Schema Data Types
  • 05 Oct 2024
  • 2 Minutes to read
  • Contributors
  • Dark
    Light

Schema Data Types

  • Dark
    Light

Article summary

All Data Types

The data types in your schema can be further subdivided into three categories. Primitives, Code Blocks, and Objects (including tables). These data types allow for a cleaner UI and a more intuitive schema.

For a direct code reference, check out the type definition here.

Before you Start

When getting started, we recommend utilizing the simplest data type applicable for each field in your schema as to enable quick and reliable testing of your service.

Primitives

The following is the list of primitive values. Note that the following fields are also affected by filters:

  • number, time and date types are affected by min and max

  • events and string types are affected by whitelist and blacklist

  • only string types are affected by valid_re and invalid_re (regex)

  • SID types (and maybe platforms) are affected by platforms filters

Oops, some fields may be missing support for filters

Please reach out if any of the above use-cases don't work as you might expect.

name

description

string

integer

bool

enum

Requires the field enum_values

complex_enum

a complex enum allows for a more detailed enum selection, including categories and description. Requires the field complex_enum_values

sid

your Organization's sensor ids

oid

your Organization's ID

platform

architecture

sensor_selector

tag

duration

time

url

domain

yara_rule_name

Will show your Organization's list of yara rules available, if the user has permission

event_name

secret

Will show your Organization's list of secrets as per the secrets manager

Code Blocks

There are currently 3 code types available:

  1. JSON

  2. YAML

  3. Yara_rule

Yara Rule UI Support is limited

Code blocks do not support the field is_list. If your extensions require a set of code blocks, we reocmmend wrapping it into key-value pair using the 'record' data type (see 'objects' section below).

Objects (and tables)

While objects generally reflect a nested layer of abstraction, it's utility grows when using the field is_list to utilize the tables UI, or when defining a set of key-value pairs in the 'record' data type.

Note: there is a functional difference between an 'object' and 'record' data type.

Single Objects
Plain objects allow for nested fields, and are visually indifferent from if the nested fields were flattened to begin with. They also allow for extra context to be wrapped in the parent object’s description.

table: {
  is_list: false,
  data_type: "object",
  object: {
    fields: { ... }, // key-value pairs
    requirements: null
  }
}

Lists of Objects
Lists of objects display as tables and allow for a more complex and scalable data structure. Simply enable is_list on a base object.

table: {
  is_list: true,
  data_type: "object",
  object: {
    fields: { ... }, // key-value pairs
    requirements: null
  }
}

Record Type
Records are inherently lists of a key-value pair, where the value is the defined object, and the key may vary. Record types require a key to be defined in the nested object details, and also supports additional fields for the nested element's name and description.

table: {
  is_list: true,
  data_type: "object",
  object: {
    key: {
      name: "key",
      data_type: "string"
    },
    element_name: "single row", // optional
    element_desc: "a single row that represents a key-value pair on a record type", // optional
    
    fields: { ... }, // key-value pairs
    requirements: null
  }
}


Was this article helpful?