dictionary.json

{
  "caption": "Attribute Dictionary",
  "description": "The Attribute Dictionary defines attributes and includes references to the events and objects in which they are used.",
  "name": "dictionary",
  "attributes": {
    "access_list": {
      "caption": "Access List",
      "description": "The list of requested access rights.",
      "type": "string_t",
      "is_array": true
    },
    "access_mask": {
      "caption": "Access Mask",
      "description": "The access mask in a platform-native format.",
      "type": "integer_t"
    },
    "access_result": {
      "caption": "Access Check Result",
      "description": "The list of access check results.",
      "type": "json_t"
    },
    "accessed_time": {
      "caption": "Accessed Time",
      "description": "The time when the file was last accessed.",
      "type": "timestamp_t"
    },
    "accessor": {
      "caption": "Accessor",
      "description": "The name of the user who last accessed the object.",
      "type": "user"
    },
    "account": {
      "caption": "Account",
      "description": "The account object describes details about the account that was the source or target of the activity.",
      "type": "account"
    },
    "ack_reason": {
      "caption": "Acknowledgement Reason",
      "description": "An integer that provides a reason code or additional information about the acknowledgment result.",
      "type": "integer_t"
    },
    "ack_result": {
      "caption": "Acknowledgement Result",
      "description": "An integer that denotes the acknowledgment result of the DCE/RPC call.",
      "type": "integer_t"
    },
    "action": {
      "caption": "Action",
      "description": "The normalized caption of 'action_id' or the source specific action.",
      "type": "string_t"
    },
    "action_id": {
      "caption": "Action ID",
      "description": "The normalized action taken by a control or other policy-based system leading to an outcome or disposition.",
      "sibling": "action",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The action was unknown."
        },
        "1": {
          "caption": "Allowed",
          "description": "The activity was allowed."
        },
        "2": {
          "caption": "Denied",
          "description": "The attempted activity was denied."
        },
        "99": {
          "caption": "Other",
          "description": "The action was not mapped. See the <code>action</code> attribute, which contains a data source specific value."
        }
      }
    },
    "activity_id": {
      "caption": "Activity ID",
      "description": "The normalized identifier of the activity that triggered the event.",
      "sibling": "activity_name",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The event activity is unknown."
        },
        "99": {
          "caption": "Other",
          "description": "The event activity is not mapped. See the <code>activity_name</code> attribute, which contains a data source specific value."
        }
      },
      "suppress_checks": [
        "sibling_convention"
      ]
    },
    "activity_name": {
      "caption": "Activity",
      "description": "The event activity name, as defined by the activity_id.",
      "type": "string_t"
    },
    "actor": {
      "caption": "Actor",
      "description": "The actor object describes details about the user/role/process that was the source of the activity.",
      "type": "actor"
    },
    "actual_permissions": {
      "caption": "Actual Permissions",
      "description": "The permissions that were granted in a platform-native format. See specific usage.",
      "type": "integer_t"
    },
    "advisory": {
      "caption": "Security Advisory",
      "description": "Detail about the security advisory, that is used to publicly disclose cybersecurity vulnerabilities by a vendor.",
      "type": "advisory"
    },
    "aerial_height": {
      "caption": "Aerial Height",
      "description": "Expressed as either height above takeoff location or height above ground level (AGL) for a UAS current location. This value is provided in meters and must have a minimum resolution of 1 m. Special Values: <code>Invalid</code>, <code>No Value</code>, or <code>Unknown: -1000 m</code>.",
      "type": "string_t"
    },
    "affected_code": {
      "caption": "Affected Code",
      "description": "List of Affected Code objects that describe details about code blocks identified as vulnerable.",
      "type": "affected_code",
      "is_array": true
    },
    "affected_packages": {
      "caption": "Affected Software Packages",
      "description": "List of software packages identified as affected by a vulnerability/vulnerabilities.",
      "type": "affected_package",
      "is_array": true
    },
    "agent": {
      "caption": "Agent",
      "description": "An Agent (also known as a Sensor) is typically installed on an Operating System (OS) and serves as a specialized software component that can be designed to monitor, detect, collect, archive, or take action. These activities and possible actions are defined by the upstream system controlling the Agent and its intended purpose. For instance, an Agent can include Endpoint Detection & Response (EDR) agents, backup/disaster recovery sensors, Application Performance Monitoring or profiling sensors, and similar software.",
      "type": "agent"
    },
    "agent_list": {
      "caption": "Agent List",
      "description": "A list of <code>agent</code> objects associated with a device, endpoint, or resource.",
      "type": "agent",
      "is_array": true
    },
    "alert": {
      "caption": "Client TLS Alert",
      "description": "The integer value of TLS alert if present. The alerts are defined in the TLS specification in <a target='_blank' href='https://datatracker.ietf.org/doc/html/rfc2246'>RFC-2246</a>.",
      "type": "integer_t"
    },
    "algorithm": {
      "caption": "Algorithm",
      "description": "The applicable algorithm, normalized to the caption of 'algorithm_id'. See specific usage.",
      "type": "string_t"
    },
    "algorithm_id": {
      "caption": "Algorithm ID",
      "description": "The normalized identifier of the algorithm. See specific usage.",
      "sibling": "algorithm",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The algorithm is unknown."
        },
        "99": {
          "caption": "Other",
          "description": "The algorithm is not mapped. See the <code>algorithm</code> attribute, which contains a data source specific value."
        }
      }
    },
    "altitude_ceiling": {
      "caption": "Altitude Ceiling",
      "description": "Maximum altitude (WGS-84 HAE) for a group or an Intent-Based Network Participant. Measured in meters. Special Values: <code>Invalid</code>, <code>No Value</code>, or <code>Unknown: -1000 m</code>.",
      "type": "string_t"
    },
    "altitude_floor": {
      "caption": "Altitude Floor",
      "description": "Minimum altitude (WGS-84 HAE) for a group or an Intent-Based Network Participant. Measured in meters. Special Values: <code>Invalid</code>, <code>No Value</code>, or <code>Unknown: -1000 m</code>.",
      "type": "string_t"
    },
    "analytic": {
      "caption": "Analytic",
      "description": "The analytic technique used to analyze and derive insights from the data or information that led to the finding or conclusion.",
      "type": "analytic"
    },
    "answers": {
      "caption": "DNS Answer",
      "description": "The Domain Name System (DNS) answers.",
      "type": "dns_answer",
      "is_array": true
    },
    "api": {
      "caption": "API Details",
      "description": "Describes details about a typical API (Application Programming Interface) call.",
      "type": "api"
    },
    "app": {
      "caption": "Application",
      "description": "The application that reported the event.",
      "type": "product"
    },
    "app_name": {
      "caption": "Application Name",
      "description": "The name of the application associated with the event or object.",
      "type": "string_t"
    },
    "app_uid": {
      "caption": "Application ID",
      "description": "The unique ID of the application associated with the event or object.",
      "type": "string_t"
    },
    "architecture": {
      "caption": "Architecture",
      "description": "Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on.",
      "type": "string_t"
    },
    "args": {
      "caption": "HTTP Arguments",
      "description": "The arguments sent along with the HTTP request.",
      "type": "string_t"
    },
    "assignee": {
      "caption": "Assignee",
      "description": "The details of the user assigned to an Incident.",
      "type": "user"
    },
    "assignee_group": {
      "caption": "Assignee Group",
      "description": "The details of the group assigned to an Incident.",
      "type": "group"
    },
    "attacks": {
      "caption": "MITRE ATT&CK® Details",
      "description": "An array of <a target='_blank' href='https://attack.mitre.org'>MITRE ATT&CK®</a> objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
      "type": "attack",
      "is_array": true
    },
    "attempt": {
      "caption": "Attempt",
      "description": "The delivery attempt.",
      "type": "integer_t"
    },
    "attributes": {
      "caption": "Attributes",
      "description": "The bitmask value that represents the file attributes.",
      "type": "integer_t"
    },
    "auth_factors": {
      "caption": "Authentication Factors",
      "description": "Describes a category of methods used for identity verification in an authentication attempt.",
      "type": "auth_factor",
      "is_array": true
    },
    "auth_protocol": {
      "caption": "Auth Protocol",
      "description": "The authentication protocol as defined by the caption of 'auth_protocol_id'. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "auth_protocol_id": {
      "caption": "Auth Protocol ID",
      "description": "The normalized identifier of the authentication protocol used to create the user session.",
      "sibling": "auth_protocol",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The authentication protocol is unknown."
        },
        "1": {
          "caption": "NTLM"
        },
        "2": {
          "caption": "Kerberos"
        },
        "3": {
          "caption": "Digest"
        },
        "4": {
          "caption": "OpenID"
        },
        "5": {
          "caption": "SAML"
        },
        "6": {
          "caption": "OAUTH 2.0"
        },
        "7": {
          "caption": "PAP"
        },
        "8": {
          "caption": "CHAP"
        },
        "9": {
          "caption": "EAP"
        },
        "10": {
          "caption": "RADIUS"
        },
        "99": {
          "caption": "Other",
          "description": "The authentication protocol is not mapped. See the <code>auth_protocol</code> attribute, which contains a data source specific value."
        }
      }
    },
    "auth_type": {
      "caption": "Authentication Type",
      "description": "The agreed upon authentication type, normalized to the caption of 'auth_type_id'. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "auth_type_id": {
      "caption": "Authentication Type ID",
      "description": "The normalized identifier of the agreed upon authentication type. See specific usage.",
      "sibling": "auth_type",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The authentication type is unknown."
        },
        "99": {
          "caption": "Other",
          "description": "The authentication type is not mapped. See the <code>auth_type</code> attribute, which contains a data source specific value."
        }
      }
    },
    "authorizations": {
      "caption": "Authorization Information",
      "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
      "type": "authorization",
      "is_array": true
    },
    "autonomous_system": {
      "caption": "Autonomous System",
      "description": "The Autonomous System details associated with an IP address.",
      "type": "autonomous_system"
    },
    "autoscale_uid": {
      "caption": "Autoscale UID",
      "description": "The unique identifier of the cloud autoscale configuration.",
      "type": "string_t"
    },
    "avg_timespan": {
      "caption": "Average Timespan",
      "description": "The average time span of an activity.",
      "type": "timespan"
    },
    "banner": {
      "caption": "SMTP Banner",
      "description": "The initial SMTP connection response that a messaging server receives after it connects to a email server.",
      "type": "string_t"
    },
    "base_address": {
      "caption": "Base Address",
      "description": "The memory address where the module was loaded.",
      "type": "string_t"
    },
    "base_score": {
      "caption": "Base Score",
      "description": "The base score as reported by the event source. See specific usage.",
      "type": "float_t"
    },
    "bios_date": {
      "caption": "BIOS Date",
      "description": "The BIOS date. For example: <code>03/31/16</code>.",
      "type": "string_t"
    },
    "bios_manufacturer": {
      "caption": "BIOS Manufacturer",
      "description": "The BIOS manufacturer. For example: <code>LENOVO</code>.",
      "type": "string_t"
    },
    "bios_ver": {
      "caption": "BIOS Version",
      "description": "The BIOS version. For example: <code>LENOVO G5ETA2WW (2.62)</code>.",
      "type": "string_t"
    },
    "body_length": {
      "caption": "Body Length not including header",
      "description": "The actual length of the HTTP response/request body, in number of bytes, independent of a potentially existing Content-Length header.",
      "type": "integer_t"
    },
    "boot_time": {
      "caption": "Boot Time",
      "description": "The time when the system was booted.",
      "type": "timestamp_t"
    },
    "boundary": {
      "caption": "Boundary",
      "description": "The boundary of the connection, normalized to the caption of 'boundary_id'. In the case of 'Other', it is defined by the event source. <p> For cloud connections, this translates to the traffic-boundary(same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.</p>",
      "type": "string_t"
    },
    "boundary_id": {
      "caption": "Boundary ID",
      "description": "<p>The normalized identifier of the boundary of the connection. </p><p> For cloud connections, this translates to the traffic-boundary (same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.</p>",
      "sibling": "boundary",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The connection boundary is unknown."
        },
        "1": {
          "caption": "Localhost",
          "description": "Local network traffic on the same endpoint."
        },
        "2": {
          "caption": "Internal",
          "description": "Internal network traffic between two endpoints inside network."
        },
        "3": {
          "caption": "External",
          "description": "External network traffic between two endpoints on the Internet or outside the network."
        },
        "4": {
          "caption": "Same VPC",
          "description": "Through another resource in the same VPC"
        },
        "5": {
          "caption": "Internet/VPC Gateway",
          "description": "Through an Internet gateway or a gateway VPC endpoint"
        },
        "6": {
          "caption": "Virtual Private Gateway",
          "description": "Through a virtual private gateway"
        },
        "7": {
          "caption": "Intra-region VPC",
          "description": "Through an intra-region VPC peering connection"
        },
        "8": {
          "caption": "Inter-region VPC",
          "description": "Through an inter-region VPC peering connection"
        },
        "9": {
          "caption": "Local Gateway",
          "description": "Through a local gateway"
        },
        "10": {
          "caption": "Gateway VPC",
          "description": "Through a gateway VPC endpoint (Nitro-based instances only)"
        },
        "11": {
          "caption": "Internet Gateway",
          "description": "Through an Internet gateway (Nitro-based instances only)"
        },
        "99": {
          "caption": "Other",
          "description": "The boundary is not mapped. See the <code>boundary</code> attribute, which contains a data source specific value."
        }
      }
    },
    "build": {
      "caption": "OS Build",
      "description": "The operating system build number.",
      "type": "string_t"
    },
    "bulletin": {
      "caption": "Patch Bulletin",
      "description": "The vendor bulletin identifier.",
      "type": "string_t"
    },
    "bytes": {
      "caption": "Total Bytes",
      "description": "The total number of bytes (in and out).",
      "type": "long_t"
    },
    "bytes_in": {
      "caption": "Bytes In",
      "description": "The number of bytes sent from the destination to the source.",
      "type": "long_t"
    },
    "bytes_out": {
      "caption": "Bytes Out",
      "description": "The number of bytes sent from the source to the destination.",
      "type": "long_t"
    },
    "capabilities": {
      "caption": "Capabilities",
      "description": "A list of RDP capabilities.",
      "type": "string_t",
      "is_array": true
    },
    "caption": {
      "caption": "Caption",
      "description": "A short description or caption of the device. For example: <code>Scanner 1</code> or <code>Database Manager</code>.",
      "type": "string_t"
    },
    "categories": {
      "caption": "Website Categorization",
      "description": "The Website categorization names, as defined by <code>category_ids</code> enum values.",
      "type": "string_t",
      "is_array": true
    },
    "category": {
      "caption": "Category",
      "description": "The object category, normalized to the caption of <code>category_id</code>. See specific usage.",
      "type": "string_t"
    },
    "category_id": {
      "caption": "Category ID",
      "description": "The normalized identifier of the object category. See specific usage.",
      "sibling": "category",
      "type": "integer_t"
    },
    "category_ids": {
      "caption": "Website Categorization IDs",
      "description": "The Website categorization identifiers.",
      "sibling": "categories",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The Domain/URL category is unknown."
        },
        "1": {
          "caption": "Adult/Mature Content"
        },
        "3": {
          "caption": "Pornography"
        },
        "4": {
          "caption": "Sex Education"
        },
        "5": {
          "caption": "Intimate Apparel/Swimsuit"
        },
        "6": {
          "caption": "Nudity"
        },
        "7": {
          "caption": "Extreme"
        },
        "9": {
          "caption": "Scam/Questionable/Illegal"
        },
        "11": {
          "caption": "Gambling"
        },
        "14": {
          "caption": "Violence/Hate/Racism"
        },
        "15": {
          "caption": "Weapons"
        },
        "16": {
          "caption": "Abortion"
        },
        "17": {
          "caption": "Hacking"
        },
        "18": {
          "caption": "Phishing"
        },
        "20": {
          "caption": "Entertainment"
        },
        "21": {
          "caption": "Business/Economy"
        },
        "22": {
          "caption": "Alternative Spirituality/Belief"
        },
        "23": {
          "caption": "Alcohol"
        },
        "24": {
          "caption": "Tobacco"
        },
        "25": {
          "caption": "Controlled Substances"
        },
        "26": {
          "caption": "Child Pornography"
        },
        "27": {
          "caption": "Education"
        },
        "29": {
          "caption": "Charitable Organizations"
        },
        "30": {
          "caption": "Art/Culture"
        },
        "31": {
          "caption": "Financial Services"
        },
        "32": {
          "caption": "Brokerage/Trading"
        },
        "33": {
          "caption": "Games"
        },
        "34": {
          "caption": "Government/Legal"
        },
        "35": {
          "caption": "Military"
        },
        "36": {
          "caption": "Political/Social Advocacy"
        },
        "37": {
          "caption": "Health"
        },
        "38": {
          "caption": "Technology/Internet"
        },
        "40": {
          "caption": "Search Engines/Portals"
        },
        "43": {
          "caption": "Malicious Sources/Malnets"
        },
        "44": {
          "caption": "Malicious Outbound Data/Botnets"
        },
        "45": {
          "caption": "Job Search/Careers"
        },
        "46": {
          "caption": "News/Media"
        },
        "47": {
          "caption": "Personals/Dating"
        },
        "49": {
          "caption": "Reference"
        },
        "50": {
          "caption": "Mixed Content/Potentially Adult"
        },
        "51": {
          "caption": "Chat (IM)/SMS"
        },
        "52": {
          "caption": "Email"
        },
        "53": {
          "caption": "Newsgroups/Forums"
        },
        "54": {
          "caption": "Religion"
        },
        "55": {
          "caption": "Social Networking"
        },
        "56": {
          "caption": "File Storage/Sharing"
        },
        "57": {
          "caption": "Remote Access Tools"
        },
        "58": {
          "caption": "Shopping"
        },
        "59": {
          "caption": "Auctions"
        },
        "60": {
          "caption": "Real Estate"
        },
        "61": {
          "caption": "Society/Daily Living"
        },
        "63": {
          "caption": "Personal Sites"
        },
        "64": {
          "caption": "Restaurants/Dining/Food"
        },
        "65": {
          "caption": "Sports/Recreation"
        },
        "66": {
          "caption": "Travel"
        },
        "67": {
          "caption": "Vehicles"
        },
        "68": {
          "caption": "Humor/Jokes"
        },
        "71": {
          "caption": "Software Downloads"
        },
        "83": {
          "caption": "Peer-to-Peer (P2P)"
        },
        "84": {
          "caption": "Audio/Video Clips"
        },
        "85": {
          "caption": "Office/Business Applications"
        },
        "86": {
          "caption": "Proxy Avoidance"
        },
        "87": {
          "caption": "For Kids"
        },
        "88": {
          "caption": "Web Ads/Analytics"
        },
        "89": {
          "caption": "Web Hosting"
        },
        "90": {
          "caption": "Uncategorized"
        },
        "92": {
          "caption": "Suspicious"
        },
        "93": {
          "caption": "Sexual Expression"
        },
        "95": {
          "caption": "Translation"
        },
        "96": {
          "caption": "Non-Viewable/Infrastructure"
        },
        "97": {
          "caption": "Content Servers"
        },
        "98": {
          "caption": "Placeholders"
        },
        "99": {
          "caption": "Other",
          "description": "The Domain/URL category is not mapped. See the <code>categories</code> attribute, which contains a data source specific value."
        },
        "101": {
          "caption": "Spam"
        },
        "102": {
          "caption": "Potentially Unwanted Software"
        },
        "103": {
          "caption": "Dynamic DNS Host"
        },
        "106": {
          "caption": "E-Card/Invitations"
        },
        "107": {
          "caption": "Informational"
        },
        "108": {
          "caption": "Computer/Information Security"
        },
        "109": {
          "caption": "Internet Connected Devices"
        },
        "110": {
          "caption": "Internet Telephony"
        },
        "111": {
          "caption": "Online Meetings"
        },
        "112": {
          "caption": "Media Sharing"
        },
        "113": {
          "caption": "Radio/Audio Streams"
        },
        "114": {
          "caption": "TV/Video Streams"
        },
        "118": {
          "caption": "Piracy/Copyright Concerns"
        },
        "121": {
          "caption": "Marijuana"
        }
      },
      "is_array": true
    },
    "category_name": {
      "caption": "Category",
      "description": "The event category name, as defined by category_uid value.",
      "type": "string_t"
    },
    "category_uid": {
      "caption": "Category ID",
      "description": "The category unique identifier of the event.",
      "sibling": "category_name",
      "type": "integer_t"
    },
    "cc": {
      "caption": "Cc",
      "description": "The email header Cc values, as defined by RFC 5322.",
      "type": "email_t",
      "is_array": true
    },
    "certificate": {
      "caption": "Certificate",
      "description": "The certificate object containing information about the digital certificate.",
      "type": "certificate"
    },
    "certificate_chain": {
      "caption": "Certificate Chain",
      "description": "The Chain of Certificate Serial Numbers field provides a chain of Certificate Issuer Serial Numbers leading to the Root Certificate Issuer.",
      "type": "string_t",
      "is_array": true
    },
    "chassis": {
      "caption": "Chassis",
      "description": "The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows <a target='_blank' href='https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-systemenclosure'>Windows Chassis Types</a>",
      "type": "string_t"
    },
    "chunks": {
      "caption": "Chunks",
      "description": "A unit of information within an SCTP packet, consisting of a chunk header and chunk-specific content. See RFC 4960. This field can be used for the total number of chunks (in and out).",
      "type": "long_t"
    },
    "chunks_in": {
      "caption": "Chunks In",
      "description": "A unit of information within an SCTP packet, consisting of a chunk header and chunk-specific content. See RFC 4960. This field can be used for the chunks sent from the destination to the source.",
      "type": "long_t"
    },
    "chunks_out": {
      "caption": "Chunks Out",
      "description": "A unit of information within an SCTP packet, consisting of a chunk header and chunk-specific content. See RFC 4960. This field can be used for the chunks sent from the source to the destination.",
      "type": "long_t"
    },
    "cipher": {
      "caption": "Cipher Suite",
      "description": "The negotiated cipher suite.",
      "type": "string_t"
    },
    "cis_benchmark": {
      "caption": "CIS Benchmark",
      "description": "The CIS Benchmark describes best practices for securely configuring IT systems, software, networks, and cloud infrastructure as defined by the Center for Internet Security (<a target='_blank' href='https://www.cisecurity.org/cis-benchmarks/'>CIS</a>).",
      "type": "cis_benchmark"
    },
    "cis_benchmark_result": {
      "caption": "CIS Benchmark Result",
      "description": "The CIS benchmark result.",
      "type": "cis_benchmark_result"
    },
    "cis_controls": {
      "caption": "CIS Controls",
      "description": "The CIS Critical Security Controls is a prioritized set of actions to protect your organization and data from cyber-attack vectors.",
      "type": "cis_control",
      "is_array": true
    },
    "cis_csc": {
      "caption": "CIS CSC",
      "description": "The CIS Critical Security Controls is a list of top 20 actions and practices an organization’s security team can take on such that cyber attacks or malware, are minimized and prevented.",
      "type": "cis_csc",
      "is_array": true
    },
    "city": {
      "caption": "City",
      "description": "The name of the city.",
      "type": "string_t"
    },
    "class": {
      "caption": "Class",
      "description": "The class name of the object. See specific usage.",
      "type": "string_t"
    },
    "class_name": {
      "caption": "Class",
      "description": "The event class name, as defined by class_uid value.",
      "type": "string_t"
    },
    "class_uid": {
      "caption": "Class ID",
      "description": "The unique identifier of a class. A class describes the attributes available in an event.",
      "sibling": "class_name",
      "type": "integer_t"
    },
    "classification": {
      "caption": "Classification",
      "description": "The classification as defined by the vendor.",
      "type": "string_t"
    },
    "classification_ids": {
      "caption": "Classification IDs",
      "description": "The list of normalized classification identifiers. See specific usage.",
      "sibling": "classifications",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The classification is unknown."
        },
        "99": {
          "caption": "Other",
          "description": "The classification is not mapped. See the <code>classifications</code> attribute, which contains a data source specific value."
        }
      },
      "is_array": true
    },
    "classifications": {
      "caption": "Classifications",
      "description": "The list of malware classifications, normalized to the captions of the classification_id values. In the case of 'Other', they are defined by the event source.",
      "type": "string_t",
      "is_array": true
    },
    "client_ciphers": {
      "caption": "Client Cipher Suites",
      "description": "The client cipher suites that were exchanged during the TLS handshake negotiation.",
      "type": "string_t",
      "is_array": true
    },
    "client_dialects": {
      "caption": "Client Dialects",
      "description": "The list of SMB dialects that the client speaks.",
      "type": "string_t",
      "is_array": true
    },
    "client_hassh": {
      "caption": "Client HASSH",
      "description": "The Client HASSH fingerprinting object.",
      "type": "hassh"
    },
    "cloud": {
      "caption": "Cloud",
      "description": "Describes details about the Cloud environment where the event was originally created or logged.",
      "type": "cloud"
    },
    "cloud_partition": {
      "caption": "Cloud Partition",
      "description": "The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).",
      "type": "string_t"
    },
    "cmd_line": {
      "observable": 13,
      "caption": "Command Line",
      "description": "The full command line used to launch an application, service, process, or job. For example: <code>ssh user@10.0.0.10</code>. If the command line is unavailable or missing, the empty string <code>''</code> is to be used.",
      "type": "string_t"
    },
    "code": {
      "caption": "Response Code",
      "description": "The numeric response sent to a request.",
      "type": "integer_t"
    },
    "codes": {
      "caption": "Response Codes",
      "description": "The list of numeric responses sent to a request.",
      "type": "integer_t",
      "is_array": true
    },
    "color_depth": {
      "caption": "Color Depth",
      "description": "The numeric color depth.",
      "type": "integer_t"
    },
    "command": {
      "caption": "Command",
      "description": "The command name.",
      "type": "string_t"
    },
    "command_response": {
      "caption": "Command Response",
      "description": "The response to the command.",
      "type": "string_t"
    },
    "command_responses": {
      "caption": "Command Responses",
      "description": "The responses to the command.",
      "type": "string_t",
      "is_array": true
    },
    "command_uid": {
      "caption": "Command UID",
      "description": "The unique command identifier.",
      "type": "string_t"
    },
    "comment": {
      "caption": "Comment",
      "description": "The user-provided comment.",
      "type": "string_t"
    },
    "community_uid": {
      "caption": "Community ID",
      "source": "community_id",
      "references": [{"url": "https://github.com/corelight/community-id-spec", "description": "Community ID definition."}],
      "description": "The Community ID of the network connection.",
      "type": "string_t"
    },
    "company_name": {
      "caption": "Company Name",
      "description": "The name of the company that published the file. For example: <code>Microsoft Corporation</code>.",
      "type": "string_t"
    },
    "compliance": {
      "caption": "Compliance",
      "description": "The compliance object provides context to compliance findings (e.g., a check against a specific regulatory or best practice framework such as CIS, NIST etc.) and contains compliance related details.",
      "type": "compliance"
    },
    "compliance_references": {
      "caption": "Compliance Standard References",
      "description": "A list of reference KB articles that provide information to help organizations understand, interpret, and implement compliance standards. They provide guidance, best practices, and examples.",
      "type": "kb_article",
      "is_array": true
    },
    "compliance_standards": {
      "caption": "Compliance Standards: Details",
      "description": "A list of established guidelines or criteria that define specific requirements an organization must follow.",
      "type": "kb_article",
      "is_array": true
    },
    "component": {
      "caption": "Component",
      "description": "The component of a data object. See specific usage.",
      "type": "string_t"
    },
    "condition": {
      "caption": "Condition",
      "description": "The rule trigger condition for the rule. For example: SQL_INJECTION.",
      "type": "string_t"
    },
    "confidence": {
      "caption": "Confidence",
      "description": "The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "confidence_id": {
      "caption": "Confidence ID",
      "description": "The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.",
      "sibling": "confidence",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The normalized confidence is unknown."
        },
        "1": {
          "caption": "Low"
        },
        "2": {
          "caption": "Medium"
        },
        "3": {
          "caption": "High"
        },
        "99": {
          "caption": "Other",
          "description": "The confidence is not mapped to the defined enum values. See the <code>confidence</code> attribute, which contains a data source specific value."
        }
      }
    },
    "confidence_score": {
      "caption": "Confidence Score",
      "description": "The confidence score as reported by the event source.",
      "type": "integer_t"
    },
    "confidentiality": {
      "caption": "Confidentiality",
      "description": "The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "confidentiality_id": {
      "caption": "Confidentiality ID",
      "description": "The normalized identifier of the file content confidentiality indicator.",
      "sibling": "confidentiality",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The confidentiality is unknown."
        },
        "1": {
          "caption": "Not Confidential"
        },
        "2": {
          "caption": "Confidential"
        },
        "3": {
          "caption": "Secret"
        },
        "4": {
          "caption": "Top Secret"
        },
        "5": {
          "caption": "Private"
        },
        "6": {
          "caption": "Restricted"
        },
        "99": {
          "caption": "Other",
          "description": "The confidentiality is not mapped. See the <code>confidentiality</code> attribute, which contains a data source specific value."
        }
      }
    },
    "connection_info": {
      "caption": "Connection Info",
      "description": "The network connection information.",
      "type": "network_connection_info"
    },
    "connection_uid": {
      "caption": "Connection Identifier",
      "description": "The network connection identifier.",
      "type": "string_t"
    },
    "container": {
      "caption": "Container",
      "description": "The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.",
      "type": "container"
    },
    "containers": {
      "caption": "Containers",
      "description": "When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. For example, this may be the set of containers involved in handling api requests and responses for a containerized application.",
      "type": "container",
      "is_array": true
    },
    "content_type": {
      "caption": "HTTP Content Type",
      "description": "The request header that identifies the original <a target='_blank' href='https://www.iana.org/assignments/media-types/media-types.xhtml'>media type </a> of the resource (prior to any content encoding applied for sending).",
      "type": "string_t"
    },
    "continent": {
      "caption": "Continent",
      "description": "The name of the continent.",
      "type": "string_t"
    },
    "control": {
      "caption": "Security Control",
      "description": "A Control is prescriptive, prioritized, and simplified set of best practices that one can use to strengthen their cybersecurity posture. e.g. AWS SecurityHub Controls, CIS Controls.",
      "type": "string_t"
    },
    "control_parameters": {
      "caption": "Control Parameters",
      "description": "The list of control parameters evaluated in a Compliance check.",
      "type": "key_value_object",
      "is_array": true
    },
    "coordinates": {
      "caption": "Coordinates",
      "description": "A two-element array, containing a longitude/latitude pair. The format conforms with <a target='_blank' href='https://geojson.org'>GeoJSON</a>. For example: <code>[-73.983, 40.719]</code>.",
      "type": "float_t",
      "@deprecated": {
        "message": "Use specific <code> lat, long </code> attributes instead.",
        "since": "1.2.0"
      },
      "is_array": true
    },
    "correlation_uid": {
      "caption": "Correlation UID",
      "description": "The unique identifier used to correlate events.",
      "type": "string_t"
    },
    "cost_center": {
      "caption": "Cost Center",
      "description": "The cost center associated with the user.",
      "type": "string_t"
    },
    "count": {
      "caption": "Count",
      "description": "The number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.",
      "type": "integer_t"
    },
    "countermeasures": {
      "caption": "Countermeasures",
      "description": "The MITRE DEFEND™ Matrix Countermeasures associated with a remediation.",
      "type": "d3fend",
      "is_array": true
    },
    "country": {
      "observable": 14,
      "caption": "Country",
      "description": "The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see <a target='_blank' href='https://www.iso.org/obp/ui/#iso:pub:PUB500001:en' >ISO 3166-1 alpha-2 codes</a>.<p><b>Note:</b> The two letter country code should be capitalized. For example: <code>US</code> or <code>CA</code>.</p>",
      "type": "string_t"
    },
    "cpe_name": {
      "caption": "The product CPE identifier",
      "description": "The Common Platform Enumeration (CPE) name as described by (<a target='_blank' href='https://nvd.nist.gov/products/cpe'>NIST</a>) For example: <code>cpe:/a:apple:safari:16.2</code>.",
      "type": "string_t"
    },
    "cpu_bits": {
      "caption": "CPU Bits",
      "description": "The cpu architecture, the number of bits used for addressing in memory. For example: <code>32</code> or <code>64</code>.",
      "type": "integer_t"
    },
    "cpu_cores": {
      "caption": "CPU Cores",
      "description": "The number of processor cores in all installed processors. For Example: <code>42</code>.",
      "type": "integer_t"
    },
    "cpu_count": {
      "caption": "CPU Count",
      "description": "The number of physical processors on a system. For example: <code>1</code>.",
      "type": "integer_t"
    },
    "cpu_speed": {
      "caption": "Processor Speed",
      "description": "The speed of the processor in Mhz. For Example: <code>4200</code>.",
      "type": "integer_t"
    },
    "cpu_type": {
      "caption": "Processor Type",
      "description": "The processor type. For example: <code>x86 Family 6 Model 37 Stepping 5</code>.",
      "type": "string_t"
    },
    "create_mask": {
      "caption": "Create Mask",
      "description": "The original Windows mask that is required to create the object.",
      "type": "string_t"
    },
    "created_time": {
      "caption": "Created Time",
      "description": "The time when the object was created. See specific usage.",
      "type": "timestamp_t"
    },
    "creator": {
      "caption": "Creator",
      "description": "The user that created the object associated with event. See specific usage.",
      "type": "user"
    },
    "credential_uid": {
      "observable": 19,
      "caption": "User Credential ID",
      "description": "The unique identifier of the user's credential. For example, AWS Access Key ID.",
      "type": "string_t"
    },
    "criticality": {
      "caption": "Criticality",
      "description": "Criticality of a resource/object in question",
      "type": "string_t"
    },
    "customer_uid": {
      "caption": "Customer UID",
      "description": "The unique customer identifier.",
      "type": "string_t",
      "@deprecated": {
        "message": "Use the <code> tenant_uid </code> attribute instead.",
        "since": "1.1.0"
      }
    },
    "cve": {
      "caption": "CVE",
      "description": "The Common Vulnerabilities and Exposures (<a target='_blank' href='https://cve.mitre.org/'>CVE</a>) identifiers for the vulnerability.",
      "type": "cve"
    },
    "cves": {
      "caption": "CVE List",
      "description": "List of Common Vulnerabilities and Exposures (<a target='_blank' href='https://cve.mitre.org/'>CVE</a>).",
      "type": "cve",
      "is_array": true
    },
    "cvss": {
      "caption": "CVSS Score",
      "description": "The CVSS object details Common Vulnerability Scoring System (<a target='_blank' href='https://www.first.org/cvss/'>CVSS</a>) scores from the advisory that are related to the vulnerability.",
      "type": "cvss",
      "is_array": true
    },
    "cwe": {
      "caption": "CWE",
      "description": "The CWE object represents a weakness in a software system that can be exploited by a threat actor to perform an attack. The CWE object is based on the <a target='_blank' href='https://cwe.mitre.org/'>Common Weakness Enumeration (CWE)</a> catalog.",
      "type": "cwe"
    },
    "cwe_uid": {
      "caption": "CWE UID",
      "description": "The <a target='_blank' href='https://cwe.mitre.org/'>Common Weakness Enumeration (CWE)</a> unique identifier. For example: <code>CWE-787</code>.",
      "type": "string_t",
      "@deprecated": {
        "message": "Use the <code> related_cwes </code> object attributes instead.",
        "since": "1.1.0"
      }
    },
    "cwe_url": {
      "caption": "CWE URL",
      "description": "Common Weakness Enumeration (CWE) definition URL. For example: <code>https://cwe.mitre.org/data/definitions/787.html</code>.",
      "type": "url_t",
      "@deprecated": {
        "message": "Use the <code> related_cwes </code> object attributes instead.",
        "since": "1.1.0"
      }
    },
    "d3f_tactic": {
      "caption": "MITRE DEFEND™ Tactic",
      "description": "The D3FEND Tactic object describes the defensive tactic name associated with a countermeasure, as defined by <a target='_blank' href='https://d3fend.mitre.org'>D3FEND<sup>TM</sup> Matrix</a>.",
      "type": "d3f_tactic"
    },
    "d3f_technique": {
      "caption": "MITRE DEFEND™ Technique",
      "description": "The D3FEND Technique object describes the defensive technique ID and/or name associated with a countermeasure, as defined by <a target='_blank' href='https://d3fend.mitre.org'>D3FEND<sup>TM</sup> Matrix</a>.",
      "type": "d3f_technique"
    },
    "data": {
      "caption": "Data",
      "description": "The additional data that is associated with the event or object. See specific usage.",
      "type": "json_t"
    },
    "data_classification": {
      "caption": "Data Classification",
      "description": "The Data Classification object includes information about data classification levels and data category types.",
      "type": "data_classification"
    },
    "data_lifecycle_state": {
      "caption": "Data Lifecycle State",
      "description": "The name of the stage or state that the data was in. E.g., Data-at-Rest, Data-in-Transit, etc.",
      "type": "string_t"
    },
    "data_lifecycle_state_id": {
      "caption": "Data Lifecycle State ID",
      "description": "The stage or state that the data was in when it was assessed or scanned by a data security tool.",
      "sibling": "data_lifecycle_state",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The data lifecycle state is unknown."
        },
        "1": {
          "caption": "Data at-Rest",
          "description": "The data was stored on physical or logical media and was not actively moving through the network nor was being processed. E.g., data stored in a database, PDF files in a file share, or EHR records in object storage."
        },
        "2": {
          "caption": "Data in-Transit",
          "description": "The data was actively moving through the network or from one physical or logical location to another. E.g., emails being send, data replication or Change Data Capture (CDC) streams, or sensitive data processed on an API."
        },
        "3": {
          "caption": "Data in-Use",
          "description": "The data was being processed, accessed, or read by a system, making it active in memory or CPU. E.g., sensitive data in a Business Intelligence tool, ePHI being processed in an EHR application or a user viewing data stored in a spreadsheet or PDF."
        },
        "99": {
          "caption": "Other",
          "description": "The data lifecycle state is not mapped. See the <code>data_lifecycle_state</code> attribute, which contains a data source specific value."
        }
      }
    },
    "data_security": {
      "caption": "Data Security",
      "description": "The Data Security object describes the characteristics, techniques and content of a Data Loss Prevention (DLP), Data Loss Detection (DLD), Data Classification, or similar tools' finding, alert, or detection mechanism(s).",
      "type": "data_security"
    },
    "data_sources": {
      "caption": "Data Sources",
      "description": "A list of data sources utilized in generation of the finding.",
      "type": "string_t",
      "is_array": true
    },
    "database": {
      "caption": "Database",
      "description": "The database object is used for databases which are typically datastore services that contain an organized collection of structured and unstructured data or a types of data.",
      "type": "database"
    },
    "databucket": {
      "caption": "Databucket",
      "description": "The data bucket object is a basic container that holds data, typically organized through the use of data partitions.",
      "type": "databucket"
    },
    "dce_rpc": {
      "caption": "Distributed Computing Environment/Remote Procedure Call (DCE/RPC)",
      "description": "The DCE/RPC object describes the remote procedure call system for distributed computing environments.",
      "type": "dce_rpc"
    },
    "decision": {
      "caption": "Authorization Decision/Outcome",
      "description": "Decision/outcome of the authorization mechanism (e.g. Approved, Denied)",
      "type": "string_t"
    },
    "delay": {
      "caption": "Root Delay",
      "description": "The total round-trip delay to the reference clock in milliseconds.",
      "type": "integer_t"
    },
    "deleted_time": {
      "caption": "Deleted Time",
      "description": "The timestamp when the user was deleted. In Active Directory (AD), when a user is deleted they are moved to a temporary container and then removed after 30 days. So, this field can be populated even after a user is deleted for the next 30 days.",
      "type": "timestamp_t"
    },
    "delivered_to": {
      "caption": "Delivered To",
      "description": "The <strong>Delivered-To</strong> email header field.",
      "type": "email_t"
    },
    "depth": {
      "caption": "CVSS Depth",
      "description": "The CVSS depth represents a depth of the equation used to calculate CVSS score.",
      "type": "string_t",
      "enum": {
        "Base": {
          "caption": "Base"
        },
        "Environmental": {
          "caption": "Environmental"
        },
        "Temporal": {
          "caption": "Temporal"
        }
      }
    },
    "desc": {
      "caption": "Description",
      "description": "The description that pertains to the object or event. See specific usage.",
      "type": "string_t"
    },
    "desktop_display": {
      "caption": "Desktop Display",
      "description": "The desktop display affiliated with the event",
      "type": "display"
    },
    "details": {
      "caption": "Details",
      "description": "Details of an entity. See specific usage",
      "type": "string_t"
    },
    "detection_pattern": {
      "caption": "Detection Pattern",
      "description": "Specific pattern, algorithm, fingerprint, or model used for detection.",
      "type": "string_t"
    },
    "detection_system": {
      "caption": "Detection System",
      "description": "The name of the type of data security tool or system that the finding, detection, or alert originated from. E.g., Endpoint, Secure Email Gateway, etc.",
      "type": "string_t"
    },
    "detection_system_id": {
      "caption": "Detection System ID",
      "description": "The type of data security tool or system that the finding, detection, or alert originated from.",
      "sibling": "detection_system",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The type is not mapped. See the <code>detection_system</code> attribute, which contains a data source specific value."
        },
        "1": {
          "caption": "Endpoint",
          "description": "A dedicated agent or sensor installed on a device, either a dedicated data security tool or an Endpoint Detection & Response (EDR) tool that can detect sensitive data and/or enforce data security policies. E.g., Forcepoint DLP, Symantec DLP, Microsoft Defender for Endpoint (MDE)."
        },
        "2": {
          "caption": "DLP Gateway",
          "description": "A Data Loss Prevention (DLP) gateway that is positioned in-line of an information store such as a network share, a database, or otherwise that can detect sensitive data and/or enforce data security policies."
        },
        "3": {
          "caption": "Mobile Device Management",
          "description": "A Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) tool that can detect sensitive data and/or enforce data security policies on mobile devices (e.g., cellphones, tablets, End User Devices [EUDs])."
        },
        "4": {
          "caption": "Data Discovery & Classification",
          "description": "A tool that actively identifies and classifies sensitive data in digital media and information stores in accordance with a policy or automated functionality. E.g, Amazon Macie, Microsoft Purview."
        },
        "5": {
          "caption": "Secure Web Gateway",
          "description": "A Secure Web Gateway (SWG) is any tool that can detect sensitive data and/or enforce data security policies at a network-edge such as within a proxy or firewall service."
        },
        "6": {
          "caption": "Secure Email Gateway",
          "description": "A Secure Email Gateway (SEG) is any tool that can detect sensitive data and/or enforce data security policies within email systems. E.g., Microsoft Defender for Office, Google Workspaces."
        },
        "7": {
          "caption": "Digital Rights Management",
          "description": "A Digital Rights Management (DRM) or a dedicated Information Rights Management (IRM) are tools which can detect sensitive data and/or enforce data security policies on digital media via policy or user access rights."
        },
        "8": {
          "caption": "Cloud Access Security Broker",
          "description": "A Cloud Access Security Broker (CASB) that can detect sensitive data and/or enforce data security policies in-line to cloud systems such as the public cloud or Software-as-a-Service (SaaS) tool. E.g., Forcepoint CASB, SkyHigh Security."
        },
        "9": {
          "caption": "Database Activity Monitoring",
          "description": "A Database Activity Monitoring (DAM) tool that can detect sensitive data and/or enforce data security policies as part of a dedicated database or warehouse monitoring solution."
        },
        "10": {
          "caption": "Application-Level DLP",
          "description": "A built in Data Loss Prevention (DLP) or other data security capability within a tool or platform such as an Enterprise Resource Planning (ERP) or Customer Relations Management (CRM) tool that can detect sensitive data and/or enforce data security policies."
        },
        "11": {
          "caption": "Developer Security",
          "description": "Any Developer Security tool such as an Infrastructure-as-Code (IAC) security scanner, Secrets Detection, or Secure Software Development Lifecycle (SSDLC) tool that can detect sensitive data and/or enforce data security policies. E.g., TruffleHog, GitGuardian, Git-Secrets."
        },
        "12": {
          "caption": "Data Security Posture Management",
          "description": "A Data Security Posture Management (DSPM) tool is a continuous monitoring and data discovery solution that can detect sensitive data and/or enforce data security policies for local and cloud environments. E.g., Cyera, Sentra, IBM Polar Security."
        },
        "99": {
          "caption": "Other",
          "description": "Any other type of detection system or a multi-variate system made up of several other systems."
        }
      }
    },
    "detection_uid": {
      "caption": "Detection UID",
      "description": "The associated unique detection event identifier. For example: detection response events include the <b>Detection ID</b> of the original event.",
      "type": "string_t"
    },
    "developer_uid": {
      "caption": "Developer UID",
      "description": "The developer ID on the certificate that signed the file.",
      "type": "string_t"
    },
    "device": {
      "caption": "Device",
      "description": "An addressable device, computer system or host.",
      "type": "device"
    },
    "devices": {
      "caption": "Devices",
      "description": "The object describes details related to the list of devices.",
      "type": "device",
      "is_array": true
    },
    "dialect": {
      "caption": "Dialect",
      "description": "The negotiated protocol dialect.",
      "type": "string_t"
    },
    "digest": {
      "caption": "Message Digest",
      "description": "The message digest attribute contains the fixed length message hash representation and the corresponding hashing algorithm information.",
      "type": "fingerprint"
    },
    "direction": {
      "caption": "Direction",
      "description": "The direction of the initiated connection, traffic, or email, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "direction_id": {
      "caption": "Direction ID",
      "description": "The normalized identifier of the direction of the initiated connection, traffic, or email.",
      "sibling": "direction",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The connection direction is unknown."
        },
        "1": {
          "caption": "Inbound",
          "description": "Inbound network connection. The connection was originated from the Internet or outside network, destined for services on the inside network."
        },
        "2": {
          "caption": "Outbound",
          "description": "Outbound network connection. The connection was originated from inside the network, destined for services on the Internet or outside network."
        },
        "3": {
          "caption": "Lateral",
          "description": "Lateral network connection. The connection was originated from inside the network, destined for services on the inside network."
        },
        "99": {
          "caption": "Other",
          "description": "The direction is not mapped. See the <code>direction</code> attribute, which contains a data source specific value."
        }
      }
    },
    "dispersion": {
      "caption": "Root Dispersion",
      "description": "The dispersion in the NTP protocol is the estimated time error or uncertainty relative to the reference clock in milliseconds.",
      "type": "integer_t"
    },
    "disposition": {
      "caption": "Disposition",
      "description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "disposition_id": {
      "caption": "Disposition ID",
      "description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
      "sibling": "disposition",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The disposition is unknown."
        },
        "1": {
          "caption": "Allowed",
          "description": "Granted access or allowed the action to the protected resource."
        },
        "2": {
          "caption": "Blocked",
          "description": "Denied access or blocked the action to the protected resource."
        },
        "3": {
          "caption": "Quarantined",
          "description": "A suspicious file or other content was moved to a benign location."
        },
        "4": {
          "caption": "Isolated",
          "description": "A session was isolated on the network or within a browser."
        },
        "5": {
          "caption": "Deleted",
          "description": "A file or other content was deleted."
        },
        "6": {
          "caption": "Dropped",
          "description": "The request was detected as a threat and resulted in the connection being dropped."
        },
        "7": {
          "caption": "Custom Action",
          "description": "A custom action was executed such as running of a command script. Use the <code>message</code> attribute of the base class for details."
        },
        "8": {
          "caption": "Approved",
          "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from <code>1</code> 'Allowed'."
        },
        "9": {
          "caption": "Restored",
          "description": "A quarantined file or other content was restored to its original location."
        },
        "10": {
          "caption": "Exonerated",
          "description": "A suspicious or risky entity was deemed to no longer be suspicious (re-scored)."
        },
        "11": {
          "caption": "Corrected",
          "description": "A corrupt file or configuration was corrected."
        },
        "12": {
          "caption": "Partially Corrected",
          "description": "A corrupt file or configuration was partially corrected."
        },
        "13": {
          "caption": "Uncorrected",
          "description": "A corrupt file or configuration was not corrected."
        },
        "14": {
          "caption": "Delayed",
          "description": "An operation was delayed, for example if a restart was required to finish the operation."
        },
        "15": {
          "caption": "Detected",
          "description": "Suspicious activity or a policy violation was detected without further action."
        },
        "16": {
          "caption": "No Action",
          "description": "The outcome of an operation had no action taken."
        },
        "17": {
          "caption": "Logged",
          "description": "The operation or action was logged without further action."
        },
        "18": {
          "caption": "Tagged",
          "description": "A file or other entity was marked with extended attributes."
        },
        "19": {
          "caption": "Alert",
          "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
        },
        "20": {
          "caption": "Count",
          "description": "Counted the request or activity but did not determine whether to allow it or block it."
        },
        "21": {
          "caption": "Reset",
          "description": "The request was detected as a threat and resulted in the connection being reset."
        },
        "22": {
          "caption": "Captcha",
          "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
        },
        "23": {
          "caption": "Challenge",
          "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
        },
        "24": {
          "caption": "Access Revoked",
          "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the <code>Host</code> profile if the <code>User</code> or <code>Actor</code> requestor is not present in the event class."
        },
        "25": {
          "caption": "Rejected",
          "description": "A request or submission was rejected.  For example, when a form was improperly filled out and submitted. This is distinct from <code>2</code> 'Blocked'."
        },
        "26": {
          "caption": "Unauthorized",
          "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than <code>2</code> 'Blocked' and can be complemented with the <code>authorizations</code> attribute for more detail."
        },
        "27": {
          "caption": "Error",
          "description": "An error occurred during the processing of the activity or request. Use the <code>message</code> attribute of the base class for details."
        },
        "99": {
          "caption": "Other",
          "description": "The disposition is not mapped. See the <code>disposition</code> attribute, which contains a data source specific value."
        }
      }
    },
    "dkim": {
      "caption": "DKIM Status",
      "description": "The DomainKeys Identified Mail (DKIM) status of the email.",
      "type": "string_t"
    },
    "dkim_domain": {
      "caption": "DKIM Domain",
      "description": "The DomainKeys Identified Mail (DKIM) signing domain of the email.",
      "type": "string_t"
    },
    "dkim_signature": {
      "caption": "DKIM Signature",
      "description": "The DomainKeys Identified Mail (DKIM) signature used by the sending/receiving system.",
      "type": "string_t"
    },
    "dmarc": {
      "caption": "DMARC Status",
      "description": "The Domain-based Message Authentication, Reporting and Conformance (DMARC) status of the email.",
      "type": "string_t"
    },
    "dmarc_override": {
      "caption": "DMARC Override",
      "description": "The Domain-based Message Authentication, Reporting and Conformance (DMARC) override action.",
      "type": "string_t"
    },
    "dmarc_policy": {
      "caption": "DMARC Policy",
      "description": "The Domain-based Message Authentication, Reporting and Conformance (DMARC) policy status.",
      "type": "string_t"
    },
    "dnssec_status": {
      "caption": "DNSSEC Status",
      "description": "The normalized value of dnssec_status_id.",
      "type": "string_t"
    },
    "dnssec_status_id": {
      "caption": "DNSSEC Status ID",
      "description": "Describes the normalized status of DNS Security Extensions (DNSSEC) for a domain.",
      "sibling": "dnssec_status",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The disposition is unknown."
        },
        "1": {
          "caption": "Signed",
          "description": "The related domain enables the signing of DNS records using DNSSEC."
        },
        "2": {
          "caption": "Unsigned",
          "description": "The related domain does not enable the signing of DNS records using DNSSEC."
        },
        "99": {
          "caption": "Other",
          "description": "The DNSSEC status is not mapped. See the <code>dnssec_status</code> attribute, which contains a data source specific value."
        }
      }
    },
    "domain": {
      "caption": "Domain",
      "description": "The name of the domain.",
      "type": "string_t"
    },
    "domain_contact": {
      "caption": "Domain Contact",
      "description": "The contact information related to a domain registration, e.g., registrant, administrator, abuse, billing, or technical contact.",
      "type": "domain_contact"
    },
    "domain_contacts": {
      "caption": "Domain Contacts",
      "description": "An array of <code>Domain Contact</code> objects.",
      "type": "domain_contact",
      "is_array": true
    },
    "driver": {
      "caption": "Kernel Driver",
      "description": "The driver that was loaded/unloaded into the kernel",
      "type": "kernel_driver"
    },
    "dst_endpoint": {
      "caption": "Destination Endpoint",
      "description": "The network destination endpoint.",
      "type": "network_endpoint"
    },
    "duration": {
      "caption": "Duration Milliseconds",
      "description": "This represents the duration of the activity in milliseconds. See specific usage.",
      "type": "long_t"
    },
    "duration_days": {
      "caption": "Duration Days",
      "description": "Represents the duration of the activity in days. See specific usage.",
      "type": "integer_t"
    },
    "duration_hours": {
      "caption": "Duration Hours",
      "description": "Represents the duration of the activity in hours. See specific usage.",
      "type": "integer_t"
    },
    "duration_mins": {
      "caption": "Duration Minutes",
      "description": "Represents the duration of the activity in minutes. See specific usage.",
      "type": "integer_t"
    },
    "duration_months": {
      "caption": "Duration Months",
      "description": "Represents the duration of the activity in months. See specific usage.",
      "type": "integer_t"
    },
    "duration_secs": {
      "caption": "Duration Seconds",
      "description": "Represents the duration of the activity in seconds. See specific usage.",
      "type": "integer_t"
    },
    "duration_weeks": {
      "caption": "Duration Weeks",
      "description": "Represents the duration of the activity in weeks. See specific usage.",
      "type": "integer_t"
    },
    "duration_years": {
      "caption": "Duration Years",
      "description": "Represents the duration of the activity in years. See specific usage.",
      "type": "integer_t"
    },
    "edition": {
      "caption": "OS Edition",
      "description": "The operating system edition. For example: <code>Professional</code>.",
      "type": "string_t"
    },
    "email": {
      "caption": "Email",
      "description": "The email object.",
      "type": "email"
    },
    "email_addr": {
      "caption": "Email Address",
      "description": "The user's primary email address.",
      "type": "email_t"
    },
    "email_addrs": {
      "caption": "Email Addresses",
      "description": "A list of additional email addresses for the user.",
      "type": "email_t",
      "is_array": true
    },
    "email_auth": {
      "caption": "Email Authentication",
      "description": "The SPF, DKIM and DMARC attributes of an email.",
      "type": "email_auth"
    },
    "email_uid": {
      "caption": "Email UID",
      "description": "The unique identifier of the email, used to correlate related email alert and activity events.",
      "type": "string_t"
    },
    "employee_uid": {
      "caption": "Employee ID",
      "description": "The employee identifier assigned to the user by the organization.",
      "type": "string_t"
    },
    "end_line": {
      "caption": "End Line",
      "description": "The line number of the last line of code block identified as vulnerable.",
      "type": "integer_t"
    },
    "end_time": {
      "caption": "End Time",
      "description": "The end time of a time period. See specific usage.",
      "type": "timestamp_t"
    },
    "endpoint_connections": {
      "caption": "Endpoint Connections",
      "description": "Contains information about network connection attempts. See specific usage.",
      "type": "endpoint_connection",
      "is_array": true
    },
    "enrichments": {
      "caption": "Enrichments",
      "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>",
      "type": "enrichment",
      "is_array": true
    },
    "entity": {
      "caption": "Entity",
      "description": "The managed entity that is being acted upon.",
      "type": "managed_entity"
    },
    "entity_result": {
      "caption": "Entity Result",
      "description": "The updated managed entity.",
      "type": "managed_entity"
    },
    "environment_variables": {
      "caption": "Environment Variables",
      "description": "An array of environment variables.",
      "type": "environment_variable",
      "is_array": true
    },
    "epoch": {
      "caption": "Epoch",
      "description": "The software package epoch. Epoch is a way to define weighted dependencies based on version numbers.",
      "type": "integer_t"
    },
    "epss": {
      "caption": "EPSS",
      "description": "The Exploit Prediction Scoring System (EPSS) object describes the estimated probability a vulnerability will be exploited. EPSS is a community-driven effort to combine descriptive information about vulnerabilities (CVEs) with evidence of actual exploitation in-the-wild. (<a target='_blank' href='https://www.first.org/epss/'>EPSS</a>).",
      "type": "epss"
    },
    "error": {
      "caption": "Error Code",
      "description": "Error Code",
      "type": "string_t"
    },
    "error_message": {
      "caption": "Error Message",
      "description": "Error Message",
      "type": "string_t"
    },
    "event_code": {
      "caption": "Event Code",
      "description": "The <code>Event ID, Code, or Name</code> that the product uses to primarily identify the event.",
      "type": "string_t"
    },
    "evidence": {
      "caption": "Evidence",
      "description": "The data the finding exposes to the analyst.",
      "type": "json_t",
      "@deprecated": {
        "message": "Use the <code> evidences </code> attribute instead.",
        "since": "1.1.0"
      }
    },
    "evidences": {
      "caption": "Evidence Artifacts",
      "description": "A collection of evidence artifacts associated to the activity/activities that triggered a finding. See specific usage.",
      "type": "evidences",
      "is_array": true
    },
    "exit_code": {
      "caption": "Exit Code",
      "description": "The exit code reported by a process when it terminates. The convention is that zero indicates success and any non-zero exit code indicates that some error occurred.",
      "type": "integer_t"
    },
    "expiration_reason": {
      "caption": "Expiration Reason",
      "description": "The expiration reason. See specific usage.",
      "type": "string_t"
    },
    "expiration_time": {
      "caption": "Expiration Time",
      "description": "The expiration time. See specific usage.",
      "type": "timestamp_t"
    },
    "exploit_last_seen_time": {
      "caption": "Exploit Last Seen Time",
      "description": "The time when the exploit was most recently observed.",
      "type": "timestamp_t"
    },
    "ext": {
      "caption": "Extension",
      "description": "The extension. See specific usage.",
      "type": "string_t"
    },
    "extension": {
      "caption": "Schema Extension",
      "description": "The schema extension used to create the event.",
      "type": "extension",
      "@deprecated": {
        "message": "Use the <code> extensions </code> attribute instead.",
        "since": "1.1.0"
      }
    },
    "extension_list": {
      "caption": "Extension List",
      "description": "The list of TLS extensions.",
      "type": "tls_extension",
      "@deprecated": {
        "message": "Use the <code> tls_extension_list </code> attribute instead.",
        "since": "1.1.0"
      },
      "is_array": true
    },
    "extensions": {
      "caption": "Schema Extensions",
      "description": "The schema extensions used to create the event.",
      "type": "extension",
      "is_array": true
    },
    "factor_type": {
      "caption": "Factor Type",
      "description": "The type of authentication factor used in an authentication attempt.",
      "type": "string_t"
    },
    "factor_type_id": {
      "caption": "Factor Type ID",
      "description": "The normalized identifier for the authentication factor.",
      "sibling": "factor_type",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown"
        },
        "1": {
          "caption": "SMS",
          "description": "User receives and inputs a code sent to their mobile device via SMS text message."
        },
        "2": {
          "caption": "Security Question",
          "description": "The user responds to a security question as part of a question-based authentication factor"
        },
        "3": {
          "caption": "Phone Call",
          "description": "System calls the user's registered phone number and requires the user to answer and provide a response."
        },
        "4": {
          "caption": "Biometric",
          "description": "Devices that verify identity-based on user's physical identifiers, such as fingerprint scanners or retina scanners."
        },
        "5": {
          "caption": "Push Notification",
          "description": "Push notification is sent to user's registered device and requires the user to acknowledge."
        },
        "6": {
          "caption": "Hardware Token",
          "description": "Physical device that generates a code to be used for authentication."
        },
        "7": {
          "caption": "OTP",
          "description": "Application generates a one-time password (OTP) for use in authentication."
        },
        "8": {
          "caption": "Email",
          "description": "A code or link is sent to a user's registered email address."
        },
        "9": {
          "caption": "U2F",
          "description": "Typically involves a hardware token, which the user physically interacts with to authenticate."
        },
        "10": {
          "caption": "WebAuthn",
          "description": "Web-based API that enables users to register devices as authentication factors."
        },
        "11": {
          "caption": "Password",
          "description": "The user enters a password that they have previously established."
        },
        "99": {
          "caption": "Other"
        }
      }
    },
    "feature": {
      "caption": "Feature",
      "description": "The feature that reported the event.",
      "type": "feature"
    },
    "file": {
      "caption": "File",
      "description": "The file that pertains to the event or object. See specific usage.",
      "type": "file"
    },
    "file_diff": {
      "caption": "File Diff",
      "description": "File content differences used for change detection. For example, a common use case is to identify itemized changes within INI or configuration/property setting values.",
      "type": "string_t"
    },
    "file_result": {
      "caption": "File Result",
      "description": "The result of the file change. It should contain the new values of the changed attributes.",
      "type": "file"
    },
    "finding": {
      "caption": "Finding",
      "description": "The Finding object provides details about a finding/detection generated by a security tool.",
      "type": "finding"
    },
    "finding_info": {
      "caption": "Finding Information",
      "description": "Describes the supporting information about a generated finding.",
      "type": "finding_info"
    },
    "finding_info_list": {
      "caption": "Finding Information List",
      "description": "A list of <code>finding_info</code> objects associated to an incident.",
      "type": "finding_info",
      "is_array": true
    },
    "fingerprint": {
      "caption": "Fingerprint",
      "description": "The digital fingerprint associated with an object.",
      "type": "fingerprint"
    },
    "fingerprints": {
      "caption": "Fingerprints",
      "description": "An array of digital fingerprint objects.",
      "type": "fingerprint",
      "is_array": true
    },
    "firewall_rule": {
      "caption": "Firewall Rule",
      "description": "The firewall rule that triggered the event.",
      "type": "firewall_rule"
    },
    "first_seen_time": {
      "caption": "First Seen",
      "description": "The initial detection time of the activity or object. See specific usage",
      "type": "timestamp_t"
    },
    "fix_available": {
      "caption": "Fix Availability",
      "description": "Indicates if a fix is available for the reported vulnerability.",
      "type": "boolean_t",
      "@deprecated": {
        "message": "Use the <code> is_fix_available </code> attribute instead.",
        "since": "1.1.0"
      }
    },
    "fixed_in_version": {
      "caption": "Fixed In Version",
      "description": "The software package version in which a reported vulnerability was patched/fixed.",
      "type": "string_t"
    },
    "flag_ids": {
      "caption": "Communication Flag IDs",
      "description": "The list of normalized identifiers of the communication flag IDs. See specific usage.",
      "sibling": "flags",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The flag is unknown."
        },
        "99": {
          "caption": "Other",
          "description": "The flag is not mapped. See the <code>flags</code> attribute, which contains a data source specific value."
        }
      },
      "is_array": true
    },
    "flags": {
      "caption": "Flags",
      "description": "The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source.",
      "type": "string_t",
      "is_array": true
    },
    "folder": {
      "caption": "Folder",
      "description": "The folder that pertains to the event.",
      "type": "file"
    },
    "forward_addr": {
      "caption": "Forwarding Address",
      "description": "The user's forwarding email address.",
      "type": "email_t"
    },
    "from": {
      "caption": "From",
      "description": "The email header From values, as defined by RFC 5322.",
      "type": "email_t"
    },
    "full_name": {
      "caption": "Full Name",
      "description": "The full name of the person, as per the LDAP Common Name attribute (cn).",
      "type": "string_t"
    },
    "function_keys": {
      "caption": "Function Keys",
      "description": "The number of function keys on client keyboard.",
      "type": "integer_t"
    },
    "function_name": {
      "caption": "Function Name",
      "description": "The entry-point function of the module. The system calls the entry-point function whenever a process or thread loads or unloads the module.",
      "type": "string_t"
    },
    "geodetic_altitude": {
      "caption": "Geodetic Altitude",
      "description": "The aircraft distance above or below the ellipsoid as measured along a line that passes through the aircraft and is normal to the surface of the WGS-84 ellipsoid. This value is provided in meters and must have a minimum resolution of 1 m. Special Values: <code>Invalid</code>, <code>No Value</code>, or <code>Unknown: -1000 m</code>.",
      "type": "string_t"
    },
    "geodetic_vertical_accuracy": {
      "caption": "Geodetic Vertical Accuracy",
      "description": "Provides quality/containment on geodetic altitude. This is based on ADS-B Geodetic Vertical Accuracy (GVA). Measured in meters.",
      "type": "string_t"
    },
    "geohash": {
      "caption": "Geohash",
      "description": "<p>Geohash of the geo-coordinates (latitude and longitude).</p><a target='_blank' href='https://en.wikipedia.org/wiki/Geohash'>Geohashing</a> is a geocoding system used to encode geographic coordinates in decimal degrees, to a single string.",
      "type": "string_t"
    },
    "given_name": {
      "caption": "Given Name",
      "description": "The given or first name of the user.",
      "type": "string_t"
    },
    "group": {
      "caption": "Group",
      "description": "The group object associated with an entity such as user, policy, or rule.",
      "type": "group"
    },
    "group_name": {
      "caption": "Group Name",
      "description": "The name of the group that the resource belongs to.",
      "type": "string_t",
      "@deprecated": {
        "message": "Use the <code> group.name </code> attribute instead.",
        "since": "1.1.0"
      }
    },
    "groups": {
      "caption": "Groups",
      "description": "The groups to which an entity belongs. See specific usage.",
      "type": "group",
      "is_array": true
    },
    "handshake_dur": {
      "caption": "Handshake Duration",
      "description": "The amount of total time for the TLS handshake to complete after the TCP connection is established, including client-side delays, in milliseconds.",
      "type": "integer_t"
    },
    "has_mfa": {
      "caption": "MFA Assigned",
      "description": "The user has a multi-factor or secondary-factor device assigned.",
      "type": "boolean_t"
    },
    "hash": {
      "caption": "Hash",
      "description": "The hash attribute is the value of a digital fingerprint including information about its algorithm.",
      "type": "fingerprint"
    },
    "hashes": {
      "caption": "Hashes",
      "description": "An array of hash attributes.",
      "type": "fingerprint",
      "is_array": true
    },
    "hire_time": {
      "caption": "Hire Time",
      "description": "The timestamp when the user was or will be hired by the organization.",
      "type": "timestamp_t"
    },
    "horizontal_accuracy": {
      "caption": "Horizontal Accuracy",
      "description": "Provides quality/containment on horizontal position. This is based on ADS-B NACp. Measured in meters.",
      "type": "string_t"
    },
    "hostname": {
      "caption": "Hostname",
      "description": "The hostname of an endpoint or a device.",
      "type": "hostname_t"
    },
    "http_cookies": {
      "caption": "HTTP Cookies",
      "description": "The cookies object describes details about HTTP cookies",
      "type": "http_cookie",
      "is_array": true
    },
    "http_headers": {
      "caption": "HTTP Headers",
      "description": "Additional HTTP headers of an HTTP request or response.",
      "type": "http_header",
      "is_array": true
    },
    "http_method": {
      "caption": "HTTP Method",
      "description": "The HTTP request method indicates the desired action to be performed for a given resource. Expected values: <ul> <li>TRACE</li> <li>CONNECT</li> <li>OPTIONS</li> <li>HEAD</li> <li>DELETE</li> <li>POST</li> <li>PUT</li> <li>GET</li></ul>",
      "type": "string_t"
    },
    "http_only": {
      "caption": "HTTP Only",
      "description": "A cookie attribute to make it inaccessible via JavaScript",
      "type": "boolean_t",
      "@deprecated": {
        "message": "Use the <code> is_http_only </code> attribute instead.",
        "since": "1.1.0"
      }
    },
    "http_request": {
      "caption": "HTTP Request",
      "description": "The HTTP Request Object documents attributes of a request made to a web server.",
      "type": "http_request"
    },
    "http_response": {
      "caption": "HTTP Response",
      "description": "The HTTP Response from a web server to a requester.",
      "type": "http_response"
    },
    "http_status": {
      "caption": "HTTP Status",
      "description": "The Hypertext Transfer Protocol (HTTP) <a target='_blank' href='https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml'>status code</a> returned to the client.",
      "type": "integer_t",
      "@deprecated": {
        "message": "Use the <code> http_response.code </code> attribute instead.",
        "since": "1.1.0"
      }
    },
    "hw_info": {
      "caption": "Hardware Info",
      "description": "The endpoint hardware information.",
      "type": "device_hw_info"
    },
    "hypervisor": {
      "caption": "Hypervisor",
      "description": "The name of the hypervisor running on the device. For example, <code>Xen</code>, <code>VMware</code>, <code>Hyper-V</code>, <code>VirtualBox</code>, etc.",
      "type": "string_t"
    },
    "identifier_cookie": {
      "caption": "Identifier Cookie",
      "description": "The client identifier cookie during client/server exchange.",
      "type": "string_t"
    },
    "idp": {
      "caption": "Identity Provider",
      "description": "This object describes details about the Identity Provider used.",
      "type": "idp"
    },
    "image": {
      "caption": "Image",
      "description": "The image used as a template to run a container or virtual machine.",
      "type": "image"
    },
    "ime": {
      "caption": "IME",
      "description": "The Input Method Editor (IME) file name.",
      "type": "string_t"
    },
    "imei": {
      "caption": "IMEI",
      "description": "The International Mobile Station Equipment Identifier that is associated with the device.",
      "type": "string_t"
    },
    "impact": {
      "caption": "Impact",
      "description": "The impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "impact_id": {
      "caption": "Impact ID",
      "description": "The normalized impact of the finding.",
      "sibling": "impact",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The normalized impact is unknown."
        },
        "1": {
          "caption": "Low"
        },
        "2": {
          "caption": "Medium"
        },
        "3": {
          "caption": "High"
        },
        "4": {
          "caption": "Critical"
        },
        "99": {
          "caption": "Other",
          "description": "The impact is not mapped. See the <code>impact</code> attribute, which contains a data source specific value."
        }
      }
    },
    "impact_score": {
      "caption": "Impact",
      "description": "The impact of the finding, valid range 0-100.",
      "type": "integer_t"
    },
    "injection_type": {
      "caption": "Injection Type",
      "description": "The process injection method, normalized to the caption of the injection_type_id value. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "injection_type_id": {
      "caption": "Injection Type ID",
      "description": "The normalized identifier of the process injection method.",
      "sibling": "injection_type",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The injection type is unknown."
        },
        "1": {
          "caption": "Remote Thread"
        },
        "2": {
          "caption": "Load Library"
        },
        "3": {
          "caption": "Queue APC"
        },
        "99": {
          "caption": "Other",
          "description": "The injection type is not mapped. See the <code>injection_type</code> attribute, which contains a data source specific value."
        }
      }
    },
    "install_state": {
      "caption": "Install State",
      "description": "The install state, normalized to the caption of install_state_id. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "install_state_id": {
      "caption": "Install State ID",
      "description": "The normalized state of the install.",
      "sibling": "install_state",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The normalized install state is unknown."
        },
        "1": {
          "caption": "Installed",
          "description": "The item is installed."
        },
        "2": {
          "caption": "Not Installed",
          "description": "The item is not installed."
        },
        "3": {
          "caption": "Installed Pending Reboot",
          "description": "The item is installed pending reboot operation."
        },
        "99": {
          "caption": "Other",
          "description": "The install state is not mapped. See the <code>install_state</code> attribute, which contains a data source specific value."
        }
      }
    },
    "instance_uid": {
      "caption": "Instance ID",
      "description": "The unique identifier of a VM instance.",
      "type": "string_t"
    },
    "integrity": {
      "caption": "Integrity",
      "description": "The process integrity level, normalized to the caption of the integrity_id value. In the case of 'Other', it is defined by the event source (Windows only).",
      "type": "string_t"
    },
    "integrity_id": {
      "caption": "Integrity Level",
      "description": "The normalized identifier of the process integrity level (Windows only).",
      "sibling": "integrity",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The integrity level is unknown."
        },
        "1": {
          "caption": "Untrusted"
        },
        "2": {
          "caption": "Low"
        },
        "3": {
          "caption": "Medium"
        },
        "4": {
          "caption": "High"
        },
        "5": {
          "caption": "System"
        },
        "6": {
          "caption": "Protected"
        },
        "99": {
          "caption": "Other",
          "description": "The integrity level is not mapped. See the <code>integrity</code> attribute, which contains a data source specific value."
        }
      }
    },
    "interface_name": {
      "caption": "Network Interface Name",
      "description": "The name of the network interface (e.g. eth2).",
      "type": "string_t"
    },
    "interface_uid": {
      "caption": "Network Interface ID",
      "description": "The unique identifier of the network interface.",
      "type": "string_t"
    },
    "intermediate_ips": {
      "caption": "Intermediate IP Addresses",
      "description": "The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.",
      "type": "ip_t",
      "is_array": true
    },
    "invoked_by": {
      "caption": "Invoked by",
      "description": "The name of the service that invoked the activity as described in the event.",
      "type": "string_t"
    },
    "ip": {
      "caption": "IP Address",
      "description": "The IP address, in either IPv4 or IPv6 format.",
      "type": "ip_t"
    },
    "is_alert": {
      "caption": "Alert",
      "description": "Indicates that the event is considered to be an alertable signal.",
      "type": "boolean_t"
    },
    "is_applied": {
      "caption": "Applied",
      "description": "A determination if a policy, rule, or enforcement action was applied.",
      "type": "boolean_t"
    },
    "is_cleartext": {
      "caption": "Cleartext Credentials",
      "description": "Indicates whether the credentials were passed in clear text.<p><b>Note:</b> True if the credentials were passed in a clear text protocol such as FTP or TELNET, or if Windows detected that a user's logon password was passed to the authentication package in clear text.</p>",
      "type": "boolean_t"
    },
    "is_compliant": {
      "caption": "Compliant Device",
      "description": "The event occurred on a compliant device.",
      "type": "boolean_t"
    },
    "is_default": {
      "caption": "Default Value",
      "description": "The indication of whether the value is from a default value name. For example, the value name could be missing.",
      "type": "boolean_t"
    },
    "is_deleted": {
      "caption": "Deleted",
      "description": "Indicates if the entity was deleted. See specific usage.",
      "type": "boolean_t"
    },
    "is_exploit_available": {
      "caption": "Exploit Availability",
      "description": "Indicates if an exploit or a PoC (proof-of-concept) is available for the reported vulnerability.",
      "type": "boolean_t"
    },
    "is_fix_available": {
      "caption": "Fix Availability",
      "description": "Indicates if a fix is available for the reported vulnerability.",
      "type": "boolean_t"
    },
    "is_hotp": {
      "caption": "HMAC-based One-time Password (HOTP)",
      "description": "Whether the authentication factor is an HMAC-based One-time Password (HOTP).",
      "type": "boolean_t"
    },
    "is_http_only": {
      "caption": "HTTP Only",
      "description": "This attribute prevents the cookie from being accessed via JavaScript.",
      "type": "boolean_t"
    },
    "is_managed": {
      "caption": "Managed Device",
      "description": "The event occurred on a managed device.",
      "type": "boolean_t"
    },
    "is_mfa": {
      "caption": "Multi Factor Authentication",
      "description": "Indicates whether Multi Factor Authentication was used during authentication.",
      "type": "boolean_t"
    },
    "is_new_logon": {
      "caption": "New Logon",
      "description": "Indicates logon is from a device not seen before or a first time account logon.",
      "type": "boolean_t"
    },
    "is_on_premises": {
      "caption": "On Premises",
      "description": "The indication of whether the location is on premises.",
      "type": "boolean_t"
    },
    "is_personal": {
      "caption": "Personal Device",
      "description": "The event occurred on a personal device.",
      "type": "boolean_t"
    },
    "is_public": {
      "caption": "Public",
      "description": "Determination of the public accessibility. See specific usage.",
      "type": "boolean_t"
    },
    "is_remote": {
      "caption": "Remote",
      "description": "The indication of whether the session is remote.",
      "type": "boolean_t"
    },
    "is_renewal": {
      "caption": "Renewal",
      "description": "The indication of whether this is a lease/session renewal event.",
      "type": "boolean_t"
    },
    "is_secure": {
      "caption": "Secure",
      "description": "The cookie attribute indicates that cookies are sent to the server only when the request is encrypted using the HTTPS protocol.",
      "type": "boolean_t"
    },
    "is_self_signed": {
      "caption": "Certificate Self-Signed",
      "description": "Denotes whether a digital certificate is self-signed or signed by a known certificate authority (CA).",
      "type": "boolean_t"
    },
    "is_superseded": {
      "caption": "The patch is superseded.",
      "description": "The vendor patch has been replaced by another.",
      "type": "boolean_t"
    },
    "is_suspected_breach": {
      "caption": "Suspected Breach",
      "description": "A determination based on analytics as to whether a potential breach was found.",
      "type": "boolean_t"
    },
    "is_system": {
      "caption": "System",
      "description": "The indication of whether the object is part of the operating system.",
      "type": "boolean_t"
    },
    "is_totp": {
      "caption": "Time-based One-time Password (TOTP)",
      "description": "Whether the authentication factor is a Time-based One-time Password (TOTP).",
      "type": "boolean_t"
    },
    "is_truncated": {
      "caption": "Is Truncated",
      "description": "Indicates that an attribute has been truncated. See specific usage.",
      "type": "boolean_t"
    },
    "is_trusted": {
      "caption": "Trusted Device",
      "description": "The event occurred on a trusted device.",
      "type": "boolean_t"
    },
    "is_vpn": {
      "caption": "VPN Session",
      "description": "The indication of whether the session is a VPN session.",
      "type": "boolean_t"
    },
    "isp": {
      "caption": "ISP",
      "description": "The name of the Internet Service Provider (ISP).",
      "type": "string_t"
    },
    "issuer": {
      "caption": "Issuer Details",
      "description": "The identifier of the issuer. See specific usage.",
      "type": "string_t"
    },
    "ja3_hash": {
      "caption": "JA3 Hash",
      "description": "The MD5 hash of a JA3 string.",
      "type": "fingerprint"
    },
    "ja3s_hash": {
      "caption": "JA3S Hash",
      "description": "The MD5 hash of a JA3S string.",
      "type": "fingerprint"
    },
    "ja4_fingerprint_list": {
      "caption": "JA4+ Fingerprints",
      "description": "A list of the JA4+ network fingerprints.",
      "type": "ja4_fingerprint",
      "is_array": true
    },
    "job": {
      "caption": "Job",
      "description": "The job object that pertains to the event.",
      "type": "job"
    },
    "job_title": {
      "caption": "Job Title",
      "description": "The user's job title.",
      "type": "string_t"
    },
    "kb_article_list": {
      "caption": "Knowledgebase Articles",
      "description": "A list of KB articles or patches related to an endpoint. A KB Article contains metadata that describes the patch or an update.",
      "type": "kb_article",
      "is_array": true
    },
    "kb_articles": {
      "caption": "Knowledgebase Articles",
      "description": "The KB article/s related to the entity. A KB Article contains metadata that describes the patch or an update.",
      "type": "string_t",
      "@deprecated": {
        "message": "Use the <code> kb_article_list </code> attribute instead.",
        "since": "1.1.0"
      },
      "is_array": true
    },
    "kernel": {
      "caption": "Kernel",
      "description": "The kernel resource object that pertains to the event.",
      "type": "kernel"
    },
    "key_length": {
      "caption": "Key Length",
      "description": "The length of the encryption key.",
      "type": "integer_t"
    },
    "keyboard_info": {
      "caption": "Keyboard Information",
      "description": "The keyboard detailed information.",
      "type": "keyboard_info"
    },
    "keyboard_layout": {
      "caption": "Keyboard Layout",
      "description": "The keyboard locale identifier name (e.g., en-US).",
      "type": "string_t"
    },
    "keyboard_subtype": {
      "caption": "Keyboard Subtype",
      "description": "The keyboard numeric code.",
      "type": "integer_t"
    },
    "keyboard_type": {
      "caption": "Keyboard Type",
      "description": "The keyboard type (e.g., xt, ico).",
      "type": "string_t"
    },
    "kill_chain": {
      "caption": "Kill Chain",
      "description": "The <a target='_blank' href='https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html'>Cyber Kill Chain®</a> provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.",
      "type": "kill_chain_phase",
      "is_array": true
    },
    "labels": {
      "caption": "Labels",
      "description": "The list of labels attached to an entity. See specific usage.",
      "type": "string_t",
      "is_array": true
    },
    "lang": {
      "caption": "Language",
      "description": "The two letter lower case language codes, as defined by <a target='_blank' href='https://en.wikipedia.org/wiki/ISO_639-1'>ISO 639-1</a>. For example: <code>en</code> (English), <code>de</code> (German), or <code>fr</code> (French).",
      "type": "string_t"
    },
    "last_login_time": {
      "caption": "Last Login",
      "description": "The last time when the user logged in.",
      "type": "timestamp_t"
    },
    "last_run_time": {
      "caption": "Last Run",
      "description": "The last run time of application or service. See specific usage.",
      "type": "timestamp_t"
    },
    "last_seen_time": {
      "caption": "Last Seen",
      "description": "The most recent detection time of the activity or object. See specific usage.",
      "type": "timestamp_t"
    },
    "lat": {
      "caption": "Latitude",
      "description": "The geographical Latitude coordinate represented in Decimal Degrees (DD). For example: <code>42.361145</code>.",
      "type": "float_t"
    },
    "latency": {
      "caption": "Latency",
      "description": "The HTTP response latency measured in milliseconds.",
      "type": "integer_t"
    },
    "ldap_cn": {
      "caption": "LDAP Common Name",
      "description": "The LDAP and X.500 <code>commonName</code> attribute, typically the full name of the person. For example, <code>John Doe</code>.",
      "type": "string_t"
    },
    "ldap_dn": {
      "caption": "LDAP Distinguished Name",
      "description": "The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, <code>cn=John Doe,ou=People,dc=example,dc=com</code>.",
      "type": "string_t"
    },
    "ldap_person": {
      "caption": "LDAP Person",
      "description": "The additional LDAP attributes that describe a person.",
      "type": "ldap_person"
    },
    "lease_dur": {
      "caption": "Lease Duration",
      "description": "This represents the length of the DHCP lease in seconds. This is present in DHCP Ack events.",
      "type": "integer_t"
    },
    "leave_time": {
      "caption": "Leave Time",
      "description": "The timestamp when the user left or will be leaving the organization.",
      "type": "timestamp_t"
    },
    "length": {
      "caption": "Response Length",
      "description": "The HTTP response length, in number of bytes.",
      "type": "integer_t"
    },
    "license": {
      "caption": "Software License",
      "description": "The name or identifier of the license applied on package or software. See <a target='_blank' href='https://spdx.org/licenses/'>SPDX License List</a>.",
      "type": "string_t"
    },
    "lineage": {
      "caption": "Lineage",
      "description": "The lineage of the process, represented by a list of paths for each ancestor process. For example: <code>['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami']</code>.",
      "type": "string_t",
      "is_array": true
    },
    "load_balancer": {
      "caption": "Load Balancer",
      "description": "The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.",
      "type": "load_balancer"
    },
    "load_type": {
      "caption": "Load Type",
      "description": "The load type, normalized to the caption of the load_type_id value. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "load_type_id": {
      "caption": "Load Type ID",
      "description": "The normalized identifier of the load type. See specific usage.",
      "sibling": "load_type",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The load type is unknown."
        },
        "99": {
          "caption": "Other",
          "description": "The load type is not mapped. See the <code>load_type</code> attribute, which contains a data source specific value."
        }
      }
    },
    "loaded_modules": {
      "caption": "Loaded Modules",
      "description": "The list of loaded module names.",
      "type": "string_t",
      "is_array": true
    },
    "location": {
      "caption": "Geo Location",
      "description": "The detailed geographical location usually associated with an IP address.",
      "type": "location"
    },
    "locations": {
      "caption": "Geo Locations",
      "description": "A list of detailed geographical locations.",
      "is_array": true,
      "type": "location"
    },
    "log_level": {
      "caption": "Log Level",
      "description": "The audit level at which an event was generated.",
      "type": "string_t"
    },
    "log_name": {
      "caption": "Log Name",
      "description": "The event log name. For example, syslog file name or Windows logging subsystem: Security.",
      "type": "string_t"
    },
    "log_provider": {
      "caption": "Log Provider",
      "description": "The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.",
      "type": "string_t"
    },
    "log_type": {
      "caption": "Log Type",
      "description": "The log type, normalized to the caption of the <code>log_type_id</code> value. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "log_type_id": {
      "caption": "Log Type ID",
      "description": "The normalized log type identifier.",
      "sibling": "log_type",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The log type is unknown."
        },
        "1": {
          "caption": "OS",
          "description": "The log type is an Operating System log."
        },
        "2": {
          "caption": "Application",
          "description": "The log type is an Application log."
        },
        "99": {
          "caption": "Other",
          "description": "The log type is not mapped. See the <code>log_type</code> attribute, which contains a data source specific value."
        }
      }
    },
    "log_version": {
      "caption": "Log Version",
      "description": "The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.",
      "type": "string_t"
    },
    "logged_time": {
      "caption": "Logged Time",
      "description": "<p>The time when the logging system collected and logged the event.</p>This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.",
      "type": "timestamp_t"
    },
    "loggers": {
      "caption": "Loggers",
      "description": "An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.",
      "type": "logger",
      "is_array": true
    },
    "logon_process": {
      "caption": "Logon Process",
      "description": "The trusted process that validated the authentication credentials.",
      "type": "process"
    },
    "logon_type": {
      "caption": "Logon Type",
      "description": "The logon type, normalized to the caption of the logon_type_id value. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "logon_type_id": {
      "caption": "Logon Type ID",
      "description": "The normalized logon type identifier.",
      "sibling": "logon_type",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The logon type is unknown."
        },
        "1": {
          "caption": "System",
          "description": "Used only by the System account, for example at system startup."
        },
        "2": {
          "caption": "Interactive",
          "description": "A local logon to device console."
        },
        "3": {
          "caption": "Network",
          "description": "A user or device logged onto this device from the network."
        },
        "4": {
          "caption": "Batch",
          "description": "A batch server logon, where processes may be executing on behalf of a user without their direct intervention."
        },
        "5": {
          "caption": "OS Service",
          "description": "A logon by a service or daemon that was started by the OS."
        },
        "7": {
          "caption": "Unlock",
          "description": "A user unlocked the device."
        },
        "8": {
          "caption": "Network Cleartext",
          "description": "A user logged on to this device from the network. The user's password in the authentication package was not hashed."
        },
        "9": {
          "caption": "New Credentials",
          "description": "A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections."
        },
        "10": {
          "caption": "Remote Interactive",
          "description": "A remote logon using Terminal Services or remote desktop application."
        },
        "11": {
          "caption": "Cached Interactive",
          "description": "A user logged on to this device with network credentials that were stored locally on the device and the domain controller was not contacted to verify the credentials."
        },
        "12": {
          "caption": "Cached Remote Interactive",
          "description": "Same as Remote Interactive. This is used for internal auditing."
        },
        "13": {
          "caption": "Cached Unlock",
          "description": "Workstation logon."
        },
        "99": {
          "caption": "Other",
          "description": "The logon type is not mapped. See the <code>logon_type</code> attribute, which contains a data source specific value."
        }
      }
    },
    "long": {
      "caption": "Longitude",
      "description": "The geographical Longitude coordinate represented in Decimal Degrees (DD). For example: <code>-71.057083</code>.",
      "type": "float_t"
    },
    "mac": {
      "caption": "MAC Address",
      "description": "The Media Access Control (MAC) address that is associated with the network interface.",
      "type": "mac_t"
    },
    "malware": {
      "caption": "Malware",
      "description": "A list of Malware objects, describing details about the identified malware.",
      "type": "malware",
      "is_array": true
    },
    "manager": {
      "caption": "Manager",
      "description": "The user's manager. This helps in understanding an org hierarchy. This should only ever be populated once in an event. I.e. there should not be a manager's manager in an event.",
      "type": "user"
    },
    "match_details": {
      "caption": "Match Details",
      "description": "The data in a request that rule matched. For example: '[\"10\",\"and\",\"1\"]'.",
      "type": "string_t",
      "is_array": true
    },
    "match_location": {
      "caption": "Match Location",
      "description": "The location of the matched data in the source which resulted in the triggered firewall rule. For example: HEADER.",
      "type": "string_t"
    },
    "message": {
      "caption": "Message",
      "description": "The description of the event/finding, as defined by the source.",
      "type": "string_t"
    },
    "message_uid": {
      "caption": "Message UID",
      "description": "The email header Message-ID value, as defined by RFC 5322.",
      "type": "string_t"
    },
    "metadata": {
      "caption": "Metadata",
      "description": "The metadata associated with the event or a finding.",
      "type": "metadata"
    },
    "metrics": {
      "caption": "Metrics",
      "description": "The general purpose metrics associated with the event. See specific usage.",
      "type": "metric",
      "is_array": true
    },
    "mime_type": {
      "caption": "MIME type",
      "description": "The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.",
      "type": "string_t"
    },
    "model": {
      "caption": "Model",
      "description": "The model name of an entity. See specific usage.",
      "type": "string_t"
    },
    "modified_time": {
      "caption": "Modified Time",
      "description": "The time when the object was last modified. See specific usage.",
      "type": "timestamp_t"
    },
    "modifier": {
      "caption": "Modifier",
      "description": "The user that last modified the object associated with the event. See specific usage.",
      "type": "user"
    },
    "module": {
      "caption": "Module",
      "description": "The module that pertains to the event.",
      "type": "module"
    },
    "name": {
      "caption": "Name",
      "description": "The name of the entity. See specific usage.",
      "type": "string_t"
    },
    "name_servers": {
      "caption": "Name Servers",
      "description": "A collection of name servers related to a domain registration or other record.",
      "type": "string_t",
      "is_array": true
    },
    "namespace": {
      "caption": "Namespace",
      "description": "The namespace is useful in merger or acquisition situations. For example, when similar entities exist that you need to keep separate.",
      "type": "string_t"
    },
    "namespace_pid": {
      "caption": "Namespace PID",
      "description": "If running under a process namespace (such as in a container), the process identifier within that process namespace.",
      "type": "integer_t"
    },
    "network_driver": {
      "caption": "Network Driver",
      "description": "The network driver used by the container. For example, bridge, overlay, host, none, etc.",
      "type": "string_t"
    },
    "network_endpoint": {
      "caption": "Network Endpoint",
      "description": "The Network Endpoint object describes characteristics of a network endpoint. See specific usage.",
      "type": "network_endpoint"
    },
    "network_interfaces": {
      "caption": "Network Interfaces",
      "description": "The network interfaces that are associated with the device, one for each unique MAC address/IP address/hostname/name combination.<p><b>Note:</b> The first element of the array is the network information that pertains to the event.</p>",
      "type": "network_interface",
      "is_array": true
    },
    "next_run_time": {
      "caption": "Next Run",
      "description": "The next run time. See specific usage.",
      "type": "timestamp_t"
    },
    "nist": {
      "caption": "NIST List",
      "description": "The NIST Cybersecurity Framework recommendations for managing the cybersecurity risk.",
      "type": "string_t",
      "is_array": true
    },
    "num_detections": {
      "caption": "Detections",
      "description": "The number of detections.",
      "type": "integer_t"
    },
    "num_files": {
      "caption": "Scanned Files",
      "description": "The number of files scanned.",
      "type": "integer_t"
    },
    "num_folders": {
      "caption": "Scanned Folders",
      "description": "The number of folders scanned.",
      "type": "integer_t"
    },
    "num_network_items": {
      "caption": "Scanned Network Items",
      "description": "The number of network items scanned.",
      "type": "integer_t"
    },
    "num_processes": {
      "caption": "Scanned Processes",
      "description": "The number of processes scanned.",
      "type": "integer_t"
    },
    "num_registry_items": {
      "caption": "Scanned Registry Items",
      "description": "The number of registry items scanned.",
      "type": "integer_t"
    },
    "num_resolutions": {
      "caption": "Resolutions",
      "description": "The number of items that were resolved.",
      "type": "integer_t"
    },
    "num_skipped_items": {
      "caption": "Skipped",
      "description": "The number of skipped items.",
      "type": "integer_t"
    },
    "num_trusted_items": {
      "caption": "Trusted",
      "description": "The number of trusted items.",
      "type": "integer_t"
    },
    "num_violations": {
      "caption": "Violations",
      "description": "The number of times the policy or rule was violated.",
      "type": "integer_t"
    },
    "number": {
      "caption": "Number",
      "description": "The number of the entity. See specific usage.",
      "type": "integer_t"
    },
    "observables": {
      "caption": "Observables",
      "description": "The observables associated with the event or a finding.",
      "type": "observable",
      "is_array": true
    },
    "office_location": {
      "caption": "Office Location",
      "description": "The primary office location associated with the user. This could be any string and isn't a specific address. For example, <code>South East Virtual</code>.",
      "type": "string_t"
    },
    "opcode": {
      "caption": "DNS Opcode",
      "description": "The DNS opcode specifies the type of the query message.",
      "type": "string_t"
    },
    "opcode_id": {
      "caption": "DNS Opcode ID",
      "description": "The DNS opcode ID specifies the normalized query message type as defined in <a target='_blank' href='https://www.rfc-editor.org/rfc/rfc5395.html'>RFC-5395</a>.",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Query",
          "description": "Standard query"
        },
        "1": {
          "caption": "Inverse Query",
          "description": "Inverse query, obsolete"
        },
        "2": {
          "caption": "Status",
          "description": "Server status request"
        },
        "3": {
          "caption": "Reserved",
          "description": "Reserved, not used"
        },
        "4": {
          "caption": "Notify",
          "description": "Zone change notification"
        },
        "5": {
          "caption": "Update",
          "description": "Dynamic DNS update"
        },
        "6": {
          "caption": "DSO Message",
          "description": "DNS Stateful Operations (DSO)"
        },
        "99": {
          "caption": "Other",
          "description": "The DNS Opcode is not defined by the RFC. See the <code>opcode</code> attribute, which contains a data source specific value."
        }
      },
      "suppress_checks": [
        "enum_convention"
      ]
    },
    "open_mask": {
      "caption": "Open Mask",
      "description": "The Windows options needed to open a registry key.",
      "type": "integer_t"
    },
    "open_type": {
      "caption": "Open Type",
      "description": "The file open type.",
      "type": "string_t"
    },
    "operation": {
      "caption": "Operation",
      "description": "Verb/Operation associated with the request",
      "type": "string_t"
    },
    "opnum": {
      "caption": "Opnum",
      "description": "An operation number used to identify a specific remote procedure call (RPC) method or a method in an interface.",
      "type": "integer_t"
    },
    "orchestrator": {
      "caption": "Orchestrator",
      "description": "The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.",
      "type": "string_t"
    },
    "org": {
      "caption": "Organization",
      "description": "Organization and org unit relevant to the event or object.",
      "type": "organization"
    },
    "original_time": {
      "caption": "Original Time",
      "description": "The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.",
      "type": "string_t"
    },
    "os": {
      "caption": "OS",
      "description": "The endpoint operating system.",
      "type": "os"
    },
    "osint": {
      "caption": "OSINT",
      "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
      "type": "osint",
      "is_array": true
    },
    "ou_name": {
      "caption": "Org Unit Name",
      "description": "The name of the organizational unit, within an organization.  For example, Finance, IT, R&D",
      "type": "string_t"
    },
    "ou_uid": {
      "caption": "Org Unit ID",
      "description": "The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.",
      "type": "string_t"
    },
    "overall_score": {
      "caption": "Overall Score",
      "description": "The overall score as reported by the event source. See specific usage.",
      "type": "float_t"
    },
    "owner": {
      "caption": "Owner",
      "description": "The user that owns the file/object.",
      "type": "user"
    },
    "package": {
      "caption": "Software Package",
      "description": "The Software Package object describes details about a software package. Defined by D3FEND <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:SoftwarePackage/'>d3f:SoftwarePackage</a>.",
      "type": "package"
    },
    "package_manager": {
      "caption": "Package Manager",
      "description": "The software packager manager utilized to manage a package on a system, e.g. npm, yum, dpkg etc.",
      "type": "string_t"
    },
    "packages": {
      "caption": "Software Packages",
      "description": "List of vulnerable packages as identified by the security product",
      "type": "package",
      "@deprecated": {
        "message": "Use the <code> affected_packages </code> attribute instead.",
        "since": "1.1.0"
      },
      "is_array": true
    },
    "packet_uid": {
      "caption": "Packet UID",
      "description": "The packet identifier assigned by the protocol.",
      "type": "integer_t"
    },
    "packets": {
      "caption": "Total Packets",
      "description": "The total number of packets (in and out).",
      "type": "long_t"
    },
    "packets_in": {
      "caption": "Packets In",
      "description": "The number of packets sent from the destination to the source.",
      "type": "long_t"
    },
    "packets_out": {
      "caption": "Packets Out",
      "description": "The number of packets sent from the source to the destination.",
      "type": "long_t"
    },
    "parent_folder": {
      "caption": "Parent Folder",
      "description": "The parent folder in which the file resides. For example: <code>c:\\windows\\system32</code>",
      "type": "string_t"
    },
    "parent_process": {
      "caption": "Parent Process",
      "description": "The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting.",
      "type": "process"
    },
    "parent_uid": {
      "caption": "Parent Unique ID",
      "description": "The unique identifier of an object's parent object. See specific usage.",
      "type": "string_t"
    },
    "path": {
      "caption": "Path",
      "description": "The path that pertains to the event or object. See specific usage.",
      "type": "string_t"
    },
    "pattern_match": {
      "caption": "Pattern Match",
      "description": "A text, binary, file name, or datastore that matched against a detection rule.",
      "type": "string_t"
    },
    "percentile": {
      "caption": "EPSS Percentile",
      "description": "The EPSS score's percentile representing relative importance and ranking of the score in the larger EPSS dataset.",
      "type": "float_t"
    },
    "peripheral_device": {
      "caption": "Peripheral Device",
      "description": "The peripheral device that triggered the event.",
      "type": "peripheral_device"
    },
    "permission": {
      "caption": "Permission",
      "description": "The IAM permission related to an event",
      "type": "string_t"
    },
    "phase": {
      "caption": "Kill Chain Phase",
      "description": "The cyber kill chain phase.",
      "type": "string_t"
    },
    "phase_id": {
      "caption": "Kill Chain Phase ID",
      "description": "The cyber kill chain phase identifier.",
      "sibling": "phase",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The kill chain phase is unknown."
        },
        "1": {
          "caption": "Reconnaissance",
          "description": "The attackers pick a target and perform a detailed analysis, start collecting information (email addresses, conferences information, etc.) and evaluate the victim’s vulnerabilities to determine how to exploit them."
        },
        "2": {
          "caption": "Weaponization",
          "description": "The attackers develop a malware weapon and aim to exploit the discovered vulnerabilities."
        },
        "3": {
          "caption": "Delivery",
          "description": "The intruders will use various tactics, such as phishing, infected USB drives, etc."
        },
        "4": {
          "caption": "Exploitation",
          "description": "The intruders start leveraging vulnerabilities to executed code on the victim’s system."
        },
        "5": {
          "caption": "Installation",
          "description": "The intruders install malware on the victim’s system."
        },
        "6": {
          "caption": "Command & Control",
          "description": "Malware opens a command channel to enable the intruders to remotely manipulate the victim's system."
        },
        "7": {
          "caption": "Actions on Objectives",
          "description": "With hands-on keyboard access, intruders accomplish the mission’s goal."
        },
        "99": {
          "caption": "Other",
          "description": "The kill chain phase is not mapped. See the <code>phase</code> attribute, which contains a data source specific value."
        }
      }
    },
    "phone_number": {
      "caption": "Phone Number",
      "description": "The number associated with the phone.",
      "type": "string_t"
    },
    "phones": {
      "caption": "Phones",
      "description": "The phone numbers associated with the user",
      "type": "string_t",
      "is_array": true
    },
    "physical_height": {
      "caption": "Physical Height",
      "description": "The numeric physical height of display.",
      "type": "integer_t"
    },
    "physical_orientation": {
      "caption": "Physical Orientation",
      "description": "The numeric physical orientation of display.",
      "type": "integer_t"
    },
    "physical_width": {
      "caption": "Physical Width",
      "description": "The numeric physical width of display.",
      "type": "integer_t"
    },
    "pid": {
      "observable": 15,
      "caption": "Process ID",
      "description": "The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.",
      "type": "integer_t"
    },
    "pod_uuid": {
      "caption": "Pod UUID",
      "description": "The unique identifier of the pod (or equivalent) that the container is executing on.",
      "type": "uuid_t"
    },
    "policies": {
      "caption": "Policies",
      "description": "An array of <code>Policy</code> objects.",
      "type": "policy",
      "is_array": true
    },
    "policy": {
      "caption": "Policy",
      "description": "Describes details of a policy. See specific usage.",
      "type": "policy"
    },
    "port": {
      "caption": "Port",
      "description": "The TCP/UDP port number associated with a connection. See specific usage.",
      "type": "port_t"
    },
    "postal_code": {
      "caption": "Postal Code",
      "description": "The postal code of the location.",
      "type": "string_t"
    },
    "precision": {
      "caption": "Precision",
      "description": "The numeric precision. See specific usage.",
      "type": "integer_t"
    },
    "pressure_altitude": {
      "caption": "Pressure Altitude",
      "description": "The uncorrected barometric pressure altitude (based on reference standard 29.92 inHg, 1013.25 mb) provides a reference for algorithms that utilize 'altitude deltas' between aircraft. This value is provided in meters and must have a minimum resolution of 1 m.. Special Values: <code>Invalid</code>, <code>No Value</code>, or <code>Unknown: -1000 m</code>.",
      "type": "string_t"
    },
    "prev_security_level": {
      "caption": "Previous Security Level",
      "description": "The previous security level of the entity",
      "type": "string_t"
    },
    "prev_security_level_id": {
      "caption": "Previous Security Level ID",
      "description": "The previous security level of the entity",
      "sibling": "prev_security_level",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown"
        },
        "1": {
          "caption": "Secure"
        },
        "2": {
          "caption": "At Risk"
        },
        "3": {
          "caption": "Compromised"
        },
        "99": {
          "caption": "Other",
          "description": "The security level is not mapped. See the <code>prev_security_level</code> attribute, which contains data source specific values."
        }
      }
    },
    "prev_security_states": {
      "caption": "Previous Security States",
      "description": "The previous security states. See specific usage.",
      "type": "security_state",
      "is_array": true
    },
    "priority": {
      "caption": "Priority",
      "description": "The priority, normalized to the caption of the priority_id value. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "priority_id": {
      "caption": "Priority ID",
      "description": "The normalized priority. Priority identifies the relative importance of the finding. It is a measurement of urgency.",
      "sibling": "priority",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "No priority is assigned."
        },
        "1": {
          "caption": "Low",
          "description": "Application or personal procedure is unusable, where a workaround is available or a repair is possible."
        },
        "2": {
          "caption": "Medium",
          "description": "Non-critical function or procedure is unusable or hard to use causing operational disruptions with no direct impact on a service's availability. A workaround is available."
        },
        "3": {
          "caption": "High",
          "description": "Critical functionality or network access is interrupted, degraded or unusable, having a severe impact on services availability. No acceptable alternative is possible."
        },
        "4": {
          "caption": "Critical",
          "description": "Interruption making a critical functionality inaccessible or a complete network interruption causing a severe impact on services availability. There is no possible alternative."
        },
        "99": {
          "caption": "Other",
          "description": "The priority is not normalized."
        }
      }
    },
    "privileges": {
      "caption": "Privileges",
      "description": "The user or group privileges.",
      "type": "string_t",
      "is_array": true
    },
    "process": {
      "caption": "Process",
      "description": "The process object.",
      "type": "process"
    },
    "processed_time": {
      "caption": "Processed Time",
      "description": "The event processed time, such as an ETL operation.",
      "type": "timestamp_t"
    },
    "product": {
      "caption": "Product",
      "description": "The product that reported the event.",
      "type": "product"
    },
    "product_uid": {
      "caption": "Product Identifier",
      "description": "Unique Identifier of a product.",
      "type": "string_t"
    },
    "profiles": {
      "caption": "Profiles",
      "description": "The list of profiles used to create the event.  Profiles should be referenced by their <code>name</code> attribute for core profiles, or <code>extension/name</code> for profiles from extensions.",
      "type": "string_t",
      "is_array": true
    },
    "project_uid": {
      "caption": "Project ID",
      "description": "The unique identifier of a Cloud project.",
      "type": "string_t",
      "@deprecated": {
        "message": "Use the <code> account.uid </code> attribute instead.",
        "since": "1.4.0"
      }
    },
    "protocol_name": {
      "caption": "Protocol Name",
      "description": "The TCP/IP protocol name in lowercase, as defined by the Internet Assigned Numbers Authority (IANA). See <a target='_blank' href='https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml'>Protocol Numbers</a>. For example: <code>tcp</code> or <code>udp</code>.",
      "type": "string_t"
    },
    "protocol_num": {
      "caption": "Protocol Number",
      "description": "The TCP/IP protocol number, as defined by the Internet Assigned Numbers Authority (IANA). Use -1 if the protocol is not defined by IANA. See <a target='_blank' href='https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml'>Protocol Numbers</a>. For example: <code>6</code> for TCP and <code>17</code> for UDP.",
      "type": "integer_t"
    },
    "protocol_ver": {
      "caption": "Protocol Version",
      "description": "The Protocol version, normalized to the caption of the protocol_ver_id value. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "protocol_ver_id": {
      "caption": "Protocol Version ID",
      "description": "The normalized identifier of the Protocol version. See specific usage.",
      "sibling": "protocol_ver",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The protocol version is unknown."
        },
        "99": {
          "caption": "Other",
          "description": "The protocol version is not mapped. See the <code>protocol_ver</code> attribute, which contains a data source specific value."
        }
      }
    },
    "provider": {
      "caption": "Provider",
      "description": "The origin of information associated with the event. See specific usage.",
      "type": "string_t"
    },
    "proxy": {
      "caption": "Proxy",
      "description": "The proxy (server) in a network connection.",
      "type": "network_proxy",
      "@deprecated": {
        "message": "Use the <code> proxy_endpoint </code> attribute instead.",
        "since": "1.1.0"
      }
    },
    "proxy_connection_info": {
      "caption": "Proxy Connection Info",
      "description": "The connection information from the proxy server to the remote server.",
      "type": "network_connection_info"
    },
    "proxy_endpoint": {
      "caption": "Proxy Endpoint",
      "description": "The proxy (server) in a network connection.",
      "type": "network_proxy"
    },
    "proxy_http_request": {
      "caption": "Proxy HTTP Request",
      "description": "The HTTP Request from the proxy server to the remote server.",
      "type": "http_request"
    },
    "proxy_http_response": {
      "caption": "Proxy HTTP Response",
      "description": "The HTTP Response from the remote server to the proxy server.",
      "type": "http_response"
    },
    "proxy_tls": {
      "caption": "Proxy TLS",
      "description": "The TLS protocol negotiated between the proxy server and the remote server.",
      "type": "tls"
    },
    "proxy_traffic": {
      "caption": "Proxy Traffic",
      "description": "The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.",
      "type": "network_traffic"
    },
    "purl": {
      "caption": "Package URL",
      "description": "A purl is a URL string used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.",
      "type": "string_t"
    },
    "query": {
      "caption": "DNS Query",
      "description": "The Domain Name System (DNS) query.",
      "type": "dns_query"
    },
    "query_info": {
      "caption": "Query Info",
      "description": "The query info object holds information related to data access within a datastore. To access, manipulate, delete, or retrieve data from a datastore, a database query must be written using a specific syntax.",
      "type": "query_info"
    },
    "query_result": {
      "caption": "Query Result",
      "description": "The result of the query.",
      "type": "string_t"
    },
    "query_result_id": {
      "caption": "Query Result ID",
      "description": "The normalized identifier of the query result.",
      "sibling": "query_result",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The query result is unknown."
        },
        "1": {
          "caption": "Exists",
          "description": "The target was found."
        },
        "2": {
          "caption": "Partial",
          "description": "The target was partially found."
        },
        "3": {
          "caption": "Does not exist",
          "description": "The target was not found."
        },
        "4": {
          "caption": "Error",
          "description": "The discovery attempt failed."
        },
        "5": {
          "caption": "Unsupported",
          "description": "Discovery of the target was not supported."
        },
        "99": {
          "caption": "Other",
          "description": "The query result is not mapped. See the <code>query_result</code> attribute, which contains a data source specific value."
        }
      }
    },
    "query_string": {
      "caption": "HTTP Query String",
      "description": "The query portion of the URL. For example: the query portion of the URL <code>http://www.example.com/search?q=bad&sort=date</code> is <code>q=bad&sort=date</code>.",
      "type": "string_t"
    },
    "query_time": {
      "caption": "Query Time",
      "description": "The Domain Name System (DNS) query time.",
      "type": "timestamp_t"
    },
    "radius": {
      "caption": "Radius",
      "description": "Farthest horizontal distance from the reported location at which any UA in a group may be located (meters). Also allows defining the area where an Intent-Based Network Participant operation is taking place. Default: 0 m.",
      "type": "string_t"
    },
    "ram_size": {
      "caption": "RAM Size",
      "description": "The total amount of installed RAM, in Megabytes. For example: <code>2048</code>.",
      "type": "integer_t"
    },
    "rate_limit": {
      "caption": "Rate Limit",
      "description": "The rate limit for a rate-based rule.",
      "type": "integer_t"
    },
    "raw_data": {
      "caption": "Raw Data",
      "description": "The raw event/finding data as received from the source.",
      "type": "string_t"
    },
    "raw_header": {
      "caption": "Raw Header",
      "description": "The email authentication header.",
      "type": "string_t"
    },
    "rcode": {
      "caption": "Response Code",
      "description": "The server response code, normalized to the caption of the rcode_id value. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "rcode_id": {
      "caption": "Response Code ID",
      "description": "The normalized identifier of the server response code. See specific usage.",
      "sibling": "rcode",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The DNS response code is unknown."
        },
        "99": {
          "caption": "Other",
          "description": "The DNS response code is not defined by the RFC. See the <code>rcode</code> attribute, which contains a data source specific value."
        }
      }
    },
    "rdata": {
      "caption": "DNS RData",
      "description": "The data describing the DNS resource. The meaning of this data depends on the type and class of the resource record.",
      "type": "string_t"
    },
    "references": {
      "caption": "References",
      "description": "A list of reference URLs supporting the finding/detection.",
      "type": "string_t",
      "is_array": true
    },
    "referrer": {
      "caption": "HTTP Referrer",
      "description": "The request header that identifies the address of the previous web page, which is linked to the current web page or resource being requested.",
      "type": "string_t"
    },
    "region": {
      "caption": "Region",
      "description": "The name or the code of a region. See specific usage.",
      "type": "string_t"
    },
    "registrar": {
      "caption": "Domain Registrar",
      "description": "The domain registrar.",
      "type": "string_t"
    },
    "related_analytics": {
      "caption": "Related Analytics",
      "description": "Describes analytics related to the analytic of a finding or detection as identified by the security product.",
      "type": "analytic",
      "is_array": true
    },
    "related_cves": {
      "caption": "Related CVEs",
      "description": "Describes Common Vulnerabilities and Exposures <a target='_blank' href='https://cve.mitre.org/'>(CVE)</a> entries that are related to an entity. See specific usage.",
      "type": "cve",
      "is_array": true
    },
    "related_cwes": {
      "caption": "Related CWEs",
      "description": "Describes Common Weakness Enumeration <a target='_blank' href='https://cwe.mitre.org/'>(CWE)</a> entries that are related to an entity. See specific usage.",
      "type": "cwe",
      "is_array": true
    },
    "related_events": {
      "caption": "Related Events",
      "description": "Describes events and/or other findings related to the finding as identified by the security product.",
      "type": "related_event",
      "is_array": true
    },
    "related_vulnerabilities": {
      "caption": "Related Vulnerability IDs",
      "description": "List of vulnerability IDs (e.g. CVE ID) that are related to this vulnerability.",
      "type": "string_t",
      "is_array": true
    },
    "relay": {
      "caption": "Relay",
      "description": "The network relay that is associated with the event.",
      "type": "network_interface"
    },
    "release": {
      "caption": "Software Release Details",
      "description": "Release is the number of times a version of the software has been packaged.",
      "type": "string_t"
    },
    "remediation": {
      "caption": "Remediation Guidance",
      "description": "Describes the recommended remediation steps to address identified issue(s).",
      "type": "remediation"
    },
    "remote_display": {
      "caption": "Remote Display",
      "description": "The remote display affiliated with the event",
      "type": "display"
    },
    "reply_to": {
      "caption": "Reply To",
      "description": "The email header Reply-To values, as defined by RFC 5322.",
      "type": "email_t"
    },
    "reputation": {
      "caption": "Reputation Scores",
      "description": "Contains the original and normalized reputation scores.",
      "type": "reputation"
    },
    "request": {
      "caption": "API Request Details",
      "description": "General Purpose API Request Object. See specific usage",
      "type": "request"
    },
    "requested_permissions": {
      "caption": "Requested Permissions",
      "description": "The permissions mask. See specific usage.",
      "type": "integer_t"
    },
    "requirements": {
      "caption": "Compliance Requirements",
      "description": "A list of requirements associated to a specific control in an industry or regulatory framework. e.g. <code> NIST.800-53.r5 AU-10 </code>",
      "type": "string_t",
      "is_array": true
    },
    "resource": {
      "caption": "Resource",
      "description": "The target resource.",
      "type": "resource_details"
    },
    "resource_type": {
      "caption": "Resource Type",
      "description": "The resource type as defined by the event source.",
      "type": "string_t"
    },
    "resources": {
      "caption": "Resources Array",
      "description": "Describes details about resources that were affected by the activity/event.",
      "type": "resource_details",
      "is_array": true
    },
    "resources_result": {
      "caption": "Resource Results Array",
      "description": "Updated resources after an activity/event.",
      "type": "resource_details",
      "is_array": true
    },
    "response": {
      "caption": "API Response Details",
      "description": "General Purpose API Response Object. See specific usage.",
      "type": "response"
    },
    "response_time": {
      "caption": "Response Time",
      "description": "The Domain Name System (DNS) response time.",
      "type": "timestamp_t"
    },
    "risk_details": {
      "caption": "Risk Details",
      "description": "Describes the risk associated with the finding.",
      "type": "string_t"
    },
    "risk_level": {
      "caption": "Risk Level",
      "description": "The risk level, normalized to the caption of the risk_level_id value.",
      "type": "string_t"
    },
    "risk_level_id": {
      "caption": "Risk Level ID",
      "description": "The normalized risk level id.",
      "sibling": "risk_level",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Info"
        },
        "1": {
          "caption": "Low"
        },
        "2": {
          "caption": "Medium"
        },
        "3": {
          "caption": "High"
        },
        "4": {
          "caption": "Critical"
        },
        "99": {
          "caption": "Other",
          "description": "The risk level is not mapped. See the <code>risk_level</code> attribute, which contains a data source specific value."
        }
      },
      "suppress_checks": [
        "enum_convention"
      ]
    },
    "risk_score": {
      "caption": "Risk Score",
      "description": "The risk score as reported by the event source.",
      "type": "integer_t"
    },
    "rpc_interface": {
      "caption": "Remote Procedure Call Interface",
      "description": "The RPC Interface object describes the details pertaining to the remote procedure call interface.",
      "type": "rpc_interface"
    },
    "rule": {
      "caption": "Rule",
      "description": "The rules that reported the events.",
      "type": "rule"
    },
    "run_mode_ids": {
      "caption": "Run Mode IDs",
      "description": "The list of normalized identifiers that describe application attributes when it is running. See specific usage.",
      "sibling": "run_modes",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The run mode is unknown."
        },
        "99": {
          "caption": "Other",
          "description": "The run mode is not mapped. See the <code>run_modes</code> attribute, which contains data source specific values."
        }
      },
      "is_array": true
    },
    "run_modes": {
      "caption": "Run Modes",
      "description": "The list of run_modes, normalized to the captions of the run_mode_ids values.  In the case of 'Other', they are defined by the event source. See specific usage.",
      "type": "string_t",
      "is_array": true
    },
    "run_state": {
      "caption": "Run State",
      "description": "The state of the job or service, normalized to the caption of the run_state_id value. In the case of 'Other', it is defined by the event source. See specific usage.",
      "type": "string_t"
    },
    "run_state_id": {
      "caption": "Run State ID",
      "description": "The normalized identifier of the state of the job or service. See specific usage.",
      "sibling": "run_state",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The run state is unknown."
        },
        "99": {
          "caption": "Other",
          "description": "The run state is not mapped. See the <code>run_state</code> attribute, which contains a data source specific value."
        }
      }
    },
    "runtime": {
      "caption": "Runtime",
      "description": "The backend running the container, such as containerd or cri-o.",
      "type": "string_t"
    },
    "samesite": {
      "caption": "SameSite",
      "description": "The cookie attribute that lets servers specify whether/when cookies are sent with cross-site requests. Values are: Strict, Lax or None",
      "type": "string_t"
    },
    "sandbox": {
      "caption": "Sandbox",
      "description": "The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.",
      "type": "string_t"
    },
    "sans": {
      "caption": "Subject Alternative Names",
      "description": "The list of subject alternative names that are secured by a specific certificate.",
      "type": "san",
      "is_array": true
    },
    "scale_factor": {
      "caption": "Scale Factor",
      "description": "The numeric scale factor of display.",
      "type": "integer_t"
    },
    "scan": {
      "caption": "Scan",
      "description": "The Scan object describes characteristics of a scan.  See specific usage.",
      "type": "scan"
    },
    "schedule_uid": {
      "caption": "Schedule UID",
      "description": "The unique identifier of the schedule associated with a scan job.",
      "type": "string_t"
    },
    "scheme": {
      "caption": "Scheme",
      "description": "The scheme portion of the URL. For example: <code>http</code>, <code>https</code>, <code>ftp</code>, or <code>sftp</code>.",
      "type": "string_t"
    },
    "score": {
      "caption": "Reputation Score",
      "description": "The reputation score, normalized to the caption of the score_id value. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "score_id": {
      "caption": "Reputation Score ID",
      "description": "The normalized reputation score identifier.",
      "sibling": "score",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The reputation score is unknown."
        },
        "1": {
          "caption": "Very Safe",
          "description": "Long history of good behavior."
        },
        "2": {
          "caption": "Safe",
          "description": "Consistently good behavior."
        },
        "3": {
          "caption": "Probably Safe",
          "description": "Reasonable history of good behavior."
        },
        "4": {
          "caption": "Leans Safe",
          "description": "Starting to establish a history of normal behavior."
        },
        "5": {
          "caption": "May not be Safe",
          "description": "No established history of normal behavior."
        },
        "6": {
          "caption": "Exercise Caution",
          "description": "Starting to establish a history of suspicious or risky behavior."
        },
        "7": {
          "caption": "Suspicious/Risky",
          "description": "A site with a history of suspicious or risky behavior. (spam, scam, potentially unwanted software, potentially malicious)."
        },
        "8": {
          "caption": "Possibly Malicious",
          "description": "Strong possibility of maliciousness."
        },
        "9": {
          "caption": "Probably Malicious",
          "description": "Indicators of maliciousness."
        },
        "10": {
          "caption": "Malicious",
          "description": "Proven evidence of maliciousness."
        },
        "99": {
          "caption": "Other",
          "description": "The reputation score is not mapped. See the <code>rep_score</code> attribute, which contains a data source specific value."
        }
      }
    },
    "script": {
      "caption": "Script",
      "description": "The script object.",
      "type": "script"
    },
    "script_content": {
      "observable": 36,
      "caption": "Script Content",
      "description": "The script content, normalized to UTF-8 encoding irrespective of its original encoding. When emitting this attribute, it may be appropriate to truncate large scripts. When consuming this attribute, large scripts should be anticipated.",
      "type": "long_string"
    },
    "section_a": {
      "caption": "JA4 Section A",
      "description": "The 'a' section of the JA4 fingerprint.",
      "type": "string_t"
    },
    "section_b": {
      "caption": "JA4 Section B",
      "description": "The 'b' section of the JA4 fingerprint.",
      "type": "string_t"
    },
    "section_c": {
      "caption": "JA4 Section C",
      "description": "The 'c' section of the JA4 fingerprint.",
      "type": "string_t"
    },
    "section_d": {
      "caption": "JA4 Section D",
      "description": "The 'd' section of the JA4 fingerprint.",
      "type": "string_t"
    },
    "secure": {
      "caption": "Secure",
      "description": "The cookie attribute to only send cookies to the server with an encrypted request over the HTTPS protocol.",
      "type": "boolean_t",
      "@deprecated": {
        "message": "Use the <code> is_secure </code> attribute instead.",
        "since": "1.1.0"
      }
    },
    "security_descriptor": {
      "caption": "Security Descriptor",
      "description": "The object security descriptor.",
      "type": "string_t"
    },
    "security_level": {
      "caption": "Security Level",
      "description": "The current security level of the entity",
      "type": "string_t"
    },
    "security_level_id": {
      "caption": "Security Level ID",
      "description": "The current security level of the entity",
      "sibling": "security_level",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown"
        },
        "1": {
          "caption": "Secure"
        },
        "2": {
          "caption": "At Risk"
        },
        "3": {
          "caption": "Compromised"
        },
        "99": {
          "caption": "Other",
          "description": "The security level is not mapped. See the <code>security_level</code> attribute, which contains data source specific values."
        }
      }
    },
    "security_questions": {
      "caption": "Security Questions",
      "description": "The question(s) provided to user for a question-based authentication factor.",
      "type": "string_t",
      "is_array": true
    },
    "security_states": {
      "caption": "Security States",
      "description": "The current security states. See specific usage.",
      "type": "security_state",
      "is_array": true
    },
    "sensitivity": {
      "caption": "Sensitivity",
      "description": "The sensitivity of the firewall rule in the matched event. For example: HIGH.",
      "type": "string_t"
    },
    "sequence": {
      "caption": "Sequence Number",
      "description": "Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.",
      "type": "integer_t"
    },
    "serial_number": {
      "caption": "Serial Number",
      "description": "The serial number that pertains to the object. See specific usage.",
      "type": "string_t",
      "observable": 37
    },
    "server_ciphers": {
      "caption": "Server Cipher Suites",
      "description": "The server cipher suites that were exchanged during the TLS handshake negotiation.",
      "type": "string_t",
      "is_array": true
    },
    "server_hassh": {
      "caption": "Server HASSH",
      "description": "The Server HASSH fingerprinting object.",
      "type": "hassh"
    },
    "service": {
      "caption": "Service",
      "description": "The service that pertains to the event.",
      "type": "service"
    },
    "session": {
      "caption": "Session",
      "description": "The authenticated user or service session.",
      "type": "session"
    },
    "severity": {
      "caption": "Severity",
      "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
      "type": "string_t"
    },
    "severity_id": {
      "caption": "Severity ID",
      "description": "<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
      "sibling": "severity",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The event/finding severity is unknown."
        },
        "1": {
          "caption": "Informational",
          "description": "Informational message. No action required."
        },
        "2": {
          "caption": "Low",
          "description": "The user decides if action is needed."
        },
        "3": {
          "caption": "Medium",
          "description": "Action is required but the situation is not serious at this time."
        },
        "4": {
          "caption": "High",
          "description": "Action is required immediately."
        },
        "5": {
          "caption": "Critical",
          "description": "Action is required immediately and the scope is broad."
        },
        "6": {
          "caption": "Fatal",
          "description": "An error occurred but it is too late to take remedial action."
        },
        "99": {
          "caption": "Other",
          "description": "The event/finding severity is not mapped. See the <code>severity</code> attribute, which contains a data source specific value."
        }
      }
    },
    "share": {
      "caption": "Share",
      "description": "The share name. See specific usage.",
      "type": "string_t"
    },
    "share_type": {
      "caption": "Share Type",
      "description": "The share type, normalized to the caption of the share_type_id value. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "share_type_id": {
      "caption": "Share Type ID",
      "description": "The normalized identifier of the share type.",
      "sibling": "share_type",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The share type is unknown."
        },
        "1": {
          "caption": "File"
        },
        "2": {
          "caption": "Pipe"
        },
        "3": {
          "caption": "Print"
        },
        "99": {
          "caption": "Other",
          "description": "The share type is not mapped. See the <code>share_type</code> attribute, which contains a data source specific value."
        }
      }
    },
    "short_desc": {
      "caption": "Short Description",
      "description": "The short description that pertains to the object or event. See specific usage.",
      "type": "string_t"
    },
    "signature": {
      "caption": "Digital Signature",
      "description": "The digital signature of the file.",
      "type": "digital_signature"
    },
    "signatures": {
      "caption": "Digital Signatures",
      "description": "A collection of <code>Digital Signature</code> objects.",
      "type": "digital_signature",
      "is_array": true
    },
    "size": {
      "caption": "Size",
      "description": "The size of data, in bytes.",
      "type": "long_t"
    },
    "smtp_from": {
      "caption": "SMTP From",
      "description": "The value of the SMTP MAIL FROM command.",
      "type": "email_t"
    },
    "smtp_hello": {
      "caption": "SMTP Hello",
      "description": "The value of the SMTP HELO or EHLO command.",
      "type": "string_t"
    },
    "smtp_to": {
      "caption": "SMTP To",
      "description": "The value of the SMTP envelope RCPT TO command.",
      "type": "email_t",
      "is_array": true
    },
    "sni": {
      "caption": "Server Name Indication",
      "description": " The Server Name Indication (SNI) extension sent by the client.",
      "type": "string_t"
    },
    "sp_name": {
      "caption": "OS Service Pack",
      "description": "The name of the latest Service Pack.",
      "type": "string_t"
    },
    "sp_ver": {
      "caption": "OS Service Pack Version",
      "description": "The version number of the latest Service Pack.",
      "type": "integer_t"
    },
    "speed": {
      "caption": "Speed",
      "description": "Ground speed of flight. This value is provided in meters per second with a minimum resolution of 0.25 m/s. Special Values: <code>Invalid</code>, <code>No Value</code>, or <code>Unknown: 255 m/s</code>.",
      "type": "string_t"
    },
    "speed_accuracy": {
      "caption": "Speed Accuracy",
      "description": "Provides quality/containment on horizontal ground speed. Measured in meters/second.",
      "type": "string_t"
    },
    "spf": {
      "caption": "SPF Status",
      "description": "The Sender Policy Framework (SPF) status of the email.",
      "type": "string_t"
    },
    "src_endpoint": {
      "caption": "Source Endpoint",
      "description": "The network source endpoint.",
      "type": "network_endpoint"
    },
    "src_url": {
      "caption": "Source URL",
      "description": "The URL pointing towards the source of an entity. See specific usage.",
      "type": "url_t"
    },
    "standards": {
      "caption": "Compliance Standards: List",
      "description": "Compliance standards are a set of criteria organizations can follow to protect sensitive and confidential information. e.g. <code>NIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001</code>",
      "type": "string_t",
      "is_array": true
    },
    "start_address": {
      "caption": "Start Address",
      "description": "The start address of the execution.",
      "type": "string_t"
    },
    "start_line": {
      "caption": "Start Line",
      "description": "The line number of the first line of code block identified as vulnerable.",
      "type": "integer_t"
    },
    "start_time": {
      "caption": "Start Time",
      "description": "The start time of a time period. See specific usage.",
      "type": "timestamp_t"
    },
    "start_type": {
      "caption": "Start Type",
      "description": "The start type of a service, driver, or application.",
      "type": "string_t"
    },
    "start_type_id": {
      "caption": "Start Type ID",
      "description": "The start type ID of a service or application.",
      "sibling": "start_type",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The start type is unknown."
        },
        "1": {
          "caption": "Auto",
          "description": "Service started automatically during system startup."
        },
        "2": {
          "caption": "Boot",
          "description": "Device driver started by the system loader."
        },
        "3": {
          "caption": "On Demand",
          "description": "Started on demand. For example, by the Windows Service Control Manager when a process calls the <i>StartService</i> function."
        },
        "4": {
          "caption": "Disabled",
          "description": "The service is disabled, and cannot be started."
        },
        "5": {
          "caption": "All Logins",
          "description": "Started on all user logins."
        },
        "6": {
          "caption": "Specific User Login",
          "description": "Started on specific user logins."
        },
        "7": {
          "caption": "Scheduled",
          "description": "Stared according to a schedule."
        },
        "8": {
          "caption": "System Changed",
          "description": "Started when a system item, such as a file or registry key, changes."
        },
        "99": {
          "caption": "Other",
          "description": "The start type is not mapped. See the <code>start_type</code> attribute, which contains a data source specific value."
        }
      }
    },
    "startup_item": {
      "caption": "Startup Item",
      "description": "The startup item object describes an application component that has associated startup criteria and configurations.",
      "type": "startup_item"
    },
    "state": {
      "caption": "State",
      "description": "The state of the event or object, normalized to the caption of the state_id value. In the case of 'Other', it is defined by the event source. See specific usage.",
      "type": "string_t"
    },
    "state_id": {
      "caption": "State ID",
      "description": "The normalized state ID of the event or object. See specific usage.",
      "sibling": "state",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The state is unknown."
        },
        "99": {
          "caption": "Other",
          "description": "The state is not mapped. See the <code>state</code> attribute, which contains a data source specific value."
        }
      }
    },
    "status": {
      "caption": "Status",
      "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "status_code": {
      "caption": "Status Code",
      "description": "The event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.",
      "type": "string_t"
    },
    "status_detail": {
      "caption": "Status Detail",
      "description": "The status detail contains additional information about the event/finding outcome.",
      "type": "string_t"
    },
    "status_details": {
      "caption": "Status Details",
      "description": "A list of descriptions, containing additional information about the event/finding status.",
      "type": "string_t",
      "is_array": true
    },
    "status_id": {
      "caption": "Status ID",
      "description": "The normalized identifier of the event status.",
      "sibling": "status",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The status is unknown."
        },
        "1": {
          "caption": "Success"
        },
        "2": {
          "caption": "Failure"
        },
        "99": {
          "caption": "Other",
          "description": "The event status is not mapped. See the <code>status</code> attribute, which contains a data source specific value."
        }
      }
    },
    "stratum": {
      "caption": "Stratum",
      "description": "The stratum level of the NTP server's time source, normalized to the caption of the stratum_id value.",
      "type": "string_t"
    },
    "stratum_id": {
      "caption": "Stratum ID",
      "description": "The normalized identifier of the stratum level, as defined in <a target='_blank' href='https://www.rfc-editor.org/rfc/rfc5905.html'>RFC-5905</a>.",
      "sibling": "stratum",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "Unspecified or invalid."
        },
        "1": {
          "caption": "Primary Server",
          "description": "The highest precision primary server (e.g atomic clock or GPS)."
        },
        "2": {
          "caption": "Secondary Server",
          "description": "A secondary level server (possible values: 2-15)."
        },
        "16": {
          "caption": "Unsynchronized"
        },
        "17": {
          "caption": "Reserved",
          "description": "Reserved stratum (possible values: 17-255)."
        },
        "99": {
          "caption": "Other",
          "description": "The stratum level is not mapped. See the <code>stratum</code> attribute, which contains a data source specific value."
        }
      }
    },
    "sub_technique": {
      "caption": "Sub Technique",
      "description": "The Sub Technique object describes the sub technique ID and/or name associated to an attack, as defined by <a target='_blank' href='https://attack.mitre.org/wiki/ATT&CK_Matrix'>ATT&CK® Matrix</a>.",
      "type": "sub_technique"
    },
    "subdomain": {
      "caption": "Subdomain",
      "description": "The subdomain portion of the URL. For example: <code>sub</code> in <code>https://sub.example.com</code> or <code>sub2.sub1</code> in <code>https://sub2.sub1.example.com</code>.",
      "type": "string_t"
    },
    "subdomains": {
      "caption": "Subdomains",
      "description": "An array of subdomain strings. Can be used to collect several subdomains such as those from Domain Generation Algorithms (DGAs).",
      "type": "string_t",
      "is_array": true
    },
    "subject": {
      "caption": "Subject Details",
      "description": "The identifier of the subject. See specific usage.",
      "type": "string_t"
    },
    "subnet": {
      "caption": "Subnet",
      "description": "The subnet mask.",
      "type": "subnet_t"
    },
    "subnet_prefix": {
      "caption": "Subnet Prefix Length",
      "description": "The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet.",
      "type": "integer_t"
    },
    "subnet_uid": {
      "caption": "Subnet UID",
      "description": "The unique identifier of a virtual subnet.",
      "type": "string_t"
    },
    "supporting_data": {
      "caption": "Supporting Data",
      "description": "Additional data supporting a finding as provided by security tool",
      "type": "json_t"
    },
    "surname": {
      "caption": "Surname",
      "description": "The last or family name for the user.",
      "type": "string_t"
    },
    "svc_name": {
      "caption": "Service Name",
      "description": "The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service.",
      "type": "string_t"
    },
    "system_call": {
      "caption": "System Call",
      "description": "The system call that was invoked.",
      "type": "string_t"
    },
    "table": {
      "caption": "Table",
      "description": "The table object represents a table within a structured relational database or datastore, which contains columns and rows of data that are able to be create, updated, deleted and queried.",
      "type": "table"
    },
    "tactic": {
      "caption": "Tactic",
      "description": "The Tactic object describes the tactic ID and/or name that is associated to an attack, as defined by <a target='_blank' href='https://attack.mitre.org/wiki/ATT&CK_Matrix'>ATT&CK® Matrix</a>.",
      "type": "tactic"
    },
    "tactics": {
      "caption": "Tactics",
      "description": "The Tactic object describes the tactic ID and/or tactic name that are associated with the attack technique, as defined by <a target='_blank' href='https://attack.mitre.org/wiki/ATT&CK_Matrix'>ATT&CK® Matrix</a>.",
      "type": "tactic",
      "@deprecated": {
        "message": "Use the <code> tactic </code> attribute instead.",
        "since": "1.1.0"
      },
      "is_array": true
    },
    "tag": {
      "caption": "Image Tag",
      "description": "The image tag. For example: <code>1.11-alpine</code>.",
      "type": "string_t",
      "@deprecated": {
        "message": "Use the <code> labels or tags </code> attribute instead.",
        "since": "1.4.0"
      }
    },
    "tags": {
      "caption": "Tags",
      "description": "The list of tags; <code>{key:value}</code> pairs attached to an entity. A Tag may be used to categorize, filter, and search for entities. For e.g. <code>\"Environment\": \"Production\"</code>, <code>\"Owner\": \"007\"</code>. See specific usage.",
      "type": "key_value_object",
      "is_array": true
    },
    "tcp_flags": {
      "caption": "TCP Flags",
      "description": "The network connection TCP header flags (i.e., control bits).",
      "type": "integer_t"
    },
    "technique": {
      "caption": "Technique",
      "description": "The Technique object describes the technique ID and/or name associated to an attack, as defined by <a target='_blank' href='https://attack.mitre.org/wiki/ATT&CK_Matrix'>ATT&CK® Matrix</a>.",
      "type": "technique"
    },
    "tenant_uid": {
      "caption": "Tenant UID",
      "description": "The unique tenant identifier.",
      "type": "string_t"
    },
    "terminal": {
      "caption": "Terminal",
      "description": "The Pseudo Terminal. Ex: the tty or pts value.",
      "type": "string_t"
    },
    "terminated_time": {
      "caption": "Terminated Time",
      "description": "The time when the entity was terminated. See specific usage.",
      "type": "timestamp_t"
    },
    "ticket": {
      "caption": "Ticket",
      "description": "The linked ticket in the ticketing system.",
      "type": "ticket"
    },
    "tid": {
      "caption": "Thread ID",
      "description": "The Identifier of the thread associated with the event, as returned by the operating system.",
      "type": "integer_t"
    },
    "time": {
      "caption": "Event Time",
      "description": "The normalized event occurrence time or the finding creation time.",
      "type": "timestamp_t"
    },
    "timezone_offset": {
      "caption": "Timezone Offset",
      "description": "The number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.",
      "type": "integer_t"
    },
    "title": {
      "caption": "Title",
      "description": "The title of an entity. See specific usage.",
      "type": "string_t"
    },
    "tlp": {
      "caption": "Traffic Light Protocol",
      "description": "The <a target='_blank' href='https://www.first.org/tlp/'>Traffic Light Protocol</a> was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. TLP provides a simple and intuitive schema for indicating with whom potentially sensitive information can be shared.",
      "type": "string_t"
    },
    "tls": {
      "caption": "TLS",
      "description": "The Transport Layer Security (TLS) attributes.",
      "type": "tls"
    },
    "tls_extension_list": {
      "caption": "TLS Extension List",
      "description": "The list of TLS extensions.",
      "type": "tls_extension",
      "is_array": true
    },
    "to": {
      "caption": "To",
      "description": "The email header To values, as defined by RFC 5322.",
      "type": "email_t",
      "is_array": true
    },
    "total": {
      "caption": "Total",
      "description": "The total number of items. See specific usage.",
      "type": "integer_t"
    },
    "track_direction": {
      "caption": "Track Direction",
      "description": "Direction of flight expressed as a “True North-based” ground track angle. This value is provided in clockwise degrees with a minimum resolution of 1 degree. If aircraft is not moving horizontally, use the “Unknown” value",
      "type": "string_t"
    },
    "traffic": {
      "caption": "Traffic",
      "description": "The network traffic refers to the amount of data moving across a network at a given point of time. Intended to be used alongside Network Connection.",
      "type": "network_traffic"
    },
    "transaction_uid": {
      "caption": "Transaction UID",
      "description": "The unique identifier of the transaction.",
      "type": "string_t"
    },
    "transmit_time": {
      "caption": "Transmission Time",
      "description": "The event transmission time from one device to another.  See specific usage.",
      "type": "timestamp_t"
    },
    "tree_uid": {
      "caption": "Tree UID",
      "description": "The tree id is a unique SMB identifier which represents an open connection to a share.",
      "type": "string_t"
    },
    "ttl": {
      "caption": "TTL",
      "description": "The time interval that the resource record may be cached. Zero value means that the resource record can only be used for the transaction in progress, and should not be cached.",
      "type": "integer_t"
    },
    "tunnel_interface": {
      "caption": "Interface",
      "description": "The information about the tunnel interface. See specific usage.",
      "type": "network_interface"
    },
    "tunnel_type": {
      "caption": "Type",
      "description": "The tunnel type. See specific usage.",
      "type": "string_t"
    },
    "tunnel_type_id": {
      "caption": "Type",
      "description": "The normalized tunnel type ID.",
      "sibling": "tunnel_type",
      "type": "integer_t"
    },
    "type": {
      "caption": "Type",
      "description": "The type of an object or value, normalized to the caption of the type_id value. In the case of 'Other', it is defined by the event source. See specific usage.",
      "type": "string_t"
    },
    "type_id": {
      "caption": "Type ID",
      "description": "The normalized type identifier of an object. See specific usage.",
      "sibling": "type",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The type is unknown."
        },
        "99": {
          "caption": "Other",
          "description": "The type is not mapped. See the <code>type</code> attribute, which contains a data source specific value."
        }
      }
    },
    "type_name": {
      "caption": "Type Name",
      "description": "The event/finding type name, as defined by the type_uid.",
      "type": "string_t"
    },
    "type_uid": {
      "caption": "Type ID",
      "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.",
      "sibling": "type_name",
      "type": "long_t"
    },
    "types": {
      "caption": "Types",
      "description": "The type/s of an entity. See specific usage.",
      "type": "string_t",
      "is_array": true
    },
    "unmanned_aerial_system": {
      "caption": "Unmanned Aerial System",
      "description": "The Unmanned Aerial System object describes the characteristics, Position Location Information (PLI), and other metadata of Unmanned Aerial Systems (UAS) and other unmanned and drone systems used in Remote ID. Remote ID is defined in the Standard Specification for Remote ID and Tracking (ASTM Designation: F3411-22a) <a target='_blank' href='https://cdn.standards.iteh.ai/samples/112830/71297057ac42432880a203654f213709/ASTM-F3411-22a.pdf'>ASTM F3411-22a</a>.",
      "type": "unmanned_aerial_system"
    },
    "unmanned_system_operator": {
      "caption": "Unmanned Systems Operator",
      "description": "The human or machine operator of an Unmanned System.",
      "type": "user"
    },
    "unmanned_system_operating_area": {
      "caption": "UAS Operating Area",
      "description": "The UAS Operating Area object describes details about a precise area of operations for a UAS flight or mission.",
      "type": "unmanned_system_operating_area"
    },
    "uid": {
      "caption": "Unique ID",
      "description": "The unique identifier. See specific usage.",
      "type": "string_t"
    },
    "uid_alt": {
      "caption": "Alternate ID",
      "description": "The alternate unique identifier. See specific usage.",
      "type": "string_t"
    },
    "unmapped": {
      "caption": "Unmapped Data",
      "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
      "type": "object"
    },
    "unmanned_system_operator": {
      "caption": "Unmanned Systems Operator",
      "description": "The human or machine operator of an UAS",
      "type": "user"
    },
    "untruncated_size": {
      "caption": "Untruncated Size",
      "description": "The size in bytes of an attribute before truncation. See specific usage.",
      "type": "integer_t"
    },
    "url": {
      "caption": "URL",
      "description": "The URL object that pertains to the event or object. See specific usage.",
      "type": "url"
    },
    "url_string": {
      "caption": "URL String",
      "description": "The URL string. See RFC 1738. For example: <code>http://www.example.com/download/trouble.exe</code>.",
      "type": "url_t"
    },
    "user": {
      "caption": "User",
      "description": "The user that pertains to the event or object.",
      "type": "user"
    },
    "user_agent": {
      "observable": 16,
      "caption": "HTTP User-Agent",
      "description": "The request header that identifies the operating system and web browser.",
      "type": "string_t"
    },
    "user_result": {
      "caption": "User Result",
      "description": "The result of the user account change. It should contain the new values of the changed attributes.",
      "type": "user"
    },
    "users": {
      "caption": "Users",
      "description": "The users that pertain to the event or object.",
      "type": "user",
      "is_array": true
    },
    "uuid": {
      "caption": "UUID",
      "description": "The universally unique identifier. See specific usage.",
      "type": "uuid_t"
    },
    "value": {
      "caption": "Value",
      "description": "The value that pertains to the object. See specific usage.",
      "type": "string_t"
    },
    "variable_name": {
      "caption": "Variable Name",
      "description": "The name of a variable. See specific usage.",
      "type": "long_string"
    },
    "variable_value": {
      "caption": "Variable Value",
      "description": "The value of a variable. See specific usage.",
      "type": "long_string"
    },
    "vector_string": {
      "caption": "Vector String",
      "description": "The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: <code>3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H</code>.",
      "type": "string_t"
    },
    "vendor_name": {
      "caption": "Vendor Name",
      "description": "The name of the vendor. See specific usage.",
      "type": "string_t"
    },
    "verdict": {
      "caption": "Verdict",
      "description": "The verdict assigned to an Incident finding.",
      "type": "string_t"
    },
    "verdict_id": {
      "caption": "Verdict ID",
      "description": "The normalized verdict of an Incident.",
      "sibling": "verdict",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The type is unknown."
        },
        "1": {
          "caption": "False Positive",
          "description": "The incident is a false positive."
        },
        "2": {
          "caption": "True Positive",
          "description": "The incident is a true positive."
        },
        "3": {
          "caption": "Disregard",
          "description": "The incident can be disregarded as it is unimportant, an error or accident."
        },
        "4": {
          "caption": "Suspicious",
          "description": "The incident is suspicious."
        },
        "5": {
          "caption": "Benign",
          "description": "The incident is benign."
        },
        "6": {
          "caption": "Test",
          "description": "The incident is a test."
        },
        "7": {
          "caption": "Insufficient Data",
          "description": "The incident has insufficient data to make a verdict."
        },
        "8": {
          "caption": "Security Risk",
          "description": "The incident is a security risk."
        },
        "9": {
          "caption": "Managed Externally",
          "description": "The incident remediation or required actions are managed externally."
        },
        "10": {
          "caption": "Duplicate",
          "description": "The incident is a duplicate."
        },
        "99": {
          "caption": "Other",
          "description": "The type is not mapped. See the <code>type</code> attribute, which contains a data source specific value."
        }
      }
    },
    "version": {
      "caption": "Version",
      "description": "The version that pertains to the event or object. See specific usage.",
      "type": "string_t"
    },
    "vertical_speed": {
      "caption": "Vertical Speed",
      "description": "Vertical speed upward relative to the WGS-84 datum, measured in meters per second. Special Values: <code>Invalid</code>, <code>No Value</code>, or <code>Unknown: 63 m/s</code>.",
      "type": "string_t"
    },
    "vlan_uid": {
      "caption": "VLAN",
      "description": "The Virtual LAN identifier.",
      "type": "string_t"
    },
    "vpc_uid": {
      "caption": "VPC UID",
      "description": "The unique identifier of the Virtual Private Cloud (VPC).",
      "type": "string_t"
    },
    "vulnerabilities": {
      "caption": "Vulnerabilities",
      "description": "This object describes vulnerabilities reported in a security finding.",
      "type": "vulnerability",
      "is_array": true
    },
    "vulnerability": {
      "caption": "Vulnerability",
      "description": "The vulnerability object describes details related to the observed vulnerability",
      "type": "vulnerability"
    },
    "web_resources": {
      "caption": "Web Resources",
      "description": "Describes details about web resources that were affected by an activity/event.",
      "type": "web_resource",
      "is_array": true
    },
    "web_resources_result": {
      "caption": "Web Resources Result",
      "description": "The results of the activity on web resources. It should contain the new values of the changed attributes of the web resources.",
      "type": "web_resource",
      "is_array": true
    },
    "whois": {
      "caption": "WHOIS",
      "description": "The resources of a WHOIS record for a given domain. This can include domain names, IP address blocks, autonomous system information, and/or contact and registration information for a domain.",
      "type": "whois"
    },
    "working_directory": {
      "caption": "Working Directory",
      "description": "The working directory of a process.",
      "type": "string_t"
    },
    "x_forwarded_for": {
      "caption": "X-Forwarded-For",
      "description": "The X-Forwarded-For header identifying the originating IP address(es) of a client connecting to a web server through an HTTP proxy or a load balancer.",
      "type": "ip_t",
      "is_array": true
    },
    "x_originating_ip": {
      "caption": "X-Originating-IP",
      "description": "The X-Originating-IP header identifying the emails originating IP address(es).",
      "type": "ip_t",
      "is_array": true
    },
    "xattributes": {
      "caption": "Extended Attributes",
      "description": "An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.</p>For example: Windows alternate data stream attributes (ADS stream name, ADS size, etc.), user-defined or application-defined attributes, ACL, owner, primary group, etc. Examples from DCS: </p><ul><li><strong>ads_name</strong></li><li><strong>ads_size</strong></li><li><strong>dacl</strong></li><li><strong>owner</strong></li><li><strong>primary_group</strong></li><li><strong>link_name</strong> - name of the link associated to the file.</li><li><strong>hard_link_count</strong> - the number of links that are associated to the file.</li></ul>",
      "type": "object"
    },
    "zone": {
      "caption": "Network Zone",
      "description": "The network zone or LAN segment.",
      "type": "string_t"
    }
  },
  "types": {
    "caption": "Data Types",
    "description": "The data types available in OCSF. Each data type specifies constraints in the form regular expressions, max lengths or value limits. Implementors of OCSF should ensure they abide to these constraints.",
    "attributes": {
      "boolean_t": {
        "caption": "Boolean",
        "description": "Boolean value. One of <code>true</code> or <code>false</code>.",
        "values": [
          false,
          true
        ]
      },
      "bytestring_t": {
        "caption": "Byte String",
        "description": "Base64 encoded immutable byte sequence.",
        "type": "string_t",
        "type_name": "String"
      },
      "datetime_t": {
        "caption": "Datetime",
        "description": "The Internet Date/Time format as defined in <a target='_blank' href='https://www.rfc-editor.org/rfc/rfc3339.html'>RFC-3339</a>. For example:<br><code>2024-09-10T23:20:50.520Z</code>,<br><code>2024-09-10 23:20:50.520789Z</code>.",
        "regex": "^\\d{4}-\\d{2}-\\d{2}[Tt]\\d{2}:\\d{2}:\\d{2}(?:\\.\\d+)?([Zz]|[\\+-]\\d{2}:\\d{2})?$",
        "type": "string_t",
        "type_name": "String"
      },
      "email_t": {
        "observable": 5,
        "caption": "Email Address",
        "description": "Email address. For example:<br><code>john_doe@example.com</code>.",
        "regex": "^[a-zA-Z0-9!#$%&'*+-/=?^_`{|}~.]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$",
        "type": "string_t",
        "type_name": "String"
      },
      "file_hash_t": {
        "observable": 8,
        "caption": "Hash",
        "description": "Hash. A unique value that corresponds to the content of the file, image, ja3_hash or hassh found in the schema. For example:<br> MD5: <code>3172ac7e2b55cbb81f04a6e65855a628</code>.",
        "regex": "^[a-fA-F0-9]+$",
        "type": "string_t",
        "type_name": "String"
      },
      "file_name_t": {
        "observable": 7,
        "caption": "File Name",
        "description": "File name. For example:<br><code>text-file.txt</code>.",
        "type": "string_t",
        "type_name": "String"
      },
      "float_t": {
        "caption": "Float",
        "description": "Real floating-point value. For example:<br><code>3.14</code>."
      },
      "hostname_t": {
        "observable": 1,
        "caption": "Hostname",
        "description": "Unique name assigned to a device connected to a computer network. It may be a fully qualified domain name (FQDN). For example:<br><code>r2-d2.example.com.</code>,<br><code>mx.example.com</code>",
        "type": "string_t",
        "type_name": "String"
      },
      "integer_t": {
        "caption": "Integer",
        "description": "Signed integer value."
      },
      "ip_t": {
        "max_len": 40,
        "observable": 2,
        "caption": "IP Address",
        "description": "Internet Protocol address (IP address), in either IPv4 or IPv6 format. For example:<br><code>192.168.200.24</code>, <br> <code>2001:0db8:85a3:0000:0000:8a2e:0370:7334</code>.",
        "regex": "((^\\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]).){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\\s*$)|(^\\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:)))(%.+)?\\s*$))",
        "type": "string_t",
        "type_name": "String"
      },
      "json_t": {
        "caption": "JSON",
        "description": "Embedded JSON value. A value can be a string, or a number, or true or false or null, or an object or an array. These structures can be nested. See <a target='_blank' href='https://www.json.org'>www.json.org</a>."
      },
      "long_t": {
        "caption": "Long",
        "description": "8-byte long, signed integer value."
      },
      "mac_t": {
        "max_len": 32,
        "observable": 3,
        "caption": "MAC Address",
        "description": "Media Access Control (MAC) address. For example:<br><code>18:36:F3:98:4F:9A</code>.",
        "regex": "^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$",
        "type": "string_t",
        "type_name": "String"
      },
      "port_t": {
        "observable": 11,
        "caption": "Port",
        "description": "The TCP/UDP port number. For example:<br><code>80</code>,<br><code>22</code>.",
        "type": "integer_t",
        "type_name": "Integer",
        "range": [
          0,
          65535
        ]
      },
      "process_name_t": {
        "observable": 9,
        "caption": "Process Name",
        "description": "Process name. For example:<br><code>Notepad</code>.",
        "type": "string_t",
        "type_name": "String"
      },
      "resource_uid_t": {
        "observable": 10,
        "caption": "Resource UID",
        "description": "Resource unique identifier. For example, S3 Bucket name or EC2 Instance ID.",
        "type": "string_t",
        "type_name": "String"
      },
      "string_t": {
        "caption": "String",
        "description": "UTF-8 encoded byte sequence."
      },
      "subnet_t": {
        "max_len": 42,
        "observable": 12,
        "caption": "Subnet",
        "description": "The subnet represented in a CIDR notation, using the format network_address/prefix_length. The network_address can be in either IPv4 or IPv6 format. The prefix length indicates the number of bits used for the network portion, and the remaining bits are available for host addresses within that subnet. For example:<br><code>192.168.1.0/24</code>,<br><code>2001:0db8:85a3:0000::/64</code>",
        "type": "string_t",
        "type_name": "String"
      },
      "timestamp_t": {
        "caption": "Timestamp",
        "description": "The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:<br><code>1618524549901</code>.",
        "type": "long_t",
        "type_name": "Long"
      },
      "url_t": {
        "observable": 6,
        "caption": "URL String",
        "description": "Uniform Resource Locator (URL) string. For example:<br><code>http://www.example.com/download/trouble.exe</code>.",
        "type": "string_t",
        "type_name": "String"
      },
      "username_t": {
        "observable": 4,
        "caption": "User Name",
        "description": "User name. For example:<br><code>john_doe</code>.",
        "type": "string_t",
        "type_name": "String"
      },
      "uuid_t": {
        "caption": "UUID",
        "description": "128-bit universal unique identifier. For example:<br><code>123e4567-e89b-12d3-a456-42661417400</code>.",
        "regex": "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}",
        "type": "string_t",
        "type_name": "String"
      }
    }
  }
}