Activity Log Event Action/Action

Field TypeTypeValueAvailabilityDescription
actionId    ID of triggered action; only set for the invocation of a specific action
actionInvocationId    Unique ID for the invocation of an action, can be used to correlate logs; only set for the invocation of a specific action
actionName    Name of the triggered action; only set for the invocation of a specific action
@id    A unique identifier for the event. Can be used to refer to and re-find specific events.
@ingesttimestamp    The timestamp of when the event was ingested. The value is milliseconds-since-epoch.
@rawstring    The original text of the event. As it keeps the original data on ingestion, this field allows you to do free-text searching across all logs and to extract virtual fields in queries.
@timestamp    Timestamp in milliseconds since the epoch (1st Jan 1970, 00:00) of the ingested event, e.g. 2022-11-22 09:50:20.100 if the event has an identifiable timestamp.
@timestamp.nanos    Extended precision of timestamp below millisecond. E.g. 295000
@timezone    The timezone the event originated in, if known. This is often set when the event's timestamp is parsed.
category    Category of the event, such as Alert, Request, IngestFeed, Fdr, Query, Action, and ScheduledSearch
dataspace    Repository or view name
exception    The exception class that caused an error
exceptionMessage    Detailed error message that will include errors at the cluster-level that may have contributed; for example permission, API, or network issues
#category    Category of the event
#repo    Name of the repo where the event is stored
#severity    Severity of the event from original log source
invoker    
message    Message of the alert or event
orgId    Organization ID
recipients    
severity    Severity of the event
subCategory    Subcategory of the event
suggestion    Suggestion text for how to resolve the error or warning from the event
timestamp    Timestamp in milliseconds of the event
viewId    View ID