- Print
- DarkLight
All Data Types
The data types in your schema can be further subdivided into three categories. Primitives, Code Blocks, and Objects (including tables). These data types allow for a cleaner UI and a more intuitive schema.
For a direct code reference, check out the type definition here.
Before you Start
When getting started, we recommend utilizing the simplest data type applicable for each field in your schema as to enable quick and reliable testing of your service.
Primitives
The following is the list of primitive values. Note that the following fields are also affected by filters:
- number, time and date types are affected by
min
andmax
- events and string types are affected by
whitelist
andblacklist
- only string types are affected by
valid_re
andinvalid_re
(regex) - SID types (and maybe platforms) are affected by
platforms
filters
Please reach out if any of the above use-cases don't work as you might expect.
name | description |
---|---|
string | |
integer | |
bool | |
enum | Requires the field enum_values |
complex_enum | a complex enum allows for a more detailed enum selection, including categories and description. Requires the field complex_enum_values |
sid | your Organization's sensor ids |
oid | your Organization's ID |
platform | |
architecture | |
sensor_selector | |
tag | |
duration | |
time | |
url | |
domain | |
yara_rule_name | Will show your Organization's list of yara rules available, if the user has permission |
event_name | |
secret | Will show your Organization's list of secrets as per the secrets manager |
Code Blocks
There are currently 3 code types available:
- JSON
- YAML
- Yara_rule
Code blocks do not support the field is_list
. If your extensions require a set of code blocks, we reocmmend wrapping it into key-value pair using the 'record' data type (see 'objects' section below).
Objects (and tables)
While objects generally reflect a nested layer of abstraction, it's utility grows when using the field is_list
to utilize the tables UI, or when defining a set of key-value pairs in the 'record' data type.
Note: there is a functional difference between an 'object' and 'record' data type.
Single Objects
Plain objects allow for nested fields, and are visually indifferent from if the nested fields were flattened to begin with. They also allow for extra context to be wrapped in the parent object’s description.
table: {
is_list: false,
data_type: "object",
object: {
fields: { ... }, // key-value pairs
requirements: null
}
}
Lists of Objects
Lists of objects display as tables and allow for a more complex and scalable data structure. Simply enable is_list
on a base object.
table: {
is_list: true,
data_type: "object",
object: {
fields: { ... }, // key-value pairs
requirements: null
}
}
Record Type
Records are inherently lists of a key-value pair, where the value is the defined object, and the key may vary. Record types require a key to be defined in the nested object details, and also supports additional fields for the nested element's name and description.
table: {
is_list: true,
data_type: "object",
object: {
key: {
name: "key",
data_type: "string"
},
element_name: "single row", // optional
element_desc: "a single row that represents a key-value pair on a record type", // optional
fields: { ... }, // key-value pairs
requirements: null
}
}