Captures all of the relevant attributes that we know about the entity. For example, if the entity is a device and it has multiple IP or MAC addresses, add all that are relevant.

| Field | Type | Label | Description |
|---|---|---|---|
| hostname | string | | Client hostname or domain name field. Hostname also doubles as the domain for remote entities. |
| asset_id | string | | The asset ID. |
| user | user | | Information about the user. |
| user_management_chain | user | repeated | Information about the user's management chain (reporting hierarchy). Note: user_management_chain is only populated when data is exported to BigQuery, since recursive fields (e.g. user.managers) are not supported by BigQuery. |
| group | group | | Information about the group. |
| process | process | | Information about the process. |
| process_ancestors | process | repeated | Information about the process's ancestors, ordered from immediate ancestor (parent process) to root. Note: process_ancestors is only populated when data is exported to BigQuery, since recursive fields (e.g. process.parent_process) are not supported by BigQuery. |
| asset | asset | | Information about the asset. |
| ip | string | repeated | A list of IP addresses associated with a network connection. |
| nat_ip | string | repeated | A list of NAT-translated IP addresses associated with a network connection. |
| port | int32 | | Source or destination network port number when a specific network connection is described within an event. |
| nat_port | int32 | | NAT external network port number when a specific network connection is described within an event. |
| mac | string | repeated | List of MAC addresses associated with a device. |
| administrative_domain | string | | Domain which the device belongs to (for example, the Windows domain). |
| namespace | string | | Namespace which the device belongs to (e.g. AD forest). Uses for this field include Windows AD forest, name of subsidiary or acquisition, etc. |
| url | string | | The URL. |
| file | file | | Information about the file. |
| email | string | | Email address. Only filled in for security_result.about. |
| registry | registry | | Registry information. |
| application | string | | The name of an application or service. Some SSO solutions only capture the name of a target application such as "Atlassian" or "Chronicle". |
| platform | noun.platform | | The platform. |
| platform_version | string | | The platform version, e.g. "Microsoft Windows 1803". |
| platform_patch_level | string | | The platform patch level, e.g. "Build 17134.48". |
| cloud | cloud | | Cloud metadata. Deprecated: cloud should be populated in the entity Attribute as generic metadata (e.g. asset.attribute.cloud). |
| location | location | | The physical location. For cloud environments, set the region in location.name. |
| resource | resource | | Information about the resource (e.g. scheduled task, calendar entry). This field should not be used for files, registry, processes, etc., since these objects are already part of Noun. |
| labels | label | repeated | Labels are key-value pairs. For example: key = "env", value = "prod". Deprecated: labels should be populated in the entity Attribute as generic metadata (e.g. user.attribute.labels). |
| object_reference | id | | The finding whose analyst feedback was updated. |
| investigation | investigation | | Analyst feedback/investigation for alerts. |
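As an added illustration (not Chronicle's own code), the following Python checks a Noun-shaped dict against the scalar field types, repeated markers and deprecation notes in the table above, so that a parser emitting UDM keeps every known address in the repeated fields rather than dropping to a single value. The schema transcription, the MAC pattern and both sample nouns are constructed here and are assumptions, not part of the page.

```python
import ipaddress
import re

# (python type, repeated?) for the scalar fields in the table above; nested message
# fields (user, process, asset, file, ...) are governed by their own tables.
NOUN_FIELDS = {
    "hostname": (str, False), "asset_id": (str, False), "ip": (str, True),
    "nat_ip": (str, True), "port": (int, False), "nat_port": (int, False),
    "mac": (str, True), "administrative_domain": (str, False), "namespace": (str, False),
    "url": (str, False), "email": (str, False), "application": (str, False),
    "platform_version": (str, False), "platform_patch_level": (str, False),
    "labels": (dict, True),
}
DEPRECATED = {"labels": "attribute.labels", "cloud": "attribute.cloud"}  # per the table
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")  # assumed colon-separated form

def validate_noun(noun):
    """Return a list of problems; an empty list means the noun fits the table."""
    problems = []
    for field, value in noun.items():
        if field in DEPRECATED:
            problems.append(f"{field}: deprecated, populate {DEPRECATED[field]} instead")
        if field not in NOUN_FIELDS:
            continue
        typ, repeated = NOUN_FIELDS[field]
        if repeated and not isinstance(value, list):
            problems.append(f"{field}: repeated field, expected a list")
            continue
        for item in value if repeated else [value]:
            if isinstance(item, bool) or not isinstance(item, typ):
                problems.append(f"{field}: expected {typ.__name__}")
            elif field in ("ip", "nat_ip"):
                try:
                    ipaddress.ip_address(item)
                except ValueError:
                    problems.append(f"{field}: {item!r} is not an IP address")
            elif field == "mac" and not MAC_RE.match(item):
                problems.append(f"mac: {item!r} is not a MAC address")
            elif field in ("port", "nat_port") and not 0 <= item <= 65535:
                problems.append(f"{field}: {item} is outside 0-65535")
    return problems

# Constructed sample: one workstation seen on two interfaces, every known address kept.
DEVICE_NOUN = {
    "hostname": "ws-0123.corp.example", "asset_id": "cmdb-ws-0123", "port": 49152,
    "ip": ["10.1.2.3", "192.168.56.10"], "mac": ["00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"],
    "administrative_domain": "CORP", "platform_version": "Microsoft Windows 1803",
    "platform_patch_level": "Build 17134.48",
}
# Constructed sample of common mistakes: scalar where repeated, string port, deprecated labels.
LEGACY_NOUN = {"ip": "10.1.2.3", "port": "443", "labels": [{"key": "env", "value": "prod"}]}
```

Running `validate_noun` over a parser's output before ingestion catches the flattening mistakes (a single string where the table says repeated) that silently lose the second IP or MAC of a device.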