Data sources
These are the available data sources with which you can start a query.
| Data source | Description |
|---|---|
| alerts | Raised events |
| appliances | Downstream connected sensors synchronizing data to this, local one |
| assertions | Assertions saved by the users. An assertion represents an automatic check against other query sources |
| assets | Identified assets. An asset represents a local (private), physical system of interest and can be composed of one or more nodes. Broadcast nodes, grouped nodes, internet nodes and similar therefore cannot be assets |
| audit_log | System’s log for important operational events, e.g., login, backup creation, etc. |
| captured_files | Files reconstructed for analysis |
| captured_logs | Logs captured passively over the network |
| captured_urls | URLs and other protocol calls captured over the network. File accesses, DNS requests, requested URLs and others are available in this query source |
| cpe_items | CPE maps definitions |
| cve_files | CVE definitions |
| dhcp_leases | IP-to-MAC address bindings learned from DHCP traffic |
| function_codes | Protocols' function codes used in the environment |
| health_log | System health-related events, e.g. high resource utilization or hardware-related issues |
| link_events | Events that can occur on a Link, like it being available or not |
| links | Identified links, defined as directional one-to-one associations with a single protocol (i.e. source, destination, protocol) |
| microsoft_hotfixes | Microsoft hotfix information |
| node_cpe_changes | Common Platform Enumeration changes identified on known nodes. When a node's CPE is updated (hardware, operating system or software version), an entry is created in this query source to keep track of software updates or of improved software detection |
| node_cpes | Common Platform Enumeration identified on nodes (hardware, operating system and software versions) |
| node_cves | Common Vulnerabilities and Exposures: vulnerabilities associated with the CPEs of identified nodes |
| node_points | Data points extracted over time, via Smart Polling or via Arc, from monitored Nodes |
| node_points_last | The last sample from node_points for each included data point |
| nodes | Identified nodes, where a node is an L2 or L3 (and above) entity able to speak some protocol |
| packet_rules | Packet rules definitions |
| protocol_connections | Identified protocol handshakes/connections needed to decode process variables |
| report_files | Generated report files available for consultation |
| report_folders | Generated report folders |
| sessions | Sessions with recent network activity. A session is a specific application-level connection between nodes. A link can hold one or more sessions at a given time |
| sessions_history | Archived sessions |
| sigma_rules | Sigma rules definitions |
| sp_executions | Executions of Smart Polling plans |
| sp_node_executions | Results of Smart Polling plan executions per node |
| stix_indicators | STIX definitions |
| subnets | Identified network subnets |
| threat_models | Threat Modeling definitions |
| trace_requests | Trace requests in processing |
| variable_history | Process variables' history of values |
| variables | Identified process variables |
| yara_rules | YARA rules definitions |
| zone_links | A list of protocols exchanged by the defined zones |
| zones | Defined network zones |