Field Name | Example Values | Field Type | Notes |
---|---|---|---|
host_device | \\Device\\HarddiskVolume2 | keyword | Identifier for a device (drive, network adapter) connected to a system |
host_hostname | corpdc01, corpdc01.local, lab01.corpdomain.com | keyword (normalized:loweronly) | NetBIOS or DNS hostname |
host_id | | keyword | Host unique identifier (e.g. SID for Microsoft) |
host_ip | 10.1.2.3, fe80:5cc3:11:4::2c | ip | IPv4 and IPv6 addresses |
host_ipv6 | fe80:5cc3:11:4::2c | ip | IPv6 addresses |
host_mac | 02:a1:f9:c2:d5:04 | keyword | MAC address of host, colon-delimited and lower case |
host_reference | 127.0.0.1, corpdc01, corpdc01.local, lab01.corpdomain.com | keyword (normalized:loweronly) | Mapped from host_ip or host_hostname, in that order; this provides a common field to reference for messages that do not provide both (note: CIDR search will not work against this field) |
host_region | us-east-1 | keyword | Name of the region the source device is located in |
host_type_version | | keyword | Operating system version of host |
host_virtfw_hostname | | keyword (normalized:loweronly) | For firewalls that operate as partitioned services, this is the name of the logical device |
host_virtfw_id | | keyword | For firewalls that operate as partitioned services, this is the ID value of the logical device |
host_virtfw_uid | | keyword | Unique identifier such as a UUID value representing a virtual host |
host_vm_name | | keyword | Virtual system name (not to be confused with the hostname) |
Field Name | Example Values | Field Type | Notes |
---|---|---|---|
host_as_* | | | See: as_* fields |
host_category | | keyword | Future: from entity mapping |
host_geo_* | | | See: geo_* fields |
host_location_name | Chicago, US, Datacenter 01, Bismark - Finance | keyword | Derived either from an internal enterprise network definition or from the geo location fields, if available |
host_priority | critical, high, medium, low | keyword | Future: from entity mapping |
host_priority_level | 2 | byte | Numeric value representing the priority of the host device: 1 = low, 2 = medium, 3 = high, 4 = critical |
host_reference | IPv4, IPv6, hostname, fqdn | keyword (normalized:loweronly) | Automatically mapped from the following fields: host_ip, host_hostname, host_vm_name, host_mac |
host_type | | keyword | Machine “type” |
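The normalization rules the two tables describe (loweronly hostnames, colon-delimited lower-case MACs, the host_priority to host_priority_level mapping, the host_reference fallback order, and why CIDR search works on host_ip but not on host_reference), as an added example that is not part of the original schema documentation. The raw-event keys hostname, src_ip, mac, vm_name and priority are hypothetical, and the fallback order follows the second table (the first table lists only host_ip then host_hostname).

```python
import ipaddress
import re
# host_priority labels and the host_priority_level values the table assigns them.
PRIORITY_LEVEL = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Fallback order for host_reference, as listed in the second table.
HOST_REFERENCE_ORDER = ("host_ip", "host_hostname", "host_vm_name", "host_mac")

def normalize_mac(raw):
    """Return a MAC as six colon-delimited lower-case octets, or None if it is not one."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw or "")
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()

def normalize_host_fields(raw):
    """Map a raw event (hypothetical keys: hostname, src_ip, mac, vm_name, priority) onto host_* fields."""
    out = {}
    if raw.get("src_ip"):
        addr = ipaddress.ip_address(raw["src_ip"])  # malformed addresses raise rather than get indexed
        out["host_ip"] = str(addr)
        if addr.version == 6:
            out["host_ipv6"] = str(addr)
    if raw.get("hostname"):
        out["host_hostname"] = raw["hostname"].strip().lower()  # keyword (normalized:loweronly)
    if raw.get("vm_name"):
        out["host_vm_name"] = raw["vm_name"].strip()
    if (mac := normalize_mac(raw.get("mac"))):
        out["host_mac"] = mac
    prio = (raw.get("priority") or "").strip().lower()
    if prio in PRIORITY_LEVEL:
        out["host_priority"] = prio
        out["host_priority_level"] = PRIORITY_LEVEL[prio]
    # host_reference takes the first populated field in the fallback order, lower-cased.
    for field in HOST_REFERENCE_ORDER:
        if field in out:
            out["host_reference"] = out[field].lower()
            break
    return out

def matches_cidr(event, cidr):
    """CIDR search works on host_ip (typed ip), not on host_reference, which is a keyword string."""
    return "host_ip" in event and ipaddress.ip_address(event["host_ip"]) in ipaddress.ip_network(cidr)

# Constructed sample events, not taken from the original page.
SAMPLE_EVENTS = [
    {"hostname": "CorpDC01.local", "src_ip": "10.1.2.3", "mac": "02-A1-F9-C2-D5-04", "priority": "High"},
    {"hostname": "Lab01.CorpDomain.com", "priority": "critical"},
    {"vm_name": "web-vm-07"},
    {"src_ip": "fe80:5cc3:11:4::2c"},
]
```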