Interno Data Sources & Fields (Data Dictionary)

Interno Data Sources & Fields (Data Dictionary)

When you build a widget or query in Interno, you choose a data source and its fields. This guide explains how Interno's data is organized so you can find the right source and field quickly.

How Interno organizes data

  • Data from your connected tools is normalized into standard tables, each named ZCN_<TYPE> (for example ZCN_DEVICES, ZCN_ALERTS).
  • There is one table per data type (devices, alerts, vulnerabilities, etc.), and many different connectors can feed the same table — so ZCN_DEVICES may contain endpoints from your EDR, patch manager, and identity tool together.
  • Field names follow a standard (OCSF-aligned) convention in UPPER_SNAKE_CASE. The exact fields available in a table depend on which connectors populate it.

Fields every table has (system fields)

FieldWhat it means
ZCN_SOURCEThe connector/tool the record came from. Filter on this to scope a widget to one tool.
ZCN_CATEGORYThe category of the source (e.g., EDR, SIEM, CSPM).
ZCN_COLLECTED_ATWhen the record was collected. Use for time-based charts.
ZCN_IS_LATESTMarks the most recent snapshot of a record. Filter to 1 to avoid counting historical duplicates.
ZCN_IDUnique record identifier.
ZCN_COLLECTION_IDIdentifier for the collection run that produced the record.
ZCN_CREDENTIAL_IDThe connection/credential that collected the record.

Data sources (tables) you may see

The tables available to you depend on your connected integrations. Common ones:

TableContains
ZCN_DEVICESEndpoints / hosts and their attributes
ZCN_ASSETSDiscovered assets / inventory items
ZCN_USERSUser accounts and identities
ZCN_ALERTSSecurity alerts raised by tools
ZCN_DETECTIONSDetections from EDR/XDR
ZCN_INCIDENTSSecurity incidents
ZCN_CASESInvestigation / SOAR cases
ZCN_EVENTS / ZCN_LOGSNormalized security events and log records
ZCN_VULNERABILITIESVulnerabilities from VM/VMDR tools
ZCN_FINDINGS / ZCN_INSIGHTSPosture findings and insights (CSPM)
ZCN_PATCHES / ZCN_SOFTWARESPatches and installed software
ZCN_POLICIESSecurity / firewall policies
ZCN_ADDRESSES / ZCN_ADDRESS_GROUPS / ZCN_INTERFACESNetwork address objects, groups, and interfaces
ZCN_DOMAINSDomains
ZCN_THREATS / ZCN_INDICATORSThreats and threat indicators (IOCs)
ZCN_AGENTSInstalled security agents and versions
ZCN_ISSUES / ZCN_FINDINGSIssues / findings from scanners (e.g., SCA)
ZCN_PLAYBOOKS / ZCN_ACTIONSSOAR playbooks and response actions

Note: Interno integrates with 50+ tools across EDR, XDR, SIEM, SOAR, CSPM, VM/VMDR, WAF, Firewall, PAM, IDAM/IDP, DLP, NAC, MDM, CMDB, ITSM, SCA, and more. Each connector adds its data into the matching ZCN_ table.

Tips for building widgets

  • Not sure which tool a record came from? Group or filter by ZCN_SOURCE.
  • Counting current state (not history)? Filter ZCN_IS_LATEST = 1.
  • Building a trend? Use ZCN_COLLECTED_AT on the time axis.
  • Unsure which field to pick? Try the AI tab in the Query Builder — describe what you want in plain language and it builds the query for you.

Troubleshooting

IssueWhat to do
A table I expected isn't in the source listThat data type's connector may not be connected. Connect the relevant integration and let it sync.
A field is empty for some rowsFields vary by source — not every connector provides every field. Filter by ZCN_SOURCE to a tool that does.
Counts look too highYou may be counting historical snapshots. Add a filter for ZCN_IS_LATEST = 1.

Need more help? Contact support@zeron.one.

    • Related Articles

    • Interno: Metrics & Glossary

      A reference for the terms, features, and dashboard metrics you'll see across Interno (the Zeron Command Center). Use it to understand what each KPI represents and what the platform's building blocks mean. Platform & Navigation Term What it means ...

    • Interno: Roles & Permissions Reference

      This guide lists the permission scopes that control access to each part of Interno (the Zeron Command Center). Interno scopes use the defence: prefix. This page covers Interno only. For the complete cross-product reference — every product's scopes, ...

    • Getting Started with Interno

      Prerequisites Before you begin, ensure you have: An active Zeron account with Interno access Admin or Security Analyst role assigned to your profile At least one security tool/integration ready to connect (e.g., Microsoft Defender, CrowdStrike, AWS) ...

    • How to Customize Widget Appearance & Colors in Interno

      This guide shows how to change the look of an Interno dashboard widget — its chart type and its colors — using either the quick editor on a dashboard or the full Widget Builder. For building a widget from data, see How to Build Custom Widgets and ...

    • Interno: Frequently Asked Questions (FAQ)

      Answers to the questions we hear most often about Interno, Zeron's AI-powered security command center. Getting Started What is Interno? The Zeron Command Center — it unifies your security posture across connected tools, with an AI copilot, asset ...