dictionary.json

{
  "caption": "Attribute Dictionary",
  "description": "The Attribute Dictionary defines attributes and includes references to the events and objects in which they are used.",
  "name": "dictionary",
  "attributes": {
    "_raw_data": {
      "caption": "Raw Data",
      "description": "The event data as received from the event source.",
      "type": "string_t"
    },
    "_time": {
      "caption": "Event Time",
      "description": "The normalized event occurrence time.",
      "type": "timestamp_t"
    },
    "_uid": {
      "caption": "Event UID",
      "description": "The logging system-assigned unique identifier of an event instance.",
      "type": "string_t"
    },
    "access_complexity_id": {
      "caption": "Access Complexity (AC)",
      "description": "The Access Complexity Common Vulnerability Scoring System (CVSS) metric.",
      "type": "integer_t"
    },
    "access_list": {
      "caption": "Access List",
      "description": "The list of requested access rights.",
      "is_array": true,
      "type": "string_t"
    },
    "access_mask": {
      "caption": "Access Mask",
      "description": "The access mask in a platform-native format.",
      "type": "integer_t"
    },
    "access_result": {
      "caption": "Access Check Result",
      "description": "The list of access check results.",
      "type": "object"
    },
    "access_vector_id": {
      "caption": "Access Vector (AV)",
      "description": "The Access Vector Common Vulnerability Scoring System (CVSS) metric.",
      "type": "integer_t"
    },
    "accessed_time": {
      "caption": "Accessed",
      "description": "The time that the file was last accessed.",
      "type": "timestamp_t"
    },
    "accessor": {
      "caption": "Accessor",
      "description": "The name of the user who last accessed the object.",
      "type": "string_t"
    },
    "account_type": {
      "caption": "Account Type ID",
      "description": "The user account type (e.g. AWS, LDAP, Windows account, etc.).",
      "type": "string_t"
    },
    "account_type_id": {
      "caption": "Account Type ID",
      "description": "The user account type identifier (e.g. AWS, LDAP, Windows account, etc.).",
      "enum": {
        "-1": {
          "caption": "Other",
          "description": "The user account type is not mapped."
        },
        "0": {
          "caption": "Unknown",
          "description": "The user account type is unknown."
        },
        "1": {
          "caption": "LDAP Account"
        },
        "2": {
          "caption": "Windows Account"
        },
        "3": {
          "caption": "AWS IAM Account"
        },
        "4": {
          "caption": "GCP Account"
        },
        "5": {
          "caption": "Azure AD Account"
        }
      },
      "type": "integer_t"
    },
    "account_uid": {
      "caption": "Account UID",
      "description": "The unique identifier of the account(e.g. AWS Account ID).",
      "type": "string_t"
    },
    "activity": {
      "caption": "Activity",
      "description": "The original activity that triggered the alert event.",
      "type": "string_t"
    },
    "activity_id": {
      "caption": "Activity ID",
      "description": "The normalized identifier of the activity that triggered the alert event.",
      "enum": {
        "-1": {
          "caption": "Other",
          "description": "The event activity is not mapped."
        },
        "0": {
          "caption": "Unknown",
          "description": "The event activity is unknown."
        }
      },
      "type": "integer_t"
    },
    "actor_process": {
      "caption": "Actor Process",
      "description": "The process that performed the operation or action on the target object. For example, the process that could have created a new file or violated a policy.",
      "type": "process"
    },
    "actual_permissions": {
      "caption": "Actual Permissions",
      "description": "The permissions that were granted to the in a platform-native format.",
      "type": "integer_t"
    },
    "alert": {
      "caption": "Client TLS Alert",
      "description": "The integer value of TLS alert if present. The alerts are defined in the TLS specification in <a target='_blank' href='https://datatracker.ietf.org/doc/html/rfc2246'>RFC-2246</a>.",
      "type": "integer_t"
    },
    "algorithm": {
      "caption": "Algorithm",
      "description": "The original hash algorithm, as reported by the event source, which was used to create the digital fingerprint.",
      "type": "string_t"
    },
    "algorithm_id": {
      "caption": "Algorithm ID",
      "description": "The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.",
      "enum": {
        "-1": {
          "caption": "Other"
        },
        "0": {
          "caption": "Unknown"
        },
        "1": {
          "caption": "MD5",
          "description": "MD5 message-digest algorithm producing a 128-bit (16-byte) hash value."
        },
        "2": {
          "caption": "SHA-1",
          "description": "Secure Hash Algorithm 1 producing a 160-bit (20-byte) hash value."
        },
        "3": {
          "caption": "SHA-256",
          "description": "Secure Hash Algorithm 2 producing a 256-bit (32-byte) hash value."
        },
        "4": {
          "caption": "SHA-512",
          "description": "Secure Hash Algorithm 2 producing a 512-bit (64-byte) hash value."
        },
        "5": {
          "caption": "CTPH",
          "description": "The ssdeep generated fuzzy checksum. Also known as Context Triggered Piecewise Hash (CTPH)."
        }
      },
      "type": "integer_t"
    },
    "answers": {
      "caption": "DNS Answer",
      "description": "The Domain Name System (DNS) answers.",
      "is_array": true,
      "type": "dns_answer"
    },
    "api": {
      "caption": "API details",
      "description": "API object details information pertaining to the API calls",
      "type": "api"
    },
    "app_name": {
      "caption": "Application Name",
      "description": "The name of the application that is associated with the event or object.",
      "type": "string_t"
    },
    "args": {
      "caption": "HTTP Arguments",
      "description": "The arguments sent along with the HTTP request.",
      "type": "string_t"
    },
    "assignee": {
      "caption": "Assignee",
      "description": "The name of the user who is assigned to the incident.",
      "type": "string_t"
    },
    "attack_complexity_id": {
      "caption": "Attack Complexity",
      "description": "The conditions beyond the attacker's control that must exist in order to exploit the vulnerability.",
      "type": "integer_t"
    },
    "attack_vector_id": {
      "caption": "Attack Vector (AV)",
      "description": "The Attack Vector Common Vulnerability Scoring System (CVSS) metric.",
      "type": "integer_t"
    },
    "attacks": {
      "caption": "Attacks",
      "description": "An array of attacks associated with an event.",
      "is_array": true,
      "type": "attack"
    },
    "attributes": {
      "caption": "Attributes",
      "description": "The bitmask value that represents the file attributes.",
      "type": "integer_t"
    },
    "auth_protocol": {
      "caption": "Auth Protocol",
      "description": "The authentication protocol as reported by the event source.",
      "type": "string_t"
    },
    "auth_protocol_id": {
      "caption": "Auth Protocol ID",
      "description": "The authentication protocol used to create the user session.",
      "enum": {
        "-1": {
          "caption": "Other"
        },
        "0": {
          "caption": "Unknown"
        },
        "1": {
          "caption": "NTLM"
        },
        "10": {
          "caption": "RADIUS"
        },
        "2": {
          "caption": "Kerberos"
        },
        "3": {
          "caption": "Digest"
        },
        "4": {
          "caption": "OpenID"
        },
        "5": {
          "caption": "SAML"
        },
        "6": {
          "caption": "OAUTH 2.0"
        },
        "7": {
          "caption": "PAP"
        },
        "8": {
          "caption": "CHAP"
        },
        "9": {
          "caption": "EAP"
        }
      },
      "type": "integer_t"
    },
    "authentication_id": {
      "caption": "Authentication (Au)",
      "description": "The Authentication Common Vulnerability Scoring System (CVSS) metric.",
      "type": "integer_t"
    },
    "authorization": {
      "caption": "Authorization Information",
      "description": "Authorization object provides details related to Authorization",
      "type": "authorization"
    },
    "autoscale_uid": {
      "caption": "Autoscale UID",
      "description": "The unique identifier of the cloud autoscale configuration.",
      "type": "string_t"
    },
    "availability_id": {
      "caption": "Availability (A)",
      "description": "The Availability Common Vulnerability Scoring System (CVSS) metric.",
      "type": "integer_t"
    },
    "availability_impact_id": {
      "caption": "Availability Impact (A)",
      "description": "The Availability Impact Common Vulnerability Scoring System (CVSS) metric.",
      "type": "integer_t"
    },
    "availability_requirement_id": {
      "caption": "Availability Requirement (AR)",
      "description": "The Availability Requirement Common Vulnerability Scoring System (CVSS) metric.",
      "type": "integer_t"
    },
    "base_address": {
      "caption": "Base Address",
      "description": "The memory address where the module was loaded.",
      "type": "string_t"
    },
    "bios_date": {
      "caption": "BIOS Date",
      "description": "The BIOS date. For example: <code>03/31/16</code>.",
      "type": "string_t"
    },
    "bios_manufacturer": {
      "caption": "BIOS Manufacturer",
      "description": "The BIOS manufacturer. For example: <code>LENOVO</code>.",
      "type": "string_t"
    },
    "bios_ver": {
      "caption": "BIOS Version",
      "description": "The BIOS version. For example: <code>LENOVO G5ETA2WW (2.62)</code>.",
      "type": "string_t"
    },
    "build": {
      "caption": "OS Build",
      "description": "The operating system build number.",
      "type": "string_t"
    },
    "bytes": {
      "caption": "Total Bytes",
      "default": 0,
      "description": "The total number of bytes (in and out).",
      "type": "long_t"
    },
    "bytes_in": {
      "caption": "Bytes In",
      "default": 0,
      "description": "The number of bytes sent from the destination to the source.",
      "type": "long_t"
    },
    "bytes_out": {
      "caption": "Bytes Out",
      "default": 0,
      "description": "The number of bytes sent from the source to the destination.",
      "type": "long_t"
    },
    "capabilities": {
      "caption": "Capabilities",
      "description": "A list of RDP capabilities.",
      "is_array": true,
      "type": "string_t"
    },
    "caption": {
      "caption": "Caption",
      "description": "A short description or caption of the device. For example: <code>Scanner 1</code> or <code>Database Manager</code>.",
      "type": "string_t"
    },
    "categories": {
      "caption": "Domain/URL Categories",
      "description": "A list of Domain or URL categories.",
      "is_array": true,
      "type": "string_t"
    },
    "category": {
      "caption": "Category",
      "description": "The object category. See specific usage.",
      "type": "string_t"
    },
    "category_ids": {
      "caption": "Domain/URL Category IDs",
      "description": "An array of domain or URL category identifies.",
      "enum": {
        "-1": {
          "caption": "Other",
          "description": "The Domain/URL category is not mapped. See the <code>categories</code> attribute, which may contain a data source specific value."
        },
        "0": {
          "caption": "Unknown",
          "description": "The Domain/URL category is unknown."
        },
        "1": {
          "caption": "Adult/Mature Content"
        },
        "101": {
          "caption": "Spam"
        },
        "102": {
          "caption": "Potentially Unwanted Software"
        },
        "103": {
          "caption": "Dynamic DNS Host"
        },
        "106": {
          "caption": "E-Card/Invitations"
        },
        "107": {
          "caption": "Informational"
        },
        "108": {
          "caption": "Computer/Information Security"
        },
        "109": {
          "caption": "Internet Connected Devices"
        },
        "11": {
          "caption": "Gambling"
        },
        "110": {
          "caption": "Internet Telephony"
        },
        "111": {
          "caption": "Online Meetings"
        },
        "112": {
          "caption": "Media Sharing"
        },
        "113": {
          "caption": "Radio/Audio Streams"
        },
        "114": {
          "caption": "TV/Video Streams"
        },
        "118": {
          "caption": "Piracy/Copyright Concerns"
        },
        "121": {
          "caption": "Marijuana"
        },
        "14": {
          "caption": "Violence/Hate/Racism"
        },
        "15": {
          "caption": "Weapons"
        },
        "16": {
          "caption": "Abortion"
        },
        "17": {
          "caption": "Hacking"
        },
        "18": {
          "caption": "Phishing"
        },
        "20": {
          "caption": "Entertainment"
        },
        "21": {
          "caption": "Business/Economy"
        },
        "22": {
          "caption": "Alternative Spirituality/Belief"
        },
        "23": {
          "caption": "Alcohol"
        },
        "24": {
          "caption": "Tobacco"
        },
        "25": {
          "caption": "Controlled Substances"
        },
        "26": {
          "caption": "Child Pornography"
        },
        "27": {
          "caption": "Education"
        },
        "29": {
          "caption": "Charitable Organizations"
        },
        "3": {
          "caption": "Pornography"
        },
        "30": {
          "caption": "Art/Culture"
        },
        "31": {
          "caption": "Financial Services"
        },
        "32": {
          "caption": "Brokerage/Trading"
        },
        "33": {
          "caption": "Games"
        },
        "34": {
          "caption": "Government/Legal"
        },
        "35": {
          "caption": "Military"
        },
        "36": {
          "caption": "Political/Social Advocacy"
        },
        "37": {
          "caption": "Health"
        },
        "38": {
          "caption": "Technology/Internet"
        },
        "4": {
          "caption": "Sex Education"
        },
        "40": {
          "caption": "Search Engines/Portals"
        },
        "43": {
          "caption": "Malicious Sources/Malnets"
        },
        "44": {
          "caption": "Malicious Outbound Data/Botnets"
        },
        "45": {
          "caption": "Job Search/Careers"
        },
        "46": {
          "caption": "News/Media"
        },
        "47": {
          "caption": "Personals/Dating"
        },
        "49": {
          "caption": "Reference"
        },
        "5": {
          "caption": "Intimate Apparel/Swimsuit"
        },
        "50": {
          "caption": "Mixed Content/Potentially Adult"
        },
        "51": {
          "caption": "Chat (IM)/SMS"
        },
        "52": {
          "caption": "Email"
        },
        "53": {
          "caption": "Newsgroups/Forums"
        },
        "54": {
          "caption": "Religion"
        },
        "55": {
          "caption": "Social Networking"
        },
        "56": {
          "caption": "File Storage/Sharing"
        },
        "57": {
          "caption": "Remote Access Tools"
        },
        "58": {
          "caption": "Shopping"
        },
        "59": {
          "caption": "Auctions"
        },
        "6": {
          "caption": "Nudity"
        },
        "60": {
          "caption": "Real Estate"
        },
        "61": {
          "caption": "Society/Daily Living"
        },
        "63": {
          "caption": "Personal Sites"
        },
        "64": {
          "caption": "Restaurants/Dining/Food"
        },
        "65": {
          "caption": "Sports/Recreation"
        },
        "66": {
          "caption": "Travel"
        },
        "67": {
          "caption": "Vehicles"
        },
        "68": {
          "caption": "Humor/Jokes"
        },
        "7": {
          "caption": "Extreme"
        },
        "71": {
          "caption": "Software Downloads"
        },
        "83": {
          "caption": "Peer-to-Peer (P2P)"
        },
        "84": {
          "caption": "Audio/Video Clips"
        },
        "85": {
          "caption": "Office/Business Applications"
        },
        "86": {
          "caption": "Proxy Avoidance"
        },
        "87": {
          "caption": "For Kids"
        },
        "88": {
          "caption": "Web Ads/Analytics"
        },
        "89": {
          "caption": "Web Hosting"
        },
        "9": {
          "caption": "Scam/Questionable/Illegal"
        },
        "90": {
          "caption": "Uncategorized"
        },
        "92": {
          "caption": "Suspicious"
        },
        "93": {
          "caption": "Sexual Expression"
        },
        "95": {
          "caption": "Translation"
        },
        "96": {
          "caption": "Non-Viewable/Infrastructure"
        },
        "97": {
          "caption": "Content Servers"
        },
        "98": {
          "caption": "Placeholders"
        }
      },
      "is_array": true,
      "sibling": "categories",
      "type": "integer_t"
    },
    "category_name": {
      "caption": "Category",
      "description": "The category name of the event.",
      "type": "string_t"
    },
    "category_uid": {
      "caption": "Category ID",
      "default": 0,
      "description": "The category unique identifier of the event.",
      "sibling": "category_name",
      "type": "integer_t"
    },
    "certificate": {
      "caption": "Certificate",
      "description": "The certificate object containing information about the digital certificate.",
      "type": "certificate"
    },
    "certificate_chain": {
      "caption": "Certificate Chain",
      "description": "The Chain of Certificate Serial Numbers field provides a chain of Certificate Issuer Serial Numbers leading to the Root Certificate Issuer.",
      "is_array": true,
      "type": "string_t"
    },
    "chassis": {
      "caption": "Chassis",
      "description": "The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows <a target='_blank' href='https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-systemenclosure'>Windows Chassis Types</a>",
      "type": "string_t"
    },
    "cipher": {
      "caption": "Cipher Suite",
      "description": "The negotiated cipher suite.",
      "type": "string_t"
    },
    "cis20": {
      "caption": "CIS 20 List",
      "description": "The CIS 20 is a list of 20 actions and practices an organization’s security team can take on such that cyber attacks or malware, are minimized and prevented.",
      "is_array": true,
      "type": "string_t"
    },
    "cis_benchmark_result": {
      "caption": "CIS Benchmark Result",
      "description": "The CIS benchmark result.",
      "type": "cis_benchmark_result"
    },
    "city": {
      "caption": "City",
      "description": "The name of the city.",
      "type": "string_t"
    },
    "class": {
      "caption": "Class",
      "description": "The class name of the object. See specific usage.",
      "type": "string_t"
    },
    "class_name": {
      "caption": "Class",
      "description": "The class name of the event.",
      "type": "string_t"
    },
    "class_uid": {
      "caption": "Class ID",
      "default": 0,
      "description": "The class identifier describes the attributes available in an event.",
      "sibling": "class_name",
      "type": "integer_t"
    },
    "classification_ids": {
      "caption": "Classification IDs",
      "description": "An array of malware classifications. Reference: <a target='_blank' href='https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_oxlc4df65spl'>STIX Malware Types</a> ",
      "is_array": true,
      "sibling": "classifications",
      "type": "integer_t"
    },
    "classifications": {
      "caption": "Classifications",
      "description": "The malware classifications.",
      "is_array": true,
      "type": "string_t"
    },
    "client": {
      "caption": "Client",
      "description": "The client object pertaining to the client/server exchange.",
      "type": "client"
    },
    "client_ciphers": {
      "caption": "Client Cipher Suites",
      "description": "The client cipher suites that were exchanged during the TLS handshake negotiation.",
      "is_array": true,
      "type": "string_t"
    },
    "client_dialects": {
      "caption": "Client Dialects",
      "description": "The list of SMB dialects that the client speaks.",
      "is_array": true,
      "type": "string_t"
    },
    "cloud": {
      "caption": "Cloud",
      "description": "The cloud where the event was originally created or logged.",
      "type": "cloud"
    },
    "cloud_partition": {
      "caption": "Cloud Partition",
      "description": "The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).",
      "type": "string_t"
    },
    "cmd_line": {
      "caption": "Command Line",
      "description": "The full command line used to launch an application, service, process, or job. For example: <code>ssh user@10.0.0.10</code>. If the command line is unavailable or missing, the empty string <code>''</code> is to be used",
      "type": "string_t"
    },
    "code": {
      "caption": "Response Code",
      "description": "The numeric response sent to a request.",
      "type": "integer_t"
    },
    "codes": {
      "caption": "Response Codes",
      "description": "The list of numeric responses sent to a request.",
      "is_array": true,
      "type": "integer_t"
    },
    "collateral_damage_potential_id": {
      "caption": "Collateral Damage Potential (CDP)",
      "description": "The Collateral Damage Potential Common Vulnerability Scoring System (CVSS) metric.",
      "type": "integer_t"
    },
    "color_depth": {
      "caption": "Color Depth",
      "description": "The numeric color depth.",
      "type": "integer_t"
    },
    "command": {
      "caption": "Command",
      "description": "The command name.",
      "type": "string_t"
    },
    "command_response": {
      "caption": "Command Response",
      "description": "The response to the command.",
      "type": "string_t"
    },
    "command_responses": {
      "caption": "Command Responses",
      "description": "The responses to the command.",
      "is_array": true,
      "type": "string_t"
    },
    "comment": {
      "caption": "Comment",
      "description": "The user-provided comment.",
      "type": "string_t"
    },
    "company_name": {
      "caption": "Company Name",
      "description": "The name of the company that published the file. For example: <code>Microsoft Corporation</code>.",
      "type": "string_t"
    },
    "compliance": {
      "caption": "Compliance",
      "description": "The complaince object describes compliance related details",
      "type": "compliance"
    },
    "component": {
      "caption": "Component",
      "description": "The name or relative pathname of a sub-component of the data object, if applicable. </p>For example: <code>attachment.doc</code>, <code>attachment.zip/bad.doc</code>, or <code>part.mime/part.cab/part.uue/part.doc</code>.",
      "type": "string_t"
    },
    "confidence": {
      "caption": "Confidence",
      "description": "The confidence of the reported finding as a percentage: 0%-100%.",
      "type": "integer_t"
    },
    "confidence_id": {
      "caption": "Confidence ID",
      "description": "The normalized confidence level refers to the accuracy of the rule that created the finding. A rule with a low confidence level means that the detection scope is wide and may create finding reports that may not be malicious in nature.",
      "enum": {
        "-1": {
          "caption": "Other",
          "description": "The confidence is not mapped to the defined enum values. See the <code>confidence</code> attribute, which contains a data source specific value."
        },
        "0": {
          "caption": "Unknown",
          "description": "No confidence is assigned."
        },
        "1": {
          "caption": "Low"
        },
        "2": {
          "caption": "Medium"
        },
        "3": {
          "caption": "High"
        }
      },
      "type": "integer_t"
    },
    "confidentiality": {
      "caption": "Confidentiality",
      "description": "The file content confidentiality.",
      "type": "string_t"
    },
    "confidentiality_id": {
      "caption": "Confidentiality ID",
      "description": "The file content confidentiality indicator.",
      "enum": {
        "-1": {
          "caption": "Other"
        },
        "0": {
          "caption": "Unknown"
        },
        "1": {
          "caption": "Not Confidential"
        },
        "2": {
          "caption": "Confidential"
        },
        "3": {
          "caption": "Secret"
        },
        "4": {
          "caption": "Top Secret"
        }
      },
      "type": "integer_t"
    },
    "confidentiality_impact_id": {
      "caption": "Confidentiality Impact (C)",
      "description": "The Confidentiality Impact Common Vulnerability Scoring System (CVSS) metric.",
      "type": "integer_t"
    },
    "confidentiality_requirement_id": {
      "caption": "Confidentiality Requirement (CR)",
      "description": "The Confidentiality Requirement Common Vulnerability Scoring System (CVSS) metric.",
      "type": "integer_t"
    },
    "connection_info": {
      "caption": "Connection Info",
      "description": "The network connection information.",
      "type": "network_connection_info"
    },
    "connection_uid": {
      "caption": "Connection Identifier",
      "description": "The network connection identifier.",
      "type": "string_t"
    },
    "container": {
      "caption": "Container",
      "description": "The container information.",
      "type": "container"
    },
    "content_type": {
      "caption": "HTTP Content Type",
      "description": "The request header that identifies the original <a target='_blank' href='https://www.iana.org/assignments/media-types/media-types.xhtml'>media type </a> of the resource (prior to any content encoding applied for sending).",
      "type": "string_t"
    },
    "continent": {
      "caption": "Continent",
      "description": "The name of the continent.",
      "type": "string_t"
    },
    "coordinates": {
      "caption": "Coordinates",
      "description": "A two-element array, containing a longitude/latitude pair. The format conforms with <a target='_blank' href='https://geojson.org'>GeoJSON</a>. For example: <code>[-73.983, 40.719]</code>.",
      "is_array": true,
      "type": "float_t"
    },
    "correlation_uid": {
      "caption": "Correlation UID",
      "description": "The unique identifier used to correlate events.",
      "type": "string_t"
    },
    "count": {
      "caption": "Count",
      "default": 1,
      "description": "The number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.",
      "type": "integer_t"
    },
    "country": {
      "caption": "Country",
      "description": "The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see <a target='_blank' href='https://www.iso.org/obp/ui/#iso:pub:PUB500001:en' >ISO 3166-1 alpha-2 codes</a>.<p><b>Note:</b> The two letter country code should be capitalized. For example: <code>US</code> or <code>CA</code>.</p>",
      "type": "string_t"
    },
    "cpu_bits": {
      "caption": "CPU Bits",
      "description": "The cpu architecture, the number of bits used for addressing in memory. For example: <code>32</code> or <code>64</code>.",
      "type": "integer_t"
    },
    "cpu_cores": {
      "caption": "CPU Cores",
      "description": "The number of processor cores in all installed processors. For Example: <code>42</code>.",
      "type": "integer_t"
    },
    "cpu_count": {
      "caption": "CPU Count",
      "description": "The number of physical processors on a system. For example: <code>1</code>.",
      "type": "integer_t"
    },
    "cpu_speed": {
      "caption": "Processor Type",
      "description": "The speed of the processor in Mhz. For Example: <code>4200</code>.",
      "type": "integer_t"
    },
    "cpu_type": {
      "caption": "Processor Type",
      "description": "The processor type. For example: <code>x86 Family 6 Model 37 Stepping 5</code>.",
      "type": "string_t"
    },
    "create_mask": {
      "caption": "Create Mask",
      "description": "The original Windows mask that is required to create the object.",
      "type": "string_t"
    },
    "creation_time": {
      "caption": "Creation Time",
      "description": "The time that the object was created. See specific usage.",
      "type": "timestamp_t"
    },
    "creator": {
      "caption": "Creator",
      "description": "The user that created the object associated with event. See specific usage.",
      "type": "string_t"
    },
    "creator_name": {
      "caption": "Creator Name",
      "description": "The name of the user who created the incident.",
      "type": "string_t"
    },
    "credential_uid": {
      "caption": "User Credential ID",
      "description": "The unique identifier of the user's credential. For example, AWS Access Key ID.",
      "type": "string_t"
    },
    "criticality": {
      "caption": "Criticality",
      "description": "Criticality of a resource/object in question",
      "type": "string_t"
    },
    "customer_uid": {
      "caption": "Customer UID",
      "description": "The unique customer identifier.",
      "type": "string_t"
    },
    "cve_uids": {
      "caption": "CVE UIDs",
      "description": "The common vulnerabilities and exposures (<a target='_blank' href='https://cve.mitre.org/'>CVE</a>) unique identifiers.",
      "is_array": true,
      "type": "string_t"
    },
    "cvss": {
      "caption": "CVSS Scores",
      "description": "The CVSS object details Common Vulnerability Scoring System (<a target='_blank' href='https://www.first.org/cvss/'>CVSS</a>) scores from the advisory that are related to the vulnerability.",
      "type": "cvss"
    },
    "data": {
      "caption": "Data",
      "description": "The additional data that is associated with the event or object. See specific usage.",
      "type": "json_t"
    },
    "data_container": {
      "caption": "Data Container",
      "description": "The name of the data container (e.g. bucket name for AWS/GCP and blob name for Azure).",
      "type": "string_t"
    },
    "dce_rpc": {
      "caption": "Distributed Computing Environment/Remote Procedure Call (DCE/RPC)",
      "description": "The DCE/RPC object describes the remote procedure call system for distributed computing environments.",
      "type": "dce_rpc"
    },
    "decision": {
      "caption": "Authorization Decision/Outcome",
      "description": "Decision/outcome of the authorization mechanism (e.g. Approved, Denied)",
      "type": "string_t"
    },
    "depth_id": {
      "caption": "CVSS Depth",
      "description": "The Depth of the equation used to calculate Common Vulnerability Scoring System (CVSS) score.",
      "type": "integer_t"
    },
    "desc": {
      "caption": "Description",
      "description": "The description that pertains to the object or event. See specific usage.",
      "type": "string_t"
    },
    "desktop_display": {
      "caption": "Desktop Display",
      "description": "The desktop display affiliated with the event",
      "type": "display"
    },
    "details": {
      "caption": "Details",
      "description": "Details of an entity. See specific usage",
      "type": "string_t"
    },
    "detection_uid": {
      "caption": "Detection UID",
      "description": "The associated unique detection event identifier. For example: detection response events include the <b>Detection ID</b> of the original event.",
      "type": "string_t"
    },
    "developer_uid": {
      "caption": "Developer UID",
      "description": "The developer ID on the certificate that signed the file.",
      "type": "string_t"
    },
    "device": {
      "caption": "Device",
      "description": "The device that reported the event.",
      "type": "device"
    },
    "dialect": {
      "caption": "Dialect",
      "description": "The negotiated protocol dialect.",
      "type": "string_t"
    },
    "direction": {
      "caption": "Direction",
      "description": "The direction of the initiated connection, traffic, or email.",
      "type": "string_t"
    },
    "direction_id": {
      "caption": "Direction ID",
      "description": "The direction of the initiated connection, traffic, or email.",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The direction is unknown."
        },
        "1": {
          "caption": "Inbound",
          "description": "Inbound, from the Internet or outside network destined for services on the inside network."
        },
        "2": {
          "caption": "Outbound",
          "description": "Outbound, from inside the network destined for services on the Internet or outside network."
        }
      },
      "type": "integer_t"
    },
    "disposition": {
      "caption": "Disposition",
      "description": "When malware is detected, then <code>disposition_id</code> describes the action taken by the security product.",
      "type": "string_t"
    },
    "disposition_id": {
      "caption": "Disposition ID",
      "description": "When malware is detected, then <code>disposition_id</code> describes the action taken by the security product.",
      "enum": {
        "0": {
          "caption": "Unknown"
        },
        "1": {
          "caption": "Blocked"
        },
        "2": {
          "caption": "Allowed"
        },
        "3": {
          "caption": "No Action"
        },
        "4": {
          "caption": "Logged"
        },
        "5": {
          "caption": "Command Script Run"
        },
        "6": {
          "caption": "Corrected"
        },
        "7": {
          "caption": "Partially Corrected"
        },
        "8": {
          "caption": "Uncorrected"
        },
        "10": {
          "description": "Requires reboot to finish the operation.",
          "caption": "Delayed"
        },
        "11": {
          "caption": "Detected"
        },
        "12": {
          "caption": "Quarantined"
        },
        "13": {
          "caption": "Restored"
        },
        "14": {
          "description": "No longer suspicious (re-scored).",
          "caption": "Exonerated"
        },
        "15": {
          "description": "Marked with extended attributes.",
          "caption": "Tagged"
        }
      },
      "type": "integer_t"
    },
    "dn": {
      "caption": "Distinguished Name",
      "description": "The distinguished name.",
      "type": "string_t"
    },
    "dns_id": {
      "caption": "DNS UID",
      "description": "The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.",
      "type": "integer_t"
    },
    "domain": {
      "caption": "Domain",
      "description": "The name of the domain.",
      "type": "string_t"
    },
    "domain_info": {
      "caption": "Domain Information",
      "description": "The registration information pertaining to a domain.",
      "type": "domain_info"
    },
    "dst_endpoint": {
      "caption": "Destination Endpoint",
      "description": "The network destination endpoint.",
      "type": "network_endpoint"
    },
    "dst_user": {
      "caption": "Destination User",
      "description": "The user that was a target of an activity.",
      "type": "user"
    },
    "duration": {
      "caption": "Duration",
      "description": "The event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.",
      "type": "integer_t"
    },
    "edition": {
      "caption": "OS Edition",
      "description": "The operating system edition. For example: <code>Professional</code>.",
      "type": "string_t"
    },
    "email_addr": {
      "caption": "Email Address",
      "description": "The user's email address.",
      "type": "email_t"
    },
    "end_time": {
      "caption": "End Time",
      "description": "The end time of a time period. See specific usage.",
      "type": "timestamp_t"
    },
    "enrichments": {
      "caption": "Enrichments",
      "description": "The additional information from an external data source, which is associated with the event. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>",
      "is_array": true,
      "type": "enrichment"
    },
    "entity": {
      "caption": "Entity",
      "description": "The managed entity that is being acted upon.",
      "type": "managed_entity"
    },
    "entity_result": {
      "caption": "Entity Result",
      "description": "The updated managed entity.",
      "type": "managed_entity"
    },
    "error": {
      "caption": "Error Code",
      "description": "Error Code",
      "type": "string_t"
    },
    "error_message": {
      "caption": "Error Message",
      "description": "Error Message",
      "type": "string_t"
    },
    "event_source": {
      "caption": "Event Source",
      "description": "The event source from which the event originates.",
      "type": "event_source"
    },
    "exit_code": {
      "caption": "Exit Code",
      "description": "The exit code reported by a process when it terminates. The convention is that zero indicates success and any non-zero exit code indicates that some error occurred.",
      "type": "integer_t"
    },
    "expiration_time": {
      "caption": "Expiration Time",
      "description": "The expiration time. See specific usage.",
      "type": "timestamp_t"
    },
    "exploit_code_maturity_id": {
      "caption": "Exploit Code Maturity (E)",
      "description": "The Exploit Code Maturity Common Vulnerability Scoring System (CVSS) metric.",
      "type": "integer_t"
    },
    "exploitability_id": {
      "caption": "Exploitability (E)",
      "description": "The Exploitability Common Vulnerability Scoring System (CVSS) metric.",
      "type": "integer_t"
    },
    "exposed_port": {
      "caption": "Port",
      "description": "The IP port number exposed by container. For example 0.0.0.0:49155-> <<exposed_port>>/tcp",
      "type": "port_t"
    },
    "extension_list": {
      "caption": "Extension List",
      "description": "The list of TLS extensions",
      "is_array": true,
      "type": "tls_extension"
    },
    "facility": {
      "caption": "Facility",
      "description": "The subsystem or application that is providing the event data.",
      "type": "string_t"
    },
    "facility_detail": {
      "caption": "Facility Detail",
      "description": "Additional detail about the source facility. For example, details could include a the name of a particular application instance (such as a database name) or a path to a monitored log file.",
      "type": "string_t"
    },
    "facility_uid": {
      "caption": "Facility UID",
      "description": "The unique identifier of the facility.",
      "type": "string_t"
    },
    "feature": {
      "caption": "Feature",
      "description": "The feature that reported the event.",
      "type": "feature"
    },
    "file": {
      "caption": "File",
      "description": "The file that pertains to the event or object. See specific usage.",
      "type": "file"
    },
    "file_diff": {
      "caption": "File Diff",
      "description": "File content differences used for change detection. For example, a common use case is to identify itemized changes within INI or configuration/property setting values.",
      "type": "string_t"
    },
    "file_result": {
      "caption": "File Result",
      "description": "The result of the file change. It should contain the new values of the changed attributes.",
      "type": "file"
    },
    "finding": {
      "caption": "Finding",
      "description": "Finding object provides details related to a finding generated by security tool",
      "type": "finding"
    },
    "fingerprint": {
      "caption": "Fingerprint",
      "description": "The digital fingerprint associated with an object.",
      "type": "fingerprint"
    },
    "fingerprints": {
      "caption": "Fingerprints",
      "description": "An array of digital fingerprint objects.",
      "is_array": true,
      "type": "fingerprint"
    },
    "first_occurence": {
      "caption": "First Occurence",
      "description": "Indicates when an entity is first observed.",
      "type": "timestamp_t"
    },
    "flag_ids": {
      "caption": "Communication Flag IDs",
      "description": "The list of communication flag IDs.",
      "is_array": true,
      "type": "integer_t"
    },
    "flags": {
      "caption": "Flags",
      "description": "The list of communication flags.",
      "is_array": true,
      "type": "string_t"
    },
    "folder": {
      "caption": "Folder",
      "description": "The folder that pertains to the event.",
      "type": "file"
    },
    "folder_result": {
      "caption": "Folder Result",
      "description": "The result of the folder change. It should contain the new values of the changed attributes.",
      "type": "file"
    },
    "full_name": {
      "caption": "Full Name",
      "description": "The full name of a user.",
      "type": "string_t"
    },
    "function_keys": {
      "caption": "Function Keys",
      "description": "The number of function keys on client keyboard.",
      "type": "integer_t"
    },
    "function_name": {
      "caption": "Function Name",
      "description": "The entry-point function of the module. The system calls the entry-point function whenever a process or thread loads or unloads the module.",
      "type": "string_t"
    },
    "gateway_ip": {
      "caption": "Gateway IP Address",
      "description": "The gateway IP address. For example: <code>10.0.0.1</code>.",
      "type": "ip_t"
    },
    "gateway_mac": {
      "caption": "Gateway MAC Address",
      "description": "The gateway media access control (MAC) address.",
      "type": "mac_t"
    },
    "group": {
      "caption": "Group",
      "description": "The group object associated with an entity such as user, policy, or rule.",
      "type": "group"
    },
    "group_name": {
      "caption": "Group Name",
      "description": "The name of the group that the resource belongs to.",
      "type": "string_t"
    },
    "groups": {
      "caption": "Groups",
      "description": "The groups to which an entity belongs. See specific usage.",
      "is_array": true,
      "type": "group"
    },
    "handshake_time": {
      "caption": "Handshake Time",
      "description": "The amount of total time for the TLS handshake to complete after the TCP connection is established, including client-side delays, in milliseconds.",
      "type": "integer_t"
    },
    "hassh": {
      "caption": "HASSH",
      "description": "The HASSH fingerprinting object.",
      "type": "hassh"
    },
    "home_dir": {
      "caption": "Home",
      "description": "The user's home folder.",
      "type": "path_t"
    },
    "hostname": {
      "caption": "Hostname",
      "description": "The hostname of an endpoint or a device.",
      "type": "hostname_t"
    },
    "http_cookies": {
      "caption": "HTTP Cookies",
      "description": "The cookies object describes details about HTTP cookies",
      "is_array": true,
      "type": "http_cookie"
    },
    "http_headers": {
      "caption": "HTTP Headers",
      "description": "Additional HTTP headers of an HTTP request or response.",
      "is_array": true,
      "type": "http_header"
    },
    "http_method": {
      "caption": "HTTP Method",
      "description": "The HTTP request method indicates the desired action to be performed for a given resource. Expected values: <ul> <li>TRACE</li> <li>CONNECT</li> <li>OPTIONS</li> <li>HEAD</li> <li>DELETE</li> <li>POST</li> <li>PUT</li> <li>GET</li></ul>",
      "type": "string_t"
    },
    "http_only": {
      "caption": "HTTP Only",
      "description": "A cookie attribute to make it inaccessible via JavaScript",
      "type": "boolean_t"
    },
    "http_request": {
      "caption": "HTTP Request",
      "description": "The HTTP Request made to a web server.",
      "type": "http_request"
    },
    "http_response": {
      "caption": "HTTP Response",
      "description": "The HTTP Response from a web server to a requester.",
      "type": "http_response"
    },
    "http_status": {
      "caption": "HTTP Status",
      "description": "The Hypertext Transfer Protocol (HTTP) <a target='_blank' href='https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml'>status code</a> returned to the client.",
      "type": "integer_t"
    },
    "hw_info": {
      "caption": "Hardware Info",
      "description": "The device hardware information.",
      "type": "device_hw_info"
    },
    "hypervisor": {
      "caption": "Hypervisor",
      "description": "The name of the hypervisor running on the device. For example, <code>Xen</code>, <code>VMware</code>, <code>Hyper-V</code>, <code>VirtualBox</code>, etc.",
      "type": "string_t"
    },
    "identifier_cookie": {
      "caption": "Identifier Cookie",
      "description": "The client identifier cookie during client/server exchange.",
      "type": "string_t"
    },
    "identity": {
      "caption": "Identity",
      "description": "Identity Object details AuthN, AuthZ information pertaining to the event",
      "type": "identity"
    },
    "idp": {
      "caption": "Identity Provider",
      "description": "IDP object descivbes details pertaining to the Identity Provider used",
      "type": "idp"
    },
    "image": {
      "caption": "Image",
      "description": "The image used as a template to run a container or virtual machine.",
      "type": "image"
    },
    "ime": {
      "caption": "IME",
      "description": "The Input Method Editor (IME) file name.",
      "type": "string_t"
    },
    "imei": {
      "caption": "IMEI",
      "description": "The International Mobile Station Equipment Identifier that is associated with the device.",
      "type": "string_t"
    },
    "injection_type": {
      "caption": "Injection Type",
      "description": "The process injection method.",
      "type": "string_t"
    },
    "injection_type_id": {
      "caption": "Injection Type ID",
      "description": "The normalized process injection type identifier.",
      "enum": {
        "-1": {
          "caption": "Other"
        },
        "0": {
          "caption": "Unknown"
        },
        "1": {
          "caption": "Remote Thread"
        },
        "2": {
          "caption": "Accessibility APIs"
        },
        "3": {
          "caption": "Process Manipulation APIs"
        }
      },
      "type": "integer_t"
    },
    "instance_uid": {
      "caption": "Instance ID",
      "description": "The unique identifier of a VM instance.",
      "type": "string_t"
    },
    "integrity": {
      "caption": "Integrity",
      "description": "The process integrity (Windows only).",
      "type": "string_t"
    },
    "integrity_id": {
      "caption": "Integrity Level",
      "description": "The process integrity level (Windows only).",
      "type": "integer_t"
    },
    "integrity_impact_id": {
      "caption": "Integrity Impact (I)",
      "description": "The Integrity Impact Common Vulnerability Scoring System (CVSS) metric.",
      "type": "integer_t"
    },
    "integrity_requirement_id": {
      "caption": "Integrity Requirement (IR)",
      "description": "The Integrity Requirement Common Vulnerability Scoring System (CVSS) metric.",
      "type": "integer_t"
    },
    "interface_uid": {
      "caption": "Network Interface ID",
      "description": "The unique identifier of the network interface.",
      "type": "string_t"
    },
    "intermediate_ips": {
      "caption": "Intermediate IP Addresses",
      "description": "The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.",
      "is_array": true,
      "type": "ip_t"
    },
    "invoked_by": {
      "caption": "Invoked by",
      "description": "The name of the service that made the request",
      "type": "string_t"
    },
    "ip": {
      "caption": "IP Address",
      "description": "The IP address, in either IPv4 or IPv6 format.",
      "type": "ip_t"
    },
    "is_cleartext": {
      "caption": "Cleartext Credentials",
      "description": "Indicates whether the credentials were passed in clear text.<p><b>Note:</b> True if the credentials were passed in a clear text protocol such as FTP or TELNET, or if Windows detected that a user's logon password was passed to the authentication package in clear text.</p>",
      "type": "boolean_t"
    },
    "is_compliant": {
      "caption": "Compliant Device",
      "description": "The event occurred on a compliant device.",
      "type": "boolean_t"
    },
    "is_default": {
      "caption": "Default Value",
      "description": "The indication of whether the value is from a default value name. For example, the value name could be missing.",
      "type": "boolean_t"
    },
    "is_managed": {
      "caption": "Managed Device",
      "description": "The event occurred on a managed device.",
      "type": "boolean_t"
    },
    "is_on_premises": {
      "caption": "On Premises",
      "description": "The indication of whether the location is on premises.",
      "type": "boolean_t"
    },
    "is_personal": {
      "caption": "Personal Device",
      "description": "The event occurred on a personal device.",
      "type": "boolean_t"
    },
    "is_remote": {
      "caption": "Remote",
      "description": "The indication of whether the session is remote.",
      "type": "boolean_t"
    },
    "is_renewal": {
      "caption": "Renewal",
      "description": "The indication of whether this is a lease/session renewal event.",
      "type": "boolean_t"
    },
    "is_system": {
      "caption": "System",
      "description": "The indication of whether the object is part of the operating system.",
      "type": "boolean_t"
    },
    "is_trusted": {
      "caption": "Trusted Device",
      "description": "The event occurred on a trusted device.",
      "type": "boolean_t"
    },
    "is_user_present": {
      "caption": "User Present",
      "description": "The indication of whether the user was logged on at event generation time.",
      "type": "boolean_t"
    },
    "isp": {
      "caption": "ISP",
      "description": "The name of the Internet Service Provider (ISP).",
      "type": "string_t"
    },
    "issuer_dn": {
      "caption": "Issuer Distinguished Name",
      "description": "The certificate issuer distinguished name.",
      "type": "string_t"
    },
    "issuer_name": {
      "caption": "Issuer Name",
      "description": "The certificate issuer name.",
      "type": "string_t"
    },
    "ja3_fingerprint": {
      "caption": "JA3 Fingerprint",
      "description": "The fingerprint of JA3 string.",
      "type": "fingerprint"
    },
    "ja3_string": {
      "caption": "JA3 String",
      "description": "The JA3 string.",
      "type": "string_t"
    },
    "ja3s_fingerprint": {
      "caption": "JAS3 Fingerprint",
      "description": "The fingerprint of JAS3 string.",
      "type": "fingerprint"
    },
    "ja3s_string": {
      "caption": "JAS3 String",
      "description": "The JAS3 string.",
      "type": "string_t"
    },
    "job": {
      "caption": "Job",
      "description": "The job object that pertains to the event.",
      "type": "job"
    },
    "kb_articles": {
      "caption": "Knowledgebase Articles",
      "description": "The KB article/s related to the entity",
      "is_array": true,
      "type": "string_t"
    },
    "kernel": {
      "caption": "Kernel",
      "description": "The kernel resource object that pertains to the event.",
      "type": "kernel"
    },
    "key_length": {
      "caption": "Key Length",
      "description": "The length of the encryption key.",
      "type": "integer_t"
    },
    "keyboard_info": {
      "caption": "Keyboard Information",
      "description": "The keyboard detailed information.",
      "type": "keyboard_info"
    },
    "keyboard_layout": {
      "caption": "Keyboard Layout",
      "description": "The keyboard locale identifier name (e.g., en-US).",
      "type": "string_t"
    },
    "keyboard_subtype": {
      "caption": "Keyboard Subtype",
      "description": "The keyboard numeric code.",
      "type": "integer_t"
    },
    "keyboard_type": {
      "caption": "Keyboard Type",
      "description": "The keyboard type (e.g., xt, ico).",
      "type": "string_t"
    },
    "kill_chain_phase": {
      "caption": "Kill Chain Phase",
      "description": "The <a target='_blank' href='https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html'>Cyber Kill Chain®</a> phase.",
      "type": "string_t"
    },
    "kill_chain_phase_id": {
      "caption": "Kill Chain Phase ID",
      "description": "The <a target='_blank' href='https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html'>Cyber Kill Chain®</a> phase identifier.",
      "enum": {
        "-1": {
          "caption": "Other"
        },
        "0": {
          "caption": "Unknown",
          "description": "The kill chain phase is unknown."
        },
        "1": {
          "caption": "Reconnaissance",
          "description": "The attackers pick a target and perform a detailed analysis, start collecting information (email addresses, conferences information, etc.) and evaluate the victim’s vulnerabilities to determine how to exploit them."
        },
        "2": {
          "caption": "Weaponization",
          "description": "The attackers develop a malware weapon and aim to exploit the discovered vulnerabilities."
        },
        "3": {
          "caption": "Delivery",
          "description": "The intruders will use various tactics, such as phishing, infected USB drives, etc."
        },
        "4": {
          "caption": "Exploitation",
          "description": "The intruders start leveraging vulnerabilities to executed code on the victim’s system."
        },
        "5": {
          "caption": "Installation",
          "description": "The intruders install malware on the victim’s system."
        },
        "6": {
          "caption": "Command & Control",
          "description": "Malware opens a command channel to enable the intruders to remotely manipulate the victim's system."
        },
        "7": {
          "caption": "Actions on Objectives",
          "description": "With hands-on keyboard access, intruders accomplish the mission’s goal."
        }
      },
      "type": "integer_t"
    },
    "labels": {
      "caption": "Labels",
      "description": "The list of labels attached to an event, object, or attribute.",
      "is_array": true,
      "type": "string_t"
    },
    "lang": {
      "caption": "Language",
      "description": "The two letter lower case language codes, as defined by <a target='_blank' href='https://en.wikipedia.org/wiki/ISO_639-1'>ISO 639-1</a>. For example: <code>en</code> (English), <code>de</code> (German), or <code>fr</code> (French).",
      "type": "string_t"
    },
    "last_occurence": {
      "caption": "Last Occurence",
      "description": "Indicates when an entity was most recently observed.",
      "type": "timestamp_t"
    },
    "last_run_time": {
      "caption": "Last Run",
      "description": "The last run time of application or service. See specific usage.",
      "type": "timestamp_t"
    },
    "latency": {
      "caption": "Latency",
      "description": "TODO: The HTTP response latency. In seconds, milliseconds, etc.?",
      "type": "integer_t"
    },
    "lease_time": {
      "caption": "Lease Time",
      "description": "This represents the length of the DHCP lease in seconds. This is present in DHCP Ack events. (activity_id = 1)",
      "type": "integer_t"
    },
    "length": {
      "caption": "Response Length",
      "description": "The HTTP response length, in number of bytes.",
      "type": "integer_t"
    },
    "lineage": {
      "caption": "Lineage",
      "description": "The lineage of the process, represented by a list of paths for each ancestor process. For example: <code>['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami']</code>",
      "is_array": true,
      "type": "string_t"
    },
    "load_type": {
      "caption": "Load Type",
      "description": "The load type describes how the module was loaded in memory.",
      "type": "string_t"
    },
    "load_type_id": {
      "caption": "Load Type ID",
      "description": "The load type identifies how the module was loaded in memory.",
      "type": "integer_t"
    },
    "loaded_modules": {
      "caption": "Loaded Modules",
      "description": "The list of loaded module names.",
      "is_array": true,
      "type": "string_t"
    },
    "location": {
      "caption": "Detailed Geo Location",
      "description": "The detailed geographical location usually associated with an IP address.",
      "type": "location"
    },
    "logged_time": {
      "caption": "Logged Time",
      "description": "The time when the logging system collected and logged the event.</p>This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.",
      "type": "timestamp_t"
    },
    "logon_process": {
      "caption": "Logon Process",
      "description": "The trusted process that validated the authentication credentials.",
      "type": "process"
    },
    "logon_type": {
      "caption": "Logon Type",
      "description": "The logon type.",
      "type": "string_t"
    },
    "logon_type_id": {
      "caption": "Logon Type ID",
      "description": "The normalized logon type identifier.",
      "enum": {
        "-1": {
          "caption": "Other",
          "description": "Other logon type."
        },
        "0": {
          "caption": "System",
          "description": "Used only by the System account, for example at system startup."
        },
        "10": {
          "caption": "Remote Interactive",
          "description": "A remote logon using Terminal Services or remote desktop application."
        },
        "11": {
          "caption": "Cached Interactive",
          "description": "A user logged on to this device with network credentials that were stored locally on the device and the domain controller was not contacted to verify the credentials."
        },
        "12": {
          "caption": "Cached Remote Interactive",
          "description": "Same as Remote Interactive. This is used for internal auditing."
        },
        "13": {
          "caption": "Cached Unlock",
          "description": "Workstation logon."
        },
        "2": {
          "caption": "Interactive",
          "description": "A local logon to device console."
        },
        "3": {
          "caption": "Network",
          "description": "A user or device logged onto this device from the network."
        },
        "4": {
          "caption": "Batch",
          "description": "A batch server logon, where processes may be executing on behalf of a user without their direct intervention."
        },
        "5": {
          "caption": "OS Service",
          "description": "A logon by a service or daemon that was started by the OS."
        },
        "7": {
          "caption": "Unlock",
          "description": "A user unlocked the device."
        },
        "8": {
          "caption": "Network Cleartext",
          "description": "A user logged on to this device from the network. The user's password in the authentication package was not hashed."
        },
        "9": {
          "caption": "New Credentials",
          "description": "A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections."
        }
      },
      "type": "integer_t"
    },
    "mac": {
      "caption": "MAC Address",
      "description": "The Media Access Control (MAC) address that is associated with the network interface.",
      "type": "mac_t"
    },
    "malware": {
      "caption": "Malware",
      "description": "The list of malware identified by a finding.",
      "is_array": true,
      "type": "malware"
    },
    "md5": {
      "caption": "MD5",
      "description": "The MD5 checksum of the file content.",
      "type": "file_hash_t"
    },
    "message": {
      "caption": "Message",
      "description": "The description of the event, as defined by the event source.",
      "type": "string_t"
    },
    "metadata": {
      "caption": "Metadata",
      "description": "The metadata associated with the event.",
      "type": "metadata"
    },
    "mfa": {
      "caption": "Multi Factor Authentication",
      "description": "The Multi Factor Authentication was used during authentication.",
      "type": "boolean_t"
    },
    "mime_type": {
      "caption": "MIME type",
      "description": "The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.",
      "type": "string_t"
    },
    "model": {
      "caption": "Model",
      "description": "The peripheral device model.",
      "type": "string_t"
    },
    "modified_attack_complexity_id": {
      "caption": "Modified Attack Complexity (MAC)",
      "description": "The Modified Attack Complexity Common Vulnerability Scoring System (CVSS) metric.",
      "type": "integer_t"
    },
    "modified_attack_vector_id": {
      "caption": "Modified Attack Vector (MAV)",
      "description": "The Modified Attack Vector Common Vulnerability Scoring System (CVSS) metric.",
      "type": "integer_t"
    },
    "modified_availability_id": {
      "caption": "Modified Availability (MA)",
      "description": "The Modified Availability Common Vulnerability Scoring System (CVSS) metric.",
      "type": "integer_t"
    },
    "modified_confidentiality_id": {
      "caption": "Modified Confidentiality (MC)",
      "description": "The Modified Confidentiality Common Vulnerability Scoring System (CVSS) metric.",
      "type": "integer_t"
    },
    "modified_integrity_id": {
      "caption": "Modified Integrity (MI)",
      "description": "The Modified Integrity Common Vulnerability Scoring System (CVSS) metric.",
      "type": "integer_t"
    },
    "modified_privileges_required_id": {
      "caption": "Modified Privileges Required (MPR)",
      "description": "The Modified Privileges Required Common Vulnerability Scoring System (CVSS) metric.",
      "type": "integer_t"
    },
    "modified_scope_id": {
      "caption": "Modified Scope (MS)",
      "description": "The Modified Scope Common Vulnerability Scoring System (CVSS) metric.",
      "type": "integer_t"
    },
    "modified_time": {
      "caption": "Modified Time",
      "description": "The time when the object was last modified. See specific usage.",
      "type": "timestamp_t"
    },
    "modified_user_interaction_id": {
      "caption": "Modified User Interaction (MUI)",
      "description": "The Modified User Interaction Common Vulnerability Scoring System (CVSS) metric.",
      "type": "integer_t"
    },
    "modifier": {
      "caption": "Modifier",
      "description": "The user that last modified the object associated with the event. See specific usage.",
      "type": "string_t"
    },
    "module": {
      "caption": "Module",
      "description": "The module that pertains to the event.",
      "type": "module"
    },
    "name": {
      "caption": "Name",
      "description": "The name of the entity. See specific usage.",
      "type": "string_t"
    },
    "namespace": {
      "caption": "Namespace",
      "description": "The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate.",
      "type": "string_t"
    },
    "network_driver": {
      "caption": "Network Driver",
      "description": "The network driver used by the container. For example, bridge, overlay, host, none, etc.",
      "type": "string_t"
    },
    "network_endpoint": {
      "caption": "Network Endpoint",
      "description": "The network endpoint.",
      "type": "network_endpoint"
    },
    "network_interface": {
      "caption": "Network Interface",
      "description": "The network interface that is associated with the device.",
      "type": "network_interface"
    },
    "network_interfaces": {
      "caption": "Network Interfaces",
      "description": "The network interfaces that are associated with the device, one for each MAC address/IP address combination.<p><b>Note:</b> The first element of the array is the network information that pertains to the event.</p>",
      "is_array": true,
      "type": "network_interface"
    },
    "next_run_time": {
      "caption": "Next Run",
      "description": "The next run time. See specific usage.",
      "type": "timestamp_t"
    },
    "nist": {
      "caption": "NIST List",
      "description": "The NIST Cybersecurity Framework recommendations for managing the cybersecurity risk.",
      "is_array": true,
      "type": "string_t"
    },
    "observables": {
      "caption": "Observables",
      "description": "The observables associated with the event.",
      "is_array": true,
      "type": "observable"
    },
    "opcode": {
      "caption": "DNS Opcode",
      "description": "The DNS opcode specifies the type of the query message.",
      "enum": {
        "0": {
          "caption": "Query",
          "description": "Standard query"
        },
        "1": {
          "caption": "Inverse Query",
          "description": "Inverse query, obsolete"
        },
        "2": {
          "caption": "Status",
          "description": "Server status request"
        },
        "3": {
          "caption": "Reserved",
          "description": "Reserved, not used"
        },
        "4": {
          "caption": "Notify",
          "description": "Zone change notification"
        },
        "5": {
          "caption": "Update",
          "description": "Dynamic DNS update"
        },
        "6": {
          "caption": "DSO Message",
          "description": "DNS Stateful Operations (DSO)"
        }
      },
      "type": "integer_t"
    },
    "open_mask": {
      "caption": "Open Mask",
      "description": "The Windows options needed to open a registry key.",
      "type": "integer_t"
    },
    "open_type": {
      "caption": "Open Type",
      "description": "The file open type.",
      "type": "string_t"
    },
    "operation": {
      "caption": "Operation",
      "description": "Verb/Operation associated with the request",
      "type": "string_t"
    },
    "opnum": {
      "caption": "Opnum",
      "description": "An operation number used to identify a specific remote procedure call (RPC) method or a method in an interface.",
      "type": "integer_t"
    },
    "orchestrator": {
      "caption": "Orchestrator",
      "description": "The orchestrator managing the container, such as ECS, EKS, K8s, OpenShift, None.",
      "type": "string_t"
    },
    "org_uid": {
      "caption": "Org ID",
      "description": "The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS Org ID.",
      "type": "string_t"
    },
    "org_unit": {
      "caption": "Org Unit",
      "description": "The name of the organization to which the user belongs.",
      "type": "string_t"
    },
    "os": {
      "caption": "OS",
      "description": "The device operation system.",
      "type": "os"
    },
    "outcome": {
      "caption": "Outcome",
      "description": "The outcome of the event, as defined by the event source.",
      "type": "string_t"
    },
    "outcome_id": {
      "caption": "Outcome ID",
      "description": "The outcome ID of the event.",
      "enum": {
        "-1": {
          "caption": "Other"
        },
        "0": {
          "caption": "Unknown"
        }
      },
      "type": "integer_t"
    },
    "owner": {
      "caption": "Owner",
      "description": "The user that owns the file.",
      "type": "string_t"
    },
    "owner_name": {
      "caption": "Owner Name",
      "description": "The name of the service or user account that owns the resource.",
      "type": "string_t"
    },
    "packages": {
      "caption": "Related Packages",
      "description": "List of vulnerable packages as identified by the security product",
      "is_array": true,
      "type": "string_t"
    },
    "packets": {
      "caption": "Total Packets",
      "default": 0,
      "description": "The total number of packets (in and out).",
      "type": "long_t"
    },
    "packets_in": {
      "caption": "Packets In",
      "default": 0,
      "description": "The number of packets sent from the destination to the source.",
      "type": "long_t"
    },
    "packets_out": {
      "caption": "Packets Out",
      "default": 0,
      "description": "The number of packets sent from the source to the destination.",
      "type": "long_t"
    },
    "parent_categories": {
      "caption": "Parent Categories",
      "description": "An array of parent URL categories.",
      "is_array": true,
      "type": "string_t"
    },
    "parent_folder": {
      "caption": "Parent Folder",
      "description": "The parent folder in which the file resides. For example: <code>c:\\windows\\system32</code>",
      "type": "path_t"
    },
    "parent_process": {
      "caption": "Parent Process",
      "description": "The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting.",
      "type": "process"
    },
    "path": {
      "caption": "Path",
      "description": "The path that pertains to the event or object. See specific usage.",
      "type": "path_t"
    },
    "peripheral_device": {
      "caption": "Peripheral Device",
      "description": "The peripheral device that triggered the event.",
      "type": "peripheral_device"
    },
    "permission": {
      "caption": "Permission",
      "description": "The IAM permission related to an event",
      "type": "string_t"
    },
    "physical_height": {
      "caption": "Physical Height",
      "description": "The numeric physical height of display.",
      "type": "integer_t"
    },
    "physical_orientation": {
      "caption": "Physical Orientation",
      "description": "The numeric physical orientation of display.",
      "type": "integer_t"
    },
    "physical_width": {
      "caption": "Physical Width",
      "description": "The numeric physical width of display.",
      "type": "integer_t"
    },
    "pid": {
      "caption": "Process ID",
      "description": "The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.",
      "type": "integer_t"
    },
    "port": {
      "caption": "Port",
      "description": "The IP port number associated with a connection. See specific usage.",
      "type": "port_t"
    },
    "postal_code": {
      "caption": "Postal Code",
      "description": "The postal code of the location.",
      "type": "string_t"
    },
    "prefix": {
      "caption": "Prefix",
      "description": "The domain prefix.",
      "type": "string_t"
    },
    "priority": {
      "caption": "Priority",
      "description": "The original priority, as defined by the event source.",
      "type": "integer_t"
    },
    "priority_id": {
      "caption": "Priority ID",
      "description": "The normalized priority. See specific usage.",
      "enum": {},
      "type": "integer_t"
    },
    "privileges": {
      "caption": "Privileges",
      "description": "The user or group privileges.",
      "is_array": true,
      "type": "string_t"
    },
    "privileges_required_id": {
      "caption": "Privileges Required",
      "description": "The level of privileges an attacker must possess before successfully exploiting the vulnerability.",
      "enum": {},
      "type": "integer_t"
    },
    "process": {
      "caption": "Process",
      "description": "The process object.",
      "type": "process"
    },
    "processed_time": {
      "caption": "Processed Time",
      "description": "The event processed time, such as an ETL operation.",
      "type": "timestamp_t"
    },
    "product": {
      "caption": "Product",
      "description": "The product that reported the event.",
      "type": "product"
    },
    "product_uid": {
      "caption": "Product Identifier",
      "description": "Unique Identifier of a product.",
      "type": "string_t"
    },
    "profiles": {
      "caption": "Profiles",
      "description": "The list of profiles used to create the event.",
      "is_array": true,
      "type": "string_t"
    },
    "project_uid": {
      "caption": "Project ID",
      "description": "Cloud project identifier.",
      "type": "string_t"
    },
    "protocol_name": {
      "caption": "Protocol Name",
      "description": "The TCP/IP protocol name in lowercase, as defined by the Internet Assigned Numbers Authority (IANA). See <a target='_blank' href='https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml'>Protocol Numbers</a>. For example: <code>tcp</code> or <code>udp</code>.",
      "type": "string_t"
    },
    "protocol_num": {
      "caption": "Protocol Number",
      "description": "The TCP/IP protocol number, as defined by the Internet Assigned Numbers Authority (IANA). Use -1 if the protocol is not defined by IANA. See <a target='_blank' href='https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml'>Protocol Numbers</a>. For example: <code>6</code> for TCP and <code>17</code> for UDP.",
      "type": "integer_t"
    },
    "protocol_ver": {
      "caption": "Protocol Version",
      "description": "The Protocol version.",
      "type": "string_t"
    },
    "protocol_ver_id": {
      "caption": "Protocol Version ID",
      "description": "The Protocol version identifier.",
      "type": "integer_t"
    },
    "provider": {
      "caption": "Provider",
      "description": "The origin of information associated with the event. See specific usage.",
      "type": "string_t"
    },
    "proxy": {
      "caption": "Proxy",
      "description": "If a proxy connection is present, the connection from the client to the proxy server.",
      "type": "network_proxy"
    },
    "public_ip": {
      "caption": "Public IP",
      "description": "The public IP address.<p><b>Note:</b> The <b>Device Public IP</b> is populated with the value of the <i>x-forwarded-for</i> message header, if present.</p>.",
      "type": "ip_t"
    },
    "quarantine_uid": {
      "caption": "Quarantine UID",
      "description": "The unique identifier of the item that was quarantined or restored from quarantine.",
      "type": "string_t"
    },
    "query": {
      "caption": "DNS Query",
      "description": "The Domain Name System (DNS) query.",
      "type": "dns_query"
    },
    "query_string": {
      "caption": "HTTP Query String",
      "description": "The query portion of the URL. For example: the query portion of the URL <code>http://www.example.com/search?q=bad&sort=date</code> is <code>q=bad&sort=date</code>.",
      "type": "string_t"
    },
    "query_time": {
      "caption": "Query Time",
      "description": "The Domain Name System (DNS) query time.",
      "type": "timestamp_t"
    },
    "ram_size": {
      "caption": "RAM Size",
      "description": "The ctotal amount of installed RAM, in Megabytes. For example: <code>2048</code>.",
      "type": "integer_t"
    },
    "rcode": {
      "caption": "Response Code",
      "description": "The DNS server response code. See <a target='_blank' href='https://datatracker.ietf.org/doc/html/rfc6895'>RFC-6895</a>.",
      "type": "string_t"
    },
    "rcode_id": {
      "caption": "Response Code ID",
      "description": "The DNS server response code id. See <a target='_blank' href='https://datatracker.ietf.org/doc/html/rfc6895'>RFC-6895</a>.",
      "enum": {
        "-1": {
          "caption": "Other",
          "description": "The dns response code is not defined by the RFC."
        },
        "0": {
          "caption": "NoError",
          "description": "No Error."
        },
        "1": {
          "caption": "FormError",
          "description": "Format Error."
        },
        "10": {
          "caption": "NotZone",
          "description": "Name not contained in zone."
        },
        "11": {
          "caption": "DSOTYPENI",
          "description": "DSO-TYPE Not Implemented."
        },
        "16": {
          "caption": "BADSIG_VERS",
          "description": "TSIG Signature Failure or Bad OPT Version."
        },
        "17": {
          "caption": "BADKEY",
          "description": "Key not recognized."
        },
        "18": {
          "caption": "BADTIME",
          "description": "Signature out of time window."
        },
        "19": {
          "caption": "BADMODE",
          "description": "Bad TKEY Mode."
        },
        "2": {
          "caption": "ServError",
          "description": "Server Failure."
        },
        "20": {
          "caption": "BADNAME",
          "description": "Duplicate key name."
        },
        "21": {
          "caption": "BADALG",
          "description": "Algorithm not supported."
        },
        "22": {
          "caption": "BADTRUNC",
          "description": "Bad Truncation."
        },
        "23": {
          "caption": "BADCOOKIE",
          "description": "Bad/missing Server Cookie."
        },
        "24": {
          "caption": "Unassigned",
          "description": "The codes deemed to be unassigned by the RFC (unassigned codes: 12-15, 24-3840, 4096-65534)."
        },
        "25": {
          "caption": "Reserved",
          "description": "The codes deemed to be reserved by the RFC (codes: 3841-4095, 65535)."
        },
        "3": {
          "caption": "NXDomain",
          "description": "Non-Existent Domain."
        },
        "4": {
          "caption": "NotImp",
          "description": "Not Implemented."
        },
        "5": {
          "caption": "Refused",
          "description": "Query Refused."
        },
        "6": {
          "caption": "YXDomain",
          "description": "Name Exists when it should not."
        },
        "7": {
          "caption": "YXRRSet",
          "description": "RR Set Exists when it should not."
        },
        "8": {
          "caption": "NXRRSet",
          "description": "RR Set that should exist does not."
        },
        "9": {
          "caption": "NotAuth",
          "description": "Not Authorized or Server Not Authoritative for zone."
        }
      },
      "type": "integer_t"
    },
    "rdata": {
      "caption": "DNS RData",
      "description": "The data describing the DNS resource. The meaning of this data depends on the type and class of the resource record.",
      "type": "string_t"
    },
    "ref_event_code": {
      "caption": "Reference Event Code",
      "description": "The event code/ID, as defined by the event source. It is used to identify the type of event. For example, the Windows event Code or ID.",
      "type": "string_t"
    },
    "ref_event_name": {
      "caption": "Reference Event Name",
      "description": "The event name, as defined by the event source.",
      "type": "string_t"
    },
    "ref_event_uid": {
      "caption": "Reference Event ID",
      "description": "The event instance identifier, as defined by the event source. It is the index of the event in an external event log. For example, the Windows EventRecordID.",
      "type": "string_t"
    },
    "ref_time": {
      "caption": "Original Time",
      "description": "The original event time as reported by the event source.",
      "type": "string_t"
    },
    "ref_uid": {
      "caption": "Reference UID",
      "description": "The reference to a unique identifier, managed by an external system.",
      "type": "string_t"
    },
    "references": {
      "caption": "References",
      "description": "Supporting reference URLs",
      "is_array": true,
      "type": "string_t"
    },
    "referrer": {
      "caption": "HTTP Referrer",
      "description": "The request header that identifies the address of the previous web page, which is linked to the current web page or resource being requested.",
      "type": "string_t"
    },
    "reg_key": {
      "caption": "Registry Key",
      "description": "The registry key.",
      "type": "registry_key"
    },
    "reg_key_result": {
      "caption": "Registry Key Result",
      "description": "The result of the registry key change. It should contain the new values of the changed attributes.",
      "type": "registry_key"
    },
    "reg_value": {
      "caption": "Registry Value",
      "description": "The registry value.",
      "type": "registry_value"
    },
    "reg_value_result": {
      "caption": "Registry Value Result",
      "description": "The result of the registry value change. It should contain the new values of the changed attributes.",
      "type": "registry_value"
    },
    "region": {
      "caption": "Region",
      "description": "The name or the code of a region. See specific usage.",
      "type": "string_t"
    },
    "registrar": {
      "caption": "Domain Registrar",
      "description": "The domain registrar.",
      "type": "string_t"
    },
    "related_findings": {
      "caption": "Related Findings",
      "description": "Describes findings related to a finding as identified by the security product.",
      "is_array": true,
      "type": "related_findings"
    },
    "related_vulnerabilities": {
      "caption": "Related Vulnerabilities",
      "description": "List of vulnerabilities that are related to this vulnerability.",
      "is_array": true,
      "type": "string_t"
    },
    "relay": {
      "caption": "Relay",
      "description": "The network relay that is associated with the event.",
      "type": "network_interface"
    },
    "remediation": {
      "caption": "Remediation",
      "description": "The remediation recommendations on how to fix the identified issue(s).",
      "type": "remediation"
    },
    "remediation_level_id": {
      "caption": "Remediation Level (RL)",
      "description": "The Remediation Level Common Vulnerability Scoring System (CVSS) metric.",
      "type": "integer_t"
    },
    "remote_display": {
      "caption": "Remote Display",
      "description": "The remote display affiliated with the event",
      "type": "display"
    },
    "report_confidence_id": {
      "caption": "Report Confidence (RC)",
      "description": "The Report Confidence Common Vulnerability Scoring System (CVSS) metric.",
      "type": "integer_t"
    },
    "reputation": {
      "caption": "Original and Normalized Reputation Scores",
      "description": "Contains the original and normalized reputation scores.",
      "type": "reputation"
    },
    "request": {
      "caption": "API Request Details",
      "description": "General Purpose API Request Object. See specific usage",
      "type": "request"
    },
    "requested_permissions": {
      "caption": "Requested Permissions",
      "description": "The permissions mask that were requested by the process.",
      "type": "integer_t"
    },
    "requirements": {
      "caption": "Requirements",
      "description": "A list of applicable compliance requirements for which this finding is related to.",
      "is_array": true,
      "type": "string_t"
    },
    "resolved_ip": {
      "caption": "IP Address",
      "description": "The resolved IP address, in either IPv4 or IPv6 format. For example, Layer 4 load balancer translated IP address.",
      "type": "ip_t"
    },
    "resource": {
      "caption": "Resource",
      "description": "The target resource.",
      "type": "resource"
    },
    "resource_type": {
      "caption": "Resource Type",
      "description": "The context in which a resource was retrieved in a web request.",
      "type": "string_t"
    },
    "resource_uid": {
      "caption": "Resource ID",
      "description": "The unique identifier of a cloud resource. For example, S3 Bucket name, EC2 Instance Id.",
      "type": "resource_uid_t"
    },
    "resources": {
      "caption": "Resources Array",
      "description": "A list of resources associated to an event.",
      "is_array": true,
      "type": "resource"
    },
    "response": {
      "caption": "API Response Details",
      "description": "General Purpose API Response Object. See specific usage.",
      "type": "response"
    },
    "response_time": {
      "caption": "Response Time",
      "description": "The Domain Name System (DNS) response time.",
      "type": "timestamp_t"
    },
    "risk": {
      "caption": "Risk",
      "description": "The Common Vulnerability Scoring System (CVSS) calculated risk.",
      "type": "float_t"
    },
    "risk_level": {
      "caption": "Risk Level",
      "description": "The normalized risk level.",
      "type": "string_t"
    },
    "risk_level_id": {
      "caption": "Risk Level ID",
      "description": "The normalized risk level id.",
      "enum": {
        "0": {
          "caption": "Info"
        },
        "1": {
          "caption": "Low"
        },
        "2": {
          "caption": "Medium"
        },
        "3": {
          "caption": "High"
        },
        "4": {
          "caption": "Critical"
        }
      },
      "type": "integer_t"
    },
    "risk_score": {
      "caption": "Risk Score",
      "description": "The original risk score as reported by the event source.",
      "type": "integer_t"
    },
    "rule": {
      "caption": "Rule",
      "description": "The rules that reported the events.",
      "type": "rule"
    },
    "run_as": {
      "caption": "Run-As User",
      "description": "The user account the process is running as, for when a user is impersonating another user.",
      "type": "user"
    },
    "run_state": {
      "caption": "Run State",
      "description": "The state of the job or service. See specific usage.",
      "type": "string_t"
    },
    "run_state_id": {
      "caption": "Run State ID",
      "description": "The state of the job or service. See specific usage.",
      "type": "integer_t"
    },
    "runtime": {
      "caption": "Runtime",
      "description": "The runtime managing this container.",
      "type": "string_t"
    },
    "samesite": {
      "caption": "SameSite",
      "description": "The cookie attribute that lets servers specify whether/when cookies are sent with cross-site requests. Values are: Strict, Lax or None",
      "type": "string_t"
    },
    "sandbox": {
      "caption": "Sandbox",
      "description": "The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.",
      "type": "string_t"
    },
    "sans": {
      "caption": "Subject Alternative Names",
      "description": "The list of subject alternative names that are secured by a specific certificate.",
      "is_array": true,
      "type": "san"
    },
    "scale_factor": {
      "caption": "Scale Factor",
      "description": "The numeric scale factor of display.",
      "type": "integer_t"
    },
    "scheme": {
      "caption": "Scheme",
      "description": "The scheme portion of the URL. For example: <code>http</code>, <code>https</code>, <code>ftp</code>, or <code>sftp</code>.",
      "type": "string_t"
    },
    "scope_id": {
      "caption": "Scope (S)",
      "description": "The Scope Common Vulnerability Scoring System (CVSS) metric.",
      "type": "integer_t"
    },
    "score": {
      "caption": "Reputation Score",
      "description": "The original reputation score as reported by the event source.",
      "type": "integer_t"
    },
    "score_id": {
      "caption": "Reputation Score ID",
      "description": "The normalized reputation score identifier.",
      "enum": {
        "-1": {
          "caption": "Other",
          "description": "The reputation score is not mapped. See the <code>rep_score</code> attribute, which contains a data source specific value."
        },
        "0": {
          "caption": "Unknown",
          "description": "The reputation score is unknown."
        },
        "1": {
          "caption": "Very Safe",
          "description": "Long history of good behavior."
        },
        "10": {
          "caption": "Malicious",
          "description": "Proven evidence of maliciousness."
        },
        "2": {
          "caption": "Safe",
          "description": "Consistently good behavior."
        },
        "3": {
          "caption": "Probably Safe",
          "description": "Reasonable history of good behavior."
        },
        "4": {
          "caption": "Leans Safe",
          "description": "Starting to establish a history of normal behavior."
        },
        "5": {
          "caption": "May not be Safe",
          "description": "No established history of normal behavior."
        },
        "6": {
          "caption": "Exercise Caution",
          "description": "Starting to establish a history of suspicious or risky behavior."
        },
        "8": {
          "caption": "Possibly Malicious",
          "description": "Strong possibility of maliciousness."
        },
        "9": {
          "caption": "Probably Malicious",
          "description": "Indicators of maliciousness."
        }
      },
      "type": "integer_t"
    },
    "secure": {
      "caption": "Secure",
      "description": "The cookie attribute to only send cookies to the server with an encrypted request over the HTTPS protocol.",
      "type": "boolean_t"
    },
    "security_descriptor": {
      "caption": "Security Descriptor",
      "description": "The object security descriptor.",
      "type": "string_t"
    },
    "sequence": {
      "caption": "Sequence Number",
      "description": "Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.",
      "type": "integer_t"
    },
    "serial_number": {
      "caption": "Serial Number",
      "description": "The serial number that pertains to the object. See specific usage.",
      "type": "string_t"
    },
    "server": {
      "caption": "Server",
      "description": "The server object pertaining to the client/server exchange.",
      "type": "server"
    },
    "server_ciphers": {
      "caption": "Server Cipher Suites",
      "description": "The server cipher suites that were exchanged during the TLS handshake negotiation.",
      "is_array": true,
      "type": "string_t"
    },
    "service": {
      "caption": "Service",
      "description": "The service that pertains to the event.",
      "type": "service"
    },
    "session": {
      "caption": "Session",
      "description": "The session information.",
      "type": "session"
    },
    "session_uid": {
      "caption": "Session UID",
      "description": "The unique ID of the user session, as reported by the OS.",
      "type": "string_t"
    },
    "severity": {
      "caption": "Severity",
      "description": "The original event severity, as defined by the event source.</p>The severity is a measurement the effort and expense required to manage and resolve an event or incident.",
      "type": "string_t"
    },
    "severity_id": {
      "caption": "Severity ID",
      "description": "The normalized event severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
      "enum": {
        "-1": {
          "caption": "Other",
          "description": "The event severity is not mapped. See the <code>severity</code> attribute, which contains a data source specific value."
        },
        "0": {
          "caption": "Unknown",
          "description": "The event severity is not known."
        },
        "1": {
          "caption": "Informational",
          "description": "Informational message. No action required."
        },
        "2": {
          "caption": "Low",
          "description": "The user decides if action is needed."
        },
        "3": {
          "caption": "Medium",
          "description": "Action is required but the situation is not serious at this time."
        },
        "4": {
          "caption": "High",
          "description": "Action is required immediately."
        },
        "5": {
          "caption": "Critical",
          "description": "Action is required immediately and the scope is broad."
        },
        "6": {
          "caption": "Fatal",
          "description": "An error occurred but it is too late to take remedial action."
        }
      },
      "type": "integer_t"
    },
    "sha1": {
      "caption": "SHA-1",
      "description": "The SHA-1 checksum of the file content.",
      "type": "file_hash_t"
    },
    "sha2": {
      "caption": "SHA-256",
      "description": "The SHA-256 checksum of the file content.",
      "type": "file_hash_t"
    },
    "share": {
      "caption": "Share",
      "description": "The SMB share name.",
      "type": "string_t"
    },
    "share_type": {
      "caption": "Share Type",
      "description": "The SMB share type.",
      "type": "string_t"
    },
    "shell": {
      "caption": "Shell",
      "description": "The user's login shell.",
      "type": "string_t"
    },
    "signature": {
      "caption": "Digital Signature",
      "description": "The digital signature of the file.",
      "type": "digital_signature"
    },
    "size": {
      "caption": "Size",
      "description": "The size of data, in bytes.",
      "type": "long_t"
    },
    "sni": {
      "caption": "Server Name Indication",
      "description": " The Server Name Indication (SNI) extension sent by the client.",
      "type": "string_t"
    },
    "sp_name": {
      "caption": "OS Service Pack",
      "description": "The name of the latest Service Pack.",
      "type": "string_t"
    },
    "sp_ver": {
      "caption": "OS Service Pack Version",
      "description": "The version number of the latest Service Pack.",
      "type": "integer_t"
    },
    "src_endpoint": {
      "caption": "Source Endpoint",
      "description": "The network source endpoint.",
      "type": "network_endpoint"
    },
    "src_url": {
      "caption": "Source URL",
      "description": "The URL pointing towards the source of an entity. See specific usage.",
      "type": "string_t"
    },
    "src_user": {
      "caption": "Source User",
      "description": "The existing user from which an activity was initiated.",
      "type": "user"
    },
    "start_time": {
      "caption": "Start Time",
      "description": "The start time of a time period. See specific usage.",
      "type": "timestamp_t"
    },
    "state": {
      "caption": "State",
      "description": "The state of the event or object, as defined by the event source. See specific usage.",
      "type": "string_t"
    },
    "state_id": {
      "caption": "State ID",
      "description": "The state ID of the event or object. See specific usage.",
      "type": "integer_t"
    },
    "status": {
      "caption": "Status",
      "description": "The event status, as reported by the event source.",
      "type": "string_t"
    },
    "status_code": {
      "caption": "Status Code",
      "description": "The event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.",
      "type": "string_t"
    },
    "status_detail": {
      "caption": "Status Details",
      "description": "The status details contains additional information about the event outcome.",
      "type": "string_t"
    },
    "status_id": {
      "caption": "Status ID",
      "description": "The cross-platform normalized status of the activity or alert reported by the event.",
      "enum": {
        "-1": {
          "caption": "Other",
          "description": "The event status is not mapped. See the <code>status</code> attribute, which contains a data source specific value."
        },
        "0": {
          "caption": "Unknown"
        },
        "1": {
          "caption": "Success"
        },
        "2": {
          "caption": "Failure"
        }
      },
      "type": "integer_t"
    },
    "subject_dn": {
      "caption": "Subject Distinguished Name",
      "description": "The certificate subject distinguished name.",
      "type": "string_t"
    },
    "subnet": {
      "caption": "Subnet",
      "description": "The subnet mask.",
      "type": "subnet_t"
    },
    "subnet_uid": {
      "caption": "Subnet UID",
      "description": "The unique identifier of a virtual subnet.",
      "type": "string_t"
    },
    "supporting_data": {
      "caption": "Supporting Data",
      "description": "Additional data supporting a finding as provided by security tool",
      "is_array": true,
      "type": "json_t"
    },
    "svc_name": {
      "caption": "Service Name",
      "description": "The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service.",
      "type": "string_t"
    },
    "system_call": {
      "caption": "System Call",
      "description": "The system call that was invoked.",
      "type": "string_t"
    },
    "tactics": {
      "caption": "Tactics",
      "description": "The a list of tactic ID's that are associated with the attack technique, as defined by <a target='_blank' href='https://attack.mitre.org/wiki/ATT&CK_Matrix'>ATT&CK Matrix<sup>TM</sup></a>.",
      "is_array": true,
      "type": "string_t"
    },
    "tag": {
      "caption": "Image Tag",
      "description": "The image tag. For example: <code>1.11-alpine</code>.",
      "type": "string_t"
    },
    "target_distribution_id": {
      "caption": "Target Distribution (TD)",
      "description": "The Target Distribution Common Vulnerability Scoring System (CVSS) metric.",
      "type": "integer_t"
    },
    "tcp_flags": {
      "caption": "TCP Flags",
      "description": "The network connection TCP header flags (i.e., control bits).",
      "type": "integer_t"
    },
    "technique_name": {
      "caption": "Technique Name",
      "description": "The name of the attack technique, as defined by <a target='_blank' href='https://attack.mitre.org/wiki/ATT&CK_Matrix'>ATT&CK Matrix<sup>TM</sup></a>. For example: <code>Drive-by Compromise</code>.",
      "type": "string_t"
    },
    "technique_uid": {
      "caption": "Technique ID",
      "description": "The unique identifier of the attack technique, as defined by <a target='_blank' href='https://attack.mitre.org/wiki/ATT&CK_Matrix'>ATT&CK Matrix<sup>TM</sup></a>. For example: <code>T1189</code>.",
      "type": "string_t"
    },
    "termination_time": {
      "caption": "Termination Time",
      "description": "The time that the entity was terminated. See specific usage.",
      "type": "timestamp_t"
    },
    "text": {
      "caption": "URL Text",
      "description": "The URL. For example: <code>http://www.example.com/download/trouble.exe</code>.",
      "type": "url_t"
    },
    "tid": {
      "caption": "Thread ID",
      "description": "The Identifier of the thread associated with the event, as returned by the operating system.",
      "type": "integer_t"
    },
    "timezone_offset": {
      "caption": "Timezone Offset",
      "description": "The number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.",
      "type": "integer_t"
    },
    "title": {
      "caption": "Title",
      "description": "The title of an entity. See specific usage.",
      "type": "string_t"
    },
    "tls": {
      "caption": "TLS",
      "description": "The Transport Layer Security (TLS) attributes.",
      "type": "tls"
    },
    "traffic": {
      "caption": "Traffic",
      "description": "The network traffic refers to the amount of data moving across a network at a given point of time. Intended to be used alongside Network Connection.",
      "type": "network_traffic"
    },
    "traffic_path": {
      "caption": "Traffic Path",
      "description": "The boundary of the connection. For cloud connections, this translates to the traffic-path (same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.",
      "type": "string_t"
    },
    "traffic_path_id": {
      "caption": "Traffic Path ID",
      "description": "The boundary of the connection. For cloud connections, this translates to the traffic-path (same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.",
      "enum": {
        "0": {
          "caption": "Unknown"
        },
        "1": {
          "caption": "Local",
          "description": "Local network traffic on the same endpoint."
        },
        "10": {
          "caption": "Gateway VPC",
          "description": "Through a gateway VPC endpoint (Nitro-based instances only)"
        },
        "11": {
          "caption": "Internet Gateway",
          "description": "Through an Internet gateway (Nitro-based instances only)"
        },
        "2": {
          "caption": "Internal",
          "description": "Internal network traffic between two endpoints inside network."
        },
        "3": {
          "caption": "External",
          "description": "External network traffic between two endpoints on the Internet or outside the network."
        },
        "4": {
          "caption": "Same VPC",
          "description": "Through another resource in the same VPC"
        },
        "5": {
          "caption": "Internet/VPC Gateway",
          "description": "Through an Internet gateway or a gateway VPC endpoint"
        },
        "6": {
          "caption": "Virtual Private Gateway",
          "description": "Through a virtual private gateway"
        },
        "7": {
          "caption": "Intra-region VPC",
          "description": "Through an intra-region VPC peering connection"
        },
        "8": {
          "caption": "Inter-region VPC",
          "description": "Through an inter-region VPC peering connection"
        },
        "9": {
          "caption": "Local Gateway",
          "description": "Through a local gateway"
        }
      },
      "type": "integer_t"
    },
    "transaction_uid": {
      "caption": "Transaction UID",
      "description": "The unique identifier of the transaction.",
      "type": "string_t"
    },
    "tree_uid": {
      "caption": "Tree UID",
      "description": "The tree id is a unique SMB identifier which represents an open connection to a share.",
      "type": "string_t"
    },
    "ttl": {
      "caption": "TTL",
      "description": "The time interval that the resource record may be cached. Zero value means that the resource record can only be used for the transaction in progress, and should not be cached.",
      "type": "integer_t"
    },
    "type": {
      "caption": "Type",
      "description": "The type of an object or value. See specific usage.",
      "type": "string_t"
    },
    "type_id": {
      "caption": "Type ID",
      "default": 0,
      "description": "The type identifier of an object. See specific usage.",
      "enum": {
        "-1": {
          "caption": "Other",
          "description": "The type is not mapped. See the <code>type</code> attribute, which may contain a data source specific value."
        },
        "0": {
          "caption": "Unknown",
          "description": "The type is unknown."
        }
      },
      "type": "integer_t"
    },
    "type_name": {
      "caption": "Type Name",
      "description": "The event type name, as defined by the type_uid.",
      "type": "string_t"
    },
    "type_uid": {
      "caption": "Type ID",
      "description": "The event type ID identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.",
      "sibling": "type_name",
      "type": "integer_t"
    },
    "types": {
      "caption": "Types",
      "description": "The type/s of an entity. See specific usage.",
      "is_array": true,
      "type": "string_t"
    },
    "uid": {
      "caption": "Unique ID",
      "description": "The unique identifier. See specific usage.",
      "type": "string_t"
    },
    "unmapped": {
      "caption": "Unmapped Data",
      "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
      "type": "object"
    },
    "update_time": {
      "caption": "Update Time",
      "description": "A Timestamp indicating when an entity was last updated.",
      "type": "timestamp_t"
    },
    "url": {
      "caption": "URL",
      "description": "The URL object that pertains to the event or object. See specific usage.",
      "type": "url"
    },
    "user": {
      "caption": "User",
      "description": "The user that pertains to the event or object.",
      "type": "user"
    },
    "user_agent": {
      "caption": "HTTP User-Agent",
      "description": "The request header that identifies the operating system and web browser.",
      "type": "string_t"
    },
    "user_interaction_id": {
      "caption": "User Interaction",
      "description": "The requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.",
      "type": "integer_t"
    },
    "user_result": {
      "caption": "User Result",
      "description": "The result of the user account change. It should contain the new values of the changed attributes.",
      "type": "user"
    },
    "uuid": {
      "caption": "UUID",
      "description": "The universally unique identifier. See specific usage.",
      "type": "string_t"
    },
    "value": {
      "caption": "Value",
      "description": "The value that pertains to the object. See specific usage.",
      "type": "string_t"
    },
    "vector_string": {
      "caption": "Vector String",
      "description": "The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form.",
      "type": "string_t"
    },
    "vendor": {
      "caption": "Vendor",
      "description": "The vendor that pertains to the object. See specific usage.",
      "type": "string_t"
    },
    "version": {
      "caption": "Version",
      "description": "The version that pertains to the event or object. See specific usage.",
      "type": "string_t"
    },
    "virtual_machine": {
      "caption": "Virtual Machine",
      "description": "The object describes details related to the Virtual Machine.",
      "type": "virtual_machine"
    },
    "virtual_machines": {
      "caption": "Virtual Machines",
      "description": "The object describes details related to the list of Virtual Machines.",
      "is_array": true,
      "type": "virtual_machine"
    },
    "vlan_uid": {
      "caption": "VLAN",
      "description": "The Virtual LAN identifier.",
      "type": "string_t"
    },
    "vpc_uid": {
      "caption": "VPC UID",
      "description": "The unique identifier of the Virtual Private Cloud (VPC).",
      "type": "string_t"
    },
    "vulnerabilities": {
      "caption": "Vulnerbailities",
      "description": "This object describes vulnerabilities reported in a security finding",
      "is_array": true,
      "type": "vulnerability"
    },
    "vulnerability": {
      "caption": "Vulnerability",
      "description": "The vulnerability object describes details related to the observed vulnerability",
      "type": "vulnerability"
    },
    "x_forwarded_for": {
      "caption": "X-Forwarded-For",
      "description": "The X-Forwarded-For header identifying the originating IP address(es) of a client connecting to a web server through an HTTP proxy or a load balancer.",
      "is_array": true,
      "type": "ip_t"
    },
    "xattributes": {
      "caption": "Extended Attributes",
      "description": "An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.</p>For example: Windows alternate data stream attributes (ADS stream name, ADS size, etc.), user-defined or application-defined attributes, ACL, owner, primary group, etc. Examples from DCS: </p><ul><li><strong>ads_name</strong></li><li><strong>ads_size</strong></li><li><strong>dacl</strong></li><li><strong>owner</strong></li><li><strong>primary_group</strong></li><li><strong>link_name</strong> - name of the link associated to the file.</li><li><strong>hard_link_count</strong> - the number of links that are associated to the file.</li></ul>",
      "type": "object"
    },
    "zone": {
      "caption": "Network Zone",
      "description": "The network zone or LAN segment.",
      "type": "string_t"
    }
  },
  "types": {
    "caption": "Data Types",
    "description": "The predefined data types. The data type specifies what kind of data a value can have.",
    "attributes": {
      "boolean_t": {
        "caption": "Boolean",
        "description": "Boolean value. One of <code>true</code> or <code>false</code>.",
        "values": [
          false,
          true
        ]
      },
      "email_t": {
        "caption": "Email Address",
        "description": "Email address. For example: <code>john_doe@example.com</code>.",
        "observable": 5,
        "regex": "^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$",
        "type": "string_t",
        "type_name": "String"
      },
      "file_hash_t": {
        "caption": "File Hash",
        "description": "File hash. A unique value that corresponds to the content of the file.",
        "max_len": 64,
        "observable": 8,
        "type_name": "String"
      },
      "file_name_t": {
        "caption": "File Name",
        "description": "File name. For example: <code>text-file.txt</code>.",
        "observable": 7,
        "regex": "^[a-zA-Z0-9._ -]+$",
        "type": "string_t",
        "type_name": "String"
      },
      "float_t": {
        "caption": "Float",
        "description": "Real floating-point value. For example: <code>3.14</code>."
      },
      "hostname_t": {
        "caption": "Hostname",
        "description": "Unique name assigned to a device connected to a computer network. A domain name in general is an Internet address that can be resolved through the Domain Name System (DNS). For example: <code>r2-d2.example.com</code>.",
        "observable": 1,
        "regex": "^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])$",
        "type": "string_t",
        "type_name": "String"
      },
      "integer_t": {
        "caption": "Integer",
        "description": "Signed integer value."
      },
      "ip_t": {
        "caption": "IP Address",
        "description": "Internet Protocol address (IP address), in either IPv4 or IPv6 format.",
        "max_len": 40,
        "observable": 2,
        "regex": "/^(?>(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.*[a-f0-9](?>:|$)){8,})((?1)(?>:(?1)){0,6})?::(?2)?)|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3}))$/iD",
        "type": "string_t",
        "type_name": "String"
      },
      "json_t": {
        "caption": "JSON",
        "description": "Embedded JSON value. A value can be a string, or a number, or true or false or null, or an object or an array. These structures can be nested. See <a target='_blank' href='https://www.json.org'>www.json.org</a>."
      },
      "long_t": {
        "caption": "Long",
        "description": "8-byte long, signed integer value."
      },
      "mac_t": {
        "caption": "MAC Address",
        "description": "Media Access Control (MAC) address. For example: <code>18:36:F3:98:4F:9A</code>.",
        "max_len": 32,
        "observable": 3,
        "regex": "^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$",
        "type": "string_t",
        "type_name": "String"
      },
      "object_t": {
        "caption": "Object",
        "description": "Object is an unordered set of name/value pairs. For example: <code>{ip: 92.24.47.250, type: IP Address}</code>"
      },
      "path_t": {
        "caption": "Path Name",
        "description": "File or folder full path name. For example: <code>/home/user/tmp/text-file.txt</code>.",
        "regex": "^[\\pL0-9_]+[\\pL0-9 ~!@#%&*\\-./_]*$",
        "type": "string_t",
        "type_name": "String"
      },
      "port_t": {
        "caption": "IP Port",
        "description": "IP TCP/UDP port number. For example: <code>80</code> or <code>22</code>.",
        "range": [
          0,
          65535
        ],
        "type": "integer_t",
        "type_name": "Integer"
      },
      "process_name_t": {
        "caption": "Process Name",
        "description": "Process name. For example: <code>Notepad</code>.",
        "observable": 9,
        "type": "string_t",
        "type_name": "String"
      },
      "resource_uid_t": {
        "caption": "Resource UID",
        "description": "Resource unique identifier. For example, S3 Bucket name or EC2 Instance ID.",
        "max_len": 64,
        "observable": 10,
        "type_name": "String"
      },
      "string_t": {
        "caption": "String",
        "description": "UTF-8 encoded byte sequence.",
        "max_len": 65535
      },
      "subnet_t": {
        "caption": "Subnet",
        "description": "Subnet mask in Classless Inter-Domain Routing (CIDR) notation. For example <code>192.168.200.0/24</code>.",
        "max_len": 40,
        "type_name": "String"
      },
      "datetime_t": {
        "caption": "Datetime",
        "description": "The Internet Date/Time format as defined in <a target='_blank' href='https://www.rfc-editor.org/rfc/rfc3339.html'>RFC-3339</a>. For example <code>1985-04-12T23:20:50.52Z</code>.",
        "regex": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}%3A\\d{2}(?:.\\d+)?[A-Z]?(?:[.-](?:08:\\d{2}|\\d{2}[A-Z]))?$",
        "type": "string_t",
        "type_name": "String"
      },
      "timestamp_t": {
        "caption": "Timestamp",
        "description": "The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example <code>1618524549901</code>.",
        "type": "long_t",
        "type_name": "Long"
      },
      "url_t": {
        "caption": "URL String",
        "description": "Uniform Resource Locator (URL) string. For example: <code>http://www.example.com/download/trouble.exe</code>.",
        "observable": 6,
        "type": "string_t",
        "type_name": "String"
      },
      "username_t": {
        "caption": "User Name",
        "description": "User name. For example: <code>john_doe</code>.",
        "observable": 4,
        "type": "string_t",
        "type_name": "String"
      }
    }
  }
}