dictionary.json

{
  "caption": "Attribute Dictionary",
  "description": "The Attribute Dictionary defines attributes and includes references to the events and objects in which they are used.",
  "name": "dictionary",
  "attributes": {
    "access_list": {
      "caption": "Access List",
      "description": "The list of requested access rights.",
      "is_array": true,
      "type": "string_t"
    },
    "auth_factors": {
      "caption": "Authentication Factors",
      "description": "Describes a category of methods used for identity verification in an authentication attempt.",
      "is_array": true,
      "type": "auth_factor"
    },
    "access_mask": {
      "caption": "Access Mask",
      "description": "The access mask in a platform-native format.",
      "type": "integer_t"
    },
    "access_result": {
      "caption": "Access Check Result",
      "description": "The list of access check results.",
      "type": "json_t"
    },
    "accessed_time": {
      "caption": "Accessed Time",
      "description": "The time when the file was last accessed.",
      "type": "timestamp_t"
    },
    "accessor": {
      "caption": "Accessor",
      "description": "The name of the user who last accessed the object.",
      "type": "user"
    },
    "account": {
      "caption": "Account",
      "description": "The account object describes details about the account that was the source or target of the activity.",
      "type": "account"
    },
    "ack_reason": {
      "caption": "Acknowledgement Reason",
      "description": "An integer that provides a reason code or additional information about the acknowledgment result.",
      "type": "integer_t"
    },
    "ack_result": {
      "caption": "Acknowledgement Result",
      "description": "An integer that denotes the acknowledgment result of the DCE/RPC call.",
      "type": "integer_t"
    },
    "activity_id": {
      "caption": "Activity ID",
      "description": "The normalized identifier of the activity that triggered the event.",
      "enum": {
        "99": {
          "caption": "Other",
          "description": "The event activity is not mapped. See the <code>activity_name</code> attribute, which contains a data source specific value."
        },
        "0": {
          "caption": "Unknown",
          "description": "The event activity is unknown."
        }
      },
      "sibling": "activity_name",
      "type": "integer_t"
    },
    "activity_name": {
      "caption": "Activity",
      "description": "The event activity name, as defined by the activity_id.",
      "type": "string_t"
    },
    "action": {
      "caption": "Action",
      "description": "The normalized caption of 'action_id' or the source specific action.",
      "type": "string_t" 
    },
    "action_id": {
      "caption": "Action ID",
      "description": "The normalized action taken by a control or other policy-based system leading to an outcome or disposition.",
      "enum": {
        "99": {
          "caption": "Other",
          "description": "The action was not mapped. See the <code>action</code> attribute, which contains a data source specific value."
        },
        "0": {
          "caption": "Unknown",
          "description": "The action was unknown."
        },
        "1": {
          "caption": "Allowed",
          "description": "The activity was allowed."
        },
        "2": {
          "caption": "Denied",
          "description": "The attempted activity was denied."
        }
      },
      "type": "integer_t",
      "sibling": "action"
    },
    "actor": {
      "caption": "Actor",
      "description": "The actor object describes details about the user/role/process that was the source of the activity.",
      "type": "actor"
    },
    "actual_permissions": {
      "caption": "Actual Permissions",
      "description": "The permissions that were granted to the in a platform-native format.",
      "type": "integer_t"
    },
    "affected_code": {
      "caption": "Affected Code",
      "description": "List of Affected Code objects that describe details about code blocks identified as vulnerable.",
      "is_array": true,
      "type": "affected_code"
    },
    "affected_packages": {
      "caption": "Affected Software Packages",
      "description": "List of software packages identified as affected by a vulnerability/vulnerabilities.",
      "is_array": true,
      "type": "affected_package"
    },
    "alert": {
      "caption": "Client TLS Alert",
      "description": "The integer value of TLS alert if present. The alerts are defined in the TLS specification in <a target='_blank' href='https://datatracker.ietf.org/doc/html/rfc2246'>RFC-2246</a>.",
      "type": "integer_t"
    },
    "algorithm": {
      "caption": "Algorithm",
      "description": "The applicable algorithm, normalized to the caption of 'algorithm_id'. See specific usage.",
      "type": "string_t"
    },
    "algorithm_id": {
      "caption": "Algorithm ID",
      "description": "The identifier of the normalized algorithm. See specific usage.",
      "enum": {
        "99": {
          "caption": "Other",
          "description": "The algorithm is not mapped. See the <code>algorithm</code> attribute, which contains a data source specific value."
        },
        "0": {
          "caption": "Unknown",
          "description": "The algorithm is unknown."
        }
      },
      "sibling": "algorithm",
      "type": "integer_t"
    },
    "analytic": {
      "caption": "Analytic",
      "description": "The analytic technique used to analyze and derive insights from the data or information that led to the finding or conclusion.",
      "type": "analytic"
    },
    "answers": {
      "caption": "DNS Answer",
      "description": "The Domain Name System (DNS) answers.",
      "is_array": true,
      "type": "dns_answer"
    },
    "api": {
      "caption": "API Details",
      "description": "Describes details about a typical API (Application Programming Interface) call.",
      "type": "api"
    },
    "app": {
      "caption": "Application",
      "description": "The application that reported the event.",
      "type": "product"
    },
    "app_name": {
      "caption": "Application Name",
      "description": "The name of the application that is associated with the event or object.",
      "type": "string_t"
    },
    "architecture": {
      "caption": "Architecture",
      "description": "Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on.",
      "type": "string_t"
    },
    "args": {
      "caption": "HTTP Arguments",
      "description": "The arguments sent along with the HTTP request.",
      "type": "string_t"
    },
    "assignee": {
      "caption": "Assignee",
      "description": "The details of the user assigned to an Incident.",
      "type": "user"
    },
    "assignee_group": {
      "caption": "Assignee Group",
      "description": "The details of the group assigned to an Incident.",
      "type": "group"
    },
    "attacks": {
      "caption": "MITRE ATT&CK® Details",
      "description": "An array of <a target='_blank' href='https://attack.mitre.org'>MITRE ATT&CK®</a> objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
      "is_array": true,
      "type": "attack"
    },
    "attempt": {
      "caption": "Attempt",
      "description": "The delivery attempt.",
      "type": "integer_t"
    },
    "attributes": {
      "caption": "Attributes",
      "description": "The bitmask value that represents the file attributes.",
      "type": "integer_t"
    },
    "auth_protocol": {
      "caption": "Auth Protocol",
      "description": "The authentication protocol as defined by the caption of 'auth_protocol_id'. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "auth_protocol_id": {
      "caption": "Auth Protocol ID",
      "description": "The normalized identifier of the authentication protocol used to create the user session.",
      "enum": {
        "99": {
          "caption": "Other",
          "description": "The authentication protocol is not mapped. See the <code>auth_protocol</code> attribute, which contains a data source specific value."
        },
        "0": {
          "caption": "Unknown",
          "description": "The authentication protocol is unknown."
        },
        "1": {
          "caption": "NTLM"
        },
        "10": {
          "caption": "RADIUS"
        },
        "2": {
          "caption": "Kerberos"
        },
        "3": {
          "caption": "Digest"
        },
        "4": {
          "caption": "OpenID"
        },
        "5": {
          "caption": "SAML"
        },
        "6": {
          "caption": "OAUTH 2.0"
        },
        "7": {
          "caption": "PAP"
        },
        "8": {
          "caption": "CHAP"
        },
        "9": {
          "caption": "EAP"
        }
      },
      "sibling": "auth_protocol",
      "type": "integer_t"
    },
    "auth_type": {
      "caption": "Authentication Type",
      "description": "The agreed upon authentication type, normalized to the caption of 'auth_type_id'. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "auth_type_id": {
      "caption": "Authentication Type ID",
      "description": "The normalized identifier of the agreed upon authentication type. See specific usage.",
      "enum": {
        "99": {
          "caption": "Other",
          "description": "The authentication type is not mapped. See the <code>auth_type</code> attribute, which contains a data source specific value."
        },
        "0": {
          "caption": "Unknown",
          "description": "The authentication type is unknown."
        }
      },
      "sibling": "auth_type",
      "type": "integer_t"
    },
    "authorizations": {
      "caption": "Authorization Information",
      "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
      "is_array": true,
      "type": "authorization"
    },
    "autoscale_uid": {
      "caption": "Autoscale UID",
      "description": "The unique identifier of the cloud autoscale configuration.",
      "type": "string_t"
    },
    "banner": {
      "caption": "SMTP Banner",
      "description": "The initial SMTP connection response that a messaging server receives after it connects to a email server.",
      "type": "string_t"
    },
    "base_address": {
      "caption": "Base Address",
      "description": "The memory address where the module was loaded.",
      "type": "string_t"
    },
    "base_score": {
      "caption": "Base Score",
      "description": "The base score as reported by the event source. See specific usage.",
      "type": "float_t"
    },
    "bios_date": {
      "caption": "BIOS Date",
      "description": "The BIOS date. For example: <code>03/31/16</code>.",
      "type": "string_t"
    },
    "bios_manufacturer": {
      "caption": "BIOS Manufacturer",
      "description": "The BIOS manufacturer. For example: <code>LENOVO</code>.",
      "type": "string_t"
    },
    "bios_ver": {
      "caption": "BIOS Version",
      "description": "The BIOS version. For example: <code>LENOVO G5ETA2WW (2.62)</code>.",
      "type": "string_t"
    },
    "boundary": {
      "caption": "Boundary",
      "description": "The boundary of the connection, normalized to the caption of 'boundary_id'. In the case of 'Other', it is defined by the event source. <p> For cloud connections, this translates to the traffic-boundary(same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.</p>",
      "type": "string_t"
    },
    "boundary_id": {
      "caption": "Boundary ID",
      "description": "<p>The normalized identifier of the boundary of the connection. </p><p> For cloud connections, this translates to the traffic-boundary (same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.</p>",
      "enum": {
        "99": {
          "caption": "Other",
          "description": "The boundary is not mapped. See the <code>boundary</code> attribute, which contains a data source specific value."
        },
        "0": {
          "caption": "Unknown",
          "description": "The connection boundary is unknown."
        },
        "1": {
          "caption": "Localhost",
          "description": "Local network traffic on the same endpoint."
        },
        "10": {
          "caption": "Gateway VPC",
          "description": "Through a gateway VPC endpoint (Nitro-based instances only)"
        },
        "11": {
          "caption": "Internet Gateway",
          "description": "Through an Internet gateway (Nitro-based instances only)"
        },
        "2": {
          "caption": "Internal",
          "description": "Internal network traffic between two endpoints inside network."
        },
        "3": {
          "caption": "External",
          "description": "External network traffic between two endpoints on the Internet or outside the network."
        },
        "4": {
          "caption": "Same VPC",
          "description": "Through another resource in the same VPC"
        },
        "5": {
          "caption": "Internet/VPC Gateway",
          "description": "Through an Internet gateway or a gateway VPC endpoint"
        },
        "6": {
          "caption": "Virtual Private Gateway",
          "description": "Through a virtual private gateway"
        },
        "7": {
          "caption": "Intra-region VPC",
          "description": "Through an intra-region VPC peering connection"
        },
        "8": {
          "caption": "Inter-region VPC",
          "description": "Through an inter-region VPC peering connection"
        },
        "9": {
          "caption": "Local Gateway",
          "description": "Through a local gateway"
        }
      },
      "sibling": "boundary",
      "type": "integer_t"
    },
    "build": {
      "caption": "OS Build",
      "description": "The operating system build number.",
      "type": "string_t"
    },
    "bulletin": {
      "caption": "Patch Bulletin",
      "description": "The vendor bulletin identifier.",
      "type": "string_t"
    },
    "bytes": {
      "caption": "Total Bytes",
      "description": "The total number of bytes (in and out).",
      "type": "long_t"
    },
    "bytes_in": {
      "caption": "Bytes In",
      "description": "The number of bytes sent from the destination to the source.",
      "type": "long_t"
    },
    "bytes_out": {
      "caption": "Bytes Out",
      "description": "The number of bytes sent from the source to the destination.",
      "type": "long_t"
    },
    "capabilities": {
      "caption": "Capabilities",
      "description": "A list of RDP capabilities.",
      "is_array": true,
      "type": "string_t"
    },
    "caption": {
      "caption": "Caption",
      "description": "A short description or caption of the device. For example: <code>Scanner 1</code> or <code>Database Manager</code>.",
      "type": "string_t"
    },
    "categories": {
      "caption": "Website Categorization",
      "description": "The Website categorization names, as defined by <code>category_ids</code> enum values.",
      "is_array": true,
      "type": "string_t"
    },
    "category": {
      "caption": "Category",
      "description": "The object category. See specific usage.",
      "type": "string_t"
    },
    "category_ids": {
      "caption": "Website Categorization IDs",
      "description": "The Website categorization identifies.",
      "enum": {
        "99": {
          "caption": "Other",
          "description": "The Domain/URL category is not mapped. See the <code>categories</code> attribute, which contains a data source specific value."
        },
        "0": {
          "caption": "Unknown",
          "description": "The Domain/URL category is unknown."
        },
        "1": {
          "caption": "Adult/Mature Content"
        },
        "101": {
          "caption": "Spam"
        },
        "102": {
          "caption": "Potentially Unwanted Software"
        },
        "103": {
          "caption": "Dynamic DNS Host"
        },
        "106": {
          "caption": "E-Card/Invitations"
        },
        "107": {
          "caption": "Informational"
        },
        "108": {
          "caption": "Computer/Information Security"
        },
        "109": {
          "caption": "Internet Connected Devices"
        },
        "11": {
          "caption": "Gambling"
        },
        "110": {
          "caption": "Internet Telephony"
        },
        "111": {
          "caption": "Online Meetings"
        },
        "112": {
          "caption": "Media Sharing"
        },
        "113": {
          "caption": "Radio/Audio Streams"
        },
        "114": {
          "caption": "TV/Video Streams"
        },
        "118": {
          "caption": "Piracy/Copyright Concerns"
        },
        "121": {
          "caption": "Marijuana"
        },
        "14": {
          "caption": "Violence/Hate/Racism"
        },
        "15": {
          "caption": "Weapons"
        },
        "16": {
          "caption": "Abortion"
        },
        "17": {
          "caption": "Hacking"
        },
        "18": {
          "caption": "Phishing"
        },
        "20": {
          "caption": "Entertainment"
        },
        "21": {
          "caption": "Business/Economy"
        },
        "22": {
          "caption": "Alternative Spirituality/Belief"
        },
        "23": {
          "caption": "Alcohol"
        },
        "24": {
          "caption": "Tobacco"
        },
        "25": {
          "caption": "Controlled Substances"
        },
        "26": {
          "caption": "Child Pornography"
        },
        "27": {
          "caption": "Education"
        },
        "29": {
          "caption": "Charitable Organizations"
        },
        "3": {
          "caption": "Pornography"
        },
        "30": {
          "caption": "Art/Culture"
        },
        "31": {
          "caption": "Financial Services"
        },
        "32": {
          "caption": "Brokerage/Trading"
        },
        "33": {
          "caption": "Games"
        },
        "34": {
          "caption": "Government/Legal"
        },
        "35": {
          "caption": "Military"
        },
        "36": {
          "caption": "Political/Social Advocacy"
        },
        "37": {
          "caption": "Health"
        },
        "38": {
          "caption": "Technology/Internet"
        },
        "4": {
          "caption": "Sex Education"
        },
        "40": {
          "caption": "Search Engines/Portals"
        },
        "43": {
          "caption": "Malicious Sources/Malnets"
        },
        "44": {
          "caption": "Malicious Outbound Data/Botnets"
        },
        "45": {
          "caption": "Job Search/Careers"
        },
        "46": {
          "caption": "News/Media"
        },
        "47": {
          "caption": "Personals/Dating"
        },
        "49": {
          "caption": "Reference"
        },
        "5": {
          "caption": "Intimate Apparel/Swimsuit"
        },
        "50": {
          "caption": "Mixed Content/Potentially Adult"
        },
        "51": {
          "caption": "Chat (IM)/SMS"
        },
        "52": {
          "caption": "Email"
        },
        "53": {
          "caption": "Newsgroups/Forums"
        },
        "54": {
          "caption": "Religion"
        },
        "55": {
          "caption": "Social Networking"
        },
        "56": {
          "caption": "File Storage/Sharing"
        },
        "57": {
          "caption": "Remote Access Tools"
        },
        "58": {
          "caption": "Shopping"
        },
        "59": {
          "caption": "Auctions"
        },
        "6": {
          "caption": "Nudity"
        },
        "60": {
          "caption": "Real Estate"
        },
        "61": {
          "caption": "Society/Daily Living"
        },
        "63": {
          "caption": "Personal Sites"
        },
        "64": {
          "caption": "Restaurants/Dining/Food"
        },
        "65": {
          "caption": "Sports/Recreation"
        },
        "66": {
          "caption": "Travel"
        },
        "67": {
          "caption": "Vehicles"
        },
        "68": {
          "caption": "Humor/Jokes"
        },
        "7": {
          "caption": "Extreme"
        },
        "71": {
          "caption": "Software Downloads"
        },
        "83": {
          "caption": "Peer-to-Peer (P2P)"
        },
        "84": {
          "caption": "Audio/Video Clips"
        },
        "85": {
          "caption": "Office/Business Applications"
        },
        "86": {
          "caption": "Proxy Avoidance"
        },
        "87": {
          "caption": "For Kids"
        },
        "88": {
          "caption": "Web Ads/Analytics"
        },
        "89": {
          "caption": "Web Hosting"
        },
        "9": {
          "caption": "Scam/Questionable/Illegal"
        },
        "90": {
          "caption": "Uncategorized"
        },
        "92": {
          "caption": "Suspicious"
        },
        "93": {
          "caption": "Sexual Expression"
        },
        "95": {
          "caption": "Translation"
        },
        "96": {
          "caption": "Non-Viewable/Infrastructure"
        },
        "97": {
          "caption": "Content Servers"
        },
        "98": {
          "caption": "Placeholders"
        }
      },
      "is_array": true,
      "sibling": "categories",
      "type": "integer_t"
    },
    "category_name": {
      "caption": "Category",
      "description": "The event category name, as defined by category_uid value.",
      "type": "string_t"
    },
    "category_uid": {
      "caption": "Category ID",
      "description": "The category unique identifier of the event.",
      "sibling": "category_name",
      "type": "integer_t"
    },
    "cc": {
      "caption": "Cc",
      "description": "The email header Cc values, as defined by RFC 5322.",
      "is_array": true,
      "type": "email_t"
    },
    "certificate": {
      "caption": "Certificate",
      "description": "The certificate object containing information about the digital certificate.",
      "type": "certificate"
    },
    "certificate_chain": {
      "caption": "Certificate Chain",
      "description": "The Chain of Certificate Serial Numbers field provides a chain of Certificate Issuer Serial Numbers leading to the Root Certificate Issuer.",
      "is_array": true,
      "type": "string_t"
    },
    "chassis": {
      "caption": "Chassis",
      "description": "The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows <a target='_blank' href='https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-systemenclosure'>Windows Chassis Types</a>",
      "type": "string_t"
    },
    "chunks": {
      "caption": "Chunks",
      "description": "A unit of information within an SCTP packet, consisting of a chunk header and chunk-specific content. See RFC 4960. This field can be used for the total number of chunks (in and out).",
      "type": "long_t"
    },
    "chunks_in": {
      "caption": "Chunks In",
      "description": "A unit of information within an SCTP packet, consisting of a chunk header and chunk-specific content. See RFC 4960. This field can be used for the chunks sent from the destination to the source.",
      "type": "long_t"
    },
    "chunks_out": {
      "caption": "Chunks Out",
      "description": "A unit of information within an SCTP packet, consisting of a chunk header and chunk-specific content. See RFC 4960. This field can be used for the chunks sent from the source to the destination.",
      "type": "long_t"
    },
    "cipher": {
      "caption": "Cipher Suite",
      "description": "The negotiated cipher suite.",
      "type": "string_t"
    },
    "cis_benchmark_result": {
      "caption": "CIS Benchmark Result",
      "description": "The CIS benchmark result.",
      "type": "cis_benchmark_result"
    },
    "cis_benchmark": {
      "caption": "CIS Benchmark",
      "description": "The CIS Benchmark describes best practices for securely configuring IT systems, software, networks, and cloud infrastructure as defined by the Center for Internet Security (<a target='_blank' href='https://www.cisecurity.org/cis-benchmarks/'>CIS</a>).",
      "type": "cis_benchmark"
    },
    "cis_csc": {
      "caption": "CIS CSC",
      "description": "The CIS Critical Security Controls is a list of top 20 actions and practices an organization’s security team can take on such that cyber attacks or malware, are minimized and prevented.",
      "is_array": true,
      "type": "cis_csc"
    },
    "cis_controls": {
      "caption": "CIS Controls",
      "description": "The CIS Critical Security Controls is a prioritized set of actions to protect your organization and data from cyber-attack vectors.",
      "is_array": true,
      "type": "cis_control"
    },
    "city": {
      "caption": "City",
      "description": "The name of the city.",
      "type": "string_t"
    },
    "class": {
      "caption": "Class",
      "description": "The class name of the object. See specific usage.",
      "type": "string_t"
    },
    "class_name": {
      "caption": "Class",
      "description": "The event class name, as defined by class_uid value.",
      "type": "string_t"
    },
    "class_uid": {
      "caption": "Class ID",
      "description": "The unique identifier of a class. A Class describes the attributes available in an event.",
      "sibling": "class_name",
      "type": "integer_t"
    },
    "classification_ids": {
      "caption": "Classification IDs",
      "description": "The list of normalized identifiers of the malware classifications. Reference: <a target='_blank' href='https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_oxlc4df65spl'>STIX Malware Types</a> ",
      "enum": {},
      "is_array": true,
      "sibling": "classifications",
      "type": "integer_t"
    },
    "classification": {
      "caption": "Classification",
      "description": "The classification as defined by the vendor.",
      "type": "string_t"
    },
    "classifications": {
      "caption": "Classifications",
      "description": "The list of malware classifications, normalized to the captions of the classification_id values. In the case of 'Other', they are defined by the event source.",
      "is_array": true,
      "type": "string_t"
    },
    "client_ciphers": {
      "caption": "Client Cipher Suites",
      "description": "The client cipher suites that were exchanged during the TLS handshake negotiation.",
      "is_array": true,
      "type": "string_t"
    },
    "client_dialects": {
      "caption": "Client Dialects",
      "description": "The list of SMB dialects that the client speaks.",
      "is_array": true,
      "type": "string_t"
    },
    "client_hassh": {
      "caption": "Client HASSH",
      "description": "The Client HASSH fingerprinting object.",
      "type": "hassh"
    },
    "cloud": {
      "caption": "Cloud",
      "description": "Describes details about the Cloud environment where the event was originally created or logged.",
      "type": "cloud"
    },
    "cloud_partition": {
      "caption": "Cloud Partition",
      "description": "The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).",
      "type": "string_t"
    },
    "cmd_line": {
      "caption": "Command Line",
      "description": "The full command line used to launch an application, service, process, or job. For example: <code>ssh user@10.0.0.10</code>. If the command line is unavailable or missing, the empty string <code>''</code> is to be used",
      "type": "string_t"
    },
    "code": {
      "caption": "Response Code",
      "description": "The numeric response sent to a request.",
      "type": "integer_t"
    },
    "codes": {
      "caption": "Response Codes",
      "description": "The list of numeric responses sent to a request.",
      "is_array": true,
      "type": "integer_t"
    },
    "color_depth": {
      "caption": "Color Depth",
      "description": "The numeric color depth.",
      "type": "integer_t"
    },
    "command": {
      "caption": "Command",
      "description": "The command name.",
      "type": "string_t"
    },
    "command_response": {
      "caption": "Command Response",
      "description": "The response to the command.",
      "type": "string_t"
    },
    "command_responses": {
      "caption": "Command Responses",
      "description": "The responses to the command.",
      "is_array": true,
      "type": "string_t"
    },
    "command_uid": {
      "caption": "Command UID",
      "description": "The unique command identifier.",
      "type": "string_t"
    },
    "comment": {
      "caption": "Comment",
      "description": "The user-provided comment.",
      "type": "string_t"
    },
    "company_name": {
      "caption": "Company Name",
      "description": "The name of the company that published the file. For example: <code>Microsoft Corporation</code>.",
      "type": "string_t"
    },
    "compliance": {
      "caption": "Compliance",
      "description": "The compliance object provides context to compliance findings (e.g., a check against a specific regulatory or best practice framework such as CIS, NIST etc.) and contains compliance related details.",
      "type": "compliance"
    },
    "component": {
      "caption": "Component",
      "description": "<p>The name or relative pathname of a sub-component of the data object, if applicable. </p>For example: <code>attachment.doc</code>, <code>attachment.zip/bad.doc</code>, or <code>part.mime/part.cab/part.uue/part.doc</code>.",
      "type": "string_t"
    },
    "confidence": {
      "caption": "Confidence",
      "description": "The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "confidence_id": {
      "caption": "Confidence Id",
      "description": "The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The normalized confidence is unknown."
        },
        "1": {
          "caption": "Low"
        },
        "2": {
          "caption": "Medium"
        },
        "3": {
          "caption": "High"
        },
        "99": {
          "caption": "Other",
          "description": "The confidence is not mapped to the defined enum values. See the <code>confidence</code> attribute, which contains a data source specific value."
        }
      },
      "type": "integer_t"
    },
    "confidence_score": {
      "caption": "Confidence Score",
      "description": "The confidence score as reported by the event source.",
      "type": "integer_t"
    },
    "confidentiality": {
      "caption": "Confidentiality",
      "description": "The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "confidentiality_id": {
      "caption": "Confidentiality ID",
      "description": "The normalized identifier of the file content confidentiality indicator.",
      "enum": {
        "99": {
          "caption": "Other",
          "description": "The confidentiality is not mapped. See the <code>confidentiality</code> attribute, which contains a data source specific value."
        },
        "0": {
          "caption": "Unknown",
          "description": "The confidentiality is unknown."
        },
        "1": {
          "caption": "Not Confidential"
        },
        "2": {
          "caption": "Confidential"
        },
        "3": {
          "caption": "Secret"
        },
        "4": {
          "caption": "Top Secret"
        }
      },
      "sibling": "confidentiality",
      "type": "integer_t"
    },
    "connection_info": {
      "caption": "Connection Info",
      "description": "The network connection information.",
      "type": "network_connection_info"
    },
    "connection_uid": {
      "caption": "Connection Identifier",
      "description": "The network connection identifier.",
      "type": "string_t"
    },
    "container": {
      "caption": "Container",
      "description": "The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.",
      "type": "container"
    },
    "containers": {
      "caption": "Containers",
      "description": "When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. For example, this may be the set of containers involved in handling api requests and responses for a containerized application.",
      "is_array": true,
      "type": "container"
    },
    "content_type": {
      "caption": "HTTP Content Type",
      "description": "The request header that identifies the original <a target='_blank' href='https://www.iana.org/assignments/media-types/media-types.xhtml'>media type </a> of the resource (prior to any content encoding applied for sending).",
      "type": "string_t"
    },
    "continent": {
      "caption": "Continent",
      "description": "The name of the continent.",
      "type": "string_t"
    },
    "control": {
      "caption": "Security Control",
      "description": "A Control is prescriptive, prioritized, and simplified set of best practices that one can use to strengthen their cybersecurity posture. e.g. AWS SecurityHub Controls, CIS Controls.",
      "type": "string_t"
    },
    "coordinates": {
      "caption": "Coordinates",
      "description": "A two-element array, containing a longitude/latitude pair. The format conforms with <a target='_blank' href='https://geojson.org'>GeoJSON</a>. For example: <code>[-73.983, 40.719]</code>.",
      "is_array": true,
      "type": "float_t"
    },
    "correlation_uid": {
      "caption": "Correlation UID",
      "description": "The unique identifier used to correlate events.",
      "type": "string_t"
    },
    "cost_center": {
      "caption": "Cost Center",
      "description": "The cost center associated with the user.",
      "type": "string_t"
    },
    "count": {
      "caption": "Count",
      "description": "The number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.",
      "type": "integer_t"
    },
    "country": {
      "caption": "Country",
      "description": "The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see <a target='_blank' href='https://www.iso.org/obp/ui/#iso:pub:PUB500001:en' >ISO 3166-1 alpha-2 codes</a>.<p><b>Note:</b> The two letter country code should be capitalized. For example: <code>US</code> or <code>CA</code>.</p>",
      "type": "string_t"
    },
    "cpe_name": {
      "caption": "The product CPE identifier",
      "description": "The Common Platform Enumeration (CPE) name as described by (<a target='_blank' href='https://nvd.nist.gov/products/cpe'>NIST</a>) For example: <code>cpe:/a:apple:safari:16.2</code>.",
      "type": "string_t"
    },
    "cpu_bits": {
      "caption": "CPU Bits",
      "description": "The cpu architecture, the number of bits used for addressing in memory. For example: <code>32</code> or <code>64</code>.",
      "type": "integer_t"
    },
    "cpu_cores": {
      "caption": "CPU Cores",
      "description": "The number of processor cores in all installed processors. For Example: <code>42</code>.",
      "type": "integer_t"
    },
    "cpu_count": {
      "caption": "CPU Count",
      "description": "The number of physical processors on a system. For example: <code>1</code>.",
      "type": "integer_t"
    },
    "cpu_speed": {
      "caption": "Processor Speed",
      "description": "The speed of the processor in Mhz. For Example: <code>4200</code>.",
      "type": "integer_t"
    },
    "cpu_type": {
      "caption": "Processor Type",
      "description": "The processor type. For example: <code>x86 Family 6 Model 37 Stepping 5</code>.",
      "type": "string_t"
    },
    "create_mask": {
      "caption": "Create Mask",
      "description": "The original Windows mask that is required to create the object.",
      "type": "string_t"
    },
    "created_time": {
      "caption": "Created Time",
      "description": "The time when the object was created. See specific usage.",
      "type": "timestamp_t"
    },
    "creator": {
      "caption": "Creator",
      "description": "The user that created the object associated with event. See specific usage.",
      "type": "user"
    },
    "credential_uid": {
      "caption": "User Credential ID",
      "description": "The unique identifier of the user's credential. For example, AWS Access Key ID.",
      "type": "string_t"
    },
    "criticality": {
      "caption": "Criticality",
      "description": "Criticality of a resource/object in question",
      "type": "string_t"
    },
    "security_level": {
      "caption": "Security Level",
      "description": "The current security level of the entity",
      "type": "string_t"
    },
    "security_level_id": {
      "caption": "Security Level ID",
      "description": "The current security level of the entity",
      "enum": {
        "99": {
          "caption": "Other",
          "description": "The security level is not mapped. See the <code>security_level</code> attribute, which contains data source specific values."
        },
        "0": {
          "caption": "Unknown"
        },
        "1": {
          "caption": "Secure"
        },
        "2": {
          "caption": "At Risk"
        },
        "3": {
          "caption": "Compromised"
        }
      },
      "sibling": "security_level",
      "type": "integer_t"
    },
    "security_states": {
      "caption": "Security States",
      "description": "The current security states. See specific usage.",
      "is_array": true,
      "type": "security_state"
    },
    "customer_uid": {
      "@deprecated": {
        "message": "Use the <code> tenant_uid </code> attribute instead.",
        "since": "1.1.0"
      },
      "caption": "Customer UID",
      "description": "The unique customer identifier.",
      "type": "string_t"
    },
    "cve": {
      "caption": "CVE",
      "description": "The Common Vulnerabilities and Exposures (<a target='_blank' href='https://cve.mitre.org/'>CVE</a>).",
      "type": "cve"
    },
    "cves": {
      "caption": "CVE List",
      "description": "List of Common Vulnerabilities and Exposures (<a target='_blank' href='https://cve.mitre.org/'>CVE</a>).",
      "is_array": true,
      "type": "cve"
    },
    "cvss": {
      "caption": "CVSS Score",
      "description": "The CVSS object details Common Vulnerability Scoring System (<a target='_blank' href='https://www.first.org/cvss/'>CVSS</a>) scores from the advisory that are related to the vulnerability.",
      "is_array": true,
      "type": "cvss"
    },
    "cwe": {
      "caption": "CWE",
      "description": "The CWE object represents a weakness in a software system that can be exploited by a threat actor to perform an attack. The CWE object is based on the <a target='_blank' href='https://cwe.mitre.org/'>Common Weakness Enumeration (CWE)</a> catalog.",
      "type": "cwe"
    },
    "cwe_uid": {
      "@deprecated": {
        "message": "Use the <code> cwe </code> object attributes instead.",
        "since": "1.1.0"
      },
      "caption": "CWE UID",
      "description": "The <a target='_blank' href='https://cwe.mitre.org/'>Common Weakness Enumeration (CWE)</a> unique identifier. For example: <code>CWE-787</code>.",
      "type": "string_t"
    },
    "cwe_url": {
      "@deprecated": {
        "message": "Use the <code> cwe </code> object attributes instead.",
        "since": "1.1.0"
      },
      "caption": "CWE URL",
      "description": "Common Weakness Enumeration (CWE) definition URL. For example: <code>https://cwe.mitre.org/data/definitions/787.html</code>.",
      "type": "url_t"
    },
    "data": {
      "caption": "Data",
      "description": "The additional data that is associated with the event or object. See specific usage.",
      "type": "json_t"
    },
    "database": {
      "caption": "Database",
      "description": "The database object is used for databases which are typically datastore services that contain an organized collection of structured and unstructured data or a types of data.",
      "type": "database"
    },
    "databucket": {
      "caption": "Databucket",
      "description": "The data bucket object is a basic container that holds data, typically organized through the use of data partitions.",
      "type": "databucket"
    },
    "data_sources": {
      "caption": "Data Sources",
      "description": "A list of data sources utilized in generation of the finding.",
      "is_array": true,
      "type": "string_t"
    },
    "dce_rpc": {
      "caption": "Distributed Computing Environment/Remote Procedure Call (DCE/RPC)",
      "description": "The DCE/RPC object describes the remote procedure call system for distributed computing environments.",
      "type": "dce_rpc"
    },
    "decision": {
      "caption": "Authorization Decision/Outcome",
      "description": "Decision/outcome of the authorization mechanism (e.g. Approved, Denied)",
      "type": "string_t"
    },
    "delay": {
      "caption": "Root Delay",
      "description": "The total round-trip delay to the reference clock in milliseconds.",
      "type": "integer_t"
    },
    "deleted_time": {
      "caption": "Deleted Time",
      "description": "The timestamp when the user was deleted. In Active Directory (AD), when a user is deleted they are moved to a temporary container and then removed after 30 days. So, this field can be populated even after a user is deleted for the next 30 days.",
      "type": "timestamp_t"
    },
    "delivered_to": {
      "caption": "Delivered To",
      "description": "The <strong>Delivered-To</strong> email header field.",
      "type": "email_t"
    },
    "depth": {
      "caption": "CVSS Depth",
      "description": "The CVSS depth represents a depth of the equation used to calculate CVSS score.",
      "enum": {
        "Base": {
          "caption": "Base"
        },
        "Environmental": {
          "caption": "Environmental"
        },
        "Temporal": {
          "caption": "Temporal"
        }
      },
      "type": "string_t"
    },
    "desc": {
      "caption": "Description",
      "description": "The description that pertains to the object or event. See specific usage.",
      "type": "string_t"
    },
    "desktop_display": {
      "caption": "Desktop Display",
      "description": "The desktop display affiliated with the event",
      "type": "display"
    },
    "details": {
      "caption": "Details",
      "description": "Details of an entity. See specific usage",
      "type": "string_t"
    },
    "detection_uid": {
      "caption": "Detection UID",
      "description": "The associated unique detection event identifier. For example: detection response events include the <b>Detection ID</b> of the original event.",
      "type": "string_t"
    },
    "developer_uid": {
      "caption": "Developer UID",
      "description": "The developer ID on the certificate that signed the file.",
      "type": "string_t"
    },
    "device": {
      "caption": "Device",
      "description": "An addressable device, computer system or host.",
      "type": "device"
    },
    "devices": {
      "caption": "Devices",
      "description": "The object describes details related to the list of devices.",
      "is_array": true,
      "type": "device"
    },
    "dialect": {
      "caption": "Dialect",
      "description": "The negotiated protocol dialect.",
      "type": "string_t"
    },
    "digest": {
      "caption": "Message Digest",
      "description": "The message digest attribute contains the fixed length message hash representation and the corresponding hashing algorithm information.",
      "type": "fingerprint"
    },
    "direction": {
      "caption": "Direction",
      "description": "The direction of the initiated connection, traffic, or email, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "direction_id": {
      "caption": "Direction ID",
      "description": "The normalized identifier of the direction of the initiated connection, traffic, or email.",
      "enum": {
        "0": {
          "description": "The connection direction is unknown.",
          "caption": "Unknown"
        },
        "1": {
          "description": "Inbound network connection. The connection was originated from the Internet or outside network, destined for services on the inside network.",
          "caption": "Inbound"
        },
        "2": {
          "description": "Outbound network connection. The connection was originated from inside the network, destined for services on the Internet or outside network.",
          "caption": "Outbound"
        },
        "3": {
          "description": "Lateral network connection. The connection was originated from inside the network, destined for services on the inside network.",
          "caption": "Lateral"
        },
        "99": {
          "caption": "Other",
          "description": "The direction is not mapped. See the <code>direction</code> attribute, which contains a data source specific value."
        }
      },
      "sibling": "direction",
      "type": "integer_t"
    },
    "dispersion": {
      "caption": "Root Dispersion",
      "description": "The dispersion in the NTP protocol is the estimated time error or uncertainty relative to the reference clock in milliseconds.",
      "type": "integer_t"
    },
    "disposition": {
      "caption": "Disposition",
      "description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "disposition_id": {
      "caption": "Disposition ID",
      "description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
      "enum": {
        "99": {
          "caption": "Other",
          "description": "The disposition is not mapped. See the <code>disposition</code> attribute, which contains a data source specific value."
        },
        "0": {
          "caption": "Unknown",
          "description": "The disposition is unknown."
        }
      },
      "sibling": "disposition",
      "type": "integer_t"
    },
    "dkim": {
      "caption": "DKIM Status",
      "description": "The DomainKeys Identified Mail (DKIM) status of the email.",
      "type": "string_t"
    },
    "dkim_domain": {
      "caption": "DKIM Domain",
      "description": "The DomainKeys Identified Mail (DKIM) signing domain of the email.",
      "type": "string_t"
    },
    "dkim_signature": {
      "caption": "DKIM Signature",
      "description": "The DomainKeys Identified Mail (DKIM) signature used by the sending/receiving system.",
      "type": "string_t"
    },
    "dmarc": {
      "caption": "DMARC Status",
      "description": "The Domain-based Message Authentication, Reporting and Conformance (DMARC) status of the email.",
      "type": "string_t"
    },
    "dmarc_override": {
      "caption": "DMARC Override",
      "description": "The Domain-based Message Authentication, Reporting and Conformance (DMARC) override action.",
      "type": "string_t"
    },
    "dmarc_policy": {
      "caption": "DMARC Policy",
      "description": "The Domain-based Message Authentication, Reporting and Conformance (DMARC) policy status.",
      "type": "string_t"
    },
    "domain": {
      "caption": "Domain",
      "description": "The name of the domain.",
      "type": "string_t"
    },
    "driver": {
      "caption": "Kernel Driver",
      "description": "The driver that was loaded/unloaded into the kernel",
      "type": "kernel_driver"
    },
    "dst_endpoint": {
      "caption": "Destination Endpoint",
      "description": "The network destination endpoint.",
      "type": "network_endpoint"
    },
    "duration": {
      "caption": "Duration",
      "description": "The event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.",
      "type": "integer_t"
    },
    "edition": {
      "caption": "OS Edition",
      "description": "The operating system edition. For example: <code>Professional</code>.",
      "type": "string_t"
    },
    "email": {
      "caption": "Email",
      "description": "The email object.",
      "type": "email"
    },
    "email_addr": {
      "caption": "Email Address",
      "description": "The user's primary email address.",
      "type": "email_t"
    },
    "email_addrs": {
      "caption": "Email Addresses",
      "description": "A list of additional email addresses for the user.",
      "is_array": true,
      "type": "email_t"
    },
    "email_auth": {
      "caption": "Email Authentication",
      "description": "The SPF, DKIM and DMARC attributes of an email.",
      "type": "email_auth"
    },
    "email_uid": {
      "caption": "Email UID",
      "description": "The unique identifier of the email, used to correlate related email alert and activity events.",
      "type": "string_t"
    },
    "employee_uid": {
      "caption": "Employee ID",
      "description": "The employee identifier assigned to the user by the organization.",
      "type": "string_t"
    },
    "end_line": {
      "caption": "End Line",
      "description": "The line number of the last line of code block identified as vulnerable.",
      "type": "integer_t"
    },
    "end_time": {
      "caption": "End Time",
      "description": "The end time of a time period. See specific usage.",
      "type": "timestamp_t"
    },
    "endpoint_connections": {
      "caption": "Endpoint Connections",
      "description": "Contains information about network connection attempts. See specific usage.",
      "is_array": true,
      "type": "endpoint_connection"
    },
    "enrichments": {
      "caption": "Enrichments",
      "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>",
      "is_array": true,
      "type": "enrichment"
    },
    "entity": {
      "caption": "Entity",
      "description": "The managed entity that is being acted upon.",
      "type": "managed_entity"
    },
    "entity_result": {
      "caption": "Entity Result",
      "description": "The updated managed entity.",
      "type": "managed_entity"
    },
    "epoch": {
      "caption": "Epoch",
      "description": "The software package epoch. Epoch is a way to define weighted dependencies based on version numbers.",
      "type": "integer_t"
    },
    "epss": {
      "caption": "EPSS",
      "description": "The Exploit Prediction Scoring System (EPSS) object describes the estimated probability a vulnerability will be exploited. EPSS is a community-driven effort to combine descriptive information about vulnerabilities (CVEs) with evidence of actual exploitation in-the-wild. (<a target='_blank' href='https://www.first.org/epss/'>EPSS</a>).",
      "type": "epss"
    },
    "error": {
      "caption": "Error Code",
      "description": "Error Code",
      "type": "string_t"
    },
    "error_message": {
      "caption": "Error Message",
      "description": "Error Message",
      "type": "string_t"
    },
    "event_code": {
      "caption": "Event Code",
      "description": "The Event ID or Code that the product uses to describe the event.",
      "type": "string_t"
    },
    "evidence": {
      "@deprecated": {
        "message": "Use the <code> evidences </code> attribute instead.",
        "since": "1.1.0"
      },
      "caption": "Evidence",
      "description": "The data the finding exposes to the analyst.",
      "type": "json_t"
    },
    "evidences": {
      "caption": "Evidence Artifacts",
      "description": "Describes various evidence artifacts associated to the activity/activities that triggered a security detection.",
      "is_array": true,
      "type": "evidences"
    },
    "exit_code": {
      "caption": "Exit Code",
      "description": "The exit code reported by a process when it terminates. The convention is that zero indicates success and any non-zero exit code indicates that some error occurred.",
      "type": "integer_t"
    },
    "expiration_reason": {
      "caption": "Expiration Reason",
      "description": "The expiration reason. See specific usage.",
      "type": "string_t"
    },
    "expiration_time": {
      "caption": "Expiration Time",
      "description": "The expiration time. See specific usage.",
      "type": "timestamp_t"
    },
    "extension": {
      "@deprecated": {
        "message": "Use the <code> extensions </code> attribute instead.",
        "since": "1.1.0"
      },
      "caption": "Schema Extension",
      "description": "The schema extension used to create the event.",
      "type": "extension"
    },
    "extensions": {
      "caption": "Schema Extensions",
      "description": "The schema extensions used to create the event.",
      "is_array": true,
      "type": "extension"
    },
    "extension_list": {
      "@deprecated": {
        "message": "Use the <code> tls_extension_list </code> attribute instead.",
        "since": "1.1.0"
      },
      "caption": "Extension List",
      "description": "The list of TLS extensions.",
      "is_array": true,
      "type": "tls_extension"
    },
    "factor_type": {
      "caption": "Factor Type",
      "description": "The type of authentication factor used in an authentication attempt.",
      "type": "string_t"
    },
    "factor_type_id": {
      "caption": "Factor Type ID",
      "description": "The normalized identifier for the authentication factor.",
      "enum": {
        "0": {
          "caption": "Unknown"
        },
        "1": {
          "caption": "SMS",
          "description": "User receives and inputs a code sent to their mobile device via SMS text message."
        },
        "2": {
          "caption": "Security Question",
          "description": "The user responds to a security question as part of a question-based authentication factor"
        },
        "3": {
          "caption": "Phone Call",
          "description": "System calls the user's registered phone number and requires the user to answer and provide a response."
        },
        "4": {
          "caption": "Biometric",
          "description": "Devices that verify identity-based on user's physical identifiers, such as fingerprint scanners or retina scanners."
        },
        "5": {
          "caption": "Push Notification",
          "description": "Push notification is sent to user's registered device and requires the user to acknowledge."
        },
        "6": {
          "caption": "Hardware Token",
          "description": "Physical device that generates a code to be used for authentication."
        },
        "7": {
          "caption": "OTP",
          "description": "Application generates a one-time password (OTP) for use in authentication."
        },
        "8": {
          "caption": "Email",
          "description": "A code or link is sent to a user's registered email address."
        },
        "9": {
          "caption": "U2F",
          "description": "Typically involves a hardware token, which the user physically interacts with to authenticate."
        },
        "10": {
          "caption": "WebAuthn",
          "description": "Web-based API that enables users to register devices as authentication factors."
        },
        "11": {
          "caption": "Password",
          "description": "The user enters a password that they have previously established."
        },
        "99": {
          "caption": "Other"
        }
      },
      "sibling": "factor_type",
      "type": "integer_t"
    },
    "feature": {
      "caption": "Feature",
      "description": "The feature that reported the event.",
      "type": "feature"
    },
    "file": {
      "caption": "File",
      "description": "The file that pertains to the event or object. See specific usage.",
      "type": "file"
    },
    "file_diff": {
      "caption": "File Diff",
      "description": "File content differences used for change detection. For example, a common use case is to identify itemized changes within INI or configuration/property setting values.",
      "type": "string_t"
    },
    "file_result": {
      "caption": "File Result",
      "description": "The result of the file change. It should contain the new values of the changed attributes.",
      "type": "file"
    },
    "finding": {
      "caption": "Finding",
      "description": "The Finding object provides details about a finding/detection generated by a security tool.",
      "type": "finding"
    },
    "finding_info": {
      "caption": "Finding Information",
      "description": "Describes the supporting information about a generated finding.",
      "type": "finding_info"
    },
    "finding_info_list": {
      "caption": "Finding Information List",
      "description": "A list of <code>finding_info</code> objects associated to an incident.",
      "is_array": true,
      "type": "finding_info"
    },
    "fingerprint": {
      "caption": "Fingerprint",
      "description": "The digital fingerprint associated with an object.",
      "type": "fingerprint"
    },
    "fingerprints": {
      "caption": "Fingerprints",
      "description": "An array of digital fingerprint objects.",
      "is_array": true,
      "type": "fingerprint"
    },
    "firewall_rule": {
      "caption": "Firewall Rule",
      "description": "The firewall rule that triggered the event.",
      "type": "firewall_rule"
    },
    "first_seen_time": {
      "caption": "First Seen",
      "description": "The initial detection time of the activity or object. See specific usage",
      "type": "timestamp_t"
    },
    "fixed_in_version": {
      "caption": "Fixed In Version",
      "description": "The software package version in which a reported vulnerability was patched/fixed.",
      "type": "string_t"
    },
    "fix_available": {
      "@deprecated": {
        "message": "Use the <code> is_fix_available </code> attribute instead.",
        "since": "1.1.0"
      },
      "caption": "Fix Availability",
      "description": "Indicates if a fix is available for the reported vulnerability.",
      "type": "boolean_t"
    },
    "flag_ids": {
      "caption": "Communication Flag IDs",
      "description": "The list of normalized identifiers of the communication flag IDs.",
      "enum": {},
      "is_array": true,
      "sibling": "flags",
      "type": "integer_t"
    },
    "flags": {
      "caption": "Flags",
      "description": "The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source.",
      "is_array": true,
      "type": "string_t"
    },
    "folder": {
      "caption": "Folder",
      "description": "The folder that pertains to the event.",
      "type": "file"
    },
    "from": {
      "caption": "From",
      "description": "The email header From values, as defined by RFC 5322.",
      "type": "email_t"
    },
    "full_name": {
      "caption": "Full Name",
      "description": "The full name of the person, as per the LDAP Common Name attribute (cn).",
      "type": "string_t"
    },
    "function_keys": {
      "caption": "Function Keys",
      "description": "The number of function keys on client keyboard.",
      "type": "integer_t"
    },
    "function_name": {
      "caption": "Function Name",
      "description": "The entry-point function of the module. The system calls the entry-point function whenever a process or thread loads or unloads the module.",
      "type": "string_t"
    },
    "given_name": {
      "caption": "Given Name",
      "description": "The given or first name of the user.",
      "type": "string_t"
    },
    "group": {
      "caption": "Group",
      "description": "The group object associated with an entity such as user, policy, or rule.",
      "type": "group"
    },
    "group_name": {
      "@deprecated": {
        "message": "Use the <code> group.name </code> attribute instead.",
        "since": "1.1.0"
      },
      "caption": "Group Name",
      "description": "The name of the group that the resource belongs to.",
      "type": "string_t"
    },
    "groups": {
      "caption": "Groups",
      "description": "The groups to which an entity belongs. See specific usage.",
      "is_array": true,
      "type": "group"
    },
    "handshake_dur": {
      "caption": "Handshake Duration",
      "description": "The amount of total time for the TLS handshake to complete after the TCP connection is established, including client-side delays, in milliseconds.",
      "type": "integer_t"
    },
    "hash": {
      "caption": "Hash",
      "description": "The hash attribute is the value of a digital fingerprint including information about its algorithm.",
      "type": "fingerprint"
    },
    "hashes": {
      "caption": "Hashes",
      "description": "An array of hash attributes.",
      "is_array": true,
      "type": "fingerprint"
    },
    "hire_time": {
      "caption": "Hire Time",
      "description": "The timestamp when the user was or will be hired by the organization.",
      "type": "timestamp_t"
    },
    "hostname": {
      "caption": "Hostname",
      "description": "The hostname of an endpoint or a device.",
      "type": "hostname_t"
    },
    "http_cookies": {
      "caption": "HTTP Cookies",
      "description": "The cookies object describes details about HTTP cookies",
      "is_array": true,
      "type": "http_cookie"
    },
    "http_headers": {
      "caption": "HTTP Headers",
      "description": "Additional HTTP headers of an HTTP request or response.",
      "is_array": true,
      "type": "http_header"
    },
    "http_method": {
      "caption": "HTTP Method",
      "description": "The HTTP request method indicates the desired action to be performed for a given resource. Expected values: <ul> <li>TRACE</li> <li>CONNECT</li> <li>OPTIONS</li> <li>HEAD</li> <li>DELETE</li> <li>POST</li> <li>PUT</li> <li>GET</li></ul>",
      "type": "string_t"
    },
    "http_only": {
      "@deprecated": {
        "message": "Use the <code> is_http_only </code> attribute instead.",
        "since": "1.1.0"
      },
      "caption": "HTTP Only",
      "description": "A cookie attribute to make it inaccessible via JavaScript",
      "type": "boolean_t"
    },
    "http_request": {
      "caption": "HTTP Request",
      "description": "The HTTP Request Object documents attributes of a request made to a web server.",
      "type": "http_request"
    },
    "http_response": {
      "caption": "HTTP Response",
      "description": "The HTTP Response from a web server to a requester.",
      "type": "http_response"
    },
    "http_status": {
      "@deprecated": {
        "message": "Use the <code> http_response.code </code> attribute instead.",
        "since": "1.1.0"
      },
      "caption": "HTTP Status",
      "description": "The Hypertext Transfer Protocol (HTTP) <a target='_blank' href='https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml'>status code</a> returned to the client.",
      "type": "integer_t"
    },
    "hw_info": {
      "caption": "Hardware Info",
      "description": "The endpoint hardware information.",
      "type": "device_hw_info"
    },
    "hypervisor": {
      "caption": "Hypervisor",
      "description": "The name of the hypervisor running on the device. For example, <code>Xen</code>, <code>VMware</code>, <code>Hyper-V</code>, <code>VirtualBox</code>, etc.",
      "type": "string_t"
    },
    "identifier_cookie": {
      "caption": "Identifier Cookie",
      "description": "The client identifier cookie during client/server exchange.",
      "type": "string_t"
    },
    "idp": {
      "caption": "Identity Provider",
      "description": "This object describes details about the Identity Provider used.",
      "type": "idp"
    },
    "image": {
      "caption": "Image",
      "description": "The image used as a template to run a container or virtual machine.",
      "type": "image"
    },
    "ime": {
      "caption": "IME",
      "description": "The Input Method Editor (IME) file name.",
      "type": "string_t"
    },
    "imei": {
      "caption": "IMEI",
      "description": "The International Mobile Station Equipment Identifier that is associated with the device.",
      "type": "string_t"
    },
    "impact": {
      "caption": "Impact",
      "description": "The impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "impact_id": {
      "caption": "Impact ID",
      "description": "The normalized impact of the finding.",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The normalized impact is unknown."
        },
        "1": {
          "caption": "Low"
        },
        "2": {
          "caption": "Medium"
        },
        "3": {
          "caption": "High"
        },
        "4": {
          "caption": "Critical"
        },
        "99": {
          "caption": "Other",
          "description": "The impact is not mapped. See the <code>impact</code> attribute, which contains a data source specific value."
        }
      },
      "sibling": "impact",
      "type": "integer_t"
    },
    "impact_score": {
      "caption": "Impact",
      "description": "The impact of the finding, valid range 0-100.",
      "type": "integer_t"
    },
    "injection_type": {
      "caption": "Injection Type",
      "description": "The process injection method, normalized to the caption of the injection_type_id value. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "injection_type_id": {
      "caption": "Injection Type ID",
      "description": "The normalized identifier of the process injection method.",
      "enum": {
        "99": {
          "caption": "Other",
          "description": "The injection type is not mapped. See the <code>injection_type</code> attribute, which contains a data source specific value."
        },
        "0": {
          "caption": "Unknown",
          "description": "The injection type is unknown."
        },
        "1": {
          "caption": "Remote Thread"
        },
        "2": {
          "caption": "Load Library"
        }
      },
      "sibling": "injection_type",
      "type": "integer_t"
    },
    "instance_uid": {
      "caption": "Instance ID",
      "description": "The unique identifier of a VM instance.",
      "type": "string_t"
    },
    "integrity": {
      "caption": "Integrity",
      "description": "The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).",
      "type": "string_t"
    },
    "integrity_id": {
      "caption": "Integrity Level",
      "description": "The normalized identifier of the process integrity level (Windows only).",
      "sibling": "integrity",
      "enum": {},
      "type": "integer_t"
    },
    "interface_name": {
      "caption": "Network Interface Name",
      "description": "The name of the network interface (e.g. eth2).",
      "type": "string_t"
    },
    "interface_uid": {
      "caption": "Network Interface ID",
      "description": "The unique identifier of the network interface.",
      "type": "string_t"
    },
    "intermediate_ips": {
      "caption": "Intermediate IP Addresses",
      "description": "The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.",
      "is_array": true,
      "type": "ip_t"
    },
    "invoked_by": {
      "caption": "Invoked by",
      "description": "The name of the service that invoked the activity as described in the event.",
      "type": "string_t"
    },
    "ip": {
      "caption": "IP Address",
      "description": "The IP address, in either IPv4 or IPv6 format.",
      "type": "ip_t"
    },
    "is_cleartext": {
      "caption": "Cleartext Credentials",
      "description": "Indicates whether the credentials were passed in clear text.<p><b>Note:</b> True if the credentials were passed in a clear text protocol such as FTP or TELNET, or if Windows detected that a user's logon password was passed to the authentication package in clear text.</p>",
      "type": "boolean_t"
    },
    "is_compliant": {
      "caption": "Compliant Device",
      "description": "The event occurred on a compliant device.",
      "type": "boolean_t"
    },
    "is_default": {
      "caption": "Default Value",
      "description": "The indication of whether the value is from a default value name. For example, the value name could be missing.",
      "type": "boolean_t"
    },
    "is_exploit_available":{
      "caption": "Exploit Availability",
      "description": "Indicates if an exploit or a PoC (proof-of-concept) is available for the reported vulnerability.",
      "type": "boolean_t"
    },
    "is_fix_available": {
      "caption": "Fix Availability",
      "description": "Indicates if a fix is available for the reported vulnerability.",
      "type": "boolean_t"
    },
    "is_hotp": {
      "caption": "HMAC-based One-time Password (HOTP)",
      "description": "Whether the authentication factor is an HMAC-based One-time Password (HOTP).",
      "type": "boolean_t"
    },
    "is_http_only": {
      "caption": "HTTP Only",
      "description": "This attribute prevents the cookie from being accessed via JavaScript.",
      "type": "boolean_t"
    },
    "is_managed": {
      "caption": "Managed Device",
      "description": "The event occurred on a managed device.",
      "type": "boolean_t"
    },
    "is_mfa": {
      "caption": "Multi Factor Authentication",
      "description": "Indicates whether Multi Factor Authentication was used during authentication.",
      "type": "boolean_t"
    },
    "is_new_logon": {
      "caption": "New Logon",
      "description": "Indicates logon is from a device not seen before or a first time account logon.",
      "type": "boolean_t"
    },
    "is_on_premises": {
      "caption": "On Premises",
      "description": "The indication of whether the location is on premises.",
      "type": "boolean_t"
    },
    "is_personal": {
      "caption": "Personal Device",
      "description": "The event occurred on a personal device.",
      "type": "boolean_t"
    },
    "is_remote": {
      "caption": "Remote",
      "description": "The indication of whether the session is remote.",
      "type": "boolean_t"
    },
    "is_renewal": {
      "caption": "Renewal",
      "description": "The indication of whether this is a lease/session renewal event.",
      "type": "boolean_t"
    },
    "is_secure": {
      "caption": "Secure",
      "description": "The cookie attribute indicates that cookies are sent to the server only when the request is encrypted using the HTTPS protocol.",
      "type": "boolean_t"
    },
    "is_superseded": {
      "caption": "The patch is superseded.",
      "description": "The vendor patch has been replaced by another.",
      "type": "boolean_t"
    },
    "is_system": {
      "caption": "System",
      "description": "The indication of whether the object is part of the operating system.",
      "type": "boolean_t"
    },
    "is_trusted": {
      "caption": "Trusted Device",
      "description": "The event occurred on a trusted device.",
      "type": "boolean_t"
    },
    "is_totp": {
      "caption": "Time-based One-time Password (TOTP)",
      "description": "Whether the authentication factor is a Time-based One-time Password (TOTP).",
      "type": "boolean_t"
    },
    "is_vpn": {
      "caption": "VPN Session",
      "description": "The indication of whether the session is a VPN session.",
      "type": "boolean_t"
    },
    "isp": {
      "caption": "ISP",
      "description": "The name of the Internet Service Provider (ISP).",
      "type": "string_t"
    },
    "issuer": {
      "caption": "Issuer Details",
      "description": "The identifier of the issuer. See specific usage.",
      "type": "string_t"
    },
    "ja3_hash": {
      "caption": "JA3 Hash",
      "description": "The MD5 hash of a JA3 string.",
      "type": "fingerprint"
    },
    "ja3s_hash": {
      "caption": "JA3S Hash",
      "description": "The MD5 hash of a JA3S string.",
      "type": "fingerprint"
    },
    "job": {
      "caption": "Job",
      "description": "The job object that pertains to the event.",
      "type": "job"
    },
    "job_title": {
      "caption": "Job Title",
      "description": "The user's job title.",
      "type": "string_t"
    },
    "kb_articles": {
      "caption": "Knowledgebase Articles",
      "@deprecated": {
        "message": "Use the <code> kb_article_list </code> attribute instead.",
        "since": "1.1.0"
      },
      "description": "The KB article/s related to the entity. A KB Article contains metadata that describes the patch or an update.",
      "is_array": true,
      "type": "string_t"
    },
    "kb_article_list": {
      "caption": "Knowledgebase Articles",
      "description": "A list of KB articles or patches related to an endpoint. A KB Article contains metadata that describes the patch or an update.",
      "is_array": true,
      "type": "kb_article"
    },
    "kernel": {
      "caption": "Kernel",
      "description": "The kernel resource object that pertains to the event.",
      "type": "kernel"
    },
    "key_length": {
      "caption": "Key Length",
      "description": "The length of the encryption key.",
      "type": "integer_t"
    },
    "keyboard_info": {
      "caption": "Keyboard Information",
      "description": "The keyboard detailed information.",
      "type": "keyboard_info"
    },
    "keyboard_layout": {
      "caption": "Keyboard Layout",
      "description": "The keyboard locale identifier name (e.g., en-US).",
      "type": "string_t"
    },
    "keyboard_subtype": {
      "caption": "Keyboard Subtype",
      "description": "The keyboard numeric code.",
      "type": "integer_t"
    },
    "keyboard_type": {
      "caption": "Keyboard Type",
      "description": "The keyboard type (e.g., xt, ico).",
      "type": "string_t"
    },
    "kill_chain": {
      "caption": "Kill Chain",
      "description": "The <a target='_blank' href='https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html'>Cyber Kill Chain®</a> provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.",
      "is_array": true,
      "type": "kill_chain_phase"
    },
    "labels": {
      "caption": "Labels",
      "description": "The list of labels attached to an event, object, or attribute.",
      "is_array": true,
      "type": "string_t"
    },
    "lang": {
      "caption": "Language",
      "description": "The two letter lower case language codes, as defined by <a target='_blank' href='https://en.wikipedia.org/wiki/ISO_639-1'>ISO 639-1</a>. For example: <code>en</code> (English), <code>de</code> (German), or <code>fr</code> (French).",
      "type": "string_t"
    },
    "last_login_time": {
      "caption": "Last Login",
      "description": "The last time when the user logged in.",
      "type": "timestamp_t"
    },
    "last_run_time": {
      "caption": "Last Run",
      "description": "The last run time of application or service. See specific usage.",
      "type": "timestamp_t"
    },
    "last_seen_time": {
      "caption": "Last Seen",
      "description": "The most recent detection time of the activity or object. See specific usage.",
      "type": "timestamp_t"
    },
    "latency": {
      "caption": "Latency",
      "description": "The HTTP response latency measured in milliseconds.",
      "type": "integer_t"
    },
    "ldap_cn": {
      "caption": "LDAP Common Name",
      "description": "The LDAP and X.500 <code>commonName</code> attribute, typically the full name of the person. For example, <code>John Doe</code>.",
      "type": "string_t"
    },
    "ldap_dn": {
      "caption": "LDAP Distinguished Name",
      "description": "The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, <code>cn=John Doe,ou=People,dc=example,dc=com</code>.",
      "type": "string_t"
    },
    "ldap_person": {
      "caption": "LDAP Person",
      "description": "The additional LDAP attributes that describe a person.",
      "type": "ldap_person"
    },
    "lease_dur": {
      "caption": "Lease Duration",
      "description": "This represents the length of the DHCP lease in seconds. This is present in DHCP Ack events.",
      "type": "integer_t"
    },
    "leave_time": {
      "caption": "Leave Time",
      "description": "The timestamp when the user left or will be leaving the organization.",
      "type": "timestamp_t"
    },
    "length": {
      "caption": "Response Length",
      "description": "The HTTP response length, in number of bytes.",
      "type": "integer_t"
    },
    "lineage": {
      "caption": "Lineage",
      "description": "The lineage of the process, represented by a list of paths for each ancestor process. For example: <code>['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami']</code>.",
      "is_array": true,
      "type": "string_t"
    },
    "license": {
      "caption": "Software License",
      "description": "The name or identifier of the license applied on package or software. See <a target='_blank' href='https://spdx.org/licenses/'>SPDX License List</a>.",
      "type": "string_t"
    },
    "load_balancer": {
      "caption": "Load Balancer",
      "description": "The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.",
      "type": "load_balancer"
    },
    "load_type": {
      "caption": "Load Type",
      "description": "The load type, normalized to the caption of the load_type_id value. In the case of 'Other', it is defined by the event source. It describes how the module was loaded in memory.",
      "type": "string_t"
    },
    "load_type_id": {
      "caption": "Load Type ID",
      "description": "The normalized identifier of the load type. It identifies how the module was loaded in memory.",
      "enum": {},
      "sibling": "load_type",
      "type": "integer_t"
    },
    "loaded_modules": {
      "caption": "Loaded Modules",
      "description": "The list of loaded module names.",
      "is_array": true,
      "type": "string_t"
    },
    "location": {
      "caption": "Geo Location",
      "description": "The detailed geographical location usually associated with an IP address.",
      "type": "location"
    },
    "log_level": {
      "caption": "Log Level",
      "description": "The audit level at which an event was generated.",
      "type": "string_t"
    },
    "log_name": {
      "caption": "Log Name",
      "description": "The event log name. For example, syslog file name or Windows logging subsystem: Security.",
      "type": "string_t"
    },
    "log_provider": {
      "caption": "Log Provider",
      "description": "The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.",
      "type": "string_t"
    },
    "log_version": {
      "caption": "Log Version",
      "description": "The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.",
      "type": "string_t"
    },
    "logged_time": {
      "caption": "Logged Time",
      "description": "<p>The time when the logging system collected and logged the event.</p>This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.",
      "type": "timestamp_t"
    },
    "loggers": {
      "caption": "Loggers",
      "description": "An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.",
      "is_array": true,
      "type": "logger"
    },
    "logon_process": {
      "caption": "Logon Process",
      "description": "The trusted process that validated the authentication credentials.",
      "type": "process"
    },
    "logon_type": {
      "caption": "Logon Type",
      "description": "The logon type, normalized to the caption of the logon_type_id value. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "logon_type_id": {
      "caption": "Logon Type ID",
      "description": "The normalized logon type identifier.",
      "enum": {
        "99": {
          "caption": "Other",
          "description": "The logon type is not mapped. See the <code>logon_type</code> attribute, which contains a data source specific value."
        },
        "0": {
          "caption": "System",
          "description": "Used only by the System account, for example at system startup."
        },
        "10": {
          "caption": "Remote Interactive",
          "description": "A remote logon using Terminal Services or remote desktop application."
        },
        "11": {
          "caption": "Cached Interactive",
          "description": "A user logged on to this device with network credentials that were stored locally on the device and the domain controller was not contacted to verify the credentials."
        },
        "12": {
          "caption": "Cached Remote Interactive",
          "description": "Same as Remote Interactive. This is used for internal auditing."
        },
        "13": {
          "caption": "Cached Unlock",
          "description": "Workstation logon."
        },
        "2": {
          "caption": "Interactive",
          "description": "A local logon to device console."
        },
        "3": {
          "caption": "Network",
          "description": "A user or device logged onto this device from the network."
        },
        "4": {
          "caption": "Batch",
          "description": "A batch server logon, where processes may be executing on behalf of a user without their direct intervention."
        },
        "5": {
          "caption": "OS Service",
          "description": "A logon by a service or daemon that was started by the OS."
        },
        "7": {
          "caption": "Unlock",
          "description": "A user unlocked the device."
        },
        "8": {
          "caption": "Network Cleartext",
          "description": "A user logged on to this device from the network. The user's password in the authentication package was not hashed."
        },
        "9": {
          "caption": "New Credentials",
          "description": "A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections."
        }
      },
      "sibling": "logon_type",
      "type": "integer_t"
    },
    "mac": {
      "caption": "MAC Address",
      "description": "The Media Access Control (MAC) address that is associated with the network interface.",
      "type": "mac_t"
    },
    "malware": {
      "caption": "Malware",
      "description": "A list of Malware objects, describing details about the identified malware.",
      "is_array": true,
      "type": "malware"
    },
    "manager": {
      "caption": "Manager",
      "description": "The user's manager. This helps in understanding an org hierarchy. This should only ever be populated once in an event. I.e. there should not be a manager's manager in an event.",
      "type": "user"
    },
    "message": {
      "caption": "Message",
      "description": "The description of the event/finding, as defined by the source.",
      "type": "string_t"
    },
    "message_uid": {
      "caption": "Message UID",
      "description": "The email header Message-Id value, as defined by RFC 5322.",
      "type": "string_t"
    },
    "metadata": {
      "caption": "Metadata",
      "description": "The metadata associated with the event or a finding.",
      "type": "metadata"
    },
    "metrics": {
      "caption": "Metrics",
      "description": "The general purpose metrics associated with the event. See specific usage.",
      "is_array": true,
      "type": "metric"
    },
    "mime_type": {
      "caption": "MIME type",
      "description": "The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.",
      "type": "string_t"
    },
    "model": {
      "caption": "Model",
      "description": "The peripheral device model.",
      "type": "string_t"
    },
    "modified_time": {
      "caption": "Modified Time",
      "description": "The time when the object was last modified. See specific usage.",
      "type": "timestamp_t"
    },
    "modifier": {
      "caption": "Modifier",
      "description": "The user that last modified the object associated with the event. See specific usage.",
      "type": "user"
    },
    "module": {
      "caption": "Module",
      "description": "The module that pertains to the event.",
      "type": "module"
    },
    "name": {
      "caption": "Name",
      "description": "The name of the entity. See specific usage.",
      "type": "string_t"
    },
    "namespace": {
      "caption": "Namespace",
      "description": "The namespace is useful in merger or acquisition situations. For example, when similar entities exist that you need to keep separate.",
      "type": "string_t"
    },
    "namespace_pid": {
      "caption": "Namespace PID",
      "description": "If running under a process namespace (such as in a container), the process identifier within that process namespace.",
      "type": "integer_t"
    },
    "network_driver": {
      "caption": "Network Driver",
      "description": "The network driver used by the container. For example, bridge, overlay, host, none, etc.",
      "type": "string_t"
    },
    "network_endpoint": {
      "caption": "Network Endpoint",
      "description": "The Network Endpoint object describes characteristics of a network endpoint. See specific usage.",
      "type": "network_endpoint"
    },
    "network_interfaces": {
      "caption": "Network Interfaces",
      "description": "The network interfaces that are associated with the device, one for each unique MAC address/IP address/hostname/name combination.<p><b>Note:</b> The first element of the array is the network information that pertains to the event.</p>",
      "is_array": true,
      "type": "network_interface"
    },
    "next_run_time": {
      "caption": "Next Run",
      "description": "The next run time. See specific usage.",
      "type": "timestamp_t"
    },
    "nist": {
      "caption": "NIST List",
      "description": "The NIST Cybersecurity Framework recommendations for managing the cybersecurity risk.",
      "is_array": true,
      "type": "string_t"
    },
    "num_detections": {
      "caption": "Detections",
      "description": "The number of detections.",
      "type": "integer_t"
    },
    "num_files": {
      "caption": "Scanned Files",
      "description": "The number of files scanned.",
      "type": "integer_t"
    },
    "num_folders": {
      "caption": "Scanned Folders",
      "description": "The number of folders scanned.",
      "type": "integer_t"
    },
    "num_network_items": {
      "caption": "Scanned Network Items",
      "description": "The number of network items scanned.",
      "type": "integer_t"
    },
    "num_processes": {
      "caption": "Scanned Processes",
      "description": "The number of processes scanned.",
      "type": "integer_t"
    },
    "num_registry_items": {
      "caption": "Scanned Registry Items",
      "description": "The number of registry items scanned.",
      "type": "integer_t"
    },
    "num_resolutions": {
      "caption": "Resolutions",
      "description": "The number of items that were resolved.",
      "type": "integer_t"
    },
    "num_skipped_items": {
      "caption": "Skipped",
      "description": "The number of skipped items.",
      "type": "integer_t"
    },
    "num_trusted_items": {
      "caption": "Trusted",
      "description": "The number of trusted items.",
      "type": "integer_t"
    },
    "num_violations": {
      "caption": "Violations",
      "description": "The number of times the policy or rule was violated.",
      "type": "integer_t"
    },
    "observables": {
      "caption": "Observables",
      "description": "The observables associated with the event or a finding.",
      "is_array": true,
      "type": "observable"
    },
    "office_location": {
      "caption": "Office Location",
      "description": "The primary office location associated with the user. This could be any string and isn't a specific address. For example, <code>South East Virtual</code>.",
      "type": "string_t"
    },
    "opcode": {
      "caption": "DNS Opcode",
      "description": "The DNS opcode specifies the type of the query message.",
      "type": "string_t"
    },
    "opcode_id": {
      "caption": "DNS Opcode ID",
      "description": "The DNS opcode ID specifies the normalized query message type.",
      "enum": {
        "0": {
          "caption": "Query",
          "description": "Standard query"
        },
        "1": {
          "caption": "Inverse Query",
          "description": "Inverse query, obsolete"
        },
        "2": {
          "caption": "Status",
          "description": "Server status request"
        },
        "3": {
          "caption": "Reserved",
          "description": "Reserved, not used"
        },
        "4": {
          "caption": "Notify",
          "description": "Zone change notification"
        },
        "5": {
          "caption": "Update",
          "description": "Dynamic DNS update"
        },
        "6": {
          "caption": "DSO Message",
          "description": "DNS Stateful Operations (DSO)"
        }
      },
      "type": "integer_t"
    },
    "open_mask": {
      "caption": "Open Mask",
      "description": "The Windows options needed to open a registry key.",
      "type": "integer_t"
    },
    "open_type": {
      "caption": "Open Type",
      "description": "The file open type.",
      "type": "string_t"
    },
    "operation": {
      "caption": "Operation",
      "description": "Verb/Operation associated with the request",
      "type": "string_t"
    },
    "opnum": {
      "caption": "Opnum",
      "description": "An operation number used to identify a specific remote procedure call (RPC) method or a method in an interface.",
      "type": "integer_t"
    },
    "org": {
      "caption": "Organization",
      "description": "Organization and org unit relevant to the event or object.",
      "type": "organization"
    },
    "orchestrator": {
      "caption": "Orchestrator",
      "description": "The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.",
      "type": "string_t"
    },
    "ou_name": {
      "caption": "Org Unit Name",
      "description": "The name of the organizational unit, within an organization.  For example, Finance, IT, R&D",
      "type": "string_t"
    },
    "ou_uid": {
      "caption": "Org Unit ID",
      "description": "The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.",
      "type": "string_t"
    },
    "original_time": {
      "caption": "Original Time",
      "description": "The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.",
      "type": "string_t"
    },
    "os": {
      "caption": "OS",
      "description": "The endpoint operating system.",
      "type": "os"
    },
    "overall_score": {
      "caption": "Overall Score",
      "description": "The overall score as reported by the event source. See specific usage.",
      "type": "float_t"
    },
    "owner": {
      "caption": "Owner",
      "description": "The user that owns the file/object.",
      "type": "user"
    },
    "package": {
      "caption": "Software Package",
      "description": "The Software Package object describes details about a software package. Defined by D3FEND <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:SoftwarePackage/'>d3f:SoftwarePackage</a>.",
      "type": "package"
    },
    "packages": {
      "@deprecated": {
        "message": "Use the <code> affected_packages </code> attribute instead.",
        "since": "1.1.0"
      },
      "caption": "Software Packages",
      "description": "List of vulnerable packages as identified by the security product",
      "is_array": true,
      "type": "package"
    },
    "package_manager": {
      "caption": "Package Manager",
      "description": "The software packager manager utilized to manage a package on a system, e.g. npm, yum, dpkg etc.",
      "type": "string_t"
    },
    "packet_uid": {
      "caption": "Packet UID",
      "description": "The packet identifier assigned by the protocol.",
      "type": "integer_t"
    },
    "packets": {
      "caption": "Total Packets",
      "description": "The total number of packets (in and out).",
      "type": "long_t"
    },
    "packets_in": {
      "caption": "Packets In",
      "description": "The number of packets sent from the destination to the source.",
      "type": "long_t"
    },
    "packets_out": {
      "caption": "Packets Out",
      "description": "The number of packets sent from the source to the destination.",
      "type": "long_t"
    },
    "parent_folder": {
      "caption": "Parent Folder",
      "description": "The parent folder in which the file resides. For example: <code>c:\\windows\\system32</code>",
      "type": "string_t"
    },
    "parent_process": {
      "caption": "Parent Process",
      "description": "The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting.",
      "type": "process"
    },
    "path": {
      "caption": "Path",
      "description": "The path that pertains to the event or object. See specific usage.",
      "type": "string_t"
    },
    "percentile": {
      "caption": "EPSS Percentile",
      "description": "The EPSS score's percentile representing relative importance and ranking of the score in the larger EPSS dataset.",
      "type": "float_t"
    },
    "peripheral_device": {
      "caption": "Peripheral Device",
      "description": "The peripheral device that triggered the event.",
      "type": "peripheral_device"
    },
    "permission": {
      "caption": "Permission",
      "description": "The IAM permission related to an event",
      "type": "string_t"
    },
    "phase": {
      "caption": "Kill Chain Phase",
      "description": "The cyber kill chain phase.",
      "type": "string_t"
    },
    "phase_id": {
      "caption": "Kill Chain Phase ID",
      "description": "The cyber kill chain phase identifier.",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The kill chain phase is unknown."
        },
        "1": {
          "caption": "Reconnaissance",
          "description": "The attackers pick a target and perform a detailed analysis, start collecting information (email addresses, conferences information, etc.) and evaluate the victim’s vulnerabilities to determine how to exploit them."
        },
        "2": {
          "caption": "Weaponization",
          "description": "The attackers develop a malware weapon and aim to exploit the discovered vulnerabilities."
        },
        "3": {
          "caption": "Delivery",
          "description": "The intruders will use various tactics, such as phishing, infected USB drives, etc."
        },
        "4": {
          "caption": "Exploitation",
          "description": "The intruders start leveraging vulnerabilities to executed code on the victim’s system."
        },
        "5": {
          "caption": "Installation",
          "description": "The intruders install malware on the victim’s system."
        },
        "6": {
          "caption": "Command & Control",
          "description": "Malware opens a command channel to enable the intruders to remotely manipulate the victim's system."
        },
        "7": {
          "caption": "Actions on Objectives",
          "description": "With hands-on keyboard access, intruders accomplish the mission’s goal."
        },
        "99": {
          "caption": "Other",
          "description": "The kill chain phase is not mapped. See the <code>phase</code> attribute, which contains a data source specific value."
        }
      },
      "type": "integer_t",
      "sibling": "phase"
    },
    "phone_number": {
        "caption": "Phone Number",
        "description": "The number associated with the phone.",
        "type": "string_t"
    },
    "phones": {
      "caption": "Phones",
      "description": "The phone numbers associated with the user",
      "type": "string_t",
      "is_array": true
    },
    "physical_height": {
      "caption": "Physical Height",
      "description": "The numeric physical height of display.",
      "type": "integer_t"
    },
    "physical_orientation": {
      "caption": "Physical Orientation",
      "description": "The numeric physical orientation of display.",
      "type": "integer_t"
    },
    "physical_width": {
      "caption": "Physical Width",
      "description": "The numeric physical width of display.",
      "type": "integer_t"
    },
    "pid": {
      "caption": "Process ID",
      "description": "The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.",
      "type": "integer_t"
    },
    "pod_uuid": {
      "caption": "Pod UUID",
      "description": "The unique identifier of the pod (or equivalent) that the container is executing on.",
      "type": "uuid_t"
    },
    "policy": {
      "caption": "Policy",
      "description": "Describes details of a policy. See specific usage.",
      "type": "policy"
    },
    "port": {
      "caption": "Port",
      "description": "The TCP/UDP port number associated with a connection. See specific usage.",
      "type": "port_t"
    },
    "postal_code": {
      "caption": "Postal Code",
      "description": "The postal code of the location.",
      "type": "string_t"
    },
    "precision": {
      "caption": "Precision",
      "description": "The numeric precision. See specific usage.",
      "type":  "integer_t"
    },
    "prev_security_level": {
      "caption": "Previous Security Level",
      "description": "The previous security level of the entity",
      "type": "string_t"
    },
    "prev_security_level_id": {
      "caption": "Previous Security Level ID",
      "description": "The previous security level of the entity",
      "enum": {
        "99": {
          "caption": "Other",
          "description": "The security level is not mapped. See the <code>prev_security_level</code> attribute, which contains data source specific values."
        },
        "0": {
          "caption": "Unknown"
        },
        "1": {
          "caption": "Secure"
        },
        "2": {
          "caption": "At Risk"
        },
        "3": {
          "caption": "Compromised"
        }
      },
      "sibling": "prev_security_level",
      "type": "integer_t"
    },
    "prev_security_states": {
      "caption": "Previous Security States",
      "description": "The previous security states. See specific usage.",
      "is_array": true,
      "type": "security_state"
    },
    "priority": {
      "caption": "Priority",
      "description": "The priority, normalized to the caption of the priority_id value. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "priority_id": {
      "caption": "Priority ID",
      "description": "The normalized priority. Priority identifies the relative importance of the finding. It is a measurement of urgency.",
      "enum": {
        "0": {
          "description": "No priority is assigned.",
          "caption": "Unknown"
        },
        "1": {
          "description": "Application or personal procedure is unusable, where a workaround is available or a repair is possible.",
          "caption": "Low"
        },
        "2": {
          "description": "Non-critical function or procedure is unusable or hard to use causing operational disruptions with no direct impact on a service's availability. A workaround is available.",
          "caption": "Medium"
        },
        "3": {
          "description": "Critical functionality or network access is interrupted, degraded or unusable, having a severe impact on services availability. No acceptable alternative is possible.",
          "caption": "High"
        },
        "4": {
          "description": "Interruption making a critical functionality inaccessible or a complete network interruption causing a severe impact on services availability. There is no possible alternative.",
          "caption": "Critical"
        },
        "99": {
          "description": "The priority is not normalized.",
          "caption": "Other"
        }
      },
      "sibling": "priority",
      "type": "integer_t"
    },
    "privileges": {
      "caption": "Privileges",
      "description": "The user or group privileges.",
      "is_array": true,
      "type": "string_t"
    },
    "process": {
      "caption": "Process",
      "description": "The process object.",
      "type": "process"
    },
    "processed_time": {
      "caption": "Processed Time",
      "description": "The event processed time, such as an ETL operation.",
      "type": "timestamp_t"
    },
    "product": {
      "caption": "Product",
      "description": "The product that reported the event.",
      "type": "product"
    },
    "product_uid": {
      "caption": "Product Identifier",
      "description": "Unique Identifier of a product.",
      "type": "string_t"
    },
    "profiles": {
      "caption": "Profiles",
      "description": "The list of profiles used to create the event.",
      "is_array": true,
      "type": "string_t"
    },
    "project_uid": {
      "caption": "Project ID",
      "description": "The unique identifier of a Cloud project.",
      "type": "string_t"
    },
    "protocol_name": {
      "caption": "Protocol Name",
      "description": "The TCP/IP protocol name in lowercase, as defined by the Internet Assigned Numbers Authority (IANA). See <a target='_blank' href='https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml'>Protocol Numbers</a>. For example: <code>tcp</code> or <code>udp</code>.",
      "type": "string_t"
    },
    "protocol_num": {
      "caption": "Protocol Number",
      "description": "The TCP/IP protocol number, as defined by the Internet Assigned Numbers Authority (IANA). Use -1 if the protocol is not defined by IANA. See <a target='_blank' href='https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml'>Protocol Numbers</a>. For example: <code>6</code> for TCP and <code>17</code> for UDP.",
      "type": "integer_t"
    },
    "protocol_ver": {
      "caption": "Protocol Version",
      "description": "The Protocol version, normalized to the caption of the protocol_ver_id value. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "protocol_ver_id": {
      "caption": "Protocol Version ID",
      "description": "The normalized identifier of the Protocol version.",
      "enum": {},
      "sibling": "protocol_ver",
      "type": "integer_t"
    },
    "provider": {
      "caption": "Provider",
      "description": "The origin of information associated with the event. See specific usage.",
      "type": "string_t"
    },
    "proxy": {
      "@deprecated": {
        "message": "Use the <code> proxy_endpoint </code> attribute instead.",
        "since": "1.1.0"
      },
      "caption": "Proxy",
      "description": "The proxy (server) in a network connection.",
      "type": "network_proxy"
    },
    "proxy_endpoint": {
      "caption": "Proxy Endpoint",
      "description": "The proxy (server) in a network connection.",
      "type": "network_proxy"
    },
    "purl":{
      "caption": "Package URL",
      "description": "A purl is a URL string used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.",
      "type": "string_t"
    },
    "proxy_connection_info": {
      "caption": "Proxy Connection Info",
      "description": "The connection information from the proxy server to the remote server.",
      "type": "network_connection_info"
    },
    "proxy_http_request": {
      "caption": "Proxy HTTP Request",
      "description": "The HTTP Request from the proxy server to the remote server.",
      "type": "http_request"
    },
    "proxy_http_response": {
      "caption": "Proxy HTTP Response",
      "description": "The HTTP Response from the remote server to the proxy server.",
      "type": "http_response"
    },
    "proxy_tls": {
      "caption": "Proxy TLS",
      "description": "The TLS protocol negotiated between the proxy server and the remote server.",
      "type": "tls"
    },
    "proxy_traffic": {
      "caption": "Proxy Traffic",
      "description": "The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.",
      "type": "network_traffic"
    },
    "query": {
      "caption": "DNS Query",
      "description": "The Domain Name System (DNS) query.",
      "type": "dns_query"
    },
    "query_info": {
      "caption": "Query Info",
      "description": "The query info object holds information related to data access within a datastore. To access, manipulate, delete, or retrieve data from a datastore, a database query must be written using a specific syntax.",
      "type": "query_info"
    },
    "query_string": {
      "caption": "HTTP Query String",
      "description": "The query portion of the URL. For example: the query portion of the URL <code>http://www.example.com/search?q=bad&sort=date</code> is <code>q=bad&sort=date</code>.",
      "type": "string_t"
    },
    "query_time": {
      "caption": "Query Time",
      "description": "The Domain Name System (DNS) query time.",
      "type": "timestamp_t"
    },
    "ram_size": {
      "caption": "RAM Size",
      "description": "The total amount of installed RAM, in Megabytes. For example: <code>2048</code>.",
      "type": "integer_t"
    },
    "raw_header": {
      "caption": "Raw Header",
      "description": "The email authentication header.",
      "type": "string_t"
    },
    "raw_data": {
      "caption": "Raw Data",
      "description": "The raw event/finding data as received from the source.",
      "type": "string_t"
    },
    "rcode": {
      "caption": "Response Code",
      "description": "The server response code, normalized to the caption of the rcode_id value. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "rcode_id": {
      "caption": "Response Code ID",
      "description": "The normalized identifier of the server response code. See specific usage.",
      "enum": {
        "99": {
          "caption": "Other",
          "description": "The DNS response code is not defined by the RFC. See the <code>rcode</code> attribute, which contains a data source specific value."
        },
        "0": {
          "caption": "Unknown",
          "description": "The DNS response code is unknown."
        }
      },
      "sibling": "rcode",
      "type": "integer_t"
    },
    "rdata": {
      "caption": "DNS RData",
      "description": "The data describing the DNS resource. The meaning of this data depends on the type and class of the resource record.",
      "type": "string_t"
    },
    "references": {
      "caption": "References",
      "description": "A list of reference URLs supporting the finding/detection.",
      "is_array": true,
      "type": "string_t"
    },
    "referrer": {
      "caption": "HTTP Referrer",
      "description": "The request header that identifies the address of the previous web page, which is linked to the current web page or resource being requested.",
      "type": "string_t"
    },
    "region": {
      "caption": "Region",
      "description": "The name or the code of a region. See specific usage.",
      "type": "string_t"
    },
    "registrar": {
      "caption": "Domain Registrar",
      "description": "The domain registrar.",
      "type": "string_t"
    },
    "related_analytics": {
      "caption": "Related Analytics",
      "description": "Describes analytics related to the analytic of a finding or detection as identified by the security product.",
      "is_array": true,
      "type": "analytic"
    },
    "related_events": {
      "caption": "Related Events",
      "description": "Describes events and/or other findings related to the finding as identified by the security product.",
      "is_array": true,
      "type": "related_event"
    },
    "related_vulnerabilities": {
      "caption": "Related Vulnerabilities",
      "description": "List of vulnerabilities that are related to this vulnerability.",
      "is_array": true,
      "type": "string_t"
    },
    "relay": {
      "caption": "Relay",
      "description": "The network relay that is associated with the event.",
      "type": "network_interface"
    },
    "release": {
      "caption": "Software Release Details",
      "description": "Release is the number of times a version of the software has been packaged.",
      "type": "string_t"
    },
    "remediation": {
      "caption": "Remediation Guidance",
      "description": "Describes the recommended remediation steps to address identified issue(s).",
      "type": "remediation"
    },
    "remote_display": {
      "caption": "Remote Display",
      "description": "The remote display affiliated with the event",
      "type": "display"
    },
    "reply_to": {
      "caption": "Reply To",
      "description": "The email header Reply-To values, as defined by RFC 5322.",
      "type": "email_t"
    },
    "reputation": {
      "caption": "Reputation Scores",
      "description": "Contains the original and normalized reputation scores.",
      "type": "reputation"
    },
    "request": {
      "caption": "API Request Details",
      "description": "General Purpose API Request Object. See specific usage",
      "type": "request"
    },
    "requested_permissions": {
      "caption": "Requested Permissions",
      "description": "The permissions mask that were requested by the process.",
      "type": "integer_t"
    },
    "requirements": {
      "caption": "Compliance Requirements",
      "description": "A list of requirements associated to a specific control in an industry or regulatory framework. e.g. <code> NIST.800-53.r5 AU-10 </code>",
      "is_array": true,
      "type": "string_t"
    },
    "resource": {
      "caption": "Resource",
      "description": "The target resource.",
      "type": "resource_details"
    },
    "resource_type": {
      "caption": "Resource Type",
      "description": "The resource type as defined by the event source.",
      "type": "string_t"
    },
    "resources": {
      "caption": "Resources Array",
      "description": "Describes details about resources that were affected by the activity/event.",
      "is_array": true,
      "type": "resource_details"
    },
    "resources_result": {
      "caption": "Resource Results Array",
      "description": "Updated resources after an activity/event.",
      "is_array": true,
      "type": "resource_details"
    },
    "response": {
      "caption": "API Response Details",
      "description": "General Purpose API Response Object. See specific usage.",
      "type": "response"
    },
    "response_time": {
      "caption": "Response Time",
      "description": "The Domain Name System (DNS) response time.",
      "type": "timestamp_t"
    },
    "risk_level": {
      "caption": "Risk Level",
      "description": "The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "risk_level_id": {
      "caption": "Risk Level ID",
      "description": "The normalized risk level id.",
      "enum": {
        "0": {
          "caption": "Info"
        },
        "1": {
          "caption": "Low"
        },
        "2": {
          "caption": "Medium"
        },
        "3": {
          "caption": "High"
        },
        "4": {
          "caption": "Critical"
        }
      },
      "sibling": "risk_level",
      "type": "integer_t"
    },
    "risk_score": {
      "caption": "Risk Score",
      "description": "The risk score as reported by the event source.",
      "type": "integer_t"
    },
    "rpc_interface": {
      "caption": "Remote Procedure Call Interface",
      "description": "The RPC Interface object describes the details pertaining to the remote procedure call interface.",
      "type": "rpc_interface"
    },
    "rule": {
      "caption": "Rule",
      "description": "The rules that reported the events.",
      "type": "rule"
    },
    "run_state": {
      "caption": "Run State",
      "description": "The state of the job or service, normalized to the caption of the run_state_id value. In the case of 'Other', it is defined by the event source. See specific usage.",
      "type": "string_t"
    },
    "run_state_id": {
      "caption": "Run State ID",
      "description": "The normalized identifier of the state of the job or service. See specific usage.",
      "enum": {},
      "sibling": "run_state",
      "type": "integer_t"
    },
    "runtime": {
      "caption": "Runtime",
      "description": "The backend running the container, such as containerd or cri-o.",
      "type": "string_t"
    },
    "samesite": {
      "caption": "SameSite",
      "description": "The cookie attribute that lets servers specify whether/when cookies are sent with cross-site requests. Values are: Strict, Lax or None",
      "type": "string_t"
    },
    "sandbox": {
      "caption": "Sandbox",
      "description": "The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.",
      "type": "string_t"
    },
    "sans": {
      "caption": "Subject Alternative Names",
      "description": "The list of subject alternative names that are secured by a specific certificate.",
      "is_array": true,
      "type": "san"
    },
    "scale_factor": {
      "caption": "Scale Factor",
      "description": "The numeric scale factor of display.",
      "type": "integer_t"
    },
    "scan": {
      "caption": "Scan",
      "description": "The Scan object describes characteristics of a scan.  See specific usage.",
      "type": "scan"
    },
    "schedule_uid": {
      "caption": "Schedule UID",
      "description": "The unique identifier of the schedule associated with a scan job.",
      "type": "string_t"
    },
    "scheme": {
      "caption": "Scheme",
      "description": "The scheme portion of the URL. For example: <code>http</code>, <code>https</code>, <code>ftp</code>, or <code>sftp</code>.",
      "type": "string_t"
    },
    "score": {
      "caption": "Reputation Score",
      "description": "The reputation score, normalized to the caption of the score_id value. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "score_id": {
      "caption": "Reputation Score ID",
      "description": "The normalized reputation score identifier.",
      "enum": {
        "99": {
          "caption": "Other",
          "description": "The reputation score is not mapped. See the <code>rep_score</code> attribute, which contains a data source specific value."
        },
        "0": {
          "caption": "Unknown",
          "description": "The reputation score is unknown."
        },
        "1": {
          "caption": "Very Safe",
          "description": "Long history of good behavior."
        },
        "10": {
          "caption": "Malicious",
          "description": "Proven evidence of maliciousness."
        },
        "2": {
          "caption": "Safe",
          "description": "Consistently good behavior."
        },
        "3": {
          "caption": "Probably Safe",
          "description": "Reasonable history of good behavior."
        },
        "4": {
          "caption": "Leans Safe",
          "description": "Starting to establish a history of normal behavior."
        },
        "5": {
          "caption": "May not be Safe",
          "description": "No established history of normal behavior."
        },
        "6": {
          "caption": "Exercise Caution",
          "description": "Starting to establish a history of suspicious or risky behavior."
        },
        "7": {
          "caption": "Suspicious/Risky",
          "description": "A site with a history of suspicious or risky behavior. (spam, scam, potentially unwanted software, potentially malicious)."
        },
        "8": {
          "caption": "Possibly Malicious",
          "description": "Strong possibility of maliciousness."
        },
        "9": {
          "caption": "Probably Malicious",
          "description": "Indicators of maliciousness."
        }
      },
      "sibling": "score",
      "type": "integer_t"
    },
    "secure": {
      "@deprecated": {
        "message": "Use the <code> is_secure </code> attribute instead.",
        "since": "1.1.0"
      },
      "caption": "Secure",
      "description": "The cookie attribute to only send cookies to the server with an encrypted request over the HTTPS protocol.",
      "type": "boolean_t"
    },
    "security_descriptor": {
      "caption": "Security Descriptor",
      "description": "The object security descriptor.",
      "type": "string_t"
    },
    "security_questions": {
        "caption": "Security Questions",
        "description": "The question(s) provided to user for a question-based authentication factor.",
        "is_array": true,
        "type": "string_t"
    },
    "sequence": {
      "caption": "Sequence Number",
      "description": "Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.",
      "type": "integer_t"
    },
    "serial_number": {
      "caption": "Serial Number",
      "description": "The serial number that pertains to the object. See specific usage.",
      "type": "string_t"
    },
    "server_ciphers": {
      "caption": "Server Cipher Suites",
      "description": "The server cipher suites that were exchanged during the TLS handshake negotiation.",
      "is_array": true,
      "type": "string_t"
    },
    "server_hassh": {
      "caption": "Server HASSH",
      "description": "The Server HASSH fingerprinting object.",
      "type": "hassh"
    },
    "service": {
      "caption": "Service",
      "description": "The service that pertains to the event.",
      "type": "service"
    },
    "session": {
      "caption": "Session",
      "description": "The authenticated user or service session.",
      "type": "session"
    },
    "severity": {
      "caption": "Severity",
      "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
      "type": "string_t"
    },
    "severity_id": {
      "caption": "Severity ID",
      "description": "<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
      "enum": {
        "99": {
          "caption": "Other",
          "description": "The event/finding severity is not mapped. See the <code>severity</code> attribute, which contains a data source specific value."
        },
        "0": {
          "caption": "Unknown",
          "description": "The event/finding severity is unknown."
        },
        "1": {
          "caption": "Informational",
          "description": "Informational message. No action required."
        },
        "2": {
          "caption": "Low",
          "description": "The user decides if action is needed."
        },
        "3": {
          "caption": "Medium",
          "description": "Action is required but the situation is not serious at this time."
        },
        "4": {
          "caption": "High",
          "description": "Action is required immediately."
        },
        "5": {
          "caption": "Critical",
          "description": "Action is required immediately and the scope is broad."
        },
        "6": {
          "caption": "Fatal",
          "description": "An error occurred but it is too late to take remedial action."
        }
      },
      "sibling": "severity",
      "type": "integer_t"
    },
    "share": {
      "caption": "Share",
      "description": "The SMB share name.",
      "type": "string_t"
    },
    "share_type": {
      "caption": "Share Type",
      "description": "The SMB share type, normalized to the caption of the share_type_id value. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "share_type_id": {
      "caption": "Share Type Id",
      "description": "The normalized identifier of the SMB share type.",
      "enum": {
        "99": {
          "caption": "Other",
          "description": "The share type is not mapped. See the <code>share_type</code> attribute, which contains a data source specific value."
        },
        "0": {
          "caption": "Unknown",
          "description": "The share type is unknown."
        },
        "1": {
          "caption": "File"
        },
        "2": {
          "caption": "Pipe"
        },
        "3": {
          "caption": "Print"
        }
      },
      "sibling": "share_type",
      "type": "integer_t"
    },
    "signature": {
      "caption": "Digital Signature",
      "description": "The digital signature of the file.",
      "type": "digital_signature"
    },
    "size": {
      "caption": "Size",
      "description": "The size of data, in bytes.",
      "type": "long_t"
    },
    "smtp_from": {
      "caption": "SMTP From",
      "description": "The value of the SMTP MAIL FROM command.",
      "type": "email_t"
    },
    "smtp_hello": {
      "caption": "SMTP Hello",
      "description": "The value of the SMTP HELO or EHLO command.",
      "type": "string_t"
    },
    "smtp_to": {
      "caption": "SMTP To",
      "description": "The value of the SMTP envelope RCPT TO command.",
      "is_array": true,
      "type": "email_t"
    },
    "sni": {
      "caption": "Server Name Indication",
      "description": " The Server Name Indication (SNI) extension sent by the client.",
      "type": "string_t"
    },
    "spf": {
      "caption": "SPF Status",
      "description": "The Sender Policy Framework (SPF) status of the email.",
      "type": "string_t"
    },
    "sp_name": {
      "caption": "OS Service Pack",
      "description": "The name of the latest Service Pack.",
      "type": "string_t"
    },
    "sp_ver": {
      "caption": "OS Service Pack Version",
      "description": "The version number of the latest Service Pack.",
      "type": "integer_t"
    },
    "src_endpoint": {
      "caption": "Source Endpoint",
      "description": "The network source endpoint.",
      "type": "network_endpoint"
    },
    "src_url": {
      "caption": "Source URL",
      "description": "The URL pointing towards the source of an entity. See specific usage.",
      "type": "url_t"
    },
    "standards":{
      "caption": "Security Standards",
      "description": "Security standards are a set of criteria organizations can follow to protect sensitive and confidential information. e.g. <code>NIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001</code>",
      "is_array": true,
      "type": "string_t"
    },
    "start_address": {
      "caption": "Start Address",
      "description": "The start address of the execution.",
      "type": "string_t"
    },
    "start_line": {
      "caption": "Start Line",
      "description": "The line number of the first line of code block identified as vulnerable.",
      "type": "integer_t"
    },
    "start_time": {
      "caption": "Start Time",
      "description": "The start time of a time period. See specific usage.",
      "type": "timestamp_t"
    },
    "state": {
      "caption": "State",
      "description": "The state of the event or object, normalized to the caption of the state_id value. In the case of 'Other', it is defined by the event source. See specific usage.",
      "type": "string_t"
    },
    "state_id": {
      "caption": "State ID",
      "description": "The normalized state ID of the event or object. See specific usage.",
      "enum": {
        "99": {
          "caption": "Other",
          "description": "The state is not mapped. See the <code>state</code> attribute, which contains a data source specific value."
        },
        "0": {
          "caption": "Unknown",
          "description": "The state is unknown."
        }
      },
      "sibling": "state",
      "type": "integer_t"
    },
    "status": {
      "caption": "Status",
      "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "status_code": {
      "caption": "Status Code",
      "description": "The event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.",
      "type": "string_t"
    },
    "status_detail": {
      "caption": "Status Details",
      "description": "The status details contains additional information about the event/finding outcome.",
      "type": "string_t"
    },
    "status_id": {
      "caption": "Status ID",
      "description": "The normalized identifier of the event status.",
      "enum": {
        "99": {
          "caption": "Other",
          "description": "The event status is not mapped. See the <code>status</code> attribute, which contains a data source specific value."
        },
        "0": {
          "caption": "Unknown",
          "description": "The status is unknown."
        },
        "1": {
          "caption": "Success"
        },
        "2": {
          "caption": "Failure"
        }
      },
      "sibling": "status",
      "type": "integer_t"
    },
    "stratum": {
      "caption": "Stratum",
      "description": "The stratum level of the NTP server's time source, normalized to the caption of the stratum_id value.",
      "type": "string_t"
    },
    "stratum_id": {
      "caption": "Stratum ID",
      "description": "The normalized identifier of the stratum level, as defined in <a target='_blank' href='https://www.rfc-editor.org/rfc/rfc5905.html'>RFC-5905</a>.",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description":  "Unspecified or invalid."
        },
        "1": {
          "caption": "Primary Server",
          "description": "The highest precision primary server (e.g atomic clock or GPS)."
        },
        "2": {
          "caption": "Secondary Server",
          "description": "A secondary level server (possible values: 2-15)."
        },
        "16": {
          "caption": "Unsynchronized"
        },
        "17": {
          "caption": "Reserved",
          "description": "Reserved stratum (possible values: 17-255)."
        },
        "99": {
          "caption": "Other",
          "description": "The stratum level is not mapped. See the <code>stratum</code> attribute, which contains a data source specific value."
        }
      },
      "sibling": "stratum",
      "type": "integer_t"
    },
    "sub_technique": {
      "caption": "Sub Technique",
      "description": "The Sub Technique object describes the sub technique ID and/or name associated to an attack, as defined by <a target='_blank' href='https://attack.mitre.org/wiki/ATT&CK_Matrix'>ATT&CK Matrix<sup>TM</sup></a>.",
      "type": "sub_technique"
    },
    "subdomain": {
      "caption": "Subdomain",
      "description": "The subdomain portion of the URL. For example: <code>sub</code> in <code>https://sub.example.com</code> or <code>sub2.sub1</code> in <code>https://sub2.sub1.example.com</code>.",
      "type": "string_t"
    },
    "subject": {
      "caption": "Subject Details",
      "description": "The identifier of the subject. See specific usage.",
      "type": "string_t"
    },
    "subnet": {
      "caption": "Subnet",
      "description": "The subnet mask.",
      "type": "subnet_t"
    },
    "subnet_prefix": {
      "caption": "Subnet Prefix Length",
      "description": "The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet.",
      "type": "integer_t"
    },
    "subnet_uid": {
      "caption": "Subnet UID",
      "description": "The unique identifier of a virtual subnet.",
      "type": "string_t"
    },
    "supporting_data": {
      "caption": "Supporting Data",
      "description": "Additional data supporting a finding as provided by security tool",
      "type": "json_t"
    },
    "surname": {
      "caption": "Surname",
      "description": "The last or family name for the user.",
      "type": "string_t"
    },
    "is_suspected_breach": {
      "caption": "Suspected Breach",
      "description": "A determination based on analytics as to whether a potential breach was found.",
      "type": "boolean_t"
    },
    "svc_name": {
      "caption": "Service Name",
      "description": "The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service.",
      "type": "string_t"
    },
    "system_call": {
      "caption": "System Call",
      "description": "The system call that was invoked.",
      "type": "string_t"
    },
    "table": {
      "caption": "Table",
      "description": "The table object represents a table within a structured relational database or datastore, which contains columns and rows of data that are able to be create, updated, deleted and queried.",
      "type": "table"
    },
    "tactic": {
      "caption": "Tactic",
      "description": "The Tactic object describes the tactic ID and/or name that is associated to an attack, as defined by <a target='_blank' href='https://attack.mitre.org/wiki/ATT&CK_Matrix'>ATT&CK Matrix<sup>TM</sup></a>.",
      "type": "tactic"
    },
    "tactics": {
      "@deprecated": {
        "message": "Use the <code> tactic </code> attribute instead.",
        "since": "1.1.0"
      },
      "caption": "Tactics",
      "description": "The Tactic object describes the tactic ID and/or tactic name that are associated with the attack technique, as defined by <a target='_blank' href='https://attack.mitre.org/wiki/ATT&CK_Matrix'>ATT&CK Matrix<sup>TM</sup></a>.",
      "is_array": true,
      "type": "tactic"
    },
    "tag": {
      "caption": "Image Tag",
      "description": "The image tag. For example: <code>1.11-alpine</code>.",
      "type": "string_t"
    },
    "tcp_flags": {
      "caption": "TCP Flags",
      "description": "The network connection TCP header flags (i.e., control bits).",
      "type": "integer_t"
    },
    "technique": {
      "caption": "Technique",
      "description": "The Technique object describes the technique ID and/or name associated to an attack, as defined by <a target='_blank' href='https://attack.mitre.org/wiki/ATT&CK_Matrix'>ATT&CK Matrix<sup>TM</sup></a>.",
      "type": "technique"
    },
    "terminal": {
      "caption": "Terminal",
      "description": "The Pseudo Terminal. Ex: the tty or pts value.",
      "type": "string_t"
    },
    "terminated_time": {
      "caption": "Terminated Time",
      "description": "The time when the entity was terminated. See specific usage.",
      "type": "timestamp_t"
    },
    "tid": {
      "caption": "Thread ID",
      "description": "The Identifier of the thread associated with the event, as returned by the operating system.",
      "type": "integer_t"
    },
    "time": {
      "caption": "Event Time",
      "description": "The normalized event occurrence time or the finding creation time.",
      "type": "timestamp_t"
    },
    "timezone_offset": {
      "caption": "Timezone Offset",
      "description": "The number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.",
      "type": "integer_t"
    },
    "tenant_uid": {
      "caption": "Tenant UID",
      "description": "The unique tenant identifier.",
      "type": "string_t"
    },
    "title": {
      "caption": "Title",
      "description": "The title of an entity. See specific usage.",
      "type": "string_t"
    },
    "tls": {
      "caption": "TLS",
      "description": "The Transport Layer Security (TLS) attributes.",
      "type": "tls"
    },
    "tls_extension_list": {
      "caption": "TLS Extension List",
      "description": "The list of TLS extensions.",
      "is_array": true,
      "type": "tls_extension"
    },
    "to": {
      "caption": "To",
      "description": "The email header To values, as defined by RFC 5322.",
      "is_array": true,
      "type": "email_t"
    },
    "total": {
      "caption": "Total",
      "description": "The total number of items. See specific usage.",
      "type": "integer_t"
    },
    "traffic": {
      "caption": "Traffic",
      "description": "The network traffic refers to the amount of data moving across a network at a given point of time. Intended to be used alongside Network Connection.",
      "type": "network_traffic"
    },
    "transaction_uid": {
      "caption": "Transaction UID",
      "description": "The unique identifier of the transaction.",
      "type": "string_t"
    },
    "transmit_time": {
      "caption": "Transmission Time",
      "description": "The event transmission time from one device to another.  See specific usage",
      "type": "timestamp_t"
    },
    "tree_uid": {
      "caption": "Tree UID",
      "description": "The tree id is a unique SMB identifier which represents an open connection to a share.",
      "type": "string_t"
    },
    "ttl": {
      "caption": "TTL",
      "description": "The time interval that the resource record may be cached. Zero value means that the resource record can only be used for the transaction in progress, and should not be cached.",
      "type": "integer_t"
    },
    "type": {
      "caption": "Type",
      "description": "The type of an object or value, normalized to the caption of the type_id value. In the case of 'Other', it is defined by the event source. See specific usage.",
      "type": "string_t"
    },
    "type_id": {
      "caption": "Type ID",
      "description": "The normalized type identifier of an object. See specific usage.",
      "enum": {
        "99": {
          "caption": "Other",
          "description": "The type is not mapped. See the <code>type</code> attribute, which contains a data source specific value."
        },
        "0": {
          "caption": "Unknown",
          "description": "The type is unknown."
        }
      },
      "sibling": "type",
      "type": "integer_t"
    },
    "type_name": {
      "caption": "Type Name",
      "description": "The event/finding type name, as defined by the type_uid.",
      "type": "string_t"
    },
    "type_uid": {
      "caption": "Type ID",
      "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.",
      "sibling": "type_name",
      "type": "long_t"
    },
    "types": {
      "caption": "Types",
      "description": "The type/s of an entity. See specific usage.",
      "is_array": true,
      "type": "string_t"
    },
    "uid": {
      "caption": "Unique ID",
      "description": "The unique identifier. See specific usage.",
      "type": "string_t"
    },
    "uid_alt": {
      "caption": "Alternate ID",
      "description": "The alternate unique identifier. See specific usage.",
      "type": "string_t"
    },
    "unmapped": {
      "caption": "Unmapped Data",
      "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
      "type": "object"
    },
    "url": {
      "caption": "URL",
      "description": "The URL object that pertains to the event or object. See specific usage.",
      "type": "url"
    },
    "url_string": {
      "caption": "URL String",
      "description": "The URL string. See RFC 1738. For example: <code>http://www.example.com/download/trouble.exe</code>.",
      "type": "url_t"
    },
    "user": {
      "caption": "User",
      "description": "The user that pertains to the event or object.",
      "type": "user"
    },
    "users": {
      "caption": "Users",
      "description": "The users that pertain to the event or object.",
      "is_array": true,
      "type": "user"
    },
    "user_agent": {
      "caption": "HTTP User-Agent",
      "description": "The request header that identifies the operating system and web browser.",
      "type": "string_t"
    },
    "user_result": {
      "caption": "User Result",
      "description": "The result of the user account change. It should contain the new values of the changed attributes.",
      "type": "user"
    },
    "uuid": {
      "caption": "UUID",
      "description": "The universally unique identifier. See specific usage.",
      "type": "uuid_t"
    },
    "value": {
      "caption": "Value",
      "description": "The value that pertains to the object. See specific usage.",
      "type": "string_t"
    },
    "vector_string": {
      "caption": "Vector String",
      "description": "The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: <code>3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H</code>.",
      "type": "string_t"
    },
    "vendor_name": {
      "caption": "Vendor Name",
      "description": "The name of the vendor. See specific usage.",
      "type": "string_t"
    },
    "verdict": {
      "caption": "Verdict",
      "description": "The verdict assigned to an Incident finding.",
      "type": "string_t"
    },
    "verdict_id": {
      "caption": "Verdict ID",
      "description": "The normalized verdict of an Incident.",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The type is unknown."
        },
        "1": {
          "caption": "False Positive",
          "description": "The incident is a false positive."
        },
        "2": {
          "caption": "True Positive",
          "description": "The incident is a true positive."
        },
        "3": {
          "caption": "Disregard",
          "description": "The incident can be disregarded as it is unimportant, an error or accident."
        },
        "4": {
          "caption": "Suspicious",
          "description": "The incident is suspicious."
        },
        "5": {
          "caption": "Benign",
          "description": "The incident is benign."
        },
        "6": {
          "caption": "Test",
          "description": "The incident is a test."
        },
        "7": {
          "caption": "Insufficient Data",
          "description": "The incident has insufficient data to make a verdict."
        },
        "8": {
          "caption": "Security Risk",
          "description": "The incident is a security risk."
        },
        "9": {
          "caption": "Managed Externally",
          "description": "The incident remediation or required actions are managed externally."
        },
        "10": {
          "caption": "Duplicate",
          "description": "The incident is a duplicate."
        },
        "99": {
        "caption": "Other",
        "description": "The type is not mapped. See the <code>type</code> attribute, which contains a data source specific value."
        }
      },
      "sibling": "verdict",
      "type": "integer_t"
    },
    "version": {
      "caption": "Version",
      "description": "The version that pertains to the event or object. See specific usage.",
      "type": "string_t"
    },
    "vlan_uid": {
      "caption": "VLAN",
      "description": "The Virtual LAN identifier.",
      "type": "string_t"
    },
    "vpc_uid": {
      "caption": "VPC UID",
      "description": "The unique identifier of the Virtual Private Cloud (VPC).",
      "type": "string_t"
    },
    "vulnerabilities": {
      "caption": "Vulnerabilities",
      "description": "This object describes vulnerabilities reported in a security finding.",
      "is_array": true,
      "type": "vulnerability"
    },
    "vulnerability": {
      "caption": "Vulnerability",
      "description": "The vulnerability object describes details related to the observed vulnerability",
      "type": "vulnerability"
    },
    "web_resources": {
      "caption": "Web Resources",
      "description": "Describes details about web resources that were affected by an activity/event.",
      "is_array": true,
      "type": "web_resource"
    },
    "web_resources_result": {
      "caption": "Web Resources Result",
      "description": "The results of the activity on web resources. It should contain the new values of the changed attributes of the web resources.",
      "is_array": true,
      "type": "web_resource"
    },
    "x_forwarded_for": {
      "caption": "X-Forwarded-For",
      "description": "The X-Forwarded-For header identifying the originating IP address(es) of a client connecting to a web server through an HTTP proxy or a load balancer.",
      "is_array": true,
      "type": "ip_t"
    },
    "x_originating_ip": {
      "caption": "X-Originating-IP",
      "description": "The X-Originating-IP header identifying the emails originating IP address(es).",
      "is_array": true,
      "type": "ip_t"
    },
    "xattributes": {
      "caption": "Extended Attributes",
      "description": "An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.</p>For example: Windows alternate data stream attributes (ADS stream name, ADS size, etc.), user-defined or application-defined attributes, ACL, owner, primary group, etc. Examples from DCS: </p><ul><li><strong>ads_name</strong></li><li><strong>ads_size</strong></li><li><strong>dacl</strong></li><li><strong>owner</strong></li><li><strong>primary_group</strong></li><li><strong>link_name</strong> - name of the link associated to the file.</li><li><strong>hard_link_count</strong> - the number of links that are associated to the file.</li></ul>",
      "type": "object"
    },
    "zone": {
      "caption": "Network Zone",
      "description": "The network zone or LAN segment.",
      "type": "string_t"
    },
    "condition": {
      "caption": "Condition",
      "description": "The rule trigger condition for the rule. For example: SQL_INJECTION.",
      "type": "string_t"
    },
    "sensitivity": {
      "caption": "Sensitivity",
      "description": "The sensitivity of the firewall rule in the matched event. For example: HIGH.",
      "type": "string_t"
    },
    "match_location": {
      "caption": "Match Location",
      "description": "The location of the matched data in the source which resulted in the triggered firewall rule. For example: HEADER.",
      "type": "string_t"
    },
    "match_details": {
      "caption": "Match Details",
      "description": "The data in a request that rule matched. For example: '[\"10\",\"and\",\"1\"]'.",
      "is_array": true,
      "type": "string_t"
    },
    "rate_limit": {
      "caption": "Rate Limit",
      "description": "The rate limit for a rate-based rule.",
      "type": "integer_t"
    }
  },
  "types": {
    "caption": "Data Types",
    "description": "The predefined data types. The data type specifies what kind of data a value can have.",
    "attributes": {
      "boolean_t": {
        "caption": "Boolean",
        "description": "Boolean value. One of <code>true</code> or <code>false</code>.",
        "values": [
          false,
          true
        ]
      },
      "bytestring_t": {
        "caption": "Byte String",
        "description": "Base64 encoded immutable byte sequence.",
        "type": "string_t",
        "type_name": "String"
      },
      "datetime_t": {
        "caption": "Datetime",
        "description": "The Internet Date/Time format as defined in <a target='_blank' href='https://www.rfc-editor.org/rfc/rfc3339.html'>RFC-3339</a>. For example <code>1985-04-12T23:20:50.52Z</code>.",
        "regex": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(?:\\.\\d+)?(Z|[\\+-]\\d{2}:\\d{2})?$",
        "type": "string_t",
        "type_name": "String"
      },
      "email_t": {
        "caption": "Email Address",
        "description": "Email address. For example: <code>john_doe@example.com</code>.",
        "observable": 5,
        "regex": "^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$",
        "type": "string_t",
        "type_name": "String"
      },
      "file_hash_t": {
        "caption": "Hash",
        "description": "Hash. A unique value that corresponds to the content of the file, image, ja3_hash or hassh found in the schema. For example MD5: <code>3172ac7e2b55cbb81f04a6e65855a628</code>.",
        "max_len": 64,
        "observable": 8,
        "type": "string_t",
        "type_name": "String"
      },
      "file_name_t": {
        "caption": "File Name",
        "description": "File name. For example: <code>text-file.txt</code>.",
        "observable": 7,
        "type": "string_t",
        "type_name": "String"
      },
      "float_t": {
        "caption": "Float",
        "description": "Real floating-point value. For example: <code>3.14</code>."
      },
      "hostname_t": {
        "caption": "Hostname",
        "description": "Unique name assigned to a device connected to a computer network. A domain name in general is an Internet address that can be resolved through the Domain Name System (DNS). For example: <code>r2-d2.example.com</code>.",
        "observable": 1,
        "regex": "^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])$",
        "type": "string_t",
        "type_name": "String"
      },
      "integer_t": {
        "caption": "Integer",
        "description": "Signed integer value."
      },
      "ip_t": {
        "caption": "IP Address",
        "description": "Internet Protocol address (IP address), in either IPv4 or IPv6 format. For example, <code>192.168.200.24</code> or <code>2001:0db8:85a3:0000:0000:8a2e:0370:7334</code>.",
        "max_len": 40,
        "observable": 2,
        "regex": "((^\\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]).){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\\s*$)|(^\\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:)))(%.+)?\\s*$))",
        "type": "string_t",
        "type_name": "String"
      },
      "json_t": {
        "caption": "JSON",
        "description": "Embedded JSON value. A value can be a string, or a number, or true or false or null, or an object or an array. These structures can be nested. See <a target='_blank' href='https://www.json.org'>www.json.org</a>."
      },
      "long_t": {
        "caption": "Long",
        "description": "8-byte long, signed integer value."
      },
      "mac_t": {
        "caption": "MAC Address",
        "description": "Media Access Control (MAC) address. For example: <code>18:36:F3:98:4F:9A</code>.",
        "max_len": 32,
        "observable": 3,
        "regex": "^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$",
        "type": "string_t",
        "type_name": "String"
      },
      "port_t": {
        "caption": "Port",
        "description": "The TCP/UDP port number. For example: <code>80</code> or <code>22</code>.",
        "range": [
          0,
          65535
        ],
        "type": "integer_t",
        "type_name": "Integer"
      },
      "process_name_t": {
        "caption": "Process Name",
        "description": "Process name. For example: <code>Notepad</code>.",
        "observable": 9,
        "type": "string_t",
        "type_name": "String"
      },
      "resource_uid_t": {
        "caption": "Resource UID",
        "description": "Resource unique identifier. For example, S3 Bucket name or EC2 Instance ID.",
        "max_len": 64,
        "observable": 10,
        "type": "string_t",
        "type_name": "String"
      },
      "string_t": {
        "caption": "String",
        "description": "UTF-8 encoded byte sequence.",
        "max_len": 65535
      },
      "subnet_t": {
        "caption": "Subnet",
      "description": "The subnet represented in a CIDR notation, using the format network_address/prefix_length. The network_address can be in either IPv4 or IPv6 format. The prefix length indicates the number of bits used for the network portion, and the remaining bits are available for host addresses within that subnet. <div>For example:<ul><li>192.168.1.0/24</li><li>2001:0db8:85a3:0000::/64</li></ul></div>",
        "max_len": 42,
        "type": "string_t",
        "type_name": "String"
      },
      "timestamp_t": {
        "caption": "Timestamp",
        "description": "The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example <code>1618524549901</code>.",
        "type": "long_t",
        "type_name": "Long"
      },
      "url_t": {
        "caption": "URL String",
        "description": "Uniform Resource Locator (URL) string. For example: <code>http://www.example.com/download/trouble.exe</code>.",
        "observable": 6,
        "type": "string_t",
        "type_name": "String"
      },
      "username_t": {
        "caption": "User Name",
        "description": "User name. For example: <code>john_doe</code>.",
        "observable": 4,
        "type": "string_t",
        "type_name": "String"
      },
      "uuid_t": {
        "caption": "UUID",
        "description": "128-bit universal unique identifier. For example: <code>123e4567-e89b-12d3-a456-42661417400</code>.",
        "regex": "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}",
        "type": "string_t",
        "type_name": "String"
      }
    }
  }
}