When you build a widget or query in Interno, you choose a data source and its fields. This guide explains how Interno's data is organized so you can find the right source and field quickly.
ZCN_<TYPE> (for example ZCN_DEVICES, ZCN_ALERTS).ZCN_DEVICES may contain endpoints from your EDR, patch manager, and identity tool together.UPPER_SNAKE_CASE. The exact fields available in a table depend on which connectors populate it.| Field | What it means |
|---|---|
ZCN_SOURCE | The connector/tool the record came from. Filter on this to scope a widget to one tool. |
ZCN_CATEGORY | The category of the source (e.g., EDR, SIEM, CSPM). |
ZCN_COLLECTED_AT | When the record was collected. Use for time-based charts. |
ZCN_IS_LATEST | Marks the most recent snapshot of a record. Filter to 1 to avoid counting historical duplicates. |
ZCN_ID | Unique record identifier. |
ZCN_COLLECTION_ID | Identifier for the collection run that produced the record. |
ZCN_CREDENTIAL_ID | The connection/credential that collected the record. |
The tables available to you depend on your connected integrations. Common ones:
| Table | Contains |
|---|---|
ZCN_DEVICES | Endpoints / hosts and their attributes |
ZCN_ASSETS | Discovered assets / inventory items |
ZCN_USERS | User accounts and identities |
ZCN_ALERTS | Security alerts raised by tools |
ZCN_DETECTIONS | Detections from EDR/XDR |
ZCN_INCIDENTS | Security incidents |
ZCN_CASES | Investigation / SOAR cases |
ZCN_EVENTS / ZCN_LOGS | Normalized security events and log records |
ZCN_VULNERABILITIES | Vulnerabilities from VM/VMDR tools |
ZCN_FINDINGS / ZCN_INSIGHTS | Posture findings and insights (CSPM) |
ZCN_PATCHES / ZCN_SOFTWARES | Patches and installed software |
ZCN_POLICIES | Security / firewall policies |
ZCN_ADDRESSES / ZCN_ADDRESS_GROUPS / ZCN_INTERFACES | Network address objects, groups, and interfaces |
ZCN_DOMAINS | Domains |
ZCN_THREATS / ZCN_INDICATORS | Threats and threat indicators (IOCs) |
ZCN_AGENTS | Installed security agents and versions |
ZCN_ISSUES / ZCN_FINDINGS | Issues / findings from scanners (e.g., SCA) |
ZCN_PLAYBOOKS / ZCN_ACTIONS | SOAR playbooks and response actions |
Note: Interno integrates with 50+ tools across EDR, XDR, SIEM, SOAR, CSPM, VM/VMDR, WAF, Firewall, PAM, IDAM/IDP, DLP, NAC, MDM, CMDB, ITSM, SCA, and more. Each connector adds its data into the matching
ZCN_table.
ZCN_SOURCE.ZCN_IS_LATEST = 1.ZCN_COLLECTED_AT on the time axis.| Issue | What to do |
|---|---|
| A table I expected isn't in the source list | That data type's connector may not be connected. Connect the relevant integration and let it sync. |
| A field is empty for some rows | Fields vary by source — not every connector provides every field. Filter by ZCN_SOURCE to a tool that does. |
| Counts look too high | You may be counting historical snapshots. Add a filter for ZCN_IS_LATEST = 1. |
Need more help? Contact support@zeron.one.