Data fields for Search
You must join the EAP to use this feature.
You can search the Data Lake for indicators of compromise (IOCs) or for other data such as IP addresses or usernames. See Search.
The Schema pane on the Search page shows the data fields you can include in your search.
Each data field has a symbol next to it:
-
T is a text field. This is indexed when it reaches the Data Lake. You can search these fields without wildcards.
-
# is a number field. You must use wildcards when you search these fields.
Here's a full list of the data fields.
| Field type | Description |
|---|---|
| src_ip | IP address that started a connection to a secondary system |
| dest_ip | IP address to which a system connected |
| logon_type | Authentication method used to log on to an account |
| logon_process | Process used to log on to an account |
| logon_protocol | Protocol used to log on to an account |
| dest_username | Name of account that was invoked to take an action |
| password_last_set | Date of the most recent password reset |
| task_name | Name of the Windows Scheduled Task |
| file_path | File path of the file involved in the event |
| process_path | File path of the process that was run |
| url | URL that was accessed by the device |
| domain_name | Name of the domain that was accessed |
| command_line | Command line entry |
| parent_process_path | File path of the process that created this child process |
| parent_command_line | Previous command-line entry |
| win_src_domain | Name of Windows domain from which an account logon originated |
| win_dest_domain | Name of Windows domain that an account accessed |
| registry_path | File path of the registry file involved |
| dest_server | Target server that was accessed or changed |
| service_name | Name of the service involved |
| service_start_type | Startup type for the Windows service |
| service_type | Name of the service type involved |
| run_as_username | Username invoked to run a specific process |
| parent_process_id | Process ID of the process that created this child process |
| file_name | Name of the file involved |
| process_name | Name of the process involved |
| protocol | Protocol used to connect to a system or domain |
| dest_port | Port number used to receive data |
| event_id | Windows Event ID number |
| process_id | Process ID of the executed process |
| device_id | Device ID of the device on which activity occurred |
| device_make | Manufacturer OS type |
| device_type | Endpoint or server |
| device_ip | IP address on which activity occurred |
| device_mac | MAC address of device on which activity occurred |
| hostname | Hostname of device involved |
| username | User who is logged into the device |
| customer_id | Sophos Customer ID |
| sha1 | SHA-1 file hash |
| sha256 | SHA-256 file hash |
| sophos_process_id | Sophos Process ID of the process that was run |
| sophos_parent_process_id | Sophos Process ID of the process that created this child process |
| file_pua_score | File risk score based on the probability of the file being a Potentially Unwanted Application, as assessed by deep learning on the device |
| file_ml_score | File risk score based on the probability of the file being malware, as assessed by deep learning on the device |
| file_global_reputation | File risk score obtained from a SophosLabs file analysis |
| file_local_reputation | File risk score obtained from the local reputation data stored on the disk |
| data_source | Name of the vendor that generated the event |
| category | Type of activity the event is associated with |
| activity_type | OS Query Name |
| category_description | Description of the type of activity the event is associated with |
| time | Time at which the event occurred |
| signature_status | Status indicating whether or not code is signed |
| process_sid | Security ID of the account used to run the process |
| process_uid | User ID of the account used to run the process |
| process_gid | Group ID to which the account that ran the process belongs |
| file_created_by | Name of the original creator of the Microsoft Office file |
| product_name | Name of the Microsoft Office product involved |
| file_description | Description of the Microsoft Office file |
| file_version | Version number of the file involved |
| process_username | User name of the account used to run the process |
| original_filename | File name before a file name change |
| file_size | Size of the file involved |
| src_username | Username that invoked a secondary account to take an action |
| event_description | Description of the Windows event |
| parent_process_name | Name of the process that created this child process |