Entity Enrichment - Generic v2
Enrich entities using one or more integrations
Common Playbooks · 9 tasks · 13 inputs · 336 outputs
Inputs
IP— The IP addresses to enrichInternalRange— A list of internal IP ranges to check IP addresses against. The comma-separated list should be provided in CIDR notation. For example, a list of ranges would be: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes).MD5— File MD5 to enrichSHA256— File SHA256 to enrichSHA1— File SHA1 to enrichURL— URL to enrichEmail— The email addresses to enrichHostname— The hostname to enrichUsername— The Username to enrichDomain— The domain name to enrichResolveIP— Determines whether the IP Enrichment - Generic playbook should convert IP addresses to hostnames using a DNS query. You can set this to either True or False.InternalDomains— A CSV list of internal domains. The list will be used to determine whether an email address is internal or external.UseReputationCommand— Define whether you wish to use the reputation command during the enrichment process. Note: This input should be used whenever auto-extract is not enabled in the investigation flow. The default value is false Possible values: True / False.
Outputs
IP— The IP object.Endpoint— The endpoint object.Endpoint.Hostname— The hostname that was enriched.Endpoint.OS— The endpoint's operating system.Endpoint.IP— A list of endpoint IP addresses.Endpoint.MAC— A list of endpoint MAC addresses.Endpoint.Domain— The endpoint domain name.DBotScore— The DBotScore object.DBotScore.Indicator— The indicator that was tested.DBotScore.Type— The indicator type.DBotScore.Vendor— Vendor used to calculate the score.DBotScore.Score— The actual score.File— The file object.File.SHA1— SHA1 hash of the file.File.SHA256— SHA256 hash of the file.File.MD5— MD5 hash of the file.File.Malicious— Whether the file is malicious.File.Malicious.Vendor— For malicious files, the vendor that made the decision.URL— The URL object.URL.Data— The enriched URL.URL.Malicious— Whether the detected URL was malicious.URL.Vendor— Vendor that labeled the URL as malicious.URL.Description— Additional information for the URL.Domain— The domain object.Account— The account object.Account.Email— The email of the account.Account.Email.NetworkType— The email account NetworkType (Internal/External).Account.Email.Distance— The object that contains the distance between the email domain and the compared domain.Account.Email.Distance.Domain— The compared domain.Account.Email.Distance.Value— The distance between the email domain and the compared domain.ActiveDirectory.Users— An object containing information about the user from Active Directory.ActiveDirectory.Users.sAMAccountName— The user's samAccountName.ActiveDirectory.Users.userAccountControl— The user's account control flag.ActiveDirectory.Users.mail— The user's email address.ActiveDirectory.Users.memberOf— Groups the user is a member of.CylanceProtectDevice— The device information about the hostname that was enriched using Cylance Protect v2.File.VirusTotal.Scans— The scan object.File.VirusTotal.Scans.Source— Vendor that scanned this hash.File.VirusTotal.Scans.Detected— Whether a scan was detected for this hash (True/False).File.VirusTotal.Scans.Result— Scan result for this hash - signature, etc.IAM— Generic IAM output.UserManagerEmail— The email of the user's manager.UserManagerDisplayName— The display name of the user's manager.ActiveDirectory.Users.manager— The manager of the user.ActiveDirectory.Users.dn— The user distinguished name.ActiveDirectory.Users.displayName— The user display name.ActiveDirectory.Users.name— The user common name.ActiveDirectory.Users.userAccountControlFields— The user account control fields.IdentityIQ.Identity— Identity asset from IdentityIQ.PingOne.Account— Account in PingID.IAM.Vendor.active— When true, indicates that the employee's status is active in the 3rd-party integration.IAM.Vendor.brand— Name of the integration.IAM.Vendor.details— Provides the raw data from the 3rd-party integration.IAM.Vendor.email— The employee's email address.IAM.Vendor.errorCode— HTTP error response code.IAM.Vendor.errorMessage— Reason why the API failed.IAM.Vendor.id— The employee's user ID in the app.IAM.Vendor.instanceName— Name of the integration instance.IAM.Vendor.success— When true, indicates that the command was executed successfully.IAM.Vendor.username— The employee's username in the app.IAM.Vendor.action— The command name.IdentityIQ.Identity.userName— The IdentityIQ username (primary ID).IdentityIQ.Identity.id— The IdentityIQ internal ID (UUID).IdentityIQ.Identity.active— Indicates whether the ID is active or inactive in IdentityIQ.IdentityIQ.Identity.lastModified— Timestamp of when the identity was last modified.IdentityIQ.Identity.displayName— The display name of the identity.IdentityIQ.Identity.emails— Array of email objects.IdentityIQ.Identity.entitlements— Array of entitlement objects that the identity has.IdentityIQ.Identity.roles— Array of role objects that the identity has.IdentityIQ.Identity.capabilities— Array of string representations of the IdentityIQ capabilities assigned to this identity.IdentityIQ.Identity.name— Account name.IdentityIQ.Identity.manager— The account's manager returned from IdentityIQ.IdentityIQ.Identity.name.formatted— The display name of the identity.IdentityIQ.Identity.name.familyName— The last name of the identity.IdentityIQ.Identity.name.givenName— The first name of the identity.IdentityIQ.Identity.manager.userName— The IdentityIQ username (primary ID) of the identity's manager.IdentityIQ.Identity.emails.type— Type of the email being returned.IdentityIQ.Identity.emails.value— The email address of the identity.IdentityIQ.Identity.emails.primary— Indicates if this email address is the identity's primary email.PingOne.Account.ID— PingOne account ID.PingOne.Account.Username— PingOne account username.PingOne.Account.DisplayName— PingOne account display name.PingOne.Account.Email— PingOne account email.PingOne.Account.Enabled— PingOne account enabled status.PingOne.Account.CreatedAt— PingOne account create date.PingOne.Account.UpdatedAt— PingOne account updated date.Account.PasswordChanged— Timestamp for when the user's password was last changed.Account.StatusChanged— Timestamp for when the user's status was last changed.Account.Activated— Timestamp for when the user was activated.Account.Created— Timestamp for when the user was created.Account.Status— Okta account status.Account.Username— The user SAM account name.Account.ID— The user distinguished name.Account.Manager— The user manager.Account.Groups— Groups for which the user is a member.Account.DisplayName— The user display name.Account.ManagerEmail— The manager email.Account.JobTitle— User’s job title.Account.TelephoneNumber— User’s mobile phone number.Account.Office— User’s office location.Account.Type— The account entity type.ActiveDirectory.Users.userAccountControlFields.SCRIPT— Whether the login script is run. Works for *Windows Server 2012 R2*.ActiveDirectory.Users.userAccountControlFields.ACCOUNTDISABLE— Whether the user account is disabled. Works for *Windows Server 2012 R2*.ActiveDirectory.Users.userAccountControlFields.HOMEDIR_REQUIRED— Whether the home folder is required. Works for *Windows Server 2012 R2*.ActiveDirectory.Users.userAccountControlFields.LOCKOUT— Whether the user is locked out. Works for *Windows Server 2012 R2*.ActiveDirectory.Users.userAccountControlFields.PASSWD_NOTREQD— Whether the password is required. Works for *Windows Server 2012 R2*.ActiveDirectory.Users.userAccountControlFields.PASSWD_CANT_CHANGE— Whether the user can change the password. Works for *Windows Server 2012 R2*.ActiveDirectory.Users.userAccountControlFields.ENCRYPTED_TEXT_PWD_ALLOWED— Whether the user can send an encrypted password. Works for *Windows Server 2012 R2*.ActiveDirectory.Users.userAccountControlFields.TEMP_DUPLICATE_ACCOUNT— Whether this is an account for users whose primary account is in another domain. Works for *Windows Server 2012 R2*.ActiveDirectory.Users.userAccountControlFields.NORMAL_ACCOUNT— Whether this is a default account type that represents a typical user. Works for *Windows Server 2012 R2*.ActiveDirectory.Users.userAccountControlFields.INTERDOMAIN_TRUST_ACCOUNT— Whether the account is permitted to trust a system domain that trusts other domains. Works for *Windows Server 2012 R2*.ActiveDirectory.Users.userAccountControlFields.WORKSTATION_TRUST_ACCOUNT— Whether this is a computer account for a computer running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain.ActiveDirectory.Users.userAccountControlFields.PARTIAL_SECRETS_ACCOUNT— Whether the account is a read-only domain controller (RODC).ActiveDirectory.Users.userAccountControlFields.TRUSTED_TO_AUTH_FOR_DELEGATION— Whether the account is enabled for delegation.ActiveDirectory.Users.userAccountControlFields.DONT_REQ_PREAUTH— Whether this account require Kerberos pre-authentication for logging on.ActiveDirectory.Users.userAccountControlFields.USE_DES_KEY_ONLY— Whether to restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.ActiveDirectory.Users.userAccountControlFields.NOT_DELEGATED— Whether the security context of the user isn't delegated to a service even if the service account is set as trusted for Kerberos delegation.ActiveDirectory.Users.userAccountControlFields.TRUSTED_FOR_DELEGATION— Whether the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation.ActiveDirectory.Users.userAccountControlFields.SMARTCARD_REQUIRED— Whether to force the user to log in by using a smart card.ActiveDirectory.Users.userAccountControlFields.MNS_LOGON_ACCOUNT— Whether this is an MNS login account.ActiveDirectory.Users.userAccountControlFields.SERVER_TRUST_ACCOUNT— Whether this is a computer account for a domain controller that is a member of this domain. Works for *Windows Server 2012 R2*.ActiveDirectory.Users.userAccountControlFields.DONT_EXPIRE_PASSWORD— Whether to never expire the password on the account.ActiveDirectory.Users.userAccountControlFields.PASSWORD_EXPIRED— Whether the user password expired.IAM.Vendor— The returning results vendor.IAM.UserProfile— The user profile.SailPointIdentityNow.Account— The IdentityNow account object.SailPointIdentityNow.Account.id— The IdentityNow internal ID (UUID).SailPointIdentityNow.Account.name— Name of the identity on this account.SailPointIdentityNow.Account.identityId— The IdentityNow internal identity ID.SailPointIdentityNow.Account.nativeIdentity— The IdentityNow internal native identity ID.SailPointIdentityNow.Account.sourceId— Source ID that maps this account.SailPointIdentityNow.Account.created— Timestamp when the account was created.SailPointIdentityNow.Account.modified— Timestamp when the account was last modified.SailPointIdentityNow.Account.attributes— Map of variable number of attributes unique to this account.SailPointIdentityNow.Account.authoritative— Indicates whether the account is the true source for this identity.SailPointIdentityNow.Account.disabled— Indicates whether the account is disabled.SailPointIdentityNow.Account.locked— Indicates whether the account is locked.SailPointIdentityNow.Account.systemAccount— Indicates whether the account is a system account.SailPointIdentityNow.Account.uncorrelated— Indicates whether the account is uncorrelated.SailPointIdentityNow.Account.manuallyCorrelated— Indicates whether the account was manually correlated.SailPointIdentityNow.Account.hasEntitlements— Indicates whether the account has entitlement.MSGraphUser.ID— User's ID.MSGraphUser.DisplayName— User's display name.MSGraphUser.GivenName— User's given name.MSGraphUser.JobTitle— User's job title.MSGraphUser.Mail— User's mail address.MSGraphUser.Surname— User's surname.MSGraphUser.UserPrincipalName— User's principal name.MSGraphUser.MobilePhone— User's mobile phone number.MSGraphUser.OfficeLocation— User's office location.MSGraphUser.BusinessPhones— User's business phone numbers.MSGraphUserManager.Manager.ID— Manager's user ID.MSGraphUserManager.Manager.DisplayName— User's display name.MSGraphUserManager.Manager.GivenName— User's given name.MSGraphUserManager.Manager.Mail— User's mail address.MSGraphUserManager.Manager.Surname— User's surname.MSGraphUserManager.Manager.UserPrincipalName— User's principal name.MSGraphUserManager.Manager.BusinessPhones— User's business phone numbers.MSGraphUserManager.Manager.JobTitle— User's job title.MSGraphUserManager.Manager.MobilePhone— User's mobile phone number.MSGraphUserManager.Manager.OfficeLocation— User's office location.PaloAltoNetworksXDR.RiskyUser— The account object.PaloAltoNetworksXDR.RiskyUser.type— Form of identification element.PaloAltoNetworksXDR.RiskyUser.id— Identification value of the type field.PaloAltoNetworksXDR.RiskyUser.score— The score assigned to the user.PaloAltoNetworksXDR.RiskyUser.reasons— The account risk objects.PaloAltoNetworksXDR.RiskyUser.reasons.date created— Date when the incident was created.PaloAltoNetworksXDR.RiskyUser.reasons.description— Description of the incident.PaloAltoNetworksXDR.RiskyUser.reasons.severity— The severity of the incidentPaloAltoNetworksXDR.RiskyUser.reasons.status— The incident statusPaloAltoNetworksXDR.RiskyUser.reasons.points— The score.AWS.IAM.Users— AWS IAM output.AWS.IAM.Users.UserName— The friendly name identifying the user.AWS.IAM.Users.UserId— The stable and unique string identifying the user.AWS.IAM.Users.Arn— The Amazon Resource Name (ARN) that identifies the user.AWS.IAM.Users.CreateDate— The date and time when the user was created.AWS.IAM.Users.Path— The path to the user.AWS.IAM.Users.PasswordLastUsed— The date and time, when the user's password was last used to sign in to an AWS website.Account.Email.Address— User’s mail address.URL.Malicious.Vendor— For malicious URLs, the vendor that made the decision.URL.Malicious.Description— For malicious URLs, the reason that the vendor made the decision.DBotScore.Reliability— Reliability of the source providing the intelligence data.Endpoint.IPAddress— The endpoint IP address or list of IP addresses.Endpoint.ID— The endpoint ID.Endpoint.Status— The endpoint status.Endpoint.IsIsolated— The endpoint isolation status.Endpoint.MACAddress— The endpoint MAC address.Endpoint.Vendor— The integration name of the endpoint vendor.Endpoint.Relationships— The endpoint relationships of the endpoint that was enriched.Endpoint.Processor— The model of the processor.Endpoint.Processors— The number of processors.Endpoint.Memory— Memory on this endpoint.Endpoint.Model— The model of the machine or device.Endpoint.BIOSVersion— The endpoint's BIOS version.Endpoint.OSVersion— The endpoint's operation system version.Endpoint.DHCPServer— The DHCP server of the endpoint.Endpoint.Groups— Groups for which the computer is listed as a member.ExtraHop.Device.Macaddr— The MAC Address of the device.ExtraHop.Device.DeviceClass— The class of the device.ExtraHop.Device.UserModTime— The time of the most recent update, expressed in milliseconds since the epoch.ExtraHop.Device.AutoRole— The role automatically detected by the ExtraHop.ExtraHop.Device.ParentId— The ID of the parent device.ExtraHop.Device.Vendor— The device vendor.ExtraHop.Device.Analysis— The level of analysis preformed on the device.ExtraHop.Device.DiscoveryId— The UUID given by the Discover appliance.ExtraHop.Device.DefaultName— The default name of the device.ExtraHop.Device.DisplayName— The display name of device.ExtraHop.Device.OnWatchlist— Whether the device is on the advanced analysis allow list.ExtraHop.Device.ModTime— The time of the most recent update, expressed in milliseconds since the epoch.ExtraHop.Device.IsL3— Indicates whether the device is a Layer 3 device.ExtraHop.Device.Role— The role of the device.ExtraHop.Device.DiscoverTime— The time that the device was discovered.ExtraHop.Device.Id— The ID of the device.ExtraHop.Device.Ipaddr4— The IPv4 address of the device.ExtraHop.Device.Vlanid— The ID of VLan.ExtraHop.Device.Ipaddr6— The IPv6 address of the device.ExtraHop.Device.NodeId— The Node ID of the Discover appliance.ExtraHop.Device.Description— A user customizable description of the device.ExtraHop.Device.DnsName— The DNS name associated with the device.ExtraHop.Device.DhcpName— The DHCP name associated with the device.ExtraHop.Device.CdpName— The Cisco Discovery Protocol name associated with the device.ExtraHop.Device.NetbiosName— The NetBIOS name associated with the device.ExtraHop.Device.Url— Link to the device details page in ExtraHop.McAfee.ePO.Endpoint— The endpoint that was enriched.ActiveDirectory.ComputersPageCookie— An opaque string received in a paged search, used for requesting subsequent entries.ActiveDirectory.Computers— The information about the hostname that was enriched using Active Directory.ActiveDirectory.Computers.dn— The computer distinguished name.ActiveDirectory.Computers.memberOf— Groups for which the computer is listed.ActiveDirectory.Computers.name— The computer name.CrowdStrike.Device— The information about the endpoint.CarbonBlackEDR.Sensor.systemvolume_total_size— The size, in bytes, of the system volume of the endpoint on which the sensor is installed. installed.CarbonBlackEDR.Sensor.emet_telemetry_path— The path of the EMET telemetry associated with the sensor.CarbonBlackEDR.Sensor.os_environment_display_string— Human-readable string of the installed OS.CarbonBlackEDR.Sensor.emet_version— The EMET version associated with the sensor.CarbonBlackEDR.Sensor.emet_dump_flags— The flags of the EMET dump associated with the sensor.CarbonBlackEDR.Sensor.clock_delta— The clock delta associated with the sensor.CarbonBlackEDR.Sensor.supports_cblr— Whether the sensor supports Carbon Black Live Response (CbLR).CarbonBlackEDR.Sensor.sensor_uptime— The uptime of the process.CarbonBlackEDR.Sensor.last_update— When the sensor was last updated.CarbonBlackEDR.Sensor.physical_memory_size— The size in bytes of physical memory.CarbonBlackEDR.Sensor.build_id— The sensor version installed on this endpoint. From the /api/builds/ endpoint.CarbonBlackEDR.Sensor.uptime— Endpoint uptime in seconds.CarbonBlackEDR.Sensor.is_isolating— Boolean representing sensor-reported isolation status.CarbonBlackEDR.Sensor.event_log_flush_time— If event_log_flush_time is set, the server will instruct the sensor to immediately send all data before this date, ignoring all other throttling mechanisms. To force a host current, set this value to a value far in the future. When the sensor has finished sending its queued data, this value will be null.CarbonBlackEDR.Sensor.computer_dns_name— The DNS name of the endpoint on which the sensor is installed.CarbonBlackEDR.Sensor.emet_report_setting— The report setting of the EMET associated with the sensor.CarbonBlackEDR.Sensor.id— The ID of this sensor.CarbonBlackEDR.Sensor.emet_process_count— The number of EMET processes associated with the sensor.CarbonBlackEDR.Sensor.emet_is_gpo— Whether the EMET is a GPO.CarbonBlackEDR.Sensor.power_state— The sensor power state.CarbonBlackEDR.Sensor.network_isolation_enabled— Boolean representing the network isolation request status.CarbonBlackEDR.Sensor.systemvolume_free_size— The amount of free bytes on the system volume.CarbonBlackEDR.Sensor.status— The sensor status.CarbonBlackEDR.Sensor.num_eventlog_bytes— The number of event log bytes.CarbonBlackEDR.Sensor.sensor_health_message— Human-readable string indicating the sensor’s self-reported status.CarbonBlackEDR.Sensor.build_version_string— Human-readable string of the sensor version.CarbonBlackEDR.Sensor.computer_sid— Machine SID of this host.CarbonBlackEDR.Sensor.next_checkin_time— Next expected communication from this computer in server-local time and zone.CarbonBlackEDR.Sensor.node_id— The node ID associated with the sensor.CarbonBlackEDR.Sensor.cookie— The cookie associated with the sensor.CarbonBlackEDR.Sensor.emet_exploit_action— The EMET exploit action associated with the sensor.CarbonBlackEDR.Sensor.computer_name— NetBIOS name of this computer.CarbonBlackEDR.Sensor.license_expiration— When the license of the sensor expires.CarbonBlackEDR.Sensor.supports_isolation— Whether the sensor supports isolation.CarbonBlackEDR.Sensor.parity_host_id— The ID of the parity host associated with the sensor.CarbonBlackEDR.Sensor.supports_2nd_gen_modloads— Whether the sensor support modload of 2nd generation.CarbonBlackEDR.Sensor.network_adapters— A pipe-delimited list of IP,MAC pairs for each network interface.CarbonBlackEDR.Sensor.sensor_health_status— Self-reported health score, from 0 to 100. Higher numbers indicate a better health status.CarbonBlackEDR.Sensor.registration_time— Time this sensor was originally registered in server-local time and zone.CarbonBlackEDR.Sensor.restart_queued— Whether a restart of the sensor is queued.CarbonBlackEDR.Sensor.notes— The notes associated with the sensor.CarbonBlackEDR.Sensor.num_storefiles_bytes— Number of storefiles bytes associated with the sensor.CarbonBlackEDR.Sensor.os_environment_id— The ID of the OS environment of the sensor.CarbonBlackEDR.Sensor.shard_id— The ID of the shard associated with the sensor.CarbonBlackEDR.Sensor.boot_id— A sequential counter of boots since the sensor was installed.CarbonBlackEDR.Sensor.last_checkin_time— Last communication with this computer in server-local time and zone.CarbonBlackEDR.Sensor.os_type— The operating system type of the computer.CarbonBlackEDR.Sensor.group_id— The sensor group ID this sensor is assigned to.CarbonBlackEDR.Sensor.uninstall— When set, indicates that the sensor will be directed to uninstall on next check-in.PaloAltoNetworksXDR.Endpoint.endpoint_id— The endpoint ID.PaloAltoNetworksXDR.Endpoint.endpoint_name— The endpoint name.PaloAltoNetworksXDR.Endpoint.endpoint_type— The endpoint type.PaloAltoNetworksXDR.Endpoint.endpoint_status— The status of the endpoint.PaloAltoNetworksXDR.Endpoint.os_type— The endpoint OS type.PaloAltoNetworksXDR.Endpoint.ip— A list of IP addresses.PaloAltoNetworksXDR.Endpoint.users— A list of users.PaloAltoNetworksXDR.Endpoint.domain— The endpoint domain.PaloAltoNetworksXDR.Endpoint.alias— The endpoint's aliases.PaloAltoNetworksXDR.Endpoint.first_seen— First seen date/time in Epoch (milliseconds).PaloAltoNetworksXDR.Endpoint.last_seen— Last seen date/time in Epoch (milliseconds).PaloAltoNetworksXDR.Endpoint.content_version— Content version.PaloAltoNetworksXDR.Endpoint.installation_package— Installation package.PaloAltoNetworksXDR.Endpoint.active_directory— Active directory.PaloAltoNetworksXDR.Endpoint.install_date— Install date in Epoch (milliseconds).PaloAltoNetworksXDR.Endpoint.endpoint_version— Endpoint version.PaloAltoNetworksXDR.Endpoint.is_isolated— Whether the endpoint is isolated.PaloAltoNetworksXDR.Endpoint.group_name— The name of the group to which the endpoint belongs.PaloAltoNetworksXDR.Endpoint.count— Number of endpoints returned.Account.Domain— The domain of the account.PaloAltoNetworksXDR.RiskyHost.type— Form of identification element.PaloAltoNetworksXDR.RiskyHost.id— Identification value of the type field.PaloAltoNetworksXDR.RiskyHost.score— The score assigned to the host.PaloAltoNetworksXDR.RiskyHost.reasons— The endpoint risk objects.PaloAltoNetworksXDR.RiskyHost.reasons.date created— Date when the incident was created.PaloAltoNetworksXDR.RiskyHost.reasons.description— Description of the incident.PaloAltoNetworksXDR.RiskyHost.reasons.severity— The severity of the incident.PaloAltoNetworksXDR.RiskyHost.reasons.status— The incident status.PaloAltoNetworksXDR.RiskyHost.reasons.points— The score.Core.Endpoint.endpoint_id— The endpoint ID.Core.Endpoint.endpoint_name— The endpoint name.Core.Endpoint.endpoint_type— The endpoint type.Core.Endpoint.endpoint_status— The status of the endpoint.Core.Endpoint.os_type— The endpoint OS type.Core.Endpoint.ip— A list of IP addresses.Core.Endpoint.users— A list of users.Core.Endpoint.domain— The endpoint domain.Core.Endpoint.alias— The endpoint's aliases.Core.Endpoint.first_seen— First seen date/time in Epoch (milliseconds).Core.Endpoint.last_seen— Last seen date/time in Epoch (milliseconds).Core.Endpoint.content_version— Content version.Core.Endpoint.installation_package— Installation package.Core.Endpoint.active_directory— Active directory.Core.Endpoint.install_date— Install date in Epoch (milliseconds).Core.Endpoint.endpoint_version— Endpoint version.Core.Endpoint.is_isolated— Whether the endpoint is isolated.Core.Endpoint.group_name— The name of the group to which the endpoint belongs.Core.RiskyHost.type— Form of identification element.Core.RiskyHost.id— Identification value of the type field.Core.RiskyHost.score— The score assigned to the host.Core.RiskyHost.reasons.date created— Date when the incident was created.Core.RiskyHost.reasons.description— Description of the incident.Core.RiskyHost.reasons.severity— The severity of the incident.Core.RiskyHost.reasons.status— The incident status.Core.RiskyHost.reasons.points— The score.Domain.Malicious.Vendor— For malicious domains, the vendor that made the decision.Domain.Name— Bad domain found.