# Investigate API metadata schema reference

Use this reference to identify available tables and fields when writing queries via `POST /api/v3.4/investigations/`. All table names require the `._all` suffix. Struct fields must use dot-notation in `WHERE` and `ORDER BY` clauses (e.g. `id.resp_h`, not `resp_h`). Use `timestamp` for time-based filtering in all tables.

{% hint style="success" icon="lightbulb" %}
**Tip**: This reference is written for the Investigate API, but the table and field names are identical to those used in the **SQL Search** or **Basic Search Filters** within the Investigate UI in the Vectra console. If you're building queries directly in the UI rather than via the API, this document applies equally — use the same table names, field names, and dot-notation rules.
{% endhint %}

## Query Constraints

#### Network Tables (`network.*._all`)

| Constraint         | Value                                                                                 |
| ------------------ | ------------------------------------------------------------------------------------- |
| Max lookback       | 14 days                                                                               |
| Max rows per query | 1,000                                                                                 |
| `LIMIT` clause     | Required in every query                                                               |
| Supported clauses  | `SELECT`, `FROM`, `WHERE`, `ORDER BY`, `LIMIT`, `UNION ALL`                           |
| Prohibited         | `JOIN`, plain `UNION`, subqueries, `GROUP BY`, `HAVING`, `INSERT`, `UPDATE`, `DELETE` |

#### Cloud Tables (`aws.*._all`, `azurecp.*._all`, `entra.*._all`, `m365.*._all`)

| Constraint         | Value                                                      |
| ------------------ | ---------------------------------------------------------- |
| Max lookback       | 14 days                                                    |
| Max rows per query | 1,000                                                      |
| `LIMIT` clause     | Required in every query                                    |
| Supported clauses  | `SELECT`, `FROM`, `WHERE`, `ORDER BY`, `LIMIT`, `GROUP BY` |

> **Struct dot-notation required** — In `WHERE` and `ORDER BY`, always use dot-notation for struct fields (e.g. `id.resp_h`, `user_identity.type`, `actor.name`). Using flat field names returns a 400 error.
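The constraints above are the ones that come back as request errors once a query is already on its way to `POST /api/v3.4/investigations/`. The following is an added example, not Vectra's own code: a small client-side linter that encodes the rules in the two tables and the dot-notation note (`._all` suffix, required `LIMIT` and the 1,000-row cap, prohibited clauses on `network.*` tables, the narrower clause list for cloud tables, bare `id.*` leaves in `WHERE`/`ORDER BY`, `ts` instead of `timestamp`, and the 14-day lookback). The sample queries, the `session_count >= 50` threshold, and the ISO-8601 form of timestamp literals are assumptions; the field names come from the table sections of this reference.

```python
"""Lint an Investigate API SQL query against the documented constraints (added example)."""
import re
from datetime import datetime, timedelta, timezone

MAX_ROWS = 1000
MAX_LOOKBACK = timedelta(days=14)
# Clauses the reference lists as prohibited for network.* tables
NETWORK_PROHIBITED = ("JOIN", "GROUP BY", "HAVING", "INSERT", "UPDATE", "DELETE")
# Clauses absent from the supported list for cloud tables
CLOUD_UNSUPPORTED = ("JOIN", "UNION", "HAVING", "INSERT", "UPDATE", "DELETE")
# Leaves of the `id` struct; a bare leaf in WHERE / ORDER BY returns a 400
ID_STRUCT_LEAVES = ("ip_ver", "orig_h", "orig_p", "resp_h", "resp_p")


def window_start(days=1, now=None):
    """UTC ISO-8601 string for `days` ago, used as a timestamp literal (assumed format)."""
    now = now or datetime.now(timezone.utc)
    return (now - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")


def lint_query(sql, now=None):
    """Return the list of documented rules the query breaks ([] means it passes)."""
    now = now or datetime.now(timezone.utc)
    text = " ".join(sql.split())  # collapse whitespace so the regexes see one line
    upper = text.upper()
    problems = []

    # Rule: every table name carries the ._all suffix (dedupe: UNION ALL repeats tables)
    tables = re.findall(r"\bFROM\s+([\w.]+)", text, flags=re.IGNORECASE)
    if not tables:
        problems.append("no FROM clause")
    for t in dict.fromkeys(tables):
        if not t.endswith("._all"):
            problems.append(f"table {t} is missing the ._all suffix")

    # Rule: clause support differs between network.* and cloud tables
    families = {"network" if t.startswith("network.") else "cloud" for t in tables}
    if "network" in families:
        for kw in NETWORK_PROHIBITED:
            if re.search(rf"\b{kw}\b", upper):
                problems.append(f"{kw} is prohibited on network tables")
        if re.search(r"\bUNION\b(?!\s+ALL\b)", upper):
            problems.append("plain UNION is prohibited on network tables (use UNION ALL)")
        if re.search(r"\(\s*SELECT\b", upper):
            problems.append("subqueries are prohibited on network tables")
    if "cloud" in families:
        for kw in CLOUD_UNSUPPORTED:
            if re.search(rf"\b{kw}\b", upper):
                problems.append(f"{kw} is not in the supported clause list for cloud tables")

    # Rule: LIMIT is required and cannot exceed the per-query row cap
    m = re.search(r"\bLIMIT\s+(\d+)", upper)
    if not m:
        problems.append("LIMIT clause is required in every query")
    elif int(m.group(1)) > MAX_ROWS:
        problems.append(f"LIMIT {m.group(1)} exceeds the {MAX_ROWS}-row maximum")

    # Rules on the filter/sort part: dot-notation for struct leaves, timestamp not ts,
    # and every lower time bound inside the 14-day lookback
    tail = re.split(r"\bWHERE\b|\bORDER BY\b", text, maxsplit=1, flags=re.IGNORECASE)
    clause = tail[1] if len(tail) > 1 else ""
    for leaf in ID_STRUCT_LEAVES:
        if re.search(rf"(?<![\w.]){leaf}\b", clause):
            problems.append(f"use dot-notation id.{leaf}, not {leaf}, in WHERE/ORDER BY")
    if re.search(r"(?<![\w.])ts\b", clause):
        problems.append("use timestamp, not ts, for time filtering")
    for literal in re.findall(r"\btimestamp\s*>=?\s*'([^']+)'", clause, flags=re.IGNORECASE):
        start = datetime.fromisoformat(literal.replace("Z", "+00:00"))
        if now - start > MAX_LOOKBACK:
            problems.append(f"timestamp bound {literal} is older than the 14-day lookback")
    return problems


def beacon_query(start):
    """Assumed sample: busiest beacon aggregates in the window, most sessions first."""
    return f"""
        SELECT timestamp, id.orig_h, id.resp_h, resp_domains, session_count, duration
        FROM network.beacon._all
        WHERE timestamp >= '{start}' AND session_count >= 50
        ORDER BY session_count DESC
        LIMIT 100"""


def cloudtrail_query(start):
    """Assumed sample: GROUP BY is allowed on cloud tables, so this passes the lint."""
    return f"""
        SELECT user_identity.type
        FROM aws.cloudtrail._all
        WHERE timestamp >= '{start}'
        GROUP BY user_identity.type
        LIMIT 50"""


# Constructed query that breaks five documented rules at once
BAD_DNS = """
    SELECT resp_h, query, rcode_name
    FROM network.dns
    WHERE resp_h = '10.0.0.53' AND ts >= '2020-01-01T00:00:00Z'
    GROUP BY resp_h"""

if __name__ == "__main__":
    start = window_start(days=1)
    for name, q in (("beacon", beacon_query(start)), ("dns (broken)", BAD_DNS)):
        print(name, lint_query(q) or "ok")
```

Run the linter before every submission; a query that returns `[]` still has to fit the real schema, but it will not fail on any of the constraints this page documents.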

## Available Tables

#### Network

* network.beacon.\_all
* network.dce\_rpc.\_all
* network.dhcp.\_all
* network.dns.\_all
* network.http.\_all
* network.isession.\_all
* network.kerberos.\_all
* network.ldap.\_all
* network.match.\_all
* network.ntlm.\_all
* network.radius.\_all
* network.rdp.\_all
* network.smb\_files.\_all
* network.smb\_mapping.\_all
* network.ssh.\_all
* network.ssl.\_all
* network.x509.\_all

#### AWS

* aws.cloudtrail.\_all

#### Azure Control Plane

* azurecp.operations.\_all

#### Microsoft Entra ID

* entra.signins.\_all
* entra.directoryaudits.\_all

#### Microsoft 365

* m365.exchange.\_all
* m365.sharepoint.\_all
* m365.general.\_all
* m365.active\_directory.\_all

## Network

Network metadata tables capture raw protocol-level activity observed by Vectra sensors on your network. Use these tables to investigate host behavior, lateral movement, command-and-control activity, and data exfiltration across protocols including DNS, HTTP, Kerberos, LDAP, SMB, and more.

### network.beacon.\_all

Aggregated beaconing pattern records — periodic automated sessions from internal hosts to external destinations, summarised per beacon\_uid.

#### Common Fields

| Column                    | Type        | Vectra-specific\* | Description                                                                                                          |
| ------------------------- | ----------- | ----------------- | -------------------------------------------------------------------------------------------------------------------- |
| `vectra_connector`        | `string`    | ✓                 | Sensor/connector identifier. Not documented in the Vectra metadata PDF.                                              |
| `id`                      | `struct`    |                   | Session 5-tuple                                                                                                      |
| `id.ip_ver`               | `string`    |                   | IP version — `"ipv4"` or `"ipv6"`                                                                                    |
| `id.orig_h`               | `string`    |                   | Originator (client) IP address                                                                                       |
| `id.orig_p`               | `number`    |                   | Originator source port                                                                                               |
| `id.resp_h`               | `string`    |                   | Responder (server) IP address                                                                                        |
| `id.resp_p`               | `number`    |                   | Responder destination port                                                                                           |
| `timestamp`               | `timestamp` |                   | Record timestamp (PDF documents as `ts` — use `timestamp` in all queries)                                            |
| `uid`                     | `string`    |                   | Unique session/connection ID (Zeek UID)                                                                              |
| `sensor_uid`              | `string`    | ✓                 | Short sensor identifier                                                                                              |
| `local_orig`              | `boolean`   |                   | True if originator IP is internal/RFC-1918                                                                           |
| `local_resp`              | `boolean`   |                   | True if responder IP is internal/RFC-1918                                                                            |
| `orig_sluid`              | `string`    | ✓                 | Originator subnet LUID                                                                                               |
| `orig_huid`               | `string`    | ✓                 | Originator host LUID                                                                                                 |
| `orig_hostname`           | `struct`    | ✓                 | Vectra host record for originator                                                                                    |
| `orig_hostname.id`        | `number`    | ✓                 | Vectra host entity ID — links to `GET /api/v3.4/hosts/{id}`                                                          |
| `orig_hostname.name`      | `string`    | ✓                 | Host display name                                                                                                    |
| `orig_hostname.host_luid` | `string`    | ✓                 | Host LUID                                                                                                            |
| `dt`                      | `string`    | ✓                 | Date partition field (YYYY-MM-DD). Use `timestamp` for sub-day precision. Not documented in the Vectra metadata PDF. |

#### Table-Specific Fields

| Column             | Type            | Vectra-specific\* | Description                                                                     |
| ------------------ | --------------- | ----------------- | ------------------------------------------------------------------------------- |
| `beacon_uid`       | `string`        | ✓                 | Unique identifier for this beacon aggregate                                     |
| `beacon_type`      | `string`        | ✓                 | Beacon classification. Known value: `single_resp_multiple_sessions`             |
| `duration`         | `number`        |                   | Total duration of the beacon\_uid in milliseconds                               |
| `first_event_time` | `timestamp`     |                   | Timestamp of the first observed session for this beacon\_uid                    |
| `last_event_time`  | `timestamp`     |                   | Timestamp of the last observed session for this beacon\_uid                     |
| `ja3`              | `string`        |                   | JA3 hash of the TLS client fingerprint based on SSL parameters                  |
| `orig_ip_bytes`    | `number`        |                   | Total bytes sent originator → responder across all sessions in this beacon\_uid |
| `proto`            | `number`        |                   | L4 protocol number — 6 (TCP), 17 (UDP)                                          |
| `proto_name`       | `string`        |                   | L4 protocol name — `"TCP"` or `"UDP"`                                           |
| `resp_domains`     | `array[string]` |                   | Responder domains observed across sessions in this beacon\_uid                  |
| `resp_ip_bytes`    | `number`        |                   | Total bytes sent responder → originator across all sessions in this beacon\_uid |
| `service`          | `string`        |                   | Inferred application service (e.g. `"tls"`, `"http"`)                           |
| `session_count`    | `number`        |                   | Number of individual sessions aggregated into this beacon\_uid                  |

### network.dce\_rpc.\_all

Microsoft DCE/RPC protocol records — each row is one RPC call, useful for detecting lateral movement, credential abuse, and remote execution via Windows RPC interfaces.

#### Common Fields

| Column                    | Type        | Vectra-specific\* | Description                                                                                                          |
| ------------------------- | ----------- | ----------------- | -------------------------------------------------------------------------------------------------------------------- |
| `vectra_connector`        | `string`    | ✓                 | Sensor/connector identifier. Not documented in the Vectra metadata PDF.                                              |
| `id`                      | `struct`    |                   | Session 5-tuple                                                                                                      |
| `id.ip_ver`               | `string`    |                   | IP version — `"ipv4"` or `"ipv6"`                                                                                    |
| `id.orig_h`               | `string`    |                   | Originator (client) IP address                                                                                       |
| `id.orig_p`               | `number`    |                   | Originator source port                                                                                               |
| `id.resp_h`               | `string`    |                   | Responder (server) IP address                                                                                        |
| `id.resp_p`               | `number`    |                   | Responder destination port                                                                                           |
| `timestamp`               | `timestamp` |                   | Record timestamp (PDF documents as `ts` — use `timestamp` in all queries)                                            |
| `uid`                     | `string`    |                   | Unique session/connection ID (Zeek UID)                                                                              |
| `sensor_uid`              | `string`    | ✓                 | Short sensor identifier                                                                                              |
| `local_orig`              | `boolean`   |                   | True if originator IP is internal/RFC-1918                                                                           |
| `local_resp`              | `boolean`   |                   | True if responder IP is internal/RFC-1918                                                                            |
| `orig_sluid`              | `string`    | ✓                 | Originator subnet LUID                                                                                               |
| `resp_sluid`              | `string`    | ✓                 | Responder subnet LUID (empty for external hosts)                                                                     |
| `orig_huid`               | `string`    | ✓                 | Originator host LUID                                                                                                 |
| `resp_huid`               | `string`    | ✓                 | Responder host LUID (null for external hosts)                                                                        |
| `orig_hostname`           | `struct`    | ✓                 | Vectra host record for originator                                                                                    |
| `orig_hostname.id`        | `number`    | ✓                 | Vectra host entity ID — links to `GET /api/v3.4/hosts/{id}`                                                          |
| `orig_hostname.name`      | `string`    | ✓                 | Host display name                                                                                                    |
| `orig_hostname.host_luid` | `string`    | ✓                 | Host LUID                                                                                                            |
| `resp_hostname`           | `struct`    | ✓                 | Vectra host record for responder (null fields for external IPs)                                                      |
| `resp_hostname.id`        | `number`    | ✓                 | Vectra host entity ID                                                                                                |
| `resp_hostname.name`      | `string`    | ✓                 | Host display name                                                                                                    |
| `resp_hostname.host_luid` | `string`    | ✓                 | Host LUID                                                                                                            |
| `dt`                      | `string`    | ✓                 | Date partition field (YYYY-MM-DD). Use `timestamp` for sub-day precision. Not documented in the Vectra metadata PDF. |

#### Table-Specific Fields

| Column      | Type     | Vectra-specific\* | Description                                                                                      |
| ----------- | -------- | ----------------- | ------------------------------------------------------------------------------------------------ |
| `username`  | `string` | ✓                 | Username or account name observed. Names ending in `$` are machine accounts.                     |
| `hostname`  | `string` | ✓                 | Hostname on which the user logged in                                                             |
| `domain`    | `string` | ✓                 | Domain of the host                                                                               |
| `rtt`       | `number` |                   | Round-trip time of request–response in microseconds                                              |
| `endpoint`  | `string` |                   | Endpoint (interface) name looked up from UUID (e.g. `lsarpc`, `IXnRemote`, `IWbemLoginClientID`) |
| `operation` | `string` |                   | Operation seen in the call (e.g. `LsarLookupSids3`, `RemoteCreateInstance`)                      |

### network.dhcp.\_all

DHCP transaction records — tracks IP-to-hostname and IP-to-MAC mappings over time.

#### Common Fields

| Column                    | Type        | Vectra-specific\* | Description                                                                                                          |
| ------------------------- | ----------- | ----------------- | -------------------------------------------------------------------------------------------------------------------- |
| `vectra_connector`        | `string`    | ✓                 | Sensor/connector identifier. Not documented in the Vectra metadata PDF.                                              |
| `timestamp`               | `timestamp` |                   | Record timestamp (PDF documents as `ts` — use `timestamp` in all queries)                                            |
| `uid`                     | `string`    |                   | Unique session/connection ID (Zeek UID)                                                                              |
| `sensor_uid`              | `string`    | ✓                 | Short sensor identifier                                                                                              |
| `orig_sluid`              | `string`    | ✓                 | Originator subnet LUID                                                                                               |
| `orig_huid`               | `string`    | ✓                 | Originator host LUID                                                                                                 |
| `orig_hostname`           | `struct`    | ✓                 | Vectra host record for originator                                                                                    |
| `orig_hostname.id`        | `number`    | ✓                 | Vectra host entity ID — links to `GET /api/v3.4/hosts/{id}`                                                          |
| `orig_hostname.name`      | `string`    | ✓                 | Host display name                                                                                                    |
| `orig_hostname.host_luid` | `string`    | ✓                 | Host LUID                                                                                                            |
| `dt`                      | `string`    | ✓                 | Date partition field (YYYY-MM-DD). Use `timestamp` for sub-day precision. Not documented in the Vectra metadata PDF. |

#### Table-Specific Fields

| Column           | Type            | Vectra-specific\* | Description                                                                                                               |
| ---------------- | --------------- | ----------------- | ------------------------------------------------------------------------------------------------------------------------- |
| `mac`            | `string`        |                   | MAC address from the DHCP request                                                                                         |
| `assigned_ip`    | `string`        |                   | IP address assigned in the DHCP response                                                                                  |
| `trans_id`       | `number`        |                   | DHCP transaction ID                                                                                                       |
| `lease_time`     | `number`        |                   | DHCP lease time in seconds (DHCP Option 51)                                                                               |
| `server_addr`    | `string`        |                   | DHCP server IP address. **Note:** PDF documents this field as `dhcp_server_ip` — actual live field name is `server_addr`. |
| `dns_server_ips` | `array[string]` | ✓                 | DNS server IPs from DHCP Option 6                                                                                         |
| `hour`           | `number`        | ✓                 | Hour of day (0–23) for the record. Not documented in PDF.                                                                 |

***

### network.dns.\_all

DNS query and response records — provide visibility into domain resolution activity, including queries, responses, and resolution outcomes.

#### Common Fields

| Column                    | Type        | Vectra-specific\* | Description                                                                                                          |
| ------------------------- | ----------- | ----------------- | -------------------------------------------------------------------------------------------------------------------- |
| `vectra_connector`        | `string`    | ✓                 | Sensor/connector identifier. Not documented in the Vectra metadata PDF.                                              |
| `id`                      | `struct`    |                   | Session 5-tuple                                                                                                      |
| `id.ip_ver`               | `string`    |                   | IP version — `"ipv4"` or `"ipv6"`                                                                                    |
| `id.orig_h`               | `string`    |                   | Originator (client) IP address                                                                                       |
| `id.orig_p`               | `number`    |                   | Originator source port                                                                                               |
| `id.resp_h`               | `string`    |                   | Responder (server) IP address                                                                                        |
| `id.resp_p`               | `number`    |                   | Responder destination port                                                                                           |
| `timestamp`               | `timestamp` |                   | Record timestamp (PDF documents as `ts` — use `timestamp` in all queries)                                            |
| `uid`                     | `string`    |                   | Unique session/connection ID (Zeek UID)                                                                              |
| `sensor_uid`              | `string`    | ✓                 | Short sensor identifier                                                                                              |
| `local_orig`              | `boolean`   |                   | True if originator IP is internal/RFC-1918                                                                           |
| `local_resp`              | `boolean`   |                   | True if responder IP is internal/RFC-1918                                                                            |
| `orig_sluid`              | `string`    | ✓                 | Originator subnet LUID                                                                                               |
| `resp_sluid`              | `string`    | ✓                 | Responder subnet LUID (empty for external hosts)                                                                     |
| `orig_huid`               | `string`    | ✓                 | Originator host LUID                                                                                                 |
| `resp_huid`               | `string`    | ✓                 | Responder host LUID (null for external hosts)                                                                        |
| `orig_hostname`           | `struct`    | ✓                 | Vectra host record for originator                                                                                    |
| `orig_hostname.id`        | `number`    | ✓                 | Vectra host entity ID — links to `GET /api/v3.4/hosts/{id}`                                                          |
| `orig_hostname.name`      | `string`    | ✓                 | Host display name                                                                                                    |
| `orig_hostname.host_luid` | `string`    | ✓                 | Host LUID                                                                                                            |
| `resp_hostname`           | `struct`    | ✓                 | Vectra host record for responder (null fields for external IPs)                                                      |
| `resp_hostname.id`        | `number`    | ✓                 | Vectra host entity ID                                                                                                |
| `resp_hostname.name`      | `string`    | ✓                 | Host display name                                                                                                    |
| `resp_hostname.host_luid` | `string`    | ✓                 | Host LUID                                                                                                            |
| `dt`                      | `string`    | ✓                 | Date partition field (YYYY-MM-DD). Use `timestamp` for sub-day precision. Not documented in the Vectra metadata PDF. |

#### Table-Specific Fields

| Column          | Type            | Vectra-specific\* | Description                                                                                          |
| --------------- | --------------- | ----------------- | ---------------------------------------------------------------------------------------------------- |
| `proto`         | `number`        |                   | Protocol of DNS transaction — 6 (TCP) or 17 (UDP)                                                    |
| `trans_id`      | `number`        |                   | 16-bit transaction ID assigned by DNS client                                                         |
| `query`         | `string`        |                   | Domain name queried. PDF note: may contain base64-encoded data if the domain contains invalid UTF-8. |
| `qclass`        | `number`        |                   | Query class value (e.g. 1 = Internet \[IN])                                                          |
| `qclass_name`   | `string`        |                   | Query class name (e.g. `"Internet (IN)"`)                                                            |
| `qtype`         | `number`        |                   | Query type value (e.g. 1=A, 28=AAAA, 12=PTR, 16=TXT)                                                 |
| `qtype_name`    | `string`        |                   | Query type name (e.g. `"A"`, `"AAAA"`, `"PTR"`, `"TXT"`)                                             |
| `rcode`         | `number`        |                   | Response code value                                                                                  |
| `rcode_name`    | `string`        |                   | Response code name (e.g. `"NoError"`, `"NXDOMAIN"`, `"NODATA"`)                                      |
| `rejected`      | `boolean`       |                   | True if the DNS query was rejected by the server                                                     |
| `total_answers` | `number`        |                   | Total number of resource records in the reply answer section                                         |
| `total_replies` | `number`        |                   | Total number of resource records in reply answer, authority, and additional sections                 |
| `saw_query`     | `boolean`       |                   | True if the full DNS query was observed                                                              |
| `saw_reply`     | `boolean`       |                   | True if the full DNS reply was observed                                                              |
| `answers`       | `array[string]` |                   | List of answers to the query. May contain base64-encoded data if answers contain invalid UTF-8.      |
| `answers_error` | `string`        | ✓                 | Error information for answer parsing failures. Not documented in PDF.                                |
| `auth`          | `array[string]` |                   | List of authoritative responses for the query                                                        |
| `ttls`          | `array[number]` |                   | List of TTL values from the answers. PDF: `TTLs`                                                     |
| `aa`            | `boolean`       |                   | Authoritative answer — True if server is authoritative for the query. PDF: `AA`                      |
| `tc`            | `boolean`       |                   | Truncation flag — True if the message was truncated. PDF: `TC`                                       |
| `rd`            | `boolean`       |                   | Recursion desired — True if recursive lookup requested. PDF: `RD`                                    |
| `ra`            | `boolean`       |                   | Recursion available — True if server supports recursive queries. PDF: `RA`                           |

### network.http.\_all

HTTP session records — URIs, methods, user-agents, response codes, and data volumes.

#### Common Fields

| Column                    | Type        | Vectra-specific\* | Description                                                                                                          |
| ------------------------- | ----------- | ----------------- | -------------------------------------------------------------------------------------------------------------------- |
| `vectra_connector`        | `string`    | ✓                 | Sensor/connector identifier. Not documented in the Vectra metadata PDF.                                              |
| `id`                      | `struct`    |                   | Session 5-tuple                                                                                                      |
| `id.ip_ver`               | `string`    |                   | IP version — `"ipv4"` or `"ipv6"`                                                                                    |
| `id.orig_h`               | `string`    |                   | Originator (client) IP address                                                                                       |
| `id.orig_p`               | `number`    |                   | Originator source port                                                                                               |
| `id.resp_h`               | `string`    |                   | Responder (server) IP address                                                                                        |
| `id.resp_p`               | `number`    |                   | Responder destination port                                                                                           |
| `timestamp`               | `timestamp` |                   | Record timestamp (PDF documents as `ts` — use `timestamp` in all queries)                                            |
| `uid`                     | `string`    |                   | Unique session/connection ID (Zeek UID)                                                                              |
| `sensor_uid`              | `string`    | ✓                 | Short sensor identifier                                                                                              |
| `local_orig`              | `boolean`   |                   | True if originator IP is internal/RFC-1918                                                                           |
| `local_resp`              | `boolean`   |                   | True if responder IP is internal/RFC-1918                                                                            |
| `orig_sluid`              | `string`    | ✓                 | Originator subnet LUID                                                                                               |
| `resp_sluid`              | `string`    | ✓                 | Responder subnet LUID (empty for external hosts)                                                                     |
| `orig_huid`               | `string`    | ✓                 | Originator host LUID                                                                                                 |
| `resp_huid`               | `string`    | ✓                 | Responder host LUID (null for external hosts)                                                                        |
| `orig_hostname`           | `struct`    | ✓                 | Vectra host record for originator                                                                                    |
| `orig_hostname.id`        | `number`    | ✓                 | Vectra host entity ID — links to `GET /api/v3.4/hosts/{id}`                                                          |
| `orig_hostname.name`      | `string`    | ✓                 | Host display name                                                                                                    |
| `orig_hostname.host_luid` | `string`    | ✓                 | Host LUID                                                                                                            |
| `resp_hostname`           | `struct`    | ✓                 | Vectra host record for responder (null fields for external IPs)                                                      |
| `resp_hostname.id`        | `number`    | ✓                 | Vectra host entity ID                                                                                                |
| `resp_hostname.name`      | `string`    | ✓                 | Host display name                                                                                                    |
| `resp_hostname.host_luid` | `string`    | ✓                 | Host LUID                                                                                                            |
| `dt`                      | `string`    | ✓                 | Date partition field (YYYY-MM-DD). Use `timestamp` for sub-day precision. Not documented in the Vectra metadata PDF. |

#### Table-Specific Fields

| Column                         | Type            | Vectra-specific\* | Description                                                                              |
| ------------------------------ | --------------- | ----------------- | ---------------------------------------------------------------------------------------- |
| `method`                       | `string`        |                   | HTTP request method (e.g. `"GET"`, `"POST"`, `"PUT"`)                                    |
| `host`                         | `string`        |                   | Value of the Host header, truncated to 256 bytes                                         |
| `host_multihomed`              | `boolean`       | ✓                 | True if the Host header name has been observed associated with multiple IP addresses     |
| `uri`                          | `string`        |                   | URI in the request, truncated to 512 bytes                                               |
| `referrer`                     | `string`        |                   | Referrer header value, truncated to 256 bytes                                            |
| `user_agent`                   | `string`        |                   | User-Agent header value, truncated to 512 bytes                                          |
| `request_body_len`             | `number`        |                   | HTTP payload bytes in request                                                            |
| `response_body_len`            | `number`        |                   | HTTP payload bytes in response                                                           |
| `status_code`                  | `number`        |                   | HTTP response status code (e.g. 200, 404, 500)                                           |
| `status_msg`                   | `string`        |                   | HTTP response status message (e.g. `"OK"`, `"Not Found"`)                                |
| `resp_filename`                | `string`        |                   | Name of the file returned by the server, if any                                          |
| `proxied`                      | `array[string]` |                   | Value of X-Forwarded-For header (e.g. `X-FORWARDED-FOR -> 10.10.15.192`)                 |
| `is_proxied`                   | `boolean`       | ✓                 | True if the request is a proxied request                                                 |
| `orig_mime_types`              | `array[string]` |                   | Content-Type headers in originator request                                               |
| `resp_mime_types`              | `array[string]` |                   | Content-Type headers in response (truncated to 256 bytes)                                |
| `cookie`                       | `string`        | ✓                 | Value of the Cookie header, truncated to 256 bytes                                       |
| `response_content_disposition` | `string`        |                   | Value of Content-Disposition header in response (e.g. `attachment; filename="file.jpg"`) |
| `request_header_count`         | `number`        | ✓                 | Count of headers in request                                                              |
| `response_header_count`        | `number`        | ✓                 | Count of headers in response                                                             |
| `cookie_vars`                  | `array[string]` | ✓                 | Variables in the cookie field (without values)                                           |
| `orig_ip_bytes`                | `number`        | ✓                 | Bytes sent by originator to responder                                                    |
| `resp_ip_bytes`                | `number`        | ✓                 | Bytes sent by responder to originator                                                    |
| `orig_pkts`                    | `number`        | ✓                 | Number of packets sent from originator to responder                                      |
| `resp_pkts`                    | `number`        |                   | Number of packets sent from responder to originator                                      |
| `request_cache_control`        | `string`        | ✓                 | Cache-Control header in request (truncated to 256 bytes)                                 |
| `response_cache_control`       | `string`        | ✓                 | Cache-Control header in response (truncated to 256 bytes)                                |
| `response_expires`             | `string`        | ✓                 | Expires header in response                                                               |
| `ja4h`                         | `string`        |                   | JA4H fingerprint of the HTTP client                                                      |
| `accept`                       | `string`        |                   | Value of the Accept header, truncated to 256 bytes                                       |
| `accept_encoding`              | `string`        |                   | Value of the Accept-Encoding header, truncated to 256 bytes                              |
| `post_data`                    | `string`        |                   | Binary data of the POST request body, truncated to 2 KB                                  |

### network.isession.\_all

IP sessions across all protocols — the broadest network table, highest volume; use for traffic baselines and protocol analysis.

#### Common Fields

| Column                    | Type        | Vectra-specific\* | Description                                                                                                          |
| ------------------------- | ----------- | ----------------- | -------------------------------------------------------------------------------------------------------------------- |
| `vectra_connector`        | `string`    | ✓                 | Sensor/connector identifier. Not documented in the Vectra metadata PDF.                                              |
| `id`                      | `struct`    |                   | Session 5-tuple                                                                                                      |
| `id.ip_ver`               | `string`    |                   | IP version — `"ipv4"` or `"ipv6"`                                                                                    |
| `id.orig_h`               | `string`    |                   | Originator (client) IP address                                                                                       |
| `id.orig_p`               | `number`    |                   | Originator source port                                                                                               |
| `id.resp_h`               | `string`    |                   | Responder (server) IP address                                                                                        |
| `id.resp_p`               | `number`    |                   | Responder destination port                                                                                           |
| `timestamp`               | `timestamp` |                   | Record timestamp (documented as `ts` in the Vectra metadata PDF; use `timestamp` in all queries)                     |
| `uid`                     | `string`    |                   | Unique session/connection ID (Zeek UID)                                                                              |
| `sensor_uid`              | `string`    | ✓                 | Short sensor identifier                                                                                              |
| `local_orig`              | `boolean`   |                   | True if originator IP is internal/RFC-1918                                                                           |
| `local_resp`              | `boolean`   |                   | True if responder IP is internal/RFC-1918                                                                            |
| `orig_sluid`              | `string`    | ✓                 | Originator subnet LUID                                                                                               |
| `resp_sluid`              | `string`    | ✓                 | Responder subnet LUID (empty for external hosts)                                                                     |
| `orig_huid`               | `string`    | ✓                 | Originator host LUID                                                                                                 |
| `resp_huid`               | `string`    | ✓                 | Responder host LUID (null for external hosts)                                                                        |
| `orig_hostname`           | `struct`    | ✓                 | Vectra host record for originator                                                                                    |
| `orig_hostname.id`        | `number`    | ✓                 | Vectra host entity ID — links to `GET /api/v3.4/hosts/{id}`                                                          |
| `orig_hostname.name`      | `string`    | ✓                 | Host display name                                                                                                    |
| `orig_hostname.host_luid` | `string`    | ✓                 | Host LUID                                                                                                            |
| `resp_hostname`           | `struct`    | ✓                 | Vectra host record for responder (null fields for external IPs)                                                      |
| `resp_hostname.id`        | `number`    | ✓                 | Vectra host entity ID                                                                                                |
| `resp_hostname.name`      | `string`    | ✓                 | Host display name                                                                                                    |
| `resp_hostname.host_luid` | `string`    | ✓                 | Host LUID                                                                                                            |
| `dt`                      | `string`    | ✓                 | Date partition field (YYYY-MM-DD). Use `timestamp` for sub-day precision. Not documented in the Vectra metadata PDF. |

#### Table-Specific Fields

| Column                          | Type            | Vectra-specific\* | Description                                                                                              |
| ------------------------------- | --------------- | ----------------- | -------------------------------------------------------------------------------------------------------- |
| `proto`                         | `number`        |                   | IP protocol number (6=TCP, 17=UDP, 1=ICMP)                                                               |
| `proto_name`                    | `string`        |                   | Protocol name — `"TCP"`, `"UDP"`, `"ICMP"`                                                               |
| `service`                       | `string`        |                   | Inferred application service (e.g. `"dns"`, `"http"`, `"tls"`, `"ssl"`)                                  |
| `duration`                      | `number`        |                   | Session duration in milliseconds                                                                         |
| `conn_state`                    | `string`        |                   | Zeek connection state code — see Key Notes for values                                                    |
| `orig_pkts`                     | `number`        |                   | Packet count, originator → responder                                                                     |
| `orig_ip_bytes`                 | `number`        |                   | IP byte count, originator → responder                                                                    |
| `resp_pkts`                     | `number`        |                   | Packet count, responder → originator                                                                     |
| `resp_ip_bytes`                 | `number`        |                   | IP byte count, responder → originator                                                                    |
| `resp_domain`                   | `string`        | ✓                 | Calculated from TLS SNI, HTTP Host, or destination IP name, in that order. PDF name: `resp_domain*`.     |
| `resp_multihomed`               | `boolean`       | ✓                 | True if responder IP resolves to multiple hosts                                                          |
| `orig_vlan_id`                  | `number`        | ✓                 | VLAN ID for originator segment                                                                           |
| `resp_vlan_id`                  | `number`        | ✓                 | VLAN ID for responder segment                                                                            |
| `first_orig_resp_pkt_time`      | `timestamp`     | ✓                 | Timestamp of first packet: originator → responder                                                        |
| `first_resp_orig_pkt_time`      | `timestamp`     | ✓                 | Timestamp of first packet: responder → originator                                                        |
| `first_orig_resp_data_pkt_time` | `timestamp`     | ✓                 | Timestamp of first data packet: originator → responder                                                   |
| `first_resp_orig_data_pkt_time` | `timestamp`     | ✓                 | Timestamp of first data packet: responder → originator                                                   |
| `session_start_time`            | `timestamp`     |                   | Session start timestamp (second precision)                                                               |
| `first_orig_resp_data_pkt`      | `string`        | ✓                 | First data payload, originator → responder (base64 encoded)                                              |
| `first_resp_orig_data_pkt`      | `string`        | ✓                 | First data payload, responder → originator (base64 encoded)                                              |
| `application`                   | `array[string]` |                   | Detected application layer protocols (e.g. `["http2"]`)                                                  |
| `dir_confidence`                | `number`        | ✓                 | Confidence score (0–100) for traffic direction classification                                            |
| `ja4lc`                         | `string`        |                   | JA4L fingerprint of the client's light distance                                                          |
| `ja4ls`                         | `string`        |                   | JA4LS fingerprint of the server's light distance                                                         |
| `ja4t`                          | `string`        |                   | JA4T fingerprint of the client's TCP SYN packet                                                          |
| `ja4ts`                         | `string`        |                   | JA4TS fingerprint of the server's TCP SYN ACK packet(s)                                                  |
| `proxy_to_internal_dst`         | `boolean`       | ✓                 | True if session is proxied to an internal destination                                                    |
| `client_luid_proxy`             | `boolean`       | ✓                 | True if the source address of the connection has been learned as a proxy                                 |
| `server_luid_proxy`             | `boolean`       | ✓                 | True if the destination address of the connection has been learned as a proxy                            |

### network.kerberos.\_all

Kerberos authentication events — including AS-REQ and TGS-REQ flows — provide visibility into ticket-issuance patterns and support security investigations of Kerberos-based attack techniques.

#### Common Fields

| Column                    | Type        | Vectra-specific\* | Description                                                                                                          |
| ------------------------- | ----------- | ----------------- | -------------------------------------------------------------------------------------------------------------------- |
| `vectra_connector`        | `string`    | ✓                 | Sensor/connector identifier. Not documented in the Vectra metadata PDF.                                              |
| `id`                      | `struct`    |                   | Session 5-tuple                                                                                                      |
| `id.ip_ver`               | `string`    |                   | IP version — `"ipv4"` or `"ipv6"`                                                                                    |
| `id.orig_h`               | `string`    |                   | Originator (client) IP address                                                                                       |
| `id.orig_p`               | `number`    |                   | Originator source port                                                                                               |
| `id.resp_h`               | `string`    |                   | Responder (server) IP address                                                                                        |
| `id.resp_p`               | `number`    |                   | Responder destination port                                                                                           |
| `timestamp`               | `timestamp` |                   | Record timestamp (documented as `ts` in the Vectra metadata PDF; use `timestamp` in all queries)                     |
| `uid`                     | `string`    |                   | Unique session/connection ID (Zeek UID)                                                                              |
| `sensor_uid`              | `string`    | ✓                 | Short sensor identifier                                                                                              |
| `local_orig`              | `boolean`   |                   | True if originator IP is internal/RFC-1918                                                                           |
| `local_resp`              | `boolean`   |                   | True if responder IP is internal/RFC-1918                                                                            |
| `orig_sluid`              | `string`    | ✓                 | Originator subnet LUID                                                                                               |
| `resp_sluid`              | `string`    | ✓                 | Responder subnet LUID (empty for external hosts)                                                                     |
| `orig_huid`               | `string`    | ✓                 | Originator host LUID                                                                                                 |
| `resp_huid`               | `string`    | ✓                 | Responder host LUID (null for external hosts)                                                                        |
| `orig_hostname`           | `struct`    | ✓                 | Vectra host record for originator                                                                                    |
| `orig_hostname.id`        | `number`    | ✓                 | Vectra host entity ID — links to `GET /api/v3.4/hosts/{id}`                                                          |
| `orig_hostname.name`      | `string`    | ✓                 | Host display name                                                                                                    |
| `orig_hostname.host_luid` | `string`    | ✓                 | Host LUID                                                                                                            |
| `resp_hostname`           | `struct`    | ✓                 | Vectra host record for responder (null fields for external IPs)                                                      |
| `resp_hostname.id`        | `number`    | ✓                 | Vectra host entity ID                                                                                                |
| `resp_hostname.name`      | `string`    | ✓                 | Host display name                                                                                                    |
| `resp_hostname.host_luid` | `string`    | ✓                 | Host LUID                                                                                                            |
| `dt`                      | `string`    | ✓                 | Date partition field (YYYY-MM-DD). Use `timestamp` for sub-day precision. Not documented in the Vectra metadata PDF. |

#### Table-Specific Fields

| Column                         | Type            | Vectra-specific\* | Description                                                                                                |
| ------------------------------ | --------------- | ----------------- | ---------------------------------------------------------------------------------------------------------- |
| `data_source`                  | `string`        |                   | Source of the record — `"network"` or `"log"`                                                              |
| `request_type`                 | `string`        |                   | Type of Kerberos request — `"AS"` (initial auth) or `"TGS"` (service ticket)                               |
| `client`                       | `string`        |                   | Client name including realm (e.g. `Administrator/ARCHER.LOCAL`)                                            |
| `service`                      | `string`        |                   | Service being requested including realm (e.g. `krbtgt/ARCHER.LOCAL`)                                       |
| `success`                      | `boolean`       |                   | True if the Kerberos request was successful                                                                |
| `error_code`                   | `number`        |                   | Error code if not a success                                                                                |
| `error_msg`                    | `string`        |                   | Error message if not a success                                                                             |
| `protocol`                     | `number`        | ✓                 | L4 protocol — 6 (TCP) or 17 (UDP). Note: the field is named `protocol`, not `proto`, in this table.       |
| `reply_timestamp`              | `timestamp`     | ✓                 | Timestamp of the Kerberos reply message                                                                    |
| `orig_host_observed_privilege` | `number`        | ✓                 | Privilege level observed for account operating from this host. Scores: Low (1,2), Medium (3–7), High (8,9) |
| `req_ciphers`                  | `array[string]` |                   | Ordered list of encryption types requested by the client                                                   |
| `rep_cipher`                   | `string`        |                   | Encryption type selected in the reply message                                                              |
| `account_uid`                  | `string`        | ✓                 | Account unique identifier in `principal@REALM` format                                                      |
| `service_uid`                  | `string`        | ✓                 | Service unique identifier in `principal@REALM` format                                                      |
| `account_privilege`            | `number`        | ✓                 | Privilege level of the account. Scores: Low (1,2), Medium (3–7), High (8,9)                                |
| `service_privilege`            | `number`        | ✓                 | Privilege level of the service. Scores: Low (1,2), Medium (3–7), High (8,9)                                |
| `ticket_cipher`                | `string`        |                   | Ticket cipher observed on AS-REP and TGS-REP replies                                                       |
| `as_req_padata_types`          | `array[number]` |                   | PA-DATA type integers from AS-REQ messages (max 12)                                                        |
| `as_req_padata_types_string`   | `array[string]` |                   | Human-readable PA-DATA type names for AS-REQ messages                                                      |
| `as_rep_padata_types`          | `array[number]` |                   | PA-DATA type integers from AS-REP messages (max 12)                                                        |
| `as_rep_padata_types_string`   | `array[string]` |                   | Human-readable PA-DATA type names for AS-REP messages                                                      |
| `as_req_padata_count`          | `number`        |                   | Total PA-DATA entries seen in AS-REQ prior to truncation                                                   |
| `as_rep_padata_count`          | `number`        |                   | Total PA-DATA entries seen in AS-REP prior to truncation                                                   |
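
As an added example (not code from the Vectra reference or any Vectra SDK), the following Python builds a `network.kerberos._all` query from the field names documented above and aggregates the returned rows per `account_uid` on the client side, since grouping is not done in the query itself. The request body format, the shape of the returned rows (one dict per row with `id` as a nested struct), and the SQL literal formats for timestamps and booleans are assumptions.

```python
"""Added example (not part of the Vectra reference or any Vectra SDK): build a
network.kerberos._all query with the documented field names and summarise the
rows it returns. Sending the request is left to the caller; the row shape
assumed here (one dict per row, `id` as a nested dict) is an assumption."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta, timezone

TABLE = "network.kerberos._all"


def build_tgs_query(lookback: timedelta = timedelta(hours=24),
                    now: datetime | None = None, limit: int = 1000) -> str:
    """SQL for successful service-ticket (TGS) requests in the lookback window.

    The time filter uses `timestamp` (not the PDF's `ts`), request_type is one
    of the two documented values, and the query keeps an explicit LIMIT. The
    ISO 8601 timestamp literal and the `true` boolean literal are assumptions.
    """
    now = now or datetime.now(timezone.utc)
    since = (now - lookback).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f"SELECT * FROM {TABLE} "
        f"WHERE timestamp >= '{since}' AND request_type = 'TGS' AND success = true "
        f"ORDER BY timestamp DESC LIMIT {limit}"
    )


def _field(row: dict, name: str):
    """Read `id.orig_h`-style names from a nested `id` struct or a flat key."""
    if name in row:
        return row[name]
    head, _, rest = name.partition(".")
    return row.get(head, {}).get(rest) if rest else None


def summarize_tgs(rows: list[dict], service_threshold: int = 5) -> dict[str, dict]:
    """Aggregate TGS rows per account_uid on the client side.

    Per account: distinct services requested, source hosts, the highest
    service_privilege score seen (1-9 per the reference), ticket_cipher values
    observed, and a `review` flag when the distinct-service count reaches
    service_threshold within the window (a baseline the analyst tunes).
    """
    acc: dict[str, dict] = defaultdict(lambda: {
        "services": set(), "hosts": set(), "ticket_ciphers": set(),
        "max_service_privilege": 0, "requests": 0})
    for row in rows:
        if row.get("request_type") != "TGS":
            continue  # only service-ticket requests are aggregated here
        a = acc[row["account_uid"]]
        a["requests"] += 1
        a["services"].add(row.get("service_uid"))
        a["hosts"].add(_field(row, "id.orig_h"))
        a["ticket_ciphers"].add(row.get("ticket_cipher"))
        a["max_service_privilege"] = max(a["max_service_privilege"],
                                         row.get("service_privilege") or 0)
    for a in acc.values():
        a["review"] = len(a["services"]) >= service_threshold
    return dict(acc)


# Constructed sample rows (not real data); field names follow the reference.
SAMPLE_ROWS = [
    {"id": {"orig_h": "10.1.2.30", "resp_h": "10.1.0.10"}, "request_type": "TGS",
     "account_uid": "jdoe@EXAMPLE.LOCAL", "service_uid": f"svc{i}/app{i}@EXAMPLE.LOCAL",
     "success": True, "ticket_cipher": "cipher-placeholder", "service_privilege": 3 + i}
    for i in range(6)
] + [
    {"id": {"orig_h": "10.1.2.31", "resp_h": "10.1.0.10"}, "request_type": "TGS",
     "account_uid": "asmith@EXAMPLE.LOCAL", "service_uid": "cifs/fs01@EXAMPLE.LOCAL",
     "success": True, "ticket_cipher": "cipher-placeholder", "service_privilege": 2},
    {"id": {"orig_h": "10.1.2.31", "resp_h": "10.1.0.10"}, "request_type": "AS",
     "account_uid": "asmith@EXAMPLE.LOCAL", "service_uid": "krbtgt@EXAMPLE.LOCAL",
     "success": True, "ticket_cipher": "cipher-placeholder", "service_privilege": 9},
]

if __name__ == "__main__":
    print(build_tgs_query(now=datetime(2025, 1, 1, tzinfo=timezone.utc)))
    for account, summary in summarize_tgs(SAMPLE_ROWS).items():
        print(account, summary)
```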

### network.ldap.\_all

LDAP query records — directory lookups, reconnaissance, and sensitive attribute access.

#### Common Fields

| Column                    | Type        | Vectra-specific\* | Description                                                                                                          |
| ------------------------- | ----------- | ----------------- | -------------------------------------------------------------------------------------------------------------------- |
| `vectra_connector`        | `string`    | ✓                 | Sensor/connector identifier. Not documented in the Vectra metadata PDF.                                              |
| `id`                      | `struct`    |                   | Session 5-tuple                                                                                                      |
| `id.ip_ver`               | `string`    |                   | IP version — `"ipv4"` or `"ipv6"`                                                                                    |
| `id.orig_h`               | `string`    |                   | Originator (client) IP address                                                                                       |
| `id.orig_p`               | `number`    |                   | Originator source port                                                                                               |
| `id.resp_h`               | `string`    |                   | Responder (server) IP address                                                                                        |
| `id.resp_p`               | `number`    |                   | Responder destination port                                                                                           |
| `timestamp`               | `timestamp` |                   | Record timestamp (documented as `ts` in the Vectra metadata PDF; use `timestamp` in all queries)                     |
| `uid`                     | `string`    |                   | Unique session/connection ID (Zeek UID)                                                                              |
| `sensor_uid`              | `string`    | ✓                 | Short sensor identifier                                                                                              |
| `local_orig`              | `boolean`   |                   | True if originator IP is internal/RFC-1918                                                                           |
| `local_resp`              | `boolean`   |                   | True if responder IP is internal/RFC-1918                                                                            |
| `orig_sluid`              | `string`    | ✓                 | Originator subnet LUID                                                                                               |
| `resp_sluid`              | `string`    | ✓                 | Responder subnet LUID (empty for external hosts)                                                                     |
| `orig_huid`               | `string`    | ✓                 | Originator host LUID                                                                                                 |
| `resp_huid`               | `string`    | ✓                 | Responder host LUID (null for external hosts)                                                                        |
| `orig_hostname`           | `struct`    | ✓                 | Vectra host record for originator                                                                                    |
| `orig_hostname.id`        | `number`    | ✓                 | Vectra host entity ID — links to `GET /api/v3.4/hosts/{id}`                                                          |
| `orig_hostname.name`      | `string`    | ✓                 | Host display name                                                                                                    |
| `orig_hostname.host_luid` | `string`    | ✓                 | Host LUID                                                                                                            |
| `resp_hostname`           | `struct`    | ✓                 | Vectra host record for responder (null fields for external IPs)                                                      |
| `resp_hostname.id`        | `number`    | ✓                 | Vectra host entity ID                                                                                                |
| `resp_hostname.name`      | `string`    | ✓                 | Host display name                                                                                                    |
| `resp_hostname.host_luid` | `string`    | ✓                 | Host LUID                                                                                                            |
| `dt`                      | `string`    | ✓                 | Date partition field (YYYY-MM-DD). Use `timestamp` for sub-day precision. Not documented in the Vectra metadata PDF. |

#### Table-Specific Fields

| Column                         | Type            | Vectra-specific\* | Description                                                                                 |
| ------------------------------ | --------------- | ----------------- | ------------------------------------------------------------------------------------------- |
| `message_id`                   | `number`        |                   | LDAP message ID                                                                             |
| `base_object`                  | `string`        |                   | Base of the subtree in which the search is constrained                                      |
| `query_scope`                  | `string`        |                   | Scope of the target subtree (e.g. `baseObject`, `singleLevel`, `wholeSubtree`)              |
| `query`                        | `string`        |                   | LDAP filter criteria. May contain base64-encoded data if the filter contains invalid UTF-8. |
| `result`                       | `string`        |                   | Result of the LDAP operation (e.g. `"success"`)                                             |
| `result_code`                  | `number`        |                   | LDAP result code                                                                            |
| `matched_dn`                   | `string`        |                   | Matched distinguished name (populated on some error responses)                              |
| `error`                        | `string`        |                   | Error message if an error occurred (e.g. `"0000208D: NameErr ..."`)                         |
| `duration`                     | `number`        |                   | Duration of the LDAP session                                                                |
| `request_bytes`                | `number`        |                   | Number of bytes in the request                                                              |
| `response_bytes`               | `number`        |                   | Number of bytes in the response                                                             |
| `is_close`                     | `boolean`       |                   | True if the connection close was observed                                                   |
| `is_query`                     | `boolean`       |                   | True if the operation was a query (search request)                                          |
| `attributes`                   | `array[string]` |                   | Set of attributes requested in the search                                                   |
| `bind_error_count`             | `number`        |                   | Count of bind errors (failed authentication attempts)                                       |
| `logon_failure_error_count`    | `number`        |                   | Count of logon failure errors                                                               |
| `result_count`                 | `number`        |                   | Count of entries returned in the result                                                     |
| `encrypted_sasl_payload_count` | `number`        |                   | Count of encrypted SASL payloads encountered (if SASL encryption is in use)                 |

### network.match.\_all

Vectra AI Match events — Suricata-based IDS alerts generated from network traffic, exposing signature matches and associated EVE JSON metadata.

#### Common Fields

| Column                    | Type        | Vectra-specific\* | Description                                                                                                          |
| ------------------------- | ----------- | ----------------- | -------------------------------------------------------------------------------------------------------------------- |
| `vectra_connector`        | `string`    | ✓                 | Sensor/connector identifier. Not documented in the Vectra metadata PDF.                                              |
| `id`                      | `struct`    |                   | Session 5-tuple                                                                                                      |
| `id.ip_ver`               | `string`    |                   | IP version — `"ipv4"` or `"ipv6"`                                                                                    |
| `id.orig_h`               | `string`    |                   | Originator (client) IP address                                                                                       |
| `id.orig_p`               | `number`    |                   | Originator source port                                                                                               |
| `id.resp_h`               | `string`    |                   | Responder (server) IP address                                                                                        |
| `id.resp_p`               | `number`    |                   | Responder destination port                                                                                           |
| `timestamp`               | `timestamp` |                   | Record timestamp (PDF documents as `ts` — use `timestamp` in all queries)                                            |
| `local_orig`              | `boolean`   |                   | True if originator IP is internal/RFC-1918                                                                           |
| `local_resp`              | `boolean`   |                   | True if responder IP is internal/RFC-1918                                                                            |
| `orig_sluid`              | `string`    | ✓                 | Originator subnet LUID                                                                                               |
| `resp_sluid`              | `string`    | ✓                 | Responder subnet LUID (empty for external hosts)                                                                     |
| `orig_huid`               | `string`    | ✓                 | Originator host LUID                                                                                                 |
| `resp_huid`               | `string`    | ✓                 | Responder host LUID (null for external hosts)                                                                        |
| `orig_hostname`           | `struct`    | ✓                 | Vectra host record for originator                                                                                    |
| `orig_hostname.id`        | `number`    | ✓                 | Vectra host entity ID — links to `GET /api/v3.4/hosts/{id}`                                                          |
| `orig_hostname.name`      | `string`    | ✓                 | Host display name                                                                                                    |
| `orig_hostname.host_luid` | `string`    | ✓                 | Host LUID                                                                                                            |
| `resp_hostname`           | `struct`    | ✓                 | Vectra host record for responder (null fields for external IPs)                                                      |
| `resp_hostname.id`        | `number`    | ✓                 | Vectra host entity ID                                                                                                |
| `resp_hostname.name`      | `string`    | ✓                 | Host display name                                                                                                    |
| `resp_hostname.host_luid` | `string`    | ✓                 | Host LUID                                                                                                            |
| `dt`                      | `string`    | ✓                 | Date partition field (YYYY-MM-DD). Use `timestamp` for sub-day precision. Not documented in the Vectra metadata PDF. |

#### Table-Specific Fields

| Column                              | Type            | Vectra-specific\* | Description                                                                    |
| ----------------------------------- | --------------- | ----------------- | ------------------------------------------------------------------------------ |
| `app_proto`                         | `string`        |                   | Application protocol inferred for this alert (e.g. `"tls"`, `"http"`, `"dns"`) |
| `alert`                             | `struct`        |                   | Suricata alert details (see sub-fields below)                                  |
| `alert.category`                    | `string`        |                   | Alert category (e.g. `"Generic Protocol Command Decode"`, `"Malware"`)         |
| `alert.signature_id`                | `number`        |                   | Suricata rule signature ID (SID)                                               |
| `alert.rev`                         | `number`        |                   | Signature revision number                                                      |
| `alert.signature`                   | `string`        |                   | Signature name / message text                                                  |
| `alert.severity`                    | `number`        |                   | Alert severity level (1=Critical, 2=Major, 3=Minor)                            |
| `alert.rule`                        | `string`        |                   | The full rule text that fired the alert                                        |
| `alert.metadata`                    | `struct`        |                   | Additional signature metadata                                                  |
| `alert.metadata.attack_target`      | `array[string]` |                   | Affected component (Client, Server, Both, Other)                               |
| `alert.metadata.created_at`         | `array[string]` |                   | Date the signature was created                                                 |
| `alert.metadata.deployment`         | `array[string]` |                   | Where the signature should be deployed                                         |
| `alert.metadata.malware_family`     | `array[string]` |                   | Associated malware family name                                                 |
| `alert.metadata.tag`                | `array[string]` |                   | Signature tags                                                                 |
| `alert.metadata.updated_at`         | `array[string]` |                   | Date of last signature update                                                  |
| `alert.metadata.signature_severity` | `array[string]` |                   | Severity metadata from the signature author                                    |
| `payload`                           | `string`        |                   | Base64-encoded packet payload that triggered the alert                         |
| `payload_printable`                 | `string`        |                   | ASCII printable representation of the payload                                  |
| `packet`                            | `string`        |                   | Base64-encoded full packet                                                     |
| `flow`                              | `struct`        |                   | Suricata flow counters for the associated network flow                         |
| `flow.bytes_toclient`               | `number`        |                   | Bytes sent toward the client in this flow                                      |
| `flow.bytes_toserver`               | `number`        |                   | Bytes sent toward the server in this flow                                      |
| `flow.pkts_toclient`                | `number`        |                   | Packets sent toward the client in this flow                                    |
| `flow.pkts_toserver`                | `number`        |                   | Packets sent toward the server in this flow                                    |
| `flow.src_ip`                       | `string`        |                   | Source IP for this flow                                                        |
| `flow.src_port`                     | `number`        |                   | Source port for this flow                                                      |
| `flow.dest_ip`                      | `string`        |                   | Destination IP for this flow                                                   |
| `flow.dest_port`                    | `number`        |                   | Destination port for this flow                                                 |
| `flow.start`                        | `string`        |                   | Flow start timestamp (ISO 8601 string)                                         |
| `direction`                         | `string`        |                   | Traffic direction of the alert — `"to_client"` or `"to_server"`                |
| `dns`                               | `struct`        |                   | DNS protocol data if alert is DNS-related (null otherwise)                     |
| `http`                              | `struct`        |                   | HTTP protocol data if alert is HTTP-related (null otherwise)                   |
| `tls`                               | `struct`        |                   | TLS protocol data if alert is TLS-related (null otherwise)                     |
| `ftp`                               | `struct`        |                   | FTP protocol data if alert is FTP-related (null otherwise)                     |
| `ftp_data`                          | `struct`        |                   | FTP data channel details (null otherwise)                                      |
| `smb`                               | `struct`        |                   | SMB protocol data if alert is SMB-related (null otherwise)                     |
| `ssh`                               | `struct`        |                   | SSH protocol data if alert is SSH-related (null otherwise)                     |
| `rdp`                               | `struct`        |                   | RDP protocol data if alert is RDP-related (null otherwise)                     |
| `anomaly`                           | `struct`        |                   | Anomaly data if alert is anomaly-based (null otherwise)                        |
| `bittorrent_dht`                    | `struct`        |                   | BitTorrent DHT data (null otherwise)                                           |
| `rfb`                               | `struct`        |                   | RFB/VNC protocol data (null otherwise)                                         |
| `mqtt`                              | `struct`        |                   | MQTT protocol data (null otherwise)                                            |
| `http2`                             | `struct`        |                   | HTTP/2 protocol data (null otherwise)                                          |
| `pgsql`                             | `struct`        |                   | PostgreSQL protocol data (null otherwise)                                      |
| `ike`                               | `struct`        |                   | IKE/IPsec protocol data (null otherwise)                                       |
| `modbus`                            | `struct`        |                   | Modbus ICS protocol data (null otherwise)                                      |
| `quic`                              | `struct`        |                   | QUIC protocol data (null otherwise)                                            |
| `dhcp`                              | `struct`        |                   | DHCP protocol data (null otherwise)                                            |

### network.ntlm.\_all

NTLM authentication events — provide visibility into NTLM authentication activity, including account usage patterns, authentication outcomes (see `success` and `status`), and legacy protocol usage on the network.

#### Common Fields

| Column                    | Type        | Vectra-specific\* | Description                                                                                                          |
| ------------------------- | ----------- | ----------------- | -------------------------------------------------------------------------------------------------------------------- |
| `vectra_connector`        | `string`    | ✓                 | Sensor/connector identifier. Not documented in the Vectra metadata PDF.                                              |
| `id`                      | `struct`    |                   | Session 5-tuple                                                                                                      |
| `id.ip_ver`               | `string`    |                   | IP version — `"ipv4"` or `"ipv6"`                                                                                    |
| `id.orig_h`               | `string`    |                   | Originator (client) IP address                                                                                       |
| `id.orig_p`               | `number`    |                   | Originator source port                                                                                               |
| `id.resp_h`               | `string`    |                   | Responder (server) IP address                                                                                        |
| `id.resp_p`               | `number`    |                   | Responder destination port                                                                                           |
| `timestamp`               | `timestamp` |                   | Record timestamp (PDF documents as `ts` — use `timestamp` in all queries)                                            |
| `uid`                     | `string`    |                   | Unique session/connection ID (Zeek UID)                                                                              |
| `sensor_uid`              | `string`    | ✓                 | Short sensor identifier                                                                                              |
| `local_orig`              | `boolean`   |                   | True if originator IP is internal/RFC-1918                                                                           |
| `local_resp`              | `boolean`   |                   | True if responder IP is internal/RFC-1918                                                                            |
| `orig_sluid`              | `string`    | ✓                 | Originator subnet LUID                                                                                               |
| `resp_sluid`              | `string`    | ✓                 | Responder subnet LUID (empty for external hosts)                                                                     |
| `orig_huid`               | `string`    | ✓                 | Originator host LUID                                                                                                 |
| `resp_huid`               | `string`    | ✓                 | Responder host LUID (null for external hosts)                                                                        |
| `orig_hostname`           | `struct`    | ✓                 | Vectra host record for originator                                                                                    |
| `orig_hostname.id`        | `number`    | ✓                 | Vectra host entity ID — links to `GET /api/v3.4/hosts/{id}`                                                          |
| `orig_hostname.name`      | `string`    | ✓                 | Host display name                                                                                                    |
| `orig_hostname.host_luid` | `string`    | ✓                 | Host LUID                                                                                                            |
| `resp_hostname`           | `struct`    | ✓                 | Vectra host record for responder (null fields for external IPs)                                                      |
| `resp_hostname.id`        | `number`    | ✓                 | Vectra host entity ID                                                                                                |
| `resp_hostname.name`      | `string`    | ✓                 | Host display name                                                                                                    |
| `resp_hostname.host_luid` | `string`    | ✓                 | Host LUID                                                                                                            |
| `dt`                      | `string`    | ✓                 | Date partition field (YYYY-MM-DD). Use `timestamp` for sub-day precision. Not documented in the Vectra metadata PDF. |

#### Table-Specific Fields

| Column     | Type      | Vectra-specific\* | Description                                                                                |
| ---------- | --------- | ----------------- | ------------------------------------------------------------------------------------------ |
| `username` | `string`  |                   | Username or account name used in authentication. Names ending in `$` are machine accounts. |
| `hostname` | `string`  |                   | Hostname on which the user is authenticating                                               |
| `domain`   | `string`  |                   | Domain of the host                                                                         |
| `status`   | `number`  |                   | NTLM status code in the response                                                           |
| `success`  | `boolean` |                   | True if the NTLM authentication was successful                                             |

### network.radius.\_all

RADIUS authentication events — VPN and wireless authentication records.

#### Common Fields

| Column                    | Type        | Vectra-specific\* | Description                                                                                                          |
| ------------------------- | ----------- | ----------------- | -------------------------------------------------------------------------------------------------------------------- |
| `vectra_connector`        | `string`    | ✓                 | Sensor/connector identifier. Not documented in the Vectra metadata PDF.                                              |
| `id`                      | `struct`    |                   | Session 5-tuple                                                                                                      |
| `id.ip_ver`               | `string`    |                   | IP version — `"ipv4"` or `"ipv6"`                                                                                    |
| `id.orig_h`               | `string`    |                   | Originator (client) IP address                                                                                       |
| `id.orig_p`               | `number`    |                   | Originator source port                                                                                               |
| `id.resp_h`               | `string`    |                   | Responder (server) IP address                                                                                        |
| `id.resp_p`               | `number`    |                   | Responder destination port                                                                                           |
| `timestamp`               | `timestamp` |                   | Record timestamp (PDF documents as `ts` — use `timestamp` in all queries)                                            |
| `uid`                     | `string`    |                   | Unique session/connection ID (Zeek UID)                                                                              |
| `sensor_uid`              | `string`    | ✓                 | Short sensor identifier                                                                                              |
| `local_orig`              | `boolean`   |                   | True if originator IP is internal/RFC-1918                                                                           |
| `local_resp`              | `boolean`   |                   | True if responder IP is internal/RFC-1918                                                                            |
| `orig_sluid`              | `string`    | ✓                 | Originator subnet LUID                                                                                               |
| `resp_sluid`              | `string`    | ✓                 | Responder subnet LUID (empty for external hosts)                                                                     |
| `orig_huid`               | `string`    | ✓                 | Originator host LUID                                                                                                 |
| `resp_huid`               | `string`    | ✓                 | Responder host LUID (null for external hosts)                                                                        |
| `orig_hostname`           | `struct`    | ✓                 | Vectra host record for originator                                                                                    |
| `orig_hostname.id`        | `number`    | ✓                 | Vectra host entity ID — links to `GET /api/v3.4/hosts/{id}`                                                          |
| `orig_hostname.name`      | `string`    | ✓                 | Host display name                                                                                                    |
| `orig_hostname.host_luid` | `string`    | ✓                 | Host LUID                                                                                                            |
| `resp_hostname`           | `struct`    | ✓                 | Vectra host record for responder (null fields for external IPs)                                                      |
| `resp_hostname.id`        | `number`    | ✓                 | Vectra host entity ID                                                                                                |
| `resp_hostname.name`      | `string`    | ✓                 | Host display name                                                                                                    |
| `resp_hostname.host_luid` | `string`    | ✓                 | Host LUID                                                                                                            |
| `dt`                      | `string`    | ✓                 | Date partition field (YYYY-MM-DD). Use `timestamp` for sub-day precision. Not documented in the Vectra metadata PDF. |

#### Table-Specific Fields

| Column                     | Type        | Vectra-specific\* | Description                                                                                                                          |
| -------------------------- | ----------- | ----------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
| `username`                 | `string`    |                   | Username observed in the RADIUS message                                                                                              |
| `mac`                      | `string`    |                   | MAC address observed as a field in the RADIUS message                                                                                |
| `framed_address`           | `string`    |                   | Endpoint requesting authentication (from the request)                                                                                |
| `framed_ip_address`        | `string`    |                   | IP address of the endpoint device connecting to the system                                                                           |
| `framed_ipv6_prefix`       | `string`    |                   | Framed IPv6 prefix for the user                                                                                                      |
| `framed_protocol`          | `string`    |                   | Framed Protocol used when the user connects                                                                                          |
| `framed_interface`         | `string`    |                   | Interface used when the user connects                                                                                                |
| `result`                   | `string`    |                   | Success or failed authentication                                                                                                     |
| `logged`                   | `boolean`   |                   | True if the request was previously logged                                                                                            |
| `connect_info`             | `string`    |                   | Connection speed or other connection-related information                                                                             |
| `reply_msg`                | `string`    |                   | Reply message from the server challenge (shown to authenticating user)                                                               |
| `reply_timestamp`          | `timestamp` |                   | Timestamp when the reply message was received                                                                                        |
| `ttl`                      | `number`    |                   | Duration between the first request and either the Access-Accept message or an error. Empty if either the request or the response was not seen. |
| `account_authentic`        | `string`    |                   | How the user was authenticated                                                                                                       |
| `account_session_id`       | `string`    |                   | Unique ID identifying the RADIUS Accounting Session (sent in a separate packet)                                                      |
| `account_session_time`     | `number`    |                   | Duration of service received by user                                                                                                 |
| `account_input_octets`     | `number`    |                   | Bytes received                                                                                                                       |
| `account_output_octets`    | `number`    |                   | Bytes sent                                                                                                                           |
| `account_input_gigawords`  | `number`    |                   | How many times the Acct-Input-Octets counter has rolled over (input direction)                                                       |
| `account_output_gigawords` | `number`    |                   | How many times the Acct-Output-Octets counter has rolled over (output direction)                                                     |
| `account_input_packets`    | `number`    |                   | Packets received                                                                                                                     |
| `account_output_packets`   | `number`    |                   | Packets sent                                                                                                                         |
| `account_delay_time`       | `number`    |                   | How long the sender has been trying to send the message                                                                              |
| `radius_type`              | `string`    |                   | Value indicating access or accounting request                                                                                        |
| `calling_station_id`       | `string`    |                   | Identifier of the calling station                                                                                                    |
| `service_type`             | `string`    |                   | Type of service the user has requested                                                                                               |
| `nas_identifier`           | `string`    |                   | Role the authenticating client is requesting                                                                                         |
| `nas_ip_address`           | `string`    |                   | IP address format — can be the IP of the Device, Endpoint, or Intermediate system                                                    |
| `nas_port`                 | `number`    |                   | Physical port number of the device authenticating the user                                                                           |
| `nas_port_id`              | `string`    |                   | Text string identifying the port provided by the client                                                                              |
| `nas_port_type`            | `string`    |                   | Type of medium of the port (e.g. `Ethernet`, `Wifi`)                                                                                 |
| `idle_timeout`             | `number`    |                   | Maximum time a session can be idle before disconnection                                                                              |
| `session_timeout`          | `number`    |                   | Maximum session length                                                                                                               |
| `password_seen`            | `boolean`   |                   | True if a password was observed in the message                                                                                       |
| `filter_id`                | `string`    |                   | Identifies any ACL in use                                                                                                            |
| `tunnel_client`            | `string`    |                   | Address (IPv4, IPv6, or FQDN) of the initiator end of the tunnel (from Tunnel-Client-Endpoint attribute)                             |
| `delegated_ipv6_prefix`    | `string`    |                   | IPv6 pool from which the IPv6 address was assigned                                                                                   |
| `src_luid`                 | `string`    | ✓                 | LUID of the RADIUS client                                                                                                            |
| `dst_luid`                 | `string`    | ✓                 | LUID of the RADIUS server                                                                                                            |
| `src_display_name`         | `string`    | ✓                 | DNS name of the source                                                                                                               |
| `dst_display_name`         | `string`    | ✓                 | DNS name of the destination                                                                                                          |
| `src_host_luid`            | `string`    | ✓                 | ID of the source host                                                                                                                |
| `dst_host_luid`            | `string`    | ✓                 | ID of the destination host                                                                                                           |
| `src_luid_external`        | `boolean`   | ✓                 | True if the source is external                                                                                                       |
| `dst_luid_external`        | `boolean`   | ✓                 | True if the destination is external                                                                                                  |
| `event_timestamp`          | `timestamp` | ✓                 | Timestamp from the device (vs `timestamp` from Vectra)                                                                               |

### network.rdp.\_all

RDP session records — provide visibility into remote desktop connections, including client attributes and session characteristics.

#### Common Fields

| Column                    | Type        | Vectra-specific\* | Description                                                                                                          |
| ------------------------- | ----------- | ----------------- | -------------------------------------------------------------------------------------------------------------------- |
| `vectra_connector`        | `string`    | ✓                 | Sensor/connector identifier. Not documented in the Vectra metadata PDF.                                              |
| `id`                      | `struct`    |                   | Session 5-tuple                                                                                                      |
| `id.ip_ver`               | `string`    |                   | IP version — `"ipv4"` or `"ipv6"`                                                                                    |
| `id.orig_h`               | `string`    |                   | Originator (client) IP address                                                                                       |
| `id.orig_p`               | `number`    |                   | Originator source port                                                                                               |
| `id.resp_h`               | `string`    |                   | Responder (server) IP address                                                                                        |
| `id.resp_p`               | `number`    |                   | Responder destination port                                                                                           |
| `timestamp`               | `timestamp` |                   | Record timestamp (PDF documents as `ts` — use `timestamp` in all queries)                                            |
| `uid`                     | `string`    |                   | Unique session/connection ID (Zeek UID)                                                                              |
| `sensor_uid`              | `string`    | ✓                 | Short sensor identifier                                                                                              |
| `local_orig`              | `boolean`   |                   | True if originator IP is internal/RFC-1918                                                                           |
| `local_resp`              | `boolean`   |                   | True if responder IP is internal/RFC-1918                                                                            |
| `orig_sluid`              | `string`    | ✓                 | Originator subnet LUID                                                                                               |
| `resp_sluid`              | `string`    | ✓                 | Responder subnet LUID (empty for external hosts)                                                                     |
| `orig_huid`               | `string`    | ✓                 | Originator host LUID                                                                                                 |
| `resp_huid`               | `string`    | ✓                 | Responder host LUID (null for external hosts)                                                                        |
| `orig_hostname`           | `struct`    | ✓                 | Vectra host record for originator                                                                                    |
| `orig_hostname.id`        | `number`    | ✓                 | Vectra host entity ID — links to `GET /api/v3.4/hosts/{id}`                                                          |
| `orig_hostname.name`      | `string`    | ✓                 | Host display name                                                                                                    |
| `orig_hostname.host_luid` | `string`    | ✓                 | Host LUID                                                                                                            |
| `resp_hostname`           | `struct`    | ✓                 | Vectra host record for responder (null fields for external IPs)                                                      |
| `resp_hostname.id`        | `number`    | ✓                 | Vectra host entity ID                                                                                                |
| `resp_hostname.name`      | `string`    | ✓                 | Host display name                                                                                                    |
| `resp_hostname.host_luid` | `string`    | ✓                 | Host LUID                                                                                                            |
| `dt`                      | `string`    | ✓                 | Date partition field (YYYY-MM-DD). Use `timestamp` for sub-day precision. Not documented in the Vectra metadata PDF. |

#### Table-Specific Fields

| Column                   | Type     | Vectra-specific\* | Description                                                                                      |
| ------------------------ | -------- | ----------------- | ------------------------------------------------------------------------------------------------ |
| `cookie`                 | `string` |                   | Cookie value used by the client (often contains the username)                                    |
| `keyboard_layout`        | `string` |                   | Keyboard layout/language of the client machine (e.g. `"US"`, `"encrypted RDP keyboard"`)         |
| `client_build`           | `string` |                   | RDP client version used by the client machine. Value is `"Unknown"` if the session is encrypted. |
| `client_name`            | `string` |                   | Name of the client machine                                                                       |
| `client_dig_protocol_id` | `number` |                   | Protocol ID of the client's digital channel. Not documented in the Vectra metadata PDF.          |
| `client_dig_product_id`  | `string` |                   | Product ID of the client machine                                                                 |
| `desktop_width`          | `number` |                   | Desktop width of the client machine in pixels. Value is `0` if encrypted.                        |
| `desktop_height`         | `number` |                   | Desktop height of the client machine in pixels. Value is `0` if encrypted.                       |
| `result`                 | `string` |                   | Connection result — `"encrypted"` if the session is NLA/TLS-encrypted, otherwise empty           |

### network.smb\_files.\_all

SMB file operation records — file reads, writes, and deletes on network shares.

#### Common Fields

| Column                    | Type        | Vectra-specific\* | Description                                                                                                          |
| ------------------------- | ----------- | ----------------- | -------------------------------------------------------------------------------------------------------------------- |
| `vectra_connector`        | `string`    | ✓                 | Sensor/connector identifier. Not documented in the Vectra metadata PDF.                                              |
| `id`                      | `struct`    |                   | Session 5-tuple                                                                                                      |
| `id.ip_ver`               | `string`    |                   | IP version — `"ipv4"` or `"ipv6"`                                                                                    |
| `id.orig_h`               | `string`    |                   | Originator (client) IP address                                                                                       |
| `id.orig_p`               | `number`    |                   | Originator source port                                                                                               |
| `id.resp_h`               | `string`    |                   | Responder (server) IP address                                                                                        |
| `id.resp_p`               | `number`    |                   | Responder destination port                                                                                           |
| `timestamp`               | `timestamp` |                   | Record timestamp (PDF documents as `ts` — use `timestamp` in all queries)                                            |
| `uid`                     | `string`    |                   | Unique session/connection ID (Zeek UID)                                                                              |
| `sensor_uid`              | `string`    | ✓                 | Short sensor identifier                                                                                              |
| `local_orig`              | `boolean`   |                   | True if originator IP is internal/RFC-1918                                                                           |
| `local_resp`              | `boolean`   |                   | True if responder IP is internal/RFC-1918                                                                            |
| `orig_sluid`              | `string`    | ✓                 | Originator subnet LUID                                                                                               |
| `resp_sluid`              | `string`    | ✓                 | Responder subnet LUID (empty for external hosts)                                                                     |
| `orig_huid`               | `string`    | ✓                 | Originator host LUID                                                                                                 |
| `resp_huid`               | `string`    | ✓                 | Responder host LUID (null for external hosts)                                                                        |
| `orig_hostname`           | `struct`    | ✓                 | Vectra host record for originator                                                                                    |
| `orig_hostname.id`        | `number`    | ✓                 | Vectra host entity ID — links to `GET /api/v3.4/hosts/{id}`                                                          |
| `orig_hostname.name`      | `string`    | ✓                 | Host display name                                                                                                    |
| `orig_hostname.host_luid` | `string`    | ✓                 | Host LUID                                                                                                            |
| `resp_hostname`           | `struct`    | ✓                 | Vectra host record for responder (null fields for external IPs)                                                      |
| `resp_hostname.id`        | `number`    | ✓                 | Vectra host entity ID                                                                                                |
| `resp_hostname.name`      | `string`    | ✓                 | Host display name                                                                                                    |
| `resp_hostname.host_luid` | `string`    | ✓                 | Host LUID                                                                                                            |
| `dt`                      | `string`    | ✓                 | Date partition field (YYYY-MM-DD). Use `timestamp` for sub-day precision. Not documented in the Vectra metadata PDF. |

#### Table-Specific Fields

| Column            | Type      | Vectra-specific\* | Description                                                                                                                      |
| ----------------- | --------- | ----------------- | -------------------------------------------------------------------------------------------------------------------------------- |
| `username`        | `string`  | ✓                 | Username or account name logged in. Names ending in `$` are machine accounts.                                                    |
| `hostname`        | `string`  | ✓                 | Hostname of the SMB client                                                                                                       |
| `domain`          | `string`  | ✓                 | Domain of the SMB server                                                                                                         |
| `action`          | `string`  |                   | Action taken on the file (e.g. `SMB::READ`, `SMB::WRITE`, `SMB::FILE_DELETE`, `SMB::FILE_RENAME`, `SMB::LOGOFF`)                 |
| `path`            | `string`  |                   | Path of the tree this file was transferred to or from                                                                            |
| `name`            | `string`  |                   | Filename if one was observed                                                                                                     |
| `prev_name`       | `string`  |                   | If a rename action was observed, the file's previous name                                                                        |
| `version`         | `string`  |                   | SMB version — `"SMBv1"` or `"SMBv2"`                                                                                             |
| `delete_on_close` | `boolean` | ✓                 | True if the `delete_on_close` attribute is enabled. If enabled, a file close action may delete the file if it is the last close. |

### network.smb\_mapping.\_all

SMB share mapping events — network share connections and disconnections.

#### Common Fields

| Column                    | Type        | Vectra-specific\* | Description                                                                                                          |
| ------------------------- | ----------- | ----------------- | -------------------------------------------------------------------------------------------------------------------- |
| `vectra_connector`        | `string`    | ✓                 | Sensor/connector identifier. Not documented in the Vectra metadata PDF.                                              |
| `id`                      | `struct`    |                   | Session 5-tuple                                                                                                      |
| `id.ip_ver`               | `string`    |                   | IP version — `"ipv4"` or `"ipv6"`                                                                                    |
| `id.orig_h`               | `string`    |                   | Originator (client) IP address                                                                                       |
| `id.orig_p`               | `number`    |                   | Originator source port                                                                                               |
| `id.resp_h`               | `string`    |                   | Responder (server) IP address                                                                                        |
| `id.resp_p`               | `number`    |                   | Responder destination port                                                                                           |
| `timestamp`               | `timestamp` |                   | Record timestamp (PDF documents as `ts` — use `timestamp` in all queries)                                            |
| `uid`                     | `string`    |                   | Unique session/connection ID (Zeek UID)                                                                              |
| `sensor_uid`              | `string`    | ✓                 | Short sensor identifier                                                                                              |
| `local_orig`              | `boolean`   |                   | True if originator IP is internal/RFC-1918                                                                           |
| `local_resp`              | `boolean`   |                   | True if responder IP is internal/RFC-1918                                                                            |
| `orig_sluid`              | `string`    | ✓                 | Originator subnet LUID                                                                                               |
| `resp_sluid`              | `string`    | ✓                 | Responder subnet LUID (empty for external hosts)                                                                     |
| `orig_huid`               | `string`    | ✓                 | Originator host LUID                                                                                                 |
| `resp_huid`               | `string`    | ✓                 | Responder host LUID (null for external hosts)                                                                        |
| `orig_hostname`           | `struct`    | ✓                 | Vectra host record for originator                                                                                    |
| `orig_hostname.id`        | `number`    | ✓                 | Vectra host entity ID — links to `GET /api/v3.4/hosts/{id}`                                                          |
| `orig_hostname.name`      | `string`    | ✓                 | Host display name                                                                                                    |
| `orig_hostname.host_luid` | `string`    | ✓                 | Host LUID                                                                                                            |
| `resp_hostname`           | `struct`    | ✓                 | Vectra host record for responder (null fields for external IPs)                                                      |
| `resp_hostname.id`        | `number`    | ✓                 | Vectra host entity ID                                                                                                |
| `resp_hostname.name`      | `string`    | ✓                 | Host display name                                                                                                    |
| `resp_hostname.host_luid` | `string`    | ✓                 | Host LUID                                                                                                            |
| `dt`                      | `string`    | ✓                 | Date partition field (YYYY-MM-DD). Use `timestamp` for sub-day precision. Not documented in the Vectra metadata PDF. |

#### Table-Specific Fields

| Column     | Type     | Vectra-specific\* | Description                                                                   |
| ---------- | -------- | ----------------- | ----------------------------------------------------------------------------- |
| `username` | `string` | ✓                 | Username or account name logged in. Names ending in `$` are machine accounts. |
| `hostname` | `string` | ✓                 | Hostname of the SMB client                                                    |
| `domain`   | `string` | ✓                 | Domain of the SMB server                                                      |
| `service`  | `string` |                   | Type of the tree (share type) — e.g. `named_pipe`, `disk`, `IPC`              |
| `path`     | `string` |                   | Name of the tree path (share path, e.g. `\\dc01.archer.local\IPC$`)           |
| `version`  | `string` |                   | SMB version — `"SMBv1"` or `"SMBv2"`                                          |
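The two queries below are added examples, not Vectra documentation or product code, that exercise the `network.smb_files._all` and `network.smb_mapping._all` fields above under the stated query constraints (`._all` suffix, mandatory `LIMIT`, no `GROUP BY`, dot-notation for `id.*` struct fields, `timestamp` for time filtering). They assume that ISO-8601 string literals are accepted in comparisons against `timestamp`, that `IN (...)` is accepted in `WHERE`, and that unquoted `true`/`false` are valid boolean literals; the date literal is a placeholder to be replaced with a value inside the 14-day lookback window.

```sql
-- Added example queries (constructed, not from the Vectra metadata reference).
-- Assumptions: ISO-8601 timestamp literals, IN (...) in WHERE, unquoted booleans.

-- 1. Destructive file operations on SMB shares: deletes and renames, most recent first.
--    `id.orig_h` / `id.resp_h` use dot-notation because `id` is a struct.
--    `username` values ending in `$` are machine accounts; the API offers no LIKE
--    guarantee, so filter those out client-side after the rows come back.
SELECT timestamp, id.orig_h, id.resp_h, username, hostname, domain,
       action, path, name, prev_name, delete_on_close
FROM network.smb_files._all
WHERE action IN ('SMB::FILE_DELETE', 'SMB::FILE_RENAME')
  AND timestamp >= '2025-01-01T00:00:00Z'   -- placeholder: must fall within the 14-day lookback
ORDER BY timestamp DESC
LIMIT 500;

-- 2. Legacy-protocol inventory: share connections still negotiated over SMBv1,
--    restricted to internal (RFC-1918) originators so the result set is the
--    list of in-house clients that need remediation rather than external noise.
SELECT timestamp, id.orig_h, id.resp_h, username, hostname, domain,
       service, path, version
FROM network.smb_mapping._all
WHERE version = 'SMBv1'
  AND local_orig = true
  AND timestamp >= '2025-01-01T00:00:00Z'   -- placeholder: must fall within the 14-day lookback
ORDER BY timestamp DESC
LIMIT 500;
```

Because `GROUP BY` is prohibited, per-host or per-user counts have to be computed by the caller after paging through results; the `ORDER BY timestamp DESC` plus `LIMIT` pattern is what keeps each request inside the 1,000-row ceiling.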

### network.ssh.\_all

SSH session records — inbound and outbound SSH, cipher suites, and HASSH fingerprints.

#### Common Fields

| Column                    | Type        | Vectra-specific\* | Description                                                                                                          |
| ------------------------- | ----------- | ----------------- | -------------------------------------------------------------------------------------------------------------------- |
| `vectra_connector`        | `string`    | ✓                 | Sensor/connector identifier. Not documented in the Vectra metadata PDF.                                              |
| `id`                      | `struct`    |                   | Session 5-tuple                                                                                                      |
| `id.ip_ver`               | `string`    |                   | IP version — `"ipv4"` or `"ipv6"`                                                                                    |
| `id.orig_h`               | `string`    |                   | Originator (client) IP address                                                                                       |
| `id.orig_p`               | `number`    |                   | Originator source port                                                                                               |
| `id.resp_h`               | `string`    |                   | Responder (server) IP address                                                                                        |
| `id.resp_p`               | `number`    |                   | Responder destination port                                                                                           |
| `timestamp`               | `timestamp` |                   | Record timestamp (PDF documents as `ts` — use `timestamp` in all queries)                                            |
| `uid`                     | `string`    |                   | Unique session/connection ID (Zeek UID)                                                                              |
| `sensor_uid`              | `string`    | ✓                 | Short sensor identifier                                                                                              |
| `local_orig`              | `boolean`   |                   | True if originator IP is internal/RFC-1918                                                                           |
| `local_resp`              | `boolean`   |                   | True if responder IP is internal/RFC-1918                                                                            |
| `orig_sluid`              | `string`    | ✓                 | Originator subnet LUID                                                                                               |
| `resp_sluid`              | `string`    | ✓                 | Responder subnet LUID (empty for external hosts)                                                                     |
| `orig_huid`               | `string`    | ✓                 | Originator host LUID                                                                                                 |
| `resp_huid`               | `string`    | ✓                 | Responder host LUID (null for external hosts)                                                                        |
| `orig_hostname`           | `struct`    | ✓                 | Vectra host record for originator                                                                                    |
| `orig_hostname.id`        | `number`    | ✓                 | Vectra host entity ID — links to `GET /api/v3.4/hosts/{id}`                                                          |
| `orig_hostname.name`      | `string`    | ✓                 | Host display name                                                                                                    |
| `orig_hostname.host_luid` | `string`    | ✓                 | Host LUID                                                                                                            |
| `resp_hostname`           | `struct`    | ✓                 | Vectra host record for responder (null fields for external IPs)                                                      |
| `resp_hostname.id`        | `number`    | ✓                 | Vectra host entity ID                                                                                                |
| `resp_hostname.name`      | `string`    | ✓                 | Host display name                                                                                                    |
| `resp_hostname.host_luid` | `string`    | ✓                 | Host LUID                                                                                                            |
| `dt`                      | `string`    | ✓                 | Date partition field (YYYY-MM-DD). Use `timestamp` for sub-day precision. Not documented in the Vectra metadata PDF. |

#### Table-Specific Fields

| Field             | Type    | Description                                                                                         |
| ----------------- | ------- | --------------------------------------------------------------------------------------------------- |
| `version`         | integer | SSH protocol version (1 or 2). SSHv1 is deprecated and insecure.                                    |
| `client`          | string  | Client SSH software banner (e.g., `SSH-2.0-PuTTY_Release_0.83`)                                     |
| `server`          | string  | Server SSH software banner (e.g., `SSH-2.0-OpenSSH_9.2p1 Debian-2`)                                 |
| `cipher_alg`      | string  | Negotiated encryption cipher algorithm (e.g., `aes256-ctr`, `chacha20-poly1305@openssh.com`)        |
| `mac_alg`         | string  | Negotiated MAC (message authentication code) algorithm (e.g., `hmac-sha2-256`)                      |
| `compression_alg` | string  | Negotiated compression algorithm (typically `none`)                                                 |
| `kex_alg`         | string  | Negotiated key exchange algorithm (e.g., `sntrup761x25519-sha512@openssh.com`, `curve25519-sha256`) |
| `host_key_alg`    | string  | Host key algorithm (e.g., `ssh-ed25519`, `ecdsa-sha2-nistp256`, `ssh-rsa`)                          |
| `hassh`           | string  | HASSH fingerprint of the client key exchange — MD5 of client algorithm lists                        |
| `hassh_server`    | string  | HASSH-S fingerprint of the server key exchange                                                      |
| `host_key`        | string  | Server's host key (base64 encoded). May be an empty string. Pivot on it to find the same key presented by more than one IP (key reuse). |
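A query that puts the table-specific fields above to work, hunting for SSH sessions that negotiated SSHv1 or a weak algorithm. This is an added example, not a query from the Vectra documentation: the table name is assumed to be `network.ssh._all` following the naming pattern of the other network tables, the `TIMESTAMP` literal syntax is an assumption, and the list of algorithms treated as weak is this example's choice rather than anything the page states.

```sql
-- Added example, not from the Vectra documentation.
-- Assumptions: table name network.ssh._all, TIMESTAMP literal syntax,
-- and the set of algorithm names treated as weak.
SELECT timestamp, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p,
       orig_hostname.name, resp_hostname.name,
       version, client, server,
       kex_alg, cipher_alg, mac_alg, host_key_alg,
       hassh, hassh_server, host_key
FROM network.ssh._all
WHERE timestamp >= TIMESTAMP '2026-03-08 00:00:00'
  AND (
        version = 1                                        -- SSHv1: no secure configuration exists
     OR kex_alg IN ('diffie-hellman-group1-sha1',
                    'diffie-hellman-group14-sha1')          -- SHA-1 / 1024-bit group key exchange
     OR cipher_alg LIKE '%-cbc'                             -- CBC-mode ciphers (incl. 3des-cbc)
     OR cipher_alg LIKE 'arcfour%'                          -- RC4
     OR mac_alg IN ('hmac-md5', 'hmac-md5-96', 'hmac-sha1-96') -- MD5 or truncated MACs
  )
ORDER BY timestamp DESC
LIMIT 500;
```

The `hassh` and `host_key` columns are returned so a hit can be pivoted on: re-run with `WHERE hassh = '<value>'` to find every session from the same client software build, or `WHERE host_key = '<value>'` to see whether one server key is presented from several `id.resp_h` addresses.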

### network.ssl.\_all

TLS/SSL session records — provide visibility into encrypted session attributes, including TLS fingerprinting (e.g., JA3, JA3S, JA4), certificates, and negotiated cipher suites.

#### Common Fields

| Column                    | Type        | Vectra-specific\* | Description                                                                                                          |
| ------------------------- | ----------- | ----------------- | -------------------------------------------------------------------------------------------------------------------- |
| `vectra_connector`        | `string`    | ✓                 | Sensor/connector identifier. Not documented in the Vectra metadata PDF.                                              |
| `id`                      | `struct`    |                   | Session 5-tuple                                                                                                      |
| `id.ip_ver`               | `string`    |                   | IP version — `"ipv4"` or `"ipv6"`                                                                                    |
| `id.orig_h`               | `string`    |                   | Originator (client) IP address                                                                                       |
| `id.orig_p`               | `number`    |                   | Originator source port                                                                                               |
| `id.resp_h`               | `string`    |                   | Responder (server) IP address                                                                                        |
| `id.resp_p`               | `number`    |                   | Responder destination port                                                                                           |
| `timestamp`               | `timestamp` |                   | Record timestamp (PDF documents as `ts` — use `timestamp` in all queries)                                            |
| `uid`                     | `string`    |                   | Unique session/connection ID (Zeek UID)                                                                              |
| `sensor_uid`              | `string`    | ✓                 | Short sensor identifier                                                                                              |
| `local_orig`              | `boolean`   |                   | True if originator IP is internal/RFC-1918                                                                           |
| `local_resp`              | `boolean`   |                   | True if responder IP is internal/RFC-1918                                                                            |
| `orig_sluid`              | `string`    | ✓                 | Originator subnet LUID                                                                                               |
| `resp_sluid`              | `string`    | ✓                 | Responder subnet LUID (empty for external hosts)                                                                     |
| `orig_huid`               | `string`    | ✓                 | Originator host LUID                                                                                                 |
| `resp_huid`               | `string`    | ✓                 | Responder host LUID (null for external hosts)                                                                        |
| `orig_hostname`           | `struct`    | ✓                 | Vectra host record for originator                                                                                    |
| `orig_hostname.id`        | `number`    | ✓                 | Vectra host entity ID — links to `GET /api/v3.4/hosts/{id}`                                                          |
| `orig_hostname.name`      | `string`    | ✓                 | Host display name                                                                                                    |
| `orig_hostname.host_luid` | `string`    | ✓                 | Host LUID                                                                                                            |
| `resp_hostname`           | `struct`    | ✓                 | Vectra host record for responder (null fields for external IPs)                                                      |
| `resp_hostname.id`        | `number`    | ✓                 | Vectra host entity ID                                                                                                |
| `resp_hostname.name`      | `string`    | ✓                 | Host display name                                                                                                    |
| `resp_hostname.host_luid` | `string`    | ✓                 | Host LUID                                                                                                            |
| `dt`                      | `string`    | ✓                 | Date partition field (YYYY-MM-DD). Use `timestamp` for sub-day precision. Not documented in the Vectra metadata PDF. |

#### Table-Specific Fields

| Field                    | Type    | Description                                                                                                |
| ------------------------ | ------- | ---------------------------------------------------------------------------------------------------------- |
| `server_name`            | string  | SNI: the hostname the client requested. Cleartext in TLS 1.2 and 1.3; with ECH only the outer (public) name is visible and the real name is encrypted. Null/empty when the client connected by IP without sending SNI. |
| `next_protocol`          | string  | ALPN negotiated application protocol (e.g., `h2`, `http/1.1`). Empty if not negotiated.                    |
| `established`            | boolean | True if TLS handshake completed successfully                                                               |
| `cipher`                 | string  | Negotiated cipher suite (e.g., `TLS_AES_256_GCM_SHA384`)                                                   |
| `version_num`            | integer | Negotiated TLS version as integer (e.g., `772` = TLS 1.3, `771` = TLS 1.2)                                 |
| `version`                | string  | Negotiated TLS version as string (e.g., `TLS1.3`, `TLS1.2`, `SSLv3`)                                       |
| `curve`                  | string  | ECDH curve negotiated (e.g., `x25519`, `prime256v1`). `[unknown (0)]` or empty for non-ECDH.               |
| `issuer`                 | string  | Issuer DN from the server's leaf certificate (flat string, not a struct sub-field)                         |
| `subject`                | string  | Subject DN from the server's leaf certificate (flat string, not a struct sub-field)                        |
| `client_issuer`          | string  | Issuer DN from client certificate (mutual TLS). Empty if no client cert.                                   |
| `client_subject`         | string  | Subject DN from client certificate (mutual TLS). Empty if no client cert.                                  |
| `client_version_num`     | integer | Highest TLS version offered by the client in ClientHello (e.g., `771` = TLS 1.2 offered)                   |
| `client_version`         | string  | Client's offered TLS version as string (e.g., `TLS1.2`)                                                    |
| `client_extension`       | array   | List of TLS extension IDs offered by the client (integers)                                                 |
| `client_curve_num`       | array   | List of elliptic curve IDs supported by the client (integers)                                              |
| `client_ec_point_format` | array   | Supported EC point formats from client (integers, e.g., `[0]` = uncompressed)                              |
| `ja3`                    | string  | JA3 fingerprint — MD5 of client TLS ClientHello parameters                                                 |
| `server_extensions`      | array   | List of TLS extension IDs in the server's ServerHello (integers)                                           |
| `ja3s`                   | string  | JA3S fingerprint — MD5 of server TLS ServerHello parameters                                                |
| `application`            | array   | Application identifiers (typically empty; may contain layer-7 context)                                     |
| `ja4`                    | string  | JA4 fingerprint — newer, more robust TLS client fingerprint (e.g., `t13d1517h2_8daaf6152771_b6f405a00624`) |
| `ja4s`                   | string  | JA4S fingerprint — server-side JA4 (e.g., `t130200_1302_a56c5b993250`)                                     |
| `proxy_to_internal_dst`  | boolean | True if this TLS session was proxied to an internal destination                                            |
| `client_luid_proxy`      | boolean | True if the client side used a proxy LUID                                                                  |
| `server_luid_proxy`      | boolean | True if the server side used a proxy LUID                                                                  |
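A query over the fields above that hunts for completed TLS sessions from internal hosts to external servers that either negotiated a pre-TLS-1.2 version or carried no SNI, returning the JA3/JA4 values so a suspicious client can be pivoted on. This is an added example, not a query from the Vectra documentation; the `TIMESTAMP` literal syntax and the null-versus-empty handling of `server_name` are assumptions.

```sql
-- Added example, not from the Vectra documentation.
-- Assumptions: TIMESTAMP literal syntax; server_name may be NULL or ''.
SELECT timestamp, uid, id.orig_h, id.resp_h, id.resp_p,
       orig_hostname.name, server_name, next_protocol,
       version, version_num, cipher, curve,
       ja3, ja3s, ja4, ja4s
FROM network.ssl._all
WHERE timestamp >= TIMESTAMP '2026-03-08 00:00:00'
  AND local_orig = true          -- internal client
  AND local_resp = false         -- external server
  AND established = true         -- handshake completed, so the server accepted it
  AND (
        version_num < 771                               -- below TLS 1.2 (0x0303 = 771)
     OR server_name IS NULL OR server_name = ''         -- no SNI: connection by IP
  )
ORDER BY timestamp DESC
LIMIT 500;
```

The no-SNI branch also matches legitimate by-IP traffic (some update agents, VPN clients), so treat it as a triage list rather than an alert. ECH sessions do not match it: the outer ClientHello still carries the public name. To pivot from a hit, re-run with `WHERE ja4 = '<value>'` (or `ja3`) and drop the version/SNI conditions.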

### network.x509.\_all

X.509 certificate records — provide visibility into certificate attributes, including subject, issuer, validity period, and self-signed status, enabling analysis of certificate usage and trust characteristics.

#### Common Fields

| Column                    | Type        | Vectra-specific\* | Description                                                                                                          |
| ------------------------- | ----------- | ----------------- | -------------------------------------------------------------------------------------------------------------------- |
| `vectra_connector`        | `string`    | ✓                 | Sensor/connector identifier. Not documented in the Vectra metadata PDF.                                              |
| `id`                      | `struct`    |                   | Session 5-tuple                                                                                                      |
| `id.ip_ver`               | `string`    |                   | IP version — `"ipv4"` or `"ipv6"`                                                                                    |
| `id.orig_h`               | `string`    |                   | Originator (client) IP address                                                                                       |
| `id.orig_p`               | `number`    |                   | Originator source port                                                                                               |
| `id.resp_h`               | `string`    |                   | Responder (server) IP address                                                                                        |
| `id.resp_p`               | `number`    |                   | Responder destination port                                                                                           |
| `timestamp`               | `timestamp` |                   | Record timestamp (PDF documents as `ts` — use `timestamp` in all queries)                                            |
| `uid`                     | `string`    |                   | Unique session/connection ID (Zeek UID)                                                                              |
| `sensor_uid`              | `string`    | ✓                 | Short sensor identifier                                                                                              |
| `local_orig`              | `boolean`   |                   | True if originator IP is internal/RFC-1918                                                                           |
| `local_resp`              | `boolean`   |                   | True if responder IP is internal/RFC-1918                                                                            |
| `orig_sluid`              | `string`    | ✓                 | Originator subnet LUID                                                                                               |
| `resp_sluid`              | `string`    | ✓                 | Responder subnet LUID (empty for external hosts)                                                                     |
| `orig_huid`               | `string`    | ✓                 | Originator host LUID                                                                                                 |
| `resp_huid`               | `string`    | ✓                 | Responder host LUID (null for external hosts)                                                                        |
| `orig_hostname`           | `struct`    | ✓                 | Vectra host record for originator                                                                                    |
| `orig_hostname.id`        | `number`    | ✓                 | Vectra host entity ID — links to `GET /api/v3.4/hosts/{id}`                                                          |
| `orig_hostname.name`      | `string`    | ✓                 | Host display name                                                                                                    |
| `orig_hostname.host_luid` | `string`    | ✓                 | Host LUID                                                                                                            |
| `resp_hostname`           | `struct`    | ✓                 | Vectra host record for responder (null fields for external IPs)                                                      |
| `resp_hostname.id`        | `number`    | ✓                 | Vectra host entity ID                                                                                                |
| `resp_hostname.name`      | `string`    | ✓                 | Host display name                                                                                                    |
| `resp_hostname.host_luid` | `string`    | ✓                 | Host LUID                                                                                                            |
| `dt`                      | `string`    | ✓                 | Date partition field (YYYY-MM-DD). Use `timestamp` for sub-day precision. Not documented in the Vectra metadata PDF. |

#### Table-Specific Fields

| Field                   | Type    | Description                                                                                                        |
| ----------------------- | ------- | ------------------------------------------------------------------------------------------------------------------ |
| `certificate`           | struct  | Full certificate details — sub-fields listed below                                                                 |
| `basic_constraints`     | struct  | X.509 Basic Constraints extension — sub-fields listed below                                                        |
| `san`                   | struct  | Subject Alternative Names — sub-fields listed below                                                                |
| `application`           | array   | Application identifiers (typically empty)                                                                          |
| `ja4x`                  | string  | JA4X certificate fingerprint: hashes the order of issuer RDN OIDs, subject RDN OIDs and extension OIDs, so it identifies the tooling that generated the certificate independently of key, names and validity dates |
| `proxy_to_internal_dst` | boolean | True if the TLS session was proxied to an internal destination                                                     |
| `client_luid_proxy`     | boolean | True if the client side used a proxy LUID                                                                          |
| `server_luid_proxy`     | boolean | True if the server side used a proxy LUID                                                                          |
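`JOIN` is prohibited, but `UNION ALL` is allowed, so the handshake record and the certificate record(s) for one session can still be viewed side by side by stacking `network.ssl._all` and `network.x509._all` on their shared Zeek `uid`. This is an added example, not a query from the Vectra documentation; the `uid` value is a constructed placeholder, and the column aliases and a single trailing `LIMIT` applying to the whole union are assumptions.

```sql
-- Added example, not from the Vectra documentation.
-- Assumptions: the uid below is a placeholder; AS aliases are accepted;
-- one trailing LIMIT covers the whole UNION ALL.
-- Both SELECT lists have the same column count and order, as UNION ALL requires.
SELECT 'ssl'  AS source, timestamp, uid, id.resp_h, id.resp_p,
       ja4  AS fingerprint
FROM network.ssl._all
WHERE uid = 'CHhAvVGS1DHFjwGM9'
UNION ALL
SELECT 'x509' AS source, timestamp, uid, id.resp_h, id.resp_p,
       ja4x AS fingerprint
FROM network.x509._all
WHERE uid = 'CHhAvVGS1DHFjwGM9'
ORDER BY timestamp
LIMIT 50;
```

One `ssl` row followed by one `x509` row per certificate in the chain is the normal shape; the `ja4x` value can then be pivoted on across `network.x509._all` to find every server presenting a certificate cut from the same template, regardless of the names in it.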

## AWS

AWS tables capture API activity recorded by AWS CloudTrail across your Amazon Web Services environment. Use these tables to investigate IAM changes, role assumptions, resource access, and other control-plane and data-plane events across AWS accounts and regions.

### aws.cloudtrail.\_all

Records every AWS API call and console action captured by CloudTrail — management events (IAM changes, role assumptions, resource creation/deletion) and data events (S3 object operations, Lambda invocations, etc.). Each row is one API event tied to an IAM identity, enriched with Vectra entity resolution.

#### Common Fields

| Field              | Type      | Description                                                                                       |
| ------------------ | --------- | ------------------------------------------------------------------------------------------------- |
| `vectra_connector` | VARCHAR   | Vectra connector identifier                                                                       |
| `timestamp`        | TIMESTAMP | Vectra-normalised event timestamp: **use this in WHERE / ORDER BY**                               |
| `event_time`       | TIMESTAMP | Raw CloudTrail event timestamp (UTC). Same value as `timestamp`; use `timestamp` for consistency. |
| `dt`               | DATE      | Partition date (see Partition Fields below)                                                       |
| `year`, `month`, `day`, `hour` | VARCHAR | Partition components, stored as strings (see Partition Fields below for padding)          |
| `vectra`           | STRUCT    | Vectra entity enrichment (see Vectra Entity Fields below)                                         |

#### Core Event Fields

| Field              | Type      | Description                                                                                                                                                             |
| ------------------ | --------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `timestamp`        | TIMESTAMP | Vectra-normalised event time — **use this for filtering**                                                                                                               |
| `event_time`       | TIMESTAMP | Raw AWS event time (typically identical to `timestamp`)                                                                                                                 |
| `event_id`         | VARCHAR   | Unique CloudTrail event UUID                                                                                                                                            |
| `event_version`    | VARCHAR   | CloudTrail event format version (e.g. `1.11`)                                                                                                                           |
| `event_source`     | VARCHAR   | AWS service that processed the call (e.g. `s3.amazonaws.com`, `iam.amazonaws.com`)                                                                                      |
| `event_name`       | VARCHAR   | API action name (e.g. `PutObject`, `AssumeRole`, `CreateUser`)                                                                                                          |
| `event_type`       | VARCHAR   | `AwsApiCall`, `AwsConsoleAction`, `AwsServiceEvent`, etc.                                                                                                               |
| `event_category`   | VARCHAR   | `Management` or `Data`                                                                                                                                                  |
| `aws_region`       | VARCHAR   | AWS region where the event occurred (e.g. `us-east-1`)                                                                                                                  |
| `read_only`        | VARCHAR   | `'true'` = read-only API call; `'false'` = mutating action. **Stored as a lowercase string, not a boolean; use quoted string comparisons** (e.g., `read_only = 'false'`) |
| `management_event` | BOOLEAN   | `true` if this is a management (control-plane) event                                                                                                                    |
| `api_version`      | VARCHAR   | API version string (often empty)                                                                                                                                        |
| `request_id`       | VARCHAR   | AWS request ID for correlation with service logs                                                                                                                        |
| `shared_event_id`  | VARCHAR   | UUID shared across related events (e.g. cross-account)                                                                                                                  |

#### Identity Fields

| Field                                                        | Type      | Description                                                                                       |
| ------------------------------------------------------------ | --------- | ------------------------------------------------------------------------------------------------- |
| `user_identity`                                              | STRUCT    | Caller identity — access via dot-notation (see sub-fields below)                                  |
| `user_identity.type`                                         | VARCHAR   | Identity type, e.g. `IAMUser`, `AssumedRole`, `AWSService`, `Root`, `FederatedUser`, `AWSAccount`; CloudTrail also emits `SAMLUser`, `WebIdentityUser` and `IdentityCenterUser` for federated sign-ins |
| `user_identity.principal_id`                                 | VARCHAR   | Unique principal identifier                                                                       |
| `user_identity.arn`                                          | VARCHAR   | Full ARN of the calling entity                                                                    |
| `user_identity.account_id`                                   | VARCHAR   | AWS account ID of the caller                                                                      |
| `user_identity.access_key_id`                                | VARCHAR   | Access key used for the call                                                                      |
| `user_identity.user_name`                                    | VARCHAR   | IAM user name (for `IAMUser` type)                                                                |
| `user_identity.invoked_by`                                   | VARCHAR   | Service that invoked the call (e.g. `cloudtrail.amazonaws.com`)                                   |
| `user_identity.session_context.session_issuer.type`          | VARCHAR   | Role/federation type of the session issuer                                                        |
| `user_identity.session_context.session_issuer.principal_id`  | VARCHAR   | Unique ID of the session issuer principal                                                         |
| `user_identity.session_context.session_issuer.arn`           | VARCHAR   | ARN of the role that issued the session                                                           |
| `user_identity.session_context.session_issuer.account_id`    | VARCHAR   | Account ID of the session issuer                                                                  |
| `user_identity.session_context.session_issuer.user_name`     | VARCHAR   | Friendly name of the session issuer role                                                          |
| `user_identity.session_context.attributes.mfa_authenticated` | VARCHAR   | `'true'` / `'false'` — was MFA used for the session?                                              |
| `user_identity.session_context.attributes.creation_date`     | TIMESTAMP | When the temporary session credentials were issued                                                |
| `user_identity.session_context.ec2_role_delivery`            | VARCHAR   | EC2 instance role delivery mechanism (usually empty)                                              |
| `user_identity.session_context.source_identity`              | VARCHAR   | Source identity set when the role was assumed (STS `SourceIdentity`; the caller needs `sts:SetSourceIdentity`). Persists across role chaining, so it is the field to use to tie an assumed-role session back to the original user. |
| `assume_role_role_arn`                                       | VARCHAR   | Role ARN when `AssumeRole` is detected (convenience field)                                        |
| `request_source_identity`                                    | VARCHAR   | Source identity from the request (flat string; PDF incorrectly documents as a `.value` sub-field) |
| `user_identity_str`                                          | VARCHAR   | Full `user_identity` serialised as a JSON string — use with LIKE/CONTAINS                         |
| `user_identity_json`                                         | VARCHAR   | Compact `user_identity` JSON (subset, Vectra-generated) — use with LIKE/CONTAINS                  |

#### Network / Source Fields

| Field                     | Type    | Description                                                             |
| ------------------------- | ------- | ----------------------------------------------------------------------- |
| `source_ip_address`       | VARCHAR | Source IP address or AWS service name (e.g. `cloudtrail.amazonaws.com`) |
| `user_agent`              | VARCHAR | HTTP user-agent string for the request                                  |
| `vpc_endpoint_id`         | VARCHAR | VPC endpoint ID if request was via VPC endpoint                         |
| `vpc_endpoint_account_id` | VARCHAR | Account ID associated with the VPC endpoint                             |

#### Request / Response Fields

| Field                   | Type    | Description                                                                            |
| ----------------------- | ------- | -------------------------------------------------------------------------------------- |
| `request_parameters`    | VARCHAR | JSON blob of API request parameters — use LIKE/CONTAINS                                |
| `response_elements`     | VARCHAR | JSON blob of API response elements — use LIKE/CONTAINS                                 |
| `additional_event_data` | VARCHAR | JSON blob of extra event metadata (TLS details, auth method, etc.) — use LIKE/CONTAINS |
| `service_event_details` | VARCHAR | Details for AWS service-generated events                                               |

#### Error Fields

| Field           | Type    | Description                                                             |
| --------------- | ------- | ----------------------------------------------------------------------- |
| `error_code`    | VARCHAR | AWS error code if the call failed (e.g. `AccessDenied`, `NoSuchBucket`) |
| `error_message` | VARCHAR | Human-readable error message                                            |

#### Resource Fields

| Field       | Type           | Description                                                                                           |
| ----------- | -------------- | ----------------------------------------------------------------------------------------------------- |
| `resources` | ARRAY\<STRUCT> | Resources accessed/modified. Each element has `.arn`, `.account_id`, `.type`. Filter with `ANY_MATCH` |

#### Account / Organisation Fields

| Field                  | Type    | Description                                      |
| ---------------------- | ------- | ------------------------------------------------ |
| `recipient_account_id` | VARCHAR | AWS account that received the event              |
| `organization`         | VARCHAR | AWS Organisation ID (if applicable; often empty) |
| `account`              | VARCHAR | Account alias or descriptor (often empty)        |

#### Session / Console Fields

| Field                             | Type    | Description                                                 |
| --------------------------------- | ------- | ----------------------------------------------------------- |
| `session_credential_from_console` | VARCHAR | `'True'` if credentials originated from AWS Console sign-in |

#### Undocumented / Extended Fields

| Field                 | Type    | Description                                        |
| --------------------- | ------- | -------------------------------------------------- |
| `addendum`            | VARCHAR | Supplemental CloudTrail data (rare; usually empty) |
| `edge_device_details` | VARCHAR | Details for AWS edge device events (usually empty) |

#### Vectra Entity Fields

| Field                             | Type    | Description                                                                                                                    |
| --------------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------ |
| `vectra`                          | STRUCT  | Vectra enrichment — access via dot-notation                                                                                    |
| `vectra.entity.resolved_identity` | VARCHAR | **Plain string** — Vectra-resolved identity label (e.g. `AWSService`, `johndoe@example.com`).                                  |
| `vectra.entity.role_chain`        | VARCHAR | **Plain string** — colon-delimited chain of account IDs and role/service names (e.g. `884414556547:cloudtrail.amazonaws.com`). |
| `vectra_connector`                | VARCHAR | Vectra connector instance ID                                                                                                   |

#### Partition Fields

| Field   | Type    | Description                                           |
| ------- | ------- | ----------------------------------------------------- |
| `dt`    | DATE    | Partition date `YYYY-MM-DD`. Always include a `dt` bound in WHERE so only the needed partitions are read; use `timestamp` for finer-grained filtering |
| `year`  | VARCHAR | Partition year (e.g. `'2026'`)                        |
| `month` | VARCHAR | Partition month zero-padded (e.g. `'03'`)             |
| `day`   | VARCHAR | Partition day zero-padded (e.g. `'09'`)               |
| `hour`  | VARCHAR | Partition hour (e.g. `'9'`, not zero-padded)          |
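A query that exercises the quirks documented above (`read_only` and `mfa_authenticated` as quoted strings, dot-notation into `user_identity`, a `dt` partition bound alongside `timestamp`): mutating IAM calls made without MFA. This is an added example, not a query from the Vectra documentation; the `DATE`/`TIMESTAMP` literal syntax and the assumption that `mfa_authenticated` is NULL when no session context exists (long-term access keys) are this example's, not the page's.

```sql
-- Added example, not from the Vectra documentation.
-- Assumptions: DATE/TIMESTAMP literal syntax; mfa_authenticated is NULL for
-- calls made with long-term access keys (no session_context), which is why
-- the IS NULL branch is included rather than only = 'false'.
SELECT timestamp, event_name, aws_region, recipient_account_id,
       user_identity.type,
       user_identity.arn,
       user_identity.session_context.session_issuer.arn,
       user_identity.session_context.attributes.mfa_authenticated,
       user_identity.session_context.source_identity,
       source_ip_address, user_agent,
       error_code,
       vectra.entity.resolved_identity,
       vectra.entity.role_chain
FROM aws.cloudtrail._all
WHERE dt >= DATE '2026-03-08'
  AND timestamp >= TIMESTAMP '2026-03-08 00:00:00'
  AND event_source = 'iam.amazonaws.com'
  AND read_only = 'false'                              -- mutating calls only; quoted string, not boolean
  AND user_identity.type <> 'AWSService'               -- drop service-linked automation
  AND (user_identity.session_context.attributes.mfa_authenticated = 'false'
       OR user_identity.session_context.attributes.mfa_authenticated IS NULL)
ORDER BY timestamp DESC
LIMIT 200;
```

`error_code` is kept in the output on purpose: a run of `AccessDenied` rows from one principal against IAM is enumeration, and it is at least as interesting as the calls that succeeded. Where the struct path is empty for an unusual identity type, fall back to `user_identity_str LIKE '%"mfaAuthenticated":"false"%'` on the serialised JSON.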

## Azure Control Plane

Azure Control Plane tables capture Azure Resource Manager (ARM) operations across your Microsoft Azure environment. Use these tables to investigate resource creation and deletion, RBAC role assignments, subscription changes, and other management-layer activity.

### azurecp.operations.\_all

Azure Control Plane operation events. Each row represents one Azure Resource Manager (ARM) operation — an API call that creates, modifies, deletes, or reads an Azure resource. Sourced from Azure Activity Logs. Covers RBAC changes, resource creation/deletion, Key Vault access, diagnostic setting changes, policy assignments, and any other management-plane activity across subscriptions.

This table is the audit trail for **who did what to which Azure resource and when**. It is distinct from data-plane logs (e.g., Key Vault secret reads are here; the content of those secrets is not).

#### Common Fields

| Field              | Type      | Description                                                                                       |
| ------------------ | --------- | ------------------------------------------------------------------------------------------------- |
| `vectra_connector` | string    | Vectra sensor/connector identifier                                                                |
| `time`             | timestamp | Raw Azure event timestamp in high-precision UTC (e.g., `2026-03-09T12:51:52.2893961Z`)            |
| `timestamp`        | timestamp | Vectra-normalised event timestamp — **use this for queries**                                      |
| `dt`               | date      | Partition date                                                                                    |
| `actor`            | struct    | The identity that performed the operation. Sub-fields: `actor.name`, `actor.id`, `actor.objectid` |
| `vectra`           | struct    | Vectra-enriched identity context. `vectra.identity` = string (identity name). See note below.     |

#### Field Reference

| Field               | Type      | Description                                                                                                                                                                                                                                              |
| ------------------- | --------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `vectra_connector`  | string    | Vectra connector identifier                                                                                                                                                                                                                              |
| `time`              | timestamp | Raw Azure event timestamp with sub-millisecond precision (UTC). Use `timestamp` for queries.                                                                                                                                                             |
| `timestamp`         | timestamp | Vectra-normalised event timestamp — **use this in WHERE / ORDER BY**                                                                                                                                                                                     |
| `dt`                | date      | Partition date                                                                                                                                                                                                                                           |
| `tenantid`          | string    | Azure Active Directory tenant GUID. May be empty if not populated by the resource. *(PDF description is incorrect — see discrepancies)*                                                                                                                  |
| `resourceid`        | string    | Full Azure Resource Manager resource path (e.g., `/SUBSCRIPTIONS/.../PROVIDERS/Microsoft.KeyVault/vaults/my-vault`). *(PDF description is incorrect — see discrepancies)*                                                                                |
| `operationname`     | string    | Name of the ARM operation (e.g., `SecretSet`, `Microsoft.Authorization/roleAssignments/write`, `Microsoft.Compute/virtualMachines/delete`)                                                                                                               |
| `operationversion`  | string    | API version used for the operation (e.g., `7.4`, `2021-04-01`)                                                                                                                                                                                           |
| `category`          | string    | Log category (e.g., `AuditEvent`, `Administrative`, `Policy`, `Alert`)                                                                                                                                                                                   |
| `resulttype`        | string    | Outcome of the operation: `Success`, `Failure`, `Start`                                                                                                                                                                                                  |
| `resultsignature`   | string    | Sub-status of the result. For REST API operations this is the HTTP status code (e.g., `OK`, `Created`, `Forbidden`). May be empty.                                                                                                                       |
| `resultdescription` | string    | Static text description of the operation result. Often empty.                                                                                                                                                                                            |
| `durationms`        | integer   | Duration of the operation in milliseconds                                                                                                                                                                                                                |
| `calleripaddress`   | string    | IP address of the caller, if the operation originated from a public endpoint. Empty for operations from internal Azure infrastructure.                                                                                                                   |
| `correlationid`     | string    | GUID linking related events across a single logical operation or workflow                                                                                                                                                                                |
| `identity`          | string    | **JSON string blob** describing the identity that performed the operation. Contains claim fields including `oid` (object ID), `appid`, `iss` (issuer), `iat`/`exp` (token times). Not a queryable struct — use `LIKE` or `CONTAINS` to search within it. |
| `level`             | string    | Severity level of the event: `Informational`, `Warning`, `Error`, `Critical`                                                                                                                                                                             |
| `location`          | string    | Azure region of the resource that emitted the event (e.g., `eastus`, `westeurope`). May be empty.                                                                                                                                                        |
| `properties`        | string    | **JSON string blob** containing operation-specific extended properties. Schema varies by resource provider and operation type. Not a queryable struct.                                                                                                   |
| `objectid`          | string    | GUID of the entity (user or service principal) that performed the operation                                                                                                                                                                              |
| `subscription`      | string    | Azure subscription GUID of the resource that emitted the event                                                                                                                                                                                           |
| `applicationid`     | string    | Application (service principal) GUID used to perform the operation                                                                                                                                                                                       |
| `applicationname`   | string    | Display name of the application used. May be empty.                                                                                                                                                                                                      |
| `resourcegroup`     | string    | Name of the resource group containing the resource (lowercase)                                                                                                                                                                                           |
| `roleid`            | string    | GUID of the RBAC role used for the operation. Populated for role assignment events.                                                                                                                                                                      |
| `rolescope`         | string    | Scope at which the role was assigned (e.g., subscription, resource group, resource)                                                                                                                                                                      |
| `rolename`          | string    | Display name of the role (e.g., `Contributor`, `Key Vault Secrets Officer`)                                                                                                                                                                              |
| `actor`             | struct    | Vectra-enriched actor context. Use dot-notation: `actor.name`, `actor.id`, `actor.objectid`                                                                                                                                                              |

#### actor.\* Struct Sub-Fields

| Sub-field        | Type    | Description                                                                                                |
| ---------------- | ------- | ---------------------------------------------------------------------------------------------------------- |
| `actor.name`     | string  | Display name of the actor (user or application) that performed the operation                               |
| `actor.id`       | integer | Vectra internal UI reference ID for the actor. May be null for service principals not tracked as entities. |
| `actor.objectid` | string  | Azure object ID (GUID) of the actor — the canonical identifier                                             |
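
The table above documents `identity` and `properties` as JSON string blobs that cannot be addressed with dot-notation, so filtering on a claim such as `appid` has to happen after the query returns. The following Python is an added example, not Vectra code: it builds a query for successful role-assignment writes that follows the conventions in this reference (`._all` suffix, `actor.*` dot-notation, `dt` in `WHERE`, `timestamp` ordering, explicit `LIMIT`) and then parses the `identity` blob of each returned row. The `DATE '...'` literal syntax, the nesting of claims under a `"claims"` key, and the flat-dict shape of result rows are assumptions; the sample rows and GUID placeholders are constructed.

```python
"""Constructed example, not Vectra code: build a constrained
azurecp.operations._all query for successful RBAC role-assignment writes, then
parse the `identity` JSON blob of each returned row client-side, since the
field reference documents it as a string blob rather than a queryable struct."""
import json
from datetime import date

MAX_LOOKBACK_DAYS = 14  # cloud-table lookback limit from the Query Constraints section
MAX_ROWS = 1000         # max rows per query
ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"
CLAIM_KEYS = ("oid", "appid", "iss", "iat", "exp")  # claims the field reference lists


def build_role_assignment_query(start: str, end: str, limit: int = MAX_ROWS) -> str:
    """Return the SQL for successful role-assignment writes between two ISO dates.

    Follows the documented conventions: `._all` suffix, dot-notation for the
    `actor` struct, `dt` partition filter in WHERE, `timestamp` for ordering and
    an explicit LIMIT. The DATE literal syntax is an assumption about the dialect.
    """
    start_d, end_d = date.fromisoformat(start), date.fromisoformat(end)
    if end_d < start_d:
        raise ValueError("end must not precede start")
    if (end_d - start_d).days > MAX_LOOKBACK_DAYS:
        raise ValueError(f"window exceeds the {MAX_LOOKBACK_DAYS}-day lookback")
    if not 1 <= limit <= MAX_ROWS:
        raise ValueError(f"limit must be between 1 and {MAX_ROWS}")
    return (
        "SELECT timestamp, operationname, resulttype, calleripaddress, "
        "rolename, rolescope, actor.name, actor.objectid, identity "
        "FROM azurecp.operations._all "
        f"WHERE dt BETWEEN DATE '{start_d.isoformat()}' AND DATE '{end_d.isoformat()}' "
        f"AND operationname = '{ROLE_ASSIGNMENT_WRITE}' "
        "AND resulttype = 'Success' "
        "ORDER BY timestamp DESC "
        f"LIMIT {limit}"
    )


def extract_identity_claims(identity_blob: str) -> dict:
    """Return the documented claim fields found in the `identity` JSON string.

    Assumes the claims sit under a "claims" key as in Azure Activity Log records;
    a flat blob is accepted as well. Empty or malformed input yields an empty
    dict instead of raising, because the blob's schema is not guaranteed.
    """
    try:
        parsed = json.loads(identity_blob or "")
    except json.JSONDecodeError:
        return {}
    if not isinstance(parsed, dict):
        return {}
    claims = parsed.get("claims", parsed)
    if not isinstance(claims, dict):
        return {}
    return {key: claims[key] for key in CLAIM_KEYS if key in claims}


def service_principal_assignments(rows: list) -> list:
    """Return the rows whose caller identity carries an `appid` claim, i.e. role
    assignments performed by an application rather than a user, with the parsed
    claims attached. Rows are assumed to be dicts keyed by the selected column
    names (an assumption about the result shape, not documented on the page)."""
    hits = []
    for row in rows:
        claims = extract_identity_claims(row.get("identity", ""))
        if claims.get("appid"):
            hits.append({**row, "claims": claims})
    return hits


# Constructed sample rows standing in for query results; GUIDs are placeholders.
SAMPLE_ROWS = [
    {"timestamp": "2026-03-09T12:51:52Z", "operationname": ROLE_ASSIGNMENT_WRITE,
     "resulttype": "Success", "calleripaddress": "203.0.113.10",
     "rolename": "Contributor", "rolescope": "/subscriptions/<subscription-id>",
     "actor.name": "jane.doe@example.com", "actor.objectid": "<user-oid>",
     "identity": json.dumps({"claims": {"oid": "<user-oid>",
                                        "iss": "https://sts.windows.net/<tenant-id>/",
                                        "iat": "1773060000", "exp": "1773063600"}})},
    {"timestamp": "2026-03-09T13:02:11Z", "operationname": ROLE_ASSIGNMENT_WRITE,
     "resulttype": "Success", "calleripaddress": "",
     "rolename": "Key Vault Secrets Officer",
     "rolescope": "/subscriptions/<subscription-id>/resourceGroups/prod-rg",
     "actor.name": "automation-app", "actor.objectid": "<sp-oid>",
     "identity": json.dumps({"claims": {"oid": "<sp-oid>", "appid": "<app-id>",
                                        "iss": "https://sts.windows.net/<tenant-id>/"}})},
    {"timestamp": "2026-03-09T13:10:00Z", "operationname": ROLE_ASSIGNMENT_WRITE,
     "resulttype": "Success", "calleripaddress": "", "rolename": "Reader",
     "rolescope": "/subscriptions/<subscription-id>", "actor.name": "",
     "actor.objectid": "", "identity": "not-json"},
]

if __name__ == "__main__":
    print(build_role_assignment_query("2026-03-01", "2026-03-09"))
    for hit in service_principal_assignments(SAMPLE_ROWS):
        print(hit["actor.name"], hit["rolename"], hit["claims"])
```

Submitting the query text to `POST /api/v3.4/investigations/` is left to the caller because the request body format is not shown in this section. Narrow the SQL with `LIKE` on `identity` (for example on the `appid` key) when the result set would otherwise exceed the row cap, then apply the client-side parse to what comes back.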

## Entra ID

Entra ID tables capture authentication and directory activity from Microsoft Entra ID (formerly Azure Active Directory). Use these tables to investigate sign-in events, failed authentications, user and group changes, role assignments, and application access across your Microsoft identity platform.

### entra.signins.\_all

Sign-in logs from Microsoft Entra ID (Azure AD). Every authentication attempt generates a record here: interactive browser logins, non-interactive service logins, legacy protocol logins, and MFA challenges. Includes risk scoring, conditional access evaluation, device details, and geolocation. The primary source for authentication anomaly detection.

Correlate with `entra.directoryaudits._all` using `correlation_id` to link a sign-in to subsequent directory changes.

#### Core Event Fields

| Field                       | Type      | Description                                                                   |
| --------------------------- | --------- | ----------------------------------------------------------------------------- |
| `timestamp`                 | TIMESTAMP | Vectra-normalised event time — **use for filtering**                          |
| `creation_time`             | TIMESTAMP | Raw Microsoft timestamp                                                       |
| `created_date_type`         | TIMESTAMP | Creation datetime (redundant with `timestamp`)                                |
| `id`                        | VARCHAR   | Unique sign-in event UUID                                                     |
| `correlation_id`            | VARCHAR   | Correlation GUID — links to directoryaudits for the same auth flow            |
| `is_interactive`            | VARCHAR   | `True` if user-initiated interactive login; `False` for service/silent logins |
| `conditional_access_status` | VARCHAR   | `success`, `failure`, `notApplied` — was conditional access enforced?         |

#### User Identity Fields

| Field                 | Type    | Description                                                    |
| --------------------- | ------- | -------------------------------------------------------------- |
| `user_id`             | VARCHAR | AAD object GUID of the user                                    |
| `user_principal_name` | VARCHAR | UPN of the user (e.g. `dale@demolab.vectra.ai`)                |
| `user_display_name`   | VARCHAR | Display name of the user                                       |
| `client_ip`           | VARCHAR | Source IP address (may be empty; use `ip_address` instead)     |
| `ip_address`          | VARCHAR | Source IP address of the sign-in — **prefer over `client_ip`** |

#### Application / Resource Fields

| Field                   | Type    | Description                                                                                                               |
| ----------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------- |
| `app_id`                | VARCHAR | GUID of the application used for sign-in                                                                                  |
| `app_display_name`      | VARCHAR | Name of the application (e.g. `Microsoft 365 Security and Compliance Center`)                                             |
| `resource_id`           | VARCHAR | GUID of the resource being accessed                                                                                       |
| `resource_display_name` | VARCHAR | Name of the resource (e.g. `Windows Azure Active Directory`)                                                              |
| `client_app_used`       | VARCHAR | Client type: `Browser`, `Mobile Apps and Desktop clients`, `Exchange ActiveSync`, `IMAP`, `SMTP`, `POP3`, `Other clients` |

#### Authentication Status Fields

| Field         | Type    | Description                                                                                                                   |
| ------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------- |
| `status`      | STRUCT  | Sign-in result. Sub-fields: `status.error_code` (int), `status.failure_reason` (string), `status.additional_details` (string) |
| `status_flat` | VARCHAR | JSON string of `status` — use LIKE/CONTAINS                                                                                   |

**Common `status.error_code` Values**

| Code    | Meaning                        |
| ------- | ------------------------------ |
| `0`     | Success                        |
| `50126` | Invalid username or password   |
| `50074` | Strong authentication required |
| `50076` | MFA required but not completed |
| `50079` | User must enroll in MFA        |
| `50053` | Account locked                 |
| `50057` | Account disabled               |
| `70011` | Invalid scope                  |
| `65001` | No consent for the application |

#### Risk Fields

| Field                       | Type    | Description                                                                                      |
| --------------------------- | ------- | ------------------------------------------------------------------------------------------------ |
| `risk_detail`               | VARCHAR | Details about the risk (e.g. `none`, `userPassedMFADrivenByRiskBasedPolicy`)                     |
| `risk_level_aggregated`     | VARCHAR | Aggregated risk level: `none`, `low`, `medium`, `high`, `hidden`                                 |
| `risk_level_during_sign_in` | VARCHAR | Real-time risk level at sign-in time                                                             |
| `risk_state`                | VARCHAR | Risk state: `none`, `confirmedSafe`, `remediated`, `dismissed`, `atRisk`, `confirmedCompromised` |
| `risk_event_types`          | ARRAY   | Legacy risk event types array                                                                    |
| `risk_event_types_v2`       | ARRAY   | Current risk event types array                                                                   |

#### Device Detail Fields

| Field                | Type    | Description                                                                                                                                                                                                                       |
| -------------------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `device_detail`      | STRUCT  | Device info. Sub-fields: `device_detail.device_id`, `device_detail.display_name`, `device_detail.operating_system`, `device_detail.browser`, `device_detail.is_compliant`, `device_detail.is_managed`, `device_detail.trust_type` |
| `device_detail_flat` | VARCHAR | JSON string of `device_detail` — use LIKE/CONTAINS                                                                                                                                                                                |

#### Location Fields

| Field                        | Type    | Description                                                                                                                                                             |
| ---------------------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `location`                   | STRUCT  | Geographic info. Sub-fields: `location.city`, `location.state`, `location.country_or_region`, `location.geo_coordinates.latitude`, `location.geo_coordinates.longitude` |
| `location.country_or_region` | STRING  | **ISO 3166-1 alpha-2 country code** (e.g., `'US'`, `'RU'`, `'KP'`, `'MX'`) — use exact `=` match, **not** `CONTAINS` with full country names                            |
| `location_flat`              | VARCHAR | JSON string of `location` — use LIKE/CONTAINS                                                                                                                           |

#### Conditional Access Fields

| Field                                 | Type  | Description                                              |
| ------------------------------------- | ----- | -------------------------------------------------------- |
| `applied_conditional_access_policies` | ARRAY | Array of CA policies evaluated — empty if CA not applied |

#### Organisation Fields

| Field              | Type    | Description                  |
| ------------------ | ------- | ---------------------------- |
| `office_tenant_id` | VARCHAR | Office 365 tenant identifier |

#### Vectra Fields

| Field              | Type    | Description                                                            |
| ------------------ | ------- | ---------------------------------------------------------------------- |
| `vectra`           | VARCHAR | **Plain string** — Vectra-resolved identity (typically the user's UPN) |
| `vectra_connector` | VARCHAR | Vectra connector instance ID                                           |

#### Partition / Internal Fields

| Field                  | Type      | Description                                           |
| ---------------------- | --------- | ----------------------------------------------------- |
| `dt`                   | DATE      | Partition date `YYYY-MM-DD` — always include in WHERE |
| `hour`                 | VARCHAR   | Partition hour                                        |
| `id_dupe`              | VARCHAR   | Vectra deduplication tracking field — typically empty |
| `cognito_stored_time`  | TIMESTAMP | Vectra pipeline timestamp (often epoch-zero)          |
| `cognito_fetched_time` | TIMESTAMP | Vectra pipeline fetch timestamp                       |

#### IP Address Field Note

Both `client_ip` and `ip_address` exist. In live data `client_ip` is often empty while `ip_address` is populated. **Use `ip_address` for IP-based filtering.**
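
The `status.error_code` table and the note above give enough to write a small detection over sign-in results. The Python below is an added example, not Vectra code: it reads `status.error_code` from each row, prefers `ip_address` over `client_ip` as advised, and reports source addresses whose credential failures (`50126`, `50053`) span many distinct accounts. The query constant shows dot-notation on `status` and the `dt` filter; its `DATE '...'` literal syntax and the nested-dict shape of `status` in result rows are assumptions, and every row is constructed.

```python
"""Constructed example, not Vectra code: detection logic run over sample
entra.signins._all rows. It classifies failures with the documented
`status.error_code` values, prefers `ip_address` over `client_ip` as the IP
Address Field Note advises, and surfaces source IPs that fail credential
checks against many distinct accounts."""
from collections import defaultdict

# Query that would feed the detection: dot-notation on the `status` struct,
# the dt partition filter and an explicit LIMIT. The DATE literal syntax is an
# assumption about the SQL dialect.
FAILED_SIGNIN_SQL = (
    "SELECT timestamp, user_principal_name, ip_address, client_ip, "
    "app_display_name, status.error_code, status.failure_reason, "
    "location.country_or_region "
    "FROM entra.signins._all "
    "WHERE dt = DATE '2026-03-09' AND status.error_code <> 0 "
    "ORDER BY timestamp DESC LIMIT 1000"
)

# Documented status.error_code values.
ERROR_CODE_MEANING = {
    0: "Success",
    50126: "Invalid username or password",
    50074: "Strong authentication required",
    50076: "MFA required but not completed",
    50079: "User must enroll in MFA",
    50053: "Account locked",
    50057: "Account disabled",
    70011: "Invalid scope",
    65001: "No consent for the application",
}

# Codes meaning the credential itself was rejected, or the account locked after
# repeated rejections, as opposed to MFA, consent or scope problems.
CREDENTIAL_FAILURE_CODES = frozenset({50126, 50053})


def source_ip(row: dict) -> str:
    """Prefer ip_address; fall back to client_ip, which is often empty in live data."""
    return row.get("ip_address") or row.get("client_ip") or ""


def error_code(row: dict) -> int:
    """Read status.error_code whether the struct came back nested or flattened
    (the result shape is an assumption; the page documents only the field names)."""
    status = row.get("status")
    if isinstance(status, dict):
        return int(status.get("error_code", -1))
    return int(row.get("status.error_code", -1))


def describe_failure(row: dict) -> str:
    """Map a row's error code to the documented meaning."""
    code = error_code(row)
    return ERROR_CODE_MEANING.get(code, f"Unknown error code {code}")


def spray_candidates(rows: list, min_distinct_users: int = 5) -> dict:
    """Return {source_ip: sorted distinct UPNs} for addresses whose credential
    failures span at least min_distinct_users accounts."""
    users_by_ip = defaultdict(set)
    for row in rows:
        if error_code(row) not in CREDENTIAL_FAILURE_CODES:
            continue
        ip = source_ip(row)
        if ip:
            users_by_ip[ip].add(row.get("user_principal_name", ""))
    return {ip: sorted(users) for ip, users in users_by_ip.items()
            if len(users) >= min_distinct_users}


def _row(ts, upn, ip, code, reason="", country="US", client_ip=""):
    """Build one constructed sign-in row in the nested-struct shape."""
    return {"timestamp": ts, "user_principal_name": upn, "ip_address": ip,
            "client_ip": client_ip,
            "app_display_name": "Microsoft 365 Security and Compliance Center",
            "status": {"error_code": code, "failure_reason": reason},
            "location": {"country_or_region": country}}


# Constructed sample rows: six accounts rejected from one address within a
# minute, plus ordinary noise from other addresses (documentation IP ranges).
SAMPLE_ROWS = [
    _row("2026-03-09T08:00:01Z", f"user{i}@example.com", "198.51.100.7", 50126,
         "Invalid username or password")
    for i in range(1, 7)
] + [
    _row("2026-03-09T08:05:00Z", "user1@example.com", "198.51.100.7", 50053, "Account locked"),
    _row("2026-03-09T08:10:00Z", "alice@example.com", "203.0.113.20", 50076, "MFA required"),
    _row("2026-03-09T08:12:00Z", "bob@example.com", "", 50126, "", "MX", client_ip="203.0.113.21"),
    _row("2026-03-09T08:15:00Z", "carol@example.com", "203.0.113.22", 0),
]

if __name__ == "__main__":
    for ip, users in spray_candidates(SAMPLE_ROWS).items():
        print(f"{ip}: credential failures for {len(users)} accounts: {', '.join(users)}")
```

The aggregation happens client-side on purpose: the query returns at most 1,000 rows, so for a busy tenant split the window by `dt` and `hour` and run the same function over the combined result. Distinct accounts per address, not raw failure volume, is the signal; a single user mistyping a password many times never crosses the threshold.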

### entra.directoryaudits.\_all

Audit logs from the Microsoft Entra ID (Azure AD) directory audit log. Captures changes to Entra ID objects: user management, group changes, application registration, service principal operations, role assignment, consent grants, conditional access policy changes, and other administrative actions. Complements `entra.signins._all` (which covers authentication) — these are the *what changed* records rather than the *who signed in* records.

Correlate with `entra.signins._all` using `correlation_id`.
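
Both the `entra.signins._all` description and the sentence above say to correlate the two tables on `correlation_id`. Doing that without depending on `JOIN` support means two queries and an in-memory join, which the following Python shows as an added example (not Vectra code): the sign-in query runs first, its correlation IDs are validated as GUIDs before being interpolated into an `IN` list for the directory-audit query, and the two result sets are paired with a time-gap check. The `DATE '...'` literal syntax, the `initiated_by.user.*` columns in the select list being returned as flat keys, and all sample rows and GUIDs are constructed assumptions.

```python
"""Constructed example, not Vectra code: link entra.signins._all rows to
entra.directoryaudits._all rows on correlation_id client-side. The sign-in
query runs first; the correlation IDs it returns are validated and placed in
an IN list for the follow-up directory-audit query, and the two result sets
are joined in memory."""
import re
from collections import defaultdict
from datetime import datetime

# Correlation IDs are GUIDs; anything else is rejected before it reaches SQL.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def build_audit_followup_query(correlation_ids, dt_value: str, limit: int = 1000) -> str:
    """Build the directoryaudits query for a set of correlation IDs.

    Each ID is checked against the GUID pattern before being interpolated, so a
    malformed value coming back from the first query cannot alter the SQL.
    The DATE literal syntax is an assumption about the dialect.
    """
    ids = sorted(set(correlation_ids))
    if not ids:
        raise ValueError("no correlation IDs to look up")
    bad = [cid for cid in ids if not GUID_RE.match(cid)]
    if bad:
        raise ValueError(f"non-GUID correlation_id values: {bad}")
    in_list = ", ".join(f"'{cid.lower()}'" for cid in ids)
    return (
        "SELECT timestamp, correlation_id, category, operation_type, "
        "activity_display_name, result, initiated_by.user.user_principal_name, "
        "initiated_by.user.ip_address "
        "FROM entra.directoryaudits._all "
        f"WHERE dt = DATE '{dt_value}' AND correlation_id IN ({in_list}) "
        f"ORDER BY timestamp ASC LIMIT {limit}"
    )


def _ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed rows."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def correlate(signins: list, audits: list, max_gap_seconds: int = 3600) -> list:
    """Pair each directory audit with the sign-in sharing its correlation_id
    when the audit follows the sign-in within max_gap_seconds. GUID case is
    normalised because the two sources are not guaranteed to agree on it."""
    signins_by_corr = defaultdict(list)
    for s in signins:
        if s.get("correlation_id"):
            signins_by_corr[s["correlation_id"].lower()].append(s)
    pairs = []
    for a in audits:
        key = (a.get("correlation_id") or "").lower()
        for s in signins_by_corr.get(key, []):
            gap = (_ts(a["timestamp"]) - _ts(s["timestamp"])).total_seconds()
            if 0 <= gap <= max_gap_seconds:
                pairs.append({
                    "user": s["user_principal_name"], "signin_ip": s["ip_address"],
                    "signin_app": s["app_display_name"],
                    "activity": a["activity_display_name"], "category": a["category"],
                    "result": a["result"], "seconds_after_signin": int(gap),
                })
    return pairs


# Constructed sample results (placeholder GUIDs, documentation IP ranges).
CORR_A = "a1b2c3d4-0000-4000-8000-000000000001"
CORR_B = "a1b2c3d4-0000-4000-8000-000000000002"
SAMPLE_SIGNINS = [
    {"timestamp": "2026-03-09T10:00:00Z", "correlation_id": CORR_A,
     "user_principal_name": "jane.doe@example.com", "ip_address": "203.0.113.5",
     "app_display_name": "Microsoft 365 Security and Compliance Center"},
    {"timestamp": "2026-03-09T10:05:00Z", "correlation_id": CORR_B,
     "user_principal_name": "bob@example.com", "ip_address": "203.0.113.6",
     "app_display_name": "Microsoft 365 Security and Compliance Center"},
]
SAMPLE_AUDITS = [
    {"timestamp": "2026-03-09T10:03:00Z", "correlation_id": CORR_A.upper(),
     "category": "ApplicationManagement", "operation_type": "Assign",
     "activity_display_name": "Consent to application", "result": "success"},
    {"timestamp": "2026-03-09T12:30:00Z", "correlation_id": CORR_A,  # outside the 1h gap
     "category": "GroupManagement", "operation_type": "Add",
     "activity_display_name": "Add member to group", "result": "success"},
    {"timestamp": "2026-03-09T10:04:00Z",  # no matching sign-in
     "correlation_id": "a1b2c3d4-0000-4000-8000-000000000009",
     "category": "UserManagement", "operation_type": "Update",
     "activity_display_name": "Update user", "result": "success"},
]

if __name__ == "__main__":
    print(build_audit_followup_query([s["correlation_id"] for s in SAMPLE_SIGNINS], "2026-03-09"))
    for pair in correlate(SAMPLE_SIGNINS, SAMPLE_AUDITS):
        print(pair)
```

Keep the `IN` list to the IDs of the sign-ins actually under investigation rather than every ID returned; both queries are capped at 1,000 rows, and a narrow second query leaves that budget for the audit events that matter.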

#### Core Event Fields

| Field                   | Type      | Description                                                                                                                           |
| ----------------------- | --------- | ------------------------------------------------------------------------------------------------------------------------------------- |
| `timestamp`             | TIMESTAMP | Vectra-normalised event time — **use for filtering**                                                                                  |
| `creation_time`         | TIMESTAMP | Raw Microsoft timestamp (typically identical to `timestamp`)                                                                          |
| `activity_date_time`    | TIMESTAMP | Time the activity occurred (typically matches `timestamp`)                                                                            |
| `id`                    | VARCHAR   | Unique audit event ID (format: `Directory_<guid>_<service>_<sequence>`)                                                               |
| `correlation_id`        | VARCHAR   | Correlation GUID — links to related sign-in events                                                                                    |
| `category`              | VARCHAR   | Audit category: `UserManagement`, `GroupManagement`, `ApplicationManagement`, `RoleManagement`, `Policy`, `DirectoryManagement`, etc. |
| `operation_type`        | VARCHAR   | Type of change: `Add`, `Update`, `Delete`, `Assign`, `Unassign`                                                                       |
| `activity_display_name` | VARCHAR   | Human-readable description of the activity (e.g. `Consent to application`, `Add member to group`)                                     |
| `logged_by_service`     | VARCHAR   | Entra service that logged the event (e.g. `Core Directory`, `B2C`, `PIM`)                                                             |
| `result`                | VARCHAR   | `success` or `failure`                                                                                                                |
| `result_reason`         | VARCHAR   | Reason for result (especially on failure)                                                                                             |

#### Source / Identity Fields

| Field               | Type    | Description                                                                                                                                                 |
| ------------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `client_ip`         | VARCHAR | Source IP of the initiating client (may be empty for service-initiated changes)                                                                             |
| `initiated_by`      | STRUCT  | Who initiated the change. Contains `app` and `user` sub-objects. Use dot-notation: `initiated_by.user.user_principal_name`, `initiated_by.app.display_name` |
| `initiated_by_flat` | VARCHAR | JSON string of `initiated_by` — use LIKE/CONTAINS for text search                                                                                           |

**`initiated_by` sub-fields**

| Sub-field                                 | Description                                          |
| ----------------------------------------- | ---------------------------------------------------- |
| `initiated_by.user.id`                    | AAD object GUID of the initiating user               |
| `initiated_by.user.display_name`          | Display name of the initiating user                  |
| `initiated_by.user.user_principal_name`   | UPN of the initiating user                           |
| `initiated_by.user.ip_address`            | IP address (may differ from `client_ip`)             |
| `initiated_by.app.app_id`                 | Application GUID (for service/app-initiated changes) |
| `initiated_by.app.display_name`           | Application display name                             |
| `initiated_by.app.service_principal_id`   | Service principal object GUID                        |
| `initiated_by.app.service_principal_name` | Service principal display name                       |

#### Target Fields

| Field                | Type  | Description                                                                                                                                 |
| -------------------- | ----- | ------------------------------------------------------------------------------------------------------------------------------------------- |
| `target_resources`   | ARRAY | Array of objects affected by the change. Each has: `id`, `display_name`, `type`, `user_principal_name`, `group_type`, `modified_properties` |
| `additional_details` | ARRAY | Array of `{key, value}` pairs with extra context (e.g. `User-Agent`, `AppId`, `SkuId`)                                                      |

#### Organisation Fields

| Field              | Type    | Description                  |
| ------------------ | ------- | ---------------------------- |
| `office_tenant_id` | VARCHAR | Office 365 tenant identifier |

#### Vectra Fields

| Field              | Type    | Description                                                                       |
| ------------------ | ------- | --------------------------------------------------------------------------------- |
| `vectra`           | VARCHAR | **Plain string** — Vectra-resolved identity (typically the initiating user's UPN) |
| `vectra_connector` | VARCHAR | Vectra connector instance ID                                                      |

#### Partition / Internal Fields

| Field                  | Type      | Description                                           |
| ---------------------- | --------- | ----------------------------------------------------- |
| `dt`                   | DATE      | Partition date `YYYY-MM-DD` — always include in WHERE |
| `hour`                 | VARCHAR   | Partition hour                                        |
| `id_dupe`              | VARCHAR   | Vectra deduplication tracking field — typically empty |
| `cognito_stored_time`  | TIMESTAMP | Vectra pipeline timestamp (often epoch-zero)          |
| `cognito_fetched_time` | TIMESTAMP | Vectra pipeline fetch timestamp                       |

## M365

Microsoft 365 tables capture audit activity across the Microsoft 365 suite including Exchange Online, SharePoint, OneDrive, and Teams. Use these tables to investigate mailbox access, file sharing, external collaboration, forwarding rules, and other user activity within your M365 environment.

### m365.exchange.\_all

Audit logs from the Exchange workload in the Microsoft 365 Unified Audit Log. Covers mailbox access, message send/receive, mail forwarding rules, calendar sharing, admin operations (mailbox creation, deletion, policy changes), and Exchange transport operations. Primary source for email-based threat detection.

#### Core Event Fields

| Field           | Type      | Description                                                                                       |
| --------------- | --------- | ------------------------------------------------------------------------------------------------- |
| `timestamp`     | TIMESTAMP | Vectra-normalised event time — **use for filtering**                                              |
| `creation_time` | TIMESTAMP | Raw Microsoft audit log time                                                                      |
| `id`            | VARCHAR   | Unique audit event UUID                                                                           |
| `operation`     | VARCHAR   | Exchange operation (e.g. `Send`, `MailboxLogin`, `New-InboxRule`, `Remove-StoreMailbox`)          |
| `workload`      | VARCHAR   | Always `Exchange` for this table                                                                  |
| `record_type`   | VARCHAR   | Office 365 record type integer (`1` = ExchangeAdmin, `2` = ExchangeItem, `3` = ExchangeItemGroup) |
| `result_status` | VARCHAR   | `True`/`False` or `Success`/`Fail`                                                                |
| `version`       | VARCHAR   | Audit schema version                                                                              |

#### Identity / Session Fields

| Field                     | Type    | Description                                                         |
| ------------------------- | ------- | ------------------------------------------------------------------- |
| `user_id`                 | VARCHAR | UPN or service account name of the acting identity                  |
| `user_key`                | VARCHAR | Alternate key (often matches `user_id`)                             |
| `user_type`               | VARCHAR | Integer: `0`=Regular, `2`=System, `4`=Application                   |
| `logon_type`              | VARCHAR | Integer: `0`=Owner, `1`=Admin, `2`=Delegated                        |
| `internal_logon_type`     | VARCHAR | Internal logon type integer                                         |
| `logon_user_sid`          | VARCHAR | SID of the logged-on user                                           |
| `logon_user_display_name` | VARCHAR | Display name of the logged-on user                                  |
| `external_access`         | VARCHAR | `True` if the operation was performed from outside the organisation |
| `client_id`               | VARCHAR | OAuth client GUID                                                   |
| `client_app_id`           | VARCHAR | GUID of the client application (may match `app_ip`)                 |
| `app_ip`                  | VARCHAR | Application IP or GUID (may be a GUID string, not a real IP)        |
| `client_request_id`       | VARCHAR | Client-side request correlation GUID                                |

#### Network Fields

| Field                 | Type    | Description                                                                      |
| --------------------- | ------- | -------------------------------------------------------------------------------- |
| `client_ip`           | VARCHAR | Source IP address (may be IPv6 with port, e.g. `[2603:...]:port`)                |
| `client_ip_address`   | VARCHAR | Alternate client IP field (may be empty when `client_ip` is populated)           |
| `client_machine_name` | VARCHAR | Client machine hostname                                                          |
| `client_process_name` | VARCHAR | Client process name (e.g. `OUTLOOK.EXE`)                                         |
| `client_version`      | VARCHAR | Client application version string                                                |
| `client_info_string`  | VARCHAR | Full client identification string                                                |
| `originating_server`  | VARCHAR | Exchange server that processed the event (e.g. `SN6PR02MB3934 (15.20.9678.010)`) |

#### Mailbox Fields

| Field                           | Type    | Description                                  |
| ------------------------------- | ------- | -------------------------------------------- |
| `mailbox_guid`                  | VARCHAR | GUID of the mailbox involved                 |
| `mailbox_owner_upn`             | VARCHAR | UPN of the mailbox owner                     |
| `mailbox_owner_sid`             | VARCHAR | SID of the mailbox owner                     |
| `mailbox_master_account_sid`    | VARCHAR | Master account SID for the mailbox           |
| `modified_object_resolved_name` | VARCHAR | Resolved display name of the modified object |

#### Object / Item Fields

| Field         | Type    | Description                                                                                                                                                  |
| ------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `object_id`   | VARCHAR | GUID or path of the object acted upon                                                                                                                        |
| `folder`      | STRUCT  | Folder context: `folder.id`, `folder.path`                                                                                                                   |
| `folder_flat` | VARCHAR | JSON string of `folder` — use LIKE/CONTAINS                                                                                                                  |
| `item`        | STRUCT  | Email/item metadata: `item.id`, `item.subject`, `item.size_in_bytes`, `item.internet_message_id`, `item.is_record`, `item.attachments`, `item.parent_folder` |
| `item_flat`   | VARCHAR | JSON string of `item` — use LIKE/CONTAINS for subject/attachment search                                                                                      |

#### Parameters / Properties

| Field                       | Type    | Description                                                 |
| --------------------------- | ------- | ----------------------------------------------------------- |
| `parameters`                | ARRAY   | Array of `{name, value}` pairs — Exchange cmdlet parameters |
| `parameters_flat`           | VARCHAR | JSON string of `parameters` — use LIKE/CONTAINS             |
| `operation_properties`      | ARRAY   | Array of additional operation properties                    |
| `operation_properties_flat` | VARCHAR | JSON string of `operation_properties`                       |
| `modified_properties`       | ARRAY   | Array of property change objects                            |

#### Organisation Fields

| Field               | Type    | Description                                            |
| ------------------- | ------- | ------------------------------------------------------ |
| `organization_id`   | VARCHAR | Azure AD tenant GUID                                   |
| `organization_name` | VARCHAR | Tenant domain name (e.g. `demovectra.onmicrosoft.com`) |
| `office_tenant_id`  | VARCHAR | Office 365 tenant identifier                           |

#### Vectra Fields

| Field              | Type    | Description                                                                         |
| ------------------ | ------- | ----------------------------------------------------------------------------------- |
| `vectra`           | VARCHAR | **Plain string** — Vectra-resolved identity (actor UPN or display name, lowercased) |
| `vectra_connector` | VARCHAR | Vectra connector instance ID                                                        |

#### Partition / Internal Fields

| Field                  | Type      | Description                                           |
| ---------------------- | --------- | ----------------------------------------------------- |
| `dt`                   | DATE      | Partition date `YYYY-MM-DD` — always include in WHERE |
| `hour`                 | VARCHAR   | Partition hour                                        |
| `cognito_stored_time`  | TIMESTAMP | Vectra pipeline timestamp (often epoch-zero)          |
| `cognito_fetched_time` | TIMESTAMP | Vectra pipeline fetch timestamp                       |
| `cognito_trigger`      | VARCHAR   | Vectra pipeline trigger ID                            |
| `content_created`      | TIMESTAMP | Vectra pipeline content creation time                 |
| `content_id`           | VARCHAR   | Vectra pipeline content ID                            |

### m365.sharepoint.\_all

Audit logs from the SharePoint and OneDrive workloads in the Microsoft 365 Unified Audit Log. Covers file access, file downloads, uploads, sharing events, site collection changes, and permission changes. Check `workload` to distinguish SharePoint (`SharePoint`) from OneDrive (`OneDrive`) events.

#### Core Event Fields

| Field           | Type      | Description                                                                                            |
| --------------- | --------- | ------------------------------------------------------------------------------------------------------ |
| `timestamp`     | TIMESTAMP | Vectra-normalised event time — **use for filtering**                                                   |
| `creation_time` | TIMESTAMP | Raw Microsoft audit log time                                                                           |
| `id`            | VARCHAR   | Unique audit event UUID                                                                                |
| `operation`     | VARCHAR   | SharePoint operation (e.g. `FileAccessed`, `FileDownloaded`, `FileCopied`, `SharingInvitationCreated`) |
| `workload`      | VARCHAR   | `SharePoint` or `OneDrive`                                                                             |
| `record_type`   | VARCHAR   | Office 365 record type integer (`4`=SharePointFileOperation, `6`=SharePointSiteOperation)              |
| `result_status` | VARCHAR   | Operation result                                                                                       |
| `version`       | VARCHAR   | Audit schema version                                                                                   |
| `event_source`  | VARCHAR   | Source of the event: `SharePoint` or `ObjectModel`                                                     |
| `custom_event`  | VARCHAR   | Custom event data (if applicable)                                                                      |

#### Identity Fields

| Field            | Type    | Description                                                    |
| ---------------- | ------- | -------------------------------------------------------------- |
| `user_id`        | VARCHAR | UPN of the acting user                                         |
| `user_key`       | VARCHAR | Alternate user key (e.g. claims-based identity string \`i:0h.f |
| `user_type`      | VARCHAR | Integer: `0`=Regular, `2`=System, `5`=ServiceAccount           |
| `client_ip`      | VARCHAR | Source IP address                                              |
| `client_id`      | VARCHAR | OAuth client GUID                                              |
| `user_agent`     | VARCHAR | Browser or client user-agent string                            |
| `correlation_id` | VARCHAR | Correlation GUID for the session/operation                     |

#### File / Document Fields

| Field                        | Type    | Description                                             |
| ---------------------------- | ------- | ------------------------------------------------------- |
| `object_id`                  | VARCHAR | Full URL of the object acted upon                       |
| `source_file_name`           | VARCHAR | Name of the source file                                 |
| `source_file_extension`      | VARCHAR | File extension of the source file                       |
| `source_relative_url`        | VARCHAR | Relative URL path within the site                       |
| `destination_file_name`      | VARCHAR | Name of the destination file (for Copy/Move operations) |
| `destination_file_extension` | VARCHAR | Extension of the destination file                       |
| `destination_relative_url`   | VARCHAR | Relative destination URL (for Copy/Move)                |
| `item_type`                  | VARCHAR | `File`, `Folder`, `Page`, `ListItem`, etc.              |

#### Site / Library Fields

| Field                 | Type    | Description                              |
| --------------------- | ------- | ---------------------------------------- |
| `site`                | VARCHAR | Site collection GUID                     |
| `site_url`            | VARCHAR | Full URL of the SharePoint/OneDrive site |
| `web_id`              | VARCHAR | Web/sub-site GUID                        |
| `list_id`             | VARCHAR | SharePoint list or document library GUID |
| `list_item_unique_id` | VARCHAR | Unique item ID within the list           |

#### Sharing Fields

| Field                       | Type    | Description                                               |
| --------------------------- | ------- | --------------------------------------------------------- |
| `sharing_type`              | VARCHAR | Type of sharing: `Anonymous`, `Company`, `Direct`, `None` |
| `target_user_or_group_name` | VARCHAR | UPN or group name the item was shared with                |
| `target_user_or_group_type` | VARCHAR | `User`, `Group`, `Partner`, `Guest`, `Everyone`           |
| `user_shared_with`          | VARCHAR | Identities the item was shared with                       |

#### Sync / Device Fields

| Field                            | Type    | Description                                    |
| -------------------------------- | ------- | ---------------------------------------------- |
| `file_sync_bytes_committed`      | VARCHAR | Bytes committed in a OneDrive sync operation   |
| `high_priority_media_processing` | VARCHAR | `True` if media was processed at high priority |
| `machine_domain_info`            | VARCHAR | Domain information for the client machine      |
| `machine_id`                     | VARCHAR | Client machine identifier                      |
| `source_name`                    | VARCHAR | Name of the source (e.g. sync client name)     |

#### Organisation Fields

| Field              | Type    | Description                  |
| ------------------ | ------- | ---------------------------- |
| `organization_id`  | VARCHAR | Azure AD tenant GUID         |
| `office_tenant_id` | VARCHAR | Office 365 tenant identifier |

#### Vectra Fields

| Field              | Type    | Description                                             |
| ------------------ | ------- | ------------------------------------------------------- |
| `vectra`           | VARCHAR | **Plain string** — Vectra-resolved identity (actor UPN) |
| `vectra_connector` | VARCHAR | Vectra connector instance ID                            |

#### Partition / Internal Fields

| Field                  | Type      | Description                                           |
| ---------------------- | --------- | ----------------------------------------------------- |
| `dt`                   | DATE      | Partition date `YYYY-MM-DD` — always include in WHERE |
| `hour`                 | VARCHAR   | Partition hour                                        |
| `cognito_stored_time`  | TIMESTAMP | Vectra pipeline timestamp (often epoch-zero)          |
| `cognito_fetched_time` | TIMESTAMP | Vectra pipeline fetch timestamp                       |
| `cognito_trigger`      | VARCHAR   | Vectra pipeline trigger ID                            |
| `content_created`      | TIMESTAMP | Vectra pipeline content creation time                 |
| `content_id`           | VARCHAR   | Vectra pipeline content ID                            |

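As an added example (not a query from the Vectra documentation), the following uses the sharing fields above to list SharePoint and OneDrive items exposed to anonymous links, guests or everyone. It assumes Trino-style `DATE` and `TIMESTAMP` literals, which this page does not specify; the dates are constructed placeholders.

```sql
-- Added example, not part of the original reference.
-- Lists external/anonymous sharing events from SharePoint and OneDrive,
-- newest first, within the 14-day cloud lookback. Every constraint from
-- the Query Constraints section is honoured: single table, no JOIN or
-- GROUP BY, partition date in WHERE, timestamp for time filtering, LIMIT.
SELECT
  timestamp,
  workload,                     -- 'SharePoint' or 'OneDrive'
  operation,                    -- e.g. SharingInvitationCreated
  user_id,                      -- who shared the item
  client_ip,
  user_agent,
  sharing_type,                 -- Anonymous / Company / Direct / None
  target_user_or_group_name,    -- who it was shared with
  target_user_or_group_type,    -- User / Group / Partner / Guest / Everyone
  item_type,
  object_id,                    -- full URL of the shared item
  site_url
FROM m365.sharepoint._all
WHERE dt >= DATE '2024-05-01'                        -- partition filter; assumed literal syntax
  AND timestamp >= TIMESTAMP '2024-05-01 00:00:00'   -- Vectra-normalised event time
  AND operation LIKE 'Sharing%'                      -- all sharing operations
  AND (
        sharing_type = 'Anonymous'
     OR target_user_or_group_type IN ('Guest', 'Everyone')
  )
ORDER BY timestamp DESC
LIMIT 500;   -- required; hard cap is 1,000 rows
```

Narrow `operation` to the exact values seen in your tenant once you know them; the `LIKE` prefix is only a starting point.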
### m365.general.\_all

A catch-all stream for Microsoft 365 audit events that span multiple workloads or don't fit neatly into the workload-specific streams. Includes Microsoft Teams events (app installs, team creation/deletion, member changes, channel operations), Power Automate (Flow) events, compliance events, Copilot AI interaction events, and other general Office 365 audit events. Check `workload` to understand which service generated each event.

#### Core Event Fields

| Field           | Type      | Description                                                                                         |
| --------------- | --------- | --------------------------------------------------------------------------------------------------- |
| `timestamp`     | TIMESTAMP | Vectra-normalised event time — **use for filtering**                                                |
| `creation_time` | TIMESTAMP | Raw Microsoft audit log time                                                                        |
| `id`            | VARCHAR   | Unique audit event UUID                                                                             |
| `operation`     | VARCHAR   | Specific operation (e.g. `AppDeleted`, `TeamCreated`, `MemberAdded`, `FlowCreated`)                 |
| `workload`      | VARCHAR   | Microsoft service: `MicrosoftTeams`, `Flow`, `SecurityComplianceCenter`, `ThreatIntelligence`, etc. |
| `record_type`   | VARCHAR   | Office 365 record type integer                                                                      |
| `result_status` | VARCHAR   | Operation result                                                                                    |
| `version`       | VARCHAR   | Audit schema version                                                                                |

#### Identity Fields

| Field        | Type    | Description                                   |
| ------------ | ------- | --------------------------------------------- |
| `user_id`    | VARCHAR | UPN or service account of the acting identity |
| `user_key`   | VARCHAR | Alternate user key                            |
| `user_type`  | VARCHAR | Integer user type code                        |
| `client_ip`  | VARCHAR | Source IP address                             |
| `client_id`  | VARCHAR | OAuth client GUID                             |
| `user_agent` | VARCHAR | User-agent string for web-based operations    |

#### Teams-specific Fields

| Field                | Type    | Description                                                |
| -------------------- | ------- | ---------------------------------------------------------- |
| `team_guid`          | VARCHAR | GUID of the Teams team                                     |
| `team_name`          | VARCHAR | Display name of the Teams team                             |
| `member`             | VARCHAR | Single member identifier (for single-member operations)    |
| `members`            | ARRAY   | Array of member identifiers (for bulk operations)          |
| `communication_type` | VARCHAR | Type of Teams communication (Channel, Chat, Meeting, etc.) |

#### Flow / Power Automate Fields

| Field                  | Type    | Description                               |
| ---------------------- | ------- | ----------------------------------------- |
| `flow_details_url`     | VARCHAR | URL to the Power Automate flow details    |
| `flow_connector_name`  | VARCHAR | Name of the connector used in the flow    |
| `flow_connector_names` | ARRAY   | Array of connector names used in the flow |

#### Compliance / eDiscovery Fields

| Field                | Type    | Description                                        |
| -------------------- | ------- | -------------------------------------------------- |
| `case_id`            | VARCHAR | Compliance case identifier                         |
| `query_id`           | VARCHAR | Query identifier                                   |
| `query_text`         | VARCHAR | Search query text                                  |
| `query`              | VARCHAR | Query object or string                             |
| `exchange_locations` | ARRAY   | Exchange locations in scope for compliance queries |
| `sources`            | ARRAY   | Source locations for compliance operations         |
| `detection_method`   | VARCHAR | Detection method (for threat intelligence events)  |
| `verdict`            | VARCHAR | Verdict for threat/policy events                   |
| `policy`             | VARCHAR | Policy name or identifier                          |

#### Email / Message Fields

| Field             | Type    | Description                          |
| ----------------- | ------- | ------------------------------------ |
| `subject`         | VARCHAR | Email or message subject             |
| `recipient`       | VARCHAR | Single recipient identifier          |
| `recipients`      | ARRAY   | Array of recipient identifiers       |
| `p1_sender`       | VARCHAR | SMTP envelope sender (P1 From)       |
| `p2_sender`       | VARCHAR | Message header sender (P2 From)      |
| `attachment_data` | ARRAY   | Array of attachment metadata objects |
| `add_on_name`     | VARCHAR | Add-on or plug-in name               |

#### Object Fields

| Field        | Type    | Description                              |
| ------------ | ------- | ---------------------------------------- |
| `object_id`  | VARCHAR | Object acted upon                        |
| `name`       | VARCHAR | Display name of the object               |
| `item_name`  | VARCHAR | Name of the item affected                |
| `parameters` | ARRAY   | Array of `{name, value}` parameter pairs |

#### Extended Properties

| Field                      | Type    | Description                    |
| -------------------------- | ------- | ------------------------------ |
| `extended_properties`      | ARRAY   | Array of `{name, value}` pairs |
| `extended_properties_flat` | VARCHAR | JSON string for text search    |

#### Copilot AI Fields

| Field                | Type   | Description                                                                                                                                                                      |
| -------------------- | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `copilot_event_data` | STRUCT | Copilot interaction metadata. Sub-fields: `app_host`, `contexts`, `thread_id`, `message_ids`, `messages`, `accessed_resources`, `model_transparency_details`, `ai_system_plugin` |

#### Organisation Fields

| Field              | Type    | Description                  |
| ------------------ | ------- | ---------------------------- |
| `organization_id`  | VARCHAR | Azure AD tenant GUID         |
| `office_tenant_id` | VARCHAR | Office 365 tenant identifier |

#### Vectra Fields

| Field              | Type    | Description                                                                         |
| ------------------ | ------- | ----------------------------------------------------------------------------------- |
| `vectra`           | VARCHAR | **Plain string** — Vectra-resolved identity (actor UPN or display name, lowercased) |
| `vectra_connector` | VARCHAR | Vectra connector instance ID                                                        |

#### Partition / Internal Fields

| Field                  | Type      | Description                                           |
| ---------------------- | --------- | ----------------------------------------------------- |
| `dt`                   | DATE      | Partition date `YYYY-MM-DD` — always include in WHERE |
| `hour`                 | VARCHAR   | Partition hour                                        |
| `cognito_stored_time`  | TIMESTAMP | Vectra pipeline timestamp (often epoch-zero)          |
| `cognito_fetched_time` | TIMESTAMP | Vectra pipeline fetch timestamp                       |
| `cognito_trigger`      | VARCHAR   | Vectra pipeline trigger ID                            |
| `content_created`      | TIMESTAMP | Vectra pipeline content creation time                 |
| `content_id`           | VARCHAR   | Vectra pipeline content ID                            |

### m365.active\_directory.\_all

Audit logs from the Azure Active Directory workload in the Microsoft 365 Unified Audit Log. Covers authentication events (sign-in successes and failures), user and group changes, application consent, and directory object modifications. Primary source for identity-based threat detection in Microsoft environments.

#### Core Event Fields

| Field                               | Type      | Description                                                                                     |
| ----------------------------------- | --------- | ----------------------------------------------------------------------------------------------- |
| `timestamp`                         | TIMESTAMP | Vectra-normalised event time — **use for filtering**                                            |
| `creation_time`                     | TIMESTAMP | Raw Microsoft audit log time                                                                    |
| `id`                                | VARCHAR   | Unique audit event UUID                                                                         |
| `operation`                         | VARCHAR   | Specific AAD operation (e.g. `UserLoginFailed`, `Add member to role`, `Consent to application`) |
| `workload`                          | VARCHAR   | Always `AzureActiveDirectory` for this table                                                    |
| `record_type`                       | VARCHAR   | Office 365 record type integer (`15` = AzureActiveDirectory)                                    |
| `result_status`                     | VARCHAR   | `Success` or `Failed`                                                                           |
| `version`                           | VARCHAR   | Audit schema version                                                                            |
| `azure_active_directory_event_type` | VARCHAR   | AAD event type integer code                                                                     |
| `error_number`                      | VARCHAR   | AAD error code on failure (e.g. `50126` = invalid credentials, `50074` = MFA required)          |
| `logon_error`                       | VARCHAR   | Human-readable logon failure reason (e.g. `InvalidUserNameOrPassword`, `InvalidReplyTo`)        |

#### Identity Fields

| Field              | Type    | Description                                                                                           |
| ------------------ | ------- | ----------------------------------------------------------------------------------------------------- |
| `user_id`          | VARCHAR | UPN of the acting user (e.g. `dale@demolab.vectra.ai`)                                                |
| `user_key`         | VARCHAR | Alternate user key (often the user's AAD object GUID)                                                 |
| `user_type`        | VARCHAR | Integer: `0`=Regular, `2`=System, `4`=Application, `5`=ServiceAccount, `6`=Guest                      |
| `actor`            | ARRAY   | Array of `{id, type}` objects identifying the actor chain — use `ANY_MATCH` or `CONTAINS(actor_flat)` |
| `actor_context_id` | VARCHAR | Tenant/context GUID for the actor                                                                     |
| `actor_ip_address` | VARCHAR | IP address of the actor                                                                               |
| `client_ip`        | VARCHAR | Source IP address of the client                                                                       |
| `application_id`   | VARCHAR | AAD application GUID that performed the operation                                                     |
| `client_id`        | VARCHAR | OAuth client application GUID                                                                         |

#### Target / Object Fields

| Field               | Type    | Description                                                        |
| ------------------- | ------- | ------------------------------------------------------------------ |
| `object_id`         | VARCHAR | The object acted upon (resource GUID, application ID, etc.)        |
| `target`            | ARRAY   | Array of `{id, type}` target objects — use `ANY_MATCH` or CONTAINS |
| `target_context_id` | VARCHAR | Tenant/context GUID for the target                                 |
| `user_domain`       | VARCHAR | Domain portion of the acting user's UPN                            |
| `inter_systems_id`  | VARCHAR | Cross-system correlation GUID                                      |
| `intra_systems_id`  | VARCHAR | Intra-system correlation GUID (often matches `id`)                 |
| `support_ticket_id` | VARCHAR | Microsoft support ticket reference (if applicable)                 |

#### Organisation Fields

| Field              | Type    | Description                  |
| ------------------ | ------- | ---------------------------- |
| `organization_id`  | VARCHAR | Azure AD tenant GUID         |
| `office_tenant_id` | VARCHAR | Office 365 tenant identifier |

#### Device / Browser Properties

| Field                            | Type    | Description                                                                                 |
| -------------------------------- | ------- | ------------------------------------------------------------------------------------------- |
| `device_properties`              | ARRAY   | Array of `{name, value}` pairs: `OS`, `BrowserType`, `IsCompliant`, `IsCompliantAndManaged` |
| `device_properties_flat`         | VARCHAR | JSON string of `device_properties` — use LIKE/CONTAINS for text search                      |
| `device_properties_display_name` | VARCHAR | Device display name (from device properties)                                                |

#### Extended Properties

| Field                                            | Type    | Description                                                  |
| ------------------------------------------------ | ------- | ------------------------------------------------------------ |
| `extended_properties`                            | ARRAY   | Array of `{name, value}` pairs with additional event context |
| `extended_properties_flat`                       | VARCHAR | JSON string of `extended_properties` — use LIKE/CONTAINS     |
| `extended_properties_audit_event_category`       | VARCHAR | Pre-extracted: audit event category                          |
| `extended_properties_result_status_detail`       | VARCHAR | Pre-extracted: detailed result status                        |
| `extended_properties_user_authentication_method` | VARCHAR | Pre-extracted: authentication method code                    |
| `extended_properties_user_agent`                 | VARCHAR | Pre-extracted: browser user-agent string                     |
| `extended_properties_result_type`                | VARCHAR | Pre-extracted: result type code                              |
| `extended_properties_target_upn`                 | VARCHAR | Pre-extracted: UPN of the operation target                   |

#### Modified Properties

| Field                      | Type    | Description                                                                         |
| -------------------------- | ------- | ----------------------------------------------------------------------------------- |
| `modified_properties`      | ARRAY   | Array of objects describing directory property changes — empty `[]` for auth events |
| `modified_properties_flat` | VARCHAR | JSON string of `modified_properties` — use LIKE/CONTAINS                            |

#### Vectra Fields

| Field              | Type    | Description                                                             |
| ------------------ | ------- | ----------------------------------------------------------------------- |
| `vectra`           | VARCHAR | **Plain string** — Vectra-resolved identity (typically the actor's UPN) |
| `vectra_connector` | VARCHAR | Vectra connector instance ID                                            |

#### Partition / Internal Fields

| Field                  | Type      | Description                                               |
| ---------------------- | --------- | --------------------------------------------------------- |
| `dt`                   | DATE      | Partition date `YYYY-MM-DD` — always include in WHERE     |
| `hour`                 | VARCHAR   | Partition hour (e.g. `'12'`)                              |
| `cognito_stored_time`  | TIMESTAMP | Vectra pipeline: when event was stored (often epoch-zero) |
| `cognito_fetched_time` | TIMESTAMP | Vectra pipeline: when event was fetched                   |
| `cognito_trigger`      | VARCHAR   | Vectra pipeline trigger ID                                |
| `content_created`      | TIMESTAMP | Vectra pipeline content creation time                     |
| `content_id`           | VARCHAR   | Vectra pipeline content ID                                |

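As an added example (not from the Vectra documentation), two queries against `m365.active_directory._all` that use the fields above: one profiles failed sign-ins for a single account, the other surfaces application consents and role additions. The `DATE`/`TIMESTAMP` literal syntax is assumed Trino-style, and the UPN and dates are constructed placeholders.

```sql
-- Added example, not part of the original reference.

-- 1. Failed sign-ins for one account: error code, reason, source and client.
--    error_number is VARCHAR, so the code is compared as a string.
SELECT
  timestamp,
  operation,                                   -- e.g. UserLoginFailed
  result_status,                               -- 'Failed'
  error_number,                                -- '50126' invalid credentials, '50074' MFA required
  logon_error,                                 -- human-readable reason
  client_ip,
  actor_ip_address,
  application_id,
  extended_properties_user_authentication_method,
  extended_properties_user_agent,
  device_properties_flat                       -- JSON string; OS / BrowserType / IsCompliant
FROM m365.active_directory._all
WHERE dt >= DATE '2024-05-01'                                  -- partition filter; assumed literal syntax
  AND timestamp >= TIMESTAMP '2024-05-01 00:00:00'
  AND user_id = 'placeholder.user@example.com'                 -- constructed placeholder UPN
  AND result_status = 'Failed'
ORDER BY timestamp DESC
LIMIT 500;

-- 2. Consent grants and role membership changes, with the target of the
--    change. extended_properties_flat is a JSON string, so LIKE is used
--    for free-text narrowing instead of array access.
SELECT
  timestamp,
  operation,                                   -- 'Consent to application' / 'Add member to role'
  result_status,
  user_id,                                     -- acting identity
  client_ip,
  object_id,                                   -- resource or application GUID acted upon
  extended_properties_target_upn,              -- pre-extracted target UPN
  modified_properties_flat                     -- JSON string of directory property changes
FROM m365.active_directory._all
WHERE dt >= DATE '2024-05-01'
  AND timestamp >= TIMESTAMP '2024-05-01 00:00:00'
  AND operation IN ('Consent to application', 'Add member to role')
  AND extended_properties_flat LIKE '%Success%'   -- optional free-text narrowing on the JSON string
ORDER BY timestamp DESC
LIMIT 500;
```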
***
