Enriched object field types
A field of type object is simply a collection of sub-fields, and some of those sub-fields may themselves be collections of sub-fields. Think of an object as a JSON block, a dictionary for Python users, or a map for C/C++ users. Sub-fields are referenced using dot notation (for example, dst.geo.country).
Some object types are very common and are used repeatedly, such as an ip-object. An ip-object refers to a field with the structure shown in the ip-object table. These field types are used throughout the different event types, so you should be familiar with them.
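As an added example (not part of the original reference), the following Python resolves dot-notation references such as dst.geo.country against a nested event; the event itself is a constructed sample shaped like the ip-object, asn and geo tables below, and the helper names are assumptions.

```python
from typing import Any, Optional

# Constructed sample event: two ip-objects (src, dst) with asn and geo sub-objects.
EVENT = {
    "src": {"ip": "10.1.2.3", "internal": True, "port": 51234},
    "dst": {
        "ip": "203.0.113.9", "internal": False, "port": 443,
        "asn": {"asn": 64496, "asn_org": "Example Transit"},
        "geo": {"country": "US", "city": "Reston",
                "location": {"lat": 38.95, "lon": -77.35}},
    },
}

_MISSING = object()  # sentinel so a stored None/False is not mistaken for "absent"


def get_field(event: dict, dotted: str, default: Any = _MISSING) -> Any:
    """Walk 'dst.geo.country' one segment at a time and stop at the first gap."""
    node: Any = event
    for segment in dotted.split("."):
        if not isinstance(node, dict) or segment not in node:
            if default is _MISSING:
                raise KeyError(f"no sub-field {dotted!r} (stopped at {segment!r})")
            return default
        node = node[segment]
    return node


def external_destination_country(event: dict) -> Optional[str]:
    """Defender-side use: only geo-attribute destinations that are not internal.
    A missing dst.internal is treated as internal so nothing is mis-attributed."""
    if get_field(event, "dst.internal", default=True):
        return None
    return get_field(event, "dst.geo.country", default=None)
```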
Deprecation notice: The
The following topics provide a description of each object field type and the sub-fields it contains:
IP-Objects
The following table describes the fields that contain enriched information for an IP address:
| Field | Type | Description |
|---|---|---|
| asn | asn-object | ASN information for the IP address. Example: see the asn table below |
| $device | synthetic field | Enables querying devices by hostname or MAC address. Note: this field is only available for the |
| geo | geo-object | Geographic information for the IP address. Example: see the geo table below |
| internal | Boolean | Indicates whether the IP address is internal to the network |
| ip | ip | The IP address |
| ip_bytes | int | The number of bytes transmitted by the IP address within the flow (only populated in Flow events) |
| pkts | int | The number of packets transmitted by the IP address within the flow (only populated in Flow events) |
| port | int | The port used by the IP address |
| username | int | The user name from Zscaler used in device detections (only populated in DNS, Flow, HTTP, and SSL events) |
| hostname | int | The host name from Zscaler used in device detections (only populated in DNS, Flow, HTTP, and SSL events) |
The asn field contains the following sub-fields.
| Field | Type | Description |
|---|---|---|
| asn | int | The Autonomous System Number |
| asn.asn_org | string | The organization name associated with the ASN (they actually use the ASN) |
| asn.asn | string | The upstream ISP for the ASN |
| org | string | The upstream owner of the ASN; may differ from asn_org |
The geo field contains the following sub-fields.
| Field | Type | Description |
|---|---|---|
| city | string | The city of record |
| country | string | The country of record |
| location | object | The longitude and latitude of record |
| subdivision | string | The segment of the country (states in the US) |
Active Directory (AD) objects
Active Directory enrichment enhances device identification by collecting hostname information from Windows AD on a scheduled basis. See Device enrichment.
When Active Directory enrichments are enabled, IP addresses are enriched with the following fields:
- IP_enrichments
- ip_enriched_with_port 1
- ip_enriched 1
- ip_enriched 2
- interface_enriched
- device_hostname
IP_enrichments
The following table describes the fields that contain enriched information for IP_enrichments:
| Property | Type | Description |
|---|---|---|
| annotations | annotations object | User- and system-generated metadata associated with an entity or event. Annotations are typically added during investigations to capture analyst notes, contextual observations, or links to related findings, and are used to enrich the interpretation of security data. |
| asn | asn object | ASN information for the IP address |
| device_data_timestamp | string | Time at which device enrichment data was determined. Example: 2025-01-16T23:26:28.000000Z |
| device_hostnames | array | A collection of hostnames associated with a device, derived from observed network activity or integrated identity sources. |
| device_last_logoff | string | Timestamp at which the device was last recorded logging out. Example: 2025-01-16T22:15:08.000000Z |
| device_last_logon | string | Timestamp at which the device was last recorded logging in. Example: 2025-01-16T22:13:08.000000Z |
| device_os_name | string | Device operating system name. Example: Windows |
| device_os_name_with_version | string | Device operating system with version. Example: Windows 10 Pro |
| device_os_version | string | Device operating system version. Example: 10.0 (54983) |
| device_os_version_major | string | Device operating system major version number. Example: 10 |
| device_os_version_minor | string | Device operating system minor version number. Example: 0 |
| geo | geo object | Geographic information associated with an IP address. |
| internal | boolean | Indicates whether the IP address is internal to the network. Example: true |
ip_enriched_with_port 1
The following table describes the fields that contain enriched information for ip_enriched_with_port 1:
| Property | Type | Description |
|---|---|---|
| annotations | annotations object | User- and system-generated metadata associated with an entity or event. Annotations are typically added during investigations to capture analyst notes, contextual observations, or links to related findings, and are used to enrich the interpretation of security data. |
| asn | asn object | ASN information for the IP address |
| device_data_timestamp | string | Time at which device enrichment data was determined. Example: 2025-01-16T23:26:28.000000Z |
| device_hostnames | array | A collection of hostnames associated with a device, derived from observed network activity or integrated identity sources. |
| device_last_logoff | string | Timestamp at which the device was last recorded logging out. Example: 2025-01-16T22:15:08.000000Z |
| device_last_logon | string | Timestamp at which the device was last recorded logging in. Example: 2025-01-16T22:13:08.000000Z |
| device_os_name | string | Device operating system name. Example: Windows |
| device_os_name_with_version | string | Device operating system with version. Example: Windows 10 Pro |
| device_os_version | string | Device operating system version. Example: 10.0 (54983) |
| device_os_version_major | string | Device operating system major version number. Example: 10 |
| device_os_version_minor | string | Device operating system minor version number. Example: 0 |
| geo | geo object | Geographic information associated with an IP address. |
| internal | boolean | Indicates whether the IP address is internal to the network. Example: true |
| ip | string | An IP address. Example: 8.8.8.8 |
| port | integer | A port number. Example: 443 |
ip_enriched 1
The following table describes the fields that contain enriched information for ip_enriched 1:
| Property | Type | Description |
|---|---|---|
| annotations | annotations object | User- and system-generated metadata associated with an entity or event. Annotations are typically added during investigations to capture analyst notes, contextual observations, or links to related findings, and are used to enrich the interpretation of security data. |
| asn | asn object | ASN information for the IP address |
| device_data_timestamp | string | Time at which device enrichment data was determined. Example: 2025-01-16T23:26:28.000000Z |
| device_hostnames | array | A collection of hostnames associated with a device, derived from observed network activity or integrated identity sources. |
| device_last_logoff | string | Timestamp at which the device was last recorded logging out. Example: 2025-01-16T22:15:08.000000Z |
| device_last_logon | string | Timestamp at which the device was last recorded logging in. Example: 2025-01-16T22:13:08.000000Z |
| device_os_name | string | Device operating system name. Example: Windows |
| device_os_name_with_version | string | Device operating system with version. Example: Windows 10 Pro |
| device_os_version | string | Device operating system version. Example: 10.0 (54983) |
| device_os_version_major | string | Device operating system major version number. Example: 10 |
| device_os_version_minor | string | Device operating system minor version number. Example: 0 |
| geo | geo object | Geographic information associated with an IP address. |
| internal | boolean | Indicates whether the IP address is internal to the network. Example: true |
| ip | string | An IP address. Example: 8.8.8.8 |
ip_enriched 2
The following table describes the fields that contain enriched information for ip_enriched 2:
| Property | Type | Description |
|---|---|---|
| annotations | annotations object | User- and system-generated metadata associated with an entity or event. Annotations are typically added during investigations to capture analyst notes, contextual observations, or links to related findings, and are used to enrich the interpretation of security data. |
| asn | asn object | ASN information for the IP address |
| device_data_timestamp | string | Time at which device enrichment data was determined. Example: 2025-01-16T23:26:28.000000Z |
| device_hostnames | array | A collection of hostnames associated with a device, derived from observed network activity or integrated identity sources. |
| device_last_logoff | string | Timestamp at which the device was last recorded logging out. Example: 2025-01-16T22:15:08.000000Z |
| device_last_logon | string | Timestamp at which the device was last recorded logging in. Example: 2025-01-16T22:13:08.000000Z |
| device_os_name | string | Device operating system name. Example: Windows |
| device_os_name_with_version | string | Device operating system with version. Example: Windows 10 Pro |
| device_os_version | string | Device operating system version. Example: 10.0 (54983) |
| device_os_version_major | string | Device operating system major version number. Example: 10 |
| device_os_version_minor | string | Device operating system minor version number. Example: 0 |
| geo | geo object | Geographic information associated with an IP address. |
| internal | boolean | Indicates whether the IP address is internal to the network. Example: true |
| ip | string | An IP address. Example: 8.8.8.8 |
interface_enriched
The following table describes the fields that contain enriched information for an interface_enriched:
| Property | Type | Description |
|---|---|---|
| annotations | annotations object | User- and system-generated metadata associated with an entity or event. Annotations are typically added during investigations to capture analyst notes, contextual observations, or links to related findings, and are used to enrich the interpretation of security data. |
| asn | asn object | ASN information for the IP address |
| device_data_timestamp | string | Time at which device enrichment data was determined. Example: 2025-01-16T23:26:28.000000Z |
| device_hostnames | array | A collection of hostnames associated with a device, derived from observed network activity or integrated identity sources. |
| device_last_logoff | string | Timestamp at which the device was last recorded logging out. Example: 2025-01-16T22:15:08.000000Z |
| device_last_logon | string | Timestamp at which the device was last recorded logging in. Example: 2025-01-16T22:13:08.000000Z |
| device_os_name | string | Device operating system name. Example: Windows |
| device_os_name_with_version | string | Device operating system with version. Example: Windows 10 Pro |
| device_os_version | string | Device operating system version. Example: 10.0 (54983) |
| device_os_version_major | string | Device operating system major version number. Example: 10 |
| device_os_version_minor | string | Device operating system minor version number. Example: 0 |
| geo | geo object | Geographic information associated with an IP address. |
| internal | boolean | Indicates whether the IP address is internal to the network. Example: true |
| ip | string | An IP address. Example: 8.8.8.8 |
| mac | string | A MAC address. Example: 00:1A:2B:3C:4D:5E |
| port | integer | A port number. Example: 443 |
device_hostname
The following table describes the fields that contain enriched information for a device_hostname:
| Property | Type | Description |
|---|---|---|
| domain_name | string | Domain part of the device's fully qualified domain name. Example: apps.google.com |
| fqdn | string | The device's fully qualified domain name. Example: server1.apps.google.com |
| name | string | Hostname part of the device's fully qualified domain name. Example: server1 |
| secondary_level_domain_name | string | Second-level domain of the device's fully qualified domain name. Example: google.com |
Domain-Objects
The following table describes the fields that contain enriched information for a domain:
| Field | Type | Description |
|---|---|---|
| domain | string | The domain |
| domain_entropy | float | The computed Shannon entropy of the domain |
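As an added example (not the product's own implementation), the following Python computes a domain_entropy value in the way the table describes: the Shannon entropy, in bits per character, of the domain string. It assumes the entropy is taken over the whole string as given (dots included, case preserved); the normalised variant and the sample domains are additions for comparing domains of different lengths.

```python
import math
from collections import Counter


def domain_entropy(domain: str) -> float:
    """Shannon entropy H = -sum(p(c) * log2 p(c)) over the characters of the domain.
    Assumption: computed on the string as given (dots included, case preserved)."""
    if not domain:
        return 0.0
    n = len(domain)
    return -sum((c / n) * math.log2(c / n) for c in Counter(domain).values())


def normalized_domain_entropy(domain: str) -> float:
    """H divided by its maximum log2(len) for that length, so a short random label
    and a long random label both score near 1.0 rather than favouring length."""
    n = len(domain)
    if n < 2:
        return 0.0
    return domain_entropy(domain) / math.log2(n)


def rank_by_entropy(domains: list) -> list:
    """Defender-side triage helper: highest-entropy domains first, for review."""
    return sorted(domains, key=domain_entropy, reverse=True)


# Constructed sample domains; the high-entropy one is a made-up label, not a real IoC.
SAMPLE_DOMAINS = ["google.com", "mail.example.org", "x7k2q9vbt3mw8zp4.example"]
```

A fixed threshold on H alone penalises long legitimate hostnames, which is why the normalised form is usually the better feature in a detection rule.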
Host-Objects
Host-Objects fields contain enriched information for both IP addresses and domains, because the field could be either one: for example, an HTTP Host header or a DNS answer.
Host-Objects contain the combined sub-fields in:
URI-Objects
Fields that contain a URI are broken up into the URI's components.
| Field | Type | Description |
|---|---|---|
| fragment | string | The fragment identifier component |
| host | host-object | The content of the Host header |
| params | object-array | The HTTP parameters as an array of key-value pairs |
| path | string | The path of the requested resource |
| port | integer | The specified port |
| query | string | The full parameter string |
| scheme | string | The specified scheme |
| uri | string | The full URI |
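As an added example (not code from the original reference), the following Python splits a URI into the uri-object fields in the table above, and builds the host-object described under Host-Objects by recording whether the host is an IP address or a domain. The `{"key": ..., "value": ...}` shape for each params entry and the function names are assumptions; the page only says "an array of key-value pairs".

```python
import ipaddress
from typing import Any, Dict, List, Optional
from urllib.parse import parse_qsl, urlsplit


def host_object(host: str) -> Dict[str, str]:
    """Host-object: the value may be an IP address or a domain, so record which."""
    try:
        ipaddress.ip_address(host)       # raises ValueError for non-IP text
        return {"ip": host}
    except ValueError:
        return {"domain": host}


def uri_object(uri: str) -> Dict[str, Any]:
    """Split a URI into the uri-object fields: fragment, host, params, path,
    port, query, scheme and the full uri."""
    parts = urlsplit(uri)
    try:
        port: Optional[int] = parts.port     # None when no explicit port is given
    except ValueError:
        port = None                          # non-numeric or out-of-range port
    # Assumed shape for the "object-array" of parameters; keep_blank_values
    # keeps "y=" as an empty value instead of silently dropping it.
    params: List[Dict[str, str]] = [
        {"key": k, "value": v}
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return {
        "fragment": parts.fragment,
        # hostname is lower-cased and has IPv6 brackets removed by urlsplit
        "host": host_object(parts.hostname or ""),
        "params": params,
        "path": parts.path,
        "port": port,
        "query": parts.query,
        "scheme": parts.scheme,
        "uri": uri,
    }
```

Note that urlsplit treats a scheme-less value such as `example.com/path` as a path only, so the host-object would come back with an empty domain; normalise such inputs before calling uri_object.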
URL-Objects
Fields that contain both a host-object and a uri-object are referred to as a url-object.
URL-Objects contain the combined sub-fields in:
File-Objects
File-Objects fields contain enriched information for an observed file.
| Field | Type | Description |
|---|---|---|
| bytes | int | The file's size in bytes |
| md5 | string | The computed MD5 hash |
| mime_type | string | The fingerprinted MIME type |
| name | string | The observed name |
| sha1 | string | The computed SHA1 hash. Example: e63932430d4028b51fa25dae13d9e0188e9a02a5 |
| sha256 | string | The computed SHA256 hash |
Email-Objects
Email-Objects fields contain an email address broken up into its different components.
| Field | Type | Description |
|---|---|---|
| domain | string | The domain |
|  | string | The entire email address |
| name | string | The name |