Logical Types
Logical types in Data Lake Search are special fields that map to the concrete field names under each data schema for a given category of data (commands, hashes, IP addresses, and so on). They remove the need to remember and spell out every individual field name for each relevant schema. Logical types are denoted with the @ prefix: a query written as @<logical type name> automatically searches all of the event fields mapped to that logical type.
Logical Type Mappings
The following table contains all logical type mappings for reference. Entries marked "entities prefix:" list field names that sit under the entities prefix of the detection schema.
| Logical type | Schema | Fields |
|---|---|---|
| @command | apicall | commandline |
| @command | auth | commandline |
| @command | filemod | commandline |
| @command | process | commandline, commandline_decoded |
| @command | threadinjection | commandline |
| @domain | detection | entities prefix: ipDomain, targetAuthDomainName, sourceAuthDomainName, authDomainName |
| @domain | auth | target_domain_name, source_domain_name, extra_targetoutbounddomainname |
| @domain | dnsquery | query_name |
| @hash | detection | entities prefix: fileMd5, fileSha1, fileSha256, programMd5, programSha1, programSha256, programSha512 |
| @hash | auth | process_file_hash, process_file_hash.md5, process_file_hash.sha1, process_file_hash.sha256, process_file_hash.sha512 |
| @hash | filemod | file_hash, parent_process_file_hash.md5, parent_process_file_hash.sha1, parent_process_file_hash.sha256, parent_process_file_hash.sha512, process_file_hash.md5, process_file_hash.sha1, process_file_hash.sha256, process_file_hash.sha512, file_hash.md5, file_hash.sha1, file_hash.sha256, file_hash.sha512 |
| @hash | process | program_hash.md5, program_hash.sha1, program_hash.sha256, program_hash.sha512, target_program.sha1_hash, host_program.sha1_hash |
| @host | detection | entities prefix: hostName |
| @host | auth | target_host_name, extra_targetservername, extra_workstationname |
| @host | managementevent | client_hostname, client_hostname_fqdn, target_hostname, target_hostname_fqdn |
| @host | process | process, computer_name |
| @ip | detection | entities prefix: destIpAddress, destIpGeo, ipAddress, sourceIpAddress, sourceIpGeo |
| @ip | auth | target_address, source_address |
| @ip | cloudaudit | source_address |
| @ip | dnsquery | source_address, destination_address |
| @ip | http | source_address, destination_address, true_source_address |
| @ip | netflow | source_address, destination_address, source_nat_address, destination_nat_address |
| @ip | nids | source_address, destination_address |
| @mac | http | source_mac, destination_mac |
| @mac | netflow | source_mac, destination_mac |
| @path | detection | entities prefix: fileName |
| @path | auth | process_filename |
| @path | command | host_program.path, host_program.user_path, host_program.native_path, program.path, program.user_path, program.native_path |
| @path | fileinfo | path, user_path, native_path |
| @path | filemod | file_name |
| @path | managementevent | script_file_path |
| @path | memoryallocation | file.path, file.user_path, file.native_path |
| @path | persistence | file.path, file.user_path, file.native_path, command.host_program.path, command.host_program.user_path, command.host_program.native_path, command.program.path, command.program.user_path, command.program.native_path, service.image_path, scheduled_task.action.path, shortcut.relative_path, shortcut.working_directory, shortcut.target_path, shortcut.file.path, shortcut.file.user_path, shortcut.file.native_path |
| @path | process | image_path, parent_image_path, allocations.file.path, allocations.file.user_path, allocations.file.native_path, modules.file.path, modules.file.user_path, modules.file.native_path, host_program.path, target_program.path, host_module.file.path, host_module.file.user_path, host_module.file.native_path |
| @path | processmodule | file.path, file.user_path, file.native_path |
| @path | scheduledtask | action.path |
| @path | scriptblock | interpreter_path |
| @path | service | image_path |
| @path | shortcut | relative_path, working_directory, target_path, file.path, file.user_path, file.native_path |
| @path | threadinjection | source_process_name, target_process_name |
| @port | auth | target_port, source_port |
| @port | http | source_port, destination_port |
| @port | netflow | source_port, destination_port, source_nat_port, destination_nat_port |
| @port | nids | source_port, destination_port |
| @raw | All event types | original_data (full raw log/message) |
| @url | cloudaudit | resources.resource_id |
| @user | detection | entities prefix: userName |
| @user | auth | target_user_name, source_user_name, extra_targetoutboundusername, extra_userprincipalname, extra_virtualaccount, extra_subject_domain_user_id, extra_target_domain_user_id |
| @user | cloudaudit | user_name |
| @user | managementevent | username |
| @user | process | username |
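To make the fan-out concrete, here is an added illustration (not code from the product or this page) that expands a logical type into the per-schema fields it covers, using the @hash and @ip rows copied from the table above. The `@type:value` clause syntax, the dot separator joining the detection schema's entities prefix to its field names, and the narrowing of hash sub-fields by digest length are all assumptions made for the example, not documented product behaviour.

```python
"""Expand a Data Lake Search logical type into the concrete schema fields it covers.

Added example. The mapping subset below is copied from the page's table; the
query clause syntax, the "entities." separator and the digest-length narrowing
are assumptions for illustration only.
"""
import re

# Subset of the page's mapping table: logical type -> schema -> (prefix, fields).
# Rows marked "entities prefix:" on the page keep the prefix separate here.
LOGICAL_TYPES = {
    "@hash": {
        "detection": ("entities", ["fileMd5", "fileSha1", "fileSha256", "programMd5",
                                   "programSha1", "programSha256", "programSha512"]),
        "auth": (None, ["process_file_hash", "process_file_hash.md5", "process_file_hash.sha1",
                        "process_file_hash.sha256", "process_file_hash.sha512"]),
        "process": (None, ["program_hash.md5", "program_hash.sha1", "program_hash.sha256",
                           "program_hash.sha512", "target_program.sha1_hash",
                           "host_program.sha1_hash"]),
    },
    "@ip": {
        "detection": ("entities", ["destIpAddress", "destIpGeo", "ipAddress",
                                   "sourceIpAddress", "sourceIpGeo"]),
        "auth": (None, ["target_address", "source_address"]),
        "dnsquery": (None, ["source_address", "destination_address"]),
    },
}

# Hex digest length -> algorithm name (assumed convention for narrowing).
HASH_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def hash_algorithm(value):
    """Return the digest algorithm implied by a hex string's length, or None."""
    if re.fullmatch(r"[0-9a-fA-F]+", value):
        return HASH_ALGO_BY_LEN.get(len(value))
    return None


def field_matches_algo(field, algo):
    """Keep fields tagged with `algo` and fields with no algorithm tag at all
    (e.g. process_file_hash), drop fields tagged with a different digest."""
    lowered = field.lower()
    markers = [m for m in HASH_ALGO_BY_LEN.values() if m in lowered]
    return not markers or algo in markers


def expand(logical_type, value, sep="."):
    """Return {schema: [field:value, ...]} for a `logical_type:value` query.

    For @hash with a recognisable hex digest, only sub-fields of the matching
    algorithm (plus untyped hash fields) are emitted, so one 40-hex value does
    not fan out to md5/sha256/sha512 fields that can never match it.
    """
    schemas = LOGICAL_TYPES[logical_type]
    algo = hash_algorithm(value) if logical_type == "@hash" else None
    clauses = {}
    for schema, (prefix, fields) in schemas.items():
        chosen = []
        for field in fields:
            if algo and not field_matches_algo(field, algo):
                continue
            name = f"{prefix}{sep}{field}" if prefix else field
            chosen.append(f"{name}:{value}")
        if chosen:
            clauses[schema] = chosen
    return clauses


if __name__ == "__main__":
    # Constructed sample values, not real indicators.
    for schema, clauses in expand("@hash", "a" * 40).items():
        print(schema, "->", " OR ".join(clauses))
    for schema, clauses in expand("@ip", "10.0.0.1").items():
        print(schema, "->", " OR ".join(clauses))
```

The point the expansion makes visible is that a single @hash or @ip term is really a disjunction over a dozen or more fields spread across several schemas, which is why the logical type exists and also why a query that genuinely needs one specific field (for example only the parent process hash in filemod) should name that field directly rather than use the logical type.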