OperatingSystem Schema

Note

Schema docs show the fields available for normalization. For a schema field to be populated in XDR, its corresponding field defined in the parser must exist in the original data. Normalized data shows in the Normalized Data tab of events and is searchable in XDR only if the corresponding field exists in the original data. The Schema Library in Advanced Search shows only searchable fields.

OperatingSystem

| Field | Type | Parser Field | Description |
|---|---|---|---|
| arch | OperatingSystem.Arch | arch$ | |
| os | OperatingSystem.OS | os$ | |
| metaos | OperatingSystem.MetaOS | metaos$ | |

OperatingSystem.Arch

| Name | Number | Description |
|---|---|---|
| ARCH_UNKNOWN | 0 | |
| ARCH_x86 | 1 | |
| ARCH_x64 | 2 | |
| ARCH_ARM64 | 3 | POWERPC RISC TI-86 |

OperatingSystem.MetaOS

| Name | Number | Description |
|---|---|---|
| METAOS_NONE | 0 | This identifier should help us identify how to handle things like path separators. |
| METAOS_POSIX | 1 | |
| METAOS_WINDOWS | 2 | BSD DARWIN |

OperatingSystem.OS

| Name | Number | Description |
|---|---|---|
| OS_UNKNOWN | 0 | |
| OS_MAC | 1 | |
| OS_LINUX | 2 | |
| OS_WINDOWS | 3 | |
| OS_IPHONE | 4 | |
| OS_ANDROID | 5 | |
| OS_IPAD | 6 | |