Host Fields

| Field Name | Example Values | Field Type | Notes |
|---|---|---|---|
| host_device | \Device\HarddiskVolume2 | keyword | Identifier for a device (drive, network adapter) connected to a system |
| host_hostname | corpdc01, corpdc01.local | keyword (normalized:loweronly) | NetBIOS or DNS hostname |
| host_id | | keyword | Host unique identifier (e.g. SID for Microsoft) |
| host_ip | fe80:5cc3:11:4::2c | ip | IPv4 and IPv6 addresses |
| host_ipv6 | fe80:5cc3:11:4::2c | ip | IPv6 addresses |
| host_mac | 02:a1:f9:c2:d5:04 | keyword | MAC address of host, colon-delimited and lower case |
| host_reference | corpdc01, corpdc01.local | keyword (normalized:loweronly) | Mapped from host_ip or host_hostname, in that order; provides a common field to reference for messages that do not carry both (note: CIDR search will not work against this field) |
| host_region | us-east-1 | keyword | Name of the region the source device is located in |
| host_type_version | | keyword | Operating system version of host |
| host_virtfw_hostname | | keyword (normalized:loweronly) | For firewalls that operate as partitioned services, this is the name of the logical device |
| host_virtfw_id | | keyword | For firewalls that operate as partitioned services, this is the ID value of the logical device |
| host_virtfw_uid | | keyword | Unique identifier, such as a UUID value, representing a virtual host |
| host_vm_name | | keyword | Virtual system name (not to be confused with the hostname) |
Derived and Enriched Fields (values will be derived or added from external sources)

| Field Name | Example Values | Field Type | Notes |
|---|---|---|---|
| host_as_* | | | See: as_* fields |
| host_category | | keyword | Future: from entity mapping |
| host_geo_* | | | See: geo_* fields |
| host_location_name | Chicago, US, Datacenter 01, Bismark - Finance | keyword | Derived either from an internal enterprise network definition or from the geo location fields, if available |
| host_priority | critical, high, medium, low | keyword | Future: from entity mapping |
| host_priority_level | 2 | byte | Numeric value representing the priority of the host device: 1 = low, 2 = medium, 3 = high, 4 = critical |
| host_reference | IPv4, IPv6, hostname, FQDN | keyword (normalized:loweronly) | Automatically mapped from the following fields, in order: host_ip, host_hostname, host_vm_name, host_mac |
| host_type | | keyword | Machine "type" |
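The normalization rules spread across both tables (lower-cased hostnames, colon-delimited lower-case MACs, IPv6 landing in both host_ip and host_ipv6, the host_priority to host_priority_level mapping, and the host_reference precedence order) are easiest to read as one function. The following is an added example written for this page, not code from the schema's project; the raw-event key names (`ip`, `hostname`, `mac`, `vm_name`, `priority`) and the sample events are constructed here, and the schema itself says nothing about how raw events are shaped. It also demonstrates the CIDR caveat from the host_reference note by evaluating network membership only against the ip-typed host_ip field.

```python
import ipaddress
import re

# host_priority name -> host_priority_level, as given in the schema table.
PRIORITY_LEVELS = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Precedence for host_reference, as listed under "Derived and Enriched Fields".
REFERENCE_PRECEDENCE = ("host_ip", "host_hostname", "host_vm_name", "host_mac")

_TWELVE_HEX = re.compile(r"[0-9a-fA-F]{12}")


def normalize_mac(raw):
    """Return a colon-delimited, lower-case MAC, or None if raw is not a MAC.

    Accepts 02-A1-F9-C2-D5-04, 02a1.f9c2.d504, 02A1F9C2D504, etc.
    """
    if not raw:
        return None
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if not _TWELVE_HEX.fullmatch(digits):
        return None
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_ip(raw):
    """Return an ipaddress object for raw, or None if it is not a valid IP."""
    if not raw:
        return None
    try:
        return ipaddress.ip_address(raw.strip())
    except ValueError:
        return None


def derive_host_reference(fields):
    """Pick host_reference from the first populated field in precedence order."""
    for name in REFERENCE_PRECEDENCE:
        value = fields.get(name)
        if value:
            return value.lower()  # field is normalized:loweronly
    return None


def build_host_fields(raw):
    """Map a raw event dict (constructed key names, an assumption) to host_* fields."""
    fields = {}

    addr = parse_ip(raw.get("ip"))
    if addr is not None:
        fields["host_ip"] = str(addr)        # host_ip holds IPv4 and IPv6
        if addr.version == 6:
            fields["host_ipv6"] = str(addr)  # host_ipv6 holds only IPv6

    hostname = raw.get("hostname")
    if hostname:
        fields["host_hostname"] = hostname.strip().lower()

    mac = normalize_mac(raw.get("mac"))
    if mac:
        fields["host_mac"] = mac

    vm_name = raw.get("vm_name")
    if vm_name:
        fields["host_vm_name"] = vm_name.strip()

    priority = (raw.get("priority") or "").strip().lower()
    if priority in PRIORITY_LEVELS:
        fields["host_priority"] = priority
        fields["host_priority_level"] = PRIORITY_LEVELS[priority]

    reference = derive_host_reference(fields)
    if reference is not None:
        fields["host_reference"] = reference
    return fields


def host_in_cidr(fields, cidr):
    """CIDR membership is evaluated on host_ip (ip type); host_reference is a
    keyword and, as the schema notes, cannot be searched by CIDR."""
    value = fields.get("host_ip")
    if value is None:
        return False
    return ipaddress.ip_address(value) in ipaddress.ip_network(cidr, strict=False)


if __name__ == "__main__":
    # Constructed sample events, not taken from any real log source.
    samples = [
        {"ip": "fe80:5cc3:11:4::2c", "hostname": "CorpDC01.local",
         "mac": "02-A1-F9-C2-D5-04", "priority": "High"},
        {"hostname": "CORPDC01", "priority": "medium"},
        {"ip": "10.1.2.3", "mac": "02a1f9c2d504"},
    ]
    for event in samples:
        fields = build_host_fields(event)
        print(fields, "in 10.1.0.0/16:", host_in_cidr(fields, "10.1.0.0/16"))
```

The precedence order in `REFERENCE_PRECEDENCE` follows the second table (host_ip, host_hostname, host_vm_name, host_mac); the first table's shorter description (host_ip, then host_hostname) is a prefix of it, so both agree for events that carry an IP or a hostname.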