
Arctic Wolf Unified Portal Data Exploration

Updated Feb 12, 2024

Data Explorer fields

In Data Explorer, you can limit your search to specific database fields. In the Add Search Fields section, you can add one or more database field sets or fields:

Field sets

Tip: For a description of each field, see Fields.

Field set Fields included
Domain
  • client.address
  • client.domain
  • host.domain
  • host.name
  • related.hosts
  • remote.address
  • remote.domain
  • remote.registered_domain
  • server.address
  • server.domain
  • url.domain
Event Code
  • ad.event.code
  • event.code
Hash
  • dll.hash.md5
  • dll.hash.sha1
  • dll.hash.sha256
  • file.hash.md5
  • file.hash.sha1
  • file.hash.sha256
  • process.hash.md5
  • process.hash.sha1
  • process.hash.sha256
  • process.parent.hash.md5
  • process.parent.hash.sha1
  • process.parent.hash.sha256
  • tls.client.hash.md5
  • tls.client.hash.sha1
  • tls.client.hash.sha256
  • tls.server.hash.md5
  • tls.server.hash.sha1
  • tls.server.hash.sha256
  • url.hash.md5
  • url.hash.sha1
  • url.hash.sha256
File Name
  • file.name
  • file.path
IP Address
  • client.address
  • client.domain
  • client.ip
  • client.nat.ip
  • host.domain
  • host.external_ip
  • host.ip
  • host.hostname
  • host.name
  • observer.ip
  • remote.ip
  • server.address
  • server.domain
  • server.ip
  • server.nat.ip
Log Source
  • event.module
  • event.provider
Process Name
  • process.command_line
  • process.executable
User
  • ad.event.origin.username
  • client.user.full_name
  • client.user.id
  • client.user.name
  • client.user.username
  • host.user.full_name
  • host.user.id
  • host.user.name
  • host.user.username
  • server.user.full_name
  • server.user.id
  • server.user.name
  • server.user.username
  • user.full_name
  • user.id
  • user.name
  • user.username

Fields

Field Description
@timestamp The date and time when the event occurred. If the log data that Arctic Wolf® receives does not include a date and time for the event, the date and time when Arctic Wolf received the log data. The @timestamp field is mandatory for all events.
@type If the event log is unparsed, the type of telemetry used to send event log data to Arctic Wolf. If the event log is a compound event, the type of incident or alert. Note: A compound event is a single event that contains multiple logical events. Compound events are events that the Arctic Wolf observation pipeline generates when it identifies a group of events as logically related.
ad.event.auth.logon_type The Windows Event logon type. See Audit logon events for more information.
ad.event.code The Windows Event ID. See Appendix L: Events to Monitor and Windows security audit events for more information.
ad.event.origin.username The name of the user or the computer that originated the event.
ad.event.title The event summary associated with the Windows Event ID. See Appendix L: Events to Monitor and Windows security audit events for more information.
auth.type A description of the authentication type.
client.address An IP address, a domain, or a Unix socket, if available. Client addresses are sometimes ambiguous. Some event logs that originate from ambiguous client addresses include this information.
client.as.number The autonomous system number (ASN) that uniquely identifies each network on the internet.
client.bytes The total number of bytes sent from the client to the server during the event.
client.domain The client domain.
client.geo.city_name The name of the city where the client is located.
client.geo.country_iso_code The ISO code for the country where the client is located.
client.geo.country_name The name of the country where the client is located.
client.ip The IPv4 or IPv6 address of the client.
client.ip_classification The classification of the client IP address as either internal, external, or multicast. The classification includes special network design considerations. For example, an internal network that utilizes non-RFC 1918 IP address space can be classified as internal.
client.packets The total number of packets sent from the client to the server during the event.
client.port The port used on the client.
client.user.email The email address of the user.
client.user.full_name The full name of the user.
client.user.id The user ID.
client.user.name The username that identifies a user login or a short name for the user.
client.user.username The username that identifies a user login or a short name for the user. This field is an additional field to account for legacy systems.
client.whois.registrant.organization The person or organization who registered the domain name, according to the WHOIS database.
cloud.client.geo.city_name The name of the city where the external IP address is located.
cloud.client.geo.country_name The ISO code for the country where the external IP address is located.
cloud.client.user.name The name of the user that completed the operation. To disambiguate this user name, view the user.id field.
cloud.event.name The name that an Arctic Wolf observation pipeline assigned the event.
cloud.resource.name The name of the resource that was changed or affected in the event. For example, the name of a file or user.
cloud.resource.path The file path of the resource that was changed or affected in the event. For example, the file path of an executable or a configuration file.
dns.answers.class The class of DNS data contained in the resource record.
dns.answers.data The data describing the resource. The meaning of this data depends on the type and class of the resource record.
dns.answers.ttl The number of seconds that a cache can keep the resource record before the record is discarded. A value of zero means that the data should not be cached.
dns.answers.type The type of data contained in the resource record.
dns.question.class The class of the record being queried.
dns.question.name The name of the record being queried.
dns.question.type The type of record being queried.
dns.question.whois.registrant.organization The person or organization who registered the domain name, according to the WHOIS database.
dns.resolved_ip All IP addresses found in the dns.answers.data field. Arctic Wolf extracts the IP addresses from the dns.answers.data field to index them as IP addresses, which makes them easier to search for.
dns.response_code The DNS response code.
event.action The summary of the action described in the event log, according to the event source. For example, group-add, process-started, or file-created. The event.action field usually provides a more detailed summary than the event.category value.
event.category All categories that the event falls under. This value is an array, which enables the categorization of events that appear in more than one category. This field is closely related to event.type. The event.type values are subcategories of event.category values.
event.code The identification code for this event, if one exists. Some event sources use event codes to uniquely and unambiguously identify events, regardless of any wording adjustments in the event message over time or any language translations. Possible event.code field values are Windows Event IDs and Sysmon Event IDs. See Appendix L: Events to Monitor, Windows security audit events, and Sysmon v15.0: Events for more information.
event.dataset The name of the dataset, according to the event source. If an event source publishes more than one type of log or event, for example, access logs and error logs, you can use the event.dataset value to identify which dataset the event is a part of.
event.duration The duration of the event in nanoseconds. If the event.start and event.end values are available, the event.duration value is the difference between the event.start and event.end values.
event.end The date and time when the event ended or when the event source last observed the activity.
event.kind A high-level summary of the type of information that the event log contains. You can use the value in this field to decide how to handle events of the same kind. Events of the same kind might need a different data retention period or different access controls. This value can also indicate if log data for this kind of event is coming in at a regular interval or not.
event.module The name of the module this data is coming from, if applicable. The Arctic Wolf observation pipeline populates this field if your monitoring agent uses the concept of modules or plugins to process events from a specific source, for example, Apache logs.
event.outcome Whether the event represents a success or a failure from the perspective of the entity that caused the event, if applicable. Notes:
  • Not all events have an associated outcome.
  • In a set of correlated events, for example, a single transaction that occurs over multiple events, each event can have a different value.
  • In the case of a compound event, that is, a single event that contains multiple logical events, this field is populated with the value that best captures the overall success or failure of the series of events from the perspective of the entity that caused the series of events.
  • A compound event is not the same as a transaction that occurs over multiple events. A Data Explorer search result can include a compound event, whereas you might consider a group of separate events a transaction only after analyzing Data Explorer search results.
event.provider The source of the event log. Event transports such as Syslog or the Windows Event Log usually mention the source of an event. The identified source can be any of these values:
  • The name of the software that generated the event. For example, Sysmon or httpd.
  • The name of a subsystem of the operating system. For example, kernel or Microsoft-Windows-Security-Auditing.
event.reason An explanation of why the event happened. The event can be an action or an outcome. This explanation originates from the event source.
event.severity The severity level of the event, expressed as a number. This severity level originates from the event source. The meaning of this value depends on the event source and the use cases for this type of event classification.
event.start The date and time when the event started or when the event source first observed the activity.
event.type All applicable event types. This value is an array, which enables the categorization of events that have more than one event type. This field is closely related to event.category. The event.type values are subcategories of event.category values.
event.uuid A UUID that the Arctic Wolf observation pipeline assigns to an event log.
file.directory The folder where the file is located. This value includes the drive letter when appropriate.
file.hash.md5 The MD5 hash of the file.
file.hash.sha1 The SHA1 hash of the file.
file.hash.sha256 The SHA256 hash of the file.
file.mime_type The media type or MIME type of the file or stream of bytes, written as an IANA media type where possible. When more than one type is applicable, the most specific type should be used. See IANA Media Types for more information.
file.name The name of the file, including the extension but without the file path.
file.path The complete path to the file, including the file name. This value includes the drive letter when appropriate.
host.domain The name of the domain that the host is a member of. For example:
  • For a Windows machine, this name could be the Active Directory domain or NetBIOS domain name.
  • For a Linux machine, this name could be the domain of the LDAP provider.
host.external_ip The external IP address of the host.
host.geo.city_name The name of the city where the host is located.
host.geo.country_iso_code The ISO code for the country where the host is located.
host.geo.country_name The name of the country where the host is located.
host.hostname The name of the host. This name is usually the value that the hostname command outputs on a host machine that runs on a Unix-based operating system.
host.ip The IPv4 or IPv6 address of the host.
host.name The name of the host, according to the event source. This name is usually one of these values:
  • The value that the hostname command outputs on a host machine that runs on a Unix-based operating system.
  • The fully qualified domain name.
  • A name specified by the user.
host.os.family The operating system family of the host. For example, redhat, debian, freebsd, or windows.
host.user.email The email address of the user.
host.user.full_name The full name of the user.
host.user.id The user ID.
host.user.name The username that identifies a user login or a short name for the user.
host.user.username The username that identifies a user login or a short name for the user. This field is an additional field to account for legacy systems.
http.request.headers The key-value pairs for all headers in the HTTP request.
http.request.method The HTTP request method.
http.request.mime_type The media type or MIME type of the body of the request.
http.response.content_type The value of the HTTP response Content-Type header.
http.response.headers The key-value pairs for all headers in the HTTP response.
http.response.status_code The HTTP response status code.
labels Custom key-value pairs. Examples of custom key-value pairs are docker and k8s.
network.application The name of an application-level protocol. This name can be arbitrarily assigned to microservices or cloud service providers like Skype, ICQ, Facebook, and X (formerly Twitter). This field is populated if the vendor or service can be derived from information like the source or destination IP address owners, port numbers, or wire format.
network.bytes The total number of bytes transferred in both directions during the event.
network.direction The direction of the network traffic.
network.packets The total number of packets transferred in both directions during the event.
network.protocol The layer seven network protocol name. For example, http, lumberjack, or transport protocol.
network.transport The name of the transport layer. For example, udp, tcp, or ipv6-icmp.
observer.geo.city_name The name of the city where the event source is located.
observer.geo.country_iso_code The ISO code for the country where the event source is located.
observer.geo.country_name The name of the country where the event source is located.
observer.type The event source type. For example, forwarder, firewall, ids, ips, proxy, poller, sensor, or APM server.
organization.deployment.id The unique identifier that Arctic Wolf assigns to an Arctic Wolf appliance deployed within the organization.
organization.id The unique identifier that Arctic Wolf assigns to the organization.
organization.uuid An organization UUID that is specific to the Arctic Wolf Managed Risk service. This field is used for legacy data mapping.
process.command_line The complete command line that started the process, including the absolute path to the executable and all command arguments.
process.executable The absolute path to the process executable file.
process.hash.md5 The MD5 hash of the process executable file.
process.hash.sha1 The SHA1 hash of the process executable file.
process.hash.sha256 The SHA256 hash of the process executable file.
process.name The name of the process.
process.parent.command_line The complete command line that started the parent process, including the absolute path to the executable and all command arguments.
process.parent.executable The absolute path to the parent process executable file.
process.parent.hash.md5 The MD5 hash of the parent process executable file.
process.parent.hash.sha1 The SHA1 hash of the parent process executable file.
process.parent.hash.sha256 The SHA256 hash of the parent process executable file.
process.parent.name The name of the parent process.
process.parent.pid The parent process ID.
process.parent.ppid The grandparent process ID.
process.parent.working_directory The working directory of the parent process.
process.pid The process ID.
process.ppid The parent process ID.
process.working_directory The working directory of the process.
related.as.number All autonomous system numbers (ASNs) found in the event log. Tip: A related field allows you to search all database fields that might contain your search term. Examples of related fields are related.ip and related.user. Search a related field if you don't know the name of the database field that contains your search term. This tip applies to all related.* fields below.
related.email All user email addresses listed in the event log.
related.groups All the groups related to users that are associated with the event.
related.hash All hashes found in the event log data.
related.hosts All hostnames or other host identifiers observed during the event. Valid values include FQDNs, domain names, workstation names, or aliases.
related.ip All IP addresses found in the event log data.
related.url All URLs found in the event log data.
related.user All usernames or other user identifiers found in the event log data.
related.whois.registrant.name For all the domain names found in the event log data, the persons or organizations who registered the domain names, according to the WHOIS database.
remote.address An IP address, a domain, or a Unix socket, if available. Remote addresses are sometimes ambiguous. Some event logs that originate from ambiguous remote addresses include this information.
remote.domain The domain of the remote system.
remote.ip The IPv4 or IPv6 address of the remote system.
remote.port The port used on the remote system.
remote.registered_domain The highest registered domain of the remote system without the subdomain.
rule.description The name of the schema or set of rules that generate analyzed events logs from raw log data that enters the Arctic Wolf observation pipeline.
rule.events.category How the Arctic Wolf observation pipeline categorized the analyzed event log.
rule.events.description A summary of the analyzed event log.
rule.events.identifier The identifier assigned to the analyzed event log if the event is escalated.
rule.events.tags The tags that the Arctic Wolf observation pipeline attached to the analyzed event log.
server.address An IP address, a domain, or a Unix socket, if available. Server addresses are sometimes ambiguous. Some event logs that originate from ambiguous server addresses include this information.
server.as.number The autonomous system number (ASN) that uniquely identifies each network on the internet.
server.as.organization.name The name of the organization associated with the server.
server.bytes The total number of bytes sent from the server to the client during the event.
server.domain The server domain.
server.geo.city_name The name of the city where the server is located.
server.geo.country_iso_code The ISO code for the country where the server is located.
server.geo.country_name The name of the country where the server is located.
server.ip The IPv4 or IPv6 address of the server.
server.ip_classification The classification of the server IP address as either internal, external, or multicast. The classification includes special network design considerations. For example, an internal network that utilizes non-RFC 1918 IP address space can be classified as internal.
server.packets The total number of packets sent from the server to the client during the event.
server.port The port used on the server.
server.user.email The email address of the user.
server.user.full_name The full name of the user.
server.user.id The user ID.
server.user.name The username that identifies a user login or a short name for the user.
server.user.username The username that identifies a user login or a short name for the user. This field is an additional field to account for legacy systems.
server.whois.registrant.organization The person or organization who registered the domain name, according to the WHOIS database.
service.name The name of the service that is configured to send log data to Arctic Wolf. A user in your organization usually assigns a name to the service that they configure to forward log data.
tags A list of keywords that the Arctic Wolf observation pipeline associated with the event log source.
threat.severity A CVSS score, which is a number ranging from zero to 10. A score of 10 indicates a risk of the highest severity. See NIST NVD Vulnerability Metrics for more information.
threat.tactic.name The name of the tactic, according to the MITRE ATT&CK® database, that the identified threat uses.
tls.client.hash.sha256 The fingerprint of the certificate that the client offers. The fingerprint is derived from the SHA256 digest of the DER-encoded version of the certificate.
tls.server.hash.sha256 The fingerprint of the certificate that the server offers. The fingerprint is derived from the SHA256 digest of the DER-encoded version of the certificate.
url.domain The domain of the URL. For example, https://www.arcticwolf.com. In some cases, a URL might refer to an IP address and port directly, without a domain name.
url.full The complete URL.
url.path The path of the request. For example, /search.
url.whois.registrant.organization The person or organization who registered the domain name, according to the WHOIS database.
user.changes.email What the email address of the user was changed to.
user.changes.full_name What the full name of the user was changed to.
user.changes.id What the user ID was changed to.
user.changes.name What the username or the short name for the user was changed to.
user.changes.username What the username for the user was changed to. This field is an additional field to account for legacy systems.
user.effective.email The email address of the user whose role or privileges an administrator assumed.
user.effective.full_name The full name of the user whose role or privileges an administrator assumed.
user.effective.id The ID of the user whose role or privileges an administrator assumed.
user.effective.name The username or the short name for the user whose role or privileges an administrator assumed.
user.effective.username The username for the user whose role or privileges an administrator assumed. This field is an additional field to account for legacy systems.
user.email The email address of the user.
user.full_name The full name of the user.
user.id The user ID.
user.name The username that identifies a user login or a short name for the user.
user.target.email The email address of the user before an administrator changed it.
user.target.full_name The full name of the user before an administrator changed it.
user.target.id The ID of the user before an administrator changed it.
user.target.name The username or the short name for the user before an administrator changed it.
user.target.username The username for the user before an administrator changed it. This field is an additional field to account for legacy systems.
user.username The username that identifies a user login or a short name for the user. This field is an additional field to account for legacy systems.
user_agent.description The user agent in human-readable form.
user_agent.original The unparsed user-agent string.
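The two search mechanisms this page describes, field sets (a named group of fields that a search term is matched against) and related.* fields (one field that collects every value of a given kind found anywhere in the event), can be modelled in a few dozen lines. The following is an added example, not Arctic Wolf's code and not how the Unified Portal is implemented: it reproduces three of the field sets listed above (Hash, IP Address, User) exactly as the page lists them, derives related.ip, related.hash, related.user and related.hosts from flat events with rules that are assumptions (any value that parses as an IP address, any *.hash.* field, any field ending in user.name/user.username/user.id, and host.name/host.hostname/*.domain), and runs a search over constructed sample events keyed by the field names on this page. Matching is case-insensitive exact equality, so a search for "alice" hits both user.name "alice" and host.user.username "ALICE".

```python
"""Illustrative model of Data Explorer field sets and related.* fields.

Added example; not Arctic Wolf's code. Events are constructed flat dicts
keyed by the field names documented on the page.
"""
import ipaddress

# Field sets copied from the "Field sets" table on the page.
HASH_PREFIXES = ("dll", "file", "process", "process.parent",
                 "tls.client", "tls.server", "url")
FIELD_SETS = {
    "Hash": [f"{p}.hash.{a}" for p in HASH_PREFIXES
             for a in ("md5", "sha1", "sha256")],
    "IP Address": ["client.address", "client.domain", "client.ip", "client.nat.ip",
                   "host.domain", "host.external_ip", "host.ip", "host.hostname",
                   "host.name", "observer.ip", "remote.ip", "server.address",
                   "server.domain", "server.ip", "server.nat.ip"],
    "User": ["ad.event.origin.username"] + [
        f"{p}user.{a}" for p in ("client.", "host.", "server.", "")
        for a in ("full_name", "id", "name", "username")],
}

# Constructed sample events (hashes and addresses are placeholders).
EVENTS = [
    {"event.uuid": "ev-1", "event.category": ["network"],      # DNS lookup
     "host.name": "ws-0042", "client.ip": "10.1.2.3", "user.name": "alice",
     "dns.question.name": "www.example.test",
     "dns.answers.data": ["198.51.100.9"], "dns.resolved_ip": ["198.51.100.9"]},
    {"event.uuid": "ev-2", "event.category": ["process"],      # process start
     "host.name": "ws-0042", "host.ip": "10.1.2.3", "host.user.username": "ALICE",
     "process.executable": r"C:\Windows\System32\cmd.exe",
     "process.hash.sha256": "7f" * 32,
     "process.parent.executable": r"C:\Windows\explorer.exe",
     "process.parent.hash.sha256": "3c" * 32},
    {"event.uuid": "ev-3", "event.category": ["network"],      # inbound TLS
     "client.ip": "203.0.113.7", "server.ip": "10.1.2.3", "server.port": 443,
     "server.user.name": "svc-web"},
]


def _values(value):
    """Every field may be single- or multi-valued; always iterate a list."""
    return value if isinstance(value, list) else [value]


def build_related(event):
    """Derive related.* fields from an event (assumed rules, see lead-in)."""
    related = {"related.ip": set(), "related.hash": set(),
               "related.user": set(), "related.hosts": set()}
    for field, value in event.items():
        for v in _values(value):
            if not isinstance(v, str):
                continue
            if ".hash." in field:
                related["related.hash"].add(v.lower())
            elif field.endswith(("user.name", "user.username", "user.id",
                                 "origin.username")):
                related["related.user"].add(v.lower())
            elif field in ("host.name", "host.hostname") or field.endswith(".domain"):
                related["related.hosts"].add(v.lower())
            else:
                try:  # anything that parses as an IP counts, whatever the field
                    related["related.ip"].add(str(ipaddress.ip_address(v)))
                except ValueError:
                    pass
    return {k: sorted(v) for k, v in related.items()}


def expand_fields(selection):
    """Expand a mix of field-set names and bare field names, preserving order."""
    fields = []
    for item in selection:
        for f in FIELD_SETS.get(item, [item]):
            if f not in fields:
                fields.append(f)
    return fields


def search(events, term, selection):
    """Return event.uuid of every event where term equals a value in the fields."""
    fields = expand_fields(selection)
    term_l = term.lower()
    hits = []
    for ev in events:
        doc = {**ev, **build_related(ev)}  # related.* are searchable too
        if any(str(v).lower() == term_l
               for f in fields for v in _values(doc.get(f, []))):
            hits.append(ev["event.uuid"])
    return hits


if __name__ == "__main__":
    print(search(EVENTS, "10.1.2.3", ["IP Address"]))   # all three events
    print(search(EVENTS, "10.1.2.3", ["client.ip"]))    # only ev-1
    print(search(EVENTS, "alice", ["User"]))            # ev-1 and ev-2
    print(search(EVENTS, "198.51.100.9", ["related.ip"]))  # ev-1 via DNS answer
```

The contrast worth noticing is the first two searches: the same address appears as client.ip, host.ip and server.ip in three different events, so narrowing the search to one field silently drops two of them, which is exactly what the field sets and related.* fields on this page exist to prevent.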