Domain model and view definitions
The events and events_all predefined views represent the most commonly used query items in the QRadar data lake. Use the views to simplify your queries and reduce query costs.
View: events
The events view contains a limited number of columns and is most efficient for querying general purpose events.
| Column Name | Datatype | Description |
|---|---|---|
| original_time | datetime | Original Time. |
| data_source_name | string | User provided data source name. |
| name | string | Name of the event. |
| user_id | string | User Id. |
| low_level_categories | dynamic: int Array | Low Level Categories. |
| src_ip | long | Source IPv4 address, stored as a long. |
| src_port | int | Specifies the source port used in the network traffic, as an integer. The port value MUST be in the range of 0 - 65535. |
| dst_ip | long | Destination IPv4 address, stored as a long. |
| dst_port | int | Specifies the destination port used in the network traffic, as an integer. The port value MUST be in the range of 0 - 65535. |
| severity | int | Severity. |
| event_uuid | string | Internal event identifier. |
| payload | string | Raw event payload. |
View: alerts
The alerts view contains a limited number of columns and is most efficient for querying general purpose alerts.
| Column Name | Datatype | Description |
|---|---|---|
| original_time | datetime | Original Time. |
| data_source_name | string | User provided data source name. |
| name | string | Name of the event. |
| user_id | string | User Id. |
| low_level_categories | dynamic: int Array | Low Level Categories. |
| src_ip | long | Source IPv4 address, stored as a long. |
| src_port | int | Specifies the source port used in the network traffic, as an integer. The port value MUST be in the range of 0 - 65535. |
| dst_ip | long | Destination IPv4 address, stored as a long. |
| dst_port | int | Specifies the destination port used in the network traffic, as an integer. The port value MUST be in the range of 0 - 65535. |
| severity | int | Severity. |
| event_uuid | string | Internal event identifier. |
| payload | string | Raw event payload. |
View: network_events
The default view for searching network-oriented events; it adds protocol, byte and packet counters to the columns of the events view.
| Column Name | Datatype | Description |
|---|---|---|
| original_time | datetime | Original Time. |
| data_source_name | string | User provided data source name. |
| name | string | Name of the event. |
| user_id | string | User id. |
| low_level_categories | dynamic: int Array | Low Level Categories. |
| protocols | dynamic: string Array | Specifies the protocols observed in the network traffic, along with their corresponding state. |
| src_ip | long | Source IPv4 address, stored as a long. |
| src_port | int | Specifies the source port used in the network traffic, as an integer. The port value MUST be in the range of 0 - 65535. |
| src_byte_count | int | Specifies the number of bytes sent from the source to the destination. |
| src_packets | long | Specifies the number of packets sent from the source to the destination. |
| dst_ip | long | Destination IPv4 address, stored as a long. |
| dst_port | int | Specifies the destination port used in the network traffic, as an integer. The port value MUST be in the range of 0 - 65535. |
| dst_byte_count | int | Specifies the number of bytes sent from the destination to the source. |
| dst_packets | long | Specifies the number of packets sent from the destination to the source. |
| severity | int | Severity. |
| event_uuid | string | Internal event identifier. |
| payload | string | Raw event payload. |
View: events_all
The events_all view is suitable for searching for any type of event or alert. All columns are available.
Important: To minimize query cost, always provide an explicit list of columns to project instead of returning every column of the view.
| Column Name | Datatype | Description |
|---|---|---|
| account_context | string | Context. |
| account_login | string | Account login. |
| account_type | string | Account type. |
| additional_header_fields_key | dynamic: string Array | Email Message Additional header fields key. |
| additional_header_fields_value | dynamic: string Array | Email Message Additional header fields value. |
| agent_version | string | Endpoint Agent version. |
| anomaly_expected_value | string | Anomaly expected value. |
| anomaly_observed_value | string | Anomaly observed value. |
| anomaly_score | int | Anomaly Score. |
| anomaly_timestamp | long | Anomaly Timestamp. |
| bios_manufacturer | string | Endpoint BIOS manufacturer. |
| bios_version | string | Endpoint BIOS version. |
| correlation_description | string | Correlation Description. |
| correlation_id | string | Correlation unique identifier represented as a string. |
| correlation_source | string | Correlation Source. |
| correlation_timestamp | long | Correlation Timestamp. |
| created_by_id | int | Created By Analytics Id. |
| created_by_type | int | Created By Analytics Type. 'NONE'=1,'SEARCH_BASED_RULE'=2,'REALTIME_RULE'=3,'BEHAVIORAL_RULE'=4 |
| created_by_version | int | Created By Analytics Version. |
| credibility | int | Credibility. |
| data_source_id | string | Data Source Id. |
| data_source_type_categories | dynamic: int Array | Data Source Type Categories. |
| data_source_type_id | int | Data Source Type Id. |
| description | string | Event Description. |
| dir_contains_ref | string | Directory Contains References. |
| dir_context | string | Directory Context. |
| dir_id | string | Directory unique identifier represented as a string. |
| dir_path | string | Directory Path. |
| dir_path_enc | string | Directory Path Encoding. |
| dir_time_observed | long | Directory Time Observed. |
| domain_context | string | Context. |
| domain_id | string | Domain Name unique identifier represented as a string. |
| domain_resolves_to_ref | string | List of references resolves to. |
| domain_value | string | Domain Name. |
| dst_byte_count | int | Specifies the number of bytes sent from the destination to the source. |
| dst_ip | long | Destination IPv4 Address. |
| dst_ipv6 | string | Destination IPv6 Address. |
| dst_packets | long | Specifies the number of packets sent from the destination to the source. |
| dst_port | int | Specifies the destination port used in the network traffic, as an integer. The port value MUST be in the range of 0 - 65535. |
| dst_ref | string | Specifies the destination of the network traffic, as a reference to one or more Observable Objects. |
| email_addr_belongs_to_ref | string | Email Address List of references belongs to. |
| email_addr_context | string | Email Address Context. |
| email_addr_id | string | Email Address unique identifier represented as a string. |
| email_addr_name | string | Email Address Display Name. |
| email_addr_value | string | Email Address. |
| email_msg_bcc_ref | string | Email Message Bcc refs. |
| email_msg_cc_ref | string | Email Message Cc refs. |
| email_msg_content_type | dynamic: string Array | Email Message Content type. |
| email_msg_date | long | Email Message Date. |
| email_msg_from_ref | string | Email Message From ref. |
| email_msg_id | string | Email Message Unique identifier represented as a string. |
| email_msg_sender_ref | string | Email Message Sender ref. |
| email_msg_subject | string | Email Message Subject. |
| email_msg_to_ref | string | Email Message To refs. |
| endpoint_context | string | Endpoint Context. |
| endpoint_device_id | string | Endpoint Device id. |
| endpoint_first_seen | long | First seen. |
| endpoint_group_ids | dynamic: string Array | Endpoint Group ids. |
| endpoint_groups | dynamic: string Array | Endpoint Groups. |
| endpoint_hostname | string | Endpoint Hostname. |
| endpoint_id | string | Endpoint Unique identifier represented as a string. |
| endpoint_last_seen | long | Last seen. |
| endpoint_mac_ref | string | Endpoint MAC references. |
| enrichment_category | string | Enrichment Category. |
| enrichment_description | string | Enrichment Description. |
| enrichment_id | string | Enrichment Unique identifier represented as a string. |
| enrichment_module | string | Enrichment Module. |
| enrichment_severity | int | Enrichment Severity. |
| enrichment_timestamp | long | Enrichment Timestamp. |
| event_type | int | Event type 1=Event or 2=Alert. |
| event_uuid | string | Internal event identifier. |
| external_alert_id | string | External Alert Id. |
| external_credibility | string | External Credibility. |
| external_detection_id | string | External Detection Id. |
| external_severity | string | External Severity. |
| file_contains_ref | string | File Contains references. |
| file_context | string | File Context. |
| file_id | string | File Unique identifier represented as a string. |
| file_md5_hash | string | MD5 hash of the file. |
| file_mime_type | string | File mime type. |
| file_modified_time | long | File Modified Time. |
| file_name | string | File Name. |
| file_path | string | Full File Path. |
| file_parent_contains_ref | string | Parent File Contains references. |
| file_parent_context | string | Parent File Context. |
| file_parent_directory_ref | string | File Parent directory reference. |
| file_parent_path | string | Full Parent File Path. |
| file_parent_id | string | Parent File Unique identifier represented as a string. |
| file_parent_md5_hash | string | MD5 hash of the parent file. |
| file_parent_mime_type | string | Parent File mime type. |
| file_parent_name | string | Parent File Name. |
| file_parent_parent_directory_ref | string | Parent File Parent directory reference. |
| file_parent_sha1_hash | string | SHA-1 hash of the parent file. |
| file_parent_sha256_hash | string | SHA-256 hash of the parent file. |
| file_parent_imphash | string | IMPHASH (import hash) of the parent file. |
| file_parent_size | long | Parent File Size. |
| file_sha1_hash | string | SHA-1 hash of the file. |
| file_sha256_hash | string | SHA-256 hash of the file. |
| file_imphash | string | IMPHASH (import hash) of the file. |
| file_size | long | File Size. |
| internal_account_id | string | Internal Account Id. |
| investigation_query | string | Anomaly Investigation Query. |
| ip6_context | string | IPv6 Address Context. |
| ip6_dst_context | string | Destination IPv6 Address Context. |
| ip6_dst_id | string | Destination IPv6 Address Unique identifier represented as a string. |
| ip6_dst_resolves_to_ref | string | Destination IPv6 Address List of references resolves to. |
| ip6_id | string | IPv6 Address Unique identifier represented as a string. |
| ip6_resolves_to_ref | string | IPv6 Address List of references resolves to. |
| ip6_src_context | string | Source IPv6 Address Context. |
| ip6_src_id | string | Source IPv6 Address Unique identifier represented as a string. |
| ip6_src_resolves_to_ref | string | Source IPv6 Address List of references resolves to. |
| ip6_value | string | IPv6 Address. |
| ip_context | string | IPv4 Address Context. |
| ip_dst_belongs_to_ref | string | Destination IPv4 Address List of references belongs to. |
| ip_dst_context | string | Destination IPv4 Address Context. |
| ip_dst_id | string | Destination IPv4 Address Unique identifier represented as a string. |
| ip_dst_resolves_to_ref | string | Destination IPv4 Address List of references resolves to. |
| ip_id | string | IPv4 Address Unique identifier represented as a string. |
| ip_resolves_to_ref | string | IPv4 Address List of references resolves to. |
| ip_src_context | string | Source IPv4 Address Context. |
| ip_src_id | string | Source IPv4 Address Unique identifier represented as a string. |
| ip_src_resolves_to_ref | string | Source IPv4 Address List of references resolves to. |
| ip_value | long | IPv4 Address. |
| is_multipart | bool | Email Message Is multipart. |
| low_level_categories | dynamic: int Array | Low Level Categories. |
| mac_context | string | MAC Address Context. |
| mac_dst_context | string | Destination MAC Address Context. |
| mac_dst_id | string | Destination MAC Address Unique identifier represented as a string. |
| mac_dst_value | string | Specifies a single MAC address. |
| mac_id | string | MAC Address Unique identifier represented as a string. |
| mac_src_context | string | Source MAC Address Context. |
| mac_src_id | string | Source MAC Address Unique identifier represented as a string. |
| mac_src_value | string | Specifies a single MAC address. |
| mac_time_observed | long | MAC Address Time Observed. |
| mac_value | string | Specifies a single MAC address. |
| matched_ids | dynamic: int Array | Matched By Analytics Id. |
| matched_types | dynamic: int Array | Matched By Analytics - Is Full or Partial. |
| message_body | dynamic: string Array | Email Message Body. |
| message_context | string | Email Message Context. |
| message_id | string | Email Message id. |
| mitre_ids | dynamic: string Array | Mitre Ids. |
| multipart_body | dynamic: string Array | Multipart Body. |
| multipart_body_raw_ref | dynamic: string Array | Multipart Body raw reference. |
| multipart_content_disposition | dynamic: string Array | Multipart Content disposition. |
| multipart_content_type | dynamic: string Array | Multipart Content type. |
| mutex_context | string | Mutex Context. |
| name | string | Name. |
| original_time | long | Original Time. |
| os_software_ref | string | Endpoint OS Software reference. |
| parse_time | long | Parse Time. |
| parsing_aborted_timeout_data_source_type_ids | dynamic: int Array | Parsing Aborted Timeout Data Source Type Id. |
| payload | string | Raw event payload. |
| payload_data_format | string | Format of the event payload. |
| payload_size_bytes | int | Size of the event payload in bytes. |
| post_nat_dst_port | int | Network Traffic Post nat dst port. |
| post_nat_src_port | int | Network Traffic Post nat src port. |
| pre_nat_dst_port | int | Network Traffic Pre nat dst port. |
| pre_nat_src_port | int | Network Traffic Pre nat src port. |
| process_command_line | string | Specifies the full command line used in executing the process, including the process name (depending on the operating system). |
| process_context | string | Process Context. |
| process_created_time | long | Specifies the date/time at which the process was created. |
| process_creator_user_ref | string | Specifies the user that created the process, as a reference to a User Account Object. |
| process_id | string | Process Unique identifier represented as a string. |
| process_image_ref | string | Process Image reference. |
| process_is_hidden | bool | Specifies whether the process is hidden. |
| process_name | string | Process name. |
| process_opened_connection_ref | string | Specifies the list of network connections opened by the process, as a reference to one or more Network Traffic Objects. |
| process_parent_child_ref | string | Parent Process Environment variables keys. |
| process_parent_command_line | string | Parent Process Command line. |
| process_parent_context | string | Parent Process Context. |
| process_parent_created_time | long | Parent Process Created time. |
| process_parent_creator_user_ref | string | Parent Process Creator user reference. |
| process_parent_id | string | Parent Process Unique identifier represented as a string. |
| process_parent_image_ref | string | Parent Process Image reference. |
| process_parent_is_hidden | bool | Parent Process Is Hidden. |
| process_parent_name | string | Parent Process name. |
| process_parent_opened_connection_ref | string | Parent Process Opened connection reference. |
| process_parent_parent_ref | string | Parent Process Parent reference. |
| process_parent_pid | int | Parent Process PID. |
| process_parent_pipe_name | string | Parent Process Pipe Name. |
| process_parent_ref | string | Process Parent reference. |
| process_parent_time_observed | long | Parent Process Time Observed. |
| process_pid | int | Specifies the Process ID, or PID, of the process. |
| process_pipe_name | string | Pipe Name. |
| protocols | dynamic: string Array | Specifies the protocols observed in the network traffic, along with their corresponding state. |
| qid | long | QID. |
| qid_data_source_type_id | int | QID Data Source Type Id. |
| qid_event_category | string | QID Event Category. |
| qid_event_id | string | QID Event Id. |
| receive_time | long | Receive Time. |
| reg_context | string | Windows Registry Key Context. |
| reg_creator_user_ref | string | Creator user reference. |
| reg_data | string | Registry Key Values Data. |
| reg_data_type | string | Registry Key Values Data type. |
| reg_id | string | Unique identifier represented as a string. |
| reg_key | string | Windows Registry Key. |
| reg_value_name | string | Registry Key Values Name. |
| response_action_system | string | Response Action System. |
| response_category | string | Response Category. |
| response_description | string | Response Description. |
| response_id | string | Response Unique identifier represented as a string. |
| response_source_system | string | Response Source System. |
| response_timestamp | long | Response Timestamp. |
| retention_bucket | uint8 | Retention Bucket. |
| sending_ip | string | Sending IP value. |
| severity | int | Severity. |
| software_context | string | Software Context. |
| software_id | string | Software Unique identifier represented as a string. |
| software_name | string | Software Name. |
| software_vendor | string | Software Vendor. |
| software_version | string | Software Version. |
| src_byte_count | int | Specifies the number of bytes sent from the source to the destination. |
| src_ip | long | Source IPv4 Address. |
| src_ipv6 | string | Source IPv6 Address. |
| src_packets | long | Specifies the number of packets sent from the source to the destination. |
| src_port | int | Specifies the source port used in the network traffic, as an integer. The port value MUST be in the range of 0 - 65535. |
| src_ref | string | Specifies the source of the network traffic, as a reference to one or more Observable Objects. |
| storage_time | long | Storage Time. |
| target_account_context | string | Target User Account Context. |
| target_account_login | string | Account login. |
| target_account_type | string | Account type. |
| target_credential_last_changed | long | Credential last changed. |
| target_data_source_identifier | string | Target Data Source Identifier. |
| target_user | string | Target User Account Display name. |
| traffic_context | string | Network Traffic Context. |
| traffic_end_time | long | Specifies the date/time the network traffic ended, if known. |
| traffic_id | string | Network Traffic Unique identifier represented as a string. |
| traffic_start_time | long | Specifies the date/time the network traffic was initiated, if known. |
| truncated | bool | Indicator if payload has been truncated. |
| update_time | long | Update Time. |
| url_context | string | URL Context. |
| url_id | string | URL Unique identifier represented as a string. |
| url_value | string | URL. |
| user | string | User Account Display name. |
| user_account_id | string | User Account Unique identifier represented as a string. |
| user_account_target_id | string | Target User Account Unique identifier represented as a string. |
| user_gid | int | GID. |
| user_groups | dynamic: string Array | Groups. |
| user_home_dir | string | Home directory. |
| user_id | string | User id. |
| user_is_privileged | bool | Is privileged. |
| user_is_service_account | bool | Is service account. |
| user_shell | string | Shell. |
| user_target_id | string | User id. |
| user_target_is_privileged | bool | Is privileged. |
| user_target_is_service_account | bool | Is service account. |
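The guidance above (use a narrow view where its columns suffice, and give events_all an explicit projection) as a pair of queries. This is an added example, not from the page or from IBM. It assumes the views are queried in Kusto Query Language (KQL), that the `long` src_ip/dst_ip columns hold IPv4 addresses that `format_ipv4()` can render, and that the severity threshold and the `created_by_type` filter are illustrative values rather than recommended settings.

```kql
// Query 1: the narrow `events` view. original_time is a datetime here,
// so it can be compared directly with ago(); the IP columns are longs
// and are rendered as dotted quads for the analyst.
events
| where original_time > ago(1h)
| where severity >= 7                      // illustrative threshold
| project original_time, data_source_name, name, user_id,
          src = format_ipv4(src_ip), src_port,
          dst = format_ipv4(dst_ip), dst_port,
          severity, event_uuid

// Query 2: the wide `events_all` view. Only the columns that are
// actually needed are projected, as the "Important" note requires.
// event_type 2 = Alert and created_by_type 4 = BEHAVIORAL_RULE are the
// enum values documented in the column table above.
events_all
| where event_type == 2
| where created_by_type == 4
| project event_uuid, name, severity, mitre_ids, user,
          process_name, process_command_line,
          src = format_ipv4(src_ip), dst = format_ipv4(dst_ip)
| take 100
```

Note that original_time is a datetime in the events view but a long in events_all, so a time filter on events_all needs a conversion of that long to a datetime first; the unit of the stored value is not stated on this page, so it is not assumed here.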