Data fields for Search

You can search the Data Lake for indicators of compromise (IOCs) or for other data such as IP addresses or usernames. See Search.

Here's a full list of the data fields.

| Field name | Description |
|---|---|
| activity_type | OS query name |
| category | Type of activity the event is associated with |
| command_line | Command-line entry |
| customer_id | Sophos customer ID |
| data_source | Name of the vendor that generated the event |
| dest_ip | IP address to which a system connected |
| dest_port | Port number used to receive data |
| device_id | Device ID of the device on which activity occurred |
| device_ip | IP address on which activity occurred |
| hostname | Hostname of device involved |
| parent_process_path | File path of the process that created this child process |
| parent_command_line | Previous command-line entry |
| parent_process-id | ID of the process that created this child process |
| src_ip | IP address that started a connection to a secondary system |
| process_name | Name of the process involved |
| process_path | File path of the process that was run |
| process_username | - |
| sha256 | SHA-256 file hash |
| sophos_process_id | Sophos Process ID of the process that was run |
| sophos_parent_process_id | Sophos Process ID of the process that created this child process |
| time | Time at which the event occurred |
| username | User who is logged into the device |