Events
All search results in Query are represented as events. Events can represent observability data like network and process activity, but also alerts, detections, findings, remediation activities, and even queries to systems of record. Events are grouped into categories. For a complete list of events, see the Event Categories page.
Events have attributes. Attributes can be primitive data types – strings, numbers, boolean values, etc. But attributes can also be objects: compound, reusable attributes with attributes of their own. Some key objects include User, File, and Device. See the Objects section for a complete list. Finally, attributes can be arrays (plural) or scalar (singular).
Events and attributes can be described as paths through the schema in dot notation, e.g. <event>[.<attribute>[.<attribute>[...]]]. All events and attributes have an internal machine-friendly name – all lowercase letters with underscores – and a human-friendly caption with mixed case letters and spaces.
Updated about 8 hours ago