Appendix B. The List of Fields

artefacts_fs

File artifacts

Field	Data type
analysis_results.metawave.datetime	date
analysis_results.metawave.result	text
analysis_results.metawave.status	text
category_name	text
hash.sha1	text
modify_datetime	date
path	text
sha1	text
size	long

defender:computer_status

The computer status based on Microsoft Defender data

Field	Data type
am_engine_version	keyword
am_product_version	keyword
am_service_enabled	boolean
am_service_version	keyword
antispyware_enabled	boolean
antispyware_signature_age	long
antispyware_signature_last_updated	date
antispyware_signature_version	keyword
antivirus_enabled	boolean
antivirus_signature_age	long
antivirus_signature_last_updated	date
antivirus_signature_version	keyword
behavior_monitor_enabled	boolean
category_name	text
computer_id	text
computer_state	long
full_scan_age	long
full_scan_end_time	text
full_scan_start_time	text
ioav_protection_enabled	boolean
last_full_scan_source	long
last_quick_scan_source	long
nis_enabled	boolean
nis_engine_version	keyword
nis_signature_age	long
nis_signature_last_updated	date
on_access_protection_enabled	boolean
quick_scan_age	long
quick_scan_end_time	date
quick_scan_start_time	date
real_time_protection_enabled	boolean
real_time_scan_direction	long

defender:preference

Microsoft Defender settings

Field	Data type
category_name	text
check_for_signatures_before_running_scan	boolean
computer_id	text
disable_archive_scanning	boolean
disable_auto_exclusions	boolean
disable_behavior_monitoring	boolean
disable_catchup_full_scan	boolean
disable_catchup_quick_scan	boolean
disable_email_scanning	boolean
disable_intrusion_prevention_system	text
disable_ioav_protection	boolean
disable_privacy_mode	boolean
disable_realtime_monitoring	boolean
disable_removable_drive_scanning	boolean
disable_restore_point	boolean
disable_scanning_mapped_network_drives_for_full_scan	boolean
disable_scanning_network_files	boolean
disable_script_scanning	boolean
exclusion_path	text
high_threat_default_action	long
low_threat_default_action	long
maps_reporting	long
moderate_threat_default_action	long
quarantine_purge_items_after_delay	long
randomize_schedule_task_times	boolean
real_time_scan_direction	long
remediation_schedule_day	long
reporting_additional_action_time_out	long
reporting_critical_failure_time_out	long
reporting_non_critical_time_out	long
scan_only_if_idle_enabled	boolean
scan_parameters	long
scan_purge_items_after_delay	long
scan_schedule_day	long
scan_schedule_quick_scan_time	date
scan_schedule_time	date
severe_threat_default_action	long
signature_au_grace_period	long
signature_definition_update_file_shares_sources	text
signature_disable_update_on_startup_without_engine	boolean
signature_fallback_order	text
signature_first_au_grace_period	long
signature_schedule_day	long
signature_schedule_time	date
signature_update_catchup_interval	long
signature_update_interval	long
submit_samples_consent	long
ui_lockdown	boolean
unknown_threat_default_action	long

defender:threat

Threats detected by Microsoft Defender

Field	Data type
category_id	long
category_name	text
did_threat_execute	boolean
is_active	boolean
resources	text
rollup_status	long
schema_version	keyword
severity_id	long
threat_id	long
threat_name	text
type_id	long

defender:threat_detection

Threat detection using Microsoft Defender

Field	Data type
action_success	boolean
additional_actions_bit_mask	long
am_product_version	keyword
category_name	text
cleaning_action_id	long
current_threat_execution_status_id	long
detection_id	text
detection_source_type_id	long
domain_user	text
initial_detection_time	date
last_threat_status_change_time	date
process_name	text
remediation_time	text
resources	text
threat_id	long
threat_status_error_code	long
threat_status_id	long

disk_bootsect

Boot sectors of disks

Field	Data type
block.end_lba	text
block.start_lba	text
bytes_per_sector	integer
category_name	text
cylinders	integer
gpt.header.backup_lba	text
gpt.header.disk_guid	text
gpt.header.first_usable_lba	text
gpt.header.header_crc	text
gpt.header.header_size	text
gpt.header.last_usable_lba	text
gpt.header.num_parts	text
gpt.header.part_entries_crc	text
gpt.header.part_entry_lba	text
gpt.header.primary_lba	text
gpt.header.reserved	text
gpt.header.revision	text
gpt.header.signature	text
gpt.header.sizeof_part_entry	text
gpt.partition.arkstatus	text
gpt.partition.attrib	text
gpt.partition.end_lba	text
gpt.partition.guid	text
gpt.partition.index	text
gpt.partition.name	text
gpt.partition.start_lba	text
gpt.partition.type	text
id	integer
mbr.arkstatus	text
mbr.disk_signature	long
mbr.disk_signature	text
mbr.partition.arkstatus	text
mbr.partition.boot_id	integer
mbr.partition.boot_id	text
mbr.partition.index	integer
mbr.partition.index	text
mbr.partition.size_in_sectors	long
mbr.partition.size_in_sectors	text
mbr.partition.start_lba	long
mbr.partition.start_lba	text
mbr.partition.type	text
mbr.signature	integer
mbr.zero_padding	integer
media_type	integer
part_style	text
sectors_per_track	integer
size	long
tracks_per_cylinder	integer

drivers

Drivers

Field	Data type
base	text
category_name	text
path	text
size	long

drweb:bases

Dr.Web anti-virus databases

Field	Data type
category_name	text
name	text
path	text
records	long
timestamp	date
type	integer
version	text

drweb:components

Dr.Web components

Field	Data type
category_name	text
installation_datetime	date
name	text

drweb:info

Dr.Web product information

Field	Data type
bases_path	text
category_name	text
hash	text
hash_sha1	text
install_path	text
product_mode	text
product_type	text
product_version	text
repo_path	text

drweb:launched_modules

Launched Dr.Web modules

Field	Data type
launched	boolean

drweb:licenses

Dr.Web licenses

Field	Data type
category_name	text
key.applications	text
key.created	date
key.expires	date
key.product_spec	text
key.product_type	text
key.products	text
key.subscription_expires	date
path	text
settings.app_control	text
settings.AppControl	text
settings.file_server	text
settings.FileServer	text
settings.inet_gateway	text
settings.InetGateway	text
settings.lotus_spam_filter	text
settings.LotusSpamFilter	text
settings.mail_server	text
settings.MailServer	text
settings.spam_filter	text
settings.SpamFilter	text
settings.Users	text
settings.users	text
user.computers	integer
user.name	text
user.number	text

drweb:products

Dr.Web products

Field	Data type
category_name	text
installation_datetime	date
name	text

engine_detects

Threats detected using signature databases

Field	Data type
category_name	text
path	text
threat	text
type	text

events

Events

Field	Data type
category	text
category_name	text
code	text
computer	text
content	text
id	text
index	text
instance_id	text
keywords	text
logfile	text
msg	text
opcode	text
pid	text
source	text
task	text
tid	text
time	date
type	text
user	text

files

Files

Field	Data type
analysis_results.metawave.datetime	date
analysis_results.metawave.result	text
analysis_results.metawave.status	text
arkstatus.cert	text
arkstatus.cloud	text
arkstatus.confidence	text
arkstatus.file	text
arkstatus.soft_type	text
arkstatus.soft_white	text
arkstatus.threat	text
arkstatus.type	text
atime	date
attrib.archive	boolean
attrib.compressed	text
attrib.dir	boolean
attrib.ea	text
attrib.hidden	boolean
attrib.invalid	boolean
attrib.normal	boolean
attrib.not_content_indexed	boolean
attrib.readonly	boolean
attrib.recall_on_open	text
attrib.reparse_point	text
attrib.security	text
attrib.sparse	text
attrib.system	boolean
attrib.temporary	boolean
attrib.value	text
buildtime	date
category_name	text
certinfo.catfile	text
certinfo.creator_name	text
certinfo.creator_url	text
certinfo.item.alg	text
certinfo.item.ca	text
certinfo.item.eku	text
certinfo.item.flags	text
certinfo.item.from	date
certinfo.item.hash_alg	text
certinfo.item.hash_alg_type	text
certinfo.item.issuer.C	text
certinfo.item.issuer.CN	text
certinfo.item.issuer.DC	text
certinfo.item.issuer.L	text
certinfo.item.issuer.O	text
certinfo.item.issuer.OU	text
certinfo.item.issuer.ST	text
certinfo.item.sn	text
certinfo.item.subject.C	text
certinfo.item.subject.CN	text
certinfo.item.subject.DC	text
certinfo.item.subject.L	text
certinfo.item.subject.O	text
certinfo.item.subject.OU	text
certinfo.item.subject.SERIALNUMBER	text
certinfo.item.subject.ST	text
certinfo.item.thumbprint	text
certinfo.item.thumbprint_sha256	text
certinfo.item.to	date
certinfo.timestamp	date
certinfo.type	text
ctime	date
device_characteristics	text
device_type	text
eainfo.item.data	text
eainfo.item.name	text
eainfo.item.size	text
easize	integer
hash.pemd5	text
hash.pesha1	text
hash.pesha256	text
hash.pesha512	text
hash.sha1	text
hash.sha256	text
links	integer
path	text
signed	boolean
size	long
verinfo.company	text
verinfo.descr	text
verinfo.file_version_num	text
verinfo.origname	text
verinfo.product_name	text
verinfo.product_version	text
verinfo.product_version_num	text
verinfo.version	text
wtime	date
zone_transfer.host_url	text
zone_transfer.id	text
zone_transfer.referrer_url	text
zone_transfer.package_name	text

fixes

Fixes

Field	Data type
__type__	text
caption	text
category.id	text
category.name	text
category_name	text
comment	text
csname	text
descr	text
hidden	text
id	text
installed_by	text
installed_on	date
need_reboot	text

hosts

Hosts

Field	Data type
category_name	text
ip.address	ip
ip.category	text
ip.domain.address	text
ip.domain.category	text
line	integer
path	text
text	text

installed_apps

Installed applications

Field	Data type
category_name	text
hidden	text
id	text
location	text
name	text
uninstall	text

modules

Modules

Field	Data type
category_name	text
path	text

msi_apps

MSI applications

Field	Data type
category_name	text
id	text
language	integer
msi_package_code	text
msi_product_code	text
name	text
vendor	text
version	text

net_connections

Network connections

Field	Data type
__type__	text
category_name	text
local_addr	ip
local_port	integer
local_scopeid	text
path	text
pid	integer
remote_addr	ip
remote_port	integer
remote_scopeid	text
state	text

net_providers:namespaces

Network providers (namespaces)

Field	Data type
active	boolean
broken	boolean
category_name	text
guid	text
name	text
namespace	text
path	text
version	text
wow64	boolean

net_providers:protocols

Network providers (protocols)

Field	Data type
broken	boolean
category_name	text
entryid	text
flags	text
guid	text
name	text
path	text
protocol	text
scheme	text
version	text
wow64	boolean

processes

Processes

Field	Data type
appid	text
base	text
bit	integer
category_name	text
cmdline	text
create_time	date
curdir	text
handles	integer
ilevel	text
isdebugged	boolean
kernel_time	text
memory_usage.other_op	long
memory_usage.pagefaults	long
memory_usage.pagefile_usage	long
memory_usage.peak_pagefile_usage	long
memory_usage.peak_virtual_size	long
memory_usage.peak_workingset	long
memory_usage.quota_non_pagedpool	long
memory_usage.quota_pagedpool	long
memory_usage.quota_peak_non_pagedpool	long
memory_usage.quota_peak_pagedpool	long
memory_usage.read_op	long
memory_usage.virtual_size	long
memory_usage.workingset	long
memory_usage.write_op	long
mitigations.aslr_policy.disallow_stripped_images	text
mitigations.aslr_policy.enable_bottom_up_randomization	text
mitigations.aslr_policy.enable_force_relocate_images	text
mitigations.aslr_policy.enable_high_entropy	text
mitigations.cfg_policy.enable_cfg	text
mitigations.cfg_policy.enable_export_suppression	text
mitigations.cfg_policy.strict_mode	text
mitigations.child_process_policy.allow_secure_process_creation	text
mitigations.child_process_policy.audit_no_child_process_creation	text
mitigations.child_process_policy.no_child_process_creation	text
mitigations.dynamic_code_policy.allow_remote_downgrade	text
mitigations.dynamic_code_policy.allow_thread_opt_out	text
mitigations.dynamic_code_policy.audit_prohibit_dynamic_code	text
mitigations.dynamic_code_policy.prohibit_dynamic_code	text
mitigations.extension_point_disable_policy.disable_extension_points	text
mitigations.font_disable_policy.audit_non_system_font_loading	text
mitigations.font_disable_policy.disable_non_system_fonts	text
mitigations.image_load_policy.audit_no_low_mandatory_label_images	text
mitigations.image_load_policy.audit_no_remote_images	text
mitigations.image_load_policy.no_low_mandatory_label_images	text
mitigations.image_load_policy.no_remote_images	text
mitigations.image_load_policy.prefer_system32_images	text
mitigations.payload_restriction_policy.audit_export_address_filter	text
mitigations.payload_restriction_policy.audit_export_address_filter_plus	text
mitigations.payload_restriction_policy.audit_import_address_filter	text
mitigations.payload_restriction_policy.audit_rop_caller_check	text
mitigations.payload_restriction_policy.audit_rop_sim_exec	text
mitigations.payload_restriction_policy.audit_rop_stack_pivot	text
mitigations.payload_restriction_policy.enable_export_address_filter	text
mitigations.payload_restriction_policy.enable_export_address_filter_plus	text
mitigations.payload_restriction_policy.enable_import_address_filter	text
mitigations.payload_restriction_policy.enable_rop_caller_check	text
mitigations.payload_restriction_policy.enable_rop_sim_exec	text
mitigations.payload_restriction_policy.enable_rop_stack_pivot	text
mitigations.redirection_trust_policy.audit_redirectiont_rust	text
mitigations.redirection_trust_policy.enforce_redirection_trust	text
mitigations.side_channel_isolation_policy.disable_page_combine	text
mitigations.side_channel_isolation_policy.isolate_security_domain	text
mitigations.side_channel_isolation_policy.smt_branch_target_isolation	text
mitigations.side_channel_isolation_policy.speculative_store_bypass_disable	text
mitigations.signature_policy.audit_microsoft_signed_only	text
mitigations.signature_policy.audit_store_signed_only	text
mitigations.signature_policy.microsoft_signed_only	text
mitigations.signature_policy.mitigation_opt_in	text
mitigations.signature_policy.store_signed_only	text
mitigations.strict_handle_check_policy.handle_exceptions_permanently_enabled	text
mitigations.strict_handle_check_policy.raise_exception_on_invalid_handle_reference	text
mitigations.syscall_disable_policy.audit_disallow_win32k_syscalls	text
mitigations.syscall_disable_policy.disallow_win32k_syscalls	text
mitigations.systemcall_filter_policy.filter_id	text
mitigations.user_shadow_stack_policy.audit	text
mitigations.user_shadow_stack_policy.audit_block_non_cet_binaries	text
mitigations.user_shadow_stack_policy.audit_set_context_ip_validation	text
mitigations.user_shadow_stack_policy.block_non_cet_binaries	text
mitigations.user_shadow_stack_policy.block_non_cet_binaries_non_ehcont	text
mitigations.user_shadow_stack_policy.cet_dynamic_apis_out_of_proc_only	text
mitigations.user_shadow_stack_policy.enable	text
mitigations.user_shadow_stack_policy.enable_strict_mode	text
mitigations.user_shadow_stack_policy.set_context_ip_validation	text
mitigations.user_shadow_stack_policy.set_context_ip_validation_relaxed_mode	text
module.arkstatus	text
module.base	text
module.buildtime	date
module.path	text
module.size	long
path	text
peb	text
pid	integer
ppid	integer
priority	integer
protection_level	text
section_info.checksum	text
section_info.committed_stack_size	long
section_info.dll_characteristics	text
section_info.image_characteristics	text
section_info.image_contains_code	boolean
section_info.image_file_size	long
section_info.image_flags	text
section_info.loader_flags	text
section_info.machine	text
section_info.max_stack_size	long
section_info.os_major_ver	text
section_info.os_minor_ver	text
section_info.subsystem	text
section_info.subsystem_major_ver	text
section_info.subsystem_minor_ver	text
section_info.transfer_address	text
section_info.zero_bits	text
session_id	text
shell_info	text
shortcut	text
size	long
threads.count	text
threads.thread.base_priority	text
threads.thread.create_time	text
threads.thread.kernel_time	text
threads.thread.path	text
threads.thread.priority	text
threads.thread.start_address	text
threads.thread.state	text
threads.thread.tid	text
threads.thread.user_time	text
threads.thread.win32_start_address	text
title	text
type	text
unique_id	text
user_time	text
window_flags	text

services

Services

Field	Data type
category_name	text
checkpoint	text
cmdline	text
controls_accepted	text
depends	text
display_name	text
error_control	text
flags	text
group	text
name	text
path	text
pid	integer
start_name	text
startmode	text
state	text
svc_exitcode	text
tagid	text
type	text
waithint	text
win32_exitcode	text

startups:mstasks

Startup objects (task scheduler tasks)

Field	Data type
args	text
category_name	text
clsid	text
command	text
enabled	text
is_job	text
name	text
path	text
state	text
type	text
workdir	text

startups:registry

Startup objects (registry)

Field	Data type
arkstatus	text
category_name	text
clsid	text
data	text
id	text
full_key	text
key	text
path	text
sid	text
value	text

startups:wmi

Startup objects (WMI)

Field	Data type
arkstatus	text
category_name	text
class	text
clsid	text
instance	text
name	text
namespace	text
path	text
value	text
workdir	text

sysobj:chromium_config

System objects (Chromium settings)

Field	Data type
browser	text
category_name	text
profile	text
sid	text
url	text

sysobj:chromium_extensions

System objects (Chromium extensions)

Field	Data type
browser	text
category_name	text
id	text
name	text
path	text
profile	text
sid	text
url	text
version	text

sysobj:detects

System objects (detected threats)

Field	Data type
category_name	text
data	text
id	text
object	text
path	text
threat	text
type	text

sysobj:firefox_addons

System objects (Firefox addons)

Field	Data type
browser	text
category_name	text
id	text
name	text
path	text
profile	text
sid	text
type	text
url	text
version	text

sysobj:firefox_config

System objects (Firefox settings)

Field	Data type
browser	text
category_name	text
profile	text
sid	text
url	text

sysobj:ie

System objects

Field	Data type
category_name	text
data	text
id	text
key	text
sid	text
value	text

sysobj:mstasks

System objects (task scheduler tasks)

Field	Data type
category_name	text
clsid	text
command	text
enabled	text
is_job	text
name	text
path	text
state	text
type	text
workdir	text

sysobj:proxy

System objects (proxy)

Field	Data type
category_name	text
data	text
id	text
key	text
sid	text
value	text

sysobj:registry

System objects (registry)

Field	Data type
arkstatus	text
category_name	text
clsid	text
data	text
full_key	text
id	text
key	text
path	text
sid	text
threat	text
value	text

sysobj:shortcuts

System objects (shortcuts)

Field	Data type
arg	text
arkstatus	text
category_name	text
data	text
mac	text
machine_id	text
name	text
path	text
relative	text
target	text
threat	text
workdir	text

sysobj:wmi

System objects (WMI)

Field	Data type
arkstatus	text
category_name	text
class	text
clsid	text
data	text
instance	text
name	text
namespace	text
path	text
threat	text
value	text
workdir	text

system_reg_export

Registry

Field	Data type
arkstatus	text
category_name	text
hive	text
lastwrite	date
name	text
security	text
subkeys	integer
value.arkstatus	text
value.name	text
value.size	integer
value.type	text
value.value	text
values	integer

system:accounts

System (accounts)

Field	Data type
bad_passwd_count	integer
category_name	text
codepage	text
country	text
descr	text
expires	date
flags	text
fullname	text
group.name	text
home	text
home_drive	text
last_logoff	text
last_logon	date
logons_count	integer
logons_server	text
name	text
password_age	text
profile	text
script	text
type	text
workstation	text

system:antivirus

System (anti-virus)

Field	Data type
category_name	text
company	text
enabled	boolean
guid	text
name	text
product_exe	text
product_exe_company	text
product_exe_version	text
reporting_exe	text
reporting_exe_company	text
reporting_exe_version	text
timestamp	text
uptodate	boolean
version	text

system:bios

System (BIOS)

Field	Data type
category_name	text
manufacturer	text
primary	text
release_date	date
system_bios_major	integer
system_bios_minor	integer
version	text

system:cpu

System (CPU)

Field	Data type
category_name	text
cores	integer
cpuid	text
descr	text
enabled_cores	text
id	text
load	text
logical_cpus	long
manufacturer	text
max_speed	integer
name	text
socket	text
speed	integer
threads	integer
vmmonitor_support	boolean
vt_support	boolean

system:dep

Field	Data type
available	boolean
category_name	text
for_32bit	boolean
for_drivers	boolean
policy	integer

system:dirs

System (directories)

Field	Data type
category_name	text
name	text
path	text

system:dns

System DNS

Field	Data type
category_name	text
name	text
server	text

system:firewall

System (firewall)

Field	Data type
category_name	text
company	text
enabled	boolean
guid	text
name	text
product_exe	text
product_exe_company	text
product_exe_version	text
reporting_exe	text
reporting_exe_company	text
reporting_exe_version	text
timestamp	text
version	text

system:hdd

System (HDD)

Field	Data type
category_name	text
deviceid	text
firmware	text
model	text
name	text
partition.block_size	long
partition.bootable	boolean
partition.bootpart	boolean
partition.id	text
partition.index	text
partition.primary	boolean
partition.size	long
partition.start_offset	long
partition.type	text
partition.volume.compressed	boolean
partition.volume.descr	text
partition.volume.dirty	boolean
partition.volume.drive	text
partition.volume.drive_type	text
partition.volume.free	long
partition.volume.fs_type	text
partition.volume.media_type	text
partition.volume.name	text
partition.volume.serial	text
partition.volume.size	long
partitions	integer
serial	text
size	long
type	text

system:kernel_va_shadowing

Field	Data type
category_name	text
enabled	boolean
flags	integer
invalid_pte_bit	text
invpcid	text
invpcid_flushing_optimization	boolean
l1_data_cache_flush_supported	text
l1_terminal_fault_mitigation_present	text
pcid	text
pcid_flushing_optimization	boolean
required	text
required_available	text
status	text
user_global	text
user_pages_marked_global	boolean

system:locale

System (locale)

Field	Data type
category_name	text
code	text
codeset	text
country	text
descr	text
name	text
oslang	text

system:machine_scores

System (performance index)

Field	Data type
category_name	text
cpu	float
direct3d	float
disk	float
graphics	float
memory	float
timetaken	text
winsat_state	text
winsprlevel	float

system:mapped_disks

System (mapped disks)

Field	Data type
category_name	text
drive	text
free	text
fs_type	text
item.drive	text
item.free	text
item.fs_type	text
item.path	text
item.session_id	text
item.size	text
item.volume_name	text
path	text
session_id	text
size	text
volume_name	text

system:memory

System (RAM)

Field	Data type
category_name	text
free	long
free_virtual	long
total	long
total_virtual	long

system:net_adapters

Network (interfaces)

Field	Data type
category_name	text
default_ip_gateway	ip
dhcp_enabled	boolean
dhcp_server	ip
dns	text
dns_server_search_order	ip
id	text
index	text
ip_enabled	boolean
mac	text
name	text
subnet	ip

system:os

System (OS)

Field	Data type
bit	integer
boot_device	text
boot_mode	text
build	text
category_name	text
code_integrity	text
debug	boolean
install_date	date
last_bootup_time	date
local_time	date
name	text
pae	text
sp	text
suite	text
type	text
version	text

system:persisted_routes

Field	Data type
caption	text
category_name	text
descr	text
destination	text
item.caption	text
item.descr	text
item.destination	text
item.mask	text
item.metric1	text
item.name	text
item.next_hop	text
mask	text
metric1	text
name	text
next_hop	text

system:policies

System policies

Field	Data type
__type__	text
category_name	text
full_key	text
key.item.name	text
key.item.size	integer
key.item.value	text
key.name	text
name	text
sid	text
value.name	text
value.size	text
value.value	text

system:recovery

Field	Data type
auto_reboot	boolean
category_name	text
dump_path	text
dump_type	integer
kernel_dump_only	boolean
mini_dump_dir	text
overwrite_existing_dump	boolean
send_admin_alert	boolean
write_debug_info	boolean
write_to_eventlog	boolean

system:routes

Network (static routes)

Field	Data type
age	text
caption	ip
category_name	text
descr	text
destination	ip
information	text
interface_index	text
mask	ip
metric1	text
metric2	text
metric3	text
metric4	text
metric5	text
name	ip
next_hop	ip
protocol	text
type	text

system:secure_boot

Field	Data type
capable	boolean
category_name	text
enabled	boolean

system:security_providers

Field	Data type
category_name	text
health	text
name	text

system:sessions

System (sessions)

Field	Data type
category_name	text
client_device_id	text
client_dir	text
client_ip	text
client_name	text
connect_time	date
disconnect_time	date
domain	text
envid	text
id	text
is_rdp	text
last_input_time	date
logon_time	date
name	text
remote_ip	text
state	text
station_name	text
user	text

system:shares

System (shared directories)

Field	Data type
caption	text
category_name	text
descr	text
name	text
path	text
type	integer

system:smart

S.M.A.R.T. attributes

Field	Data type
attribute.index	integer
attribute.name	text
attribute.raw	integer
attribute.threshold	integer
attribute.value	integer
attribute.worst	integer
category_name	text
firmware	text
id	text
model	text
serial_number	text

system:speculation_control

Field	Data type
bpb_disabled_kernel_to_user	text
bpb_disabled_no_hardware_support	text
bpb_disabled_system_policy	text
bpb_enabled	text
branch_prediction_mitigation.disabled_by_system_policy	boolean
branch_prediction_mitigation.disabled_no_microcode_update	boolean
branch_prediction_mitigation.enabled	boolean
category_name	text
cpu_microcode_support_pred_cmd.enabled	boolean
cpu_microcode_support_pred_cmd.window_use_ibpb	boolean
cpu_microcode_support_spec_ctrl.enabled	boolean
cpu_microcode_support_spec_ctrl.windows_use_ibrs	boolean
cpu_microcode_support_spec_ctrl.windows_use_stipb	boolean
enhanced_ibrs	text
enhanced_ibrs_reported	text
flags	long
hv_l1tf_migitation_enabled	text
hv_l1tf_migitation_not_enabled_hardware	text
hv_l1tf_migitation_not_enabled_load_option	text
hv_l1tf_processor_not_affected	text
hv_l1tf_status_available	text
hvl_1tf_migitation_not_enabled_core_scheduler	text
ibrs_present	text
mb_clear_enabled	text
mb_clear_reported	text
mds_hardware_protected	text
smep_present	text
spec_cmd_enumerated	text
spec_ctrl_enumerated	text
spec_ctrl_import_optimization_enabled	text
spec_ctrl_retpoline_enabled	text
speculative_store_bypas_sdisable_supported	text
speculative_store_bypass_disable_available	text
speculative_store_bypass_disable_required	text
speculative_store_bypass_disable_supported	text
speculative_store_bypass_disabled_kernel	text
speculative_store_bypass_disabled_system_wide	text
status	text
stibp_present	text

system:user_privelegies

User privileges in the system

Field	Data type
category_name	text
enabled	boolean
name	text

system:users

System (users)

Field	Data type
category_name	text
folder.name	text
folder.path	text
home	text
name	text
network_drive.connect_flags	text
network_drive.connection_type	text
network_drive.defer_flags	text
network_drive.letter	text
network_drive.provider_name	text
network_drive.provider_type	text
network_drive.remote_path	text
network_drive.username	text
sid	text
type	integer

winstore_apps

Applications from Microsoft App Store

Field	Data type
arch	text
category_name	text
id	text
name	text
vendor.C	text
vendor.CN	text
vendor.L	text
vendor.O	text
vendor.OID.1.3.6.1.4.1.311.60.2.1.2	text
vendor.OID.1.3.6.1.4.1.311.60.2.1.3	text
vendor.OID.2.5.4.15	text
vendor.OU	text
vendor.S	text
vendor.SERIALNUMBER	text
version	text