Data Model for Normalization
LAST UPDATED: JULY 24, 2025
The following table presents the JSON keys covered within the D3 data model. These keys serve as standardized attributes to which incoming raw data is mapped during the normalization process.
Display Name | Description |
Source vendor name | The name of the vendor providing the source. |
Source type | The type of source from which the event originated. |
Source vendor product name | The product name from the vendor associated with the source. |
Source product version | The version of the source product. |
Operating system | The operating system on which the event occurred. |
Original event ID | The unique identifier for the original event. |
Event code | The code that identifies the specific event. |
Rule name | The name of the rule that triggered the event. |
Severity | The severity level assigned to the event. |
Severity numeric ID | The numeric identifier for the severity level. |
Event name | The name assigned to the event. |
Event category | The category that classifies the event. |
Event Type | The classification of the event type. |
Action taken | The action that was taken during the event. |
Delay (ms) | The delay in milliseconds for the event processing. |
Action result | The outcome of the action taken during the event. |
Action result ID | The identifier for the action result. |
Status | The current status of the event or process. |
Description | A descriptive text detailing the event. |
Application layer protocol | The protocol used at the application layer for the event. |
Transport layer protocol | The protocol used at the transport layer. |
Protocol info | Additional information about the protocol used. |
Pipe name | The name of the communication pipe used in the event. |
Tag | A label or tag associated with the event. |
Start time (UTC) | The original start time of the event in UTC. |
End time (UTC) | The original end time of the event in UTC. |
Receipt time | The local time when the event was received. |
Aggregated / Correlated Event count | The total number of events that were aggregated or correlated. |
Event level | The severity or level of the event. |
Alert type | The type or category of alert generated by the event. |
Change type | The type of change that occurred during the event. |
DLP type | The type of Data Loss Prevention (DLP) classification. |
IDS type | The type of Intrusion Detection System (IDS) involved. |
Raw event data | The unprocessed raw data from the event. |
Host FQDN | The fully qualified domain name of the host involved in the event. |
Hostname | The name of the host associated with the event. |
Source | The source involved in the event. |
Source host FQDN | The fully qualified domain name of the source host. |
Source hostname | The hostname of the source entity. |
Source MAC address | The MAC address of the source device. |
Source IP address | The IP address of the source involved in the event. |
Source is IPv6 address | Indicates whether the source IP address is IPv6. |
Source port | The port number used by the source. |
Source port name | The name of the service associated with the source port. |
Source business unit | The business unit associated with the source. |
Source category | The category of the source involved in the event. |
Source Priority | The priority level assigned to the source entity. |
Source NT domain | The NT domain of the source entity. |
Source zone | The network zone associated with the source. |
Source interface | The network interface used by the source. |
Source translated IP address | The translated IP address of the source (e.g., after NAT). |
Source translated port | The translated port number of the source. |
Original source | The original source before any translation occurred. |
Destination | The destination involved in the event. |
Destination FQDN | The fully qualified domain name of the destination. |
Destination hostname | The hostname of the destination entity. |
Destination MAC | The MAC address of the destination device. |
Destination IP address | The IP address of the destination. |
Destination is IPv6 address | Indicates whether the destination IP address is IPv6. |
Destination port | The port number used by the destination. |
Destination port name | The name of the service associated with the destination port. |
Destination translated IP address | The translated IP address of the destination (e.g., after NAT). |
Destination translated port | The translated port number of the destination. |
Destination interface | The network interface used by the destination. |
Destination business unit | The business unit associated with the destination. |
Destination category | The category of the destination entity. |
Destination priority | The priority level assigned to the destination. |
Destination NT domain | The NT domain of the destination entity. |
Destination zone | The network zone associated with the destination. |
Original destination | The original destination before any translation occurred. |
Device | The device involved in the event. |
Device business unit | The business unit associated with the device. |
Device category | The category of the device involved in the event. |
Device priority | The priority level assigned to the device. |
Device zone | The network zone associated with the device. |
Device IP address | The IP address of the device involved in the event. |
Device MAC address | The MAC address of the device involved in the event. |
Source username | The username associated with the source. |
Source user business unit | The business unit of the source user. |
Source user category | The category of the source user. |
Source user priority | The priority level assigned to the source user. |
Original recipient | The original recipient of the message. |
Recipient | The recipient of the message. |
Recipient count | The total number of recipients. |
Recipient status | The current status of the recipient. |
Original sender | The original sender of the message. |
Sender | The sender of the message or email. |
Log username | The username associated with the log entry. |
Username | The username associated with the event. |
User business unit | The business unit of the user involved in the event. |
User category | The category or role of the user. |
User priority | The priority level assigned to the user. |
Logon ID | The identifier for the logon session. |
Logon GUID | The GUID associated with the logon session. |
User security ID | The security identifier (SID) of the user. |
Content | The content associated with the event. |
Duration | The duration of the event or process. |
TCP flags | The TCP flags set on the packet. |
Packets count | The total number of packets transferred. |
Packets in | The number of incoming packets. |
Packets out | The number of outgoing packets. |
Bytes Count | The total number of bytes transferred. |
Bytes in | The number of incoming bytes. |
Bytes out | The number of outgoing bytes. |
Response time | The time taken to receive a response. |
Initiated | Indicates if the action was initiated. |
Packet direction | The direction of the network packet (inbound or outbound). |
Inbound interface | The interface used for incoming traffic. |
Outbound interface | The interface used for outgoing traffic. |
TTL (time to live) | The time-to-live value for a network packet. |
Type of service | The type of service field from the IP header. |
VLAN | The Virtual LAN associated with the event. |
Wifi standard | The Wi-Fi standard used (e.g., 802.11ac). |
SSID | The SSID of the wireless network. |
Process Name | The name of the process involved in the event. |
Process file path | The file path of the process executable. |
Process file version | The version of the process executable. |
Process Description | A description of the process. |
Process product | The product name associated with the process. |
Process company | The company that produced the process executable. |
Process Hash | The hash of the process executable. |
Process Hash SHA256 | The SHA256 hash of the process executable. |
Process Hash SHA1 | The SHA1 hash of the process executable. |
Process Hash MD5 | The MD5 hash of the process executable. |
Process GUID | The GUID of the process. |
Process ID | The identifier of the process. |
Process command line | The command line used to start the process. |
Process current directory | The current working directory of the process. |
Process integrity level | The integrity level of the process. |
Process signature | The digital signature of the process executable. |
Existence of process signature | Indicates whether a process signature exists. |
Process signature is verified | Indicates whether the process signature is verified. |
Driver name | The name of the driver associated with the event. |
Driver image path | The file path of the driver executable. |
Driver version | The version of the driver executable. |
Driver description | A description of the driver. |
Driver product | The product name associated with the driver. |
Driver company | The company that produced the driver. |
Driver Hash | The hash of the driver executable. |
Driver Hash SHA256 | The SHA256 hash of the driver executable. |
Driver Hash SHA1 | The SHA1 hash of the driver executable. |
Driver Hash MD5 | The MD5 hash of the driver executable. |
Driver base address | The base memory address of the driver. |
Driver signature | The digital signature of the driver executable. |
Existence of driver signature | Indicates whether a driver signature exists. |
Driver signature is verified | Indicates whether the driver signature is verified. |
Source thread ID | The identifier for the source thread. |
Target process GUID | The GUID of the target process. |
Target process ID | The identifier for the target process. |
Target image | The image or executable targeted by the event. |
Service name | The name of the service involved in the event. |
Service image path | The file path of the service executable. |
Service version | The version of the service executable. |
Service description | A description of the service file. |
Service product | The product name associated with the service. |
Service company | The company that produced the service executable. |
Service Hash | The hash of the service executable. |
Service Hash SHA256 | The SHA256 hash of the service executable. |
Service Hash SHA1 | The SHA1 hash of the service executable. |
Service Hash MD5 | The MD5 hash of the service executable. |
Service signature | The digital signature of the service executable. |
Existence of service signature | Indicates whether a service signature exists. |
Service signature is verified | Indicates whether the service signature is verified. |
Service start mode | The startup mode of the service (e.g., automatic, manual). |
Service status | The current status of the service (e.g., running, stopped). |
Service ID | The identifier of the service. |
Parent process name | The name of the parent process. |
Parent process ID | The identifier for the parent process. |
Parent process GUID | The GUID of the parent process. |
Parent process image path | The file path of the parent process. |
Parent process commandline | The command line used to start the parent process. |
Module name | The name of the module involved in the event. |
Module image path | The file path of the module. |
Image module version | The version of the module involved in the event. |
Module Description | A description of the module. |
Module product | The product name associated with the module. |
Module company | The company that produced the module. |
Module Hash | The hash of the module executable. |
Module Hash SHA256 | The SHA256 hash of the module executable. |
Module Hash SHA1 | The SHA1 hash of the module executable. |
Module Hash MD5 | The MD5 hash of the module executable. |
Module base address | The base memory address of the module. |
Module signature | The digital signature of the module executable. |
Existence of module signature | Indicates whether a module signature exists. |
Module signature is verified | Indicates whether the module signature is verified. |
App | The application associated with the event. |
Message body | The body content of the message. |
Email subject | The subject line of the email. |
Signature | The signature associated with the event. |
Signature Type | The type of the signature used. |
Signature ID | The unique identifier for the signature. |
Signature version | The version of the signature used. |
Signature extra | Additional information related to the signature. |
Certificate expiry time (UTC) | The expiry time of the certificate in UTC. |
Certificate signature engine | The engine used for signing the certificate. |
Certificate hash | The hash value of the certificate. |
Certificate is valid | Indicates whether the certificate is valid. |
Certificate issuer distinguished name | The distinguished name of the certificate issuer. |
Certificate issuer common name | The common name of the certificate issuer. |
Certificate issuer email address | The email address of the certificate issuer. |
Certificate issuer locality | The locality of the certificate issuer. |
Certificate issuer organization | The organization name of the certificate issuer. |
Certificate issuer's state (address) | The state or province of the certificate issuer. |
Certificate issuer's street (address) | The street address of the certificate issuer. |
Certificate issuer's organizational unit | The organizational unit of the certificate issuer. |
Certificate name | The name of the certificate. |
Certificate policies | The policies associated with the certificate. |
Certificate's public key | The public key contained in the certificate. |
Certificate public key algorithm | The algorithm used for the certificate's public key. |
Certificate serial number | The serial number assigned to the certificate. |
Certificate session ID | The session ID associated with the certificate. |
Certificate signature algorithm | The algorithm used for the certificate's signature. |
Certificate start time (UTC) | The start time of the certificate's validity in UTC. |
Certificate subject distinguished name | The distinguished name of the certificate subject. |
Certificate subject common name | The common name of the certificate subject. |
Certificate subject email address | The email address of the certificate subject. |
Certificate subject locality | The locality of the certificate subject. |
Certificate subject organization | The organization name of the certificate subject. |
Certificate subject state (address) | The state or province of the certificate subject. |
Certificate subject street (address) | The street address of the certificate subject. |
Certificate subject organizational unit | The organizational unit of the certificate subject. |
Certificate validity length (seconds) | The duration of the certificate's validity in seconds. |
Certificate version | The version of the certificate. |
Object | The object involved in the event. |
Object attributes | The attributes of the object involved in the event. |
Object category | The category of the object involved in the event. |
Object ID | The unique identifier of the object involved in the event. |
Object path | The path to the object involved in the event. |
Initiating Command | The command that initiated the event. |
Device volume | The device volume involved in the event. |
Filename | The name of the file involved in the event. |
Filepath | The path to the file involved in the event. |
File Hash | The hash value of the file involved in the event. |
File Hash SHA256 | The SHA256 hash of the file involved in the event. |
File Hash SHA1 | The SHA1 hash of the file involved in the event. |
File Hash MD5 | The MD5 hash of the file involved in the event. |
File size | The size of the file in bytes. |
File access time (UTC) | The time when the file was last accessed in UTC. |
File create time (UTC) | The creation time of the file in UTC. |
Previous file create time (UTC) | The previous creation time of the file in UTC. |
File modify time (UTC) | The time when the file was last modified in UTC. |
File access control | The access control settings of the file. |
Registry hive | The root key in the registry (e.g., HKEY_LOCAL_MACHINE). |
Registry path | The full path to the registry key. |
New registry path | The new path of the registry key. |
Registry key name | The name of the registry key. |
Registry value name | The name of the registry value. |
Registry details | Additional details about the registry operation. |
Registry value type | The data type of the registry value. |
Registry value data | The data stored in the registry value. |
Registry value text | The text representation of the registry value. |
Internal message ID | An internal identifier for the message. |
Message ID | The identifier for the message. |
Message info | Information related to the message. |
Number of retries | The number of times an action or message was retried. |
Return address | The return address associated with an email or message. |
Message size | The size of the message. |
URL | The URL involved in the event. |
Defanged URL | The sanitized version of the URL to prevent exploitation. |
xdelay | The delay experienced, often in email delivery. |
Xref | Cross-reference information related to the event. |
Filter action | The action taken by the filter during the event processing. |
Filter score | The score assigned by the filter based on its evaluation. |
Network Lease duration (seconds) | The duration of the network lease in seconds. |
Network Lease scope | The scope of the network lease. |
Session ID | The identifier for the terminal session. |
Vulnerability name | The name of the vulnerability identified. |
Vulnerability category | The category to which the vulnerability belongs. |
CVE | The Common Vulnerabilities and Exposures (CVE) identifier. |
CERT | The CERT advisory associated with the vulnerability. |
CVSS | The Common Vulnerability Scoring System (CVSS) score. |
MSFT security advisory | The Microsoft security advisory related to the vulnerability. |
MSKB | The Microsoft Knowledge Base article number. |
HTTP cookie | The HTTP cookie data associated with the event. |
HTTP content type | The content type of the HTTP response. |
HTTP method | The HTTP method used (e.g., GET, POST). |
HTTP referrer | The referrer URL from the HTTP request. |
HTTP user agent | The user agent string from the HTTP request. |
HTTP user agent length | The length of the user agent string. |
Sysmon service state | The state of the Sysmon service at the time of the event. |
Sysmon version | The version of Sysmon running on the device. |
Sysmon config version | The version of the Sysmon configuration schema. |
Configuration filename | The filename of the configuration used. |
Configuration File Hash | The hash of the configuration file. |
Configuration File Hash SHA256 | The SHA256 hash of the configuration file. |
Configuration File Hash SHA1 | The SHA1 hash of the configuration file. |
Configuration File Hash MD5 | The MD5 hash of the configuration file. |
New thread ID | The identifier for the new thread created. |
Start memory address | The starting memory address of the process or module. |
Start module | The module that initiated the start of the event. |
Start function | The function that initiated the event. |
Granted Access | The access rights granted to the process. |
Call trace | The sequence of function calls leading to the event. |
WMI Event namespace | The namespace in which the WMI event occurred. |
WMI filter name | The name of the WMI filter applied during the event. |
WMI filter query | The query associated with the WMI filter. |
WMI consumer name | The name of the WMI consumer. |
WMI consumer type | The type of WMI consumer. |
WMI consumer commandline | The command line of the WMI consumer. |
WMI consumer path | The file path of the WMI consumer. |
WMI filter | The WMI filter applied during the event processing. |
DNS query name | The name queried in the DNS request. |
DNS query status | The status of the DNS query result. |
DNS query results | The results obtained from the DNS query. |
Device Product | The product associated with the device involved in the event. |
Device DAT version | The DAT version of the device. |
Device detection method | The method used for detecting the device. |
Device engine version | The version of the engine used by the device. |
Device product name | The name of the device product. |
Device product version | The version of the device product. |
Target process name | The name of the target process involved in the event. |
Threat action taken | The action taken in response to a detected threat. |
Threat category | The category of the detected threat. |
Threat event ID | The event ID associated with the detected threat. |
Threat handled | Indicates whether the detected threat was handled. |
Threat name | The name of the detected threat. |
Threat severity | The severity level assigned to the detected threat. |
Threat type | The type of threat detected. |
Unique Event Key | The unique key that identifies the event. |
toRecipients | The list of recipients for the message. |
CcRecipients | The list of carbon copy recipients for the message. |
bodyPreview | A preview of the body content of the message. |
Tactics | The tactics involved in the event. |
Techniques | The techniques used in the event. |
Alert Raw Log | The raw log data associated with the alert. |
Alert Timestamp | The timestamp for when the alert was generated. |
Source Product | The product name associated with the source. |
Alert Name | The name of the alert generated. |
Alert URI | The URI associated with the alert. |
File Content | The content of the file involved in the event. |
MFA Used | Indicates whether Multi-Factor Authentication was used. |
User Identify Invoked By | The user identity that invoked the action. |
Session Name | The name of the session involved in the event. |
Source Device | The hostname of the source device. |
Source Device IP address | The IP address of the source device. |
Destination Device | The hostname of the destination device. |
Destination Device IP address | The IP address of the destination device. |
Message | The message content associated with the event. |
Start Time | The local start time of the event. |
Start time time zone | The timezone for the start time of the event. |
End Time | The local end time of the event. |
End time time zone | The timezone for the end time of the event. |
Receipt time (UTC) | The receipt time of the event in UTC. |
Receipt time time zone | The timezone for the receipt time of the event. |
Certificate start time | The local start time of the certificate. |
Certificate start time time zone | The timezone for the certificate start time. |
Certificate expiry time | The local expiry time of the certificate. |
Certificate expiry time time zone | The timezone for the certificate expiry time. |
File access time | The local access time of the file. |
File access time time zone | The timezone for the file access time. |
File create time | The local creation time of the file. |
File create time time zone | The timezone for the file creation time. |
Previous file create time | The local previous creation time of the file. |
Previous file create time time zone | The timezone for the previous file creation time. |
File modify time | The local modification time of the file. |
File modify time time zone | The timezone for the file modification time. |
Sub Event | Additional details or sub-events related to the main event. |
Extra Data | Additional data associated with the event. |
Document ID | The unique identifier for the document. |
Instance ID | The unique identifier for the instance. |
Instance Name | The name of the instance. |