A Data type represents the data structure of records of a certain type. Hunters supports a variety of data types, belonging to a wide range of security and monitoring products from both cloud and on-prem ecosystems.
A Data type contains a superset of all the fields that could be received in events of that type, while not all of them have to exist in every event. Under the hood, Hunters holds the collected data per data type and generates threat signals, enriches them and enables advanced investigations based on the semantics of their data types. The more data types are collected, the more comprehensive and accurate the threat hunting will be.
Data types supported in Hunters are grouped by the Product they're related to. For example, the AWS product consists of the CloudTrail, VPC Flow Logs and Config Snapshots data types, while Okta consists of many other data types, such as users, groups, apps, users-to-groups, users-to-apps and groups-to-apps. It is worth noting that not every product consists of multiple data types: products like Windows Event Log and osquery, for example, supply only one kind of data type.
A data type can be supplied from various Sources, such as cloud storage (AWS S3, Azure Blob Storage), a vendor's REST API or even syslog streams. In order to ship events of a specific data type into Hunters from a specific source, a new Dataflow has to be configured.
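The relationship between products, data types, sources and dataflows described above can be made concrete with a small model. The following Python is an added example written for this page; it is not Hunters' own code or API. The class names, the field lists attached to each data type, the bucket paths and API names used as sources, and the sample events are all constructed for illustration. The point it shows is that an event may omit fields from its data type's superset and still be accepted, whereas an event carrying a field outside the superset does not belong to that data type and is flagged before it is stored under it.

```python
"""Toy model (added example) of the data type / product / source / dataflow
concepts. Not Hunters' own code or API: class names, field lists, sources and
sample events are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DataType:
    """A data type: the superset of fields an event of this type may carry."""
    name: str
    fields: frozenset

    def check(self, event: dict) -> dict:
        """Compare an event against the superset.

        Fields absent from the event are fine (not every field has to exist in
        every event); fields outside the superset mean the event does not match
        this data type and should not be accepted under it."""
        present = set(event)
        return {
            "unknown_fields": sorted(present - self.fields),
            "missing_fields": sorted(self.fields - present),
        }


@dataclass
class Product:
    """A product groups the data types it emits (one or many)."""
    name: str
    data_types: dict = field(default_factory=dict)

    def add(self, data_type: DataType) -> "Product":
        self.data_types[data_type.name] = data_type
        return self


@dataclass(frozen=True)
class Dataflow:
    """Binds one source to the product/data type its events belong to."""
    source: str
    product: str
    data_type: str


def build_catalog() -> dict:
    """Hypothetical catalog: products and their data types (field lists are illustrative)."""
    aws = (Product("AWS")
           .add(DataType("cloudtrail", frozenset({
               "eventTime", "eventName", "eventSource", "userIdentity",
               "sourceIPAddress", "errorCode"})))
           .add(DataType("vpc_flow_logs", frozenset({
               "srcaddr", "dstaddr", "srcport", "dstport", "protocol", "action"}))))
    okta = (Product("Okta")
            .add(DataType("users", frozenset({"id", "status", "profile", "lastLogin"})))
            .add(DataType("users_to_groups", frozenset({"user_id", "group_id"}))))
    # A product with a single data type, like Windows Event Log in the text.
    windows = Product("Windows Event Log").add(
        DataType("event_log", frozenset({"EventID", "Computer", "TimeCreated", "EventData"})))
    return {p.name: p for p in (aws, okta, windows)}


def build_dataflows() -> dict:
    """Hypothetical dataflows keyed by source (bucket paths and API names are made up)."""
    flows = [
        Dataflow("s3://example-bucket/cloudtrail/", "AWS", "cloudtrail"),
        Dataflow("s3://example-bucket/vpc-flow-logs/", "AWS", "vpc_flow_logs"),
        Dataflow("okta-rest-api:users", "Okta", "users"),
    ]
    return {f.source: f for f in flows}


def ingest(catalog: dict, flows: dict, source: str, event: dict) -> dict:
    """Route an event from its source to a data type via the dataflow and check it."""
    if source not in flows:
        raise ValueError(f"no dataflow configured for source {source!r}")
    flow = flows[source]
    data_type = catalog[flow.product].data_types[flow.data_type]
    result = data_type.check(event)
    result["data_type"] = f"{flow.product}/{data_type.name}"
    result["accepted"] = not result["unknown_fields"]
    return result


# Constructed sample events (not real logs).
CLOUDTRAIL_LOGIN = {
    "eventTime": "2024-01-01T00:00:00Z", "eventName": "ConsoleLogin",
    "eventSource": "signin.amazonaws.com",
    "userIdentity": {"type": "IAMUser", "userName": "alice"},
    "sourceIPAddress": "198.51.100.7",
}
CLOUDTRAIL_DENIED = dict(CLOUDTRAIL_LOGIN, errorCode="AccessDenied")
NOT_CLOUDTRAIL = {"eventTime": "2024-01-01T00:00:00Z", "hostname": "ws01"}


if __name__ == "__main__":
    catalog, flows = build_catalog(), build_dataflows()
    for ev in (CLOUDTRAIL_LOGIN, CLOUDTRAIL_DENIED, NOT_CLOUDTRAIL):
        print(ingest(catalog, flows, "s3://example-bucket/cloudtrail/", ev))
```

Run as-is to see the three verdicts: the login event without errorCode is accepted with errorCode reported as missing, the denied event is accepted with nothing missing, and the event carrying hostname is rejected for that data type. A source with no configured dataflow raises an error rather than silently storing events under a guessed data type, which mirrors the requirement that a dataflow exist before events are shipped.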