description: The category the event falls into
description: The event details
description: The array of event data
description: The event start time.
description: The event end time.
description: The event type description, e.g. launched new binary.
description: The event alert ID.
description: The origin of the event, e.g. AWS, User.
description: The model that triggered an alert.
description: The map of related fields to the detection alert.
description: Any user-based info involved in an alert.
description: Hostname field
description: Username field
description: Any application-based info involved in an alert.
description: Application field
- name: HAS_EXTERNAL_CONNS
description: HasExternalConns field
description: IsClient field
description: IsServer field
- name: EARLIEST_KNOWN_TIME
description: EarliestKnownTime field
description: Any machine-based info involved in an alert.
description: Hostname field
description: ExternalIP field
description: InstanceID field
description: InstanceName field
description: CPUPercentage field
description: InternalIPAddress field
description: IsExternal field
description: Any container-based info involved in an alert.
description: ImageRepo field
description: ImageTag field
- name: HAS_EXTERNAL_CONNS
description: HasExternalConns field
description: IsClient field
description: IsServer field
description: FirstSeenTime field
description: PodNamespace field
description: PodIPAddress field
description: Any DNS-based info involved in an alert.
description: Hostname field
description: PortList field
description: TotalINBytes field
description: TotalOUTBytes field
description: Any IP-based info involved in an alert.
description: SourceIPAddress field
description: TotalINBytes field
description: TotalOUTBytes field
description: ThreatTags field
description: ThreatSource field
description: Country field
description: Region field
description: PortList field
description: FirstSeenTime field
description: Any process-based info involved in an alert.
description: Hostname field
description: ProcessID field
- name: PROCESS_START_TIME
description: ProcessStartTime field
description: CommandLine field
description: CPUPercentage field
description: Any file-hash-based info involved in an alert.
description: FiledataHash field
description: MachineCount field
description: EXEPathList field
description: FirstSeenTime field
description: ISKnownBad field
description: Any executable filepath information.
description: EXEPath field
description: FirstSeenTime field
- name: LAST_FILEDATA_HASH
description: LastFileDataHash field
- name: LAST_PACKAGE_NAME
description: LastPackageName field
description: LastVersion field
description: LastFileOwner field
description: Source IP based information.
description: SourceIPAddress field
description: Region field
description: Country field
description: The service and endpoint.
description: EventSource field
description: EventName field
description: Region-based information.
description: Region field
description: RecipientAccountID field
description: CloudTrail user information.
description: Username field
description: AccountID field
description: APIList field
description: RegionList field
description: AccessKeyID field
description: Resource values.
description: Receiver account info.
description: RecipientAccountID field
description: AccountAlias field
description: Status field
description: EVALType field
description: EVALGUID field
description: Custom Rule info.
- name: LAST_UPDATED_TIME
description: LastUpdatedTime field
- name: LAST_UPDATED_USER
description: LastUpdatedUser field
description: DisplayFilter field
description: RuleGUID field
description: Violation Ref.
description: Reason field
description: Resource field
description: A reason for the violation.
description: Reason field
description: The severity level of the alert
description: The event start time.
timeFormat: strftime=%d %b %Y %H:%M %Z