Exabeam Security Content in the Common Information Model

Common Information Model Impact on Fields

The following table lists fields that have changed in the new common information model structure. Some fields represent changes in name or definition to legacy fields. Others are brand new fields in the common information model that did not previously exist in the legacy structure.

| Legacy field | New field name or definition |
|---|---|
| user | Represents a user. The user field usually indicates the source user who initiated an activity. To indicate a user who is the subject, use dest_user. |
| src_host | For use when the host is the source of an operation OR the host is where the operation originated. |
| dest_host | For use when the host is the destination of the operation. |
| src_ip | For use when the IP is the source of the operation OR the IP is where the operation originated. |
| dest_ip | For use when the IP is the destination of the operation. |
| pid | New name: process_id |
| activity | New name: operation |
| service | New name: service_name |
| access | Represents the access type that was requested when a resource (such as a file or process) was opened or was granted a handle. However, if a field represents the name of an operation, use operation instead; if it represents the permissions of a file, use permissions instead. For an example of how access rights are specified, see Generic Access Rights - Win32 apps. |
| user_id | For use to identify a user only in a generic form of authentication. For SID, GUID, or other known authentication formats, use more specific fields such as user_sid or user_guid. |
| email_address | Represents the email_user plus the email_domain, where email is an email address and not a user name. User name and user email are not necessarily the same. For example, a user email might be [email protected] while the user name is jdoe. New fields: email_user and email_domain. |
| user_email | Use email_address instead. |
| sender | Use email_address instead. |
| dest_email_address | Represents the dest_email_user plus the dest_email_domain, where email is an email address and not a user name. User name and email address are not necessarily the same. For example, a user email might be [email protected] while the user name is jdoe. New fields: dest_email_user and dest_email_domain. |
| receiver | Use dest_email_address instead. |
| attachment | New name: email_attachment |
| subject | New name: email_subject |
| user_fullname | New name: full_name |
| user_firstname | New name: first_name |
| user_lastname | New name: last_name |
| fullname | New name: full_name |
| firstname | New name: first_name |
| lastname | New name: last_name |
| file_parent | New name: file_dir |
| file_size | New name: bytes |
| bytes_num | New name: bytes |
| target_user | New name: email_subject |
| command_line | New name: process_command_line |
| parent_process_cmd | New name: parent_process_command_line |
| parent_command_line | New name: parent_process_command_line |
| name | Deprecated. |
| reason | Deprecated. |
| creation_time | New name: time_created |
| full_url | New name: url |
| grandparent_process | New name: grandparent_process_name |
| activity_type | New name: operation_type |
| status | New name: result |
| account | New name: dest_user |
| account_name | New name: dest_user |
| rule_name | New name: rule |
| database_* | New name: db_* |
| os_user | New name: user |
| is_dok | If this field exists for a file event and has a value of true, the file event was most likely performed on a peripheral storage device. |
| login_type | Represents the type of login (such as remote, local, batch, service). |
| authentication_type | Represents the type of authentication (such as kerberos, mfa). |
| conn_id | New name: connection_id |
| device | In most cases, use device_name instead. However, in existing parsers the meaning can vary. Use other field names as appropriate, such as device_id or device_model. |
| group | New name: group_name |
| policy | In most cases, use policy_name instead. However, in existing parsers the meaning can vary. Use other field names as appropriate, such as policy_id or policy_arn. |
| accesses | Use access instead. |
| domain | In most cases, use user_domain. However, in existing parsers the meaning can vary. Use other field names as appropriate, such as email_domain or web_domain. |
| log_name | Represents the name of the logging service. This field name will be deprecated in the future and replaced by the product field. |
| log_id | Use event_id instead. |
| record_id | Use event_id instead. |
| event_id | Represents a unique identifier for a single generated event, not to be confused with event_code. For example, 11223344. |
| event_name | Represents the name of the operation recorded in the event. This field should correlate directly to the event_code. |
| event_code | Represents an identifier for the operation type recorded in the event, not to be confused with event_id. For example, 4624. |
| sub_event_type | New name: event_subtype |
| log_source | Represents the service that provided the data to the log. In Event Viewer, this is the event provider field. In cloud audit logs, this is identical to the cloud service field. |
| event_type | New name: event_category |
| log_type | New name: event_category |
| event_category | In cases where a single log source provides multiple categories of events, this field represents the category that belongs to the event. |
| missing_bytes | New name: missed_bytes |
| bytes_recieved | New name: bytes_in |
| bytes_send | New name: bytes_out |
| total_bytes | New name: bytes |
| conn_state | New name: connection_state |
| conn_uids | New name: connection_uid |
| connect_type | New name: connection_type |
| sconnection_id | New name: source_connection_id |
| age_of_conn | New name: connection_age |
| dest_service | New name: dest_service_name |
| identitygroup | New name: identity_group |
| user_group | New name: user_group_name |
| logon_id | New name: login_id |
| logon_type | New name: login_type |
| dest_logon_id | New name: dest_login_id |
| logon_type_text | New name: login_type_text |
| blockinggroupname | New name: blocking_group_name |
| result_code | Use http_response_code for http-session and web-activity event types. |
| subcategory | New name: sub_category |
| sid | New name: user_sid |
| uid | New name: user_uid |
| uids | New name: user_uids |
| uuid | New name: user_uid |
| alert_name | Represents the name of the alert, if an alert occurred. |
| alert_type | Represents the classification of an alert, according to the vendor. |
| alert_subject | Represents the subject (from the subject interface list) that was the cause of an alert trigger. For example, if an alert was triggered because of a process, the alert_subject would be "process". |
| alert_severity | Represents the severity of an alert, according to the vendor. |
| alert_source | Represents the origin of the alert. The origin can be a third-party, a correlation rule, or an anomaly alert. |
| action | Represents the action taken against an event, as parsed (such as allowed, blocked, quarantined). Replaces the use of outcome. |
| result | Represents the result of an event's occurrence, as parsed (such as succeeded, failed). Replaces the use of outcome. |
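As an added example that is not Exabeam's code: a small Python shim that rewrites legacy parser output into the field names in this table, so detection content written against the new names still matches events from parsers that have not been converted. The rename subset, the database_* to db_* wildcard and the email_user/email_domain split come from the table; the sample event, the first-value-wins conflict handling and the function names are assumptions.

```python
# Added example, not Exabeam code: normalise a legacy-parsed event (flat dict)
# into the common-information-model names listed in the mapping table.
LEGACY_RENAMES = {
    "pid": "process_id", "activity": "operation", "service": "service_name",
    "fullname": "full_name", "user_fullname": "full_name",
    "file_size": "bytes", "bytes_num": "bytes", "total_bytes": "bytes",
    "command_line": "process_command_line",
    "status": "result", "account": "dest_user", "account_name": "dest_user",
    "logon_id": "login_id", "logon_type": "login_type", "os_user": "user",
    "bytes_recieved": "bytes_in", "bytes_send": "bytes_out",
    "log_id": "event_id", "record_id": "event_id",
    "user_email": "email_address", "sender": "email_address",
    "receiver": "dest_email_address",
}
DEPRECATED = {"name", "reason"}  # dropped rather than carried over

def split_email(addr):
    """Return (user, domain) for an address, or None if it is not one."""
    if not isinstance(addr, str):
        return None
    user, sep, domain = addr.rpartition("@")
    return (user, domain) if sep and user and domain else None

def to_cim(legacy):
    """Return (cim_event, conflicts); conflicts names new fields that two
    legacy fields mapped onto with different values (first value kept)."""
    out, conflicts = {}, []
    for key, value in legacy.items():
        if key in DEPRECATED:
            continue
        if key.startswith("database_"):          # database_* -> db_*
            new = "db_" + key[len("database_"):]
        else:
            new = LEGACY_RENAMES.get(key, key)  # unmapped names pass through
        if new in out and out[new] != value:
            conflicts.append(new)               # report, never overwrite
            continue
        out[new] = value
    # email_address is email_user plus email_domain; same for dest_email_*
    for field, prefix in (("email_address", "email_"), ("dest_email_address", "dest_email_")):
        parts = split_email(out.get(field))
        if parts:
            out[prefix + "user"], out[prefix + "domain"] = parts
    return out, conflicts

SAMPLE_LEGACY = {  # constructed sample event, not real log data
    "pid": 4712, "activity": "logon", "logon_type": 10, "account": "jdoe",
    "sender": "jdoe@example.com", "file_size": 1024, "bytes_num": 512,
    "database_name": "hr", "status": "success", "record_id": 11223344,
    "event_code": 4624, "name": "legacy-only",
}
```

The conflicts list is worth surfacing in parser tests: file_size and bytes_num both landing on bytes with different values is exactly the kind of silent data loss a rename table can hide.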