Data Explorer fields

In Data Explorer, you can use individual Data Explorer fields or field sets to narrow your search:
  • Field — You can limit your search for a specific term to a single Data Explorer field. Fields are written in lower case and include periods and underscores. For example, remote.registered_domain. For more information, see Fields.
  • Field set — A field set allows you to search for a term in a group of related Data Explorer fields. Field sets are written in title case. For example, Event Code. For more information, see Field sets.
    Tip: If you don't know the name of the Data Explorer field that contains your search term, try searching a field set.

Field sets

Tip: For a description of each field, see Fields.

Field set

Fields included

Country

  • client.geo.country_iso_code

Domain

  • related.hosts — which contains arrays of these fields and their values:
    • client.address
    • client.domain
    • host.domain
    • host.hostname
    • host.name
    • server.address
    • server.domain
  • remote.address
  • remote.domain
  • remote.registered_domain
  • url.domain

Event Code

  • ad.event.code
  • event.code

Hash

  • related.hash — which contains arrays of these fields and their values:
    • file.hash.md5
    • file.hash.sha1
    • file.hash.sha256
    • process.hash.md5
    • process.hash.sha1
    • process.hash.sha256
    • process.parent.hash.md5
    • process.parent.hash.sha1
    • process.parent.hash.sha256
    • tls.client.hash.sha256
    • tls.server.hash.sha256

File Name

  • file.name
  • file.path

IP Address

  • related.hosts — which contains arrays of these fields and their values:
    • client.address
    • client.domain
    • host.domain
    • host.hostname
    • host.name
    • server.address
    • server.domain
  • related.ip — which contains arrays of these fields and their values:
    • client.ip
    • server.ip
    • host.ip
    • host.external_ip
    • remote.ip

Log Source

  • event.module
  • event.provider

Login Status

  • event.outcome

Process Name

  • process.command_line
  • process.executable

User

  • related.user — which contains arrays of these fields and their values:
    • ad.event.origin.username
    • client.user.full_name
    • client.user.id
    • client.user.name
    • client.user.username
    • host.user.full_name
    • host.user.id
    • host.user.name
    • host.user.username
    • server.user.full_name
    • server.user.id
    • server.user.name
    • server.user.username
    • user.full_name
    • user.id
    • user.name
    • user.username

Fields

Field

Description

@timestamp

The date and time when the event occurred. If the log data that Arctic Wolf® receives does not include a date and time for the event, the date and time when Arctic Wolf received the log data. The @timestamp field is mandatory for all events.

@type

If the event log is a compound event, the type of incident or alert. Otherwise, the type of telemetry used to send event log data to Arctic Wolf.

Note: A compound event is a single event that contains multiple logical events. Compound events are events that the Arctic Wolf observation pipeline generates when it identifies a group of events as logically related.

ad.event.auth.logon_type

The Windows Event logon type. For more information, see Audit logon events.

ad.event.code

The Windows Event ID. For more information, see:

ad.event.origin.username

The name of the user or the computer that originated the event.

ad.event.title

The event summary associated with the Windows Event ID. For more information, see:

auth.type

A description of the authentication type.

client.address

An IP address, a domain, or a Unix socket, if available. Client addresses are sometimes ambiguous. Some event logs that originate from ambiguous client addresses include this information.

client.as.number

The autonomous system number (ASN) that uniquely identifies each network on the internet.

client.bytes

The total number of bytes sent from the client to the server during the event.

client.domain

The client domain.

client.geo.city_name

The name of the city where the client is located.

client.geo.country_iso_code

The ISO code for the country where the client is located.

client.geo.country_name

The name of the country where the client is located.

client.ip

The IPv4 or IPv6 address of the client.

client.ip_classification

The classification of the client IP address as internal, external, or multicast. The classification includes special network design considerations. For example, an internal network that utilizes non-RFC 1918 IP address space can be classified as internal.

client.packets

The total number of packets sent from the client to the server during the event.

client.port

The port used on the client.

client.user.email

The email address of the user.

client.user.full_name

The full name of the user.

client.user.id

The user ID.

client.user.name

The username that identifies a user login or a short name for the user.

client.user.username

The username that identifies a user login or a short name for the user. This field is an additional field to account for legacy systems.

client.whois.registrant.organization

The person or organization who registered the domain name, according to the WHOIS database.

cloud.client.geo.city_name

The name of the city where the external IP address is located.

cloud.client.geo.country_name

The ISO code for the country where the external IP address is located.

cloud.client.user.name

The name of the user that completed the operation. To disambiguate this user name, view the user.id field.

cloud.event.name

The name that an Arctic Wolf observation pipeline assigned the event.

cloud.resource.name

The name of the resource that was changed or affected in the event. For example, the name of a file or user.

cloud.resource.path

The file path of the resource that was changed or affected in the event. For example, the file path of an executable or a configuration file.

dns.answers.class

The class of DNS data contained in the resource record.

dns.answers.data

The data describing the resource. The meaning of this data depends on the type and class of the resource record.

dns.answers.ttl

The number of seconds that a cache can keep the resource record before the record is discarded. A value of zero means that the data should not be cached.

dns.answers.type

The type of data contained in the resource record.

dns.question.class

The class of the record being queried.

dns.question.name

The name of the record being queried.

dns.question.type

The type of record being queried.

dns.question.whois.registrant.organization

The person or organization who registered the domain name, according to the WHOIS database.

dns.resolved_ip

All IP addresses found in the dns.answers.data field. Arctic Wolf extracts the IP addresses from the dns.answers.data field to index them as IP addresses, which makes them easier to search for.

dns.response_code

The DNS response code.

event.action

The summary of the action described in the event log, according to the event source. For example, group-add, process-started, or file-created. The event.action field usually provides a more detailed summary than the event.category value.

event.category

All categories that the event falls under. This value is an array, which enables the categorization of events that appear in more than one category. This field is closely related to event.type. The event.type values are subcategories of event.category values.

event.code

The identification code for this event, if one exists. Some event sources use event codes to uniquely and unambiguously identify events, regardless of any wording adjustments in the event message over time or any language translations. Possible event.code field values are Windows Event IDs and Sysmon Event IDs. For more information, see:

event.dataset

The name of the dataset, according to the event source. If an event source publishes more than one type of log or event, for example, access logs and error logs, you can use the event.dataset value to identify which dataset the event is a part of.

event.duration

The duration of the event in nanoseconds. If the event.start and event.end values are available, the event.duration value is the difference between the event.start and event.end values.

event.end

The date and time when the event ended or when the event source last observed the activity.

event.kind

A high-level summary of the type of information that the event log contains. You can use the value in this field to decide how to handle events of the same kind. Events of the same kind might need a different data retention period or different access controls. This value can also indicate if log data for this kind of event is coming in at a regular interval or not.

event.module

The name of the module this data is coming from, if applicable. The Arctic Wolf observation pipeline populates this field if your monitoring agent uses the concept of modules or plugins to process events from a specific source, for example, Apache logs.

event.outcome

Whether the event represents a success or a failure from the perspective of the entity that caused the event, if applicable.

Note:
  • Not all events have an associated outcome.
  • In a set of correlated events, for example, a single transaction that occurs over multiple events, each event can have a different value.
  • In the case of a compound event, that is, a single event that contains multiple logical events, this field is populated with the value that best captures the overall success or failure of the series of events from the perspective of the entity that caused the series of events.
  • A compound event is not the same as a transaction that occurs over multiple events. A Data Explorer search result can include a compound event, whereas you might consider a group of separate events a transaction only after analyzing Data Explorer search results.

event.provider

The source of the event log. Event transports such as Syslog or the Windows Event Log usually mention the source of an event. The identified source can be any of these values:
  • The name of the software that generated the event. For example, Sysmon or httpd.
  • The name of a subsystem of the operating system. For example, kernel or Microsoft-Windows-Security-Auditing.

event.reason

An explanation of why the event happened. The event can be an action or an outcome. This explanation originates from the event source.

event.severity

The severity level of the event, expressed as a number. This severity level originates from the event source. The meaning of this value depends on the event source and the use cases for this type of event classification.

event.start

The date and time when the event started or when the event source first observed the activity.

event.type

All applicable event types. This value is an array, which enables the categorization of events that have more than one event type. This field is closely related to event.category. The event.type values are subcategories of event.category values.

event.uuid

A UUID that the Arctic Wolf observation pipeline assigns to an event log.

file.directory

The folder where the file is located. This value includes the drive letter when appropriate.

file.hash.md5

The MD5 hash of the file.

file.hash.sha1

The SHA1 hash of the file.

file.hash.sha256

The SHA256 hash of the file.

file.mime_type

The media type or MIME type of the file or stream of bytes, written as an IANA media type where possible. When more than one type is applicable, the most specific type should be used. For more information, see IANA Media Types.

file.name

The name of the file, including the extension but without the file path.

file.path

The complete path to the file, including the file name. This value includes the drive letter when appropriate.

host.domain

The name of the domain that the host is a member of. For example:
  • For a Windows machine, this name could be the Active Directory domain or NetBIOS domain name.
  • For a Linux machine, this name could be the domain of the LDAP provider.

host.external_ip

The external IP address of the host.

host.geo.city_name

The name of the city where the host is located.

host.geo.country_iso_code

The ISO code for the country where the host is located.

host.geo.country_name

The name of the country where the host is located.

host.hostname

The name of the host. This name is usually the value that the hostname command outputs on a host machine that runs on a Unix-based operating system.

host.ip

The IPv4 or IPv6 address of the host.

host.name

The name of the host, according to the event source. This name is usually one of these values:
  • The value that the hostname command outputs on a host machine that runs on a Unix-based operating system.
  • The fully qualified domain name.
  • A name specified by the user.

host.os.family

The operating system family of the host. For example, redhat, debian, freebsd, or windows.

host.user.email

The email address of the user.

host.user.full_name

The full name of the user.

host.user.id

The user ID.

host.user.name

The username that identifies a user login or a short name for the user.

host.user.username

The username that identifies a user login or a short name for the user. This field is an additional field to account for legacy systems.

http.request.headers

The key-value pairs for all headers in the HTTP request.

http.request.method

The HTTP request method.

http.request.mime_type

The media type or MIME type of the body of the request.

http.response.content_type

The value of the HTTP response Content-Type header.

http.response.headers

The key-value pairs for all headers in the HTTP response.

http.response.status_code

The HTTP response status code.

labels

Custom key-value pairs. Examples of custom key-value pairs are docker and k8s.

network.application

The name of an application-level protocol. This name can be arbitrarily assigned to microservices or cloud service providers like Skype, ICQ, Facebook, and X (formerly Twitter). This field is populated if the vendor or service can be derived from information like the source or destination IP address owners, port numbers, or wire format.

network.bytes

The total number of bytes transferred in both directions during the event.

network.direction

The direction of the network traffic.

network.packets

The total number of packets transferred in both directions during the event.

network.protocol

The layer seven network protocol name. For example, http, lumberjack, or transport protocol.

network.transport

The name of the transport layer. For example, udp, tcp, or ipv6-icmp.

observer.geo.city_name

The name of the city where the event source is located.

observer.geo.country_iso_code

The ISO code for the country where the event source is located.

observer.geo.country_name

The name of the country where the event source is located.

observer.type

The event source type. For example, forwarder, firewall, ids, ips, proxy, poller, sensor, or APM server.

organization.deployment.id

The unique identifier that Arctic Wolf assigns to an Arctic Wolf appliance deployed within the organization.

organization.id

The unique identifier that Arctic Wolf assigns to the organization.

organization.uuid

An organization UUID that is specific to the Arctic Wolf Managed Risk service. This field is used for legacy data mapping.

process.command_line

The complete command line that started the process, including the absolute path to the executable and all command arguments.

process.executable

The absolute path to the process executable file.

process.hash.md5

The MD5 hash of the process executable file.

process.hash.sha1

The SHA1 hash of the process executable file.

process.hash.sha256

The SHA256 hash of the process executable file.

process.name

The name of the process.

process.parent.command_line

The complete command line that started the parent process, including the absolute path to the executable and all command arguments.

process.parent.executable

The absolute path to the parent process executable file.

process.parent.hash.md5

The MD5 hash of the parent process executable file.

process.parent.hash.sha1

The SHA1 hash of the parent process executable file.

process.parent.hash.sha256

The SHA256 hash of the parent process executable file.

process.parent.name

The name of the parent process.

process.parent.pid

The parent process ID.

process.parent.ppid

The grandparent process ID.

process.parent.working_directory

The working directory of the parent process.

process.pid

The process ID.

process.ppid

The parent process ID.

process.working_directory

The working directory of the process.

related.as.number

All autonomous system numbers (ASNs) found in the event log.

related.as.number contains arrays of these fields and their values:
  • client.as.number
  • server.as.number
Tip: A related field allows you to search all Data Explorer fields that contain similar or related information of the same data type. Examples of related fields are related.ip and related.user. If you don't know the name of the Data Explorer field that contains your search term, you can search a related field.

related.email

All user email addresses listed in the event log.

related.email contains arrays of these fields and their values:
  • client.user.email
  • host.user.email
  • server.user.email
  • user.email

related.groups

All groups related to users that are associated with the event.

related.hash

All hashes found in the event log data.

related.hash contains arrays of these fields and their values:
  • file.hash.md5
  • file.hash.sha1
  • file.hash.sha256
  • process.hash.md5
  • process.hash.sha1
  • process.hash.sha256
  • process.parent.hash.md5
  • process.parent.hash.sha1
  • process.parent.hash.sha256
  • tls.client.hash.sha256
  • tls.server.hash.sha256

related.hosts

All hostnames or other host identifiers observed during the event. Valid values include FQDNs, domain names, workstation names, or aliases.

related.hosts contains arrays of these fields and their values:
  • client.address
  • client.domain
  • host.domain
  • host.hostname
  • host.name
  • server.address
  • server.domain

related.ip

All IP addresses found in the event log data.

related.ip contains arrays of these fields and their values:
  • client.ip
  • host.external_ip
  • host.ip
  • remote.ip
  • server.ip

related.url

All URLs to external systems where you can investigate the event.

related.url contains an array of fields that store these types of URLs. These URLs usually originate from the log source.

related.user

All usernames or other user identifiers found in the event log data.

related.user contains arrays of these fields and their values:
  • ad.event.origin.username
  • client.user.full_name
  • client.user.id
  • client.user.name
  • client.user.username
  • host.user.full_name
  • host.user.id
  • host.user.name
  • host.user.username
  • server.user.full_name
  • server.user.id
  • server.user.name
  • server.user.username
  • user.full_name
  • user.id
  • user.name
  • user.username

related.whois.registrant.name

For all the domain names found in the event log data, the persons or organizations who registered the domain names, according to the WHOIS database.

related.whois.registrant.name contains arrays of multiple whois.registrant.name fields and their field values.

related.whois.registrant.organization

The person or organization who registered the domain name, according to the WHOIS database.

related.whois.registrant.organization contains arrays of these fields and their values:
  • client.whois.registrant.organization
  • dns.question.whois.registrant.organization
  • server.whois.registrant.organization
  • url.whois.registrant.organization

remote.address

An IP address, a domain, or a Unix socket, if available. Remote addresses are sometimes ambiguous. Some event logs that originate from ambiguous remote addresses include this information.

remote.domain

The domain of the remote system.

remote.ip

The IPv4 or IPv6 address of the remote system.

remote.port

The port used on the remote system.

remote.registered_domain

The highest registered domain of the remote system without the subdomain.

rule.description

The name of the schema or set of rules that generates analyzed event logs from raw log data that enters the Arctic Wolf observation pipeline.

rule.events.category

How the Arctic Wolf observation pipeline categorized the analyzed event log.

rule.events.description

A summary of the analyzed event log.

rule.events.identifier

The identifier assigned to the analyzed event log if the event is escalated.

rule.events.tags

The tags that the Arctic Wolf observation pipeline attached to the analyzed event log.

server.address

An IP address, a domain, or a Unix socket, if available. Server addresses are sometimes ambiguous. Some event logs that originate from ambiguous server addresses include this information.

server.as.number

The autonomous system number (ASN) that uniquely identifies each network on the internet.

server.as.organization.name

The name of the organization associated with the server.

server.bytes

The total number of bytes sent from the server to the client during the event.

server.domain

The server domain.

server.geo.city_name

The name of the city where the server is located.

server.geo.country_iso_code

The ISO code for the country where the server is located.

server.geo.country_name

The name of the country where the server is located.

server.ip

The IPv4 or IPv6 address of the server.

server.ip_classification

The classification of the server IP address as internal, external, or multicast. The classification includes special network design considerations. For example, an internal network that utilizes non-RFC 1918 IP address space can be classified as internal.

server.packets

The total number of packets sent from the server to the client during the event.

server.port

The port used on the server.

server.user.email

The email address of the user.

server.user.full_name

The full name of the user.

server.user.id

The user ID.

server.user.name

The username that identifies a user login or a short name for the user.

server.user.username

The username that identifies a user login or a short name for the user. This field is an additional field to account for legacy systems.

server.whois.registrant.organization

The person or organization who registered the domain name, according to the WHOIS database.

service.name

The name of the service that is configured to send log data to Arctic Wolf. A user in your organization usually assigns a name to the service that they configure to forward log data.

tags

A list of keywords that the Arctic Wolf observation pipeline associated with the event log source.

threat.severity

A CVSS score, which is a number ranging from zero to 10. A score of 10 indicates a risk of the highest severity. For more information, see NIST NVD Vulnerability Metrics.

threat.tactic.name

The name of the tactic, according to the MITRE ATT&CK® database, that the identified threat uses.

tls.client.hash.sha256

The fingerprint of the certificate that the client offers. The fingerprint is derived from the SHA256 digest of the DER-encoded version of the certificate.

tls.server.hash.sha256

The fingerprint of the certificate that the server offers. The fingerprint is derived from the SHA256 digest of the DER-encoded version of the certificate.

url.domain

The domain of the URL. For example, https://www.arcticwolf.com. In some cases, a URL might refer to an IP address and port directly, without a domain name.

url.full

The complete URL.

url.path

The path of the request. For example, /search.

url.whois.registrant.organization

The person or organization who registered the domain name, according to the WHOIS database.

user.changes.email

What the email address of the user was changed to.

user.changes.full_name

What the full name of the user was changed to.

user.changes.id

What the user ID was changed to.

user.changes.name

What the username or the short name for the user was changed to.

user.changes.username

What the username for the user was changed to. This field is an additional field to account for legacy systems.

user.effective.email

The email address of the user whose role or privileges an administrator assumed.

user.effective.full_name

The full name of the user whose role or privileges an administrator assumed.

user.effective.id

The ID of the user whose role or privileges an administrator assumed.

user.effective.name

The username or the short name for the user whose role or privileges an administrator assumed.

user.effective.username

The username for the user whose role or privileges an administrator assumed. This field is an additional field to account for legacy systems.

user.email

The email address of the user.

user.full_name

The full name of the user.

user.id

The user ID.

user.name

The username that identifies a user login or a short name for the user.

user.target.email

The email address of the user before an administrator changed it.

user.target.full_name

The full name of the user before an administrator changed it.

user.target.id

The ID of the user before an administrator changed it.

user.target.name

The username or the short name for the user before an administrator changed it.

user.target.username

The username for the user before an administrator changed it. This field is an additional field to account for legacy systems.

user.username

The username that identifies a user login or a short name for the user. This field is an additional field to account for legacy systems.

user_agent.description

The user agent in human-readable form.

user_agent.original

The unparsed user-agent string.
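As an added illustration (not Arctic Wolf's own code, which this page does not show), the following Python models how the related.* fields described above aggregate their component fields into deduplicated arrays, and how a field set search such as Hash or IP Address checks several fields at once. The nested event layout, the lower-casing of hash values and the case-insensitive exact-match rule are assumptions; the sample event is constructed.

```python
from typing import Any

# Component fields that each related.* field aggregates, as listed on this page.
RELATED_FIELDS = {
    "related.ip": ["client.ip", "host.external_ip", "host.ip", "remote.ip", "server.ip"],
    "related.hash": [
        "file.hash.md5", "file.hash.sha1", "file.hash.sha256",
        "process.hash.md5", "process.hash.sha1", "process.hash.sha256",
        "process.parent.hash.md5", "process.parent.hash.sha1", "process.parent.hash.sha256",
        "tls.client.hash.sha256", "tls.server.hash.sha256",
    ],
    "related.hosts": ["client.address", "client.domain", "host.domain", "host.hostname",
                      "host.name", "server.address", "server.domain"],
    "related.user": [
        "ad.event.origin.username",
        "client.user.full_name", "client.user.id", "client.user.name", "client.user.username",
        "host.user.full_name", "host.user.id", "host.user.name", "host.user.username",
        "server.user.full_name", "server.user.id", "server.user.name", "server.user.username",
        "user.full_name", "user.id", "user.name", "user.username",
    ],
}

# Field sets from the "Field sets" table, as the fields each one searches.
FIELD_SETS = {
    "Hash": ["related.hash"],
    "IP Address": ["related.hosts", "related.ip"],
    "Domain": ["related.hosts", "remote.address", "remote.domain",
               "remote.registered_domain", "url.domain"],
    "User": ["related.user"],
    "File Name": ["file.name", "file.path"],
    "Event Code": ["ad.event.code", "event.code"],
}

# Constructed process-creation event (assumed nested-dict layout, not real telemetry).
SAMPLE_EVENT: dict[str, Any] = {
    "client": {"ip": "10.0.0.5"},
    "server": {"ip": "203.0.113.7", "address": "203.0.113.7"},
    "host": {"ip": ["10.0.0.5", "fe80::1"], "hostname": "ws01", "name": "ws01",
             "domain": "corp.example", "user": {"name": "jdoe"}},
    "user": {"name": "jdoe", "full_name": "Jane Doe", "id": "1001"},
    "file": {"name": "tool.exe", "hash": {"sha256": "ABCD" * 16}},
    "process": {"hash": {"sha256": "abcd" * 16}, "parent": {"hash": {"sha256": "1234" * 16}}},
}


def get_field(event: dict, dotted: str) -> Any:
    """Look up a dotted field name in a nested event dict; None if any segment is absent."""
    node: Any = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def build_related(event: dict) -> dict[str, list[str]]:
    """Populate related.* arrays from the component fields, deduplicated, order preserved."""
    related: dict[str, list[str]] = {}
    for related_name, components in RELATED_FIELDS.items():
        values: list[str] = []
        for field in components:
            value = get_field(event, field)
            if value is None:
                continue
            for item in value if isinstance(value, list) else [value]:
                item = str(item)
                if related_name == "related.hash":
                    item = item.lower()  # assumption: hex digests compared case-insensitively
                if item not in values:
                    values.append(item)
        if values:
            related[related_name] = values
    return related


def field_values(event: dict, name: str) -> list[str]:
    """All string values stored under a field name; related.* names are derived, not stored."""
    if name.startswith("related."):
        return build_related(event).get(name, [])
    value = get_field(event, name)
    if value is None:
        return []
    return [str(v) for v in (value if isinstance(value, list) else [value])]


def search_field_set(event: dict, field_set: str, term: str) -> list[str]:
    """Return the fields in a field set whose values match term (case-insensitive exact match)."""
    return [name for name in FIELD_SETS[field_set]
            if any(v.lower() == term.lower() for v in field_values(event, name))]


if __name__ == "__main__":
    print(build_related(SAMPLE_EVENT))
    print(search_field_set(SAMPLE_EVENT, "Hash", "ABCD" * 16))
```

The Hash search finds the file digest even though it was stored in upper case and the same digest also appears under process.hash.sha256, which is the pivot a related field is meant to give an analyst.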