Skip to main content
Click on a field type below to navigate to the list of fields available for a custom query.
access_control_outcomeaccess_key_idaccount_idaccount_nameaccount_vendoradhoc_query_idaffected_familyaffected_platformaffected_platformsaffected_productsalarm_connector_idsalarm_connector_sourcesalarm_destination_assset_idsalarm_destination_citiesalarm_destination_countriesalarm_destination_ipsalarm_destination_latitudesalarm_destination_longitudesalarm_destination_namesalarm_destination_organisationsalarm_destination_user_account_idsalarm_destination_user_idsalarm_destination_zonesalarm_destinationsalarm_events_countalarm_idalarm_labelsalarm_outcomealarm_response_codesalarm_sensor_sourcesalarm_source_asset_idsalarm_source_citiesalarm_source_countriesalarm_source_ipsalarm_source_latitudesalarm_source_longitudesalarm_source_namesalarm_source_organisationsalarm_source_zonesalarm_sourcesanalysis_account_idanalysis_account_nameanalysis_account_statusanalysis_account_typeanalysis_account_user_nameanalysis_user_idanalysis_user_nameanalysis_user_statusapp_execution_parametersapp_idapp_nameapp_typeapplicationapplication_protocolapplication_typeasset_statusassumed_roleaudit_reasonauthentication_modeauthentication_package_nameauthentication_typebase_event_countblacklist_reference_urlbytes_inbytes_outcertificate_issuer_namecertificate_serial_numbercertificate_subject_nameconfidenceconnection_countconnector_idconnector_sourceconnector_source_filecontainer_cmdcontainer_cpucontainer_idcontainer_imagecontainer_image_idcontainer_memorycontainer_namecontainer_statecontainer_volumecontains_credit_card_numbercontent_categorycontrol_idcurrent_ppscurrent_working_directorycustomfield_*customheader_*datascience_alarm_thresholddatascience_alarm_threshold_99datascience_alarm_threshold_low_confidencedatascience_alarm_threshold_medium_confidencedatascience_anomaly_scoredatascience_inference_explanationdatascience_inference_typedatascience_tenant_event_thresholddestination_account_iddestination_additional_hostnamesdestination_addressdestination_address_6destination_asndestination_asset_iddestination_blacklist_activitydestination_blacklist_prioritydestination_blacklist_reliabilitydestination_canonicaldestination_citydestination_countrydestination_datastoredestination_dns_domaindestination_fqdndestination_hostnamedestination_infrastructure_namedestination_infrastructure_typedestination_instance_iddestination_latitudedestination_longitudedestination_macdestination_mac_vendordestination_namedestination_nat_addressdestination_nat_portdestination_netmaskdestination_networkdestination_ntdomaindestination_organisationdestination_portdestination_port_labeldestination_post_nat_portdestination_pre_nat_portdestination_processdestination_process_iddestination_regiondestination_registered_countrydestination_service_namedestination_translated_addressdestination_translated_portdestination_user_emaildestination_user_groupdestination_user_iddestination_user_privilegesdestination_useriddestination_usernamedestination_vguestdestination_vhostdestination_vpcdestination_vpndestination_zonedevice_classdevice_configurationdevice_custom_date_1device_custom_date_1_labeldevice_custom_date_2device_custom_date_2_labeldevice_custom_number_1device_custom_number_1_labeldevice_custom_number_2device_custom_number_2_labeldevice_custom_number_3device_custom_number_3_labeldevice_directiondevice_dns_domaindevice_event_categorydevice_external_iddevice_facilitydevice_inbound_interfacedevice_namedevice_nt_domaindevice_outbound_interfacedevice_process_namedevice_sender_addressdevice_sender_asset_iddevice_vendordns_messagedns_rcodedns_rrnamedns_rrtypedns_server_addressdns_ttldns_typedurationemail_recipientemail_relayemail_senderemail_subjectenvironment_variable_keyenvironment_variable_valueerror_codeerror_messageevent_actionevent_activityevent_attack_idevent_attack_tacticevent_attack_techniqueevent_auth_actionevent_auth_roleevent_categoryevent_changeevent_cveevent_descriptionevent_description_urlevent_groupevent_group_job_idevent_nameevent_outcomeevent_priorityevent_receipt_timeevent_ref_dateevent_ref_idevent_ref_scoreevent_ref_score_v2event_ref_score_v3event_ref_sourceevent_ref_versionevent_severityevent_subcategoryevent_typeevent_violationeventsexpiresexternal_idfile_hashfile_hash_algorithmfile_hash_md5file_hash_sha1file_hash_sha256file_idfile_kb_sizefile_modification_timefile_namefile_old_hashfile_old_idfile_old_modification_timefile_old_namefile_old_pathfile_old_permissionfile_old_sizefile_ownerfile_pathfile_permissionfile_typefull_messagegatewayglobal_list_nameglobal_list_valuegroup_policyhas_alarmhighlight_fieldshttp_hostnamehttp_refereridentity_group_nameidentity_host_nameincident_idinstance_idsinstance_typesiocsip_addressesk8s_dns_policyk8s_node_namek8s_prioritylast_updatedlevellogmalware_familymalware_variantmatched_valuemuteneeds_enrichmentneeds_internal_enrichmentnew_valuenode_idnode_namenum_containersobject_idobject_typeold_ipoperating_systempackage_architecturepackage_namepackage_revisionpackage_sourcepackage_versionpacket_datapacket_payloadpacket_typepackets_receivedpackets_sentpeak_ppspefile_companypefile_descriptionpefile_fileversionpefile_productplaybook_execution_idplaybook_idplaybook_namepluginplugin_deviceplugin_device_typeplugin_device_versionplugin_enrichment_scriptplugin_familyplugin_parentplugin_ruleplugin_versionpolicypolicy_addresspre_authentication_typeprevious_valueprioritypriority_labelproject_idprotocol_versionreceived_fromregistry_pathregistry_valuerelative_distinguished_namerep_dev_canonicalrep_device_addressrep_device_address_6rep_device_asset_idrep_device_fqdnrep_device_hostnamerep_device_inbound_interfacerep_device_instance_idrep_device_macrep_device_modelrep_device_outbound_interfacerep_device_rule_idrep_device_typerep_device_vendorrep_device_versionreport_executed_categoryreport_executed_databasereport_executed_database_indexreport_executed_datereport_executed_formatreport_executed_keyreport_executed_parametersreport_executed_queryreport_executed_statereport_executed_userreport_executed_uuidreputation_scorerequest_content_typerequest_cookiesrequest_http_versionrequest_methodrequest_referrerrequest_urlrequest_user_agentresource_providerresource_uriresponse_coderesponse_content_typereturn_valuerule_attack_idrule_attack_tacticrule_attack_techniquerule_dictionaryrule_idrule_intentrule_methodrule_namerule_strategyrule_uuidscheduled_task_idsecurity_group_idsecurity_group_namesensor_event_ratesensor_namesensor_uuidsessionshared_resource_nameshort_messagesilentsource_accountsource_account_idsource_account_namesource_additional_hostnamessource_addresssource_address_6source_asnsource_asset_idsource_blacklist_activitysource_blacklist_prioritysource_blacklist_reliabilitysource_canonicalsource_citysource_countrysource_cpesource_datacentersource_datastoresource_dns_domainsource_fqdnsource_hostnamesource_infrastructure_namesource_infrastructure_typesource_instance_idsource_latitudesource_location_idsource_location_namesource_longitudesource_macsource_mac_vendorsource_namesource_nat_addresssource_nat_portsource_netmasksource_networksource_ntdomainsource_organisationsource_portsource_port_labelsource_post_nat_portsource_pre_nat_portsource_processsource_process_commandlinesource_process_idsource_process_parentsource_process_parent_commandlinesource_process_parent_process_idsource_regionsource_registered_countrysource_service_namesource_translated_addresssource_translated_portsource_user_emailsource_user_email_domainsource_user_groupsource_user_idsource_user_privilegessource_useridsource_usernamesource_vhostsource_vpcsource_vpnsource_workstationsource_zonessh_authorized_keyssh_client_protossh_client_softwaressh_server_protossh_server_softwarestat_valuestatussuppress_rule_idsuppress_rule_namesuppressedsyslog_sourcesystem_event_typetagthreat_intelligence_feed_namethreat_intelligence_matched_metadataticket_encryption_typetimeStamptime_endtime_offsettime_starttime_zonetimestamp_arrivedtimestamp_endtimestamp_occuredtimestamp_occured_iso8601timestamp_occurredtimestamp_ostimestamp_receivedtimestamp_received_iso8601timestamp_starttimestamp_to_storagetls_ciphertls_fingerprinttls_issuerdntls_snitls_subjecttls_versiontotal_disconnection_timetotal_packetstransaction_statustransienttransport_protocolts_a_to_sts_o_to_rts_r_to_ats_r_to_its_s_to_itty_terminalused_hintuser_group_iduser_policyuser_realmuser_resourceuser_resource_typeuser_roleuser_typeuuidvirtual_source_addressvirtual_source_namewas_fuzziedwas_guessedwatchlistwireless_apwireless_bssidwireless_channelwireless_encryptionwireless_ssidx_att_tenant_subdomainx_att_tenantid
access_control_outcomeaccess_key_idaccount_idaccount_nameaccount_vendoradhoc_query_idaffected_familyaffected_platformaffected_platformsaffected_productsalarm_events_countapp_idapp_nameapp_typeapplicationapplication_protocolapplication_typeasset_statusassumed_roleaudit_reasonauthentication_modeauthentication_package_nameauthentication_typebase_event_countblacklist_reference_urlbytes_inbytes_outcertificate_issuer_namecertificate_serial_numbercertificate_subject_nameconfidenceconnection_countconnector_idconnector_sourceconnector_source_filecontainer_cmdcontainer_cpucontainer_idcontainer_imagecontainer_image_idcontainer_memorycontainer_namecontainer_statecontainer_volumecontains_credit_card_numbercontent_categorycontrol_idcurrent_ppscurrent_working_directorycustomfield_0customfield_1customfield_10customfield_11customfield_12customfield_13customfield_14customfield_15customfield_16customfield_17customfield_18customfield_19customfield_2customfield_20customfield_21customfield_22customfield_23customfield_24customfield_25customfield_26customfield_27customfield_28customfield_29customfield_3customfield_30customfield_4customfield_5customfield_6customfield_7customfield_8customfield_9customheader_0customheader_1customheader_10customheader_11customheader_12customheader_13customheader_14customheader_15customheader_16customheader_17customheader_18customheader_19customheader_2customheader_20customheader_21customheader_22customheader_23customheader_24customheader_25customheader_26customheader_27customheader_28customheader_29customheader_3customheader_30customheader_4customheader_5customheader_6customheader_7customheader_8customheader_9datascience_alarm_thresholddatascience_alarm_threshold_99datascience_alarm_threshold_low_confidencedatascience_alarm_threshold_medium_confidencedatascience_anomaly_scoredatascience_inference_explanationdatascience_inference_typedatascience_tenant_event_thresholddestination_account_iddestination_additional_hostnamesdestination_addressdestination_address_6destination_asndestination_asset_iddestination_blacklist_activitydestination_blacklist_prioritydestination_blacklist_reliabilitydestination_canonicaldestination_citydestination_countrydestination_datastoredestination_dns_domaindestination_fqdndestination_hostnamedestination_infrastructure_namedestination_infrastructure_typedestination_instance_iddestination_latitudedestination_longitudedestination_macdestination_mac_vendordestination_namedestination_nat_addressdestination_nat_portdestination_netmaskdestination_networkdestination_ntdomaindestination_organisationdestination_portdestination_port_labeldestination_post_nat_portdestination_pre_nat_portdestination_processdestination_process_iddestination_regiondestination_registered_countrydestination_service_namedestination_translated_addressdestination_translated_portdestination_user_emaildestination_user_groupdestination_user_iddestination_user_privilegesdestination_useriddestination_usernamedestination_vguestdestination_vhostdestination_vpcdestination_vpndestination_zonedevice_classdevice_configurationdevice_custom_date_1device_custom_date_1_labeldevice_custom_date_2device_custom_date_2_labeldevice_custom_number_1device_custom_number_1_labeldevice_custom_number_2device_custom_number_2_labeldevice_custom_number_3device_custom_number_3_labeldevice_directiondevice_dns_domaindevice_event_categorydevice_external_iddevice_facilitydevice_inbound_interfacedevice_namedevice_nt_domaindevice_outbound_interfacedevice_process_namedevice_sender_addressdevice_sender_asset_iddevice_vendordns_messagedns_rcodedns_rrnamedns_rrtypedns_server_addressdns_ttldns_typedurationemail_recipientemail_relayemail_senderemail_subjectenvironment_variable_keyenvironment_variable_valueerror_codeerror_messageevent_actionevent_activityevent_attack_idevent_attack_tacticevent_attack_techniqueevent_auth_actionevent_auth_roleevent_categoryevent_cveevent_descriptionevent_description_urlevent_groupevent_nameevent_outcomeevent_priorityevent_receipt_timeevent_ref_dateevent_ref_scoreevent_ref_sourceevent_severityevent_subcategoryevent_typeevent_violationexpiresexternal_idfile_hashfile_hash_algorithmfile_hash_md5file_hash_sha1file_hash_sha256file_idfile_kb_sizefile_modification_timefile_namefile_old_hashfile_old_idfile_old_modification_timefile_old_namefile_old_pathfile_old_permissionfile_old_sizefile_ownerfile_pathfile_permissionfile_typefull_messagegatewayglobal_list_nameglobal_list_valuegroup_policyhas_alarmhighlight_fieldshttp_hostnamehttp_refereridentity_group_nameidentity_host_nameincident_idinstance_idsinstance_typesiocsip_addressesk8s_dns_policyk8s_node_namek8s_prioritylevellogmalware_familymalware_variantmatched_valueneeds_enrichmentneeds_internal_enrichmentnum_containersold_ipoperating_systempackage_architecturepackage_namepackage_revisionpackage_sourcepackage_versionpacket_datapacket_payloadpacket_typepackets_receivedpackets_sentpeak_ppspefile_companypefile_descriptionpefile_fileversionpefile_productpluginplugin_deviceplugin_device_typeplugin_device_versionplugin_enrichment_scriptplugin_familyplugin_parentplugin_ruleplugin_versionpolicypolicy_addresspre_authentication_typeproject_idprotocol_versionreceived_fromregistry_pathregistry_valuerelative_distinguished_namerep_dev_canonicalrep_device_addressrep_device_address_6rep_device_asset_idrep_device_fqdnrep_device_hostnamerep_device_inbound_interfacerep_device_instance_idrep_device_macrep_device_modelrep_device_outbound_interfacerep_device_rule_idrep_device_typerep_device_vendorrep_device_versionreport_executed_datereputation_scorerequest_content_typerequest_cookiesrequest_http_versionrequest_methodrequest_referrerrequest_urlrequest_user_agentresource_providerresource_uriresponse_coderesponse_content_typereturn_valuerule_idrule_uuidsecurity_group_idsecurity_group_namesensor_event_ratesensor_namesensor_uuidsessionshared_resource_nameshort_messagesilentsource_accountsource_account_idsource_account_namesource_additional_hostnamessource_addresssource_address_6source_asnsource_asset_idsource_blacklist_activitysource_blacklist_prioritysource_blacklist_reliabilitysource_canonicalsource_citysource_countrysource_cpesource_datacentersource_datastoresource_dns_domainsource_fqdnsource_hostnamesource_infrastructure_namesource_infrastructure_typesource_instance_idsource_latitudesource_location_idsource_location_namesource_longitudesource_macsource_mac_vendorsource_namesource_nat_addresssource_nat_portsource_netmasksource_networksource_ntdomainsource_organisationsource_portsource_port_labelsource_post_nat_portsource_pre_nat_portsource_processsource_process_commandlinesource_process_idsource_process_parentsource_process_parent_commandlinesource_process_parent_process_idsource_regionsource_registered_countrysource_service_namesource_translated_addresssource_translated_portsource_user_emailsource_user_email_domainsource_user_groupsource_user_idsource_user_privilegessource_useridsource_usernamesource_vhostsource_vpcsource_vpnsource_workstationsource_zonessh_authorized_keyssh_client_protossh_client_softwaressh_server_protossh_server_softwarestat_valuestatussuppress_rule_idsuppress_rule_namesuppressedsyslog_sourcetagthreat_intelligence_feed_namethreat_intelligence_matched_metadataticket_encryption_typetimeStamptime_endtime_offsettime_starttime_zonetimestamp_arrivedtimestamp_endtimestamp_occuredtimestamp_occured_iso8601timestamp_occurredtimestamp_ostimestamp_receivedtimestamp_received_iso8601timestamp_starttimestamp_to_storagetls_ciphertls_fingerprinttls_issuerdntls_snitls_subjecttls_versiontotal_disconnection_timetotal_packetstransaction_statustransienttransport_protocolts_a_to_sts_o_to_rts_r_to_ats_r_to_its_s_to_itty_terminalused_hintuser_group_iduser_policyuser_realmuser_resourceuser_resource_typeuser_roleuser_typeuuidvirtual_source_addressvirtual_source_namewas_fuzziedwas_guessedwatchlistwireless_apwireless_bssidwireless_channelwireless_encryptionwireless_ssidx_att_tenant_subdomainx_att_tenantid
access_control_outcomeaccount_idaccount_nameaffected_platformalarm_connector_idsalarm_connector_sourcesalarm_destination_assset_idsalarm_destination_citiesalarm_destination_countriesalarm_destination_ipsalarm_destination_latitudesalarm_destination_longitudesalarm_destination_namesalarm_destination_organisationsalarm_destination_user_account_idsalarm_destination_user_idsalarm_destination_zonesalarm_destinationsalarm_events_countalarm_labelsalarm_outcomealarm_response_codesalarm_sensor_sourcesalarm_source_asset_idsalarm_source_citiesalarm_source_countriesalarm_source_ipsalarm_source_latitudesalarm_source_longitudesalarm_source_namesalarm_source_organisationsalarm_source_zonesalarm_sourcesapp_idapp_typeassumed_roleaudit_reasonauthentication_modeauthentication_typebase_event_countbytes_inbytes_outconfidenceconnection_countcontains_credit_card_numbercurrent_ppscustomfield_0customfield_1customfield_10customfield_11customfield_12customfield_13customfield_15customfield_16customfield_17customfield_18customfield_19customfield_2customfield_20customfield_22customfield_23customfield_26customfield_27customfield_3customfield_30customfield_4customfield_6customfield_7customfield_8customheader_0customheader_1customheader_10customheader_11customheader_12customheader_13customheader_15customheader_16customheader_17customheader_18customheader_19customheader_2customheader_20customheader_22customheader_23customheader_26customheader_27customheader_3customheader_30customheader_4customheader_6customheader_7customheader_8datascience_alarm_thresholddatascience_alarm_threshold_99datascience_alarm_threshold_low_confidencedatascience_alarm_threshold_medium_confidencedatascience_anomaly_scoredatascience_tenant_event_thresholddestination_account_iddestination_addressdestination_asset_iddestination_canonicaldestination_namedestination_nat_portdestination_organisationdestination_portdestination_post_nat_portdestination_pre_nat_portdestination_translated_portdestination_user_groupdestination_user_iddestination_usernamedestination_zonedevice_custom_number_1device_custom_number_2device_custom_number_3dns_rcodeerror_messageevent_actionevent_categoryevent_descriptionevent_nameevent_outcomeevent_priorityevent_receipt_timeevent_ref_dateevent_severityevent_subcategoryevent_typeeventsexpiresfile_hash_sha1file_hash_sha256file_namefile_pathfile_typehas_alarmhighlight_fieldshttp_hostnameinstance_idsinstance_typesiocslast_updatedlevellogmalware_familymalware_variantmuteneeds_enrichmentneeds_internal_enrichmentpacket_datapacket_typepackets_receivedpackets_sentpeak_ppspluginplugin_deviceplugin_familypolicyprioritypriority_labelrep_device_rule_idreport_executed_daterequest_urlrequest_user_agentresponse_coderule_attack_idrule_attack_tacticrule_attack_techniquerule_dictionaryrule_idrule_intentrule_methodrule_namerule_strategysecurity_group_idsecurity_group_namesensor_event_ratesensor_uuidsilentsource_addresssource_asset_idsource_canonicalsource_countrysource_hostnamesource_macsource_namesource_nat_portsource_networksource_ntdomainsource_organisationsource_portsource_post_nat_portsource_pre_nat_portsource_processsource_process_commandlinesource_process_parentsource_translated_portsource_user_emailsource_user_privilegessource_usernamesource_workstationstat_valuestatussuppressedthreat_intelligence_feed_nametime_endtime_starttimestamp_arrivedtimestamp_endtimestamp_occuredtimestamp_occured_iso8601timestamp_occurredtimestamp_ostimestamp_receivedtimestamp_received_iso8601timestamp_starttimestamp_to_storagetotal_packetstransientts_a_to_sts_o_to_rts_r_to_ats_r_to_its_s_to_iused_hintuser_roleuuidwas_fuzziedwas_guessedwatchlistx_att_tenant_subdomainx_att_tenantid
alarm_idanalysis_account_idanalysis_account_nameanalysis_account_statusanalysis_account_typeanalysis_account_user_nameanalysis_user_idanalysis_user_nameanalysis_user_statusapp_execution_parametersapp_idapp_nameapp_typeconnector_idcontrol_idcustomfield_0customfield_1customfield_10customfield_11customfield_12customfield_2customfield_4customfield_5customfield_6customfield_7customfield_8customfield_9customheader_0customheader_1customheader_10customheader_11customheader_12customheader_2customheader_4customheader_5customheader_6customheader_7customheader_8customheader_9destination_user_emailevent_actionevent_changeevent_descriptionevent_group_job_idevent_nameevent_outcomeevent_typefull_messageneeds_enrichmentneeds_internal_enrichmentnew_valuenode_idnode_nameobject_typepacket_typeplaybook_execution_idplaybook_idplaybook_nameprevious_valuerep_dev_canonicalrep_device_addressrep_device_asset_idrep_device_fqdnrep_device_hostnamereport_executed_categoryreport_executed_databasereport_executed_database_indexreport_executed_datereport_executed_formatreport_executed_keyreport_executed_parametersreport_executed_queryreport_executed_statereport_executed_userreport_executed_uuidscheduled_task_idsensor_event_ratesensor_namesensor_uuidsource_asset_idsource_canonicalsource_infrastructure_typesource_namesource_user_emailsuppressedsystem_event_typetimestamp_arrivedtimestamp_endtimestamp_occuredtimestamp_occurredtimestamp_starttimestamp_to_storagetotal_disconnection_timetransientuuidx_att_tenant_subdomainx_att_tenantid
event_actionevent_descriptionevent_nameevent_severityexpiresfull_messageneeds_enrichmentneeds_internal_enrichmentnew_valueobject_idobject_typepacket_typeprevious_valuesensor_event_ratesensor_uuidsource_usernamesuppressedtimestamp_arrivedtimestamp_occuredtimestamp_occurredtimestamp_to_storagetransientuuidx_att_tenant_subdomainx_att_tenantid
access_control_outcomeaccount_namealarm_events_countapp_idapp_nameapp_typebase_event_countbytes_inbytes_outconfidenceconnection_countcontains_credit_card_numbercurrent_ppsdatascience_alarm_thresholddatascience_alarm_threshold_99datascience_alarm_threshold_low_confidencedatascience_alarm_threshold_medium_confidencedatascience_anomaly_scoredatascience_tenant_event_thresholddestination_addressdestination_asset_iddestination_canonicaldestination_citydestination_countrydestination_fqdndestination_hostnamedestination_infrastructure_namedestination_infrastructure_typedestination_instance_iddestination_latitudedestination_longitudedestination_namedestination_nat_portdestination_organisationdestination_portdestination_post_nat_portdestination_pre_nat_portdestination_regiondestination_registered_countrydestination_translated_portdevice_custom_number_1device_custom_number_2device_custom_number_3dns_rcodeevent_actionevent_cveevent_descriptionevent_description_urlevent_groupevent_nameevent_priorityevent_receipt_timeevent_ref_idevent_ref_scoreevent_ref_score_v2event_ref_score_v3event_ref_sourceevent_ref_versionevent_severityevent_typeexpireshas_alarmlevellogneeds_enrichmentneeds_internal_enrichmentpacket_typepackets_receivedpackets_sentpeak_ppspluginplugin_deviceplugin_familyrep_dev_canonicalrep_device_addressrep_device_asset_idrep_device_fqdnrep_device_hostnamerep_device_instance_idreport_executed_dateresponse_coderule_idsensor_event_ratesensor_namesensor_uuidsilentsource_addresssource_asset_idsource_canonicalsource_citysource_countrysource_fqdnsource_hostnamesource_infrastructure_namesource_infrastructure_typesource_instance_idsource_latitudesource_longitudesource_namesource_nat_portsource_organisationsource_portsource_post_nat_portsource_pre_nat_portsource_regionsource_registered_countrysource_translated_portstat_valuesuppressedtime_endtime_starttimestamp_arrivedtimestamp_endtimestamp_occuredtimestamp_occured_iso8601timestamp_occurredtimestamp_ostimestamp_receivedtimestamp_received_iso8601timestamp_starttimestamp_to_storagetotal_packetstransientts_a_to_sts_o_to_rts_r_to_ats_r_to_its_s_to_iused_hintuuidwas_fuzziedwas_guessedx_att_tenant_subdomainx_att_tenantid