Logical Types

In Data Lake search, a logical type is a special field that maps to the appropriate data-schema field names for a particular category of field. Logical types are designed to remove the need to remember and specify a separate field name for every schema. A logical type is written with an @ prefix: a logical type specified as @<logical type name> automatically searches all of the event fields associated with it.

Logical Type Mappings

The following table lists all logical type mappings for reference.

| Logical type | Schema | Fields |
|---|---|---|
| @command | apicall | commandline |
| @command | auth | commandline |
| @command | filemod | commandline |
| @command | process | commandline, commandline_decoded |
| @command | threadinjection | commandline |
| @domain | detection | entities prefix: ipDomain, targetAuthDomainName, sourceAuthDomainName, authDomainName |
| @domain | auth | target_domain_name, source_domain_name, extra_targetoutbounddomainname |
| @domain | dnsquery | query_name |
| @hash | detection | entities prefix: fileMd5, fileSha1, fileSha256, programMd5, programSha1, programSha256, programSha512 |
| @hash | auth | process_file_hash, process_file_hash.md5, process_file_hash.sha1, process_file_hash.sha256, process_file_hash.sha512 |
| @hash | filemod | file_hash, parent_process_file_hash.md5, parent_process_file_hash.sha1, parent_process_file_hash.sha256, parent_process_file_hash.sha512, process_file_hash.md5, process_file_hash.sha1, process_file_hash.sha256, process_file_hash.sha512, file_hash.md5, file_hash.sha1, file_hash.sha256, file_hash.sha512 |
| @hash | process | program_hash.md5, program_hash.sha1, program_hash.sha256, program_hash.sha512, target_program.sha1_hash, host_program.sha1_hash |
| @host | detection | entities prefix: hostName |
| @host | auth | target_host_name, extra_targetservername, extra_workstationname |
| @host | managementevent | client_hostname, client_hostname_fqdn, target_hostname, target_hostname_fqdn |
| @host | process | process, computer_name |
| @ip | detection | entities prefix: destIpAddress, destIpGeo, ipAddress, sourceIpAddress, sourceIpGeo |
| @ip | auth | target_address, source_address |
| @ip | cloudaudit | source_address |
| @ip | dnsquery | source_address, destination_address |
| @ip | http | source_address, destination_address, true_source_address |
| @ip | netflow | source_address, destination_address, source_nat_address, destination_nat_address |
| @ip | nids | source_address, destination_address |
| @mac | http | source_mac, destination_mac |
| @mac | netflow | source_mac, destination_mac |
| @path | detection | entities prefix: fileName |
| @path | auth | process_filename |
| @path | command | host_program.path, host_program.user_path, host_program.native_path, program.path, program.user_path, program.native_path |
| @path | fileinfo | path, user_path, native_path |
| @path | filemod | file_name |
| @path | managementevent | script_file_path |
| @path | memoryallocation | file.path, file.user_path, file.native_path |
| @path | persistence | file.path, file.user_path, file.native_path, command.host_program.path, command.host_program.user_path, command.host_program.native_path, command.program.path, command.program.user_path, command.program.native_path, service.image_path, scheduled_task.action.path, shortcut.relative_path, shortcut.working_directory, shortcut.target_path, shortcut.file.path, shortcut.file.user_path, shortcut.file.native_path |
| @path | process | image_path, parent_image_path, allocations.file.path, allocations.file.user_path, allocations.file.native_path, modules.file.path, modules.file.user_path, modules.file.native_path, host_program.path, target_program.path, host_module.file.path, host_module.file.user_path, host_module.file.native_path |
| @path | processmodule | file.path, file.user_path, file.native_path |
| @path | scheduledtask | action.path |
| @path | scriptblock | interpreter_path |
| @path | service | image_path |
| @path | shortcut | relative_path, working_directory, target_path, file.path, file.user_path, file.native_path |
| @path | threadinjection | source_process_name, target_process_name |
| @port | auth | target_port, source_port |
| @port | http | source_port, destination_port |
| @port | netflow | source_port, destination_port, source_nat_port, destination_nat_port |
| @port | nids | source_port, destination_port |
| @raw | all event types | original_data (the complete raw log/message) |
| @url | cloudaudit | resources.resource_id |
| @user | detection | entities prefix: userName |
| @user | auth | target_user_name, source_user_name, extra_targetoutboundusername, extra_userprincipalname, extra_virtualaccount, extra_subject_domain_user_id, extra_target_domain_user_id |
| @user | cloudaudit | user_name |
| @user | managementevent | username |
| @user | process | username |
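To make the expansion described in the introduction concrete, here is an added Python sketch (example code, not the product's own implementation) that emulates how a `@hash`, `@ip` or `@raw` search is expanded per schema into the concrete fields from the table, including nested ones such as `file_hash.sha256`. The mapping subset, the constructed sample events and the exact-match semantics are assumptions of the example.

```python
from __future__ import annotations

# Subset of the mapping table above; "*" stands for the @raw row's "all event types".
LOGICAL_TYPES: dict[str, dict[str, list[str]]] = {
    "@hash": {
        "auth": ["process_file_hash", "process_file_hash.md5", "process_file_hash.sha1",
                 "process_file_hash.sha256", "process_file_hash.sha512"],
        "filemod": ["file_hash", "file_hash.md5", "file_hash.sha1", "file_hash.sha256",
                    "file_hash.sha512", "process_file_hash.sha256"],
        "process": ["program_hash.md5", "program_hash.sha1", "program_hash.sha256",
                    "program_hash.sha512", "target_program.sha1_hash"],
    },
    "@ip": {"auth": ["target_address", "source_address"],
            "netflow": ["source_address", "destination_address",
                        "source_nat_address", "destination_nat_address"]},
    "@raw": {"*": ["original_data"]},
}

def expand(logical: str, schema: str) -> list[str]:
    """Concrete field names a logical type searches in one schema (empty if none)."""
    per_schema = LOGICAL_TYPES.get(logical, {})
    return per_schema.get(schema, per_schema.get("*", []))

def resolve(event: dict, dotted: str):
    """Walk a dotted field name such as 'file_hash.sha256' through nested dicts;
    None when any segment is missing (or the parent is a flat value, not a dict)."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matching_fields(schema: str, event: dict, logical: str, value: str) -> list[str]:
    """Fields of a `schema` event where the logical type's value equals `value`.
    Exact string equality is an assumption of this example, not a product guarantee."""
    return [f for f in expand(logical, schema) if resolve(event, f) == value]

# Constructed sample events; hash values are placeholders, not real indicators.
SHA256 = "0" * 63 + "1"
SAMPLE_EVENTS = [
    ("filemod", {"file_hash": {"sha256": SHA256}, "process_file_hash": {"sha256": "ff" * 32}}),
    ("process", {"program_hash": {"sha256": SHA256}, "target_program": {"sha1_hash": "aa" * 20}}),
    ("netflow", {"source_address": "10.0.0.5", "original_data": "raw line"}),
]

def search(logical: str, value: str) -> dict[str, list[str]]:
    """One logical-type search over SAMPLE_EVENTS: schema -> fields that matched."""
    return {schema: hits for schema, event in SAMPLE_EVENTS
            if (hits := matching_fields(schema, event, logical, value))}
```

Note that the flat `file_hash` entry resolves to a dict in the filemod sample and therefore never equals the searched string; only its nested `file_hash.sha256` member matches, which is why the table lists both forms.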