Sumo Logic

Schema Attributes

This topic defines the attributes in CSE Schema v3.  

action

Description Indicates the action taken by the monitored product (the log producer) when something undesirable occurred. For example, a firewall log may indicate a bad network packet and the firewall will block the connection.
Type string
Mapped field true
Enrichment field  
Models supported Audit, Authentication, Network, Endpoint, Email

application

Description The name of the software that is the subject of this message.

Of interest to those who write mappers: Sometimes this software is the source of the message. In other cases a single source may produce messages related to many different applications and must name them explicitly.
Type string
Mapped field true
Enrichment field  
Models supported Authentication, Audit, Notification

baseImage

Description The base image of a process, for example, notepad.exe.
Type string
Mapped field true
Enrichment field  
Models supported EndpointProcess

bytesIn

Description Amount of the data received in bytes.
Type long
Mapped field true
Enrichment field  
Models supported NetworkFlow, NetworkProxy

bytesOut

Description Amount of the data sent in bytes.
Type long
Mapped field true
Enrichment field  
Models supported NetworkFlow, NetworkProxy

changeTarget

Description The user account that was affected by a change.
Type string
Mapped field true
Enrichment field  
Models supported AuditChange

changeType

Description Type of change the user made.
Type string
Mapped field true
Enrichment field  
Models supported AuditChange

commandLine

Description The command run by the user using a shell.
Type string
Mapped field true
Enrichment field  
Models supported EndpointProcess

description

Description The description of the log event.
Type string
Mapped field true
Enrichment field  
Models supported  

device_hostname

Description Name associated with device on the network. If name normalization occurs this will be the normalized name.
Type string
Mapped field true
Enrichment field  
Models supported Authentication, Audit, Email, Endpoint, Network, NetworkDHCP, NetworkHTTP, NetworkProxy, NetworkDNS, NetworkFlow, Notification
Set by Value Normalization true

device_hostname_raw

Description The value of hostname set during mapping.
Type string
Mapped field  
Enrichment field true
Models supported  

device_ip

Description The native assigned IP address of the device.
Type string
Mapped field true
Enrichment field  
Models supported Authentication, Audit, Email, Endpoint, Network, NetworkDHCP, NetworkHTTP, NetworkProxy, NetworkDNS, NetworkFlow, Notification

device_ip_asnNumber

Description An autonomous system number for the IP address based on the MaxMind GeoIP database.
Type int
Mapped field  
Enrichment field true
Models supported Authentication, Audit, Email, Endpoint, Network, NetworkDHCP, NetworkHTTP, NetworkProxy, NetworkDNS, NetworkFlow, Notification

device_ip_asnOrg

Description Organization associated with the IP address based on the MaxMind GeoIP database.
Type string
Mapped field true
Enrichment field true
Models supported Authentication, Audit, Email, Endpoint, Network, NetworkDHCP, NetworkHTTP, NetworkProxy, NetworkDNS, NetworkFlow, Notification

device_ip_city

Description City for the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported Authentication, Audit, Email, Endpoint, Network, NetworkDHCP, NetworkHTTP, NetworkProxy, NetworkDNS, NetworkFlow, Notification

device_ip_countryCode

Description Country code for the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported Authentication, Audit, Email, Endpoint, Network, NetworkDHCP, NetworkHTTP, NetworkProxy, NetworkDNS, NetworkFlow, Notification

device_ip_countryName

Description Country for the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported Authentication, Audit, Email, Endpoint, Network, NetworkDHCP, NetworkHTTP, NetworkProxy, NetworkDNS, NetworkFlow, Notification

device_ip_ipv4IntValue

Description The IPv4 address stored as an unsigned 64-bit integer value.
Type long
Mapped field  
Enrichment field true
Models supported Authentication, Audit, Email, Endpoint, Network, NetworkDHCP, NetworkHTTP, NetworkProxy, NetworkDNS, NetworkFlow, Notification

device_ip_isInternal

Description Indicates whether the IP address is internal or external. True if internal, False if external.
Type boolean
Mapped field  
Enrichment field true
Models supported Authentication, Audit, Email, Endpoint, Network, NetworkDHCP, NetworkHTTP, NetworkProxy, NetworkDNS, NetworkFlow, Notification

device_ip_isp

Description Internet Service Provider for the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported Authentication, Audit, Email, Endpoint, Network, NetworkDHCP, NetworkHTTP, NetworkProxy, NetworkDNS, NetworkFlow, Notification

device_ip_latitude

Description Latitude for the IP address based on the MaxMind GeoIP database.
Type float
Mapped field  
Enrichment field true
Models supported Authentication, Audit, Email, Endpoint, Network, NetworkDHCP, NetworkHTTP, NetworkProxy, NetworkDNS, NetworkFlow, Notification

device_ip_location

Description This value is populated based on the Network Blocks you have uploaded. When there is a match, it will be populated with the network block label.
Type string
Mapped field  
Enrichment field true
Models supported Authentication, Audit, Email, Endpoint, Network, NetworkDHCP, NetworkHTTP, NetworkProxy, NetworkDNS, NetworkFlow, Notification

device_ip_longitude

Description Longitude for the IP address based on the MaxMind GeoIP database.
Type float
Mapped field  
Enrichment field true
Models supported Authentication, Audit, Email, Endpoint, Network, NetworkDHCP, NetworkHTTP, NetworkProxy, NetworkDNS, NetworkFlow, Notification

device_ip_region

Description State or Territory for the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported Authentication, Audit, Email, Endpoint, Network, NetworkDHCP, NetworkHTTP, NetworkProxy, NetworkDNS, NetworkFlow, Notification

device_ip_version

Description The version of IP protocol (4 or 6).
Type int
Mapped field  
Enrichment field true
Models supported Authentication, Audit, Email, Endpoint, Network, NetworkDHCP, NetworkHTTP, NetworkProxy, NetworkDNS, NetworkFlow, Notification

device_mac

Description The hardware identification number that uniquely identifies the device on a network.
Type string
Mapped field true
Enrichment field  
Models supported Authentication, Audit, Email, Endpoint, Network, NetworkDHCP, NetworkHTTP, NetworkProxy, NetworkDNS, NetworkFlow, Notification

device_natIp

Description The external IP in cases where the internal IP goes through network address translation.
Type string
Mapped field true
Enrichment field  
Models supported Authentication, Audit, Email, Endpoint, Network, NetworkDHCP, NetworkHTTP, NetworkProxy, NetworkDNS, NetworkFlow, Notification

device_natIp_asnNumber

Description An autonomous system number for the IP address based on the MaxMind GeoIP database.
Type int
Mapped field  
Enrichment field true
Models supported Authentication, Audit, Email, Endpoint, Network, NetworkDHCP, NetworkHTTP, NetworkProxy, NetworkDNS, NetworkFlow, Notification

device_natIp_asnOrg

Description Organization associated with the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported Authentication, Audit, Email, Endpoint, Network, NetworkDHCP, NetworkHTTP, NetworkProxy, NetworkDNS, NetworkFlow, Notification

device_natIp_city

Description City for the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported Authentication, Audit, Email, Endpoint, Network, NetworkDHCP, NetworkHTTP, NetworkProxy, NetworkDNS, NetworkFlow, Notification

device_natIp_countryCode

Description Country code for the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported Authentication, Audit, Email, Endpoint, Network, NetworkDHCP, NetworkHTTP, NetworkProxy, NetworkDNS, NetworkFlow, Notification

device_natIp_countryName

Description Country name for the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported Authentication, Audit, Email, Endpoint, Network, NetworkDHCP, NetworkHTTP, NetworkProxy, NetworkDNS, NetworkFlow, Notification

device_natIp_ipv4IntValue

Description The IPv4 address stored as an unsigned 64-bit integer value.
Type long
Mapped field  
Enrichment field true
Models supported Authentication, Audit, Email, Endpoint, Network, NetworkDHCP, NetworkHTTP, NetworkProxy, NetworkDNS, NetworkFlow, Notification

device_natIp_isInternal

Description Indicates whether the IP address is internal or external. True if internal, False if external.
Type boolean
Mapped field  
Enrichment field true
Models supported Authentication, Audit, Email, Endpoint, Network, NetworkDHCP, NetworkHTTP, NetworkProxy, NetworkDNS, NetworkFlow, Notification

device_natIp_isp

Description Internet Service Provider for the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported Authentication, Audit, Email, Endpoint, Network, NetworkDHCP, NetworkHTTP, NetworkProxy, NetworkDNS, NetworkFlow, Notification

device_natIp_latitude

Description Latitude for the IP address based on the MaxMind GeoIP database.
Type float
Mapped field  
Enrichment field true
Models supported Authentication, Audit, Email, Endpoint, Network, NetworkDHCP, NetworkHTTP, NetworkProxy, NetworkDNS, NetworkFlow, Notification

device_natIp_location

Description This value is populated based on the Network Blocks you have uploaded. When there is a match, it will be populated with the network block label.
Type string
Mapped field  
Enrichment field true
Models supported Authentication, Audit, Email, Endpoint, Network, NetworkDHCP, NetworkHTTP, NetworkProxy, NetworkDNS, NetworkFlow, Notification

device_natIp_longitude

Description Longitude for the IP address based on the MaxMind GeoIP database.
Type float
Mapped field  
Enrichment field true
Models supported Authentication, Audit, Email, Endpoint, Network, NetworkDHCP, NetworkHTTP, NetworkProxy, NetworkDNS, NetworkFlow, Notification

device_natIp_region

Description State or Territory for the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported Authentication, Audit, Email, Endpoint, Network, NetworkDHCP, NetworkHTTP, NetworkProxy, NetworkDNS, NetworkFlow, Notification

device_natIp_version

Description The version of IP protocol, 4 or 6.
Type int
Mapped field  
Enrichment field true
Models supported Authentication, Audit, Email, Endpoint, Network, NetworkDHCP, NetworkHTTP, NetworkProxy, NetworkDNS, NetworkFlow, Notification

device_uniqueId

Description The source-specific identifier for device, if available. This is frequently an instance id in cloud environments.
Type string
Mapped field true
Enrichment field  
Models supported Authentication, Audit, Email, Endpoint, Network, NetworkDHCP, NetworkHTTP, NetworkProxy, NetworkDNS, NetworkFlow, Notification

dns_query

Description The entire request made from the client machine to the DNS server.
Type string
Mapped field true
Enrichment field  
Models supported NetworkDNS

dns_queryDomain

Description This should be conditionally populated if the DNS request contains a domain.
Type string
Mapped field true
Enrichment field  
Models supported NetworkDNS

dns_queryDomain_alexaRank

Description Domain ranking in the Alexa top 10k sites. NULL if not in the list.
Type long
Mapped field  
Enrichment field true
Models supported NetworkDNS

dns_queryDomain_entropyFqdn

Description The entropy calculation of the fqdn field.
Type double
Mapped field  
Enrichment field true
Models supported NetworkDNS

dns_queryDomain_entropyRootDomain

Description The entropy calculation of the rootDomain field.
Type double
Mapped field  
Enrichment field true
Models supported NetworkDNS

dns_queryDomain_entropySubDomain

Description The entropy calculation of the subdomain.
Type double
Mapped field  
Enrichment field true
Models supported NetworkDNS

dns_queryDomain_fqdn

Description The fully qualified domain name, for example, somehost.sumologic.com.
Type string
Mapped field  
Enrichment field true
Models supported  

dns_queryDomain_possibleDga

Description Whether or not this domain is potentially a Domain Generation Algorithm created domain based on our backend analytics.
Type boolean
Mapped field  
Enrichment field true
Models supported  

dns_queryDomain_possibleDynDns

Description Indicates that a dynamically assigned (not static) IP address is likely associated with this domain.
Type boolean
Mapped field  
Enrichment field true
Models supported  

dns_queryDomain_rootDomain

Description The root domain of the hostname, for example, sumologic.com.
Type string
Mapped field  
Enrichment field true
Models supported NetworkDNS

dns_queryDomain_tld

Description The top-level-domain field of the domain name, for example, com, net, org, and so on.
Type string
Mapped field  
Enrichment field true
Models supported  

dns_queryType

Description The type of query that was made by the client machine.
Type string
Mapped field true
Enrichment field  
Models supported NetworkDNS

dns_reply

Description The DNS reply which can be a single record or multiple records concatenated into a string.
Type string
Mapped field true
Enrichment field  
Models supported NetworkDNS

dns_replyDomain

Description This should be conditionally populated if the DNS reply is a domain.
Type string
Mapped field true
Enrichment field  
Models supported  

dns_replyDomain_alexaRank

Description Domain ranking in the Alexa top 10k sites. NULL if not in the list.
Type long
Mapped field  
Enrichment field true
Models supported NetworkDNS

dns_replyDomain_entropyFqdn

Description The entropy calculation of the fqdn field.
Type double
Mapped field  
Enrichment field true
Models supported NetworkDNS

dns_replyDomain_entropyRootDomain

Description The entropy calculation of the rootDomain field.
Type double
Mapped field  
Enrichment field true
Models supported NetworkDNS

dns_replyDomain_entropySubDomain

Description The entropy calculation of the subDomain field.
Type double
Mapped field  
Enrichment field true
Models supported NetworkDNS

dns_replyDomain_fqdn

Description The fully qualified domain name, for example, somehost.sumologic.com.
Type string
Mapped field  
Enrichment field true
Models supported  

dns_replyDomain_possibleDga

Description Whether or not this domain is potentially a Domain Generation Algorithm created domain based on our backend analytics.
Type boolean
Mapped field  
Enrichment field true
Models supported NetworkDNS

dns_replyDomain_possibleDynDns

Description Indicates that a dynamically assigned (not static) IP address is likely associated with this domain.
Type boolean
Mapped field  
Enrichment field true
Models supported  

dns_replyDomain_rootDomain

Description The root domain of the hostname, for example, sumologic.com.
Type string
Mapped field  
Enrichment field true
Models supported NetworkDNS

dns_replyDomain_tld

Description The top-level-domain field of the domain name, for example, com, net, org, and so on.
Type string
Mapped field  
Enrichment field true
Models supported NetworkDNS

dns_replyIp

Description This should be conditionally populated if the DNS reply is an IP address.
Type string
Mapped field true
Enrichment field  
Models supported  

dns_replyIp_asnNumber

Description An autonomous system number for the IP address based on the MaxMind GeoIP database.
Type int
Mapped field  
Enrichment field  
Models supported NetworkDNS

dns_replyIp_asnOrg

Description Organization associated with the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported NetworkDNS

dns_replyIp_city

Description City associated with the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported  

dns_replyIp_countryCode

Description Country code associated with the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported NetworkDNS

dns_replyIp_countryName

Description Country name associated with the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported NetworkDNS

dns_replyIp_ipv4IntValue

Description The IPv4 address stored as an unsigned 64-bit integer value.
Type long
Mapped field  
Enrichment field true
Models supported NetworkDNS

dns_replyIp_isInternal

Description Signifies whether the IP address is internal or external. True if internal, False if external.
Type boolean
Mapped field  
Enrichment field true
Models supported NetworkDNS

dns_replyIp_isp

Description Internet Service Provider for the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported  

dns_replyIp_latitude

Description Latitude for the IP address based on the MaxMind GeoIP database.
Type float
Mapped field true
Enrichment field true
Models supported NetworkDNS

dns_replyIp_location

Description This value is populated based on the Network Blocks you have uploaded. When there is a match, it will be populated with the network block label.
Type string
Mapped field  
Enrichment field true
Models supported NetworkDNS

dns_replyIp_longitude

Description Longitude for the IP address based on the MaxMind GeoIP database.
Type float
Mapped field  
Enrichment field true
Models supported NetworkDNS

dns_replyIp_region

Description State or Territory for the IP address based on the MaxMind GeoIP database.
Type string
Mapped field true
Enrichment field true
Models supported NetworkDNS

dns_replyIp_version

Description The version of IP protocol, 4 or 6.
Type int
Mapped field  
Enrichment field true
Models supported NetworkDNS

dns_returnCode

Description Code indicating the outcome of a DNS request.
Type string
Mapped field true
Enrichment field  
Models supported NetworkDNS

dstDevice_hostname

Description Name associated with device on the network. If name normalization occurs this will be the normalized name.
Type string
Mapped field true
Enrichment field  
Models supported Network
Set by Value Normalization true

dstDevice_hostname_raw

Description The value of hostname set during mapping.
Type string
Mapped field  
Enrichment field true
Models supported  

dstDevice_ip

Description The native assigned IP address of the device.
Type string
Mapped field true
Enrichment field  
Models supported Network

dstDevice_ip_asnNumber

Description An autonomous system number for the IP address based on the MaxMind GeoIP database.
Type int
Mapped field  
Enrichment field true
Models supported Network

dstDevice_ip_asnOrg

Description Organization associated with the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported  

dstDevice_ip_city

Description City associated with the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported Network

dstDevice_ip_countryCode

Description Country code associated with the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported  

dstDevice_ip_countryName

Description Country name associated with the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported Network

dstDevice_ip_ipv4IntValue

Description The IPv4 address stored as an unsigned 64-bit integer value.
Type long
Mapped field  
Enrichment field true
Models supported  

dstDevice_ip_isInternal

Description Indicates whether the IP address is internal or external. True if internal, False if external.
Type boolean
Mapped field  
Enrichment field true
Models supported Network

dstDevice_ip_isp

Description Internet Service Provider for the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported Network

dstDevice_ip_latitude

Description Latitude for the IP address based on the MaxMind GeoIP database.
Type float
Mapped field  
Enrichment field true
Models supported Network

dstDevice_ip_location

Description This value is populated based on the Network Blocks you have uploaded. When there is a match, it will be populated with the network block label.
Type string
Mapped field  
Enrichment field true
Models supported Network

dstDevice_ip_longitude

Description Longitude for the IP address based on the MaxMind GeoIP database.
Type float
Mapped field  
Enrichment field true
Models supported Network

dstDevice_ip_region

Description State or Territory for the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported Network

dstDevice_ip_version

Description The version of IP protocol, 4 or 6.
Type int
Mapped field  
Enrichment field true
Models supported Network

dstDevice_mac

Description The hardware identification number that uniquely identifies the device on a network.
Type string
Mapped field true
Enrichment field  
Models supported Network

dstDevice_natIp

Description The external IP in cases where the internal IP goes through network address translation.
Type string
Mapped field true
Enrichment field  
Models supported Network

dstDevice_natIp_asnNumber

Description An autonomous system number for the IP address based on the MaxMind GeoIP database.
Type int
Mapped field  
Enrichment field true
Models supported Network

dstDevice_natIp_asnOrg

Description Organization associated with the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field  
Models supported Network

dstDevice_natIp_city

Description City associated with the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported Network

dstDevice_natIp_countryCode

Description Country code associated with the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported  

dstDevice_natIp_countryName

Description Country name associated with the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported Network

dstDevice_natIp_ipv4IntValue

Description The IPv4 address stored as an unsigned 64-bit integer value.
Type long
Mapped field  
Enrichment field true
Models supported Network

dstDevice_natIp_isInternal

Description Signifies whether the IP address is internal or external. True if internal, False if external.
Type boolean
Mapped field  
Enrichment field true
Models supported  

dstDevice_natIp_isp

Description Internet Service Provider for the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported Network

dstDevice_natIp_latitude

Description Latitude for the IP address based on the MaxMind GeoIP database.
Type float
Mapped field  
Enrichment field true
Models supported  

dstDevice_natIp_location

Description This value is populated based on the Network Blocks you have uploaded. When there is a match, it will be populated with the network block label.
Type string
Mapped field  
Enrichment field true
Models supported Network

dstDevice_natIp_longitude

Description Longitude for the IP address based on the MaxMind GeoIP database.
Type float
Mapped field  
Enrichment field true
Models supported  

dstDevice_natIp_region

Description State or Territory for the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported  

dstDevice_natIp_version

Description The version of IP protocol, 4 or 6.
Type int
Mapped field  
Enrichment field true
Models supported Network

dstDevice_uniqueId

Description The source-specific identifier for device, if available. This is frequently an instance id in cloud environments.
Type string
Mapped field true
Enrichment field  
Models supported Network

dstPort

Description The destination port for the network transaction.
Type int
Mapped field true
Enrichment field  
Models supported Network, NetworkProxy

email_messageId

Description Unique identifier of the email.
Type string
Mapped field true
Enrichment field  
Models supported Email

email_sender

Description Email of the user that sent the email.
Type string
Mapped field true
Enrichment field  
Models supported Email

email_subject

Description Subject of the email.
Type string
Mapped field true
Enrichment field  
Models supported Email

fields

Description This is a general purpose container for all un-mapped data from the log line.
Type map[string]string
Mapped field  
Enrichment field  
Models supported  

file_basename

Description The base file name plus extension (if present) minus any path components.
Type string
Mapped field true
Enrichment field  
Models supported AuditFile, Endpoint, Email, Network

file_hash_imphash

Description File hash created using the IMPHASH algorithm.
Type string
Mapped field true
Enrichment field  
Models supported AuditFile, Endpoint, Email, Network

file_hash_md5

Description File hash created using the MD5 algorithm.
Type string
Mapped field true
Enrichment field  
Models supported AuditFile, Endpoint, Email, Network

file_hash_pehash

Description File hash created using the PEHASH algorithm.
Type string
Mapped field true
Enrichment field  
Models supported AuditFile, Endpoint, Email, Network

file_hash_sha1

Description File hash created using the SHA1 algorithm.
Type string
Mapped field true
Enrichment field  
Models supported AuditFile, Endpoint, Email, Network

file_hash_sha256

Description File hash created using the SHA256 algorithm.
Type string
Mapped field true
Enrichment field  
Models supported AuditFile, Endpoint, Email, Network

file_hash_ssdeep

Description File hash created using the SSDEEP algorithm.
Type string
Mapped field true
Enrichment field  
Models supported AuditFile, Endpoint, Email, Network

file_mimeType

Description Two-part identifier for file formats and format contents transmitted on the Internet.
Type string
Mapped field true
Enrichment field  
Models supported AuditFile, Endpoint, Email, Network

file_path

Description The full path (if possible) of the file. This field may contain partial paths and serves as the general placeholder for path fields.
Type string
Mapped field true
Enrichment field  
Models supported AuditFile, Endpoint, Email, Network

file_size

Description Count of bytes taken up by the file.
Type long
Mapped field true
Enrichment field  
Models supported AuditFile, Endpoint, Email, Network

file_uid

Description The data source-specific unique identifier for the file.
Type  
Mapped field true
Enrichment field  
Models supported AuditFile, Endpoint, Email, Network

flowState

Description The state of the flow when the netflow log was generated.
Type string
Mapped field true
Enrichment field  
Models supported NetworkFlow

friendlyName

Description Name of the table the data is mapped to. Always Record for V3.
Type string
Mapped field  
Enrichment field  
Models supported  

fromUser_authDomain

Description The domain associated with this particular user, for example, sumologic.com, sumologic.local, and so on.
Type string
Mapped field true
Enrichment field  
Models supported AuthenticationPrivilegeEscalation

fromUser_email

Description The email address assigned to this user.
Type string
Mapped field true
Enrichment field  
Models supported AuthenticationPrivilegeEscalation

fromUser_userId

Description The source-unique identifier for the user account.
Type string
Mapped field true
Enrichment field  
Models supported AuthenticationPrivilegeEscalation

fromUser_username

Description The name commonly used to identify the user. May include the domain. If name normalization occurs, this will be the normalized name.
Type string
Mapped field  
Enrichment field  
Models supported AuthenticationPrivilegeEscalation
Set by Value Normalization true

fromUser_username_raw

Description The value of username set during mapping.
Type string
Mapped field  
Enrichment field true
Models supported  

http_hostname

Description Hostname from the client request.
Type string
Mapped field true
Enrichment field  
Models supported NetworkHTTP, NetworkProxy, Email

http_method

Description Type of request being made, for example, GET or POST.
Type string
Mapped field true
Enrichment field  
Models supported NetworkHTTP, NetworkProxy, Email

http_referer

Description Identifies the address of the webpage (i.e. the URI or IRI) which is linked to the resource being requested.
Type string
Mapped field true
Enrichment field  
Models supported NetworkHTTP, NetworkProxy, Email

http_referer_alexaRank

Description The domain's rank among the top 10k sites by Alexa traffic rank. NULL if not in the list.
Type long
Mapped field  
Enrichment field true
Models supported NetworkHTTP, NetworkProxy, Email

http_referer_entropyRootDomain

Description The entropy calculation of the rootDomain field.
Type double
Mapped field  
Enrichment field true
Models supported NetworkHTTP, NetworkProxy, Email

http_referer_fqdn

Description The fully qualified domain name in the URL, for example, somehost.sumologic.com.
Type string
Mapped field  
Enrichment field true
Models supported NetworkHTTP, NetworkProxy, Email

http_referer_path

Description The path component of a URL, for example, somepath/something.
Type string
Mapped field  
Enrichment field true
Models supported NetworkHTTP, NetworkProxy, Email

http_referer_possibleDga

Description Whether or not this domain is potentially a Domain Generation Algorithm created domain based on our backend analytics.
Type boolean
Mapped field  
Enrichment field true
Models supported NetworkHTTP, NetworkProxy, Email

http_referer_possibleDynDns

Description Indicates that a dynamically assigned (not static) IP address is likely associated with this domain.
Type boolean
Mapped field  
Enrichment field true
Models supported NetworkHTTP, NetworkProxy, Email

http_referer_protocol

Description The URL protocol, for example, https.
Type string
Mapped field  
Enrichment field true
Models supported NetworkHTTP, NetworkProxy, Email

http_referer_rootDomain

Description The root domain of the hostname in the URL, for example, sumologic.com.
Type string
Mapped field  
Enrichment field true
Models supported  

http_referer_tld

Description The top-level-domain field of the domain name in the URL, for example, com, net, org, and so on.
Type string
Mapped field  
Enrichment field true
Models supported NetworkHTTP, NetworkProxy, Email

http_response_contentLength

Description The number of bytes of data in the body of the response.
Type int
Mapped field true
Enrichment field  
Models supported NetworkHTTP, NetworkProxy, Email

http_response_contentType

Description The format of the data in the HTTP response.
Type string
Mapped field true
Enrichment field  
Models supported NetworkHTTP, NetworkProxy, Email

http_response_statusCode

Description The HTTP response code for a request.
Type int
Mapped field true
Enrichment field  
Models supported NetworkHTTP, NetworkProxy, Email

http_response_statusText

Description Contains the status message corresponding to the status code.
Type string
Mapped field true
Enrichment field  
Models supported NetworkHTTP, NetworkProxy, Email

http_url

Description URL to which the request was made.
Type string
Mapped field true
Enrichment field  
Models supported NetworkHTTP, NetworkProxy, Email

http_url_alexaRank

Description The domain's rank among the top 10k sites by Alexa traffic rank. NULL if not in the list.
Type long
Mapped field  
Enrichment field true
Models supported NetworkHTTP, NetworkProxy, Email

http_url_entropyFqdn

Description The entropy calculation of the fqdn field.
Type double
Mapped field  
Enrichment field true
Models supported NetworkHTTP, NetworkProxy, Email

http_url_entropyRootDomain

Description The entropy calculation of the rootDomain field.
Type double
Mapped field  
Enrichment field true
Models supported NetworkHTTP, NetworkProxy, Email

http_url_fqdn

Description The fully qualified domain name in the URL, for example, somehost.sumologic.com.
Type string
Mapped field  
Enrichment field true
Models supported NetworkHTTP, NetworkProxy, Email

http_url_path

Description The path component of a URL (e.g. somepath/something).
Type string
Mapped field  
Enrichment field true
Models supported NetworkHTTP, NetworkProxy, Email

http_url_possibleDga

Description Whether or not this domain was potentially created by a Domain Generation Algorithm (DGA), based on our backend analytics.
Type boolean
Mapped field  
Enrichment field true
Models supported NetworkHTTP, NetworkProxy, Email

http_url_possibleDynDns

Description Whether a dynamically (rather than statically) assigned IP address is likely associated with this domain.
Type boolean
Mapped field  
Enrichment field true
Models supported NetworkHTTP, NetworkProxy, Email

http_url_protocol

Description The URL protocol, for example, https.
Type string
Mapped field  
Enrichment field true
Models supported NetworkHTTP, NetworkProxy, Email

http_url_tld

Description The top-level-domain field of the domain name in the URL, for example, com, net, org, and so on.
Type string
Mapped field  
Enrichment field true
Models supported NetworkHTTP, NetworkProxy, Email

http_userAgent

Description Software agent that is acting on behalf of a user.
Type string
Mapped field true
Enrichment field  
Models supported  

ipProtocol

Description The network protocol used in the traffic that generated the log event.
Type string
Mapped field true
Enrichment field  
Models supported  

listMatches

Description Name(s) of the match list(s) that a value in the log matched on.
Type array[string]
Mapped field  
Enrichment field true
Models supported  

logonType

Description The type of authentication or logon that occurred.
Type string
Mapped field true
Enrichment field  
Models supported Authentication

matchedItems

Description Value(s) in the match list(s) that a value in the log matched on.
Type array[MatchedItem]
Mapped field  
Enrichment field true
Models supported  

metadata_defaultTz

Description Default timezone for timestamp parsing.
Type int
Mapped field  
Enrichment field  
Models supported all

metadata_deviceEventId

Description Event type given by the vendor for the log.
Type string
Mapped field  
Enrichment field  
Models supported all

metadata_mapperName

Description Sumo Logic CSE mapper name used to normalize the log.
Type string
Mapped field  
Enrichment field  
Models supported all

metadata_mapperUid

Description UID for the Sumo Logic CSE mapper used to normalize the log.
Type string
Mapped field  
Enrichment field  
Models supported all

metadata_parseTime

Description The time at which the log line was parsed into a record by the parser and mapper service in milliseconds since epoch.
Type long
Mapped field  
Enrichment field  
Models supported all

metadata_product

Description The specific product name of the data source. Note the name of the company who created the product is the metadata_vendor field.
Type string
Mapped field  
Enrichment field  
Models supported all

metadata_productGuid

Description UID for the normalized vendor + product combination for the log.
Type string
Mapped field  
Enrichment field  
Models supported all

metadata_receiptTime

Description The time at which the log line was received by the log sensor in milliseconds since epoch.
Type long
Mapped field  
Enrichment field  
Models supported all

metadata_schemaVersion

Description The current schema version (3).
Type int
Mapped field  
Enrichment field  
Models supported all

metadata_sensorId

Description UID of the Sumo Logic sensor used to ingest the log.
Type string
Mapped field  
Enrichment field  
Models supported all

metadata_sensorZone

Description A name propagated from the sensors. In the case where sensors are installed in environments with overlapping IP address spaces, this is used to distinguish two identical IP addresses from each other.
Type string
Mapped field  
Enrichment field  
Models supported all

metadata_sourceCategory

Description The Sumo Logic source category for the data.
Type string
Mapped field  
Enrichment field  
Models supported all

metadata_vendor

Description The name of the company responsible for the data source. Note the name of the product is in the metadata_product field.
Type string
Mapped field  
Enrichment field  
Models supported all

moduleType

Description The type of module being loaded on an endpoint, kernelspace or userspace.
Type string
Mapped field true
Enrichment field  
Models supported EndpointModuleLoad

normalizedSeverity

Description A normalized severity score, on a 1-5 scale with 1 being Informational and 5 being Critical.
Type int
Mapped field true
Enrichment field  
Models supported all

normalizedSeverity_description

Description A string representing the severity.
Type string
Mapped field  
Enrichment field true
Models supported  

objectType

Description The name of the top level schema object type, for example, Authentication, Audit, Endpoint, Network, Notification, and so on.
Type string
Mapped field  
Enrichment field  
Models supported  

packetsIn

Description The count of packets received in a network connection.
Type long
Mapped field true
Enrichment field  
Models supported NetworkFlow

packetsOut

Description The count of packets sent in a network connection.
Type long
Mapped field true
Enrichment field  
Models supported NetworkFlow

parentBaseImage

Description The base image name of a parent process, for example, notepad.exe.
Type string
Mapped field true
Enrichment field  
Models supported EndpointProcess

parentCommandLine

Description The command line of a parent process.
Type string
Mapped field true
Enrichment field  
Models supported EndpointProcess

parentPid

Description The process id of the program that initiated a process.
Type int
Mapped field true
Enrichment field  
Models supported EndpointProcess

pid

Description The process id of the process itself.
Type int
Mapped field  
Enrichment field  
Models supported EndpointProcess

processUid

Description A unique process identifier provided by the source record.
Type string
Mapped field true
Enrichment field  
Models supported EndpointProcess

resource

Description A generic placeholder for the resource being accessed within a log.
Type string
Mapped field true
Enrichment field  
Models supported AuditResourceAccess

severity

Description The source-specific severity level with no normalization.
Type string
Mapped field true
Enrichment field  
Models supported  

sourceUid

Description A UID that is defined by the record itself. Each record is assigned a UID during mapping, but this is the unique identifier field that may exist within an originating message.
Type string
Mapped field true
Enrichment field  
Models supported all

srcDevice_hostname

Description Name associated with device on the network. If name normalization occurs this will be the normalized name.
Type string
Mapped field  
Enrichment field true
Models supported Authentication, Audit, AuditResourceAccess, Email, Endpoint, Network
Set by Value Normalization true

srcDevice_hostname_raw

Description The value of hostname set during mapping.
Type string
Mapped field  
Enrichment field true
Models supported  

srcDevice_ip

Description The native assigned IP address of the device.
Type string
Mapped field true
Enrichment field  
Models supported Authentication, Audit, AuditResourceAccess, Email, Endpoint, Network

srcDevice_ip_asnNumber

Description An autonomous system number for the IP address based on the MaxMind GeoIP database.
Type int
Mapped field  
Enrichment field true
Models supported Authentication, Audit, AuditResourceAccess, Email, Endpoint, Network

srcDevice_ip_asnOrg

Description Organization associated with the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported Authentication, Audit, AuditResourceAccess, Email, Endpoint, Network

srcDevice_ip_city

Description City for the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported Authentication, Audit, AuditResourceAccess, Email, Endpoint, Network

srcDevice_ip_countryCode

Description Country Code for the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported Authentication, Audit, AuditResourceAccess, Email, Endpoint, Network

srcDevice_ip_countryName

Description Country Name for the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported Authentication, Audit, AuditResourceAccess, Email, Endpoint, Network

srcDevice_ip_ipv4IntValue

Description The IPv4 address stored as an unsigned 64-bit integer value.
Type long
Mapped field  
Enrichment field true
Models supported Authentication, Audit, AuditResourceAccess, Email, Endpoint, Network

srcDevice_ip_isInternal

Description Signifies whether the IP address is internal or external. True if internal, False if external.
Type boolean
Mapped field  
Enrichment field true
Models supported Authentication, Audit, AuditResourceAccess, Email, Endpoint, Network

srcDevice_ip_isp

Description Internet Service Provider for the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported Authentication, Audit, AuditResourceAccess, Email, Endpoint, Network

srcDevice_ip_latitude

Description Latitude for the IP address based on the MaxMind GeoIP database.
Type float
Mapped field  
Enrichment field true
Models supported Authentication, Audit, AuditResourceAccess, Email, Endpoint, Network

srcDevice_ip_location

Description This value is populated based on the Network Blocks you have uploaded. When there is a match, it will be populated with the network block label.
Type string
Mapped field  
Enrichment field true
Models supported Authentication, Audit, AuditResourceAccess, Email, Endpoint, Network

srcDevice_ip_longitude

Description Longitude for the IP address based on the MaxMind GeoIP database.
Type float
Mapped field  
Enrichment field true
Models supported Authentication, Audit, AuditResourceAccess, Email, Endpoint, Network

srcDevice_ip_region

Description State or Territory for the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported Authentication, Audit, AuditResourceAccess, Email, Endpoint, Network

srcDevice_ip_version

Description The version of IP protocol, 4 or 6.
Type int
Mapped field  
Enrichment field true
Models supported Authentication, Audit, AuditResourceAccess, Email, Endpoint, Network

srcDevice_mac

Description The hardware identification number that uniquely identifies the device on a network.
Type string
Mapped field true
Enrichment field  
Models supported Authentication, Audit, AuditResourceAccess, Email, Endpoint, Network

srcDevice_natIp

Description The external IP in cases where the internal IP goes through network address translation.
Type string
Mapped field true
Enrichment field  
Models supported Authentication, Audit, AuditResourceAccess, Email, Endpoint, Network

srcDevice_natIp_asnNumber

Description An autonomous system number for the IP address based on the MaxMind GeoIP database.
Type int
Mapped field  
Enrichment field true
Models supported Authentication, Audit, AuditResourceAccess, Email, Endpoint, Network

srcDevice_natIp_asnOrg

Description Organization associated with the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported Authentication, Audit, AuditResourceAccess, Email, Endpoint, Network

srcDevice_natIp_city

Description City associated with the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported Authentication, Audit, AuditResourceAccess, Email, Endpoint, Network

srcDevice_natIp_countryCode

Description Country Code associated with the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported Authentication, Audit, AuditResourceAccess, Email, Endpoint, Network

srcDevice_natIp_countryName

Description Country Name associated with the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported Authentication, Audit, AuditResourceAccess, Email, Endpoint, Network

srcDevice_natIp_ipv4IntValue

Description The IPv4 address stored as an unsigned 64-bit integer value.
Type long
Mapped field  
Enrichment field true
Models supported Authentication, Audit, AuditResourceAccess, Email, Endpoint, Network

srcDevice_natIp_isInternal

Description Indicates whether the IP address is internal or external. True if internal, False if external.
Type boolean
Mapped field  
Enrichment field true
Models supported Authentication, Audit, AuditResourceAccess, Email, Endpoint, Network

srcDevice_natIp_isp

Description Internet Service Provider for the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported Authentication, Audit, AuditResourceAccess, Email, Endpoint, Network

srcDevice_natIp_latitude

Description Latitude for the IP address based on the MaxMind GeoIP database.
Type float
Mapped field  
Enrichment field true
Models supported Authentication, Audit, AuditResourceAccess, Email, Endpoint, Network

srcDevice_natIp_location

Description This value is populated based on the Network Blocks you have uploaded. When there is a match, it will be populated with the network block label.
Type string
Mapped field  
Enrichment field true
Models supported Authentication, Audit, AuditResourceAccess, Email, Endpoint, Network

srcDevice_natIp_longitude

Description Longitude for the IP address based on the MaxMind GeoIP database.
Type float
Mapped field  
Enrichment field true
Models supported Authentication, Audit, AuditResourceAccess, Email, Endpoint, Network

srcDevice_natIp_region

Description State or Territory associated with the IP address based on the MaxMind GeoIP database.
Type string
Mapped field  
Enrichment field true
Models supported Authentication, Audit, AuditResourceAccess, Email, Endpoint, Network

srcDevice_natIp_version

Description The version of IP protocol, 4 or 6.
Type int
Mapped field  
Enrichment field true
Models supported Authentication, Audit, AuditResourceAccess, Email, Endpoint, Network

srcDevice_uniqueId

Description The source-specific identifier for the device (if available). This is frequently an instance id in cloud environments.
Type string
Mapped field true
Enrichment field  
Models supported Authentication, Audit, AuditResourceAccess, Email, Endpoint, Network

srcPort

Description The port used to initiate a network connection.
Type int
Mapped field true
Enrichment field  
Models supported Network, NetworkProxy

success

Description Boolean value to show whether or not an action was successful.
Type boolean
Mapped field true
Enrichment field  
Models supported Authentication, Audit

tcpProtocol

Description Application layer protocol used to establish the connection.
Type string
Mapped field true
Enrichment field  
Models supported  

threat_identifier

Description The identifier or indicator specific to a threat. Generally speaking, this should be populated with an indicator value.
Type string
Mapped field true
Enrichment field  
Models supported all

threat_name

Description Name of the threat.
Type string
Mapped field true
Enrichment field  
Models supported all

threat_referenceUrl

Description An external URL that can provide more information about the threat. This should NOT be the URL that represents an observed HTTP request.
Type string
Mapped field true
Enrichment field  
Models supported all

timestamp

Description The timestamp of the event in milliseconds since epoch.
Type long
Mapped field true
Enrichment field  
Models supported all

uid

Description UID for the parsed record in Sumo Logic CSE.
Type string
Mapped field  
Enrichment field  
Models supported  

user_authDomain

Description The domain associated with this particular user (e.g. sumologic.com, sumologic.local).
Type string
Mapped field true
Enrichment field  
Models supported Authentication, Audit, Endpoint, Email, Network, Notification

user_email

Description The associated email address assigned to this user.
Type string
Mapped field true
Enrichment field  
Models supported Authentication, Audit, Endpoint, Email, Network, Notification

user_userId

Description The source-unique identifier for the user account.
Type string
Mapped field true
Enrichment field  
Models supported Authentication, Audit, Endpoint, Email, Network, Notification

user_username

Description The name commonly used to identify the user. May include the domain. If name normalization occurs, this will be the normalized name.
Type string
Mapped field true
Enrichment field  
Models supported Authentication, Audit, Endpoint, Email, Network, Notification
Set by Value Normalization true

user_username_raw

Description The value of username set during mapping.
Type string
Mapped field  
Enrichment field true
Models supported  

vuln_bugtraq

Description BugTraq is a full disclosure moderated mailing list for the detailed discussion and announcement of computer security vulnerabilities.
Type string
Mapped field true
Enrichment field  
Models supported Notification Vulnerability

vuln_cert

Description CERT Coordination Center (CERT/CC) prioritizes coordination efforts on vulnerabilities.
Type string
Mapped field true
Enrichment field  
Models supported Notification Vulnerability

vuln_cve

Description Common Vulnerabilities and Exposures identifier for the vulnerability.
Type string
Mapped field true
Enrichment field  
Models supported Notification Vulnerability

vuln_cvss

Description CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat.
Type string
Mapped field true
Enrichment field  
Models supported Notification Vulnerability

vuln_name

Description Name of the vulnerability.
Type string
Mapped field true
Enrichment field  
Models supported Notification Vulnerability

vuln_reference

Description Location to find more information on the vulnerability.
Type string
Mapped field true
Enrichment field  
Models supported Notification Vulnerability