Sumo Logic

Schema Models

Learn about CSE schema models and the attributes in each.

This topic lists the CSE schema attributes in each schema model.

Audit

Attribute Type
action string
application string
description string
device_hostname string
device_ip string
device_mac string
device_natIp string
device_uniqueId string
normalizedSeverity int
severity string
sourceUid string
success boolean
threat_identifier string
threat_name string
threat_referenceUrl string
timestamp long
user_authDomain string
user_email string
user_userId string
user_username string

AuditChange

Attribute Type
action string
application string
changeTarget string
changeType string
description string
device_hostname string
device_ip string
device_mac string
device_natIp string
device_uniqueId string
normalizedSeverity int
severity string
sourceUid string
success boolean
threat_identifier string
threat_name string
threat_referenceUrl string
timestamp long
user_authDomain string
user_email string
user_userId string
user_username string

AuditFile

Attribute Type
action string
application string
device_hostname string
description string
device_ip string
device_mac string
device_natIp string
device_uniqueId string
file_basename string
file_hash_imphash string
file_hash_md5 string
file_hash_pehash string
file_hash_sha1 string
file_hash_sha256 string
file_hash_ssdeep string
file_mimeType string
file_path string
file_size long
file_uid string
normalizedSeverity int
severity string
sourceUid string
srcDevice_hostname string
srcDevice_ip string
srcDevice_mac string
srcDevice_natIp string
srcDevice_uniqueId string
success boolean
threat_identifier string
threat_name string
threat_referenceUrl string
timestamp long
user_authDomain string
user_email string
user_userId string
user_username string

AuditResourceAccess

Attribute Type
action string
application string
description string
device_hostname string
device_ip string
device_mac string
device_natIp string
device_uniqueId string
normalizedSeverity int
resource string
severity string
sourceUid string
srcDevice_hostname string
srcDevice_ip string
srcDevice_mac string
srcDevice_natIp string
srcDevice_uniqueId string
success boolean
threat_identifier string
threat_name string
threat_referenceUrl string
timestamp long
user_authDomain string
user_email string
user_userId string
user_username string

Authentication

Attribute Type
action string
application string
description string
device_hostname string
device_ip string
device_mac string
device_natIp string
device_uniqueId string
logonType string
normalizedSeverity int
severity string
sourceUid string
srcDevice_hostname string
srcDevice_ip string
srcDevice_mac string
srcDevice_natIp string
srcDevice_uniqueId string
success boolean
threat_identifier string
threat_name string
threat_referenceUrl string
timestamp long
user_authDomain string
user_email string
user_userId string
user_username string

AuthenticationPrivilegeEscalation

Attribute Type
action string
application string
description string
device_hostname string
device_ip string
device_mac string
device_natIp string
device_uniqueId string
fromUser_authDomain string
fromUser_email string
fromUser_userId string
fromUser_username string
logonType string
normalizedSeverity int
severity string
sourceUid string
srcDevice_hostname string
srcDevice_ip string
srcDevice_mac string
srcDevice_natIp string
srcDevice_uniqueId string
success boolean
threat_identifier string
threat_name string
threat_referenceUrl string
timestamp long
user_authDomain string
user_email string
user_userId string
user_username string

Email

Attribute Type
action string
description string
device_hostname string
device_ip string
device_mac string
device_natIp string
device_uniqueId string
email_messageId string
email_sender string
email_subject string
file_basename string
file_hash_imphash string
file_hash_md5 string
file_hash_pehash string
file_hash_sha1 string
file_hash_sha256 string
file_hash_ssdeep string
file_mimeType string
file_path string
file_size long
file_uid string
http_hostname string
http_method string
http_referer string
http_response_contentLength int
http_response_contentType string
http_response_statusCode int
http_response_statusText string
http_url string
http_userAgent string
normalizedSeverity int
severity string
sourceUid string
srcDevice_hostname string
srcDevice_ip string
srcDevice_mac string
srcDevice_natIp string
srcDevice_uniqueId string
threat_identifier string
threat_name string
threat_referenceUrl string
timestamp long
user_authDomain string
user_email string
user_userId string
user_username string

Endpoint

Attribute Type
action string
description string
device_hostname string
device_ip string
device_mac string
device_natIp string
device_uniqueId string
file_basename string
file_hash_imphash string
file_hash_md5 string
file_hash_pehash string
file_hash_sha1 string
file_hash_sha256 string
file_hash_ssdeep string
file_mimeType string
file_path string
file_size long
file_uid string
normalizedSeverity int
severity string
sourceUid string
threat_identifier string
threat_name string
threat_referenceUrl string
timestamp long
user_authDomain string
user_email string
user_userId string
user_username string

EndpointModuleLoad

Attribute Type
normalizedSeverity int
file_size long
timestamp long
action string
description string
device_hostname string
device_ip string
device_mac string
device_natIp string
device_uniqueId string
file_basename string
file_hash_imphash string
file_hash_md5 string
file_hash_pehash string
file_hash_sha1 string
file_hash_sha256 string
file_hash_ssdeep string
file_mimeType string
file_path string
file_uid string
moduleType string
severity string
sourceUid string
threat_identifier string
threat_name string
threat_referenceUrl string
user_authDomain string
user_email string
user_userId string
user_username string

EndpointProcess

Attribute Type
action string
baseImage string
commandLine string
description string
device_hostname string
device_ip string
device_mac string
device_natIp string
device_uniqueId string
file_basename string
file_hash_imphash string
file_hash_md5 string
file_hash_pehash string
file_hash_sha1 string
file_hash_sha256 string
file_hash_ssdeep string
file_mimeType string
file_path string
file_size long
file_uid string
normalizedSeverity int
parentPid int
pid int
processUid string
severity string
sourceUid string
threat_identifier string
threat_name string
threat_referenceUrl string
timestamp long
user_authDomain string
user_email string
user_userId string
user_username string

Network

Attribute Type
action string
description string
dstDevice_hostname string
dstDevice_ip string
dstDevice_mac string
dstDevice_natIp string
dstDevice_uniqueId string
dstPort int
file_basename string
file_hash_imphash string
file_hash_md5 string
file_hash_pehash string
file_hash_sha1 string
file_hash_sha256 string
file_hash_ssdeep string
file_mimeType string
file_path string
file_size long
file_uid string
ipProtocol string
normalizedSeverity int
severity string
sourceUid string
srcDevice_hostname string
srcDevice_ip string
srcDevice_mac string
srcDevice_natIp string
srcDevice_uniqueId string
srcPort int
tcpProtocol string
threat_identifier string
threat_name string
threat_referenceUrl string
timestamp long
user_authDomain string
user_email string
user_userId string
user_username string

NetworkDHCP

Attribute Type
action string
description string
device_hostname string
device_ip string
device_mac string
device_natIp string
device_uniqueId string
dstDevice_hostname string
dstDevice_ip string
dstDevice_mac string
dstDevice_natIp string
dstDevice_uniqueId string
dstPort int
file_basename string
file_hash_imphash string
file_hash_md5 string
file_hash_pehash string
file_hash_sha1 string
file_hash_sha256 string
file_hash_ssdeep string
file_mimeType string
file_path string
file_size long
file_uid string
ipProtocol string
normalizedSeverity int
severity string
sourceUid string
srcDevice_hostname string
srcDevice_ip string
srcDevice_mac string
srcDevice_natIp string
srcDevice_uniqueId string
srcPort int
tcpProtocol string
threat_identifier string
threat_name string
threat_referenceUrl string
timestamp long
user_authDomain string
user_email string
user_userId string
user_username string

NetworkDNS

Attribute Type
action string
description string
dns_query string
dns_queryDomain string
dns_queryType string
dns_reply string
dns_replyDomain string
dns_replyIp string
dns_returnCode string
dstDevice_hostname string
dstDevice_ip string
dstDevice_mac string
dstDevice_natIp string
dstDevice_uniqueId string
dstPort int
file_basename string
file_hash_imphash string
file_hash_md5 string
file_hash_pehash string
file_hash_sha1 string
file_hash_sha256 string
file_hash_ssdeep string
file_mimeType string
file_path string
file_size long
file_uid string
ipProtocol string
normalizedSeverity int
severity string
sourceUid string
srcDevice_hostname string
srcDevice_ip string
srcDevice_mac string
srcDevice_natIp string
srcDevice_uniqueId string
srcPort int
tcpProtocol string
threat_identifier string
threat_name string
threat_referenceUrl string
timestamp long
user_authDomain string
user_email string
user_userId string
user_username string

NetworkFlow

Attribute Type
action string
bytesIn long
bytesOut long
description string
dstDevice_hostname string
dstDevice_ip string
dstDevice_mac string
dstDevice_natIp string
dstDevice_uniqueId string
dstPort int
file_basename string
file_hash_imphash string
file_hash_md5 string
file_hash_pehash string
file_hash_sha1 string
file_hash_sha256 string
file_hash_ssdeep string
file_mimeType string
file_path string
file_size long
file_uid string
flowState string
ipProtocol string
normalizedSeverity int
packetsIn long
packetsOut long
severity string
sourceUid string
srcDevice_hostname string
srcDevice_ip string
srcDevice_mac string
srcDevice_natIp string
srcDevice_uniqueId string
srcPort int
tcpProtocol string
threat_identifier string
threat_name string
threat_referenceUrl string
timestamp long
user_authDomain string
user_email string
user_userId string
user_username string

NetworkHTTP

Attribute Type
action string
description string
device_hostname string
device_ip string
device_mac string
device_natIp string
device_uniqueId string
dstDevice_hostname string
dstDevice_ip string
dstDevice_mac string
dstDevice_natIp string
dstDevice_uniqueId string
dstPort int
file_basename string
file_hash_imphash string
file_hash_md5 string
file_hash_pehash string
file_hash_sha1 string
file_hash_sha256 string
file_hash_ssdeep string
file_mimeType string
file_path string
file_size long
file_uid string
http_hostname string
http_method string
http_referer string
http_response_contentLength int
http_response_contentType string
http_response_statusCode int
http_response_statusText string
http_url string
http_userAgent string
ipProtocol string
normalizedSeverity int
severity string
sourceUid string
srcDevice_hostname string
srcDevice_ip string
srcDevice_mac string
srcDevice_natIp string
srcDevice_uniqueId string
srcPort int
tcpProtocol string
threat_identifier string
threat_name string
threat_referenceUrl string
timestamp long
user_authDomain string
user_email string
user_userId string
user_username string

NetworkProxy

Attribute Type
action string
description string
device_hostname string
device_ip string
device_mac string
device_natIp string
device_uniqueId string
dstDevice_hostname string
dstDevice_ip string
dstDevice_mac string
dstDevice_natIp string
dstDevice_uniqueId string
dstPort int
file_basename string
file_hash_imphash string
file_hash_md5 string
file_hash_pehash string
file_hash_sha1 string
file_hash_sha256 string
file_hash_ssdeep string
file_mimeType string
file_path string
file_size long
file_uid string
http_hostname string
http_method string
http_referer string
http_response_contentLength int
http_response_contentType string
http_response_statusCode int
http_response_statusText string
http_url string
http_userAgent string
ipProtocol string
normalizedSeverity int
severity string
sourceUid string
srcDevice_hostname string
srcDevice_ip string
srcDevice_mac string
srcDevice_natIp string
srcDevice_uniqueId string
srcPort int
tcpProtocol string
threat_identifier string
threat_name string
threat_referenceUrl string
timestamp long
user_authDomain string
user_email string
user_userId string
user_username string

Notification

Attribute Type
application string
description string
device_hostname string
device_ip string
device_mac string
device_natIp string
device_uniqueId string
normalizedSeverity int
severity string
sourceUid string
threat_identifier string
threat_name string
threat_referenceUrl string
timestamp long
user_authDomain string
user_email string
user_userId string
user_username string

NotificationVulnerability

Attribute Type
application string
description string
device_hostname string
device_ip string
device_mac string
device_natip string
device_uniqueid string
normalizedseverity int
severity string
sourceuid string
threat_identifier string
threat_name string
threat_referenceurl string
timestamp long
user_authdomain string
user_email string
user_userid string
user_username string
vuln_bugtraq string
vuln_cert string
vuln_cve string
vuln_cvss string
vuln_name string
vuln_reference string