Introduction
USM Anywhere now supports advanced query capabilities, enabling users to write custom searches using SQL or PPL syntax. This new feature provides more flexibility and precision than traditional filters or orchestration rules, helping users uncover insights that may not be visible in standard dashboards.
Key capabilities include:
Custom Queries: Perform targeted searches across events, alarms, vulnerabilities, and more.
Saved Queries: Store and reuse queries for future investigations.
Flexible Output: View results in the USM Anywhere interface or export them as CSV files for offline analysis.
Scheduled Execution: Run queries automatically on a recurring schedule; the output can be sent via email.
This enhancement gives users greater control over their data and streamlines threat detection, reporting, and investigation workflows.
Submitting a Custom Query
Log into USM Anywhere.
Under Data Sources, select Hunting Library.
Click on Create Custom Query.
This will bring you to the screen on which you can enter a custom query.
Entering a Query
To begin a custom search in USM Anywhere, navigate to the New Query field.
Enter a Query: Use either Structured Query Language (SQL) or Piped Processing Language (PPL) syntax.
Select Query Language: Use the dropdown to choose between SQL or PPL.
Note: The selected language must match the syntax of the query entered, or the query will not run.
Choose Time Range: Select the time range for your query (default is Last hour).
Run the Query: Click Search to execute the query.
View Results: Results will be displayed in the USM Anywhere UI and can also be exported (see Generate CSV Report section below).
If you’re unsure of a field name, refer to Appendix A – List of Fields (below) for a complete list of available queryable fields across Events, Alarms, Vulnerabilities, and more.
SQL Queries
SQL Syntax
USM Anywhere also supports queries written in Structured Query Language (SQL). For syntax guidance, refer to:
Supported SQL Clauses
The following SQL clauses are supported in custom queries:
SELECT (required)
FROM (required)
WHERE
GROUP BY
ORDER BY
LIMIT
Wildcard (*)
Unsupported SQL Clauses
The following SQL features are not supported:
JOIN statements
Nested SELECT statements (subqueries)
Example SQL Query
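The following is an added example (not a query from the original page) that stays within the supported clause list above. It assumes the Events and Alarms data types are addressed as `events` and `alarms` in the FROM clause, and the literal values used for event_category and event_outcome are placeholders to adapt to your data; the field names themselves are taken from Appendix A. Each statement is entered as its own custom query.

```sql
-- Added example, not from the original page.
-- Assumptions: the Events data type is queried as "events" and the Alarms data
-- type as "alarms"; the literals 'Authentication' and 'Failure' are placeholder
-- values for event_category / event_outcome and must match your own data.
-- Field names come from Appendix A (List of Fields).

-- Query 1: failed authentication attempts in the selected time range, grouped
-- by account and originating host, most active pairs first. Uses only the
-- supported clauses: SELECT, FROM, WHERE, GROUP BY, ORDER BY, LIMIT.
SELECT source_username,
       source_address,
       COUNT(*) AS failed_attempts
FROM events
WHERE event_category = 'Authentication'
  AND event_outcome = 'Failure'
GROUP BY source_username, source_address
ORDER BY failed_attempts DESC
LIMIT 20

-- Query 2: alarm volume per correlation rule and priority, for a triage
-- overview of what fired most often in the selected time range.
SELECT rule_name,
       priority_label,
       COUNT(*) AS alarm_count
FROM alarms
GROUP BY rule_name, priority_label
ORDER BY alarm_count DESC
LIMIT 50
```

Because JOIN and nested SELECT are unsupported, the two data types are queried separately rather than combined in one statement; the aggregation (COUNT with GROUP BY) is done inside the query, as the Aggregations section below requires.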
Piped Processing Language (PPL) Queries
PPL Syntax
USM Anywhere also supports queries written in Piped Processing Language (PPL). For syntax guidance, refer to:
Example PPL Query
Saving a Query
Once a custom query has been saved, it can easily be run or modified in the future from Saved Custom Queries. To save a custom query:
Enter a custom query.
Click on the Save button.
Enter a name for the custom query.
Click on the Save Query button.
The query will now appear in Saved Custom Queries. Clicking on a saved custom query will automatically run the query and make it available for editing.
Favoriting a Query
You can mark saved queries as Favorites to keep them easily accessible at the top of your Saved Custom Queries list.
To favorite a query, check the Favorite box before saving it.
Favorite Example: In the example below, queries B Query and Alarms Event Count were saved with the Favorite box selected. Queries C Query and A Query were saved without it.
Generating a CSV Report
You can export the results of a custom query as a CSV file for offline analysis or scheduled delivery.
Step 1: Run the Query
Enter a custom query in the New Query field.
Note: You do not need to save the query to generate a CSV report. Ensure the query syntax matches the selected language (SQL or PPL) in the dropdown. The report will not generate if there is a mismatch.
Click Generate CSV Report.
Step 2: Configure Report Settings
Schedule: (Optional) Set the report to run on a recurring schedule.
This follows the same format as other scheduled reports in USM Anywhere (see USM Anywhere Scheduled Reports).
Email Addresses: Enter one or more email addresses to receive the report.
Note: Press Enter after each email address. No commas or semicolons are needed.
Send to My Email Address: When selected, the logged-in user’s email is automatically added.
Note: Manually typing your email also auto-checks this box.
Enable Link Expiration: When selected, the download link in the email will expire after 14 days.
Click Next to continue.
Step 3: Finalize and Run
Complete the remaining fields on the next Configure Report page.
Click Save & Run or Run to generate the report.
A download link will be sent to the email addresses provided.
Information to Support Query Writing
Use the following guidelines to understand which data types and fields are available for use in custom queries.
Supported Data Types
Custom queries can be run against the following data types:
Events
Alarms
Vulnerabilities
Console User Events
System Events
You can query any field within these data types.
Unsupported Data Types
The following data types are not supported for custom queries:
Orchestration Rules
Assets
Asset Groups
Users
Investigations
Pulses
Field Reference
For a complete list of fields available for querying by data type, refer to Appendix A – List of Fields.
Aggregations & Other Computation
All aggregations and computations must be written into the custom query itself (for example, with GROUP BY in SQL).
No further calculations or operations can be applied to the query results within USM Anywhere.
To perform such analysis, use the Generating a CSV Report (above) feature to export query results and process them offline.
Appendix A - List of Fields
Click on a field type below to navigate to the list of all fields available for a custom query.
All fields, in alphabetical order
access_control_outcome access_key_id account_id account_name account_vendor adhoc_query_id affected_family affected_platform affected_platforms affected_products alarm_connector_ids alarm_connector_sources alarm_destination_assset_ids alarm_destination_cities alarm_destination_countries alarm_destination_ips alarm_destination_latitudes alarm_destination_longitudes alarm_destination_names alarm_destination_organisations alarm_destination_user_account_ids alarm_destination_user_ids alarm_destination_zones alarm_destinations alarm_events_count alarm_id alarm_labels alarm_outcome alarm_response_codes alarm_sensor_sources alarm_source_asset_ids alarm_source_cities alarm_source_countries alarm_source_ips alarm_source_latitudes alarm_source_longitudes alarm_source_names alarm_source_organisations alarm_source_zones alarm_sources analysis_account_id analysis_account_name analysis_account_status analysis_account_type analysis_account_user_name analysis_user_id analysis_user_name analysis_user_status app_execution_parameters app_id app_name app_type application application_protocol application_type asset_status assumed_role audit_reason authentication_mode authentication_package_name authentication_type base_event_count blacklist_reference_url bytes_in bytes_out certificate_issuer_name certificate_serial_number certificate_subject_name confidence connection_count connector_id connector_source connector_source_file container_cmd container_cpu container_id container_image container_image_id container_memory container_name container_state container_volume contains_credit_card_number content_category control_id current_pps current_working_directory customfield_* customheader_* datascience_alarm_threshold datascience_alarm_threshold_99 datascience_alarm_threshold_low_confidence datascience_alarm_threshold_medium_confidence datascience_anomaly_score datascience_inference_explanation datascience_inference_type datascience_tenant_event_threshold destination_account_id 
destination_additional_hostnames destination_address destination_address_6 destination_asn destination_asset_id destination_blacklist_activity destination_blacklist_priority destination_blacklist_reliability destination_canonical destination_city destination_country destination_datastore destination_dns_domain destination_fqdn destination_hostname destination_infrastructure_name destination_infrastructure_type destination_instance_id destination_latitude destination_longitude destination_mac destination_mac_vendor destination_name destination_nat_address destination_nat_port destination_netmask destination_network destination_ntdomain destination_organisation destination_port destination_port_label destination_post_nat_port destination_pre_nat_port destination_process destination_process_id destination_region destination_registered_country destination_service_name destination_translated_address destination_translated_port destination_user_email destination_user_group destination_user_id destination_user_privileges destination_userid destination_username destination_vguest destination_vhost destination_vpc destination_vpn destination_zone device_class device_configuration device_custom_date_1 device_custom_date_1_label device_custom_date_2 device_custom_date_2_label device_custom_number_1 device_custom_number_1_label device_custom_number_2 device_custom_number_2_label device_custom_number_3 device_custom_number_3_label device_direction device_dns_domain device_event_category device_external_id device_facility device_inbound_interface device_name device_nt_domain device_outbound_interface device_process_name device_sender_address device_sender_asset_id device_vendor dns_message dns_rcode dns_rrname dns_rrtype dns_server_address dns_ttl dns_type duration email_recipient email_relay email_sender email_subject environment_variable_key environment_variable_value error_code error_message event_action event_activity event_attack_id event_attack_tactic 
event_attack_technique event_auth_action event_auth_role event_category event_change event_cve event_description event_description_url event_group event_group_job_id event_name event_outcome event_priority event_receipt_time event_ref_date event_ref_id event_ref_score event_ref_score_v2 event_ref_score_v3 event_ref_source event_ref_version event_severity event_subcategory event_type event_violation events expires external_id file_hash file_hash_algorithm file_hash_md5 file_hash_sha1 file_hash_sha256 file_id file_kb_size file_modification_time file_name file_old_hash file_old_id file_old_modification_time file_old_name file_old_path file_old_permission file_old_size file_owner file_path file_permission file_type full_message gateway global_list_name global_list_value group_policy has_alarm highlight_fields http_hostname http_referer identity_group_name identity_host_name incident_id instance_ids instance_types iocs ip_addresses k8s_dns_policy k8s_node_name k8s_priority last_updated level log malware_family malware_variant matched_value mute needs_enrichment needs_internal_enrichment new_value node_id node_name num_containers object_id object_type old_ip operating_system package_architecture package_name package_revision package_source package_version packet_data packet_payload packet_type packets_received packets_sent peak_pps pefile_company pefile_description pefile_fileversion pefile_product playbook_execution_id playbook_id playbook_name plugin plugin_device plugin_device_type plugin_device_version plugin_enrichment_script plugin_family plugin_parent plugin_rule plugin_version policy policy_address pre_authentication_type previous_value priority priority_label project_id protocol_version received_from registry_path registry_value relative_distinguished_name rep_dev_canonical rep_device_address rep_device_address_6 rep_device_asset_id rep_device_fqdn rep_device_hostname rep_device_inbound_interface rep_device_instance_id rep_device_mac rep_device_model 
rep_device_outbound_interface rep_device_rule_id rep_device_type rep_device_vendor rep_device_version report_executed_category report_executed_database report_executed_database_index report_executed_date report_executed_format report_executed_key report_executed_parameters report_executed_query report_executed_state report_executed_user report_executed_uuid reputation_score request_content_type request_cookies request_http_version request_method request_referrer request_url request_user_agent resource_provider resource_uri response_code response_content_type return_value rule_attack_id rule_attack_tactic rule_attack_technique rule_dictionary rule_id rule_intent rule_method rule_name rule_strategy rule_uuid scheduled_task_id security_group_id security_group_name sensor_event_rate sensor_name sensor_uuid session shared_resource_name short_message silent source_account source_account_id source_account_name source_additional_hostnames source_address source_address_6 source_asn source_asset_id source_blacklist_activity source_blacklist_priority source_blacklist_reliability source_canonical source_city source_country source_cpe source_datacenter source_datastore source_dns_domain source_fqdn source_hostname source_infrastructure_name source_infrastructure_type source_instance_id source_latitude source_location_id source_location_name source_longitude source_mac source_mac_vendor source_name source_nat_address source_nat_port source_netmask source_network source_ntdomain source_organisation source_port source_port_label source_post_nat_port source_pre_nat_port source_process source_process_commandline source_process_id source_process_parent source_process_parent_commandline source_process_parent_process_id source_region source_registered_country source_service_name source_translated_address source_translated_port source_user_email source_user_email_domain source_user_group source_user_id source_user_privileges source_userid source_username source_vhost source_vpc 
source_vpn source_workstation source_zone ssh_authorized_key ssh_client_proto ssh_client_software ssh_server_proto ssh_server_software stat_value status suppress_rule_id suppress_rule_name suppressed syslog_source system_event_type tag threat_intelligence_feed_name threat_intelligence_matched_metadata ticket_encryption_type timeStamp time_end time_offset time_start time_zone timestamp_arrived timestamp_end timestamp_occured timestamp_occured_iso8601 timestamp_occurred timestamp_os timestamp_received timestamp_received_iso8601 timestamp_start timestamp_to_storage tls_cipher tls_fingerprint tls_issuerdn tls_sni tls_subject tls_version total_disconnection_time total_packets transaction_status transient transport_protocol ts_a_to_s ts_o_to_r ts_r_to_a ts_r_to_i ts_s_to_i tty_terminal used_hint user_group_id user_policy user_realm user_resource user_resource_type user_role user_type uuid virtual_source_address virtual_source_name was_fuzzied was_guessed watchlist wireless_ap wireless_bssid wireless_channel wireless_encryption wireless_ssid x_att_tenant_subdomain x_att_tenantid
Event Fields
access_control_outcome access_key_id account_id account_name account_vendor adhoc_query_id affected_family affected_platform affected_platforms affected_products alarm_events_count app_id app_name app_type application application_protocol application_type asset_status assumed_role audit_reason authentication_mode authentication_package_name authentication_type base_event_count blacklist_reference_url bytes_in bytes_out certificate_issuer_name certificate_serial_number certificate_subject_name confidence connection_count connector_id connector_source connector_source_file container_cmd container_cpu container_id container_image container_image_id container_memory container_name container_state container_volume contains_credit_card_number content_category control_id current_pps current_working_directory customfield_0 customfield_1 customfield_10 customfield_11 customfield_12 customfield_13 customfield_14 customfield_15 customfield_16 customfield_17 customfield_18 customfield_19 customfield_2 customfield_20 customfield_21 customfield_22 customfield_23 customfield_24 customfield_25 customfield_26 customfield_27 customfield_28 customfield_29 customfield_3 customfield_30 customfield_4 customfield_5 customfield_6 customfield_7 customfield_8 customfield_9 customheader_0 customheader_1 customheader_10 customheader_11 customheader_12 customheader_13 customheader_14 customheader_15 customheader_16 customheader_17 customheader_18 customheader_19 customheader_2 customheader_20 customheader_21 customheader_22 customheader_23 customheader_24 customheader_25 customheader_26 customheader_27 customheader_28 customheader_29 customheader_3 customheader_30 customheader_4 customheader_5 customheader_6 customheader_7 customheader_8 customheader_9 datascience_alarm_threshold datascience_alarm_threshold_99 datascience_alarm_threshold_low_confidence datascience_alarm_threshold_medium_confidence datascience_anomaly_score datascience_inference_explanation datascience_inference_type 
datascience_tenant_event_threshold destination_account_id destination_additional_hostnames destination_address destination_address_6 destination_asn destination_asset_id destination_blacklist_activity destination_blacklist_priority destination_blacklist_reliability destination_canonical destination_city destination_country destination_datastore destination_dns_domain destination_fqdn destination_hostname destination_infrastructure_name destination_infrastructure_type destination_instance_id destination_latitude destination_longitude destination_mac destination_mac_vendor destination_name destination_nat_address destination_nat_port destination_netmask destination_network destination_ntdomain destination_organisation destination_port destination_port_label destination_post_nat_port destination_pre_nat_port destination_process destination_process_id destination_region destination_registered_country destination_service_name destination_translated_address destination_translated_port destination_user_email destination_user_group destination_user_id destination_user_privileges destination_userid destination_username destination_vguest destination_vhost destination_vpc destination_vpn destination_zone device_class device_configuration device_custom_date_1 device_custom_date_1_label device_custom_date_2 device_custom_date_2_label device_custom_number_1 device_custom_number_1_label device_custom_number_2 device_custom_number_2_label device_custom_number_3 device_custom_number_3_label device_direction device_dns_domain device_event_category device_external_id device_facility device_inbound_interface device_name device_nt_domain device_outbound_interface device_process_name device_sender_address device_sender_asset_id device_vendor dns_message dns_rcode dns_rrname dns_rrtype dns_server_address dns_ttl dns_type duration email_recipient email_relay email_sender email_subject environment_variable_key environment_variable_value error_code error_message event_action event_activity 
event_attack_id event_attack_tactic event_attack_technique event_auth_action event_auth_role event_category event_cve event_description event_description_url event_group event_name event_outcome event_priority event_receipt_time event_ref_date event_ref_score event_ref_source event_severity event_subcategory event_type event_violation expires external_id file_hash file_hash_algorithm file_hash_md5 file_hash_sha1 file_hash_sha256 file_id file_kb_size file_modification_time file_name file_old_hash file_old_id file_old_modification_time file_old_name file_old_path file_old_permission file_old_size file_owner file_path file_permission file_type full_message gateway global_list_name global_list_value group_policy has_alarm highlight_fields http_hostname http_referer identity_group_name identity_host_name incident_id instance_ids instance_types iocs ip_addresses k8s_dns_policy k8s_node_name k8s_priority level log malware_family malware_variant matched_value needs_enrichment needs_internal_enrichment num_containers old_ip operating_system package_architecture package_name package_revision package_source package_version packet_data packet_payload packet_type packets_received packets_sent peak_pps pefile_company pefile_description pefile_fileversion pefile_product plugin plugin_device plugin_device_type plugin_device_version plugin_enrichment_script plugin_family plugin_parent plugin_rule plugin_version policy policy_address pre_authentication_type project_id protocol_version received_from registry_path registry_value relative_distinguished_name rep_dev_canonical rep_device_address rep_device_address_6 rep_device_asset_id rep_device_fqdn rep_device_hostname rep_device_inbound_interface rep_device_instance_id rep_device_mac rep_device_model rep_device_outbound_interface rep_device_rule_id rep_device_type rep_device_vendor rep_device_version report_executed_date reputation_score request_content_type request_cookies request_http_version request_method request_referrer 
request_url request_user_agent resource_provider resource_uri response_code response_content_type return_value rule_id rule_uuid security_group_id security_group_name sensor_event_rate sensor_name sensor_uuid session shared_resource_name short_message silent source_account source_account_id source_account_name source_additional_hostnames source_address source_address_6 source_asn source_asset_id source_blacklist_activity source_blacklist_priority source_blacklist_reliability source_canonical source_city source_country source_cpe source_datacenter source_datastore source_dns_domain source_fqdn source_hostname source_infrastructure_name source_infrastructure_type source_instance_id source_latitude source_location_id source_location_name source_longitude source_mac source_mac_vendor source_name source_nat_address source_nat_port source_netmask source_network source_ntdomain source_organisation source_port source_port_label source_post_nat_port source_pre_nat_port source_process source_process_commandline source_process_id source_process_parent source_process_parent_commandline source_process_parent_process_id source_region source_registered_country source_service_name source_translated_address source_translated_port source_user_email source_user_email_domain source_user_group source_user_id source_user_privileges source_userid source_username source_vhost source_vpc source_vpn source_workstation source_zone ssh_authorized_key ssh_client_proto ssh_client_software ssh_server_proto ssh_server_software stat_value status suppress_rule_id suppress_rule_name suppressed syslog_source tag threat_intelligence_feed_name threat_intelligence_matched_metadata ticket_encryption_type timeStamp time_end time_offset time_start time_zone timestamp_arrived timestamp_end timestamp_occured timestamp_occured_iso8601 timestamp_occurred timestamp_os timestamp_received timestamp_received_iso8601 timestamp_start timestamp_to_storage tls_cipher tls_fingerprint tls_issuerdn tls_sni tls_subject 
tls_version total_disconnection_time total_packets transaction_status transient transport_protocol ts_a_to_s ts_o_to_r ts_r_to_a ts_r_to_i ts_s_to_i tty_terminal used_hint user_group_id user_policy user_realm user_resource user_resource_type user_role user_type uuid virtual_source_address virtual_source_name was_fuzzied was_guessed watchlist wireless_ap wireless_bssid wireless_channel wireless_encryption wireless_ssid x_att_tenant_subdomain x_att_tenantid
Alarm Fields
access_control_outcome account_id account_name affected_platform alarm_connector_ids alarm_connector_sources alarm_destination_assset_ids alarm_destination_cities alarm_destination_countries alarm_destination_ips alarm_destination_latitudes alarm_destination_longitudes alarm_destination_names alarm_destination_organisations alarm_destination_user_account_ids alarm_destination_user_ids alarm_destination_zones alarm_destinations alarm_events_count alarm_labels alarm_outcome alarm_response_codes alarm_sensor_sources alarm_source_asset_ids alarm_source_cities alarm_source_countries alarm_source_ips alarm_source_latitudes alarm_source_longitudes alarm_source_names alarm_source_organisations alarm_source_zones alarm_sources app_id app_type assumed_role audit_reason authentication_mode authentication_type base_event_count bytes_in bytes_out confidence connection_count contains_credit_card_number current_pps customfield_0 customfield_1 customfield_10 customfield_11 customfield_12 customfield_13 customfield_15 customfield_16 customfield_17 customfield_18 customfield_19 customfield_2 customfield_20 customfield_22 customfield_23 customfield_26 customfield_27 customfield_3 customfield_30 customfield_4 customfield_6 customfield_7 customfield_8 customheader_0 customheader_1 customheader_10 customheader_11 customheader_12 customheader_13 customheader_15 customheader_16 customheader_17 customheader_18 customheader_19 customheader_2 customheader_20 customheader_22 customheader_23 customheader_26 customheader_27 customheader_3 customheader_30 customheader_4 customheader_6 customheader_7 customheader_8 datascience_alarm_threshold datascience_alarm_threshold_99 datascience_alarm_threshold_low_confidence datascience_alarm_threshold_medium_confidence datascience_anomaly_score datascience_tenant_event_threshold destination_account_id destination_address destination_asset_id destination_canonical destination_name destination_nat_port destination_organisation destination_port 
destination_post_nat_port destination_pre_nat_port destination_translated_port destination_user_group destination_user_id destination_username destination_zone device_custom_number_1 device_custom_number_2 device_custom_number_3 dns_rcode error_message event_action event_category event_description event_name event_outcome event_priority event_receipt_time event_ref_date event_severity event_subcategory event_type events expires file_hash_sha1 file_hash_sha256 file_name file_path file_type has_alarm highlight_fields http_hostname instance_ids instance_types iocs last_updated level log malware_family malware_variant mute needs_enrichment needs_internal_enrichment packet_data packet_type packets_received packets_sent peak_pps plugin plugin_device plugin_family policy priority priority_label rep_device_rule_id report_executed_date request_url request_user_agent response_code rule_attack_id rule_attack_tactic rule_attack_technique rule_dictionary rule_id rule_intent rule_method rule_name rule_strategy security_group_id security_group_name sensor_event_rate sensor_uuid silent source_address source_asset_id source_canonical source_country source_hostname source_mac source_name source_nat_port source_network source_ntdomain source_organisation source_port source_post_nat_port source_pre_nat_port source_process source_process_commandline source_process_parent source_translated_port source_user_email source_user_privileges source_username source_workstation stat_value status suppressed threat_intelligence_feed_name time_end time_start timestamp_arrived timestamp_end timestamp_occured timestamp_occured_iso8601 timestamp_occurred timestamp_os timestamp_received timestamp_received_iso8601 timestamp_start timestamp_to_storage total_packets transient ts_a_to_s ts_o_to_r ts_r_to_a ts_r_to_i ts_s_to_i used_hint user_role uuid was_fuzzied was_guessed watchlist x_att_tenant_subdomain x_att_tenantid
System Event Fields
alarm_id analysis_account_id analysis_account_name analysis_account_status analysis_account_type analysis_account_user_name analysis_user_id analysis_user_name analysis_user_status app_execution_parameters app_id app_name app_type connector_id control_id customfield_0 customfield_1 customfield_10 customfield_11 customfield_12 customfield_2 customfield_4 customfield_5 customfield_6 customfield_7 customfield_8 customfield_9 customheader_0 customheader_1 customheader_10 customheader_11 customheader_12 customheader_2 customheader_4 customheader_5 customheader_6 customheader_7 customheader_8 customheader_9 destination_user_email event_action event_change event_description event_group_job_id event_name event_outcome event_type full_message needs_enrichment needs_internal_enrichment new_value node_id node_name object_type packet_type playbook_execution_id playbook_id playbook_name previous_value rep_dev_canonical rep_device_address rep_device_asset_id rep_device_fqdn rep_device_hostname report_executed_category report_executed_database report_executed_database_index report_executed_date report_executed_format report_executed_key report_executed_parameters report_executed_query report_executed_state report_executed_user report_executed_uuid scheduled_task_id sensor_event_rate sensor_name sensor_uuid source_asset_id source_canonical source_infrastructure_type source_name source_user_email suppressed system_event_type timestamp_arrived timestamp_end timestamp_occured timestamp_occurred timestamp_start timestamp_to_storage total_disconnection_time transient uuid x_att_tenant_subdomain x_att_tenantid
User Activity Fields
event_action event_description event_name event_severity expires full_message needs_enrichment needs_internal_enrichment new_value object_id object_type packet_type previous_value sensor_event_rate sensor_uuid source_username suppressed timestamp_arrived timestamp_occured timestamp_occurred timestamp_to_storage transient uuid x_att_tenant_subdomain x_att_tenantid
Vulnerability Fields
access_control_outcome account_name alarm_events_count app_id app_name app_type base_event_count bytes_in bytes_out confidence connection_count contains_credit_card_number current_pps datascience_alarm_threshold datascience_alarm_threshold_99 datascience_alarm_threshold_low_confidence datascience_alarm_threshold_medium_confidence datascience_anomaly_score datascience_tenant_event_threshold destination_address destination_asset_id destination_canonical destination_city destination_country destination_fqdn destination_hostname destination_infrastructure_name destination_infrastructure_type destination_instance_id destination_latitude destination_longitude destination_name destination_nat_port destination_organisation destination_port destination_post_nat_port destination_pre_nat_port destination_region destination_registered_country destination_translated_port device_custom_number_1 device_custom_number_2 device_custom_number_3 dns_rcode event_action event_cve event_description event_description_url event_group event_name event_priority event_receipt_time event_ref_id event_ref_score event_ref_score_v2 event_ref_score_v3 event_ref_source event_ref_version event_severity event_type expires has_alarm level log needs_enrichment needs_internal_enrichment packet_type packets_received packets_sent peak_pps plugin plugin_device plugin_family rep_dev_canonical rep_device_address rep_device_asset_id rep_device_fqdn rep_device_hostname rep_device_instance_id report_executed_date response_code rule_id sensor_event_rate sensor_name sensor_uuid silent source_address source_asset_id source_canonical source_city source_country source_fqdn source_hostname source_infrastructure_name source_infrastructure_type source_instance_id source_latitude source_longitude source_name source_nat_port source_organisation source_port source_post_nat_port source_pre_nat_port source_region source_registered_country source_translated_port stat_value suppressed time_end time_start timestamp_arrived 
timestamp_end timestamp_occured timestamp_occured_iso8601 timestamp_occurred timestamp_os timestamp_received timestamp_received_iso8601 timestamp_start timestamp_to_storage total_packets transient ts_a_to_s ts_o_to_r ts_r_to_a ts_r_to_i ts_s_to_i used_hint uuid was_fuzzied was_guessed x_att_tenant_subdomain x_att_tenantid