Supported Azure search field names

Tables of valid Microsoft Azure search field names and types for Microsoft Azure environments.

Azure: Anomalies

Field name Field type
anomalyId String
accountId String
userName String
userType String
anomalyConfidence String
topReason String
activityTimingsStart Date
activityTimingsEnd Date
wasThisHelpful String
alertId String

Note

Allowed values for anomalyConfidence are High, Medium, or Low. For example, anomalyConfidence:High.

Allowed values for wasThisHelpful are Yes, No, or None. For example, wasThisHelpful:Yes.

Azure: Hosts

Field name Field type
name String
resourceGroup String
vmId String
image String
runningState String
instanceType String
region String
startTime Date
subnetId String
vnetId String
osType String
isPublic Boolean
classicPublicIpAddress String
hasContainerNodes Boolean
provisioningState String
privateIP String
primarySecurityGroup String
vmScaleSetId String
vmScaleSet String
tags.<tag-name> String
outGoingIp String
outGoingPort String
_exists_:serverAgent Not applicable
not _exists_:serverAgent Not applicable
serverAgent.agentId String
serverAgent.hostname String
serverAgent.health String
serverAgent.osName String
serverAgent.lastSeenAt Date

Note

Allowed values for serverAgent.health are good, suspicious, bad, or unavailable. For example, serverAgent.health:good.

Azure: Clusters

Field name Field type
name String
resourceGroup String
instanceId String
region String
nodeResourceGroup String
rbacEnabled Boolean
httpEnabled Boolean
version String
tags.<tag-name> String

Azure: Node Groups

Field name Field type
resourceGroup String
name String
instanceId String
cluster String
count Numeric
osDiskSize Numeric
osType String
vmSize String

Azure: Nodes

Field name Field type
instanceId String
name String
namespace String
publicIp String
vmId String
podCIDR String
startTime Date
tags.<tag-name> String

Azure: Pods

Field name Field type
instanceId String
name String
namespace String
nodeName String
status String
startTime Date
hostIP String
isPublic Boolean
isPrivileged Boolean
tags.<tag-name> String
launchType String

Azure: Containers

Field name Field type
instanceId String
name String
image String
imagePullPolicy String
status String
startedTime Date
privileged Boolean
kubeHost.nodeName String
kubeHost.namespace String
tags.<tag-name> String
isRogueContainer Boolean
isSecured Boolean

Azure: Services

Field name Field type
name String
instanceId String
namespace String
clusterIP String
startTime Date
loadBalancerIP String
type String

Azure: Ingress

Field name Field type
instanceId String
name String
namespace String
startTime Date
tags.<tag-name> String

Azure: Network Policy

Field name Field type
instanceId String
name String
namespace String
startTime Date
tags.<tag-name> String

Azure: RBAC Roles

Field name Field type
instanceId String
roleType String
name String
namespace String
creationTime Date
tags.<tag-name> String

Azure: Network Security Groups

Field name Field type
name String
instanceId String
region String
resourceGroup String
isOpenGroup Boolean
isUnusedGroup Boolean
isOverlappedGroup Boolean
tags.<tag-name> String

Azure: Virtual Networks

Field name Field type
name String
instanceId String
region String
resourceGroup String
addressSpaces String
dnsServerIPs String
isDdosProtectionEnabled Boolean
isVmProtectionEnabled Boolean
tags.<tag-name> String

Azure: Resource Group

Field name Field type
name String
instanceId String
region String
tags.<tag-name> String

Azure: IoT Hub

Field name Field type
iotHubName String
instanceId String
region String
minTlsVersion String
enableFileUploadNotifications Boolean
tags.<tag-name> String
resourceGroup String

Azure: Storage Account

Field name Field type
name String
instanceId String
region String
resourceGroup String
creationTime Date
skuType String
isPublic Boolean
kind String
tags.<tag-name> String

Azure: SQL Servers

Field name Field type
name String
instanceId String
region String
resourceGroup String
administratorLogin String
isAdLoginEnabled Boolean
isPublic Boolean
kind String
isManagedServiceIdentityEnabled Boolean
tags.<tag-name> String

Azure: DBs

Field name Field type
name String
instanceId String
region String
resourceGroup String
type String
administratorLogin String
storageMB Numeric
geoRedundantBackup String
sslEnforcement String
isPublic Boolean
tags.<tag-name> String

Azure: Cosmos DBs

Field name Field type
name String
instanceId String
region String
resourceGroup String
accountOfferType String
documentEndpoint String
kind String
isMultipleWriteLocationsEnabled Boolean
isVnetEnabled Boolean
isPublic Boolean
isAutomaticFailoverEnabled Boolean
tags.<tag-name> String

Azure: Users

Field name Field type
name String
instanceId String
mail String
mainNickname String
signInName String
isActive Boolean
userType String
source String
tenantId String

Azure: Groups

Field name Field type
name String
instanceId String
mail String
tenantId String
serviceAccess Boolean

Azure: Function Apps

Field name Field type
name String
instanceId String
region String
resourceGroup String
alwaysOn Boolean
appServicePlanId String
clientCertEnabled String
containerSize Numeric
defaultHostName String
enabled Boolean
state String
repositorySiteName String
httpsOnly Boolean
lastModifiedTime Date
os String
tags.<tag-name> String

Azure: Apps Services

Field name Field type
name String
kind String
instanceId String
location String
resourceGroup String
alwaysOn Boolean
clientCertEnabled String
enabled Boolean
state String
httpsOnly Boolean
lastModifiedTime Date
tags.<tag-name> String

Azure: Logic Apps

Field name Field type
appname String
instanceId String
region String
triggerType String
changedTime Date
appState String
isPublic Boolean

Azure: Outbound Traffic

Field name Field type
srcAddr String
dstAddr String
dstPort Numeric
protocol Numeric
time Date

Azure: Inbound Traffic

Field name Field type
dstAddr String
dstPort Numeric
protocol Numeric
time Date

Azure Activity Log

Field name Field type
resourceId String
operationName String
category String
resultType String
resultDescription String
resultSignature String
correlationId String
time Date
location String
sourceIPAddress String
httpRequest String
caller String
level String
eventProperties.<key> String
status String
description String
production Boolean
identity.<key> String
riskReason String