Within Integrated Cyber Defence Exchange (ICDx), some events collected via the DataCenter Security (DCS) Collector contain a product_data.operation field. Other events do not appear to have this field.
The DCS Collector included with ICDx 1.3 and earlier maps the operation field into a type_id field and, for additional information, sometimes adds an activity_type field.
When an operation is mapped to a type_id in this way, the designed behavior of ICDx 1.3 is to discard the original operation field to keep the size of data to a minimum.
Please update to ICDx 1.3.1, where the DCS Collector always retains the operation field of each DCS event as product_data.operation.