-alert-14 | microsoft-atp-cef-alert-trigger-success-forgedpac |
+| cef-atp-alert-15 | microsoft-atp-cef-alert-trigger-success-forgedprincipal |
+| cef-atp-alert-16 | microsoft-atp-cef-alert-trigger-success-goldenticketencryptiondowngrade |
+| cef-atp-alert-17 | microsoft-atp-cef-alert-trigger-success-goldenticket |
+| cef-atp-alert-18 | microsoft-atp-cef-alert-trigger-success-goldenticketsizeanomaly |
+| cef-atp-alert-19 | microsoft-azureatp-cef-alert-trigger-success-honeytokenactivity |
+| cef-atp-alert-2 | microsoft-atp-cef-alert-trigger-success-abnormalprotocol |
+| cef-atp-alert-20 | microsoft-atp-cef-alert-trigger-success-ldapbruteforce |
+| cef-atp-alert-21 | microsoft-atp-cef-alert-trigger-success-maliciousservicecreation |
+| cef-atp-alert-22 | microsoft-atp-cef-alert-trigger-success-passthehash |
+| cef-atp-alert-23 | microsoft-atp-cef-alert-trigger-success-passtheticket |
+| cef-atp-alert-24 | microsoft-atp-cef-alert-trigger-success-remoteexecution |
+| cef-atp-alert-25 | microsoft-atp-cef-alert-trigger-success-retrievedataprotectionbackupkey |
+| cef-atp-alert-26 | microsoft-azureatp-cef-alert-trigger-success-securityalert |
+| cef-atp-alert-27 | microsoft-atp-cef-alert-trigger-success-smbdataexfiltration |
+| cef-atp-alert-28 | microsoft-atp-cef-alert-trigger-success-sensordirectory |
+| cef-atp-alert-29 | microsoft-atp-cef-alert-trigger-success-sensorcapture |
+| cef-atp-alert-3 | microsoft-atp-cef-alert-trigger-success-sensitivegroupmembershipchange |
+| cef-atp-alert-30 | microsoft-atp-cef-alert-trigger-success-workspacedirectory |
+| cef-atp-alert-31 | microsoft-atp-cef-alert-trigger-success-sensornetwork |
+| cef-atp-alert-32 | microsoft-atp-cef-alert-trigger-success-sensorlowmemory |
+| cef-atp-alert-33 | microsoft-atp-cef-alert-trigger-success-ldapsearch |
+| cef-atp-alert-34 | microsoft-atp-cef-alert-trigger-success-dnshostname |
+| cef-atp-alert-4 | microsoft-atp-cef-alert-trigger-success-abnormalvpn |
+| cef-atp-alert-5 | microsoft-azureatp-cef-alert-trigger-success-enumerationsecurityalert |
+| cef-atp-alert-6 | microsoft-azureatp-kv-alert-trigger-success-bruteforcesecurityalert |
+| cef-atp-alert-7 | microsoft-atp-cef-alert-trigger-success-directoryservicesreplicatio |
+| cef-atp-alert-8 | microsoft-atp-cef-alert-trigger-success-directoryservicesroguepromotion |
+| cef-atp-alert-9 | microsoft-atp-cef-alert-trigger-success-directoryservicesroguereplication |
+| cef-attivo-network-connection | attivo-botsink-cef-network-traffic-success-networktrafficsuccess |
+| cef-attivo-security-alert | attivo-botsink-cef-alert-trigger-success-sshd |
+| cef-aws-cloudwatch-netflow-connection | amazon-awscloudwatch-cef-network-traffic-success-cloudwatch |
+| cef-aws-guardduty | amazon-awsguardduty-cef-alert-trigger-success-catsecurity |
+| cef-aws-guardduty-discovery-alert | amazon-awsguardduty-sk4-alert-trigger-success-guardduty |
+| cef-aws-guardduty-security-alert-1 | amazon-awsguardduty-sk4-alert-trigger-success-guardduty-1 |
+| cef-aws-guardduty-security-alert-10 | amazon-awsguardduty-sk4-alert-trigger-success-suspiciousfile-1 |
+| cef-aws-guardduty-security-alert-11 | amazon-awsguardduty-sk4-alert-trigger-success-maliciousfile-1 |
+| cef-aws-guardduty-security-alert-12 | amazon-awsguardduty-sk4-alert-trigger-success-suspiciousfile-2 |
+| cef-aws-guardduty-security-alert-13 | amazon-awsguardduty-sk4-alert-trigger-success-maliciousfile-2 |
+| cef-aws-guardduty-security-alert-14 | amazon-awsguardduty-sk4-alert-trigger-success-suspiciousfile-3 |
+| cef-aws-guardduty-security-alert-15 | amazon-awsguardduty-sk4-alert-trigger-success-maliciousfile-3 |
+| cef-aws-guardduty-security-alert-16 | amazon-awsguardduty-sk4-alert-trigger-success-instancecredentialexfiltration |
+| cef-aws-guardduty-security-alert-17 | amazon-awsguardduty-sk4-alert-trigger-success-anomalousbehavior-1 |
+| cef-aws-guardduty-security-alert-18 | amazon-awsguardduty-sk4-alert-trigger-success-guardduty-4 |
+| cef-aws-guardduty-security-alert-2 | amazon-awsguardduty-sk4-alert-trigger-success-toripcaller |
+| cef-aws-guardduty-security-alert-3 | amazon-awsguardduty-sk4-alert-trigger-success-guardduty-2 |
+| cef-aws-guardduty-security-alert-4 | amazon-awsguardduty-sk4-alert-trigger-success-rootcredentialusage |
+| cef-aws-guardduty-security-alert-5 | amazon-awsguardduty-sk4-alert-trigger-success-anomalousbehavior |
+| cef-aws-guardduty-security-alert-6 | amazon-awsguardduty-sk4-alert-trigger-success-sshbruteforce |
+| cef-aws-guardduty-security-alert-7 | amazon-awsguardduty-sk4-alert-trigger-success-torclient |
+| cef-aws-guardduty-security-alert-8 | amazon-awsguardduty-sk4-alert-trigger-success-suspiciousfile |
+| cef-aws-guardduty-security-alert-9 | amazon-awsguardduty-sk4-alert-trigger-success-maliciousfile |
+| cef-aws-netflow-connection | amazon-awscloudwatch-sk4-network-traffic-success-awsflowlogs |
+| cef-aws-redshift-db-query | amazon-awsredshift-sk4-database-query-success-db |
+| cef-aws-redshift-info | amazon-awscloudtrail-sk4-app-activity-success-redshift |
+| cef-aws-vpc-netflow-connection | amazon-awscloudwatch-sk4-network-traffic-success-awss3bucket |
+| cef-azure-ad-app-login | microsoft-azuread-cef-app-signinactivity |
+| cef-azure-app-activity-1 | microsoft-azure-cef-app-activity-updategroup |
+| cef-azure-app-activity-2 | microsoft-azure-cef-app-activity-updateuser |
+| cef-azure-app-activity-3 | microsoft-azure-cef-app-activity-adduser |
+| cef-azure-app-activity-4 | microsoft-azure-cef-app-activity-updatedevice |
+| cef-azure-app-activity-5 | microsoft-azure-cef-app-activity-addmembertogroup |
+| cef-azure-app-login | microsoft-azure-cef-app-login-success-userloggedin |
+| cef-azure-auth-failed | microsoft-azuread-cef-endpoint-authentication-fail-loginerror |
+| cef-azure-authentication | microsoft-windows-cef-endpoint-login-device |
+| cef-azure-event-hub-cosmosdb-create | microsoft-azuremon-sk4-database-create-create |
+| cef-azure-event-hub-cosmosdb-delete | microsoft-azuremon-cef-database-delete-dataplanerequests |
+| cef-azure-event-hub-cosmosdb-query | microsoft-azuremon-cef-database-query-documentdb |
+| cef-azure-event-hub-cosmosdb-read | microsoft-azuremon-sk4-database-query-read |
+| cef-azure-event-hub-cosmosdb-readfeed | microsoft-azuremon-sk4-database-list-readfeed |
+| cef-azure-event-hub-cosmosdb-update | microsoft-azuremon-cef-database-modify-dataplanerequest |
+| cef-azure-event-hub-cosmosdb-upsert | microsoft-azuremon-sk4-database-modify-upsert |
+| cef-azure-event-hub-postgresql | microsoft-azuremon-sk4-database-activity-postgresqllogs |
+| cef-azure-event-hub-security | microsoft-azure-sk4-alert-trigger-success-security |
+| cef-azure-failed-app-login | microsoft-azure-cef-app-login-fail-userloginfailed |
+| cef-azure-mysql-database-login | microsoft-azuremon-sk4-database-login-connectionlog |
+| cef-azure-mysql-database-query | microsoft-azuremon-sk4-database-query-mysqlauditlogs |
+| cef-azure-onedrive-account-password-change | microsoft-mcas-cef-user-password-modify-success-changepassword |
+| cef-azure-onedrive-account-password-reset | microsoft-mcas-cef-user-password-reset-success-resetpassword |
+| cef-azure-onedrive-app-activity-1 | microsoft-mcas-cef-app-activity-success-accessfolder |
+| cef-azure-onedrive-app-activity-10 | microsoft-mcas-cef-app-activity-success-impersonated |
+| cef-azure-onedrive-app-activity-11 | microsoft-mcas-cef-app-activity-success-itemcreate |
+| cef-azure-onedrive-app-activity-12 | microsoft-mcas-cef-app-activity-success-agentusercreate |
+| cef-azure-onedrive-app-activity-13 | microsoft-mcas-cef-app-activity-success-folderdelete |
+| cef-azure-onedrive-app-activity-14 | microsoft-mcas-cef-app-activity-success-msgdelete |
+| cef-azure-onedrive-app-activity-15 | microsoft-mcas-cef-app-activity-success-msgdelete-1 |
+| cef-azure-onedrive-app-activity-16 | microsoft-mcas-cef-app-activity-success-alertdismiss |
+| cef-azure-onedrive-app-activity-17 | microsoft-mcas-cef-app-activity-success-grantconsoleforthirdparty |
+| cef-azure-onedrive-app-activity-18 | microsoft-mcas-cef-app-activity-success-foldermove |
+| cef-azure-onedrive-app-activity-19 | microsoft-mcas-cef-app-activity-success-movemsgtoanotherfolder |
+| cef-azure-onedrive-app-activity-2 | microsoft-mcas-cef-app-activity-success-addmembertogroup |
+| cef-azure-onedrive-app-activity-20 | microsoft-mcas-cef-app-activity-success-movemsgtodeletedfolder |
+| cef-azure-onedrive-app-activity-21 | microsoft-mcas-cef-app-activity-success-msgpurge |
+| cef-azure-onedrive-app-activity-22 | microsoft-mcas-cef-app-activity-success-purgemessages |
+| cef-azure-onedrive-app-activity-23 | microsoft-mcas-cef-app-activity-success-removemember |
+| cef-azure-onedrive-app-activity-24 | microsoft-mcas-cef-app-activity-success-folderrename |
+| cef-azure-onedrive-app-activity-25 | microsoft-mcas-cef-app-activity-success-resolvealert |
+| cef-azure-onedrive-app-activity-26 | microsoft-mcas-cef-app-activity-success-commandrun |
+| cef-azure-onedrive-app-activity-27 | microsoft-mcas-cef-app-activity-success-msgsend |
+| cef-azure-onedrive-app-activity-28 | microsoft-mcas-cef-app-activity-success-msgsend-1 |
+| cef-azure-onedrive-app-activity-29 | microsoft-mcas-cef-app-activity-success-setcompanyinfo |
+| cef-azure-onedrive-app-activity-3 | microsoft-mcas-cef-app-activity-success-addmembertorole |
+| cef-azure-onedrive-app-activity-30 | microsoft-mcas-cef-app-activity-success-skyprforbuisnessactivity |
+| cef-azure-onedrive-app-activity-31 | microsoft-mcas-cef-app-activity-success-suspiciousemail |
+| cef-azure-onedrive-app-activity-32 | microsoft-mcas-cef-app-activity-success-unspecified |
+| cef-azure-onedrive-app-activity-33 | microsoft-mcas-cef-app-activity-success-msgupdate |
+| cef-azure-onedrive-app-activity-34 | microsoft-mcas-cef-app-activity-success-msgupdate-1 |
+| cef-azure-onedrive-app-activity-35 | microsoft-mcas-cef-app-activity-success-updateserviceprincipal |
+| cef-azure-onedrive-app-activity-36 | microsoft-mcas-cef-app-activity-success-updateuser |
+| cef-azure-onedrive-app-activity-4 | microsoft-mcas-cef-app-activity-success-addpermissiontomailbox |
+| cef-azure-onedrive-app-activity-5 | microsoft-mcas-cef-app-activity-success-mailboxpermission |
+| cef-azure-onedrive-app-activity-6 | microsoft-mcas-cef-app-activity-success-azureoperation |
+| cef-azure-onedrive-app-activity-7 | microsoft-mcas-cef-app-activity-success-groupsettingchange |
+| cef-azure-onedrive-app-activity-8 | microsoft-mcas-cef-app-activity-success-changeuserlicense |
+| cef-azure-onedrive-app-activity-9 | microsoft-mcas-cef-app-activity-success-foldercreate |
+| cef-azure-onedrive-file-activity-1 | microsoft-mcas-cef-file-delete-success-deletefile |
+| cef-azure-onedrive-file-activity-10 | microsoft-mcas-cef-file-read-success-checkoutfile |
+| cef-azure-onedrive-file-activity-11 | microsoft-mcas-cef-file-read-success-createfileaccessrequest |
+| cef-azure-onedrive-file-activity-12 | microsoft-mcas-cef-file-read-success-modifyfile |
+| cef-azure-onedrive-file-activity-13 | microsoft-mcas-cef-file-read-success-movefile |
+| cef-azure-onedrive-file-activity-14 | microsoft-mcas-cef-file-read-success-renamefile |
+| cef-azure-onedrive-file-activity-15 | microsoft-mcas-cef-file-read-success-sharefile |
+| cef-azure-onedrive-file-activity-2 | microsoft-mcas-cef-file-download-success-downloadfile |
+| cef-azure-onedrive-file-activity-3 | microsoft-mcas-cef-file-download-success-syncfiledownload |
+| cef-azure-onedrive-file-activity-4 | microsoft-mcas-cef-file-upload-success-fileupload |
+| cef-azure-onedrive-file-activity-5 | microsoft-mcas-cef-file-upload-success-uploadfile |
+| cef-azure-onedrive-file-activity-6 | microsoft-mcas-cef-file-read-success-request |
+| cef-azure-onedrive-file-activity-7 | microsoft-mcas-cef-file-read-success-invitation |
+| cef-azure-onedrive-file-activity-8 | microsoft-mcas-cef-file-read-success-mcas |
+| cef-azure-onedrive-file-activity-9 | microsoft-mcas-cef-file-read-success-checkinfile |
+| cef-azure-onedrive-file-upload | microsoft-mcas-cef-file-upload-success-appidonedrive |
+| cef-azure-onedrive-file-write | microsoft-mcas-cef-file-write-success-appidonedrive |
+| cef-azure-password-change | microsoft-azuread-cef-user-password-modify-success-changeuserpassword |
+| cef-azure-process-created | microsoft-windows-cef-process-create-success-process |
+| cef-azure-security-alert | microsoft-azuresc-sk4-alert-trigger-success-graphsecurityalerts |
+| cef-azure-siem-app-logon | microsoft-mcas-cef-app-login-eventcategorylogin |
+| cef-azure-user-signin | microsoft-azureadsignin-cef-app-login-success-signin |
+| cef-bcn-bdds-dhcp | bluecatnetworks-bnetworks-cef-endpoint-login-fail-dhcpmessage |
+| cef-beyondtrust-app-activity | beyondtrust-prividentity-cef-app-activity-success-pbpsadmin |
+| cef-beyondtrust-app-activity-1 | beyondtrust-prividentity-cef-app-activity-success-pbpsmanaged |
+| cef-beyondtrust-app-activity-2 | beyondtrust-prividentity-cef-app-activity-success-pbpsrequestor |
+| cef-beyondtrust-app-login | beyondtrust-bi-cef-app-login-success-login |
+| cef-bit9-app-login | vmware-carbonblackappctrl-cef-app-login-success-consoleuserlogin |
+| cef-bit9-epp-alert | vmware-carbonblackappctrl-cef-alert-trigger-success-securityalert |
+| cef-bit9-file-alert | vmware-carbonblackappctrl-cef-alert-trigger-success-securityplatform |
+| cef-bit9-process-alert | vmware-carbonblackappctrl-cef-alert-trigger-success-securityplatform-1 |
+| cef-bit9-usb-activity | vmware-carbonblackappctrl-cef-peripheral-storage-insert-success-tached |
+| cef-bitdefender-gravityzone-alert | bitdefender-gz-cef-alert-trigger-success-gravityzone |
+| cef-bitglass-app-login-1 | bitglass-casb-sk4-app-login-success-loginsuccess |
+| cef-bitglass-dlp-alert | bitglass-casb-cef-alert-trigger-success-filelink |
+| cef-bitglass-logout | bitglass-casb-cef-app-logout-activity |
+| cef-bitglass-system-info-1 | bitglass-casb-cef-app-scan-dlpscan |
+| cef-bitglass-system-info-2 | bitglass-casb-cef-app-scan-scantimeout |
+| cef-bitglass-system-info-3 | bitglass-casb-cef-app-scan-malwarescan |
+| cef-bitglass-system-info-4 | bitglass-casb-sk4-app-activity-success-onedrive |
+| cef-bluecoat-proxy | symantec-wss-cef-http-session-proxysg |
+| cef-box-app-login | box-ccm-sk4-app-login-success-login |
+| cef-box-file-activity | box-ccm-cef-file-success-contentaccess |
+| cef-bromium-bem-security-alert | bromium-aes-cef-alert-trigger-success-hostthreatfilehash |
+| cef-bromium-bem-security-alert-1 | bromium-aes-cef-alert-trigger-success-hostrecorded |
+| cef-bromium-file-permission-change | bromium-sp-cef-file-permission-modify-success-trusted |
+| cef-bromium-file-read | bromium-sp-cef-file-read-success-filedownload |
+| cef-bromium-file-write | bromium-sp-cef-file-write-success-upload |
+| cef-bromium-security-alert | bromium-aes-cef-alert-trigger-success-vsentryblock |
+| cef-bromium-security-alert-1 | bromium-aes-cef-alert-trigger-success-isothreatrecorded |
+| cef-carbonblack-alert | vmware-carbonblackedr-cef-alert-trigger-success-dhost |
+| cef-carbonblack-alert-1 | vmware-carbonblackedr-cef-alert-trigger-success-threatreputation |
+| cef-carbonblack-alert-2 | vmware-carbonblackedr-cef-alert-trigger-success-threatexchange |
+| cef-carbonblack-app-login | vmware-carbonblackappctrl-cef-app-login-success-console |
+| cef-carbonblack-edr-process-alert | vmware-carbonblackedr-cef-alert-trigger-success-threathunter |
+| cef-carbonblack-endpoint-process | vmware-carbonblackedr-sk4-process-create-success-redcanary |
+| cef-carbonblack-file-alert | vmware-carbonblackappctrl-cef-alert-trigger-success-protection |
+| cef-carbonblack-file-alert-2 | vmware-carbonblackappctrl-cef-alert-trigger-success-appcontrol |
+| cef-carbonblack-file-alert-3 | vmware-carbonblackappctrl-cef-alert-trigger-success-policy_enforce |
+| cef-carbonblack-file-create | vmware-carbonblack-sk4-file-write-success-cbdefense |
+| cef-carbonblack-file-read-1 | vmware-carbonblack-sk4-file-read-success-access |
+| cef-carbonblack-file-read-2 | vmware-carbonblack-sk4-file-read-success-threatindicators |
+| cef-carbonblack-file-write-1 | vmware-carbonblack-sk4-file-write-success-threatindicators |
+| cef-carbonblack-file-write-2 | vmware-carbonblack-sk4-file-write-success-threatindicators-1 |
+| cef-carbonblack-file-write-3 | vmware-carbonblack-sk4-file-write-success-threatindicators-2 |
+| cef-carbonblack-file-write-4 | vmware-carbonblack-sk4-file-write-success-threatindicators-3 |
+| cef-carbonblack-local-logon | vmware-carbonblackappctrl-cef-endpoint-login-success-000000005 |
+| cef-carbonblack-local-logon-3 | vmware-carbonblackappctrl-cef-endpoint-login-success-00000005 |
+| cef-carbonblack-network-connection | vmware-carbonblack-json-network-traffic-success-connectionto |
+| cef-carbonblack-network-connection-failed-1 | vmware-carbonblackedr-sk4-network-traffic-fail-operationfailed |
+| cef-carbonblack-network-connection-failed-2 | vmware-carbonblackedr-cef-network-traffic-fail-unsuccessfulattempt |
+| cef-carbonblack-network-connection-successful-1 | vmware-carbonblack-sk4-network-session-success-threatindicators |
+| cef-carbonblack-network-connection-successful-2 | vmware-carbonblack-json-network-traffic-success-netflow |
+| cef-carbonblack-process-alert | vmware-carbonblackappctrl-cef-alert-trigger-success-carbonblack |
+| cef-carbonblack-process-alert-1 | vmware-carbonblackedr-cef-alert-trigger-success-response |
+| cef-carbonblack-process-alert-2 | vmware-carbonblackedr-cef-alert-trigger-success-response-1 |
+| cef-carbonblack-process-alert-3 | vmware-carbonblackedr-cef-alert-trigger-success-alertwatchlisthitingressprocess |
+| cef-carbonblack-process-alert-query | vmware-carbonblackedr-kv-alert-trigger-success-feedquery |
+| cef-carbonblack-process-alert-storage | vmware-carbonblackedr-kv-alert-trigger-success-feedstorage |
+| cef-carbonblack-process-created | vmware-carbonblackedr-json-process-create-success-createprocess |
+| cef-carbonblack-process-created-1 | vmware-carbonblack-json-process-create-success-invoked |
+| cef-carbonblack-process-created-2 | vmware-carbonblack-sk4-process-create-success-successfullyattempted |
+| cef-carbonblack-process-created-3 | vmware-carbonblack-json-process-create-success-threatindicators |
+| cef-carbonblack-process-created-failed-1 | vmware-carbonblack-json-process-create-fail-unsuccessfullyattempted |
+| cef-carbonblack-security-alert | vmware-carbonblack-cef-alert-trigger-success-activethreat |
+| cef-carbonblack-security-alert-1 | vmware-carbonblack-sk4-alert-trigger-success-high |
+| cef-carbonblack-system-error | vmware-edr-cef-app-notification-error |
+| cef-carbonblack-system-error-1 | vmware-carbonblackappctrl-cef-app-notification-servererror |
+| cef-carbonblack-system-error-2 | vmware-ac-cef-app-notification-error |
+| cef-carbonblack-system-info | vmware-carbonblackedr-cef-app-activity-protection |
+| cef-carbonblack-system-info-1 | vmware-carbonblackedr-kv-alert-trigger-ingresshit |
+| cef-carbonblack-system-info-2 | vmware-carbonblackappctrl-cef-app-activity-carbonblackevent |
+| cef-carbonblack-usb-activity | vmware-carbonblackappctrl-cef-peripheral-storage-insert-success-protection |
+| cef-carbonblack-workstation-locked | vmware-carbonblackappctrl-cef-endpoint-lock-success-sessionlock |
+| cef-carbonblack-workstation-locked-2 | vmware-carbonblackappctrl-cef-endpoint-lock-success-sessionlock-1 |
+| cef-carbonblack-workstation-unlocked | vmware-carbonblackappctrl-cef-endpoint-unlock-success-sessionunlock |
+| cef-carbonblack-workstation-unlocked-2 | vmware-carbonblackappctrl-cef-endpoint-unlock-success-sessionunlock-1 |
+| cef-cas-security-alert | microsoft-mcas-json-alert-trigger-success-mcasalerts |
+| cef-catonetworks-network-alert | catonetworks-cc-cef-alert-trigger-success-policy |
+| cef-catonetworks-vpn-end | catonetwork-cc-cef-vpn-logout-success-disconnect |
+| cef-catonetworks-vpn-login | catonetwork-cc-cef-vpn-login-success-connection |
+| cef-catonetworks-web-activity | catonetwork-cc-cef-vpn-http-success-security |
+| cef-ccure-badge-access | tyco-ccure-cef-physical-location-access-fail-flexnumber |
+| cef-ccure-badge-access-1 | tyco-ccure-cef-physical-location-access-card |
+| cef-ccure-badge-access-2 | tyco-ccure-cef-physical-location-access-fail-ccurebadge |
+| cef-checkpoint-alert | checkpoint-es-cef-alert-trigger-success-checkpoint |
+| cef-checkpoint-alert-3 | checkpoint-am-cef-alert-trigger-success-checkpointantimalware |
+| cef-checkpoint-auth-successful | checkpoint-ngfw-cef-endpoint-login-success-login |
+| cef-checkpoint-auth-successful-1 | checkpoint-ngfw-cef-endpoint-login-success-update |
+| cef-checkpoint-auth-successful-2 | checkpoint-ngfw-cef-endpoint-authentication-success-login |
+| cef-checkpoint-events | checkpoint-sg-cef-app-activity-connectra |
+| cef-checkpoint-firewall | checkpoint-ngfw-cef-network-traffic-access |
+| cef-checkpoint-firewall-1 | checkpoint-ngfw-cef-network-traffic-urlfiltering |
+| cef-checkpoint-firewall-2 | checkpoint-ngfw-cef-network-traffic-firewall |
+| cef-checkpoint-firewall-3 | checkpoint-ngfw-cef-network-traffic-logupdate |
+| cef-checkpoint-firewall-4 | checkpoint-ngfw-cef-network-traffic-appcontrol |
+| cef-checkpoint-firewall-5 | checkpoint-ngfw-cef-network-traffic-smartdefense |
+| cef-checkpoint-firewall-accept | checkpoint-ngfw-cef-network-traffic-success-accept |
+| cef-checkpoint-logout | checkpoint-ngfw-cef-app-logout-logout |
+| cef-checkpoint-logout-1 | checkpoint-ngfw-cef-vpn-logout-success-logout |
+| cef-checkpoint-logout-2 | checkpoint-ngfw-cef-vpn-logout-success-vpn |
+| cef-checkpoint-network-alert | checkpoint-tp-cef-alert-trigger-success-checkpointsmartdefense |
+| cef-checkpoint-network-info | checkpoint-ngfw-cef-configuration-modify-success-updated |
+| cef-checkpoint-vpn-end | checkpoint-sg-cef-vpn-logout-success-checkpoint |
+| cef-checkpoint-vpn-login | checkpoint-sg-cef-vpn-login-success-mobileaccessblade |
+| cef-checkpoint-vpn-login-1 | checkpoint-sg-cef-vpn-login-success-identityawareness |
+| cef-checkpoint-vpn-login-2 | checkpoint-ngfw-cef-vpn-login-success-authentication |
+| cef-checkpoint-vpn-login-3 | checkpoint-ngfw-cef-vpn-login-success-login |
+| cef-checkpoint-vpn-login-4 | checkpoint-ngfw-cef-vpn-login-success-login-1 |
+| cef-cisco-acs-auth-failed | cisco-ise-cef-endpoint-login-fail-loginfailed |
+| cef-cisco-acs-auth-successful | cisco-ise-cef-endpoint-login-success-authsuccess |
+| cef-cisco-asa-106001 | cisco-asa-cef-network-session-fail-106001 |
+| cef-cisco-asa-106006 | cisco-asa-cef-network-traffic-fail-106006 |
+| cef-cisco-asa-106015 | cisco-asa-cef-network-traffic-fail-106015-1 |
+| cef-cisco-asa-106023 | cisco-asa-cef-network-traffic-fail-106023-1 |
+| cef-cisco-asa-113039-vpn-start | cisco-asa-cef-vpn-login-success-113039 |
+| cef-cisco-asa-302013 | cisco-asa-cef-app-notification-success-302013 |
+| cef-cisco-asa-302014 | cisco-asa-cef-network-close-success-302014 |
+| cef-cisco-asa-302015 | cisco-asa-cef-app-notification-success-302015 |
+| cef-cisco-asa-302016 | cisco-asa-cef-app-notification-success-302016 |
+| cef-cisco-asa-302020 | cisco-asa-cef-network-start-success-302020 |
+| cef-cisco-asa-302021 | cisco-asa-cef-network-notification-302021 |
+| cef-cisco-asa-305011 | cisco-asa-cef-app-notification-success-305011 |
+| cef-cisco-asa-305012 | cisco-asa-cef-app-notification-success-305012 |
+| cef-cisco-asa-721016-vpn-start | cisco-asa-cef-vpn-login-success-721016 |
+| cef-cisco-asa-722041-vpn-login | cisco-asa-cef-vpn-login-success-722041 |
+| cef-cisco-asa-auth-successful | cisco-asa-cef-endpoint-authentication-success-611101 |
+| cef-cisco-asa-generic | cisco-asa-cef-app-activity-success-devicedirection |
+| cef-cisco-dns-response-sk4 | cisco-umbrella-cef-dns-response-success-responsecode |
+| cef-cisco-dns-response-sk4-2 | cisco-umbrella-sk4-dns-response-success-allowed |
+| cef-cisco-dns-response-sk4-3 | cisco-umbrella-sk4-dns-response-success-blocked |
+| cef-cisco-dns-response-sk4-4 | cisco-umbrella-kv-dns-response-success-proxied |
+| cef-cisco-dns-response-sk4-ad-computers | cisco-umbrella-cef-dns-response-success-adcomputers |
+| cef-cisco-dns-response-sk4-ad-users | cisco-umbrella-cef-dns-response-success-adusers |
+| cef-cisco-dns-response-sk4-internal-networks | cisco-umbrella-cef-dns-response-success-internalnetworks |
+| cef-cisco-dns-response-sk4-networks | cisco-umbrella-cef-dns-response-success-networks |
+| cef-cisco-dns-response-sk4-roaming-client | cisco-umbrella-sk4-dns-response-success-roamingclient |
+| cef-cisco-dns-response-sk4-roaming-computer | cisco-umbrella-cef-dns-response-success-roamingcomputers |
+| cef-cisco-firepower | cisco-fp-cef-network-traffic-connection-stats |
+| cef-cisco-firepower-dns-query | cisco-fp-kv-dns-request-success-firepower |
+| cef-cisco-ise-nac-failed-logon | cisco-ise-cef-endpoint-authentication-fail-authfail |
+| cef-cisco-ise-nac-logon | cisco-ise-cef-endpoint-login-success-authpassed |
+| cef-cisco-ise-nac-logon-1 | cisco-ise-cef-endpoint-login-success-accounting |
+| cef-cisco-ise-nac-logon-2 | cisco-ise-cef-endpoint-login-success-accountingreqaccounting |
+| cef-cisco-ise-radius-accounting | cisco-ise-cef-radius-traffic-success-ciceradius |
+| cef-cisco-vpn-end | cisco-ac-cef-vpn-logout-success-userdisconnect |
+| cef-cisco-vpn-start | cisco-ac-cef-vpn-login-success-receivedremoteproxy |
+| cef-citrix-netscaler-generic | citrix-cgateway-cef-app-activity-appactivity |
+| cef-citrix-xenapp-app-login | citrix-cvapps-cef-app-login-success-xenappevent |
+| cef-cloud-system-info | amazon-awscloudwatch-sk4-app-activity-aws |
+| cef-cloud-system-info-1 | microsoft-azuremon-sk4-app-activity-loganalyticsomsworkspace |
+| cef-cloudflare-net-connection | cloudflare-waf-sk4-network-traffic-success-fwnetworktraffic |
+| cef-cloudflare-waf | cloudfare-waf-sk4-http-request-cloudflarelogging |
+| cef-cloudflare-waf-1 | cloudfare-waf-sk4-http-request-cloudflareaws |
+| cef-connectra-vpn-changeip | checkpoint-sg-cef-vpn-login-success-ipchanged |
+| cef-connectra-vpn-login | checkpoint-sg-cef-vpn-login-success-authcrypt |
+| cef-connectra-vpn-login-failed | checkpoint-sg-cef-vpn-login-fail-authcryptfailed |
+| cef-connectra-vpn-logout | checkpoint-sg-cef-vpn-logout-success-logout |
+| cef-contrast-security-alert | contrastsecurity-cs-cef-alert-trigger-success-security |
+| cef-cortex-xdr-alert | pan-cortex-cef-alert-trigger-success-alert |
+| cef-cortex-xdr-alert-1 | pan-cortex-mix-alert-trigger-success-xdr |
+| cef-counterbreach-db-alert | imperva-counterbreach-cef-alert-trigger-success-accessedtables |
+| cef-crowdstrike-alert | crowdstrike-falcon-cef-alert-trigger-success-host |
+| cef-crowdstrike-app-activity | crowdstrike-falcon-cef-app-activity-useractivityauditevent-1 |
+| cef-crowdstrike-app-login | crowdstrike-falcon-cef-app-login-authactivity |
+| cef-crowdstrike-app-login-1 | "crowdstrike-falcon-sk4-app-login-authentication |
+| cef-crowdstrike-system-event | crowdstrike-falcon-sk4-app-notification-fdr |
+| cef-cyberark-account-switch | cyberark-pam-cef-user-switch-success-pwdretrieve |
+| cef-cyberark-account-switch-1 | cyberark-pam-cef-user-switch-success-safe |
+| cef-cyberark-app-activity | cyberark-pam-cef-file-safe |
+| cef-cyberark-app-login | cyberark-pam-cef-app-login-success-logon |
+| cef-cyberark-failed-app-login | cyberark-pam-cef-app-login-fail-userauth |
+| cef-cyberark-password-change | cyberark-pam-cef-user-password-modify-success-vault |
+| cef-cyberark-password-change-1 | cyberark-pam-cef-user-password-modify-success-vault-1 |
+| cef-cyberark-security-alert | cyberark-pam-cef-alert-trigger-success-vault |
+| cef-cyberark-security-alert-1 | cyberark-pta-cef-alert-trigger-success-riskyactivities |
+| cef-cybereason-security-alert | cybereason-cr-cef-alert-trigger-success-malops |
+| cef-cylance-alert | blackberry-protect-cef-alert-trigger-success-cylance |
+| cef-darktrace | darktrace-darktrace-cef-alert-trigger-success-darktrace |
+| cef-db2-activity | ibm-db2-kv-database-activity-itsecurity |
+| cef-db2-auth-failed | ibm-db2-cef-vpn-login-fail-pcidb2 |
+| cef-db2-file-read | ibm-db2-cef-file-read-success-pcidb2 |
+| cef-db2-object-access | ibm-db2-kv-database-activity-pcidb2 |
+| cef-db2-remote-logon | ibm-db2-cef-endpoint-login-fail-security |
+| cef-db2-security-alert | ibm-db2-cef-alert-trigger-success-appsec |
+| cef-db2-security-alert-2 | ibm-db2-cef-alert-trigger-success-securitysystemattack |
+| cef-defender-atp-alert | microsoft-defenderep-sk4-alert-trigger-success-requestclientapplication |
+| cef-defender-atp-batch-logon | microsoft-defenderep-cef-endpoint-login-batch |
+| cef-defender-atp-file | microsoft-defenderep-cef-file-devicefileevents |
+| cef-defender-atp-file-write | microsoft-defenderep-cef-link-create-shelllinkcreatefileevent |
+| cef-defender-atp-image-load | microsoft-defenderep-sk4-dll-load-deviceimageloadevents |
+| cef-defender-atp-local-logon | microsoft-defenderep-cef-endpoint-login-interactive |
+| cef-defender-atp-malware-detected | microsoft-defenderep-sk4-alert-trigger-success-windowsdefenderav |
+| cef-defender-atp-member-added | microsoft-defenderep-cef-group-member-add-success-accountadded |
+| cef-defender-atp-member-removed | microsoft-defenderep-cef-group-member-remove-success-accountremoved |
+| cef-defender-atp-network-con | microsoft-defenderep-cef-network-session-devicenetworkevents |
+| cef-defender-atp-network-info | microsoft-defenderep-cef-network-notification-advancedhunting |
+| cef-defender-atp-process | microsoft-defenderep-sk4-process-create-success-deviceprocessevents |
+| cef-defender-atp-process-1 | microsoft-defenderep-cef-process-create-success-processcreated |
+| cef-defender-atp-process-created-1 | microsoft-defenderep-sk4-http-request-browserlaunched |
+| cef-defender-atp-process-created-failed | microsoft-defenderep-sk4-alert-trigger-callblocked |
+| cef-defender-atp-process-created-failed-1 | microsoft-defenderep-cef-process-create-fail-exploitguardnonmicrosoftsignedblocked |
+| cef-defender-atp-registry | microsoft-defenderep-sk4-registry-modify-advancedhunting |
+| cef-defender-atp-remote-access | microsoft-defenderep-cef-endpoint-login-network |
+| cef-defender-atp-remote-logon | microsoft-defenderep-cef-endpoint-login-remoteinteractive |
+| cef-defender-atp-service-created-1 | microsoft-defenderep-cef-service-create-serviceinstalled |
+| cef-defender-atp-service-logon | microsoft-defenderep-cef-endpoint-login-service |
+| cef-defender-atp-system-alert-1 | microsoft-defenderep-sk4-alert-trigger-wificonnection |
+| cef-defender-atp-system-event | microsoft-defenderep-cef-process-token-modify-processprimarytokenmodified |
+| cef-defender-atp-system-event-1 | microsoft-defenderep-cef-script-execute-powershellcommand |
+| cef-defender-atp-system-event-10 | microsoft-defenderep-cef-process-thread-create-remotethreadapicall |
+| cef-defender-atp-system-event-11 | microsoft-defenderep-sk4-clipboard-read-getclipboarddata |
+| cef-defender-atp-system-event-12 | microsoft-defenderep-cef-process-memory-read-readprocessmemoryapicall |
+| cef-defender-atp-system-event-13 | microsoft-defenderep-cef-process-memory-allocate-advancedhunting-1 |
+| cef-defender-atp-system-event-14 | microsoft-defenderep-cef-endpoint-notification-deviceconnected |
+| cef-defender-atp-system-event-15 | microsoft-defenderep-sk4-alert-trigger-theftaudited |
+| cef-defender-atp-system-event-18 | microsoft-defenderep-sk4-alert-trigger-theftblocked |
+| cef-defender-atp-system-event-2 | microsoft-defenderep-sk4-ds-object-read-ldapsearch |
+| cef-defender-atp-system-event-3 | microsoft-defenderep-cef-process-memory-allocate-advancedhunting |
+| cef-defender-atp-system-event-4 | microsoft-defenderep-sk4-driver-load-driverload |
+| cef-defender-atp-system-event-5 | microsoft-defenderep-cef-process-open-apicall |
+| cef-defender-atp-system-event-6 | microsoft-defenderep-sk4-endpoint-screenshot-screenshottaken |
+| cef-defender-atp-system-event-7 | microsoft-defenderep-sk4-alert-trigger-childprocessaudited |
+| cef-defender-atp-system-event-8 | microsoft-defenderep-sk4-alert-trigger-acgenforced |
+| cef-defender-atp-system-info | microsoft-defenderep-sk4-endpoint-activity-deviceevents |
+| cef-defender-atp-system-info-1 | microsoft-defenderep-sk4-alert-trigger-antivirusreport |
+| cef-defender-atp-system-info-2 | microsoft-defenderep-cef-endpoint-scan-antivirusscan |
+| cef-defender-atp-system-info-3 | microsoft-defenderep-cef-scheduled-task-delete-scheduledtaskdeleted |
+| cef-defender-atp-system-info-4 | microsoft-defenderep-sk4-endpoint-notification-huntingdeviceevents |
+| cef-defender-atp-task-created | microsoft-defenderep-cef-scheduled-task-create-scheduledtaskcreated |
+| cef-defender-device-info | microsoft-defenderep-cef-endpoint-notification-advancehuntingdevinfo |
+| cef-defender-graph-security-alert | microsoft-defenderep-sk4-alert-trigger-success-securityalerts |
+| cef-defender-system-info | microsoft-azureatp-sk4-alert-trigger-success-deviceinfo |
+| cef-digitalguardian-file-operation | dg-ep-cef-file-dgfileoperation |
+| cef-digitalguardian-local-logon | dg-ep-cef-endpoint-login-success-userlogon |
+| cef-digitalguardian-print | dg-ep-cef-printer-activity-success-print |
+| cef-digitalguardian-send-mail | dg-ndlp-cef-email-send-success-sendmail |
+| cef-dlp-email-in | microsoft-exchange-cef-email-receive-incoming |
+| cef-dlp-email-out | microsoft-exchange-cef-email-send-originating |
+| cef-dropbox-app-activity-1 | dropbox-d-cef-vpnfileapp-1 |
+| cef-dropbox-app-activity-10 | dropbox-d-json-app-activity-success-shared |
+| cef-dropbox-app-activity-2 | dropbox-d-cef-vpnfileapp-2 |
+| cef-dropbox-app-activity-3 | dropbox-d-cef-vpnfileapp-3 |
+| cef-dropbox-app-activity-4 | dropbox-d-cef-vpnfileapp-4 |
+| cef-dropbox-app-activity-5 | dropbox-d-cef-vpnfileapp-5 |
+| cef-dropbox-app-activity-6 | dropbox-d-cef-vpnfileapp-6 |
+| cef-dropbox-app-activity-7 | dropbox-d-cef-vpnfileapp-7 |
+| cef-dropbox-app-activity-8 | dropbox-d-cef-vpnfileapp-8 |
+| cef-dropbox-app-activity-9 | dropbox-d-json-app-file-success-tag |
+| cef-dropbox-login-activity | dropbox-d-json-app-login-success-login |
+| cef-dtex-dir-created | dtexsystems-intercept-cef-file-write-success-dircreated |
+| cef-dtex-dir-delete | dtexsystems-intercept-cef-file-delete-success-dirdeleted |
+| cef-dtex-dir-moved | dtexsystems-intercept-cef-file-write-success-dirmoved |
+| cef-dtex-dir-renamed | dtexsystems-intercept-cef-file-write-success-dirrenamed |
+| cef-dtex-file-copied | dtexsystems-intercept-cef-file-write-success-filecopied |
+| cef-dtex-file-created | dtexsystems-intercept-cef-file-write-success-filecreated |
+| cef-dtex-file-delete | dtexsystems-intercept-cef-file-delete-success-filedeleted |
+| cef-dtex-file-modified | dtexsystems-intercept-cef-file-write-success-filemodified |
+| cef-dtex-file-moved | dtexsystems-intercept-cef-file-write-success-filemoved |
+| cef-dtex-file-read | dtexsystems-intercept-cef-file-read-success-fileread |
+| cef-dtex-file-renamed | dtexsystems-intercept-cef-file-write-success-filerenamed |
+| cef-dtex-local-logon | dtexsystems-intercept-cef-endpoint-login-success-sessionlogon |
+| cef-dtex-print-activity | dtexsystems-intercept-cef-printer-activity-success-dtex |
+| cef-dtex-process-created | dtexsystems-intercept-cef-process-create-success-processcreated |
+| cef-dtex-remote-logon | dtexsystems-intercept-cef-endpoint-login-success-sessionactivity |
+| cef-dtex-web-activity | dtexsystems-intercept-cef-http-session-success-webpageaccessed |
+| cef-dtex-workstation-locked | dtexsystems-intercept-cef-endpoint-lock-success-sessionlocked |
+| cef-dtex-workstation-unlocked | dtexsystems-intercept-cef-endpoint-unlock-success-sessionunlocked |
+| cef-duo-VPN-login | cisco-duo-sk4-vpn-login-success-newenrollment |
+| cef-duo-VPN-login-failed | cisco-duo-cef-vpn-login-fail-loginfailure |
+| cef-duo-app-activity | cisco-duo-cef-app-login-destservicenameduo |
+| cef-duo-app-activity-1 | cisco-duo-json-app-activity-success-api |
+| cef-duo-app-login | cisco-duo-cef-app-login-success-twofactorsuccess |
+| cef-duo-app-login-1 | cisco-duo-cef-app-login-success-success |
+| cef-duo-auth | cisco-duo-cef-endpoint-authentication-mfaservice |
+| cef-duo-authentication | cisco-duo-cef-endpoint-authentication-newenrollment |
+| cef-duo-failed-app-login-1 | cisco-duo-cef-app-login-fail-twofactorfail |
+| cef-ecat-security-alert | rsa-ecat-cef-alert-trigger-success-ecatalert |
+| cef-edirectory-account-disabled | novell-ed-cef-user-disable-success-logindisabled |
+| cef-edirectory-account-enabled | novell-ed-cef-user-enable-success-loginenabled |
+| cef-edirectory-account-password-change | novell-ed-cef-user-password-modify-success-passwordchanged |
+| cef-edirectory-account-unlocked | novell-ed-kv-user-unlock-success-accountunlock |
+| cef-edirectory-auth-1 | novell-ed-cef-endpoint-authentication-login |
+| cef-edirectory-auth-2 | novell-ed-cef-endpoint-authentication-authenticate |
+| cef-edirectory-security-alert | novell-ed-cef-alert-trigger-success-intruderdetected |
+| cef-egnyte-app-activity | egnyte-egnyte-sk4-app-activity-success-addedtogroup |
+| cef-egnyte-app-activity-1 | egnyte-egnyte-sk4-app-activity-success-removedfromgroup |
+| cef-egnyte-app-activity-10 | egnyte-egnyte-sk4-app-activity-success-delete |
+| cef-egnyte-app-activity-11 | egnyte-e-cef-app-activity-success-create |
+| cef-egnyte-app-activity-12 | engyte-e-cef-app-activity-success-update |
+| cef-egnyte-app-activity-13 | egnyte-egnyte-sk4-app-activity-success-subject |
+| cef-egnyte-app-activity-2 | egnyte-egnyte-sk4-app-activity-success-verificationdisable |
+| cef-egnyte-app-activity-3 | egnyte-egnyte-sk4-app-activity-success-verificationenable |
+| cef-egnyte-app-activity-4 | egnyte-egnyte-sk4-app-activity-success-upgradedtopower |
+| cef-egnyte-app-activity-5 | egnyte-egnyte-sk4-app-activity-success-verified |
+| cef-egnyte-app-activity-6 | egnyte-e-cef-app-activity-success-disable |
+| cef-egnyte-app-activity-7 | egnyte-egnyte-sk4-app-activity-success-enable |
+| cef-egnyte-app-activity-8 | egnyte-egnyte-sk4-app-activity-success-passwordchange |
+| cef-egnyte-app-activity-9 | egnyte-egnyte-sk4-app-activity-success-passwordreset |
+| cef-egnyte-file-operations | egnyte-e-cef-file-permission-modify-success-assigner |
+| cef-endgame-process-alert | endgame-edr-cef-alert-trigger-success-alerttrigger |
+| cef-epic-app-activity-1 | epic-siem-cef-app-activity-success-maskeddatadisplay |
+| cef-epic-app-activity-10 | epic-siem-cef-app-activity-success-accessgranted |
+| cef-epic-app-activity-11 | epic-siem-cef-app-activity-success-browserexternalpage |
+| cef-epic-app-activity-12 | epic-siem-cef-app-activity-success-acbreaktheglassaccess |
+| cef-epic-app-activity-2 | epic-siem-cef-app-activity-success-maskeddataprinting |
+| cef-epic-app-activity-3 | epic-siem-cef-app-activity-success-startup |
+| cef-epic-app-activity-4 | epic-seim-cef-app-activity-success-secure |
+| cef-epic-app-activity-5 | epic-siem-cef-app-activity-success-unsecure |
+| cef-epic-app-activity-6 | epic-siem-cef-app-activity-success-icserviceaudit |
+| cef-epic-app-activity-7 | epic-seim-cef-app-activity-success-switchuser |
+| cef-epic-app-activity-8 | epic-siem-cef-app-activity-success-roverfailedlogin |
+| cef-epic-app-activity-9 | epic-siem-cef-app-activity-success-contextchange |
+| cef-epic-app-login | epic-siem-cef-app-login-success-login |
+| cef-epic-auth-successful | epic-siem-cef-endpoint-login-success-security |
+| cef-epic-failed-app-login | epic-siem-cef-app-login-fail-failedlogin |
+| cef-exchange-app-activity | microsoft-exchange-sk4-app-activity-success-harddelete |
+| cef-exchange-app-activity-1 | microsoft-exchange-cef-app-activity-exchangeonline |
+| cef-exchange-app-activity-2 | microsoft-exchange-cef-app-activity-update |
+| cef-exchange-app-activity-3 | microsoft-exchange-cef-app-activity-movetodeleteditems |
+| cef-exchange-app-activity-4 | microsoft-exchange-cef-app-activity-setuser |
+| cef-exchange-app-activity-5 | microsoft-exchange-cef-app-activity-softdelete |
+| cef-exchange-app-activity-6 | microsoft-exchange-cef-app-activity-setmailbox |
+| cef-exchange-app-activity-7 | microsoft-exchange-cef-app-activity-newmailbox |
+| cef-exchange-scanmail-alert | trendmicro-scanmail-cef-alert-trigger-success-100104 |
+| cef-exchange-scanmail-app-activity | trendmicro-scanmail-cef-configuration-modify-300101 |
+| cef-extrahop-network-sec | extrahop-revealx-cef-alert-trigger-success-riskscore |
+| cef-f5-asm-alert | f5-asm-cef-alert-trigger-success-http |
+| cef-f5-dns-request | f5-bigipdns-cef-dns-request-success-dnsevent |
+| cef-f5-network-alert | f5-afm-cef-alert-trigger-attack |
+| cef-f5-vpn-end | f5-apm-cef-vpn-logout-success-stop |
+| cef-f5-vpn-start | f5-apm-cef-vpn-login-success-newsessionfromclient |
+| cef-f5-vpn-start-1 | f5-apm-cef-vpn-login-success-start |
+| cef-f5-vpn-user | f5-apm-cef-vpn-success-username |
+| cef-fidelis-alert | fidelis-fnetwork-sk4-alert-trigger-success-alerttime |
+| cef-fireeye-email-alert | fireeye-networksecurity-cef-alert-trigger-success-mailciousmail |
+| cef-fireeye-ex-security-alert | fireeye-emailsecurity-cef-alert-trigger-success-fireeye |
+| cef-fireeye-hx-app-activity | fireeye-endpointsecurity-cef-alert-trigger-containment |
+| cef-fireeye-hx-security-alert | fireeye-endpointsecurity-cef-alert-trigger-success-malwarehitfound |
+| cef-forcepoint-dlp-alert | forcepoint-dlp-cef-alert-trigger-success-tritonapdata |
+| cef-forcepoint-dlp-alert-1 | forcepoint-dlp-cef-alert-trigger-success-forcepointdlp |
+| cef-forcepoint-dlp-alert-2 | forcepoint-dlp-cef-alert-trigger-success-forcepoint |
+| cef-forcepoint-dlp-alert-3 | forcepoint-dlp-cef-alert-trigger-success-dlpsyslog |
+| cef-forcepoint-dlp-email-alert | forcepoint-dlp-cef-email-send-success-message |
+| cef-forcepoint-dlp-email-alert-1 | forcepoint-emailsecurity-cef-email-send-success-message |
+| cef-forcepoint-dlp-email-alert-2 | forcepoint-dlp-cef-email-violationtriggers |
+| cef-forcepoint-dlp-email-alert-out | forcepoint-dlp-cef-email-send-success-smtp |
+| cef-forcepoint-email-outcome | forcepoint-dlp-cef-email-receive-success-emaildelivery |
+| cef-forcepoint-email-spam-score | forcepoint-dlp-cef-email-receive-success-policyclean |
+| cef-forcepoint-email-subject | forcepoint-dlp-cef-email-receive-success-message |
+| cef-forcepoint-it-dlp-alert | forcepoint-insiderthreat-cef-alert-trigger-success-siemnotification |
+| cef-forcepoint-proxy | forcepoint-wsg-cef-http-session-request |
+| cef-fortinet-app-activity | fortinet-firewall-cef-app-activity-appctrl |
+| cef-fortinet-auth-failed | fortinet-utm-cef-endpoint-authentication-fail-ntlmauth |
+| cef-fortinet-auth-successful | fortinet-utm-cef-endpoint-authentication-success-ntlmauth |
+| cef-fortinet-network-connection | fortinet-firewall-cef-network-traffic-connectionaction |
+| cef-fortinet-web-activity | fortinet-utm-cef-http-session-webfilter |
+| cef-fortinet-web-activity-1 | fortinet-utm-cef-http-session-fortinet |
+| cef-fortinet-web-activity-2 | fortinet-fortigate-cef-http-session-webfilter |
+| cef-fsecure-security-alert | fsecure-policymanager-cef-alert-trigger-success-fsecure |
+| cef-fsecure-system-info | fsecure-policymanager-cef-app-activity-import |
+| cef-gcp-system-info | google-gcpca-sk4-app-activity-stackdriverevents |
+| cef-generic | microfocusarcsight-ma-cef-app-activity-success-4363448 |
+| cef-github-app-activity | github-g-sk4-repository-create-success-github |
+| cef-google-app-activity-1 | google-workspace-sk4-app-activity-success-calendar |
+| cef-google-app-activity-2 | google-workspace-sk4-app-activity-success-mobile |
+| cef-google-app-activity-3 | google-workspace-sk4-app-success-token |
+| cef-google-app-activity-4 | google-workspace-sk4-app-activity-success-admin |
+| cef-google-app-activity-5 | google-workspace-sk4-app-activity-success-groups |
+| cef-google-app-activity-6 | google-workspace-sk4-app-success-activity |
+| cef-google-app-activity-7 | google-workspace-cef-app-activity-success-audit |
+| cef-google-app-login | google-workspace-cef-app-login-uniquequalifier |
+| cef-google-app-login-1 | google-workspace-sk4-app-login-success-googleapps2 |
+| cef-google-file-activity | google-workspace-sk4-file-success-googleapps1 |
+| cef-google-logout | google-workspace-sk4-app-logout-success-login |
+| cef-google-password-update | google-workspace-sk4-user-password-success-changepassword |
+| cef-graph-security-alert | microsoft-m365auditlogs-sk4-alert-trigger-adminrelatedactivityalert |
+| cef-gtb-dlp-alert | gtb-gtbi-cef-alert-trigger-success-gtb |
+| cef-gtb-failed-usb-activity | gtb-gtbdlp-cef-file-write-fail-blocked |
+| cef-gtb-failed-usb-activity-1 | gtb-gtbdlp-cef-file-write-fail-blocked-1 |
+| cef-gtb-usb-activity | gtb-gtbdlp-cef-file-delete-logged |
+| cef-gtb-usb-read | gtb-gtbdlp-cef-file-write-logged |
+| cef-gtb-usb-write | gtb-gtbdlp-cef-file-write-loggedviolation |
+| cef-gtb-usb-write-1 | gtb-gtbdlp-cef-file-write-loggedviolation-1 |
+| cef-guardium-database-alert | ibm-guardium-cef-alert-trigger-success-unauthaccess |
+| cef-guardium-db-alert | ibm-guardium-cef-alert-trigger-success-classification |
+| cef-guardium-db-alert-1 | ibm-guardium-cef-alert-trigger-success-loginfail |
+| cef-guardium-db-query | ibm-guardium-kv-database-query-success-sql |
+| cef-honeywell-physical-badge-access | honeywell-siama-cef-physical-location-access-success-skud |
+| cef-hp-print-activity | hp-printserver-cef-printer-activity-success-printserver |
+| cef-ibm-auth-failed | ibm-lmc-cef-endpoint-login-fail-lmcloginfail |
+| cef-ibm-auth-successful | ibm-lmc-cef-endpoint-login-success-logsuccess |
+| cef-ibm-racf-app-activity | ibm-racf-cef-app-login-ibmracf |
+| cef-ibm-racf-app-activity-1 | ibm-racf-cef-app-notification-zos |
+| cef-ibm-sense | ibm-s-leef-alert-trigger-success-ubamachinelearninganomaly |
+| cef-icdb-app-activity | icdb-i-cef-app-activity-success-appactivity |
+| cef-iis-web-activity | microsoft-iis-cef-http-session-internetinformationserver |
+| cef-iis-web-activity-1 | microsoft-iis-str-http-session-webactivity |
+| cef-imperva-web-activity | imperva-securesphere-cef-http-request-servergroup |
+| cef-incapsula-web-activity | imperva-incapsula-cef-http-session-ddos |
+| cef-incapsula-web-activity-2 | imperva-incapsula-cef-http-session-siemintegration |
+| cef-infoblox-network-alert | infoblox-bddi-cef-alert-trigger-success-alert |
+| cef-infoblox-network-connection | infoblox-bddi-cef-network-traffic-threat |
+| cef-infoblox-system-info | infoblox-nios-cef-app-activity-esm |
+| cef-infowatch-app-login | infowatch-dlp-cef-app-login-success-login |
+| cef-infowatch-email-alert | infowatch-dlp-cef-email-receive-send-success-mailonclient |
+| cef-infowatch-print-activity | infowatch-dlp-cef-printer-activity-success-print |
+| cef-infowatch-usb-write | infowatch-dlp-cef-file-write-success-externaldevice |
+| cef-infowatch-web-activity | infowatch-iwdlp-cef-http-session-success-webmessage |
+| cef-infowatch-web-activity-1 | infowatch-dlp-cef-http-session-success-mailinbrowser |
+| cef-ironport-dlp-email | cisco-ie-cef-email-send-receive-success-subject |
+| cef-ixia-network-connection | ixia-ta-cef-network-traffic-fail-networktrafficfail |
+| cef-juniper-access-control | juniper-ps-cef-vpn-login-success-agentloginsucceededfor |
+| cef-juniper-access-control-1 | juniper-srx-cef-vpn-login-success-agentlogin |
+| cef-juniper-access-control-2 | juniper-srx-cef-vpn-login-success-addeduser |
+| cef-juniper-access-control-3 | juniper-srx-cef-vpn-login-success-removeduser |
+| cef-juniper-account-deleted | juniper-ps-cef-user-delete-fail-juniper |
+| cef-juniper-failed-vpn-login | juniper-ps-cef-vpn-login-fail-loginfail |
+| cef-juniper-failed-vpn-login-1 | juniper-srx-cef-vpn-login-fail-loginfailedusing |
+| cef-juniper-failed-vpn-login-2 | juniper-srx-cef-vpn-login-fail-secureaccess |
+| cef-juniper-proxy | juniper-ps-cef-http-session-success-webrequestcompleted |
+| cef-juniper-pulse-activity | juniper-ps-cef-app-activity-success-requestcompleted |
+| cef-juniper-vpn-authfailed | juniper-ps-cef-endpoint-authentication-fail-authfailed |
+| cef-juniper-vpn-close | juniper-ps-cef-vpn-logout-success-juniper |
+| cef-juniper-vpn-close-1 | juniper-ps-cef-vpn-logout-success-closed |
+| cef-juniper-vpn-end | juniper-ps-cef-vpn-logout-success-sessionendedeforuser |
+| cef-juniper-vpn-end-1 | juniper-ps-cef-vpn-logout-success-authenticated |
+| cef-juniper-vpn-login | juniper-ps-cef-vpn-login-success-loginsucceeded |
+| cef-juniper-vpn-logout | juniper-ps-cef-vpn-logout-success-logout |
+| cef-juniper-vpn-relogin | juniper-ps-cef-vpn-logout-success-loggedoutfrom |
+| cef-juniper-vpn-resume | juniper-ps-cef-vpn-login-success-sessionresumed |
+| cef-juniper-vpn-start | juniper-ps-cef-vpn-login-success-sessionstartedforuser |
+| cef-juniper-vpn-start-1 | juniper-srx-cef-vpn-login-success-loginsucceededfor |
+| cef-juniper-vpn-start-2 | juniper-srx-cef-vpn-login-success-loginfromip |
+| cef-juniper-vpn-timeout | juniper-ps-cef-vpn-logout-success-adminidletimeout |
+| cef-juniper-vpn-timeout-1 | juniper-ps-cef-vpn-logout-success-timedout |
+| cef-kaba-badge-access | kabaexos-k-cef-physical-location-access-success-9300 |
+| cef-kaspersky-dlp-email | kaspersky-av-cef-email-receive-success-emailreceive |
+| cef-kaspersky-file-alert | kaspersky-av-cef-alert-trigger-success-objnotprocessed |
+| cef-kaspersky-security-alert | kaspersky-endpointsecurity-cef-alert-trigger-success-endpointsecurity |
+| cef-kaspersky-security-alert-1 | kaspersky-endpointsecurity-cef-alert-trigger-success-securitycenter |
+| cef-leap-app-activity-3 | leap-l-str-app-activity-success-leapshk |
+| cef-liebsoft-app-activity-1 | beyondtrust-prividentity-cef-app-activity-elevationfailed |
+| cef-liebsoft-app-activity-2 | beyondtrust-prividentity-cef-app-activity-jobaccount |
+| cef-liebsoft-app-activity-3 | beyondtrust-prividentity-cef-app-activity-accountdeelevated |
+| cef-liebsoft-app-activity-4 | beyondtrust-prividentity-cef-app-activity-deelevationfailed |
+| cef-liebsoft-app-activity-5 | beyondtrust-prividentity-cef-app-activity-listaddedaccount |
+| cef-lightcyber-alert | pan-magnifier-cef-alert-trigger-success-lightcyber |
+| cef-logbinder-file-operation | logbinder-sharepoint-cef-file-app-fname |
+| cef-logrhythm-process-created | logrhythm-l-kv-process-create-success-pid |
+| cef-lyrix-badge-access | lyrix-l-cef-physical-location-access-success-doorname |
+| cef-lyrix-badge-access-1 | lyrix-l-cef-physical-location-access-success-department |
+| cef-magento-waf | magento-waf-sk4-http-session-wafseverity |
+| cef-malwarebytes-network-alert-ids | malwarebytes-ep-cef-alert-trigger-success-remoteintrusiondetectionfound |
+| cef-malwarebytes-security-alert | malwarebytes-ep-cef-alert-trigger-success-websiteblocked |
+| cef-malwarebytes-security-alert-1 | malwarebytes-ep-cef-alert-trigger-success-endpointprotection |
+| cef-malwarebytes-security-alert-2 | malwarebytes-ep-cef-alert-trigger-success-incidentresponse |
+| cef-malwarebytes-security-alert-exploit | malwarebytes-ep-cef-alert-trigger-success-exploitblocked |
+| cef-mbmc-security-alert-detection | malwarebytes-ep-cef-alert-trigger-success-detection-1 |
+| cef-mbmc-security-alert-detection-1 | malwarebytes-ep-cef-alert-trigger-success-detection |
+| cef-mbmc-security-alert-ipblock | malwarebytes-ep-cef-alert-trigger-success-ipblock |
+| cef-mcafee-cloud-dlp-alert | mcafee-dlp-cef-alert-trigger-success-cloud |
+| cef-mcafee-dlp-alert | mcafee-dlp-cef-alert-trigger-success-deviceplug |
+| cef-mcafee-dlp-alert-1 | mcafee-dlp-mix-alert-trigger-success-dlp |
+| cef-mcafee-dlp-alert-2 | mcafee-dlp-cef-alert-trigger-success-alerttrigger |
+| cef-mcafee-dlp-alert-3 | mcafee-dlp-cef-alert-trigger-success-alerttrigger-1 |
+| cef-mcafee-dlp-alert-info | mcafee-dlp-cef-alert-trigger-success-administrative |
+| cef-mcafee-dlp-email | mcafee-ep-cef-email-send-success-emailsubject |
+| cef-mcafee-dlp-email-alert | mcafee-ep-cef-email-send-success-emaildelivered |
+| cef-mcafee-dlp-email-alert-2 | mcafee-ep-cef-email-send-success-emailprotection |
+| cef-mcafee-dlp-email-alert-failed | mcafee-ep-cef-email-receive-fail-emailrejected |
+| cef-mcafee-dlp-email-out | mcafee-dlp-cef-email-send-success-protectedcontent |
+| cef-mcafee-dlp-prevent | mcafee-dlp-cef-email-send-fail-dlpprevent |
+| cef-mcafee-dns-query | infoblox-bddi-cef-dns-request-success-mcafee |
+| cef-mcafee-epo-alert | mcafee-es-cef-alert-trigger-success-virisscan |
+| cef-mcafee-epo-alert-1 | mcafee-es-cef-alert-trigger-success-roguesystemdetected |
+| cef-mcafee-epo-alert-2 | mcafee-es-cef-alert-trigger-success-notauthorized |
+| cef-mcafee-epo-alert-3 | mcafee-es-cef-alert-trigger-success-portblocking |
+| cef-mcafee-epo-alert-4 | mcafee-es-cef-alert-trigger-success-infectedfiledeleted |
+| cef-mcafee-epo-alert-5 | mcafee-es-cef-alert-trigger-success-userdefinedrules |
+| cef-mcafee-epo-alert-6 | mcafee-es-cef-alert-trigger-success-accessprotectionrule |
+| cef-mcafee-epo-alert-solidifier | mcafee-solidifier-kv-alert-trigger-success-signatureid |
+| cef-mcafee-epo-dlp-alert | mcafee-dlp-kv-alert-trigger-success-epodlpe |
+| cef-mcafee-epo-system-info | mcafee-es-cef-file-delete-epolicyorchestrator |
+| cef-mcafee-epo-system-info-1 | mcafee-es-cef-app-activity-ops |
+| cef-mcafee-mvision-skyhigh-dlp-alert-1 | mcafee-sncasb-cef-alert-trigger-success-alertpolicy |
+| cef-mcafee-network-alert | mcafee-nsp-cef-alert-trigger-success-securitymanager |
+| cef-mcafee-print-activity | mcafee-dlp-cef-printer-activity-success-printingprotection |
+| cef-mcafee-print-activity-1 | mcafee-dlp-cef-printer-activity-success-printername |
+| cef-mcafee-process-alert | mcafee-es-cef-alert-trigger-success-epolicyorchestrator |
+| cef-mcafee-security-alert | mcafee-es-cef-alert-trigger-success-hostintrusion |
+| cef-mcafee-security-alert-1 | mcafee-es-cef-alert-trigger-success-endpointsecurity |
+| cef-mcafee-skyhigh-app-activity | mcafee-sncasb-cef-app-activity-success-appnavigation |
+| cef-mcafee-skyhigh-app-activity-1 | mcafee-sncasb-cef-app-activity-success-userinfoedited |
+| cef-mcafee-skyhigh-app-activity-10 | mcafee-sncasb-leef-app-activity-success-savedviewdeleted |
+| cef-mcafee-skyhigh-app-activity-11 | mcafee-sncasb-leef-app-activity-success-scheduledreportcreated |
+| cef-mcafee-skyhigh-app-activity-12 | mcafee-sncasb-leef-app-activity-success-apiaccess |
+| cef-mcafee-skyhigh-app-activity-2 | mcafee-sncasb-cef-app-activity-success-apploadtimings |
+| cef-mcafee-skyhigh-app-activity-3 | mcafee-sncasb-cef-app-activity-success-showlessview |
+| cef-mcafee-skyhigh-app-activity-4 | mcafee-sncasb-cef-app-activity-success-newusercreated |
+| cef-mcafee-skyhigh-app-activity-5 | mcafee-sncasb-cef-app-activity-success-incidentdownloaded |
+| cef-mcafee-skyhigh-app-activity-6 | mcafee-sncasb-cef-app-activity-success-showmoreview |
+| cef-mcafee-skyhigh-app-activity-7 | mcafee-sncasb-cef-app-activity-success-userdeleted |
+| cef-mcafee-skyhigh-app-activity-8 | mcafee-sncasb-leef-app-activity-success-changeincidentstatus |
+| cef-mcafee-skyhigh-app-activity-9 | mcafee-sncasb-leef-app-activity-success-reportdownloaded |
+| cef-mcafee-skyhigh-app-login | mcafee-sncasb-cef-app-login-success-userloggedin |
+| cef-mcafee-skyhigh-dlp-alert | mcafee-sncasb-mix-alert-trigger-success-anomalies |
+| cef-mcafee-skyhigh-dlp-alert-1 | mcafee-sncasb-cef-alert-trigger-success-dlpalertpolicy |
+| cef-mcafee-skyhigh-failed-app-login | mcafee-sncasb-cef-app-login-fail-auditlogs |
+| cef-mcafee-skyhigh-file-downloaded | mcafee-sncasb-cef-file-download-success-anomalousaccesslocation |
+| cef-mcafee-skyhigh-logout | mcafee-sncasb-cef-app-logout-success-userloggedout |
+| cef-mcafee-skyhigh-security-alert | mcafee-sncasb-cef-alert-trigger-success-superhumanalertaccess |
+| cef-mcafee-usb | mcafee-dlp-cef-file-write-success-blockusb |
+| cef-mcafee-usb-activity | mcafee-es-cef-file-write-success-deviceplug |
+| cef-mcafee-usb-activity-1 | mcafee-es-cef-file-write-success-removablestorage |
+| cef-mcafee-usb-insert | mcafee-es-cef-peripheral-storage-insert-success-deviceplug |
+| cef-mcafee-vse-alert | mcafee-es-cef-alert-trigger-success-virusscan |
+| cef-mdam-db-alert | mcafee-mdam-cef-alert-trigger-success-alert |
+| cef-mdam-db-alert-1 | mcafee-mdam-cef-alert-trigger-success-alert-1 |
+| cef-member-added-2003 | microsoft-evsecurity-cef-group-member-add-success-groupmemberadded |
+| cef-member-added-2008 | microsoft-evsecurity-cef-group-member-add-success-securityenabled |
+| cef-member-removed-2008 | microsoft-evsecurity-cef-group-member-remove-success-4733 |
+| cef-meraki-network-alert | cisco-mma-cef-alert-trigger-success-classification |
+| cef-microsoft-app-activity-1 | microsoft-o365-cef-app-file-success-addmembertorole |
+| cef-microsoft-app-activity-10 | microsoft-o365-cef-app-file-success-deleteuser |
+| cef-microsoft-app-activity-11 | microsoft-o365-cef-app-file-success-restoreuser |
+| cef-microsoft-app-activity-12 | microsoft-o365-cef-app-file-success-updateuser |
+| cef-microsoft-app-activity-13 | microsoft-o365-cef-app-file-success-storageanalyticsevents |
+| cef-microsoft-app-activity-14 | "microsoft-azuremon-sk4-app-activity-operationname |
+| cef-microsoft-app-activity-15 | microsoft-azuremon-sk4-app-activity-bastionauditlogs |
+| cef-microsoft-app-activity-16 | microsoft-azuremon-cef-app-activity-category |
+| cef-microsoft-app-activity-17 | microsoft-o365-cef-app-file-success-filemodified |
+| cef-microsoft-app-activity-18 | microsoft-o365-cef-app-file-success-foldercreated |
+| cef-microsoft-app-activity-19 | microsoft-o365-cef-app-file-success-filedeleted |
+| cef-microsoft-app-activity-2 | microsoft-o365-cef-app-file-success-addgroup |
+| cef-microsoft-app-activity-20 | microsoft-o365-cef-app-file-success-filemoved |
+| cef-microsoft-app-activity-21 | microsoft-o365-cef-app-file-success-filerenamed |
+| cef-microsoft-app-activity-22 | microsoft-o365-cef-app-file-success-fileupload |
+| cef-microsoft-app-activity-23 | microsoft-o365-cef-app-file-success-channeladded |
+| cef-microsoft-app-activity-24 | microsoft-o365-cef-app-file-success-channeldeleted |
+| cef-microsoft-app-activity-25 | microsoft-o365-cef-app-file-success-memberadded |
+| cef-microsoft-app-activity-26 | microsoft-o365-cef-app-file-success-memberremoved |
+| cef-microsoft-app-activity-27 | microsoft-o365-cef-app-file-success-rolechanged |
+| cef-microsoft-app-activity-28 | microsoft-o365-cef-app-file-success-tabadded |
+| cef-microsoft-app-activity-29 | microsoft-o365-cef-app-file-success-tabupdated |
+| cef-microsoft-app-activity-3 | microsoft-o365-cef-app-file-success-deletegroup |
+| cef-microsoft-app-activity-30 | microsoft-o365-cef-app-file-success-viewreport |
+| cef-microsoft-app-activity-31 | microsoft-o365-cef-app-file-success-updatedevice |
+| cef-microsoft-app-activity-32 | microsoft-o365-cef-app-file-success-crmdefaultactivity |
+| cef-microsoft-app-activity-33 | microsoft-o365-cef-app-file-success-downloadreport |
+| cef-microsoft-app-activity-34 | microsoft-o365-cef-app-file-success-refreshdataset |
+| cef-microsoft-app-activity-35 | microsoft-o365-cef-app-file-success-viewdashboard |
+| cef-microsoft-app-activity-36 | microsoft-o365-sk4-app-file-success-viewdashboard |
+| cef-microsoft-app-activity-37 | microsoft-o365-cef-app-file-success-displayname |
+| cef-microsoft-app-activity-38 | microsoft-azure-cef-app-file-success-ldapquery |
+| cef-microsoft-app-activity-39 | microsoft-o365-cef-app-file-success-movetodeleteditems |
+| cef-microsoft-app-activity-4 | microsoft-o365-cef-app-file-success-groupupload |
+| cef-microsoft-app-activity-40 | microsoft-o365-cef-app-file-success-addapplication |
+| cef-microsoft-app-activity-41 | microsoft-o365-cef-app-file-success-harddelete |
+| cef-microsoft-app-activity-42 | microsoft-o365-cef-app-file-success-modifiedproperties |
+| cef-microsoft-app-activity-43 | microsoft-azure-sk4-app-file-success-secretget |
+| cef-microsoft-app-activity-44 | microsoft-azure-sk4-app-file-success-keybackup |
+| cef-microsoft-app-activity-5 | microsoft-o365-cef-app-file-success-removememberfromgroup |
+| cef-microsoft-app-activity-51 | microsoft-o365-cef-app-file-success-filesyncuploadedfull |
+| cef-microsoft-app-activity-52 | microsoft-o365-cef-app-file-success-addtogroup |
+| cef-microsoft-app-activity-53 | microsoft-o365-sk4-app-activity-success-addedtogroup |
+| cef-microsoft-app-activity-54 | microsoft-o365-sk4-app-activity-success-softdelete |
+| cef-microsoft-app-activity-55 | microsoft-o365-sk4-app-activity-success-movetodeleteditems-2 |
+| cef-microsoft-app-activity-56 | microsoft-o365-sk4-app-activity-success-create |
+| cef-microsoft-app-activity-7 | microsoft-o365-cef-app-file-success-serviceprincipal |
+| cef-microsoft-app-activity-8 | microsoft-o365-cef-app-file-success-addownertogroup |
+| cef-microsoft-app-activity-9 | microsoft-o365-cef-app-file-success-adduser |
+| cef-microsoft-app-activity-inbox-rule | microsoft-o365-cef-app-activity-success-inboxrule |
+| cef-microsoft-app-login | microsoft-azure-cef-app-login-success-description |
+| cef-microsoft-app-login-1 | microsoft-azuremon-sk4-app-authentication-accounttokenlogin |
+| cef-microsoft-app-login-2 | microsoft-azuremon-sk4-app-login-databricks |
+| cef-microsoft-app-login-3 | microsoft-azuremon-cef-app-login-browserlogin |
+| cef-microsoft-app-logout | microsoft-azuremon-sk4-app-logout-sshlogout |
+| cef-microsoft-auth-attempt | microsoft-azure-cef-app-authentication-credentialsvalidation |
+| cef-microsoft-azure-signalr | microsoft-azuremon-mix-network-start-collection |
+| cef-microsoft-azure-signalr-1 | microsoft-azuremon-cef-network-start-fail-startconnectionfailed |
+| cef-microsoft-azure-signalr-2 | microsoft-azuremon-cef-network-close-connectionabort |
+| cef-microsoft-azure-signalr-3 | microsoft-azuremon-mix-network-start-collection |
+| cef-microsoft-database-delete | microsoft-mssql-cef-database-delete-success-deletedatabasecommand |
+| cef-microsoft-database-events | logbinder-sqlserver-cef-database-activity-logbindersql |
+| cef-microsoft-database-failed-login | microsoft-mssql-cef-database-login-fail-24003 |
+| cef-microsoft-database-failed-login-1 | microsoft-mssql-cef-database-login-fail-atz |
+| cef-microsoft-database-login | microsoft-mssql-cef-database-login-success-loginsucceded |
+| cef-microsoft-database-query | microsoft-azure-cef-database-query-success-samr |
+| cef-microsoft-dlp-alert | microsoft-defendercloud-cef-alert-trigger-success-datalossprevention |
+| cef-microsoft-dns-query | microsoft-azure-cef-dns-request-success-dnsquery |
+| cef-microsoft-failed-app-login | microsoft-azure-cef-app-login-fail-dest |
+| cef-microsoft-file-activity | microsoft-azuremon-sk4-app-activity-appservicefileauditlogs |
+| cef-microsoft-graph-activity | microsoft-o365-json-app-login-fail-loginfail |
+| cef-microsoft-graph-activity-1 | microsoft-o365-json-app-login-success-loginsuccess |
+| cef-microsoft-graph-activity-2 | microsoft-m365auditlogs-sk4-app-activity-graphdirectoryauditlogs |
+| cef-microsoft-graph-activity-3 | microsoft-o365-json-app-login-fail-loginfailed |
+| cef-microsoft-graph-activity-4 | microsoft-o365-json-app-login-success-loginsuccess-1 |
+| cef-microsoft-graph-activity-5 | microsoft-m365auditlogs-sk4-app-activity-mcasactivities |
+| cef-microsoft-graph-activity-6 | microsoft-o365-json-app-login-success-loginsuccess-2 |
+| cef-microsoft-password-change | microsoft-azure-cef-user-password-modify-success-pwdchanged |
+| cef-microsoft-print-activity | microsoft-evprintservice-cef-printer-activity-success-307 |
+| cef-microsoft-process-alert | microsoft-defendercloud-cef-alert-trigger-success-vmsvchostrun |
+| cef-microsoft-process-alert-1 | microsoft-defendercloud-cef-alert-trigger-success-vmrunbypsexec |
+| cef-microsoft-remote-logon | microsoft-azure-cef-rdp-traffic-success-remotedesktop |
+| cef-microsoft-security-alert | microsoft-defendercloud-cef-alert-trigger-success-storageblob |
+| cef-microsoft-security-alert-1 | microsoft-defendercloud-cef-alert-trigger-success-mcasalert |
+| cef-microsoft-system-info | microsoft-o365-sk4-app-activity-auditevent |
+| cef-mimecast-dlp-email | mimecast-seg-cef-email-send-receive-rcpt |
+| cef-mimecast-dlp-email-attachment | mimecast-seg-cef-email-send-receive-attname |
+| cef-mimecast-email-alert | mimecast-seg-cef-email-url |
+| cef-mimecast-email-alert-1 | mimecast-seg-cef-email-inbound |
+| cef-mimecast-email-alert-2 | mimecast-seg-sk4-email-receive-success-emailsecurity |
+| cef-mimecast-email-alert-3 | mimecast-seg-sk4-email-send-receive-defaulttenant |
+| cef-mimecast-failed-app-login | mimecast-seg-cef-app-login-fail-logonauthfailed |
+| cef-mimecast-message-view | mimecast-seg-cef-app-activity-success-messageviewlogs |
+| cef-mimecast-security-alert | mimecast-seg-cef-email-hold |
+| cef-mimecast-web-activity | mimecast-ttp-sk4-http-session-emailsecurity |
+| cef-moveit-activity | ipswitch-moveittransfer-cef-app-activity-success-moveit |
+| cef-moveit-app-failed-login | ipswitch-moveittransfer-kv-app-login-fail-moveit |
+| cef-moveit-app-login | ipswitch-moveittransfer-kv-app-login-success-signon |
+| cef-msn-nac-logon | microsoft-nps-cef-endpoint-login-success-accessrequest |
+| cef-mssql-database-access | microsoft-mssql-cef-database-activity-success-sqlserver |
+| cef-mssql-database-login | microsoft-mssql-cef-database-login-success-authentication |
+| cef-mwg-proxy | mcafee-wg-cef-http-session-gateway |
+| cef-nac-logon | cisco-ise-cef-endpoint-login-success-authenticationsucceeded |
+| cef-named-dns-config-change | infoblox-nios-cef-configuration-modify-rpziprewrite |
+| cef-netapp-4624 | microsoft-evsecurity-sk4-endpoint-4624 |
+| cef-netapp-4634 | microsoft-evsecurity-sk4-endpoint-logout-success-4634 |
+| cef-netapp-4656 | microsoft-evsecurity-sk4-handle-request-success-4656 |
+| cef-netapp-4659 | microsoft-evsecurity-sk4-handle-request-success-4659 |
+| cef-netapp-4660 | microsoft-evsecurity-sk4-endpoint-activity-success-4660 |
+| cef-netapp-4663 | microsoft-evsecurity-sk4-file-write-success-4663 |
+| cef-netapp-4670 | netapp-n-sk4-file-permission-modify-4670 |
+| cef-netapp-9999 | netapp-n-sk4-file-rename-9999 |
+| cef-netapp-file-delete | netapp-n-cef-file-delete-success-objectopenfordelete |
+| cef-netapp-file-delete-2 | netapp-n-cef-file-delete-success-deleteobjectattempt |
+| cef-netapp-file-operations-1 | netapp-n-json-file-success-operation |
+| cef-netapp-file-read | netapp-n-cef-file-read-success-objectopen |
+| cef-netapp-file-read-2 | netapp-n-cef-file-read-success-objectopen-1 |
+| cef-netapp-file-updates | netapp-n-cef-file-write-success-cifs |
+| cef-netscaler-aaatm-login | citrix-cgateway-cef-endpoint-login-success-login |
+| cef-netscreen-network-connection-deny | juniper-srx-cef-network-traffic-fail-trafficdeny |
+| cef-netscreen-network-connection-permit | juniper-srx-cef-network-traffic-success-trafficpermit |
+| cef-netskope-alert | netskope-sc-sk4-alert-trigger-success-netskope-1 |
+| cef-netskope-alert-1 | netskope-sc-sk4-alert-trigger-success-netskope |
+| cef-netskope-alert-2 | netskope-sc-sk4-alert-trigger-success-malwaretype |
+| cef-netskope-alert-anomaly | netskope-sc-sk4-alert-trigger-success-alerttypeanomaly |
+| cef-netskope-alert-compromise | netskope-sc-sk4-alert-trigger-success-breach |
+| cef-netskope-alert-malsite | netskope-sc-sk4-alert-trigger-success-malsite |
+| cef-netskope-alert-policy | netskope-sc-sk4-alert-trigger-success-actdetect |
+| cef-netskope-alert-policy-1 | netskope-sc-json-alert-trigger-success-policy |
+| cef-netskope-app-activity-1 | netskope-sc-sk4-app-activity-success-dislike |
+| cef-netskope-app-activity-10 | netskope-sc-sk4-app-activity-success-create |
+| cef-netskope-app-activity-11 | netskope-sc-sk4-app-activity-success-delete |
+| cef-netskope-app-activity-12 | netskope-sc-sk4-app-activity-success-download |
+| cef-netskope-app-activity-13 | netskope-sc-sk4-app-activity-success-edit |
+| cef-netskope-app-activity-14 | netskope-sc-sk4-app-activity-success-invite |
+| cef-netskope-app-activity-15 | netskope-sc-sk4-app-activity-success-move |
+| cef-netskope-app-activity-16 | netskope-sc-sk4-app-activity-success-share |
+| cef-netskope-app-activity-17 | netskope-sc-sk4-app-activity-success-upload |
+| cef-netskope-app-activity-18 | netskope-sc-sk4-app-activity-success-view |
+| cef-netskope-app-activity-19 | netskope-sc-sk4-app-activity-success-viewall |
+| cef-netskope-app-activity-2 | netskope-sc-sk4-app-activity-success-like |
+| cef-netskope-app-activity-20 | netskope-sc-sk4-app-activity-success-mark |
+| cef-netskope-app-activity-21 | netskope-sc-cef-file-write-success-rename |
+| cef-netskope-app-activity-22 | netskope-sc-sk4-app-activity-success-sitecolumncreated |
+| cef-netskope-app-activity-23 | netskope-sc-sk4-app-activity-success-deleteuser |
+| cef-netskope-app-activity-24 | netskope-sc-sk4-app-activity-success-strongauthentication |
+| cef-netskope-app-activity-25 | netskope-sc-sk4-app-activity-success-searchqueryperformed |
+| cef-netskope-app-activity-26 | netskope-sc-sk4-app-activity-success-updatetimestamp |
+| cef-netskope-app-activity-27 | netskope-sc-sk4-app-activity-success-alertcenterview |
+| cef-netskope-app-activity-28 | netskope-sc-sk4-app-activity-success-archiveuser |
+| cef-netskope-app-activity-29 | netskope-sc-sk4-app-activity-success-changegmailsetting |
+| cef-netskope-app-activity-3 | netskope-sc-sk4-app-activity-success-powerups |
+| cef-netskope-app-activity-30 | netskope-sc-sk4-app-activity-success-createlevel |
+| cef-netskope-app-activity-31 | netskope-sc-sk4-app-activity-success-creategmailsetting |
+| cef-netskope-app-activity-32 | netskope-sc-sk4-app-activity-success-deletelevel |
+| cef-netskope-app-activity-33 | netskope-sc-sk4-app-activity-success-deletesetting |
+| cef-netskope-app-activity-34 | netskope-sc-sk4-app-activity-success-driverestore |
+| cef-netskope-app-activity-35 | netskope-sc-sk4-app-activity-success-emaillogsearch |
+| cef-netskope-app-activity-36 | netskope-sc-sk4-app-activity-success-groupmembersdownload |
+| cef-netskope-app-activity-37 | netskope-sc-sk4-app-activity-success-requesttransfer |
+| cef-netskope-app-activity-38 | netskope-sc-sk4-app-activity-success-securityinvestigationquery |
+| cef-netskope-app-activity-39 | netskope-sc-sk4-app-activity-success-accesslevel |
+| cef-netskope-app-activity-4 | netskope-sc-sk4-app-activity-success-follow |
+| cef-netskope-app-activity-40 | netskope-sc-sk4-app-activity-success-updategroupmember |
+| cef-netskope-app-activity-41 | netskope-sc-sk4-app-activity-success-alertcentergetsitlink |
+| cef-netskope-app-activity-42 | netskope-sc-sk4-app-activity-success-alertcenterlistchange |
+| cef-netskope-app-activity-43 | netskope-sc-sk4-app-activity-success-alertcenterlistfeedback |
+| cef-netskope-app-activity-44 | netskope-sc-sk4-app-activity-success-alertcenterlistrelatedalerts |
+| cef-netskope-app-activity-45 | netskope-sc-sk4-app-activity-success-putobject |
+| cef-netskope-app-activity-46 | netskope-sc-sk4-app-activity-success-copyobject |
+| cef-netskope-app-activity-47 | netskope-sc-sk4-app-activity-success-multipartupload |
+| cef-netskope-app-activity-48 | netskope-sc-sk4-app-activity-success-uploadpart |
+| cef-netskope-app-activity-49 | netskope-sc-sk4-app-activity-success-deleteobject |
+| cef-netskope-app-activity-5 | netskope-sc-sk4-app-activity-success-post |
+| cef-netskope-app-activity-50 | netskope-sc-sk4-app-activity-success-completeupload |
+| cef-netskope-app-activity-51 | netskope-sc-sk4-app-activity-success-pageprefetched |
+| cef-netskope-app-activity-6 | netskope-sc-sk4-app-activity-success-terminate |
+| cef-netskope-app-activity-7 | netskope-sc-sk4-app-activity-success-receive |
+| cef-netskope-app-activity-8 | netskope-sc-sk4-app-activity-success-send |
+| cef-netskope-app-activity-9 | netskope-sc-sk4-app-activity-success-approve |
+| cef-netskope-app-login-1 | netskope-sc-sk4-app-login-success-page |
+| cef-netskope-app-login-2 | netskope-sc-cef-app-login-success-loginsuccessful |
+| cef-netskope-dlp-alert | netskope-sc-sk4-alert-trigger-success-alertypedlp |
+| cef-netskope-dlp-alert-1 | netskope-sc-sk4-alert-trigger-success-alertypedlp |
+| cef-netskope-dlp-alert-3 | netskope-sc-json-alert-trigger-success-dlp-1 |
+| cef-netskope-dlp-alert-4 | netskope-sc-cef-alert-trigger-success-dlp |
+| cef-netskope-dlp-email-alert-1 | netskope-sc-cef-email-send-success-mail |
+| cef-netskope-failed-app-login | netskope-sc-cef-app-login-fail-loginfailed |
+| cef-netskope-file-operation-1 | netskope-sc-cef-file-browse |
+| cef-netskope-file-operation-11 | netskope-sc-cef-file-read-success-preview |
+| cef-netskope-file-operation-12 | netskope-sc-cef-file-permission-modify-success-share |
+| cef-netskope-file-operation-13 | netskope-sc-cef-file-upload-success-upload |
+| cef-netskope-file-operation-14 | netskope-sc-cef-file-read-success-view |
+| cef-netskope-file-operation-15 | netskope-sc-cef-file-read-success-viewall |
+| cef-netskope-file-operation-16 | netskope-sc-cef-file-read-success-accessedextended |
+| cef-netskope-file-operation-17 | netskope-sc-cef-file-write-success-modifiedextended |
+| cef-netskope-file-operation-18 | netskope-sc-cef-file-write-success-listupdated |
+| cef-netskope-file-operation-19 | netskope-sc-cef-file-write-success-listcolumncreated |
+| cef-netskope-file-operation-2 | netskope-sc-json-file-read-success-introspectionscan |
+| cef-netskope-file-operation-20 | netskope-sc-cef-file-write-success-listcreated |
+| cef-netskope-file-operation-21 | netskope-sc-cef-file-delete-success-listitemdeleted |
+| cef-netskope-file-operation-22 | netskope-sc-cef-file-write-success-listitemupdated |
+| cef-netskope-file-operation-23 | netskope-sc-cef-file-delete-success-filedeleted |
+| cef-netskope-file-operation-24 | netskope-sc-sk4-file-delete-success-folderdeleted |
+| cef-netskope-file-operation-25 | netskope-sc-cef-file-read-success-pageviewedextended |
+| cef-netskope-file-operation-26 | netskope-sc-json-file-download-success-download |
+| cef-netskope-file-operation-3 | netskope-sc-cef-file-write-success-create |
+| cef-netskope-file-operation-4 | netskope-sc-cef-file-delete-success-delete |
+| cef-netskope-file-operation-5 | netskope-sc-cef-file-download-success-download |
+| cef-netskope-file-operation-6 | netskope-sc-cef-file-write-success-edit |
+| cef-netskope-file-operation-9 | netskope-sc-cef-file-write-success-move |
+| cef-netskope-logout | netskope-sc-cef-app-logout-logoutsuccessful |
+| cef-netskope-logout-1 | netskope-sc-json-app-logout-success-logout |
+| cef-netskope-network-info | netskope-sc-json-app-login-loginattempt |
+| cef-netskope-system-info | netskope-sc-sk4-app-activity-adminauditlogs |
+| cef-netskope-web-activity | netskope-sc-cef-http-session-success-page |
+| cef-netskope-web-activity-1 | netskope-sc-cef-http-session-success-cloudapp |
+| cef-netskope-web-policy | netskope-sc-cef-http-session-fail-block-1 |
+| cef-netskope-web-policy-1 | netskope-sc-cef-http-session-fail-block |
+| cef-nozomi-guardian-security-alert | nozomi-guardian-cef-alert-trigger-success-n2os |
+| cef-nsx-fw-logs-1 | vmware-nsxfw-cef-network-traffic-success-nsxfw |
+| cef-o365-app-activity-1 | microsoft-o365-cef-file-accessrequestapproved |
+| cef-o365-app-activity-10 | microsoft-o365-cef-file-read-success-removedfromgroup |
+| cef-o365-app-activity-11 | microsoft-o365-cef-file-read-success-searchquery |
+| cef-o365-app-activity-12 | microsoft-o365-cef-file-read-success-resultreturn |
+| cef-o365-app-activity-13 | microsoft-o365-cef-file-read-success-videorequest |
+| cef-o365-app-activity-14 | microsoft-o365-cef-app-file-teams |
+| cef-o365-app-activity-15 | microsoft-o365-cef-file-read-success-sharepoint |
+| cef-o365-app-activity-16 | microsoft-o365-cef-file-read-success-listcolumncreated |
+| cef-o365-app-activity-17 | microsoft-o365-cef-file-read-success-listupdate |
+| cef-o365-app-activity-18 | microsoft-o365-cef-file-read-success-dlprule |
+| cef-o365-app-activity-19 | microsoft-o365-cef-file-read-success-channeladd |
+| cef-o365-app-activity-2 | microsoft-o365-cef-file-read-success-accessrequest |
+| cef-o365-app-activity-20 | microsoft-o365-cef-file-read-success-memberadded |
+| cef-o365-app-activity-21 | microsoft-o365-cef-app-file-memberremoved |
+| cef-o365-app-activity-22 | microsoft-o365-cef-app-file-tabadded |
+| cef-o365-app-activity-23 | microsoft-o365-cef-file-read-success-tabupdated |
+| cef-o365-app-activity-24 | microsoft-o365-sk4-app-activity-success-setuser |
+| cef-o365-app-activity-3 | microsoft-o365-cef-file-addtogroup |
+| cef-o365-app-activity-4 | microsoft-o365-cef-file-write-success-companylink |
+| cef-o365-app-activity-5 | microsoft-o365-cef-file-write-success-microsoft |
+| cef-o365-app-activity-6 | microsoft-o365-cef-file-write-success-sharinginheritance |
+| cef-o365-app-activity-7 | microsoft-o365-cef-file-write-success-sharingrevoked |
+| cef-o365-app-activity-8 | microsoft-o365-cef-file-write-success-sharingset |
+| cef-o365-app-activity-9 | microsoft-o365-cef-file-write-success-wactoken |
+| cef-o365-app-login | microsoft-o365-cef-app-login-appdisplayname |
+| cef-o365-app-login-1 | microsoft-azuread-cef-app-login-clientappused |
+| cef-o365-app-login-2 | microsoft-o365-cef-app-login-success-user |
+| cef-o365-app-login-failed | microsoft-o365-cef-app-login-fail-userloginfailed |
+| cef-o365-dlp-alert | microsoft-o365-cef-alert-trigger-success-alertdetected |
+| cef-o365-dlp-email | microsoft-o365-cef-email-success-subject |
+| cef-o365-file-delete-1 | microsoft-o365-cef-file-delete-success-filedeleted |
+| cef-o365-file-delete-2 | microsoft-o365-cef-file-delete-success-folderdeleted |
+| cef-o365-file-read-1 | microsoft-o365-cef-file-read-success-fileaccessed |
+| cef-o365-file-read-2 | microsoft-o365-cef-file-read-success-fileaccessedextended |
+| cef-o365-file-read-3 | microsoft-o365-cef-file-read-success-filecheckedout |
+| cef-o365-file-read-4 | microsoft-o365-cef-file-read-success-filedownloaded |
+| cef-o365-file-read-5 | microsoft-o365-cef-file-read-success-filepreviewed |
+| cef-o365-file-read-6 | microsoft-o365-cef-file-read-success-filesync |
+| cef-o365-file-read-7 | microsoft-o365-cef-file-read-success-pageviewed |
+| cef-o365-file-read-8 | microsoft-o365-cef-file-read-success-pageviewedextended |
+| cef-o365-file-write-1 | microsoft-o365-cef-file-write-success-filecheckedin |
+| cef-o365-file-write-10 | microsoft-o365-cef-file-write-success-foldermoved |
+| cef-o365-file-write-11 | microsoft-o365-cef-file-write-success-folderrenamed |
+| cef-o365-file-write-2 | microsoft-o365-cef-file-write-success-filemodified |
+| cef-o365-file-write-3 | microsoft-o365-cef-file-write-success-filemodifiedextended |
+| cef-o365-file-write-4 | microsoft-o365-cef-file-write-success-filemoved |
+| cef-o365-file-write-5 | microsoft-o365-cef-file-write-success-filerenamed |
+| cef-o365-file-write-6 | microsoft-o365-cef-file-write-success-filesyncuploadedfull |
+| cef-o365-file-write-7 | microsoft-o365-cef-file-write-success-fileuploaded |
+| cef-o365-file-write-8 | microsoft-o365-cef-file-write-success-foldercreated |
+| cef-o365-file-write-9 | microsoft-o365-cef-file-write-success-filemodified-1 |
+| cef-o365-password-change | microsoft-o365-cef-user-password-modify-success-changeuserpassword |
+| cef-o365-security-alert | microsoft-o365-sk4-alert-trigger-success-graphidentity |
+| cef-o365-system-info | microsoft-m365auditlogs-sk4-app-activity-managementgeneral |
+| cef-observeit-app-activity | observeit-o-cef-app-activity-success-observeit |
+| cef-observeit-security-alert | observeit-o-cef-alert-trigger-success-high |
+| cef-okta-account-password-reset | okta-amfa-cef-user-password-reset-success-pwdreset |
+| cef-okta-account-unlocked | okta-amfa-cef-user-password-reset-success-pwdreset-1 |
+| cef-okta-app-activity | okta-amfa-sk4-app-appactivity |
+| cef-okta-app-login | okta-amfa-cef-app-login-success-userssosuccess |
+| cef-okta-app-login-1 | okta-amfa-cef-app-login-success-userauthverify |
+| cef-okta-logs-app-activity | okta-amfa-mix-app-login-success-securitycontext |
+| cef-okta-logs-app-alert | okta-amfa-cef-alert-trigger-success-passwordspraydetected |
+| cef-okta-logs-authentication | okta-amfa-sk4-endpoint-login-inbounddelauth |
+| cef-okta-member-added | okta-amfa-sk4-group-member-add-success-adduser |
+| cef-onapsis-app-login | onapsis-o-cef-app-login-success-onapsis |
+| cef-onapsis-failed-app-login | onapsis-o-cef-app-login-fail-logins |
+| cef-onapsis-security-alert | onapsis-o-cef-alert-trigger-success-osp |
+| cef-onapsis-system-event | onapsis-o-cef-app-notification-isalive |
+| cef-onedrive-app-activity | microsoft-o365-sk4-app-activity-success-pageviewed |
+| cef-onedrive-app-activity-1 | microsoft-o365-cef-app-activity-list-listcolumnupdated |
+| cef-onedrive-app-activity-2 | microsoft-o365-cef-app-activity-list-listcolumnupdated-1 |
+| cef-onedrive-app-activity-3 | microsoft-o365-cef-app-activity-list-updatedlist |
+| cef-onedrive-app-activity-4 | microsoft-o365-cef-app-activity-list-companylinkused |
+| cef-onedrive-app-activity-5 | microsoft-o365-cef-app-activity-list-listcreated |
+| cef-onedrive-app-activity-7 | microsoft-o365-cef-app-activity-list-filesyncdownloadedpartial |
+| cef-onedrive-file-activity | microsoft-o365-cef-file-read-success-fileaccessed-1 |
+| cef-onelogin-app-activity | onelogin-o-cef-app-login-assumingactinguserid |
+| cef-oracle-db-delete | oracle-db-cef-database-delete-success-delete |
+| cef-oracle-db-query | oracle-db-cef-database-query-success-select |
+| cef-oracle-db-update | oracle-db-cef-database-modify-success-update |
+| cef-palo-alto-networks-firewall-allow | pan-ngfw-cef-network-traffic-success-end |
+| cef-palo-alto-networks-firewall-connection | pan-ngfw-cef-network-traffic-trafficdeny |
+| cef-palo-alto-networks-firewall-connection-1 | pan-ngfw-cef-network-traffic-success-decryption |
+| cef-palo-alto-networks-firewall-deny | pan-ngfw-cef-network-traffic-fail-deny |
+| cef-palo-alto-networks-firewall-drop | pan-ngfw-cef-network-traffic-fail-drop |
+| cef-palo-alto-networks-firewall-drop-1 | pan-ngfw-cef-network-traffic-fail-trafficdrop |
+| cef-palo-alto-networks-firewall-end | pan-ngfw-cef-network-traffic-success-traffic |
+| cef-palo-alto-networks-firewall-end-1 | pan-ngfw-cef-network-traffic-trafficend |
+| cef-palo-alto-networks-firewall-start | pan-ngfw-cef-network-traffic-starttraffic |
+| cef-palo-alto-networks-security-alert | pan-ngfw-cef-alert-trigger-success-panos |
+| cef-palo-alto-networks-security-alert-1 | pan-ngfw-cef-alert-trigger-success-spyware |
+| cef-palo-alto-networks-setip | pan-ngfw-cef-vpn-login-success-clientswitchtossltunnelmodesucceeded |
+| cef-palo-alto-networks-vulnerability-alert | pan-ngfw-cef-alert-trigger-success-threatvulnerability |
+| cef-palo-alto-userid-login | pan-gp-cef-vpn-login-success-login |
+| cef-palo-alto-userid-logout | pan-gp-cef-vpn-logout-success-logout |
+| cef-palo-alto-vpn-system-event | pan-gp-cef-app-notification-success-vpn |
+| cef-palo-alto-vpn-system-event-1 | pan-gp-cef-app-notification-success-userid |
+| cef-paloalto-firewall | pan-ngfw-cef-network-traffic-fail-panostraffic |
+| cef-paloalto-firewall-global-protect | pan-gp-cef-endpoint-authentication-panossystem |
+| cef-pan-auth-failed | pan-gp-cef-endpoint-authentication-fail-authfailed |
+| cef-pan-auth-successful | pan-gp-cef-endpoint-authentication-success-userauthentication |
+| cef-pan-failed-logon | pan-gp-kv-endpoint-login-fail-globalprotect |
+| cef-pan-gp-app-activity | pan-ngfw-cef-app-activity-success-globalprotect |
+| cef-pan-gp-app-activity-1 | pan-ngfw-cef-app-activity-success-globalprotect-1 |
+| cef-pan-gp-app-activity-2 | pan-ngfw-cef-app-activity-success-hipreport |
+| cef-pan-gp-app-activity-3 | pan-ngfw-cef-app-activity-success-getconfig |
+| cef-pan-gp-app-activity-4 | pan-ngfw-cef-app-activity-success-tunnellatency |
+| cef-pan-gp-app-activity-5 | pan-ngfw-cef-app-activity-success-ipsec |
+| cef-pan-gp-system-event | pan-gp-cef-app-notification-success-panos |
+| cef-pan-gp-system-event-1 | pan-gp-cef-app-notification-success-hipmatch |
+| cef-pan-gp-vpn-end | pan-ngfw-cef-vpn-logout-success-logout |
+| cef-pan-gp-vpn-login | pan-ngfw-cef-vpn-login-prelogin |
+| cef-pan-gp-vpn-login-1 | pan-ngfw-cef-vpn-login-prelogin-1 |
+| cef-pan-gp-vpn-login-2 | pan-ngfw-cef-vpn-login-register |
+| cef-pan-gp-vpn-login-3 | pan-ngfw-cef-vpn-login-connected |
+| cef-pan-gp-vpn-start | pan-ngfw-cef-vpn-login-auth |
+| cef-pan-gp-vpn-start-1 | pan-ngfw-cef-vpn-login-auth-1 |
+| cef-pan-network-alert | pan-ngfw-cef-alert-trigger-success-threat |
+| cef-pan-network-alert-1 | pan-ngfw-cef-alert-trigger-success-panos-1 |
+| cef-pan-network-info | pan-ngfw-cef-app-activity-panos |
+| cef-pan-ngfw-system-auth | pan-ngfw-cef-app-notification-success-auth |
+| cef-pan-proxy | pan-ngfw-cef-http-session-url |
+| cef-pan-remote-logon | pan-gp-kv-endpoint-login-fail-loginsucceeded |
+| cef-pan-vpn-end | pan-gp-cef-vpn-logout-success-globalprotect |
+| cef-pan-vpn-login-failed | pan-gp-mix-vpn-login-fail-globalprotect |
+| cef-pan-vpn-login-failed-1 | pan-gp-cef-vpn-login-fail-globalprotect |
+| cef-pan-vpn-set-ip | pan-gp-cef-vpn-login-success-paloaltonetworks |
+| cef-pan-vpn-start | pan-gp-cef-vpn-login-success-gatewayuser |
+| cef-pantraps-alert | pan-tesm-mix-alert-trigger-success-trapsagent |
+| cef-phishme-security-alert | cofense-pm-cef-alert-trigger-success-rulematch |
+| cef-ping-app-login | pingidentity-pi-cef-app-login-success-sso-1 |
+| cef-ping-app-login-1 | pingidentity-pi-cef-app-login-success-sso |
+| cef-ping-app-login-2 | pingidentity-pingone-sk4-app-login-success-loginsuccess |
+| cef-ping-auth-attempt | pingidentity-pi-cef-app-authentication-success-inprogress |
+| cef-ping-auth-attempt-1 | pingidentity-pi-cef-app-authentication-success-inprogress-1 |
+| cef-ping-auth-attempt-2 | pingidentity-pi-cef-app-authentication-success-oauth |
+| cef-ping-auth-failed | pingidentity-pi-cef-app-authentication-fail-failure |
+| cef-ping-auth-failed-1 | pingidentity-pi-cef-endpoint-authentication-fail-failure |
+| cef-ping-auth-failed-2 | pingidentity-pi-cef-endpoint-authentication-fail-authfailure |
+| cef-ping-auth-failed-3 | pingidentity-pi-cef-app-authentication-fail-failure-1 |
+| cef-ping-auth-successful | pingidentity-pi-cef-vpn-authentication-success-authnattempt |
+| cef-ping-auth-successful-1 | pingidentity-pi-cef-endpoint-authentication-success-authsuccess |
+| cef-ping-auth-successful-2 | pingidentity-pi-cef-endpoint-authentication-success-authenticated |
+| cef-ping-auth-successful-3 | pingidentity-pi-cef-vpn-authentication-success-pingfederate |
+| cef-ping-auth-successful-4 | pingidentity-pingone-sk4-vpn-login-success-sso |
+| cef-ping-auth-successful-5 | pingidentity-pingone-cef-vpn-authentication-success-ping |
+| cef-ping-auth-successful-6 | pingidentity-pi-cef-vpn-authentication-success-authnsessionused |
+| cef-ping-auth-successful-7 | pingidentity-pi-cef-endpoint-authentication-success-authnsessioncreated |
+| cef-ping-events-skyformation-app-activity | pingidentity-pi-cef-app-activity-success-action |
+| cef-ping-events-skyformation-password | pingidentity-pi-cef-app-login-password |
+| cef-ping-events-skyformation-sso | pingidentity-pi-cef-app-login-sso |
+| cef-ping-events-skyformation-sso-idp | pingidentity-pi-cef-app-login-sso-idp |
+| cef-ping-events-skyformation-sso-session | pingidentity-pi-cef-app-login-sso-session |
+| cef-ping-failed-app-login | pingidentity-pi-cef-app-login-fail-sso-1 |
+| cef-ping-failed-app-login-1 | pingidentity-pi-cef-app-login-fail-sso |
+| cef-ping-failed-app-login-2 | pingidentity-pingone-sk4-app-login-fail-loginfailed |
+| cef-ping-logout | pingidentity-pi-cef-app-logout-success-slo |
+| cef-ping-logout-1 | pingidentiy-pi-cef-app-logout-success-authsessiondelete |
+| cef-ping-logout-2 | pingidentity-pi-cef-app-logout-success-slo-1 |
+| cef-ping-logout-3 | pingidentity-pi-cef-app-logout-success-pingfederate |
+| cef-pingfed-eamauth-authentication-attempt | pingidentity-pi-cef-app-authentication-success-eamauth |
+| cef-pingfed-eamauth-authentication-attempt-2 | pingidentity-pi-cef-app-authentication-success-authnattempt |
+| cef-pingfed-eamauth-authentication-attempt-3 | pingidentity-pi-cef-app-authentication-success-authnsessioncreated |
+| cef-pingfed-eamauth-authentication-attempt-4 | pingidentity-pi-cef-app-authentication-success-authnsessionused |
+| cef-pingid-auth | pingidentity-pi-cef-endpoint-login-sso |
+| cef-pingone-audit | pingidentity-pingone-sk4-app-activity-ping-1 |
+| cef-pingone-system-info | pingidentity-pingone-sk4-app-activity-ping |
+| cef-pingone-vpn-login | pingidentity-pingone-sk4-vpn-login-success-pingauthsuccess |
+| cef-postgresql-audit | postgresql-p-cef-database-178272478 |
+| cef-postscript-print-activity | postscript-ps-str-printer-activity-success-print |
+| cef-powershell-12039 | microsoft-evpowershell-cef-endpoint-activity-12039 |
+| cef-powershell-300 | microsoft-evpowershell-cef-process-create-success-300 |
+| cef-powershell-400 | microsoft-evpowershell-cef-endpoint-notification-400 |
+| cef-powershell-403 | microsoft-evpowershell-cef-endpoint-notification-403 |
+| cef-powershell-40961 | microsoft-evpowershell-cef-endpoint-notification-40961 |
+| cef-powershell-40962 | microsoft-evpowershell-cef-endpoint-notification-40962 |
+| cef-powershell-4100 | microsoft-evpowershell-cef-script-execute-fail-4100 |
+| cef-powershell-4102 | microsoft-evpowershell-cef-process-create-success-4102 |
+| cef-powershell-4104 | microsoft-evpowershell-cef-script-execute-success-4104 |
+| cef-powershell-53504 | microsoft-evpowershell-cef-network-listen-53504 |
+| cef-powershell-600 | microsoft-evsecurity-cef-process-create-success-600 |
+| cef-powershell-8196 | microsoft-evpowershell-cef-endpoint-notification-8196 |
+| cef-powershell-8197 | microsoft-evpowershell-cef-endpoint-activity-8197 |
+| cef-proofpoint-dlp-alert-1 | proofpoint-pep-cef-alert-trigger-success-emailquarantineout |
+| cef-proofpoint-dlp-alert-2 | proofpoint-pep-cef-email-alert-success-emaildelivery |
+| cef-proofpoint-dlp-alert-3 | proofpoint-pep-cef-email-send-success-emailquarantine |
+| cef-proofpoint-email-in | proofpoint-tap-cef-email-receive-messageblocked |
+| cef-proofpoint-email-in-1 | proofpoint-pep-cef-email-receive-success-emaildelivery |
+| cef-proofpoint-email-in-failed | proofpoint-pep-cef-email-receive-fail-emaildeliveryfailed |
+| cef-proofpoint-email-out | proofpoint-pep-cef-email-send-success-emaildeliveryout |
+| cef-proofpoint-email-out-failed | proofpoint-pep-cef-email-send-fail-emaildelivery |
+| cef-prowatch-badge-access | honeywell-pw-cef-physical-location-access-success-location |
+| cef-qip-dhcp | nokia-vqip-cef-dhcp-session-success-dhcpsession |
+| cef-radius-authentication | hp-arubawc-cef-radius-traffic-success-clearpass |
+| cef-radius-authentication-failed | hp-arubawc-cef-radius-traffic-fail-radius |
+| cef-rangeraudit-app-activity | rangeraudit-ra-json-app-activity-success-enforcer |
+| cef-rangeraudit-app-login | rangeraudit-ra-kv-app-login-success-ranger |
+| cef-rangeraudit-db-query-1 | rangeraudit-ra-json-database-access |
+| cef-rangeraudit-db-query-2 | rangeraudit-ra-cef-database-query-fail-alter |
+| cef-rangeraudit-db-query-3 | rangeraudit-ra-cef-database-query-fail-use |
+| cef-rangeraudit-db-query-4 | rangeraudit-ra-cef-database-query-fail-create |
+| cef-rangeraudit-db-query-5 | rangeraudit-ra-cef-database-query-fail-drop |
+| cef-rangeraudit-db-query-6 | rangeraudit-ra-cef-database-query-fail-update |
+| cef-rangeraudit-db-query-7 | rangeraudit-ra-cef-database-query-fail-masknull |
+| cef-rangeraudit-failed-login | rangeraudit-ra-str-app-login-fail-loginunsuccess |
+| cef-rangeraudit-file-operations | rangeraudit-ra-json-file-success-path |
+| cef-rightcrowd-failed-physical-access | rightcrowd-rc-cef-physical-location-access-fail-invalidreader |
+| cef-rightcrowd-failed-physical-access-1 | rightcrowd-rc-cef-physical-location-access-fail-rightcrowd |
+| cef-rightcrowd-failed-physical-access-2 | rightcrowd-rc-cef-physical-location-access-fail-codeerror |
+| cef-rightcrowd-failed-physical-access-3 | rightcrowd-rc-cef-physical-location-access-fail-programmed |
+| cef-rightcrowd-physical-access | rightcrowd-rc-cef-physical-location-access-success-validcard |
+| cef-rightcrowd-system-info | rightcrowd-rc-cef-app-activity-eventid |
+| cef-rsa-app-login | rsa-netwitness-cef-app-login-success-httpsrequest |
+| cef-rsa-app-login-1 | rsa-netwitness-cef-app-login-success-authsuccess |
+| cef-rsa-logout | rsa-netwitness-cef-app-logout-success-logoff |
+| cef-rsa-logout-1 | rsa-netwitness-cef-app-logout-success-audit |
+| cef-rsa-network-connection | rsa-netwitness-cef-app-login-success-secureconnection |
+| cef-rsa-system-event | rsa-netwitness-cef-app-activity-success-dataaccess |
+| cef-rsa-system-event-1 | rsa-netwitness-cef-app-activity-success-netwitnessaudit |
+| cef-rsa-system-event-2 | rsa-netwitness-cef-app-activity-success-systemoperation |
+| cef-rsa-system-event-3 | rsa-netwitness-cef-app-activity-success-api |
+| cef-ruid-auth-success | ruid-r-cef-endpoint-login-success-bca |
+| cef-salesforce-account-switch | salesforce-sf-sk4-user-switch-success-access |
+| cef-salesforce-app-activity-1 | salesforce-sf-sk4-app-activity-success-accountlayout |
+| cef-salesforce-app-activity-10 | salesforce-sf-sk4-app-activity-success-createdpicklistwithcolor |
+| cef-salesforce-app-activity-11 | salesforce-sf-sk4-app-activity-success-deletedpicklistwithcolor |
+| cef-salesforce-app-activity-12 | salesforce-sf-sk4-app-activity-success-deletedprofile |
+| cef-salesforce-app-activity-13 | salesforce-sf-sk4-app-activity-success-deployedchangeset |
+| cef-salesforce-app-activity-14 | salesforce-sf-sk4-app-activity-success-salescloud |
+| cef-salesforce-app-activity-15 | salesforce-sf-sk4-app-activity-success-permsetassign |
+| cef-salesforce-app-activity-16 | salesforce-sf-sk4-app-activity-success-permsetcreatenolicense |
+| cef-salesforce-app-activity-17 | salesforce-sf-sk4-app-activity-success-profileclonedstandard |
+| cef-salesforce-app-activity-18 | salesforce-sf-sk4-app-activity-success-profilecustappcustom |
+| cef-salesforce-app-activity-19 | salesforce-sf-sk4-app-activity-success-profileolpchangedcustom |
+| cef-salesforce-app-activity-2 | salesforce-sf-sk4-app-activity-success-changedpicklist |
+| cef-salesforce-app-activity-20 | salesforce-sf-sk4-app-activity-success-profilepermchangedcustom |
+| cef-salesforce-app-activity-21 | salesforce-sf-sk4-app-activity-success-decryptioncertificate |
+| cef-salesforce-app-activity-22 | salesforce-sf-sk4-app-activity-success-signcert |
+| cef-salesforce-app-activity-23 | salesforce-sf-sk4-app-activity-success-setupentityaccessaudit |
+| cef-salesforce-app-activity-24 | salesforce-sf-sk4-app-activity-success-suorgadminlogout |
+| cef-salesforce-app-activity-25 | salesforce-sf-sk4-app-activity-success-updatedcompactlayoutmapping |
+| cef-salesforce-app-activity-26 | salesforce-sf-sk4-app-activity-success-auditevent |
+| cef-salesforce-app-activity-27 | salesforce-sf-sk4-app-activity-success-createdrole |
+| cef-salesforce-app-activity-28 | salesforce-sf-sk4-app-activity-success-createipwhitelist |
+| cef-salesforce-app-activity-29 | salesforce-sf-sk4-app-activity-success-profileflschangedstandard |
+| cef-salesforce-app-activity-3 | salesforce-sf-sk4-app-activity-success-changedpicklistsort |
+| cef-salesforce-app-activity-30 | salesforce-sf-sk4-app-activity-success-createduser |
+| cef-salesforce-app-activity-31 | salesforce-sf-sk4-app-activity-success-changedpassword |
+| cef-salesforce-app-activity-32 | salesforce-sf-sk4-app-activity-success-resourcedeleted |
+| cef-salesforce-app-activity-34 | salesforce-sf-cef-email-send-success-emailmessage |
+| cef-salesforce-app-activity-35 | salesforce-sf-sk4-app-activity-success-deactivateduser |
+| cef-salesforce-app-activity-36 | salesforce-sf-sk4-app-activity-success-resetpassword |
+| cef-salesforce-app-activity-37 | salesforce-sf-sk4-app-activity-success-unlockeduser |
+| cef-salesforce-app-activity-38 | salesforce-sf-sk4-app-activity-success-addedtodelegatedgroup |
+| cef-salesforce-app-activity-39 | salesforce-sf-sk4-app-activity-success-userlockedout |
+| cef-salesforce-app-activity-4 | salesforce-sf-sk4-app-activity-success-changedpicklistvalueapiname |
+| cef-salesforce-app-activity-41 | salesforce-sf-sk4-app-activity-success-resourcepropertyupdated |
+| cef-salesforce-app-activity-42 | salesforce-sf-sk4-app-activity-success-activateduser |
+| cef-salesforce-app-activity-43 | salesforce-sf-sk4-app-activity-success-changedcommunitynickname |
+| cef-salesforce-app-activity-44 | salesforce-sf-sk4-app-activity-success-changedemail |
+| cef-salesforce-app-activity-45 | salesforce-sf-sk4-app-activity-success-changedprofileforuserstdtostd |
+| cef-salesforce-app-activity-46 | salesforce-sf-sk4-app-activity-success-frozeuser |
+| cef-salesforce-app-activity-47 | salesforce-sf-sk4-app-activity-success-useremailchangesent |
+| cef-salesforce-app-activity-5 | salesforce-sf-sk4-app-activity-success-changedprofileforuser |
+| cef-salesforce-app-activity-6 | salesforce-sf-sk4-app-activity-success-changedprofileforusercusttostd |
+| cef-salesforce-app-activity-7 | salesforce-sf-sk4-app-activity-success-changedprofileforuserstdtocust |
+| cef-salesforce-app-activity-8 | salesforce-sf-sk4-app-activity-success-changedroleforuser |
+| cef-salesforce-app-activity-9 | salesforce-sf-sk4-app-activity-success-changedroleforuserfromnone |
+| cef-salesforce-app-login | salesforce-sf-cef-app-login-success-loginsuccess |
+| cef-salesforce-failed-app-login | salesforce-sf-cef-app-login-fail-loginfailed |
+| cef-salesforce-file-download | salesforce-sf-cef-file-download-success-cloud |
+| cef-salesforce-file-upload | salesforce-sf-cef-file-upload-success-cloud |
+| cef-sap-account-creation | sap-s-cef-user-create-success-created |
+| cef-sap-account-deleted | sap-s-cef-user-delete-success-deleted |
+| cef-sap-account-lockout | sap-s-cef-user-lock-success-locked |
+| cef-sap-account-password-change | sap-s-cef-user-password-modify-success-changed |
+| cef-sap-account-unlocked | sap-s-cef-user-unlock-success-unlocked |
+| cef-sap-app-activity-1 | sap-s-cef-endpoint-authentication-logon |
+| cef-sap-app-activity-2 | sap-s-cef-user-delete-fail-audit |
+| cef-sap-app-activity-3 | sap-s-cef-file-download-success-auy |
+| cef-sap-authentication-attempt | sap-s-cef-endpoint-login-success-assertion |
+| cef-sap-authentication-attempt-1 | sap-s-cef-endpoint-login-success-assertion-1 |
+| cef-sap-authentication-failed | sap-s-cef-endpoint-login-fail-secude |
+| cef-sap-file-download | sap-s-cef-file-download-success-download |
+| cef-sap-file-write | sap-s-cef-file-write-success-download |
+| cef-sap-system-info | sap-s-cef-app-notification-success-bu4 |
+| cef-sap-system-info-1 | sap-s-cef-app-notification-success-eg0 |
+| cef-sap-system-info-10 | sap-s-cef-app-notification-success-cub |
+| cef-sap-system-info-11 | sap-s-cef-app-notification-success-bul |
+| cef-sap-system-info-2 | sap-s-cef-app-notification-success-h01 |
+| cef-sap-system-info-3 | sap-s-cef-app-notification-success-geo |
+| cef-sap-system-info-4 | sap-s-cef-app-notification-success-attribute |
+| cef-sap-system-info-5 | sap-s-cef-app-notification-success-nameid |
+| cef-sap-system-info-6 | sap-s-cef-app-notification-success-e00 |
+| cef-sap-system-info-7 | sap-s-cef-app-notification-success-bi0 |
+| cef-sap-system-info-8 | sap-s-cef-app-notification-success-aud |
+| cef-sap-system-info-9 | sap-s-cef-app-notification-success-cbus |
+| cef-scbpam-account-password-change | dell-oim-cef-user-password-modify-success-forcechange |
+| cef-scbpam-account-switch | dell-oim-cef-user-switch-success-retrievepassword |
+| cef-scbpam-app-activity | dell-oim-cef-app-activity-success-appactivity |
+| cef-secret-server-system-info | delinea-ss-cef-app-activity-appactivity |
+| cef-securesphere-app-login | imperva-securesphere-cef-app-login-success-userloggedin |
+| cef-securesphere-app-login-failed | imperva-securesphere-cef-app-login-fail-loginfailed |
+| cef-securesphere-database-operations | imperva-securesphere-cef-database-auditdam |
+| cef-securesphere-db-alert | imperva-securesphere-cef-alert-trigger-success-servergroup |
+| cef-securesphere-db-alert-1 | imperva-securesphere-cef-alert-trigger-success-alert |
+| cef-securesphere-db-alert-2 | imperva-securesphere-cef-alert-trigger-servergroup |
+| cef-securesphere-db-failed-login | imperva-securesphere-cef-database-login-fail-audit |
+| cef-securesphere-db-login | imperva-securesphere-cef-database-login-success-audit |
+| cef-securesphere-db-logout | imperva-securesphere-cef-database-logout-securespherelogout |
+| cef-securesphere-db-query | imperva-securesphere-cef-database-query-success-audit |
+| cef-securesphere-db-query-1 | imperva-securesphere-cef-database-query-success-securesphere |
+| cef-securesphere-db-query-2 | imperva-securesphere-cef-database-query-success-informative |
+| cef-securesphere-file-operations | imperva-fam-cef-file-success-audit |
+| cef-securesphere-logout | imperva-securesphere-cef-app-logout-userloggedout |
+| cef-security-graph-alert | microsoft-azuresc-json-alert-trigger-success-geoanomaly |
+| cef-sendmail-system-info | unix-unix-cef-app-activity-sendmail |
+| cef-sensormatik-badge-access | sensormatik-s-cef-physical-location-access-success-sensormatik |
+| cef-sentinelone-file-alert | sentinelone-singularityp-cef-file-success-securityfile |
+| cef-sentinelone-network-alert | sentinelone-singularityp-cef-alert-trigger-success-dns |
+| cef-sentinelone-network-alert-1 | sentinelone-singularityp-cef-alert-trigger-success-ip |
+| cef-sentinelone-security-alert | sentinelone-singularityp-cef-alert-trigger-success-newactivethreat |
+| cef-sentinelone-security-alert-1 | sentinelone-singularityp-cef-alert-trigger-threatclassification |
+| cef-sentinelone-security-alert-2 | sentinelone-singularityp-cef-process-create-success-process |
+| cef-sentinelone-security-alert-3 | sentinelone-singularityp-cef-registry-modify-success-registry |
+| cef-sentinelone-security-alert-4 | sentinelone-singularityp-cef-process-create-success-scheduledtask |
+| cef-sentinelone-security-alert-5 | sentinelone-singularityp-cef-alert-trigger-success-agentoperation |
+| cef-sentinelone-security-alert-6 | sentinelone-singularityp-cef-alert-trigger-success-classification |
+| cef-servicenow-auth-1 | servicenow-s-sk4-app-authentication-success-sessionestablished |
+| cef-servicenow-auth-2 | servicenow-s-sk4-app-authentication-success-externalauthenticationsucceeded |
+| cef-servicenow-file-operation-2 | servicenow-s-cef-file-syscreated |
+| cef-servicenow-login-1 | servicenow-s-json-app-login-sucess-login |
+| cef-servicenow-login-2 | servicenow-s-json-app-login-sucess-impersonationstart |
+| cef-servicenow-login-failed | servicenow-s-json-app-login-fail-loginfailed |
+| cef-servicenow-logout | servicenow-s-sk4-app-logout-success-impersonationend |
+| cef-servicenow-logout-1 | servicenow-s-sk4-app-logout-success-logout |
+| cef-sharepoint-system-info | microsoft-m365auditlogs-sk4-app-activity-dlpclassification |
+| cef-silverfort-app-login | silverfort-s-cef-app-login-adminconsole |
+| cef-siteminder-auth-failed | siteminder-symantecsm-cef-endpoint-authentication-fail-associates |
+| cef-siteminder-auth-successful | siteminder-symantecsm-cef-endpoint-authentication-success-associates |
+| cef-skyformation-failed-login | netskope-sc-cef-app-login-fail-flexstring1 |
+| cef-skyformation-file-activity | box-ccm-cef-file-success-move |
+| cef-skyformation-gmail-in | google-workspace-cef-email-receive |
+| cef-skyformation-gmail-out | google-workspace-cef-email-send |
+| cef-skyformation-gmail-out-1 | google-workspace-sk4-email-send-gmaillogs |
+| cef-skyformation-login-2 | skyformation-s-sk4-app-login-login |
+| cef-skyformation-mimecast-login | mimecast-seg-cef-app-login-success-audittype |
+| cef-skyformation-password-change | cloudapplication-ca-sk4-user-password-modify-success-changedpassword |
+| cef-slack-app-activity | slack-s-cef-file-success-action |
+| cef-snare-4624 | microsoft-evsecurity-cef-endpoint-success-4624 |
+| cef-snare-4648 | microsoft-evsecurity-cef-user-switch-success-4648-1 |
+| cef-snare-4663 | microsoft-evsecurity-cef-file-write-success-4663 |
+| cef-snare-4673 | microsoft-evsecurity-cef-user-privilege-use-success-4673 |
+| cef-snare-4688 | microsoft-evsecurity-cef-process-create-success-4688-1 |
+| cef-snare-4719 | microsoft-evsecurity-cef-audit-policy-modify-success-policychanged |
+| cef-snare-4769 | microsoft-evsecurity-cef-endpoint-login-4769-7 |
+| cef-snare-4954 | microsoft-evsecurity-cef-policy-apply-success-snare |
+| cef-snare-5136 | microsoft-evsecurity-kv-ds-object-modify-success-5136-1 |
+| cef-snare-5140 | microsoft-evsecurity-cef-share-access-success-5140-1 |
+| cef-snare-552 | microsoft-evsecurity-cef-user-switch-success-552 |
+| cef-snare-562 | microsoft-evsecurity-cef-handle-close-success-handleclosed |
+| cef-snare-567 | microsoft-evsecurity-cef-file-success-567 |
+| cef-snare-576 | microsoft-evsecurity-cef-user-privilege-assign-success-576-1 |
+| cef-snare-577 | microsoft-evsecurity-cef-user-privilege-use-success-577 |
+| cef-snare-578 | microsoft-evsecurity-cef-user-privilege-use-success-snare |
+| cef-snare-680 | microsoft-evsecurity-cef-endpoint-login-680 |
+| cef-snare-process-created | microsoft-windows-cef-process-create-success-snare |
+| cef-snare-windows-catchall | microsoft-evsecurity-cef-endpoint-activity-microsoftwindowssecurityauditing |
+| cef-snare-windows-catchall-1 | microsoft-evsecurity-cef-endpoint-activity-snare |
+| cef-snort-network-alert | snort-s-cef-alert-trigger-success-snort |
+| cef-snowflake-db-login | snowflake-s-sk4-database-login-success-login |
+| cef-snowflake-db-login-1 | snowflake-s-sk4-database-login-success-login-1 |
+| cef-snowflake-db-query | snowflake-s-sk4-database-query-success-queryhistory |
+| cef-sonicwall-failed-vpn-login | dell-sw-cef-vpn-login-fail-userloginfailed |
+| cef-sonicwall-rdp-logon | dell-sw-cef-rdp-traffic-success-rdp |
+| cef-sonicwall-vpn-end | dell-sw-cef-vpn-logout-success-loggedout |
+| cef-sonicwall-vpn-start | dell-sw-cef-vpn-login-success-userloginsuccessful |
+| cef-sophos-app-activity | sophos-ep-cef-alert-trigger-detected |
+| cef-sophos-config-change | sophos-ep-cef-app-notification-success-savdisabled |
+| cef-sophos-config-change-1 | sophos-ep-cef-app-notification-success-updatesuccess |
+| cef-sophos-config-change-2 | sophos-ep-cef-app-notification-success-updatefailure |
+| cef-sophos-config-change-3 | sophos-ep-cef-app-notification-success-savenabled |
+| cef-sophos-dlp-alert-13 | sophos-ep-sk4-alert-trigger-success-dlpautomaticallyallowed |
+| cef-sophos-dlp-alert-6 | sophos-ep-cef-alert-trigger-success-dlpatomaticallyallowed |
+| cef-sophos-dlp-alert-7 | sophos-ep-sk4-alert-trigger-success-datalossprevention |
+| cef-sophos-dlp-alert-8 | sophos-ep-sk4-alert-trigger-success-encryptionsuspened |
+| cef-sophos-network-connection | sophos-xgfirewall-cef-network-traffic-sfw |
+| cef-sophos-policy | sophos-ep-cef-endpoint-policy-verify-success-noncompliant |
+| cef-sophos-security-alert-1 | sophos-ep-sk4-alert-trigger-success-threatdetected-1 |
+| cef-sophos-security-alert-10 | sophos-ep-cef-alert-trigger-success-corecleanfailed |
+| cef-sophos-security-alert-11 | sophos-ep-cef-alert-trigger-success-corepuacleanfailed |
+| cef-sophos-security-alert-12 | sophos-ep-cef-alert-trigger-success-hmpacredguard |
+| cef-sophos-security-alert-13 | sophos-ep-cef-alert-trigger-success-safebrowsing |
+| cef-sophos-security-alert-14 | sophos-ep-cef-alert-trigger-success-puadetected |
+| cef-sophos-security-alert-15 | sophos-ep-sk4-alert-trigger-success-threatdetected |
+| cef-sophos-security-alert-18 | sophos-ep-sk4-alert-trigger-success-controlviolation |
+| cef-sophos-security-alert-2 | sophos-ep-cef-alert-trigger-success-webfilteringblocked |
+| cef-sophos-security-alert-26 | sophos-ep-sk4-alert-trigger-success-savdisable |
+| cef-sophos-security-alert-3 | sophos-ep-cef-alert-trigger-success-windowsfirewallblock |
+| cef-sophos-security-alert-30 | sophos-ep-sk4-alert-trigger-success-applicationblock |
+| cef-sophos-security-alert-32 | sophos-ep-sk4-alert-trigger-success-corepua |
+| cef-sophos-security-alert-33 | sophos-ep-cef-alert-trigger-success-threat |
+| cef-sophos-security-alert-34 | sophos-ep-sk4-alert-trigger-success-hmpacrypyguard |
+| cef-sophos-security-alert-35 | sophos-ep-sk4-alert-trigger-success-blocked |
+| cef-sophos-security-alert-36 | sophos-ep-cef-alert-trigger-success-applicationcontrol-1 |
+| cef-sophos-security-alert-37 | sophos-ep-cef-alert-trigger-success-endpointfirewall |
+| cef-sophos-security-alert-38 | sophos-ep-cef-alert-trigger-success-applicationcontrol |
+| cef-sophos-security-alert-39 | sophos-ep-sk4-alert-trigger-success-event |
+| cef-sophos-security-alert-4 | sophos-ep-cef-alert-trigger-success-coredetection |
+| cef-sophos-security-alert-40 | sophos-ep-sk4-alert-trigger-success-enc |
+| cef-sophos-security-alert-41 | sophos-ep-cef-alert-trigger-success-corepuadetected |
+| cef-sophos-security-alert-42 | sophos-ep-sk4-alert-trigger-success-userblocked |
+| cef-sophos-security-alert-43 | sophos-ep-sk4-alert-trigger-success-userauthorised |
+| cef-sophos-security-alert-5 | sophos-ep-cef-alert-trigger-success-hmpaexploitprevented |
+| cef-sophos-security-alert-6 | sophos-ep-cef-alert-trigger-success-hmpabehaviourprevented |
+| cef-sophos-security-alert-7 | sophos-ep-sk4-alert-trigger-success-threatclean |
+| cef-sophos-security-alert-8 | sophos-ep-cef-alert-trigger-success-exploitprevented |
+| cef-sophos-system-event | sophos-ep-cef-app-notification-success-updaterebootrequired |
+| cef-sophos-system-event-1 | sophos-ep-sk4-app-notification-success-sophoscentral |
+| cef-sophos-system-event-2 | sophos-ep-cef-app-notification-suspended |
+| cef-sophos-system-event-3 | sophos-ep-cef-app-notification-resumed |
+| cef-sophos-system-event-4 | sophos-ep-sk4-app-notification-success-renewapitoken |
+| cef-sophos-system-event-5 | sophos-ep-sk4-app-notification-success-azureerror |
+| cef-sophos-system-info | sophos-ep-cef-app-notification-registered |
+| cef-sophos-system-info-1 | sophos-ep-cef-user-create-userautocreated |
+| cef-sophos-system-info-2 | sophos-ep-cef-app-notification-reprotected |
+| cef-sophos-system-info-3 | sophos-ep-cef-app-notification-success-notprotected |
+| cef-sophos-system-info-4 | sophos-ep-sk4-app-notification-success-adsync |
+| cef-sophos-system-info-5 | sophos-ep-sk4-app-notification-success-scheduleddatauploadresumed |
+| cef-sophos-system-info-6 | sophos-ep-sk4-app-notification-success-scheduleddailylimitexceeded |
+| cef-sophos-system-info-7 | sophos-ep-sk4-app-notification-success-deduplicated |
+| cef-sophos-system-info-8 | sophos-ep-sk4-app-notification-success-clonedetected |
+| cef-sophos-usb-insert | sophos-ep-cef-peripheral-storage-insert-success-peripherals |
+| cef-sophos-usb-insert-1 | sophos-ep-cef-peripheral-storage-insert-success-alertedonly |
+| cef-sophos-usb-read | sophos-ep-sk4-file-read-success-readonly |
+| cef-sophos-web-activity | sophos-xgfirewall-cef-http-session-contentfiltering |
+| cef-sourcefire-estreamer-alert | cisco-fp-cef-alert-trigger-success-sourcefire |
+| cef-sourcefire-event-1 | cisco-sourcefire-cef-app-activity-success-router |
+| cef-sourcefire-event-2 | cisco-sourcefire-cef-app-activity-success-router-1 |
+| cef-ssh-login | unix-unix-cef-ssh-traffic-success-accepted |
+| cef-ssh-login-1 | unix-unix-cef-ssh-traffic-success-sessionopen |
+| cef-ssh-login-failed | unix-unix-cef-endpoint-login-fail-sshfail |
+| cef-ssh-logout | unix-unix-cef-endpoint-logout-success-closed |
+| cef-ssh-logout-1 | unix-unix-cef-endpoint-logout-success-disconnect |
+| cef-stealthbits-alert | stealthbits-ssd-cef-alert-trigger-abnormaluserbehavior |
+| cef-stealthbits-alert-1 | stealthbits-ssd-cef-alert-trigger-dcsync |
+| cef-stealthbits-file-operations | stealthbits-s-cef-file-read-success-filemonitor |
+| cef-stealthbits-security-alert | stealthbits-ssd-cef-alert-trigger-kerberoasting |
+| cef-stealthbits-security-alert-1 | stealthbits-ssd-cef-alert-trigger-goldenticket |
+| cef-stealthwatch-network-alert | cisco-securenwanalytics-cef-alert-trigger-success-stealthwatch |
+| cef-sybase-db-login | sybase-s-cef-database-login-success-login |
+| cef-sybase-db-query | sybase-s-cef-database-query-success-selecttable |
+| cef-symantec-atp-alert | symantec-atp-cef-alert-trigger-success-devicetime |
+| cef-symantec-atp-alert-1 | symantec-endpointprotection-cef-alert-trigger-success-atpincident |
+| cef-symantec-dlp-alert | symantec-dlp-cef-alert-trigger-success-symantecdlp |
+| cef-symantec-dlp-alert-1 | symantec-dlp-cef-alert-trigger-success-dlp |
+| cef-symantec-dlp-alert-2 | symantec-dlp-cef-alert-trigger-success-dlp-1 |
+| cef-symantec-email-alert | symantec-esc-json-email-send-antispam |
+| cef-symantec-email-alert-1 | symantec-esc-cef-alert-trigger-success-emailseccloud |
+| cef-symantec-network-alert | symantec-endpointprotection-cef-alert-trigger-success-symantec |
+| cef-symantec-sep-alert | symantec-endpointprotection-cef-alert-trigger-success-emailconvictionevent |
+| cef-symantec-sep-alert-1 | symantec-endpointprotection-cef-alert-trigger-success-lcpsepriskevent |
+| cef-symantec-sep-alert-2 | symantec-endpointprotection-cef-alert-trigger-success-sepproxyinsightevent |
+| cef-symantec-sep-alert-3 | symantec-endpointprotection-cef-alert-trigger-success-sepproxysonarevent |
+| cef-symantec-sep-alert-4 | symantec-endpointprotection-cef-alert-trigger-success-sepproxyipsevent |
+| cef-symantec-sep-alert-5 | symantec-endpointprotection-cef-alert-trigger-success-sepproxyavevent |
+| cef-symantec-system-event | symantec-s-sk4-app-activity-auditevent |
+| cef-symantec-web-activity | symantec-vswg-cef-http-session-securewebgateway |
+| cef-symantec-web-activity-1 | symantec-vswg-cef-http-session-websecurityservice |
+| cef-symantec-web-activity-2 | symantec-fireglass-cef-http-session-isolation |
+| cef-syslog-guardium-db-alert | ibm-guardium-cef-alert-trigger-success-cmealert |
+| cef-syslog-guardium-db-alert-1 | ibm-guardium-cef-alert-trigger-success-failedlogin |
+| cef-syslog-guardium-db-query | ibm-guardium-cef-database-query-success-command |
+| cef-syslog-microsoft-db-impersonate | microsoft-mssql-kv-database-login-success-impersonate |
+| cef-syslog-microsoft-db-login | microsoft-mssql-cef-database-login-success-loginsucceeded |
+| cef-syslog-oracle-db-login | oracle-db-cef-database-login-success-logon |
+| cef-syslog-oracle-db-query | oracle-db-cef-database-query-success-select-1 |
+| cef-syslog-securesphere-db-alert | imperva-securesphere-kv-alert-trigger-success-servergroup |
+| cef-syslog-securesphere-db-login | imperva-securesphere-kv-database-login-success-login |
+| cef-syslog-securesphere-db-query | imperva-securesphere-cef-database-query-success-true |
+| cef-syslog-sharepoint-activity | microsoft-o365-cef-file-success-fileoperation |
+| cef-sysmon-config-change-1 | microsoft-sysmon-cef-log-success-servicestatechanged |
+| cef-sysmon-config-change-2 | microsoft-sysmon-cef-driver-load-success-driverloaded |
+| cef-sysmon-config-change-3 | microsoft-sysmon-cef-process-thread-create-success-createremotethread |
+| cef-sysmon-file-write-1 | microsoft-sysmon-cef-file-write-success-filecreated |
+| cef-sysmon-file-write-2 | microsoft-sysmon-cef-registry-modify-success-registryvalueset |
+| cef-sysmon-file-write-3 | microsoft-sysmon-cef-file-time-modify-success-creationtimechanged |
+| cef-sysmon-file-write-4 | microsoft-sysmon-cef-file-stream-create-success-streamcreated |
+| cef-sysmon-file-write-5 | microsoft-sysmon-cef-registry-success-sysmonregkey |
+| cef-sysmon-process-created | microsoft-sysmon-cef-process-create-success-sysmoncreateprocess |
+| cef-sysmon-process-network | microsoft-sysmon-cef-network-session-success-networkconndetected |
+| cef-sysmon-process-terminated | microsoft-sysmon-cef-process-close-success-processterminated |
+| cef-tacacs-authentication | hp-arubawc-cef-endpoint-authentication-tacacsauth |
+| cef-tacacs-authentication-failed | hp-arubawc-cef-endpoint-authentication-fail-tacacsauthfailed |
+| cef-tenable-alert | tenable-t-sk4-alert-trigger-vulnerability |
+| cef-tenable-security-alert | tenable-t-sk4-alert-trigger-vulnerability-1 |
+| cef-tenable-system-information | tenable-t-cef-app-scan-scaninformation |
+| cef-tippingPoint-network-alert | trendmicro-tippingpoint-cef-alert-trigger-success-sms |
+| cef-tippingPoint-network-alert-1 | trendmicro-tippingpoint-cef-alert-trigger-success-unityone |
+| cef-trapx-file-read | trapx-t-cef-file-read-success-trapx |
+| cef-trend-system-info | trendmicro-ds-cef-app-activity-appactivity |
+| cef-trendmicro-alert | trendmicro-ddi-leef-alert-trigger-success-detection |
+| cef-trendmicro-alert-event | trendmicro-ddi-kv-alert-trigger-alertevent |
+| cef-trendmicro-app-login | trendmicro-ddi-cef-app-login-success-userloggedon |
+| cef-trendmicro-database-failed-login | trendmicro-ds-cef-database-login-fail-loginfailed |
+| cef-trendmicro-dlp | trendmicro-ddei-cef-email-receive-success-messagetracking |
+| cef-trendmicro-dlp-alert | trendmicro-officescan-cef-alert-trigger-success-blocked |
+| cef-trendmicro-dlp-alert-1 | trendmicro-officescan-cef-alert-trigger-success-dlp |
+| cef-trendmicro-dlp-email-alert | trendmicro-apexone-cef-email-receive-fail-apexcentral |
+| cef-trendmicro-dlp-email-alert-in | trendmicro-ddei-cef-email-receive-success-detection |
+| cef-trendmicro-password-change | trendmicro-ddi-cef-user-password-modify-success-accountpassword |
+| cef-trendmicro-product-update | trendmicro-ddi-kv-app-notification-success-productupdate |
+| cef-trendmicro-security-alert | trendmicro-officescan-kv-alert-trigger-success-deepsecuritymanager |
+| cef-trendmicro-security-alert-1 | trendmicro-ddi-cef-alert-trigger-success-alerttrigger |
+| cef-trendmicro-security-alert-2 | trendmicro-ddi-cef-alert-trigger-success-473 |
+| cef-trendmicro-security-alert-3 | trendmicro-ds-cef-alert-trigger-success-risk |
+| cef-trendmicro-security-alert-4 | trendmicro-ddi-cef-alert-trigger-success-trendmicro |
+| cef-trendmicro-security-alert-5 | trendmicro-ds-cef-alert-trigger-success-denialofservice |
+| cef-trendmicro-security-alert-6 | trendmicro-ds-cef-alert-trigger-success-moduleformatstring |
+| cef-trendmicro-security-alert-7 | trendmicro-ds-cef-alert-trigger-success-codeexecution |
+| cef-trendmicro-security-alert-8 | trendmicro-ds-cef-alert-trigger-success-wpsocialwarfareunauth |
+| cef-trendmicro-security-alert-9 | trendmicro-cas-cef-alert-trigger-success-cas |
+| cef-trendmicro-system-event | trendmicro-ddi-kv-app-activity-success-systemevent |
+| cef-trendmicro-usb-write | trendmicro-officescan-cef-file-write-success-passed |
+| cef-trendmicro-visionone-alert | trendmicro-vone-cef-alert-trigger-success-visioone |
+| cef-tripwire-file-alert | tripwire-t-cef-alert-trigger-success-filemodified |
+| cef-unix-account-1 | unix-unixauditd-cef-user-switch-success-userrolechange |
+| cef-unix-account-switch | unix-unix-cef-user-switch-success-runuser |
+| cef-unix-auditd-login | unix-ad-cef-endpoint-login-success-userauth |
+| cef-unix-auth-failed | unix-unix-cef-endpoint-login-fail-passwordcheckfailed |
+| cef-unix-authentication-1 | unix-unixauditd-cef-endpoint-login-userauth |
+| cef-unix-batch-logon | unix-unix-cef-endpoint-login-success-sessionopened |
+| cef-unix-cred-acq-1 | unix-ad-cef-authentication-success-credacq |
+| cef-unix-cred-disp-1 | unix-ad-cef-endpoint-authentication-success-creddisp |
+| cef-unix-cred-refer-1 | unix-ad-cef-endpoint-authentication-credrefr |
+| cef-unix-crypto-1 | unix-ad-cef-endpoint-login-success-cryptosession |
+| cef-unix-crypto-key-1 | unix-ad-cef-endpoint-login-success-cryptokeyuser |
+| cef-unix-dhcp | unix-dhcpd-cef-endpoint-login-success-arcsight |
+| cef-unix-dlp-email-alert | unix-unix-cef-email-send-receive-sendmail |
+| cef-unix-exe-1 | unix-unixauditd-cef-process-create-success-execve |
+| cef-unix-local-logon | unix-unix-cef-endpoint-login-success-sessionstart |
+| cef-unix-local-logon-1 | unix-ad-cef-endpoint-login-success-startingsession |
+| cef-unix-local-logon-2 | unix-ad-cef-endpoint-login-success-authenticateduser |
+| cef-unix-net-filter-1 | unix-ad-cef-endpoint-notification-netfiltercfg |
+| cef-unix-process-1 | unix-unixauditd-cef-process-create-success-syscall |
+| cef-unix-service-1 | unix-ad-cef-service-stop-servicestop |
+| cef-unix-software-1 | unix-ad-cef-endpoint-notification-softwareupdate |
+| cef-unix-ssh-disconnect | unix-ad-cef-app-activity-fail-ssh |
+| cef-unix-ssh-fail | unix-ad-cef-endpoint-login-fail-failedlogin |
+| cef-unix-su | unix-unix-cef-user-switch-success-sessionopen |
+| cef-unix-su-1 | unix-unix-cef-user-switch-success-susuccess |
+| cef-unix-su-2 | unix-unix-cef-user-switch-success-sessionclose |
+| cef-unix-sudo | unix-unix-cef-user-switch-success-executecommand |
+| cef-unix-sudo-1 | unix-unix-cef-user-switch-success-sudo |
+| cef-unix-system-info | unix-ad-cef-app-activity-unix |
+| cef-unix-user-account-1 | unix-ad-cef-user-modify-useracct |
+| cef-unix-user-cmd-1 | unix-unixauditd-cef-process-create-success-usercmd |
+| cef-unix-user-end-1 | unix-ad-cef-endpoint-logout-success-userend |
+| cef-unix-user-login-1 | unix-ad-cef-endpoint-login-success-login |
+| cef-unix-user-logout-1 | unix-ad-cef-endpoint-logout-success-userlogout |
+| cef-unix-user-start-1 | unix-ad-cef-endpoint-login-success-userstart |
+| cef-unix-virt-control-1 | unix-ad-cef-endpoint-start-stop-virtcontrol |
+| cef-vanderbilt-badge-access | vanderbilt-v-cef-physical-location-access-sms |
+| cef-vectra-alert | vectra-cd-cef-alert-trigger-success-vectranetworks |
+| cef-vontu-dlp-alert | symantec-dlp-cef-alert-trigger-success-contentsecurity |
+| cef-vontu-dlp-alert-2 | symantec-dlp-kv-alert-trigger-success-alerttrigger |
+| cef-vontu-dlp-alert-3 | symantec-dlp-cef-alert-trigger-success-applicationname |
+| cef-vontu-dlp-alert-4 | symantec-dlp-str-alert-trigger-success-symcdlpsys |
+| cef-websense-proxy | forcepoint-wsg-cef-http-session-websense |
+| cef-windows-10 | microsoft-sysmon-str-handle-open-success-10 |
+| cef-windows-100 | microsoft-evterminalservicesgateway-kv-scheduled-task-trigger-success-100 |
+| cef-windows-102 | microsoft-windows-kv-scheduled-task-finish-success-102 |
+| cef-windows-108 | microsoft-evadfs-kv-scheduled-task-trigger-success-108 |
+| cef-windows-119 | microsoft-windows-kv-scheduled-task-trigger-success-119 |
+| cef-windows-129 | microsoft-evsystem-kv-scheduled-task-trigger-success-129 |
+| cef-windows-13 | microsoft-sysmon-str-registry-modify-success-13 |
+| cef-windows-140 | microsoft-windows-kv-scheduled-task-modify-success-140 |
+| cef-windows-1503 | microsoft-evsystem-kv-policy-apply-success-1503 |
+| cef-windows-200 | microsoft-windows-kv-scheduled-task-trigger-success-200 |
+| cef-windows-201 | microsoft-windows-kv-scheduled-task-finish-success-201 |
+| cef-windows-21 | microsoft-evterminalservicesgateway-kv-endpoint-login-success-21 |
+| cef-windows-22 | microsoft-windows-kv-endpoint-login-success-22 |
+| cef-windows-23 | microsoft-windows-kv-endpoint-logout-success-23 |
+| cef-windows-24 | microsoft-windows-kv-endpoint-logout-success-24 |
+| cef-windows-39 | microsoft-windows-kv-endpoint-logout-success-39 |
+| cef-windows-40 | microsoft-evsystem-kv-endpoint-logout-success-40 |
+| cef-windows-41 | microsoft-windows-kv-endpoint-notification-success-41 |
+| cef-windows-4104 | microsoft-evpowershell-kv-process-create-success-4104-1 |
+| cef-windows-4105 | microsoft-evpowershell-kv-endpoint-notification-4105 |
+| cef-windows-42 | microsoft-windows-kv-endpoint-notification-success-42 |
+| cef-windows-4624 | microsoft-evsecurity-cef-endpoint-success-4624-1 |
+| cef-windows-4625 | microsoft-evsecurity-cef-endpoint-login-fail-4625-1 |
+| cef-windows-4634 | microsoft-evsecurity-sk4-endpoint-logout-success-anaccountwasloggedoff |
+| cef-windows-4653 | microsoft-evsecurity-cef-network-session-fail-4653 |
+| cef-windows-4654 | microsoft-evsecurity-cef-endpoint-notification-success-4654 |
+| cef-windows-4673 | microsoft-evsecurity-cef-user-privilege-modify-fail-4673 |
+| cef-windows-4674 | microsoft-evsecurity-cef-user-privilege-use-success-attempted |
+| cef-windows-4675 | microsoft-evsecurity-cef-app-notification-success-4675 |
+| cef-windows-4689 | microsoft-evsecurity-kv-process-close-success-4689 |
+| cef-windows-4703 | microsoft-evsecurity-kv-user-privilege-modify-success-4703 |
+| cef-windows-4735 | microsoft-evsecurity-cef-group-modify-success-4735-1 |
+| cef-windows-4742 | microsoft-evsecurity-cef-ds-object-activity-success-4742 |
+| cef-windows-4768 | microsoft-evsecurity-cef-endpoint-4768 |
+| cef-windows-4769 | microsoft-evsecurity-cef-endpoint-login-4769-1 |
+| cef-windows-4771 | microsoft-evsecurity-cef-endpoint-login-fail-4771-1 |
+| cef-windows-4776 | microsoft-evsecurity-cef-endpoint-login-4776-1 |
+| cef-windows-4793 | microsoft-evsecurity-kv-endpoint-notification-success-4793 |
+| cef-windows-53504 | microsoft-evpowershell-str-endpoint-notification-success-53504 |
+| cef-windows-6416 | microsoft-evsecurity-cef-peripheral-storage-insert-success-6416 |
+| cef-windows-7001 | microsoft-evsystem-kv-endpoint-login-success-7001 |
+| cef-windows-7002 | microsoft-evsystem-kv-endpoint-logout-success-7002 |
+| cef-windows-account-4720 | microsoft-evsecurity-sk4-user-create-success-usercreated |
+| cef-windows-defender | microsoft-defenderep-json-alert-trigger-success-operational |
+| cef-windows-dhcp | microsoft-evdhcpserver-sk4-app-activity-fail-adminevents |
+| cef-windows-dns-query | microsoft-windows-cef-dns-request-success-dnsserver |
+| cef-windows-dns-query-1 | microsoft-windows-cef-dns-request-success-packet |
+| cef-windows-dns-response | microsoft-windows-cef-dns-response-success-dnsresponse |
+| cef-windows-dns-response-1 | microsoft-windows-cef-dns-response-success-packet |
+| cef-windows-ds-access-5137 | microsoft-evsecurity-sk4-ds-object-create-success-5137 |
+| cef-windows-generic | microsoft-evsecurity-cef-endpoint-activity-4933 |
+| cef-windows-logout | microsoft-evdhcpserver-sk4-dns-record-create-fail-adminevents |
+| cef-windows-member-added-2003 | microsoft-evsecurity-cef-group-member-add-success-4732 |
+| cef-windows-member-removed-2003 | microsoft-evsecurity-cef-group-member-remove-success-4733-1 |
+| cef-windows-share-access | microsoft-evsecurity-sk4-share-create-success-5142 |
+| cef-windows-share-access-1 | microsoft-evsecurity-sk4-share-delete-success-5144 |
+| cef-windows-share-access-2 | microsoft-evsecurity-sk4-share-modify-success-5143 |
+| cef-xps-print-activity | xps-x-cef-print-activity-printer-activity-success-xpsprint |
+| cef-xps-print-activity-1 | xps-s-kv-printer-activity-success-set |
+| cef-zendesk-ticket-app-activity | zendesk-z-sk4-app-activity-success-ticketevent |
+| cef-zendesk-user-app-activity | zendesk-z-sk4-app-activity-success-userevent |
+| cef-zlock-app-activity | zlock-z-cef-app-activity-success-appactivity |
+| cef-zscaler-web-activity | zscaler-ia-cef-http-session-spriv |
+| centos-network-connection-failed | linux-centos-kv-network-traffic-fail-fwdrej |
+| centrify-account-authentication-attempt-1 | delinea-centrifyas-kv-app-authentication-success-54202 |
+| centrify-account-authentication-attempt-2 | delinea-centrifyas-kv-app-authentication-success-54203 |
+| centrify-account-password-change-failed-1 | delinea-centrifyas-kv-user-password-reset-success-6041 |
+| centrify-account-switch | delinea-centrifyztps-kv-user-switch-success-granted |
+| centrify-app-activity | delinea-centrifyztps-sk4-app-login-centrify |
+| centrify-auth-denied | delinea-centrifyas-cef-endpoint-login-fail-pam |
+| centrify-auth-success | delinea-centrifyas-kv-endpoint-login-success-pam |
+| centrify-authentication-failed-1 | delinea-centrifyas-kv-endpoint-login-fail-54207 |
+| centrify-authentication-failed-2 | delinea-centrifyas-kv-endpoint-login-fail-54201 |
+| centrify-authentication-success-1 | delinea-centrifyas-kv-endpoint-login-success-54206 |
+| centrify-failed-logon | delinea-centrifyas-kv-endpoint-login-fail-trustedpath |
+| centrify-failed-logon-1 | delinea-centrifyas-kv-endpoint-login-fail-6034 |
+| centrify-failed-logon-2 | delinea-centrifyas-kv-endpoint-login-fail-6049 |
+| centrify-file-access | delinea-centrifyams-kv-file-fail-setp |
+| centrify-local-logon | delinea-centrifyas-kv-endpoint-login-success-trustedpath |
+| centrify-process | delinea-centrifyis-kv-process-create-success-suite |
+| centrify-remote-logon-1 | delinea-centrifyas-kv-endpoint-login-success-6033 |
+| centrify-remote-logon-2 | delinea-centrifyas-kv-endpoint-login-success-6048 |
+| centrify-ssh-login | delinea-centrifyas-kv-ssh-traffic-success-sshd |
+| centrify-ssh-login-failed | delinea-centrifyas-cef-endpoint-login-fail-sshd |
+| centrify-trusted-path | delinea-centrifyas-kv-app-notification-success-trustedpath |
+| centurylink-security-alert | centurylink-ati-json-alert-trigger-success-dstas |
+| chcom-app-activity | chcom-c-json-app-activity-loyaltyassetpurchase |
+| chcom-app-login | chcom-c-json-app-login-success-trueclientip |
+| chcom-web-activity | apache-a-json-http-session-chcomaccesslog |
+| checkpoint-5599-network-connection | checkpoint-ngfw-kv-network-traffic-success-5599 |
+| checkpoint-auth-failed | checkpoint-ngfw-kv-endpoint-login-fail-failed |
+| checkpoint-auth-successful | checkpoint-ngfw-cef-endpoint-login-success-identity |
+| checkpoint-auth-successful-1 | checkpoint-ngfw-cef-endpoint-login-success-identity-1 |
+| checkpoint-connectra-failed-vpn-login | checkpoint-sg-kv-vpn-login-fail-loginfailure |
+| checkpoint-connectra-vpn-login | checkpoint-sg-kv-vpn-login-success-ipchanged |
+| checkpoint-connectra-vpn-login-1 | checkpoint-sg-json-vpn-login-success-ipchanged |
+| checkpoint-connectra-vpn-logout | checkpoint-sg-kv-vpn-logout-success-connectra |
+| checkpoint-dlp-alert-out | checkpoint-ngfw-json-email-send-success-emailsessionid |
+| checkpoint-dlp-email-alert | checkpoint-ngfw-kv-email-receive-success-firewall |
+| checkpoint-failed-vpn-login | checkpoint-sg-csv-vpn-login-fail-reject |
+| checkpoint-firewall-1 | checkpoint-ngfw-kv-network-traffic-vpn-1 |
+| checkpoint-firewall-2 | checkpoint-ngfw-cef-network-traffic-access-2 |
+| checkpoint-firewall-accept | checkpoint-ngfw-csv-network-traffic-success-accept-1 |
+| checkpoint-firewall-accept-1 | checkpoint-ngfw-kv-network-traffic-success-accept-1 |
+| checkpoint-firewall-accept-2 | checkpoint-ngfw-kv-network-traffic-success-accept-4 |
+| checkpoint-firewall-allow-1 | checkpoint-ngfw-str-network-traffic-success-allow |
+| checkpoint-firewall-allow-2 | checkpoint-ngfw-kv-http-session-success-allow |
+| checkpoint-firewall-block | checkpoint-ngfw-cef-network-traffic-fail-block |
+| checkpoint-firewall-decrypt | checkpoint-ngfw-kv-app-activity-success-decrypt |
+| checkpoint-firewall-decrypt-1 | checkpoint-ngfw-kv-app-activity-success-decrypt-1 |
+| checkpoint-firewall-drop | checkpoint-ngfw-csv-network-traffic-fail-drop |
+| checkpoint-firewall-drop-1 | checkpoint-ngfw-str-network-traffic-fail-drop |
+| checkpoint-firewall-drop-2 | checkpoint-ngfw-json-network-traffic-fail-drop |
+| checkpoint-firewall-encrypt | checkpoint-ngfw-kv-app-activity-success-encrypt |
+| checkpoint-firewall-encrypt-1 | checkpoint-ngfw-kv-app-activity-success-encrypt-1 |
+| checkpoint-firewall-logout-1 | checkpoint-ngfw-kv-app-logout-logout |
+| checkpoint-firewall-network-alert | checkpoint-ngfw-kv-alert-trigger-success-monitor |
+| checkpoint-firewall-network-alert-1 | checkpoint-ngfw-kv-alert-trigger-success-monitor-1 |
+| checkpoint-firewall-network-connection-1 | checkpoint-ngfw-kv-network-traffic-success-accept-5 |
+| checkpoint-firewall-network-connection-2 | checkpoint-ngfw-kv-network-traffic-success-decrypt |
+| checkpoint-firewall-network-connection-3 | checkpoint-ngfw-kv-network-traffic-success-encrypt |
+| checkpoint-firewall-network-connection-4 | checkpoint-ngfw-kv-network-traffic-fail-smtptransparentproxy |
+| checkpoint-firewall-network-connection-accept | checkpoint-ngfw-csv-network-traffic-success-accept |
+| checkpoint-firewall-network-connection-drop | checkpoint-ngfw-csv-network-traffic-fail-logdrop |
+| checkpoint-firewall-network-info | checkpoint-ngfw-kv-vpn-authentication-success-keyinstall |
+| checkpoint-firewall-network-info-1 | checkpoint-ngfw-kv-app-activity-securitygateway |
+| checkpoint-firewall-network-info-2 | checkpoint-ngfw-kv-app-notification-logmsg |
+| checkpoint-firewall-network-info-3 | checkpoint-ngfw-kv-app-notification-systemmonitor |
+| checkpoint-firewall-network-info-4 | checkpoint-ngfw-kv-app-activity-logupdate |
+| checkpoint-firewall-network-info-5 | checkpoint-tm-kv-app-activity-threatemulation |
+| checkpoint-firewall-network-info-6 | checkpoint-ngfw-kv-app-notification-sync |
+| checkpoint-firewall-network-info-7 | checkpoint-ngfw-kv-app-notification-updatestatus |
+| checkpoint-firewall-network-info-8 | checkpoint-ngfw-kv-app-activity-newantivirus |
+| checkpoint-firewall-reject | checkpoint-ngfw-str-network-traffic-fail-reject |
+| checkpoint-firewall-reject-1 | checkpoint-ngfw-json-network-traffic-fail-reject |
+| checkpoint-local-logon | checkpoint-ngfw-str-endpoint-login-fail-permission |
+| checkpoint-logout | checkpoint-ngfw-str-app-logout-success-loggedout |
+| checkpoint-network-alert | checkpoint-tp-kv-alert-trigger-success-actiondetect |
+| checkpoint-network-alert-1 | checkpoint-tp-json-alert-trigger-success-prevent |
+| checkpoint-network-alert-2 | checkpoint-tp-kv-alert-trigger-success-alert |
+| checkpoint-network-alert-3 | checkpoint-ngfw-kv-alert-trigger-success-antimalware |
+| checkpoint-network-alert-4 | checkpoint-tp-kv-alert-trigger-success-smartdefense |
+| checkpoint-network-alert-6 | checkpoint-ngfw-kv-alert-trigger-success-detect |
+| checkpoint-network-connection-1 | checkpoint-ngfw-str-network-traffic-success-decrypt |
+| checkpoint-network-connection-2 | checkpoint-ngfw-str-network-traffic-success-encrypt |
+| checkpoint-network-connection-3 | checkpoint-ngfw-str-network-traffic-success-bypass-2 |
+| checkpoint-network-connection-4 | checkpoint-ngfw-kv-network-traffic-success-drop |
+| checkpoint-network-connection-5 | checkpoint-ia-kv-network-traffic-firewall |
+| checkpoint-network-connection-accept-1 | checkpoint-ngfw-str-network-traffic-success-accept |
+| checkpoint-network-connection-accept-2 | checkpoint-ngfw-str-network-traffic-success-accept-2 |
+| checkpoint-network-connection-allow | checkpoint-ngfw-str-network-traffic-success-allow-2 |
+| checkpoint-network-connection-drop-1 | checkpoint-ngfw-str-network-traffic-fail-drop-2 |
+| checkpoint-network-connection-inbound | checkpoint-ngfw-kv-network-traffic-inbound |
+| checkpoint-network-decrypt | checkpoint-ngfw-json-alert-trigger-success-acceptdecrypt |
+| checkpoint-network-encrypt | checkpoint-ngfw-json-alert-trigger-success-acceptencrypt |
+| checkpoint-network-info-2 | checkpoint-ngfw-kv-app-activity-sequencenum |
+| checkpoint-proxy | checkpoint-ngfw-kv-http-session-user |
+| checkpoint-proxy-1 | checkpoint-ngfw-kv-http-session-srcusername |
+| checkpoint-proxy-2 | checkpoint-ngfw-kv-http-session-urlfiltering |
+| checkpoint-system-info | checkpoint-am-kv-app-activity-antimalware |
+| checkpoint-system-info-10 | checkpoint-ngfw-kv-http-session-fail-vpn1 |
+| checkpoint-system-info-11 | checkpoint-ngfw-kv-http-traffic-success-httpinspection |
+| checkpoint-system-info-12 | checkpoint-ngfw-kv-http-traffic-fail-urlfiltering |
+| checkpoint-system-info-13 | checkpoint-es-kv-vpn-login-success-rulelisted |
+| checkpoint-system-info-14 | checkpoint-ngfw-kv-vpn-authentication-success-authrequest |
+| checkpoint-system-info-15 | checkpoint-ngfw-kv-user-modify-success-checkpoint |
+| checkpoint-system-info-16 | checkpoint-ngfw-kv-app-activity-success-applicationcontrol |
+| checkpoint-system-info-6 | checkpoint-sg-kv-app-activity-awareness |
+| checkpoint-system-info-7 | checkpoint-ngfw-kv-app-activity-authcrypt |
+| checkpoint-system-info-8 | checkpoint-ngfw-kv-app-activity-bypass |
+| checkpoint-system-info-9 | checkpoint-ngfw-kv-app-activity-keyinst |
+| checkpoint-url-filtering | checkpoint-ngfw-kv-http-session-urlfilter |
+| checkpoint-vpn-authentication | checkpoint-ngfw-kv-vpn-login-network |
+| checkpoint-vpn-connection | checkpoint-ngfw-kv-vpn-session-success-update |
+| checkpoint-vpn-firewall | checkpoint-ngfw-kv-network-session-success-firewall |
+| checkpoint-vpn-login | checkpoint-sg-csv-vpn-login-success-raslogin |
+| checkpoint-vpn-login-1 | checkpoint-sg-kv-vpn-login-success-vpnlogin |
+| checkpoint-vpn-login-2 | checkpoint-sg-kv-vpn-user |
+| checkpoint-vpn-login-3 | checkpoint-ngfw-kv-vpn-login-success-vpnrouting |
+| checkpoint-vpn-login-4 | checkpoint-ia-kv-vpn-login-success-login |
+| checkpoint-vpn-login-5 | checkpoint-ia-kv-vpn-login-success-successfullogin |
+| checkpoint-vpn-login-6 | checkpoint-ngfw-kv-vpn-login-success-login |
+| checkpoint-vpn-logout | checkpoint-ngfw-kv-vpn-logout-success-logout |
+| checkpoint-vpn-logout-1 | checkpoint-ia-kv-vpn-logout-success-awareness |
+| checkpoint-vpn-logout-2 | checkpoint-ia-kv-vpn-logout-success-logout |
+| checkpoint-web-activity | checkpoint-ngfw-kv-http-session-ifname |
+| checkpoint-web-activity-1 | checkpoint-ngfw-kv-http-session-filtering |
+| cimtrak-file-delete | cimtrak-c-kv-file-read-success-filedeleted |
+| cimtrak-file-write-1 | cimtrak-c-kv-file-write-success-fileadded |
+| cimtrak-file-write-2 | cimtrak-c-kv-file-write-success-filemodified |
+| cisco-2960-auth-failed | cisco-asa-str-endpoint-login-fail-2960 |
+| cisco-2960-auth-failed-1 | cisco-asa-str-endpoint-login-fail-2960-1 |
+| cisco-2960-auth-successful | cisco-asa-str-endpoint-login-success-2960 |
+| cisco-BGP-system-info | cisco-asa-str-network-notification-bgp |
+| cisco-ISIS-system-info | cisco-ios-str-app-notification-success-isis |
+| cisco-acs-auth-failed | cisco-acs-cef-endpoint-authentication-fail-authfailed |
+| cisco-acs-auth-success | cisco-acs-cef-endpoint-authentication-success-login |
+| cisco-acs-auth-success-2 | cisco-acs-cef-endpoint-authentication-success-authsucceeded |
+| cisco-acs-nac-logon | cisco-ise-kv-radius-traffic-success-start |
+| cisco-acs-system-activity-1 | cisco-acs-cef-app-activity-success-appactivity |
+| cisco-acs-vpn-login | cisco-ise-kv-vpn-login-success-radiusaccounting |
+| cisco-acs-vpn-login-failed | cisco-ise-kv-vpn-login-success-attempts |
+| cisco-acs-vpn-logout | cisco-ise-kv-vpn-logout-success-virtual |
+| cisco-adc-web-activity | cisco-adc-str-http-session-success-adcapp |
+| cisco-airespace-network-alert | cisco-airespace-cef-alert-trigger-success-networkbased |
+| cisco-amp-system-info | cisco-secureendpoint-sk4-app-activity-orbital |
+| cisco-app-activity | cisco-cucm-kv-app-activity-success-useraccess |
+| cisco-asa-106001 | cisco-asa-str-network-session-fail-106001 |
+| cisco-asa-106006 | cisco-asa-str-network-traffic-fail-106006 |
+| cisco-asa-106007 | cisco-asa-str-network-traffic-fail-106007 |
+| cisco-asa-106012 | cisco-asa-str-network-traffic-fail-106012 |
+| cisco-asa-106015 | cisco-asa-str-network-traffic-fail-106015 |
+| cisco-asa-106021 | cisco-asa-str-alert-trigger-106021 |
+| cisco-asa-106023 | cisco-asa-cef-network-traffic-fail-106023 |
+| cisco-asa-110002 | cisco-asa-str-app-notification-110002 |
+| cisco-asa-113008 | cisco-asa-str-app-authentication-113008 |
+| cisco-asa-113009 | cisco-asa-str-app-authentication-113009 |
+| cisco-asa-113015 | cisco-asa-kv-endpoint-login-fail-113015 |
+| cisco-asa-302010 | cisco-asa-str-app-notification-302010 |
+| cisco-asa-302020 | cisco-asa-str-network-start-302020 |
+| cisco-asa-304001 | cisco-asa-str-http-traffic-304001 |
+| cisco-asa-305006 | cisco-asa-str-network-notification-305006 |
+| cisco-asa-313001 | cisco-asa-str-network-traffic-fail-313001 |
+| cisco-asa-313004 | cisco-asa-str-network-traffic-fail-313004 |
+| cisco-asa-313005 | cisco-asa-str-network-traffic-fail-313005 |
+| cisco-asa-313009 | cisco-asa-str-network-traffic-fail-313009 |
+| cisco-asa-315011 | cisco-asa-str-app-logout-315011 |
+| cisco-asa-402114 | cisco-asa-str-network-notification-402114 |
+| cisco-asa-405001 | cisco-asa-str-arp-traffic-405001 |
+| cisco-asa-419002 | cisco-asa-str-network-notification-419002 |
+| cisco-asa-434002 | cisco-asa-str-network-traffic-fail-434002 |
+| cisco-asa-500004 | cisco-asa-str-network-traffic-fail-500004 |
+| cisco-asa-502103 | cisco-asa-str-user-permission-modify-502103 |
+| cisco-asa-507003 | cisco-asa-str-network-traffic-fail-507003 |
+| cisco-asa-607001 | cisco-asa-str-app-notification-607001 |
+| cisco-asa-611103 | cisco-asa-kv-vpn-logout-611103 |
+| cisco-asa-710003 | cisco-asa-str-network-session-fail-710003 |
+| cisco-asa-710005 | cisco-asa-str-network-session-fail-requestdiscarded |
+| cisco-asa-713903 | cisco-asa-str-network-session-success-713903 |
+| cisco-asa-716058 | cisco-asa-str-network-close-716058 |
+| cisco-asa-722012 | cisco-asa-str-vpn-logout-722012 |
+| cisco-asa-722022 | cisco-asa-str-network-start-722022 |
+| cisco-asa-722023 | cisco-asa-str-vpn-logout-722023 |
+| cisco-asa-722032 | cisco-asa-str-vpn-login-722032 |
+| cisco-asa-722033 | cisco-asa-str-vpn-login-722033 |
+| cisco-asa-722034 | cisco-asa-str-vpn-login-722034 |
+| cisco-asa-722036 | cisco-asa-str-network-notfication-722036 |
+| cisco-asa-722041 | cisco-asa-str-ip-assign-fail-722041 |
+| cisco-asa-722055 | cisco-asa-str-app-authentication-722055 |
+| cisco-asa-725001 | cisco-asa-str-ssl-start-725001 |
+| cisco-asa-725002 | cisco-asa-str-ssl-traffic-725002 |
+| cisco-asa-725003 | cisco-asa-str-ssl-traffic-725003 |
+| cisco-asa-725007 | cisco-asa-str-ssl-close-725007 |
+| cisco-asa-725016 | cisco-asa-str-network-notification-725016 |
+| cisco-asa-733100 | cisco-asa-str-alert-trigger-733100 |
+| cisco-asa-734001 | cisco-asa-kv-app-notification-734001 |
+| cisco-asa-737003 | cisco-asa-str-network-notfication-737003 |
+| cisco-asa-737006 | cisco-asa-str-network-notification-737006 |
+| cisco-asa-737016 | cisco-asa-str-ip-assign-737016 |
+| cisco-asa-737026 | cisco-asa-str-ip-assign-737026 |
+| cisco-asa-737034 | cisco-asa-str-ip-assign-fail-737034 |
+| cisco-asa-746010 | cisco-asa-str-user-modify-fail-746010 |
+| cisco-asa-746016 | cisco-asa-str-dns-response-fail-746016 |
+| cisco-asa-750003 | cisco-asa-kv-network-session-fail-750003 |
+| cisco-asa-752012 | cisco-asa-str-network-session-fail-752012 |
+| cisco-asa-752015 | cisco-asa-str-network-session-fail-752015 |
+| cisco-asa-775002 | cisco-asa-str-network-session-fail-775002 |
+| cisco-asa-aaa-authentication-failed | cisco-asa-str-app-authentication-fail-authfailed |
+| cisco-asa-all | cisco-asa-str-network-notification-success |
+| cisco-asa-auth-failed | cisco-asa-str-vpn-login-fail-751011 |
+| cisco-asa-auth-successful | cisco-asa-str-endpoint-login-success-611101 |
+| cisco-asa-authentication-successful | cisco-asa-str-endpoint-login-success-3083 |
+| cisco-asa-connection-acl | cisco-asa-str-network-session-fail-10610 |
+| cisco-asa-connection-built | cisco-asa-str-network-traffic-success-built-30201 |
+| cisco-asa-connection-built-302013 | cisco-asa-str-network-traffic-success-built |
+| cisco-asa-connection-stop | cisco-asa-str-network-traffic-success-teardown |
+| cisco-asa-connection-teardown | cisco-asa-str-network-traffic-success-teardown-2 |
+| cisco-asa-firewall-translation | cisco-asa-str-app-notification-tcptranslation |
+| cisco-asa-network-connection-successful | cisco-asa-str-network-traffic-success-302015 |
+| cisco-asa-network-error | cisco-asa-str-app-notification-7398 |
+| cisco-asa-network-error-1 | cisco-asa-str-app-notification-success-5717 |
+| cisco-asa-network-error-2 | cisco-asa-str-app-notification-success-544 |
+| cisco-asa-network-info | cisco-asa-str-configuration-modify-8527 |
+| cisco-asa-network-info-1 | cisco-asa-str-configuration-modify-8330 |
+| cisco-asa-network-info-2 | cisco-asa-str-app-notification-success-1240 |
+| cisco-asa-process-created | cisco-asa-str-process-create-success-111008 |
+| cisco-asa-process-created-1 | cisco-asa-str-process-create-success-111010 |
+| cisco-asa-translation-30501 | cisco-asa-str-app-activity-30501 |
+| cisco-asa-vpn-login | cisco-asa-kv-vpn-login-success-user |
+| cisco-auth-failed | cisco-cucm-kv-endpoint-authentication-fail-userlogging |
+| cisco-auth-failed-1 | cisco-cucm-kv-endpoint-authentication-fail-authfailed |
+| cisco-auth-failed-2 | cisco-cucm-kv-endpoint-authentication-fail-failure |
+| cisco-auth-successful | cisco-cucm-kv-endpoint-login-success-authsuccess |
+| cisco-auth-successful-1 | cisco-cucm-kv-endpoint-login-success-authsuccess-1 |
+| cisco-auth-successful-2 | cisco-cucm-kv-endpoint-login-success-userlogging |
+| cisco-authentication-failed | cisco-aci-str-endpoint-login-fail-failure |
+| cisco-authentication-successful | cisco-aci-str-endpoint-login-success-loginsession |
+| cisco-config-change | cisco-ios-str-configuration-modify-success-configured |
+| cisco-config-change-1 | cisco-aci-str-configuration-modify-success-information |
+| cisco-dhcp | cisco-dhcp-kv-endpoint-login-success-domain |
+| cisco-dhcp-snooping-deny | cisco-ios-str-alert-trigger-success-snoopingdeny |
+| cisco-dns-response | cisco-fp-kv-dns-response-success-dnsquery |
+| cisco-dns-response-1 | cisco-umbrella-sk4-dns-response-success-dns |
+| cisco-dns-response-2 | cisco-umbrella-json-dns-response-success-responsecode |
+| cisco-duo-account-lockout | cisco-duo-str-user-lock-success-adminlockout |
+| cisco-duo-password-reset | cisco-duo-str-user-password-reset-success-authattempts |
+| cisco-eigrp-system-info | cisco-asa-mix-app-notification-eigrp |
+| cisco-esa-dlp-alert | cisco-se-cef-email-send-receive-success-suser |
+| cisco-esa-dlp-alert-1 | cisco-secureemail-cef-email-send-success-logevent |
+| cisco-esa-dlp-alert-2 | cisco-secureemail-cef-email-receive-fail-secureemailgateway |
+| cisco-file-activity | cisco-asa-str-file-success-client |
+| cisco-firepower-109201 | cisco-fp-kv-user-create-success-109201 |
+| cisco-firepower-109207 | cisco-fp-kv-user-modify-success-109207 |
+| cisco-firepower-109210 | cisco-fp-kv-user-delete-success-109210 |
+| cisco-firepower-713049 | cisco-fp-kv-vpn-authentication-success-713049 |
+| cisco-firepower-713075 | cisco-asa-kv-vpn-authentication-success-713075 |
+| cisco-firepower-713120 | cisco-fp-kv-vpn-authentication-success-713120 |
+| cisco-firepower-713257 | cisco-fp-str-network-notification-success-713257 |
+| cisco-firepower-722010 | cisco-fp-str-app-notification-success-722010 |
+| cisco-firepower-750001 | cisco-fp-kv-app-authentication-success-750001 |
+| cisco-firepower-750006 | cisco-fp-str-app-authentication-success-750006 |
+| cisco-firepower-750007 | cisco-fp-str-app-authentication-success-750007 |
+| cisco-firepower-752003 | cisco-fp-kv-app-notification-success-752003 |
+| cisco-firepower-752016 | cisco-asa-kv-vpn-authentication-success-752016 |
+| cisco-firesight-alert | cisco-fp-kv-alert-trigger-success-impactbits |
+| cisco-fpr-113003 | cisco-fp-str-user-modify-113003 |
+| cisco-fpr-113004 | cisco-asa-kv-radius-traffic-success-113004 |
+| cisco-fpr-113008 | cisco-fp-str-vpn-authentication-113008 |
+| cisco-fpr-113009 | cisco-asa-str-app-authentication-113009-1 |
+| cisco-fpr-113011 | cisco-fp-str-vpn-authentication-success-113011 |
+| cisco-ftd-106006 | cisco-fp-str-network-traffic-fail-106006 |
+| cisco-ftd-106010 | cisco-asa-kv-network-session-fail-106010 |
+| cisco-ftd-106015 | cisco-fp-str-network-traffic-fail-106015 |
+| cisco-ftd-106023 | cisco-fp-str-network-traffic-fail-106023 |
+| cisco-ftd-110002 | cisco-fp-str-configuration-read-110002 |
+| cisco-ftd-110003 | cisco-fp-str-configuration-delete-110003 |
+| cisco-ftd-111001 | cisco-fp-str-configuration-download-111001 |
+| cisco-ftd-111004 | cisco-fp-str-configuration-modify-111004 |
+| cisco-ftd-113004 | cisco-fp-kv-radius-traffic-success-113004 |
+| cisco-ftd-113008 | cisco-fp-kv-app-authentication-113008 |
+| cisco-ftd-113009 | cisco-fp-str-app-authentication-113009 |
+| cisco-ftd-210007 | cisco-fp-str-app-notification-210007 |
+| cisco-ftd-302010 | cisco-fp-str-network-notification-302010 |
+| cisco-ftd-302020 | cisco-fp-str-network-session-302020 |
+| cisco-ftd-313005 | cisco-fp-kv-network-traffic-fail-313005 |
+| cisco-ftd-602101 | cisco-fp-kv-app-authentication-602101 |
+| cisco-ftd-607001 | cisco-asa-str-app-notification-607001-1 |
+| cisco-ftd-710002 | cisco-fp-str-network-start-success-710002 |
+| cisco-ftd-716039 | cisco-asa-str-vpn-login-fail-716039 |
+| cisco-ftd-717022 | cisco-fp-str-certificate-validate-717022 |
+| cisco-ftd-717028 | cisco-fp-str-certificate-validate-717028 |
+| cisco-ftd-717037 | cisco-fp-str-certificate-validate-717037 |
+| cisco-ftd-721016 | cisco-asa-str-vpn-login-success-721016 |
+| cisco-ftd-721018 | cisco-asa-str-vpn-logout-success-721018 |
+| cisco-ftd-722011 | cisco-fp-str-vpn-logout-722011 |
+| cisco-ftd-722012 | cisco-fp-str-vpn-logout-722012 |
+| cisco-ftd-722022 | cisco-fp-str-vpn-login-722022 |
+| cisco-ftd-722023 | cisco-fp-str-vpn-logout-722023 |
+| cisco-ftd-722028 | cisco-fp-str-vpn-logout-success-722028 |
+| cisco-ftd-722032 | cisco-fp-str-vpn-login-722032 |
+| cisco-ftd-722033 | cisco-fp-str-vpn-login-722033 |
+| cisco-ftd-722034 | cisco-fp-str-vpn-login-722034 |
+| cisco-ftd-722036 | cisco-fp-str-network-notification-722036 |
+| cisco-ftd-722041 | cisco-fp-str-endpoint-login-success-722041 |
+| cisco-ftd-725001 | cisco-fp-str-ssl-start-725001 |
+| cisco-ftd-725002 | cisco-fp-str-ssl-traffic-725002 |
+| cisco-ftd-725003 | cisco-fp-str-ssl-traffic-725003 |
+| cisco-ftd-725007 | cisco-fp-str-ssl-close-725007 |
+| cisco-ftd-725016 | cisco-fp-str-ssl-traffic-725016 |
+| cisco-ftd-733100 | cisco-firepower-str-alert-trigger-733100 |
+| cisco-ftd-737003 | cisco-fp-str-app-notification-737003 |
+| cisco-ftd-737006 | cisco-fp-str-network-notification-737006 |
+| cisco-ftd-737016 | cisco-fp-str-ip-assign-737016 |
+| cisco-ftd-737026 | cisco-fp-str-ip-assign-737026 |
+| cisco-ftd-737034 | cisco-fp-str-ip-assign-737034 |
+| cisco-ftd-746014 | cisco-asa-str-dns-response-success-746014 |
+| cisco-ftd-746015 | cisco-asa-str-dns-response-success-746015 |
+| cisco-ftd-746016 | cisco-asa-str-dns-response-fail-746016-1 |
+| cisco-ftd-771002 | cisco-fp-str-app-time-modify-771002 |
+| cisco-ftd-connection-609001 | cisco-fp-str-app-activity-success-609001 |
+| cisco-ftd-connection-609002 | cisco-fp-str-app-activity-success-609002 |
+| cisco-ftd-connection-built-302013 | cisco-fp-str-network-traffic-success-built |
+| cisco-ftd-connection-stop | cisco-fp-str-network-traffic-success-teardown-connection |
+| cisco-ftd-connection-teardown | cisco-fp-str-network-traffic-success-teardown-duration |
+| cisco-ftd-file-download | cisco-asa-str-file-download-success-filedirection |
+| cisco-ftd-firewall-1 | cisco-fp-str-network-traffic-success-dup-tcp |
+| cisco-ftd-firewall-2 | cisco-fp-str-network-traffic-success-805002 |
+| cisco-ftd-firewall-3 | cisco-fp-str-network-traffic-success-305012 |
+| cisco-ftd-firewall-4 | cisco-fp-str-network-traffic-success-sip |
+| cisco-ftd-firewall-5 | cisco-fp-str-network-traffic-fail-icmp |
+| cisco-ftd-firewall-6 | cisco-fp-str-network-traffic-success-305011 |
+| cisco-ftd-firewall-7 | cisco-asa-str-vpn-login-success-602303 |
+| cisco-ftd-firewall-8 | cisco-fp-str-vpn-logout-success-602304 |
+| cisco-ftd-firewall-9 | cisco-fp-str-network-traffic-success-805001 |
+| cisco-ftd-firewall-translation | cisco-fp-str-app-activity-305011 |
+| cisco-ftd-permit-any | cisco-fp-kv-network-traffic-success-permitany |
+| cisco-ftd-process-created | cisco-fp-str-process-create-success-111008 |
+| cisco-ftd-process-created-1 | cisco-asa-str-process-create-success-111009 |
+| cisco-ftd-process-created-2 | cisco-fp-str-process-create-success-111010 |
+| cisco-ftd-translation-30501 | cisco-firepower-csv-app-activity-30501 |
+| cisco-ise-app-accounting-stop | cisco-ise-kv-app-logout-accounting |
+| cisco-ise-app-activity | cisco-ise-kv-app-activity-tacacsplus |
+| cisco-ise-app-activity-1 | cisco-ise-kv-app-activity-tacacsaccounting |
+| cisco-ise-auth-failed | cisco-ise-str-endpoint-policy-verify-authorizationfail |
+| cisco-ise-authentication-failed | cisco-ise-kv-endpoint-login-fail-loginfailed |
+| cisco-ise-config-change | cisco-ise-kv-configuration-modify-configurationchange |
+| cisco-ise-external-mdm | cisco-ise-kv-app-notification-externalmdm |
+| cisco-ise-failed-attempts | cisco-ise-kv-app-activity-fail-failedattempts |
+| cisco-ise-guest | cisco-ise-kv-app-activity-guest |
+| cisco-ise-nac-logon | cisco-ise-kv-endpoint-authentication-cisepassed |
+| cisco-ise-nac-ssh-login | cisco-ise-cef-endpoint-login-success-userloginsuccess |
+| cisco-ise-nac-system-info | cisco-ise-cef-app-activity-success-eventid |
+| cisco-ise-network-info | cisco-ise-kv-app-notification-profiler |
+| cisco-ise-network-info-1 | cisco-ise-kv-app-activity-administrativeandoperationalaudit |
+| cisco-ise-network-info-2 | cisco-ise-kv-app-notification-adconnector |
+| cisco-ise-network-info-3 | cisco-ise-kv-endpoint-authentication-flowdiagnostics |
+| cisco-ise-network-info-4 | cisco-ise-kv-endpoint-authentication-fail-warn |
+| cisco-ise-radius-accounting | cisco-ise-kv-endpoint-authentication-accounting |
+| cisco-ise-system-info | cisco-ise-kv-endpoint-policy-verify-accounting |
+| cisco-ise-tacacs-login | cisco-ise-cef-endpoint-login-success-adlogin |
+| cisco-ise-vpn-logout | cisco-ise-cef-vpn-logout-success-stop |
+| cisco-ldp-system-info | cisco-asa-cef-network-notification-neighbor |
+| cisco-logout | cisco-ucm-str-app-logout-success-loggedout |
+| cisco-logout-1 | cisco-aci-str-app-logout-success-logoutsession |
+| cisco-meraki-vpn-start | cisco-mma-str-vpn-login-success-vpnconnect |
+| cisco-meraki-vpn-stop | cisco-mma-str-vpn-logout-success-disconnected |
+| cisco-meraki-web-activity | cisco-mma-kv-http-session-success-dst |
+| cisco-nac-failed-logon | cisco-ise-kv-radius-traffic-fail-failedattempt |
+| cisco-nac-logon | cisco-ise-kv-radius-traffic-success-accountstartreq |
+| cisco-nac-logon-1 | cisco-ise-kv-radius-traffic-success-commandauthsuccess |
+| cisco-nac-logon-2 | cisco-ise-kv-radius-traffic-success-networkdeviceprofile |
+| cisco-nac-logon-3 | cisco-ise-kv-radius-traffic-success-tacacsaccouting |
+| cisco-netflow-connection | cisco-netflow-str-network-traffic-success-ipaccesslog |
+| cisco-netflow-connection-1 | cisco-fp-kv-network-traffic-success-accesscontrol |
+| cisco-netflow-connection-2 | cisco-netflow-kv-network-traffic-success-nfc-id |
+| cisco-network-connection | cisco-asa-str-app-activity-success-network |
+| cisco-process-created | cisco-npe-kv-process-create-success-loggedcommand |
+| cisco-process-network | cisco-ac-kv-network-session-success-nvzflow |
+| cisco-snmp-authentication-failure | cisco-asa-str-endpoint-authentication-fail-authfailure |
+| cisco-sourcefire-alert | cisco-fp-kv-alert-trigger-success-correlationevent |
+| cisco-ssh-login | cisco-asa-str-ssh-traffic-success-sshuserauth |
+| cisco-ssh-login-1 | cisco-c-mix-ssh-traffic-success-loginsuccess |
+| cisco-ssh-logout | cisco-c-mix-endpoint-logout-success-sessionexited |
+| cisco-system-event | cisco-firepower-json-app-activity-appactivity |
+| cisco-system-info-1 | cisco-asa-str-app-notification-success-dual |
+| cisco-system-info-10 | cisco-asa-str-app-activity-epm6 |
+| cisco-system-info-11 | cisco-ucm-kv-app-notification-success-deviceupdate |
+| cisco-system-info-12 | cisco-ucm-kv-configuration-modify-success-generalconfigurationupdate |
+| cisco-system-info-13 | cisco-ucm-kv-app-login-success-userlogging |
+| cisco-system-info-14 | cisco-ucm-kv-user-role-modify-success-userrolemembershipupdate |
+| cisco-system-info-15 | cisco-asa-str-app-notification-systemmsg |
+| cisco-system-info-16 | cisco-asa-str-app-notification-linkfailure |
+| cisco-system-info-17 | cisco-asa-str-app-notification-5 |
+| cisco-system-info-18 | cisco-asa-str-network-notification-duplex |
+| cisco-system-info-19 | cisco-asa-str-app-notification-flowcontrol |
+| cisco-system-info-2 | cisco-asa-str-app-notification-lineproto |
+| cisco-system-info-20 | cisco-asa-str-app-notification-systemmsg-1 |
+| cisco-system-info-21 | cisco-asa-str-app-notification-sysmgr |
+| cisco-system-info-22 | cisco-asa-str-network-notification-dupsrcip |
+| cisco-system-info-23 | cisco-asa-str-app-login-fail-conversationfailed |
+| cisco-system-info-24 | cisco-asa-str-app-notification-authpriv |
+| cisco-system-info-25 | cisco-asa-str-app-notification-success-basictrace |
+| cisco-system-info-26 | cisco-asa-str-alert-trigger-ethport3 |
+| cisco-system-info-27 | cisco-asa-str-app-notification-3 |
+| cisco-system-info-28 | cisco-asa-str-app-notification-coresavefailed |
+| cisco-system-info-29 | cisco-asa-str-app-notification-errormessage |
+| cisco-system-info-3 | cisco-asa-str-app-notification-updown |
+| cisco-system-info-30 | cisco-asa-str-configuration-modify-5 |
+| cisco-system-info-31 | cisco-asa-str-app-notification-ifup |
+| cisco-system-info-32 | cisco-asa-str-app-notification-iftxflowcontrol |
+| cisco-system-info-33 | cisco-asa-str-app-notification-channeldeleted |
+| cisco-system-info-34 | cisco-asa-str-app-notification-channelcreated |
+| cisco-system-info-35 | cisco-asa-str-app-notification-membersdown |
+| cisco-system-info-4 | cisco-asa-kv-app-notification-adjchg |
+| cisco-system-info-5 | cisco-asa-str-ssh-close-ssh |
+| cisco-system-info-6 | cisco-asa-str-ssh-start-session |
+| cisco-system-info-7 | cisco-asa-str-app-notification-startstop |
+| cisco-system-info-9 | cisco-asa-str-app-activity-authmgr5 |
+| cisco-tacacs-authentication-failed | cisco-tacacs-kv-app-authentication-fail-tacacsserver |
+| cisco-tacacs-system-info | cisco-acs-kv-app-authentication-fail-requestfailed |
+| cisco-ucs-authentication-failed | cisco-cucs-str-endpoint-login-fail-authfailed |
+| cisco-umbrella-intelligent-proxy | cisco-umbrella-json-http-session-verdicts |
+| cisco-umbrella-network-connection | cisco-umbrella-cef-network-traffic-success-ip |
+| cisco-umbrella-proxy | cisco-umbrella-cef-http-session-proxy |
+| cisco-vpn-logout | cisco-ac-cef-vpn-logout-success-stop |
+| cisco-vpn-logout-2 | cisco-ac-str-vpn-logout-success-resume |
+| cisco-vpn-start | cisco-ac-str-vpn-login-success-113039 |
+| cisco-vpn-start-2 | cisco-ac-str-vpn-login-success-722055 |
+| cisco-vpn-start-3 | cisco-ac-str-vpn-login-success-734001 |
+| cisco-w3c-proxy | cisco-securewebapp-str-http-session-webbrowsing |
+| cisco-wlc-network-info-1 | cisco-ios-kv-endpoint-notification-success-endpointnotification |
+| cisco-wlc-network-info-2 | cisco-ios-kv-endpoint-notification-success-endpointnotification-1 |
+| cisco-wlc-remote-logon | cisco-cwc-str-endpoint-login-success-loginpassed |
+| cisco-wsa-squid-proxy | cisco-securewebapp-str-http-session-squid |
+| cisco-wsa-web-activity | cisco-securewebapp-csv-http-session-info |
+| cisco-wsa-web-activity-1 | cisco-securewebapp-kv-http-session-accesslogs |
+| cise-alarm-info | cisco-ise-str-app-notification-alarm |
+| cise-audit-info | cisco-ise-str-app-notification-audit |
+| cise-config-change | cisco-ise-kv-configuration-modify-success-52001 |
+| cise-config-change-1 | cisco-ise-kv-configuration-modify-success-52000 |
+| cise-logout | cisco-ise-kv-endpoint-logout-51002 |
+| cise-logout-1 | cisco-ise-kv-app-logout-60116 |
+| cise-posture-audit-info | cisco-ise-str-app-notification-success-posturereport |
+| cise-remote-logon | cisco-ise-kv-ssh-traffic-success-60080 |
+| cise-remote-logon-1 | cisco-ise-kv-endpoint-login-success-51001 |
+| cise-remote-logon-2 | cisco-ise-kv-endpoint-login-61025 |
+| cise-remote-logon-3 | cisco-ise-kv-ssh-traffic-success-60115 |
+| citrix-activesync-app-activity | citrix-gac-kv-app-activity-success-allow |
+| citrix-activesync-app-activity-failed | citrix-gac-kv-app-activity-fail-deny |
+| citrix-app-activity | citrix-sharefile-sk4-app-activity-success-editnote |
+| citrix-app-activity-1 | citrix-sharefile-sk4-app-activity-success-usermodifiedpermission |
+| citrix-app-login | citrix-sharefile-sk4-app-login-success-loginactivity |
+| citrix-app-login-2 | citrix-sharefile-sk4-app-login-success-tfalogin |
+| citrix-app-login-3 | citrix-cvapps-kv-app-login-success-hdx |
+| citrix-app-login-4 | citrix-cvapps-json-app-login-success-applicationstart |
+| citrix-app-login-fail | citrix-sharefile-sk4-app-login-fail-failedlogin |
+| citrix-app-login-fail-1 | citrix-sharefile-sk4-app-login-fail-tfaloginfail |
+| citrix-app-login-fail-2 | citrix-sharefile-sk4-app-login-fail-loginlocked |
+| citrix-appfw-400-resp | citrix-appfw-str-network-traffic-400-resp |
+| citrix-appfw-bufferoverflow-cookie | citrix-appfw-str-network-traffic-bufferoverflowcookie |
+| citrix-appfw-bufferoverflow-url | citrix-appfw-str-network-traffic-bufferoverflow-url |
+| citrix-appfw-content-type | citrix-appfw-kv-network-traffic-success-contenttype |
+| citrix-appfw-csrf-tag | citrix-appfw-str-network-traffic-csrftag |
+| citrix-appfw-csrf-tag-1 | citrix-appfw-cef-network-traffic-success-csrftag |
+| citrix-appfw-denyurl | citrix-appfw-str-network-traffic-denyurl |
+| citrix-appfw-fieldconsistency | citrix-appfw-str-network-traffic-fieldconsistency |
+| citrix-appfw-fieldconsistency-1 | citrix-appfw-cef-network-traffic-success-fieldconsistency |
+| citrix-appfw-fieldformat | citrix-appfw-kv-network-traffic-fieldformat |
+| citrix-appfw-malformed-req-err | citrix-appfw-str-network-traffic-malformed-reqerr |
+| citrix-appfw-multiple-header | citrix-appfw-str-network-traffic-multheader |
+| citrix-appfw-network-info | citrix-waf-cef-http-request-success-netscaler |
+| citrix-appfw-policy_hit | citrix-appfw-str-network-traffic-policyhit |
+| citrix-appfw-referer-header | citrix-appfw-cef-network-traffic-referer-header |
+| citrix-appfw-referer-header-1 | citrix-appfw-cef-network-traffic-success-refererheader |
+| citrix-appfw-signature-match | citrix-appfw-str-network-traffic-signature-match |
+| citrix-appfw-sql | citrix-appfw-str-network-traffic-sql |
+| citrix-appfw-starturl | citrix-appfw-str-network-traffic-starturl |
+| citrix-appfw-starturl-1 | citrix-appfw-cef-network-traffic-success-starturl |
+| citrix-appfw-xss | citrix-appfw-str-network-traffic-xss |
+| citrix-device-aaa-auth-failed | citrix-cgateway-str-vpn-login-fail-authenticationfailed |
+| citrix-device-aaa-auth-success | citrix-cgateway-str-vpn-authentication-success-succeededpolicy |
+| citrix-device-aaa-msg-1 | citrix-cgateway-str-app-notification-ns_aaa_dialogue_handler |
+| citrix-device-aaa-msg-2 | citrix-cgateway-str-network-notification-below |
+| citrix-device-aaa-msg-3 | citrix-cgateway-str-app-authentication-message |
+| citrix-device-aaa-msg-4 | citrix-cgateway-str-user-read-receive-ldap-user-search-event |
+| citrix-device-aaa-msg-5 | citrix-cgateway-str-endpoint-policy-verify-fail-received |
+| citrix-device-aaa-user-failed | citrix-cgateway-str-vpn-login-fail-failedpolicy |
+| citrix-device-down-info | citrix-cgateway-str-app-notification-devicedown |
+| citrix-device-extracted-info | citrix-cgateway-csv-app-notification-extracted_groups |
+| citrix-device-monitordown-info | citrix-cgateway-str-app-notification-monitordown |
+| citrix-device-monitorup-info | citrix-cgateway-kv-app-notification-monitorup |
+| citrix-device-nonhttp-info | citrix-cgateway-str-app-activity-accessdenied |
+| citrix-device-routing-info | citrix-cgateway-str-app-notification-ppe |
+| citrix-device-saveconfig-info | citrix-cgateway-str-configuration-save-saveconfig |
+| citrix-device-snmp-info | citrix-cgateway-str-app-notification-trap_sent |
+| citrix-device-ssltcp-info | citrix-cgateway-str-vpn-logout-tcpconntimeout |
+| citrix-device-transform-info | citrix-cgateway-str-network-notification-filerequest |
+| citrix-device-up-info | citrix-cgateway-str-app-notification-diviceup |
+| citrix-endpoint-mgmt-activity | citrix-endpointmgmt-kv-app-activity-success-audit |
+| citrix-file-download | citrix-sharefile-cef-file-download-success-download |
+| citrix-file-share | citrix-cgateway-sk4-app-activity-success-sharessend |
+| citrix-file-upload | citrix-sharefile-cef-file-upload-success-fileupload |
+| citrix-logout | citrix-cvapps-json-endpoint-logout-desktopstop |
+| citrix-logout-1 | citrix-cvapps-json-app-logout-success-applicationstop |
+| citrix-remote-logon | citrix-cvapps-json-endpoint-login-success-shadowuser |
+| citrix-remote-logon-1 | citrix-cvapps-json-rdp-traffic-success-message |
+| citrix-system-info | citrix-cvapps-json-app-activity-adminaction |
+| citrix-vpn-connection | citrix-cgateway-str-vpn-login-success-acessallowed |
+| citrix-vpn-connection-1 | citrix-cgateway-str-vpn-session-tcpconnstat |
+| citrix-vpn-logout | citrix-cgateway-str-vpn-logout-success-removesessiondebug |
+| citrix-vpn-logout-1 | citrix-cgateway-str-vpn-logout-success-icaend |
+| citrix-vpn-system-info | citrix-cgateway-str-app-notification-sslvpn |
+| citrix-xenapp-login | citrix-cvapps-kv-app-login-success-sslvpn |
+| cl-cisco-dns-response-sk4-4 | cisco-umbrella-json-dns-response-success-tenantid |
+| clearsense-app-activity | clearsense-cs-sk4-app-activity-success-clearsenseaudit |
+| clearsense-app-login | clearsense-cs-sk4-app-login-success-loginsuccessful |
+| clearswift-dlp-email | clearswiftseg-cseg-str-email-send-receive-msgsiacpt |
+| clickstudio-passwordstate-account-disabled | clickstudios-passwordstate-kv-user-disable-success-servicedisable |
+| clickstudio-passwordstate-account-password-change | clickstudios-passwordstate-kv-user-password-modify-success-modifiedpassword |
+| clickstudio-passwordstate-account-password-change-failed | clickstudios-passwordstate-kv-user-password-modify-fail-resetpassword |
+| clickstudio-passwordstate-account-password-reset | clickstudios-passwordstate-kv-user-password-reset-fail-apifailed |
+| clickstudio-passwordstate-account-password-reset-1 | clickstudios-passwordstate-kv-user-password-reset-success-resetsuccess |
+| clickstudio-passwordstate-account-password-reset-2 | clickstudios-passwordstate-kv-user-password-reset-success-apiresetsuccess |
+| clickstudio-passwordstate-app-activity | clickstudios-passwordstate-kv-app-activity-success-updatepassword |
+| clickstudio-passwordstate-app-activity-1 | clickstudios-passwordstate-kv-app-activity-success-modifyaccess |
+| clickstudio-passwordstate-auth-attempt | clickstudios-pwdstate-str-app-notification-success-retrievedpassword |
+| clickstudio-passwordstate-auth-success | clickstudios-passwordstate-kv-app-authentication-success-authtoapi |
+| clickstudio-passwordstate-auth-success-1 | clickstudios-passwordstate-kv-app-authentication-success-loginforuserid |
+| clickstudio-passwordstate-logout | clickstudios-pwdstate-str-app-logout-success-manuallogoff |
+| clickstudio-passwordstate-logout-1 | clickstudios-pwdstate-str-app-logout-success-autologoff |
+| clickstudio-passwordstate-member-removed | clickstudios-passwordstate-kv-group-member-remove-success-serviceremove |
+| clickstudio-passwordstate-remote-logon | clickstudios-passwordstate-kv-endpoint-login-success-remotesession |
+| clickstudio-passwordstate-system-info | clickstudios-pwdstate-str-app-notification-success-checkfailed |
+| clickstudio-passwordstate-system-info-1 | clickstudios-pwdstate-str-app-notification-success-clientip |
+| cloud-iq-network-info | extremenetworks-eciq-kv-endpoint-authentication-success-authsuccess |
+| cloudflare-app-activity | cloudflare-insights-sk4-app-member-success-cloudflare |
+| cloudflare-app-activity-1 | cloudflare-insights-sk4-app-member-success-cloudflare-1 |
+| cloudflare-network-alert | cloudfare-waf-sk4-alert-trigger-success-firewall |
+| cloudflare-network-alert-2 | cloudfare-cdn-sk4-alert-trigger-success-edgestart |
+| code42-alert-1 | code42-incydr-sk4-alert-trigger-success-cloudstorage |
+| code42-alert-2 | code42-incydr-sk4-alert-trigger-success-publicshares |
+| code42-alert-3 | code42-incydr-sk4-alert-trigger-success-sourcecode |
+| code42-app-activity | code42-incydr-sk4-app-activity-success-appclient |
+| code42-email-out-operations | code42-incydr-sk4-email-send-success-emailed |
+| code42-file-operations | code42-incydr-str-file-success-logcollector |
+| code42-file-operations-2 | code42-incydr-json-file-delete-success-deviceaddress |
+| code42-file-operations-3 | code42-incydr-csv-file-delete-success-code42logcollector |
+| code42-file-operations-4 | code42-incydr-json-file-success-oshostname |
+| code42-file-read | code42-incydr-sk4-file-read-succes-appread |
+| code42-print-operations | code42-incydr-sk4-printer-activity-success-printed |
+| code42-system-info | code42-cp-json-endpoint-notification-computer |
+| code42-usb-insert | code42-incydr-json-peripheral-storage-insert-success-deviceappeared |
+| code42-usb-removed | code42-incydr-json-peripheral-storage-activity-success-deviceaddress |
+| cognitas-vpn-start | cognitascrosslink-cc-cef-vpn-login-success-authsuccess |
+| cohesity-app-login | cohesity-dataplatform-json-app-login-success-actionlogin |
+| cohesity-system-info-1 | cohesity-dataplatform-json-app-activity-kphysical |
+| cohesity-system-info-2 | cohesity-dataplatform-json-user-token-create-accesstoken |
+| cohesity-system-info-3 | cohesity-dataplatform-json-app-activity-appactivity |
+| common-ftp-app-login | ftp-f-csv-app-login-success-successlogin |
+| common-ftp-failed-app-login | ftp-f-csv-app-login-fail-failurelogin |
+| common-ftp-file-delete | ftp-f-csv-file-delete-success-filedeleted |
+| common-ftp-file-download | ftp-f-csv-file-read-success-filedownloaded |
+| common-ftp-file-upload | ftp-f-csv-file-write-success-fileuploaded |
+| common-ftp-logout | ftp-f-csv-ftp-close-success-sessionclosed |
+| confer-alert | vmware-carbonblack-mix-alert-trigger-success-threat |
+| connectra-auth-failed | checkpoint-vsec-kv-vpn-login-fail-authcryptfailed |
+| connectra-auth-successful | checkpoint-vsec-kv-vpn-authentication-success-connectra |
+| connectra-failed-vpn-login | checkpoint-sg-kv-vpn-login-fail-connectra |
+| connectra-vpn-end | checkpoint-sg-kv-vpn-logout-success-logout-1 |
+| connectra-vpn-login | checkpoint-sg-kv-vpn-login-success-connectraloginsuccess |
+| connectra-vpn-login-1 | checkpoint-vsec-kv-vpn-login-success-ipchanged |
+| connectra-vpn-logout | checkpoint-sg-kv-vpn-logout-success-logout |
+| contivity-vpn-end | nortelcontivity-vpn-str-vpn-logout-success-loggedout |
+| contivity-vpn-exceeded-idle-timeout | nortelcontivity-vpn-str-vpn-logout-exceedtimeout |
+| contivity-vpn-set-ip | nortelcontivity-vpn-json-vpn-login-success-assignip |
+| contivity-vpn-start | nortelcontivity-vpn-json-vpn-login-success-address |
+| corelight-dns-query | zeek-z-json-dns-request-success-dns |
+| cortex-xdr-app-activity | pan-cortex-cef-app-login-success-loginsuccess |
+| counteract-config-change | forescout-couteract-str-configuration-modify-success-session |
+| counteract-logout | forescout-couteract-cef-app-logout-success-logoffevent |
+| counteract-nac-logon-successful | forescout-counteract-cef-endpoint-login-success-intractivelogonevents |
+| counteract-network-alert | forescout-couteract-kv-alert-trigger-success-deviceblocked |
+| counteract-network-alert-1 | forescout-counteract-str-alert-trigger-success-unauthorizedhostevent |
+| counteract-network-alert-2 | forescout-couteract-kv-alert-trigger-success-alerttrigger |
+| counteract-network-alert-3 | forescout-couteract-kv-alert-trigger-success-mainappliance |
+| counteract-network-alert-4 | forescout-couteract-cef-alert-trigger-success-rule |
+| counteract-network-alert-5 | forescout-couteract-json-alert-trigger-success-alerttrigger |
+| counteract-network-alert-6 | forescout-couteract-kv-alert-trigger-success-virtualfirewall |
+| counteract-network-connection | forescout-counteract-str-network-traffic-success-established |
+| counteract-network-connection-1 | forescout-counteract-kv-network-traffic-status |
+| counteract-network-info-1 | forescout-couteract-kv-app-activity-source |
+| counteract-network-info-2 | forescout-couteract-kv-alert-trigger-counteract |
+| counteract-network-info-3 | forescout-couteract-kv-app-activity-info |
+| crowdstrike-app-activity | crowdstrike-falcon-cef-app-activity-useractivityauditevent |
+| crowdstrike-app-activity-1 | crowdstrike-falcon-json-app-activity-awsec2securitygroup |
+| crowdstrike-app-activity-10 | crowdstrike-falcon-sk4-app-activity-updateuser |
+| crowdstrike-app-activity-11 | crowdstrike-falcon-cef-app-activity-deleteuser |
+| crowdstrike-app-activity-12 | crowdstrike-falcon-sk4-case-modify-success-detectionupdate |
+| crowdstrike-app-activity-13 | crowdstrike-falcon-sk4-app-activity-success-quarantinedfileupdate |
+| crowdstrike-app-activity-14 | crowdstrike-falcon-sk4-group-modify-success-updategroup |
+| crowdstrike-app-activity-15 | crowdstrike-falcon-sk4-app-activity-success-assert |
+| crowdstrike-app-activity-16 | crowdstrike-falcon-sk4-policy-modify-success-updatepriority |
+| crowdstrike-app-activity-17 | crowdstrike-falcon-sk4-group-success-aufitevent |
+| crowdstrike-app-activity-18 | crowdstrike-falcon-sk4-file-download-success-downloadsensorinstaller |
+| crowdstrike-app-activity-19 | crowdstrike-falcon-sk4-user-password-modify-success-changepassword |
+| crowdstrike-app-activity-2 | crowdstrike-falcon-sk4-app-activity-awsec2networkinterface |
+| crowdstrike-app-activity-20 | crowdstrike-falcon-sk4-group-success-addgroup |
+| crowdstrike-app-activity-21 | crowdstrike-falcon-sk4-app-activity-success-revealtoken |
+| crowdstrike-app-activity-22 | crowdstrike-falcon-sk4-app-activity-success-hidehostrequested |
+| crowdstrike-app-activity-23 | crowdstrike-falcon-sk4-user-password-reset-success-requestresetpassword |
+| crowdstrike-app-activity-24 | crowdstrike-falcon-sk4-policy-modify-success-updatepolicy |
+| crowdstrike-app-activity-25 | crowdstrike-falcon-sk4-app-activity-success-selfaccepteula |
+| crowdstrike-app-activity-26 | crowdstrike-falcon-sk4-user-role-assign-success-grantuserroles |
+| crowdstrike-app-activity-27 | crowdstrike-falcon-sk4-user-create-success-createuser |
+| crowdstrike-app-activity-28 | crowdstrike-falcon-sk4-policy-enable-success-enablepoliy |
+| crowdstrike-app-activity-29 | crowdstrike-falcon-sk4-policy-create-success-createpolicy |
+| crowdstrike-app-activity-3 | crowdstrike-falcon-json-app-activity-awsec2networkaclentry |
+| crowdstrike-app-activity-30 | crowdstrike-falcon-json-app-activity-success-sourceip |
+| crowdstrike-app-activity-4 | crowdstrike-falcon-json-app-activity-awsec2networkacl |
+| crowdstrike-app-activity-5 | crowdstrike-falcon-cef-app-activity-useraccountadded |
+| crowdstrike-app-activity-7 | crowdstrike-falcon-cef-app-activity-grantuserroles |
+| crowdstrike-app-activity-8 | crowdstrike-falcon-cef-app-activity-revokeuserroles |
+| crowdstrike-app-activity-9 | crowdstrike-falcon-cef-app-activity-createuser |
+| crowdstrike-auth-failed-1 | crowdstrike-falcon-json-endpoint-login-fail-userlogonfail |
+| crowdstrike-auth-failed-2 | crowdstrike-falcon-json-endpoint-login-fail-userlogonfail-1 |
+| crowdstrike-config-change | crowdstrike-falcon-json-configuration-modify-success-firewall |
+| crowdstrike-falcon-usb-write | crowdstrike-falcon-sk4-file-write-success-written |
+| crowdstrike-falcon-usb-write-1 | crowdstrike-falcon-json-file-write-success-written |
+| crowdstrike-file-alert | crowdstrike-falcon-sk4-alert-trigger-success-quarantinedfilestate |
+| crowdstrike-file-delete | crowdstrike-falcon-json-file-delete-success-deleted |
+| crowdstrike-file-delete-1 | crowdstrike-falcon-json-file-delete-success-executabledeleted |
+| crowdstrike-file-download | crowdstrike-falcon-json-file-download-success-bitsjobcreated |
+| crowdstrike-file-download-1 | crowdstrike-falcon-cef-file-download-success-loadconfirmation |
+| crowdstrike-file-operations-1 | crowdstrike-falcon-cef-file-success-info |
+| crowdstrike-file-process-alert | crowdstrike-falcon-sk4-alert-trigger-lsasshandlefromunsignedmodule |
+| crowdstrike-file-process-alert-2 | crowdstrike-falcon-json-alert-trigger-success-lsasshandlefromunsignedmodule |
+| crowdstrike-file-read | crowdstrike-falcon-json-file-read-success-criticalfileaccessed |
+| crowdstrike-file-read-2 | crowdstrike-falcon-json-file-read-success-criticalfileaccessed-1 |
+| crowdstrike-file-read-3 | crowdstrike-falcon-json-file-read-success-ransomware |
+| crowdstrike-file-write | crowdstrike-falcon-cef-file-write-success-written |
+| crowdstrike-file-write-1 | crowdstrike-falcon-mix-file-write-success-directorycreate |
+| crowdstrike-file-write-10 | crowdstrike-falcon-json-file-write-success-olefilewritten |
+| crowdstrike-file-write-11 | crowdstrike-falcon-json-file-write-success-pdffilewritten |
+| crowdstrike-file-write-12 | crowdstrike-falcon-json-file-write-success-dwgfilewritten |
+| crowdstrike-file-write-13 | crowdstrike-falcon-json-file-write-success-dmpfilewritten |
+| crowdstrike-file-write-14 | crowdstrike-falcon-json-file-write-success-directorycreate |
+| crowdstrike-file-write-2 | crowdstrike-falcon-json-file-write-success-renamed |
+| crowdstrike-file-write-3 | crowdstrike-falcon-json-file-write-success-asepfilechange |
+| crowdstrike-file-write-4 | crowdstrike-falcon-json-file-write-success-machofilewritten |
+| crowdstrike-file-write-5 | crowdstrike-falcon-cef-file-write-success-fsvolumemounted |
+| crowdstrike-file-write-6 | crowdstrike-falcon-cef-file-write-success-critialfilemodified |
+| crowdstrike-file-write-7 | crowdstrike-falcon-cef-file-write-success-unmounted |
+| crowdstrike-file-write-8 | crowdstrike-falcon-json-file-write-success-pefilewritten |
+| crowdstrike-file-write-9 | "crowdstrike-falcon-json-file-write-success-ooxmlfilewritten |
+| crowdstrike-host-info | crowdstrike-falcon-mix-endpoint-login-success-hostinfo |
+| crowdstrike-incident-summary | crowdstrike-falcon-sk4-alert-trigger-incidentsummaryevent |
+| crowdstrike-logon | crowdstrike-falcon-mix-endpoint-login-success-userlogon |
+| crowdstrike-logon-2 | crowdstrike-falcon-json-endpoint-login-userlogin |
+| crowdstrike-modify-binary | crowdstrike-falcon-json-file-write-success-modifyservicebinary |
+| crowdstrike-network-connection | crowdstrike-falcon-json-network-traffic-success-connectip |
+| crowdstrike-process-created | crowdstrike-falcon-json-process-create-success-processrollup |
+| crowdstrike-process-created-1 | crowdstrike-falcon-json-process-create-success-processroll |
+| crowdstrike-process-created-2 | crowdstrike-falcon-json-process-create-success-syntheticprocessroll |
+| crowdstrike-process-info-1 | crowdstrike-falcon-json-dll-load-imagehash |
+| crowdstrike-process-info-2 | crowdstrike-falcon-json-process-create-processrollup2stats |
+| crowdstrike-process-info-3 | crowdstrike-falcon-json-process-close-terminateprocess |
+| crowdstrike-process-info-4 | crowdstrike-falcon-json-process-create-syntheticprocessrollup2 |
+| crowdstrike-process-info-5 | crowdstrike-falcon-sk4-process-thread-create-success-suspectcreatethreadstack |
+| crowdstrike-process-info-6 | crowdstrike-falcon-sk4-alert-trigger-userexceptiondep |
+| crowdstrike-process-info-all | "crowdstrike-falcon-sk4-app-activity-eventsimplename |
+| crowdstrike-process-network | crowdstrike-falcon-json-network-session-success-listenip |
+| crowdstrike-registry-update | crowdstrike-falcon-cef-registry-modify-asepvalueupdate |
+| crowdstrike-registry-update-1 | crowdstrike-falcon-cef-registry-modify-asepkeyupdate |
+| crowdstrike-security-alert | crowdstrike-falcon-json-alert-trigger-success-eventsimplename |
+| crowdstrike-security-alert-1 | crowdstrike-falcon-sk4-alert-trigger-suspiciousdnsrequest |
+| crowdstrike-security-alert-2 | crowdstrike-falcon-mix-alert-trigger-success-detectionsummaryevent |
+| crowdstrike-security-alert-4 | crowdstrike-falcon-json-alert-trigger-success-dllinjection |
+| crowdstrike-security-alert-5 | crowdstrike-falcon-json-alert-trigger-success-scenario |
+| crowdstrike-security-alert-6 | crowdstrike-falcon-json-alert-trigger-success-falconhostlink |
+| crowdstrike-security-alert-7 | "crowdstrike-falcon-sk4-alert-trigger-success-idpdetection |
+| crowdstrike-service-created | crowdstrike-falcon-json-process-create-success-servicestarted |
+| crowdstrike-service-created-1 | crowdstrike-falcon-json-process-create-success-createservice |
+| crowdstrike-system-error | crowdstrike-falcon-kv-app-notification-crashnotification |
+| crowdstrike-system-info | crowdstrike-falcon-kv-log-clear-eventlogcleared |
+| crowdstrike-system-info-1 | crowdstrike-falcon-sk4-endpoint-notification-timestamp |
+| crowdstrike-system-info-2 | crowdstrike-falcon-json-endpoint-name-modify-hostnamechanged |
+| crowdstrike-system-info-3 | crowdstrike-falcon-sk4-app-notification-mbcsfdrv2 |
+| crowdstrike-system-info-4 | "crowdstrike-falcon-cef-app-notification-stramstarted |
+| crowdstrike-system-info-5 | "crowdstrike-falcon-cef-app-notification-streamstopped |
+| crowdstrike-system-info-6 | crowdstrike-falcon-sk4-app-activity-success-resetapiclientsecret |
+| crowdstrike-system-info-7 | "crowdstrike-falcon-sk4-endpoint-activity-customeridstring |
+| crowdstrike-system-info-8 | "crowdstrike-falcon-sk4-alert-trigger-firewallmatchevent |
+| crowdstrike-usb-activity | crowdstrike-falcon-sk4-peripheral-storage-activity-dcusb |
+| crowdstrike-usb-alert | crowdstrike-falcon-sk4-alert-trigger-success-dcusbdevicepolicyviolation |
+| crowdstrike-usb-connect | crowdstrike-falcon-cef-peripheral-storage-insert-success-dcusbdeviceconnected |
+| crowdstrike-usb-disconnect | crowdstrike-falcon-cef-peripheral-storage-activity-success-dcusbdevicedisconnected |
+| crowdstrike-usb-insert | crowdstrike-falcon-mix-peripheral-storage-insert-success-removablemediavolumemounted |
+| crowdstrike-user-identity | crowdstrike-falcon-mix-endpoint-login-success-useridentity |
+| crowdstrike-win-task-created | crowdstrike-falcon-cef-scheduled-task-create-success-win |
+| crowdstrike-win-task-updated | crowdstrike-falcon-cef-scheduled-task-modify-win |
+| cws-proxy | cisco-cws-cef-http-session-requestmethod |
+| cws-proxy-1 | cisco-cws-csv-http-session-accesslogs |
+| cyberark-account-switch | cyberark-pam-mix-user-switch-success-retrievepassword |
+| cyberark-account-switch-1 | cyberark-pam-kv-user-switch-success-retrievepassword |
+| cyberark-alert | cyberark-pam-kv-alert-trigger-success-attackblock |
+| cyberark-app-activity | cyberark-pam-kv-app-activity-auditrecord |
+| cyberark-app-login | cyberark-pam-mix-app-login-success-logon |
+| cyberark-password-change | cyberark-pam-mix-user-password-modify-success-changepassword |
+| cyberark-privileged-access | cyberark-epm-json-user-privilege-use-success-elevationrequest |
+| cyberark-process-alert | cyberark-epm-str-alert-trigger-success-detected |
+| cyberark-system-event | cyberark-pam-kv-app-notification-moniterrecord |
+| cylance-alert | blackberry-protect-kv-alert-trigger-success-threat |
+| cylance-alert-1 | blackberry-protect-kv-alert-trigger-success-scriptcontrol |
+| cylance-alert-2 | blackberry-protect-sk4-alert-trigger-success-cyclaneprotect |
+| cylance-alert-3 | blackberry-protect-json-alert-trigger-success-cylanceprotect |
+| cylance-dlp-alert | blackberry-protect-kv-alert-trigger-success-devicecontrol |
+| cylance-process-alert | blackberry-protect-sk4-alert-trigger-success-terminate |
+| cylance-protect-file-alert | blackberry-c-json-alert-trigger-success-cylancescore |
+| cylance-protect-security-alert | blackberry-protect-json-alert-trigger-success-cylancescore |
+| cylance-security-alert | blackberry-protect-kv-alert-trigger-success-exploitattempt |
+| cylance-security-alert-1 | "blackberry-protect-xml-alert-trigger-success-32 |
+| cylance-security-alert-2 | cylance-protect-json-alert-trigger-detection |
+| cylance-system-info-1 | cylance-protect-kv-endpoint-activity-device |
+| cylance-system-info-2 | "cylance-protect-xml-app-notification-8 |
+| cylance-system-info-3 | "cylance-protect-xml-endpoint-notification-16 |
+| cylance-system-info-4 | "cylance-protect-xml-service-stop-success-0 |
+| cyphort-alert | juniper-jn-cef-alert-trigger-success-cyphort |
\ No newline at end of file
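Review bot: several New Parser Name cells in this hunk carry an unbalanced leading double quote that will render as part of the identifier, e.g. `| crowdstrike-process-info-all | "crowdstrike-falcon-sk4-app-activity-eventsimplename |`, `| crowdstrike-security-alert-7 | "crowdstrike-falcon-sk4-alert-trigger-success-idpdetection |` and `| cylance-security-alert-1 | "blackberry-protect-xml-alert-trigger-success-32 |`; strip the stray quote so each cell holds only the name (the same applies to the crowdstrike-system-info-4, -5, -7, -8 and cylance-system-info-2, -3, -4 rows). Also worth confirming against the actual parser names before merging: `stramstarted` in the crowdstrike-system-info-4 row sits next to `streamstopped`, `cyclaneprotect` in cylance-alert-2 sits next to `cylanceprotect` in cylance-alert-3, and cyberark-system-event maps to `moniterrecord`; if these are typos in the table rather than the real identifiers, anyone migrating by new name will get a miss. Finally, the file ends without a trailing newline (`\ No newline at end of file`); add one so the next append does not produce a noisy diff.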
diff --git a/ParsersLegacy/d_parsers.md b/ParsersLegacy/d_parsers.md
new file mode 100644
index 0000000..8aaeb01
--- /dev/null
+++ b/ParsersLegacy/d_parsers.md
@@ -0,0 +1,399 @@
+| Old Parser Name | New Parser Name |
+| ---------------------------------- | ------------------------------------------------------------------------------- |
+| damballa-cef-alert | damballa-fs-cef-alert-trigger-success-failsafe |
+| damballa-leef-alert | damballa-fs-leef-alert-trigger-success-failsafe |
+| darktrace-alert-1 | darktrace-darktrace-json-alert-trigger-success-comparatortype |
+| darktrace-app-login | darktrace-darktrace-json-app-login-success-successfullogin |
+| darktrace-app-logout | darktrace-darktrace-json-app-logout-success-endpointlogout |
+| darktrace-failed-app-login | darktrace-darktrace-json-app-login-fail-failedlogin |
+| darktrace-security-alert | darktrace-darktrace-json-alert-trigger-breachurl |
+| darktrace-system-info | darktrace-darktrace-json-app-activity-appactivity |
+| db-logoff-1 | oracle-db-json-database-logout-userhost |
+| defender-atp-file-events | microsoft-defenderep-json-file-success-tenantid |
+| defender-atp-image-load | microsoft-defenderep-json-dll-load-imageloadevents |
+| defender-atp-logon | microsoft-defenderep-json-app-login-success-timegenerated |
+| defender-atp-network | microsoft-defenderep-json-network-session-fail-devicenetworkevents |
+| defender-atp-network-info | microsoft-defenderep-json-network-notification-success-networkinfo |
+| defender-atp-process | microsoft-defenderep-json-process-create-success-events |
+| defender-atp-process-2 | microsoft-defenderep-json-process-create-success-processevents |
+| defender-atp-registry | microsoft-defenderep-json-endpoint-activity-registryevents |
+| defender-atp-security-alert | microsoft-defenderep-json-alert-trigger-success-lateralmovement |
+| defender-atp-security-alert-1 | microsoft-defenderep-json-alert-trigger-success-malware |
+| defender-atp-security-alert-11 | microsoft-defenderep-json-alert-trigger-success-suspiciousactivity |
+| defender-atp-security-alert-12 | microsoft-defenderep-json-alert-trigger-success-collection |
+| defender-atp-security-alert-13 | microsoft-defenderep-json-alert-trigger-success-malware-1 |
+| defender-atp-security-alert-14 | microsoft-defenderep-json-alert-trigger-success-lateralmovement-1 |
+| defender-atp-security-alert-15 | microsoft-defenderep-json-alert-trigger-success-unwantedsoftware |
+| defender-atp-security-alert-16 | microsoft-defenderep-json-alert-trigger-success-persistence-1 |
+| defender-atp-security-alert-2 | microsoft-defenderep-mix-alert-trigger-success-suspiciousactivity |
+| defender-atp-security-alert-3 | microsoft-defenderep-json-alert-trigger-success-exploit |
+| defender-atp-security-alert-4 | microsoft-defenderep-json-alert-trigger-success-initialaccess |
+| defender-atp-security-alert-5 | microsoft-defenderep-json-alert-trigger-success-persistence |
+| defender-atp-security-alert-6 | microsoft-defenderep-json-alert-trigger-success-discovery |
+| defender-atp-security-alert-7 | microsoft-defenderep-json-alert-trigger-success-successfullogon |
+| defender-atp-security-alert-8 | microsoft-defenderep-sk4-alert-trigger-success-malware |
+| defender-atp-security-alert-9 | microsoft-defenderep-json-alert-trigger-success-exploit-1 |
+| defender-atp-system-info | microsoft-defenderep-json-endpoint-notification-deviceinfo |
+| dell-file-operations-1 | dell-emcisilon-str-file-read-success-open |
+| dell-file-operations-2 | dell-emcisilon-str-file-delete-success-delete |
+| dell-file-operations-3 | dell-emcisilon-str-file-write-success-write |
+| dell-file-operations-4 | dell-emcisilon-str-file-read-success-read |
+| dell-file-remote-access | dell-emcisilon-str-endpoint-login-success-smb |
+| dell-system-info-1 | dell-emcisilon-str-app-notification-treeconnect |
+| dell-system-info-11 | dell-emcisilon-str-endpoint-logout-logoff |
+| dell-system-info-3 | dell-isilon-str-file-close-smb |
+| dell-system-info-5 | dell-emcisilon-str-file-rename-smb |
+| dell-system-info-8 | dell-emcisilon-str-file-permission-read-getsecurity |
+| dell-system-info-9 | dell-isilon-str-file-permission-modify-set_security |
+| dhcp-dns-record | unix-dhcpd-csv-dns-record-delete-fail-notdeleted |
+| dhcp-expired | unix-dhcpd-csv-dhcp-traffic-expired |
+| dhcp-release | unix-dhcpd-csv-dhcp-traffic-release |
+| dhcpd-balance-pool | unix-dhcpd-str-app-notification-balancedpool |
+| dhcpd-balancing-pool | unix-dhcpd-str-app-notification-balancingpool |
+| dhcpd-detected-host | unix-unixdhcpd-str-endpoint-notification-parameter |
+| dhcpd-dhcpack | unix-dhcpd-str-dhcp-acknowledge-dhcpack |
+| dhcpd-dhcpack-logon | unix-unixdhcpd-str-dhcp-session-success-collector |
+| dhcpd-dhcpdiscover | unix-dhcpd-str-dhcp-discoverdhcpd |
+| dhcpd-dhcpinform | unix-dhcpd-str-dhcp-traffic-dhcpinform |
+| dhcpd-dhcpnak | unix-dhcpd-str-dhcp-traffic-dhcpnak |
+| dhcpd-dhcpoffer | unix-dhcpd-mix-dhcp-offer-dhcpoffer |
+| dhcpd-dhcprelease | unix-dhcpd-str-dhcp-traffic-dhcprelease |
+| dhcpd-grant | unix-unixdhcpd-kv-network-traffic-grant |
+| dhcpd-renew | unix-unixdhcpd-kv-dhcp-session-success-renew |
+| dhcpd-reuse | unix-dhcpd-str-app-notification-reuselease |
+| digipass-app-login | onespan-dp-csv-app-login-success-userauthsuccess |
+| digipass-authentication-attempt | onespan-dp-csv-app-notification-sourcelocation |
+| digipass-nac-failed-logon | onespan-dp-kv-endpoint-login-fail-backendauth |
+| digipass-nac-logon | onespan-dp-kv-endpoint-login-success-endauthsuccess |
+| digipass-nac-logon-1 | onespan-dp-csv-endpoint-authentication-challengeissued |
+| digipass-nac-logon-2 | onespan-dp-kv-endpoint-authentication-success-sourcelocation |
+| digital-guardian-app-activity | dg-ep-json-peripheral_storage-remove-deviceremoved |
+| digital-guardian-app-data-exe | dg-ep-kv-app-activity-success-21 |
+| digital-guardian-attach-mail | dg-ep-kv-file-upload-success-operation36 |
+| digital-guardian-file-copy | dg-ep-kv-file-write-success-operation11 |
+| digital-guardian-file-move | dg-ep-kv-file-write-success-operation12 |
+| digital-guardian-file-operations | dg-ep-json-file-success-time |
+| digital-guardian-file-recycle | dg-ep-kv-file-delete-success-operation17 |
+| digital-guardian-file-save-as | dg-ep-kv-file-write-success-operation7 |
+| digital-guardian-print | dg-ep-kv-printer-activity-success-operation22 |
+| digital-guardian-send-mail | dg-ndlp-kv-email-send-success-28 |
+| digital-guardian-send-mail-1 | dg-ndlp-json-email-send-success-sendmail |
+| digital-web-activity | digitalarts-ifb-csv-http-session-proxy |
+| digitalguardian-process-created | dg-ep-kv-process-create-success-applicationfullname |
+| dns-network-connection-1 | unix-unixnamed-str-network-notification-success-rcoderesolving |
+| dns-network-connection-2 | unix-unixnamed-str-network-notification-rfc1918 |
+| dns-network-connection-3 | unix-unixnamed-str-app-notification-lameserverresolving |
+| dns-network-connection-timed-out | unix-unixnamed-str-app-notification-resolving |
+| dns-network-connection-unreachable | unix-unixnamed-str-app-notification-networkunreachable |
+| dns-system-event-1 | unix-unixnamed-str-app-activity-updatesecurity |
+| dns-system-event-2 | unix-unixnamed-str-app-activity-general |
+| dns-system-event-3 | unix-unixnamed-str-app-notification-success-cname |
+| dns-system-event-4 | unix-unixnamed-str-app-notification-success-notify |
+| dns-system-event-5 | unix-unixnamed-str-app-activity-success-lameservers |
+| dummy-new-auth0-parser | auth0-a-json-endpoint-login-fail-invalidrequest-1 |
+| dummy-new-auth0-parser-1 | auth0-a-json-app-login-fail-apilimit |
+| dummy-new-auth0-parser-10 | auth0-a-json-endpoint-login-success-exchange |
+| dummy-new-auth0-parser-11 | auth0-a-json-endpoint-login-success-verification |
+| dummy-new-auth0-parser-2 | auth0-a-json-app-logout-fail-flo |
+| dummy-new-auth0-parser-3 | auth0-a-json-app-authentication-success-startauth |
+| dummy-new-auth0-parser-4 | auth0-a-json-app-login-fail-limitwc |
+| dummy-new-auth0-parser-5 | auth0-a-json-app-login-success-ss |
+| dummy-new-auth0-parser-6 | auth0-a-json-app-authentication-fail-warning |
+| dummy-new-auth0-parser-7 | auth0-a-json-app-login-success-changeemail |
+| dummy-new-auth0-parser-8 | auth0-a-json-user-password-modify-success-changepassword |
+| dummy-new-auth0-parser-9 | auth0-a-json-user-delete-success-userdeletion |
+| dummy-new-event-6 | cisco-securenwanalytics-json-network-session-success-serviceid |
+| dummy-new-juniper-parser | juniper-ps-str-certificate-request-success-crlcheckingstarted |
+| dummy-new-juniper-parser-1 | juniper-ps-str-certificate-validate-success-passedcrlchecking |
+| dummy-new-juniper-parser-2 | juniper-ps-str-network-notification-success-transportmodeswitched |
+| dummy-new-juniper-parser-3 | juniper-ps-str-vpn-session-success-keyexchange-1 |
+| dummy-new-juniper-parser-4 | juniper-ps-str-vpn-logout-success-sessiontimedout |
+| dummy-new-juniper-parser-5 | juniper-ps-str-vpn-login-fail-loginfailed-1 |
+| dummy-new-juniper-parser-6 | pfsense-p-csv-network-traffic-fail-block-1 |
+| dummy-new-netowrk-parser | claroty-ctd-cef-alert-trigger-success-network-hostscan |
+| dummy-new-netowrk-parser-1 | claroty-ctd-cef-alert-trigger-success-security-knownthreat |
+| dummy-new-netowrk-parser-2 | claroty-ctd-cef-alert-trigger-success-network-policyvoilation |
+| dummy-new-netowrk-parser-3 | claroty-ctd-cef-alert-trigger-success-security-portscan |
+| dummy-new-netowrk-parser-4 | claroty-ctd-cef-endpoint-login-fail |
+| dummy-new-netowrk-parser-5 | claroty-ctd-cef-app-notification-informationchange |
+| dummy-new-netowrk-parser-6 | claroty-ctd-cef-app-notification-baselinedeviation |
+| dummy-new-netowrk-parser-7 | claroty-ctd-cef-alert-trigger-success-network-entityconfict |
+| dummy-new-netowrk-parser-8 | claroty-ctd-cef-app-notification-evetprotocol |
+| dummy-new-parser | exabeam-cr-kv-rule-trigger-success-correlationrule |
+| dummy-new-parser-1 | exabeam-cr-kv-alert-trigger-success-correlationrule |
+| dummy-new-parser-10 | amazon-awsvpc-str-network-notification-success-skipdata |
+| dummy-new-parser-100 | microsoft-iis-str-http-session-postoab |
+| dummy-new-parser-101 | microsoft-iis-str-http-session-postowa |
+| dummy-new-parser-102 | microsoft-iis-str-http-session-postrpc |
+| dummy-new-parser-103 | microsoft-iis-str-http-session-deleteapi |
+| dummy-new-parser-104 | microsoft-iis-str-http-session-deleteautodiscover |
+| dummy-new-parser-105 | microsoft-iis-str-http-session-deleteecp |
+| dummy-new-parser-106 | microsoft-iis-str-http-session-deleteews |
+| dummy-new-parser-107 | microsoft-iis-str-http-session-deleteews-1 |
+| dummy-new-parser-108 | microsoft-iis-str-http-session-deletemapi |
+| dummy-new-parser-109 | microsoft-iis-str-http-session-deletemicrosoftserver |
+| dummy-new-parser-11 | amazon-awsvpc-str-network-traffic-fail-reject |
+| dummy-new-parser-110 | microsoft-iis-str-http-session-deleteoab |
+| dummy-new-parser-111 | microsoft-iis-str-http-session-deleteowa |
+| dummy-new-parser-112 | microsoft-iis-str-http-session-deleterpc |
+| dummy-new-parser-113 | microsoft-iis-str-http-session-patchapi |
+| dummy-new-parser-114 | microsoft-iis-str-http-session-patchautodiscover |
+| dummy-new-parser-115 | microsoft-iis-str-http-session-patchecp |
+| dummy-new-parser-116 | microsoft-iis-str-http-session-patchews |
+| dummy-new-parser-117 | microsoft-iis-str-http-session-patchews-1 |
+| dummy-new-parser-118 | microsoft-iis-str-http-session-patchmapi |
+| dummy-new-parser-119 | microsoft-iis-str-http-session-patchmicrosoftserver |
+| dummy-new-parser-12 | amazon-awsvpc-str-network-notification-success-nodata |
+| dummy-new-parser-120 | microsoft-iis-str-http-session-patchoab |
+| dummy-new-parser-121 | microsoft-iis-str-http-session-patchowa |
+| dummy-new-parser-123 | microsoft-iis-str-http-session-patchrpc |
+| dummy-new-parser-124 | microsoft-iis-str-http-session-optionsautodiscover-1 |
+| dummy-new-parser-125 | microsoft-iis-str-http-session-getautodiscover-1 |
+| dummy-new-parser-126 | microsoft-iis-str-http-session-headautodiscover-1 |
+| dummy-new-parser-127 | microsoft-iis-str-http-session-putautodiscover-1 |
+| dummy-new-parser-128 | microsoft-iis-str-http-session-postautodiscover-1 |
+| dummy-new-parser-129 | microsoft-iis-str-http-session-deleteautodiscover-1 |
+| dummy-new-parser-13 | amazon-awsvpc-str-network-traffic-success-accept |
+| dummy-new-parser-130 | microsoft-iis-str-http-session-patchautodiscover-1 |
+| dummy-new-parser-131 | symantec-endpointprotection-json-alert-trigger-success-tamperprotection |
+| dummy-new-parser-132 | symantec-endpointprotection-json-peripheral_storage-insert-fail-blockautoruninf |
+| dummy-new-parser-133 | symantec-endpointprotection-json-file-write-success-filewrite |
+| dummy-new-parser-134 | symantec-endpointprotection-json-file-read-success-fileread |
+| dummy-new-parser-135 | symantec-endpointprotection-json-alert-trigger-success-malwareprotection |
+| dummy-new-parser-136 | symantec-endpointprotection-json-alert-trigger-success-firewallnetworkdetection |
+| dummy-new-parser-137 | symantec-endpointprotection-json-alert-trigger-success-networkips |
+| dummy-new-parser-138 | symantec-endpointprotection-json-alert-trigger-success-behavioralanalysis |
+| dummy-new-parser-139 | microsoft-evdhcpserver-csv-app-notification-success-deleted |
+| dummy-new-parser-14 | "microsoft-evsystem-xml-alert-trigger-5827 |
+| dummy-new-parser-140 | zscaler-ia-csv-endpoint-login-success-signin |
+| dummy-new-parser-141 | crowdstrike-falcon-json-endpoint-logout-success-userlogoff |
+| dummy-new-parser-142 | crowdstrike-falcon-json-service-stop-success-hostedservicestopped |
+| dummy-new-parser-143 | crowdstrike-falcon-json-alert-trigger-success-processblock |
+| dummy-new-parser-144 | microsoft-azureadip-sk4-alert-trigger-success-anomaloustoken |
+| dummy-new-parser-145 | microsoft-azureadip-sk4-alert-trigger-success-passwordspray |
+| dummy-new-parser-146 | microsoft-o365-sk4-alert-trigger-success-compliancemanager |
+| dummy-new-parser-147 | microsoft-azureadip-sk4-alert-trigger-success-maliciousip |
+| dummy-new-parser-15 | "microsoft-evsystem-xml-alert-trigger-5830 |
+| dummy-new-parser-150 | microsoft-evsecurity-xml-user-privilege-modify-success-4705 |
+| dummy-new-parser-151 | microsoft-evsecurity-xml-user-privilege-assign-success-4704 |
+| dummy-new-parser-152 | microsoft-evsecurity-xml-app-notification-success-5056 |
+| dummy-new-parser-154 | microsoft-evsecurity-xml-ds-replication-start-4932-1 |
+| dummy-new-parser-155 | microsoft-evsecurity-xml-ds-replication-stop-4933-1 |
+| dummy-new-parser-156 | microsoft-evsecurity-xml-group-member-add-4761-1 |
+| dummy-new-parser-157 | microsoft-evsecurity-xml-member-remove-success-4762-1 |
+| dummy-new-parser-158 | microsoft-evsecurity-xml-group-modify-success-4737 |
+| dummy-new-parser-159 | microsoft-evsecurity-xml-endpoint-create-4741 |
+| dummy-new-parser-16 | claroty-c-cef-network-notification-success-commevent |
+| dummy-new-parser-160 | microsoft-evsecurity-xml-user-permission-modify-4718 |
+| dummy-new-parser-161 | microsoft-evsecurity-xml-group-create-success-4727-1 |
+| dummy-new-parser-162 | microsoft-evsecurity-xml-user-modify-4717 |
+| dummy-new-parser-169 | microsoft-evsecurity-xml-password-read-5379-1 |
+| dummy-new-parser-17 | claroty-c-cef-alert-trigger-success-alertaffecteddevice |
+| dummy-new-parser-170 | microsoft-evsecurity-xml-ds-replication-modify-4931 |
+| dummy-new-parser-171 | microsoft-evsecurity-xml-audit-policy-modify-4907-1 |
+| dummy-new-parser-172 | microsoft-evsecurity-xml-group-modify-success-4760-2 |
+| dummy-new-parser-173 | microsoft-evsecurity-xml-audit-policy-modify-4904-3 |
+| dummy-new-parser-174 | microsoft-evsecurity-xml-audit-policy-modify-4905-2 |
+| dummy-new-parser-175 | microsoft-evsecurity-xml-group-modify-success-4755-1 |
+| dummy-new-parser-177 | microsoft-evsecurity-xml-app-notification-4675-1 |
+| dummy-new-parser-178 | microsoft-evsecurity-xml-policy-apply-6144-1 |
+| dummy-new-parser-179 | microsoft-evsecurity-xml-endpoint-notification-4985-1 |
+| dummy-new-parser-18 | exabeam-search-kv-alert-trigger-success-rulename |
+| dummy-new-parser-180 | microsoft-evsecurity-xml-user-delete-success-4743-1 |
+| dummy-new-parser-181 | microsoft-evsecurity-xml-endpoint-logout-4647-1 |
+| dummy-new-parser-182 | microsoft-evsecurity-xml-endpoint-notification-4793-1 |
+| dummy-new-parser-183 | microsoft-evsecurity-xml-policy-modify-4946-1 |
+| dummy-new-parser-184 | microsoft-evsecurity-xml-group-create-success-4759-1 |
+| dummy-new-parser-185 | microsoft-evsecurity-xml-service-create-success-5478-1 |
+| dummy-new-parser-186 | microsoft-evsecurity-xml-endpoint-notification-5033-1 |
+| dummy-new-parser-187 | microsoft-evsecurity-xml-endpoint-notification-5024-1 |
+| dummy-new-parser-188 | microsoft-evsecurity-xml-endpoint-notification-4902-1 |
+| dummy-new-parser-189 | microsoft-evsecurity-xml-configuration-load-4826-1 |
+| dummy-new-parser-19 | auth0-a-json-app-login-success-seccft |
+| dummy-new-parser-190 | microsoft-evsecurity-xml-endpoint-time-modify-4616-1 |
+| dummy-new-parser-191 | microsoft-evsecurity-xml-endpoint-start-4608-1 |
+| dummy-new-parser-2 | exabeam-aa-kv-alert-trigger-success-anomaly |
+| dummy-new-parser-20 | auth0-a-json-app-logout-success-slo |
+| dummy-new-parser-201 | secureauth-idp-kv-app-authentication-fail-23812 |
+| dummy-new-parser-202 | secureauth-idp-kv-app-authentication-fail-24240 |
+| dummy-new-parser-203 | secureauth-idp-kv-app-authentication-fail-40603 |
+| dummy-new-parser-204 | secureauth-idp-kv-app-authentication-fail-41502 |
+| dummy-new-parser-205 | secureauth-idp-kv-app-authentication-fail-41503 |
+| dummy-new-parser-206 | secureauth-idp-kv-app-authentication-fail-41505 |
+| dummy-new-parser-207 | secureauth-idp-kv-app-authentication-fail-41601 |
+| dummy-new-parser-208 | secureauth-idp-kv-app-authentication-fail-41603 |
+| dummy-new-parser-209 | secureauth-idp-kv-certificate-validate-success-23810 |
+| dummy-new-parser-21 | auth0-a-json-app-login-success-ssa |
+| dummy-new-parser-210 | secureauth-login-kv-endpoint-login-20990-1 |
+| dummy-new-parser-211 | secureauth-login-kv-app-login-90010-1 |
+| dummy-new-parser-212 | secureauth-login-kv-app-authentication-fail-41501-1 |
+| dummy-new-parser-213 | secureauth-login-leef-app-logout-90050 |
+| dummy-new-parser-214 | microsoft-evsecurity-xml-endpoint-notification-success-5441 |
+| dummy-new-parser-215 | microsoft-evsecurity-xml-endpoint-notification-success-5446 |
+| dummy-new-parser-216 | microsoft-evsecurity-xml-endpoint-notification-success-5440 |
+| dummy-new-parser-217 | microsoft-evsecurity-xml-endpoint-notification-success-5444 |
+| dummy-new-parser-218 | microsoft-evsecurity-xml-endpoint-notification-success-4953 |
+| dummy-new-parser-219 | microsoft-evsecurity-xml-endpoint-notification-success-5442 |
+| dummy-new-parser-22 | auth0-a-json-app-login-success-seacft |
+| dummy-new-parser-220 | microsoft-evsecurity-xml-audit-policy-modify-success-5448 |
+| dummy-new-parser-221 | microsoft-evsecurity-xml-audit-policy-modify-success-5450 |
+| dummy-new-parser-222 | microsoft-evsecurity-xml-endpoint-notification-success-4956 |
+| dummy-new-parser-223 | microsoft-evsecurity-xml-endpoint-notification-success-4944 |
+| dummy-new-parser-224 | microsoft-evsecurity-xml-audit-policy-modify-success-4714 |
+| dummy-new-parser-225 | microsoft-evsecurity-xml-endpoint-notification-success-1108 |
+| dummy-new-parser-226 | microsoft-evsecurity-xml-endpoint-notification-success-4945 |
+| dummy-new-parser-227 | microsoft-evsecurity-xml-audit-policy-modify-success-5449 |
+| dummy-new-parser-228 | crowdstrike-falcon-sk4-app-activity-fdritemsexplorer |
+| dummy-new-parser-229 | secureauth-idp-kv-app-authentication-success-41590 |
+| dummy-new-parser-23 | hp-arubamm-cef-endpoint-authentication-success-authenticated |
+| dummy-new-parser-230 | secureauth-idp-kv-app-authentication-success-41890 |
+| dummy-new-parser-231 | secureauth-idp-kv-app-login-success-31020 |
+| dummy-new-parser-232 | secureauth-idp-kv-app-authentication-success-40601 |
+| dummy-new-parser-233 | sophos-ep-json-alert-trigger-success-datalosspreventionuserblocked |
+| dummy-new-parser-234 | sophos-ep-json-alert-trigger-success-datalosspreventionuserallowed |
+| dummy-new-parser-235 | sophos-ep-json-alert-trigger-success-datalosspreventionuserallowed |
+| dummy-new-parser-236 | secureauth-idp-kv-user-password-modify-fail-41070 |
+| dummy-new-parser-237 | secureauth-idp-kv-user-password-modify-success-41080 |
+| dummy-new-parser-238 | secureauth-idp-kv-user-search-success-51000 |
+| dummy-new-parser-239 | secureauth-idp-kv-user-search-success-51010 |
+| dummy-new-parser-24 | hp-arubamm-cef-user-create-success-useradded |
+| dummy-new-parser-240 | secureauth-idp-kv-user-modify-success-41140 |
+| dummy-new-parser-241 | secureauth-idp-kv-user-password-expire-success-21061 |
+| dummy-new-parser-242 | secureauth-idp-kv-endpoint-authentication-fail-51101 |
+| dummy-new-parser-243 | secureauth-idp-kv-endpoint-authentication-fail-51140 |
+| dummy-new-parser-244 | secureauth-idp-kv-endpoint-authentication-fail-51160 |
+| dummy-new-parser-245 | secureauth-idp-kv-endpoint-authentication-fail-70050 |
+| dummy-new-parser-246 | secureauth-idp-kv-user-password-modify-fail-51202 |
+| dummy-new-parser-247 | secureauth-idp-kv-user-password-reset-fail-passwordreset |
+| dummy-new-parser-248 | secureauth-idp-kv-alert-trigger-success-92100 |
+| dummy-new-parser-249 | secureauth-idp-kv-endpoint-authentication-success-51100 |
+| dummy-new-parser-25 | hp-arubamm-cef-network-notification-success-systemevent |
+| dummy-new-parser-250 | secureauth-idp-kv-endpoint-authentication-success-51110 |
+| dummy-new-parser-251 | secureauth-idp-kv-endpoint-notification-success |
+| dummy-new-parser-252 | banyansecurity-bnn-json-endpoint-authentication-success-connectionauthorized |
+| dummy-new-parser-253 | banyansecurity-bnn-json-endpoint-authentication-fail-connectionunauthorized |
+| dummy-new-parser-254 | banyansecurity-bnn-json-app-authentication-success-accessauthorized |
+| dummy-new-parser-255 | banyansecurity-bnn-json-app-authentication-fail-accessunauthorized |
+| dummy-new-parser-256 | banyansecurity-bnn-json-app-authentication-success-identitygrant |
+| dummy-new-parser-257 | banyansecurity-bnn-json-app-authentication-fail-identitydeny |
+| dummy-new-parser-258 | banyansecurity-bnn-json-app-login-success-adminlogin |
+| dummy-new-parser-259 | banyansecurity-bnn-json-app-notification-success-identity |
+| dummy-new-parser-26 | hp-arubamm-cef-endpoint-authentication-success-systemevent |
+| dummy-new-parser-260 | banyansecurity-bnn-json-app-notification-success-trustscoring |
+| dummy-new-parser-261 | banyansecurity-bnn-json-app-notification-success-registration |
+| dummy-new-parser-27 | hp-arubamm-cef-endpoint-authentication-fail-deauthenticated |
+| dummy-new-parser-28 | microsoft-evadfs-kv-app-authentication-success-1200 |
+| dummy-new-parser-29 | microsoft-evadfs-kv-app-authentication-success-1202 |
+| dummy-new-parser-3 | cisco-sca-json-network-session-success-sessionsuccess |
+| dummy-new-parser-30 | microsoft-evadfs-kv-endpoint-login-fail-1203 |
+| dummy-new-parser-31 | microsoft-evadfs-kv-endpoint-login-fail-1201 |
+| dummy-new-parser-32 | microsoft-evadfs-kv-user-password-modify-success-1204 |
+| dummy-new-parser-33 | microsoft-evadfs-kv-user-password-modify-fail-1205 |
+| dummy-new-parser-339 | symantec-edr-json-app-notification-success-1000 |
+| dummy-new-parser-34 | microsoft-evadfs-kv-log-clear-success-1102 |
+| dummy-new-parser-340 | symantec-edr-json-app-alert-success-8061 |
+| dummy-new-parser-342 | symantec-edr-json-app-notification-success-3 |
+| dummy-new-parser-343 | symantec-edr-json-app-notification-success-21 |
+| dummy-new-parser-344 | symantec-edr-json-app-notification-success-2 |
+| dummy-new-parser-345 | symantec-edr-json-app-notification-success-11 |
+| dummy-new-parser-346 | symantec-edr-json-app-notification-success-4 |
+| dummy-new-parser-347 | symantec-edr-json-process-create-success-8001 |
+| dummy-new-parser-348 | symantec-edr-json-network-traffic-success-8007 |
+| dummy-new-parser-349 | symantec-edr-json-file-write-success-8003 |
+| dummy-new-parser-35 | microsoft-evsystem-kv-dcom-activate-fail-10016-1 |
+| dummy-new-parser-350 | osquery-o-json-app-activity-success-added |
+| dummy-new-parser-351 | osquery-o-json-app-activity-success-removed |
+| dummy-new-parser-352 | osquery-o-json-app-activity-success-snapshot |
+| dummy-new-parser-353 | symantec-edr-json-alert-trigger-success-8018 |
+| dummy-new-parser-354 | symantec-edr-json-app-success-8000 |
+| dummy-new-parser-355 | symantec-edr-json-registry-write-success-8006 |
+| dummy-new-parser-36 | microsoft-evsecurity-kv-endpoint-time-modify-4616 |
+| dummy-new-parser-37 | microsoft-evsecurity-kv-endpoint-notification-success-4902 |
+| dummy-new-parser-38 | microsoft-evdhcpserver-csv-dhcp-traffic-success-release |
+| dummy-new-parser-39 | microsoft-evdhcpserver-csv-dns-record-delete-fail-notdeleted |
+| dummy-new-parser-4 | cisco-ac-json-network-session-success-pph |
+| dummy-new-parser-40 | claroty-c-cef-alert-trigger-success-vulnerabilityaffecteddevice |
+| dummy-new-parser-42 | juniper-ps-str-vpn-login-success-startedaovpn |
+| dummy-new-parser-43 | "exabeam-aa-kv-rule-trigger-success-anomaly |
+| dummy-new-parser-44 | juniper-ps-str-vpn-login-success-startedaovpn |
+| dummy-new-parser-45 | oracle-pc-json-app-activity-success-appaccess |
+| dummy-new-parser-46 | oracle-pc-json-app-login-success-sessioncreatesuccess |
+| dummy-new-parser-47 | oracle-pc-json-app-activity-success-authfactorinitiated |
+| dummy-new-parser-48 | oracle-pc-json-configuration-modify-success-sessionmodifysuccess |
+| dummy-new-parser-49 | oracle-pc-json-app-logout-success-sessiondeletesuccess |
+| dummy-new-parser-5 | cisco-securenwanalytics-json-network-session-success-flow_id |
+| dummy-new-parser-50 | oracle-pc-json-app-login-fail-authenticationfailure |
+| dummy-new-parser-51 | oracle-pc-json-configuration-mfa-enable-success-mfafactorenrolled |
+| dummy-new-parser-52 | oracle-pc-json-configuration-modify-fail-sessionmodifyfailure |
+| dummy-new-parser-53 | microsoft-iis-str-http-session-optionsapi |
+| dummy-new-parser-54 | microsoft-iis-str-http-session-optionsautodiscover |
+| dummy-new-parser-55 | microsoft-iis-str-http-session-optionsecp |
+| dummy-new-parser-56 | microsoft-iis-str-http-session-optionsews |
+| dummy-new-parser-57 | microsoft-iis-str-http-session-optionsews-1 |
+| dummy-new-parser-58 | microsoft-iis-str-http-session-optionsmapi |
+| dummy-new-parser-59 | microsoft-iis-str-http-session-optionsmicrosoftserver |
+| dummy-new-parser-6 | cisco-fp-json-alert-trigger-success-malware |
+| dummy-new-parser-60 | microsoft-iis-str-http-session-optionsoab |
+| dummy-new-parser-61 | microsoft-iis-str-http-session-optionsowa |
+| dummy-new-parser-62 | microsoft-iis-str-http-session-optionsrpc |
+| dummy-new-parser-63 | microsoft-iis-str-http-session-getapi |
+| dummy-new-parser-64 | microsoft-iis-str-http-session-getautodiscover |
+| dummy-new-parser-65 | microsoft-iis-str-http-session-getecp |
+| dummy-new-parser-66 | microsoft-iis-str-http-session-getews |
+| dummy-new-parser-67 | microsoft-iis-str-http-session-getews-1 |
+| dummy-new-parser-68 | microsoft-iis-str-http-session-getmapi |
+| dummy-new-parser-69 | microsoft-iis-str-http-session-getmicrosoftserver |
+| dummy-new-parser-7 | exabeam-audit-json-alert-case-success |
+| dummy-new-parser-70 | microsoft-iis-str-http-session-getoab |
+| dummy-new-parser-71 | microsoft-iis-str-http-session-getowa |
+| dummy-new-parser-72 | microsoft-iis-str-http-session-getrpc |
+| dummy-new-parser-73 | microsoft-iis-str-http-session-headapi |
+| dummy-new-parser-74 | microsoft-iis-str-http-session-headautodiscover |
+| dummy-new-parser-75 | microsoft-iis-str-http-session-headecp |
+| dummy-new-parser-76 | microsoft-iis-str-http-session-headews |
+| dummy-new-parser-77 | microsoft-iis-str-http-session-headews-1 |
+| dummy-new-parser-78 | microsoft-iis-str-http-session-headmapi |
+| dummy-new-parser-79 | microsoft-iis-str-http-session-headmicrosoftserver |
+| dummy-new-parser-8 | cisco-fp-json-network-session-connection-fw |
+| dummy-new-parser-80 | microsoft-iis-str-http-session-headoab |
+| dummy-new-parser-81 | microsoft-iis-str-http-session-headowa |
+| dummy-new-parser-82 | microsoft-iis-str-http-session-headrpc |
+| dummy-new-parser-83 | microsoft-iis-str-http-session-putapi |
+| dummy-new-parser-84 | microsoft-iis-str-http-session-putautodiscover |
+| dummy-new-parser-85 | microsoft-iis-str-http-session-putecp |
+| dummy-new-parser-86 | microsoft-iis-str-http-session-putews |
+| dummy-new-parser-87 | microsoft-iis-str-http-session-putews-1 |
+| dummy-new-parser-88 | microsoft-iis-str-http-session-putmapi |
+| dummy-new-parser-89 | microsoft-iis-str-http-session-putmicrosoftserver |
+| dummy-new-parser-9 | cisco-fp-json-alert-trigger-success-intrusion |
+| dummy-new-parser-90 | microsoft-iis-str-http-session-putoab |
+| dummy-new-parser-91 | microsoft-iis-str-http-session-putowa |
+| dummy-new-parser-92 | microsoft-iis-str-http-session-putrpc |
+| dummy-new-parser-93 | microsoft-iis-str-http-session-postapi |
+| dummy-new-parser-94 | microsoft-iis-str-http-session-postautodiscover |
+| dummy-new-parser-95 | microsoft-iis-str-http-session-postecp |
+| dummy-new-parser-96 | microsoft-iis-str-http-session-postews |
+| dummy-new-parser-97 | microsoft-iis-str-http-session-postews-1 |
+| dummy-new-parser-98 | microsoft-iis-str-http-session-postmapi |
+| dummy-new-parser-99 | microsoft-iis-str-http-session-postmicrosoftserver |
+| duo-app-activity | cisco-duo-json-app-activity-success-user |
+| duo-app-activity-1 | cisco-duo-sk4-app-activity-success-app-userupdate |
+| duo-app-activity-10 | cisco-duo-json-app-activity-success-admindelete |
+| duo-app-activity-11 | cisco-duo-str-app-activity-success-passwordset |
+| duo-app-activity-12 | cisco-duo-str-app-activity-success-activationsendemail |
+| duo-app-activity-13 | cisco-duo-str-app-activity-success-activationcomplete |
+| duo-app-activity-14 | cisco-duo-json-user-create-success-usercreate |
+| duo-app-activity-15 | cisco-duo-json-app-activity-success-updateuser |
+| duo-app-activity-2 | cisco-duo-sk4-app-activity-success-useradded |
+| duo-app-activity-3 | cisco-duo-sk4-app-activity-success-useradminupdate |
+| duo-app-activity-4 | cisco-duo-sk4-app-activity-success-admincreate |
+| duo-app-activity-6 | cisco-duo-json-app-activity-success-adminactivate |
+| duo-app-activity-7 | cisco-duo-json-app-activity-success-adminselfactivate |
+| duo-app-activity-8 | cisco-duo-json-app-activity-success-adminupdate-1 |
+| duo-app-activity-9 | cisco-duo-sk4-app-activity-success-admincreate-1 |
+| duo-app-login | cisco-duo-csv-app-login-success-successful |
+| duo-app-login-1 | cisco-duo-json-app-login-success-adminlogin-1 |
+| duo-auth-set-ip | cisco-duo-str-app-authentication-success-ipaddress |
+| duo-auth-successful | cisco-duo-str-app-authentication-success-loginfor |
+| duo-failed-app-login | cisco-duo-csv-app-login-fail-failure |
+| dxc-network-info | dxc-dxctech-str-app-notification-dxcnetwork |
\ No newline at end of file
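Review bot: the rows whose Old Parser Name is `dummy-new-parser-NN` (from `| dummy-new-parser-60 | microsoft-iis-str-http-session-optionsoab |` through `| dummy-new-parser-99 | ... |`) look like placeholders that were never replaced with a real legacy name; an old-to-new mapping table should either carry the actual legacy parser id or omit parsers that have no predecessor, so please resolve these before merge. The table is also sorted lexically rather than numerically (`dummy-new-parser-7` sits between `-69` and `-70`, `duo-app-activity-10` before `-2`), which makes it hard to scan, and `duo-app-activity-5` is missing from an otherwise contiguous `duo-app-activity-*` sequence, so confirm it was dropped on purpose. The file also ends without a trailing newline.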
diff --git a/ParsersLegacy/e_parsers.md b/ParsersLegacy/e_parsers.md
new file mode 100644
index 0000000..ad8d0f2
--- /dev/null
+++ b/ParsersLegacy/e_parsers.md
@@ -0,0 +1,188 @@
+| Old Parser Name | New Parser Name |
+| ------------------------------------- | --------------------------------------------------------------------- |
+| edocs-app-activity | opentext-edocs-kv-app-activity-success-permitted |
+| egnyte-app-login | egnyte-e-cef-app-login-success-eventlogin |
+| egnyte-failed-app-login | egnyte-egnyte-sk4-app-login-fail-username |
+| egnyte-file-operations | egnyte-e-cef-file-success-fileactivity |
+| elk-cisco-wsa-web-activity | cisco-securewebapp-str-http-session-accesslog-1 |
+| emc-syslog-4624 | microsoft-evsecurity-kv-endpoint-success-4624-2 |
+| emc-syslog-4625 | microsoft-evsecurity-kv-endpoint-login-fail-4625-1 |
+| emc-syslog-4648 | microsoft-evsecurity-kv-endpoint-login-success-4648-1 |
+| emc-syslog-4672 | microsoft-evsecurity-kv-user-privilege-assign-success-4672-2 |
+| emc-syslog-4673 | microsoft-evsecurity-kv-user-privilege-use-success-4673-1 |
+| emc-syslog-4674 | microsoft-evsecurity-kv-user-privilege-use-success-4674 |
+| emc-syslog-4688 | microsoft-evsecurity-kv-process-create-success-processcreated |
+| emc-syslog-4723 | microsoft-evsecurity-kv-user-password-modify-4723-2 |
+| emc-syslog-4740 | microsoft-evsecurity-kv-user-delete-fail-locked |
+| emc-syslog-4768 | microsoft-evsecurity-kv-endpoint-4768-1 |
+| emc-syslog-4769 | microsoft-evsecurity-kv-endpoint-authentication-sucess-4769-1 |
+| emc-syslog-4776 | microsoft-evsecurity-kv-endpoint-login-success-4776-1 |
+| emc-syslog-member-added-2008 | microsoft-evsecurity-kv-group-member-add-success-47 |
+| emp-app-activity | emp-e-str-app-icall |
+| endgame-edr-security-alert | endgame-edr-json-alert-trigger-success-investigationid |
+| ensilo-security-alert | fortinet-fortiedr-kv-alert-trigger-success-ensilo |
+| entrust-identityguard-account-lockout | entrust-ie-str-user-delete-fail-islocked |
+| entrust-identityguard-auth-attempt-2 | entrust-ie-kv-app-authentication-success-challengerequest |
+| entrust-identityguard-auth-attempt-3 | entrust-ie-str-app-authentication-success-pendingtoken |
+| entrust-identityguard-auth-failed-2 | entrust-ie-kv-endpoint-login-fail-authfail |
+| entrust-identityguard-auth-failed-3 | entrust-ie-kv-endpoint-login-fail-authfailforuser |
+| entrust-identityguard-auth-successful | entrust-ie-kv-endpoint-login-success-sucesssauth |
+| entrust-identityguard-failed-login | entrust-ie-str-app-authentication-fail-failedauthentication |
+| entrust-identityguard-login-2 | entrust-ie-str-app-authentication-success-validated |
+| entrust-identityguard-login-3 | entrust-ie-str-app-authentication-success-apiauthtype |
+| entrust-identityguard-login-4 | entrust-ie-str-app-authentication-success-apiauthenticate |
+| entrust-identityguard-login-5 | entrust-ie-str-app-authentication-success-igradiusapiauthenticate |
+| entrust-identityguard-system-events | entrust-ie-str-app-activity-success-igsystem |
+| entrust-identityguard-system-info | entrust-ie-str-space-delimited-app-authentication-fail-foruser |
+| esector-app-login | esector-defesalogger-json-app-login-success-applogin |
+| esector-app-logout | esector-defesalogger-json-app-logout-success-applogout |
+| esector-file-delete | esector-defesalogger-json-file-delete-success-user |
+| esector-file-read | esector-defesalogger-json-file-read-success-user |
+| esector-file-write | esector-defesalogger-json-file-write-success-user |
+| esector-file-write-1 | esector-defesalogger-json-file-write-success-user-1 |
+| esector-file-write-2 | esector-defesalogger-json-file-write-success-user-2 |
+| esector-system-event | esector-defesalogger-json-app-activity-appactivity |
+| eset-alert | eset-es-cef-alert-trigger-success-eventtype |
+| eset-domain-user-failed-login | eset-es-leef-endpoint-authentication-fail-userlogin |
+| eset-domain-user-login | eset-es-leef-endpoint-authentication-success-userlogin |
+| eset-domain-user-logout | eset-es-leef-app-logout-success-domainuserlogout |
+| eset-scan-activity | symantec-endpointprotection-csv-app-activity-success-user1 |
+| eset-system-alert | eset-es-str-app-notification-lognotificationoccurred |
+| eset-system-info | eset-es-kv-app-notification-occurred |
+| estreamer-dns-query | cisco-fp-kv-dns-request-success-estreamer |
+| esxi-remote-logon-failed | vmware-esxi-str-app-login-fail-invalidcredentials |
+| esxi-system-event-1 | vmware-esxi-str-app-activity-info |
+| esxi-system-event-10 | vmware-esxi-str-endpoint-activity-success-localcli |
+| esxi-system-event-11 | vmware-esxi-str-endpoint-activity-success-configstore |
+| esxi-system-event-12 | vmware-esxi-kv-app-notification-success-esxupdate |
+| esxi-system-event-13 | vmware-esxi-str-app-notification-success-root |
+| esxi-system-event-14 | vmware-esxi-str-endpoint-activity-success-crxcli |
+| esxi-system-event-15 | vmware-esxi-str-endpoint-activity-success-vmwipmi |
+| esxi-system-event-16 | vmware-esxi-str-app-notification-success-nicmgmtd |
+| esxi-system-event-17 | vmware-esxi-str-app-notification-success-sfcbd |
+| esxi-system-event-18 | vmware-esxi-str-endpoint-activity-success-providermanager |
+| esxi-system-event-19 | vmware-esxi-str-endpoint-activity-success-userworldcorrelator |
+| esxi-system-event-2 | vmware-esxi-str-endpoint-activity-vmkernel |
+| esxi-system-event-20 | vmware-esxi-str-app-login-success-vmauthd |
+| esxi-system-event-3 | vmware-esxi-str-app-activity-vsansystem |
+| esxi-system-event-4 | vmware-esxi-str-app-notification-failed |
+| esxi-system-event-5 | vmware-esxi-str-network-session-fail-iofiltervpd |
+| esxi-system-event-6 | vmware-esxi-str-app-notification-vmkwarning |
+| esxi-system-event-7 | vmware-esxi-str-app-notification-vsantraceurgent |
+| esxi-system-event-8 | vmware-esxi-str-app-activity-vsand |
+| esxi-system-event-9 | vmware-esxi-str-endpoint-delete-removedvm |
+| event-carbonblack-process-end | vmware-carbonblackappctrl-json-process-close-success-deviceexternalip |
+| eventtracker-4611 | microsoft-evsecurity-json-endpoint-notification-success-4611 |
+| evntslog-528 | microsoft-evsecurity-kv-endpoint-success-528 |
+| evntslog-672 | microsoft-evsecurity-str-endpoint-672 |
+| evntslog-673 | microsoft-evsecurity-kv-endpoint-authentication-success-673 |
+| evntslog-675 | microsoft-evsecurity-kv-endpoint-login-fail-675-1 |
+| evntslog-680 | microsoft-evsecurity-kv-endpoint-login-680-1 |
+| evntslog-member-added-2003 | microsoft-evsecurity-kv-group-member-add-success-securityenabled-1 |
+| exa-app-activity-1 | exabeam-search-json-app-activity-success-groupmodified |
+| exa-app-activity-2 | exabeam-search-json-app-activity-success-role |
+| exa-app-activity-3 | exabeam-search-json-app-activity-success-rule |
+| exa-app-activity-4 | exabeam-search-json-app-activity-success-search |
+| exa-app-activity-5 | exabeam-search-json-app-activity-success-permissionchange |
+| exa-app-activity-6 | exabeam-search-json-app-activity-success-restarting |
+| exa-app-activity-7 | exabeam-search-json-app-activity-success-addededited |
+| exa-app-activity-aa | exabeam-aa-json-app-activity-success-search |
+| exa-app-login | exabeam-search-json-app-login-success-activitylogin |
+| exa-app-login-aa | exabeam-aa-json-app-login-success-applogin |
+| exa-app-logout | exabeam-search-json-app-logout-loggedout |
+| exa-cor-rule-alerts | exabeam-search-kv-alert-trigger-success-rulealerts |
+| exa-dl-search-activity | exabeam-search-json-app-activity-success-searchquery |
+| exa-failed-app-login | exabeam-aa-json-app-login-fail-failedlogin |
+| exa-log-source-added | exabeam-search-json-app-activity-success-logsourceadded |
+| exa-syslog-nac-logon-1 | ruckus-r-str-endpoint-login-success-user |
+| exa-syslog-nac-logon-2 | ruckus-r-str-endpoint-login-success-rejoinswlan |
+| exa-syslog-nac-logon-3 | ruckus-r-str-endpoint-login-success-roamsfrom |
+| exa-syslog-nac-logon-4 | ruckus-r-str-endpoint-login-success-roamsout |
+| exa-syslog-network-connection-stop-1 | ruckus-r-str-network-close-success-disconnects |
+| exa-syslog-network-connection-stop-2 | ruckus-r-str-network-close-success-leave |
+| exa-syslog-network-info | ruckus-r-kv-app-activity-success-filecatchsync |
+| exa-system-info | exabeam-search-kv-app-notification-trigger |
+| exabeam-analytics-health-alert | exabeam-search-kv-app-notification-health |
+| exabeam-analytics-health-check | exabeam-search-json-app-notification-servicecheck |
+| exabeam-cm-rsyslog | exabeam-aa-json-app-notification-queue |
+| exabeam-session-info | exabeam-search-kv-alert-trigger-success-alertscount |
+| exabeam-syslog-notification | exabeam-aa-kv-alert-trigger-exaanalyticsmaster |
+| exabeam-system-health-alert-1 | exabeam-search-kv-app-notification-serverhealth |
+| exabeam-system-health-alert-2 | exabeam-search-json-app-notification-webcommon |
+| exalms-4625 | microsoft-evsecurity-json-endpoint-login-fail-4625-1 |
+| exalms-4662 | microsoft-evsecurity-json-ds-object-activity-success-4662-2 |
+| exalms-4663 | microsoft-evsecurity-json-file-success-timestamp |
+| exalms-4674 | microsoft-evsecurity-json-user-privilege-use-success-4674-1 |
+| exalms-4719 | microsoft-evsecurity-json-audit-policy-modify-success-4719-1 |
+| exalms-4742 | microsoft-evsecurity-json-ds-object-modify-success-4742 |
+| exalms-4776 | microsoft-evsecurity-json-endpoint-login-4776-1 |
+| exalms-540 | microsoft-evsecurity-json-endpoint-login-success-540 |
+| exalms-552 | microsoft-evsecurity-kv-endpoint-login-success-552-1 |
+| exalms-567 | microsoft-evsecurity-json-file-success-567-1 |
+| exalms-576 | microsoft-evsecurity-json-user-privilege-assign-success-576 |
+| exalms-680 | microsoft-evsecurity-json-endpoint-login-fail-680 |
+| exalms-sqlserver-failed-login | microsoft-mssql-json-app-login-fail-loginfailedforuser |
+| exalms-sqlserver-failed-login-1 | microsoft-mssql-json-app-login-fail-loginfailedforuser-1 |
+| exalms-sqlserver-system-info-1 | microsoft-mssql-json-network-traffic-success-17832 |
+| exchange-app-activity | microsoft-exchange-kv-app-activity-success-list |
+| exchange-app-activity-1 | microsoft-exchange-kv-email-delete-success-exchangeserver |
+| exchange-app-activity-2 | microsoft-exchange-kv-email-read-success-exchangeserver |
+| exchange-app-login | microsoft-exchange-kv-app-login-success-serverexchange |
+| exchange-app-login-1 | microsoft-exchange-csv-app-authentication-success-server |
+| exchange-authentication-failed | microsoft-exchange-str-app-authentication-fail-auth |
+| exchange-authentication-successful | microsoft-exchange-kv-app-authentication-success-exserver |
+| exchange-dlp-alert | microsoft-exchange-csv-alert-trigger-success-filteredasspam |
+| exchange-dlp-alert-1 | microsoft-exchange-csv-alert-trigger-success-quarantined |
+| exchange-dlp-email-alert-1 | microsoft-exchange-csv-email-send-receive-delivered |
+| exchange-dlp-email-alert-10 | microsoft-exchange-csv-app-notification-routingtransfer |
+| exchange-dlp-email-alert-11 | microsoft-exchange-csv-alert-trigger-dsnbadmail |
+| exchange-dlp-email-alert-12 | microsoft-exchange-csv-app-notification-routingexpand |
+| exchange-dlp-email-alert-13 | microsoft-exchange-csv-app-notification-transfer |
+| exchange-dlp-email-alert-14 | microsoft-exchange-csv-app-notification-routingdrop |
+| exchange-dlp-email-alert-15 | microsoft-exchange-csv-app-notification-dsn |
+| exchange-dlp-email-alert-16 | microsoft-exchange-csv-app-notification-redirecting |
+| exchange-dlp-email-alert-17 | microsoft-exchange-csv-app-notification-hadiscard |
+| exchange-dlp-email-alert-18 | microsoft-exchange-csv-email-receive-smtphareceive |
+| exchange-dlp-email-alert-19 | microsoft-exchange-csv-app-notification-agentinfo |
+| exchange-dlp-email-alert-2 | microsoft-exchange-csv-email-send-receive-expanded |
+| exchange-dlp-email-alert-20 | microsoft-exchange-csv-app-notification-success-storedriver |
+| exchange-dlp-email-alert-21 | microsoft-exchange-csv-app-notification-processmeetingmessage |
+| exchange-dlp-email-alert-22 | microsoft-exchange-csv-app-notification-agentresubmit |
+| exchange-dlp-email-alert-23 | microsoft-exchange-csv-app-notification-smtpdefer |
+| exchange-dlp-email-alert-24 | microsoft-exchange-csv-app-notification-smtpharedirectfail |
+| exchange-dlp-email-alert-25 | microsoft-exchange-csv-app-notification-routingduplicateredirect |
+| exchange-dlp-email-alert-26 | microsoft-exchange-csv-app-notification-success-queueresubmit |
+| exchange-dlp-email-alert-27 | microsoft-exchange-csv-app-notification-agentdefer |
+| exchange-dlp-email-alert-28 | microsoft-exchange-csv-app-notification-success-queuetransfer |
+| exchange-dlp-email-alert-29 | microsoft-exchange-csv-app-notification-success-safetynetresubmit |
+| exchange-dlp-email-alert-3 | microsoft-x-csv-email-failed |
+| exchange-dlp-email-alert-30 | microsoft-exchange-csv-app-notification-success-smtpfail |
+| exchange-dlp-email-alert-4 | microsoft-exchange-csv-email-receive-smtpreceive |
+| exchange-dlp-email-alert-5 | microsoft-exchange-csv-app-notification-smtpharedirect |
+| exchange-dlp-email-alert-6 | microsoft-exchange-csv-email-send-success-smtpsend |
+| exchange-dlp-email-alert-7 | microsoft-exchange-csv-app-notification-success-routingsuppressed |
+| exchange-dlp-email-alert-8 | microsoft-exchange-csv-app-notification-routing |
+| exchange-dlp-email-alert-9 | microsoft-exchange-csv-email-receive-agentreceive |
+| exchange-dlp-email-alert-resolved | microsoft-x-csv-email-resolved |
+| exchange-dlp-email-in | microsoft-x-csv-email-deliver |
+| exchange-dlp-email-in-1 | microsoft-exchange-str-email-receive-success-inbound |
+| exchange-dlp-email-in-2 | microsoft-x-csv-email-receive-success-incoming |
+| exchange-dlp-email-in-3 | microsoft-x-kv-email-receive-success-smtp |
+| exchange-dlp-email-in-failed | microsoft-x-csv-email-receive-failed |
+| exchange-dlp-email-in-sd | microsoft-exchange-csv-email-receive-success-deliver |
+| exchange-dlp-email-internal | microsoft-exchange-str-email-success-internal |
+| exchange-dlp-email-out | microsoft-x-csv-email-received |
+| exchange-dlp-email-out-1 | microsoft-exchange-str-email-send-success-outbound |
+| exchange-dlp-email-out-2 | microsoft-x-kv-email-send-success-catrs |
+| exchange-dlp-email-out-3 | microsoft-x-csv-email-send-success-mailboxrule |
+| exchange-dlp-email-out-4 | microsoft-x-csv-email-send-success-routing |
+| exchange-dlp-email-out-failed | microsoft-x-csv-email-send-failed |
+| exchange-dlp-email-out-sd | microsoft-exchange-csv-email-send-success-receive |
+| exchange-failed-app-login | microsoft-exchange-kv-app-login-fail-imap4 |
+| extrahop-4768 | microsoft-evsecurity-json-endpoint-4768-2 |
+| extrahop-4769 | microsoft-evsecurity-json-endpoint-login-4769-7 |
+| extrahop-4770 | microsoft-evsecurity-json-endpoint-login-4770 |
+| extrahop-4771 | microsoft-evsecurity-json-endpoint-login-fail-4771-4 |
+| extrahop-dns-query | extrahop-revealx-json-dns-request-success-dnsquery |
+| extrahop-network-perf | extrahop-revealx-json-alert-trigger-success-dnsnames |
+| extrahop-network-sec | extrahop-revealx-json-alert-trigger-success-sec |
\ No newline at end of file
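Review bot: two New Parser Name cells carry what look like spelling errors in the identifier, `microsoft-evsecurity-kv-endpoint-authentication-sucess-4769-1` (row `emc-syslog-4769`) and `entrust-ie-kv-endpoint-login-success-sucesssauth` (row `entrust-identityguard-auth-successful`); since readers will use this column as the lookup key for the replacement parser, confirm these match the deployed parser ids character for character rather than being transcription errors. Several rows also map a legacy parser to a different vendor's new parser (`eset-scan-activity` to `symantec-endpointprotection-csv-app-activity-success-user1`, `exa-syslog-nac-logon-*` to `ruckus-r-str-...`, `estreamer-dns-query` to `cisco-fp-kv-dns-request-success-estreamer`); that is plausible for catch-all legacy parsers, but a one-line note in the file's header would stop readers from filing these as mistakes. The file ends without a trailing newline.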
diff --git a/ParsersLegacy/f_parsers.md b/ParsersLegacy/f_parsers.md
new file mode 100644
index 0000000..7fa3aee
--- /dev/null
+++ b/ParsersLegacy/f_parsers.md
@@ -0,0 +1,176 @@
+| Old Parser Name | New Parser Name |
+| ------------------------------------------- | ------------------------------------------------------------------ |
+| f5-afm-alert | f5-afm-kv-alert-trigger-success-module |
+| f5-anacron-system-info | f5-waf-json-endpoint-activity-success-anacron |
+| f5-asm-alert | f5-asm-cef-alert-trigger-success-cookie |
+| f5-asm-alert-1 | f5-asm-cef-alert-trigger-success-responsecode |
+| f5-asm-alert-2 | "f5-asm-xml-alert-trigger-userid |
+| f5-asm-alert-3 | f5-asm-kv-alert-trigger-success-shareincreased |
+| f5-asm-web-activity | f5-asm-kv-http-session-mitigationaction |
+| f5-big-ip-authentication-successful | f5-bigip-str-app-authentication-success-01490265 |
+| f5-config-change | f5-bigip-kv-configuration-modify-audit |
+| f5-dlp-email-out | f5-waf-json-email-send-success-sentmail |
+| f5-network-alert-1 | f5-waf-kv-alert-trigger-success-request |
+| f5-network-alert-3 | f5-waf-kv-alert-trigger-success-waf |
+| f5-network-alert-4 | f5-ipintelligence-kv-alert-trigger-success-ipi |
+| f5-network-connection | f5-afm-kv-network-traffic-success-networktraffic |
+| f5-network-connection-1 | f5-bigip-kv-network-traffic-success-irule |
+| f5-network-connection-2 | f5-waf-str-network-traffic-fail-ssl |
+| f5-network-connection-3 | f5-waf-str-network-traffic-fail-ssl-1 |
+| f5-network-connection-4 | f5-waf-str-network-traffic-fail-handshake |
+| f5-network-connection-5 | f5-waf-str-network-traffic-success-connectionrequest |
+| f5-network-connection-6 | f5-waf-str-network-traffic-success-connectionresponse |
+| f5-process-created | f5-waf-json-process-create-success-cmd |
+| f5-silverline-ipi | f5-silverline-kv-alert-trigger-ipi |
+| f5-silverline-ipi-1 | f5-silverline-kv-alert-trigger-ipi-1 |
+| f5-silverline-irule | f5-silverline-kv-network-session-fail-irule |
+| f5-silverline-network-alert-1 | f5-silverline-kv-alert-trigger-success-waf |
+| f5-silverline-network-alert-2 | f5-silverline-csv-alert-trigger-l7ddos |
+| f5-silverline-waf | f5-silverline-json-alert-trigger-success-waf |
+| f5-snmpd-system-lnfo | f5-waf-json-endpoint-activity-success-snmpd |
+| f5-ssh-failed-logon | f5-apm-kv-endpoint-login-fail-httpd |
+| f5-ssh-login-successful | f5-bigip-kv-ssh-traffic-success-sshd |
+| f5-ssh-login-successful-1 | f5-waf-json-endpoint-login-success-acceptkeyforroot |
+| f5-sshd-logout | f5-waf-json-endpoint-logout-success-connectionclosed |
+| f5-sshd-logout-1 | f5-waf-json-endpoint-logout-success-sessionclosed |
+| f5-syslog-alert | f5-bigipasm-str-app-notification-infologger |
+| f5-system-event | f5-bigipdns-mix-http-request-http |
+| f5-system-event-1 | f5-bigipdns-str-http-request-success-proxyrequest |
+| f5-system-info | f5-f-kv-app-activity-common |
+| f5-system-info-1 | f5-bigip-str-app-activity-restserver |
+| f5-system-info-10 | f5-bigip-kv-app-notification-success-01490157 |
+| f5-system-info-2 | f5-apm-csv-app-notification-start |
+| f5-system-info-3 | f5-bigip-str-app-notification-info |
+| f5-system-info-4 | f5-bigip-kv-app-notification-success-vpn |
+| f5-system-info-5 | f5-bigip-kv-app-notification-success-01490248 |
+| f5-system-info-6 | f5-bigip-kv-app-notification-success-01490008 |
+| f5-system-info-7 | f5-bigip-kv-app-notification-success-01490128 |
+| f5-system-info-8 | f5-bigip-kv-vpn-logout-success-01490115 |
+| f5-system-info-9 | f5-bigip-kv-app-notification-success-01490517 |
+| f5-system-info-auditd | f5-waf-json-endpoint-activity-success-auditd |
+| f5-system-info-crond | f5-waf-json-endpoint-activity-success-crond |
+| f5-system-info-sshd | f5-waf-json-endpoint-activity-success-sshd |
+| f5-systemd-system-info | f5-waf-json-endpoint-activity-success-systemd |
+| f5-vip-network-alert | f5-vip-str-alert-trigger-monitorstatus |
+| f5-vpn-additional-info | f5-apm-str-vpn-success-01490005 |
+| f5-vpn-assign-ip | f5-bigip-str-vpn-login-success-01490549 |
+| f5-vpn-auth-failed | f5-apm-json-endpoint-login-fail-01490212 |
+| f5-vpn-auth-failed-1 | f5-bigip-kv-endpoint-login-fail-accessdenied |
+| f5-vpn-cert-user | f5-bigip-str-vpn-success-sessionsslcert |
+| f5-vpn-login-failed | f5-apm-str-vpn-login-fail-01490106 |
+| f5-vpn-password-change-failed | f5-bigip-kv-user-password-modify-fail-changerejected |
+| f5-vpn-policy | f5-apm-str-vpn-success-01490102 |
+| f5-vpn-session-data | f5-apm-str-vpn-logout-success-01490521 |
+| f5-vpn-session-end | f5-bigip-str-vpn-logout-success-01490 |
+| f5-vpn-session-end-1 | f5-bigip-kv-vpn-logout-success-closed |
+| f5-vpn-session-start | f5-bigip-mix-vpn-login-success-01490500 |
+| f5-vpn-session-start-1 | f5-bigip-kv-vpn-login-success-started |
+| f5-vpn-start-custom | f5-apm-str-vpn-success-allow |
+| f5-vpn-user | f5-apm-mix-vpn-success-01490 |
+| f5-vpn-user-agent | f5-apm-str-vpn-success-01490506 |
+| f5-vpn-username | f5-bigipapm-str-vpn-login-success-username |
+| f5-web-activity | f5-websafe-str-http-session-cookiemonster |
+| f5-web-activity-1 | f5-bigip-kv-http-response-success-httpresponse |
+| falcon-dns-request | crowdstrike-falcon-mix-dns-request-success-dnsrequest |
+| fidelis-email-alert | fidelis-fxps-kv-email-receive-success-fidelisxps |
+| fidelis-leef-alert | fidelis-fxps-leef-alert-trigger-success-cybersecurity |
+| fileauditor-file-delete | fileauditor-fa-kv-file-delete-success-delete |
+| fileauditor-file-read | fileauditor-fa-kv-file-read-success-read |
+| fileauditor-file-write-1 | fileauditor-fa-kv-file-write-success-create |
+| fileauditor-file-write-2 | fileauditor-fa-kv-file-write-success-modify |
+| fileauditor-file-write-3 | fileauditor-fa-kv-file-write-success-rename |
+| fileauditor-file-write-4 | fileauditor-fa-kv-file-write-success-overwrite |
+| fileauditor-object-access | fileauditor-fa-kv-file-read-fail-readdeny |
+| filesite-app-activity | imanage-i-kv-app-activity-success-appactivity |
+| fireeye-cef-alert | fireeye-networksecurity-cef-alert-trigger-success-deviceseverity |
+| fireeye-cef-alert-no-connector | fireeye-networksecurity-cef-alert-trigger-success-fireeye |
+| fireeye-cef-email-alert | fireeye-networksecurity-cef-alert-trigger-success-suser |
+| fireeye-dlp-email | fireeye-etp-json-email-receive-success-fireeyeetp |
+| fireeye-dlp-email-alert | fireeye-etp-kv-email-receive-fenotify |
+| fireeye-hx-alert | fireeye-endpointsecurity-json-alert-trigger-success-fireeyehx |
+| fireeye-json-alert-email | fireeye-emailgateway-json-alert-trigger-success-emailmps |
+| fireeye-mps-json-generic-alert | fireeye-networksecurity-json-alert-trigger-success-alert |
+| fireeye-mps-json-generic-alert-1 | fireeye-networksecurity-json-alert-trigger-success-srcipv4 |
+| fireeye-mps-json-unformatted-alert | fireeye-networksecurity-json-alert-trigger-success-product |
+| fireeye-mps-xml-extended-body-alert | "fireeye-networksecurity-xml-alert-trigger-success-fenotify |
+| fireeye-mps-xml-extended-consolidated-alert | "fireeye-networksecurity-xml-alert-trigger-success-webmps |
+| fireeye-mps-xml-extended-head-alert | "fireeye-networksecurity-xml-alert-trigger-success-1alert |
+| fireeye-mps-xml-normal-alert | "fireeye-networksecurity-xml-alert-trigger-success-msgnormal |
+| fireeye-security-alert | fireeye-etp-kv-alert-trigger-fenotify |
+| fireeye-web-activity | fireeye-networksecurity-json-http-session-dstdomain |
+| fireeyecm-nx-alert | fireeye-escm-json-alert-trigger-success-fireeyecm |
+| firepower-dns-response | cisco-fp-json-dns-response-success-dnssinkhole |
+| firepower-network-alert | cisco-fp-kv-alert-trigger-success-malware |
+| firepower-network-alert-1 | cisco-fp-kv-alert-trigger-success-sinkhole |
+| fireye-security-alert-1 | fireeye-endpointsecurity-json-alert-trigger-success-iocnames |
+| forcepoint-network-connection | forcepoint-ngfw-cef-network-close-connectionclosed |
+| forcepoint-network-connection-1 | forcepoint-ngfw-cef-network-traffic-70621 |
+| forcepoint-network-connection-2 | forcepoint-ngfw-cef-network-traffic-fail-71042 |
+| forcepoint-network-connection-3 | forcepoint-ngfw-cef-network-notification-70961 |
+| forcepoint-network-connection-4 | forcepoint-ngfw-cef-network-traffic-71257 |
+| forcepoint-network-connection-5 | forcepoint-ngfw-cef-network-traffic-70613 |
+| forcepoint-network-connection-7 | forcepoint-ngfw-cef-network-traffic-1004 |
+| forcepoint-network-connection-failed | forcepoint-ngfw-cef-network-session-fail-discarded |
+| forcepoint-network-connection-failed-1 | forcepoint-ngfw-kv-network-traffic-fail-connectionclosed |
+| forcepoint-network-connection-failed-2 | forcepoint-ngfw-kv-network-traffic-fail-connectiondiscarded |
+| forcepoint-network-connection-failed-3 | forcepoint-ngfw-kv-network-traffic-fail-incompleteconnectionclosed |
+| forcepoint-network-connection-failed-4 | forcepoint-ngfw-cef-app-activity-1008 |
+| forcepoint-network-connection-failed-5 | forcepoint-ngfw-cef-network-session-fail-fwconnectiondiscarded |
+| forcepoint-network-connection-failed-6 | forcepoint-ngfw-cef-network-close-70022 |
+| forcepoint-network-connection-successful | forcepoint-ngfw-cef-network-traffic-success-connectionallowed |
+| forcepoint-network-connection-successful-1 | forcepoint-ngfw-kv-network-traffic-success-newconnection |
+| forcepoint-network-event | forcepoint-ngfw-cef-app-activity-log |
+| forcepoint-proxy | forcepoint-wsg-leef-http-session-security |
+| forcepoint-proxy-1 | forcepoint-wsg-kv-http-session-httpuseragent |
+| forcepoint-proxy-2 | forcepoint-wsg-kv-http-session-action |
+| forcepoint-web-activity | forcepoint-wsg-cef-http-session-success-httpurllogged |
+| forcepoint-web-activity-2 | forcepoint-wsg-kv-http-session-apiexportcsvtokv |
+| forefront-epp-cef-alert | microsoft-defenderep-cef-alert-trigger-success-malwaredetected |
+| fortiauthenticator-auth-successful | fortinet-fortiauthenticator-kv-endpoint-login-action |
+| fortiauthenticator-logout | fortinet-fortiauthenticator-kv-app-logout-authentication |
+| fortinet-0102043011 | fortinet-vpn-kv-app-authentication-fail-0102043011 |
+| fortinet-0102043039 | fortinet-fortiauthenticator-kv-endpoint-login-success-0102043039 |
+| fortinet-0102043040 | fortinet-vpn-kv-app-logout-0102043040 |
+| fortinet-app-activity | fortinet-utm-kv-http-session-appctrl |
+| fortinet-auth-successful | fortinet-vpn-kv-endpoint-login-success-logdesc |
+| fortinet-dlp-alert | fortinet-utm-kv-alert-trigger-success-dlp |
+| fortinet-dlp-alert-email | fortinet-utm-kv-email-receive-success-dlp |
+| fortinet-dlp-alert-email-1 | fortinet-utm-kv-email-receive-success-emailreceived |
+| fortinet-ipsec-vpn-end | fortinet-vpn-cef-vpn-logout-success-connection |
+| fortinet-ipsec-vpn-start | fortinet-vpn-cef-vpn-login-success-connection |
+| fortinet-logout | fortinet-vpn-kv-app-logout-logoff |
+| fortinet-netflow | fortinet-firewall-json-network-traffic-success-trafficlocality |
+| fortinet-network-alert | fortinet-utm-kv-alert-trigger-success-ips |
+| fortinet-network-alert-1 | fortinet-utm-kv-alert-trigger-success-ips1 |
+| fortinet-network-connection | fortinet-firewall-kv-network-traffic-notice |
+| fortinet-network-connection-1 | fortinet-fortigate-cef-network-traffic-success-trafficdns |
+| fortinet-network-connection-2 | fortinet-fortigate-cef-network-traffic-success-trafficipconn |
+| fortinet-network-connection-3 | fortinet-fortigate-cef-network-traffic-success-forward |
+| fortinet-security-alert | fortinet-utm-kv-alert-trigger-success-virus |
+| fortinet-security-alert-1 | fortinet-utm-kv-alert-trigger-virus |
+| fortinet-security-alert-2 | fortinet-utm-kv-alert-trigger-success-anomaly |
+| fortinet-ssl-failed-vpn-login | fortinet-vpn-kv-vpn-login-fail-loginfailed |
+| fortinet-ssl-vpn-end | fortinet-vpn-kv-vpn-logout-success-0102043040-1 |
+| fortinet-ssl-vpn-end-3 | fortinet-vpn-cef-vpn-logout-success-down |
+| fortinet-ssl-vpn-start | fortinet-vpn-kv-vpn-login-success-ssl |
+| fortinet-ssl-vpn-start-1 | fortinet-vpn-cef-vpn-login-success-login |
+| fortinet-utm-app-activity | fortinet-utm-kv-app-activity-appctrl |
+| fortinet-vpn-connection | fortinet-fortigate-cef-vpn-login-success-loggedin |
+| fortinet-web-activity | fortinet-utm-kv-http-session-webfilter |
+| fortinet-web-activity-1 | fortinet-fortiweb-kv-http-session-traffic |
+| fortinet-web-activity-2 | fortinet-utm-cef-http-seesion-logver |
+| fortinet-web-activity-3 | fortinet-fortiweb-kv-http-session-threatweight |
+| fortios-firewall-alert | fortinet-fortigate-kv-network-traffic-logid |
+| fortios-network-connection-1 | fortinet-firewall-kv-network-traffic-success-vpn |
+| fortios-network-connection-failed | fortinet-firewall-kv-network-traffic-fail-traffic |
+| fortios-network-connection-successful | fortinet-firewall-kv-network-traffic-success-accept |
+| fortios-system-event | fortinet-fortigate-kv-app-activity-system |
+| fortios-wireless-access | fortinet-fortigate-kv-app-activity-wireless |
+| foxt-file-download | helpsystems-piam-kv-file-read-success-successfuldownloadfile |
+| foxt-file-remove | helpsystems-piam-kv-file-delete-success-sftpfileremove |
+| foxt-file-upload | helpsystems-piam-kv-file-write-success-successfuluploadfile |
+| foxt-local-logon | helpsystems-powertechiam-kv-endpoint-login-success-loginok |
+| foxt-ssh-login | helpsystems-powertechiam-kv-ssh-traffic-success-sshloginsuccess |
+| foxt-sshruncmd-process-created | helpsystems-powertechiam-kv-process-create-success-sshfrom |
+| foxt-suexec-process-created | helpsystems-powertechiam-kv-process-create-success-suexec |
+| foxt-unix-su | helpsystems-piam-kv-user-switch-success-suaccessuser |
\ No newline at end of file
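Review bot: five New Parser Name cells begin with a stray double quote, `"f5-asm-xml-alert-trigger-userid` (row `f5-asm-alert-2`) and the four `"fireeye-networksecurity-xml-alert-trigger-success-...` rows (`fenotify`, `webmps`, `1alert`, `msgnormal`); this reads like an unbalanced CSV quote carried into the markdown and will break anyone who copies the new name verbatim, so drop the quote. `fortinet-utm-cef-http-seesion-logver` (row `fortinet-web-activity-2`) uses `seesion` where every other entry spells `session`, so confirm that is the real id. In the Old column, `f5-snmpd-system-lnfo` and `fireye-security-alert-1` are fine if they reproduce the legacy ids exactly, but worth a check. `f5-network-alert-2` and `forcepoint-network-connection-6` are absent from otherwise contiguous sequences, and the file ends without a trailing newline.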
diff --git a/ParsersLegacy/g_parsers.md b/ParsersLegacy/g_parsers.md
new file mode 100644
index 0000000..89d7bb7
--- /dev/null
+++ b/ParsersLegacy/g_parsers.md
@@ -0,0 +1,124 @@
+| Old Parser Name | New Parser Name |
+| --------------------------------------- | ------------------------------------------------------------------------------------------ |
+| gallagher-failed-physical-access | gallagher-ac-csv-physical-location-access-fail-nozoneprivilege |
+| gallagher-physical-access | gallagher-ac-csv-physical-location-access-success-dooraccessgranted |
+| gallagher-physical-access-1 | gallagher-ac-csv-physical-location-access-success-cardexitgranted |
+| gallagher-physical-access-2 | gallagher-ac-csv-physical-location-access-noentry |
+| gamma-security-alert | gamma-g-kv-alert-trigger-success-security-violation |
+| gcp-accountsetiampolicy-json | google-cloudplatform-json-policy-modify-success-adminsetiampolicy |
+| gcp-createrole-json | google-cloudplatform-json-role-create-success-googleiamcreaterole |
+| gcp-createserviceaccount-json | google-cloudplatform-json-user-create-success-googleiamcreateserviceaccount |
+| gcp-createserviceaccountkey-json | google-cloudplatform-json-user-key-create-success-googleiamcreateserviceaccountkey |
+| gcp-diskscreatesnapshot-json | google-cloudplatform-json-snapshot-create-success-computediskscreatesnapshot |
+| gcp-disksetiampolicy-json | google-cloudplatform-json-policy-modify-success-computediskssetiampolicy |
+| gcp-disksinsert-json | google-cloudplatform-json-disk-create-success-computedisksinsert |
+| gcp-general-activity | google-cloudplatform-json-app-activity-success-googleapismethodname |
+| gcp-ids-network-alert | google-cloudplatform-sk4-alert-trigger-success-googleapis |
+| gcp-imagesetiampolicy-json | google-cloudplatform-json-policy-modify-success-computeimagessetiampolicy |
+| gcp-imagesinsert-json | google-cloudplatform-json-image-create-success-computeimagesinsert |
+| gcp-instancesattachdisk-json | google-cloudplatform-json-disk-attach-success-computeinstancesattachdisk |
+| gcp-instancesetiampolicy-json | google-cloudplatform-json-policy-modify-success-computeinstancessetiampolicy |
+| gcp-instancesinsert-json | google-cloudplatform-json-endpoint-create-success-betacomputeinstancesinsert |
+| gcp-instancessetmachinetype-json | google-cloudplatform-json-endpoint-modify-success-computeinstancessetmachinetype |
+| gcp-instancessetmetadata-json | google-cloudplatform-json-endpoint-modify-success-computeinstancessetmetadata |
+| gcp-objectsupdate-json | google-cloudplatform-json-file-permission-modify-success-storageobjectsupdatepolicydelta |
+| gcp-projectsetiampolicy-json | google-cloudplatform-json-policy-modify-success-googleapissetiampolicy |
+| gcp-projectssetinstancemetadata-json | google-cloudplatform-json-endpoint-modify-success-computeprojectssetcommoninstancemetadata |
+| gcp-snapshotsetiampolicy-json | google-cloudplatform-json-policy-modify-success-computesnapshotssetiampolicy |
+| gcp-storagesetiampermissions-json | google-cloudplatform-json-bucket-permission-modify-success-storagesetiampermissions |
+| gcp-updaterole-json | google-cloudplatform-json-role-modify-success-googleiamupdaterole |
+| gcpvpc-netflow-connection | google-cloudplatform-json-network-traffic-success-payload |
+| gentax-app-activity | fastenterprises-gt-csv-app-notification-accountmanagement |
+| gentax-app-login | fastenterprises-gt-str-app-login-success-accesslogs |
+| gigamon-system-info-1 | gigamon-gvuehc2-cef-network-notification-success-sessiondecrypt |
+| gigamon-system-info-2 | gigamon-gvuehc2-cef-network-notification-success-sessionnodecrypt |
+| gigamon-system-info-3 | gigamon-gvuehc2-cef-network-notification-success-sessiondrop |
+| gigamon-system-info-4 | gigamon-gvuehc2-cef-network-notification-success-urlcatlookup |
+| gigamon-system-info-5 | gigamon-gvuehc2-cef-network-notification-success-maxcpsupdate |
+| github-app-activity-1 | github-g-csv-repository-modify-success-update |
+| github-app-activity-10 | github-g-csv-app-activity-success-orgrm |
+| github-app-activity-11 | github-g-csv-app-activity-success-repocreate |
+| github-app-activity-12 | github-g-csv-app-activity-success-teamchange |
+| github-app-activity-13 | github-g-csv-app-activity-success-branchupdate |
+| github-app-activity-14 | github-g-csv-app-activity-success-refupdate |
+| github-app-activity-15 | github-g-csv-app-activity-success-removemember |
+| github-app-activity-16 | github-g-csv-app-activity-success-repodestroy |
+| github-app-activity-17 | github-g-csv-app-activity-success-addmember |
+| github-app-activity-18 | github-g-csv-app-activity-success-parentteam |
+| github-app-activity-19 | github-g-csv-app-activity-success-updatemember |
+| github-app-activity-2 | github-g-csv-app-activity-success-teamadd |
+| github-app-activity-20 | github-g-csv-app-activity-success-teamdestroy |
+| github-app-activity-21 | github-g-csv-app-activity-success-orgaudit |
+| github-app-activity-22 | github-g-csv-app-activity-success-teamrename |
+| github-app-activity-23 | github-g-csv-app-activity-success-removerepo |
+| github-app-activity-24 | github-g-csv-app-activity-success-teamdelete |
+| github-app-activity-25 | github-g-csv-app-activity-success-statuscheck |
+| github-app-activity-26 | github-g-csv-app-activity-success-branchdestroy |
+| github-app-activity-27 | github-g-csv-app-activity-success-orgcancel |
+| github-app-activity-28 | github-g-csv-app-activity-success-requireds |
+| github-app-activity-29 | github-g-csv-app-activity-success-paymethod |
+| github-app-activity-3 | github-g-csv-app-activity-success-orginvite |
+| github-app-activity-30 | github-g-csv-app-activity-success-hookconfig |
+| github-app-activity-31 | github-g-csv-app-activity-success-reporen |
+| github-app-activity-32 | github-g-csv-app-activity-success-hookcreate |
+| github-app-activity-33 | github-g-csv-app-activity-success-repotrans |
+| github-app-activity-34 | github-g-csv-app-activity-success-enforcement |
+| github-app-activity-35 | github-g-csv-repository-create-success-projectcreate |
+| github-app-activity-36 | github-g-csv-app-activity-success-projectclose |
+| github-app-activity-37 | github-g-csv-app-activity-success-enabletwo |
+| github-app-activity-38 | github-g-csv-app-activity-success-billingemail |
+| github-app-activity-39 | github-g-csv-app-activity-success-accountplan |
+| github-app-activity-4 | github-g-csv-app-activity-success-teamremovem |
+| github-app-activity-5 | github-g-csv-app-activity-success-orgmem |
+| github-app-activity-6 | github-g-csv-app-activity-success-repoadd |
+| github-app-activity-7 | github-g-csv-app-activity-success-issuecomment |
+| github-app-activity-8 | github-g-csv-app-activity-success-createteam |
+| github-app-activity-9 | github-g-csv-app-activity-success-craeteb |
+| github-audit-failed-login | github-g-json-app-login-fail-failedlogin |
+| github-audit-hook-activity | github-g-json-http-request-success-githubaudithook |
+| github-audit-org-activity | github-g-json-user-invite-success-org |
+| github-audit-repo-activity | github-g-json-repository-create-success-githubauditrepo |
+| github-audit-team-activity | github-g-json-user-create-success-githubauditteam |
+| gm-print-activity | hp-lprinter-json-printer-activity-success-laserjet |
+| goanywhere-app-activity | goanywhere-gamft-kv-file-rename-fail-failed |
+| goanywhere-failed-logon | goanywhere-gamft-kv-endpoint-login-fail-loginfailed |
+| goanywhere-file-delete | goanywhere-gamft-kv-file-delete-success-deletefile |
+| goanywhere-file-delete-1 | goanywhere-gamft-kv-file-delete-success-deletefile-1 |
+| goanywhere-file-download | goanywhere-gamft-kv-file-download-success-download |
+| goanywhere-file-download-1 | goanywhere-gamft-kv-file-download-success-download-1 |
+| goanywhere-file-upload | goanywhere-gamft-kv-file-upload-success-upload |
+| goanywhere-file-upload-1 | goanywhere-gamft-kv-file-upload-success-upload-1 |
+| goanywhere-logout | goanywhere-gamft-kv-app-logout-success-disconnect |
+| goanywhere-logout-1 | goanywhere-gamft-kv-app-logout-success-logout |
+| goanywhere-logout-2 | goanywhere-gamft-kv-app-logout-success-disconnected |
+| goanywhere-logout-3 | goanywhere-gamft-kv-app-logout-success-logout-1 |
+| goanywhere-remote-logon | goanywhere-gamft-kv-endpoint-login-success-loginsuccessful |
+| goanywhere-remote-logon-1 | goanywhere-gamft-kv-endpoint-login-success-connectionsuccessful |
+| goanywhere-remote-logon-2 | goanywhere-gamft-kv-endpoint-login-success-loginsuccessful-1 |
+| goanywhere-remote-logon-3 | goanywhere-gamft-kv-endpoint-login-success-connectionsuccessful-1 |
+| google-drive-app-activity | google-workspace-sk4-app-activity-success-drive |
+| google-plus-app-activity | google-gplus-sk4-app-activity-gplus |
+| googlecloud-app-activity | google-cloudplatform-mix-app-activity-success-prototpayload |
+| googlecloud-app-activity-1 | google-gcpca-sk4-app-activity-cloud |
+| googlecloud-web-activity | google-cloudplatform-json-http-session-jsonpayload |
+| gravityzone-security-alert-aph | bitdefender-gz-json-alert-trigger-success-aph |
+| gravityzone-security-alert-aph-1 | bitdefender-gz-sk4-alert-trigger-success-aph |
+| gravityzone-security-alert-av | bitdefender-gz-json-alert-trigger-success-av |
+| gravityzone-security-alert-av-1 | bitdefender-gz-sk4-alert-trigger-success-av |
+| gravityzone-security-alert-avc | bitdefender-gz-json-alert-trigger-success-avc |
+| gravityzone-security-alert-avc-1 | bitdefender-gz-sk4-alert-trigger-success-avc |
+| gravityzone-security-alert-fw | bitdefender-gz-sk4-alert-trigger-success-fw |
+| gravityzone-security-alert-hd | bitdefender-gz-json-alert-trigger-success-hd |
+| gravityzone-security-alert-new-incident | bitdefender-gz-sk4-alert-trigger-success-newincident |
+| gravityzone-security-alert-new-login | bitdefender-gz-json-app-login-success-gravityzonelogin |
+| gravityzone-security-module-info | bitdefender-gz-json-app-notification-modules |
+| gravityzone-system-info | bitdefender-gz-json-app-notification-databsebackup |
+| gravityzone-system-info-1 | bitdefender-gz-json-app-activity-success-registration |
+| gravityzone-web-activity-denied | bitdefender-gz-json-http-session-fail-blocked |
+| graylog-ras-auth-failed | radius-r-json-endpoint-login-fail-loginincorrect |
+| graylog-ras-auth-successful | radius-r-json-vpn-login-success-loginok |
+| graylog-ras-vpn-start | openvpn-ov-json-vpn-login-success-connection |
+| greenbay-4776 | microsoft-evsecurity-json-endpoint-login-4776-2 |
+| greenbay-group-membership | microsoft-evsecurity-json-endpoint-notification-4627-1 |
+| greenbay-privileged-access | microsoft-evsecurity-json-user-privilege-use-success-privileges |
+| guardium-db-query | ibm-guardium-kv-database-query-success-dbuser |
\ No newline at end of file
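Review bot: three new-name cells in this table look like typos rather than intentional identifiers: `github-g-csv-app-activity-success-craeteb` (row `github-app-activity-9`), `google-cloudplatform-mix-app-activity-success-prototpayload` (row `googlecloud-app-activity`) and `bitdefender-gz-json-app-notification-databsebackup` (row `gravityzone-system-info`). Operators will use this table to look up the replacement for a legacy parser, so each should be checked against the name the parser is actually registered under and either corrected here or left as-is if the misspelling is the real name. Same trailing-newline point as the other files in this change.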
diff --git a/ParsersLegacy/h_parsers.md b/ParsersLegacy/h_parsers.md
new file mode 100644
index 0000000..ae5293d
--- /dev/null
+++ b/ParsersLegacy/h_parsers.md
@@ -0,0 +1,78 @@
+| Old Parser Name | New Parser Name |
+| ------------------------------------ | ----------------------------------------------------------- |
+| hashicorp-app-login-1 | hashicorp-vault-sk4-app-login-success-response |
+| hashicorp-app-login-2 | hashicorp-vault-json-app-login-success-applogin |
+| hashicorp-password-reset | hashicorp-vault-sk4-user-password-reset-success-request |
+| honeywell-physical-badge-access | honeywell-pw-json-physical-location-access-areaname |
+| hornet-dlp-email | hornet-email-kv-email-receive-success-1 |
+| hornet-dlp-email-alert | hornet-email-kv-email-receive-success-2 |
+| hornet-email-security-alert | hornet-email-kv-alert-trigger-success-5 |
+| hp-aruba-authentication-successful | hp-arubawc-str-app-authentication-success-loggedin |
+| hp-aruba-authentication-successful-1 | hp-arubawc-str-app-authentication-success-webui |
+| hp-aruba-clearpass-info-1 | hp-arubacpm-kv-app-notification-success-cppmendpointprofile |
+| hp-aruba-clearpass-info-2 | hp-arubacpm-kv-app-notification-success-cppmprocstats |
+| hp-aruba-clearpass-info-3 | hp-arubacpm-kv-app-notification-success-cppmsystemstat |
+| hp-aruba-clearpass-info-4 | hp-arubacpm-str-app-notification-8904 |
+| hp-aruba-clearpass-info-5 | hp-arubacpm-str-app-activity-5691 |
+| hp-aruba-clearpass-info-6 | hp-arubacpm-str-app-notification-5688 |
+| hp-aruba-switch-info | hp-arubaos-str-port-block-00435 |
+| hp-aruba-switch-info-1 | hp-arubaos-str-port-disable-00077 |
+| hp-aruba-switch-info-10 | hp-arubaos-str-configuration-modify-success-04695 |
+| hp-aruba-switch-info-11 | hp-arubaos-str-app-notification-success-03803 |
+| hp-aruba-switch-info-12 | hp-arubaos-str-app-notification-02555 |
+| hp-aruba-switch-info-13 | hp-arubaos-str-configuration-modify-02633 |
+| hp-aruba-switch-info-14 | hp-arubaos-str-configuration-modify-00688 |
+| hp-aruba-switch-info-15 | hp-arubaos-str-configuration-modify-04260 |
+| hp-aruba-switch-info-16 | hp-arubaos-str-configuration-modify-04257 |
+| hp-aruba-switch-info-17 | hp-arubaos-str-configuration-modify-00410 |
+| hp-aruba-switch-info-18 | hp-arubaos-str-configuration-modify-00417 |
+| hp-aruba-switch-info-19 | hp-arubaos-str-endpoint-start-00066 |
+| hp-aruba-switch-info-2 | hp-arubaos-str-port-block-00329 |
+| hp-aruba-switch-info-20 | hp-arubaos-str-service-start-success-04320 |
+| hp-aruba-switch-info-21 | hp-arubaos-str-service-modify-success-00138 |
+| hp-aruba-switch-info-22 | hp-arubaos-str-endpoint-notification-success-02672 |
+| hp-aruba-switch-info-23 | hp-arubaos-str-log-disable-04332 |
+| hp-aruba-switch-info-24 | hp-arubaos-str-configuratuin-modify-03125 |
+| hp-aruba-switch-info-25 | hp-arubaos-str-log-enable-04331 |
+| hp-aruba-switch-info-26 | hp-arubaos-str-endpoint-login-success-00179 |
+| hp-aruba-switch-info-3 | hp-arubaos-str-port-enable-00076 |
+| hp-aruba-switch-info-4 | hp-arubaos-str-endpoint-notification-success-00828 |
+| hp-aruba-switch-info-5 | hp-arubaos-str-endpoint-notification-success-00166 |
+| hp-aruba-switch-info-6 | hp-arubaos-str-endpoint-login-success-03362 |
+| hp-aruba-switch-info-7 | hp-arubaos-str-endpoint-logout-success-03363 |
+| hp-aruba-switch-info-8 | hp-arubaos-str-endpoint-notification-success-04693 |
+| hp-aruba-switch-info-9 | hp-arubaos-str-endpoint-notification-success-04694 |
+| hp-ilo-app-login-1 | hp-hpilo-str-app-login-success-browserlogin |
+| hp-ilo-app-login-2 | "hp-hpilo-str-app-login-success-xmllogin |
+| hp-ilo-app-logout-1 | hp-hpilo-str-app-logout-success-browserlogout |
+| hp-ilo-app-logout-2 | hp-hpilo-str-app-logout-success-loggedout |
+| hp-interface-updown | hp-comware-str-app-notification-interface |
+| hp-link-updown | hp-comware-str-app-notification-link |
+| hp-ndcl-process-created | hp-comware-str-process-create-success-commandis |
+| hp-port-forwarding | hp-comware-str-configuration-modify-forwarding |
+| hp-print-activity | hp-safecom-json-printer-activity-success-5291 |
+| hp-virtual-connect-login | hp-vcem-str-app-login-success-userlogin |
+| hp-virtual-connect-logout | hp-vcem-kv-app-logout-success-logout |
+| hp-virtual-connect-logout-1 | hp-vcem-kv-app-logout-success-logout-1 |
+| hpe-3par-system-event | hp-3parstoreserv-str-app-activity-cli |
+| hpe-3par-system-event-1 | hp-3parstoreserv-str-app-activity-cli-1 |
+| hpnonstop-system-info | hp-nonstop-kv-app-activity-appactivity |
+| httpd-auth-event | unix-unix-kv-endpoint-authentication-pam |
+| httpd-system-info | unix-unix-str-app-notification-httpdauth |
+| huawei-auth-success | huawei-usg-str-endpoint-login-success-loginsuccess |
+| huawei-firewall | huawei-enf-kv-network-traffic-17 |
+| huawei-ids | huawei-usg-kv-alert-trigger-success-ips |
+| huawei-ids-audit | huawei-usg-kv-app-activity-success-audit |
+| huawei-ids-ike | huawei-usg-kv-app-activity-success-ike |
+| huawei-ids-ipsec | huawei-usg-str-app-activity-success-ipsec |
+| huawei-ids-ipsec-2 | huawei-usg-str-network-session-success-ipsec |
+| huawei-ids-nlog | huawei-usg-str-app-activity-success-nlog |
+| huawei-ids-ntp | huawei-usg-str-app-activity-success-systemclock |
+| huawei-ids-sec | huawei-usg-kv-app-notification-success-sec |
+| huawei-ids-um | huawei-usg-str-app-activity-success-usersynchronization |
+| huawei-ids-url | huawei-usg-kv-http-request-url |
+| huawei-network-alert | huawei-usg-kv-alert-trigger-success-assoc |
+| huawei-process-created | huawei-usg-kv-process-create-success-shell |
+| huawei-vpn-login | huawei-usg-str-vpn-login-success-session |
+| huawei-vpn-login-1 | huawei-usg-kv-vpn-login-success-logonsuccess |
+| huawei-vpn-logout | huawei-usg-kv-vpn-logout-success-logout |
\ No newline at end of file
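Review bot: the `hp-ilo-app-login-2` row has a stray double quote at the start of its new-name cell, `"hp-hpilo-str-app-login-success-xmllogin`, which will render as part of the name; drop it so the row matches the adjacent `hp-hpilo-str-app-login-success-browserlogin`. Also check `hp-arubaos-str-configuratuin-modify-03125` (row `hp-aruba-switch-info-24`): every other switch row spells that segment `configuration-modify`. Missing trailing newline here too.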
diff --git a/ParsersLegacy/i_parsers.md b/ParsersLegacy/i_parsers.md
new file mode 100644
index 0000000..cb0c1ce
--- /dev/null
+++ b/ParsersLegacy/i_parsers.md
@@ -0,0 +1,119 @@
+| Old Parser Name | New Parser Name |
+| -------------------------------------- | ----------------------------------------------------------------- |
+| ibm-auth-successful | ibm-i-str-app-authentication-success-indbinddn |
+| ibm-datapower-network-info | ibm-datapower-str-app-notification-certificate |
+| ibm-db2-db-login | ibm-db2-kv-database-login-fail-validate |
+| ibm-db2-db-update | ibm-db2-kv-database-modify-success-createobject |
+| ibm-failed-app-login | ibm-st-csv-app-login-fail-sametimeauth |
+| ibm-lotus-app-login | ibm-hclnotes-str-app-login-opensession |
+| ibm-lotus-app-logout | ibm-hclnotes-str-app-logout-closedsession |
+| ibm-lotus-database-update | ibm-ln-str-database-modify-success-updating |
+| ibm-lotus-network-connection | ibm-ln-str-network-traffic-success-connected |
+| ibm-lotus-system-info | ibm-hclnotes-str-app-notification-success-locate |
+| ibm-lotus-system-info-1 | ibm-hclnotes-str-message-send-success-delivered |
+| ibm-lotus-system-info-2 | ibm-hclnotes-str-network-close-success-disconnected |
+| ibm-lotus-system-info-3 | ibm-hclnotes-str-file-upload-success-pushing |
+| ibm-lotus-system-info-4 | ibm-hclnotes-str-file-download-success-pulling |
+| ibm-lotus-system-info-5 | ibm-hclnotes-str-app-notification-success-agent |
+| ibm-lotus-system-info-6 | ibm-hclnotes-str-file-write-success-updated |
+| ibm-lotus-system-info-7 | ibm-hclnotes-str-file-write-success-added |
+| ibm-mainframe-account-disabled | ibm-mainframe-json-user-disable-success-suspendedon |
+| ibm-mainframe-app-login | ibm-mainframe-json-app-login-success-loggedon |
+| ibm-mainframe-failed-app-login-1 | ibm-mainframe-json-app-login-fail-incorrectpassword |
+| ibm-mainframe-failed-app-login-2 | ibm-mainframe-json-app-login-fail-passwordmissing |
+| ibm-mainframe-failed-app-login-3 | ibm-mainframe-json-app-login-fail-notauthorized |
+| ibm-mainframe-failed-app-login-4 | ibm-mainframe-json-app-login-fail-invalidsource |
+| ibm-mainframe-logout | ibm-mainframe-json-app-logout-success-loggedoff |
+| ibm-web-activity | ibm-sam-str-http-session-webseald |
+| iboss-web-activity | iboss-cloud-kv-http-session-url |
+| ifilter-web-activity | digitalarts-ifb-str-http-session-proxyifilter |
+| iguard-dlp-alert | mcafee-dlp-cef-email-alert-trigger-success-iguard |
+| illumio-network-connection | illumio-ic-leef-network-traffic-fail-sequenceid |
+| illumio-network-connection-1 | illumio-ic-mix-network-traffic-illumiopce |
+| imanage-app-activity | imanage-i-kv-app-activity-success-accesspermitted |
+| imanage-app-activity-1 | imanage-i-json-app-activity-success-checkout |
+| imanage-dlp-alert | imanage-i-kv-alert-trigger-success-docnum |
+| imperva-attack-analytics-network-alert | imperva-attackanalytics-cef-alert-trigger-success-attackanalytics |
+| imprivata-app-activity-1 | imprivata-i-kv-app-activity-success-agentshutdown |
+| imprivata-app-activity-2 | imprivata-i-kv-app-activity-success-selfenroldeclined |
+| imprivata-app-activity-3 | imprivata-i-kv-app-activity-success-passwordreset |
+| imprivata-app-activity-4 | imprivata-i-str-app-activity-success-passwordchange |
+| imprivata-app-activity-5 | imprivata-i-kv-app-activity-success-primarylockout |
+| imprivata-app-login | imprivata-i-kv-app-login-success-primaryloginsuccess |
+| imprivata-failed-app-login | imprivata-i-kv-app-login-fail-primaryloginfailure |
+| imss-dlp-alert | imss-i-str-alert-trigger-success-dlpalert |
+| imss-dlp-alert-1 | imss-i-str-alert-trigger-success-capacityregulation |
+| imss-security-alert | imss-i-str-alert-trigger-success-securityalert |
+| imss-security-alert-1 | imss-i-str-alert-trigger-success-antispamrules |
+| imss-security-alert-2 | imss-i-json-alert-trigger-success-spf |
+| imss-security-alert-3 | imss-i-str-alert-trigger-success-spoofedemailfilter |
+| imsva-dlp-email-in | imsva-i-str-email-receive-success-sent |
+| imsva-dlp-email-in-failed | imsva-i-str-email-receive-fail-quarantinetransac |
+| imsva-dlp-email-out | imsva-i-str-email-send-success-queuedas |
+| infoblox-bloxone-dns-response | infoblox-bddi-cef-dns-response-success-dns |
+| infoblox-dhcp-config-change | infoblox-bddi-kv-configuration-modify-success-dhcprange |
+| infoblox-dns-config-change | infoblox-bddi-kv-dns-record-create-hostrecord |
+| infoblox-dns-config-change-10 | infoblox-bddi-kv-dns-record-modify-success-mxrecord |
+| infoblox-dns-config-change-11 | infoblox-bddi-kv-dns-record-delete-success-mxrecord |
+| infoblox-dns-config-change-12 | infoblox-bddi-str-configuration-modify-deletedip |
+| infoblox-dns-config-change-13 | infoblox-bddi-kv-dns-record-delete-dnsview |
+| infoblox-dns-config-change-14 | infoblox-bddi-str-dns-record-delete-deletedptrrecord |
+| infoblox-dns-config-change-15 | infoblox-bddi-str-configuration-modify-success-forwardzone |
+| infoblox-dns-config-change-16 | infoblox-bddi-kv-configuration-modify-success-hostalias |
+| infoblox-dns-config-change-17 | infoblox-bddi-kv-configuration-modify-success-forwardzonecreated |
+| infoblox-dns-config-change-18 | infoblox-bddi-kv-configuration-modify-success-modified |
+| infoblox-dns-config-change-19 | infoblox-bddi-kv-dns-record-modify-success-cnamerecord |
+| infoblox-dns-config-change-2 | infoblox-bddi-str-dns-record-delete-httpd |
+| infoblox-dns-config-change-20 | infoblox-bddi-kv-network-notification-reservedrange |
+| infoblox-dns-config-change-21 | infoblox-bddi-kv-configuration-modify-success-authzonecreate |
+| infoblox-dns-config-change-22 | infoblox-bddi-str-configuration-modify-success-policyzone |
+| infoblox-dns-config-change-23 | infoblox-bddi-str-configuration-modify-success-named |
+| infoblox-dns-config-change-3 | infoblox-bddi-kv-dns-record-create-httpd |
+| infoblox-dns-config-change-4 | infoblox-bddi-kv-configuration-modify-success-canonicalname |
+| infoblox-dns-config-change-5 | infoblox-bddi-kv-dns-record-create-success-exchanger |
+| infoblox-dns-config-change-6 | infoblox-bddi-str-dns-record-delete-success-cnamerecorddeleted |
+| infoblox-dns-config-change-7 | infoblox-bddi-kv-dns-record-create-set |
+| infoblox-dns-config-change-8 | infoblox-bddi-kv-dns-record-modify-httpd |
+| infoblox-dns-config-change-9 | infoblox-bddi-kv-dns-record-modify-httpd-1 |
+| infoblox-dns-query | infoblox-bddi-str-dns-request-successresolving |
+| infoblox-dns-query-1 | infoblox-bddi-csv-dns-request-success-query |
+| infoblox-dns-response | infoblox-bddi-csv-dns-response-success-response |
+| infoblox-logout | infoblox-bddi-str-app-logout-success-group |
+| infoblox-logout-1 | infoblox-bddi-kv-app-logout-httpd |
+| infoblox-nios-dhcp | infoblox-nios-cef-dhcp-traffic-dhcpd |
+| infoblox-nios-dns-query | infoblox-nios-json-dns-request-success-hostname |
+| infoblox-remote-logon | infoblox-bddi-kv-endpoint-login-success-loginallowed |
+| infoblox-system-info | infoblox-nios-str-app-notification-cacheview |
+| infoblox-system-info-1 | infoblox-nios-str-app-notification-recursionclient |
+| infoblox-system-info-2 | infoblox-nios-str-configuration-create-dashboardconfiguration |
+| infoblox-system-info-3 | infoblox-nios-kv-app-notification-failure |
+| intercept-x-invincea-alert | sophos-invincea-kv-alert-trigger-success-invincea |
+| ipsec-vpn-user | securenet-s-kv-vpn-success-pppd |
+| iptables-network-connection-failed | iptables-i-kv-network-traffic-fail-deny |
+| iptables-network-connection-successful | iptables-i-kv-network-traffic-success-accept |
+| ironport-dlp-email-alert | cisco-ie-kv-email-send-receive-summary |
+| ironport-proxy | cisco-iws-cef-http-session-ironportwebsecurityappliance |
+| ironport-proxy-1 | cisco-iws-csv-http-session-tcp |
+| ironport-proxy-3 | cisco-iws-str-http-session-direct |
+| ironport-proxy-4 | cisco-iws-kv-http-session-accesslog |
+| ironport-proxy-parser-10 | cisco-iws-kv-http-session-tcphit |
+| ironport-proxy-parser-11 | cisco-iws-kv-http-session-tcpimshit |
+| ironport-proxy-parser-12 | cisco-iws-kv-http-session-tcpmemhit |
+| ironport-proxy-parser-13 | cisco-iws-kv-http-session-tcpmissssl |
+| ironport-proxy-parser-14 | cisco-iws-kv-http-session-tcprefreshhit |
+| ironport-proxy-parser-15 | cisco-iws-kv-http-session-info |
+| ironport-proxy-parser-16 | cisco-iws-kv-http-session-info-1 |
+| ironport-proxy-parser-3 | cisco-iws-kv-http-session-none |
+| ironport-proxy-parser-4 | cisco-iws-kv-http-session-nonessl |
+| ironport-proxy-parser-5 | cisco-iws-kv-http-session-tcpclientrefreshmiss |
+| ironport-proxy-parser-6 | cisco-iws-kv-http-session-tcpclientrefreshmissssl |
+| ironport-proxy-parser-7 | cisco-iws-kv-http-session-tcpmiss |
+| ironport-proxy-parser-8 | cisco-iws-kv-http-session-tcpdenied |
+| ironport-proxy-parser-9 | cisco-iws-kv-http-session-tcpdeniedssl |
+| ironport-system-info | cisco-ie-str-app-notification-maillogs |
+| isilon-file-delete | dell-emcisilon-str-file-delete-success-delete-1 |
+| isilon-file-permission-change | dell-emcisilon-str-file-permission-modify-success-setsecurity |
+| isilon-file-read | dell-emcisilon-str-file-read-success-open-1 |
+| isilon-file-read-1 | dell-emcisilon-str-file-close-success-isilon |
+| isilon-file-read-2 | dell-emcisilon-str-file-read-fail-isilon |
+| isilon-file-write | dell-emcisilon-str-file-write-success-rename |
\ No newline at end of file
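Review bot: `infoblox-bddi-str-dns-request-successresolving` (row `infoblox-dns-query`) is missing the hyphen between the result and suffix segments that every other name in the table has (compare `infoblox-bddi-csv-dns-request-success-query` on the next row); confirm the registered name and fix it if this is a typo. Worth a second look as well: `securenet-s-kv-vpn-success-pppd` (row `ipsec-vpn-user`) has no activity segment between `vpn` and `success`, unlike the `vpn-login-success-...` names used elsewhere in this change. Trailing newline is missing in this file too.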
diff --git a/ParsersLegacy/j_parsers.md b/ParsersLegacy/j_parsers.md
new file mode 100644
index 0000000..e29c600
--- /dev/null
+++ b/ParsersLegacy/j_parsers.md
@@ -0,0 +1,446 @@
+| Old Parser Name | New Parser Name |
+| ----------------------------------------------- | ----------------------------------------------------------------------------------- |
+| jp-4662 | microsoft-evsecurity-kv-ds-object-activity-success-4662-4 |
+| jp-5158 | microsoft-evsecurity-kv-network-session-success-5158-1 |
+| jp-member-added-1 | microsoft-evsecurity-kv-group-member-add-success-4728 |
+| jp-member-added-2 | microsoft-evsecurity-kv-group-member-add-success-4732 |
+| jp-member-added-3 | microsoft-evsecurity-kv-group-member-add-success-4756 |
+| jp-process-network | microsoft-evsecurity-csv-network-session-success-5156 |
+| jp-share-access-5140 | microsoft-evsecurity-kv-share-access-success-5140-1 |
+| jp-share-access-5145 | microsoft-evsecurity-kv-share-access-success-5145-2 |
+| json-1100 | microsoft-windows-sk4-log-disable-success-1100 |
+| json-299 | microsoft-windows-sk4-app-authentication-success-299 |
+| json-403 | microsoft-windows-sk4-http-request-success-403 |
+| json-404 | microsoft-windows-sk4-http-response-success-404 |
+| json-410 | microsoft-windows-sk4-app-notification-success-410 |
+| json-4104 | microsoft-evpowershell-json-process-create-success-4104 |
+| json-412 | microsoft-windows-sk4-app-notification-success-412 |
+| json-431 | microsoft-evadfs-sk4-app-notification-success-431 |
+| json-4608 | microsoft-windows-sk4-endpoint-start-success-4806 |
+| json-4610 | microsoft-windows-sk4-dll-load-success-4610 |
+| json-4611 | microsoft-evsecurity-json-endpoint-notification-4611 |
+| json-4614 | microsoft-evsecurity-sk4-dll-load-success-4614 |
+| json-4622 | microsoft-evsecurity-sk4-service-create-success-4622 |
+| json-4622-1 | microsoft-evsecurity-json-service-create-success-4622 |
+| json-4624 | microsoft-evsecurity-json-endpoint-login-success-4624 |
+| json-4624-1 | microsoft-evsecurity-json-endpoint-login-success-4624-4 |
+| json-4624-2 | microsoft-evsecurity-json-endpoint-login-success-4624-2 |
+| json-4625 | microsoft-evsecurity-json-endpoint-login-fail-4625 |
+| json-4625-1 | microsoft-evsecurity-json-endpoint-login-fail-4625-3 |
+| json-4625-2 | microsoft-evsecurity-json-endpoint-login-fail-4625-2 |
+| json-4627 | microsoft-evsecurity-json-endpoint-notification-4627 |
+| json-4634 | microsoft-evsecurity-json-endpoint-logout-4634 |
+| json-4634-1 | microsoft-evsecurity-json-endpoint-logout-success-4634 |
+| json-4634-2 | microsoft-evsecurity-json-endpoint-logout-success-4634-1 |
+| json-4634-3 | microsoft-evsecurity-sk4-endpoint-logout-success-anaccountwasloggedoff-1 |
+| json-4634-4 | microsoft-evsecurity-json-endpoint-logout-4634-2 |
+| json-4647-1 | microsoft-evsecurity-json-endpoint-endpoint-logout-success-userinitiatedlogoff |
+| json-4647-2 | microsoft-evsecurity-json-endpoint-logout-4647 |
+| json-4648 | microsoft-evsecurity-json-user-switch-success-4648 |
+| json-4648-1 | microsoft-evsecurity-json-endpoint-login-success-4648 |
+| json-4648-2 | microsoft-evsecurity-json-endpoint-login-success-4648-2 |
+| json-4653 | microsoft-evsecurity-json-network-session-fail-4653 |
+| json-4656 | microsoft-evsecurity-cef-handle-request-success-4656 |
+| json-4656-1 | microsoft-evsecurity-json-handle-request-4656 |
+| json-4659 | microsoft-evsecurity-json-handle-request-success-4659 |
+| json-4660 | microsoft-evsecurity-json-endpoint-activity-4660 |
+| json-4662 | microsoft-evsecurity-json-ds-object-activity-success-4662 |
+| json-4662-1 | microsoft-evsecurity-json-ds-object-activity-success-4662-1 |
+| json-4670 | microsoft-evsecurity-json-file-permission-modify-4670 |
+| json-4670-1 | microsoft-evsecurity-json-file-permission-modify-4670-2 |
+| json-4670-2 | microsoft-evsecurity-json-file-permission-modify-4670-1 |
+| json-4672 | microsoft-evsecurity-json-user-privilege-assign-success-4672 |
+| json-4672-1 | microsoft-evsecurity-sk4-user-privilege-assign-success-4672 |
+| json-4672-2 | microsoft-evsecurity-sk4-user-privilege-use-success-4672 |
+| json-4673 | microsoft-evsecurity-json-user-privilege-assign-success-4673 |
+| json-4673-1 | microsoft-evsecurity-sk4-user-privilege-assign-success-4673 |
+| json-4673-2 | microsoft-evsecurity-json-user-privilege-assign-success-4673-1 |
+| json-4674 | microsoft-evsecurity-json-user-privilege-use-success-4674 |
+| json-4690 | microsoft-evsecurity-json-handle-copy-4690 |
+| json-4698 | microsoft-evsecurity-json-scheduled-task-create-success-4698 |
+| json-4702 | microsoft-evsecurity-json-scheduled-task-modify-4702 |
+| json-4719 | microsoft-evsecurity-json-audit-policy-modify-success-4719 |
+| json-4720 | microsoft-evsecurity-json-user-create-success-4720-4 |
+| json-4720-1 | microsoft-evsecurity-json-user-create-success-4720-2 |
+| json-4722 | microsoft-evsecurity-json-user-enable-success-4722-2 |
+| json-4723 | microsoft-evsecurity-json-user-password-modify-4723 |
+| json-4723-1 | microsoft-evsecurity-sk4-user-password-modify-4723 |
+| json-4723-2 | microsoft-evsecurity-json-user-password-modify-4723-2 |
+| json-4724 | microsoft-evsecurity-json-user-password-reset-success-4724-3 |
+| json-4724-1 | microsoft-evsecurity-json-user-password-reset-success-4724-2 |
+| json-4724-2 | microsoft-evsecurity-sk4-user-password-reset-success-4724 |
+| json-4725 | microsoft-evsecurity-json-user-disable-success-4725-1 |
+| json-4726 | microsoft-evsecurity-json-user-delete-success-4726 |
+| json-4728 | microsoft-evsecurity-json-group-member-add-success-4728 |
+| json-4729 | microsoft-evsecurity-json-group-member-remove-success-4729 |
+| json-4737 | microsoft-evsecurity-json-group-modify-success-4737 |
+| json-4738 | microsoft-evsecurity-json-ds-object-modify-success-4738 |
+| json-4738-1 | microsoft-evsecurity-sk4-ds-object-modify-success-4738 |
+| json-4740 | microsoft-evsecurity-json-user-delete-fail-instanceid |
+| json-4740-1 | microsoft-windows-json-user-lock-success-4740-2 |
+| json-4755 | microsoft-evsecurity-json-group-modify-success-4755 |
+| json-4767 | microsoft-evsecurity-json-user-unlock-success-4767-2 |
+| json-4768 | microsoft-evsecurity-json-endpoint-login-4768 |
+| json-4768-1 | microsoft-evsecurity-json-endpoint-4768-3 |
+| json-4768-2 | microsoft-evsecurity-json-endpoint-login-4768-3 |
+| json-4768-3 | microsoft-evsecurity-json-endpoint-login-4768-2 |
+| json-4769 | microsoft-evsecurity-json-endpoint-login-4769 |
+| json-4769-1 | microsoft-evsecurity-json-endpoint-authentication-sucess-4769-2 |
+| json-4769-2 | microsoft-evsecurity-json-endpoint-login-4769-1 |
+| json-4770 | microsoft-evsecurity-json-endpoint-login-success-4770 |
+| json-4771 | microsoft-evsecurity-json-endpoint-login-fail-4771 |
+| json-4776 | microsoft-evsecurity-json-endpoint-login-4776 |
+| json-4776-1 | microsoft-evsecurity-json-endpoint-login-4776-4 |
+| json-4776-2 | microsoft-evsecurity-json-endpoint-login-4776-3 |
+| json-4778 | microsoft-evsecurity-json-rdp-traffic-success-4778 |
+| json-4779 | microsoft-evsecurity-json-endpoint-logout-success-4779 |
+| json-4797 | microsoft-windows-sk4-endpoint-notification-success-4797 |
+| json-4798 | microsoft-windows-sk4-group-list-success-4798 |
+| json-4799 | microsoft-evsecurity-json-group-member-list-4799 |
+| json-4799-1 | microsoft-evsecurity-sk4-group-member-list-success-4799 |
+| json-4800 | microsoft-evsecurity-json-endpoint-lock-success-4800 |
+| json-4800-1 | microsoft-evsecurity-sk4-endpoint-lock-success-4800 |
+| json-4826 | microsoft-windows-sk4-configuration-load-success-4826 |
+| json-4902 | microsoft-windows-sk4-endpoint-notification-success-4902 |
+| json-4904 | microsoft-evsecurity-sk4-audit-policy-modify-4904 |
+| json-4905 | microsoft-evsecurity-sk4-audit-policy-modify-4905 |
+| json-4907 | microsoft-evsecurity-sk4-audit-policy-modify-success-4907 |
+| json-4907-1 | microsoft-evsecurity-json-audit-policy-modify-4907 |
+| json-4985 | microsoft-evsecurity-json-endpoint-notification-4985 |
+| json-500 | microsoft-windows-sk4-app-notification-success-500 |
+| json-501 | microsoft-windows-sk4-app-notification-success-501 |
+| json-5058 | microsoft-evsecurity-json-file-5058 |
+| json-5058-1 | microsoft-evsecurity-json-file-5058-1 |
+| json-5061 | microsoft-evsecurity-json-key-5061 |
+| json-5061-1 | microsoft-evsecurity-sk4-key-5061 |
+| json-5136 | microsoft-evsecurity-json-ds-object-modify-success-5136 |
+| json-5136-1 | microsoft-evsecurity-sk4-ds-object-modify-success-5136 |
+| json-5140 | microsoft-evsecurity-json-share-access-success-5140 |
+| json-5140-1 | microsoft-evsecurity-sk4-share-access-success-5140-1 |
+| json-5140-2 | microsoft-evsecurity-json-share-access-success-5140-3 |
+| json-5145 | microsoft-evsecurity-json-share-access-5145-1 |
+| json-5145-1 | microsoft-evsecurity-sk4-share-access-success-5145 |
+| json-5145-2 | microsoft-evsecurity-json-share-access-success-5145 |
+| json-5156 | microsoft-evsecurity-json-network-session-success-5156-2 |
+| json-5156-1 | microsoft-evsecurity-json-network-session-success-5156-1 |
+| json-5158 | microsoft-evsecurity-json-network-session-success-5158 |
+| json-5186 | microsoft-evsystem-json-process-close-5186 |
+| json-5447 | microsoft-evsecurity-json-policy-modify-5447 |
+| json-5478 | microsoft-evsecurity-json-service-create-success-5478 |
+| json-6272 | microsoft-evnps-sk4-endpoint-authentication-success-6272 |
+| json-6272-1 | microsoft-evnps-sk4-endpoint-authentication-success-6272-1 |
+| json-6273 | microsoft-nps-sk4-endpoint-authentication-fail-6273 |
+| json-6416 | microsoft-evsecurity-sk4-peripheral_storage-insert-success-6416 |
+| json-8001 | microsoft-windows-sk4-app-notification-success-8001 |
+| json-alertlogic-network-alert | alertlogic-al-json-alert-trigger-success-ids |
+| json-auditd-account-switch | unix-unix-json-user-switch-success-userstart |
+| json-auditd-process-creation | unix-unix-json-process-create-auditd |
+| json-azure-ad-security-alert | microsoft-azureadip-mix-alert-trigger-success-unfamiliarlocation |
+| json-azure-ad-security-alert-1 | microsoft-azureadip-json-alert-trigger-success-impossibletravel |
+| json-bluecoat-proxy-web-activity | symantec-wss-json-http-session-actioncf |
+| json-bro-certs-analyzer | zeek-z-json-network-notification-certificate |
+| json-bro-dce_rpc | zeek-z-json-endpoint-login-success-operation |
+| json-bro-dhcp | zeek-z-json-dhcp-traffic-success-uids |
+| json-bro-dhcp-2 | zeek-z-json-endpoint-login-success-clientaddr |
+| json-bro-dns-query | zeek-z-json-dns-request-success-uid |
+| json-bro-dns-query-2 | zeek-z-json-dns-request-success-dnsrequest |
+| json-bro-email-in | zeek-z-json-email-receive-success-smtp |
+| json-bro-files-analysis | zeek-z-json-file-read-success-fileslog |
+| json-bro-files-analysis-2 | zeek-z-json-file-read-success-txhosts |
+| json-bro-kerberos | zeek-z-json-endpoint-authentication-success-kerberos |
+| json-bro-notice | zeek-zeek-json-network-notification-actionlog |
+| json-bro-ntlm | zeek-z-json-endpoint-login-success-ntlmlog |
+| json-bro-smb_mapping | zeek-z-json-network-traffic-mapping |
+| json-bro-snmp | zeek-z-json-network-traffic-getresponses |
+| json-bro-ssl | zeek-z-json-app-authentication-success-ssllogs |
+| json-bro-ssl-failed | zeek-z-json-endpoint-login-fail-note |
+| json-bro-ssl-failed-2 | zeek-z-json-endpoint-login-fail-resumed |
+| json-bro-tls | zeek-z-json-endpoint-login-success-tls |
+| json-bro-web-activity | zeek-z-json-http-session-status |
+| json-bro-weird | zeek-z-json-alert-trigger-success-weirdlog |
+| json-bro-weird-2 | zeek-z-json-network-traffic-name |
+| json-bro-x509 | zeek-zeek-json-certificate-exchange-certificate |
+| json-carbonblack-device-control-security-alert | vmware-carbonblack-sk4-alert-trigger-success-devicecontrol |
+| json-carbonblack-edr-fileless-scriptload | vmware-carbonblackceedr-json-process-create-success-fileless |
+| json-carbonblack-edr-moduleload | vmware-carbonblackedr-json-dll-load-success-edr |
+| json-carbonblack-edr-moduleload-1 | vmware-carbonblackedr-sk4-dll-load-success-ngav |
+| json-carbonblack-edr-netconn | vmware-carbonblackedr-json-network-traffic-success-edr |
+| json-carbonblack-edr-scriptload | vmware-carbonblackceedr-json-process-create-success-scriptload |
+| json-carbonblack-ngav-apicall | vmware-carbonblackedr-json-endpoint-activity-success-epapicall |
+| json-carbonblack-ngav-crossproc | vmware-carbonblack-json-process-create-success-crossproc |
+| json-carbonblack-ngav-filemod | vmware-carbonblack-json-file-write-success-filemod |
+| json-carbonblack-ngav-netconn | vmware-carbonblack-json-network-traffic-success-ngav |
+| json-carbonblack-ngav-procstart | vmware-carbonblack-json-process-create-success-procstart |
+| json-carbonblack-ngav-regmod | vmware-carbonblack-json-registry-create-success-ngav |
+| json-ccure-badge-access | tyco-ccure-json-physical-location-access-fail-doorname |
+| json-ccure-badge-access-2 | tyco-ccure-json-physical-location-access-success-user |
+| json-checkpoint-system-info | checkpoint-am-kv-app-activity-antimalware-1 |
+| json-cisco-cloudlock-dlp | cisco-cloudlock-json-alert-trigger-success-entityowneremail |
+| json-cisco-firesight-alert-1 | cisco-fp-json-alert-trigger-success-malwareeventtype |
+| json-cisco-netflow-connection | cisco-netflow-json-network-traffic-success-90 |
+| json-cisco-netflow-connection-1 | cisco-netflow-kv-network-traffic-success-networkflow |
+| json-cyberark-app-activity | cyberark-epm-json-file-property-modify-filechangeevent |
+| json-cyberark-app-activity-1 | cyberark-epm-json-app-activity-success-policyauditevent |
+| json-cyberark-app-activity-2 | cyberark-epm-json-app-activity-success-zerotouchevent |
+| json-cyberark-privileged-object-access | cyberark-epm-json-user-privilege-use-success-setname |
+| json-cybereason-security-alert | cybereason-cr-json-alert-trigger-success-affectedusers |
+| json-defender-alert-evidence | microsoft-365defender-json-alert-trigger-success-publish |
+| json-defender-alert-info | microsoft-365defender-json-alert-trigger-success-publish-1 |
+| json-defender-atp-alert | microsoft-defenderep-json-alert-trigger-success-devicealertevents |
+| json-defender-email-attachment-info | microsoft-o365-json-email-send-fail-advancedhunting |
+| json-defender-email-events | microsoft-o365-json-email-send-fail-publish |
+| json-dell-file-operations | dell-emcisilon-json-file-write-success-create |
+| json-duo-auth-attempt | cisco-duo-json-endpoint-authentication-authfailed |
+| json-email-saas-o365-alert | microsoft-o365-json-email-send-success-messagetrace |
+| json-exchange-dlp-email-in | microsoft-exchange-json-email-receive-incoming |
+| json-exchange-dlp-email-out | microsoft-exchange-json-email-send-originating |
+| json-exchange-email | microsoft-exchange-json-email-success-5290 |
+| json-exchange-scanmail-alert | trendmicro-scanmail-json-alert-trigger-success-wineventlog |
+| json-eyeinspect-failed-logon | forescout-eyeinspect-json-endpoint-login-fail-failedlogin |
+| json-eyeinspect-logout | forescout-eyeinspect-json-app-logout-success-clientip |
+| json-f5-auth-attempt | f5-apm-json-endpoint-login-0149 |
+| json-fireeye-alert-endpoint | fireeye-nshelix-json-alert-trigger-success-rule |
+| json-fireeye-alert-network | fireeye-nshelix-json-alert-trigger-success-fireeyerule |
+| json-github-app-activity | github-g-json-app-activity-success-namespaceid |
+| json-hmail-email-alert | hmail-hmailserver-json-app-activity-winhmailserver |
+| json-iptables-network-connection | iptables-fw-json-network-traffic-fwiptable |
+| json-irondefense-network-alert | ironnet-id-json-alert-trigger-success-irondefense |
+| json-lenel-badge-access | lenel-og-json-physical-location-access-badgeid |
+| json-malwarebytes-web-activity-denied | malwarebytes-ep-sk4-http-session-fail-blocked |
+| json-mcafee-epo-alert | mcafee-es-json-alert-trigger-success-threatcategory |
+| json-mcafee-epo-alert-1 | mcafee-es-json-alert-trigger-success-avdetect |
+| json-mcafee-epo-alert-2 | mcafee-es-sk4-alert-trigger-success-analyzername |
+| json-member-added-2008 | microsoft-evsecurity-json-group-member-add-success-memberadded |
+| json-member-removed | microsoft-evsecurity-json-group-member-remove-memberremoved |
+| json-microsoft-app-activity-1 | microsoft-o365-sk4-app-file-success-group |
+| json-microsoft-app-activity-10 | microsoft-o365-sk4-app-file-success-userdelete |
+| json-microsoft-app-activity-11 | microsoft-o365-sk4-app-file-success-userrestore |
+| json-microsoft-app-activity-12 | microsoft-o365-sk4-app-file-success-userupdate |
+| json-microsoft-app-activity-17 | microsoft-o365-sk4-file-write-success-filemodified |
+| json-microsoft-app-activity-19 | microsoft-o365-sk4-file-delete-success-filedeleted |
+| json-microsoft-app-activity-2 | microsoft-o365-sk4-app-file-success-groupadd |
+| json-microsoft-app-activity-31 | microsoft-o365-sk4-app-file-success-deviceupdate |
+| json-microsoft-app-activity-32 | microsoft-o365-json-app-activity-success-labelupdated |
+| json-microsoft-app-activity-5 | microsoft-o365-sk4-app-file-success-groupunassign |
+| json-microsoft-app-activity-6 | microsoft-o365-sk4-app-file-success-groupupdate |
+| json-microsoft-app-activity-8 | microsoft-o365-sk4-file-download-success-group |
+| json-microsoft-app-activity-9 | microsoft-o365-sk4-app-file-success-useradd |
+| json-microsoft-dns-query | microsoft-evdnsserver-json-dns-request-success-qname |
+| json-microsoft-mcas-anomaly | microsoft-mcas-json-alert-trigger-success-anomalydetection |
+| json-microsoft-mcas-anubis | microsoft-mcas-json-alert-trigger-success-alertanubisdetection |
+| json-microsoft-mcas-cabinet | microsoft-mcas-json-alert-trigger-success-alertcabinet |
+| json-microsoft-o365-alert | microsoft-m365auditlogs-json-alert-trigger-supervision |
+| json-microsoft-o365-alert-1 | microsoft-m365auditlogs-json-alert-trigger-threatmanagement |
+| json-microsoft-o365-alert-10 | microsoft-azureadip-json-alert-trigger-success-infecteddevicelogin |
+| json-microsoft-o365-alert-11 | microsoft-defenderep-json-alert-trigger-success-initialaccess-1 |
+| json-microsoft-o365-alert-12 | microsoft-mcas-json-alert-trigger-success-alertanubisdetectionnewcountry |
+| json-microsoft-o365-alert-13 | microsoft-mcas-json-alert-trigger-success-failedloginattempt |
+| json-microsoft-o365-alert-14 | microsoft-mcas-json-alert-trigger-success-riskyipanonymous |
+| json-microsoft-o365-alert-15 | microsoft-mcas-json-alert-trigger-success-emaildetection |
+| json-microsoft-o365-alert-16 | microsoft-mcas-json-alert-trigger-success-cabinetapppermission |
+| json-microsoft-o365-alert-17 | microsoft-mcas-json-alert-trigger-success-managementgeneric |
+| json-microsoft-o365-alert-18 | microsoft-defenderep-json-alert-trigger-success-suspactivity |
+| json-microsoft-o365-alert-19 | microsoft-defenderep-mix-alert-trigger-success-unwantedsoftware |
+| json-microsoft-o365-alert-2 | microsoft-azureadip-json-alert-trigger-success-anonymouslogin |
+| json-microsoft-o365-alert-20 | microsoft-azureadip-json-alert-trigger-success-leakedcredentials |
+| json-microsoft-o365-alert-21 | microsoft-m365auditlogs-json-app-notification-mailflow |
+| json-microsoft-o365-alert-22 | microsoft-m365auditlogs-json-alert-trigger-datalossprevention |
+| json-microsoft-o365-alert-23 | microsoft-m365auditlogs-json-alert-trigger-accessgovernance |
+| json-microsoft-o365-alert-24 | microsoft-o365-sk4-alert-trigger-threatmanagement |
+| json-microsoft-o365-alert-25 | microsoft-m365auditlogs-sk4-alert-trigger-accessgovernance |
+| json-microsoft-o365-alert-26 | microsoft-365defender-sk4-alert-trigger-success-execution |
+| json-microsoft-o365-alert-3 | microsoft-defenderep-json-alert-trigger-success-commandandcontrol |
+| json-microsoft-o365-alert-4 | microsoft-defenderep-json-alert-trigger-success-credentialaccess |
+| json-microsoft-o365-alert-5 | microsoft-defenderep-mix-alert-trigger-success-credentialaccess |
+| json-microsoft-o365-alert-6 | microsoft-defenderep-json-alert-trigger-success-defenseevasion |
+| json-microsoft-o365-alert-7 | microsoft-defenderep-json-alert-trigger-success-defenseevasion-1 |
+| json-microsoft-o365-alert-8 | microsoft-defenderep-json-alert-trigger-success-execution |
+| json-microsoft-o365-alert-9 | microsoft-defenderep-json-alert-trigger-success-impact |
+| json-microsoft-o365-file-alert | microsoft-m365auditlogs-json-alert-trigger-datagovernance |
+| json-microsoft-o365-file-alert-1 | microsoft-m365auditlogs-sk4-alert-trigger-datagovernance |
+| json-microsoft-scep-epp-alert | microsoft-defenderep-json-alert-trigger-success-trojanprocess |
+| json-mwg-web-activity | mcafee-wg-json-http-session-amwprobability |
+| json-netskope-app-activity-17 | netskope-sc-json-app-activity-success-upload |
+| json-netskope-app-activity-18 | netskope-sc-json-app-activity-success-share |
+| json-netskope-app-login | netskope-sc-json-app-login-success-loginsuccessful |
+| json-netskope-failed-app-login | netskope-sc-json-app-login-fail-loginfailed |
+| json-o365-activity-2 | microsoft-m365auditlogs-json-app-activity-appactivity |
+| json-o365-activity-3 | microsoft-o365-sk4-file-app-userkey |
+| json-o365-app-login | microsoft-o365-sk4-app-login-success-loggedin |
+| json-o365-dlp-email | "microsoft-o365-json-email-send-receive-subject |
+| json-o365-failed-app-login | microsoft-o365-sk4-app-login-fail-appdisplayname |
+| json-o365-file-write-7 | microsoft-o365-sk4-file-write-success-fileuploaded |
+| json-okta-account-lockout | okta-amfa-json-user-lock-success-lockedout |
+| json-okta-app-login | okta-amfa-cef-app-login-success-appadloginsuccess |
+| json-okta-app-login-1 | okta-amfa-cef-app-login-success-coreuserauthloginsuccess |
+| json-okta-authentication-failed-3 | okta-amfg-cef-endpoint-login-fail-auth |
+| json-okta-authentication-failed-4 | okta-amfg-cef-endpoint-login-fail-invalidtoken |
+| json-okta-authentication-failed-5 | okta-amfg-cef-endpoint-login-fail-attemptfail |
+| json-okta-authentication-success | okta-amfg-cef-endpoint-login-success-attemptsuccess |
+| json-okta-failed-app-login-1 | okta-amfa-json-app-login-fail-signinfailed |
+| json-okta-failed-app-login-2 | okta-amfa-json-app-login-fail-factor |
+| json-okta-failed-app-login-3 | okta-amfa-json-app-login-fail-policy |
+| json-okta-failed-app-login-4 | okta-amfa-cef-app-login-fail-appadloginbadpassword |
+| json-okta-failed-app-login-5 | okta-amfa-cef-app-login-fail-apprichclientloginfailure |
+| json-okta-failed-app-login-6 | okta-amfa-cef-app-login-fail-coreuserauthloginfailed |
+| json-okta-member-added | okta-amfa-json-group-member-add-success-active |
+| json-okta-security-alert | okta-amfa-cef-alert-trigger-success-threatdetected |
+| json-okta-system-info | okta-amfa-json-user-password-forget-recovery |
+| json-okta-system-info-1 | okta-amfa-json-user-password-expire-provider |
+| json-paloalto-firewall-traffic-drop | pan-ngfw-json-network-traffic-fail-deny-1 |
+| json-paloalto-ngfw-network-connection | pan-ngfw-json-network-traffic-start |
+| json-pan-file-alert | pan-ngfw-json-alert-trigger-success-file |
+| json-pan-system-general | pan-ngfw-json-app-activity-success-subtype |
+| json-pan-system-hipmatch | pan-ngfw-json-alert-trigger-success-hipmatch |
+| json-pan-system-userid | pan-ngfw-json-app-notification-success-userid |
+| json-pan-system-vpn | pan-ngfw-json-vpn-authentication-success-subtypevpn |
+| json-ping-id-auth-failed | pingidentity-pi-json-app-authentication-fail-triggeredby |
+| json-ping-id-auth-failed-1 | pingidentity-pi-json-app-authentication-fail-applicationmsg |
+| json-ping-id-auth-failed-2 | pingidentity-pi-json-app-authentication-fail-ping |
+| json-prisma-security-alert | pan-prisma-json-alert-trigger-success-prismacloud |
+| json-process-created | microsoft-evsecurity-json-process-create-success-4688 |
+| json-process-created-1 | microsoft-evsecurity-json-process-create-success-4688-1 |
+| json-process-created-2 | microsoft-evsecurity-json-process-create-success-4688-2 |
+| json-s-proofpoint-email-alert-2 | "proofpoint-tap-json-email-receive-fail-threat |
+| json-sentinelone-app-activity | sentinelone-singularityp-json-group-create-success-groupcreation |
+| json-sentinelone-config-change | sentinelone-singularityp-json-dll-load-success-module |
+| json-sentinelone-driver-load | sentinelone-singularityp-json-driver-load-success-driverload |
+| json-sentinelone-process-alert | sentinelone-singularityp-json-alert-trigger-success-behavioralindicators |
+| json-sentinelone-process-created | sentinelone-singularityp-json-process-create-success-processcreation |
+| json-sentinelone-registry-write | sentinelone-singularityp-json-registry-modify-success-valuemodifies |
+| json-sentinelone-registry-write-1 | sentinelone-singularityp-json-registry-create-success-valuecreate |
+| json-sentinelone-registry-write-2 | sentinelone-singularityp-json-registry-create-success-keycreate |
+| json-sentinelone-registry-write-3 | sentinelone-singularityp-json-registry-modify-success-keysecuritychanges |
+| json-sentinelone-security-alert | sentinelone-singularityp-json-alert-trigger-success-processachieved |
+| json-sentinelone-singularityp-alert | sentinelone-singularityp-json-alert-trigger-success-ip |
+| json-sentinelone-singularityp-alert-1 | sentinelone-singularityp-json-alert-trigger-success-dnsresolved |
+| json-sentinelone-singularityp-alert-2 | sentinelone-singularityp-json-alert-trigger-success-indicators |
+| json-sentinelone-singularityp-file | sentinelone-singularityp-json-file-edreventcategory |
+| json-sentinelone-singularityp-process-created-1 | sentinelone-singularityp-json-process-create-success-process |
+| json-sentinelone-singularityp-process-network | sentinelone-singularityp-json-network-session-success-iplisten |
+| json-sentinelone-system-alert | sentinelone-singularityp-json-registry-delete-success-valuedelete |
+| json-sentinelone-system-alert-1 | sentinelone-singularityp-json-registry-delete-success-keydelete |
+| json-sentinelone-system-event | sentinelone-singularityp-json-handle-open-success-openremoteprocesshandle |
+| json-sentinelone-system-event-1 | sentinelone-singularityp-json-handle-copy-success-duplicateprocesshandle |
+| json-sentinelone-system-info | sentinelone-singularityp-json-script-execute-success-commandscript |
+| json-sentinelone-threat-file-delete | sentinelone-singularityp-json-file-delete-success-deletionfile |
+| json-sentinelone-threat-file-write | sentinelone-singularityp-json-file-write-success-filemodify |
+| json-sentinelone-threat-file-write-2 | sentinelone-singularityp-json-file-write-success-filecreation-1 |
+| json-sentinelone-threat-network-connection | sentinelone-singularityp-json-network-traffic-success-ipconnect |
+| json-sybase-db-access | sybase-s-json-database-activity-success-accesstodb |
+| json-sybase-db-access-1 | sybase-s-json-database-activity-success-eventdesc |
+| json-sybase-db-login | sybase-s-json-database-login-success-login |
+| json-sybase-db-logout | sybase-s-json-database-logout-logout |
+| json-sybase-db-query-create | sybase-s-json-database-query-success-createtable |
+| json-sybase-db-query-delete | sybase-s-json-database-query-success-deletetable |
+| json-sybase-db-query-insert | sybase-s-json-database-query-success-inserttable |
+| json-sybase-db-query-select | sybase-s-json-database-query-success-selecttable |
+| json-sybase-db-query-update | sybase-s-json-database-query-success-updatetable |
+| json-sysmon-config-change | microsoft-sysmon-json-driver-load-6 |
+| json-sysmon-file-create | microsoft-sysmon-json-file-write-success-11 |
+| json-sysmon-file-create-1 | microsoft-sysmon-json-file-write-success-2 |
+| json-sysmon-process-created | microsoft-sysmon-json-process-create-success-processcreate |
+| json-sysmon-process-created-1 | microsoft-sysmon-json-process-create-success-createremotethread |
+| json-sysmon-process-network | microsoft-sysmon-json-network-session-success-netconn |
+| json-sysmon-process-terminated | microsoft-sysmon-json-process-close-terminated |
+| json-unix-ssh-login-failed | unix-unix-json-endpoint-login-fail-failed |
+| json-unix-ssh-logout | unix-unix-sk4-endpoint-logout-success-disconnectedbyuser |
+| json-unix-ssh-logout-1 | unix-unix-sk4-endpoint-logout-success-connectionclosed |
+| json-windows-auth | microsoft-windows-json-endpoint-login-authentication |
+| json-windows-dns-query | microsoft-windows-json-dns-request-success-windns |
+| json-windows-dns-response | microsoft-windows-json-dns-response-success-logtype |
+| json-windows-events-catchall | microsoft-evsecurity-json-endpoint-activity-auditing |
+| json-windows-events-netlogon | "microsoft-evsystem-xml-endpoint-login-fail-5805 |
+| json-windows-heartbeat-system-info | microsoft-windows-sk4-app-notification-success-heartbeat |
+| json-windows-system-event | microsoft-evsecurity-sk4-endpoint-activity-success-microsoftwindowssecurityauditing |
+| json-windows-vpn-login | microsoft-windows-json-vpn-login-virtualserver |
+| json-xml-4658 | "microsoft-evsecurity-mix-handle-close-4658 |
+| json-xml-4673 | microsoft-evsecurity-json-user-privilege-use-success-4673 |
+| json-xml-4717 | "microsoft-evsecurity-cef-user-modify-4717 |
+| json-xml-4718 | "microsoft-evsecurity-cef-user-permission-modify-4718 |
+| json-xml-4735 | "microsoft-evsecurity-xml-group-modify-success-4735-2 |
+| json-xml-4768 | "microsoft-evsecurity-xml-endpoint-4768 |
+| json-xml-4769 | microsoft-evsecurity-mix-endpoint-login-4769-2 |
+| json-xml-4770 | microsoft-evsecurity-mix-endpoint-login-4770-1 |
+| json-xml-4771 | "microsoft-evsecurity-xml-endpoint-login-fail-4771-1 |
+| json-xml-4798 | "microsoft-evsecurity-xml-group-list-4798-2 |
+| json-xml-4799 | "microsoft-evsecurity-xml-group-member-list-4799 |
+| json-xml-4904 | "microsoft-evsecurity-xml-audit-policy-modify-4904-1 |
+| json-xml-4905 | "microsoft-evsecurity-xml-audit-policy-modify-4905-1 |
+| json-xml-5058 | "microsoft-evsecurity-mix-file-5058 |
+| json-xml-5058-1 | "microsoft-evsecurity-cef-file-5058 |
+| json-xml-5059 | "microsoft-evsecurity-mix-key-migrate-5059-1 |
+| json-xml-5059-1 | "microsoft-evsecurity-mix-key-migrate-5059 |
+| json-xml-5061 | "microsoft-evsecurity-mix-key-5061 |
+| json-xml-5061-1 | "microsoft-evsecurity-cef-key-5061 |
+| json-xml-5140 | "microsoft-evsecurity-json-share-access-success-5140-2 |
+| json-xml-5141 | microsoft-evsecurity-xml-ds-object-delete-success-5141-1 |
+| json-xml-5152 | "microsoft-evsecurity-mix-network-traffic-fail-5152-1 |
+| json-xml-5156 | "microsoft-evsecurity-xml-network-session-success-5156-1 |
+| json-xml-5157 | "microsoft-evsecurity-xml-network-session-fail-5157-1 |
+| json-xml-5158 | "microsoft-evsecurity-xml-network-session-success-5158-1 |
+| json-xml-8002 | "microsoft-evapplocker-cef-endpoint-notification-8002 |
+| json-zeek-app-activity | zeek-zeek-json-app-notification-software |
+| json-zeek-kerberos | zeek-z-json-endpoint-login-zeek_kerberos |
+| json-zeek-known-services | zeek-z-json-network-notification-knownservices |
+| json-zeek-network-connection | zeek-z-json-network-traffic-success-pathsnmp |
+| json-zeek-network-connection-1 | zeek-z-json-network-traffic-success-http |
+| json-zeek-network-connection-2 | zeek-z-json-network-traffic-success-dpd |
+| json-zeek-network-info | zeek-zeek-json-network-notification-dnstunnels |
+| json-zeek-notice | zeek-z-json-alert-trigger-notice |
+| json-zeek-ntp | zeek-z-json-network-traffic-ntp |
+| json-zeek-sip | zeek-z-json-network-traffic-sip |
+| json-zeek-snmp | zeek-z-json-network-traffic-snmp |
+| json-zeek-x509 | zeek-z-json-network-notification-x509 |
+| json-zeek_dce_rpc | zeek-z-json-endpoint-login-success-endpointlogin |
+| json-zeek_dhcp | zeek-z-json-endpoint-login-success-discover |
+| json-zeek_dns | zeek-z-json-dns-request-success-zeekdns |
+| json-zeek_files | zeek-z-json-file-read-success-analyzers |
+| json-zeek_http | zeek-z-json-http-session-zeekhttp |
+| json-zeek_ntlm | zeek-z-json-endpoint-login-success-resp |
+| json-zeek_ssl | zeek-z-json-app-authentication-success-zeekssl |
+| json-zeek_weird | zeek-z-json-alert-trigger-success-ip |
+| jsonar-database-login | jsonar-sonarg-json-database-login-success-sonarw |
+| jsonar-database-login-1 | jsonar-sonarg-leef-database-login-success-logout |
+| jun-flow-mcast-rpf-fail | juniper-srx-kv-network-notification-flowmcastrpffail |
+| jun-network-connection | juniper-srx-kv-network-session-netscreen |
+| jun-rt-alg-ntc-fsm-drop | juniper-srx-kv-network-notification-rtalgntcfsmdrop |
+| jun-rt-alg-ntc-parse-err | juniper-srx-kv-app-notification-rtalgntcparseerr |
+| jun-rt-alg-wrn-cfg-need | juniper-srx-kv-app-notification-rtalgwrncfgneed |
+| jun-system-info | juniper-srx-str-app-activity-netscreen-1 |
+| jun-ui-login-event | juniper-srx-kv-endpoint-login-success-uiloginevent |
+| juniper-access-control | "juniper-ps-str-vpn-login-success-login-1 |
+| juniper-auth-failed | juniper-jn-kv-endpoint-authentication-fail-authfailure |
+| juniper-commit-events | juniper-jn-str-configuration-modify-success-mgd |
+| juniper-failed-login | juniper-jn-kv-app-login-fail-sshdloginfailed |
+| juniper-firewall-auth-successful | juniper-srx-str-app-authentication-success-authsuccessfor |
+| juniper-firewall-auth-successful-1 | juniper-srx-str-app-login-success-loggedon |
+| juniper-firewall-logout | juniper-srx-str-app-logout-success-logout |
+| juniper-firewall-network-connection-close | juniper-jn-kv-network-close-rtflowsessionclose |
+| juniper-firewall-network-connection-close-1 | juniper-srx-str-network-session-fail-sessionclosed |
+| juniper-firewall-network-connection-create | juniper-srx-kv-network-session-success-sessioncreate |
+| juniper-firewall-network-connection-create-2 | juniper-srx-str-network-session-success-sessioncreate |
+| juniper-firewall-network-connection-deny | juniper-srx-kv-network-session-fail-sessiondeny |
+| juniper-firewall-network-connection-deny-2 | juniper-srx-str-network-session-fail-sessiondeny |
+| juniper-firewall-network-connection-failed | juniper-srx-kv-network-traffic-fail-actiondeny |
+| juniper-firewall-network-connection-successful | juniper-srx-kv-network-traffic-success-actionpermit |
+| juniper-firewall-session-creation | juniper-srx-str-network-traffic-success-sessioncreated |
+| juniper-firewall-system-info | juniper-srx-str-app-activity-netscreen |
+| juniper-network-alert-1 | juniper-jn-kv-alert-trigger-success-idpattacklogevent |
+| juniper-network-alert-2 | juniper-srx-cef-alert-trigger-success-inpolicy |
+| juniper-network-connection | juniper-jn-kv-network-session-success-connection |
+| juniper-network-connection-1 | juniper-jn-sk4-network-start-success-rtflowsessioncreate |
+| juniper-network-connection-2 | juniper-jn-sk4-network-close-success-rtflowsessionclose |
+| juniper-network-connection-3 | juniper-jn-sk4-network-session-fail-rtflowsessiondeny |
+| juniper-network-vpn-connection | juniper-ps-str-vpn-authentication-unauthenticatedrequest |
+| juniper-nwc-vpn-end | juniper-ps-kv-vpn-logout-success-juniper |
+| juniper-nwc-vpn-start | juniper-ps-kv-vpn-login-success-23464 |
+| juniper-owa | juniper-ps-kv-app-login-success-loginsuccess |
+| juniper-process-created-1 | juniper-jn-str-process-create-success-user |
+| juniper-process-created-2 | juniper-jn-str-process-create-success-client |
+| juniper-security-alert | juniper-srx-kv-alert-trigger-success-avvirusdetected |
+| juniper-vpn-close | "juniper-ps-kv-vpn-logout-success-closed |
+| juniper-web-activity-1 | juniper-ps-str-http-session-success-request-1 |
+| juniper-web-activity-2 | juniper-ps-str-http-session-success-request |
+| juniper-web-activity-3 | juniper-ps-str-http-session-success-request-2 |
+| junos-ids-network-connection | juniper-srx-kv-app-activity-drop |
\ No newline at end of file
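Review bot: Many rows in this hunk carry a stray leading double quote in the New Parser Name column (e.g. `| json-o365-dlp-email | "microsoft-o365-json-email-send-receive-subject |`, `| json-xml-4658 | "microsoft-evsecurity-mix-handle-close-4658 |`, `| juniper-access-control | "juniper-ps-str-vpn-login-success-login-1 |`), which looks like CSV-export residue; anyone looking up the new parser by that string will miss it, so the quotes should be stripped before merge. Two mappings deserve a second look: `json-4740` maps to `microsoft-evsecurity-json-user-delete-fail-instanceid` while `json-4740-1` maps to `microsoft-windows-json-user-lock-success-4740-2` for the same event ID, and `jsonar-database-login-1` maps to a name ending in `-login-success-logout`. `microsoft-evsecurity-json-endpoint-authentication-sucess-4769-2` spells "success" as "sucess"; confirm that this is the registered parser name rather than a transcription error, because a silently corrected spelling here would point at a parser that does not exist. The file also ends without a trailing newline.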
diff --git a/ParsersLegacy/k_parsers.md b/ParsersLegacy/k_parsers.md
new file mode 100644
index 0000000..644bf1a
--- /dev/null
+++ b/ParsersLegacy/k_parsers.md
@@ -0,0 +1,26 @@
+| Old Parser Name | New Parser Name |
+| ---------------------------- | --------------------------------------------------------------------------- |
+| kaspersky-es-alert-1 | kaspersky-endpointsecurity-kv-alert-trigger-success-kes |
+| kaspersky-es-alert-2 | kaspersky-endpointsecurity-kv-alert-trigger-success-wsee |
+| kaspersky-network-alert | kaspersky-endpointsecurity-kv-alert-trigger-success-networkthreatprotection |
+| kaspersky-system-event | kaspersky-endpointsecurity-kv-app-activity-success-notification |
+| kaspersky-system-info | kaspersky-endpointsecurity-cef-app-activity-success-agt |
+| kaspersky-usb-activity-1 | kaspersky-endpointsecurity-kv-peripheral-storage-insert-success-kes |
+| kaspersky-usb-activity-2 | kaspersky-endpointsecurity-kv-peripheral-storage-insert-success-kes-1 |
+| kemp-lb-failed-login | kemp-loadmaster-str-app-authentication-fail-loginfailed |
+| kemp-lb-logout | kemp-loadmaster-str-app-logout-success-loggedout |
+| kemp-lb-remote-login | kemp-loadmaster-str-endpoint-login-success-loggedin |
+| kemp-lb-system-info | kemp-loadmaster-str-app-notification-automatedbackup |
+| kemp-lb-system-info-1 | kemp-loadmaster-str-app-notification-disabled |
+| kemp-lb-system-info-2 | kemp-loadmaster-str-app-activity-l4d |
+| kemp-lb-system-info-3 | kemp-loadmaster-str-app-notification-smtpalertsuccessfullysent |
+| kerberos-as | unix-unix-str-endpoint-login-as-req-krb |
+| kerberos-tgs | unix-unix-str-endpoint-login-success-tgs-reg-krb |
+| kiteworks-account-lockout-1 | accellion-kw-kv-user-lock-success-useraccountlocked |
+| kiteworks-account-unlocked-1 | accellion-kw-kv-user-unlock-success-reactivateuser |
+| kiteworks-account-unlocked-2 | accellion-kw-kv-user-unlock-success-useraccountunlocked |
+| kiteworks-app-activity-1 | accellion-kw-kv-group-member-add-adduser |
+| kiteworks-failed-app-login-1 | accellion-kw-kv-app-login-fail-userlogin |
+| kiteworks-logout-1 | accellion-kw-kv-app-logout-success-userloggedout |
+| kiteworks-password-change-1 | accellion-kw-kv-user-password-modify-success-resetpassword |
+| kv-sensormatik-badge-access | sensormatik-s-kv-physical-location-access-cardadmitted |
\ No newline at end of file
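Review bot: `kerberos-tgs` maps to `unix-unix-str-endpoint-login-success-tgs-reg-krb`, where `tgs-reg` looks like a typo for `tgs-req` (the row above uses `as-req`); please verify against the registered parser name before merging, since this table is only useful if the new names resolve exactly. The two Kaspersky USB rows write the activity as `peripheral-storage-insert` with a hyphen, whereas the j table in this same change writes it as `peripheral_storage-insert` with an underscore (`microsoft-evsecurity-sk4-peripheral_storage-insert-success-6416`); one of the two spellings is presumably wrong. The file also lacks a trailing newline.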
diff --git a/ParsersLegacy/l_parsers.md b/ParsersLegacy/l_parsers.md
new file mode 100644
index 0000000..639d11a
--- /dev/null
+++ b/ParsersLegacy/l_parsers.md
@@ -0,0 +1,261 @@
+| Old Parser Name | New Parser Name |
+| ------------------------------------------------- | -------------------------------------------------------------------------------------- |
+| l-4673 | "microsoft-evsecurity-xml-user-privilege-assign-success-4673 |
+| l-4674 | microsoft-evsecurity-cef-user-privilege-use-success-4674-1 |
+| l-4688-v2 | "microsoft-evsecurity-xml-process-create-success-4688-1 |
+| l-4720 | "microsoft-evsecurity-xml-user-create-success-4720-1 |
+| l-4722 | "microsoft-evsecurity-xml-user-enable-success-4722 |
+| l-4723 | microsoft-evsecurity-str-user-password-modify-4723-1 |
+| l-4724 | microsoft-evsecurity-str-user-password-reset-success-4724 |
+| l-4725 | microsoft-evsecurity-json-user-disable-success-4725 |
+| l-4740 | "microsoft-evsecurity-xml-user-lock-success-4740-1 |
+| l-4767 | "microsoft-evsecurity-xml-user-unlock-success-4767-1 |
+| l-aruba-failed-nac-logon | hp-arubacpm-kv-endpoint-authentication-fail-authfailed |
+| l-aruba-nac-logon | hp-arubacpm-kv-endpoint-login-success-authsuccessfull |
+| l-ironport-dlp-email-alert | cisco-ie-kv-email-alert |
+| l-ironport-dlp-email-attachment | cisco-ie-kv-email-attachment |
+| l-ironport-dlp-email-host | cisco-ie-kv-email-response |
+| l-ironport-email-outcome | cisco-ie-csv-email-outcome |
+| l-lenel-badge-access | lenel-og-json-physical-location-access-success-accessgranted |
+| l-lenel-badge-access-1 | lenel-og-json-physical-location-access-fail-accessdenied |
+| l-member-added-2008 | "microsoft-evsecurity-xml-group-member-add-success-47 |
+| l-network-connection | logrhythm-l-csv-network-session-logrhythmdpi |
+| l-oracle-db-logout | oracle-db-kv-database-logout-success-dbuser |
+| l-pan-file-alert | pan-ngfw-csv-alert-trigger-success-file |
+| l-pan-scan-alert | pan-ngfw-csv-alert-trigger-success-scan |
+| l-pan-vulnerability-alert | pan-ngfw-mix-alert-trigger-success-threadvulnerability |
+| l-pan-vulnerability-alert-1 | pan-ngfw-json-alert-trigger-success-vulnerability |
+| l-sysmon-file-create | "microsoft-sysmon-xml-file-write-success-11-1 |
+| l-sysmon-process-created | "microsoft-sysmon-xml-process-create-success-1 |
+| lastline-security-alert-1 | vmware-nsxatp-cef-alert-trigger-success-lastline |
+| lastline-security-alert-2 | vmware-nsxatp-cef-alert-trigger-success-emailattachment |
+| lastline-security-alert-3 | vmware-nsxatp-cef-alert-trigger-success-signaturematch |
+| lastpass-account-creation | lastpass-l-json-user-create-success-createdaccount |
+| lastpass-account-password-change | lastpass-l-json-user-password-modify-success-passwordchanged |
+| lastpass-app-activity | lastpass-l-sk4-app-activity-success-report |
+| lastpass-app-activity-1 | lastpass-l-json-app-activity-success-eventreporting |
+| lastpass-app-login | lastpass-l-sk4-app-login-success-actionlogin |
+| lastpass-app-login-1 | lastpass-l-sk4-app-login-success-adminconsole |
+| lastpass-app-login-2 | lastpass-l-json-app-login-success-eventreporting |
+| lastpass-app-login-failed | lastpass-l-cef-app-login-fail-failedloginattempt |
+| lastpass-app-login-failed-1 | lastpass-l-json-app-login-fail-failedloginattempt |
+| ldap-auth-attempt | sunone-s-kv-endpoint-authentication-bind-1 |
+| leap-access | leap-l-csv-app-activity-success-leapaccess |
+| leap-app-activity | leap-l-str-app-activity-success-leapaccess |
+| leap-app-activity-1 | leap-l-str-app-activity-success-leapaudit |
+| leap-app-activity-2 | leap-l-csv-app-activity-success-tuaccess |
+| leap-app-activity-3 | leap-l-csv-app-activity-success-tuaudit |
+| leap-audit | leap-l-csv-app-activity-success-leapaudit |
+| leef-appsense-process-alert | appsense-am-leef-alert-trigger-success-appsenseapplicationmanager |
+| leef-aruba-app-login | hp-arubacpm-leef-app-login-success-loggedin |
+| leef-aruba-nac-logon | hp-arubacpm-mix-radius-traffic-clearpass |
+| leef-beyondtrust-account-password-change-failed | beyondtrust-bi-leef-user-password-modify-fail-changecancelled |
+| leef-beyondtrust-account-password-change-failed-1 | beyondtrust-bi-leef-user-password-modify-fail-changefailed |
+| leef-beyondtrust-app-activity | beyondtrust-bi-leef-app-activity-success-system |
+| leef-beyondtrust-app-activity-1 | beyondtrust-bi-leef-app-activity-success-turnedoff |
+| leef-beyondtrust-app-activity-10 | beyondtrust-bi-leef-app-activity-success-managed |
+| leef-beyondtrust-app-activity-2 | beyondtrust-bi-leef-app-activity-success-passwordreset |
+| leef-beyondtrust-app-activity-3 | beyondtrust-bi-leef-app-activity-success-releasepasswordreset |
+| leef-beyondtrust-app-activity-4 | beyondtrust-bi-leef-app-activity-success-passwordexpired |
+| leef-beyondtrust-app-activity-5 | beyondtrust-bi-leef-app-activity-success-updated |
+| leef-beyondtrust-app-activity-6 | beyondtrust-bi-leef-app-activity-success-mismatch |
+| leef-beyondtrust-app-activity-7 | beyondtrust-bi-leef-app-activity-success-thesystem |
+| leef-beyondtrust-app-activity-8 | beyondtrust-bi-leef-app-activity-success-passwordchange |
+| leef-beyondtrust-app-activity-9 | beyondtrust-bi-leef-app-activity-success-managedaccount |
+| leef-beyondtrust-app-login | beyondtrust-bi-leef-app-login-success-login |
+| leef-beyondtrust-app-login-1 | beyondtrust-bi-leef-app-login-success-pmmlogin |
+| leef-beyondtrust-failed-app-login | beyondtrust-bi-leef-app-login-fail-loginfailure |
+| leef-beyondtrust-failed-logon | beyondtrust-bi-leef-app-login-fail-connectfailure |
+| leef-beyondtrust-failed-logon-1 | beyondtrust-bi-leef-app-login-fail-failedtologon |
+| leef-bit9-security-alert | vmware-carbonblackedr-leef-alert-trigger-success-securityplatform |
+| leef-broadcom-system-info | broadcom-zos-leef-network-traffic-success-mvsb |
+| leef-carbonblack-file-alert | vmware-carbonblackedr-leef-alert-trigger-success-huntingapt28 |
+| leef-carbonblack-file-alert-1 | vmware-carbonblackappctrl-leef-alert-trigger-success-lowenforcement |
+| leef-carbonblack-local-logon-1 | vmware-carbonblackappctrl-leef-endpoint-login-success-protection |
+| leef-carbonblack-local-logon-2 | vmware-carbonblackappctrl-leef-endpoint-login-success-consoleconnect |
+| leef-carbonblack-logout-1 | vmware-carbonblackappctrl-leef-endpoint-logout-success-sessionlogoff |
+| leef-carbonblack-logout-2 | vmware-carbonblackappctrl-leef-endpoint-logout-success-consoledisconnect |
+| leef-carbonblack-process-alert | vmware-carbonblackedr-leef-alert-trigger-success-watchliststoragehitprocess |
+| leef-carbonblack-security-alert | vmware-carbonblack-leef-alert-trigger-success-privilegeescalate |
+| leef-carbonblack-system-event | vmware-carbonblackappctrl-leef-app-activity-protection |
+| leef-carbonblack-usb-activity | vmware-carbonblackappctrl-leef-peripheral-storage-tached |
+| leef-carbonblack-workstation-locked | vmware-carbonblackappctrl-leef-endpoint-lock-success-sessionlock |
+| leef-carbonblack-workstation-unlocked | vmware-carbonblackappctrl-leef-endpoint-login-success-sessionunlock |
+| leef-cbdef-security-alert | vmware-carbonblack-leef-alert-trigger-success-activethreat |
+| leef-checkpoint-alert | checkpoint-ngfw-leef-alert-trigger-success-smartdefense |
+| leef-checkpoint-alert-1 | checkpoint-am-leef-alert-trigger-success-antimalware |
+| leef-checkpoint-alert-2 | checkpoint-es-leef-alert-trigger-success-checkpoint |
+| leef-checkpoint-firewall-1 | checkpoint-ngfw-leef-network-traffic-applicationcontrol |
+| leef-checkpoint-firewall-2 | checkpoint-ngfw-leef-network-traffic-success-appcontrolandurlfiltering |
+| leef-checkpoint-firewall-3 | checkpoint-ngfw-leef-network-traffic-success-urlfiltering |
+| leef-checkpoint-firewall-4 | checkpoint-ngfw-leef-network-traffic-firewall |
+| leef-crowdstrike-alert | crowdstrike-falcon-leef-alert-trigger-success-falconhost |
+| leef-crowdstrike-alert-1 | crowdstrike-falcon-leef-app-notification-scanresults |
+| leef-crowdstrike-alert-2 | crowdstrike-falcon-leef-app-login-authactivityauditevent |
+| leef-crowdstrike-alert-3 | crowdstrike-falcon-leef-app-activity-useractivityauditevent |
+| leef-crowdstrike-app-login | crowdstrike-falcon-leef-app-login-falconhost |
+| leef-crowdstrike-detectionsummaryevent | crowdstrike-falcon-leef-alert-trigger-success-0 |
+| leef-crowdstrike-dnsrequests | crowdstrike-falcon-leef-dns-request-success-dnsrequests |
+| leef-crowdstrike-documentsaccessed | crowdstrike-falcon-leef-file-read-success-documentsaccessed |
+| leef-crowdstrike-executableswritten | crowdstrike-falcon-leef-file-write-success-executableswritten |
+| leef-crowdstrike-networkaccesses | crowdstrike-falcon-leef-network-traffic-success-networkaccesses |
+| leef-cyberark-app-activity | cyberark-pam-leef-appactivityfile-vault |
+| leef-digitalguardian-dlp-email-alert-out | dg-ndlp-leef-email-send-success-sendmail |
+| leef-digitalguardian-dlp-email-alert-out-1 | dg-ep-leef-email-send-success-28 |
+| leef-digitalguardian-file-delete | dg-ep-leef-file-delete-success-filerecycle |
+| leef-digitalguardian-file-delete-1 | dg-ep-leef-file-delete-success-17 |
+| leef-digitalguardian-file-download | dg-ep-leef-file-download-success-networktransferdownload |
+| leef-digitalguardian-file-download-1 | dg-ep-leef-file-download-success-2 |
+| leef-digitalguardian-file-read-1 | dg-ep-leef-file-read-success-fileread |
+| leef-digitalguardian-file-read-2 | dg-ep-leef-file-read-success-fileopen |
+| leef-digitalguardian-file-read-3 | dg-ep-leef-file-read-success-21 |
+| leef-digitalguardian-file-upload | dg-ep-leef-file-upload-success-networktransferupload |
+| leef-digitalguardian-file-upload-1 | dg-ep-leef-file-upload-success-3 |
+| leef-digitalguardian-file-write-1 | dg-ep-leef-file-write-success-filecopy |
+| leef-digitalguardian-file-write-10 | dg-ep-leef-file-write-success-18 |
+| leef-digitalguardian-file-write-2 | dg-ep-leef-file-write-success-filemove |
+| leef-digitalguardian-file-write-3 | dg-ep-leef-file-write-success-filewrite |
+| leef-digitalguardian-file-write-4 | dg-ep-leef-file-write-success-filerename |
+| leef-digitalguardian-file-write-5 | dg-ep-leef-file-write-success-filesaveas |
+| leef-digitalguardian-file-write-6 | dg-ep-leef-file-write-success-5 |
+| leef-digitalguardian-file-write-7 | dg-ep-leef-file-write-success-7 |
+| leef-digitalguardian-file-write-8 | dg-ep-leef-file-write-success-11 |
+| leef-digitalguardian-file-write-9 | dg-ep-leef-file-write-success-12 |
+| leef-digitalguardian-local-logon | dg-ep-leef-endpoint-login-success-userlogon |
+| leef-digitalguardian-local-logon-1 | dg-ep-leef-endpoint-login-success-23 |
+| leef-digitalguardian-print-activity | dg-ep-leef-printer-activity-success-printevent |
+| leef-digitalguardian-print-activity-1 | dg-ep-leef-printer-activity-success-22 |
+| leef-digitalguardian-process-created | dg-ep-leef-process-create-success-applicationstart |
+| leef-digitalguardian-usb-insert | dg-ep-leef-peripheral-storage-insert-success-44 |
+| leef-dns-query | bluecatnetworks-bnetworks-leef-dns-request-success-bcn |
+| leef-epic-app-activity | epic-siem-leef-app-activity-securitysiem |
+| leef-eset-app-login-success | eset-es-leef-app-login-success-nativeuser |
+| leef-eset-failed-logon | eset-ep-leef-endpoint-login-fail-auditevent |
+| leef-eset-logout | eset-es-leef-app-logout-success-remoteadministrator |
+| leef-eset-network-alert | eset-es-leef-alert-trigger-success-firewallevent |
+| leef-eset-security-alert | eset-es-leef-alert-trigger-success-threatevent |
+| leef-eset-web-activity-denied | eset-es-leef-http-session-fail-blocked |
+| leef-eset-web-activity-denied-1 | eset-es-leef-http-session-fail-eset |
+| leef-fireeye-alert | fireeye-networksecurity-leef-alert-trigger-success-malwareobject |
+| leef-guardium-db-failed-login | ibm-guardium-leef-database-login-fail-loginfailed |
+| leef-guardium-db-query | ibm-guardium-leef-database-query-success-sql |
+| leef-guardium-db-query-1 | ibm-guardium-leef-database-query-success-sql-1 |
+| leef-ibm-sense-alert | ibm-s-leef-alert-trigger-success-ubaoffense |
+| leef-incapsula-web-activity | imperva-incapsula-leef-http-session-siemintegration |
+| leef-lastline-security-alert | vmware-nsxatp-leef-alert-trigger-success-email |
+| leef-lastline-system-info | vmware-lastline-leef-app-notification-appliancestatus |
+| leef-mssql-database-failed-login | microsoft-mssql-leef-database-login-fail-18456 |
+| leef-mssql-database-login-1 | microsoft-mssql-leef-database-login-success-18453 |
+| leef-mssql-database-login-2 | microsoft-mssql-leef-database-login-success-18454 |
+| leef-mwg-proxy | mcafee-wg-leef-http-session-webgateway |
+| leef-paloalto-app-activity | pan-gp-leef-app-activity-success-gatewayhipcheck |
+| leef-paloalto-app-activity-1 | pan-gp-leef-app-activity-success-gatewayhipreport |
+| leef-paloalto-app-activity-2 | pan-gp-leef-app-activity-success-getconfig |
+| leef-paloalto-firewall-alert | pan-ngfw-leef-alert-trigger-success-alert |
+| leef-paloalto-firewall-allow | pan-ngfw-leef-network-traffic-success-allow |
+| leef-paloalto-firewall-deny | pan-ngfw-leef-network-traffic-fail-deny |
+| leef-paloalto-firewall-deny-1 | pan-ngfw-leef-network-traffic-fail-deny-1 |
+| leef-paloalto-firewall-drop | pan-ngfw-leef-network-traffic-fail-drop |
+| leef-paloalto-vpn-end | pan-gp-leef-vpn-logout-success-globalprotect |
+| leef-paloalto-vpn-login | pan-gp-leef-vpn-login-success-globalprotect-3 |
+| leef-paloalto-vpn-login-1 | pan-gp-leef-vpn-login-globalprotect-4 |
+| leef-paloalto-vpn-start | pan-gp-leef-vpn-login-globalprotect-5 |
+| leef-pan-authentication-failed | pan-ngfw-leef-endpoint-authentication-fail-authfail |
+| leef-pan-authentication-successful | pan-ngfw-leef-endpoint-authentication-success-authsuccess |
+| leef-pan-authentication-successful-1 | pan-ngfw-leef-endpoint-authentication-success-signvalidated |
+| leef-pan-proxy | pan-ngfw-leef-http-session-threat |
+| leef-pan-remote-logon | pan-ngfw-leef-endpoint-login-fail-general |
+| leef-pan-spyware-alert | pan-wildfire-leef-alert-trigger-success-spyware |
+| leef-pan-system-info | pan-wildfire-leef-app-activity-general |
+| leef-pan-system-logoff | pan-wildfire-leef-app-logout-loggedout |
+| leef-pan-virus-alert | pan-wildfire-leef-alert-trigger-success-virus |
+| leef-pan-vpn-logout | pan-gp-leef-vpn-logout-success-gatewaylogout |
+| leef-pan-vpn-start | pan-gp-leef-vpn-login-success-globalprotect-2 |
+| leef-pan-vulnerability-alert | pan-wildfire-leef-alert-trigger-success-vulnerability |
+| leef-pan-wildfire-alert | pan-wildfire-leef-alert-trigger-success-wildfire |
+| leef-securesphere-db-alert | imperva-securesphere-leef-alert-trigger-success-alertdescription |
+| leef-securesphere-db-alert-1 | imperva-securesphere-leef-alert-trigger-success-description |
+| leef-stealthwatch-network-alert | cisco-securenwanalytics-leef-alert-trigger-success-alarmid |
+| leef-trendmicro-file-alert | trendmicro-ds-leef-endpoint-activity-success-integritymonitor |
+| leef-trendmicro-network-alert | trendmicro-officescan-leef-network-session-fail-firewall |
+| leef-trendmicro-privileged-object-access | trendmicro-officescan-leef-user-privilege-use-success-4674 |
+| leef-trendmicro-security-alert | trendmicro-officescan-leef-alert-trigger-success-antimalware |
+| leef-trendmicro-system-info | trendmicro-ds-leef-alert-trigger-loginspection |
+| leef-varonis-security-alert | varonis-dsp-leef-alert-trigger-success-varonis |
+| legacyParserName | nextGenParserName |
+| lenel-badge-access | lenel-og-kv-physical-location-access-cardium |
+| lenel-badge-access-2 | lenel-og-json-physical-location-access-empid |
+| lenel-badge-access-3 | lenel-og-kv-physical-location-access-success-accessgranted |
+| lexmark-print-activity | lexmark-l-cef-printer-activity-success-printjob |
+| lieberman-erpm | beyondtrust-prividentity-kv-user-privilege-use-success-seventid |
+| lieberman-events-2001 | beyondtrust-prividentity-kv-app-authentication-fail-refused |
+| lieberman-events-2006 | beyondtrust-prividentity-kv-app-authentication-2006 |
+| lieberman-events-3013 | beyondtrust-prividentity-kv-app-notification-genericmessage |
+| lieberman-events-3017 | beyondtrust-prividentity-kv-app-activity-privilegedidentity |
+| lieberman-events-3019 | beyondtrust-prividentity-kv-app-activity-privilegedidentity-1 |
+| linux-dhcp-request | linux-dhcp-str-dhcp-session-success-dhcprequest |
+| liquidfiles-app-login | liquidfiles-l-json-app-login-success-ldapauthentication |
+| liquidfiles-failed-app-login | liquidfiles-l-json-app-login-fail-ldapauthenticationerror |
+| liquidfiles-file-download | liquidfiles-l-json-file-download-success-downloadsuccess |
+| liquidfiles-file-upload | liquidfiles-l-json-file-upload-success-binaryuploadcomplete |
+| liquidfiles-security-alert | liquidfiles-l-json-alert-trigger-success-forbidden |
+| lmc-vpn-login | ibm-lmc-json-vpn-login-lmclogin |
+| logrhythm-0365-account-password-change | microsoft-o365-kv-user-password-modify-success-changeduserpassword |
+| logrhythm-0365-app-login | microsoft-o365-kv-app-login-success-userloggedin |
+| logrhythm-0365-failed-app-login | microsoft-o365-kv-app-login-fail-workload |
+| logrhythm-o365-app-activity | microsoft-m365auditlogs-kv-file-download-filesyncdownloadedfull |
+| logrhythm-o365-app-activity-10 | microsoft-m365auditlogs-kv-user-modify-updateuser |
+| logrhythm-o365-app-activity-11 | microsoft-m365auditlogs-kv-group-modify-updategroup |
+| logrhythm-o365-app-activity-12 | microsoft-m365auditlogs-kv-endpoint-modify-success-updatedevice |
+| logrhythm-o365-app-activity-13 | microsoft-m365auditlogs-kv-user-modify-success-updatestsrefreshtokenvalidfromtimestamp |
+| logrhythm-o365-app-activity-14 | microsoft-m365auditlogs-kv-user-modify-success-updateserviceprincipal |
+| logrhythm-o365-app-activity-15 | microsoft-m365auditlogs-kv-user-modify-changeuserlicense |
+| logrhythm-o365-app-activity-16 | microsoft-m365auditlogs-kv-user-create-adduser |
+| logrhythm-o365-app-activity-17 | microsoft-m365auditlogs-kv-email-send-success-send |
+| logrhythm-o365-app-activity-18 | microsoft-m365auditlogs-kv-email-send-success-sendonbehalf |
+| logrhythm-o365-app-activity-19 | microsoft-m365auditlogs-kv-email-send-sendas |
+| logrhythm-o365-app-activity-2 | microsoft-m365auditlogs-kv-file-share-sharingset |
+| logrhythm-o365-app-activity-20 | microsoft-m365auditlogs-kv-mailbox-item-create-create |
+| logrhythm-o365-app-activity-21 | microsoft-m365auditlogs-kv-app-login-success-teamssessionstarted |
+| logrhythm-o365-app-activity-22 | microsoft-m365auditlogs-kv-report-read-success-viewreport |
+| logrhythm-o365-app-activity-23 | microsoft-m365auditlogs-kv-file-download-success-exportartifact |
+| logrhythm-o365-app-activity-3 | microsoft-m365auditlogs-kv-file-read-success-pageviewed |
+| logrhythm-o365-app-activity-4 | microsoft-m365auditlogs-kv-file-property-modify-sharinginheritancebroken |
+| logrhythm-o365-app-activity-5 | microsoft-m365auditlogs-kv-group-member-add-addedtogroup |
+| logrhythm-o365-app-activity-6 | microsoft-m365auditlogs-kv-group-create-groupadded |
+| logrhythm-o365-app-activity-7 | microsoft-m365auditlogs-kv-app-notification-success-pageprefetched |
+| logrhythm-o365-app-activity-8 | microsoft-m365auditlogs-kv-share-link-open-success-companylinkused |
+| logrhythm-o365-app-activity-9 | microsoft-m365auditlogs-kv-file-unshare-sharingrevoked |
+| logrhythm-o365-file-activity | microsoft-o365-kv-file-read-success-fileaccessed |
+| logrhythm-o365-file-delete | microsoft-o365-kv-file-delete-success-filedeleted |
+| logrhythm-o365-file-delete-2 | microsoft-o365-kv-file-delete-success-folderdeleted |
+| logrhythm-o365-file-delete-3 | microsoft-o365-kv-file-delete-success-fileversions |
+| logrhythm-o365-file-read | microsoft-o365-kv-file-read-success-filepreviewed |
+| logrhythm-o365-file-read-2 | microsoft-o365-kv-file-read-success-fileaccessedextended |
+| logrhythm-o365-file-read-3 | microsoft-o365-kv-file-read-success-filedownloaded |
+| logrhythm-o365-file-read-4 | microsoft-o365-kv-file-read-success-pageviewed |
+| logrhythm-o365-file-read-5 | microsoft-o365-kv-file-read-success-pageviewedextended |
+| logrhythm-o365-file-read-6 | microsoft-o365-kv-file-read-success-anonymouslinkused |
+| logrhythm-o365-file-read-7 | microsoft-o365-kv-file-read-success-clientviewsignaled |
+| logrhythm-o365-file-upload | microsoft-o365-kv-file-upload-success-fileuploaded |
+| logrhythm-o365-file-write | microsoft-o365-kv-file-write-success-filesyncuploadedfull |
+| logrhythm-o365-file-write-2 | microsoft-o365-kv-file-write-success-filemodifiedextended |
+| logrhythm-o365-file-write-3 | microsoft-o365-kv-file-write-success-filemodified |
+| logrhythm-o365-file-write-4 | microsoft-o365-kv-file-write-success-filemoved |
+| logrhythm-o365-file-write-5 | microsoft-o365-kv-file-write-success-filerenamed |
+| logrhythm-o365-file-write-6 | microsoft-o365-kv-file-write-success-foldercreated |
+| logrhythm-o365-file-write-7 | microsoft-o365-kv-file-write-success-filecopied |
+| logrhythm-o365-file-write-8 | microsoft-o365-kv-file-write-success-anonymouslinkcreated |
+| logstash-4624 | microsoft-evsecurity-json-endpoint-login-success-4624-3 |
+| logstash-4768 | microsoft-evsecurity-json-endpoint-4768-1 |
+| logstash-4769 | microsoft-evsecurity-json-endpoint-login-4769-3 |
+| lumension-failed-usb-activity-1 | lumension-l-kv-peripheral-storage-activity-fail-readdenied |
+| lumension-failed-usb-activity-2 | lumension-l-kv-peripheral-storage-activity-fail-writedenied |
+| lumension-failed-usb-activity-3 | lumension-l-csv-peripheral-storage-activity-fail-writedenied-1 |
+| lumension-failed-usb-activity-4 | lumension-l-csv-peripheral-storage-activity-fail-readdenied-1 |
+| lumension-usb-activity | lumension-l-kv-peripheral-storage-activity-success-devicedetached |
+| lumension-usb-activity-1 | lumension-l-cef-peripheral-storage-activity-success-devicecontrol |
+| lumension-usb-insert-1 | lumension-l-kv-peripheral-storage-insert-success-deviceattached |
+| lumension-usb-insert-2 | lumension-l-kv-peripheral-storage-insert-success-mediuminserted |
+| lumension-usb-read | lumension-l-kv-file-read-success-readgranted |
+| lumension-usb-write | lumension-l-kv-file-write-success-writegranted |
\ No newline at end of file
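Review bot: several new parser names in this table carry a stray leading double quote with no closing quote (for example `| l-4673 | "microsoft-evsecurity-xml-user-privilege-assign-success-4673 |`, and likewise the l-4688-v2, l-4720, l-4722, l-4740, l-4767, l-member-added-2008 and both l-sysmon rows); these look like export artifacts and should be removed so each cell holds only the name a reader will search for. The l-member-added-2008 target `"microsoft-evsecurity-xml-group-member-add-success-47` also appears truncated, since every other evsecurity name in the table ends with a full event ID; please confirm the intended name rather than leaving it as is. The row `| legacyParserName | nextGenParserName |` between the leef-varonis and lenel-badge-access entries is a second header row that will render as a data row and should be dropped. Minor: the file ends without a trailing newline.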
diff --git a/ParsersLegacy/m_parsers.md b/ParsersLegacy/m_parsers.md
new file mode 100644
index 0000000..36b0cb5
--- /dev/null
+++ b/ParsersLegacy/m_parsers.md
@@ -0,0 +1,220 @@
+| Old Parser Name | New Parser Name |
+| --------------------------------------------- | ---------------------------------------------------------------------------------------- |
+| mariadb-connect | mariadb-m-csv-database-login-success-connect |
+| mariadb-connect-1 | mariadb-m-csv-database-login-success-connect-1 |
+| mariadb-create | mariadb-m-kv-database-modify-success-create |
+| mariadb-disconnect | mariadb-m-str-database-logout-success-disconnect |
+| mariadb-drop | mariadb-m-str-database-delete-success-drop |
+| mariadb-failedconnect | mariadb-m-csv-database-login-fail-failedconnect |
+| mariadb-query | mariadb-m-str-database-query-success-query-2 |
+| mariadb-read | mariadb-m-str-database-activity-success-read |
+| mariadb-read-1 | mariadb-m-str-database-activity-success-mariadb |
+| mariadb-write | mariadb-m-csv-database-modify-success-write |
+| mariadb-write-1 | mariadb-m-str-database-modify-success-write |
+| mastersam-pam-app-activity | mastersam-pam-kv-app-activity-updateresource |
+| mastersam-pam-app-activity-1 | mastersam-pam-kv-app-activity-apiaccountrequest |
+| mastersam-pam-auth-4 | mastersam-pam-kv-app-authentication-success-verifypasswordaccount |
+| mastersam-pam-auth-failed-2 | mastersam-pam-kv-endpoint-authentication-fail-loginfail |
+| mastersam-pam-auth-failed-3 | mastersam-pam-kv-endpoint-authentication-fail-otpfailed |
+| mastersam-pam-auth-successful-1 | mastersam-pam-kv-endpoint-authentication-success-login |
+| mastersam-pam-auth-successful-2 | mastersam-pam-kv-app-authentication-success-apilogin |
+| mastersam-pam-auth-successful-3 | mastersam-pam-kv-endpoint-authentication-success-verifiedotp |
+| mastersam-pam-logout-1 | mastersam-pam-kv-app-logout-success-logout |
+| mastersam-pam-logout-2 | mastersam-pam-kv-app-logout-success-logouttimeout |
+| mastersam-pam-password-change | mastersam-pam-kv-user-password-modify-success-resetaccountpassword |
+| mastersam-pam-remote-logon | mastersam-pam-kv-endpoint-login-success-connect |
+| mcafee-app-activity | mcafee-sncasb-kv-app-success-mvision |
+| mcafee-dlp-alert | mcafee-es-kv-alert-trigger-success-dataloss |
+| mcafee-dlp-email-alert | mcafee-ep-kv-email-send-fail-emailstatus |
+| mcafee-dlp-email-alert-1 | mcafee-ep-kv-email-send-fail-emailstatus-1 |
+| mcafee-dlp-mem-dev | mcafee-es-kv-file-write-success-memorydevices |
+| mcafee-dlp-pnp | mcafee-es-kv-file-write-success-pnp |
+| mcafee-dlp-pnp-2 | mcafee-es-kv-file-write-success-plugandplay |
+| mcafee-dlp-print | mcafee-dlp-kv-printer-activity-success-printer |
+| mcafee-dlp-print-2 | mcafee-dlp-kv-printer-activity-success-printer-1 |
+| mcafee-dlp-rem-stor | mcafee-es-kv-file-write-success-removablestorage |
+| mcafee-dlp-rem-stor-2 | mcafee-es-kv-file-write-success-removablestorage-1 |
+| mcafee-dlp-upload | mcafee-dlp-kv-alert-trigger-success-alerttrigger |
+| mcafee-epp-alert | mcafee-es-str-alert-trigger-success-epolicy |
+| mcafee-file-write-denied | "mcafee-es-xml-file-write-success-epoevents |
+| mcafee-hbss-dlp-alert | mcafee-atd-json-alert-trigger-success-dlpwindows |
+| mcafee-hbss-dlp-alert-2 | mcafee-atd-json-alert-trigger-success-threathandled |
+| mcafee-idps-network-alert | mcafee-idps-str-alert-trigger-success-ivrelevance |
+| mcafee-ips-network-alert | mcafee-nsp-kv-alert-trigger-success-sensorname |
+| mcafee-ips-network-error | mcafee-nsp-str-app-notification-faultforwarder |
+| mcafee-ips-network-info | mcafee-nsp-str-app-notification-auditlogforwarder |
+| mcafee-logout | mcafee-es-json-app-logout-success-userlogout |
+| mcafee-machineinfo | mcafee-epo-xml-endpoint-notification-success-epoevents |
+| mcafee-network-alert | mcafee-nsp-json-alert-trigger-success-threatsource |
+| mcafee-network-alert-1 | mcafee-nsp-kv-alert-trigger-success-result |
+| mcafee-nsm-app-login | mcafee-nsm-csv-app-login-success-succeeded |
+| mcafee-nsm-app-login-failed | mcafee-nsm-csv-app-login-fail-failed |
+| mcafee-process-created-failed | mcafee-es-csv-process-create-fail-executiondenied |
+| mcafee-remote-logon | mcafee-es-json-endpoint-login-success-successfuluserlogin |
+| mcafee-security-alert-1 | mcafee-es-kv-alert-trigger-success-hostintrusionprevention |
+| mcafee-security-alert-1027 | "mcafee-epo-xml-alert-trigger-success-1027 |
+| mcafee-security-alert-2 | mcafee-es-kv-alert-trigger-success-moveavoffloadserver |
+| mcafee-security-alert-3 | mcafee-es-kv-alert-trigger-success-endpointsecurity |
+| mcafee-security-alert-4 | mcafee-es-kv-alert-trigger-success-virusscanenterprise |
+| mcafee-security-alert-5 | mcafee-epo-kv-alert-trigger-success-string |
+| mcafee-siem-4624 | microsoft-evsecurity-json-endpoint-login-success-anaccountwassuccessfullyloggedon |
+| mcafee-siem-4625 | microsoft-evsecurity-json-endpoint-login-fail-anaccountfailedtologon |
+| mcafee-siem-4648 | microsoft-evsecurity-json-user-switch-success-4648-1 |
+| mcafee-siem-4672 | microsoft-evsecurity-json-user-privilege-assign-success-4672-3 |
+| mcafee-siem-4720 | microsoft-evsecurity-json-user-create-success-useraccountcreated |
+| mcafee-siem-4722 | microsoft-evsecurity-json-user-enable-success-auseraccountwasenabled |
+| mcafee-siem-4723 | microsoft-evsecurity-json-user-password-modify-4723-3 |
+| mcafee-siem-4724 | microsoft-evsecurity-json-user-password-reset-success-resetaccountspassword |
+| mcafee-siem-4725 | microsoft-evsecurity-json-user-disable-success-mcafeesiem |
+| mcafee-siem-4726 | microsoft-evsecurity-json-user-delete-fail-deleted |
+| mcafee-siem-4740 | microsoft-evsecurity-json-user-delete-fail-user |
+| mcafee-siem-4768 | microsoft-evsecurity-json-endpoint-kerberosauth |
+| mcafee-siem-4769 | microsoft-evsecurity-json-endpoint-login-4769-4 |
+| mcafee-siem-4770 | microsoft-evsecurity-json-endpoint-login-4770-2 |
+| mcafee-siem-4771 | microsoft-evsecurity-json-endpoint-login-fail-authfailed |
+| mcafee-siem-4776 | microsoft-evsecurity-json-endpoint-login-account |
+| mcafee-siem-4778 | microsoft-evsecurity-json-endpoint-login-success-4778 |
+| mcafee-siem-4779 | microsoft-evsecurity-json-endpoint-logout-success-sessiondisconnected |
+| mcafee-siem-5136 | microsoft-evsecurity-json-ds-object-modify-success-5136-1 |
+| mcafee-siem-5137 | microsoft-evsecurity-json-ds-object-modify-success-5137 |
+| mcafee-siem-5141 | microsoft-evsecurity-json-ds-object-modify-success-5141 |
+| mcafee-siem-process-created | microsoft-evsecurity-json-process-create-success-newprocess |
+| mcafee-skyhigh-dlp-alert | mcafee-sncasb-kv-alert-trigger-success-actoridtype |
+| mcafee-skyhigh-dlp-alert-1 | mcafee-sncasb-cef-alert-trigger-success-alertdata |
+| mcafee-system-info | mcafee-es-kv-app-notification-propertytranslator |
+| mcafee-system-info-1 | mcafee-es-kv-policy-apply-fail-pointproduct |
+| mcafee-usb-activity | "mcafee-es-xml-peripheral-storage-activity-success-20504 |
+| mcafee-usb-activity-1 | "mcafee-es-xml-peripheral-storage-activity-success-20508 |
+| mcafee-usb-insert | "mcafee-es-xml-peripheral-storage-insert-success-20500 |
+| mcafee-usb-insert-1 | "mcafee-es-xml-peripheral-storage-insert-success-20507 |
+| mcafee-usb-write | mcafee-es-kv-file-write-success-monitor |
+| mcafee-vse-epo-alert | mcafee-es-kv-alert-trigger-success-analyzername |
+| mcafee-windows-error | mcafee-es-kv-endpoint-notification-windowserror |
+| mcas-security-alert | microsoft-mcas-json-alert-trigger-success-riskysignin |
+| mcas-security-alert-1 | microsoft-mcas-json-alert-trigger-success-mcasalertexfiltrationdiscoveryanomalydetection |
+| mcas-security-alert-2 | microsoft-mcas-json-alert-trigger-success-velocity |
+| mcas-security-alert-3 | microsoft-mcas-json-alert-trigger-success-login |
+| mcas-security-alert-4 | microsoft-mcas-json-alert-trigger-success-download |
+| mcas-security-alert-5 | microsoft-mcas-json-alert-trigger-success-ransomware |
+| medigate-alert-iot | claroty-c-json-alert-trigger-success-iot |
+| medigate-security-alert | claroty-c-json-alert-trigger-success-23585 |
+| meraki-dhcp | cisco-mma-sk4-dhcp-traffic-dhcplease |
+| meraki-firepower-active-dir | cisco-fp-str-endpoint-login-success-connectedtoserver |
+| meraki-firepower-authentication | cisco-fp-kv-app-authentication-success-original |
+| meraki-firepower-dhcp | cisco-fp-str-dhcp-traffic-success-address |
+| meraki-firepower-failover | cisco-fp-str-app-notification-failover |
+| meraki-firepower-ids | cisco-fp-str-app-activity-ids |
+| meraki-ip-flow-end | cisco-mma-kv-network-traffic-flowend |
+| meraki-ip-flow-start | cisco-mma-kv-network-traffic-success-ip-flow |
+| meraki-network-alert | cisco-mma-cef-alert-trigger-success-securityevent |
+| meraki-network-connection | cisco-mma-kv-network-traffic-flows |
+| meraki-network-connection-1 | cisco-mma-kv-network-traffic-success-association |
+| meraki-system-info | cisco-mma-kv-alert-trigger-airmarshalevents |
+| meraki-web-activity-denied | cisco-mma-kv-http-session-fail-url |
+| messagelabs-email-in | symantec-esc-json-email-receive-success-emailinfo |
+| messagelabs-email-out | symantec-esc-json-email-send-success-emailinfo |
+| metricbeat-5156 | microsoft-evsecurity-json-network-session-success-5156 |
+| microsoft-app-activity-1 | microsoft-o365-sk4-app-activity-success-authzgroupupdated |
+| microsoft-app-activity-10 | microsoft-o365-sk4-app-activity-success-office365 |
+| microsoft-app-activity-11 | microsoft-o365-sk4-app-activity-success-authzgrouprenamed |
+| microsoft-app-activity-12 | microsoft-o365-json-app-activity-success-graphdirectoryauditlogs |
+| microsoft-app-activity-2 | microsoft-o365-sk4-app-activity-success-userupdated |
+| microsoft-app-activity-4 | microsoft-o365-sk4-app-activity-success-groupmanagement |
+| microsoft-app-activity-5 | microsoft-o365-sk4-app-activity-success-office365-1 |
+| microsoft-app-activity-6 | microsoft-o365-sk4-app-activity-success-authzgrouprenamed-1 |
+| microsoft-app-activity-7 | microsoft-o365-sk4-app-activity-success-graphdirectoryauditlogs-1 |
+| microsoft-app-activity-8 | microsoft-o365-sk4-app-activity-success-groupmanagement-1 |
+| microsoft-app-activity-9 | microsoft-o365-sk4-app-activity-success-usermanagement |
+| microsoft-applocker-security-alert | "microsoft-evapplocker-xml-alert-trigger-success-policyname |
+| microsoft-azure-network-connection-successful | microsoft-azure-sk4-network-traffic-success-firewallapp |
+| microsoft-cloud-app-dlp-alert | microsoft-mcas-json-alert-trigger-success-alertcabineteventmatchfile |
+| microsoft-cloud-app-security-alert | microsoft-mcas-json-alert-trigger-success-alertanubisdetectionrepeatedactivitydelete |
+| microsoft-cloud-app-security-alert-1 | microsoft-mcas-json-alert-trigger-success-alertanubisdetectionvelocity |
+| microsoft-cloud-app-security-alert-2 | microsoft-mcas-sk4-alert-trigger-success-cabineteventmatchfile |
+| microsoft-dns-renew-jp | microsoft-windows-csv-dhcp-session-success-dhcp |
+| microsoft-dns-renew-jp-1 | microsoft-windows-kv-dhcp-session-success-dns |
+| microsoft-dns-renew-jp-2 | microsoft-windows-kv-dhcp-session-success-dns-1 |
+| microsoft-dns-renew-jp-3 | microsoft-windows-csv-network-notification-success-dnsrenew |
+| microsoft-dns-renew-jp-4 | microsoft-windows-csv-network-notification-success-dnsrenew-1 |
+| microsoft-dns-renew-jp-5 | microsoft-windows-csv-dhcp-session-success-dns |
+| microsoft-dns-update-failed | microsoft-dhcpsyslog-csv-dns-record-modify-fail-updatefail |
+| microsoft-dns-update-request | microsoft-dhcpsyslog-csv-dns-record-modify-update |
+| microsoft-dns-update-successful | microsoft-windows-str-dns-record-modify-success-update |
+| microsoft-network-alert | microsoft-azure-cef-alert-trigger-success-block |
+| microsoft-network-alert-1 | microsoft-azuremon-sk4-http-request-frontdoorwebapplicationfirewalllog |
+| microsoft-npc-failed-logon-1 | "microsoft-nps-xml-radius-traffic-fail-3 |
+| microsoft-npc-nac-logon-1 | "microsoft-nps-xml-radius-traffic-success-2 |
+| microsoft-nps-6272 | "microsoft-nps-xml-endpoint-authentication-success-6272 |
+| microsoft-nps-6273 | "microsoft-nps-xml-radius-traffic-fail-6273 |
+| microsoft-nps-6274 | "microsoft-nps-xml-radius-traffic-fail-6274 |
+| microsoft-nps-6278 | "microsoft-nps-xml-radius-traffic-success-6278 |
+| microsoft-nps-nac-logon | microsoft-nps-cef-endpoint-login-success-accessaccept |
+| microsoft-o365-alert-1 | microsoft-o365-json-alert-trigger-success-threatmgmt |
+| microsoft-print-activity | microsoft-evprintservice-kv-printer-activity-success-document |
+| microsoft-print-activity-1 | "microsoft-evprintservice-xml-printer-activity-success-printingdocument |
+| microsoft-print-activity-2 | microsoft-evprintservice-str-printer-activity-success-307 |
+| microsoft-remote-desktop | microsoft-evterminalservicesgateway-str-rdp-traffic-success-connectedtoresource |
+| microsoft-rra-auth-failed | microsoft-rras-str-app-notification-erroroccurred |
+| microsoft-rra-auth-successful | microsoft-rras-kv-authentication-success-authsuccess |
+| microsoft-rra-vpn-login | microsoft-rras-str-vpn-login-success-assignedaddress |
+| microsoft-rra-vpn-logout | microsoft-rras-kv-vpn-logout-success-coid |
+| microsoft-rra-vpn-logout-1 | microsoft-rras-kv-vpn-logout-success-disconnected |
+| microsoft-scep-epp-alert | microsoft-defenderep-kv-alert-trigger-success-syscenterendpointprotection |
+| microsoft-scep-security-alert | microsoft-defenderep-kv-alert-trigger-success-malwareinfection |
+| microsoft-system-info-1 | "microsoft-nps-xml-endpoint-authentication-ias |
+| microsoft-system-info-2 | "microsoft-nps-xml-endpoint-authentication-11 |
+| microsoft-system-info-3 | "microsoft-nps-xml-endpoint-authentication-packettype4 |
+| microsoft-system-info-5 | microsoft-evapp-kv-endpoint-notification-3005 |
+| microsoft-web-activity-3 | microsoft-azuremon-sk4-http-session-frontdooraccesslog |
+| microsoft-windows-system-info | microsoft-evsystem-xml-app-activity-success-304 |
+| microsoft-windows-system-info-1 | microsoft-evsystem-xml-app-activity-success-305 |
+| microsoft-windows-system-info-2 | microsoft-evsystem-xml-app-activity-success-307 |
+| mimecast-dlp-email | mimecast-seg-kv-email-sender |
+| mobileiron-security-alert | mobileiron-mi-cef-alert-trigger-success-mobileiron |
+| mongodb-database-update | mongodb-m-json-database-modify-success-createcollection |
+| mongodb-database-update-1 | mongodb-m-json-database-modify-success-createdb |
+| moveit-account-password-change | ipswitch-moveittransfer-kv-user-password-modify-success-pwdfailed |
+| moveit-app-activity-1 | ipswitch-moveittransfer-str-log-read-viewauditlog |
+| moveit-authentication-failed | ipswitch-moveittransfer-kv-endpoint-authentication-fail-moveit |
+| moveit-authentication-failed-1 | ipswitch-moveittransfer-str-endpoint-authentication-fail-authfailed |
+| moveit-authentication-successful | ipswitch-moveittransfer-kv-app-login-success-signedon |
+| moveit-authentication-successful-1 | ipswitch-moveittransfer-kv-endpoint-login-success-signedon |
+| moveit-failed-logon | ipswitch-moveittransfer-kv-endpoint-login-fail-signon |
+| moveit-failed-logon-1 | ipswitch-moveittransfer-kv-endpoint-login-fail-signon-1 |
+| moveit-file-delete | ipswitch-mdmz-kv-file-delete-success-moveitdelfile |
+| moveit-file-delete-1 | ipswitch-mdmz-kv-file-delete-success-moveitdmzdelfile |
+| moveit-file-delete-2 | ipswitch-mdmz-kv-file-delete-success-moveitdmzdelfolder |
+| moveit-file-download | ipswitch-mdmz-kv-file-download-success-moveitdownload |
+| moveit-file-download-1 | ipswitch-mdmz-kv-file-download-success-moveitdmzdownload |
+| moveit-file-upload | ipswitch-mdmz-kv-file-upload-success-moveitupload |
+| moveit-file-upload-1 | ipswitch-mdmz-kv-file-upload-success-moveitdmzupload |
+| moveit-file-upload-2 | ipswitch-mdmz-kv-file-upload-success-moveitdmzsend |
+| moveit-file-upload-3 | ipswitch-moveitdmz-kv-file-upload-success-move |
+| moveit-file-write-1 | ipswitch-mdmz-kv-file-write-success-moveitdmzaddfolder |
+| moveit-file-write-2 | ipswitch-moveitdmz-kv-file-write-success-rename |
+| moveit-logout | ipswitch-moveittransfer-str-app-logout-signoff |
+| moveit-logout-1 | ipswitch-moveittransfer-str-app-logout-dmzsignoff |
+| moveit-member-added-1 | ipswitch-moveittransfer-kv-group-member-add-success-adduser |
+| moveit-member-added-2 | ipswitch-moveitdmz-kv-group-member-add-success-addgroupmember |
+| moveit-ssh-login-failed | ipswitch-moveitdmz-kv-endpoint-login-fail-sshfail |
+| ms-azure-eventhubs-app-activity | microsoft-azure-json-app-activity-eventhubazurerecord |
+| ms-azure-eventhubs-login | microsoft-azure-json-app-login-azurerecord |
+| ms-azure-signin-app-login | microsoft-azure-json-app-login-userdisplayname |
+| ms-dhcp | msdhcp-m-str-dhcp-session-success-dnsupdate |
+| msnetwork-nac-logon | microsoft-nps-csv-endpoint-authentication-success-wirelessconnection |
+| msnetwork-nac-logon-2 | microsoft-nps-csv-endpoint-login-success-13 |
+| msnetwork-nac-logon-3 | microsoft-nps-csv-endpoint-login-success-ias |
+| msnetwork-nac-logon-4 | microsoft-nps-csv-endpoint-login-success-ras |
+| msnetwork-nac-logon-5 | microsoft-nps-csv-endpoint-login-success-ias-1 |
+| mssql-app-activity | microsoft-mssql-kv-app-activity-mssqlserver |
+| mssql-database-login | microsoft-mssql-kv-database-login-success-14 |
+| mssql-database-login-1 | microsoft-mssql-kv-database-login-fail-permission |
+| mssql-database-query-2 | microsoft-mssql-json-database-query-success-sqlserver |
+| mssql-database-query-3 | microsoft-mssql-json-database-query-success-databasequery |
+| mssql-member-added | microsoft-mssql-str-group-member-add-aprl |
+| mssql-member-removed | microsoft-mssql-str-group-member-remove-dprl |
+| mulesoft-web-activity | mulesoft-m-kv-http-request-entrytime |
+| mwg-proxy-1 | mcafee-wg-json-http-session-sha256 |
+| mwg-proxy-2 | mcafee-wg-json-http-session-mwg |
+| mwg-proxy-3 | mcafee-wg-csv-http-session-3 |
+| mysql-db-activity-json | mysql-m-json-database-query-success-activity |
\ No newline at end of file
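Review bot: several New Parser Name cells in this hunk carry an unmatched leading double quote that will render as part of the name, for example `"microsoft-evapplocker-xml-alert-trigger-success-policyname` (microsoft-applocker-security-alert), the `"microsoft-nps-xml-...` rows (microsoft-npc-failed-logon-1, microsoft-npc-nac-logon-1, microsoft-nps-6272 through 6278, microsoft-system-info-1 to -3) and `"microsoft-evprintservice-xml-printer-activity-success-printingdocument`; all of them are xml-format parsers, so this looks like CSV export residue and the quote should be stripped from each. Also worth a second look: `moveit-account-password-change` maps to `ipswitch-moveittransfer-kv-user-password-modify-success-pwdfailed`, where the `success` outcome segment and the `pwdfailed` qualifier contradict each other, so confirm which parser is actually meant. Lastly the file is written without a trailing newline (`\ No newline at end of file`); add one so that appending rows later does not rewrite this last line in the diff.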
diff --git a/ParsersLegacy/n_parsers.md b/ParsersLegacy/n_parsers.md
new file mode 100644
index 0000000..4066f96
--- /dev/null
+++ b/ParsersLegacy/n_parsers.md
@@ -0,0 +1,188 @@
+| Old Parser Name | New Parser Name |
+| ------------------------------------------- | --------------------------------------------------------------------------- |
+| n-cef-mcafee-alert | mcafee-esm-csv-alert-trigger-success-mcafeensmopmnsmp3 |
+| n-forwarded-cef-4611 | microsoft-evsecurity-cef-endpoint-notification-success-esm |
+| n-forwarded-cef-4624 | microsoft-evsecurity-kv-endpoint-success-mcafee |
+| n-forwarded-cef-4625 | microsoft-evsecurity-kv-endpoint-login-fail-4326304625 |
+| n-forwarded-cef-4634 | microsoft-evsecurity-cef-endpoint-logout-success-4634-1 |
+| n-forwarded-cef-4648 | microsoft-evsecurity-cef-user-switch-success-4648-2 |
+| n-forwarded-cef-4662 | microsoft-evsecurity-cef-ds-object-activity-success-4662-2 |
+| n-forwarded-cef-4663 | microsoft-evsecurity-cef-file-write-success-43 |
+| n-forwarded-cef-4672 | microsoft-evsecurity-kv-user-privilege-use-success-4672-1 |
+| n-forwarded-cef-4673 | microsoft-evsecurity-cef-user-privilege-use-success-esm |
+| n-forwarded-cef-4688 | microsoft-evsecurity-kv-process-create-success-26304688 |
+| n-forwarded-cef-4722 | microsoft-evsecurity-cef-user-enable-success-4722-2 |
+| n-forwarded-cef-4724 | microsoft-evsecurity-kv-user-password-reset-success-4724-2 |
+| n-forwarded-cef-4725 | microsoft-evsecurity-kv-user-disable-success-4725-3 |
+| n-forwarded-cef-4740 | microsoft-evsecurity-kv-user-delete-fail-26304740 |
+| n-forwarded-cef-4768 | microsoft-evsecurity-json-endpoint-mcafeeesm |
+| n-forwarded-cef-4769 | microsoft-evsecurity-kv-endpoint-login-4769-9 |
+| n-forwarded-cef-4770 | microsoft-evsecurity-kv-endpoint-login-mcafee |
+| n-forwarded-cef-4771 | microsoft-evsecurity-kv-endpoint-login-fail-mcafeeesm |
+| n-forwarded-cef-4776 | microsoft-evsecurity-kv-endpoint-login-mcafeeesm |
+| n-forwarded-cef-5136 | microsoft-evsecurity-cef-ds-object-modify-success-43 |
+| n-forwarded-cef-528 | microsoft-evsecurity-cef-endpoint-success-528 |
+| n-forwarded-cef-540 | microsoft-evsecurity-kv-endpoint-login-success-mcafee |
+| n-forwarded-cef-552 | microsoft-evsecurity-kv-success-esm |
+| n-forwarded-cef-680 | microsoft-windows-kv-endpoint-login-esm |
+| n-forwarded-cef-asa-nap-vpn-end | cisco-asa-kv-vpn-logout-success-713259 |
+| n-forwarded-cef-asa-nap-vpn-start | cisco-asa-kv-vpn-login-success-privateipassigned |
+| n-forwarded-cef-asa-svc-vpn-end | cisco-asa-kv-vpn-logout-success-113019 |
+| n-forwarded-cef-asa-svc-vpn-start | cisco-asa-kv-vpn-login-success-addressassigned |
+| n-forwarded-cef-aventail-vpn-end | dell-sw-cef-vpn-logout-success-sessionend |
+| n-forwarded-cef-aventail-vpn-start | dell-sw-cef-vpn-login-success-userloginandzoneassignment |
+| n-forwarded-cef-barracuda-email | barracuda-esg-cef-app-activity-success-scan |
+| n-forwarded-cef-damballa-alert | damballa-failsafe-cef-alert-trigger-success-421 |
+| n-forwarded-cef-dns-update | microsoft-windows-kv-dhcp-session-success-mcafeeesm |
+| n-forwarded-cef-failed-logon-2003 | microsoft-windows-kv-endpoint-login-fail-failure |
+| n-forwarded-cef-fidelis-alert | fidelis-fxps-cef-alert-trigger-success-429 |
+| n-forwarded-cef-fireeye-alert | fireeye-networksecurity-leef-alert-trigger-success-2835433003 |
+| n-forwarded-cef-infoblox-dhcp | infoblox-bddi-cef-endpoint-login-success-addedmap |
+| n-forwarded-cef-juniper-vpn-end | juniper-ps-kv-vpn-logout-success-mcafee |
+| n-forwarded-cef-juniper-vpn-end-2 | juniper-ps-cef-vpn-logout-success-vpntunnelingended |
+| n-forwarded-cef-juniper-vpn-start | juniper-ps-kv-vpn-login-success-secureaccess |
+| n-forwarded-cef-juniper-vpn-start-2 | juniper-ps-cef-vpn-login-success-vpntunnelingstarted |
+| n-forwarded-cef-juniper-vpn-timeout | juniper-ps-cef-vpn-logout-success-secureaccess |
+| n-forwarded-cef-lastline | vmware-nsxatp-cef-alert-trigger-success-mcafee |
+| n-forwarded-cef-mcafee-epo | mcafee-es-kv-alert-trigger-success-367 |
+| n-forwarded-cef-mcafee-epo-dlp | mcafee-dlp-kv-alert-trigger-success-359 |
+| n-forwarded-cef-mcafee-epo-usb | mcafee-es-kv-file-write-success-removalstorage |
+| n-forwarded-cef-member-added-2008 | microsoft-evsecurity-kv-group-member-add-success-memberaddedtosecenabled |
+| n-forwarded-cef-member-removed-2008 | microsoft-evsecurity-cef-group-member-remove-success-securityenabled |
+| n-forwarded-cef-nac-logon | cisco-ise-cef-endpoint-login-success-mcafeeesm |
+| n-forwarded-cef-symantec-epp-alert | symantec-endpointprotection-cef-alert-trigger-success-5440 |
+| n-forwarded-cef-trendmicro-security-alert-2 | trendmicro-ddi-cef-alert-trigger-success-473-2 |
+| n-forwarded-cef-trendmicro-system-event | trendmicro-iws-cef-app-activity-success-6494165128 |
+| n-forwarded-cef-trendmicro-system-event-1 | trendmicro-iws-cef-app-activity-success-6494263011 |
+| n-forwarded-cef-trendmicro-web-activity-1 | trendmicro-iws-cef-http-session-web |
+| n-forwarded-cef-trendmicro-web-activity-2 | trendmicro-iws-cef-http-session-web-1 |
+| n-forwarded-cef-trendmicro-web-activity-3 | trendmicro-iws-cef-http-session-mcafeeesm |
+| n-forwarded-juniper-failed-vpn-login | juniper-ps-cef-vpn-login-fail-secureaccess-1 |
+| n-forwarded-juniper-vpn-close | juniper-ps-cef-vpn-logout-success-closedconnection |
+| n-forwarded-juniper-vpn-login | juniper-ps-cef-vpn-login-success-userlogin |
+| n-forwarded-juniper-vpn-login-2 | juniper-ps-cef-vpn-login-success-secureaccess-2 |
+| n-forwarded-juniper-vpn-login-3 | juniper-ps-cef-vpn-login-success-userconnected |
+| n-forwarded-juniper-vpn-logout | juniper-ps-cef-vpn-logout-success-userlogout |
+| n-forwarded-juniper-vpn-open | juniper-ps-cef-vpn-login-success-openedconnection |
+| n-forwarded-juniper-vpn-realm | juniper-ps-cef-vpn-login-success-hostcheckerpolicy |
+| n-forwarded-juniper-vpn-realm-1 | juniper-ps-cef-vpn-login-success-secureaccess-3 |
+| n-mwg-proxy | mcafee-wg-kv-http-session-mcafeewg |
+| n-proofpoint-email-alert | proofpoint-tap-cef-alert-trigger-success-proofpoint |
+| nagios-host-flapping-itops-alert | nagios-n-str-app-notification-hostflappingalert |
+| nagios-host-itops-alert | nagios-n-str-endpoint-notification-hostalert |
+| nagios-host-itops-notification | nagios-n-str-app-notification-hostnotification |
+| nagios-service-flapping-itops-alert | nagios-n-str-app-notification-serviceflappingalert |
+| nagios-service-itops-alert | nagios-n-str-app-notification-alert |
+| nagios-service-itops-notification | nagios-n-str-app-notification-servicenotification |
+| named-dns-query | infoblox-bddi-str-dns-request-success-dnsquery |
+| named-dns-query-1 | unix-unixnamed-str-dns-request-namedquery |
+| named-dns-query-2 | unix-unixnamed-str-network-notification-notifyforzone |
+| named-dns-query-3 | unix-unixnamed-str-app-notification-transfercompleted |
+| named-dns-query-4 | unix-unixnamed-str-app-notification-namedconnected |
+| named-dns-query-5 | unix-unixnamed-str-app-notification-transferredserial |
+| named-dns-query-6 | unix-unixnamed-str-app-notification-signature |
+| named-dns-query-7 | unix-unixnamed-str-network-notification-transferstarted |
+| named-dns-query-8 | unix-unixnamed-str-app-notification-zonenotify |
+| nas-share-access | synologynas-s-kv-share-access-success-fileevent |
+| nas-share-access-1 | synologynas-s-str-share-access-success-connection |
+| ncp-auth-failed | ncp-n-str-app-authentication-fail-verificationfailed |
+| ncp-vpn-end | ncp-n-str-vpn-logout-success-disconnect |
+| ncp-vpn-start | ncp-n-kv-vpn-login-success-connect |
+| netdoc-app-activity-1 | netdoc-n-json-file-activity-success |
+| netdocs-app-activity | "netdocs-n-xml-app-activity-success-appactivity |
+| netdocs-file-operations | netdocs-n-kv-file-success-storageobject |
+| netiq-app-login | netiq-netiqim-json-app-login-success-usersession |
+| netmotion-auth-successful | netmotionwireless-nw-str-endpoint-authentication-success-foruser |
+| netmotion-set-ip | netmotionwireless-nw-json-endpoint-authentication-success-vaddress |
+| netmotion-vpn-end | netmotionwireless-nw-kv-vpn-logout-success-disconnect |
+| netmotion-vpn-end-1 | netmotionwireless-nw-kv-vpn-logout-success-close |
+| netmotion-vpn-finish-1 | netmotionwireless-nw-kv-vpn-logout-success-finish |
+| netmotion-vpn-start | netmotionwireless-nw-kv-vpn-login-success-logdatetime |
+| netmotion-vpn-start-1 | netmotionwireless-nw-kv-vpn-login-success-mobilityanalytics |
+| netmotion-vpn-stop-1 | netmotionwireless-nw-kv-vpn-logout-success-stop |
+| netmotion-vpn-system-info | netmotionwireless-nw-kv-app-notification-update |
+| netmotion-vpn-system-info-1 | netmotionwireless-nw-kv-app-notification-roam |
+| netscalar-info-1 | citrix-cgateway-kv-app-notification-hdr_removed |
+| netscalar-info-2 | citrix-cgateway-kv-vpn-authentication-copied_nsb |
+| netscalar-info-3 | citrix-cgateway-str-app-notification-svr_output_handler |
+| netscalar-remote-access | citrix-cgateway-str-endpoint-login-success-initialization |
+| netscalar-remote-access-1 | citrix-cgateway-str-http-session-success-sslvpn |
+| netscalar-remote-access-2 | citrix-cgateway-cef-http-session-success-httprequest |
+| netscaler-cef-failed-vpn-login | citrix-cgateway-cef-vpn-login-fail-loginfailed |
+| netscaler-cef-vpn-end | citrix-cgateway-cef-vpn-logout-success-netscaler |
+| netscaler-cef-vpn-start | citrix-cgateway-cef-vpn-login-success-login |
+| netscaler-network-connection | citrix-netscalerwaf-str-network-traffic-default |
+| netscaler-network-connection-2 | citrix-netscalerwaf-str-network-traffic-bytes |
+| netscaler-network-connection-3 | citrix-netscalerwaf-str-network-traffic-ssl-handshake |
+| netscaler-network-system-info | citrix-appfw-str-app-notification-message |
+| netscaler-process-created | citrix-cgateway-str-process-create-success-command |
+| netscaler-ssllog-performance | cisco-gateway-str-ssl-traffic-ssllog |
+| netscaler-tcp-performance | citrix-cgateway-str-network-close-tcpconn |
+| netscaler-web-activity | citrix-weblogging-str-http-session-5991 |
+| netscaler-web-activity-1 | citrix-weblogging-str-http-session-success-ssois |
+| netscope-dlp-alert-activity | netskope-sc-sk4-alert-trigger-success-dlp |
+| netskope-activity | netskope-sc-json-app-activity-success-sessionbegin |
+| netskope-alert | netskope-sc-json-alert-trigger-success-sessionbegin |
+| netskope-app-activity | netskope-sc-json-app-activity-success-browsersessionid |
+| netskope-app-activity-1 | netskope-sc-json-app-activity-success-propertyupdated |
+| netskope-app-activity-2 | netskope-sc-json-app-activity-success-browsersession |
+| netskope-dlp-alert | netskope-sc-json-alert-trigger-success-yes |
+| netskope-dlp-alert-2 | netskope-sc-json-alert-trigger-success-dlp |
+| netskope-login | netskope-sc-json-app-login-success-login |
+| netskope-login-1 | netskope-sc-json-app-login-success-loginsuccess |
+| netskope-logout-1 | netskope-sc-sk4-app-logout-success-logout |
+| netskope-network-connection | netskope-sc-json-network-traffic-traffictype |
+| netskope-network-connection-1 | netskope-sc-json-app-activity-appactivity |
+| netskope-security-alert | netskope-sc-json-alert-trigger-success-alertname |
+| netskope-security-alert-1 | netskope-sc-json-alert-trigger-success-compromised |
+| netskope-system-info | netskope-sc-sk4-app-notification-success-auditevent |
+| netskope-web-activity | netskope-sc-str-http-session-success-transaction |
+| netwrix-ad-account-disabled | netwrix-auditor-cef-user-disable-success-accountdisabled |
+| netwrix-ad-account-lockout | netwrix-auditor-cef-user-lock-success-useraccount |
+| netwrix-ad-account-unlocked | netwrix-auditor-cef-user-disable-success-accountunlocked |
+| netwrix-ad-ds-access | netwrix-auditor-cef-ds-object-activity-success-netwrix |
+| netwrix-ad-member-added | netwrix-auditor-cef-group-member-add-success-groupadded |
+| netwrix-ad-member-added-2 | netwrix-auditor-cef-group-member-add-success-groupmodified |
+| netwrix-ad-member-removed | netwrix-auditor-cef-group-member-remove-success-removed |
+| netwrix-ad-password-reset | netwrix-auditor-cef-user-password-reset-success-administrativepasswordreset |
+| netwrix-app-activity-1 | "netwrix-auditor-xml-app-activity-success-1001 |
+| netwrix-app-activity-2 | "netwrix-auditor-xml-app-activity-success-1002 |
+| netwrix-app-activity-3 | "netwrix-auditor-xml-app-activity-success-1003 |
+| netwrix-app-activity-4 | netwrix-auditor-kv-app-activity-success-vmware |
+| netwrix-app-activity-5 | netwrix-auditor-cef-app-activity-success-settingschanged |
+| netwrix-app-login | netwrix-auditor-cef-app-login-success-successfullogon |
+| netwrix-db-activity | netwrix-auditor-kv-database-who |
+| netwrix-failed-app-login | netwrix-auditor-cef-app-login-fail-failedlogon |
+| netwrix-file-activity | "netwrix-auditor-xml-file-success-action |
+| netwrix-group-policy-change | netwrix-auditor-cef-ds-object-activity-success-grouppolicy |
+| nexthink-security-alert | nexthink-nexthink-kv-alert-trigger-success-source |
+| nexthink-security-alert-1 | nexthink-nexthink-kv-alert-trigger-success-user |
+| nic-4688 | microsoft-evsecurity-kv-process-create-success-mswineventlog4688 |
+| nic-4770 | microsoft-evsecurity-kv-endpoint-login-success-4770-1 |
+| nic-5136 | microsoft-evsecurity-mix-ds-object-modify-success-5136 |
+| nic-5137 | microsoft-evsecurity-kv-ds-object-activity-success-5137 |
+| nic-5141 | microsoft-evsecurity-kv-ds-object-activity-success-5141 |
+| nic-528 | microsoft-evsecurity-csv-endpoint-login-success-528 |
+| nic-627 | microsoft-evsecurity-kv-user-password-modify-627security |
+| nic-member-removed-2003 | microsoft-evsecurity-kv-group-member-remove-success-groupmemberremoved |
+| nic-member-removed-2008 | microsoft-evsecurity-kv-group-member-remove-success-memberwasremoved |
+| nnt-ct-alert | nnt-ct-cef-app-notification-agentalert |
+| nnt-ct-app-login | nnt-ct-cef-app-login-success-successfullogon |
+| nnt-ct-config-change | nnt-ct-cef-configuration-modify-plannedchange |
+| nnt-ct-config-change-1 | nnt-ct-cef-configuration-modify-unplannedchange |
+| nnt-ct-failed-app-login | nnt-ct-cef-app-login-fail-401 |
+| nnt-ct-system-event | nnt-ct-cef-app-notification-911 |
+| nnt-ct-system-event-1 | nnt-ct-cef-app-notification-912 |
+| nnt-ct-system-info | nnt-ct-cef-app-notification-315 |
+| nnt-ct-system-info-1 | nnt-ct-cef-app-notification-908 |
+| nokia-vitalqip-computer-logon | nokia-vqip-kv-dhcp-session-success-lucentdhcpservice |
+| nokia-vitalqip-computer-logon-1 | nokia-vqip-kv-dhcp-session-success-lucentdhcpservice-1 |
+| nsx-network-connection-failed | vmware-nsx-str-network-traffic-fail-term |
+| nsx-network-connection-successful | vmware-nsx-str-network-traffic-success-matchpass |
+| nutanix-file-delete | nutanix-us-str-file-delete-success-smb |
+| nutanix-file-read | nutanix-us-str-file-read-success-smb |
+| nutanix-file-write | nutanix-us-str-file-write-success-smb |
+| nutanix-file-write-1 | nutanix-us-str-file-write-success-filecreate |
+| nutanix-file-write-2 | nutanix-us-str-file-write-success-rename |
+| nutanix-file-write-3 | nutanix-us-str-file-write-success-directorycreate |
+| nxlog-json-4726 | microsoft-evsecurity-json-user-delete-success-4726-1 |
\ No newline at end of file
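Review bot: `netscaler-ssllog-performance` maps to `cisco-gateway-str-ssl-traffic-ssllog` while every sibling netscaler row in this hunk maps to a `citrix-cgateway-...` parser, so the vendor prefix looks like a typo and should be verified against the real parser name. Two more rows deserve a check: `netwrix-ad-account-unlocked` maps to `netwrix-auditor-cef-user-disable-success-accountunlocked`, whose `user-disable` activity contradicts the unlock event it names, and `n-forwarded-cef-552` maps to `microsoft-evsecurity-kv-success-esm`, which has no subject or activity segment at all (similarly `n-forwarded-cef-4624` maps to `microsoft-evsecurity-kv-endpoint-success-mcafee`, which lacks the activity verb that the other evsecurity rows carry). The new names for netdocs-app-activity, netwrix-app-activity-1 to -3 and netwrix-file-activity each start with an unmatched `"` that should be stripped, and this file is also missing its trailing newline.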
diff --git a/ParsersLegacy/o_parsers.md b/ParsersLegacy/o_parsers.md
new file mode 100644
index 0000000..896b274
--- /dev/null
+++ b/ParsersLegacy/o_parsers.md
@@ -0,0 +1,198 @@
+| Old Parser Name | New Parser Name |
+| -------------------------------------- | ------------------------------------------------------------------ |
+| o365-activity-1 | "microsoft-o365-xml-file-write-success-mailboxpermission |
+| o365-activity-2 | microsoft-o365-sk4-app-activity-appactivity |
+| o365-activity-3 | microsoft-o365-sk4-app-file-workload |
+| o365-alert-1 | microsoft-azureadip-cef-alert-trigger-success-logininfected |
+| o365-app-login | microsoft-o365-sk4-app-login-success-snowflake |
+| o365-app-login-1 | microsoft-o365-json-app-login-success-userloggedin |
+| o365-dlp-alert | microsoft-o365-json-alert-trigger-success-dlprulematch |
+| o365-dlp-alert-1 | microsoft-o365-json-alert-trigger-success-rulename |
+| o365-dlp-email-out-1 | microsoft-o365-cef-email-send-workload |
+| o365-dlp-email-out-2 | microsoft-o365-cef-email-send-sendas |
+| o365-dlp-policy-alert | microsoft-o365-json-alert-trigger-success-moplabel |
+| o365-dlp-rule-undo-activity | microsoft-o365-sk4-app-activity-success-dlpruleundo |
+| o365-email-alert | microsoft-o365-kv-email-delivered |
+| o365-failed-app-login | microsoft-o365-sk4-app-login-fail-snowflake |
+| o365-inbox-activity | microsoft-o365-cef-app-activity-success-addmailboxpermission |
+| o365-inbox-rules | microsoft-o365-sk4-app-activity-delivertomailboxandforward |
+| o365-inbox-rules-2 | microsoft-o365-sk4-app-activity-success-sentmailbox |
+| o365-inbox-rules-all | microsoft-o365-sk4-app-activity-success-newinboxrule |
+| o365-inbox-rules-all-2 | microsoft-o365-sk4-app-activity-success-setinboxrule |
+| o365-inbox-rules-forward-to | microsoft-o365-sk4-app-activity-success-forwardto |
+| o365-inbox-rules-forward-to-1 | microsoft-o365-sk4-app-activity-success-forward |
+| o365-inbox-rules-forward-to-2 | microsoft-o365-json-app-activity-success-updateinboxrules |
+| o365-inbox-rules-move-to-folder | microsoft-o365-sk4-app-activity-success-movetofolder |
+| o365-mal-url-click | microsoft-o365-sk4-alert-trigger-success-securitycompliance |
+| o365-malware-alert | microsoft-o365-sk4-alert-trigger-success-malwareindata |
+| o365-mip-label-activity | microsoft-o365-json-app-activity-success-operation |
+| o365-onedrive-app-activity | microsoft-o365-csv-app-activity-success-onedrive |
+| o365-phishing-alert | microsoft-o365-json-email-send-receive-internentmessageid |
+| o365-powerbi-activity | microsoft-o365-json-app-activity-success-powerbi |
+| o365-search-data-4 | microsoft-o365-mix-app-activity-success-securitycompliancecenter |
+| o365-security-alert | microsoft-o365-cef-alert-trigger-success-alerttriggerd |
+| o365-security-alert-1 | microsoft-o365-json-alert-trigger-success-anonymouslogin |
+| o365-security-alert-2 | microsoft-o365-json-alert-trigger-success-securitythreatdetected |
+| o365-security-alert-3 | microsoft-o365-json-alert-trigger-success-securitythreatdetected-1 |
+| o365-sharepoint-activity | microsoft-o365-mix-file-success-workload |
+| o365-sharepoint-app-activity | microsoft-o365-csv-file-success-sharepoint |
+| o365-signin-alert | microsoft-o365-cef-alert-trigger-success-anonymousipriskevent |
+| o365-teams-activity-1 | microsoft-o365-mix-app-activity-success-microsoftteams |
+| o365-teams-app-login | microsoft-o365-mix-app-login-success-teamssessionstarted |
+| o365-url-click-alert | microsoft-o365-sk4-alert-trigger-success-urlclicked |
+| o365-usb-write | microsoft-o365-sk4-file-write-success-filecreatedonremovablemedia |
+| observeit-alerts | observeit-o-kv-alert-trigger-success-alerts |
+| observeit-app-activity | proofpoint-o-json-app-activity-sessionurl |
+| observeit-audit-logins | observeit-o-kv-app-login-auditlogins |
+| observeit-dba-activity | observeit-o-kv-database-activity-success-dbactivity |
+| observeit-dlp-alert-1 | proofpoint-observeit-json-alert-trigger-success-dataexfiltration |
+| observeit-dlp-alert-2 | proofpoint-observeit-json-alert-trigger-success-datainfiltration |
+| observeit-security-alert-1 | proofpoint-observeit-json-alert-trigger-success-truedigital |
+| observeit-security-alert-2 | proofpoint-observeit-json-alert-trigger-success-high |
+| observeit-security-alert-3 | proofpoint-o-json-alert-trigger-sessionurl |
+| observeit-sessions | observeit-o-kv-endpoint-login-success-observeitsessions |
+| observeit-useractivity | observeit-o-kv-process-create-success-useractivity |
+| okta-account-creation | okta-amfa-json-user-create-success-usercreation |
+| okta-account-enabled | okta-amfa-json-user-enable-success-published |
+| okta-account-password-change | okta-amfa-sk4-user-password-modify-success-passwordupdate |
+| okta-app-activity | okta-amfa-json-app-activity-published |
+| okta-app-activity-1 | okta-amfa-sk4-app-published |
+| okta-app-activity-ad | okta-amfa-json-app-activity-success-appgroup |
+| okta-app-login | okta-amfa-sk4-app-login-success-signin |
+| okta-app-login-1 | okta-amfa-json-app-login-success-startnewsession |
+| okta-failed-app-login | okta-amfa-csv-app-login-fail-signfailed |
+| okta-member-removed | okta-amfa-sk4-group-member-remove-success-groupmembership |
+| onapsis-db-op | onapsis-o-kv-database-modify-success-dbactivity |
+| onapsis-system-event | onapsis-o-json-app-notification-usermaintenance |
+| onapsis-system-event-1 | onapsis-o-json-alert-trigger-erphost |
+| onapsis-system-event-2 | onapsis-o-json-app-notification-logline |
+| onapsis-system-event-3 | onapsis-o-str-app-activity-satori |
+| onelogin-app-activity | onelogin-o-kv-app-login-3005 |
+| onespan-failed-logon | onespan-osign-kv-endpoint-login-fail-ikeyserver |
+| onewelcome-authentication-failed | onewelcome-ocip-json-app-authentication-fail-430102 |
+| onewelcome-authentication-failed-1 | onewelcome-ocip-json-app-authentication-fail-130001 |
+| onewelcome-authentication-failed-2 | onewelcome-ocip-json-app-authentication-fail-430101 |
+| onewelcome-authentication-failed-3 | onewelcome-ocip-json-app-authentication-fail-130104 |
+| onewelcome-authentication-failed-4 | onewelcome-ocip-json-app-authentication-fail-111407 |
+| onewelcome-authentication-failed-5 | onewelcome-ocip-json-app-authentication-fail-130207 |
+| onewelcome-authentication-successful | onewelcome-ocip-json-app-authentication-success-120000 |
+| onewelcome-authentication-successful-1 | onewelcome-ocip-json-app-authentication-success-120202 |
+| onewelcome-authentication-successful-2 | onewelcome-ocip-json-app-authentication-success-111404 |
+| open-shift-1 | openshift-o-kv-app-activity-annotations |
+| opendj-auth-failure-reason | opendj-o-kv-endpoint-login-msgid |
+| opendj-auth-info | opendj-o-kv-endpoint-login-connectconn |
+| opendj-auth-uid | opendj-o-kv-endpoint-login-uid |
+| openvms-batch-logon | vms-openvms-kv-endpoint-login-fail-processlogin |
+| openvms-failed-logon | vms-openvms-kv-endpoint-login-fail-loginfailure |
+| openvms-file-access | vms-openvms-kv-file-read-success-username |
+| openvms-file-delete | vms-openvms-kv-file-delete-success-objectdeletion |
+| openvms-process-logout | vms-openvms-kv-endpoint-logout-success-batchprocesslogout |
+| openvms-remote-login | vms-openvms-kv-endpoint-login-fail-interactivelogin |
+| openvms-remote-logout | vms-openvms-kv-endpoint-logout-success-remoteinteractivelogout |
+| openvpn-app-activity | openvpn-ov-kv-app-activity-appactivity |
+| openvpn-auth-failed | sslopenvpn-s-kv-vpn-login-fail-authfail |
+| openvpn-auth-failed-1 | openvpn-ov-kv-app-notification-openvpn |
+| openvpn-auth-failed-2 | openvpn-sslvpn-kv-app-authentication-fail-authfailed |
+| openvpn-auth-successful | sslopenvpn-s-kv-vpn-login-success-authsuccess |
+| openvpn-failed-vpn-login | sslopenvpn-s-str-vpn-login-fail-authfailvpn |
+| openvpn-system-info | openvpn-ov-str-app-activity-datachannel |
+| openvpn-system-info-1 | openvpn-sslvpn-str-app-notification-ovpn |
+| openvpn-vpn-end | sslopenvpn-s-kv-vpn-logout-success-loggedout |
+| openvpn-vpn-end-1 | sslopenvpn-s-kv-vpn-logout-success-terminated |
+| openvpn-vpn-end-2 | openvpn-ov-str-vpn-logout-success-reset |
+| openvpn-vpn-end-3 | openvpn-ov-str-vpn-logout-success-reset-1 |
+| openvpn-vpn-end-4 | openvpn-ov-str-vpn-logout-success-timeout |
+| openvpn-vpn-login | sslopenvpn-s-kv-vpn-login-success-googleseclock |
+| openvpn-vpn-login-1 | sslopenvpn-s-kv-vpn-login-success-arrayos |
+| oracle-access-manager | oracle-am-cef-endpoint-authentication-accessmanager |
+| oracle-auth-failed | oracle-db-str-app-login-fail-sshfailed |
+| oracle-auth-successful | oracle-db-str-database-login-sshok |
+| oracle-avdf-database-login | oracle-avdf-json-database-login-success-loginsucceeded |
+| oracle-avdf-database-logout | oracle-avdf-kv-database-logout-success-logout |
+| oracle-avdf-database-query | oracle-avdf-kv-database-query-success-table |
+| oracle-database-access | oracle-db-kv-database-activity-success-oracleddl |
+| oracle-database-access-1 | oracle-db-json-database-activity-success-userhost |
+| oracle-database-delete | oracle-db-json-database-delete-success-sessionrec |
+| oracle-database-login | oracle-db-json-database-login-success-userhost |
+| oracle-database-query-4 | oracle-db-kv-database-query-success-actionname |
+| oracle-db-access | oracle-db-kv-database-activity-success-connectdata |
+| oracle-db-access-1 | oracle-db-csv-database-activity-success-oracle |
+| oracle-db-access-2 | oracle-db-kv-database-activity-success-grant |
+| oracle-db-insert | oracle-db-str-database-query-success-insert |
+| oracle-db-login | oracle-db-json-database-login-logon |
+| oracle-db-login-1 | oracle-db-str-database-login-action |
+| oracle-db-login-2 | oracle-o-kv-database-login-success-standardaudit |
+| oracle-db-login-3 | oracle-db-kv-database-login-success-unifiedaudit |
+| oracle-db-logout-1 | oracle-db-kv-database-logout-success-logoff |
+| oracle-db-query | oracle-db-json-database-query-success-returncode |
+| oracle-db-query-1 | oracle-db-json-database-query-success-grantrole |
+| oracle-db-query-2 | oracle-db-json-database-query-success-alter |
+| oracle-db-query-3 | oracle-db-json-database-query-success-oraclefga |
+| oracle-db-query-4 | oracle-db-kv-database-query-success-select |
+| oracle-db-query-5 | oracle-db-kv-database-query-success-createtable |
+| oracle-db-update | oracle-db-json-database-modify-success-fga |
+| oracle-db-update-1 | oracle-db-kv-database-modify-success-update |
+| oracle-logout | oracle-db-str-app-logout-logoutok |
+| oracle-public-cloud-netflow-connection | oracle-pc-sk4-network-traffic-success-dataevent |
+| oracle-public-cloud-storage-access | oracle-pc-sk4-app-activity-success-oracle |
+| oracle-system-info | oracle-db-kv-app-activity-sqlbind |
+| ordr-json-alert | ordr-sce-json-alert-trigger-success-warning |
+| osirium-app-login | osirium-o-str-app-login-success-logged |
+| ossec-security-alert-1 | ossec-o-cef-alert-trigger-success-location |
+| ossec-security-alert-2 | ossec-o-kv-alert-trigger-success-syscheck |
+| ossec-system-event | wazuh-w-json-alert-trigger-wazuhalerts |
+| osx-local-logon | apple-macos-str-endpoint-login-success-storingcredential |
+| outlook-exchange-app-activity-1 | microsoft-exchange-kv-app-activity-softdelete |
+| outlook-exchange-app-activity-10 | microsoft-exchange-kv-app-activity-sendonbehalf |
+| outlook-exchange-app-activity-2 | microsoft-exchange-kv-app-activity-folderbind |
+| outlook-exchange-app-activity-3 | microsoft-exchange-kv-app-activity-harddelete |
+| outlook-exchange-app-activity-4 | microsoft-exchange-kv-app-activity-mailitemsaccessed |
+| outlook-exchange-app-activity-5 | microsoft-exchange-kv-app-activity-movetodeleteditems |
+| outlook-exchange-app-activity-6 | microsoft-exchange-kv-app-activity-setuser |
+| outlook-exchange-app-activity-7 | microsoft-exchange-kv-app-activity-updateinboxrules |
+| outlook-exchange-app-activity-8 | microsoft-exchange-kv-app-activity-update |
+| outlook-exchange-app-activity-9 | microsoft-exchange-kv-app-activity-sendas |
+| ovirt-app-activity-1 | ovirt-o-kv-app-activity-success-vmsetticket |
+| ovirt-app-activity-10 | ovirt-o-kv-app-activity-success-storagedomain |
+| ovirt-app-activity-11 | ovirt-o-kv-app-activity-success-useraddeddiskprofile |
+| ovirt-app-activity-12 | ovirt-o-kv-app-activity-success-useradddisktovm |
+| ovirt-app-activity-13 | ovirt-o-kv-app-activity-success-userstoppedvm |
+| ovirt-app-activity-14 | ovirt-o-kv-app-activity-success-userinitiatedshutdownvm |
+| ovirt-app-activity-15 | ovirt-o-kv-app-activity-success-useraddvmstarted |
+| ovirt-app-activity-16 | ovirt-o-kv-app-activity-success-networkaddvminterface |
+| ovirt-app-activity-17 | ovirt-o-kv-app-activity-success-networkactivatevminterfacesuccess |
+| ovirt-app-activity-18 | ovirt-o-kv-app-activity-success-entityrenamed |
+| ovirt-app-activity-2 | ovirt-o-kv-app-activity-success-vmconsoleconnected |
+| ovirt-app-activity-20 | ovirt-o-kv-app-activity-success-storagepool |
+| ovirt-app-activity-21 | ovirt-kv-str-app-activity-success-templatefinishedsuccess |
+| ovirt-app-activity-22 | ovirt-o-kv-app-activity-success-imageastemplate |
+| ovirt-app-activity-23 | ovirt-o-kv-app-activity-success-vdsactivate |
+| ovirt-app-activity-24 | ovirt-o-kv-app-activity-success-vdsmaintainance |
+| ovirt-app-activity-25 | ovirt-o-kv-app-activity-success-userupdatestoragedomain |
+| ovirt-app-activity-26 | ovirt-o-kv-app-activity-success-userovfupdate |
+| ovirt-app-activity-27 | ovirt-o-kv-app-activity-success-updatecluster |
+| ovirt-app-activity-28 | ovirt-o-kv-app-activity-success-userstopvm |
+| ovirt-app-activity-29 | ovirt-o-kv-app-activity-success-unregistereddisks |
+| ovirt-app-activity-3 | ovirt-o-kv-app-activity-success-userstartedvm |
+| ovirt-app-activity-30 | ovirt-o-kv-app-activity-success-removevmtemplate |
+| ovirt-app-activity-31 | ovirt-o-kv-app-activity-success-removedomain |
+| ovirt-app-activity-32 | ovirt-o-kv-app-activity-success-attachedtovms |
+| ovirt-app-activity-33 | ovirt-o-kv-app-activity-success-userfailedrunvm |
+| ovirt-app-activity-34 | ovirt-o-kv-app-activity-success-ejectvmdisk |
+| ovirt-app-activity-35 | ovirt-o-kv-app-activity-success-detachfrompool |
+| ovirt-app-activity-36 | ovirt-o-kv-app-activity-success-attachdomains |
+| ovirt-app-activity-37 | ovirt-o-kv-app-activity-success-addvds |
+| ovirt-app-activity-38 | ovirt-o-kv-app-activity-success-updateinterface |
+| ovirt-app-activity-39 | ovirt-o-kv-app-activity-success-addprofile |
+| ovirt-app-activity-4 | ovirt-o-kv-app-activity-success-vmconsoledisconnected |
+| ovirt-app-activity-5 | ovirt-o-kv-app-activity-success-userupdatevm |
+| ovirt-app-activity-6 | ovirt-o-kv-app-activity-success-clearlog |
+| ovirt-app-activity-7 | ovirt-o-kv-app-activity-success-changedisk |
+| ovirt-app-activity-8 | ovirt-o-kv-app-activity-success-attachstoragetopool |
+| ovirt-app-activity-9 | ovirt-o-kv-app-activity-success-adddomain |
+| ovirt-app-activity-failed | ovirt-o-str-app-activity-fail-validation |
+| ovirt-app-login | ovirt-o-str-app-login-success-loggedin |
+| ovirt-app-logout | ovirt-o-kv-app-logout-success-loggedout |
+| ovirt-app-logout-1 | ovirt-o-str-app-logout-success-successfullyloggedout |
+| ovirt-failed-app-login | ovirt-o-str-app-login-fail-ovirt |
+| ovirt-failed-app-login-1 | ovirt-o-str-app-login-fail-unabletologin |
\ No newline at end of file
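Review bot: the row `ovirt-app-activity-21` maps to `ovirt-kv-str-app-activity-success-templatefinishedsuccess`, which breaks the `<vendor>-<product>-<format>-...` naming every other ovirt row follows (`ovirt-o-kv-...` / `ovirt-o-str-...`); confirm whether that is the parser's real name or a typo, since a wrong new name makes the migration entry unusable. Two smaller points in the same region: `ovirt-app-activity-19` is absent from an otherwise contiguous 1..39 sequence (18 jumps to 20), and `openvpn-auth-failed-1` now resolves to `openvpn-ov-kv-app-notification-openvpn`, so any rule keyed on the old authentication-failure parser will see an app-notification activity type after migration. The file also ends without a trailing newline.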
diff --git a/ParsersLegacy/p_parsers.md b/ParsersLegacy/p_parsers.md
new file mode 100644
index 0000000..1422b69
--- /dev/null
+++ b/ParsersLegacy/p_parsers.md
@@ -0,0 +1,269 @@
+| Old Parser Name | New Parser Name |
+| ---------------------------------------- | ----------------------------------------------------------------------- |
+| packetfence-system-info-1 | packetfence-p-kv-app-notification-status |
+| packetfence-system-info-2 | packetfence-p-kv-app-notification-role |
+| packetfence-system-info-3 | packetfence-p-kv-app-notification-fromswitchip |
+| packetfence-system-info-4 | packetfence-p-str-app-notification-line |
+| packetfence-system-info-5 | packetfence-p-str-app-notification-connectiontypeiswirelessmacauth |
+| packetfence-system-info-6 | packetfence-p-str-app-notification-cantfindprovisionerfor |
+| palo-alto-app-activity | pan-gp-cef-app-activity-success-msg |
+| palo-alto-app-activity-1 | pan-aperture-csv-app-activity-success-monitoring |
+| palo-alto-app-activity-2 | pan-aperture-csv-app-activity-success-adminaudit |
+| palo-alto-app-login-1 | pan-aperture-csv-app-login-success-signin |
+| palo-alto-cortex-xdr-alert | pan-cortex-kv-alert-trigger-success-true |
+| palo-alto-cortex-xdr-system-info | pan-cortex-cef-endpoint-notification-success-cortexxdragent |
+| palo-alto-dlp-alert | pan-aperture-kv-alert-trigger-success-incident |
+| palo-alto-dlp-alert-1 | pan-aperture-csv-alert-trigger-success-policyviolation |
+| palo-alto-file-operations | pan-aperture-csv-file-success-activitymonitoring |
+| palo-alto-logout-1 | pan-aperture-csv-app-logout-success-signout |
+| palo-alto-networks-leef-setip | pan-gp-leef-vpn-login-success-globalprotect-6 |
+| palo-alto-networks-leef-system-info | pan-gp-leef-app-activity-system |
+| palo-alto-networks-leef-vpn-login | pan-gp-leef-vpn-login-success-userloginsucceeded |
+| palo-alto-networks-setip | pan-gp-csv-vpn-login-success-ssltunnel |
+| palo-alto-networks-twistlock-system-info | pan-prisma-kv-app-activity-success-twistlock |
+| paloalto-app-activity | pan-gp-cef-app-activity-success-gatewayhipcheck |
+| paloalto-app-activity-1 | pan-gp-cef-app-activity-success-gatewayhipreport |
+| paloalto-app-activity-2 | pan-gp-cef-app-activity-success-gatewaygetconfig |
+| paloalto-app-activity-3 | pan-gp-cef-app-activity-success-portalgetconfig |
+| paloalto-app-activity-4 | pan-gp-cef-app-activity-success-gatewayhipcheck-1 |
+| paloalto-app-activity-5 | pan-gp-cef-app-activity-success-gatewayhipreport-1 |
+| paloalto-app-activity-6 | pan-gp-cef-app-activity-success-gatewaygetconfig-1 |
+| paloalto-app-activity-7 | pan-gp-cef-app-activity-success-portalgetconfig-1 |
+| paloalto-firewall-alert-1 | pan-ngfw-json-alert-trigger-success-threat |
+| paloalto-firewall-allow | pan-ngfw-csv-network-traffic-success-allow |
+| paloalto-firewall-allow-1 | pan-ngfw-json-network-traffic-success-allow |
+| paloalto-firewall-allow-2 | pan-ngfw-csv-network-traffic-success-end |
+| paloalto-firewall-allow-3 | pan-ngfw-str-network-traffic-success-trafficallow |
+| paloalto-firewall-deny | pan-ngfw-csv-network-traffic-fail-panorama |
+| paloalto-firewall-deny-1 | pan-ngfw-csv-network-traffic-fail-tcp |
+| paloalto-firewall-drop | pan-ngfw-csv-network-traffic-fail-drop |
+| paloalto-firewall-drop-1 | pan-ngfw-str-network-traffic-fail-trafficdrop |
+| paloalto-firewall-traffic-deny | pan-ngfw-json-network-traffic-fail-drop |
+| paloalto-firewall-traffic-drop | pan-ngfw-json-network-traffic-fail-deny |
+| paloalto-firewall-traffic-drop-1 | pan-ngfw-json-network-traffic-fail-actiondrop |
+| paloalto-network-connection | pan-ngfw-csv-network-traffic-success-connection |
+| paloalto-ngfw-network-connection | pan-ngfw-json-network-traffic-fail-decryption |
+| paloalto-ngfw-source-stopped | pan-ngfw-str-alert-trigger-success-paseries |
+| paloalto-system-event | pan-gp-sk4-configuration-modify-gatewayconfigrelease |
+| paloalto-system-event-1 | pan-gp-cef-app-notification-success-globalprotect |
+| paloalto-vpn-end | pan-gp-sk4-vpn-logout-success-gatewaylogout |
+| paloalto-vpn-end-1 | pan-gp-cef-vpn-logout-success-gatewaylogout |
+| paloalto-vpn-login | pan-gp-sk4-vpn-login-portalauth |
+| paloalto-vpn-login-1 | pan-gp-sk4-vpn-login-gatewayprelogin |
+| paloalto-vpn-login-2 | pan-gp-sk4-vpn-login-portalprelogin |
+| paloalto-vpn-login-3 | pan-gp-sk4-vpn-login-gatewayconnected |
+| paloalto-vpn-login-4 | pan-gp-cef-vpn-login-gatewayregister |
+| paloalto-vpn-login-5 | pan-gp-cef-vpn-login-gatewayprelogin |
+| paloalto-vpn-login-6 | pan-gp-cef-vpn-login-portalprelogin |
+| paloalto-vpn-login-7 | pan-gp-cef-vpn-login-portalauth |
+| paloalto-vpn-login-8 | pan-gp-cef-vpn-login-gatewayconnected |
+| paloalto-vpn-start | pan-gp-sk4-vpn-login-gatewayauth |
+| paloalto-vpn-start-1 | pan-gp-cef-vpn-login-gatewayauth |
+| paloalto-web-activity | pan-ngfw-csv-http-session-webbrowsing |
+| paloalto-web-activity-1 | pan-ngfw-json-http-session-webbrowsing |
+| pam-account-switch-1 | ca-pamsc-kv-user-switch-success-0023 |
+| pam-account-switch-2 | ca-pamsc-kv-user-switch-success-0016 |
+| pam-app-login | ca-pamsc-kv-app-login-success-sso |
+| pam-auth-failed | ca-pamsc-csv-endpoint-login-fail-ldap |
+| pam-auth-failed-1 | ca-pamsc-csv-endpoint-login-fail-baduserid |
+| pam-auth-successful | ca-pamsc-csv-endpoint-login-success-loggedin |
+| pam-event-1 | ca-pamsc-kv-app-activity-admin |
+| pam-event-2 | ca-pamsc-kv-app-authentication-connection |
+| pam-event-3 | ca-pamsc-kv-app-activity-get |
+| pam-event-4 | ca-pamse-str-app-login-transactionlogin |
+| pam-event-5 | ca-pamsc-kv-app-logout-protocol |
+| pam-event-6 | ca-pamsc-kv-app-activity-put |
+| pam-event-7 | ca-pamsc-kv-app-activity-sessionrecording-1 |
+| pam-event-8 | ca-pamsc-kv-app-activity-system |
+| pam-logout | ca-pamsc-kv-app-logout-success-logout |
+| pam-logout-1 | ca-pamsc-kv-app-logout-success-conntimedout |
+| pam-logout-2 | ca-pamsc-kv-app-logout-success-connclosed |
+| pam-logout-3 | ca-pamsc-kv-app-logout-success-connterminated |
+| pam-remote-logon | ca-pamsc-kv-rdp-traffic-success-connection |
+| pam-system-info | ca-pamsc-kv-app-activity-sessionrecording |
+| pam360-app-login-ad | manageengine-pam360-str-app-login-success-userloggedin |
+| pam360-remote-session-ended | manageengine-pam360-str-app-activity-success-sessionended |
+| pam360-remote-session-started | manageengine-pam360-str-endpoint-login-success-sessionstarted |
+| pan-alert | pan-wildfire-csv-alert-trigger-success-threadwildfire |
+| pan-alert-1 | pan-wildfire-csv-alert-trigger-success-wildfirevirus |
+| pan-auth-failed | pan-gp-csv-endpoint-authentication-fail-authenticationfailed |
+| pan-auth-failed-1 | pan-gp-csv-endpoint-authentication-fail-authfail |
+| pan-auth-server-down | pan-ngfw-csv-app-notification-serverdown |
+| pan-auth-successful | pan-gp-csv-endpoint-authentication-success-authsuccess |
+| pan-auth-successful-1 | pan-gp-csv-vpn-login-useridlogin |
+| pan-auth-successful-2 | pan-gp-csv-endpoint-authentication-success-panoramaauthsuccess |
+| pan-authentication-userid-login | pan-gp-csv-vpn-login-success-login-1 |
+| pan-azure-auth-attempt | pan-gp-csv-app-authentication-authprofileazure |
+| pan-azure-auth-successful | pan-gp-csv-endpoint-login-success-system |
+| pan-cef-alert | pan-wildfire-kv-alert-trigger-success-wildfirethreat |
+| pan-cef-alert-1 | pan-wildfire-cef-alert-trigger-success-filethreat |
+| pan-cef-alert-2 | pan-wildfire-cef-alert-trigger-success-panos |
+| pan-cef-alert-3 | pan-wildfire-cef-alert-trigger-success-wildfirevirusthreat |
+| pan-cef-alert-4 | pan-wildfire-cef-alert-trigger-scan |
+| pan-cef-alert-5 | pan-wildfire-cef-alert-trigger-success-compliantrequest |
+| pan-cef-alert-6 | pan-wildfire-cef-alert-trigger-success-threat |
+| pan-cef-alert-7 | pan-wildfire-cef-alert-trigger-success-lsardeleteaccess |
+| pan-config-change | pan-ngfw-csv-configuration-modify-success-config |
+| pan-data-alert | pan-ngfw-csv-alert-trigger-success-data |
+| pan-failed-vpn-login | pan-ngfw-json-vpn-login-fail-failure |
+| pan-file-alert | pan-ngfw-json-alert-trigger-success-threatalert |
+| pan-flood-alert | pan-ngfw-csv-alert-trigger-success-flood |
+| pan-fw-packet-logs | pan-ngfw-kv-network-traffic-success-packetlog |
+| pan-leef-network-alert | pan-ngfw-leef-alert-trigger-success-syslogintegration |
+| pan-logout | pan-ngfw-csv-app-logout-logout |
+| pan-ngfw-system-auth | pan-ngfw-csv-app-authentication-success-general |
+| pan-packet-network-connection | pan-ngfw-csv-network-traffic-packet |
+| pan-proxy | pan-ngfw-csv-http-session-9999 |
+| pan-remote-logon | pan-ngfw-csv-endpoint-login-success-system |
+| pan-spyware-alert | pan-ngfw-json-alert-trigger-success-spyware |
+| pan-system | pan-ngfw-csv-app-notification-system |
+| pan-system-conn-status | pan-ngfw-csv-app-notification-connstatus |
+| pan-system-dhcp | pan-ngfw-csv-dhcp-traffic-generalinformational |
+| pan-system-dnsproxy | pan-ngfw-csv-app-activity-dnsproxy |
+| pan-system-event-1 | pan-tesm-csv-policy-modify-success-agent |
+| pan-system-event-2 | pan-tesm-csv-app-notification-success-heartbeat |
+| pan-system-event-3 | pan-tesm-csv-service-state-modify-success-statuschange |
+| pan-system-event-4 | pan-tesm-csv-service-start-success-servicealive |
+| pan-system-event-5 | pan-tesm-csv-endpoint-stop-success-shutdown |
+| pan-system-event-6 | pan-tesm-csv-app-notification-success-validationfailed |
+| pan-system-general | pan-ngfw-csv-app-activity-general |
+| pan-system-globalprotect | pan-ngfw-csv-app-activity-globalprotect |
+| pan-system-ha | pan-ngfw-csv-app-activity-ha |
+| pan-system-info | pan-tesm-csv-alert-trigger-hipmatch |
+| pan-system-info-1 | pan-panorama-kv-app-activity-panoramaver |
+| pan-system-ntpd | pan-ngfw-csv-app-time-modify-ntpd |
+| pan-system-ras | pan-ngfw-csv-configuration-load-ras |
+| pan-system-routing | pan-ngfw-csv-configuration-routing-modify-success-routing |
+| pan-system-satd | pan-ngfw-csv-configuration-load-satd |
+| pan-system-sslmgr | pan-ngfw-csv-configuration-load-sslmgr |
+| pan-system-tls | pan-ngfw-csv-app-notification-success-systemtls |
+| pan-system-url-filtering | pan-ngfw-csv-app-notification-urlfiltering |
+| pan-system-userid | pan-ngfw-csv-app-notification-userid |
+| pan-system-vpn | pan-ngfw-csv-vpn-authentication-systemvpn |
+| pan-system-wildfire | pan-ngfw-csv-app-activity-wildfire |
+| pan-traps-alert | pan-tesm-str-alert-trigger-success-trapsagent |
+| pan-url-alert | pan-ngfw-csv-alert-trigger-success-url |
+| pan-virus-alert | pan-ngfw-mix-alert-trigger-success-virus |
+| pan-virus-alert-1 | pan-ngfw-json-alert-trigger-success-resetserver |
+| pan-vpn-login-1 | pan-ngfw-json-vpn-login-success-userid |
+| pan-vpn-login-2 | pan-gp-cef-vpn-login-success-loginuserid |
+| pan-vpn-login-failed | pan-gp-csv-vpn-login-fail-registfail |
+| pan-vpn-logout | pan-gp-csv-vpn-logout-success-logout |
+| pan-vpn-logout-1 | pan-ngfw-json-vpn-logout-success-logout |
+| pan-vpn-logout-2 | pan-gp-cef-vpn-logout-success-logoutuserid |
+| pan-vulnerability-alert | pan-ngfw-json-alert-trigger-success-vulnerability-1 |
+| pan-vulnerability-alert-2 | pan-ngfw-json-alert-trigger-success-vulnerability-2 |
+| pan-wildfire-alert-1 | pan-wildfire-json-alert-trigger-success-wildfire |
+| paxton-badge-access | paxton-net2door-kv-physical-location-access-paxtonnet2 |
+| pensando-flow-create | amd-p-csv-network-session-flowcreate |
+| pensando-flow-delete | amd-p-csv-network-notification-success-flowdelete |
+| perforce-app-activity | perforce-p-str-app-activity-appactivity |
+| perforce-app-activity-1 | perforce-p-str-app-activity-success-sarver |
+| pfsense-network-connection-failed | pfsense-p-csv-network-traffic-fail-block |
+| pfsense-network-connection-successful | pfsense-p-csv-network-traffic-success-match |
+| pgsql-db-query | postgresql-p-json-database-query-success-databasequery |
+| physical-badge-access | amag-sac-kv-physical-location-access-eventcode |
+| physical-badge-access-1 | amag-sac-kv-physical-location-access-datetimeoftxn |
+| physical-badge-access-2 | badge-b-kv-physical-location-access-personname |
+| physical-badge-access-3 | siemens-s-kv-physical-location-access-direction |
+| ping-app-login | pingidentity-pi-cef-app-login-success-pingfederate |
+| ping-app-login-4 | pingidentity-pi-str-app-login-success-ssosuccess |
+| ping-auth-attempt-1 | pingidentity-pi-str-app-authentication-success-authattempt |
+| ping-auth-attempt-2 | pingidentity-pi-str-app-authentication-success-oauth |
+| ping-auth-failed-1 | pingidentity-pi-cef-endpoint-authentication-fail-authnattemptfail |
+| ping-auth-failed-2 | pingidentity-pi-cef-endpoint-authentication-fail-failure-1 |
+| ping-auth-failed-4 | pingidentity-pi-str-endpoint-login-fail-tid |
+| ping-auth-failed-5 | pingidentity-pi-str-endpoint-login-fail-oauth |
+| ping-auth-successful-1 | pingidentity-pi-str-endpoint-authentication-success-authnattemptsuccess |
+| ping-auth-successful-2 | pingidentity-pi-str-endpoint-authentication-success-oauthsuccess |
+| ping-auth-successful-4 | pingidentity-pi-str-endpoint-login-success-authn |
+| ping-auth-successful-5 | pingidentity-pi-str-endpoint-login-success-oauth |
+| ping-auth-successful-6 | pingidentity-pi-str-endpoint-authentication-success-authnsessioncreated |
+| ping-auth-successful-7 | pingidentity-pi-str-endpoint-authentication-success-authsessionused |
+| ping-auth-successful-8 | pingidentity-pi-str-endpoint-login-success-stssuccess |
+| ping-authentication-attempt | pingidentity-pi-json-app-authentication-success-pingid |
+| ping-authentication-attempt-1 | pingidentity-pi-json-app-authentication-success-user |
+| ping-authentication-attempt-2 | pingidentity-pi-json-app-authentication-fail-unsuccessattempt |
+| ping-authentication-attempt-3 | pingidentity-pi-sk4-app-authentication-success-queue |
+| ping-authentication-attempt-4 | pingidentity-pi-sk4-app-authentication-success-delivery |
+| ping-authentication-failed | pingidentity-pi-json-app-authentication-fail-user |
+| ping-authentication-failed-1 | pingidentity-pi-json-app-authentication-fail-pingid |
+| ping-authentication-successful | pingidentity-pi-json-vpn-authentication-success-policy |
+| ping-authentication-successful-1 | pingidentity-pi-json-vpn-authentication-success-pingid |
+| ping-failed-app-login-4 | pingidentity-pi-str-app-login-fail-ssofailure |
+| ping-federate-auth | pingidentity-pi-json-endpoint-authentication-success-fail-idp |
+| ping-logout | pingidentity-pi-kv-app-logout-success-slo |
+| ping-logout-1 | pingidentity-pi-kv-app-logout-success-authsessiondelete |
+| ping-system-info-1 | pingidentity-pi-kv-app-notification-success-requesthandler |
+| ping-system-info-2 | pingidentity-pi-kv-app-notification-success-aborthandler |
+| ping-system-info-3 | pingidentity-pi-kv-app-notification-success-asynchronousrequest |
+| placeholder-NGCIM-2384 | microsoft-o365-sk4-app-file-operationworkload |
+| pmp-account-switch | passwordmngrpro-p-str-user-switch-success-pwdretrieved |
+| pmp-app-login | passwordmngrpro-p-str-app-login-userloggedin |
+| pmp-auth-failed | passwordmngrpro-p-str-app-authentication-fail-authenticationfail |
+| pmp-auth-successful | passwordmngrpro-p-str-app-authentication-passwordapproved |
+| pmp-logout | passwordmngrpro-p-str-app-logout-userloggedout |
+| pmp-password-change | passwordmngrpro-p-str-user-password-modify-success-pwdchanged |
+| pmp-system-info-1 | passwordmngrpro-p-str-password-checkin-passwordcheckedin |
+| pmp-system-info-2 | passwordmngrpro-p-str-password-checkout-passwordcheckedout |
+| pmp-system-info-3 | passwordmngrpro-p-str-user-password-create-passwordrequested |
+| pmp-system-info-4 | passwordmngrpro-p-str-user-modify-settingchanged |
+| pmp-system-info-5 | passwordmngrpro-p-str-password-download-resourceexported |
+| portox-nac-failed-logon | portox-clear-cef-endpoint-login-fail-accessdenied |
+| portox-nac-failed-logon-1 | portox-clear-cef-endpoint-login-fail-authreject |
+| portox-nac-failed-logon-2 | portox-clear-cef-endpoint-login-fail-accountnotfound |
+| portox-nac-failed-logon-3 | portox-clear-cef-endpoint-login-fail-macbypassdenied |
+| portox-nac-logon | portox-clear-cef-endpoint-login-success-deviceauthsuccess |
+| portox-nac-logon-1 | portox-clear-cef-endpoint-login-success-guestauthsuccess |
+| postfix-dlp-email | unix-postfix-csv-app-notification-postfix |
+| postfix-dlp-email-from | postfix-postfix-kv-email-queue |
+| postgresql-database-login | postgresql-p-csv-database-login-success-authentication |
+| powersentry-app-activity | powersentry-ps-str-app-activity-primaryhost |
+| powersentry-app-login | powersentry-ps-str-app-login-success-sentry |
+| powersentry-failed-login | powersentry-ps-str-app-login-fail-loginunsuccessfull |
+| powersentry-logout | powersentry-ps-str-app-logout-success-loggedout |
+| powershell-4104 | microsoft-evpowershell-str-script-execute-success-4104 |
+| powershell-800 | "microsoft-evdnsserver-xml-process-create-success-800 |
+| powershell-800-syslog | microsoft-evdnsserver-kv-process-create-success-800-1 |
+| powershell-800-syslog-1 | microsoft-evdnsserver-kv-process-create-success-800 |
+| powershell-process-created | microsoft-windows-kv-process-create-success-available |
+| powershell-process-created-1 | microsoft-windows-kv-process-create-success-started |
+| powershell-process-created-2 | microsoft-evpowershell-kv-process-create-success-executing |
+| pro-file-object | procad-p-json-app-activity-appactivity |
+| progress-db-remote-logon | progress-pdatabase-str-endpoint-login-success-742 |
+| proofpoint-dlp-alert | proofpoint-casb-json-alert-trigger-success-dataleakage |
+| proofpoint-dlp-email-from | proofpoint-tappod-json-email-send-receive-sendmailfrom |
+| proofpoint-dlp-email-to | proofpoint-tappod-json-email-send-receive-sendmailto |
+| proofpoint-email | proofpoint-tappod-json-email-send-receive-rcpts |
+| proofpoint-email-1 | proofpoint-tap-json-email-envelope |
+| proofpoint-email-2 | proofpoint-tap-json-email-receive-fail-emailreceived |
+| proofpoint-email-3 | proofpoint-tap-sk4-email-routedirection |
+| proofpoint-email-4 | proofpoint-tappod-json-email-receive-fail-emailreceived |
+| proofpoint-email-5 | proofpoint-tappod-sk4-email-receive-fail-emailreceived |
+| proofpoint-email-6 | proofpoint-tappod-leef-email-resolvestatus |
+| proofpoint-m1 | proofpoint-tappod-cef-email-send-receive-envfrom |
+| proofpoint-m10 | proofpoint-pep-kv-alert-trigger-urldefense |
+| proofpoint-m11 | proofpoint-pep-kv-email-receive-envrcpt |
+| proofpoint-m12 | proofpoint-pep-kv-email-send-sendmail |
+| proofpoint-m13 | proofpoint-pep-kv-app-notification-checksubmsg |
+| proofpoint-m14 | proofpoint-pep-kv-app-activity-cmd |
+| proofpoint-m15 | proofpoint-tappod-cef-email-send-receive-runfrom |
+| proofpoint-m2 | proofpoint-tappod-cef-email-send-receive-datarcpt |
+| proofpoint-m3 | proofpoint-tappod-cef-email-send-receive-msg |
+| proofpoint-m4 | proofpoint-tappod-cef-email-send-receive-attachment |
+| proofpoint-m5 | proofpoint-tappod-cef-email-send-receive-run |
+| proofpoint-m6 | proofpoint-tappod-cef-email-send-receive-datafrom |
+| proofpoint-m7 | proofpoint-pep-kv-smtp-start-session |
+| proofpoint-m8 | proofpoint-pep-kv-smtp-close-disconnect |
+| proofpoint-m9 | proofpoint-pep-kv-app-notification-judge |
+| proofpoint-security-alert | proofpoint-casb-json-alert-trigger-success-suspiciouslogin |
+| proofpoint-security-alert-1 | proofpoint-casb-json-alert-trigger-success-severity |
+| proofpoint-system-info | proofpoint-tappod-sk4-app-notification-success-hostnotfound |
+| proofpoint-system-info-1 | proofpoint-tappod-sk4-app-notification-success-userunknown |
+| prowatch-badge-access | "honeywell-pw-xml-physical-location-access-evntdat |
+| prowatch-badge-access-1 | honeywell-pw-json-physical-location-access-success-badgeno |
+| prowatch-badge-access-3 | honeywell-pw-csv-physical-location-access-success-exabeam |
+| proxysg-auth-failed-1 | proxysg-p-kv-endpoint-login-fail-invalidcreds |
+| proxysg-auth-failed-2 | symantec-wss-str-endpoint-login-fail-auth |
+| pulsesecure-account-deleted | juniper-ps-str-user-delete-success-modified |
+| pulsesecure-vpn-login | juniper-ps-str-vpn-login-success-login |
\ No newline at end of file
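Review bot: two new-name cells carry a stray leading double quote, `"microsoft-evdnsserver-xml-process-create-success-800` (row `powershell-800`) and `"honeywell-pw-xml-physical-location-access-evntdat` (row `prowatch-badge-access`); these look like CSV-export residue and will not match the actual parser names, so drop the quote. Also worth a second look before merging: `powershell-800` and both `powershell-800-syslog` rows map to `microsoft-evdnsserver-...` parsers rather than a PowerShell product, `placeholder-NGCIM-2384` reads like an internal tracking-ticket placeholder that leaked into a published table, and `pingidentity-pi-json-endpoint-authentication-success-fail-idp` carries both a `success` and a `fail` outcome token in one name. The file also ends without a trailing newline.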
diff --git a/ParsersLegacy/q_parsers.md b/ParsersLegacy/q_parsers.md
new file mode 100644
index 0000000..b3ebf05
--- /dev/null
+++ b/ParsersLegacy/q_parsers.md
@@ -0,0 +1,231 @@
+| Old Parser Name | New Parser Name |
+| ------------------------------------ | ------------------------------------------------------------------------ |
+| q-4656 | microsoft-evsecurity-kv-handle-request-4656-1 |
+| q-4662 | microsoft-evsecurity-kv-ds-object-move-success-4662 |
+| q-4697 | microsoft-evsecurity-kv-service-create-success-4697-1 |
+| q-4698 | "microsoft-evsecurity-xml-scheduled-task-create-success-4698-2 |
+| q-4800 | microsoft-evsecurity-kv-endpoint-lock-success-4800-3 |
+| q-4801 | microsoft-evsecurity-kv-endpoint-unlock-success-4801-3 |
+| q-5156 | microsoft-evsecurity-kv-network-session-success-5156 |
+| q-5158 | microsoft-evsecurity-kv-network-session-success-5158 |
+| q-6272 | microsoft-evnps-kv-endpoint-login-success-6272 |
+| q-6273 | microsoft-evnps-kv-radius-traffic-fail-6273 |
+| q-628 | microsoft-evsecurity-kv-user-password-reset-success-628 |
+| q-672 | microsoft-evsecurity-kv-endpoint-672 |
+| q-673 | microsoft-evsecurity-kv-endpoint-login-673 |
+| q-675 | microsoft-evsecurity-kv-endpoint-login-fail-675-3 |
+| q-680 | microsoft-evsecurity-kv-endpoint-login-680-3 |
+| q-adfs-auth-failed | microsoft-evsecurity-mix-endpoint-login-fail-1203 |
+| q-adfs-auth-failed-1 | microsoft-evsecurity-mix-endpoint-login-fail-1201 |
+| q-adfs-auth-failed-2 | microsoft-evsecurity-kv-endpoint-login-fail-411-1 |
+| q-adfs-auth-successful | microsoft-windows-mix-endpoint-login-success-1202 |
+| q-adfs-auth-successful-1 | microsoft-evsecurity-mix-endpoint-login-success-1200 |
+| q-aruba-failed-nac-logon | hp-arubacpm-kv-radius-traffic-fail-authfailed-2 |
+| q-aruba-failed-nac-logon-1 | hp-arubacpm-kv-radius-traffic-fail-authfailed |
+| q-aruba-nac-logon-1 | hp-arubacpm-kv-endpoint-login-success-logguestaccess |
+| q-aruba-nac-logon-2 | hp-arubacpm-kv-endpoint-login-success-loggedinuser |
+| q-aruba-nac-logon-3 | hp-arubacpm-kv-radius-traffic-success-radiusaccounting |
+| q-aruba-nac-logon-4 | hp-arubacpm-kv-radius-traffic-success-session |
+| q-aruba-nac-logon-5 | hp-arubacpm-kv-radius-traffic-success-loggedinusers |
+| q-aruba-nac-logon-6 | hp-arubacpm-kv-radius-traffic-success-guest |
+| q-aruba-nac-logon-7 | hp-arubacpm-kv-endpoint-login-success-authenticated |
+| q-asa-6-113039-vpn-start | cisco-asa-str-vpn-login-success-113039 |
+| q-asa-722037-vpn-end | cisco-asa-str-vpn-logout-success-722037 |
+| q-beyondtrust-process-created | beyondtrust-powerbroker-str-process-create-success-messageforwarded |
+| q-bit9-epp-alert | vmware-carbonblackappctrl-leef-alert-trigger-success-parity |
+| q-box-app-activity | box-ccm-json-file-activity-success-event |
+| q-ccure-badge-access | "tyco-ccure-xml-physical-location-access-fail-xmlmessage |
+| q-checkpoint-alert | checkpoint-es-kv-alert-trigger-success-protection |
+| q-cisco-acs-nac-logon | cisco-ise-kv-radius-traffic-success-cscoacspassedauth |
+| q-cisco-dns-response | cisco-umbrella-json-dns-response-success-identities |
+| q-crowdstrike-process-alert-1 | crowdstrike-falcon-leef-alert-trigger-success-md5 |
+| q-dlp-alert | symantec-dlp-leef-alert-email-modified |
+| q-duo-app-activity-1 | cisco-duo-kv-app-activity-success-sendenrollcode |
+| q-duo-app-activity-2 | cisco-duo-json-app-activity-success-usercreate-1 |
+| q-duo-app-activity-3 | cisco-duo-json-app-activity-success-phoneupdate |
+| q-duo-app-activity-4 | cisco-duo-json-app-activity-success-userpending |
+| q-duo-app-activity-5 | cisco-duo-kv-app-activity-success-userupdate |
+| q-duo-app-login | cisco-duo-kv-app-login-success-adminlogin |
+| q-duo-auth-failed | cisco-duo-kv-endpoint-authentication-fail-failure |
+| q-duo-auth-successful | cisco-duo-kv-endpoint-authentication-success-success |
+| q-duo-failed-app-login | cisco-duo-kv-app-login-fail-adminloginerror |
+| q-exchange-dlp-email-in | microsoft-exchange-kv-email-receive-deliver |
+| q-exchange-dlp-email-in-1 | microsoft-exchange-kv-email-receive-incoming |
+| q-exchange-dlp-email-in-2 | microsoft-exchange-kv-email-receive-success-smtp |
+| q-exchange-dlp-email-in-3 | microsoft-exchange-kv-email-receive-fail-incoming |
+| q-exchange-dlp-email-in-4 | microsoft-exchange-kv-email-receive-success-redirect |
+| q-exchange-dlp-email-in-5 | microsoft-exchange-kv-email-receive-success-send |
+| q-exchange-dlp-email-out | microsoft-exchange-kv-email-send-originating |
+| q-exchange-dlp-email-out-1 | microsoft-exchange-kv-email-send-originating-1 |
+| q-exchange-dlp-email-out-2 | microsoft-exchange-kv-email-send-fail-sendfailed |
+| q-exchange-dlp-email-out-3 | microsoft-exchange-kv-email-send-success-deliver |
+| q-exchange-dlp-email-out-4 | microsoft-exchange-kv-email-send-fail-sendfailed-1 |
+| q-exchange-dlp-email-out-5 | microsoft-exchange-kv-email-send-success-send |
+| q-failed-app-login | microsoft-exchange-kv-app-login-success-401 |
+| q-fireeye-mps | fireeye-networksecurity-leef-alert-trigger-success-fireeyemps |
+| q-firesight-alert | cisco-fp-kv-alert-trigger-success-ipsimpact |
+| q-firesight-alert-2 | cisco-fp-kv-alert-trigger-success-intrusionevent |
+| q-firesight-alert-3 | cisco-fp-kv-alert-trigger-success-filemalwareevent |
+| q-firesight-alert-4 | cisco-fp-kv-alert-trigger-success-intrusioneventrecordipv4 |
+| q-gemalto-auth-attempt | thalesgroup-gmfa-str-app-authentication-success-challenge |
+| q-gemalto-auth-failed | thalesgroup-gmfa-str-endpoint-login-fail-authfailure |
+| q-gemalto-auth-success | thalesgroup-gmfa-str-endpoint-login-success-authsuccess |
+| q-ibm-network-alert | ibm-pnips-leef-alert-trigger-success-attack |
+| q-ibm-system-info | ibm-pnips-leef-app-activity-audit |
+| q-imperva-proxy | imperva-incapsula-leef-http-request-incapsula |
+| q-kiteworks-app-activity | accellion-kw-kv-app-activity-success-userprofile |
+| q-kiteworks-app-activity-1 | accellion-kw-kv-app-activity-success-userdeleted |
+| q-kiteworks-app-activity-2 | accellion-kw-kv-app-activity-success-requestedafile |
+| q-kiteworks-app-activity-3 | accellion-kw-kv-app-activity-success-viewedemailsubject |
+| q-kiteworks-app-activity-4 | accellion-kw-kv-app-activity-success-draftchanged |
+| q-kiteworks-app-activity-5 | accellion-kw-kv-app-activity-success-createddraft |
+| q-kiteworks-app-login | accellion-kw-str-app-login-success-sessionstarted |
+| q-kiteworks-app-login-1 | accellion-kw-mix-app-login-success-loggedin |
+| q-kiteworks-email-out | accellion-kw-kv-email-send-success-withfiles |
+| q-kiteworks-email-out-1 | accellion-kw-kv-email-send-success-draftcreated |
+| q-kiteworks-file-delete | accellion-kw-kv-file-delete-success-deletedfolder |
+| q-kiteworks-file-download | accellion-kw-kv-file-download-success-downloadedfile |
+| q-kiteworks-file-download-1 | accellion-kw-kv-file-download-success-downloadedarchive |
+| q-kiteworks-file-download-2 | accellion-kw-kv-file-download-success-downloaded |
+| q-kiteworks-file-permission-change | accellion-kw-kv-file-permission-modify-success-addednewpermission |
+| q-kiteworks-file-read | accellion-kw-kv-file-read-success-viewedfile |
+| q-kiteworks-file-read-1 | accellion-kw-kv-file-read-success-viewfile |
+| q-kiteworks-file-upload | accellion-kw-kv-file-upload-success-uploadedfile |
+| q-kiteworks-file-upload-1 | accellion-kw-kv-file-upload-success-uploadedfile1 |
+| q-kiteworks-file-write | accellion-kw-kv-file-write-success-createdfolder |
+| q-kiteworks-password-change | accellion-kiteworks-kv-user-password-modify-success-updatedpassword |
+| q-ldap-auth-attempt | sunone-s-kv-endpoint-authentication-bind |
+| q-ldap-auth-attempt-1 | sunone-s-json-endpoint-authentication-ldapbind |
+| q-ldap-auth-attempt-2 | sunone-s-json-endpoint-authentication-success-message |
+| q-leef-ds-account-disabled | stealthbits-s-leef-user-disable-success-accountdisabled |
+| q-leef-ds-account-enabled | stealthbits-s-leef-user-enable-success-accountenable |
+| q-leef-ds-member-added | stealthbits-s-leef-group-member-add-success-memberadded |
+| q-leef-ds-member-removed | stealthbits-s-leef-group-member-remove-success-memberremoved |
+| q-leef-ds-object-modification | stealthbits-s-leef-ds-object-activity-attrnewvalue |
+| q-leef-invincea-alert | sophos-invincea-leef-alert-trigger-success-kiwisyslogserver |
+| q-leef-securesphere-db-login | imperva-securesphere-leef-database-login-success-valid |
+| q-leef-securesphere-db-query | imperva-securesphere-leef-database-query-success-query |
+| q-lenel-badge-access | lenel-og-kv-physical-location-access-success-accessgranted-1 |
+| q-lenel-badge-access-1 | lenel-og-kv-physical-location-access-accessgranted-2 |
+| q-mcafee-epo-alert | mcafee-es-kv-alert-trigger-success-threatcategory |
+| q-mcafee-epo-dlp-alert | mcafee-dlp-kv-alert-trigger-success-mailfilter |
+| q-member-added-2008 | microsoft-evsecurity-kv-group-member-add-success-memberadd |
+| q-member-removed-2003 | microsoft-evsecurity-kv-group-member-remove-success-groupmemberremoved-1 |
+| q-member-removed-2008 | microsoft-evsecurity-str-group-member-remove-success-memberwasremoved |
+| q-microsoft-4648 | microsoft-evsecurity-kv-user-switch-success-4648-2 |
+| q-microsoft-4719 | microsoft-evsecurity-kv-audit-policy-modify-success-4719-2 |
+| q-microsoft-4740 | microsoft-evsecurity-kv-user-lock-success-4740-1 |
+| q-microsoft-dhcp | microsoft-windows-kv-dhcp-session-success-assign |
+| q-microsoft-dhcp-renew | microsoft-windows-kv-dhcp-session-success-renew |
+| q-microsoft-dhcp-update | microsoft-windows-kv-dhcp-session-success-dnsupdate |
+| q-microsoft-print-activity | microsoft-evprintservice-kv-printer-activity-success-1 |
+| q-o365-dlp-email | microsoft-o365-kv-email-quarantined |
+| q-o365-sharepoint-activity | microsoft-o365-json-file-success-workload |
+| q-o365-siem-security-alert | microsoft-mcas-cef-alert-trigger-success-siemagent |
+| q-oam-app-activity-10 | oracle-oam-kv-app-activity-success-plugininvocationstart |
+| q-oam-app-activity-11 | oracle-oam-kv-app-activity-success-sessioncreation |
+| q-oam-app-activity-12 | oracle-oam-kv-app-activity-success-sessiondestroy |
+| q-oam-app-activity-2 | oracle-oam-kv-app-activity-success-authenticationattemp |
+| q-oam-app-activity-3 | oracle-oam-kv-app-activity-success-authorization |
+| q-oam-app-activity-4 | oracle-oam-kv-app-activity-success-credentialchallenge |
+| q-oam-app-activity-5 | oracle-oam-kv-app-activity-success-credentialsubmit |
+| q-oam-app-activity-6 | oracle-oam-kv-app-activity-success-credentialvalidation |
+| q-oam-app-activity-7 | oracle-oam-kv-app-activity-success-plugininvocationcomplete |
+| q-oam-app-activity-8 | oracle-oam-kv-app-activity-success-plugininvocationpause |
+| q-oam-app-activity-9 | oracle-oam-kv-app-activity-success-plugininvocationresume |
+| q-oam-app-login | oracle-am-kv-app-login-success-login |
+| q-oam-auth-successful | oracle-am-kv-endpoint-authentication-success-auth |
+| q-oam-logout | oam-am-kv-app-logout-success-logout |
+| q-okta-app-activity | okta-amfa-csv-app-login-success-securitycontext |
+| q-okta-app-login | okta-amfa-json-app-login-success-signinsuccessful |
+| q-okta-app-login-1 | okta-amfa-json-app-login-success-radiusagent |
+| q-okta-app-login-2 | okta-amfa-json-app-login-success-activedirectory |
+| q-okta-app-login-3 | okta-amfa-json-app-login-success-signin |
+| q-okta-app-login-4 | okta-amfa-json-app-login-success-singlesignon |
+| q-okta-app-login-5 | okta-amfa-json-app-login-success-iwaauthentication |
+| q-okta-app-login-6 | okta-amfa-json-app-login-success-evaluatesignon |
+| q-okta-app-logout | okta-mfa-json-app-logout-success-published |
+| q-okta-failed-app-login | okta-amfa-json-app-login-fail-signinfailed-1 |
+| q-okta-failed-app-login-1 | okta-amfa-json-app-login-fail-signin |
+| q-okta-failed-app-login-2 | okta-amfa-mix-app-login-fail-activedirectory |
+| q-oracle-db-login | oracle-db-kv-database-login-fail-user |
+| q-oracle-db-query | oracle-db-mix-database-query-success-audit |
+| q-pan-leef-alert | pan-wildfire-leef-alert-trigger-success-threat |
+| q-pan-vpn-setip | pan-gp-leef-vpn-login-success-clientconfigurationgenerated |
+| q-pan-vpn-start | pan-gp-leef-vpn-login-success-gatewayuser |
+| q-physical-badge-access | datawatchsystems-datawatch-str-physical_location-access-badgeaccess |
+| q-process-alert-carbonblack | vmware-carbonblackedr-leef-alert-trigger-success-watchlist |
+| q-process-alert-carbonblack-1 | vmware-carbonblackedr-leef-alert-trigger-success-feed |
+| q-proofpoint-email | proofpoint-tappod-leef-email-externaluser |
+| q-prowatch-badge-access | honeywell-pw-kv-physical-location-access-success-location |
+| q-qip-dhcp | nokia-vqip-kv-dhcp-session-success-dhcpsession |
+| q-quest-directory-access | questsoftware-caad-leef-ds-object-activity-changeauditor |
+| q-safenet-auth-attempt | safenet-thales-cef-app-authentication-auth |
+| q-sendmail-dlp-email-alert | unix-sm-kv-email-receive-success-sentemail |
+| q-snort-alert | snort-s-str-alert-trigger-success-potentiallyvulnerable |
+| q-snort-alert-1 | snort-s-cef-alert-trigger-success-classification |
+| q-symantec-dlp-alert | symantec-dlp-kv-email-send-incident-1 |
+| q-symantec-dlp-alert-1 | symantec-dlp-leef-alert-trigger-success-corporatenetwork |
+| q-symantec-dlp-email-out | symantec-dlp-leef-email-send-success-corporatenetwork |
+| q-symantec-system-info | symantec-endpointprotection-kv-app-notification-eventdescription |
+| q-symantec-system-info-1 | symantec-endpointprotection-json-app-activity-appactivity |
+| q-symantec-system-info-2 | symantec-endpointprotection-json-app-activity-appactivity-1 |
+| q-symantec-system-info-3 | symantec-endpointprotection-kv-app-activity-symantecserver |
+| q-tippingpoint-sms-alert | trendmicro-tippingpoint-str-alert-trigger-success-tcp-1 |
+| q-tippingpoint-sms-alert-1 | trendmicro-tippingpoint-str-alert-trigger-success-http |
+| q-tippingpoint-sms-alert-2 | trendmicro-tippingpoint-str-alert-trigger-success-ip |
+| q-tippingpoint-sms-alert-3 | trendmicro-tippingpoint-str-alert-trigger-success-udp |
+| q-tippingpoint-sms-alert-4 | trendmicro-tippingpoint-str-alert-trigger-success-smb |
+| q-tippingpoint-sms-alert-5 | trendmicro-tippingpoint-str-alert-trigger-success-icmp |
+| q-trendmicro-dlp-alert | trendmicro-officescan-kv-alert-trigger-success-transmissiondetected |
+| q-trendmicro-epp-alert | trendmicro-officescan-str-alert-trigger-success-virus |
+| q-trendmicro-syslog-alert | trendmicro-officescan-str-alert-trigger-success-officescan |
+| q-unix-as | unix-unix-mix-user-switch-success-sshdsession |
+| q-unix-audispd-logon | unix-unix-kv-ssh-traffic-audispd |
+| q-unix-dhcp-1 | unix-dhcpd-csv-dhcp-session-success-dhcpdrenewed |
+| q-varonis-file-activity | varonis-dsp-leef-file-success-datadvantage |
+| q-vontu-dlp-alert | symantec-dlp-kv-email-send-vontu |
+| q-winpak-badge-access | honeywell-wp-kv-physical-location-access-success-accessgranted |
+| q-wsa-proxy | cisco-securewebapp-csv-http-session-qradarlogging |
+| q-xgs-network-alert | ibm-qns-leef-alert-trigger-success-isnp |
+| q-zscaler-web-activity | zscaler-ia-leef-http-session-nss |
+| qualys-security-alert | qualys-q-kv-alert-trigger-success-scan |
+| quest-account-locked | questsoftware-caad-str-user-lock-success-changeauditor |
+| quest-account-unlocked | questsoftware-caad-str-user-unlock-success-changeauditor |
+| quest-change-account-enabled | questsoftware-caad-cef-user-unlock-success-auditor |
+| quest-change-account-enabled-1 | questsoftware-caad-cef-endpoint-enable-auditor |
+| quest-change-account-lockout | questsoftware-caad-cef-user-lock-success-auditor |
+| quest-change-account-password-change | questsoftware-caad-cef-user-password-modify-success-pwdchanged |
+| quest-change-audit-file-create | questsoftware-caad-json-file-write-success-addobject |
+| quest-change-audit-file-delete | questsoftware-caad-json-file-delete-success-deleteobject |
+| quest-change-audit-file-move | questsoftware-caad-json-file-write-success-moveobject |
+| quest-change-audit-file-open | questsoftware-caad-json-file-read-success-opened |
+| quest-change-audit-file-rename | questsoftware-caad-json-file-write-success-renameobject |
+| quest-change-audit-file-write | questsoftware-caad-json-file-write-success-filecontentwritten |
+| quest-change-local-logon | questsoftware-caad-cef-endpoint-login-success-interactively |
+| quest-change-logout | questsoftware-caad-cef-endpoint-login-sessionended |
+| quest-change-member-added | questsoftware-caad-cef-group-member-add-success-nestedmemberadd |
+| quest-change-member-added-1 | questsoftware-caad-cef-group-member-add-success-memberadd |
+| quest-change-member-added-2 | questsoftware-caad-cef-group-member-add-success-usermemberadd |
+| quest-change-member-removed-1 | questsoftware-caad-cef-group-member-remove-success-memberremove |
+| quest-change-member-removed-2 | questsoftware-caad-cef-group-member-remove-success-nestedmemberremove |
+| quest-change-member-removed-3 | questsoftware-caad-cef-group-member-remove-success-usermemberremove |
+| quest-change-remote-logon | questsoftware-caad-cef-endpoint-login-success-remoteinteractively |
+| quest-change-system-info | questsoftware-caad-cef-app-activity-appactivity |
+| quest-member-added | questsoftware-caad-str-group-member-add-success-memberaddedtouser |
+| quest-member-added-1 | questsoftware-caad-str-group-member-add-success-memberaddedtogroup |
+| quest-member-removed | questsoftware-caad-str-group-member-remove-success-memberremoved |
+| quest-member-removed-1 | questsoftware-caad-str-group-member-remove-success-usermemberremoved |
+| quest-password-changed | questsoftware-caad-str-user-password-modify-success-userpwdchanged |
+| quest-password-changed-1 | questsoftware-caad-str-user-password-modify-success-userpwdchanged-1 |
+| qush-reveal-dlp-alert | qush-r-json-alert-trigger-success-datatracking |
+| qush-reveal-file-upload | qush-r-json-file-upload-success-video |
+| qush-reveal-file-upload-1 | qush-r-json-file-upload-success-dataupload |
+| qush-reveal-file-write | qush-r-json-file-write-success-filecopy |
+| qush-reveal-file-write-1 | qush-r-json-file-write-success-datacompression |
+| qush-reveal-nac-logon | qush-r-json-radius-traffic-success-wifi |
+| qush-reveal-print-activity | qush-r-json-printer-activity-success-riskybehavior |
+| qush-reveal-remote-logon | qush-r-json-endpoint-login-success-insiderrisk |
+| qush-reveal-usb-insert | qush-r-json-peripheral_storage-insert-success-usb |
+| qush-reveal-web-activity | qush-r-json-http-session-success-riskybehavior |
+| qush-reveal-web-activity-1 | qush-r-json-http-session-success-flightrisk |
\ No newline at end of file
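Review bot: several New Parser Name values in this hunk use a vendor or product prefix that differs from their sibling rows and look like transcription errors: `q-oam-logout` maps to `oam-am-kv-app-logout-success-logout` while the other OAM rows use `oracle-am` or `oracle-oam`; `q-okta-app-logout` maps to `okta-mfa-json-app-logout-success-published` while every other Okta row uses `okta-amfa`; `q-kiteworks-password-change` maps to `accellion-kiteworks-kv-...` while the other Kiteworks rows use `accellion-kw-kv`. Two mappings also disagree with their own row names and should be confirmed: `q-failed-app-login` maps to `microsoft-exchange-kv-app-login-success-401` (a success-named parser for a failed-login row) and `q-okta-app-activity` maps to an `app-login` parser. `q-oam-app-activity-2` ends in `authenticationattemp`, which may be a truncated `authenticationattempt`. Finally, the file is written without a trailing newline (`\ No newline at end of file`); adding one keeps future diffs of this table clean.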
diff --git a/ParsersLegacy/r_parsers.md b/ParsersLegacy/r_parsers.md
new file mode 100644
index 0000000..c18e288
--- /dev/null
+++ b/ParsersLegacy/r_parsers.md
@@ -0,0 +1,445 @@
+| Old Parser Name | New Parser Name |
+| ---------------------------------- | -------------------------------------------------------------------------- |
+| r-asa-aaa-vpn-start | cisco-asa-str-vpn-login-success-109005-1 |
+| r-nic-4771 | microsoft-evsecurity-kv-endpoint-login-fail-4771-1 |
+| r-nic-528 | microsoft-evsecurity-cef-endpoint-success-528-1 |
+| r-nic-540 | microsoft-evsecurity-kv-endpoint-login-success-540-1 |
+| r-nic-damballa-alert | damballa-failsafe-kv-alert-trigger-success-infected |
+| r-syslog-5136 | microsoft-evsecurity-kv-ds-object-activity-success-5136 |
+| r-syslog-bluecoatcas-alert | symantec-bccas-csv-alert-trigger-success-avservice |
+| r-syslog-chkpnt-vpn-end | checkpoint-sg-csv-vpn-logout-success-authcrypt |
+| r-syslog-chkpnt-vpn-set-ip | checkpoint-sg-str-vpn-login-success-decrypt |
+| r-syslog-chkpnt-vpn-start | checkpoint-sg-str-vpn-login-success-authcrypt |
+| r-syslog-physical-badge-access | siemens-s-kv-physical-location-access-siemensfusionac |
+| r-syslog-vontu-dlp | symantec-dlp-str-email-receive-incident |
+| r-syslog-vontu-dlp-1 | symantec-dlp-str-email-send-protectmanager |
+| racf-db-access | ibm-racf-kv-database-activity-success-access |
+| racf-db-access-1 | ibm-racf-kv-database-activity-success-insufficientauth |
+| racf-db-access-2 | ibm-racf-kv-database-activity-success-connect |
+| racf-db-access-3 | ibm-racf-kv-database-activity-success-setropts |
+| racf-db-access-4 | ibm-racf-kv-database-activity-success-altuser |
+| racf-db-access-5 | ibm-racf-kv-app-activity-general-audit-record-auditrecordwritten |
+| racf-db-failed-login | ibm-racf-kv-database-login-fail-signon |
+| radius-nac-logon | radius-r-kv-endpoint-success-sessionlogs |
+| radware-alert | radware-alteon-str-app-notification-accessattempted |
+| radware-app-activity | radware-alteon-str-app-notification-notsynchronized |
+| radware-failed-app-login | radware-alteon-str-app-login-fail-fromhost |
+| radware-network-alert | radware-waf-kv-alert-trigger-security |
+| rapid7-security-alert | rapid7-insightvm-cef-alert-trigger-success-vulnerability |
+| raw-10016 | microsoft-evsystem-kv-dcom-activate-fail-10016 |
+| raw-104 | microsoft-windows-str-log-clear-success-104 |
+| raw-1102 | microsoft-evsecurity-kv-log-clear-success-1102 |
+| raw-1149 | microsoft-evadfs-kv-endpoint-login-success-1149 |
+| raw-1149-1 | microsoft-evadfs-kv-rdp-traffic-success-remoteconnect |
+| raw-1202 | microsoft-evapp-str-endpoint-notification-1202 |
+| raw-14554 | microsoft-evsystem-str-endpoint-notification-14554 |
+| raw-148 | microsoft-evadfs-kv-endpoint-logout-success-148 |
+| raw-1503 | microsoft-evsystem-str-policy-apply-processsuccess |
+| raw-1644 | microsoft-evadfs-kv-endpoint-activity-success-1644 |
+| raw-2004 | microsoft-evsystem-str-endpoint-notification-success-2004 |
+| raw-216 | microsoft-windows-kv-file-write-success-216 |
+| raw-2889 | microsoft-evsecurity-str-app-authentication-2889 |
+| raw-325 | microsoft-windows-kv-file-write-success-325 |
+| raw-326 | microsoft-windows-kv-file-read-success-326 |
+| raw-327 | microsoft-windows-kv-file-close-success-327 |
+| raw-36874 | microsoft-evsystem-str-ssl-start-fail-36874 |
+| raw-40961 | microsoft-evpowershell-str-endpoint-notification-40961 |
+| raw-40962 | microsoft-evpowershell-str-endpoint-notification-40962 |
+| raw-4104 | microsoft-evpowershell-kv-script-execute-success-4104 |
+| raw-4611 | microsoft-evsecurity-kv-endpoint-notification-trustedlogonprocessregister |
+| raw-4611-1 | microsoft-evsecurity-kv-endpoint-notification-4611 |
+| raw-4622 | microsoft-evsecurity-kv-service-create-success-4622 |
+| raw-4624 | microsoft-evsecurity-kv-endpoint-login-success-4624 |
+| raw-4624-1 | microsoft-evsecurity-str-endpoint-success-successfullylogin |
+| raw-4624-10 | microsoft-evsecurity-kv-endpoint-success-4624-1 |
+| raw-4624-2 | microsoft-evsecurity-kv-endpoint-success-successfullylogin |
+| raw-4624-3 | microsoft-evsecurity-kv-endpoint-success-successfullylogin-1 |
+| raw-4624-4 | microsoft-evsecurity-kv-endpoint-success-successfullylogin-2 |
+| raw-4624-5 | microsoft-evsecurity-kv-endpoint-login-success-4624-2 |
+| raw-4624-6 | microsoft-evsecurity-json-endpoint-4624 |
+| raw-4624-7 | microsoft-evsecurity-kv-endpoint-login-success-4624-3 |
+| raw-4624-8 | microsoft-evsecurity-kv-endpoint-login-success-successfullyloggedon |
+| raw-4624-9 | microsoft-evsecurity-kv-endpoint-success-accountlogin |
+| raw-4625 | microsoft-evsecurity-kv-endpoint-login-fail-4625 |
+| raw-4625-1 | microsoft-evsecurity-kv-endpoint-login-fail-4625-2 |
+| raw-4627 | microsoft-evsecurity-str-endpoint-notification-4627 |
+| raw-4627-1 | microsoft-evsecurity-str-endpoint-notification-logon |
+| raw-4634 | microsoft-evsecurity-kv-endpoint-logout-4634 |
+| raw-4634-1 | microsoft-evsecurity-json-endpoint-logout-success-4634-1 |
+| raw-4634-2 | microsoft-evsecurity-kv-endpoint-logout-loggedoff |
+| raw-4647 | microsoft-evsecurity-kv-endpoint-logout-4647 |
+| raw-4648 | microsoft-evsecurity-kv-user-switch-success-4648-1 |
+| raw-4648-1 | microsoft-evsecurity-kv-user-switch-success-4648 |
+| raw-4648-2 | microsoft-evsecurity-kv-endpoint-login-4648 |
+| raw-4648-3 | microsoft-evsecurity-kv-endpoint-login-success-4648-3 |
+| raw-4648-4 | microsoft-evsecurity-kv-user-switch-success-4648-3 |
+| raw-4648-5 | microsoft-evsecurity-kv-user-switch-success-4648-4 |
+| raw-4649 | microsoft-evsecurity-kv-alert-trigger-success-4649 |
+| raw-4656 | microsoft-evsecurity-kv-handle-request-4656 |
+| raw-4656-1 | microsoft-evsecurity-kv-handle-request-4656-2 |
+| raw-4657-1 | microsoft-evsecurity-str-registry-create-success-4657 |
+| raw-4658 | microsoft-evsecurity-kv-handle-close-4658 |
+| raw-4658-1 | microsoft-evsecurity-kv-handle-close-4658-1 |
+| raw-4658-2 | microsoft-evsecurity-kv-handle-close-4658-2 |
+| raw-4658-3 | microsoft-evsecurity-json-handle-close-timecreatedsystemtime |
+| raw-4659 | microsoft-evsecurity-kv-handle-request-success-4659 |
+| raw-4659-1 | microsoft-evsecurity-cef-handle-request-4659 |
+| raw-4659-2 | microsoft-evsecurity-kv-handle-request-success-4659-1 |
+| raw-4660 | microsoft-evsecurity-str-endpoint-activity-4660 |
+| raw-4661 | microsoft-evsecurity-kv-handle-request-4661 |
+| raw-4662 | microsoft-evsecurity-mix-ds-object-activity-success-4662 |
+| raw-4662-1 | microsoft-evsecurity-kv-ds-object-activity-success-4662 |
+| raw-4662-2 | microsoft-evsecurity-csv-ds-object-activity-success-4662 |
+| raw-4662-3 | microsoft-evsecurity-cef-ds-object-activity-success-4662 |
+| raw-4663 | microsoft-evsecurity-kv-file-success-4663-7 |
+| raw-4663-1 | microsoft-evsecurity-str-file-read-success-4663 |
+| raw-4663-10 | microsoft-evsecurity-json-file-success-accessanobject |
+| raw-4663-11 | microsoft-evsecurity-kv-file-read-success-4663-1 |
+| raw-4663-2 | microsoft-evsecurity-kv-file-success-4663-5 |
+| raw-4663-3 | microsoft-evsecurity-mix-file-success-4663-1 |
+| raw-4663-4 | microsoft-evsecurity-kv-file-success-4663-2 |
+| raw-4663-5 | microsoft-evsecurity-kv-file-read-success-4663-2 |
+| raw-4663-6 | microsoft-evsecurity-kv-file-success-4663-3 |
+| raw-4663-7 | microsoft-evsecurity-kv-file-success-4663-4 |
+| raw-4663-8 | microsoft-evsecurity-kv-file-read-success-4663-3 |
+| raw-4663-9 | microsoft-evsecurity-json-file-read-success-4663-4 |
+| raw-4670 | microsoft-evsecurity-kv-file-permission-modify-4670 |
+| raw-4672 | microsoft-evsecurity-mix-user-privilege-assign-success-4672 |
+| raw-4672-1 | microsoft-evsecurity-json-user-privilege-use-success-computername |
+| raw-4672-2 | microsoft-evsecurity-kv-user-privilege-assign-success-4672-1 |
+| raw-4672-3 | microsoft-evsecurity-csv-user-privilege-modify-success-4672 |
+| raw-4673 | microsoft-evsecurity-kv-user-privilege-assign-success-4673 |
+| raw-4673-1 | microsoft-evsecurity-mix-user-privilege-assign-success-4673 |
+| raw-4673-2 | microsoft-evsecurity-csv-user-privilege-use-success-4673 |
+| raw-4674 | microsoft-evsecurity-mix-user-privilege-use-success-4674 |
+| raw-4674-1 | microsoft-evsecurity-json-user-privilege-use-success-dhn |
+| raw-4674-2 | microsoft-evsecurity-json-user-privilege-use-success-auditing |
+| raw-4674-3 | microsoft-evsecurity-mix-user-privilege-use-success-4674-1 |
+| raw-4674-4 | microsoft-evsecurity-str-user-privilege-use-success-objectserver |
+| raw-4674-5 | microsoft-evsecurity-kv-user-privilege-use-success-4674-1 |
+| raw-4675 | "microsoft-evsecurity-xml-app-notification-4675 |
+| raw-4690 | mcirosoft-evsecurity-kv-handle-copy-4690 |
+| raw-4700 | "microsoft-evsecurity-xml-scheduled-task-create-success-4700-1 |
+| raw-4702 | "microsoft-evsecurity-xml-scheduled-task-modify-4702 |
+| raw-4702-1 | microsoft-evsecurity-cef-scheduled-task-modify-4702 |
+| raw-4703 | microsoft-evsecurity-kv-user-privilege-modify-tokenadjust |
+| raw-4717 | microsoft-evsecurity-kv-user-modify-4717 |
+| raw-4718 | microsoft-evsecurity-kv-user-permission-modify-4718 |
+| raw-4719 | microsoft-evsecurity-mix-audit-policy-modify-success-4719 |
+| raw-4723 | microsoft-evsecurity-mix-user-password-modify-4723 |
+| raw-4724 | microsoft-evsecurity-mix-user-password-reset-success-4724 |
+| raw-4727 | microsoft-evsecurity-kv-group-create-success-4727 |
+| raw-4730 | "microsoft-evsecurity-xml-group-delete-4730 |
+| raw-4731 | microsoft-evsecurity-kv-group-create-success-4731 |
+| raw-4735 | "microsoft-evsecurity-xml-group-modify-success-4735 |
+| raw-4735-1 | microsoft-evsecurity-kv-group-modify-success-4735 |
+| raw-4737 | microsoft-evsecurity-kv-group-modify-success-4737 |
+| raw-4738 | microsoft-evsecurity-mix-ds-object-modify-success-4738 |
+| raw-4741 | microsoft-evsecurity-kv-endpoint-create-created |
+| raw-4742 | microsoft-evsecurity-mix-ds-object-modify-success-4742 |
+| raw-4743 | "microsoft-evsecurity-xml-user-delete-success-4743 |
+| raw-4743-1 | microsoft-evsecurity-kv-user-delete-success-4743-1 |
+| raw-4743-2 | microsoft-evsecurity-kv-user-delete-fail-4743 |
+| raw-4754 | "microsoft-evsecurity-xml-group-create-4754 |
+| raw-4755 | "microsoft-evsecurity-xml-group-modify-success-4755 |
+| raw-4755-1 | microsoft-evsecurity-kv-group-modify-4755 |
+| raw-4758 | "microsoft-evsecurity-xml-group-delete-success-4758 |
+| raw-4760 | "microsoft-evsecurity-xml-group-modify-success-4760-1 |
+| raw-4760-1 | microsoft-evsecurity-kv-group-modify-success-4760 |
+| raw-4761 | microsoft-evsecurity-kv-group-member-add-4761 |
+| raw-4762 | microsoft-evsecurity-kv-group-member-remove-success-4762 |
+| raw-4767 | microsoft-evsecurity-str-user-unlock-success-4767 |
+| raw-4768 | microsoft-evsecurity-kv-endpoint-login-4768 |
+| raw-4768-1 | microsoft-evsecurity-kv-endpoint-login-4768-2 |
+| raw-4768-2 | microsoft-evsecurity-kv-endpoint-login-4768-3 |
+| raw-4768-3 | microsoft-evsecurity-kv-endpoint-login-requested |
+| raw-4768-4 | microsoft-evsecurity-kv-endpoint-login-4768-4 |
+| raw-4768-5 | microsoft-evsecurity-kv-endpoint-4768 |
+| raw-4769 | microsoft-evsecurity-kv-endpoint-login-4769 |
+| raw-4769-1 | microsoft-evsecurity-mix-endpoint-login-4769 |
+| raw-4769-2 | microsoft-evsecurity-kv-endpoint-login-4769-2 |
+| raw-4769-3 | microsoft-evsecurity-kv-endpoint-login-4769-4 |
+| raw-4769-4 | microsoft-evsecurity-kv-endpoint-login-4769-11 |
+| raw-4769-5 | microsoft-evsecurity-json-endpoint-login-4769-5 |
+| raw-4769-6 | microsoft-evsecurity-kv-endpoint-login-4769-12 |
+| raw-4769-7 | microsoft-evsecurity-csv-endpoint-login-4769 |
+| raw-4770 | microsoft-evsecurity-kv-endpoint-login-success-4770 |
+| raw-4770-1 | microsoft-evsecurity-kv-endpoint-login-success-4770-2 |
+| raw-4771 | microsoft-evsecurity-kv-endpoint-login-success-4771 |
+| raw-4771-2 | microsoft-evsecurity-kv-endpoint-login-fail-4771-3 |
+| raw-4774 | microsoft-evsecurity-kv-endpoint-authentication-4774 |
+| raw-4776 | microsoft-evsecurity-kv-endpoint-login-4776-6 |
+| raw-4776-1 | microsoft-evsecurity-kv-endpoint-login-success-4776-2 |
+| raw-4776-2 | microsoft-evsecurity-mix-endpoint-login-success-4776 |
+| raw-4776-3 | microsoft-evsecurity-mix-endpoint-login-validatecredentials |
+| raw-4776-4 | microsoft-evsecurity-kv-endpoint-login-4776-1 |
+| raw-4776-5 | microsoft-evsecurity-kv-endpoint-login-4776-2 |
+| raw-4778 | microsoft-evsecurity-kv-rdp-traffic-success-4778 |
+| raw-4778-1 | microsoft-evsecurity-kv-rdp-traffic-success-4778-1 |
+| raw-4779 | microsoft-evsecurity-mix-endpoint-logout-success-4779 |
+| raw-4780 | microsoft-evsecurity-kv-endpoint-notification-success-4780 |
+| raw-4781 | "microsoft-evsecurity-xml-user-name-modify-4781 |
+| raw-4793 | microsoft-evsecurity-kv-endpoint-notification-4793 |
+| raw-4798 | microsoft-evsecurity-kv-group-list-membershipenumerated |
+| raw-4799 | microsoft-evsecurity-kv-group-member-list-4799 |
+| raw-4800 | microsoft-evsecurity-kv-endpoint-lock-success-4800-1 |
+| raw-4801 | microsoft-evsecurity-kv-endpoint-unlock-success-4801-5 |
+| raw-4904 | "microsoft-evsecurity-xml-audit-policy-modify-4904-2 |
+| raw-4905 | microsoft-evsecurity-mix-audit-policy-modify-4905 |
+| raw-4907 | microsoft-evsecurity-kv-audit-policy-modify-4907 |
+| raw-4928 | microsoft-evadfs-kv-ds-object-create-success-4928 |
+| raw-4929 | microsoft-evadfs-kv-ds-object-delete-success-4929 |
+| raw-4931 | microsoft-evsecurity-str-ds-replication-modify-4931 |
+| raw-4932 | "microsoft-evsecurity-xml-ds-replication-start-4932 |
+| raw-4933 | "microsoft-evsecurity-xml-ds-replication-stop-4933 |
+| raw-4954 | microsoft-evsecurity-str-policy-apply-4954 |
+| raw-4964 | microsoft-evsecurity-str-endpoint-notification-4964 |
+| raw-4985 | microsoft-evsecurity-kv-endpoint-notification-4985 |
+| raw-5058 | microsoft-evsecurity-kv-file-fileoperation |
+| raw-5061 | microsoft-evsecurity-kv-key-cryptographicoperation |
+| raw-5136 | microsoft-evsecurity-mix-ds-object-modify-success-5136-1 |
+| raw-5137 | microsoft-evsecurity-kv-ds-object-create-success-5137 |
+| raw-5138 | microsoft-evsecurity-kv-ds-object-restore-success-5138 |
+| raw-5139 | microsoft-evsecurity-kv-ds-object-move-success-serviceobject |
+| raw-5140 | microsoft-evsecurity-mix-share-access-success-5140 |
+| raw-5140-1 | microsoft-evsecurity-kv-share-access-success-5140-5 |
+| raw-5140-2 | microsoft-evsecurity-kv-share-access-success-5140-6 |
+| raw-5141 | microsoft-evsecurity-kv-ds-object-delete-success-5141 |
+| raw-5142 | microsoft-evsecurity-kv-share-access-success-5142 |
+| raw-5143 | microsoft-evsecurity-kv-share-modify-success-5143 |
+| raw-5143-1 | microsoft-evsecurity-kv-share-access-success-5143 |
+| raw-5144 | microsoft-evsecurity-kv-share-access-success-5144 |
+| raw-5145 | "microsoft-evsecurity-mix-share-access-5145 |
+| raw-5145-1 | microsoft-evsecurity-kv-share-access-5145-1 |
+| raw-5145-10 | microsoft-evsecurity-kv-share-access-success-5145 |
+| raw-5145-11 | microsoft-evsecurity-kv-share-access-5145 |
+| raw-5145-2 | microsoft-evsecurity-kv-share-access-5145-2 |
+| raw-5145-3 | microsoft-evsecurity-kv-share-access-5145-7 |
+| raw-5145-4 | microsoft-evsecurity-json-share-access-hostname |
+| raw-5145-5 | microsoft-evsecurity-json-share-access-5145 |
+| raw-5145-6 | microsoft-evsecurity-mix-share-access-5145 |
+| raw-5145-7 | microsoft-evsecurity-kv-share-access-5145-4 |
+| raw-5145-8 | microsoft-evsecurity-kv-share-access-5145-5 |
+| raw-5145-9 | microsoft-evsecurity-kv-share-access-5145-6 |
+| raw-5152 | microsoft-evsecurity-mix-network-traffic-fail-5152 |
+| raw-5152-1 | microsoft-evsecurity-kv-network-traffic-fail-packetblocked |
+| raw-5152-2 | microsoft-evsecurity-str-network-traffic-fail-5152 |
+| raw-5154 | microsoft-evsecurity-kv-network-listen-5154 |
+| raw-5156 | microsoft-evsecurity-json-mul-network-session-success-5156 |
+| raw-5157 | microsoft-evsecurity-cef-network-session-fail-5157 |
+| raw-5157-1 | microsoft-evsecurity-kv-network-session-fail-blocked-conn |
+| raw-528 | microsoft-evsecurity-kv-endpoint-login-success-528 |
+| raw-53504 | microsoft-evpowershell-str-network-listen-53504 |
+| raw-5379 | microsoft-evsecurity-kv-user-password-read-5379 |
+| raw-540 | microsoft-evsecurity-kv-endpoint-login-success-540 |
+| raw-5447 | microsoft-evsecurity-cef-policy-modify-5447 |
+| raw-5478 | microsoft-evsecurity-kv-service-create-success-5478 |
+| raw-552 | microsoft-evsecurity-json-endpoint-login-success-552 |
+| raw-567 | microsoft-evsecurity-json-file-success-567 |
+| raw-5723 | microsoft-evsystem-str-endpoint-authentication-fail-5723 |
+| raw-5805 | "microsoft-evsystem-xml-endpoint-login-fail-5805-1 |
+| raw-6145 | microsoft-evsecurity-str-policy-apply-fail-6145 |
+| raw-627 | microsoft-evsecurity-kv-user-password-modify-changepasswordattempt |
+| raw-628 | microsoft-evsecurity-kv-user-password-reset-success-accountpasswordset |
+| raw-672 | microsoft-evsecurity-kv-endpoint-login-672 |
+| raw-673 | microsoft-evsecurity-json-endpoint-login-673 |
+| raw-674 | microsoft-evsecurity-json-endpoint-login-success-674 |
+| raw-675 | microsoft-evsecurity-kv-endpoint-login-fail-authfail |
+| raw-680 | microsoft-evsecurity-json-endpoint-login-680-1 |
+| raw-7036 | microsoft-evsystem-str-service-state-modify-7036-3 |
+| raw-7036-1 | microsoft-evsystem-str-service-state-modify-7036-1 |
+| raw-7036-2 | microsoft-evsystem-str-service-state-modify-7036 |
+| raw-7036-3 | microsoft-evsystem-str-service-state-modify-7036-2 |
+| raw-7040 | microsoft-evsystem-json-service-state-modify-7040 |
+| raw-7045 | microsoft-evsystem-str-service-create-success-7045 |
+| raw-8004 | microsoft-evntlm-str-app-authentication-fail-8004 |
+| raw-8004-1 | microsoft-evntlm-kv-endpoint-login-fail-8004 |
+| raw-8005 | microsoft-evntlm-str-app-authentication-fail-8005 |
+| raw-8006 | microsoft-evntlm-str-app-authentication-fail-8006 |
+| raw-asa-113004-vpn-start | cisco-asa-kv-radius-traffic-success-113004-1 |
+| raw-asa-113005 | cisco-asa-str-vpn-login-fail-authentication-rejected |
+| raw-asa-113005-1 | cisco-asa-kv-vpn-login-fail-113005 |
+| raw-asa-113005-2 | cisco-asa-str-vpn-login-fail-authentication-rejected-1 |
+| raw-asa-713184-vpn-start | cisco-asa-str-vpn-login-success-713184 |
+| raw-asa-713228-vpn-start | cisco-asa-str-vpn-login-success-713228 |
+| raw-asa-nap-vpn-end | cisco-asa-str-vpn-logout-success-713259 |
+| raw-asa-svc-vpn-end | cisco-asa-str-vpn-logout-success-113019 |
+| raw-asa-svc-vpn-start | cisco-asa-str-vpn-login-success-722051 |
+| raw-checkpoint-firewall-1 | checkpoint-ngfw-kv-network-traffic-firewall |
+| raw-checkpoint-firewall-2 | checkpoint-ngfw-str-network-traffic-firewall |
+| raw-checkpoint-firewall-accept | checkpoint-ngfw-kv-network-traffic-success-accept-2 |
+| raw-checkpoint-firewall-allow | checkpoint-ngfw-str-network-traffic-success-allow-1 |
+| raw-checkpoint-firewall-authcrypt | checkpoint-ngfw-kv-app-authentication-success-authcrypt |
+| raw-checkpoint-firewall-decrypt | checkpoint-ngfw-kv-app-activity-success-decrypt-2 |
+| raw-checkpoint-firewall-drop | checkpoint-ngfw-kv-network-traffic-fail-drop-1 |
+| raw-checkpoint-firewall-encrypt | checkpoint-ngfw-kv-app-activity-success-encrypt-2 |
+| raw-checkpoint-firewall-monitor | checkpoint-ngfw-kv-alert-trigger-monitor |
+| raw-cisco-vpnconcentrator-end | cisco-asa-kv-vpn-logout-success-28 |
+| raw-cisco-vpnconcentrator-start | cisco-asa-kv-vpn-login-success-connected |
+| raw-defender-av-1116 | microsoft-defenderep-kv-alert-trigger-success-1116-1 |
+| raw-defender-av-5007 | microsoft-defenderep-kv-configuration-modify-success-5007 |
+| raw-failed-logon-2003 | microsoft-evsecurity-kv-endpoint-login-fail-logonfailure |
+| raw-juniper-failed-vpn-login | "juniper-ps-cef-vpn-login-fail-loginfailed |
+| raw-juniper-nwc-vpn-authfailed | juniper-ps-mix-vpn-login-fail-authenticationfailed |
+| raw-juniper-nwc-vpn-authsuccess | juniper-ps-mix-vpn-login-success-authenticationsuccessful |
+| raw-juniper-nwc-vpn-authsuccess-1 | juniper-ps-kv-vpn-login-success-sso |
+| raw-juniper-nwc-vpn-connected | "juniper-ps-cef-vpn-login-success-connected-2 |
+| raw-juniper-nwc-vpn-end | "juniper-ps-cef-vpn-logout-success-ended |
+| raw-juniper-nwc-vpn-hostfailed | juniper-ps-str-vpn-login-fail-hostfailed |
+| raw-juniper-nwc-vpn-resume | juniper-ps-str-vpn-login-success-resume |
+| raw-juniper-nwc-vpn-start | "juniper-ps-json-vpn-login-success-started |
+| raw-juniper-nwc-vpn-terminated | "juniper-ps-cef-vpn-logout-success-terminated |
+| raw-member-added-2003 | microsoft-evsecurity-kv-group-member-add-success-securityenabled |
+| raw-member-added-2008 | microsoft-evsecurity-kv-group-member-add-success-memberwasadded |
+| raw-member-removed-2003 | microsoft-evsecurity-str-group-member-remove-success-memberremoved |
+| raw-member-removed-2008 | microsoft-evsecurity-kv-group-member-remove-success-computer |
+| raw-member-removed-2008-1 | microsoft-evsecurity-json-group-member-remove-success-memberwasremoved |
+| raw-member-removed-2008-2 | microsoft-evsecurity-json-group-member-remove-success-memberremoved-1 |
+| raw-member-removed-2008-3 | "microsoft-evsecurity-xml-group-member-remove-success-memberremoved |
+| raw-netscaler-events | citrix-cgateway-cef-app-activity-79916606 |
+| raw-netscaler-ica-login | citrix-cgateway-str-vpn-login-success |
+| raw-netscaler-vpn-start | citrix-cgateway-str-app-login-success-sslvpnlogin |
+| raw-netscaler-vpn-stop | citrix-cgateway-str-vpn-logout-success-logout |
+| raw-object-access-5058 | microsoft-evsecurity-str-file-5058 |
+| raw-object-access-5059 | microsoft-evsecurity-kv-key-migrate-5059 |
+| raw-object-access-5061 | microsoft-evsecurity-kv-key-5061 |
+| raw-pan-failed-vpn-login | pan-gp-csv-vpn-login-fail-loginfailure |
+| raw-pan-vpn-app-activity | pan-gp-cef-app-activity-success-globalprotect |
+| raw-pan-vpn-end | "pan-gp-leef-vpn-logout-success-succeeded |
+| raw-pan-vpn-end-2 | pan-gp-csv-vpn-logout-success-logout-2 |
+| raw-pan-vpn-login | pan-gp-csv-vpn-login-success-connected |
+| raw-pan-vpn-login-1 | pan-gp-json-vpn-login-success-success |
+| raw-pan-vpn-set-ip | pan-gp-csv-vpn-login-success-generated |
+| raw-pan-vpn-start | pan-gp-csv-vpn-login-success-loginsucceeded |
+| raw-pan-vpn-start-2 | pan-gp-csv-vpn-login-success-login |
+| raw-pix-106015 | cisco-pix-str-network-traffic-fail-106015 |
+| raw-pix-106023 | cisco-pix-str-network-traffic-fail-106023 |
+| raw-pix-302013 | cisco-pix-str-network-session-success-302013 |
+| raw-pix-302014 | cisco-pix-str-network-session-fail-302014 |
+| raw-pix-302015 | cisco-pix-str-network-session-success-302015 |
+| raw-pix-302016 | cisco-pix-str-network-session-fail-302016 |
+| raw-pix-302020 | cisco-pix-str-network-start-success-302020 |
+| raw-pix-302021 | cisco-pix-str-network-session-fail-302021 |
+| raw-pix-305009 | cisco-pix-str-app-notification-success-305009 |
+| raw-powershell-400 | microsoft-evpowershell-str-endpoint-notification-400 |
+| raw-powershell-600 | microsoft-evsecurity-kv-process-create-success-600 |
+| raw-process-created | microsoft-evsecurity-mix-process-create-success-created |
+| raw-process-created-1 | microsoft-evsecurity-kv-process-create-success-created-1 |
+| raw-protectwise-alert | protectwise-ndr-kv-alert-trigger-success-protectwiseemitter |
+| raw-scep-alert | microsoft-defenderep-kv-alert-trigger-success-detection |
+| raw-scep-epp-alert | microsoft-defenderep-kv-alert-trigger-success-systemcenterep |
+| raw-scep-epp-alert-csv | microsoft-defenderep-csv-alert-trigger-success-systemcenter |
+| raw-ssh-login | unix-unix-mix-ssh-traffic-success-ssh2accepted |
+| raw-sysmon-process-network | "microsoft-sysmon-xml-network-session-success-3 |
+| raw-unix-account-created | unix-unix-kv-user-create-success-useradd |
+| raw-unix-account-deleted | unix-unix-str-user-delete-success-deleteuser |
+| raw-unix-account-deleted-1 | unix-unix-str-user-delete-success-deleteuser-1 |
+| raw-unix-dhcp | unix-dhcpd-str-dhcp-session-success-dhcprequest |
+| raw-unix-dhcp-forwardmap | unix-dhcpd-str-dhcp-session-success-forwardmap |
+| raw-unix-dhcp-reversemap | unix-dhcpd-str-dhcp-session-success-reversemap |
+| raw-unix-dns-appliedadd | unix-unix-str-dhcp-session-success-appliedadd |
+| raw-unix-member-added-1 | unix-unix-str-group-member-add-success-gpasswd |
+| raw-unix-member-added-2 | unix-unix-str-group-member-add-success-usermod |
+| raw-unix-member-removed | unix-unix-str-group-member-remove-success-removed |
+| raw-unix-password-change | unix-unix-mix-user-password-modify-success-passwordchanged |
+| raw-unix-process-created | unix-unix-kv-process-create-success-command |
+| raw-unix-su | unix-unix-mix-user-switch-success-susession |
+| raw-unix-sudo | unix-unix-mix-user-switch-success-sudo |
+| raw-vpn-end | juniper-ps-str-vpn-logout-success-logout |
+| raw-vpn-start | juniper-ps-str-vpn-login-success-succeeded |
+| raw-vpn-start-1 | juniper-ps-str-vpn-login-success-pulsesecure |
+| raw-vpn-timeout | juniper-ps-str-vpn-logout-success-timeout |
+| raw-windows-21 | microsoft-evterminalservicesgateway-kv-endpoint-login-success-sessionlogon |
+| raw-windows-account-4720 | microsoft-evsecurity-kv-user-create-success-4720-1 |
+| raw-windows-account-4722 | microsoft-evsecurity-mix-user-enable-success-4722 |
+| raw-windows-account-4725 | microsoft-evsecurity-mix-user-disable-success-4725 |
+| raw-windows-account-4726 | microsoft-evsecurity-mix-user-delete-success-4726 |
+| raw-windows-account-4740 | microsoft-evsecurity-mix-user-lock-success-4740 |
+| raw-windows-account-624 | microsoft-evsecurity-kv-user-create-success-624 |
+| raw-windows-account-629 | microsoft-evsecurity-kv-user-disable-success-629 |
+| raw-windows-account-630 | microsoft-evsecurity-kv-user-delete-success-630 |
+| raw-windows-account-644 | microsoft-evsecurity-json-user-lock-success-644 |
+| raw-windows-powershell-4105 | microsoft-evpowershell-str-script-execute-4105 |
+| raw-windows-powershell-4106 | microsoft-evpowershell-str-endpoint-notification-4106 |
+| rdirectory-account-created | "namespacerdirectory-nrd-xml-user-create-success-createuser |
+| rdirectory-account-deleted | "namespacerdirectory-nrd-xml-user-delete-success-rdirectorydelete |
+| rdirectory-account-disable | "namespacerdirectory-nrd-xml-user-disable-success-disableaccount |
+| rdirectory-account-enable | "namespacerdirectory-nrd-xml-user-enable-success-modified |
+| rdirectory-member-added | "namespacerdirectory-nrd-xml-group-member-add-success-memberadd |
+| rdirectory-object-modification | "namespacerdirectory-nrd-xml-ds_object-activity-success-modifyuser |
+| rdirectory-password-change | "namespacerdirectory-nrd-xml-user-password-modify-success-modifiedby |
+| rdp-vectra-meta-data | vectra-cs-kv-rdp-traffic-success-metadatardp |
+| redcanary-security-alert | redcanary-rc-kv-alert-trigger-success-headline |
+| redcloud-physical-badge-access | redcloud-aacm-cef-physical-location-access-credential |
+| remotelyanywhere-remote-login | logmein-ra-json-endpoint-login-success-raloginsuccess |
+| remotelyanywhere-remote-logout | logmein-ra-kv-endpoint-logout-success-policyname |
+| rs-4624 | microsoft-evsecurity-kv-endpoint-4624 |
+| rs-4625 | microsoft-evsecurity-kv-endpoint-login-fail-4625-3 |
+| rs2-badge-access | rs2-t-kv-physical-location-access-eventlocation |
+| rs2-badge-failed-physical-access-1 | "rs2-t-xml-physical_location-access-fail-accessdenied |
+| rs2-badge-failed-physical-access-2 | "rs2-t-xml-physical-location-access-fail-elevatoraccessdenied |
+| rs2-badge-physical-access-1 | "rs2-t-xml-physical-location-access-success-accessgranted |
+| rs2-badge-physical-access-2 | "rs2-t-xml-physical-location-access-success-elevatoraccessgranted |
+| rs2-physical-access | rs2-r-str-physical-location-access-lname |
+| rsa-app-activity | rsa-ram-kv-app-authentication-success-userstepup |
+| rsa-app-activity-1 | rsa-ram-kv-app-logout-success-sessiontimeout |
+| rsa-app-activity-2 | rsa-ram-kv-app-authentication-success-decisionpoint |
+| rsa-app-activity-3 | rsa-ram-kv-user-modify-success-condition |
+| rsa-app-login | dell-ram-kv-app-login-success-userprotectedappauth |
+| rsa-app-login-1 | rsa-ram-kv-app-login-success-singlepoint |
+| rsa-app-login-2 | rsa-ram-kv-app-login-success-userlogin |
+| rsa-auth-failed | rsa-ram-kv-app-authentication-fail-singlepoint |
+| rsa-auth-failed-1 | rsa-ram-kv-app-authentication-fail-userprotected |
+| rsa-auth-result | rsa-raa-str-app-authentication-authresult |
+| rsa-auth-successful-1 | dell-rsaauthmngr-kv-endpoint-authentication-userlogin |
+| rsa-auth-successful-2 | dell-rsaauthmngr-kv-endpoint-authentication-userauthn |
+| rsa-auth-successful-3 | dell-rsaauthmngr-kv-endpoint-authentication-userstepup |
+| rsa-auth-successful-4 | rsa-ram-kv-app-authentication-success-radius |
+| rsa-auth-successful-5 | rsa-ram-kv-app-authentication-success-userauthenticated |
+| rsa-auth-successful-6 | rsa-ram-kv-app-authentication-success-userauthenticated-1 |
+| rsa-authentication-attempt | rsa-ram-csv-app-authentication-success-validuser |
+| rsa-authentication-attempt-1 | rsa-ram-csv-app-authentication-success-request |
+| rsa-authentication-successful | rsa-ram-csv-endpoint-authentication-success-validuser |
+| rsa-authentication-successful-1 | rsa-ram-csv-endpoint-authentication-success-authorizationsuccess |
+| rsa-device-id-created | rsa-ram-str-app-notification-success-aaopaudit |
+| rsa-device-id-recovered | rsa-raa-str-app-notification-success-idrecovered |
+| rsa-device-token-header-mismatch | rsa-raa-str-app-authentication-fail-tokenheadermismatch |
+| rsa-dlp-alert | rsa-dlp-kv-alert-trigger-success-glba |
+| rsa-dlp-email-alert | rsa-dlp-kv-email-send-success-smtp |
+| rsa-enroll-completed | rsa-raa-str-app-register-success-enrollcompleted |
+| rsa-enroll-start | rsa-raa-str-app-register-success-enrollstart |
+| rsa-failed-app-login | dell-rsaauthmngr-kv-app-login-fail-notauth |
+| rsa-group-membership | rsa-ram-csv-app-notification-success-notingroup |
+| rsa-locking-out-user-id | rsa-raa-str-user-lock-success-lockingoutuserid |
+| rsa-logout | rsa-ram-kv-app-logout-success-userlogout |
+| rsa-netflow-connection | rsa-r-cef-network-traffic-success-flowdata |
+| rsa-risk-analysis | rsa-raa-str-app-notification-success-riskanalysis |
+| rsa-securid-auth-fail | rsa-securid-kv-endpoint-login-fail-tokenauth |
+| rsa-securid-auth-success | rsa-securid-kv-endpoint-login-success-acceptaccess |
+| rsa-system-info | rsa-ram-csv-app-notification-success-resourcecheck |
+| rsa-system-info-1 | rsa-ram-csv-app-notification-success-servertest |
+| rsa-system-info-2 | rsa-ram-csv-app-notification-success-checkresource |
+| rsa-system-info-3 | rsa-ram-csv-app-notification-success-validgroup |
+| rsa-system-info-4 | rsa-ram-kv-service-app-radiusservicestatus |
+| rsa-system-info-5 | rsa-ram-str-configuration-routing-modify-success-systemconfig |
+| rsa-system-info-6 | rsa-ram-kv-configuration-modify-success-confighost |
+| rsa-system-info-7 | rsa-ram-str-configuration-modify-success-configupdate |
+| rsa-user-bound | rsa-raa-str-user-modify-success-userbound |
+| rsa-user-challenged | rsa-raa-str-app-authentication-success-userchallenged |
+| rsa-user-confirmed-chl-maint | rsa-raa-str-app-authentication-success-confirmedchlmaint |
+| rsa-user-group-changed | rsa-raa-str-group-member-move-success-groupchanged |
+| rsa-user-id-locked-out | rsa-ram-str-user-lock-success-idlockedout |
+| rsa-user-id-not-found | rsa-raa-str-app-authentication-fail-idnotfound |
+| rsa-user-signin | rsa-raa-str-app-login-success-signin |
+| rsa-user-unbound | rsa-raa-str-user-modify-success-unbound |
+| rsa-vpn-end | rsa-securid-kv-vpn-logout-success-sessionremoved |
+| rstudio-app-login | rstudio-rserver-sk4-app-login-success-authlogin |
+| rstudio-app-logout | rstudio-rserver-sk4-app-logout-success-authlogout |
+| rsyslogd-system-info | rsyslogdpstats-rp-kv-app-notification-success-imptcp |
+| rubrik-account-creation | rubrik-cdm-kv-user-create-success-createlocaluser |
+| rubrik-app-login | rubrik-cdm-kv-app-login-success-loggedin |
+| rubrik-app-login-1 | rubrik-cdm-kv-app-login-success-loggedin-1 |
+| rubrik-app-logout | rubrik-cdm-kv-app-logout-audit |
+| rubrik-privileged-access | rubrik-cdm-kv-user-privilege-assign-success-assignedroles |
+| rubrik-system-info | rubrik-cdm-kv-app-activity-replication |
+| rundeck-app-activity | rundeck-r-kv-app-notification-success-rundeckauditqa |
\ No newline at end of file
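Review bot: many of the New Parser Name cells in this hunk carry a stray leading double quote with no closing quote, which the Old Parser Name column and the neighbouring rows do not have, e.g. `| raw-5805 | "microsoft-evsystem-xml-endpoint-login-fail-5805-1 |`, `| raw-juniper-failed-vpn-login | "juniper-ps-cef-vpn-login-fail-loginfailed |` and every `rdirectory-*` and `rs2-badge-*-physical-access-*` row; this reads like residue from a CSV export, and anyone copying a name out of the rendered table will pick up the `"` as part of the parser name, so the quote should be dropped from each affected cell. Two consistency checks before merging: the 7036 rows pair `raw-7036` with `...-7036-3`, `raw-7036-2` with `...-7036` and `raw-7036-3` with `...-7036-2`, and `rs2-badge-failed-physical-access-1` maps to `physical_location` (underscore) while its three sibling rows use `physical-location`; both may be intended, but they diverge from how suffixes and segment names are kept in step elsewhere in the table, so they are worth confirming against the actual parser inventory. Finally, the file ends without a trailing newline (`\ No newline at end of file`); adding one keeps the next append to this table from producing a noisy diff on the last row.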
diff --git a/ParsersLegacy/s_parsers.md b/ParsersLegacy/s_parsers.md
new file mode 100644
index 0000000..5100414
--- /dev/null
+++ b/ParsersLegacy/s_parsers.md
@@ -0,0 +1,1588 @@
+| Old Parser Name | New Parser Name |
+| ------------------------------------------- | ------------------------------------------------------------------------------ |
+| s-4611 | microsoft-evsecurity-kv-endpoint-notification-success-4611 |
+| s-4624-jp | microsoft-evsecurity-kv-endpoint-login-success-4624-4 |
+| s-4625-jp | microsoft-evsecurity-csv-endpoint-login-fail-4625 |
+| s-4648-jp | microsoft-evsecurity-csv-endpoint-login-success-4648 |
+| s-4662 | microsoft-evsecurity-kv-ds-object-activity-success-4662-1 |
+| s-4663-jp | microsoft-evsecurity-str-file-read-success-4663-5 |
+| s-4672-jp | microsoft-evsecurity-str-user-privilege-assign-success-4672 |
+| s-4674-jp | microsoft-evsecurity-str-user-privilege-use-success-4674 |
+| s-4688-jp | microsoft-evsecurity-kv-process-create-success-4688-1 |
+| s-4697 | microsoft-evsecurity-kv-service-create-success-4697 |
+| s-4698 | "microsoft-evsecurity-xml-scheduled-task-create-success-4698 |
+| s-4719 | microsoft-evsecurity-json-audit-policy-modify-success-4719-2 |
+| s-4719-1 | microsoft-evsecurity-kv-audit-policy-modify-success-4719 |
+| s-4720-jp | microsoft-evsecurity-kv-user-create-success-4720-3 |
+| s-4722-jp | microsoft-evsecurity-csv-user-enable-success-4722 |
+| s-4723-jp | microsoft-evsecurity-csv-user-password-modify-4723 |
+| s-4724-jp | microsoft-evsecurity-csv-user-password-reset-success-4724-1 |
+| s-4725-jp | microsoft-evsecurity-csv-user-disable-success-4725-1 |
+| s-4726-jp | microsoft-evsecurity-csv-user-delete-success-4726 |
+| s-4740-1 | microsoft-evsecurity-kv-user-delete-fail-lockedout |
+| s-4740-2 | microsoft-evsecurity-kv-user-delete-fail-accountname |
+| s-4740-jp | microsoft-evsecurity-str-user-lock-success-4740 |
+| s-4768-jp | microsoft-evsecurity-csv-endpoint-login-4768 |
+| s-4769-jp | microsoft-evsecurity-json-endpoint-login-4769-9 |
+| s-4770-jp | microsoft-evsecurity-csv-endpoint-login-success-4770 |
+| s-4771-jp | microsoft-evsecurity-kv-endpoint-login-failed-4771-jp |
+| s-4776-jp | microsoft-evsecurity-kv-endpoint-login-4776 |
+| s-4800 | microsoft-evsecurity-kv-endpoint-lock-success-4800-4 |
+| s-4801 | microsoft-evsecurity-kv-endpoint-unlock-success-4801-4 |
+| s-4801-1 | microsoft-evsecurity-kv-endpoint-unlock-success-4801-1 |
+| s-5137 | microsoft-evsecurity-kv-ds-object-activity-success-5137-1 |
+| s-5141 | microsoft-evsecurity-kv-ds-object-activity-success-5141-1 |
+| s-5141-1 | microsoft-evsecurity-kv-ds-object-activity-success-5141-2 |
+| s-516 | microsoft-evsecurity-kv-user-delete-fail-516 |
+| s-517 | microsoft-evsecurity-kv-log-clear-success-517 |
+| s-538 | microsoft-evsecurity-kv-endpoint-logout-success-538 |
+| s-560 | microsoft-evsecurity-json-file-success-objectopen |
+| s-560-jp | microsoft-evsecurity-csv-file-success-560 |
+| s-562 | microsoft-evsecurity-kv-handle-close-success-562 |
+| s-563 | microsoft-evsecurity-kv-handle-open-success-563 |
+| s-576 | microsoft-evsecurity-kv-user-privilege-assign-success-576 |
+| s-592 | microsoft-evsecurity-kv-process-create-success-592 |
+| s-612 | microsoft-evsecurity-kv-audit-policy-modify-success-612 |
+| s-627 | microsoft-evsecurity-kv-user-password-modify-627 |
+| s-672 | microsoft-evsecurity-kv-endpoint-login-672-1 |
+| s-673 | microsoft-evadfs-kv-endpoint-login-673-1 |
+| s-675 | microsoft-evsecurity-kv-endpoint-login-fail-675-2 |
+| s-680 | microsoft-evsecurity-kv-endpoint-login-680 |
+| s-7045 | microsoft-evsystem-kv-service-create-success-7045 |
+| s-O365-dlp-email | microsoft-o365-json-email-send-receive-emailsend |
+| s-O365-email | microsoft-o365-kv-email-send-success-emailsend |
+| s-adaxes-app-activity | adaxes-a-str-app-activity-success-adaxes |
+| s-adfs-auth-failed | microsoft-evsecurity-kv-endpoint-login-fail-411 |
+| s-amag-badge-access | amag-sac-kv-physical-location-access-success-datetimeoftxn |
+| s-aruba-authentication-failed | hp-arubacpm-kv-endpoint-login-fail-loginreject |
+| s-aruba-nac-logon | hp-arubawc-kv-endpoint-login-success-connection |
+| s-aruba-nac-logon-1 | hp-arubawc-kv-endpoint-login-success-authentication |
+| s-asa-605005 | cisco-asa-str-rdp-traffic-success-605005 |
+| s-atlassian-bitbucket-app-activity | atlassian-bitbucket-str-app-activity-success-sshgit |
+| s-avaya-failed-vpn-login | avaya-vpn-kv-vpn-login-fail-vpnfail |
+| s-avaya-vpn-login | avaya-vpn-kv-vpn-login-success-vpnsuccess |
+| s-aws-cloudtrail-activity-json | amazon-awscloudtrail-cef-app-activity-awsapicall |
+| s-aws-cloudtrail-assumedrole-json | amazon-awscloudtrail-cef-app-activity-assumedrole |
+| s-aws-cloudtrail-login-json | amazon-awscloudtrail-json-app-login-awsconsolesignin |
+| s-aws-netflow-connection | amazon-awscloudwatch-mix-network-traffic-success-accept |
+| s-aws-netflow-connection-reject | amazon-awscloudwatch-cef-network-traffic-success-reject |
+| s-azura-mfa-auth-failed | microsoft-azuremfa-str-endpoint-login-fail-callstatus |
+| s-azura-mfa-auth-successful | microsoft-azuremfa-str-endpoint-login-success-callstatus-1 |
+| s-azura-pri-auth-failed | microsoft-azuremfa-str-endpoint-login-fail-auth |
+| s-azura-pri-auth-successful | microsoft-azure-str-endpoint-login-success-primaryauth |
+| s-azure-ad-app-activity-2 | microsoft-azuread-json-app-activity-addmembertogroup |
+| s-azure-ad-app-login | microsoft-azuread-json-app-login-appdisplayname |
+| s-azure-ad-app-login-2 | microsoft-azuread-json-app-login-signin |
+| s-azure-ad-password-change-2 | microsoft-azuread-json-user-password-modify-success-passwordreset |
+| s-azure-app-activity | microsoft-azure-mix-app-activity-success-caller |
+| s-azure-app-login | microsoft-azure-json-app-login-datetime |
+| s-azure-authentication | microsoft-azure-kv-endpoint-login-access |
+| s-azure-container-service | microsoft-azuremon-sk4-app-activity-success-containerservice |
+| s-bit9-epp-alert | vmware-carbonblackappctrl-json-alert-trigger-success-processhashtype |
+| s-brightmail-email | symantec-esc-kv-email-send-success-brightmail |
+| s-bro-dhcp | zeek-z-str-endpoint-login-success-ahauth |
+| s-bro-email-in | zeek-z-str-email-receive-success-brosmtp |
+| s-bro-web-activity | zeek-z-str-http-session-custom |
+| s-carbonblack-security-alert | vmware-carbonblack-sk4-alert-trigger-success-cbanalytics |
+| s-carbonblack-security-alert-1 | vmware-carbonblack-sk4-alert-trigger-success-watchlist |
+| s-carbonblack-security-alert-2 | vmware-carbonblack-json-alert-trigger-success-watchlist-1 |
+| s-ccure-badge-access | tyco-ccure-kv-physical-location-access-card |
+| s-checkpoint-alert | checkpoint-es-kv-alert-trigger-success-smartdefense |
+| s-checkpoint-alert-1 | checkpoint-es-kv-alert-trigger-success-1 |
+| s-checkpoint-alert-2 | checkpoint-es-kv-alert-trigger-success-threatemulation |
+| s-checkpoint-alert-3 | checkpoint-es-kv-alert-trigger-success-prevent |
+| s-checkpoint-alert-4 | checkpoint-es-kv-alert-trigger-success-monitor |
+| s-checkpoint-firewall-accept | checkpoint-ngfw-kv-network-traffic-success-accept |
+| s-checkpoint-firewall-allow | checkpoint-ngfw-kv-network-traffic-success-allow |
+| s-checkpoint-firewall-block | checkpoint-ngfw-kv-network-traffic-fail-block |
+| s-checkpoint-firewall-drop | checkpoint-ngfw-kv-network-traffic-fail-drop |
+| s-checkpoint-firewall-encrypt | checkpoint-ngfw-kv-app-activity-encrypt |
+| s-checkpoint-fw-network-connection | checkpoint-ngfw-kv-network-traffic-success-accept-3 |
+| s-checkpoint-proxy | checkpoint-ngfw-kv-http-session-url |
+| s-cisco-acs-app-activity | cisco-ise-kv-app-activity-success-appactivity |
+| s-cisco-acs-auth-failed | cisco-ise-kv-vpn-login-fail-authfailed |
+| s-cisco-acs-auth-successful | cisco-ise-kv-endpoint-authentication-success-authenok |
+| s-cisco-acs-nac-failed-logon | cisco-ise-kv-radius-traffic-fail-cscoacsfailedattempt |
+| s-cisco-acs-nac-logon | cisco-ise-kv-radius-traffic-success-radius |
+| s-cisco-amp-alert-1 | cisco-secureendpoint-mix-alert-trigger-success-quarantine |
+| s-cisco-amp-alert-10 | cisco-secureendpoint-sk4-alert-trigger-success-cloudioc |
+| s-cisco-amp-alert-11 | cisco-secureendpoint-sk4-alert-trigger-success-policyupdatefailure |
+| s-cisco-amp-alert-13 | cisco-secureendpoint-cef-alert-trigger-success-detected |
+| s-cisco-amp-alert-14 | cisco-secureendpoint-sk4-alert-trigger-success-falsenegative |
+| s-cisco-amp-alert-15 | cisco-secureendpoint-sk4-alert-trigger-success-multipleinfectedfiles |
+| s-cisco-amp-alert-16 | cisco-secureendpoint-sk4-alert-trigger-success-threatdetection |
+| s-cisco-amp-alert-2 | cisco-secureendpoint-sk4-alert-trigger-success-quarantinefailure |
+| s-cisco-amp-alert-3 | cisco-secureendpoint-mix-alert-trigger-success-threatdetected |
+| s-cisco-amp-alert-4 | cisco-secureendpoint-mix-alert-trigger-threatquarantined |
+| s-cisco-amp-alert-5 | cisco-secureendpoint-mix-alert-trigger-success-vulnerable |
+| s-cisco-amp-alert-6 | cisco-secureendpoint-sk4-alert-trigger-success-failedtodelete |
+| s-cisco-amp-alert-7 | cisco-secureendpoint-sk4-alert-trigger-success-executedmalware |
+| s-cisco-amp-alert-8 | cisco-secureendpoint-sk4-alert-trigger-success-criticalfaultraised |
+| s-cisco-amp-alert-9 | cisco-secureendpoint-sk4-alert-trigger-success-majorfaultraised |
+| s-cisco-amp-system-info-10 | cisco-secureendpoint-sk4-policy-modify-policyupdate |
+| s-cisco-amp-system-info-11 | cisco-secureendpoint-sk4-endpoint-scan-scancompleted |
+| s-cisco-amp-system-info-12 | cisco-secureendpoint-sk4-alert-trigger-success-dropperinfection |
+| s-cisco-amp-system-info-13 | cisco-secureendpoint-sk4-app-notification-success-updatecompleted |
+| s-cisco-amp-system-info-14 | cisco-secureendpoint-mix-app-notification-productupdatefailed |
+| s-cisco-amp-system-info-15 | cisco-secureendpoint-cef-app-notification-productupdatestarted |
+| s-cisco-amp-system-info-16 | cisco-secureendpoint-sk4-endpoint-scan-scanstarted |
+| s-cisco-amp-system-info-17 | cisco-secureendpoint-sk4-alert-trigger-success-systemprocessprotected |
+| s-cisco-amp-system-info-18 | cisco-secureendpoint-sk4-alert-trigger-success-faultcleared |
+| s-cisco-amp-system-info-19 | cisco-secureendpoint-sk4-app-notification-success-rebootcompleted |
+| s-cisco-amp-system-info-20 | cisco-secureendpoint-sk4-app-notification-success-rebootpending |
+| s-cisco-amp-system-info-21 | cisco-secureendpoint-sk4-app-notification-success-rebootadvised |
+| s-cisco-amp-system-info-22 | cisco-secureendpoint-sk4-app-notification-success-rebootrequired |
+| s-cisco-amp-system-info-23 | cisco-secureendpoint-sk4-app-notification-success-installfailure |
+| s-cisco-amp-system-info-24 | cisco-secureendpoint-sk4-file-restore-success-fromquarantine |
+| s-cisco-amp-system-info-25 | cisco-secureendpoint-sk4-file-restore-success-falsepositive |
+| s-cisco-amp-system-info-26 | cisco-secureendpoint-sk4-endpoint-scan-scanfailed |
+| s-cisco-amp-system-info-27 | cisco-secureendpoint-sk4-alert-trigger-systemprocessprotection |
+| s-cisco-amp-system-info-8 | cisco-secureendpoint-sk4-file-read-filefetch |
+| s-cisco-amp-system-info-9 | cisco-secureendpoint-sk4-app-notification-installstarted |
+| s-codegreen-dlp-alert | dg-ndlp-kv-alert-trigger-success-emailsubject |
+| s-codegreen-dlp-email-out | dg-ndlp-kv-email-send-success-smtp |
+| s-common-ftp-app-activity | ftp-f-str-app-activity-undefined |
+| s-common-ftp-app-activity-1 | ftp-f-str-app-activity-user |
+| s-common-ftp-app-activity-2 | ftp-f-str-app-activity-sshdisconnect |
+| s-common-ftp-app-activity-3 | ftp-f-str-app-activity-list |
+| s-common-ftp-app-activity-4 | ftp-f-str-app-activity-size |
+| s-common-ftp-app-activity-5 | ftp-f-str-app-activity-mkd |
+| s-common-ftp-app-activity-6 | ftp-f-str-app-activity-quit |
+| s-common-ftp-app-activity-7 | ftp-f-str-app-activity-kick |
+| s-common-ftp-app-activity-8 | ftp-f-str-app-activity-retr |
+| s-common-ftp-delete | ftp-f-str-file-delete-success-250 |
+| s-common-ftp-delete-1 | ftp-f-str-file-delete-success-200 |
+| s-common-ftp-download | ftp-f-str-file-read-success-200 |
+| s-common-ftp-download-1 | ftp-f-str-file-read-success-226 |
+| s-common-ftp-failed-login | ftp-f-str-app-login-fail-401 |
+| s-common-ftp-failed-login-1 | ftp-f-str-app-login-fail-530 |
+| s-common-ftp-login | ftp-f-str-app-login-success-230 |
+| s-common-ftp-login-1 | ftp-f-str-app-login-success-200 |
+| s-common-ftp-upload | ftp-f-str-file-write-sucess-200 |
+| s-common-ftp-upload-1 | ftp-f-str-file-write-sucess-226 |
+| s-crowdstrike-app-dll-alert | crowdstrike-falcon-sk4-alert-trigger-success-reflectivedllname |
+| s-crowdstrike-app-login | crowdstrike-falcon-json-app-login-twofactorauth |
+| s-crowdstrike-app-login-1 | crowdstrike-falcon-json-app-login-userauth |
+| s-crowdstrike-app-login-10 | crowdstrike-falcon-json-app-login-success-assert |
+| s-crowdstrike-app-login-2 | crowdstrike-falcon-sk4-app-login-success-validateentitlement |
+| s-crowdstrike-app-login-3 | crowdstrike-falcon-cef-app-login-success-assert-1 |
+| s-crowdstrike-app-login-4 | crowdstrike-falcon-cef-app-login-accepteula |
+| s-crowdstrike-app-login-5 | crowdstrike-falcon-cef-app-login-success-startevent |
+| s-crowdstrike-app-login-6 | crowdstrike-falcon-json-app-login-createapi |
+| s-crowdstrike-app-login-7 | crowdstrike-falcon-json-app-login-streamstarted |
+| s-crowdstrike-app-login-8 | crowdstrike-falcon-json-app-login-twofactorauthenticate |
+| s-crowdstrike-app-login-9 | crowdstrike-falcon-sk4-app-login-success-userauthenticate |
+| s-crowdstrike-app-logout | crowdstrike-falcon-sk4-app-logout-streamstopped |
+| s-crowdstrike-app-logout-2 | "crowdstrike-falcon-cef-app-logout-sessionend |
+| s-crowdstrike-app-ransomware | crowdstrike-falcon-sk4-file-read-success-targetfilename |
+| s-crowdstrike-failed-logon | crowdstrike-falcon-sk4-endpoint-login-userloginfail |
+| s-crowdstrike-process-alert | crowdstrike-falcon-mix-alert-trigger-success-suspiciousactivity |
+| s-crowdstrike-security-alert | crowdstrike-falcon-mix-alert-trigger-success-detection |
+| s-cws-proxy | cisco-cws-kv-http-session-webcatcode |
+| s-cyberark-account-switch | cyberark-vault-kv-user-switch-success-retrievepassword-1 |
+| s-cyberark-account-switch-2 | cyberark-pam-str-user-switch-success-passwordretrieve |
+| s-cyberark-account-switch-3 | cyberark-pam-str-user-switch-success-passwordretrieve-1 |
+| s-cyberark-activity | cyberark-pam-kv-rdp-traffic-success-secureconnect |
+| s-cyberark-activity-1 | cyberark-pam-kv-rdp-traffic-success-windowtitle |
+| s-cyberark-activity-3 | cyberark-pam-kv-endpoint-logout-disconnect |
+| s-cyberark-activity-4 | cyberark-pam-kv-rdp-traffic-success-psmconnect |
+| s-cyberark-activity-5 | cyberark-pam-kv-ssh-traffic-success-keystrokelogin |
+| s-cyberark-activity-6 | cyberark-pam-str-app-activity-success-usepassword |
+| s-cyberark-activity-7 | cyberark-pam-str-app-activity-success-storepassword |
+| s-cyberark-app-activity | cyberark-pam-kv-app-activity-fileoperations |
+| s-cyberark-app-activity-1 | cyberark-pam-kv-app-activity-windowtitle |
+| s-cyberark-app-activity-2 | cyberark-pam-kv-app-activity-uploadrecording |
+| s-cyberark-app-activity-3 | cyberark-pam-kv-app-activity-usepassword |
+| s-cyberark-app-activity-4 | cyberark-pam-kv-app-activity-storepassword |
+| s-cyberark-app-activity-5 | cyberark-pam-kv-app-activity-filecategory |
+| s-cyberark-app-activity-6 | cyberark-pam-kv-app-activity-connectsessionend |
+| s-cyberark-app-activity-7 | cyberark-pam-kv-app-activity-logoff |
+| s-cyberark-app-activity-8 | cyberark-pam-kv-app-activity-rulesend |
+| s-cyberark-app-activity-9 | cyberark-pam-kv-app-activity-rulesstart |
+| s-cyberark-app-login | cyberark-vault-kv-app-login-logon |
+| s-cyberark-failed-logon | cyberark-vault-kv-endpoint-login-fail-psm |
+| s-cyberark-failed-logon-1 | cyberark-pam-kv-endpoint-login-fail-failedtoinit |
+| s-cyberark-file-delete | cyberark-pam-kv-file-delete-success-deletefile |
+| s-cyberark-file-read-1 | cyberark-pam-kv-file-read-success-openfile |
+| s-cyberark-file-read-2 | cyberark-pam-kv-file-read-success-retrievefile |
+| s-cyberark-file-write-1 | cyberark-pam-kv-file-write-success-openfile |
+| s-cyberark-file-write-2 | cyberark-pam-kv-file-write-success-storefile |
+| s-cyberark-password-change | cyberark-pam-kv-user-password-modify-success-cpmpasswordchanged |
+| s-cyberark-password-change-failed | cyberark-vault-kv-user-password-modify-fail-changepassword |
+| s-cyberark-password-reset | cyberark-pam-kv-user-password-reset-success-setpassword |
+| s-cyberark-remote-logon-1 | cyberark-vault-kv-rdp-traffic-success-psmconnect-1 |
+| s-cyberark-remote-logon-2 | cyberark-vault-kv-rdp-traffic-success-psmsecure |
+| s-cyberark-security-alert | cyberark-pta-kv-alert-trigger-success-pta |
+| s-cyberark-security-alert-1 | cyberark-pam-kv-alert-trigger-success-nonauthorizedimpersonation |
+| s-cyberark-security-alert-2 | cyberark-pam-kv-alert-trigger-success-keystrokelogging |
+| s-cyberark-tpm-account-switch | cyberark-pam-str-user-switch-success-retrievepassword |
+| s-cyberark-tpm-activity | cyberark-pam-kv-app-activity-success-otherinfo |
+| s-cyberark-tpm-login | cyberark-pam-kv-app-login-success-loginobjecttype |
+| s-cylance-app-activity | blackberry-protect-kv-app-login-success-loginsuccess |
+| s-damballa-alert | damballa-failsafe-kv-alert-trigger-success-alerttrigger |
+| s-database-login-18453 | microsoft-mssql-kv-database-login-success-18453 |
+| s-database-login-18454 | microsoft-mssql-kv-database-login-success-18454 |
+| s-db-failed-login | ibm-guardium-csv-database-login-fail-loginfailed |
+| s-db-login | ibm-guardium-csv-database-login-success-no |
+| s-digitalguardian-app-login-1 | dg-ep-kv-app-login-success-operation27 |
+| s-digitalguardian-app-login-2 | dg-ep-kv-app-login-success-applicationstart |
+| s-digitalguardian-app-login-3 | dg-ep-kv-app-login-success-applicationstart-1 |
+| s-digitalguardian-dlp-alert-1 | dg-ndlp-kv-email-send-success-ruleblock |
+| s-digitalguardian-dlp-alert-2 | dg-ndlp-kv-email-send-success-resolutionstatus |
+| s-digitalguardian-dlp-email-out-1 | dg-ndlp-kv-email-send-success-28-2 |
+| s-digitalguardian-dlp-email-out-2 | dg-ndlp-kv-email-send-success-28-1 |
+| s-digitalguardian-dlp-email-out-3 | dg-ndlp-kv-email-send-success-sendmail |
+| s-digitalguardian-dlp-email-out-4 | dg-ndlp-kv-email-send-success-sendmail-1 |
+| s-digitalguardian-file-download | dg-ep-kv-file-download-success-operationid2 |
+| s-digitalguardian-file-read | dg-ep-kv-file-success-applicationdataexchange |
+| s-digitalguardian-file-upload | dg-ep-kv-file-download-success-operationid21 |
+| s-digitalguardian-file-write-1 | dg-ep-kv-file-success-11 |
+| s-digitalguardian-file-write-2 | dg-ep-kv-file-success-7 |
+| s-digitalguardian-file-write-3 | dg-ep-kv-file-fixed |
+| s-digitalguardian-file-write-4 | dg-ep-kv-file-fileoperation |
+| s-digitalguardian-file-write-5 | dg-ep-kv-file-remote |
+| s-digitalguardian-local-logon-1 | dg-ep-kv-endpoint-login-success-23 |
+| s-digitalguardian-local-logon-2 | dg-ep-kv-endpoint-login-fail-userlogon |
+| s-digitalguardian-local-logon-3 | dg-ep-kv-endpoint-login-success-userlogon |
+| s-digitalguardian-logout | dg-ep-kv-app-kv-logout-success-utctime |
+| s-digitalguardian-logout-1 | dg-ep-kv-app-kv-logout-success-userlogoff |
+| s-digitalguardian-network-connection | dg-ep-kv-network-traffic-success-4 |
+| s-digitalguardian-print-activity-1 | dg-ep-kv-printer-activity-success-22-1 |
+| s-digitalguardian-print-activity-2 | dg-ep-kv-printer-activity-success-22 |
+| s-digitalguardian-print-activity-3 | dg-ep-kv-printer-activity-success-print |
+| s-digitalguardian-print-activity-4 | dg-ep-kv-printer-activity-success-print-1 |
+| s-digitalguardian-usb-activity | dg-ep-kv-peripheral-storage-insert-success-notblocked |
+| s-digitalguardian-usb-insert-2 | dg-ep-kv-peripheral-storage-insert-success-deviceadded |
+| s-digitalguardian-usb-insert-3 | dg-ep-kv-peripheral-storage-insert-success-deviceadded-1 |
+| s-digitalguardian-usb-write | dg-ep-kv-file-write-success-filecopy |
+| s-dlp-email-out | forcepoint-dlp-cef-email-send-datasecurity |
+| s-dropbox-app-activity-1 | dropbox-d-json-app-activity-success-sharing |
+| s-dropbox-app-activity-2 | dropbox-d-json-app-activity-success-sharing-2 |
+| s-dropbox-apps-activity | dropbox-d-json-app-activity-success-apps |
+| s-dropbox-devices-activity | dropbox-d-json-app-login-success-devices |
+| s-dropbox-files-activity | dropbox-d-json-file-success-fileactivity |
+| s-dropbox-logins-activity | dropbox-d-json-app-login-success-logines |
+| s-dropbox-members-activity | dropbox-d-json-app-activity-success-members |
+| s-dropbox-sharing-activity | dropbox-d-json-file-success-sharing |
+| s-dtex | dtexsystems-intercept-str-file-process-success-userdept |
+| s-duo-app-activity | cisco-duo-json-app-activity-success-phonecreate |
+| s-duo-app-login | cisco-duo-json-app-login-success-adminlogin |
+| s-duo-auth-json | cisco-duo-json-endpoint-authentication-ip |
+| s-duo-auth-json-1 | cisco-duo-json-endpoint-authentication-result |
+| s-duo-auth-set-ip | cisco-duo-str-app-authentication-success-forwardserver |
+| s-duo-auth-successful | cisco-duo-str-app-authentication-success-allow |
+| s-duo-failed-app-login | cisco-duo-json-app-login-fail-adminloginerror |
+| s-duo-failed-app-login-1 | cisco-duo-json-app-login-fail-admin2faerror |
+| s-endpoint-dlp-alert | dg-ndlp-kv-alert-trigger-success-endpointusername |
+| s-estreamer-network-connection | cisco-fp-json-network-traffic-accesscontrol |
+| s-estreamer-network-connection-1 | cisco-fp-kv-network-traffic-estreamer |
+| s-estreamer-network-connection-2 | cisco-fp-kv-network-traffic-success-accesscontrolrule |
+| s-estreamer-security-alert | cisco-fp-json-alert-trigger-success-502 |
+| s-exchange-app-activity | microsoft-exchange-kv-app-activity-appactivity |
+| s-f5-dns-response | f5-bigipdns-str-dns-response-success-rcode |
+| s-f5-vpn-p1 | f5-apm-kv-vpn-login-success-clientaccepted |
+| s-f5-vpn-p2 | f5-apm-kv-vpn-login-success-accesspolicyagentevt |
+| s-failed-app-login | microsoft-mssql-kv-app-login-fail-18456 |
+| s-failed-physical-access-unknown | badge-b-csv-physical-location-access-fail-unauthorisedcard |
+| s-failed-physical-access-unknown-1 | badge-b-csv-physical-location-access-fail-nozoneprivilege |
+| s-failed-physical-badge-access-7 | badge-b-csv-physical-location-access-fail-cardrejected |
+| s-fidelis-alert | fidelis-fnetwork-cef-alert-trigger-success-alertid |
+| s-fireeye-hx-alert | fireeye-endpointsecurity-leef-alert-trigger-success-iochitfound |
+| s-fireeye-hx-alert-1 | fireeye-endpointsecurity-kv-alert-trigger-success-fireeyeacquisitioncompleted |
+| s-fireeye-hx-alert-2 | fireeye-endpointsecurity-cef-alert-trigger-success-containmentcancelled |
+| s-fireeye-hx-alert-3 | fireeye-endpointsecurity-json-alert-trigger-success-eventat |
+| s-fireeye-hx-alert-4 | fireeye-endpointsecurity-json-alert-trigger-success-processevent |
+| s-fireeye-hx-alert-5 | fireeye-es-json-file-write-success-alert |
+| s-fireeye-hx-alert-6 | fireeye-endpointsecurity-json-alert-trigger-success-ipv4networkevent |
+| s-fireeye-hx-alert-hx | fireeye-endpointsecurity-cef-alert-trigger-success-iochitfound |
+| s-fireeye-hx-alert-s-1 | fireeye-endpointsecurity-json-alert-trigger-success-product |
+| s-fireeye-mps-alert | fireeye-networksecurity-csv-alert-trigger-success-webmps |
+| s-fortinet-dhcp | fortinet-firewall-kv-dhcp-session-success-dhcpacklog |
+| s-github-activity | github-g-kv-app-login-authentication |
+| s-github-audit | github-g-json-app-activity-success-githubaudit |
+| s-github-unicorn-activity | "github-g-kv-http-request-api |
+| s-guardium-db-access | ibm-guardium-leef-database-activity-success-ibm |
+| s-guardium-db-alert | ibm-guardium-kv-alert-trigger-success-guardiumalert |
+| s-guardium-db-alert-1 | ibm-guardium-str-alert-trigger-success-mssql |
+| s-hp-print-activity | hp-printserver-kv-printer-activity-success-unspecified |
+| s-icpam-badge-access | icpam-i-kv-physical-location-access-success-granted |
+| s-infoblox-config-change | infoblox-bddi-str-configuration-modify-zoneapplied |
+| s-infoblox-dhcp-1 | infoblox-bddi-str-endpoint-login-success-dhcpack |
+| s-infoblox-dhcp-2 | infoblox-bddi-str-endpoint-login-success-dhcpoffer |
+| s-infoblox-dhcp-3 | infoblox-bddi-str-endpoint-login-success-requestdhcp |
+| s-infoblox-dhcp-4 | infoblox-bddi-str-dhcp-session-success-dynamicleases |
+| s-infoblox-dhcp-dhcpdecline | infoblox-bddi-str-dhcp-traffic-dhcpdecline |
+| s-infoblox-dhcp-dhcpdiscover | infoblox-bddi-str-dhcp-discover-dhcpd |
+| s-infoblox-dhcp-dhcpexpire | infoblox-bddi-str-dhcp-traffic-dhcpexpire |
+| s-infoblox-dhcp-dhcpinform | infoblox-bddi-str-dhcp-traffic-success-dhcpd |
+| s-infoblox-dhcp-dhcprelease | infoblox-bddi-str-dhcp-traffic-dhcprelease |
+| s-infoblox-dhcp-fixed | infoblox-bddi-csv-app-notification-fixed |
+| s-infoblox-dhcp-freed | infoblox-bddi-csv-ip-free-dhcpd |
+| s-infoblox-dhcp-issued | infoblox-bddi-str-network-notification-dhcpdissued |
+| s-infoblox-one-dhcp-file-write | infoblox-bddi-str-file-write-success-backupsuccess |
+| s-infoblox-one-dhcp-vpn-connection | infoblox-bddi-str-vpn-session-success-connectioninitiated |
+| s-intrust-dns | questintrust-q-kv-endpoint-login-success-dnsrecord |
+| s-ironport-dlp-email-alert | cisco-ie-str-email-success-dcid |
+| s-ironport-email-aborted | cisco-ie-str-email-aborted |
+| s-ironport-email-attachment | cisco-ie-str-email-attachment |
+| s-ironport-email-av-result | "cisco-ie-cef-email-antivirus |
+| s-ironport-email-av-result-2 | cisco-ie-str-email-av-verdict |
+| s-ironport-email-bytes | "cisco-ie-cef-email-bytesfrom |
+| s-ironport-email-file-verdict | cisco-ie-str-email-file-verdict |
+| s-ironport-email-graymail | cisco-ie-str-email-graymail |
+| s-ironport-email-outcome | "cisco-ie-cef-email-finished |
+| s-ironport-email-recipient | "cisco-ie-cef-email-to |
+| s-ironport-email-sender | "cisco-ie-cef-email-from |
+| s-ironport-email-sender-1 | cisco-ie-mix-email-send-receive-from |
+| s-ironport-email-spam-result | "cisco-ie-cef-email-spam |
+| s-ironport-email-subject | "cisco-ie-cef-email-subject |
+| s-ironport-email-url | cisco-ie-str-email-url |
+| s-ironport-email-url-1 | cisco-ie-str-email-url-1 |
+| s-json-4697 | microsoft-evsecurity-json-service-create-success-4697 |
+| s-json-4697-1 | microsoft-windows-json-service-create-success-4697 |
+| s-juniper-nwc-vpn-resume | juniper-ps-kv-vpn-login-success-firewall |
+| s-juniper-pulse-activity | juniper-ps-kv-app-activity-success-webrequestcomplect |
+| s-juniper-vpn-end | juniper-ps-kv-vpn-logout-success-firewall |
+| s-juniper-vpn-realm | juniper-ps-kv-vpn-login-success-firewall-3 |
+| s-juniper-vpn-start | juniper-ps-kv-vpn-login-success-firewall-1 |
+| s-juniper-vpn-timeout | juniper-ps-kv-vpn-logout-success-firewall-1 |
+| s-kaspersky-endpoint-security | "kaspersky-endpointsecurity-xml-alert-trigger-success-security |
+| s-kaspersky-es-alert | kaspersky-endpointsecurity-kv-alert-trigger-success-eventlog |
+| s-kaspersky-es-alert-1 | kaspersky-endpointsecurity-cef-alert-trigger-success-productversion |
+| s-lanscope-app-activity-1 | lanscope-cat-csv-app-activity-appactivity |
+| s-lanscope-asset-alert | lanscope-cat-csv-app-activity-success-assetalarmlog |
+| s-lanscope-file-operations | lanscope-cat-csv-file-success-realtime |
+| s-lanscope-print-activity | lanscope-cat-csv-printer-activity-success-activity |
+| s-lanscope-process-created | lanscope-cat-csv-network-session-success-active |
+| s-lanscope-process-created-failed | lanscope-cat-csv-process-create-fail-err |
+| s-lanscope-web-activity | lanscope-cat-csv-http-session-success-weblogaccess |
+| s-lanscopecat-logon | lanscope-cat-kv-endpoint-login-success-loginuser |
+| s-lanscopecat-print-activity | lanscope-cat-kv-printer-activity-success-lanscopecatprint |
+| s-lanscopecat-usb-activity | lanscope-cat-kv-peripheral-storage-activity-windowtitle |
+| s-lanscopecat-web-activity | lanscope-cat-kv-http-session-success-webaccess |
+| s-liebsoft-account-switch | beyondtrust-b-kv-user-switch-success-accessgranted |
+| s-liebsoft-app-login | beyondtrust-prividentity-kv-app-login-success-3016 |
+| s-lumension-usb | lumension-l-kv-peripheral-storage-insert-usb |
+| s-mcafee-clean-failed-alert | mcafee-es-csv-alert-trigger-success-cleanfailed |
+| s-mcafee-cleaned-alert | mcafee-es-str-alert-trigger-success-cleaned |
+| s-mcafee-deleted-alert | mcafee-es-str-alert-trigger-success-deleted |
+| s-mcafee-dlp-alert | mcafee-dlp-kv-alert-trigger-success-plug |
+| s-mcafee-dlp-alert-1 | mcafee-dlp-kv-alert-trigger-success-alerttrigger-1 |
+| s-mcafee-dlp-alert-2 | mcafee-dlp-kv-alert-trigger-success-destdns |
+| s-mcafee-dlp-alert-3 | mcafee-dlp-kv-alert-trigger-success-alerttrigger-2 |
+| s-mcafee-email-dlp-alert-out | mcafee-ep-kv-email-send-success-emailprotection |
+| s-mcafee-epo-alert | mcafee-es-kv-alert-trigger-success-timestamp |
+| s-mcafee-epo-alert-2 | mcafee-es-kv-alert-trigger-success-parametervalue |
+| s-mcafee-epo-alert-3 | mcafee-es-kv-alert-trigger-success-threathandled |
+| s-mcafee-epo-alert-4 | mcafee-es-kv-alert-trigger-success-alerttrigger |
+| s-mcafee-epo-dlp-alert | mcafee-dlp-kv-alert-trigger-success-lossprevention |
+| s-mcafee-epo-dlp-alert-2 | mcafee-ep-kv-alert-trigger-success-islaptop |
+| s-mcafee-print-activity | mcafee-dlp-kv-printer-activity-success-printingprotection |
+| s-mcafee-print-activity-1 | mcafee-dlp-kv-printer-activity-success-printing |
+| s-mcafee-print-activity-2 | mcafee-dlp-str-printer-activity-success-40301 |
+| s-mcafee-process-alert | mcafee-es-kv-alert-trigger-success-actionblocked |
+| s-mcafee-security-alert | mcafee-es-kv-alert-trigger-success-4 |
+| s-mcafee-security-alert-1 | mcafee-es-csv-alert-trigger-success-security |
+| s-mcafee-security-alert-2 | mcafee-es-csv-alert-trigger-success-alerttrigger |
+| s-mcafee-usb-activity | mcafee-es-kv-file-write-success-localizationkey |
+| s-mcafee-usb-activity-bluetooth | mcafee-es-str-file-write-success-bluetooth |
+| s-mcafee-usb-activity-diskdrives | mcafee-es-str-file-write-success-diskdrives |
+| s-mcafee-usb-activity-dvd | mcafee-es-str-file-write-success-romdrives |
+| s-mcafee-usb-activity-dvd-1 | mcafee-es-str-file-write-success-filewritepc |
+| s-mcafee-usb-activity-dvd-2 | mcafee-es-str-file-write-success-usbfilewritemac |
+| s-mcafee-usb-activity-imaging | mcafee-es-str-file-write-success-imagingdevices |
+| s-mcafee-usb-activity-portable | mcafee-es-str-file-write-success-portabledevice |
+| s-mcafee-usb-filewrite | mcafee-es-str-file-write-success-usbfilewrite |
+| s-mcafee-usb-insert-cddrive | mcafee-es-kv-file-write-success-romdrives-1 |
+| s-mcafee-usb-insert-dd | mcafee-es-kv-file-write-success-diskdrives-1 |
+| s-mcafee-usb-insert-pd | mcafee-es-kv-peripheral-storage-insert-success-pd |
+| s-mcafee-usb-insert-usbd | mcafee-es-kv-peripheral-storage-insert-success-usbd |
+| s-mcafee-vse-epo-dlp-alert | mcafee-dlp-kv-alert-trigger-success-analyzerdlp |
+| s-mdam-db-query | mcafee-mdam-kv-database-dbactivity |
+| s-member-added-2003 | microsoft-evsecurity-json-group-member-add-success-groupmemberadded |
+| s-member-added-2008 | microsoft-evsecurity-kv-group-member-add-success-memberaddedinsecurity |
+| s-member-added-2008-jp | microsoft-evsecurity-csv-group-member-add-success-memberadded |
+| s-member-removed-2003 | microsoft-evsecurity-json-group-member-remove-success-groupmemberremoved |
+| s-member-removed-2008 | microsoft-evsecurity-kv-group-member-remove-success-securityenabled |
+| s-microsoft-database-login | microsoft-mssql-kv-database-login-fail-sqlagent |
+| s-microsoft-dhcp | microsoft-windows-json-endpoint-login-success-assign |
+| s-microsoft-dhcp-nack | microsoft-evdhcpserver-str-dhcp-session-fail-nack |
+| s-microsoft-dns-renew | microsoft-windows-json-endpoint-login-success-renew |
+| s-microsoft-dns-update | microsoft-evdnsserver-json-endpoint-login-success-update |
+| s-microsoft-isa-proxy-1 | microsoft-wapgateway-str-http-session-tinet |
+| s-microsoft-isa-proxy-2 | microsoft-wapgateway-kv-http-session-thttp |
+| s-microsoft-isa-proxy-3 | microsoft-wapgateway-json-http-session-reqid |
+| s-microsoft-print-activity | microsoft-evprintservice-kv-printer-activity-success-printprocessor |
+| s-microsoft-print-activity-1 | microsoft-evprintservice-str-printer-activity-success-pagesprinted |
+| s-mimecast-app-activity | mimecast-seg-str-app-activity-success-auditlog |
+| s-mimecast-app-activity-1 | mimecast-seg-sk4-app-activity-success-auditevents |
+| s-mimecast-app-login | mimecast-seg-kv-app-login-success-auditlog |
+| s-mimecast-dlp-email | mimecast-seg-kv-email-rcpt |
+| s-mimecast-dlp-email-1 | mimecast-seg-sk4-email-receive-impersonationprotect |
+| s-morphisec-security-alert | morphisec-eptp-json-alert-trigger-success-attacktimedt |
+| s-mssql-database-login | microsoft-mssql-kv-database-login-success-33205 |
+| s-mssql-database-login-1 | microsoft-mssql-kv-database-login-success-lgis |
+| s-mssql-database-login-failed | microsoft-mssql-kv-database-login-fail-33205 |
+| s-mssql-database-login-failed-xml | "microsoft-mssql-xml-database-login-failed-33205 |
+| s-mssql-database-login-xml | "microsoft-mssql-xml-database-login-success-33205 |
+| s-mssql-database-logout | "microsoft-mssql-xml-database-logout-success-lgo |
+| s-mssql-database-query-al | microsoft-mssql-kv-database-query-success-33205-2 |
+| s-mssql-database-query-al-1 | microsoft-mssql-kv-database-modify-success-al |
+| s-mssql-database-query-al-xml | "microsoft-mssql-xml-database-query-success-30205-2 |
+| s-mssql-database-query-cr | microsoft-mssql-kv-database-modify-success-cr |
+| s-mssql-database-query-dl | microsoft-mssql-kv-database-query-success-33205 |
+| s-mssql-database-query-dl-1 | microsoft-mssql-kv-database-delete-success-dl |
+| s-mssql-database-query-dl-xml | "microsoft-mssql-xml-database-query-success-33205 |
+| s-mssql-database-query-dr | microsoft-mssql-kv-database-delete-success-dr |
+| s-mssql-database-query-sl | microsoft-mssql-kv-database-query-success-33205-1 |
+| s-mssql-database-query-sl-1 | microsoft-mssql-kv-database-query-success-sl |
+| s-mssql-database-query-sl-xml | "microsoft-mssql-xml-database-query-success-33205-1 |
+| s-mssql-database-query-vw | microsoft-mssql-kv-database-activity-success-dbactivity |
+| s-mvision-dlp-alert | mvision-m-kv-alert-trigger-success-alertpolicydlp |
+| s-mvision-dlp-alert-1 | mvision-m-json-alert-trigger-success-outgoingprinter |
+| s-mvision-dlp-alert-2 | mvision-m-json-alert-trigger-success-outgoingemail |
+| s-mvision-dlp-alert-3 | mvision-m-json-alert-trigger-success-outgoingmemoryviacloud |
+| s-mvision-dlp-alert-4 | mvision-m-json-alert-trigger-success-outgoinghttp |
+| s-mvision-dlp-alert-5 | mvision-m-json-alert-trigger-success-outgoingfsremovablestorage |
+| s-mwg-proxy | mcafee-wg-kv-http-session-urlp |
+| s-mwg-proxy-1 | mcafee-wg-kv-http-session-urlp-1 |
+| s-mwg-proxy-3 | mcafee-wg-kv-http-session-success-mwgaccess3 |
+| s-mwg-proxy-3-denied | mcafee-wg-kv-http-session-fail-accesdenied |
+| s-mwg-web-activity | mcafee-wg-kv-http-session-authenticationmethod |
+| s-n3k-dhcp | n3k-n-kv-dhcp-session-success-time |
+| s-nac-failed-logon | cisco-ise-kv-endpoint-authentication-fail-attempts |
+| s-nac-failed-logon-1 | cisco-ise-kv-radius-traffic-fail-deviceadministrationfailed |
+| s-nac-failed-logon-2 | cisco-ise-kv-radius-traffic-fail-cisefailedattempt |
+| s-nac-logon | cisco-ise-kv-radius-traffic-success-authsucceeded |
+| s-nac-logon-1 | cisco-ise-kv-radius-traffic-success-deviceadminstrationsucceeded |
+| s-nac-logon-2 | cisco-ise-cef-radius-traffic-success-cisepassedauth |
+| s-nasuni-file-delete | nasuni-n-csv-file-delete-success-deletefile |
+| s-nasuni-file-delete-1 | nasuni-n-csv-file-delete-success-deletedirectory |
+| s-nasuni-file-permission-change | nasuni-n-csv-file-permission-modify-success-dosattribute |
+| s-nasuni-file-permission-change-1 | nasuni-n-csv-file-permission-modify-success-extendedattributes |
+| s-nasuni-file-permission-change-2 | nasuni-n-csv-file-permission-modify-success-setacl |
+| s-nasuni-file-write | nasuni-n-csv-file-write-success-writetofile |
+| s-nasuni-file-write-1 | nasuni-n-csv-file-write-success-rename |
+| s-nasuni-file-write-2 | nasuni-n-csv-file-write-success-truncatefile |
+| s-net2door-badge-access | paxton-net2door-json-physical-location-access-peripheralname |
+| s-netscaler-auth-failed | citrix-cgateway-str-endpoint-authentication-fail-failedlogin |
+| s-netskope-activity | netskope-sc-json-file-auditlogevent |
+| s-netskope-login | netskope-sc-json-app-login-success-loginsuccessful-1 |
+| s-o365-dlp-alert | microsoft-defenderep-json-alert-trigger-success-dlprulematch |
+| s-o365-dlp-alert-1 | microsoft-defenderep-json-alert-trigger-success-dlprulematch-1 |
+| s-o365-dlp-alert-2 | microsoft-defenderep-sk4-alert-trigger-success-dlpmatchrule |
+| s-oam-app-login | oracle-am-str-app-login-authn |
+| s-oam-app-login-1 | oracle-am-str-app-login-success-auth |
+| s-okta-app-activity | okta-amfa-json-app-app |
+| s-okta-app-login | okta-amfa-json-app-login-success-singlesignon-1 |
+| s-okta-app-login-1 | okta-amfa-json-endpoint-login-success-userlogin |
+| s-okta-app-login-2 | okta-amfa-json-endpoint-login-success-authenticateuser |
+| s-okta-app-login-3 | okta-amfa-json-app-login-success-evaluatesignon-1 |
+| s-okta-app-login-4 | okta-amfa-json-app-login-success-oauth2signon |
+| s-okta-failed-app-login | okta-amfa-json-app-login-fail-signinfailure |
+| s-okta-failed-login | okta-amfa-json-app-login-fail-userlogintookta |
+| s-okta-failed-login-1 | okta-amfa-json-app-login-fail-authenticateuserviainbounddelauth |
+| s-okta-failed-login-2 | okta-amfa-json-app-login-fail-authenticateuserwithadagent |
+| s-okta-failed-login-3 | okta-amfa-json-app-login-fail-useraccountlock |
+| s-okta-failed-login-4 | okta-amfa-mix-app-login-fail-suspiciousactivity |
+| s-onelogin-app-activity | onelogin-o-json-app-login-success-applogin |
+| s-onelogin-system-info | onelogin-o-json-app-notification-lastslogin |
+| s-onguard-physical-badge-access | lenel-og-kv-physical-location-access-accessgranted-1 |
+| s-onguard-physical-badge-access-2 | lenel-og-json-physical-location-access-success-panelname |
+| s-opendns-dns-response | cisco-umbrela-json-dns-response-success-12ptr |
+| s-opendns-dns-response-1 | cisco-umbrella-json-dns-response-success-6soa |
+| s-opendns-dns-response-10 | cisco-umbrella-json-dns-response-success-allowednaptr |
+| s-opendns-dns-response-2 | cisco-umbrella-json-dns-response-success-28aaaa |
+| s-opendns-dns-response-3 | cisco-umbrella-json-dns-response-success-16txt |
+| s-opendns-dns-response-4 | cisco-umbrella-json-dns-response-success-allowedother |
+| s-opendns-dns-response-5 | cisco-umbrella-cef-dns-response-success-allowed |
+| s-opendns-dns-response-6 | cisco-umbrella-json-dns-response-success-blocked |
+| s-opendns-dns-response-7 | cisco-umbrella-json-dns-response-success-allowedns |
+| s-opendns-dns-response-8 | cisco-umbrella-json-dns-response-success-allowedcname |
+| s-opendns-dns-response-9 | cisco-umbrella-json-dns-response-success-allowedmx |
+| s-oracle-db-activity | oracle-db-kv-database-query-success-actionname-1 |
+| s-oracle-db-activity-2 | oracle-db-kv-database-query-success-dbid |
+| s-oracle-db-execute-1 | oracle-db-json-database-query-success-userhost |
+| s-oracle-db-login | oracle-db-kv-database-login-success-logon |
+| s-oracle-db-login-1 | oracle-o-kv-database-login-success-dbx |
+| s-oracle-db-login-2 | oracle-db-json-databse-login-success-osuserhost |
+| s-oracle-db-logon | "oracle-db-xml-database-login-success-dbauth |
+| s-oracle-db-query | "oracle-db-xml-databse-query-success-account |
+| s-oracle-db-query-1 | oracle-db-str-database-query-success-sysdba |
+| s-oracle-db-select-1 | oracle-db-json-database-query-success-osusername |
+| s-owa-activity | microsoft-exchange-str-app-activity-success-isaweblog |
+| s-pan-correlation-alert | pan-wildfire-csv-alert-trigger-success-correlationalert |
+| s-pan-incident-alert | pan-aperture-sk4-alert-trigger-success-incident |
+| s-pan-networks-file-activity | pan-aperture-json-file-activitymonitoring |
+| s-pan-policyviolation-alert | pan-aperture-sk4-alert-trigger-success-policyviolation |
+| s-pan-security-alert | pan-aperture-sk4-alert-trigger-success-incident-1 |
+| s-pan-vpn-start-1 | pan-gp-mix-vpn-login-success-authsucc |
+| s-panngwf-spyware-alert | pan-ngfw-mix-alert-trigger-success-spywarealert |
+| s-pantraps-alert | pan-tesm-kv-alert-trigger-success-alerttrigger |
+| s-phantom-dlp-email-in | phantom-p-kv-email-receive-success-emailreceived |
+| s-pharos-print-activity | pharos-p-kv-printer-activity-success-activity |
+| s-physical-access-unknown | badge-b-csv-physical-location-access-success-dooraccessgranted |
+| s-physical-access-unknown-1 | badge-b-csv-physical-location-access-success-cardexitgranted |
+| s-physical-badge-access | badge-b-kv-physical-location-access-accessevent |
+| s-physical-badge-access-2 | badge-b-kv-physical-location-access-success-cardadmitted |
+| s-physical-badge-access-3 | lenel-og-kv-physical-location-access-evdescr |
+| s-physical-badge-access-4 | badge-b-kv-physical-location-access-success-accesssuccess |
+| s-physical-badge-access-5 | badge-b-json-physical-location-access-fail-badge |
+| s-physical-badge-access-6 | badge-b-json-physical-location-access-accessdescription |
+| s-physical-badge-access-7 | badge-b-csv-physical-location-access-success-cardadmitted |
+| s-physical-badge-access-8 | badge-b-kv-physical-location-access-success-badgevalid |
+| s-physical-badge-access-9 | badge-b-kv-physical-location-access-success-physicallocationaccess |
+| s-pictureperfect-badge-access | pictureperfect-pp-str-physical-location-access-success-pp |
+| s-ping-app-login | pingidentity-pi-json-app-login-success-sso |
+| s-ping-auth-attempt | pingidentity-pi-json-vpn-authentication-success-inprogress |
+| s-ping-auth-attempt-4 | pingidentity-pi-str-endpoint-login-fail-inprogress |
+| s-ping-auth-failed | pingidentity-pi-json-app-authentication-fail-failure-2 |
+| s-ping-auth-successful | pingidentity-pi-json-vpn-authentication-success-authnattempt-1 |
+| s-ping-failed-app-login | pingidentity-pi-json-app-login-fail-sso |
+| s-ping-sso | pingidentity-pi-kv-app-login-success-sso |
+| s-postfix-dlp-email | postfix-postfix-str-email-subject |
+| s-postfix-dlp-email-1 | postfix-postfix-mix-email-sent |
+| s-process-alert-carbonblack | vmware-carbonblackedr-cef-alert-trigger-success-watchlist |
+| s-process-alert-carbonblack-1 | vmware-carbonblackedr-json-alert-trigger-success-feed |
+| s-process-alert-carbonblack-2 | vmware-carbonblackedr-kv-alert-trigger-success-watchlistid |
+| s-process-created-carbonblack | vmware-carbonblackedr-leef-process-create-success-sensor |
+| s-process-network-carbonblack | vmware-carbonblackedr-json-network-session-success-netconn |
+| s-process-network-carbonblack-1 | vmware-carbonblackceedr-sk4-network-session-success-edr |
+| s-proofpoint-email-alert | "proofpoint-tap-cef-email-receive-fail-threatinsight |
+| s-proofpoint-email-alert-2 | proofpoint-tap-cef-email-receive-fail-threatstatus |
+| s-proofpoint-email-alert-3 | proofpoint-tap-json-email-receive-fail-proofpointtapmessagesblocked |
+| s-proofpoint-email-alert-4 | proofpoint-tap-json-email-emailthreat |
+| s-proofpoint-email-in | proofpoint-tap-kv-email-receive-mailreceived |
+| s-proofpoint-email-in-1 | proofpoint-tap-sk4-email-receive-threatdetected |
+| s-proofpoint-email-in-2 | proofpoint-tap-json-email-receive-emailthreat-1 |
+| s-prowatch-badge-access | honeywell-pw-kv-physical-location-access-success-refidtyp |
+| s-prowatch-badge-access-2 | honeywell-pw-kv-physical-location-access-success-cardno |
+| s-prowatch-badge-access-3 | honeywell-pw-kv-physical-location-access-success-accessgranted |
+| s-pulsesecure-account-deleted | juniper-ps-str-user-delete-fail-firewall |
+| s-pulsesecure-vpn-login | juniper-ps-kv-vpn-login-success-firewall-2 |
+| s-quest-directory-access | questsoftware-caad-cef-ds-object-create-success-changeauditor |
+| s-quest-failed-logon | questsoftware-caad-kv-endpoint-login-fail-failed |
+| s-radius-wireless-nac-logon | microsoft-nps-kv-radius-traffic-success-6272 |
+| s-rapid7-security-alert | nexpose-insightvm-kv-alert-trigger-success-solutionsummary |
+| s-safesend-dlp-email-alert | safesend-s-kv-email-send-success-emailexternal |
+| s-sailpoint-app-activity | sailpoint-identitynow-json-app-none |
+| s-sailpoint-auth | sailpoint-identitynow-json-endpoint-authentication-application |
+| s-sailpoint-fam-file-delete | sailpoint-fam-cef-file-delete-success-netapp |
+| s-sailpoint-fam-file-perimssion-change | sailpoint-fam-cef-file-permission-modify-success-netapp |
+| s-sailpoint-fam-file-read | sailpoint-fam-cef-file-read-success-netapp |
+| s-sailpoint-fam-file-write | sailpoint-fam-cef-file-write-success-netapp |
+| s-sailpoint-fam-file-write-1 | sailpoint-fam-cef-file-write-success-createfile |
+| s-sailpoint-fam-file-write-2 | sailpoint-fam-cef-file-write-success-renamefile |
+| s-sailpoint-fam-file-write-3 | sailpoint-fam-cef-file-write-success-createfolder |
+| s-sailpoint-launch | sailpoint-identitynow-json-app-login-success-launchapp |
+| s-sailpoint-pwd | sailpoint-identitynow-json-app-activity-null |
+| s-sailpoint-sso | sailpoint-identitynow-json-app-login-success-ssoapp |
+| s-sailpointsiq-ad-account-creation | sailpoint-securityiq-kv-user-create-success-create |
+| s-sailpointsiq-ad-account-deleted | sailpoint-securityiq-str-user-delete-fail-user |
+| s-sailpointsiq-ad-account-lockout | sailpoint-securityiq-str-user-delete-fail-accountlock |
+| s-sailpointsiq-ad-account-passwd-reset | sailpoint-securityiq-kv-user-password-reset-success-resetpassword |
+| s-sailpointsiq-netappcifs-file-delete | sailpoint-securityiq-kv-file-delete-success-deletefile |
+| s-sailpointsiq-netappcifs-file-open | sailpoint-securityiq-kv-file-read-success-openfile |
+| s-sailpointsiq-netappcifs-file-read | sailpoint-securityiq-kv-file-read-success-readfile |
+| s-sailpointsiq-netappcifs-file-write | sailpoint-securityiq-kv-file-write-success-writefile |
+| s-sailpointsiq-netappcifs-folder-create | sailpoint-securityiq-kv-file-write-success-createfolder |
+| s-sailpointsiq-netappcifs-folder-delete | sailpoint-securityiq-kv-file-delete-success-deletefolder |
+| s-sailpointsiq-onedrive-file-delete | sailpoint-securityiq-kv-file-delete-success-filedeleted |
+| s-sailpointsiq-onedrive-file-download | sailpoint-securityiq-kv-file-download-success-filedownloaded |
+| s-sailpointsiq-onedrive-file-read | sailpoint-securityiq-kv-file-read-success-filepreviewed |
+| s-sailpointsiq-onedrive-file-upload | sailpoint-securityiq-kv-file-upload-success-fileuploaded |
+| s-sailpointsiq-onedrive-file-write | sailpoint-securityiq-kv-file-write-success-filemodified |
+| s-sailpointsiq-onedrive-folder-create | sailpoint-securityiq-kv-file-write-success-foldercreated |
+| s-sailpointsiq-onedrive-folder-delete | sailpoint-securityiq-kv-file-delete-success-folderdeleted |
+| s-sailpointsiq-onedrive-folder-modify | sailpoint-securityiq-kv-file-write-success-foldermodified |
+| s-sailpointsiq-sponline-file-operations | sailpoint-securityiq-kv-file-success-sharepointonline |
+| s-sailpointsiq-sponpremise-file-delete | sailpoint-securityiq-kv-file-delete-success-sharepoint |
+| s-sailpointsiq-windowsfs-file-read | sailpoint-securityiq-kv-file-read-success-readfile-1 |
+| s-sailpointsiq-windowsfs-member-added | sailpoint-securityiq-kv-group-member-add-success-winfileserver |
+| s-sailpointsiq-windowsfs-member-removed | sailpoint-securityiq-kv-group-member-remove-success-memberremoved |
+| s-sailpointsiq-windowsfs-perm-add-file | sailpoint-securityiq-kv-file-permission-modify-success-addfile |
+| s-sailpointsiq-windowsfs-perm-add-folder | sailpoint-securityiq-kv-file-permission-modify-success-addfolder |
+| s-sailpointsiq-windowsfs-perm-remove-file | sailpoint-securityiq-kv-file-permission-modify-success-removefile |
+| s-sailpointsiq-windowsfs-perm-remove-folder | sailpoint-securityiq-kv-file-permission-modify-success-fileserver |
+| s-salesforce-app-login | salesforce-sf-kv-app-login-logingeoid |
+| s-scep-epp-alert | microsoft-defenderep-kv-alert-trigger-success-systemcenterep-1 |
+| s-securesphere-db-alert | imperva-securesphere-kv-alert-trigger-success-alert |
+| s-securesphere-db-login | imperva-securesphere-kv-database-login-success-userauth |
+| s-securesphere-db-login-1 | imperva-securesphere-kv-database-login-fail-login |
+| s-securesphere-db-query | imperva-securesphere-kv-database-query-success-databasequery |
+| s-sendmail-email-antivirus | unix-sm-str-email-virusclean |
+| s-sendmail-email-attachment | unix-sm-kv-email-attach |
+| s-sendmail-email-client | unix-sm-kv-email-client |
+| s-sendmail-email-from | unix-sm-kv-email-send |
+| s-sendmail-email-recipients | unix-sm-kv-email-envelopesender |
+| s-sendmail-email-stat | unix-sm-kv-email-delay |
+| s-sep-mobile-alert | symantec-endpointprotection-json-alert-trigger-success-malware |
+| s-sep-mobile-alert-1 | symantec-endpointprotection-json-alert-trigger-success-malware-1 |
+| s-sep-mobile-alert-2 | symantec-endpointprotection-sk4-alert-trigger-success-devicecompromised |
+| s-sep-mobile-alert-3 | symantec-endpointprotection-sk4-alert-trigger-success-network |
+| s-sep-mobile-alert-4 | symantec-endpointprotection-sk4-alert-trigger-success-vulnerableos |
+| s-sep-mobile-alert-5 | symantec-endpointprotection-sk4-alert-trigger-success-unwantedapp |
+| s-shibboleth-sso | shibboleth-s-str-app-login-success-shibbolethaudit |
+| s-shibboleth-sso-1 | shibboleth-s-str-app-login-success-3877 |
+| s-shibboleth-sso-2 | shibboleth-s-kv-app-notification-warn |
+| s-skyfence-activity | forcepoint-casb-cef-app-activity-skyfence |
+| s-skyfence-alert | forcepoint-casb-cef-alert-trigger-success-alert |
+| s-skyfence-login | forcepoint-casb-kv-app-login-fail-login |
+| s-skysea-app-activity | skysea-cv-csv-app-activity-success-appactivity |
+| s-skysea-app-activity-1 | skysea-cv-str-app-activity-success-appactivity |
+| s-skysea-dlp-email-alert | skysea-cv-csv-email-send-success |
+| s-skysea-file-access | skysea-cv-csv-file-success-fileactivity |
+| s-skysea-file-copied | skysea-cv-csv-file-write-success-fileactivity |
+| s-skysea-file-download | skysea-cv-csv-file-download-success-web |
+| s-skysea-file-operations | skysea-cv-csv-file-success-fileactivity-1 |
+| s-skysea-file-upload | skysea-cv-csv-file-upload-success-web |
+| s-skysea-print-activity | skysea-cv-csv-printer-activity-success-printactivity |
+| s-skysea-process-created-1 | skysea-cv-csv-process-create-success-user |
+| s-skysea-process-created-2 | skysea-cv-csv-process-create-success-processcreated |
+| s-skysea-security-alert | skysea-cv-kv-alert-trigger-success-tcp |
+| s-skysea-share-access | skysea-cv-str-share-access-success-foldersharing |
+| s-skysea-usb-activity | skysea-cv-csv-peripheral-storage-activity-success-usbactivity |
+| s-skysea-web-activity | skysea-cv-csv-http-session-web |
+| s-skysea-web-activity-1 | skysea-cv-csv-http-session-success-web |
+| s-skysea-web-activity-2 | skysea-cv-csv-http-session-success-webaccess |
+| s-snowflake-db-login-1 | snowflake-s-kv-database-login-success-login |
+| s-snowflake-db-query-1 | snowflake-s-kv-database-query-success-databasequery |
+| s-sonicwall-failed-vpn-login | dell-sw-kv-vpn-login-fail-sslvpn |
+| s-sonicwall-failed-vpn-login-2 | dell-sw-kv-vpn-login-fail-140 |
+| s-sonicwall-remote-logon | dell-sw-kv-rdp-traffic-success-sslvpn |
+| s-sonicwall-vpn-end | dell-sw-kv-vpn-logout-success-sslvpn |
+| s-sonicwall-vpn-end-1 | sonicwall-sw-kv-vpn-logout-success-sslvpn |
+| s-sonicwall-vpn-login-2 | sonicwall-sw-kv-vpn-login-success-1080 |
+| s-sonicwall-vpn-start | dell-sw-kv-vpn-login-success-userloginsuccessful |
+| s-sonicwall-vpn-start-1 | dell-sw-kv-vpn-login-success-netextenderconnected |
+| s-sophos-network-connection | sophos-xgfirewall-kv-network-traffic-success-firewallrule |
+| s-splunkstream-dns-query | splunk-stream-json-dns-request-success-query |
+| s-splunkstream-dns-response | splunk-stream-json-dns-response-success-messagetype |
+| s-ssh-login-failed | unix-unix-str-endpoint-login-fail-invaliduser |
+| s-stealthwatch-network-alert | cisco-securenetworkanalytics-kv-alert-trigger-success-stealth |
+| s-stream-dhcp | splunk-s-json-dhcp-session-success-dhcpack |
+| s-svn-app-activity | apache-subversion-mix-app-activity-get |
+| s-svn-app-activity-1 | apache-subversion-mix-app-activity-headsvn |
+| s-svn-app-activity-2 | apache-subversion-mix-app-activity-headsvn-1 |
+| s-svn-app-activity-3 | apache-subversion-mix-app-activity-optionssvn |
+| s-svn-app-activity-4 | apache-subversion-mix-app-activity-postsvn |
+| s-svn-app-activity-5 | apache-subversion-str-app-activity-svn |
+| s-svn-app-activity-6 | apache-subversion-mix-app-activity-proppatchsvn |
+| s-svn-app-activity-7 | apache-subversion-mix-app-activity-putsvn |
+| s-svn-app-activity-8 | apache-subversion-mix-app-activity-reportsvn |
+| s-swipes-badge-access | swipes-s-kv-physical-location-access-success-swipes |
+| s-symantec-auth-failed | symantec-vip-str-endpoint-login-fail-auth |
+| s-symantec-auth-failed-1 | symantec-vip-str-endpoint-login-fail-accessreject |
+| s-symantec-auth-failed-2 | symantec-vip-str-endpoint-login-fail-accessreject-1 |
+| s-symantec-auth-successful | symantec-vip-str-endpoint-login-success-auth |
+| s-symantec-auth-successful-1 | symantec-vip-kv-endpoint-login-success-authentication |
+| s-symantec-dlp-alert | symantec-dlp-cef-email-send-success-emailsend |
+| s-symantec-dlp-alert-1 | symantec-dlp-csv-alert-trigger-success-https |
+| s-symantec-dlp-email-alert | symantec-dlp-str-email-send-success-smtp |
+| s-symantec-email-alert | symantec-esc-json-email-send-success-fileincluded |
+| s-symantec-epp-alert | symantec-endpointprotection-csv-alert-trigger-success-threatnum |
+| s-symantec-network-alert | symantec-endpointprotection-kv-alert-trigger-success-scanning |
+| s-symantec-process-alert | symantec-endpointprotection-kv-alert-trigger-success-rule |
+| s-symantec-security-alert | symantec-endpointprotection-kv-alert-trigger-success-symantecepproactive |
+| s-symantec-security-alert-1 | symantec-endpointprotection-kv-alert-trigger-success-symantecepsecurity |
+| s-symantec-security-alert-2 | symantec-endpointprotection-kv-alert-trigger-success-symanteceprisk-1 |
+| s-symantec-web-activity | symantec-fireglass-kv-http-session-urlcategories |
+| s-symantec-web-activity-1 | symantec-fireglass-json-http-session-networkrequest |
+| s-tanium-cli-execution | tanium-cp-kv-process-create-success-cliexecutionlog |
+| s-tanium-process-alert-1 | tanium-cp-sk4-alert-trigger-success-maliciousfiles |
+| s-tanium-security-alert | tanium-cp-kv-alert-trigger-success-eventdetect |
+| s-tanium-security-alert-2 | tanium-cp-json-alert-trigger-success-eventprocess |
+| s-tanium-security-alert-3 | tanium-cp-json-alert-trigger-success-security |
+| s-tanium-security-alert-4 | tanium-cp-json-alert-trigger-success-eventtrace |
+| s-tanium-security-alert-5 | tanium-cp-json-alert-trigger-success-taniumdetect |
+| s-tanium-security-alert-6 | tanium-cp-sk4-alert-trigger-success-taniumindex |
+| s-tanium-security-alert-7 | tanium-cp-sk4-alert-trigger-success-shellhashes |
+| s-titanftp-app-activity-1 | titanftp-t-str-app-activity-success-sshfxprealpath |
+| s-titanftp-app-activity-2 | titanftp-t-str-app-activity-success-sshfxpstat |
+| s-titanftp-app-activity-3 | titanftp-t-str-app-activity-success-sshfxpsetstat |
+| s-titanftp-app-activity-4 | titanftp-t-str-app-activity-success-sshfxplstat |
+| s-titanftp-file-delete | titanftp-t-str-file-delete-success-sshfxpremove |
+| s-titanftp-file-read-1 | titanftp-t-str-file-read-success-sshfxpopendir |
+| s-titanftp-file-read-2 | titanftp-t-str-file-read-success-sshfxpopen |
+| s-trendmicro-epp-alert | trendmicro-officescan-kv-alert-trigger-success-trendmicro |
+| s-trendmicro-epp-alert-1 | trendmicro-officescan-kv-alert-trigger-success-callbackdetected |
+| s-trendmicro-epp-alert-2 | trendmicro-officescan-kv-alert-trigger-success-officescanserver |
+| s-trendmicro-security-alert | trendmicro-officescan-kv-alert-trigger-success-tmcm |
+| s-trendmicro-security-alert-1 | trendmicro-officescan-kv-alert-trigger-success-graywarefound |
+| s-trendmicro-security-alert-2 | trendmicro-officescan-kv-alert-trigger-success-ccca |
+| s-trendmicro-security-alert-3 | trendmicro-officescan-kv-alert-trigger-success-contentfiltering |
+| s-trusteer-epp-alert | ibm-em-kv-alert-trigger-success-securitytrusteer |
+| s-unix-auth-event | unix-unix-str-endpoint-login-authentication |
+| s-unix-dhcp-2 | unix-dhcpd-str-dhcp-discover-nofreeleases |
+| s-unix-dhcp-3 | unix-dhcpd-str-dhcp-traffic-dhcpd |
+| s-viscount-badge-access | viscount-i-kv-physical-location-access-cardaccess |
+| s-vontu-dlp-alert | symantec-dlp-kv-alert-trigger-success-dlpincident |
+| s-vontu-dlp-email-alert | symantec-dlp-kv-email-send-success-emailsend |
+| s-vontu-email-dlp | symantec-dlp-kv-alert-trigger-success-smtp |
+| s-windows-4625 | microsoft-evsecurity-kv-endpoint-login-fail-4625-7 |
+| s-windows-4648 | microsoft-evsecurity-kv-endpoint-login-success-4648 |
+| s-windows-4672 | microsoft-evsecurity-kv-user-privilege-modify-fail-4672 |
+| s-windows-4673 | microsoft-evsecurity-kv-user-privilege-modify-fail-4673-1 |
+| s-windows-4674 | microsoft-evsecurity-kv-user-privilege-use-success-data |
+| s-windows-4688 | microsoft-evsecurity-kv-process-create-success-4688-3 |
+| s-windows-4771 | microsoft-evsecurity-kv-endpoint-login-fail-4771 |
+| s-windows-4776 | microsoft-evsecurity-kv-endpoint-login-4776-4 |
+| s-windows-5140 | microsoft-evsecurity-kv-share-access-5140 |
+| s-windows-5157 | microsoft-evsecurity-kv-network-session-fail-5157 |
+| s-windows-5157-2 | microsoft-evsecurity-kv-network-session-fail-5157-1 |
+| s-windows-event-1102 | microsoft-evsecurity-kv-log-clear-success-1102-3 |
+| s-windows-event-4624 | microsoft-evsecurity-kv-endpoint-success-4624 |
+| s-windows-event-4625 | microsoft-evsecurity-kv-wls-endpoint-login-fail-4625-1 |
+| s-windows-event-4648 | microsoft-evsecurity-kv-endpoint-login-success-4648-4 |
+| s-windows-event-4672 | microsoft-evsecurity-kv-user-privilege-use-success-4672 |
+| s-windows-event-4673 | microsoft-evsecurity-kv-user-privilege-use-success-4673 |
+| s-windows-event-4674 | microsoft-evsecurity-kv-user-privilege-use-success-wls |
+| s-windows-event-4688 | microsoft-evsecurity-kv-process-create-success-4688wls |
+| s-windows-event-4697 | microsoft-evsecurity-csv-service-create-success-4697 |
+| s-windows-event-4719 | microsoft-evsecurity-kv-audit-policy-modify-success-4719-3 |
+| s-windows-event-4720 | microsoft-evsecurity-kv-user-create-success-4720-2 |
+| s-windows-event-4722 | microsoft-evsecurity-kv-user-enable-success-4722-1 |
+| s-windows-event-4723 | microsoft-evsecurity-kv-user-password-modify-4723-3 |
+| s-windows-event-4724 | microsoft-evsecurity-kv-user-password-reset-success-4724-1 |
+| s-windows-event-4725 | microsoft-evsecurity-kv-user-disable-success-4725-1 |
+| s-windows-event-4728 | microsoft-evsecurity-kv-group-member-add-success-4728-1 |
+| s-windows-event-4729 | microsoft-evsecurity-kv-group-member-remove-success-4729 |
+| s-windows-event-4732 | microsoft-evsecurity-kv-group-member-add-success-4732-1 |
+| s-windows-event-4733 | microsoft-evsecurity-kv-group-member-remove-success-4733 |
+| s-windows-event-4740 | microsoft-evsecurity-kv-user-delete-fail-4740 |
+| s-windows-event-4776 | microsoft-evsecurity-kv-endpoint-login-4776-3 |
+| s-windows-event-4778 | microsoft-evsecurity-kv-endpoint-login-success-4778 |
+| s-windows-event-4779 | microsoft-evsecurity-kv-endpoint-logout-success-4779-1 |
+| s-windows-event-4780 | microsoft-evsecurity-kv-ds-object-modify-success-4780 |
+| s-windows-event-4800 | microsoft-evsecurity-kv-endpoint-lock-success-4800-2 |
+| s-windows-event-4801 | microsoft-evsecurity-kv-endpoint-unlock-success-4801-2 |
+| s-windows-event-5140 | microsoft-evsecurity-kv-share-access-success-5140-4 |
+| s-windows-event-528 | microsoft-evsecurity-kv-endpoint-success-528-1 |
+| s-windows-event-534 | microsoft-evsecurity-kv-endpoint-login-fail-534 |
+| s-windows-event-540 | microsoft-evsecurity-json-endpoint-login-success-540-1 |
+| s-windows-event-552 | microsoft-evsecurity-kv-endpoint-login-success-552 |
+| s-windows-event-576 | microsoft-evsecurity-kv-user-privilege-use-success-576 |
+| s-windows-event-578 | microsoft-windows-kv-user-privilege-use-success-578 |
+| s-windows-event-601 | microsoft-evsecurity-kv-process-create-success-601 |
+| s-windows-event-602 | microsoft-evsecurity-kv-scheduled-task-create-success-602 |
+| s-windows-event-626 | microsoft-windows-kv-user-enable-success-626 |
+| s-windows-event-627 | microsoft-evsecurity-kv-user-password-modify-627-1 |
+| s-windows-event-629 | microsoft-evsecurity-kv-user-disable-success-629-1 |
+| s-windows-event-633 | microsoft-evsecurity-kv-group-member-remove-success-633 |
+| s-windows-event-636 | microsoft-evsecurity-kv-group-member-add-success-636 |
+| s-windows-event-637 | microsoft-evsecurity-kv-group-member-remove-success-637 |
+| s-windows-event-644 | microsoft-evsecurity-kv-user-delete-fail-logtype |
+| s-windows-process-created | microsoft-windows-kv-process-create-success-processid |
+| s-xenapp-ica-login | citrix-cvapps-kv-app-login-success-active |
+| s-xendesktop-remote-logon | citrix-cvdesktop-kv-endpoint-login-success-dnsname |
+| s-xml-10 | "microsoft-evapp-xml-endpoint-notification-10 |
+| s-xml-100 | "microsoft-evapp-xml-process-create-100 |
+| s-xml-1000 | "microsoft-evapp-xml-endpoint-notification-1000 |
+| s-xml-1000-1 | "microsoft-evapp-xml-endpoint-notification-1000-1 |
+| s-xml-101 | "microsoft-evapp-xml-endpoint-activity-101 |
+| s-xml-1030 | "microsoft-evsystem-xml-policy-apply-fail-1030 |
+| s-xml-1085 | "microsoft-evsystem-xml-endpoint-notification-1085 |
+| s-xml-1096 | "microsoft-evsystem-xml-policy-apply-fail-1096 |
+| s-xml-1102 | microsoft-evsecurity-xml-log-clear-success-1102-1 |
+| s-xml-1112 | "microsoft-evsystem-xml-policy-apply-fail-1112 |
+| s-xml-1196 | "microsoft-evsystem-xml-endpoint-notification-1196 |
+| s-xml-120 | "microsoft-evapp-xml-process-create-fail-120 |
+| s-xml-1200 | "microsoft-evsecurity-xml-app-authentication-1200 |
+| s-xml-1200-1 | microsoft-evsecurity-xml-app-authentication-success-1200 |
+| s-xml-1201-1 | microsoft-evsecurity-xml-app-authentication-fail-1201 |
+| s-xml-1202 | "microsoft-evsecurity-xml-app-authentication-1202 |
+| s-xml-1202-1 | microsoft-evsecurity-xml-app-authentication-success-1202 |
+| s-xml-1203 | "microsoft-evsecurity-xml-app-authentication-fail-1203 |
+| s-xml-1203-1 | microsoft-evsecurity-xml-app-authentication-fail-1203-1 |
+| s-xml-129 | "microsoft-evsystem-xml-endpoint-time-modify-fail-129 |
+| s-xml-134 | "microsoft-evsystem-xml-endpoint-time-modify-fail-134 |
+| s-xml-1500 | "microsoft-evsystem-xml-policy-apply-1500 |
+| s-xml-1530 | "microsoft-evapp-xml-endpoint-notification-1530 |
+| s-xml-1534 | "microsoft-evapp-xml-endpoint-notification-1534 |
+| s-xml-2039 | "cisco-ac-xml-vpn-login-success-2039 |
+| s-xml-219 | "microsoft-evsystem-xml-driver-load-fail-219 |
+| s-xml-225 | "microsoft-evsystem-xml-driver-load-fail-225 |
+| s-xml-299 | "microsoft-evsecurity-xml-app-authentication-299 |
+| s-xml-3001 | "cisco-ac-xml-app-notification-3001 |
+| s-xml-3009 | "microsoft-evapp-xml-endpoint-notification-3009 |
+| s-xml-3013 | "microsoft-evapp-xml-endpoint-notification-3013 |
+| s-xml-33370 | "microsoft-evapp-xml-certificate-request-fail-33370 |
+| s-xml-40 | "microsoft-evsystem-xml-policy-apply-fail-40 |
+| s-xml-403 | "microsoft-evsecurity-xml-http-request-403 |
+| s-xml-404 | "microsoft-evsecurity-xml-http-response-404 |
+| s-xml-4098 | "microsoft-evapp-xml-policy-apply-fail-4098 |
+| s-xml-410 | "microsoft-evsecurity-xml-app-notification-410 |
+| s-xml-411 | "microsoft-evsecurity-xml-app-authentication-fail-411 |
+| s-xml-412 | "microsoft-evsecurity-xml-app-authentication-412 |
+| s-xml-431 | "microsoft-evsecurity-xml-app-notification-431 |
+| s-xml-4627 | "microsoft-evsecurity-xml-endpoint-notification-4627 |
+| s-xml-4627-1 | "microsoft-evsecurity-xml-endpoint-notification-success-4627 |
+| s-xml-4634 | "microsoft-evsecurity-xml-endpoint-logout-4634 |
+| s-xml-4647 | "microsoft-evsecurity-xml-endpoint-logout-4647 |
+| s-xml-4653 | "microsoft-evsecurity-xml-endpoint-notification-4653 |
+| s-xml-4656 | "microsoft-evsecurity-xml-handle-request-4656 |
+| s-xml-4656-netapp | "netapp-n-xml-alert-trigger-success-4656 |
+| s-xml-4660 | "microsoft-evsecurity-xml-endpoint-activity-4660 |
+| s-xml-4660-netapp | "netapp-n-xml-file-delete-success-4660 |
+| s-xml-4663 | "microsoft-evsecurity-xml-file-success-4663-1 |
+| s-xml-4664 | "microsoft-evsecurity-xml-link-create-4664 |
+| s-xml-4670 | "microsoft-evsecurity-xml-file-permission-modify-4670 |
+| s-xml-4696 | "microsoft-evsecurity-xml-process-token-assign-4696 |
+| s-xml-4697 | "microsoft-evsecurity-xml-service-create-success-4697 |
+| s-xml-4698 | "microsoft-evsecurity-xml-scheduled-task-create-success-4698-1 |
+| s-xml-4701 | "microsoft-evsecurity-xml-scheduled-task-disable-4701 |
+| s-xml-4720 | "microsoft-evsecurity-xml-user-create-success-4720 |
+| s-xml-4723 | "microsoft-evsecurity-xml-user-password-modify-4723 |
+| s-xml-4724 | "microsoft-evsecurity-xml-user-password-reset-success-4724 |
+| s-xml-4725 | "microsoft-evsecurity-xml-user-disable-success-4725 |
+| s-xml-4726 | "microsoft-evsecurity-xml-user-delete-success-4726-1 |
+| s-xml-4740 | "microsoft-evsecurity-xml-user-lock-success-4740 |
+| s-xml-4770 | "microsoft-evsecurity-xml-endpoint-login-success-4770 |
+| s-xml-4771 | "microsoft-evsecurity-xml-endpoint-login-fail-4771 |
+| s-xml-4774 | "microsoft-evsecurity-xml-endpoint-authentication-4774 |
+| s-xml-49152 | "microsoft-evsystem-xml-network-notification-49152 |
+| s-xml-4931 | "microsoft-evsecurity-xml-ds-replication-modify-4931-1 |
+| s-xml-4948 | "microsoft-evsecurity-xml-policy-modify-4948 |
+| s-xml-4954 | "microsoft-evsecurity-xml-policy-apply-4954 |
+| s-xml-4965 | "microsoft-evsecurity-xml-endpoint-notification-4965 |
+| s-xml-49754 | "microsoft-evapp-xml-certificate-request-fail-49754 |
+| s-xml-4985 | "microsoft-evsecurity-xml-endpoint-notification-4985 |
+| s-xml-5 | "sentinelone-evsentinelone-xml-app-notification-5 |
+| s-xml-500 | "microsoft-evsecurity-xml-app-notification-500 |
+| s-xml-5005 | "cisco-ac-xml-app-notification-5005 |
+| s-xml-501 | "microsoft-evsecurity-xml-app-notification-501 |
+| s-xml-510 | "microsoft-evsecurity-xml-app-notification-510 |
+| s-xml-5379 | "microsoft-evsecurity-xml-password-read-5379 |
+| s-xml-5447 | "microsoft-evsecurity-xml-policy-modify-5447-2 |
+| s-xml-5447-1 | "microsoft-evsecurity-xml-policy-modify-5447-1 |
+| s-xml-5612 | "microsoft-evapp-xml-process-close-5612 |
+| s-xml-5889 | "microsoft-evsecurity-xml-endpoint-activity-success-5889 |
+| s-xml-5890 | "microsoft-evsecurity-xml-endpoint-notification-5890 |
+| s-xml-5973 | microsoft-evapp-xml-app-activity-success-5973 |
+| s-xml-6 | microsoft-evsecurity-xml-vpn-authentication-fail-6 |
+| s-xml-6398 | "microsoft-evapp-xml-endpoint-notification-6398 |
+| s-xml-64 | "microsoft-evcertsc-xml-certificate-expire-64 |
+| s-xml-7045 | "microsoft-evsystem-xml-service-create-success-7045 |
+| s-xml-8019 | "microsoft-evsecurity-xml-dns-record-create-fail-8019 |
+| s-xml-9999 | "microsoft-evsecurity-xml-file-rename-9999 |
+| s-xml-config-change | "microsoft-evapp-xml-configuration-modify-16028 |
+| s-xml-object-access-2003 | "microsoft-evbferf-xml-network-notification-success-2003 |
+| s-xml-object-access-4690 | "microsoft-evsecurity-xml-handle-copy-4690 |
+| s-xml-object-access-4755 | "microsoft-evsecurity-xml-group-modify-success-4755 |
+| s-xml-object-access-4759 | "microsoft-evsecurity-xml-group-create-success-4759 |
+| s-xml-object-access-4760 | "microsoft-evsecurity-xml-group-modify-success-4760 |
+| s-xml-object-access-4761 | "microsoft-evsecurity-xml-group-member-add-4761 |
+| s-xml-object-access-4762 | "microsoft-evsecurity-xml-member-remove-success-4762 |
+| s-xml-object-access-5058 | "microsoft-evsecurity-xml-file-5058 |
+| s-xml-object-access-5059 | "microsoft-evsecurity-xml-key-migrate-5059 |
+| s-xml-object-access-5061 | "microsoft-evsecurity-xml-key-5061 |
+| s-xml-object-access-5061-2 | "microsoft-evsecurity-xml-key-5061-1 |
+| s-xml-object-access-6278 | "microsoft-evsecurity-xml-endpoint-authentication-6278 |
+| s-xml-system-info-1 | "microsoft-evapp-xml-endpoint-activity-esent |
+| s-xml-system-info-10 | "microsoft-evapp-xml-app-activity-msexchangeis |
+| s-xml-system-info-11 | "microsoft-evapp-xml-app-activity-mailboxreplication |
+| s-xml-system-info-12 | "microsoft-evapp-xml-app-activity-midtierstorage |
+| s-xml-system-info-13 | "microsoft-evapp-xml-app-activity-owa |
+| s-xml-system-info-14 | "microsoft-evapp-xml-app-activity-msexchangerepl |
+| s-xml-system-info-15 | "microsoft-evapp-xml-app-activity-transport |
+| s-xml-system-info-16 | "microsoft-evapp-xml-app-activity-transportdelivery |
+| s-xml-system-info-17 | "microsoft-evapp-xml-app-activity-transportsearch |
+| s-xml-system-info-18 | "microsoft-evapp-xml-app-activity-transportsubmission |
+| s-xml-system-info-19 | "microsoft-evapp-xml-database-activity-sql |
+| s-xml-system-info-2 | "microsoft-evapp-xml-endpoint-activity-filter |
+| s-xml-system-info-20 | "microsoft-evsecurity-xml-endpoint-activity-dfssvc |
+| s-xml-system-info-21 | "microsoft-evsystem-xml-endpoint-activity-microsoftwindowswas |
+| s-xml-system-info-22 | "microsoft-evsystem-xml-endpoint-activity-schannel |
+| s-xml-system-info-23 | "microsoft-evsystem-xml-endpoint-activity-servicecontrolmanager |
+| s-xml-system-info-3 | "microsoft-evapp-xml-endpoint-activity-perflib |
+| s-xml-system-info-4 | "microsoft-evapp-xml-app-activity-adaccess |
+| s-xml-system-info-5 | "microsoft-evapp-xml-app-activity-applicationlogic |
+| s-xml-system-info-6 | "microsoft-evapp-xml-app-activity-assistants |
+| s-xml-system-info-7 | "microsoft-evapp-xml-app-activity-certificatenotification |
+| s-xml-system-info-8 | "microsoft-evapp-xml-app-activity-common |
+| s-xml-system-info-9 | "microsoft-evapp-xml-app-activity-frontendhttpproxy |
+| s-xml-windows-member-1 | "microsoft-evsecurity-xml-group-member-add-success-4728 |
+| s-xml-windows-member-10 | "microsoft-windows-xml-vpn-logout-success-1018 |
+| s-xml-windows-member-11 | "microsoft-windows-xml-vpn-login-success-1017 |
+| s-xml-windows-member-13 | "microsoft-evdhcpserver-xml-vpn-login-success-4303 |
+| s-xml-windows-member-14 | "microsoft-windows-xml-vpn-logout-success-4304 |
+| s-xml-windows-member-15 | "microsoft-evsecurity-xml-configuration-modify-success-4742 |
+| s-xml-windows-member-16 | "microsoft-evsecurity-xml-configuration-modify-success-eventid4957 |
+| s-xml-windows-member-2 | "microsoft-evsecurity-xml-group-member-add-success-4732 |
+| s-xml-windows-member-3 | "microsoft-evsecurity-kv-group-member-add-success-4756-1 |
+| s-xml-windows-member-4 | "microsoft-evsecurity-xml-group-member-remove-success-4729 |
+| s-xml-windows-member-4756 | "microsoft-evsecurity-kv-group-member-add-success-4756-2 |
+| s-xml-windows-member-4757 | "microsoft-evsecurity-json-group-member-remove-success-4757-1 |
+| s-xml-windows-member-5 | "microsoft-evsecurity-xml-group-member-remove-success-4733 |
+| s-xml-windows-member-6 | "microsoft-evsecurity-json-group-member-remove-success-4757 |
+| s-xml-windows-member-7 | "microsoft-windows-xml-vpn-login-success-2002 |
+| s-xml-windows-member-8 | "microsoft-windows-xml-vpn-logout-success-2001 |
+| s-xml-windows-member-9 | "microsoft-windows-xml-vpn-login-success-2000 |
+| s-zscaler-dlp-alert | zscaler-ia-kv-alert-trigger-success-dlp |
+| s-zscaler-dlp-alert-1 | zscaler-ia-kv-alert-trigger-success-alerttrigeerd |
+| s-zscaler-web-activity | zscaler-ia-str-http-session-dlpengine |
+| s-zscaler-web-activity-1 | zscaler-ia-json-http-session-https |
+| s-zscaler-web-activity-2 | zscaler-ia-kv-http-session-cleantransaction |
+| s-zscaler-web-activity-3 | zscaler-ia-kv-http-session-login |
+| s-zscaler-web-activity-4 | zscaler-ia-json-http-session-allowed |
+| s-zscaler-web-activity-5 | zscaler-ia-kv-http-session-https |
+| s-zscaler-web-activity-6 | zscaler-ia-cef-http-session-recordid |
+| s-zscaler-web-activity-7 | zscaler-ia-kv-http-session-url |
+| s-zscaler-web-activity-8 | zscaler-ia-json-http-session-transactionsize |
+| saas-suricata-json | suricata-s-json-alert-trigger-success-proto |
+| safecom-print-activity | hp-safecom-kv-printer-activity-success-300183 |
+| safend-dlp-alert | safend-dps-kv-alert-trigger-success-safenddataprotection |
+| safend-usb-insert | safend-dps-kv-peripheral-storage-insert-success-allowed |
+| safend-usb-read | safend-dps-kv-file-read-success-read |
+| safend-usb-write | safend-dps-kv-file-write-success-write |
+| safeword-auth-successful | securecomputing-safeword-kv-endpoint-authentication-success-authverify |
+| sail-file-operation | sailpoint-securityiq-csv-file-operation |
+| sailpoint-account-password-change | sailpoint-iiq-json-user-password-modify-success-target |
+| sailpoint-app-activity-1 | sailpoint-identitynow-json-app-login-success-ssoattributes |
+| sailpoint-app-activity-2 | sailpoint-identitynow-json-app-activity-success-usermanagement |
+| sailpoint-app-activity-3 | sailpoint-identityiq-json-app-activity-success-appactivity |
+| sailpoint-auth | sailpoint-identitynow-json-endpoint-authentication-auth |
+| sailpoint-failed-app-login | sailpoint-identityiq-json-app-login-fail-faillogin |
+| sailpoint-password-change | sailpoint-identitynow-json-user-password-modify-passwordactivity |
+| salesforce-app-login | salesforce-sf-csv-app-login-success-loginsuccess |
+| salesforce-failed-app-login | salesforce-sf-csv-app-login-fail-invalidpassword |
+| sangfor-network-alert | sangfor-ngaf-kv-alert-trigger-success-ips |
+| sangfor-web-activity | sangfor-ngaf-kv-http-session-websitebrowsing |
+| sap-account-password-change | sap-s-cef-user-password-modify-success-loginforsso |
+| sap-app-activity | sap-s-kv-app-activity-success-sapuser |
+| sap-app-login | sap-s-cef-app-login-success-dialoglogonsuccessful |
+| sap-failed-app-login | sap-s-cef-app-login-fail-dialoglogonfailed |
+| sap-logout | sap-s-cef-app-logout-userlogoff |
+| sap-network-connection | sap-s-kv-network-session-functioncall |
+| sap-network-connection-1 | sap-s-cef-network-session-rfccallsuccess |
+| sap-remote-logon | sap-s-cef-endpoint-login-success-cpiclogonsuccessful |
+| sap-remote-logon-1 | sap-s-cef-endpoint-login-fail-cpiclogonfail |
+| sap-system-event | sap-s-cef-app-notification-reportstarted |
+| sap-system-event-1 | sap-s-cef-app-notification-transactionstarted |
+| sap-system-event-2 | sap-s-cef-app-notification-messagecu1 |
+| sap-system-event-3 | sap-s-cef-app-notification-accessbyrfc |
+| sap-system-event-4 | sap-s-cef-app-notification-transactionfailed |
+| sap-system-event-5 | sap-s-cef-app-notification-success-duz |
+| sap-system-info | sap-s-cef-app-activity-secude |
+| seclore-file-permission-change | seclore-s-json-file-permission-modify-success-1 |
+| seclore-file-permission-change-1 | seclore-s-json-file-permission-modify-success-6 |
+| seclore-file-permission-change-2 | seclore-s-json-file-permission-modify-success-7 |
+| seclore-file-print | seclore-s-json-printer-activity-machinename |
+| seclore-file-read | seclore-s-json-file-read-success-13 |
+| seclore-file-read-1 | seclore-s-json-file-read-success-2 |
+| seclore-file-share | seclore-s-json-file-share-offlineaccessright |
+| seclore-file-write | seclore-s-json-file-write-success-3 |
+| secure-auth-event-20100 | secureauth-login-kv-app-notification-20100 |
+| secure-auth-event-20990 | secureauth-login-kv-app-notification-20990 |
+| secure-auth-event-21000 | secureauth-login-kv-app-notification-21000 |
+| secure-auth-event-21010 | secureauth-login-kv-app-notification-21010 |
+| secure-auth-event-22600 | secureauth-login-kv-app-authentication-fail-22600 |
+| secure-auth-event-23000 | secureauth-login-kv-app-notification-23000 |
+| secure-auth-event-23800 | secureauth-login-kv-app-notification-23800 |
+| secure-auth-event-24000 | secureauth-login-kv-app-notification-24000 |
+| secure-auth-event-24010 | secureauth-login-kv-app-notification-24010 |
+| secure-auth-event-24120 | secureauth-login-kv-app-authentication-24120 |
+| secure-auth-event-41600 | secureauth-login-kv-app-notification-41600 |
+| secure-auth-event-41690 | secureauth-login-kv-http-request-41690 |
+| secure-auth-event-51080 | secureauth-login-kv-app-notification-51080 |
+| secure-auth-event-51150 | secureauth-login-kv-app-authentication-fail-51150 |
+| secure-auth-event-51170 | secureauth-login-kv-app-authentication-51170 |
+| secure-auth-event-52010 | secureauth-login-kv-app-notification-52010 |
+| secure-auth-event-52018 | secureauth-login-kv-app-notification-success-52018 |
+| secure-auth-event-52019 | secureauth-login-kv-app-notification-success-52019 |
+| secure-auth-event-52020 | secureauth-login-kv-app-notification-52020 |
+| secure-auth-event-52060 | secureauth-login-kv-app-notification-52060 |
+| secure-auth-event-52070 | secureauth-login-kv-app-notification-52070 |
+| secure-auth-event-53100 | secureauth-login-kv-app-notification-53100 |
+| secure-auth-event-53110 | secureauth-login-kv-app-notification-53110 |
+| secure-auth-event-53120 | secureauth-login-kv-app-notification-53120 |
+| secure-auth-event-53502 | secureauth-login-kv-app-notification-53502 |
+| secure-auth-event-53540 | secureauth-login-kv-app-notification-success-53540 |
+| secure-auth-event-53550 | secureauth-login-kv-app-notification-success-53550 |
+| secure-auth-event-53560 | secureauth-login-kv-app-notification-success-53560 |
+| secure-auth-event-60701 | secureauth-login-kv-app-notification-success-60701 |
+| secure-auth-event-90010 | secureauth-login-kv-app-login-90010 |
+| secure-auth-event-90020 | secureauth-login-kv-app-notification-90020 |
+| secure-auth-event-90030 | secureauth-login-kv-app-notification-90030 |
+| secure-auth-event-90040 | secureauth-login-kv-app-notification-90040 |
+| secure-auth-event-92020 | secureauth-login-kv-app-notification-success-92020 |
+| secure-auth-event-92030 | secureauth-login-kv-app-notification-success-92030 |
+| secure-auth-event-92300 | secureauth-login-kv-app-notification-success-92300 |
+| secure-auth-event-92301 | secureauth-login-kv-app-notification-success-92301 |
+| secure-auth-event-92302 | secureauth-login-kv-app-notification-success-92302 |
+| secure-auth-event-92303 | secureauth-login-kv-app-notification-success-92303 |
+| secure-auth-event-92304 | secureauth-login-kv-app-notification-success-92304 |
+| secure-auth-event-92306 | secureauth-login-kv-app-notification-success-92306 |
+| secure-auth-failed-event-21070 | secureauth-login-kv-user-read-fail-21070 |
+| secure-auth-failed-event-22610 | secureauth-login-kv-app-authentication-fail-22610 |
+| secure-auth-failed-event-22910 | secureauth-login-kv-app-authentication-fail-22910 |
+| secure-auth-failed-event-24210 | secureauth-login-kv-app-authentication-fail-24210 |
+| secure-auth-failed-event-24220 | secureauth-login-kv-app-authentication-fail-24220 |
+| secure-auth-failed-event-41501 | secureauth-login-kv-app-authentication-fail-41501 |
+| secure-envoy-failed | securenvoy-semfa-kv-endpoint-login-fail-denied |
+| secure-envoy-successful | securenvoy-semfa-kv-endpoint-authentication-success-passcodeok |
+| secure-system-login | tufin-securetrack-str-endpoint-login-success-securetrack |
+| secure-system-policy-info | tufin-securetrack-kv-policy-modify-saved |
+| secure-system-policy-info-1 | tufin-securetrack-kv-app-notification-fetched |
+| secure-system-policy-info-2 | tufin-securetrack-str-app-notification-tufinos |
+| secureauth-app-login | "secureauth-login-xml-app-login-success-priority |
+| secureauth-auth-successful | secureauth-login-cef-endpoint-login-success-20990 |
+| secureauth-auth-successful-1 | secureauth-login-kv-endpoint-login-success-20000 |
+| secureauth-leef-auth-attempt | secureauth-login-leef-app-activity |
+| secureauth-system-info | secureauth-login-cef-app-activity-appactivity |
+| secureauth-system-info-1 | "secureauth-login-xml-app-authentication-browserfingerprint |
+| secureauth-system-session-end | secureauth-login-leef-app-logout-end |
+| secureauth-system-session-start | secureauth-login-leef-endpoint-login-success-sessionstart |
+| securelink-app-activity | securelink-s-json-app-activity-success-accessed |
+| securelink-app-login | securelink-s-str-app-login-success-connected |
+| securelink-app-logout | securelink-s-str-app-logout-disconnectedfrom |
+| securelink-login | securelink-s-str-app-login-success-loggedin |
+| securelink-login-failed | securelink-s-str-app-login-fail-loginfailed |
+| securelink-logout | securelink-s-kv-app-logout-logout |
+| securelink-system-info | securelink-s-kv-app-activity-appactivity |
+| securesphere-alert | imperva-securesphere-kv-alert-trigger-success-securespherealert |
+| securesphere-alert-1 | imperva-securesphere-kv-alert-trigger-success-alertinfo |
+| securesphere-db-alert | imperva-securesphere-kv-alert-trigger-success-sql |
+| securesphere-db-alert-2 | imperva-securesphere-kv-alert-trigger-success-violateditem |
+| securesphere-db-cuseqsv | imperva-securesphere-kv-database-login-success-sqlerror |
+| securesphere-db-failed-login | imperva-securesphere-kv-database-login-fail-false |
+| securesphere-db-failed-login-1 | imperva-securesphere-json-database-login-fail-sqlfailedlogin |
+| securesphere-db-failed-login-2 | imperva-securesphere-json-database-login-fail-sql |
+| securesphere-db-failed-login-3 | imperva-securesphere-cef-database-login-fail-false |
+| securesphere-db-json | imperva-securesphere-json-database-query-success-sqlerror |
+| securesphere-db-login | imperva-securesphere-kv-database-login-success-login-1 |
+| securesphere-db-login-2 | imperva-securesphere-cef-database-login-success-login-2 |
+| securesphere-db-query | imperva-securesphere-kv-database-query-success-query |
+| securesphere-db-query-2 | imperva-securesphere-kv-database-query-success-query-1 |
+| securesphere-logout | imperva-securesphere-cef-app-logout-success-userloggedout |
+| securesphere-system-1 | imperva-securesphere-str-configuration-modify-success-configurationchanged |
+| securesphere-system-2 | imperva-securesphere-str-policy-modify-policychanged |
+| securesphere-system-3 | imperva-securesphere-cef-app-activity-systemevent |
+| securityexpert-badge-access | securityexpert-se-kv-physical-location-access-success-physicallocationaccess-1 |
+| semperis-dsp-app-login | semperis-dsp-kv-app-login-logintodsp |
+| semperis-dsp-app-login-1 | semperis-dsp-str-app-login-success-logindsp |
+| semperis-dsp-ds-access | semperis-dsp-str-ds-object-create-success-createobject |
+| semperis-dsp-ds-access-1 | semperis-dsp-str-ds-object-delete-success-deleteobject |
+| semperis-dsp-ds-access-2 | semperis-dsp-str-ds-object-modify-success-modifyobject |
+| semperis-dsp-ds-access-3 | semperis-dsp-str-ds-object-move-success-moveobject |
+| semperis-dsp-privileged-object-access | semperis-dsp-kv-user-privilege-use-success-permissionchanges |
+| semperis-dsp-system-info | semperis-dsp-kv-endpoint-notification-success-indicatorfound |
+| semperis-dsp-system-info-1 | semperis-dsp-kv-endpoint-notification-success-indicatorfailed |
+| sendmail-email-from | unix-sm-kv-email-send-success-from |
+| sendmail-email-to | unix-sm-kv-email-send-success-to |
+| sentinel-ips-alert | sentinelips-sips-cef-alert-trigger-success-outpost |
+| sentinelone-dns-query | sentinelone-singularityp-cef-dns-request-success-ndns |
+| sentinelone-dns-response | sentinelone-singularityp-sk4-dns-response-success-dns |
+| sentinelone-dns-response-1 | sentinelone-singularityp-kv-dns-response-success-dns |
+| sentinelone-file-create | sentinelone-singularityp-cef-file-write-success-filecreation |
+| sentinelone-file-create-1 | sentinelone-singularityp-cef-file-write-success-deep |
+| sentinelone-file-delete | sentinelone-singularityp-cef-file-delete-success-dproc |
+| sentinelone-file-delete-1 | sentinelone-singularityp-cef-file-delete-success-filedeletion |
+| sentinelone-file-modify | sentinelone-singularityp-cef-file-write-success-dproc |
+| sentinelone-file-modify-1 | sentinelone-singularityp-cef-file-write-success-endpoint |
+| sentinelone-network-connection | sentinelone-singularityp-kv-network-traffic-ntcpv4 |
+| sentinelone-network-connection-1 | sentinelone-singularityp-kv-network-traffic-ntcpv4-2 |
+| sentinelone-network-connection-2 | sentinelone-singularityp-cef-network-traffic-success-tcpv4listen |
+| sentinelone-process-alert | sentinelone-singularityp-json-alert-trigger-success-rulename |
+| sentinelone-process-created | sentinelone-singularityp-cef-process-create-success-processcreation |
+| sentinelone-process-created-1 | sentinelone-singularityp-cef-process-create-success-visibility |
+| sentinelone-process-exit | sentinelone-singularityp-mix-process-close-processexit |
+| sentinelone-process-terminated | sentinelone-singularityp-sk4-process-close-success-processtermination |
+| sentinelone-reg-key-delete | sentinelone-singularityp-sk4-registry-delete-regkeydelete |
+| sentinelone-reg-key-updated | sentinelone-singularityp-sk4-registry-modify-regkeysecuritychanged |
+| sentinelone-security-alert | sentinelone-singularityp-json-alert-trigger-success-annotation |
+| sentinelone-security-alert-1 | sentinelone-singularityp-kv-app-activity-success-malware |
+| sentinelone-security-alert-10 | sentinelone-singularityp-json-alert-trigger-success-threatname |
+| sentinelone-security-alert-2 | sentinelone-singularityp-json-alert-trigger-success-process |
+| sentinelone-security-alert-3 | sentinelone-singularityp-json-alert-trigger-success-packed |
+| sentinelone-security-alert-4 | sentinelone-singularityp-json-alert-trigger-success-security |
+| sentinelone-security-alert-5 | sentinelone-singularityp-json-alert-trigger-success-url |
+| sentinelone-security-alert-6 | sentinelone-singularityp-json-alert-trigger-success-classification |
+| sentinelone-security-alert-7 | sentinelone-singularityp-json-alert-trigger-success-backdoor |
+| sentinelone-security-alert-8 | sentinelone-singularityp-json-alert-trigger-success-virus |
+| sentinelone-security-alert-9 | sentinelone-singularityp-json-alert-trigger-success-ransomware |
+| sentinelone-singularityp-json-system-event | sentinelone-singularityp-json-scheduled_task-scheduledtask |
+| sentinelone-system-event | sentinelone-singularityp-sk4-registry-create-regkeycreate |
+| sentinelone-system-event-1 | sentinelone-singularityp-sk4-registry-create-regvaluecreate |
+| sentinelone-system-event-10 | sentinelone-singularityp-sk4-scheduled-task-start-schedtaskstart |
+| sentinelone-system-event-11 | sentinelone-singularityp-sk4-scheduled-task-start-schedtasktrigger |
+| sentinelone-system-event-2 | sentinelone-singularityp-sk4-registry-delete-regvaluedelete |
+| sentinelone-system-event-3 | sentinelone-singularityp-sk4-registry-modify-regvaluemodified |
+| sentinelone-system-event-4 | sentinelone-singularityp-sk4-scheduled-task-start-success-schedtaskstart |
+| sentinelone-system-event-5 | sentinelone-singularityp-cef-scheduled-task-start-schedtasktrigger |
+| sentinelone-system-event-6 | sentinelone-singularityp-cef-registry-modify-regvaluemodified |
+| sentinelone-system-event-7 | sentinelone-singularityp-sk4-process-close-success-processtermination-1 |
+| sentinelone-system-event-8 | sentinelone-singularityp-sk4-process-close-processexit |
+| sentinelone-system-event-9 | sentinelone-singularityp-sk4-registry-delete-regvaluedelete-1 |
+| sentinelone-system-info | sentinelone-singularityp-json-app-notification-success-agentid |
+| sentinelone-system-info-1 | sentinelone-singularityp-json-app-notification-success-accountname |
+| sentinelone-task-delete | sentinelone-singularityp-sk4-scheduled_task-delete-success-schedtaskdelete |
+| sentinelone-task-register | sentinelone-singularityp-cef-scheduled-task-create-success-schedtaskregister |
+| sentinelone-task-update | sentinelone-singularityp-cef-scheduled-task-create-success-schedtaskupdate-1 |
+| sentinelone-task-update-1 | sentinelone-singularityp-json-scheduled-task-create-success-schedtaskupdate |
+| sentinelone-task-update-2 | sentinelone-singularityp-cef-scheduled-task-create-success-schedtaskstart |
+| sentinelone-web-activity | sentinelone-s-cef-http-session-success-visibility |
+| sentinelone-web-activity-1 | sentinelone-singularityp-kv-http-session-success-endpoint |
+| sentinelone-web-activity-2 | sentinelone-s-cef-http-session-success-visibility-1 |
+| sfdc-app-activity | salesforce-sf-kv-app-activity-success-appactivity |
+| sfdc-app-login | salesforce-sf-json-app-login-success-loginurl |
+| sfdc-app-login-1 | salesforce-sf-kv-app-login-login |
+| sftp-app-login | sftp-s-csv-app-login-success-loginsuccess |
+| sftp-failed-app-login | sftp-s-csv-app-login-fail-loginfail |
+| sftp-file-close | unix-unix-str-file-read-success-close |
+| sftp-file-delete | sftp-s-csv-file-delete-success-filedeleted |
+| sftp-file-download | sftp-s-csv-file-download-success-filedownloaded |
+| sftp-file-open | unix-unix-str-file-read-success-open |
+| sftp-file-read | sftp-s-csv-file-read-success-openeddirectory |
+| sftp-file-rename | unix-unix-str-file-write-success |
+| sftp-file-upload | sftp-s-csv-file-upload-success-fileuploaded |
+| sftp-file-write-1 | sftp-s-csv-file-write-success-renamed |
+| sftp-file-write-2 | sftp-s-csv-file-write-success-directorycreated |
+| sftp-logout | sftp-s-csv-ftp-close-sessionclosed |
+| sftp-remote-logon | unix-unix-str-ssh-traffic-success-sftpsessionopened |
+| sftp-session-closed | unix-unix-str-ssh-close-success-sessionclosed |
+| sftp-system-event | sftp-s-csv-app-notification-toomanyfailures |
+| shibboleth-auth-successful | shibboleth-s-str-endpoint-login-success-saml |
+| shibboleth-password-change | shibboleth-s-str-user-password-modify-success-passwordchange |
+| siebel-db-query | "oracle-db-xml-database-query-success-siebel |
+| sigsci-system-activity | sigsci-sigsci-kv-app-activity-authenticate |
+| sigsci-web-activity | sigsci-sigsci-json-http-session-uri |
+| sigsci-web-activity-1 | sigsci-sigsci-json-http-session-servername |
+| silverfort-auth-failed | silverfort-s-kv-endpoint-login-fail-request |
+| silverfort-auth-successful | silverfort-s-cef-endpoint-authentication-success-adminconsole |
+| siteminder-auth-attempt | siteminder-symantecsm-str-endpoint-authentication-auth |
+| siteminder-auth-failed | siteminder-symantecsm-str-endpoint-login-fail-authattempt |
+| siteminder-auth-failed-1 | siteminder-symantecsm-kv-endpoint-authentication-fail-authreject |
+| siteminder-auth-successful | siteminder-symantecsm-kv-endpoint-authentication-success-authaccept |
+| siteminder-vpn-logout | siteminder-symantecsm-str-app-logout-success-authlogout |
+| siteminder-web-activity-1 | siteminder-symantecsm-kv-http-request-success-azaccept |
+| siteminder-web-activity-2 | siteminder-symantecsm-kv-http-request-success-validateaccept |
+| siteminder-web-activity-3 | siteminder-symantecsm-kv-app-activity-azreject |
+| sitespect-web-activity | sitespect-s-json-http-session-clusterid |
+| sk4-bitglass-cloudsummary | bitglass-casb-sk4-alert-trigger-success-cloudsummary |
+| sk4-json-4611 | microsoft-evsecurity-sk4-endpoint-notification-success-4611 |
+| sk4-json-4647 | microsoft-evsecurity-sk4-endpoint-logout-success-4647 |
+| sk4-json-4662 | microsoft-evsecurity-cef-ds-object-activity-success-4662-1 |
+| sk4-json-4697 | microsoft-evsecurity-cef-service-create-success-4697 |
+| sk4-json-4720 | microsoft-evsecurity-cef-user-create-success-4720-1 |
+| sk4-json-4722 | microsoft-evsecurity-cef-user-enable-success-4722-1 |
+| sk4-json-4724 | microsoft-evsecurity-cef-user-password-reset-success-4724-1 |
+| sk4-json-4725 | microsoft-evsecurity-cef-user-disable-success-4725-1 |
+| sk4-json-4727 | microsoft-evsecurity-sk4-group-create-success-4727 |
+| sk4-json-4737 | microsoft-evsecurity-sk4-group-modify-success-4737 |
+| sk4-json-4767 | microsoft-evsecurity-cef-user-unlock-success-4767 |
+| sk4-json-4779 | microsoft-evsecurity-cef-endpoint-logout-success-4779 |
+| sk4-json-4781 | microsoft-evsecurity-sk4-user-name-modify-4781 |
+| sk4-json-4800 | microsoft-evsecurity-cef-endpoint-lock-success-4800-1 |
+| sk4-json-4801 | microsoft-evsecurity-cef-endpoint-unlock-success-4801-1 |
+| sk4-json-4985 | microsoft-evsecurity-sk4-endpoint-notification-success-4985 |
+| sk4-json-5137 | microsoft-evsecurity-cef-ds-object-create-success-5137 |
+| sk4-json-5141 | microsoft-evsecurity-cef-ds-object-delete-success-5141 |
+| sk4-json-member-added-2008 | microsoft-evsecurity-cef-group-member-add-success-4728 |
+| sk4-json-member-removed-2008 | microsoft-evsecurity-sk4-group-member-remove-success-2008 |
+| sk4-json-unix-account-created | unix-unix-kv-user-create-success-useradd-1 |
+| sk4-workday-app-auth-failed | workday-wd-cef-endpoint-login-fail-proxyusername |
+| sk4-workday-app-login | workday-wd-cef-app-login-success-authentication |
+| sk4-workday-failed-app-login | workday-wd-cef-app-login-fail-expired |
+| skyformation-cloudflare-waf | cloudflare-waf-sk4-http-session-firewallmatchesactions |
+| skyformation-cloudflare-waf-1 | cloudflare-waf-cef-http-session-firewall |
+| skyformation-cloudflare-waf-2 | cloudflare-waf-cef-http-session-clientip |
+| skyformation-cloudflare-waf-3 | cloudflare-waf-cef-http-session-success-securityactions |
+| skyformation-cloudflare-waf-4 | cloudflare-waf-cef-http-session-success-securityactions-1 |
+| skyformation-prisma-app-activity | pan-prisma-sk4-app-activity-prismacloud |
+| skyformation-prisma-security-alert | pan-prisma-sk4-alert-trigger-success-prismacloud |
+| skyformation-prisma-security-alert-2 | pan-prisma-sk4-alert-trigger-success-prismacloud-1 |
+| skyformation-siem-settings-event | exabeam-search-cef-app-notification-settings |
+| skyhigh-dlp-alert | mcafee-sncasb-kv-alert-trigger-success-timeupdated |
+| skyhigh-dlp-alert-1 | mcafee-sncasb-kv-alert-trigger-success-hierarchy |
+| skyhigh-dlp-alert-2 | mcafee-sncasb-kv-alert-trigger-success-useraction |
+| slack-app-activity-1 | slack-s-json-app-activity-success-customtosaccepted |
+| slack-app-activity-2 | slack-s-json-app-activity-success-fileshared |
+| slack-app-activity-3 | slack-s-json-app-activity-success-privatechannelcreated |
+| slack-app-activity-4 | slack-s-json-app-activity-success-publicchannelcreated |
+| slack-app-activity-5 | slack-s-json-app-activity-success-userchanneljoin |
+| slack-app-activity-6 | slack-s-json-app-activity-success-userchannelleave |
+| slack-app-activity-7 | slack-s-json-app-activity-success-userdeactivated |
+| slack-app-activity-8 | slack-s-json-app-activity-success-userlogout |
+| slack-app-login | slack-s-json-app-login-success-userlogin |
+| slack-file-download | slack-s-json-file-download-success-filedownloaded |
+| slack-file-upload | slack-s-json-file-upload-success-fileuploaded |
+| smartdashboard-app-login | checkpoint-ngfw-kv-app-login-success-smartdashboard |
+| snare-1102 | microsoft-evsecurity-kv-log-clear-success-1102-1 |
+| snare-4719 | microsoft-evsecurity-kv-audit-policy-modify-success-4719-1 |
+| snare-517 | microsoft-evsecurity-kv-log-clear-success-auditlogclear |
+| snare-576 | microsoft-windows-kv-user-privilege-assign-success-576-1 |
+| snare-577 | microsoft-windows-kv-user-privilege-use-success-577 |
+| snare-578 | microsoft-windows-str-user-privilege-use-success-privileged |
+| snare-592 | microsoft-evsecurity-str-process-create-success-592 |
+| snare-612 | microsoft-evsecurity-kv-audit_policy-modify-success-auditpolicychange |
+| snare-cef-member-added-2008 | microsoft-evsecurity-cef-group-member-add-success-snare |
+| snare-unix-su-1 | unix-unix-str-user-switch-success-accountswitch |
+| snare-unix-su-2 | unix-unix-str-user-switch-success-su |
+| snort-alert | snort-s-str-alert-trigger-success-classification |
+| snort-network-alert | snort-s-json-alert-trigger-success-idssnort |
+| snort-network-alert-1 | snort-s-str-alert-trigger-success-snortids |
+| snort-network-alert-2 | snort-s-str-alert-trigger-success-portsweep |
+| snort-network-alert-3 | snort-s-str-alert-trigger-success-priority |
+| snow-app-activity | servicenow-s-kv-app-activity-success-operation |
+| solaris-audit-process | oracle-solaris-str-process-create-702911 |
+| solaris-audit-process-1 | oracle-solaris-csv-endpoint-activity-auditnotice |
+| sonicwall-dhcp | dell-sw-mix-app-activity-assignedipaddress |
+| sonicwall-dns-query | dell-sw-kv-dns-request-success-1481 |
+| sonicwall-dns-response | dell-sw-kv-dns-response-1482 |
+| sonicwall-fw-network-alert | dell-sw-kv-alert-trigger-success-networkalert |
+| sonicwall-fw-network-alert-1 | dell-sw-kv-alert-trigger-success-security |
+| sonicwall-fw-network-alert-2 | sonicwall-sw-kv-alert-trigger-success-2 |
+| sonicwall-fw-web-activity | dell-sw-kv-http-session-category |
+| sonicwall-network-connection-start | dell-sw-kv-network-start-98 |
+| sonicwall-network-connection-stop | dell-sw-kv-network-session-537 |
+| sonicwall-network-info | dell-sw-kv-app-activity-appactivity |
+| sonicwall-system-info | dell-sw-kv-app-notification-success-firewall |
+| sophos-app-activity-1 | sophos-ep-json-alert-trigger-detected-1 |
+| sophos-app-activity-failed | sophos-ep-kv-app-activity-fail-blocked |
+| sophos-app-activity-failed-1 | sophos-ep-kv-app-activity-fail-adwareorpua |
+| sophos-app-login | sophos-xgfirewall-kv-app-login-success-sfw |
+| sophos-app-logout | sophos-xgfirewall-kv-app-logout-success-loggedout |
+| sophos-app-system-events | sophos-ep-kv-alert-trigger-web |
+| sophos-app-system-events-1 | sophos-ep-kv-app-activity-success-appsystemevent |
+| sophos-app-usb-insert | sophos-ep-kv-peripheral-storage-insert-success-usb |
+| sophos-config-change-1 | sophos-ep-cef-app-notification-updatesuccess |
+| sophos-config-change-2 | sophos-ep-mix-app-notification-updatefailure |
+| sophos-config-change-3 | sophos-ep-mix-app-notification-savdisabled |
+| sophos-config-change-4 | sophos-ep-json-app-notification-savenabled |
+| sophos-dlp-alert-1 | sophos-ep-json-alert-trigger-success-deviceblocked |
+| sophos-epp-logwriter-alert | sophos-ep-kv-alert-trigger-success-virus |
+| sophos-leef-epp-dlp-alert | sophos-ep-leef-alert-trigger-success-datacontrol |
+| sophos-leef-epp-usb-activity | sophos-ep-leef-file-write-success-devicecontrol |
+| sophos-leef-epp-usb-activity-2 | sophos-ep-leef-file-write-success-datacontrol |
+| sophos-leef-epp-usb-block | sophos-ep-leef-alert-trigger-success-devicecontrol |
+| sophos-leef-epp-virus-alert | sophos-ep-leef-alert-trigger-success-spyware |
+| sophos-leef-epp-web-alert | sophos-ep-leef-alert-trigger-success-enterpriseconsole |
+| sophos-network-alert | sophos-ep-kv-alert-trigger-success-devicecontrol |
+| sophos-network-connection | sophos-xgfirewall-kv-vpn-login-logout-sfw |
+| sophos-network-connection-1 | sophos-ep-sk4-network-traffic-fail-blocked |
+| sophos-network-connection-2 | sophos-utm-kv-network-traffic-ulogd |
+| sophos-network-connection-3 | sophos-ep-kv-network-traffic-fail-blocked-1 |
+| sophos-policy | sophos-ep-json-app-notification-nocompliant |
+| sophos-proxy | sophos-utm-kv-http-session-req |
+| sophos-proxy-1 | sophos-utm-kv-http-session-success-access |
+| sophos-proxy-2 | sophos-utm-kv-http-session-fail-requestblocked |
+| sophos-safeguard-activity | sophos-safeguard-kv-app-activity-appactivity |
+| sophos-security-alert | sophos-ep-json-alert-trigger-success-webcontrolviolation |
+| sophos-security-alert-1 | sophos-ep-sk4-alert-trigger-success-endpointevent |
+| sophos-security-alert-2 | sophos-ep-json-alert-trigger-success-applicationblocked |
+| sophos-system-event | sophos-ep-json-app-notification-updaterebootrequired |
+| sophos-system-event-1 | sophos-ep-sk4-app-notification-success-updaterebooturgentlyrequired |
+| sophos-system-event-2 | sophos-ep-mix-app-notification-compliant |
+| sophos-system-event-3 | sophos-ep-cef-app-notification-outofdate |
+| sophos-system-event-4 | sophos-ep-mix-app-notification-servicenotrunning |
+| sophos-system-event-5 | sophos-ep-mix-app-notification-servicerestored |
+| sophos-system-event-6 | sophos-ep-mix-endpoint-scan-savscancomplete |
+| sophos-system-event-7 | sophos-ep-sk4-app-notification-success-corereboot |
+| sophos-system-event-8 | sophos-ep-sk4-app-notification-success-corepuareboot |
+| sophos-threat-alert | sophos-ep-kv-alert-trigger-success-alerttriggerd |
+| sophos-threat-alert-1 | sophos-ep-kv-alert-trigger-success-728 |
+| sophos-usb-insert | sophos-ep-json-peripheral-storage-insert-success-peripheral |
+| sophos-web-alert | sophos-ep-json-http-session-fail-endpoint |
+| source-fire-network-alert-1 | cisco-sourcefire-kv-alert-trigger-classification |
+| sourcefire-estreamer-alert | cisco-fp-str-alert-trigger-success-eventusec |
+| sourcefire-estreamer-alert-2 | cisco-fp-csv-alert-trigger-success-primarydetectionengine |
+| sourcefire-network-alert | cisco-fp-json-alert-trigger-success-connectiontimestamp |
+| sourcefire-network-alert-1 | cisco-fp-json-alert-trigger-success-sinkhole |
+| sourcefire-network-alert-2 | cisco-fp-kv-alert-trigger-success-interfaceingress |
+| sourcefire-network-alert-3 | cisco-fp-kv-alert-trigger-success-acpolicy |
+| sourcefire-network-alert-4 | cisco-fp-json-alert-trigger-success-netbiosssn |
+| sourcefire-network-alert-5 | cisco-fp-json-alert-trigger-success-portsecurity |
+| sourcefire-proxy | cisco-fp-kv-http-session-sfims |
+| sourcefire-proxy-1 | cisco-fp-kv-http-session-policy |
+| sourcefire-security-alert | cisco-fp-str-alert-trigger-success-impact |
+| spanish-raw-4624 | microsoft-evsecurity-kv-endpoint-spanish-4624 |
+| spanish-raw-4625 | microsoft-evsecurity-kv-endpoint-login-fail-4625-4 |
+| spanish-raw-4634 | microsoft-evsecurity-kv-endpoint-logout-success-4634 |
+| spanish-raw-4672 | microsoft-evsecurity-kv-user-privilege-assign-success-4672 |
+| spanish-raw-4688 | microsoft-evsecurity-kv-process-create-success-4688-4 |
+| spanish-raw-4689 | microsoft-evsecurity-kv-process-close-success-4689-3 |
+| specops-account-password-reset | "specops-spr-xml-user-password-reset-success-passwordresetsucceeded |
+| specops-account-unlocked | "specops-spr-xml-user-unlock-success-unlock |
+| splunk-app-activity | splunk-ses-kv-app-activity-searchname |
+| splunk-app-activity-1 | splunk-ses-kv-app-activity-sendmodaction |
+| squid-web-activity | squid-s-str-http-session-squidaccess |
+| squid-web-activity-1 | squid-s-str-http-session-squidwebactivity |
+| squid-web-activity-2 | squid-s-csv-http-session-evt |
+| squid-web-activity-3 | squid-s-str-http-session-squid |
+| squid-web-activity-4 | squid-s-json-http-session-responsestatus |
+| squid-web-activity-5 | squid-s-str-http-session-squidproxy |
+| ssh-remote-logon | linux-ssh-json-ssh-traffic-success-sshlogon |
+| ssh-vectra-meta-data | vectra-cs-kv-ssh-traffic-success-metadatassh |
+| stealthintercept-auth-failed | stealthbits-s-kv-vpn-login-fail-failedlogin |
+| stealthintercept-auth-successful | stealthbits-s-kv-vpn-login-success-loginsucceed |
+| stealthwatch-network-alert | cisco-securenwanalytics-kv-alert-trigger-success-stealthwatch |
+| stealthwatch-network-alert-1 | cisco-securenwanalytics-kv-alert-trigger-success-additionalinfo |
+| stealthwatch-network-alert-2 | cisco-securenwanalytics-str-alert-trigger-success-z |
+| stealthwatch-network-alert-3 | cisco-securenwanalytics-cef-alert-trigger-success-fcdvc |
+| stealthwatch-network-alert-4 | cisco-securenwanalytics-cef-alert-trigger-success-src |
+| sterling-adapter-runtime | ibm-sbi-csv-app-activity-runtimestate |
+| sterling-app-activity | ibm-sbi-csv-app-activity-success-sterling |
+| sterling-change-logging | ibm-sbi-csv-configuration-modify-sterling |
+| sterling-failed-authorization | ibm-sbi-str-app-authentication-fail-authorizationfailed |
+| sterling-failed-logon-1 | ibm-sbi-str-endpoint-login-fail-authfailed |
+| sterling-failed-logon-2 | ibm-sbi-str-endpoint-login-fail-loginfailure |
+| sterling-ldap-authentication | ibm-sbi-str-app-authentication-success-authenticationpolicy |
+| sterling-member-added | ibm-sbi-str-group-member-add-success-addgroup |
+| sterling-member-removed | ibm-sbi-csv-group-member-remove-success-sterling |
+| sterling-modified-system-nm | ibm-sbi-str-app-activity-systemname |
+| sterling-no-login-fail | ibm-sbi-csv-app-notification-success-nologinfailures |
+| sterling-register-jndi | ibm-sbi-csv-app-notification-jnditree |
+| sterling-remote-logon | ibm-sbi-kv-endpoint-login-success-usersessioncreated |
+| sterling-remove-jndi | ibm-sbi-csv-app-activity-removejndi |
+| sterling-shutdown-adapter | ibm-sbi-csv-service-stop-stateless |
+| sterling-soft-stop | ibm-sbi-csv-service-stop-softstop |
+| successfactors-app-activity-1 | sap-sf-mix-group-create-mulee |
+| successfactors-app-activity-2 | sap-sf-mix-group-modify-mulee |
+| successfactors-app-activity-3 | sap-sf-mix-app-activity-processmulee |
+| successfactors-app-activity-4 | sap-sf-mix-group-modify-update |
+| successfactors-app-login | sap-sf-mix-app-login-mulee-1 |
+| successfactors-auth-success | sap-sf-mix-app-authentication-success-authenticate |
+| suricata-network-alert | suricata-ids-str-alert-trigger-success-idsalert |
+| suricata-network-alert-1 | suricata-s-json-alert-trigger-success-pdsuricata |
+| suricata-network-alert-2 | suricata-ids-json-alert-trigger-success-signature |
+| suricata-network-alert-3 | suricata-s-json-alert-trigger-success-suricata |
+| swift-account-password-change | swift-s-cef-user-password-modify-success-passwordchanged |
+| swift-account-password-change-failed | swift-s-cef-user-password-modify-fail-changefailed |
+| swift-app-login | swift-s-cef-app-login-success-signon |
+| swift-app-login-1 | swift-s-cef-app-login-success-web |
+| swift-app-login-failed | swift-s-cef-app-login-fail-loginfailure |
+| swift-app-logout | swift-s-cef-app-logout-success-signoff |
+| swift-app-logout-1 | swift-s-cef-app-logout-success-alliance |
+| swift-system-info | swift-s-cef-app-notification-webplatform |
+| swivel-authentication-activity | swivel-swivel-str-app-activity-success-pinsafe |
+| swivel-authentication-failed | swivel-swivel-str-app-login-fail-info |
+| swivel-authentication-success | swivel-swivel-str-app-login-success-info |
+| symantec-account-config-change | symantec-csp-csv-configuration-modify-success-configurationchanged |
+| symantec-account-member-added | symantec-csp-kv-group-member-add-success-usercreated |
+| symantec-account-member-removed | symantec-csp-json-group-member-remove-success-userdeleted |
+| symantec-account-switch-failed | symantec-csp-json-endpoint-login-fail-failedsuto |
+| symantec-account-switch-success | symantec-csp-kv-user-switch-success-successfulsu |
+| symantec-alert-jp | symantec-endpointprotection-csv-alert-trigger-success-securityriskfound |
+| symantec-alert-jp-1 | symantec-endpointprotection-csv-alert-trigger-success-sonaralloweddetection |
+| symantec-alert-jp-2 | symantec-endpointprotection-csv-alert-trigger-success-virusfound |
+| symantec-alert-jp-3 | symantec-endpointprotection-csv-alert-trigger-success-potentialriskfound |
+| symantec-app-activity | symantec-vip-json-app-checkforchallenge |
+| symantec-app-activity-1 | symantec-edr-json-app-activity-success-scanstarted |
+| symantec-app-activity-2 | symantec-edr-json-app-activity-success-informationsubmitted |
+| symantec-atp-alert | symantec-atp-cef-alert-trigger-success-atpu |
+| symantec-authentication-successful | symantec-edr-json-endpoint-login-success-signedoktaauthenticationflow |
+| symantec-av-dlp-alert | symantec-endpointprotection-kv-network-traffic-block |
+| symantec-av-dlp-alert-cn | symantec-ep-csv-network-traffic-success-localremoteoperation |
+| symantec-cloud-activity | symantec-cloudsoc-cef-file-activity-symanteccloudsoc |
+| symantec-cloud-dlp-alert | symantec-cloudsoc-sk4-alert-trigger-success-fromdetect |
+| symantec-dlp-alert | symantec-dlp-kv-alert-trigger-success-riskseverity |
+| symantec-dlp-alert-1 | symantec-dlp-kv-alert-trigger-success-endpoint |
+| symantec-dlp-alert-2 | symantec-dlp-kv-alert-trigger-success-incidentid |
+| symantec-dlp-cit-alert | symantec-dlp-str-alert-trigger-success-blocked |
+| symantec-dlp-email-alert-in | symantec-dlp-kv-email-receive-success-emailreceive |
+| symantec-edr-alert-1 | symantec-atp-json-alert-trigger-success-datasourceurlreferer |
+| symantec-edr-alert-2 | symantec-atp-json-alert-trigger-success-symcdeviceaction |
+| symantec-edr-system-info | symantec-endpointprotection-kv-app-activity-category |
+| symantec-edr-system-info-1 | symantec-endpointprotection-cef-endpoint-notification-success-infosubmitted |
+| symantec-email-alert-out | symantec-dlp-kv-email-send-success-smtp |
+| symantec-epp-alert | symantec-endpointprotection-kv-alert-trigger-success-requestedaction |
+| symantec-epp-alert-chinese | symantec-endpointprotection-csv-alert-trigger-success-requestedaction |
+| symantec-epp-alert-japanese | symantec-endpointprotection-csv-alert-trigger-success-cids |
+| symantec-epp-cef-alert | symantec-endpointprotection-cef-alert-trigger-success-alerttrigger |
+| symantec-epp-cef-alert-2 | symantec-endpointprotection-cef-alert-trigger-success-intrusiondetected |
+| symantec-epp-network-alert | symantec-endpointprotection-kv-alert-trigger-success-scanningyourcomputer |
+| symantec-epp-network-alert-1 | symantec-endpointprotection-kv-alert-trigger-success-denialofservice |
+| symantec-epp-network-alert-2 | symantec-endpointprotection-kv-network-traffic-fail-block |
+| symantec-epp-network-alert-3 | symantec-endpointprotection-kv-alert-trigger-success-arpreplydetected |
+| symantec-epp-network-connection | symantec-endpointprotection-csv-network-traffic-fail-bloques |
+| symantec-epp-ntp-alert | symantec-endpointprotection-kv-alert-trigger-success-cidssignaturestring |
+| symantec-epp-ntp-alert-chinese | symantec-endpointprotection-csv-alert-trigger-success-characterstring |
+| symantec-epp-usb-activity-1 | symantec-endpointprotection-csv-file-write-success-fichier |
+| symantec-file-alert | symantec-atp-json-alert-trigger-success-8031004 |
+| symantec-file-delete | symantec-atp-json-file-delete-success-8003 |
+| symantec-file-delete-2 | symantec-atp-json-file-delete-success-8004 |
+| symantec-file-write | symantec-atp-json-file-write-success-8003 |
+| symantec-file-write-2 | symantec-atp-json-file-write-success-8003-1 |
+| symantec-file-write-3 | symantec-atp-json-file-write-success-8003-2 |
+| symantec-file-write-4 | symantec-atp-json-file-write-success-8003-3 |
+| symantec-file-write-5 | symantec-atp-json-file-write-success-8003-4 |
+| symantec-file-write-6 | symantec-atp-json-alert-trigger-8003006 |
+| symantec-group-created | symantec-csp-kv-group-member-add-success-groupcreated |
+| symantec-group-member-changed | symantec-csp-kv-configuration-modify-success-groupmembershipchanged |
+| symantec-group-member-deleted | symantec-csp-json-group-member-remove-success-groupdeleted |
+| symantec-icdx-network-alert | symantec-endpointprotection-cef-alert-trigger-success-networkdetection |
+| symantec-icdx-process-alert | symantec-endpointprotection-cef-alert-trigger-success-hostprocessdetection |
+| symantec-icdx-security-alert | symantec-endpointprotection-cef-alert-trigger-success-scan |
+| symantec-local-logon-failed | symantec-csp-json-endpoint-login-fail-failedlogin |
+| symantec-local-logon-success | symantec-csp-json-endpoint-login-success-userloggedin |
+| symantec-logout | symantec-edr-json-app-logout-success-signedoutinactive |
+| symantec-logout-1 | symantec-edr-json-app-logout-success-signedoutcloudconsol |
+| symantec-message-alert | symantec-dlp-kv-alert-trigger-success-dlphost |
+| symantec-network-connection | symantec-endpointprotection-kv-network-traffic-fail-rule |
+| symantec-network-connection-1 | symantec-endpointprotection-str-network-traffic-fail-location |
+| symantec-network-connection-2 | symantec-endpointprotection-kv-network-traffic-location |
+| symantec-primary-group-changed | symantec-csp-kv-configuration-modify-success-primarygroupchanged |
+| symantec-print-activity | symantec-dlp-str-printer-activity-success-faxincident |
+| symantec-process-created | symantec-atp-json-process-create-success-8001001 |
+| symantec-remote-logon | symantec-atp-json-endpoint-login-fail-8007001 |
+| symantec-security-alert | symantec-dlp-json-alert-trigger-success-virussrc |
+| symantec-security-alert-1 | symantec-esc-json-alert-trigger-success-squrlrecipient |
+| symantec-security-alert-2 | symantec-endpointprotection-kv-alert-trigger-success-symanteceprisk |
+| symantec-security-alert-3 | symantec-endpointprotection-kv-alert-trigger-success-registryread |
+| symantec-security-alert-french | symantec-endpointprotection-kv-alert-trigger-success-detecte |
+| symantec-system-info-1 | symantec-edr-json-app-notification-success-detectedonstream |
+| symantec-system-info-2 | symantec-edr-json-app-notification-success-liveupdatesession |
+| symantec-system-info-3 | symantec-edr-json-app-notification-success-update |
+| symantec-system-info-4 | symantec-edr-json-app-notification-success-scancomplete |
+| symantec-usb-activity | symantec-dlp-kv-alert-trigger-success-policyviolated |
+| symantec-usb-block | symantec-endpointprotection-csv-peripheral-storage-activity-fail-blocked |
+| symantec-usb-delete | symantec-dlp-csv-file-write-success-filedelete |
+| symantec-usb-delete-1 | symantec-dlp-json-peripheral-storage-activity-success-filedelete |
+| symantec-usb-insert | symantec-dlp-kv-peripheral-storage-insert-success-devicewas |
+| symantec-usb-insert-1 | symantec-dlp-kv-peripheral-storage-insert-success-allowedthedevice |
+| symantec-usb-read | symantec-dlp-csv-file-read-success-filread |
+| symantec-usb-read-1 | symantec-dlp-json-file-read-success-fileread |
+| symantec-usb-write | symantec-dlp-csv-file-write-success-filewrite |
+| symantec-usb-write-1 | symantec-dlp-csv-file-write-success-usbtransfer |
+| symantec-usb-write-2 | symantec-dlp-json-file-write-success-filewrite |
+| symantec-web-activity | symantec-wss-cef-http-session-request |
+| symantec-web-activity-1 | symantec-wss-sk4-http-session-symantecwss |
+| symantec-web-activity-2 | symantec-fireglass-cef-http-session-url |
+| symantec-web-activity-3 | symantec-wss-sk4-http-session-denied |
+| symantec-web-activity-4 | symantec-wss-sk4-http-session-proxied |
+| symantec-web-activity-5 | symantec-wss-sk4-http-session-observed |
+| syslog-4625-ch | microsoft-evsecurity-kv-endpoint-login-fail-4625-5 |
+| syslog-4648 | microsoft-evsecurity-kv-endpoint-user-success-4648 |
+| syslog-4689 | microsoft-evsecurity-kv-process-close-success-4689-1 |
+| syslog-4689-1 | microsoft-evsecurity-kv-process-close-success-4689-2 |
+| syslog-4768-ch | microsoft-evsecurity-kv-endpoint-login-4768-5 |
+| syslog-4769-ch | microsoft-evsecurity-kv-endpoint-login-4769-5 |
+| syslog-4774 | microsoft-evsecurity-kv-endpoint-authentication-4774-1 |
+| syslog-4776-ch | microsoft-evsecurity-kv-endpoint-login-4776-5 |
+| syslog-4776-multiline | microsoft-evsecurity-kv-endpoint-login-fail-4776 |
+| syslog-4985 | microsoft-evsecurity-kv-endpoint-notification-4985-1 |
+| syslog-5140-ch | microsoft-evsecurity-kv-share-access-success-5140-3 |
+| syslog-5145-ch | microsoft-evsecurity-kv-share-access-5145-9 |
+| syslog-5156-ch | microsoft-evsecurity-kv-network-session-success-5156-1 |
+| syslog-5158 | microsoft-evsecurity-mix-network-session-success-5158 |
+| syslog-barracuda-email | barracuda-esg-str-email-send-receive-scan |
+| syslog-bit9-file-alert | vmware-carbonblackedr-kv-alert-trigger-success-alerttriggerd |
+| syslog-brightmail-email-accept | symantec-esc-str-email-accept |
+| syslog-brightmail-email-attachment | symantec-esc-str-email-attachment |
+| syslog-brightmail-email-attachment-1 | symantec-esc-str-email-attachment-1 |
+| syslog-brightmail-email-bytes | symantec-esc-str-email-bytes |
+| syslog-brightmail-email-delivery | symantec-esc-str-email-delivery |
+| syslog-brightmail-email-direction | symantec-esc-str-email-direction |
+| syslog-brightmail-email-in | symantec-esc-str-email-receive-success-emailreceived |
+| syslog-brightmail-email-recipient | symantec-esc-str-email-recipient |
+| syslog-brightmail-email-return-path | symantec-esc-str-email-returnpath |
+| syslog-brightmail-email-sender | symantec-esc-str-email-sender |
+| syslog-brightmail-email-subject | symantec-esc-str-email-subject |
+| syslog-checkpoint-app-login | checkpoint-ngfw-kv-app-login-success-appiname |
+| syslog-checkpoint-app-login-1 | checkpoint-ngfw-kv-app-login-success-appiname-1 |
+| syslog-checkpoint-network-alert | checkpoint-tp-kv-alert-trigger-success-monitor |
+| syslog-cisco-cta-security-alert | cisco-amp-kv-alert-trigger-success-toolcta |
+| syslog-cisco-wsa-web-activity | cisco-securewebapp-str-http-session-accesslog |
+| syslog-cisco-wsa-web-activity-nxlog | cisco-securewebapp-str-http-session-fail-nxlog |
+| syslog-config-change | "microsoft-sysmon-xml-dll-load-6 |
+| syslog-config-change-1 | microsoft-sysmon-str-driver-load-6 |
+| syslog-dhcpd-1 | unix-unixdhcpd-json-dhcp-session-success-dhcppackon |
+| syslog-dhcpd-2 | unix-unixdhcpd-json-dhcp-session-success-dhcprequest |
+| syslog-dhcpd-3 | unix-unixdhcpd-json-dhcp-session-success-program |
+| syslog-dhcpd-4 | unix-unixdhcpd-str-dhcp-session-success-dhcpd |
+| syslog-f5-dns-query | f5-bigipdns-str-dns-request-success-qid |
+| syslog-f5-dns-query-1 | f5-bigipdns-kv-dns-request-response-success-dns |
+| syslog-f5-dns-response | f5-bigipdns-str-dns-response-success-to |
+| syslog-file-operations | "microsoft-sysmon-xml-file-time-modify-2 |
+| syslog-inky-phishing-security-alert | inky-ap-json-alert-trigger-success-inkyevent-1 |
+| syslog-inky-phishing-security-alert-1 | inky-ap-json-alert-trigger-success-inkyevent |
+| syslog-json-4663 | microsoft-evsecurity-json-file-success-4663 |
+| syslog-json-4720 | microsoft-evsecurity-json-user-create-success-4720 |
+| syslog-json-4722 | microsoft-evsecurity-json-user-enable-success-4722 |
+| syslog-json-4723 | microsoft-evsecurity-json-user-password-modify-4723-1 |
+| syslog-json-4724 | microsoft-evsecurity-json-user-password-reset-success-4724 |
+| syslog-json-4725 | microsoft-evsecurity-json-user-disable-success-4725-2 |
+| syslog-json-4740 | microsoft-evsecurity-json-user-lock-success-4740 |
+| syslog-json-4767 | microsoft-evsecurity-json-user-unlock-success-4767 |
+| syslog-json-member-added-2008 | microsoft-evsecurity-json-group-member-add-success-sourcemoduletype |
+| syslog-juniper-vpn-connect | juniper-ps-str-vpn-login-success-connected-2 |
+| syslog-juniper-vpn-login-failed | juniper-ps-mix-vpn-login-fail-hostchecker |
+| syslog-juniper-vpn-realm | juniper-ps-mix-vpn-login-success-passed |
+| syslog-juniper-vpn-realm-1 | "juniper-ps-cef-vpn-login-success-passed |
+| syslog-juniper-vpn-relogin | juniper-ps-str-vpn-logout-success-loggedout |
+| syslog-l7-app-activity-get | kemp-loadmaster-str-app-activity-success-user |
+| syslog-l7-app-activity-post | kemp-loadmaster-str-app-activity-success-requestedpost |
+| syslog-l7-remote-logon | kemp-loadmaster-str-endpoint-login-success-loggedon |
+| syslog-l7-security-alert | kemp-loadmaster-str-alert-trigger-success-attempted |
+| syslog-liebsoft-account-switch | beyondtrust-privmgmt-kv-user-switch-success-passwordretrieved |
+| syslog-liebsoft-account-switch-1 | beyondtrust-b-kv-user-switch-success-passwordcheckedout |
+| syslog-malwarebytes-security-alert | malwarebytes-ep-json-alert-trigger-success-attackmodules |
+| syslog-mcafee-dlp-email-alert | mcafee-dlp-str-email-send-fail-dlponditions |
+| syslog-mcafee-epo-alert | mcafee-es-csv-alert-trigger-success-epolicyorchestrator |
+| syslog-mcafee-epo-dlp-alert | mcafee-dlp-json-alert-trigger-success-analyzerdlp |
+| syslog-mcafee-network-alert | mcafee-nsm-str-alert-trigger-success-attack |
+| syslog-mcafee-usb-activity | mcafee-es-str-file-write-success-usbconditions |
+| syslog-microsoft-dhcp | microsoft-windows-cef-dhcp-session-success-dhcpserver |
+| syslog-microsoft-print-activity | microsoft-evprintservice-str-printer-activity-success-printed |
+| syslog-microsoft-print-activity-1 | microsoft-evprintservice-kv-printer-activity-success-307 |
+| syslog-morphisec-security-alert | morphisec-eptp-json-alert-trigger-success-protectorip |
+| syslog-mysql-dbquery | mysql-m-csv-database-query-success-query |
+| syslog-mysql-dbwrite | mysql-m-csv-database-query-success-write |
+| syslog-physical-badge-access | badge-b-csv-physical-location-access-success-ocardadmitted |
+| syslog-physical-badge-access-1 | lenel-og-kv-physical-location-access-accessgranted |
+| syslog-process-terminated | "microsoft-sysmon-xml-process-close-5-1 |
+| syslog-pulsesecure-vpn-connect | "juniper-ps-cef-vpn-login-success-connected |
+| syslog-qip-dhcp | nokia-vqip-str-dhcp-session-success-qip |
+| syslog-r-authmgr-auth-successful | dell-rsaauthmngr-str-endpoint-login-success-ucm |
+| syslog-ricoh-print-activity | ricoh-r-kv-printer-activity-success-3 |
+| syslog-rsa-auth-failed | dell-rsaauthmngr-kv-endpoint-authentication-fail-userauthz |
+| syslog-rsa-auth-successful | dell-rsaauthmngr-kv-endpoint-authentication-success-userauthz |
+| syslog-rsa-logout | dell-rsaauthmngr-kv-app-logout-success-sessionremoved |
+| syslog-sophos-snmp-alert-belongs | sophos-ep-kv-alert-trigger-success-variablebindings |
+| syslog-sophos-snmp-alert-detected | sophos-ep-kv-alert-trigger-success-alertdetected |
+| syslog-sophos-snmp-denied | sophos-ep-kv-alert-trigger-success-accessdenied |
+| syslog-ssomgr-app-activity | kemp-loadmaster-kv-app-activity-success-ssoauthtokenreused |
+| syslog-steelhead-rpch-ssh | riverbedsteelhead-rs-kv-network-notification-sport |
+| syslog-steelhead-smbsign-cfe | riverbedsteelhead-rs-str-app-notification-smbsign |
+| syslog-symantec-dlp-alert | symantec-dlp-kv-email-send-success-endpointmachine |
+| syslog-symantec-dlp-alert-1 | symantec-dlp-str-email-send-success-emailsend |
+| syslog-symantec-dlp-alert-2 | symantec-dlp-str-alert-trigger-success-threatitp |
+| syslog-symantec-dlp-alert-3 | symantec-dlp-kv-email-send-success-emailsend-1 |
+| syslog-symantec-dlp-alert-4 | symantec-dlp-kv-email-send-success-emailsend-2 |
+| syslog-symantec-dlp-alert-5 | symantec-dlp-json-alert-trigger-success-rule |
+| syslog-symantec-dlp-alert-6 | symantec-dlp-kv-alert-trigger-success-monitorname |
+| syslog-symantec-dlp-alert-7 | symantec-dlp-kv-email-send-success-emailsend-3 |
+| syslog-symantec-mss-alert | symantec-mss-csv-alert-trigger-success-alertconditions |
+| syslog-symantec-system-info | symantec-dlp-str-app-notification-vontusystemevent |
+| syslog-symantec-usb-write | symantec-dlp-cef-file-write-success-usbdrives |
+| syslog-system-info | "microsoft-sysmon-xml-service-state-modify-4 |
+| syslog-vontu-dlp-alert | symantec-dlp-kv-email-send-incident |
+| syslog-xceedium-failed-login | xceedium-x-csv-app-login-fail-baduserid |
+| syslog-xceedium-login | xceedium-x-csv-app-login-success-loggedin |
+| syslog-xsuite-remote-logon | xsuite-x-kv-endpoint-login-success-connected |
+| sysmon-file-create | microsoft-sysmon-kv-file-write-success-filecreate |
+| sysmon-file-create-2 | microsoft-sysmon-json-kv-file-time-modify-timechanged |
+| sysmon-file-delete | microsoft-sysmon-kv-file-delete-success-filedelete |
+| sysmon-file-write-1 | microsoft-sysmon-json-registry-12 |
+| sysmon-file-write-2 | microsoft-sysmon-json-file-stream-create-15 |
+| sysmon-file-write-3 | microsoft-sysmon-kv-registry-success-12 |
+| sysmon-file-write-4 | microsoft-evapp-kv-app-notification-success-1001 |
+| sysmon-image-loaded | microsoft-sysmon-kv-dll-load-success-7 |
+| sysmon-process-created | microsoft-sysmon-kv-process-create-success-processcreate |
+| sysmon-process-created-1 | microsoft-sysmon-kv-process-create-success-createremotethread |
+| sysmon-process-created-2 | microsoft-sysmon-kv-process-create-success-processcreate-1 |
+| sysmon-process-network | microsoft-sysmon-kv-mul-network-session-success-detected |
+| sysmon-process-terminated | microsoft-sysmon-kv-process-close-success-processterminated |
+| sysmon-process-terminated-1 | microsoft-sysmon-kv-process-close-terminated-1 |
+| sysmon-registry-set | microsoft-sysmon-kv-registry-modify-success-registryvalueset |
+| sysmon-registry-set-1 | microsoft-sysmon-json-registry-create-success-valuesettask13 |
+| sysmon-registry-set-2 | microsoft-sysmon-mix-registry-create-success-valueset |
+| sysmon-system-info | microsoft-sysmon-json-log-4 |
+| sysmon-system-info-1 | "microsoft-sysmon-xml-process-pipe-create-17 |
+| sysmon-system-info-2 | microsoft-sysmon-kv-endpoint-notification-success-255 |
+| sysmon-windows-dns-query | microsoft-windows-kv-dns-request-success-query |
+| system-event-attempt-to-duplicate | microsoft-evsecurity-kv-handle-copy-attempttoduplicateobj |
+| system-event-process-exited | microsoft-evsecurity-kv-process-close-processexited |
+| system-event-unable-to-log | microsoft-evsecurity-str-endpoint-notification-unabletologeventstosecuritylog |
+| system-event-unable-to-log-1 | microsoft-evsecurity-kv-endpoint-notification-521 |
\ No newline at end of file
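Review bot: Several "New Parser Name" cells in this hunk carry a stray leading double quote that the other rows do not, which will break any exact-match lookup of the new name: `"microsoft-sysmon-xml-dll-load-6` (syslog-config-change), `"microsoft-sysmon-xml-file-time-modify-2` (syslog-file-operations), `"juniper-ps-cef-vpn-login-success-passed` (syslog-juniper-vpn-realm-1), and likewise the syslog-process-terminated, syslog-pulsesecure-vpn-connect, syslog-system-info and sysmon-system-info-1 rows. Drop the quote so the cell holds only the parser name. A few new names also look like possible typos rather than canonical identifiers and are worth confirming against the parser registry before merge: `symantec-dlp-csv-file-read-success-filread` (compare `fileread` on the next row), `mcafee-dlp-str-email-send-fail-dlponditions`, `unix-unixdhcpd-json-dhcp-session-success-dhcppackon` and `vmware-carbonblackedr-kv-alert-trigger-success-alerttriggerd`. Finally, the file is written without a trailing newline ("\ No newline at end of file"); adding one keeps future diffs of the last row clean.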
diff --git a/ParsersLegacy/t_parsers.md b/ParsersLegacy/t_parsers.md
new file mode 100644
index 0000000..4c40606
--- /dev/null
+++ b/ParsersLegacy/t_parsers.md
@@ -0,0 +1,69 @@
+| Old Parser Name | New Parser Name |
+| -------------------------------------- | --------------------------------------------------------------- |
+| tanium-auth | tanium-cp-kv-app-authentication-exabeamlogoneventest |
+| tanium-cloud-app-activity | tanium-cpp-json-app-activity-success-packagespecaudit |
+| tanium-cloud-app-activity-1 | tanium-cpp-json-app-activity-success-savedactionaudit |
+| tanium-cloud-app-login | tanium-cpp-json-app-login-success-createobject |
+| tanium-cloud-failed-app-login | tanium-cpp-json-app-login-fail-failedcreateobject |
+| tanium-dns-response | tanium-cp-kv-dns-response-success-tanium |
+| tanium-file-delete | tanium-im-kv-file-delete-success-deletepath |
+| tanium-file-delete-1 | tanium-im-json-file-delete-success-filedelete |
+| tanium-file-owner-change | tanium-im-kv-file-permission-modify-success-ownershipchange |
+| tanium-file-permission-change | tanium-im-kv-file-permission-modify-success-permissionchange |
+| tanium-file-permission-change-1 | tanium-im-json-file-permission-modify-success-permission |
+| tanium-file-rename | tanium-im-kv-file-write-success-renamepath |
+| tanium-file-write | tanium-im-kv-file-write-success-write |
+| tanium-file-write-1 | tanium-im-json-file-write-success-filecreate |
+| tanium-file-write-2 | tanium-im-json-file-write-success-filewrite |
+| tanium-file-write-3 | tanium-im-json-file-write-success-filemove |
+| tanium-inteldb | tanium-tr-json-database-activity-inteldb |
+| tanium-network-connection-failed | tanium-im-json-network-traffic-fail-networkdisconnect |
+| tanium-network-connection-successful | tanium-im-json-network-traffic-success-networkconnect |
+| tanium-network-connection-successful-1 | tanium-im-json-network-traffic-success-networkaccept |
+| tanium-new-file-create | tanium-im-kv-file-write-success-createnewfile |
+| tanium-process-alert | tanium-ep-json-alert-trigger-success-accountenumeration |
+| tanium-process-created | tanium-cp-kv-process-create-success-processcreationstest |
+| tanium-process-created-1 | tanium-im-json-process-create-success-processstart |
+| tanium-task | tanium-cp-json-app-activity-success-task |
+| tanium-traceconnections | tanium-cp-json-app-activity-success-traceconnections |
+| tanium-traceexports | tanium-cp-json-app-activity-success-traceexports |
+| tanium-tracefile | tanium-cp-json-file-success-tracefile |
+| tanium-tracemoduleserversettings | tanium-cp-json-app-activity-success-tracemoduleserversettings |
+| tanium-tracesnapshots | tanium-cp-json-app-activity-success-tracesnapshots |
+| tenable-security-alert | tenable-t-json-alert-trigger-success-dcerpcservice |
+| tenable-security-alert-1 | tenable-t-sk4-alert-trigger-success-dcerpcservice-1 |
+| teradata-database-req2 | teradata-rdbms-str-database-query-success-req2 |
+| teradata-database-req4 | teradata-rdbms-str-database-query-success-req4 |
+| teradata-database-req8 | teradata-rdbms-str-database-login-success-req8 |
+| tfcs-web-activity | hashicorp-terraform-str-http-session-web |
+| threatblockr-dns-response | threatblockr-t-kv-dns-response-success-dnsresplog |
+| threatblockr-network-connection | threatblockr-t-kv-network-traffic-packatlog |
+| thycotic-account-switch | delinea-secretserver-cef-user-switch-success-checkout |
+| thycotic-app-activity | delinea-ss-cef-app-activity-success-thycotic |
+| thycotic-app-login | delinea-ss-cef-app-login-success-userlogin |
+| thycotic-failed-app-login | delinea-ss-cef-app-login-fail-userloginfail |
+| thycotic-system-event-1 | delinea-ss-cef-app-start-systemlog |
+| thycotic-system-event-2 | delinea-ss-cef-endpoint-scan-wmifailed |
+| thycotic-system-event-3 | delinea-ss-cef-app-notification-systemlog |
+| thycotic-system-event-4 | delinea-ss-cef-app-activity-synchronize |
+| timelox-badge-access | timelox-t-json-physical-location-access-doorgroupname |
+| tippingpoint-sms-alert | trendmicro-tippingpoint-str-alert-trigger-success-tcp |
+| tmg-proxy | microsoft-wap-kv-http-session-rawtable |
+| trapx-alert | trapx-t-cef-alert-trigger-success-scandetected |
+| trapx-network-alert | trapx-t-cef-alert-trigger-success-botccdetected |
+| trapx-network-alert-1 | trapx-t-cef-alert-trigger-success-tornodeaccess |
+| trend-micro-alert-1 | trendmicro-officescan-kv-alert-trigger-success-logvirus |
+| trend-micro-alert-2 | trendmicro-officescan-kv-alert-trigger-success-logbehavior |
+| trend-micro-alert-3 | trendmicro-officescan-kv-alert-trigger-success-logdevicecontrol |
+| trend-micro-alert-4 | trendmicro-officescan-kv-alert-trigger-success-logpredictive |
+| trend-micro-alert-5 | trendmicro-officescan-kv-alert-trigger-success-logspyware |
+| trend-micro-alert-6 | trendmicro-officescan-kv-alert-trigger-success-logurlfiltering |
+| trend-micro-alert-7 | trendmicro-officescan-kv-alert-trigger-success-webreputation |
+| trend-micro-alert-8 | trendmicro-officescan-kv-alert-trigger-success-lognetworkvirus |
+| trendmicro-cef-alert | trendmicro-officescan-cef-email-send-success-controlmanager |
+| trendmicro-cef-web-activity | trendmicro-officescan-cef-http-session-success-controlmanager |
+| trendmicro-network-conn-failed | trendmicro-ds-cef-network-traffic-fail-idsdeny |
+| trendmicro-network-conn-successful | trendmicro-ds-kv-network-traffic-success-detectonly |
+| trendmicro-network-connection | trendmicro-ds-cef-network-traffic-trendmicrodstenant |
+| tripwire-file-alert-1 | tripwire-t-str-alert-trigger-success-modifyfile |
+| tripwire-file-alert-2 | tripwire-t-kv-alert-trigger-success-accessed |
\ No newline at end of file
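Review bot: The vendor/product token is inconsistent across the thycotic rows: `thycotic-account-switch` maps to `delinea-secretserver-cef-user-switch-success-checkout`, while the next seven thycotic rows all use `delinea-ss-cef-...`. If both spellings are real parser names this is fine, but if `secretserver` and `ss` are meant to be the same product one of them is wrong and the lookup will miss. Please confirm which token the registry uses and align the row. The same check applies to `tanium-cp-...` versus `tanium-cpp-...` in the tanium rows. Two new names, `tanium-cp-kv-app-authentication-exabeamlogoneventest` and `threatblockr-t-kv-network-traffic-packatlog`, read like test-derived or mistyped suffixes and are worth verifying as well. The file also lacks a trailing newline ("\ No newline at end of file").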
diff --git a/ParsersLegacy/u_parsers.md b/ParsersLegacy/u_parsers.md
new file mode 100644
index 0000000..189838c
--- /dev/null
+++ b/ParsersLegacy/u_parsers.md
@@ -0,0 +1,202 @@
+| Old Parser Name | New Parser Name |
+| ------------------------------------ | -------------------------------------------------------------- |
+| u-4688 | microsoft-evsecurity-kv-process-create-success-4688-2 |
+| u-680 | microsoft-evsecurity-kv-endpoint-login-680-2 |
+| u-duo-auth-json | cisco-duo-kv-endpoint-authentication-auth |
+| u-google-app-login | google-workspace-json-app-login-success-authorize |
+| u-google-auth-failed | google-workspace-cef-app-login-fail-failure |
+| u-google-auth-successful | google-workspace-cef-app-login-success-loginsuccess |
+| u-googlecalendar-app-activity | google-workspace-json-app-activity-success-calendar |
+| u-googledrive-file-activity | google-workspace-cef-file-success-drive |
+| u-googledrive-file-permission-change | google-workspace-cef-file-permission-modify-success-aclchange |
+| u-mcafee-epo-alert | "mcafee-es-xml-alert-trigger-success-analyzerversion |
+| u-member-added-2008 | microsoft-evsecurity-kv-group-member-add-success-47-1 |
+| u-member-removed-2008 | microsoft-evsecurity-json-group-member-remove-success-47 |
+| u-okta-app-login | okta-amfa-kv-app-login-success-singlesignon |
+| u-okta-failed-app-login | okta-amfa-kv-app-login-fail-signinfailure |
+| unix-access-control | unix-unix-sk4-endpoint-authentication-credacq |
+| unix-access-control-2 | unix-unix-sk4-endpoint-authentication-creddisp |
+| unix-access-control-3 | unix-unix-sk4-endpoint-authentication-credrefr |
+| unix-access-control-4 | unix-unix-sk4-endpoint-authentication-useracct |
+| unix-account-created | unix-unix-kv-user-create-useradd |
+| unix-account-created-1 | unix-unix-str-group-member-add-success-useradd |
+| unix-account-created-failed | unix-unix-str-user-create-fail-failedaddinguser |
+| unix-account-deleted | unix-unix-str-user-delete-userdel |
+| unix-account-keyinit | unix-unix-str-user-switch-success-userswitch |
+| unix-account-lockout | unix-unix-str-user-delete-fail-auth |
+| unix-account-switch-1 | unix-unix-cef-user-switch-success-userstart |
+| unix-account-switch-json | unix-unix-json-user-switch-success-session |
+| unix-app-activity | unix-unix-str-app-activity-sftp |
+| unix-app-activity-2 | unix-unix-kv-app-notification-alertcertificate |
+| unix-app-activity-3 | unix-unix-kv-app-notification-unknowncommand |
+| unix-app-activity-4 | unix-unix-kv-network-close-stopssl |
+| unix-app-activity-5 | unix-unix-kv-app-notification-sslversioninfo |
+| unix-as | unix-unix-str-user-switch-success-pam_unix |
+| unix-audispd-remote-logon | unix-unix-kv-endpoint-login-userlogin |
+| unix-audispd-remote-logon-1 | unix-unix-kv-endpoint-login-userstart |
+| unix-audispd-system-info | unix-unix-kv-endpoint-notification-proctitle |
+| unix-auditd-account-created | unix-auditd-kv-user-create-success-adduser |
+| unix-auditd-account-created-id | unix-auditd-kv-user-create-success-addgroup |
+| unix-auditd-account-deleted | unix-auditd-kv-user-delete-success-deleteuser |
+| unix-auditd-account-switch | unix-auditd-kv-user-switch-success-sessionopen |
+| unix-auditd-account-switch-1 | unix-unixauditd-json-user-switch-success-sessionopen |
+| unix-auditd-cred-refr | unix-ad-kv-endpoint-authentication-credrefr |
+| unix-auditd-grp-pw-change | unix-unixauditd-kv-user-password-modify-success-grpmgmt |
+| unix-auditd-login | unix-unix-kv-ssh-traffic-sshuserauth |
+| unix-auditd-login-1 | unix-unixauditd-json-endpoint-login-authentication |
+| unix-auditd-login-2 | unix-unix-kv-endpoint-login-success-userauth |
+| unix-auditd-member-added | unix-unix-kv-group-member-add-success-auditd |
+| unix-auditd-member-added-2 | unix-ad-kv-group-member-add-success-usermgmt |
+| unix-auditd-member-added-3 | unix-unix-kv-group-member-add-success-auditd-1 |
+| unix-auditd-member-removed | unix-unixauditd-kv-group-member-remove-success-usermgmt |
+| unix-auditd-password | unix-ad-kv-user-password-success-changepassword |
+| unix-auditd-setcred | unix-ad-kv-endpoint-authentication-credacq |
+| unix-auditd-setcred-2 | unix-ad-kv-endpoint-authentication-creddisp |
+| unix-auditd-user-acct | unix-ad-kv-endpoint-authentication-accounting |
+| unix-auditd-user-end | unix-auditd-kv-endpoint-logout-userend |
+| unix-auth-attempt | unix-unix-str-endpoint-authentication-check |
+| unix-auth-event-1 | unix-unix-str-endpoint-login-success-authsucceede |
+| unix-auth-event-2 | unix-unix-kv-endpoint-login-success-httpd |
+| unix-auth-failed | unix-unix-str-endpoint-login-fail-check |
+| unix-auth-failed-1 | unix-unix-kv-endpoint-login-fail-su |
+| unix-auth-failed-2 | unix-unixauditd-kv-endpoint-login-fail-authenticationfailure |
+| unix-auth-failed-3 | unix-unix-kv-endpoint-login-fail-passwd |
+| unix-auth-failed-4 | unix-unix-str-endpoint-login-fail-expiredpassword |
+| unix-auth-failed-5 | unix-unix-kv-endpoint-login-fail-ruser |
+| unix-authentication-fail | unix-unix-str-endpoint-login-fail-user |
+| unix-authentication-failed-1 | unix-unix-str-endpoint-login-fail-failedpamweblogin |
+| unix-authentication-successful | unix-unix-str-endpoint-login-success-successfulpamweblogin |
+| unix-change-file-ownership-failed | unix-unix-kv-file-owner-modify-success-invalidgroup |
+| unix-dlp-email-out | unix-unix-kv-email-send-success-smtp |
+| unix-failed-identification | unix-unix-str-endpoint-authentication-sshdnotreceiveid |
+| unix-failed-logon-1 | unix-unix-str-endpoint-login-fail-invaliduser-1 |
+| unix-failed-logon-10 | unix-unix-str-endpoint-login-fail-unablesshd |
+| unix-failed-logon-11 | unix-unix-str-endpoint-login-fail-noauth |
+| unix-failed-logon-12 | unix-unix-str-endpoint-login-fail-authfail |
+| unix-failed-logon-13 | unix-unix-str-endpoint-login-fail-failedtologin |
+| unix-failed-logon-2 | unix-unix-str-endpoint-login-fail-failedpasswordfor |
+| unix-failed-logon-3 | unix-unix-str-endpoint-login-fail-failedpassword |
+| unix-failed-logon-4 | unix-unix-str-endpoint-login-fail-failpass |
+| unix-failed-logon-5 | unix-unix-str-endpoint-login-fail-failedpublickeyfor |
+| unix-failed-logon-6 | unix-unix-str-endpoint-login-fail-maxauth |
+| unix-failed-logon-7 | unix-unix-str-endpoint-login-fail-manyauthfail |
+| unix-failed-logon-8 | unix-unix-str-endpoint-login-fail-sshfail |
+| unix-failed-logon-9 | unix-unix-kv-endpoint-login-fail-logindenied |
+| unix-file-operation | unix-unix-kv-file-success-objtype |
+| unix-file-permission-denied | unix-ad-kv-endpoint-notification-permissioncheck |
+| unix-file-permission-denied-2 | unix-unix-sk4-endpoint-notification-avc |
+| unix-group-added | unix-unix-kv-group-member-add-success-groupadd |
+| unix-group-change | unix-unix-str-group-modify-groupmod |
+| unix-group-change-1 | unix-unix-str-group-delete-success-groupdel |
+| unix-group-change-2 | unix-unix-str-group-create-success-groupadd |
+| unix-local-logon | unix-unix-str-endpoint-login-success-startedsession |
+| unix-local-logon-1 | unix-unix-kv-endpoint-login-success-auid |
+| unix-local-logon-2 | unix-unix-cef-endpoint-login-success-login |
+| unix-logout | unix-unix-str-endpoint-logout-success-sessionlogout |
+| unix-logout-1 | unix-unix-str-endpoint-logout-sshclosedconnection |
+| unix-logout-10 | unix-unix-kv-ftp-close-success-timeoutsession |
+| unix-logout-2 | unix-unix-str-endpoint-logout-sshconnectionclosed |
+| unix-logout-3 | unix-unix-str-endpoint-logout-success-loggedoutfrom |
+| unix-logout-4 | unix-unix-str-endpoint-logout-success-sshsdisconnect |
+| unix-logout-5 | unix-unix-str-endpoint-logout-success-loggedout |
+| unix-logout-6 | unix-unix-kv-ftp-close-ftporsslconnectionclosed |
+| unix-logout-7 | unix-unix-str-network-close-ftpconnectionclosed |
+| unix-logout-8 | unix-unix-str-endpoint-logout-sshfailedtostart |
+| unix-logout-9 | unix-unix-kv-ftp-close-success-connectionaborted |
+| unix-member-added | unix-unix-str-group-member-add-success-usermod-1 |
+| unix-netfilter-audit-info | unix-ad-kv-endpoint-notification-netfiltercfg |
+| unix-network-connection | unix-unix-str-network-start-snmpd |
+| unix-network-connection-failed | unix-unix-str-network-traffic-fail-packetsendfail |
+| unix-network-connection-failed-1 | unix-unix-str-network-close-unexpectedmessage |
+| unix-pam-ssh-login | unix-unix-kv-endpoint-login-sshdauth |
+| unix-password-change | unix-unix-str-user-password-modify-success-changeuser |
+| unix-password-change-1 | unix-unix-str-user-password-modify-success-changepasswd |
+| unix-password-change-2 | unix-unix-str-user-password-modify-success-chage |
+| unix-password-change-3 | unix-unix-str-user-password-modify-success-keyring |
+| unix-password-change-4 | unix-unix-str-user-password-modify-fail-keyringpassword |
+| unix-priv-command-5 | unix-unix-str-process-create-success-executed |
+| unix-process-created | delinea-centrifyis-kv-process-create-success-unixname |
+| unix-process-created-1 | unix-unix-cef-process-create-success-syscall |
+| unix-process-created-failed | unix-unix-cef-process-create-fail-syscall |
+| unix-process-creation-failure | unix-ad-kv-process-create-fail-syscall |
+| unix-remote-access | unix-unix-kv-endpoint-login-success-logonsuccess |
+| unix-remote-logon-1 | unix-unix-kv-ssh-traffic-success-sftpstarted |
+| unix-remote-logon-2 | unix-unix-str-endpoint-login-success-shelllogin |
+| unix-remote-logon-3 | unix-unix-str-endpoint-login-success-sshsconnect |
+| unix-remote-logon-4 | unix-unix-str-endpoint-authentication-success-acceptedpassword |
+| unix-remote-logon-5 | unix-unix-kv-ftp-start-ftps |
+| unix-remote-logon-6 | unix-unix-kv-ftp-start-ftp |
+| unix-secureworks-security-alert | secureworks-isensor-kv-alert-trigger-success-useragentdetected |
+| unix-security-alert | unix-unix-str-alert-trigger-sshdbreakinattempt |
+| unix-smbd-file-share-outcome | unix-unix-str-endpoint-authentication-smbdunabletovalidate |
+| unix-ssh-fail-38 | unix-unix-str-endpoint-login-fail-ssh38 |
+| unix-ssh-login | unix-unix-kv-ssh-traffic-success-completedauth |
+| unix-ssh-login-2 | unix-unix-str-endpoint-login-sshconnectionestablished |
+| unix-ssh-login-failed | unix-unix-str-endpoint-authentication-sshdnotreceiveid |
+| unix-ssh-login-failed-1 | unix-unix-str-endpoint-login-sshdrefusedconnect |
+| unix-ssh-login-failed-2 | unix-unix-str-endpoint-login-fail-sshdauthfailed |
+| unix-ssh-login-failed-json | unix-unix-json-endpoint-login-fail-sshd |
+| unix-ssh-login-failed-json-1 | unix-unix-json-endpoint-login-fail-unabletonegotiate |
+| unix-ssh-login-json | unix-unix-mix-endpoint-login-success-acceptedpublickeyfor |
+| unix-ssh-login-json-1 | unix-unix-sk4-endpoint-login-success-linuxsyslogevent |
+| unix-ssh-logout | unix-unix-str-endpoint-logout-disconnected |
+| unix-ssh-logout-1 | unix-unix-str-endpoint-logout-sshdreceiveddisconnect |
+| unix-ssh-logout-2 | unix-unix-str-endpoint-logout-sshdconnectionclosed |
+| unix-ssh-logout-3 | unix-unix-str-endpoint-logout-sshddisconnected |
+| unix-sshd-fail-34 | unix-unix-str-endpoint-activity-fail-sshdfatal |
+| unix-sshd-logout-1 | unix-unix-str-endpoint-logout-success-connectionclosed |
+| unix-sshd-logout-2 | unix-unix-str-endpoint-logout-success-receiveddisconnect |
+| unix-su | unix-unix-str-endpoint-notification-pamunix |
+| unix-su-1 | unix-unix-str-endpoint-notification-auth |
+| unix-su-37 | unix-unix-str-user-switch-success-messageforwarded |
+| unix-system-event-1 | unix-unix-kv-endpoint-activity-success-shellcmd |
+| unix-system-event-2 | unix-unix-str-app-notification-success-stpnotifiedtc |
+| unix-system-event-3 | unix-unix-kv-endpoint-activity-fail-shellcmdmatchfail |
+| unix-system-event-4 | unix-unix-str-app-notification-success-phonymodule |
+| unix-system-event-5 | unix-unix-str-app-notification-success-loginfo |
+| unix-system-event-6 | unix-unix-str-endpoint-time-modify-success-stratumchanged |
+| unix-system-event-7 | unix-unix-str-endpoint-notification-success-statistics |
+| unix-system-event-8 | unix-unix-str-app-notification-success-drvdebug |
+| unix-system-events | unix-unix-str-endpoint-activity-system |
+| unix-system-info | unix-unix-mix-endpoint-logout-sessionclosed |
+| unix-system-info-1 | unix-unix-str-endpoint-notification-passwordexpire |
+| unix-system-info-10 | unix-unix-str-endpoint-activity-success-rgmanager |
+| unix-system-info-11 | unix-unix-str-endpoint-login-sshdconnectionfrom |
+| unix-system-info-12 | unix-unix-str-app-activity-sftp-server |
+| unix-system-info-13 | unix-unix-kv-endpoint-activity-success-postfix |
+| unix-system-info-14 | unix-unix-str-endpoint-notification-sshdset |
+| unix-system-info-15 | unix-unix-str-scheduled-task-start-anacron |
+| unix-system-info-16 | unix-unix-str-endpoint-notification-kernelusb |
+| unix-system-info-17 | "unix-unix-str-scheduled-task-start-anacronjob |
+| unix-system-info-2 | unix-unix-kv-endpoint-activity-success-puppetagent |
+| unix-system-info-20 | unix-unix-sk4-service-stop-success-servicestop |
+| unix-system-info-21 | unix-unix-sk4-endpoint-logout-success-sessionclose |
+| unix-system-info-3 | unix-unix-str-endpoint-authentication-sshderrorretrieve |
+| unix-system-info-4 | unix-unix-str-endpoint-activity-success-chroot |
+| unix-system-info-5 | unix-unix-str-user-modify-usermod |
+| unix-system-info-6 | unix-unix-str-app-activity-gofer |
+| unix-system-info-7 | unix-unix-kv-endpoint-notification-success-powerpath |
+| unix-system-info-8 | unix-unix-str-endpoint-activity-kernel |
+| unix-system-info-9 | "unix-unix-str-smtp-close-lostconnection |
+| unix-system-info-audit | unix-unix-kv-endpoint-activity-success-auditid |
+| unix-system-info-auditd | unix-ad-str-endpoint-activity-auditd |
+| unix-system-info-cron | unix-unix-str-endpoint-notification-success-cron |
+| unix-system-info-crond | "unix-unix-str-scheduled-task-start-crond |
+| unix-system-info-rsyslogd-2177 | unix-rsyslog-str-network-notification-2177 |
+| unix-system-info-sshd | "unix-unix-str-endpoint-login-sshdsessionopen |
+| unix-system-info-stat | unix-unix-json-endpoint-activity-success-command |
+| unix-system-info-su | unix-unix-str-user-switch-su |
+| unix-system-info-sudo | unix-unix-str-endpoint-activity-sudo |
+| unix-system-info-systemd | unix-unix-str-endpoint-activity-systemd |
+| unix-system-info-unix | unix-unix-str-endpoint-activity-success-unixid |
+| unix-system_info-18 | unix-unix-sk4-endpoint-notification-proctitle |
+| unix-system_info-19 | unix-unix-sk4-service-start-servicestart |
+| unix-xinetd-info | unix-unix-str-app-activity-xinetd |
+| unix-xntpd-30 | unix-unix-str-endpoint-time-modify-synchronized |
+| upm-account-switch | unix-privmgmt-str-user-switch-success-acceptedsu |
+| upm-failed-account-switch | unix-privmgmt-kv-user-switch-fail-upmlog |
+| ur-authmgr-account-lockout | dell-rsaauthmngr-csv-user-lock-success-authlockout |
+| ur-authmgr-auth-failed | dell-rsaauthmngr-csv-endpoint-login-fail-13002 |
+| ur-authmgr-auth-failed-addition | dell-rsaauthmngr-csv-endpoint-login-fail-auth |
+| ur-authmgr-auth-successful | dell-rsaauthmngr-csv-endpoint-login-success-13002 |
+| usb-file-write | usb-u-csv-peripheral-storage-activity-success-activity |
\ No newline at end of file
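Review bot: three of the new-name cells in this hunk carry a stray leading double quote (`"unix-unix-str-smtp-close-lostconnection`, `"unix-unix-str-scheduled-task-start-crond`, `"unix-unix-str-endpoint-login-sshdsessionopen`); anything that builds a lookup from this table will copy the quote into the key and never match the real parser id, so the quote should be dropped. Also worth confirming before merge: `unix-system_info-18` and `unix-system_info-19` use an underscore where every neighbouring legacy name uses `unix-system-info-`, and `unix-system-info-auditd` maps to a `unix-ad-str-...` name while the other unix rows use the `unix-unix-` prefix; if these are the literal ids they must stay as written, otherwise they are transcription errors and will break migration of existing references. The file also ends without a trailing newline.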
diff --git a/ParsersLegacy/v_parsers.md b/ParsersLegacy/v_parsers.md
new file mode 100644
index 0000000..7d46f3d
--- /dev/null
+++ b/ParsersLegacy/v_parsers.md
@@ -0,0 +1,115 @@
+| Old Parser Name | New Parser Name |
+| --------------------------------------- | ----------------------------------------------------------------- |
+| varonis-dlp-alert-1 | varonis-dsp-json-alert-trigger-success-varonisinc |
+| varonis-dlp-alert-2 | varonis-dsp-kv-alert-trigger-success-alerttriggerd |
+| varonis-file-activity | varonis-dsp-kv-file-success-changedpermissions |
+| vbcorp-security-alert | vbcorp-v-kv-alert-trigger-success-vbcorp-1 |
+| vbcorp-security-alert-1 | vbcorp-v-kv-alert-trigger-success-vbcorp |
+| vcenter-sphere-auth | vcenter-vcenter-str-app-authentication-success-authenticateduser |
+| vectra-activity-1 | vectra-cd-json-app-activity-success-appactivity |
+| vectra-alert | vectra-cd-kv-alert-trigger-success-detection |
+| vectra-alert-1 | vectra-cd-cef-alert-trigger-success-detect |
+| vectra-alert-3 | vectra-cd-json-alert-trigger-success-headendaddr |
+| vectra-authentication-attempt | vectra-cs-kv-app-authentication-success-resultcode |
+| vectra-dlp-email-alert | vectra-cs-kv-email-send-success-metadatasmtp |
+| vectra-file-operations | vectra-cs-kv-file-write-success-metadatasmbfiles |
+| vectra-ldap-meta-data-system-info | vectra-cs-kv-network-session-success-ldap |
+| vectra-ntlm-logon | vectra-cs-kv-endpoint-login-success-metadatantlm |
+| vectra-system-info | vectra-cd-kv-app-notification-account |
+| vectra-web-activity | vectra-cs-kv-http-session-httpsessioninfo |
+| viascope-ipscan | viascope-ipscan-cef-app-activity-ipscan |
+| virtru-email-encryption-alert | virtru-v-json-alert-trigger-success-security-policy |
+| visma-physical-access | visma-megaflex-json-physical-location-access-accesspoint |
+| vm-nsx-config-create | vmware-nsx-str-configuration-modify-success-configcreate |
+| vm-nsx-config-delete | vmware-nsx-str-configuration-modify-success-configdelete |
+| vm-nsx-config-update | vmware-nsx-str-configuration-modify-success-configupdate |
+| vmware-account-lockout | vmware-horizon-str-app-authentication-view |
+| vmware-allocated-machine | vmware-horizon-str-endpoint-authentication-success-allocated |
+| vmware-app-login | vmware-horizon-str-app-login-success-loggedin |
+| vmware-auth-set-ip | vmware-horizon-csv-endpoint-login-success-tunnelservice |
+| vmware-auth-successful | vmware-horizon-csv-endpoint-login-success-user |
+| vmware-disconnected-from-machine | vmware-view-str-endpoint-logout-success-disconnected |
+| vmware-esxi-login | vmware-esxi-str-endpoint-login-success-loggedin-1 |
+| vmware-esxi-login-1 | vmware-esxi-str-endpoint-login-success-loggedin |
+| vmware-esxi-logout | vmware-esxi-kv-app-logout-success-loggedout |
+| vmware-esxi-logout-1 | vmware-esxi-str-app-logout-loggedout |
+| vmware-esxi-logout-2 | vmware-esxi-str-app-logout-hostd |
+| vmware-esxi-remote-logon | vmware-esxi-str-app-login-loggedin |
+| vmware-esxi-system-event | vmware-esxi-str-app-activity-vpxd |
+| vmware-esxi-system-event-1 | vmware-esxi-str-app-activity-hostd |
+| vmware-esxi-system-event-10 | vmware-esxi-str-file-read-fail-storagermfail |
+| vmware-esxi-system-event-11 | vmware-esxi-str-app-activity-success-storagermstatfile |
+| vmware-esxi-system-event-12 | vmware-esxi-str-file-read-success-storagermopen |
+| vmware-esxi-system-event-13 | vmware-esxi-str-file-read-fail-storagermopenread |
+| vmware-esxi-system-event-14 | vmware-esxi-str-file-read-fail-storagermerroropenfile |
+| vmware-esxi-system-event-15 | vmware-esxi-str-file-read-fail-storagermopenslotfile |
+| vmware-esxi-system-event-16 | vmware-esxi-str-app-notification-success-storagermfailreplaceslot |
+| vmware-esxi-system-event-17 | vmware-esxi-str-app-notification-success-storagermreplace |
+| vmware-esxi-system-event-2 | vmware-esxi-str-app-activity-vpxa |
+| vmware-esxi-system-event-3 | vmware-esxi-str-http-close-6876 |
+| vmware-esxi-system-event-4 | vmware-esxi-mix-app-activity-sub |
+| vmware-esxi-system-event-5 | vmware-esxi-str-app-notification-lookingfordc |
+| vmware-esxi-system-event-6 | vmware-esxi-str-http-session-fail-iofiltervpd |
+| vmware-esxi-system-event-7 | vmware-esxi-str-app-activity-hostd-1 |
+| vmware-esxi-system-event-8 | vmware-esxi-str-app-notification-success-vmfscorrupted |
+| vmware-esxi-system-event-9 | vmware-esxi-str-app-notification-success-fil3invalid |
+| vmware-failed-auth | vmware-horizon-str-endpoint-login-fail-view |
+| vmware-failed-logon | vmware-vcenter-str-endpoint-login-fail-vpxd |
+| vmware-horizon-logon | vmware-horizon-kv-endpoint-login-success-applicationrequest |
+| vmware-id-manager-activation-token | vmware-idm-json-app-activity-success-activationtoken |
+| vmware-id-manager-app-preferences | vmware-idm-json-app-activity-success-organizationid |
+| vmware-id-manager-device | vmware-idm-json-app-activity-success-device |
+| vmware-id-manager-failed-login | vmware-idm-json-app-login-fail-loginerror |
+| vmware-id-manager-launch | vmware-idm-json-app-activity-success-launch |
+| vmware-id-manager-login | vmware-idm-json-app-login-success-login |
+| vmware-id-manager-logout | vmware-idm-json-app-logout-success-logout |
+| vmware-id-manager-oauh2-authorize | vmware-idm-json-app-activity-success-vidm |
+| vmware-id-manager-oauth | vmware-idm-json-app-activity-success-oauth2 |
+| vmware-id-manager-oauth2-client | vmware-idm-json-app-activity-success-oauth2client |
+| vmware-id-manager-obj-access | vmware-idm-json-user-privilege-use-success-vidm |
+| vmware-id-manager-one-time-access-token | vmware-idm-json-app-activity-success-onetimeaccesstoken |
+| vmware-id-manager-redirect-denied | vmware-idm-json-app-activity-redirectdenied |
+| vmware-id-manager-saml-artifact-create | vmware-idm-json-app-activity-success-samlartifactcreate |
+| vmware-id-manager-saml-request | vmware-idm-json-app-activity-success-samlrequest |
+| vmware-id-manager-saml-validation | vmware-idm-json-app-activity-success-samlvalidation |
+| vmware-id-manager-user | vmware-idm-json-app-activity-success-user |
+| vmware-logged-off | vmware-view-str-app-logout-success-loggedoff |
+| vmware-logged-off-machine | vmware-horizon-str-endpoint-logout-success-loggedoff |
+| vmware-logout | vmware-horizon-str-app-logout-success-loggedout |
+| vmware-nsx-system-info | vmware-nsx-str-app-activity-nsxedge |
+| vmware-remote-logon | vmware-horizon-str-endpoint-login-success-startingchannel |
+| vmware-remote-logon-1 | vmware-horizon-str-endpoint-login-fail-session |
+| vmware-ssh-login | vmware-esxi-str-endpoint-login-success-accepted |
+| vmware-system-info-1 | vmware-horizon-str-endpoint-authentication-success-requestedpool |
+| vmware-system-info-2 | vmware-horizon-str-app-notification-success-failed |
+| vmware-system-info-3 | vmware-horizon-str-endpoint-login-fail-unable |
+| vmware-system-info-4 | vmware-horizon-str-app-notification-success-maximum |
+| vmware-system-info-5 | vmware-horizon-kv-app-activity-success-module |
+| vmware-vcenter-activity | vmware-vcenter-json-app-login-success-viewcenter |
+| vmware-vcenter-login | vmware-vcenter-json-endpoint-login-success-userauthenticated |
+| vmware-view-app-activity | vmware-view-kv-app-activity-success-desktopid |
+| vmware-view-app-activity-1 | vmware-view-str-app-activity-success-application |
+| vmware-view-app-login | vmware-view-str-app-login-success-viewuser |
+| vmware-view-failed-login | vmware-view-kv-app-login-fail-viewuserauthfailed |
+| vmware-view-login | vmware-view-kv-app-login-success-viewuserloggedin |
+| vmware-view-logout | vmware-view-kv-app-logout-success-userloggedout |
+| vmware-view-logout-1 | vmware-view-str-app-logout-success-loggedout |
+| vmware-view-password-change | vmware-view-kv-user-password-modify-success-pwdchanged |
+| vmware-view-remote-logon | vmware-view-kv-endpoint-login-success-agentconnected |
+| vmware-view-remote-logon-1 | vmware-view-str-endpoint-login-fail-viewuser |
+| vmware-view-system-info | vmware-view-str-app-notification-expired |
+| vmware-view-system-info-1 | vmware-view-str-app-notification-success-reconfigured |
+| vmware-view-system-info-2 | vmware-view-str-endpoint-delete-success-deleted |
+| vmware-view-system-info-3 | vmware-view-str-app-notification-success-shutdown |
+| vmware-view-system-info-4 | vmware-view-str-app-notification-success-connection |
+| vmware-view-system-info-5 | vmware-view-str-endpoint-login-success-reconnected |
+| vmware-view-system-info-6 | vmware-view-str-app-authentication-fail-denied |
+| vmware-view-system-info-7 | vmware-view-str-endpoint-authentication-success-application |
+| vmware-view-system-info-8 | vmware-view-str-app-authentication-fail-rejected |
+| vontu-dlp | symantec-dlp-kv-alert-trigger-success-blocked |
+| vontu-dlp-1 | symantec-dlp-kv-alert-trigger-success-dlpalert |
+| vontu-email-dlp | symantec-dlp-kv-email-send-confidentialdata |
+| vontu-email-dlp-1 | symantec-dlp-kv-alert-trigger-success-smtp-1 |
+| vontu-email-dlp-2 | symantec-dlp-kv-email-send-sender |
+| vormetric-app-activity | vormetric-v-cef-app-activity-appactivity |
+| vormetric-file-operations | vormetric-v-kv-file-read-success-code |
\ No newline at end of file
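Review bot: the old name `vmware-id-manager-oauh2-authorize` looks like a typo for `oauth2` (compare `vmware-id-manager-oauth2-client` two rows below); since the left column is the lookup key used to migrate existing references, confirm it matches the legacy parser id exactly rather than correcting the spelling silently either way. Two pairs have their numeric suffixes crossed: `vbcorp-security-alert` maps to `...-vbcorp-1` while `vbcorp-security-alert-1` maps to `...-vbcorp`, and `vmware-esxi-login` maps to `...-loggedin-1` while `vmware-esxi-login-1` maps to `...-loggedin`; this may be intentional, but a confirmation in the PR would stop the next reader from assuming a swap. `vmware-account-lockout` maps to `vmware-horizon-str-app-authentication-view`, which carries no lock or fail outcome token, while the neighbouring `vmware-failed-auth` gets `vmware-horizon-str-endpoint-login-fail-view`; check that the lockout semantics are not lost in the new name. The file also lacks a trailing newline.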
diff --git a/ParsersLegacy/w_parsers.md b/ParsersLegacy/w_parsers.md
new file mode 100644
index 0000000..f910b20
--- /dev/null
+++ b/ParsersLegacy/w_parsers.md
@@ -0,0 +1,185 @@
+| Old Parser Name | New Parser Name |
+| ---------------------------------------- | ------------------------------------------------------------------------------- |
+| watchguard-event-2 | watchguard-w-kv-network-traffic-firewall-1 |
+| watchguard-event-3 | watchguard-w-kv-network-traffic-firewall-2 |
+| watchguard-system-info | watchguard-w-str-app-notification-appinfo |
+| watchguard-web-activity | watchguard-w-kv-http-session-success-httprequest |
+| watchguard-web-activity-1 | watchguard-w-kv-http-session-httpsrequest |
+| watchguard-web-activity-2 | watchguard-w-kv-http-session-success-proxyallow |
+| watchguard-web-activity-deny | watchguard-w-kv-http-session-fail-proxydeny |
+| watchguard-web-activity-drop | watchguard-w-kv-http-session-fail-proxydrop |
+| wazuh-4624 | microsoft-evsecurity-json-endpoint-login-success-4624-5 |
+| wazuh-4625 | wazuh-evsecurity-kv-endpoint-login-fail-4625 |
+| wazuh-4634 | microsoft-evsecurity-json-endpoint-logout-success-4634-2 |
+| wazuh-4656 | microsoft-evsecurity-json-handle-request-success-4656 |
+| wazuh-4673 | microsoft-evsecurity-json-user-privilege-use-success-wazuhalerts |
+| wazuh-4738 | microsoft-evsecurity-json-ds-object-modify-success-4738-1 |
+| wazuh-4767 | microsoft-evsecurity-json-user-unlock-success-4767-3 |
+| wazuh-4776 | microsoft-evsecurity-json-endpoint-login-windows |
+| wazuh-4779 | microsoft-evsecurity-json-endpoint-logout-success-4779-1 |
+| wazuh-general-catch-all | wazuh-w-json-endpoint-activity-success-wazuhalerts |
+| wazuh-kernel-usb-insert | wazuh-w-json-peripheral_storage-insert-success-wazuhalerts |
+| wazuh-ossec-rootcheck-alert | ossec-o-json-alert-trigger-success-anomalydetection |
+| wazuh-pam-auth-fail | unix-unix-json-endpoint-authentication-fail-userloginfail |
+| wazuh-ping-app-login-2 | pingidentity-pi-json-app-login-success-sso-1 |
+| wazuh-ping-auth-attempt | pingidentity-pi-json-app-authentication-success-wazuhalerts |
+| wazuh-sql-login | microsoft-windows-json-app-login-wazuhalerts |
+| wazuh-ssh-catch-all | unix-unix-json-endpoint-activity-success-parent |
+| wazuh-ssh-failed-login | unix-unix-json-endpoint-login-fail-sshd-1 |
+| wazuh-ssh-failed-login-2 | unix-unix-json-endpoint-login-fail-authfailures |
+| wazuh-ssh-login | unix-unix-json-ssh-traffic-success-wazuhalerts |
+| wazuh-sys-auth-fail | unix-unix-json-endpoint-authentication-fail-userauthfail |
+| wazuh-syscheck | ossec-o-json-app-activity-success-wazuhalerts |
+| wazuh-system-info | wazuh-w-cef-app-activity-success-wazuhalerts |
+| wazuh-system-info-2 | wazuh-w-cef-app-notification-success-wazuhalerts |
+| wazuh-unix-as | unix-unix-json-user-switch-success-sessionopenforuser |
+| wazuh-unix-chkpwd-fail | unix-unix-json-endpoint-login-fail-passwordcheckfailed |
+| wazuh-unix-password-change | unix-unix-json-user-password-modify-success-changedpassword |
+| wazuh-unix-su | unix-unix-json-user-switch-success-wazuhalerts |
+| wazuh-unix-sudo | unix-unix-json-user-switch-success-sudo |
+| wazuh-unix-sudo-su | unix-unix-json-user-switch-success-wazuhalerts-1 |
+| wazuh-unix-sudo-su-2 | unix-unix-json-user-switch-success-wazuhalerts-2 |
+| wazuh-usb-disconnect | wazuh-w-json-peripheral_storage-remove-success-usbdevicedisconnected |
+| wazuh-windows-catch-all | wazuh-w-json-endpoint-activity-success-wazuhalerts-1 |
+| wazuh-windows-security-catch-all | wazuh-w-json-endpoint-activity-success-typewazuhalerts |
+| wdac-process-alert-3076 | microsoft-wdac-str-alert-trigger-success-3076 |
+| wdac-security-alert-3089 | microsoft-wdac-str-alert-trigger-success-3089 |
+| wdac-system-event-3033 | microsoft-wdac-str-endpoint-notification-success-3033 |
+| wdac-system-event-3099 | microsoft-wdac-str-endpoint-notification-success-3099 |
+| weblogin-app-activity | weblogin-w-kv-app-notification-webactivity |
+| weblogin-app-activity-1 | weblogin-w-kv-http-session-success-httpredirect |
+| websense-dlp-email-alert-in | forcepoint-wsg-cef-email-receive-success-subjectmessage |
+| websense-proxy | forcepoint-wsg-cef-http-session-security |
+| websense-proxy-1 | forcepoint-wsg-leef-http-session-webactivity |
+| websense-proxy-2 | forcepoint-wsg-kv-http-session-webactivity |
+| websense-proxy-3 | forcepoint-wsg-kv-http-session-websensewsg |
+| websense-usb-activity | forcepoint-dlp-cef-peripheral_storage-insert-success-removablemedia |
+| win-def-mal-detect | microsoft-defenderep-kv-alert-trigger-success-virus |
+| win-disable-device | "microsoft-windows-xml-peripheral-storage-activity-success-devicewasdisable |
+| win-disable-device-request | "microsoft-windows-xml-peripheral-storage-activity-success-disable |
+| win-enable-device | "microsoft-evsecurity-xml-peripheral-storage-insert-success-enabledevice |
+| win-enable-device-request | "microsoft-windows-xml-peripheral-storage-activity-success-enableadevice |
+| win-external-device-recog | "microsoft-evsecurity-xml-peripheral-storage-insert-success-devicewasrecognized |
+| win-external-device-recog-1 | microsoft-evsecurity-kv-peripheralstorage-insert-success-6416 |
+| win-powershell-command | "microsoft-evpowershell-xml-process-create-success-4103 |
+| windows-1102 | microsoft-evsecurity-kv-http-request-success-1102 |
+| windows-4768-1 | microsoft-evsecurity-json-endpoint-login-4768-1 |
+| windows-4793 | microsoft-evsecurity-kv-endpoint-notification-success-4793-1 |
+| windows-4954 | microsoft-evsecurity-kv-policy-apply-4954 |
+| windows-6144 | microsoft-evsecurity-kv-policy-apply-6144 |
+| windows-6145 | microsoft-evsecurity-kv-policy-apply-fail-6145 |
+| windows-defender-endpoint-1 | microsoft-defenderep-str-app-notification-upandrunning |
+| windows-defender-endpoint-10 | microsoft-defenderep-str-app-notification-avsignatureupdated |
+| windows-defender-endpoint-11 | microsoft-defenderep-str-endpoint-scan-scanhasstarted |
+| windows-defender-endpoint-12 | microsoft-defenderep-str-app-notification-stateupdated |
+| windows-defender-endpoint-13 | microsoft-defenderep-kv-app-notification-scanfinished |
+| windows-defender-endpoint-14 | microsoft-defenderep-str-app-notification-versionupdated-1 |
+| windows-defender-endpoint-15 | microsoft-defenderep-str-app-notification-encounterederror |
+| windows-defender-endpoint-2 | microsoft-defenderep-str-configuration-modify-config-changed |
+| windows-defender-endpoint-3 | microsoft-defenderep-str-app-notification-clienthealthreport |
+| windows-defender-endpoint-4 | microsoft-defenderep-str-endpoint-scan-fail-scanstopped |
+| windows-defender-endpoint-5 | microsoft-defenderep-str-app-notification-versionupdated |
+| windows-defender-endpoint-6 | microsoft-defenderep-kv-endpoint-scan-updated |
+| windows-defender-endpoint-7 | microsoft-defenderep-kv-endpoint-scan-success-scanstarted |
+| windows-defender-endpoint-8 | microsoft-defenderep-str-endpoint-scan-scanfinished |
+| windows-defender-endpoint-9 | microsoft-defenderep-str-app-notification-removedhistory |
+| windows-dns-network-connection | microsoft-windows-kv-network-traffic-success-networkconn-1 |
+| windows-dns-query | microsoft-windows-str-dns-request-success-udpquesinfo |
+| windows-dns-query-1 | microsoft-windows-str-dns-request-success-packetqm |
+| windows-dns-query-2 | microsoft-windows-kv-dns-request-success-response |
+| windows-dns-query-3 | microsoft-windows-str-dns-request-success-queryq |
+| windows-dns-query-4 | microsoft-windows-str-dns-request-success-packetu |
+| windows-dns-query-5 | microsoft-windows-str-dns-request-success-packetn |
+| windows-dns-response | microsoft-windows-kv-dns-response-success-udpresponseinfo |
+| windows-dns-response-1 | microsoft-windows-str-dns-response-success-packetrq |
+| windows-dns-response-2 | microsoft-windows-kv-dns-response-success-flags |
+| windows-dns-response-3 | microsoft-windows-str-dns-response-success-packetru |
+| windows-events-4624 | microsoft-evsecurity-json-endpoint-login-success-4624-6 |
+| windows-events-4648 | microsoft-evsecurity-kv-endpoint-login-success-4648-2 |
+| windows-events-4672 | microsoft-evsecurity-json-user-privilege-assign-success-4672-2 |
+| windows-events-4696 | microsoft-evsecurity-json-process-token-assign-success-4696 |
+| windows-events-4769 | microsoft-evsecurity-json-endpoint-login-4769-8 |
+| windows-events-4776 | microsoft-evsecurity-json-endpoint-login-fail-4776 |
+| windows-kinesis-firehose-4624 | microsoft-evsecurity-sk4-endpoint-login-success-4624 |
+| windows-kinesis-firehose-5145 | microsoft-evsecurity-sk4-share-access-5145-8 |
+| windows-kinesis-firehose-5156 | microsoft-evsecurity-sk4-network-session-success-5156 |
+| windows-powershell-800 | microsoft-evdnsserver-kv-process-create-success-800-2 |
+| windows-rdp-login | "microsoft-evterminalservicesgateway-xml-endpoint-login-terminalservice-21 |
+| windows-server-system-events | microsoft-evapp-kv-endpoint-activity-success-1530 |
+| windows-system-info | microsoft-evsystem-kv-endpoint-notification-success-notification |
+| windows-system-info-10 | microsoft-evdirservice-kv-app-notification-success-1865 |
+| windows-system-info-11 | microsoft-evdirservice-kv-app-notification-success-1311 |
+| windows-system-info-12 | microsoft-evdirservice-kv-app-notification-success-1566 |
+| windows-system-info-13 | microsoft-evdirservice-kv-app-notification-success-1864 |
+| windows-system-info-14 | microsoft-evdirservice-kv-app-notification-success-701 |
+| windows-system-info-15 | microsoft-evdirservice-kv-app-notification-success-700 |
+| windows-system-info-16 | microsoft-evdfsrep-kv-ds-replication-start-fail-5008 |
+| windows-system-info-17 | microsoft-evdirservice-kv-app-notification-success-1162 |
+| windows-system-info-18 | microsoft-evdfsrep-kv-ds-replication-fail-5014 |
+| windows-system-info-19 | microsoft-evdfsrep-kv-ds-replication-start-success-5004 |
+| windows-system-info-2 | microsoft-evsecurity-kv-endpoint-activity-success-4665 |
+| windows-system-info-20 | microsoft-evdirservice-kv-app-notification-success-3041 |
+| windows-system-info-21 | microsoft-evdirservice-kv-app-notification-success-2887 |
+| windows-system-info-3 | microsoft-evsecurity-kv-endpoint-activity-success-4666 |
+| windows-system-info-4 | microsoft-evsecurity-kv-endpoint-activity-success-4667 |
+| windows-system-info-5 | microsoft-evsecurity-kv-endpoint-activity-success-26401 |
+| windows-system-info-6 | microsoft-evkernelio-str-endpoint-activity-success-endpointactivity |
+| windows-system-info-7 | microsoft-evliveid-kv-endpoint-activity-success-endpointactivity |
+| windows-system-info-8 | microsoft-evknownfolders-str-endpoint-activity-success-endpointactivity |
+| windows-system-info-9 | microsoft-evlp-str-endpoint-activity-success-endpointactivity |
+| windows-vpn-login-4979 | microsoft-directaccess-csv-vpn-login-success-4979 |
+| windows-vpn-login-4981 | microsoft-directaccess-csv-vpn-login-success-4981 |
+| windows-vpn-login-failed-4654 | microsoft-directaccess-csv-vpn-login-fail-4654 |
+| windows-vpn-logout-4655 | microsoft-evsecurity-csv-network-close-success-4655 |
+| windows-xml-1400 | "microsoft-evapp-xml-endpoint-notification-success-1400 |
+| windows-xml-2580 | "microsoft-evsecurity-xml-endpoint-notification-success-2580 |
+| windows-xml-2581 | "microsoft-evsecurity-xml-endpoint-notification-success-2581 |
+| windows-xml-4674 | "microsoft-evsecurity-xml-user-privilege-use-success-4674 |
+| windows-xml-4691 | "microsoft-evsecurity-xml-endpoint-activity-success-4691 |
+| windows-xml-4700 | "microsoft-evsecurity-xml-scheduled-task-create-success-4700 |
+| windows-xml-4720 | "microsoft-evsecurity-xml-user-create-success-4720-2 |
+| windows-xml-4722 | "microsoft-evsecurity-xml-user-enable-success-4722 |
+| windows-xml-4735-1 | "microsoft-evsecurity-xml-group-modify-success-4735-3 |
+| windows-xml-4742 | "microsoft-evsecurity-xml-ds-object-modify-success-4742 |
+| windows-xml-4780 | "microsoft-evsecurity-xml-endpoint-notification-success-4780 |
+| windows-xml-4886 | "microsoft-evsecurity-xml-certificate-request-success-4886 |
+| windows-xml-4887 | "microsoft-evsecurity-xml-certificate-create-success-4887 |
+| windows-xml-4911 | "microsoft-evsecurity-xml-endpoint-activity-success-4911 |
+| windows-xml-4952 | "microsoft-evsecurity-xml-endpoint-notification-success-4952 |
+| windows-xml-4954 | "microsoft-evsecurity-xml-policy-apply-success-4954 |
+| windows-xml-6145 | "microsoft-evsecurity-xml-policy-apply-fail-6145 |
+| windows-xml-98 | "microsoft-windows-xml-endpoint-notification-success-98 |
+| windows-xml-member-added-2008 | "microsoft-evsecurity-xml-group-member-add-success-eventid47 |
+| windows-xml-powershell-800 | "microsoft-evdnsserver-xml-process-create-success-800-1 |
+| windows-xml-powershell-process-created | "microsoft-evterminalservicesgateway-xml-process-create-success-400 |
+| windows-xml-powershell-process-created-1 | "microsoft-evsecurity-xml-process-create-success-600 |
+| windows-xml-powershell-process-created-2 | "microsoft-evpowershell-xml-process-create-success-4103 |
+| wininit-process-info-12 | "windows-evsystem-xml-endpoint-notification-12 |
+| wiz-app-login | wiz-w-json-app-login-success-federatedauth |
+| wiz-delete-user | wiz-w-csv-user-delete-success-deleteuser |
+| wiz-system-info-1 | wiz-w-mix-app-notification-success-finalizecicdscan |
+| wiz-system-info-2 | wiz-w-mix-app-notification-success-initiatedisk |
+| wls-4611 | microsoft-evsecurity-csv-endpoint-notification-success-4611 |
+| wls-4624 | microsoft-evsecurity-kv-endpoint-login-success-4624-5 |
+| wls-4625 | microsoft-evsecurity-kv-endpoint-login-fail-4625-6 |
+| wls-4663 | microsoft-evsecurity-kv-file-read-success-4663 |
+| wls-4688 | microsoft-evsecurity-kv-process-create-success-4688wls |
+| wls-4720 | microsoft-evsecurity-kv-user-create-success-4720-2 |
+| wls-4723 | microsoft-evsecurity-kv-user-password-modify-4723-3 |
+| wls-4724 | microsoft-evsecurity-kv-user-password-reset-success-4724-3 |
+| wls-4725 | microsoft-evsecurity-kv-user-disable-success-4725-1 |
+| wls-4726 | microsoft-evsecurity-kv-user-delete-fail-wls |
+| wls-4740 | microsoft-evsecurity-kv-user-lock-success-4740-2 |
+| wls-4768 | microsoft-evsecurity-kv-endpoint-login-4768-6 |
+| wls-4769 | microsoft-evsecurity-kv-endpoint-login-4769-3 |
+| wls-4771 | microsoft-evsecurity-kv-endpoint-login-fail-4771-2 |
+| wls-4776 | microsoft-evsecurity-kv-endpoint-login-4776-3 |
+| wls-627 | microsoft-evsecurity-kv-user-password-modify-627-2 |
+| wls-644 | microsoft-evsecurity-kv-user-delete-fail-644 |
+| wls-675 | microsoft-evsecurity-kv-endpoint-login-fail-675 |
+| wls-member-added-2008-notype | microsoft-evsecurity-kv-group-member-add-success-wls |
+| wls-windows-privileged-access | microsoft-evsecurity-kv-user-privilege-success-467 |
+| workday-app-activity-1 | workday-wd-json-app-activity-success-activityaction |
+| workday-app-activity-2 | workday-wd-json-app-activity-success-appactivity |
+| workday-app-login-1 | workday-wd-json-app-login-success-startnewsession |
+| workday-app-login-2 | workday-wd-json-app-login-success-startnewsession-1 |
\ No newline at end of file
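Review bot: a large block of rows in this hunk (`win-disable-device` through `win-powershell-command`, `windows-rdp-login`, and `windows-xml-1400` through `wininit-process-info-12`) has a stray leading double quote in the new-name cell, for example `"microsoft-evsecurity-xml-scheduled-task-create-success-4700`; these need stripping before the table can serve as a mapping. Several mappings also look wrong or inconsistent on their face and should be checked against the parser definitions: `windows-1102` maps to `microsoft-evsecurity-kv-http-request-success-1102`, but Security event 1102 is the audit log being cleared and the x_parsers hunk maps the same event to `log-clear-success`; `windows-powershell-800` and `windows-xml-powershell-800` map to `microsoft-evdnsserver-...` and `windows-xml-powershell-process-created` maps to `microsoft-evterminalservicesgateway-...-400`, although events 800 and 400 are Windows PowerShell pipeline and engine-state events, not DNS Server or TS Gateway log entries; `wazuh-4625` maps to `wazuh-evsecurity-...` while every other `wazuh-46xx` row uses `microsoft-evsecurity-`; `wazuh-4776` maps to `microsoft-evsecurity-json-endpoint-login-windows` with no outcome or event-id token; `windows-vpn-logout-4655` maps to `microsoft-evsecurity-csv-...` while its sibling 4654/4979/4981 rows use `microsoft-directaccess-csv-`; and `wininit-process-info-12` maps to `"windows-evsystem-...` with a `windows-` vendor prefix no other row uses. Finally, `...-group-member-add-success-eventid47` and `...-user-privilege-success-467` look truncated (other rows end in a full four-digit event id); confirm the full names rather than guessing. No trailing newline at end of file here either.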
diff --git a/ParsersLegacy/x_parsers.md b/ParsersLegacy/x_parsers.md
new file mode 100644
index 0000000..2f52ca4
--- /dev/null
+++ b/ParsersLegacy/x_parsers.md
@@ -0,0 +1,197 @@
+| Old Parser Name | New Parser Name |
+| ---------------------------------- | ----------------------------------------------------------------- |
+| xams-failed-app-login | xiting-x-cef-app-login-fail-gescheitert |
+| xams-system-info | xiting-x-cef-app-activity-success-xams |
+| xerox-print | xerox-x-kv-printer-activity-success-colorduplexcount |
+| xml-10000 | "microsoft-evazureadppdca-xml-dll-load-success-10000 |
+| xml-10014 | "microsoft-azuread-xml-user-password-modify-success-10014 |
+| xml-10015 | "microsoft-azuread-xml-user-password-reset-success-10015 |
+| xml-10016 | "microsoft-evsystem-xml-dcom-activate-fail-10016 |
+| xml-10016-1 | "microsoft-azuread-xml-user-password-modify-fail-10016 |
+| xml-10017 | "microsoft-evazureadppdca-xml-user-password-reset-fail-10017 |
+| xml-10024 | "microsoft-azuread-xml-user-password-modify-success-10024 |
+| xml-10025 | "microsoft-azuread-xml-user-password-reset-success-10025 |
+| xml-1009 | "microsoft-defenderep-xml-alert-trigger-success-1009 |
+| xml-104 | "microsoft-windows-xml-log-clear-success-104 |
+| xml-1074 | "microsoft-evsystem-xml-endpoint-stop-1074 |
+| xml-1100 | "microsoft-evsecurity-xml-log-disable-1100 |
+| xml-1101 | "microsoft-evsecurity-xml-endpoint-notification-1101 |
+| xml-1102 | "microsoft-evsecurity-xml-log-clear-success-1102 |
+| xml-1102-1 | microsoft-evsecurity-kv-log-clear-success-logfileclear |
+| xml-1105 | "microsoft-evsecurity-xml-log-backup-1105 |
+| xml-1116 | "microsoft-defenderep-kv-alert-trigger-success-1116 |
+| xml-1117 | "microsoft-defenderep-kv-alert-trigger-success-1117 |
+| xml-1149 | "microsoft-evadfs-xml-rdp-traffic-success-1149 |
+| xml-1310 | "microsoft-evsecurity-xml-endpoint-login-fail-1310 |
+| xml-16 | "microsoft-evsystem-xml-endpoint-notification-16 |
+| xml-20000 | "microsoft-evazureadppdca-xml-service-start-success-20000 |
+| xml-20001 | microsoft-evsystem-xml-endpoint-notification-success-20001 |
+| xml-30002 | "microsoft-azuread-xml-user-password-modify-fail-30002 |
+| xml-30003 | "microsoft-evazureadppdca-xml-user-password-reset-fail-30003 |
+| xml-30004 | "microsoft-azuread-xml-user-password-modify-fail-30004 |
+| xml-30005 | "microsoft-evazureadppdca-xml-user-password-reset-fail-30005 |
+| xml-30009 | "microsoft-azuread-xml-user-password-reset-success-30009 |
+| xml-30010 | "microsoft-azuread-xml-user-password-modify-success-30010 |
+| xml-30026 | "microsoft-azuread-xml-user-password-modify-fail-30026 |
+| xml-30027 | "microsoft-evazureadppdca-xml-user-password-reset-fail-30027 |
+| xml-30028 | "microsoft-azuread-xml-user-password-modify-success-30028 |
+| xml-30029 | "microsoft-azuread-xml-user-password-reset-success-30029 |
+| xml-30030 | "microsoft-evazureadppdca-xml-app-authentication-success-30030 |
+| xml-30035 | "microsoft-evazureadppdca-xml-endpoint-activity-success-30035 |
+| xml-30036 | "microsoft-evazureadppdca-xml-endpoint-activity-fail-30036 |
+| xml-30038 | "microsoft-evazureadppdca-xml-endpoint-notification-success-30038 |
+| xml-30042 | "microsoft-evazureadppdca-xml-endpoint-notification-success-30042 |
+| xml-30043 | "microsoft-evazureadppdca-xml-endpoint-activity-success-30043 |
+| xml-30044 | "microsoft-evazureadppdca-xml-endpoint-activity-fail-30044 |
+| xml-4608 | "microsoft-evsecurity-xml-endpoint-start-4608 |
+| xml-4610 | "microsoft-evsecurity-xml-dll-load-4610 |
+| xml-4611 | "microsoft-evsecurity-xml-endpoint-notification-4611 |
+| xml-4614 | "microsoft-evsecurity-xml-dll-load-4614 |
+| xml-4616 | "microsoft-evsecurity-xml-endpoint-time-modify-4616 |
+| xml-4622 | "microsoft-evsecurity-xml-service-create-success-4622 |
+| xml-4624 | "microsoft-evsecurity-xml-endpoint-login-success-4624 |
+| xml-4624-1 | "microsoft-evsecurity-cef-endpoint-login-success-4624-1 |
+| xml-4625 | "microsoft-evsecurity-xml-endpoint-login-fail-4625 |
+| xml-4625-1 | "microsoft-evsecurity-xml-endpoint-login-fail-4625-1 |
+| xml-4627 | "microsoft-evsecurity-xml-endpoint-notification-4627-1 |
+| xml-4634-1 | "microsoft-evsecurity-cef-endpoint-logout-4634 |
+| xml-4648 | "microsoft-evsecurity-xml-user-switch-success-4648 |
+| xml-4649 | "microsoft-evsecurity-xml-alert-trigger-success-4649 |
+| xml-4653 | "microsoft-evsecurity-xml-endpoint-notification-4653-1 |
+| xml-4654 | "microsoft-evsecurity-xml-endpoint-notification-4654 |
+| xml-4655 | "microsoft-evsecurity-xml-endpoint-activity-4655 |
+| xml-4657 | "microsoft-evsecurity-xml-registry-create-success-4657 |
+| xml-4659 | "microsoft-evsecurity-xml-handle-request-4659 |
+| xml-4662 | "microsoft-evsecurity-xml-ds-object-activity-success-4662 |
+| xml-4662-jp | "microsoft-evsecurity-xml-ds-object-activity-success-4662-1 |
+| xml-4663 | "microsoft-evsecurity-xml-file-read-success-4663 |
+| xml-4670 | "microsoft-evsecurity-xml-file-permission-modify-4670-2 |
+| xml-4670-1 | "microsoft-evsecurity-xml-file-permission-modify-4670-1 |
+| xml-4672 | "microsoft-evsecurity-xml-user-privilege-assign-success-4672 |
+| xml-4673 | "microsoft-evsecurity-xml-user-privilege-assign-success-4673-1 |
+| xml-4674 | "microsoft-evsecurity-xml-user-privilege-use-success-4674-1 |
+| xml-4674-1 | "microsoft-evsecurity-cef-user-privilege-use-success-4674-2 |
+| xml-4688 | "microsoft-evsecurity-xml-process-create-success-4688 |
+| xml-4689 | "microsoft-evsecurity-xml-process-close-4689 |
+| xml-4695 | "microsoft-evsecurity-xml-endpoint-notification-4695 |
+| xml-4699 | "microsoft-evsecurity-xml-scheduled-task-delete-4699 |
+| xml-4702 | "microsoft-evsecurity-xml-scheduled-task-modify-4702-2 |
+| xml-4702-1 | "microsoft-evsecurity-xml-scheduled-task-modify-4702-1 |
+| xml-4702-2 | "microsoft-evsecurity-xml-scheduled-task-modify-taskupdated |
+| xml-4703 | "microsoft-evsecurity-xml-user-privilege-modify-4703 |
+| xml-4719 | "microsoft-evsecurity-xml-audit-policy-modify-success-4719 |
+| xml-4731 | microsoft-evsecurity-xml-group-create-success-4731 |
+| xml-4735 | "microsoft-evsecurity-xml-group-modify-success-4735-1 |
+| xml-4738 | "microsoft-evsecurity-xml-ds-object-modify-success-4738 |
+| xml-4739 | microsoft-windows-mix-configuration-modify-success-4739 |
+| xml-4742-jp | "microsoft-evsecurity-xml-ds-object-activity-success-4742 |
+| xml-4767 | "microsoft-evsecurity-xml-user-unlock-success-4767 |
+| xml-4768 | "microsoft-evsecurity-xml-endpoint-login-4768 |
+| xml-4769 | "microsoft-evsecurity-xml-endpoint-login-4769 |
+| xml-4769-1 | "microsoft-evsecurity-xml-endpoint-login-4769-2 |
+| xml-4776 | "microsoft-evsecurity-xml-endpoint-login-4776 |
+| xml-4778 | "microsoft-evsecurity-xml-rdp-traffic-success-4778 |
+| xml-4779 | "microsoft-evsecurity-xml-endpoint-logout-success-4779 |
+| xml-4793 | "microsoft-evsecurity-xml-endpoint-notification-4793 |
+| xml-4797 | "microsoft-evsecurity-xml-endpoint-notification-4797 |
+| xml-4798 | "microsoft-evsecurity-xml-group-list-4798-1 |
+| xml-4798-1 | "microsoft-evsecurity-xml-group-list-4798 |
+| xml-4799 | "microsoft-evsecurity-xml-group-member-list-4799-1 |
+| xml-4800 | "microsoft-evsecurity-xml-endpoint-lock-success-4800 |
+| xml-4801 | "microsoft-evsecurity-xml-endpoint-unlock-success-4801 |
+| xml-4816 | "microsoft-evsecurity-xml-network-notfication-4816 |
+| xml-4822 | "microsoft-evsecurity-xml-endpoint-authentication-fail-4822 |
+| xml-4825 | "microsoft-windows-xml-endpoint-login-fail-4825 |
+| xml-4826 | "microsoft-evsecurity-xml-configuration-load-4826 |
+| xml-4902 | "microsoft-evsecurity-xml-endpoint-notification-4902 |
+| xml-4904 | "microsoft-evsecurity-xml-audit-policy-modify-4904 |
+| xml-4905 | "microsoft-evsecurity-xml-audit-policy-modify-4905 |
+| xml-4907 | "microsoft-evsecurity-xml-audit-policy-modify-4907 |
+| xml-4946 | "microsoft-evsecurity-xml-policy-modify-4946 |
+| xml-4981 | "microsoft-evsecurity-xml-network-session-success-4981 |
+| xml-4984 | "microsoft-evsecurity-xml-network-session-fail-4984 |
+| xml-5024 | "microsoft-evsecurity-xml-endpoint-notification-5024 |
+| xml-5031 | "microsoft-evsecurity-xml-endpoint-notification-5031 |
+| xml-5033 | "microsoft-evsecurity-xml-endpoint-notification-5033 |
+| xml-5038 | "microsoft-evsecurity-xml-driver-load-fail-5038 |
+| xml-5058 | "microsoft-evsecurity-xml-file-5058-1 |
+| xml-5059 | "microsoft-evsecurity-xml-key-migrate-5059-1 |
+| xml-5061 | "microsoft-evsecurity-xml-key-5061-2 |
+| xml-5136 | "microsoft-evsecurity-xml-ds-object-modify-success-5136 |
+| xml-5137 | "microsoft-evsecurity-xml-ds-object-create-success-5137 |
+| xml-5138 | "microsoft-evsecurity-xml-ds-object-restore-success-5138 |
+| xml-5139 | "microsoft-evsecurity-xml-ds-object-move-success-5139 |
+| xml-5140 | "microsoft-evsecurity-xml-share-access-success-5140 |
+| xml-5141 | "microsoft-evsecurity-xml-ds-object-delete-success-5141 |
+| xml-5143 | "microsoft-evsecurity-xml-share-modify-success-5143 |
+| xml-5144 | "microsoft-evsecurity-xml-share-delete-success-5144 |
+| xml-5145 | "microsoft-evsecurity-xml-share-access-5145 |
+| xml-5145-1 | "microsoft-evsecurity-xml-share-access-5145-1 |
+| xml-5152 | "microsoft-evsecurity-xml-network-traffic-fail-5152 |
+| xml-5154 | "microsoft-evsecurity-xml-network-listen-5154 |
+| xml-5156 | "microsoft-evsecurity-xml-network-session-success-5156 |
+| xml-5157 | "microsoft-evsecurity-xml-network-session-fail-5157 |
+| xml-5158 | "microsoft-evsecurity-xml-network-session-success-5158 |
+| xml-5447 | "microsoft-evsecurity-xml-policy-modify-5447 |
+| xml-5451 | "microsoft-evsecurity-xml-endpoint-activity-5451 |
+| xml-5478 | "microsoft-evsecurity-xml-service-create-success-5478 |
+| xml-5723 | "microsoft-evsystem-xml-endpoint-authentication-fail-5723 |
+| xml-5823 | "microsoft-evsystem-xml-endpoint-password-modify-5823 |
+| xml-5829 | "microsoft-evsystem-xml-alert-trigger-5829 |
+| xml-5861 | "microsoft-evsystem-xml-process-create-success-5861 |
+| xml-6005 | "microsoft-evsystem-xml-service-start-6005 |
+| xml-6006 | "microsoft-evsystem-xml-log-disable-6006 |
+| xml-6144 | "microsoft-evsecurity-xml-policy-apply-6144 |
+| xml-6272 | "microsoft-evnps-xml-radius-traffic-success-6272 |
+| xml-6417 | "microsoft-evsecurity-xml-endpoint-notification-6417 |
+| xml-8004 | "microsoft-evntlm-xml-endpoint-login-fail-8004 |
+| xml-8015 | "microsoft-evsecurity-xml-dns-record-create-fail-8015 |
+| xml-8018 | "microsoft-evsecurity-xml-dns-record-create-fail-8018 |
+| xml-email-saas-o365-alert | "microsoft-o365-xml-email-send-success-office365 |
+| xml-iis-6200-web-activity | "microsoft-iis-xml-http-session-6200 |
+| xml-member-removed-2008 | "microsoft-evsecurity-xml-group-member-remove-success-eventid |
+| xml-microsoft-dns-query | "microsoft-evdnsserver-xml-dns-request-success-256 |
+| xml-mssql-database-login | "microsoft-mssql-xml-database-login-qualifiers |
+| xml-mssql-database-login-1 | "microsoft-mssql-xml-database-login-audit |
+| xml-netapp-4659 | "microsoft-evsecurity-xml-handle-request-success-4659 |
+| xml-nps-logon | "microsoft-evsecurity-xml-radius-traffic-627 |
+| xml-powershell-4104 | "microsoft-evpowershell-xml-script-execute-success-4104 |
+| xml-powershell-4105 | "microsoft-evpowershell-xml-script-execute-4105 |
+| xml-powershell-4106 | "microsoft-evpowershell-xml-endpoint-notification-4106 |
+| xml-sophos-security-alert | "sophos-ep-xml-alert-trigger-success-antivirus |
+| xml-sysmon-alert | "microsoft-sysmon-xml-alert-trigger-success-25 |
+| xml-sysmon-config-change | "microsoft-sysmon-xml-log-4 |
+| xml-sysmon-config-change-1 | "microsoft-sysmon-xml-dll-load-7 |
+| xml-sysmon-dns-query | "microsoft-sysmon-xml-dns-request-success-query |
+| xml-sysmon-file-create | "microsoft-sysmon-xml-file-write-success-11 |
+| xml-sysmon-file-write | "microsoft-sysmon-xml-file-write-success-13 |
+| xml-sysmon-file-write-1 | "microsoft-sysmon-xml-registry-12 |
+| xml-sysmon-file-write-2 | "microsoft-sysmon-xml-file-stream-create-15 |
+| xml-sysmon-file-write-3 | "microsoft-sysmon-xml-file-time-modify-2-1 |
+| xml-sysmon-process-created | "microsoft-sysmon-xml-process-create-success-processcreate |
+| xml-sysmon-process-created-1 | "microsoft-sysmon-xml-process-create-success-processcreate-1 |
+| xml-sysmon-process-created-2 | "microsoft-sysmon-xml-process-create-success-processcreate-2 |
+| xml-sysmon-process-terminated | "microsoft-sysmon-xml-process-close-5 |
+| xml-windows-defender-av-1000 | "microsoft-defenderep-xml-endpoint-scan-success-1000 |
+| xml-windows-defender-av-1001 | "microsoft-defenderep-xml-endpoint-scan-success-1001 |
+| xml-windows-defender-av-1002 | "microsoft-defenderep-xml-endpoint-scan-success-1002 |
+| xml-windows-defender-av-1013 | "microsoft-defenderep-xml-report-create-success-1013 |
+| xml-windows-defender-av-1150 | "microsoft-defenderep-xml-app-notification-success-1150 |
+| xml-windows-defender-av-1151 | "microsoft-defenderep-xml-report-create-success-1151 |
+| xml-windows-defender-av-2000 | "microsoft-defenderep-xml-configuration-modify-success-2000 |
+| xml-windows-defender-av-2010 | "microsoft-defenderep-xml-configuration-modify-success-2010 |
+| xml-windows-defender-av-2011 | "microsoft-defenderep-xml-configuration-modify-success-2011 |
+| xml-windows-defender-av-5007 | "microsoft-defenderep-xml-configuration-modify-success-5007 |
+| xml-windows-event-3150 | "microsoft-evdnsserver-xml-app-notification-3150 |
+| xml-windows-event-5502 | "microsoft-evdnsserver-xml-dns-traffic-fail-5502 |
+| xml-windows-event-6001 | "microsoft-evdnsserver-xml-network-notification-6001 |
+| xml-windows-event-6004 | "microsoft-evdnsserver-xml-network-notification-6004 |
+| xml-windows-event-6522 | "microsoft-evdnsserver-xml-network-notification-6522 |
+| xml-windows-event-7050 | "microsoft-evdnsserver-xml-dns-response-fail-7050 |
+| xml-windows-events-1 | "microsoft-windows-xml-app-activity-success-10036 |
+| xplan-csv-failed-physical-access-1 | xplan-x-csv-physical-location-access-fail-accessdenied |
+| xplan-csv-failed-physical-access-2 | xplan-x-csv-physical-location-access-fail-cardexpired |
+| xplan-csv-failed-physical-access-3 | xplan-x-csv-physical-location-access-fail-cardresend |
+| xplan-csv-failed-physical-access-4 | xplan-x-csv-physical-location-access-fail-passbackattemped |
+| xplan-csv-physical-access-1 | xplan-x-csv-physical-location-access-success-accessgranted |
+| xplan-csv-physical-access-2 | xplan-x-csv-physical-location-access-success-controlrelinquished |
\ No newline at end of file
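Review bot: the New Parser Name cells in this table are inconsistently quoted. Most rows carry a stray leading `"` with no closing quote (e.g. `| xml-4674 | "microsoft-evsecurity-xml-user-privilege-use-success-4674-1 |`), while `xml-4731`, `xml-4739` and the `xplan-*` rows have none, so anything consuming the table would read the quote as part of the parser name; drop the quotes throughout. Also check the suffix pairs that look swapped relative to the old names (`xml-4702` maps to `...-4702-2` while `xml-4702-1` maps to `...-4702-1`; `xml-4798` maps to `...-4798-1` while `xml-4798-1` maps to `...-4798`; `xml-4769-1` maps to `...-4769-2`), the `xml-4674-1` row that maps an xml parser to a `-cef-` name, and the spellings `notfication` (`xml-4816`) and `passbackattemped` (`xplan-csv-failed-physical-access-4`), all of which should be verified against the real parser names before this mapping is published. The file also lacks a trailing newline.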
diff --git a/ParsersLegacy/y_parsers.md b/ParsersLegacy/y_parsers.md
new file mode 100644
index 0000000..b9fdf0a
--- /dev/null
+++ b/ParsersLegacy/y_parsers.md
@@ -0,0 +1 @@
+| Old Parser Name | New Parser Name || --------------- | --------------- |
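Review bot: the table header and its separator row are collapsed onto one line (`| Old Parser Name | New Parser Name || --------------- | --------------- |`), so no markdown renderer will recognise this as a table; split it into a header line and a separator line as in z_parsers.md. The file also has no data rows: if there are no legacy parsers beginning with `y`, either omit the file or add a one-line note saying so rather than shipping an empty header.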
diff --git a/ParsersLegacy/z_parsers.md b/ParsersLegacy/z_parsers.md
new file mode 100644
index 0000000..3836170
--- /dev/null
+++ b/ParsersLegacy/z_parsers.md
@@ -0,0 +1,38 @@
+| Old Parser Name | New Parser Name |
+| ---------------------------------------- | ------------------------------------------------------------------- |
+| zebra-wlm-system-info | extremenetworks-zwlanm-str-endpoint-notification-success-filesystem |
+| zimperium-mobile-endpoint-security-alert | zimperium-mtd-json-alert-trigger-success-threatuuid |
+| zoom-login | zoom-z-sk4-app-login-success-signin |
+| zoom-meeting-created | zoom-z-json-meeting-create-success-created |
+| zoom-meeting-ended | zoom-z-json-meeting-end-success-ended |
+| zoom-meeting-participant-joined | zoom-z-json-meeting-member-join-success-participant |
+| zoom-meeting-started | zoom-z-json-meeting-start-success-started |
+| zoom-meeting-updated | zoom-z-json-meeting-modify-success-updated |
+| zoom-operations-activity | zoom-z-sk4-app-activity-success-operator |
+| zscaler-account-lockout | zscaler-pa-json-user-lock-success-accountlock |
+| zscaler-account-unlocked | zscaler-pa-json-user-unlock-success-accountunlock |
+| zscaler-activity | zscaler-ia-json-network-traffic-success-internalreason |
+| zscaler-app-activity | zscaler-pa-json-app-activity-success-create |
+| zscaler-app-activity-1 | zscaler-pa-json-app-activity-success-update |
+| zscaler-app-activity-2 | zscaler-pa-json-app-activity-success-delete |
+| zscaler-app-login | zscaler-pa-json-app-login-success-signin |
+| zscaler-app-logout | zscaler-pa-json-app-logout-success-sessiontimeout |
+| zscaler-app-logout-1 | zscaler-pa-json-app-logout-success-signout |
+| zscaler-dlp-alert-1 | zscaler-ia-kv-alert-trigger-success-dlpenginenames |
+| zscaler-dlp-alert-2 | zscaler-ia-json-alert-trigger-success-zscalernsscasb |
+| zscaler-dns-response | zscaler-ia-kv-dns-response-success-allow |
+| zscaler-dns-response-1 | zscaler-ia-json-dns-response-success-deviceowner |
+| zscaler-failed-app-login | zscaler-pa-json-app-login-fail-signinfailure |
+| zscaler-firewall | zscaler-ia-kv-network-session-firewall |
+| zscaler-firewall-1 | zscaler-ia-json-network-traffic-event |
+| zscaler-network-connection | zscaler-ia-cef-network-traffic-oneclickrule |
+| zscaler-network-connection-1 | zscaler-ia-cef-network-traffic-blocked |
+| zscaler-proxy | zscaler-ia-cef-http-session-mcafeeesm |
+| zscaler-status | zscaler-ia-json-app-login-success-sessionstatus |
+| zscaler-system-info | zscaler-ia-str-app-notification-success-memoryinfo |
+| zscaler-vpn-activity | zscaler-pa-json-vpn-login-success-doubleencryption |
+| zscaler-vpn-end | zscaler-pa-csv-vpn-logout-success-disconnected |
+| zscaler-vpn-end-1 | zscaler-pa-json-vpn-logout-success-username |
+| zscaler-vpn-start | zscaler-pa-str-vpn-login-success-authenticate |
+| zscaler-vpn-user | zscaler-pa-csv-vpn-logout-success-connection |
+| zscaler-web-activity-7 | zscaler-ia-kv-http-session-zscaler |
\ No newline at end of file
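Review bot: the file has no newline at end of file; add one to match the other parser tables and keep future diffs clean. The only numbered `zscaler-web-activity` entry is `-7`, which implies `zscaler-web-activity` through `-6` either have no new-name mapping or were retired; confirm that is intended and, if they were retired, say so in the file so users of the old names are not left guessing.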
diff --git a/Platforms_Landscapes.md b/Platforms_Landscapes.md
new file mode 100644
index 0000000..c02a854
--- /dev/null
+++ b/Platforms_Landscapes.md
@@ -0,0 +1,78 @@
+ Platforms by Landscapes
+========================
+
+| Landscape | Platforms |
+| ---------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| File Systems and Object Storage | nutanix
|
+| Unified Endpoint Management (UEM) | citrix endpoint management
|
+| access management | auth0
onelogin
ping identity
pingone
pingfederate
duo access
entrust identity enterprise
okta adaptive mfa
oracle access management
symantec vip
active directory federation services
cloud akamai
securid
shibboleth
fortiauthenticator
secureauth idp
secureauth login
symantec siteminder
onewelcome
jumpcloud directory services & insights
jumpcloud
appsense application manager
f5 access policy manager
banyan security
microsoft intune
|
+| asset management | lanscope cat
apex one
|
+| backup & recovery | rubrik cloud data management
cds
|
+| cloud | aws
gcp
azure
microsoft 365
oracle public cloud
google workspace
extreamcloud iq
azure monitor
|
+| cloud access security broker (casb) | bitglass casb
symantec cloudsoc
netskope security cloud
palo alto aperture
skyhigh networks casb
forcepoint casb
ermetic cloud infrastructure security
cisco cloudlock
netskope casb
|
+| cloud-native application protection platform (cnapp) | microsoft defender for cloud
wiz
prisma cloud
prisma access
tanium cloud platform
|
+| code management | atlassian bitbucket
perforce
github
gitlab
|
+| communication platform | zoom
slack
teams
anywhere365
cisco unified cm
|
+| credential manager | lastpass
password manager pro
specops password
beyondtrust password safe
password reset portal
adssp
|
+| crm (customer relationship management) | salesforce
zendesk
|
+| data warehouse | aws redshift
|
+| database | mariadb
azure database for mysql
teradata rdbms
sonarg
snowflake
cassandra db
postgresql
mssql
oracle database
db2
sybase
mongodb
progress database
mysql
apache cassandra
osquery
amazon rds
|
+| database security | apache ranger
mcafee dam
|
+| directory service | microsoft ad
opendj
sunone
edirectory
azure active directory
openldap
|
+| dlp (data leak protection) | symantec dlp
digital guardian network dlp
cyberhaven dlp
forcepoint dlp
infowatch traffic monitor
rsa dlp
gtb technologies dlp
ibm infosphere guardium
|
+| edr (endpoint detection & response) | carbon black ces
cortex xdr
falcon
cisco secure endpoint
digital guardian endpoint protection
carbon black edr
fireeye endpoint security (hx)
singularity platform
tanium core platform
endgame edr
symantec advanced threat protection
cyberhaven cloud data security
alert logic mdr
mvision edr
trapx deceptiongrid
cylance optics
|
+| electronic signature (esignature) | onespan sign
docusign esignature
signnow
|
+| email | microsoft exchange
yahoo mail
hcl notes
unix sendmail
postfix
hmailserver
email
|
+| email security | mimecast secure email gateway
symantec email security
proofpoint enterprise protection
cisco ironport email
trend micro scanmail
barracuda email security gateway
mcafee email gateway
cisco secure email
clearswift secure email gateway
abnormal security
virtru
inky anti-phishing
fireeye etp
mcafee email protection
imsva
check point avanan
cofense phishme
armorblox
kaspersky secure mail gateway
tessian cloud email security
|
+| endpoint | windows
unix
openvms
solaris
z/os
macos
ios
linux
|
+| endpoint auditing | unix named
sysmon
unix dhcpd
oracle
event viewer - azureadpasswordprotection-dcagent
auditd
exabeam
code42
|
+| epp (endpoint protection platform) | cylance protect
symantec endpoint protection
blackberry protect
check point anti-malware
lumension
gravityzone
eset endpoint security
sophos endpoint protection
traps endpoint security manager
deep security
mcafee endpoint security
kaspersky endpoint security for business
check point endpoint security
sentinelone
malwarebytes endpoint protection
microsoft defender for endpoint
officescan
morphisec breach prevention platform
bromium secure platform
airlock allowlisting
cybereason malop
vbcorp
kaspersky av
absolute dds
|
+| erp (enterprise resource planning) | sap
workday
|
+| event management & forwarding | search
quest change auditor for active directory
microfocus arcsight
netwrix
quest intrust
esector defesa logger
citrix gateway connector for exchange activesync
skyformation
|
+| file integrity monitoring | nnt changetracker
cimtrak
tripwire fim
|
+| file sharing | box cloud content management
netdocs
netapp
nasuni
imanage
emc isilon
cohesity dataplatform
synology nas
egnyte
hpe 3par storeserv
dropbox
kiteworks
citrix sharefile
|
+| file transfer | moveit transfer
titanftp
axway gateway
sftp
ftp
goanywhere mft
liquidfiles
|
+| firewall | check point ngfw
sangfor ngaf
cisco meraki mx appliance
fortinet enterprise firewall
juniper srx series
fortinet utm
palo alto ngfw
cisco pix
watchguard
cisco asa
cisco firepower
fortigate
sonicwall
barracuda cloudgen firewall
forcepoint ngfw
huawei unified security gateway
threatblockr
|
+| honeypot | botsink
trapx
|
+| human capital management (hcm) | successfactors
|
+| identity administration (idm\iam) | one identity manager
micro focus netiq identity manager
imprivata
identitynow
vmware identity manager
xceedium
securelink
sailpoint iiq
|
+| infrastructure monitoring? | sysdig monitor
|
+| insider risk management | observeit
microsoft advanced threat analytics
cyberhaven insider risk management
reveal
forcepoint insider threat
proofpoint insider threat management
|
+| iot security | armis platform
netskope iot security
|
+| ip address management (ipam) | infoblox nios
bloxone ddi
|
+| ips (intrusion prevention system) | mcafee network security platform
cisco sourcefire
proventia network ips
sentinel ips
suricata
trend micro tippingpoint
fidelis xps
damballa failsafe
zimperium mtd
|
+| load balancer | kemp loadmaster
alteon
avi networks software load balancer
amazon route 53
|
+| managed detection and response (mdr) | red canary mdr
vigilance
|
+| mobile management | vmware airwatch
simplemdm mobile device management
airwatch mobile device management
ibm mobile connect
mobileiron
lookout
|
+| ndr (network detection and response) | extrahop reveal(x)
protectwise ndr
awake security
|
+| network | network
fireeye network security (nx)
|
+| network access control (nac) | cisco ise
cisco acs
microsoft network policy server
forescout counteract
packetfence
viascope ipscan
aruba clearpass policy manager
portnox
|
+| network analyzer | cloudflare insights
zeek
|
+| network automation and orchestration | msdhcp
f5 big-ip dns
|
+| network devices | cisco ios
hpe comware
aruba wireless controller
arubaos
avaya ethernet routing switch
unifi access point
|
+| network management | zebra wlan management
ruckus
|
+| network performance monitoring | splunk stream
nagios
|
+| network security policy management (nspm) | tufin securetrack
algosec firewall analyzer
panorama
firemon
|
+| operational technology security | ctd
|
+| other | icdb
cisco dhcp
weblogin
vormetric
vmware nsx
usb
fileauditor
fast enterprises gentax
sailpoint fam
emp
edocs
clearsense
servicenow
seclore
ruid
powersentry
postscript
phantom
aruba mobility master
apc
adaxes
safend dps
stealthintercept
namespace rdirectory
onapsis
leap
jh
terraform
tanium threat response
vectra cognito detect
filesite
ibm resource access control facility
trello
dxc technology
sterling b2b integrator
rstudio server
chcom
rundeck
xsuite
ibm datapower
swift
hp virtual connect enterprise manager
riverbed steelhead
stealthbits stealth defend
claimcenter
zlock
xams
picture perfect
procad
imss
contrast security
sun one
withsecure policy manager
symantec
apache tomcat
apache subversion
xplan
f-secure client security
buildkite
cortex xsoar
|
+| personalization engines | sitespect
|
+| physical access control | onguard
net2door
lyrix
lenel onguard
kaba exos
johnson controls p2000
icpam
honeywell win-pak
honeywell siama
honeywell pro-watch
identiv
accessit universal.net
timelox
generic badge access
galaxy
datawatch
symmetry access control
swipes
siemens access control
securityexpert
ccure building management system
brivo
rs2 technologies
rightcrowd
aviglion acm
badge
sensormatik
gallagher access control
vanderbilt
genetec
|
+| printer | lexmark
hp safecom
hp laserjet printer
ricoh printer
asupim
xps
xerox
|
+| printing management | ysoft
|
+| privilege access management | osirium
megaflex
mastersam pam
thycotic software secret server
beyondtrust
ca privileged access manager server control
centrify infrastructure services
hashicorp vault
powertech identity & access manager
cyberark privilege access manager
cyberark endpoint privilege manager
powertech identity and access manager
beyondtrust privileged identity
click studios passwordstate
admin by request
pam360
|
+| proxy | moveit dmz
|
+| remote access | apache guacamole
microsoft rras
hp integrated lights-out
secomea
|
+| sandboxing | deep discovery inspector
check point threat emulation
lastline
|
+| security configuration management (scm) | tripwire enterprise
aws ssm
|
+| security services edge (sse) | zscaler internet access
interscan web security
appomni saas security
proxysg
cisco gateway
websense security gateway
suridata saas security posture management
proofpoint casb
blue coat proxysg
skyhigh security cloud
|
+| siem (security information and event management) | qradar siem
logrhythm
eyeinspect
darktrace
skysea clientview
rsa netwitness platform
splunk se
epic siem
netwrix auditor
varonis data security platform
exabeam aa
wazuh
exabeam cr
akamai siem
ibm sense
fireeye helix
exabeam ng analytics
|
+| social networks | facebook
linkedin
google plus
|
+| software-defined networking | aci
|
+| threat intelligence | palo alto wildfire
centurylink managed security service
|
+| user authentication | silverfort authentication platform
securenvoy multi-factor authentication
swivel
rsa authentication manager
rsa adaptive authentication
centrify authentication service
centrify zero trust privilege services
thales
secure computing safeword
digipass for apps
gemalto mfa
azure mfa
ibm security trusteer
|
+| virtualization | citrix virtual apps
citrix virtual desktop
vmware view
vmware esxi
vcenter
gcp - cloud compute
aws - ec2
ovirt
vmware horizon
imvsa
openshift
|
+| vpn (virtual private network) | check point security gateway
nortel contivity vpn
netmotion wireless
ncp
citrix gateway
cognitas crosslink
open vpn
securenet
cato cloud
avaya vpn
zscaler private access
fortinet vpn
ivanti pulse secure
globalprotect
any connect
barracuda cloudgen access
meraki asa
microsoft routing and remote access service
|
+| vulnerability assessment | tenable.io
uptycs endpoint security and vulnerability management
rapid7 insightvm
vicarius vrx
|
+| waf | airlock waf
magento waf
imperva securesphere
imperva web application firewall
f5 application security manager
sigsci
imperva incapsula
citrix web app firewall
cloudflare waf
f5 advanced web application firewall
|
+| web server | microsoft iis
httpd
nonstop
ibm mainframe
|
+| workload protection | carbon black app control
illumio core
cisco adc
|
\ No newline at end of file
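Review bot: several platforms appear twice with name variants or under two landscapes, which defeats a lookup table: `powertech identity & access manager` and `powertech identity and access manager` (privilege access management), `vmware airwatch` and `airwatch mobile device management` (mobile management), `netskope security cloud` and `netskope casb` (casb), and `microsoft routing and remote access service` (vpn) alongside `microsoft rras` (remote access); settle on one canonical name per platform. The landscape `infrastructure monitoring?` carries a stray question mark, `idm\iam` uses a backslash (which markdown treats as an escape character) where `/` is the conventional form, `extreamcloud iq` and `aviglion acm` look like misspellings of ExtremeCloud IQ and Avigilon ACM, and the rows `network | network` and `email | email` list the landscape name as a platform, which reads as a placeholder. Also confirm the multi-value cells use a separator a markdown renderer honours (e.g. `<br>`) rather than literal line breaks, since a newline inside a cell ends the table row, and remove the leading space before the `Platforms by Landscapes` title.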
diff --git a/Subjects/Subject_Interface.md b/Subjects/Subject_Interface.md
index 30aa345..eed9d87 100644
--- a/Subjects/Subject_Interface.md
+++ b/Subjects/Subject_Interface.md
@@ -9,11 +9,7 @@ This core interface defines the subject element. It details the minimum field re
| Subject | Description | Fields | Core | Detection | Informational |
| ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------- | -------- | --------- | ------------- |
-| alert | Alert represents any security alert, whether anomaly, correlation or third party | alert_severity | ✓ | | |
-| | | alert_source | ✓ | | |
-| | | alert_subject | | | ✓ |
-| | | alert_name | ✓ | | |
-| | | alert_type | ✓ | | |
+| alert | Alert represents any security alert, whether anomaly, correlation or third party | alert_name | ✓ | ✓ | |
| app | The app subject represents applications and contains activities directed straightly towards them | No fields defined for this subject | | | |
| arp | Address Resolution Protocol (ARP) is a network protocol used to map IP addresses to fixed MAC addresses over a network. This subject represents ARP traffic related activities. | src_ip | | ✓ | |
| | | src_mac | | | ✓ |
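Review bot: this drops `alert_severity`, `alert_source` and `alert_type` (all previously Core) and `alert_subject` from the alert subject, leaving only `alert_name`, with no note on why or where those fields now live; Core fields are the minimum a conforming event must carry, so removing three of them is a breaking change for anything that validates against this interface. Either document the removal (and the new Core + Detection role of `alert_name`) in the file or a changelog, or keep the fields and mark them Informational if the intent was only to relax the requirement.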
@@ -21,24 +17,36 @@ This core interface defines the subject element. It details the minimum field re
| | | dest_ip | | ✓ | |
| | | operation | | | ✓ |
| audit_policy | An audit policy is a unique configuration given either globally or per service, that defines what type of audit logs will be generated\recorded and be transferred to a log | audit_policy_name | ✓ | | |
+| | | local_user_name | | | |
+| | | src_host | | ✓ | |
+| | | user | | ✓ | |
| branch | A git branch represents an instance of a specific commit to a project | branch_name | | ✓ | |
| bucket | A bucket is the storage container which holds files and data in cloud storage solutions | bucket_name | | | ✓ |
| call | A call is a phonecall, any personal call that is not a meeting, general VOIP sessions any other type of personal video chat session that is not a meeting. | dest_user | | ✓ | |
| | | user | ✓ | ✓ | |
+| case | A security incident represents an open case in security products, which are interacted on and expanded by users. | case_name | ✓ | ✓ | |
| certificate | A digital certificate is an object that is used to prove the authenticity of a device, server, or user through the use of cryptography | No fields defined for this subject | | | |
| channel | A channel is a conversation space in communication apps, dedicated to a specific topic of interest. A channel contains multiple people and allows them to share messages and calls. For example - Slack channels, Team teams channels... | channel_name | ✓ | ✓ | |
| | | domain | | ✓ | |
+| | | domain_user_name | | | |
| | | user | ✓ | ✓ | |
| clipboard | A clipboard is an endpoint object that is used as a buffer that store short-term information in activities such as 'copy' and 'cut'. | No fields defined for this subject | | | |
| cluster | A cluster is used in virutalization solutions to represent a group of vm hosts. | cluster_name | ✓ | ✓ | |
| configuration | A configuration is a global setting given to a program or an app, which can define how the system should work, look like or be enforced. | No fields defined for this subject | | | |
-| database | The database subject represents a database interface and the resources it contains | No fields defined for this subject | | | |
+| context_source | A context source normalizes contextual data collected from external sources, which can then be used to enrich events or provide context in investigations | No fields defined for this subject | | | |
+| database | The database subject represents a database interface and the resources it contains | src_ip | | ✓ | |
+| | | db_name | | ✓ | |
+| | | local_user_name | | | |
+| | | db_operation | | ✓ | |
+| | | src_host | | ✓ | |
+| | | user | ✓ | ✓ | |
| datacenter | A datacenter is a group of datastores that contain VMs and general storage in virutalization solutions. | datacenter_name | ✓ | ✓ | |
| datastore | A datastore represents the storage space that is used by\to support virtualization resources (VMs). For example - VMWare datastores, OVirt storage domains... | datastore_name | | ✓ | |
-| dcom | DCOM (Distributed Component Object Model) objects are Windows endpoint components that allow COM objects to communicate with each other over the network | clsid | ✓ | | |
-| | | appid | | ✓ | |
+| dcom | DCOM (Distributed Component Object Model) objects are Windows endpoint components that allow COM objects to communicate with each other over the network | cls_id | ✓ | | |
| | | domain | | ✓ | |
+| | | domain_user_name | | | |
| | | src_host | ✓ | | |
+| | | app_id | | ✓ | |
| | | user | | ✓ | |
| dhcp | Dynamic Host Configuration Protocol (DHCP) is a network protocol used to automatically assign a client with an IP address. This subject represents DHCP traffic related activities. | src_ip | ✓ | ✓ | |
| | | src_port | | | ✓ |
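Review bot: the new `local_user_name` rows (audit_policy, database) and `domain_user_name` rows (channel, dcom) have no tick in any of the Core, Detection or Informational columns, unlike every other field in the table, so their role is undefined; give each a classification or drop the rows. The dcom renames `clsid` -> `cls_id` and `appid` -> `app_id` change field names that consumers key on and should be called out as breaking (keeping the old names as aliases if the schema allows). The new `case` subject's description still opens with "A security incident represents...", copied from the `incident` row; reword it so the subject and its description agree. While here, the context lines carry the typos `straightly` (app) and `virutalization` (cluster).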
@@ -69,66 +77,105 @@ This core interface defines the subject element. It details the minimum field re
| dns_record | A DNS record is an object used in DNS servers or configurations to store\cache the results of a DNS translation. | dns_record_type | | | ✓ |
| driver | A driver is a software component that lets the operating system and a device communicate with each other by running code in the kernel. A driver usually has a file extension ending in .sys | driver_name | | | ✓ |
| ds | The directory service (DS) subject represents a directory service interface and contains activities that are unique to the DS system | No fields defined for this subject | | | |
-| ds_object | A directory service object represents every entity that can exist in a directory service configuration, such as OUs or even groups and users. This subject is only used in cases where we aren't sure what was the original subject. | ds_name | | ✓ | |
+| ds_object | A directory service object represents every entity that can exist in a directory service configuration, such as OUs or even groups and users. This subject is only used in cases where we aren't sure what was the original subject. | ds_object_type | | ✓ | |
+| | | ds_name | | ✓ | |
| | | ds_object_dn | | ✓ | |
+| | | local_user_name | | | |
+| | | access_list | | | ✓ |
+| | | src_host | | ✓ | |
+| | | ds_object_ou | | | ✓ |
| | | ds_object_class | ✓ | ✓ | |
| | | ds_type | | ✓ | |
+| | | attribute | | ✓ | |
| | | ds_object_name | | | ✓ |
-| | | ds_object_ou | | | ✓ |
+| | | user | | ✓ | |
+| | | properties | | ✓ | |
| email | An email is a mail message that is sent or received over a computer network | domain | | | ✓ |
+| | | domain_user_name | | | |
| | | user | ✓ | | |
| email_rule | An email rule is used to automatically perform specific actions on emails that are being received by a user. | rule_id | | ✓ | |
| | | rule | | ✓ | |
| endpoint | The endpoint subject represents an endpoint machine and the objects that can represent said machine inside different applications. | dest_host | | ✓ | |
| file | A file is a storage object on endpoints and applications, that contains content, data or settings that can be written into it or read from it. | file_path | | ✓ | |
| | | file_ext | | ✓ | |
+| | | access | | ✓ | |
| | | file_name | ✓ | | |
+| | | bytes | | ✓ | |
| | | file_dir | | ✓ | |
+| | | local_user_name | | | |
+| | | dest_host | | ✓ | |
+| | | src_host | | ✓ | |
+| | | user | | ✓ | |
| folder | A folder is a logical object used to store or contain other types of objects beneath in. Note that this subject is not used for file folders. | folder_name | ✓ | ✓ | |
| ftp | File transfer protocel (FTP) is a network protocol used to transmitting files over the network. This subject represents FTP traffic related activities. | src_ip | | ✓ | |
| function | An automation function is a cloud object, allowing for automated resource management with cloud commands in the form of a function code | No fields defined for this subject | | | |
| group | A group is a collection of user accounts or any other type of member, which can globally define their configuration, settings or role in the system. | group_domain | | | ✓ |
-| | | group_name | ✓ | | |
+| | | group_name | ✓ | ✓ | |
| handle | A Windows handle is an object that represnets the access point to a single object in memory. Processes in Windows must request a handle before they can directly access resources such as files or other processes; | handle_id | | | ✓ |
| hook | A hook\webhook represents a function that is subscribed to an event and triggers once it occurs. Multiple platforms allow the creation of hooks such as GitHub webhooks or Windows SetWindowsHook... | No fields defined for this subject | | | |
-| http | Hyper Text Transfer Protocol (HTTP) is a network protocol used for web requests and communications. This subject represents HTTP (and built upon protocols like HTTPS) traffic related activities. | src_ip | | ✓ | |
+| http | Hyper Text Transfer Protocol (HTTP) is a network protocol used for web requests and communications. This subject represents HTTP (and built upon protocols like HTTPS) traffic related activities. | os | | ✓ | |
+| | | method | | ✓ | |
+| | | bytes_in | | ✓ | |
+| | | local_user_name | | | |
+| | | src_host | | ✓ | |
+| | | url | | ✓ | |
+| | | src_ip | | ✓ | |
| | | src_port | | | ✓ |
+| | | protocol | | ✓ | |
| | | uri_path | | ✓ | |
| | | uri_query | | ✓ | |
| | | top_domain | | ✓ | |
+| | | bytes_out | | ✓ | |
| | | web_domain | | ✓ | |
+| | | process_name | | ✓ | |
| | | dest_ip | | ✓ | |
+| | | browser | | ✓ | |
+| | | dest_host | | ✓ | |
+| | | categories | | ✓ | |
+| | | category | | ✓ | |
| | | user | | ✓ | |
-| | | dest_port | | | ✓ |
-| | | url | | ✓ | |
+| | | dest_port | | ✓ | ✓ |
+| | | direction | | ✓ | |
+| | | http_response_code | | ✓ | |
| image | A machine image is a virtualization resource that stores all the properties and data from a VM and is used to launch new instances. | image_name | ✓ | | |
-| incident | A security incident represents an open case in security products, which are interacted on and expanded by users. | incident_name | ✓ | ✓ | |
| ip | The IP subject represents an IP record\object used by assignment servers to manage IP assignments and dispensation. | No fields defined for this subject | | | |
| key | A key represents a global credential key object that is not necessarily associated with a user. These objects are usually stored in vaults. | No fields defined for this subject | | | |
| link | A link (shell link\hard link\soft link...) is an endpoint object used to redirect to another endpoint object whenever accessed. For example - a file shortcut. | No fields defined for this subject | | | |
| log | A log (audit log) is a program or a service that collects audit data from an environment and keeps record of it. | log_name | ✓ | | |
+| log_account | A log account represents a container of resources within a cloud vendor, and is used to connect and transfer logs into an application | No fields defined for this subject | | | |
| log_source | A log source is the representation of a connection between an audit log and an application, as represented by the application. | log_source | | | ✓ |
| mailbox | A mailbox is the destination to which email messages are delivered. | mailbox_name | ✓ | ✓ | |
| meeting | A meeting represents an instance of a web conference meeting, which allows a group of users to video chat and share screens. | meeting_host_id | | ✓ | |
| | | domain | | ✓ | |
+| | | domain_user_name | | | |
| | | meeting_name | ✓ | ✓ | |
| | | user | ✓ | ✓ | |
| message | A message represents a single text message or a post in in-person communication channels, like Teams or Whatsapp. | domain | | ✓ | |
+| | | domain_user_name | | | |
| | | user | ✓ | ✓ | |
-| network | The network subject represents all unclassified network traffic and protocols | src_ip | | ✓ | |
+| network | The network subject represents all unclassified network traffic and protocols | src_mac | | ✓ | |
+| | | dest_mac | | ✓ | |
+| | | src_host | | ✓ | |
+| | | src_ip | | ✓ | |
| | | src_port | | ✓ | |
-| | | src_mac | | ✓ | |
| | | protocol | | ✓ | |
-| | | dest_mac | | ✓ | |
+| | | bytes_out | | ✓ | |
| | | bytes | | ✓ | |
+| | | process_name | | ✓ | |
| | | dest_ip | | ✓ | |
+| | | dest_host | | ✓ | |
+| | | action | | | ✓ |
| | | dest_port | | ✓ | |
+| | | direction | | ✓ | |
+| parser | A parser is an Exabeam configuration that defines log value extractions and mappings. | No fields defined for this subject | | | |
| password | A password represents a global password object that is not necessarily associated with a user. These objects are usually stored in vaults. | user | | ✓ | |
| peripheral_storage | A peripheral storage device is an external hardware device used for storing files and data such as USB, CD/DVD, or a HD. | device_id | | ✓ | |
+| | | local_user_name | | | |
| | | device_type | | | ✓ |
| | | src_host | ✓ | ✓ | |
-| physical_location | A physical location represents a location in a building or a workplace like a door, a gate, or a room. | location_building | | | ✓ |
-| | | location_city | | | ✓ |
+| | | user | ✓ | ✓ | |
+| physical_location | A physical location represents a location in a building or a workplace like a door, a gate, or a room. | location_building | | ✓ | ✓ |
+| | | location_city | | ✓ | ✓ |
| | | employee_id | | | ✓ |
| | | badge_id | | ✓ | |
| | | location_door | ✓ | ✓ | |
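Review bot: several of the new field rows in this hunk have no classification column ticked at all: `local_user_name` under `file`, `http` and `peripheral_storage`, and `domain_user_name` under `meeting` and `message` are neither Core, Detection nor Informational, so a consumer of the interface cannot tell whether they are required or optional; tick one column for each or drop the rows. Two consistency points in the same hunk: `http` now lists both `categories` and `category` without stating how they differ, and `dest_port` is ticked as both Detection and Informational for `http` while `network` ticks only Detection. The `incident` row is removed with no replacement row in this hunk, so any activity type that still references the `incident` subject will point at a subject that no longer exists. Nit: the new `log_account` description is missing its closing period.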
@@ -138,7 +185,7 @@ This core interface defines the subject element. It details the minimum field re
| printer | A printer is an external device which performs the functions of printing\copying\faxing\etc.. on files and documents. | No fields defined for this subject | | | |
| process | A process is an endpoint structure that represents an instance of a program that was executed and is now running. | process_id | | | ✓ |
| | | dest_process_id | | | ✓ |
-| | | process_name | ✓ | | |
+| | | process_name | ✓ | ✓ | |
| | | dest_process_path | | ✓ | |
| | | dest_process_command_line | | ✓ | |
| | | process_dir | | ✓ | |
@@ -149,12 +196,24 @@ This core interface defines the subject element. It details the minimum field re
| | | dest_process_dir | | ✓ | |
| radius | Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting management for users who connect and use a network service. | src_ip | ✓ | ✓ | |
| | | src_port | | ✓ | |
+| | | protocol | | ✓ | |
+| | | bytes_out | | ✓ | |
+| | | process_name | | ✓ | |
| | | dest_ip | ✓ | ✓ | |
+| | | dest_host | | ✓ | |
+| | | src_host | | ✓ | |
| | | dest_port | | ✓ | |
+| | | direction | | ✓ | |
| rdp | Remote Desktop Protocol (RDP) is a network protocol which provides a user with a graphical interface to connect to another computer over a network connection. This subject represents RDP traffic related activities. | src_ip | ✓ | ✓ | |
| | | src_port | | ✓ | |
+| | | protocol | | ✓ | |
+| | | bytes_out | | ✓ | |
+| | | process_name | | ✓ | |
| | | dest_ip | ✓ | ✓ | |
+| | | dest_host | | ✓ | |
+| | | src_host | | ✓ | |
| | | dest_port | | ✓ | |
+| | | direction | | ✓ | |
| registry | The registry contains all objects under the Windows registry, such as keys and values. This activity records all operation on registry objects such as setting a registry value or creating a new key. | registry_details_type | | ✓ | |
| | | registry_key | ✓ | ✓ | |
| | | registry_value | | ✓ | |
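Review bot: the byte-count fields added here are inconsistent across the traffic subjects: `radius` and `rdp` gain only `bytes_out`, while `network` carries `bytes` plus `bytes_out` and `http` carries `bytes_in` plus `bytes_out`. Pick one pair (`bytes_in`/`bytes_out` is the least ambiguous) and apply it to every traffic subject, otherwise detection content written against one subject will not port to the others. Ordering nit: both blocks list `dest_host` before `src_host`, whereas every other subject lists src fields before dest fields.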
@@ -169,7 +228,8 @@ This core interface defines the subject element. It details the minimum field re
| rule | A security rule represents an instace of a detection condition stored in an object on a security product, meant to trigger once the conditions are met. | rule | ✓ | ✓ | |
| scheduled_task | A scheduled task is an object that is scheduled to trigger and execute a program or run certain commands. | task_name | ✓ | ✓ | |
| | | src_host | ✓ | ✓ | |
-| script | A script is a human readable representation of a coding langauge, which is executed by interpretes or compilers rather the directly by a machine. | No fields defined for this subject | | | |
+| script | A script is a human readable representation of a coding langauge, which is executed by interpretes or compilers rather the directly by a machine. | script_type | | ✓ | |
+| | | script_name | | ✓ | |
| secret | Secrets are a type of digital authenticaiton credentials used by accounts to identify against resources and applicatons. | secret | ✓ | ✓ | |
| service | A service is an endpoint object that represents a program or a process that runs in the background and quitely performs automated tasks. For example - Windows services or Unix daemon. | service_name | ✓ | ✓ | |
| | | src_host | ✓ | ✓ | |
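Review bot: the rewritten `script` line carries over three typos from the old description ('langauge', 'interpretes', 'rather the directly'); since the line is already being changed, correct them to 'language', 'interpreters' and 'rather than directly'. Also neither `script_type` nor `script_name` is marked Core, so `script` ends up with no minimum required field, unlike `file` (`file_name`) and `process` (`process_name`) in this same table; `script_name` looks like the natural Core field.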
@@ -190,8 +250,9 @@ This core interface defines the subject element. It details the minimum field re
| | | src_port | | ✓ | |
| | | dest_ip | ✓ | ✓ | |
| | | dest_port | | ✓ | |
-| user | A user account is the identity given to a person or a machine with which they can interact with the environment. | dest_domain | | | ✓ |
-| | | dest_user | ✓ | | |
+| user | A user account is the identity given to a person or a machine with which they can interact with the environment. | dest_domain_user_name | | | |
+| | | dest_domain | | ✓ | ✓ |
+| | | dest_user | ✓ | ✓ | |
| vm_host | A virtual machine host is the server that runs the virtual machines' hypervisors. | vm_host_name | ✓ | ✓ | |
| vm_pool | A virtual machine pool is a group of vm objects that share a common source. The VM pool contains the configuration of the VMs inside it. | vm_pool_name | ✓ | | |
| vm_template | A virtual machine template is used in virtualization solutions to create a common structure from which VMs can be created | vm_template_name | ✓ | ✓ | |
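Review bot: `dest_domain_user_name` is added under `user` with no column ticked, so the interface does not say whether it is Core, Detection or Informational; the sibling `dest_domain` and `dest_user` rows in the same hunk are classified, so classify this one as well (Informational would match the original classification of `dest_domain`) or document why it is deliberately left unclassified.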
diff --git a/Universal/Universal_Interface.md b/Universal/Universal_Interface.md
index 6749e27..3356274 100644
--- a/Universal/Universal_Interface.md
+++ b/Universal/Universal_Interface.md
@@ -10,6 +10,7 @@ The universal interface defines a set of global fields. These are fields that ar
| Field | Core | Detection | Informational |
| ---------------- | -------- | --------- | ------------- |
+| activity | ✓ | | |
| activity_type | ✓ | | |
| host | | | ✓ |
| landscape | | ✓ | |
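Review bot: `activity` is added as a Core field directly above `activity_type` with nothing in the hunk explaining how the two differ or how `activity` is populated; add a one-line definition (for example whether it is a free-form event name or a value composed from the subject and `activity_type`, whichever is intended), otherwise implementers will fill the two fields interchangeably.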