USM Anywhere Advanced Query

Version 1

Introduction

USM Anywhere now supports advanced query capabilities, enabling users to write custom searches using SQL or PPL syntax. This new feature provides more flexibility and precision than traditional filters or orchestration rules, helping users uncover insights that may not be visible in standard dashboards.

Key capabilities include:

  • Custom Queries: Perform targeted searches across events, alarms, vulnerabilities, and more.

  • Saved Queries: Store and reuse queries for future investigations.

  • Flexible Output: View results in the USM Anywhere interface or export them as CSV files for offline analysis.

  • Scheduled Execution: Run queries automatically on a recurring schedule; the output can be sent by email.

This enhancement gives users greater control over their data and streamlines threat detection, reporting, and investigation workflows.


Submitting a Custom Query

  • Log into USM Anywhere.

  • Under Data Sources, select Hunting Library.

  • Click on Create Custom Query.

This opens the screen on which you can enter a custom query.


Entering a Query

To begin a custom search in USM Anywhere, navigate to the New Query field.

  • Enter a Query: Use either Structured Query Language (SQL) or Piped Processing Language (PPL) syntax.

  • Select Query Language: Use the dropdown to choose between SQL or PPL.

    • Note: The selected language must match the syntax of the query entered, or the query will not run.

  • Choose Time Range: Select the time range for your query (default is Last hour).

  • Run the Query: Click Search to execute the query.

  • View Results: Results will be displayed in the USM Anywhere UI and can also be exported (see Generate CSV Report section below).

If you’re unsure of a field name, refer to Appendix A – List of Fields (below) for a complete list of available queryable fields across Events, Alarms, Vulnerabilities, and more.


SQL Queries

SQL Syntax

USM Anywhere supports queries written in Structured Query Language (SQL). For syntax guidance, refer to:

Supported SQL Clauses

The following SQL clauses are supported in custom queries:

  • SELECT (required)

  • FROM (required)

  • WHERE

  • GROUP BY

  • ORDER BY

  • LIMIT

  • Wildcard (*)

Unsupported SQL Clauses

The following SQL features are not supported:

  • JOIN statements

  • Nested SELECT statements (subqueries)

Example SQL Query
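
The query below is an added example, not one taken from the original page. It uses only the clauses listed under Supported SQL Clauses to rank the sources of failed authentication events, which is a typical first pivot when triaging brute-force activity. Two assumptions are made: the Events data type is addressed as `events` in the FROM clause, and the literals `'Authentication'` and `'Failure'` are how your plugins normalise `event_category` and `event_outcome`. Run `SELECT event_category, event_outcome FROM events LIMIT 20` first to confirm the exact spelling your sensors produce, then adjust the literals. The time window comes from the Time Range selector in the UI, so the query carries no timestamp filter of its own.

```sql
SELECT source_address,
       source_username,
       COUNT(*) AS failure_count
FROM events
WHERE event_category = 'Authentication'
  AND event_outcome = 'Failure'
GROUP BY source_address, source_username
ORDER BY failure_count DESC
LIMIT 20
```

Because JOINs and nested SELECTs are rejected, the follow-up pivot (for example, which of these sources later produced a successful login) has to be a second query with the interesting `source_address` values pasted into an `IN (...)` list, or a CSV export processed offline.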


Piped Processing Language (PPL) Queries

PPL Syntax

USM Anywhere also supports queries written in Piped Processing Language (PPL). For syntax guidance, refer to:

Example PPL Query
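
The pipeline below is an added example, not one taken from the original page, and it assumes the PPL dialect is the OpenSearch one (the page does not name the dialect, so verify `like()` and `stats` against the syntax reference linked above). It hunts process events for PowerShell launched with an encoded command and summarises the hits per host and user. Assumptions: the Events data type is addressed as `source=events`, and `source_process_commandline` is populated by your endpoint or Windows event source. The `-enc` pattern is a constructed indicator; it is a prefix of `-EncodedCommand`, but whether `like()` matches case-insensitively depends on your backend's setting, so check a known-good event before relying on it.

```ppl
source=events
| where like(source_process_commandline, '%powershell%')
    and like(source_process_commandline, '%-enc%')
| stats count() as hits,
        min(timestamp_occured) as first_seen,
        max(timestamp_occured) as last_seen
  by source_hostname, source_username
| sort - hits
| head 50
```

Select PPL in the language dropdown before clicking Search; submitting this text with SQL selected fails with a syntax error rather than running. Save it as a favourite so the hunt is one click away from Saved Custom Queries.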


Saving a Query

Once a custom query has been saved, it can easily be run or modified in the future from Saved Custom Queries. To save a custom query:

  • Enter a custom query.

  • Click on the Save button.

  • Enter a name for the custom query.

  • Click on the Save Query button.

The query will now appear in Saved Custom Queries. Clicking on a saved custom query will automatically run the query and make it available for editing.


Favoriting a Query

You can mark saved queries as Favorites to keep them easily accessible at the top of your Saved Custom Queries list.

To favorite a query, check the Favorite box before saving it.

Favorite Example: In the example below, queries B Query and Alarms Event Count were saved with the Favorite box selected. Queries C Query and A Query were saved without it.


Generating a CSV Report

You can export the results of a custom query as a CSV file for offline analysis or scheduled delivery. The export contains the full values of every field the query returns (for example, command lines, request cookies or packet payloads), so choose recipients and retention accordingly.

Step 1: Run the Query

  • Enter a custom query in the New Query field.
    Note: You do not need to save the query to generate a CSV report.

  • Ensure the query syntax matches the selected language (SQL or PPL) in the dropdown. The report will not generate if there is a mismatch.

  • Click Generate CSV Report.

Step 2: Configure Report Settings

  • Schedule: (Optional) Set the report to run on a recurring schedule.
    This follows the same format as other scheduled reports in USM Anywhere (see USM Anywhere Scheduled Reports).

  • Email Addresses: Enter one or more email addresses to receive the report.
    Note: Press Enter after each email address. No commas or semicolons are needed.

  • Send to My Email Address: When selected, the logged-in user’s email is automatically added.
    Note: Manually typing your email also auto-checks this box.

  • Enable Link Expiration: When selected, the download link in the email will expire after 14 days.

Click Next to continue.

Step 3: Finalize and Run

  • Complete the remaining fields on the next Configure Report page.

  • Click Save & Run or Run to generate the report.

  • A download link will be sent to the email addresses provided.


Information to Support Query Writing

Use the following guidelines to understand which data types and fields are available for use in custom queries.

Supported Data Types

Custom queries can be run against the following data types:

  • Events

  • Alarms

  • Vulnerabilities

  • Console User Events

  • System Events

You can query any field within these data types.

Unsupported Data Types

The following data types are not supported for custom queries:

  • Orchestration Rules

  • Assets

  • Asset Groups

  • Users

  • Investigations

  • Pulses

Field Reference

For a complete list of fields available for querying by data type, refer to Appendix A – List of Fields.

Aggregations & Other Computation

  • Any aggregation or computation you need (for example COUNT with GROUP BY) must be expressed in the custom query itself.

  • The results view does not support adding further calculations or operations on top of the rows a query returns.

  • For analysis that cannot be expressed in a single query (for instance, correlating two data types, since JOINs and nested SELECTs are not supported), use Generating a CSV Report (above) to export the results and process them offline.

Appendix A - List of Fields

Click on a field type below to navigate to the list of all fields available for a custom query.

All fields, in alphabetical order

access_control_outcome

access_key_id

account_id

account_name

account_vendor

adhoc_query_id

affected_family

affected_platform

affected_platforms

affected_products

alarm_connector_ids

alarm_connector_sources

alarm_destination_assset_ids

alarm_destination_cities

alarm_destination_countries

alarm_destination_ips

alarm_destination_latitudes

alarm_destination_longitudes

alarm_destination_names

alarm_destination_organisations

alarm_destination_user_account_ids

alarm_destination_user_ids

alarm_destination_zones

alarm_destinations

alarm_events_count

alarm_id

alarm_labels

alarm_outcome

alarm_response_codes

alarm_sensor_sources

alarm_source_asset_ids

alarm_source_cities

alarm_source_countries

alarm_source_ips

alarm_source_latitudes

alarm_source_longitudes

alarm_source_names

alarm_source_organisations

alarm_source_zones

alarm_sources

analysis_account_id

analysis_account_name

analysis_account_status

analysis_account_type

analysis_account_user_name

analysis_user_id

analysis_user_name

analysis_user_status

app_execution_parameters

app_id

app_name

app_type

application

application_protocol

application_type

asset_status

assumed_role

audit_reason

authentication_mode

authentication_package_name

authentication_type

base_event_count

blacklist_reference_url

bytes_in

bytes_out

certificate_issuer_name

certificate_serial_number

certificate_subject_name

confidence

connection_count

connector_id

connector_source

connector_source_file

container_cmd

container_cpu

container_id

container_image

container_image_id

container_memory

container_name

container_state

container_volume

contains_credit_card_number

content_category

control_id

current_pps

current_working_directory

customfield_*

customheader_*

datascience_alarm_threshold

datascience_alarm_threshold_99

datascience_alarm_threshold_low_confidence

datascience_alarm_threshold_medium_confidence

datascience_anomaly_score

datascience_inference_explanation

datascience_inference_type

datascience_tenant_event_threshold

destination_account_id

destination_additional_hostnames

destination_address

destination_address_6

destination_asn

destination_asset_id

destination_blacklist_activity

destination_blacklist_priority

destination_blacklist_reliability

destination_canonical

destination_city

destination_country

destination_datastore

destination_dns_domain

destination_fqdn

destination_hostname

destination_infrastructure_name

destination_infrastructure_type

destination_instance_id

destination_latitude

destination_longitude

destination_mac

destination_mac_vendor

destination_name

destination_nat_address

destination_nat_port

destination_netmask

destination_network

destination_ntdomain

destination_organisation

destination_port

destination_port_label

destination_post_nat_port

destination_pre_nat_port

destination_process

destination_process_id

destination_region

destination_registered_country

destination_service_name

destination_translated_address

destination_translated_port

destination_user_email

destination_user_group

destination_user_id

destination_user_privileges

destination_userid

destination_username

destination_vguest

destination_vhost

destination_vpc

destination_vpn

destination_zone

device_class

device_configuration

device_custom_date_1

device_custom_date_1_label

device_custom_date_2

device_custom_date_2_label

device_custom_number_1

device_custom_number_1_label

device_custom_number_2

device_custom_number_2_label

device_custom_number_3

device_custom_number_3_label

device_direction

device_dns_domain

device_event_category

device_external_id

device_facility

device_inbound_interface

device_name

device_nt_domain

device_outbound_interface

device_process_name

device_sender_address

device_sender_asset_id

device_vendor

dns_message

dns_rcode

dns_rrname

dns_rrtype

dns_server_address

dns_ttl

dns_type

duration

email_recipient

email_relay

email_sender

email_subject

environment_variable_key

environment_variable_value

error_code

error_message

event_action

event_activity

event_attack_id

event_attack_tactic

event_attack_technique

event_auth_action

event_auth_role

event_category

event_change

event_cve

event_description

event_description_url

event_group

event_group_job_id

event_name

event_outcome

event_priority

event_receipt_time

event_ref_date

event_ref_id

event_ref_score

event_ref_score_v2

event_ref_score_v3

event_ref_source

event_ref_version

event_severity

event_subcategory

event_type

event_violation

events

expires

external_id

file_hash

file_hash_algorithm

file_hash_md5

file_hash_sha1

file_hash_sha256

file_id

file_kb_size

file_modification_time

file_name

file_old_hash

file_old_id

file_old_modification_time

file_old_name

file_old_path

file_old_permission

file_old_size

file_owner

file_path

file_permission

file_type

full_message

gateway

global_list_name

global_list_value

group_policy

has_alarm

highlight_fields

http_hostname

http_referer

identity_group_name

identity_host_name

incident_id

instance_ids

instance_types

iocs

ip_addresses

k8s_dns_policy

k8s_node_name

k8s_priority

last_updated

level

log

malware_family

malware_variant

matched_value

mute

needs_enrichment

needs_internal_enrichment

new_value

node_id

node_name

num_containers

object_id

object_type

old_ip

operating_system

package_architecture

package_name

package_revision

package_source

package_version

packet_data

packet_payload

packet_type

packets_received

packets_sent

peak_pps

pefile_company

pefile_description

pefile_fileversion

pefile_product

playbook_execution_id

playbook_id

playbook_name

plugin

plugin_device

plugin_device_type

plugin_device_version

plugin_enrichment_script

plugin_family

plugin_parent

plugin_rule

plugin_version

policy

policy_address

pre_authentication_type

previous_value

priority

priority_label

project_id

protocol_version

received_from

registry_path

registry_value

relative_distinguished_name

rep_dev_canonical

rep_device_address

rep_device_address_6

rep_device_asset_id

rep_device_fqdn

rep_device_hostname

rep_device_inbound_interface

rep_device_instance_id

rep_device_mac

rep_device_model

rep_device_outbound_interface

rep_device_rule_id

rep_device_type

rep_device_vendor

rep_device_version

report_executed_category

report_executed_database

report_executed_database_index

report_executed_date

report_executed_format

report_executed_key

report_executed_parameters

report_executed_query

report_executed_state

report_executed_user

report_executed_uuid

reputation_score

request_content_type

request_cookies

request_http_version

request_method

request_referrer

request_url

request_user_agent

resource_provider

resource_uri

response_code

response_content_type

return_value

rule_attack_id

rule_attack_tactic

rule_attack_technique

rule_dictionary

rule_id

rule_intent

rule_method

rule_name

rule_strategy

rule_uuid

scheduled_task_id

security_group_id

security_group_name

sensor_event_rate

sensor_name

sensor_uuid

session

shared_resource_name

short_message

silent

source_account

source_account_id

source_account_name

source_additional_hostnames

source_address

source_address_6

source_asn

source_asset_id

source_blacklist_activity

source_blacklist_priority

source_blacklist_reliability

source_canonical

source_city

source_country

source_cpe

source_datacenter

source_datastore

source_dns_domain

source_fqdn

source_hostname

source_infrastructure_name

source_infrastructure_type

source_instance_id

source_latitude

source_location_id

source_location_name

source_longitude

source_mac

source_mac_vendor

source_name

source_nat_address

source_nat_port

source_netmask

source_network

source_ntdomain

source_organisation

source_port

source_port_label

source_post_nat_port

source_pre_nat_port

source_process

source_process_commandline

source_process_id

source_process_parent

source_process_parent_commandline

source_process_parent_process_id

source_region

source_registered_country

source_service_name

source_translated_address

source_translated_port

source_user_email

source_user_email_domain

source_user_group

source_user_id

source_user_privileges

source_userid

source_username

source_vhost

source_vpc

source_vpn

source_workstation

source_zone

ssh_authorized_key

ssh_client_proto

ssh_client_software

ssh_server_proto

ssh_server_software

stat_value

status

suppress_rule_id

suppress_rule_name

suppressed

syslog_source

system_event_type

tag

threat_intelligence_feed_name

threat_intelligence_matched_metadata

ticket_encryption_type

timeStamp

time_end

time_offset

time_start

time_zone

timestamp_arrived

timestamp_end

timestamp_occured

timestamp_occured_iso8601

timestamp_occurred

timestamp_os

timestamp_received

timestamp_received_iso8601

timestamp_start

timestamp_to_storage

tls_cipher

tls_fingerprint

tls_issuerdn

tls_sni

tls_subject

tls_version

total_disconnection_time

total_packets

transaction_status

transient

transport_protocol

ts_a_to_s

ts_o_to_r

ts_r_to_a

ts_r_to_i

ts_s_to_i

tty_terminal

used_hint

user_group_id

user_policy

user_realm

user_resource

user_resource_type

user_role

user_type

uuid

virtual_source_address

virtual_source_name

was_fuzzied

was_guessed

watchlist

wireless_ap

wireless_bssid

wireless_channel

wireless_encryption

wireless_ssid

x_att_tenant_subdomain

x_att_tenantid

Event Fields

access_control_outcome

access_key_id

account_id

account_name

account_vendor

adhoc_query_id

affected_family

affected_platform

affected_platforms

affected_products

alarm_events_count

app_id

app_name

app_type

application

application_protocol

application_type

asset_status

assumed_role

audit_reason

authentication_mode

authentication_package_name

authentication_type

base_event_count

blacklist_reference_url

bytes_in

bytes_out

certificate_issuer_name

certificate_serial_number

certificate_subject_name

confidence

connection_count

connector_id

connector_source

connector_source_file

container_cmd

container_cpu

container_id

container_image

container_image_id

container_memory

container_name

container_state

container_volume

contains_credit_card_number

content_category

control_id

current_pps

current_working_directory

customfield_0

customfield_1

customfield_10

customfield_11

customfield_12

customfield_13

customfield_14

customfield_15

customfield_16

customfield_17

customfield_18

customfield_19

customfield_2

customfield_20

customfield_21

customfield_22

customfield_23

customfield_24

customfield_25

customfield_26

customfield_27

customfield_28

customfield_29

customfield_3

customfield_30

customfield_4

customfield_5

customfield_6

customfield_7

customfield_8

customfield_9

customheader_0

customheader_1

customheader_10

customheader_11

customheader_12

customheader_13

customheader_14

customheader_15

customheader_16

customheader_17

customheader_18

customheader_19

customheader_2

customheader_20

customheader_21

customheader_22

customheader_23

customheader_24

customheader_25

customheader_26

customheader_27

customheader_28

customheader_29

customheader_3

customheader_30

customheader_4

customheader_5

customheader_6

customheader_7

customheader_8

customheader_9

datascience_alarm_threshold

datascience_alarm_threshold_99

datascience_alarm_threshold_low_confidence

datascience_alarm_threshold_medium_confidence

datascience_anomaly_score

datascience_inference_explanation

datascience_inference_type

datascience_tenant_event_threshold

destination_account_id

destination_additional_hostnames

destination_address

destination_address_6

destination_asn

destination_asset_id

destination_blacklist_activity

destination_blacklist_priority

destination_blacklist_reliability

destination_canonical

destination_city

destination_country

destination_datastore

destination_dns_domain

destination_fqdn

destination_hostname

destination_infrastructure_name

destination_infrastructure_type

destination_instance_id

destination_latitude

destination_longitude

destination_mac

destination_mac_vendor

destination_name

destination_nat_address

destination_nat_port

destination_netmask

destination_network

destination_ntdomain

destination_organisation

destination_port

destination_port_label

destination_post_nat_port

destination_pre_nat_port

destination_process

destination_process_id

destination_region

destination_registered_country

destination_service_name

destination_translated_address

destination_translated_port

destination_user_email

destination_user_group

destination_user_id

destination_user_privileges

destination_userid

destination_username

destination_vguest

destination_vhost

destination_vpc

destination_vpn

destination_zone

device_class

device_configuration

device_custom_date_1

device_custom_date_1_label

device_custom_date_2

device_custom_date_2_label

device_custom_number_1

device_custom_number_1_label

device_custom_number_2

device_custom_number_2_label

device_custom_number_3

device_custom_number_3_label

device_direction

device_dns_domain

device_event_category

device_external_id

device_facility

device_inbound_interface

device_name

device_nt_domain

device_outbound_interface

device_process_name

device_sender_address

device_sender_asset_id

device_vendor

dns_message

dns_rcode

dns_rrname

dns_rrtype

dns_server_address

dns_ttl

dns_type

duration

email_recipient

email_relay

email_sender

email_subject

environment_variable_key

environment_variable_value

error_code

error_message

event_action

event_activity

event_attack_id

event_attack_tactic

event_attack_technique

event_auth_action

event_auth_role

event_category

event_cve

event_description

event_description_url

event_group

event_name

event_outcome

event_priority

event_receipt_time

event_ref_date

event_ref_score

event_ref_source

event_severity

event_subcategory

event_type

event_violation

expires

external_id

file_hash

file_hash_algorithm

file_hash_md5

file_hash_sha1

file_hash_sha256

file_id

file_kb_size

file_modification_time

file_name

file_old_hash

file_old_id

file_old_modification_time

file_old_name

file_old_path

file_old_permission

file_old_size

file_owner

file_path

file_permission

file_type

full_message

gateway

global_list_name

global_list_value

group_policy

has_alarm

highlight_fields

http_hostname

http_referer

identity_group_name

identity_host_name

incident_id

instance_ids

instance_types

iocs

ip_addresses

k8s_dns_policy

k8s_node_name

k8s_priority

level

log

malware_family

malware_variant

matched_value

needs_enrichment

needs_internal_enrichment

num_containers

old_ip

operating_system

package_architecture

package_name

package_revision

package_source

package_version

packet_data

packet_payload

packet_type

packets_received

packets_sent

peak_pps

pefile_company

pefile_description

pefile_fileversion

pefile_product

plugin

plugin_device

plugin_device_type

plugin_device_version

plugin_enrichment_script

plugin_family

plugin_parent

plugin_rule

plugin_version

policy

policy_address

pre_authentication_type

project_id

protocol_version

received_from

registry_path

registry_value

relative_distinguished_name

rep_dev_canonical

rep_device_address

rep_device_address_6

rep_device_asset_id

rep_device_fqdn

rep_device_hostname

rep_device_inbound_interface

rep_device_instance_id

rep_device_mac

rep_device_model

rep_device_outbound_interface

rep_device_rule_id

rep_device_type

rep_device_vendor

rep_device_version

report_executed_date

reputation_score

request_content_type

request_cookies

request_http_version

request_method

request_referrer

request_url

request_user_agent

resource_provider

resource_uri

response_code

response_content_type

return_value

rule_id

rule_uuid

security_group_id

security_group_name

sensor_event_rate

sensor_name

sensor_uuid

session

shared_resource_name

short_message

silent

source_account

source_account_id

source_account_name

source_additional_hostnames

source_address

source_address_6

source_asn

source_asset_id

source_blacklist_activity

source_blacklist_priority

source_blacklist_reliability

source_canonical

source_city

source_country

source_cpe

source_datacenter

source_datastore

source_dns_domain

source_fqdn

source_hostname

source_infrastructure_name

source_infrastructure_type

source_instance_id

source_latitude

source_location_id

source_location_name

source_longitude

source_mac

source_mac_vendor

source_name

source_nat_address

source_nat_port

source_netmask

source_network

source_ntdomain

source_organisation

source_port

source_port_label

source_post_nat_port

source_pre_nat_port

source_process

source_process_commandline

source_process_id

source_process_parent

source_process_parent_commandline

source_process_parent_process_id

source_region

source_registered_country

source_service_name

source_translated_address

source_translated_port

source_user_email

source_user_email_domain

source_user_group

source_user_id

source_user_privileges

source_userid

source_username

source_vhost

source_vpc

source_vpn

source_workstation

source_zone

ssh_authorized_key

ssh_client_proto

ssh_client_software

ssh_server_proto

ssh_server_software

stat_value

status

suppress_rule_id

suppress_rule_name

suppressed

syslog_source

tag

threat_intelligence_feed_name

threat_intelligence_matched_metadata

ticket_encryption_type

timeStamp

time_end

time_offset

time_start

time_zone

timestamp_arrived

timestamp_end

timestamp_occured

timestamp_occured_iso8601

timestamp_occurred

timestamp_os

timestamp_received

timestamp_received_iso8601

timestamp_start

timestamp_to_storage

tls_cipher

tls_fingerprint

tls_issuerdn

tls_sni

tls_subject

tls_version

total_disconnection_time

total_packets

transaction_status

transient

transport_protocol

ts_a_to_s

ts_o_to_r

ts_r_to_a

ts_r_to_i

ts_s_to_i

tty_terminal

used_hint

user_group_id

user_policy

user_realm

user_resource

user_resource_type

user_role

user_type

uuid

virtual_source_address

virtual_source_name

was_fuzzied

was_guessed

watchlist

wireless_ap

wireless_bssid

wireless_channel

wireless_encryption

wireless_ssid

x_att_tenant_subdomain

x_att_tenantid

Alarm Fields

access_control_outcome

account_id

account_name

affected_platform

alarm_connector_ids

alarm_connector_sources

alarm_destination_assset_ids

alarm_destination_cities

alarm_destination_countries

alarm_destination_ips

alarm_destination_latitudes

alarm_destination_longitudes

alarm_destination_names

alarm_destination_organisations

alarm_destination_user_account_ids

alarm_destination_user_ids

alarm_destination_zones

alarm_destinations

alarm_events_count

alarm_labels

alarm_outcome

alarm_response_codes

alarm_sensor_sources

alarm_source_asset_ids

alarm_source_cities

alarm_source_countries

alarm_source_ips

alarm_source_latitudes

alarm_source_longitudes

alarm_source_names

alarm_source_organisations

alarm_source_zones

alarm_sources

app_id

app_type

assumed_role

audit_reason

authentication_mode

authentication_type

base_event_count

bytes_in

bytes_out

confidence

connection_count

contains_credit_card_number

current_pps

customfield_0

customfield_1

customfield_10

customfield_11

customfield_12

customfield_13

customfield_15

customfield_16

customfield_17

customfield_18

customfield_19

customfield_2

customfield_20

customfield_22

customfield_23

customfield_26

customfield_27

customfield_3

customfield_30

customfield_4

customfield_6

customfield_7

customfield_8

customheader_0

customheader_1

customheader_10

customheader_11

customheader_12

customheader_13

customheader_15

customheader_16

customheader_17

customheader_18

customheader_19

customheader_2

customheader_20

customheader_22

customheader_23

customheader_26

customheader_27

customheader_3

customheader_30

customheader_4

customheader_6

customheader_7

customheader_8

datascience_alarm_threshold

datascience_alarm_threshold_99

datascience_alarm_threshold_low_confidence

datascience_alarm_threshold_medium_confidence

datascience_anomaly_score

datascience_tenant_event_threshold

destination_account_id

destination_address

destination_asset_id

destination_canonical

destination_name

destination_nat_port

destination_organisation

destination_port

destination_post_nat_port

destination_pre_nat_port

destination_translated_port

destination_user_group

destination_user_id

destination_username

destination_zone

device_custom_number_1

device_custom_number_2

device_custom_number_3

dns_rcode

error_message

event_action

event_category

event_description

event_name

event_outcome

event_priority

event_receipt_time

event_ref_date

event_severity

event_subcategory

event_type

events

expires

file_hash_sha1

file_hash_sha256

file_name

file_path

file_type

has_alarm

highlight_fields

http_hostname

instance_ids

instance_types

iocs

last_updated

level

log

malware_family

malware_variant

mute

needs_enrichment

needs_internal_enrichment

packet_data

packet_type

packets_received

packets_sent

peak_pps

plugin

plugin_device

plugin_family

policy

priority

priority_label

rep_device_rule_id

report_executed_date

request_url

request_user_agent

response_code

rule_attack_id

rule_attack_tactic

rule_attack_technique

rule_dictionary

rule_id

rule_intent

rule_method

rule_name

rule_strategy

security_group_id

security_group_name

sensor_event_rate

sensor_uuid

silent

source_address

source_asset_id

source_canonical

source_country

source_hostname

source_mac

source_name

source_nat_port

source_network

source_ntdomain

source_organisation

source_port

source_post_nat_port

source_pre_nat_port

source_process

source_process_commandline

source_process_parent

source_translated_port

source_user_email

source_user_privileges

source_username

source_workstation

stat_value

status

suppressed

threat_intelligence_feed_name

time_end

time_start

timestamp_arrived

timestamp_end

timestamp_occured

timestamp_occured_iso8601

timestamp_occurred

timestamp_os

timestamp_received

timestamp_received_iso8601

timestamp_start

timestamp_to_storage

total_packets

transient

ts_a_to_s

ts_o_to_r

ts_r_to_a

ts_r_to_i

ts_s_to_i

used_hint

user_role

uuid

was_fuzzied

was_guessed

watchlist

x_att_tenant_subdomain

x_att_tenantid

System Event Fields

alarm_id

analysis_account_id

analysis_account_name

analysis_account_status

analysis_account_type

analysis_account_user_name

analysis_user_id

analysis_user_name

analysis_user_status

app_execution_parameters

app_id

app_name

app_type

connector_id

control_id

customfield_0

customfield_1

customfield_10

customfield_11

customfield_12

customfield_2

customfield_4

customfield_5

customfield_6

customfield_7

customfield_8

customfield_9

customheader_0

customheader_1

customheader_10

customheader_11

customheader_12

customheader_2

customheader_4

customheader_5

customheader_6

customheader_7

customheader_8

customheader_9

destination_user_email

event_action

event_change

event_description

event_group_job_id

event_name

event_outcome

event_type

full_message

needs_enrichment

needs_internal_enrichment

new_value

node_id

node_name

object_type

packet_type

playbook_execution_id

playbook_id

playbook_name

previous_value

rep_dev_canonical

rep_device_address

rep_device_asset_id

rep_device_fqdn

rep_device_hostname

report_executed_category

report_executed_database

report_executed_database_index

report_executed_date

report_executed_format

report_executed_key

report_executed_parameters

report_executed_query

report_executed_state

report_executed_user

report_executed_uuid

scheduled_task_id

sensor_event_rate

sensor_name

sensor_uuid

source_asset_id

source_canonical

source_infrastructure_type

source_name

source_user_email

suppressed

system_event_type

timestamp_arrived

timestamp_end

timestamp_occured

timestamp_occurred

timestamp_start

timestamp_to_storage

total_disconnection_time

transient

uuid

x_att_tenant_subdomain

x_att_tenantid

User Activity Fields

event_action

event_description

event_name

event_severity

expires

full_message

needs_enrichment

needs_internal_enrichment

new_value

object_id

object_type

packet_type

previous_value

sensor_event_rate

sensor_uuid

source_username

suppressed

timestamp_arrived

timestamp_occured

timestamp_occurred

timestamp_to_storage

transient

uuid

x_att_tenant_subdomain

x_att_tenantid

Vulnerability Fields

access_control_outcome

account_name

alarm_events_count

app_id

app_name

app_type

base_event_count

bytes_in

bytes_out

confidence

connection_count

contains_credit_card_number

current_pps

datascience_alarm_threshold

datascience_alarm_threshold_99

datascience_alarm_threshold_low_confidence

datascience_alarm_threshold_medium_confidence

datascience_anomaly_score

datascience_tenant_event_threshold

destination_address

destination_asset_id

destination_canonical

destination_city

destination_country

destination_fqdn

destination_hostname

destination_infrastructure_name

destination_infrastructure_type

destination_instance_id

destination_latitude

destination_longitude

destination_name

destination_nat_port

destination_organisation

destination_port

destination_post_nat_port

destination_pre_nat_port

destination_region

destination_registered_country

destination_translated_port

device_custom_number_1

device_custom_number_2

device_custom_number_3

dns_rcode

event_action

event_cve

event_description

event_description_url

event_group

event_name

event_priority

event_receipt_time

event_ref_id

event_ref_score

event_ref_score_v2

event_ref_score_v3

event_ref_source

event_ref_version

event_severity

event_type

expires

has_alarm

level

log

needs_enrichment

needs_internal_enrichment

packet_type

packets_received

packets_sent

peak_pps

plugin

plugin_device

plugin_family

rep_dev_canonical

rep_device_address

rep_device_asset_id

rep_device_fqdn

rep_device_hostname

rep_device_instance_id

report_executed_date

response_code

rule_id

sensor_event_rate

sensor_name

sensor_uuid

silent

source_address

source_asset_id

source_canonical

source_city

source_country

source_fqdn

source_hostname

source_infrastructure_name

source_infrastructure_type

source_instance_id

source_latitude

source_longitude

source_name

source_nat_port

source_organisation

source_port

source_post_nat_port

source_pre_nat_port

source_region

source_registered_country

source_translated_port

stat_value

suppressed

time_end

time_start

timestamp_arrived

timestamp_end

timestamp_occured

timestamp_occured_iso8601

timestamp_occurred

timestamp_os

timestamp_received

timestamp_received_iso8601

timestamp_start

timestamp_to_storage

total_packets

transient

ts_a_to_s

ts_o_to_r

ts_r_to_a

ts_r_to_i

ts_s_to_i

used_hint

uuid

was_fuzzied

was_guessed

x_att_tenant_subdomain

x_att_tenantid
