SIEM Integration Field Mapping Reference
This table provides a comprehensive reference for fields that can be mapped during SIEM integrations. Each entry includes the field name and its corresponding description, enabling accurate alignment of data between your security tools and the SIEM platform.
| Field Name | Description |
|---|---|
| Event Time | Timestamp when the event occurs. |
| Event ID | Unique identifier of the event. |
| Entity Type | Type of the entity (for example, security_event). |
| Event Subtype | Subtype of the event (for example, shadow_it). |
| Customer Domain | Domain of the affected organization. |
| Customer Region | Region of the customer. |
| OEM | Security OEM vendor (for example, Avanan). |
| SaaS Product | SaaS product involved (for example, Google Mail, Office 365 Mail). |
| Severity | Severity level of the event. |
| Current State | Current processing state of the event (for example, new, remediated). |
| Event Category | Category of the event (for example, shadow_it). |
| Description | Description related to the event. |
| Confidence Level | Confidence score assigned to the event. |
| Confidence Indicator | Indicator used for confidence assessment. |
| Sender Address | Email address of the sender. |
| Matched Security Tool | Security engine or tool that detected the issue. |
| Policy Rule ID | ID of the policy rule that triggered the event. |
| User Email | Email address of the affected user. |
| User Department | Department of the affected user. |
| User Title | Title or role of the affected user. |
| User Full Name | Full name of the affected user. |
| Subject | Subject of the suspicious email. |
| Malicious URL | The malicious URL that the user clicked. Note: Applicable for Malicious URL proceed events. |
| Clicking IP | IP address from which the user accessed the malicious URL. Note: Applicable for Malicious URL proceed events. |
| User Agent | The user agent string of the device used to access the malicious URL. Note: Applicable for Malicious URL proceed events. |
| Attachment Name | Name of the file detected as malicious. Note: Applicable for Malware, User reported phishing, and Threat extraction events. |
| Attachment MD5 | MD5 hash of the malicious attachment. Note: Applicable for Malware, User reported phishing, and Threat extraction events. |
| Verdict | Security tool verdict for the attachment. Note: Applicable for Malware events. |
| AV Verdict | Final verdict from AV engine. Note: Applicable for Suspected malware events. |
| Detection Reasons | Reasons the system detected the issue (for example, text obfuscation and link patterns). Note: Applicable for Graymail, Phishing, Spam, and Suspected phishing events. |
| Application Domain | Domain of the detected application. Note: Applicable for Shadow IT events. |
| App Category | Category of the application (for example, Collaboration, HR Software, Search Engine, Financial, Transcription, Software Source Control, Online Data Storage, Graphic Design, Application Development, Remote Access, Event Management, File Transfer, Single Sign On, Social Network, Project Management, CRM, Scheduling, Expense Reports, Electronic Signature, Construction Software, Password Keeper, Cloud Computing, Time Tracking). Note: Applicable for Shadow IT events. |
| App Display Name | User-friendly display name of the application. Note: Applicable for Shadow IT events. |
| App Risk Level | Risk level assigned to the application. Note: Applicable for Shadow IT events. |