PK}W endpoint-8.10.2/UTdPK}W endpoint-8.10.2/LICENSE.txtUTdELASTIC LICENSE AGREEMENT PLEASE READ CAREFULLY THIS ELASTIC LICENSE AGREEMENT (THIS "AGREEMENT"), WHICH CONSTITUTES A LEGALLY BINDING AGREEMENT AND GOVERNS ALL OF YOUR USE OF ALL OF THE ELASTIC SOFTWARE WITH WHICH THIS AGREEMENT IS INCLUDED ("ELASTIC SOFTWARE") THAT IS PROVIDED IN OBJECT CODE FORMAT, AND, IN ACCORDANCE WITH SECTION 2 BELOW, CERTAIN OF THE ELASTIC SOFTWARE THAT IS PROVIDED IN SOURCE CODE FORMAT. BY INSTALLING OR USING ANY OF THE ELASTIC SOFTWARE GOVERNED BY THIS AGREEMENT, YOU ARE ASSENTING TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO NOT AGREE WITH SUCH TERMS AND CONDITIONS, YOU MAY NOT INSTALL OR USE THE ELASTIC SOFTWARE GOVERNED BY THIS AGREEMENT. IF YOU ARE INSTALLING OR USING THE SOFTWARE ON BEHALF OF A LEGAL ENTITY, YOU REPRESENT AND WARRANT THAT YOU HAVE THE ACTUAL AUTHORITY TO AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT ON BEHALF OF SUCH ENTITY. Posted Date: April 20, 2018 This Agreement is entered into by and between Elasticsearch BV ("Elastic") and You, or the legal entity on behalf of whom You are acting (as applicable, "You"). 1. OBJECT CODE END USER LICENSES, RESTRICTIONS AND THIRD PARTY OPEN SOURCE SOFTWARE 1.1 Object Code End User License. Subject to the terms and conditions of Section 1.2 of this Agreement, Elastic hereby grants to You, AT NO CHARGE and for so long as you are not in breach of any provision of this Agreement, a License to the Basic Features and Functions of the Elastic Software. 1.2 Reservation of Rights; Restrictions. As between Elastic and You, Elastic and its licensors own all right, title and interest in and to the Elastic Software, and except as expressly set forth in Sections 1.1, and 2.1 of this Agreement, no other license to the Elastic Software is granted to You under this Agreement, by implication, estoppel or otherwise. You agree not to: (i) reverse engineer or decompile, decrypt, disassemble or otherwise reduce any Elastic Software provided to You in Object Code, or any portion thereof, to Source Code, except and only to the extent any such restriction is prohibited by applicable law, (ii) except as expressly permitted in this Agreement, prepare derivative works from, modify, copy or use the Elastic Software Object Code or the Commercial Software Source Code in any manner; (iii) except as expressly permitted in Section 1.1 above, transfer, sell, rent, lease, distribute, sublicense, loan or otherwise transfer, Elastic Software Object Code, in whole or in part, to any third party; (iv) use Elastic Software Object Code for providing time-sharing services, any software-as-a-service, service bureau services or as part of an application services provider or other service offering (collectively, "SaaS Offering") where obtaining access to the Elastic Software or the features and functions of the Elastic Software is a primary reason or substantial motivation for users of the SaaS Offering to access and/or use the SaaS Offering ("Prohibited SaaS Offering"); (v) circumvent the limitations on use of Elastic Software provided to You in Object Code format that are imposed or preserved by any License Key, or (vi) alter or remove any Marks and Notices in the Elastic Software. If You have any question as to whether a specific SaaS Offering constitutes a Prohibited SaaS Offering, or are interested in obtaining Elastic's permission to engage in commercial or non-commercial distribution of the Elastic Software, please contact elastic_license@elastic.co. 1.3 Third Party Open Source Software. The Commercial Software may contain or be provided with third party open source libraries, components, utilities and other open source software (collectively, "Open Source Software"), which Open Source Software may have applicable license terms as identified on a website designated by Elastic. Notwithstanding anything to the contrary herein, use of the Open Source Software shall be subject to the license terms and conditions applicable to such Open Source Software, to the extent required by the applicable licensor (which terms shall not restrict the license rights granted to You hereunder, but may contain additional rights). To the extent any condition of this Agreement conflicts with any license to the Open Source Software, the Open Source Software license will govern with respect to such Open Source Software only. Elastic may also separately provide you with certain open source software that is licensed by Elastic. Your use of such Elastic open source software will not be governed by this Agreement, but by the applicable open source license terms. 2. COMMERCIAL SOFTWARE SOURCE CODE 2.1 Limited License. Subject to the terms and conditions of Section 2.2 of this Agreement, Elastic hereby grants to You, AT NO CHARGE and for so long as you are not in breach of any provision of this Agreement, a limited, non-exclusive, non-transferable, fully paid up royalty free right and license to the Commercial Software in Source Code format, without the right to grant or authorize sublicenses, to prepare Derivative Works of the Commercial Software, provided You (i) do not hack the licensing mechanism, or otherwise circumvent the intended limitations on the use of Elastic Software to enable features other than Basic Features and Functions or those features You are entitled to as part of a Subscription, and (ii) use the resulting object code only for reasonable testing purposes. 2.2 Restrictions. Nothing in Section 2.1 grants You the right to (i) use the Commercial Software Source Code other than in accordance with Section 2.1 above, (ii) use a Derivative Work of the Commercial Software outside of a Non-production Environment, in any production capacity, on a temporary or permanent basis, or (iii) transfer, sell, rent, lease, distribute, sublicense, loan or otherwise make available the Commercial Software Source Code, in whole or in part, to any third party. Notwithstanding the foregoing, You may maintain a copy of the repository in which the Source Code of the Commercial Software resides and that copy may be publicly accessible, provided that you include this Agreement with Your copy of the repository. 3. TERMINATION 3.1 Termination. This Agreement will automatically terminate, whether or not You receive notice of such Termination from Elastic, if You breach any of its provisions. 3.2 Post Termination. Upon any termination of this Agreement, for any reason, You shall promptly cease the use of the Elastic Software in Object Code format and cease use of the Commercial Software in Source Code format. For the avoidance of doubt, termination of this Agreement will not affect Your right to use Elastic Software, in either Object Code or Source Code formats, made available under the Apache License Version 2.0. 3.3 Survival. Sections 1.2, 2.2. 3.3, 4 and 5 shall survive any termination or expiration of this Agreement. 4. DISCLAIMER OF WARRANTIES AND LIMITATION OF LIABILITY 4.1 Disclaimer of Warranties. TO THE MAXIMUM EXTENT PERMITTED UNDER APPLICABLE LAW, THE ELASTIC SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, AND ELASTIC AND ITS LICENSORS MAKE NO WARRANTIES WHETHER EXPRESSED, IMPLIED OR STATUTORY REGARDING OR RELATING TO THE ELASTIC SOFTWARE. TO THE MAXIMUM EXTENT PERMITTED UNDER APPLICABLE LAW, ELASTIC AND ITS LICENSORS SPECIFICALLY DISCLAIM ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT WITH RESPECT TO THE ELASTIC SOFTWARE, AND WITH RESPECT TO THE USE OF THE FOREGOING. FURTHER, ELASTIC DOES NOT WARRANT RESULTS OF USE OR THAT THE ELASTIC SOFTWARE WILL BE ERROR FREE OR THAT THE USE OF THE ELASTIC SOFTWARE WILL BE UNINTERRUPTED. 4.2 Limitation of Liability. IN NO EVENT SHALL ELASTIC OR ITS LICENSORS BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY DIRECT OR INDIRECT DAMAGES, INCLUDING, WITHOUT LIMITATION, FOR ANY LOSS OF PROFITS, LOSS OF USE, BUSINESS INTERRUPTION, LOSS OF DATA, COST OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES OF ANY KIND, IN CONNECTION WITH OR ARISING OUT OF THE USE OR INABILITY TO USE THE ELASTIC SOFTWARE, OR THE PERFORMANCE OF OR FAILURE TO PERFORM THIS AGREEMENT, WHETHER ALLEGED AS A BREACH OF CONTRACT OR TORTIOUS CONDUCT, INCLUDING NEGLIGENCE, EVEN IF ELASTIC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 5. MISCELLANEOUS This Agreement completely and exclusively states the entire agreement of the parties regarding the subject matter herein, and it supersedes, and its terms govern, all prior proposals, agreements, or other communications between the parties, oral or written, regarding such subject matter. This Agreement may be modified by Elastic from time to time, and any such modifications will be effective upon the "Posted Date" set forth at the top of the modified Agreement. If any provision hereof is held unenforceable, this Agreement will continue without said provision and be interpreted to reflect the original intent of the parties. This Agreement and any non-contractual obligation arising out of or in connection with it, is governed exclusively by Dutch law. This Agreement shall not be governed by the 1980 UN Convention on Contracts for the International Sale of Goods. All disputes arising out of or in connection with this Agreement, including its existence and validity, shall be resolved by the courts with jurisdiction in Amsterdam, The Netherlands, except where mandatory law provides for the courts at another location in The Netherlands to have jurisdiction. The parties hereby irrevocably waive any and all claims and defenses either might otherwise have in any such action or proceeding in any of such courts based upon any alleged lack of personal jurisdiction, improper venue, forum non conveniens or any similar claim or defense. A breach or threatened breach, by You of Section 2 may cause irreparable harm for which damages at law may not provide adequate relief, and therefore Elastic shall be entitled to seek injunctive relief without being required to post a bond. You may not assign this Agreement (including by operation of law in connection with a merger or acquisition), in whole or in part to any third party without the prior written consent of Elastic, which may be withheld or granted by Elastic in its sole and absolute discretion. Any assignment in violation of the preceding sentence is void. Notices to Elastic may also be sent to legal@elastic.co. 6. DEFINITIONS The following terms have the meanings ascribed: 6.1 "Affiliate" means, with respect to a party, any entity that controls, is controlled by, or which is under common control with, such party, where "control" means ownership of at least fifty percent (50%) of the outstanding voting shares of the entity, or the contractual right to establish policy for, and manage the operations of, the entity. 6.2 "Basic Features and Functions" means those features and functions of the Elastic Software that are eligible for use under a Basic license, as set forth at https://www.elastic.co/subscriptions, as may be modified by Elastic from time to time. 6.3 "Commercial Software" means the Elastic Software Source Code in any file containing a header stating the contents are subject to the Elastic License or which is contained in the repository folder labeled "x-pack", unless a LICENSE file present in the directory subtree declares a different license. 6.4 "Derivative Work of the Commercial Software" means, for purposes of this Agreement, any modification(s) or enhancement(s) to the Commercial Software, which represent, as a whole, an original work of authorship. 6.5 "License" means a limited, non-exclusive, non-transferable, fully paid up, royalty free, right and license, without the right to grant or authorize sublicenses, solely for Your internal business operations to (i) install and use the applicable Features and Functions of the Elastic Software in Object Code, and (ii) permit Contractors and Your Affiliates to use the Elastic software as set forth in (i) above, provided that such use by Contractors must be solely for Your benefit and/or the benefit of Your Affiliates, and You shall be responsible for all acts and omissions of such Contractors and Affiliates in connection with their use of the Elastic software that are contrary to the terms and conditions of this Agreement. 6.6 "License Key" means a sequence of bytes, including but not limited to a JSON blob, that is used to enable certain features and functions of the Elastic Software. 6.7 "Marks and Notices" means all Elastic trademarks, trade names, logos and notices present on the Documentation as originally provided by Elastic. 6.8 "Non-production Environment" means an environment for development, testing or quality assurance, where software is not used for production purposes. 6.9 "Object Code" means any form resulting from mechanical transformation or translation of Source Code form, including but not limited to compiled object code, generated documentation, and conversions to other media types. 6.10 "Source Code" means the preferred form of computer software for making modifications, including but not limited to software source code, documentation source, and configuration files. 6.11 "Subscription" means the right to receive Support Services and a License to the Commercial Software. PKI;k5k5PK}W endpoint-8.10.2/changelog.ymlUTd- version: "8.10.2" changes: - description: revert transform schema v2 type: bugfix link: https://github.com/elastic/endpoint-package/pull/411 - version: "8.10.1" changes: - description: revert unattended transforms type: bugfix link: https://github.com/elastic/endpoint-package/pull/407 - version: "8.10.0" changes: - description: set transforms to be unattended type: enhancement link: https://github.com/elastic/endpoint-package/pull/401 - description: Added Process Rollback fields type: enhancement link: https://github.com/elastic/endpoint-package/pull/393 - description: Transform schema v2 type: enhancement link: https://github.com/elastic/endpoint-package/pull/270 - description: Add `code_signature` mappings for API events type: enhancement link: https://github.com/elastic/endpoint-package/pull/398 - description: Keylogging (Win32k ETW) API Event metrics type: enhancement link: https://github.com/elastic/endpoint-package/pull/395 - description: add heartbeat ds type: enhancement link: https://github.com/elastic/endpoint-package/pull/396 - description: add endpoint custom documentation type: enhancement link: https://github.com/elastic/endpoint-package/pull/389 - description: '[Security Solution] Update description copy' type: enhancement link: https://github.com/elastic/endpoint-package/pull/380 - version: "8.9.1" changes: - description: Update description copy type: enhancement link: https://github.com/elastic/endpoint-package/pull/380 - version: "8.9.0" changes: - description: Fix mapping error by replacing string with keyword type: bugfix link: https://github.com/elastic/endpoint-package/pull/373 - description: ETW Threat-Intelligence API Event metrics type: enhancement link: https://github.com/elastic/endpoint-package/pull/370 - version: "8.8.0" changes: - description: change action.key.values to object in alerts type: enhancement link: https://github.com/elastic/endpoint-package/pull/364 - description: Added registry rollback fields associated with recovered values type: enhancement link: https://github.com/elastic/endpoint-package/pull/362 - description: File system type type: enhancement link: https://github.com/elastic/endpoint-package/pull/361 - description: Add thread callstacks to process, file, registry, and image/library load events type: enhancement link: https://github.com/elastic/endpoint-package/pull/360 - description: Added Registry Rollback Fields to Package type: enhancement link: https://github.com/elastic/endpoint-package/pull/358 - description: Add fields connected to rules and alerts type: enhancement link: https://github.com/elastic/endpoint-package/pull/355 - description: Update Endpoint package categories type: enhancement link: https://github.com/elastic/endpoint-package/pull/354 - description: '[Memory Protection] Add fields for trampoline detection.' type: enhancement link: https://github.com/elastic/endpoint-package/pull/344 - version: "8.7.1" changes: - description: Update package overview type: enhancement link: https://github.com/elastic/endpoint-package/pull/346 - description: Make process.Ext.api.name indexable type: enhancement link: https://github.com/elastic/endpoint-package/pull/345 - version: "8.7.0" changes: - description: Update ECS to 8.7-dev type: enhancement link: https://github.com/elastic/endpoint-package/pull/338 - description: Adding persistence event type: enhancement link: https://github.com/elastic/endpoint-package/pull/336 - description: 11957 hardware breakpoint set type: enhancement link: https://github.com/elastic/endpoint-package/pull/333 - description: Update unsupported u64 type to unsigned_long type: enhancement link: https://github.com/elastic/endpoint-package/pull/337 - description: Add new data stream for API event types type: enhancement link: https://github.com/elastic/endpoint-package/pull/328 - description: Report DLL size type: enhancement link: https://github.com/elastic/endpoint-package/pull/329 - description: Mitigation policies type: enhancement link: https://github.com/elastic/endpoint-package/pull/319 - version: "8.6.1" changes: - description: Rename process.Ext.session to session_info and restore legacy keyword field type: enhancement link: https://github.com/elastic/endpoint-package/pull/318 - description: Update ECS to 8.5.2 type: enhancement link: https://github.com/elastic/endpoint-package/pull/322 - version: "8.6.0" changes: - description: Add entity_id to file and network type: enhancement link: https://github.com/elastic/endpoint-package/pull/306 - description: Add .NET metadata hashes to malware alerts type: enhancement link: https://github.com/elastic/endpoint-package/pull/307 - description: Add call_stack_contains_unbacked type: enhancement link: https://github.com/elastic/endpoint-package/pull/308 - description: Add session data to Windows process creation events type: enhancement link: https://github.com/elastic/endpoint-package/pull/309 - version: 8.5.0 changes: - description: rename integration to Elastic Defend type: enhancement link: https://github.com/elastic/endpoint-package/pull/292 - description: add process.tty and process.io fields type: enhancement link: https://github.com/elastic/endpoint-package/pull/294 - description: update united index to include new fleet agents fields type: enhancement link: https://github.com/elastic/endpoint-package/pull/295 - description: add attested fields to process.entry_leader type: enhancement link: https://github.com/elastic/endpoint-package/pull/299 - version: 8.4.1 changes: - description: adds volume_device_type type: enhancement link: https://github.com/elastic/endpoint-package/pull/276 - description: adds container.image.hash.all, orchestrator.cluster.id, orchestrator.resource.ip, orchestrator.resource.parent.type type: enhancement link: https://github.com/elastic/endpoint-package/pull/280 - version: 8.4.0 changes: - description: Add Effective_process and effective_parent type: enhancement link: https://github.com/elastic/endpoint-package/pull/263 - description: Add container and cloud fields in alerts and process type: enhancement link: https://github.com/elastic/endpoint-package/pull/264 - description: Add Ext.device fields, correct some memory_address field names, add system_impact metrics type: enhancement link: https://github.com/elastic/endpoint-package/pull/265 - description: Add file creation times type: enhancement link: https://github.com/elastic/endpoint-package/pull/269 - description: Add process.end type: enhancement link: https://github.com/elastic/endpoint-package/pull/273 - description: Add attack_surface_reduction fields type: enhancement link: https://github.com/elastic/endpoint-package/pull/274 - version: 1.3.0-dev.0 changes: - description: TBD type: enhancement link: TBD - version: 1.2.2 changes: - description: malware_signature.primary.matches should be keyword type: bugfix link: https://github.com/elastic/endpoint-package/pull/212 - version: 1.2.1 changes: - description: remake security_attributes generation type: bugfix link: https://github.com/elastic/endpoint-package/pull/204 - description: Increase alerts nested_fields limit type: bugfix link: https://github.com/elastic/endpoint-package/pull/205 - version: 1.2.0 changes: - description: Set Minimum Kibana version to 7.16 type: enhancement link: https://github.com/elastic/endpoint-package/pull/179 - description: Remove unused exceptionable type: bugfix link: https://github.com/elastic/endpoint-package/pull/180 - description: Added Endpoint.metrics.documents_volume to metrics stream type: enhancement link: https://github.com/elastic/endpoint-package/pull/188 - description: Update "metadata_current" transform description type: enhancement link: https://github.com/elastic/endpoint-package/pull/190 - description: Add metadata-united transform type: enhancement link: https://github.com/elastic/endpoint-package/pull/191 - description: Add new data streams for endpoint actions type: enhancement link: https://github.com/elastic/endpoint-package/pull/198 - description: Add endpoint fields for credential protection and memory scan type: enhancement link: https://github.com/elastic/endpoint-package/pull/200 - description: Add process security_attributes type: enhancement link: https://github.com/elastic/endpoint-package/pull/201 - version: 1.1.1 changes: - description: convert Events to be an object field type: bugfix link: https://github.com/elastic/endpoint-package/pull/185 - version: 1.1.0 changes: - description: Changes for multi process ransomware type: enhancement link: https://github.com/elastic/endpoint-package/pull/153 - description: Add malware_signature for Memory protection alerts type: enhancement link: https://github.com/elastic/endpoint-package/pull/155 - description: Add memory_protection fields to policy response type: enhancement link: https://github.com/elastic/endpoint-package/pull/162 - description: Don't index memory region strings type: bugfix link: https://github.com/elastic/endpoint-package/pull/167 - description: Add Endpoint.capabilities to metadata type: enhancement link: https://github.com/elastic/endpoint-package/pull/168 - description: Minimum supported Kibana for this version is 7.15 type: enhancement link: https://github.com/elastic/endpoint-package/pull/169 - description: Add more behavior protection fields (ip, code_signature, dns, registry) type: enhancement link: https://github.com/elastic/endpoint-package/pull/170 - description: Add Rule detection event schema type: enhancement link: https://github.com/elastic/endpoint-package/pull/177 - description: Add all code_signature ECS fields type: enhancement link: https://github.com/elastic/endpoint-package/pull/178 - description: update to ECS 1.11.0 type: enhancement link: https://github.com/elastic/endpoint-package/pull/173 - version: 1.0.0 changes: - description: GA Release type: enhancement link: https://github.com/elastic/endpoint-package/pull/160 PK+k+k+PK}W endpoint-8.10.2/data_stream/UTdPK}W- endpoint-8.10.2/data_stream/action_responses/UTdPK}W; endpoint-8.10.2/data_stream/action_responses/elasticsearch/UTdPK}WK endpoint-8.10.2/data_stream/action_responses/elasticsearch/ingest_pipeline/UTdPK}WW endpoint-8.10.2/data_stream/action_responses/elasticsearch/ingest_pipeline/default.jsonUTd{ "description": "Pipeline for setting event.ingested", "processors": [ { "set": { "field": "event.ingested", "value": "{{ _ingest.timestamp }}", "ignore_failure": true } } ] } PKx{PK}W4 endpoint-8.10.2/data_stream/action_responses/fields/UTdPK}W> endpoint-8.10.2/data_stream/action_responses/fields/fields.ymlUTd- name: '@timestamp' level: core required: true type: date description: 'Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.' example: '2016-05-23T08:05:34.853Z' default_field: true - name: action_id level: custom type: alias description: The action id path: EndpointActions.action_id - name: agent_id level: custom type: alias description: 'Alias field that maps to {agent: {id}}' path: agent.id - name: completed_at level: custom type: alias description: Request completion timestamp when the response is done executing. Usually matches with @timestamp. path: EndpointActions.completed_at - name: data.alert_id level: custom type: alias description: List of alert ids that triggered the action path: EndpointActions.data.alert_id - name: data.command level: custom type: alias description: The action that is requested path: EndpointActions.data.command - name: data.comment level: custom type: alias description: A comment that describes the action that is requested path: EndpointActions.data.comment - name: started_at level: custom type: alias description: Timestamp of start of request path: EndpointActions.started_at - name: status level: custom type: alias description: The status of the request that distinguishes if the request is queued, running or completed. path: EndpointActions.status - name: EndpointActions title: Endpoint Actions group: 2 description: Fields to describe the endpoint action requests and responses. type: group default_field: true fields: - name: action_id level: custom type: keyword ignore_above: 1024 description: The action id default_field: false - name: completed_at level: custom type: date description: Request completion timestamp when the response is done executing. Usually matches with @timestamp. default_field: false - name: data level: custom type: object description: The action request information default_field: false - name: data.alert_id level: custom type: keyword ignore_above: 1024 description: List of alert ids that triggered the action default_field: false - name: data.command level: custom type: keyword ignore_above: 1024 description: The action that is requested example: isolate default_field: false - name: data.comment level: custom type: text description: A comment that describes the action that is requested default_field: false - name: started_at level: custom type: date description: Timestamp of start of request default_field: false - name: status level: custom type: keyword ignore_above: 1024 description: The status of the request that distinguishes if the request is queued, running or completed. default_field: false - name: agent title: Agent group: 2 description: 'The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.' footnote: 'Examples: In the case of Beats for logs, the agent.name is filebeat. For APM, it is the agent running in the app/service. The agent information does not change if data is sent through queuing systems like Kafka, Redis, or processing systems such as Logstash or APM Server.' type: group default_field: true fields: - name: id level: core type: keyword ignore_above: 1024 description: 'Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.' example: 8a4f500d - name: data_stream title: data_stream group: 2 description: Fields describing the new indexing strategy -- type: group default_field: true fields: - name: dataset level: custom type: constant_keyword description: Data stream dataset name. example: nginx.access default_field: false - name: namespace level: custom type: constant_keyword description: Data stream namespace. example: production default_field: false - name: type level: custom type: constant_keyword description: Data stream type. example: logs default_field: false - name: ecs title: ECS group: 2 description: Meta-information specific to ECS. type: group default_field: true fields: - name: version level: core required: true type: keyword ignore_above: 1024 description: 'ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.' example: 1.0.0 - name: error title: Error group: 2 description: 'These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error.' type: group default_field: true fields: - name: code level: core type: keyword ignore_above: 1024 description: Error code describing the error. - name: id level: core type: keyword ignore_above: 1024 description: Unique identifier for the error. - name: message level: core type: match_only_text description: Error message. - name: stack_trace level: extended type: wildcard multi_fields: - name: text type: match_only_text default_field: false description: The stack trace of this error in plain text. - name: type level: extended type: keyword ignore_above: 1024 description: The type of the error, for example the class name of the exception. example: java.lang.NullPointerException - name: event title: Event group: 2 description: 'The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events.' type: group default_field: true fields: - name: action level: core type: keyword ignore_above: 1024 description: 'The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.' example: user-password-change - name: category level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.' example: authentication - name: created level: core type: date description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent''s or pipeline''s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.' example: '2016-05-23T08:05:34.857Z' - name: end level: extended type: date description: event.end contains the date when the event ended or when the activity was last observed. - name: hash level: extended type: keyword ignore_above: 1024 description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. example: 123456789012345678901234567890ABCD - name: id level: core type: keyword ignore_above: 1024 description: Unique ID to describe the event. example: 8a4f500d - name: ingested level: core type: date description: 'Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It''s also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.' example: '2016-05-23T08:05:35.101Z' default_field: false - name: outcome level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.' example: success - name: start level: extended type: date description: event.start contains the date when the event started or when the activity was first observed. - name: type level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types.' PKc ..PK}W9 endpoint-8.10.2/data_stream/action_responses/manifest.ymlUTdtitle: Endpoint Action Responses type: logs dataset: endpoint.action.responses hidden: true elasticsearch: index_template: mappings: dynamic: false PKgI1PK}W> endpoint-8.10.2/data_stream/action_responses/sample_event.jsonUTd{ "EndpointActions": { "completed_at": "2022-04-04T20:44:14.0Z", "data": { "comment": "Action completed successfully", "command": "isolate" }, "action_id": "cfa1d245-24ad-4867-8043-475d4ee2a111", "started_at": "2022-04-04T20:44:08.0Z" }, "agent": { "id": "c8cad7f3-9e62-43d0-94ed-8c51670fae62" }, "@timestamp": "2022-04-04T20:44:14.0Z", "data_stream": { "namespace": "default", "type": ".logs", "dataset": "endpoint.action.responses" }, "event": { "agent_id_status": "verified", "ingested": "2022-04-04T20:44:45Z" } }PKljPK}W$ endpoint-8.10.2/data_stream/actions/UTdPK}W2 endpoint-8.10.2/data_stream/actions/elasticsearch/UTdPK}WB endpoint-8.10.2/data_stream/actions/elasticsearch/ingest_pipeline/UTdPK}WN endpoint-8.10.2/data_stream/actions/elasticsearch/ingest_pipeline/default.jsonUTd{ "description": "Pipeline for setting event.ingested", "processors": [ { "set": { "field": "event.ingested", "value": "{{ _ingest.timestamp }}", "ignore_failure": true } } ] } PKx{PK}W+ endpoint-8.10.2/data_stream/actions/fields/UTdPK}W5 endpoint-8.10.2/data_stream/actions/fields/fields.ymlUTd- name: '@timestamp' level: core required: true type: date description: 'Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.' example: '2016-05-23T08:05:34.853Z' default_field: true - name: action_id level: custom type: alias description: The action id path: EndpointActions.action_id - name: agents level: custom type: alias description: 'Alias field that maps to {agent: {id}}' path: agent.id - name: data.alert_id level: custom type: alias description: List of alert ids that triggered the action path: EndpointActions.data.alert_id - name: data.command level: custom type: alias description: The action that is requested path: EndpointActions.data.command - name: data.comment level: custom type: alias description: A comment that describes the action that is requested path: EndpointActions.data.comment - name: expiration level: custom type: alias description: Request expiration timestamp path: EndpointActions.expiration - name: input_type level: custom type: alias description: The input type of the action, distinguishes endpoint actions as `endpoint` path: EndpointActions.input_type - name: type level: custom type: alias description: Distinguishes the type of input. Usually set to `INPUT_ACTION` path: EndpointActions.type - name: user_id level: custom type: alias description: The user id path: user.id - name: EndpointActions title: Endpoint Actions group: 2 description: Fields to describe the endpoint action requests and responses. type: group default_field: true fields: - name: action_id level: custom type: keyword ignore_above: 1024 description: The action id default_field: false - name: data level: custom type: object description: The action request information default_field: false - name: data.alert_id level: custom type: keyword ignore_above: 1024 description: List of alert ids that triggered the action default_field: false - name: data.command level: custom type: keyword ignore_above: 1024 description: The action that is requested example: isolate default_field: false - name: data.comment level: custom type: text description: A comment that describes the action that is requested default_field: false - name: expiration level: custom type: date description: Request expiration timestamp default_field: false - name: input_type level: custom type: keyword ignore_above: 1024 description: The input type of the action, distinguishes endpoint actions as `endpoint` default_field: false - name: type level: custom type: keyword ignore_above: 1024 description: Distinguishes the type of input. Usually set to `INPUT_ACTION` default_field: false - name: agent title: Agent group: 2 description: 'The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.' footnote: 'Examples: In the case of Beats for logs, the agent.name is filebeat. For APM, it is the agent running in the app/service. The agent information does not change if data is sent through queuing systems like Kafka, Redis, or processing systems such as Logstash or APM Server.' type: group default_field: true fields: - name: id level: core type: keyword ignore_above: 1024 description: 'Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.' example: 8a4f500d - name: data_stream title: data_stream group: 2 description: Fields describing the new indexing strategy -- type: group default_field: true fields: - name: dataset level: custom type: constant_keyword description: Data stream dataset name. example: nginx.access default_field: false - name: namespace level: custom type: constant_keyword description: Data stream namespace. example: production default_field: false - name: type level: custom type: constant_keyword description: Data stream type. example: logs default_field: false - name: ecs title: ECS group: 2 description: Meta-information specific to ECS. type: group default_field: true fields: - name: version level: core required: true type: keyword ignore_above: 1024 description: 'ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.' example: 1.0.0 - name: error title: Error group: 2 description: 'These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error.' type: group default_field: true fields: - name: code level: core type: keyword ignore_above: 1024 description: Error code describing the error. - name: id level: core type: keyword ignore_above: 1024 description: Unique identifier for the error. - name: message level: core type: match_only_text description: Error message. - name: stack_trace level: extended type: wildcard multi_fields: - name: text type: match_only_text default_field: false description: The stack trace of this error in plain text. - name: type level: extended type: keyword ignore_above: 1024 description: The type of the error, for example the class name of the exception. example: java.lang.NullPointerException - name: event title: Event group: 2 description: 'The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events.' type: group default_field: true fields: - name: action level: core type: keyword ignore_above: 1024 description: 'The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.' example: user-password-change - name: category level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.' example: authentication - name: created level: core type: date description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent''s or pipeline''s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.' example: '2016-05-23T08:05:34.857Z' - name: end level: extended type: date description: event.end contains the date when the event ended or when the activity was last observed. - name: hash level: extended type: keyword ignore_above: 1024 description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. example: 123456789012345678901234567890ABCD - name: id level: core type: keyword ignore_above: 1024 description: Unique ID to describe the event. example: 8a4f500d - name: ingested level: core type: date description: 'Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It''s also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.' example: '2016-05-23T08:05:35.101Z' default_field: false - name: outcome level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.' example: success - name: start level: extended type: date description: event.start contains the date when the event started or when the activity was first observed. - name: type level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types.' - name: rule title: Rule group: 2 description: 'Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc.' type: group default_field: true fields: - name: id level: extended type: keyword ignore_above: 1024 description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. example: 101 default_field: false - name: name level: extended type: keyword ignore_above: 1024 description: The name of the rule or signature generating the event. example: BLOCK_DNS_over_TLS default_field: false - name: user title: User group: 2 description: 'The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.' type: group default_field: true fields: - name: id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 PK?344PK}W0 endpoint-8.10.2/data_stream/actions/manifest.ymlUTdtitle: Endpoint Actions type: logs dataset: endpoint.actions hidden: true elasticsearch: index_template: mappings: dynamic: false PKA5̎PK}W5 endpoint-8.10.2/data_stream/actions/sample_event.jsonUTd{ "EndpointActions": { "data": { "comment": "testing isolation", "command": "isolate" }, "action_id": "cfa1d245-24ad-4867-8043-475d4ee2a111", "input_type": "endpoint", "expiration": "2022-04-18T20:44:07.805Z", "type": "INPUT_ACTION" }, "agent": { "id": [ "c8cad7f3-9e62-43d0-94ed-8c51670fae62" ] }, "@timestamp": "2022-04-04T20:44:07.805Z", "event": { "agent_id_status": "auth_metadata_missing", "ingested": "2022-04-04T20:44:07Z" }, "user": { "id": "user@elastic.co" } }PKvwwPK}W# endpoint-8.10.2/data_stream/alerts/UTdPK}W1 endpoint-8.10.2/data_stream/alerts/elasticsearch/UTdPK}WA endpoint-8.10.2/data_stream/alerts/elasticsearch/ingest_pipeline/UTdPK}WM endpoint-8.10.2/data_stream/alerts/elasticsearch/ingest_pipeline/default.jsonUTd{ "description": "Pipeline for setting event.ingested", "processors": [ { "set": { "field": "event.ingested", "value": "{{ _ingest.timestamp }}", "ignore_failure": true } } ] } PKx{PK}W* endpoint-8.10.2/data_stream/alerts/fields/UTdPK}W4 endpoint-8.10.2/data_stream/alerts/fields/fields.ymlUTd- name: '@timestamp' level: core required: true type: date description: 'Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.' example: '2016-05-23T08:05:34.853Z' default_field: true - name: Events level: custom type: object description: events array - name: message level: core type: match_only_text description: 'For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.' example: Hello World default_field: true - name: Endpoint title: Endpoint group: 2 description: Fields describing the state of the Elastic Endpoint when an event occurs. type: group default_field: true fields: - name: policy level: custom type: object description: The policy fields are used to hold information about applied policy. default_field: false - name: policy.applied level: custom type: object description: information about the policy that is applied default_field: false - name: policy.applied.artifacts level: custom type: object description: information about protection artifacts applied. enabled: false default_field: false - name: policy.applied.artifacts.global level: custom type: object description: information about global protection artifacts applied. default_field: false - name: policy.applied.artifacts.global.identifiers level: custom type: nested description: the identifiers of global artifacts applied. default_field: false - name: policy.applied.artifacts.global.identifiers.name level: custom type: keyword ignore_above: 1024 description: the name of global artifact applied. default_field: false - name: policy.applied.artifacts.global.identifiers.sha256 level: custom type: keyword ignore_above: 1024 description: the sha256 of global artifacts applied. default_field: false - name: policy.applied.artifacts.global.version level: custom type: keyword ignore_above: 1024 description: the version of global artifacts applied. default_field: false - name: policy.applied.artifacts.user level: custom type: object description: information about user protection artifacts applied. default_field: false - name: policy.applied.artifacts.user.identifiers level: custom type: nested description: the identifiers of user artifacts applied. default_field: false - name: policy.applied.artifacts.user.identifiers.name level: custom type: keyword ignore_above: 1024 description: the name of user artifact applied. default_field: false - name: policy.applied.artifacts.user.identifiers.sha256 level: custom type: keyword ignore_above: 1024 description: the sha256 of user artifacts applied. default_field: false - name: policy.applied.artifacts.user.version level: custom type: keyword ignore_above: 1024 description: the version of user artifacts applied. default_field: false - name: policy.applied.id level: custom type: keyword ignore_above: 1024 description: the id of the applied policy default_field: false - name: policy.applied.name level: custom type: keyword ignore_above: 1024 description: the name of this applied policy default_field: false - name: policy.applied.status level: custom type: keyword ignore_above: 1024 description: the status of the applied policy default_field: false - name: policy.applied.version level: custom type: keyword ignore_above: 1024 description: the version of this applied policy default_field: false - name: Memory_protection title: Memory Protection group: 2 description: These fields contain information specific to Memory Protection alerts. type: group default_field: true fields: - name: cross_session level: custom type: boolean description: Is this process injecting across operating system sessions? default_field: false - name: feature level: custom type: keyword ignore_above: 1024 description: Memory Protection feature which triggered the alert. example: shellcode_thread default_field: false - name: parent_to_child level: custom type: boolean description: Is this process injecting into its child? default_field: false - name: self_injection level: custom type: boolean description: Is this alert about a process injecting into itself? default_field: false - name: thread_count level: custom type: long description: The number of threads that this alert applies to. If several alerts occur in a short period of time, they can be combined into a single alert with thread_count > 1. default_field: false - name: unique_key_v1 level: custom type: keyword ignore_above: 1024 description: A unique key created by hashing several characteristics of this alert. default_field: false - name: Ransomware title: Ransomware group: 2 description: These fields contain information specific to ransomware alerts. type: group default_field: true fields: - name: child_processes.executable level: custom type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false description: Absolute path to the process executable. example: /usr/bin/ssh default_field: false - name: child_processes.feature level: custom type: keyword ignore_above: 1024 description: Ransomware feature which triggered the alert. default_field: false - name: child_processes.files level: custom type: nested description: Information about each file event attributed to the ransomware. Expected to be an array. default_field: false - name: child_processes.files.data level: custom type: keyword ignore_above: 1024 description: File header or MBR bytes. default_field: false - name: child_processes.files.entropy level: custom type: double description: Entropy of file contents. default_field: false - name: child_processes.files.extension level: custom type: keyword ignore_above: 1024 description: File extension, excluding the leading dot. default_field: false - name: child_processes.files.metrics level: custom type: keyword ignore_above: 1024 description: Suspicious ransomware behaviours associated with the file event. default_field: false - name: child_processes.files.operation level: custom type: keyword ignore_above: 1024 description: Operation applied to file. default_field: false - name: child_processes.files.original.extension level: custom type: keyword ignore_above: 1024 description: Original file extension prior to the file event. default_field: false - name: child_processes.files.original.path level: custom type: keyword ignore_above: 1024 description: Original file path prior to the file event. default_field: false - name: child_processes.files.path level: custom type: keyword ignore_above: 1024 description: Full path to the file, including the file name. default_field: false - name: child_processes.files.score level: custom type: double description: Ransomware score for this particular file event. default_field: false - name: child_processes.pid level: custom type: long format: string description: Process id. example: 4242 default_field: false - name: child_processes.score level: custom type: double description: Total ransomware score for aggregated file events. default_field: false - name: child_processes.version level: custom type: keyword ignore_above: 1024 description: Ransomware artifact version. default_field: false - name: executable level: custom type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false description: Absolute path to the process executable. example: /usr/bin/ssh default_field: false - name: feature level: custom type: keyword ignore_above: 1024 description: Ransomware feature which triggered the alert. default_field: false - name: files level: custom type: nested description: Information about each file event attributed to the ransomware. Expected to be an array. default_field: false - name: files.data level: custom type: keyword ignore_above: 1024 description: File header or MBR bytes. default_field: false - name: files.entropy level: custom type: double description: Entropy of file contents. default_field: false - name: files.extension level: custom type: keyword ignore_above: 1024 description: File extension, excluding the leading dot. default_field: false - name: files.metrics level: custom type: keyword ignore_above: 1024 description: Suspicious ransomware behaviours associated with the file event. default_field: false - name: files.operation level: custom type: keyword ignore_above: 1024 description: Operation applied to file. default_field: false - name: files.original.extension level: custom type: keyword ignore_above: 1024 description: Original file extension prior to the file event. default_field: false - name: files.original.path level: custom type: keyword ignore_above: 1024 description: Original file path prior to the file event. default_field: false - name: files.path level: custom type: keyword ignore_above: 1024 description: Full path to the file, including the file name. default_field: false - name: files.score level: custom type: double description: Ransomware score for this particular file event. default_field: false - name: pid level: custom type: long format: string description: Process id. example: 4242 default_field: false - name: score level: custom type: double description: Total ransomware score for aggregated file events. default_field: false - name: version level: custom type: keyword ignore_above: 1024 description: Ransomware artifact version. default_field: false - name: Responses title: Responses group: 2 description: responses array contains rule response action results type: group default_field: true fields: - name: '@timestamp' level: custom type: date format: string description: Timestamp in which action was taken default_field: false - name: action level: custom type: nested description: Dictionary representing requested response action default_field: false - name: action.action level: custom type: keyword ignore_above: 1024 description: Response action name default_field: false - name: action.field level: custom type: text description: Field in the triggering event to use as input for action default_field: false - name: action.file.attributes level: custom type: keyword ignore_above: 1024 description: Destination file attributes default_field: false - name: action.file.path level: custom type: keyword ignore_above: 1024 description: Destination file path default_field: false - name: action.file.reason level: custom type: long description: Combined USN file modification reason default_field: false - name: action.key.actions level: custom type: keyword ignore_above: 1024 description: Actions taken by Registry Rollback for key default_field: false - name: action.key.path level: custom type: keyword ignore_above: 1024 description: NT path of registry key recovered by Rollback default_field: false - name: action.key.values level: custom type: object description: Values modified default_field: false - name: action.key.values.actions level: custom type: keyword ignore_above: 1024 description: Actions taken by Registry Rollback for value default_field: false - name: action.key.values.name level: custom type: keyword ignore_above: 1024 description: Value name recovered by Rollback default_field: false - name: action.process.message level: custom type: keyword ignore_above: 1024 description: Status message for Process Rollback default_field: false - name: action.process.path level: custom type: keyword ignore_above: 1024 description: Path of process killed by Process Rollback default_field: false - name: action.process.result level: custom type: long description: Result code for Process Rollback default_field: false - name: action.source.attributes level: custom type: keyword ignore_above: 1024 description: Source file attributes default_field: false - name: action.source.path level: custom type: keyword ignore_above: 1024 description: Source file path default_field: false - name: action.state level: custom type: long description: Index of event in events array to use for field lookup default_field: false - name: action.tree level: custom type: boolean description: Indicates whether or not an action was taken against an entire process tree default_field: false - name: message level: custom type: text description: Result message default_field: false - name: process level: custom type: nested description: Dictionary representing process information default_field: false - name: process.entity_id level: custom type: text description: Entity id of actionable process default_field: false - name: process.name level: custom type: keyword ignore_above: 1024 description: Name of actionable process default_field: false - name: process.pid level: custom type: long description: pid of actionable process default_field: false - name: result level: custom type: long description: Response action result code default_field: false - name: Target title: Target group: 2 description: 'These fields contain information about a target. These fields provide more context about the target process and thread that are related to the data in the document. Useful in a security context where a target process or thread may be acted on by another process or thread.' type: group default_field: true fields: - name: dll.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: dll.Ext.code_signature level: custom type: nested description: Nested version of ECS code_signature fieldset. default_field: false - name: dll.Ext.code_signature.exists level: custom type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: dll.Ext.code_signature.status level: custom type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: dll.Ext.code_signature.subject_name level: custom type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: dll.Ext.code_signature.trusted level: custom type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: dll.Ext.code_signature.valid level: custom type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: dll.Ext.compile_time level: custom type: date description: Timestamp from when the module was compiled. default_field: false - name: dll.Ext.malware_classification.features level: custom type: object description: Intermediate field included by adding option with subset enabled: false default_field: false - name: dll.Ext.malware_classification.features.data.buffer level: custom type: keyword ignore_above: 1024 description: The features extracted from this file and evaluated by the model. Usually an array of floats. Likely zlib-encoded. default_field: false - name: dll.Ext.malware_classification.features.data.decompressed_size level: custom type: integer description: The decompressed size of buffer. default_field: false - name: dll.Ext.malware_classification.features.data.encoding level: custom type: keyword ignore_above: 1024 description: The encoding of buffer (e.g. zlib). default_field: false - name: dll.Ext.malware_classification.identifier level: custom type: keyword ignore_above: 1024 description: The model's unique identifier. default_field: false - name: dll.Ext.malware_classification.score level: custom type: double description: The score produced by the classification model. default_field: false - name: dll.Ext.malware_classification.threshold level: custom type: double description: The score threshold for the model. Files that score above this threshold are considered malicious. default_field: false - name: dll.Ext.malware_classification.upx_packed level: custom type: boolean description: Whether UPX packing was detected. default_field: false - name: dll.Ext.malware_classification.version level: custom type: keyword ignore_above: 1024 description: The version of the model used. default_field: false - name: dll.Ext.mapped_address level: custom type: unsigned_long description: The base address where this module is loaded. default_field: false - name: dll.Ext.mapped_size level: custom type: unsigned_long description: The size of this module's memory mapping, in bytes. default_field: false - name: dll.code_signature.exists level: core type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: dll.code_signature.signing_id level: extended type: keyword ignore_above: 1024 description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: dll.code_signature.status level: extended type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: dll.code_signature.subject_name level: core type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: dll.code_signature.team_id level: extended type: keyword ignore_above: 1024 description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: dll.code_signature.trusted level: extended type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: dll.code_signature.valid level: extended type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: dll.hash.md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash. default_field: false - name: dll.hash.sha1 level: extended type: keyword ignore_above: 1024 description: SHA1 hash. default_field: false - name: dll.hash.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. default_field: false - name: dll.hash.sha512 level: extended type: keyword ignore_above: 1024 description: SHA512 hash. default_field: false - name: dll.name level: core type: keyword ignore_above: 1024 description: 'Name of the library. This generally maps to the name of the file on disk.' example: kernel32.dll default_field: false - name: dll.path level: extended type: keyword ignore_above: 1024 description: Full file path of the library. example: C:\Windows\System32\kernel32.dll default_field: false - name: dll.pe.company level: extended type: keyword ignore_above: 1024 description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - name: dll.pe.description level: extended type: keyword ignore_above: 1024 description: Internal description of the file, provided at compile-time. example: Paint default_field: false - name: dll.pe.file_version level: extended type: keyword ignore_above: 1024 description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - name: dll.pe.imphash level: extended type: keyword ignore_above: 1024 description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - name: dll.pe.original_file_name level: extended type: keyword ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - name: dll.pe.product level: extended type: keyword ignore_above: 1024 description: Internal product name of the file, provided at compile-time. example: "Microsoft® Windows® Operating System" default_field: false - name: process.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: process.Ext.ancestry level: custom type: keyword ignore_above: 1024 description: An array of entity_ids indicating the ancestors for this event default_field: false - name: process.Ext.architecture level: custom type: keyword ignore_above: 1024 description: Process architecture. It can differ from host architecture. example: x86_64 default_field: false - name: process.Ext.authentication_id level: custom type: keyword ignore_above: 1024 description: Process authentication ID default_field: false - name: process.Ext.code_signature level: custom type: nested description: Nested version of ECS code_signature fieldset. default_field: false - name: process.Ext.code_signature.exists level: custom type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: process.Ext.code_signature.status level: custom type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: process.Ext.code_signature.subject_name level: custom type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: process.Ext.code_signature.trusted level: custom type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: process.Ext.code_signature.valid level: custom type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: process.Ext.dll.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: process.Ext.dll.Ext.code_signature level: custom type: nested description: Nested version of ECS code_signature fieldset. default_field: false - name: process.Ext.dll.Ext.code_signature.exists level: custom type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: process.Ext.dll.Ext.code_signature.status level: custom type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: process.Ext.dll.Ext.code_signature.subject_name level: custom type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: process.Ext.dll.Ext.code_signature.trusted level: custom type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: process.Ext.dll.Ext.code_signature.valid level: custom type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: process.Ext.dll.Ext.compile_time level: custom type: date description: Timestamp from when the module was compiled. default_field: false - name: process.Ext.dll.Ext.mapped_address level: custom type: unsigned_long description: The base address where this module is loaded. default_field: false - name: process.Ext.dll.Ext.mapped_size level: custom type: unsigned_long description: The size of this module's memory mapping, in bytes. default_field: false - name: process.Ext.dll.code_signature.exists level: core type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: process.Ext.dll.code_signature.signing_id level: extended type: keyword ignore_above: 1024 description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: process.Ext.dll.code_signature.status level: extended type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: process.Ext.dll.code_signature.subject_name level: core type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: process.Ext.dll.code_signature.team_id level: extended type: keyword ignore_above: 1024 description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: process.Ext.dll.code_signature.trusted level: extended type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: process.Ext.dll.code_signature.valid level: extended type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: process.Ext.dll.hash.md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash. default_field: false - name: process.Ext.dll.hash.sha1 level: extended type: keyword ignore_above: 1024 description: SHA1 hash. default_field: false - name: process.Ext.dll.hash.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. default_field: false - name: process.Ext.dll.hash.sha512 level: extended type: keyword ignore_above: 1024 description: SHA512 hash. default_field: false - name: process.Ext.dll.name level: core type: keyword ignore_above: 1024 description: 'Name of the library. This generally maps to the name of the file on disk.' example: kernel32.dll default_field: false - name: process.Ext.dll.path level: extended type: keyword ignore_above: 1024 description: Full file path of the library. example: C:\Windows\System32\kernel32.dll default_field: false - name: process.Ext.dll.pe.company level: extended type: keyword ignore_above: 1024 description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - name: process.Ext.dll.pe.description level: extended type: keyword ignore_above: 1024 description: Internal description of the file, provided at compile-time. example: Paint default_field: false - name: process.Ext.dll.pe.file_version level: extended type: keyword ignore_above: 1024 description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - name: process.Ext.dll.pe.imphash level: extended type: keyword ignore_above: 1024 description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - name: process.Ext.dll.pe.original_file_name level: extended type: keyword ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - name: process.Ext.dll.pe.product level: extended type: keyword ignore_above: 1024 description: Internal product name of the file, provided at compile-time. example: "Microsoft® Windows® Operating System" default_field: false - name: process.Ext.malware_classification.features level: custom type: object description: Intermediate field included by adding option with subset enabled: false default_field: false - name: process.Ext.malware_classification.features.data.buffer level: custom type: keyword ignore_above: 1024 description: The features extracted from this file and evaluated by the model. Usually an array of floats. Likely zlib-encoded. default_field: false - name: process.Ext.malware_classification.features.data.decompressed_size level: custom type: integer description: The decompressed size of buffer. default_field: false - name: process.Ext.malware_classification.features.data.encoding level: custom type: keyword ignore_above: 1024 description: The encoding of buffer (e.g. zlib). default_field: false - name: process.Ext.malware_classification.identifier level: custom type: keyword ignore_above: 1024 description: The model's unique identifier. default_field: false - name: process.Ext.malware_classification.score level: custom type: double description: The score produced by the classification model. default_field: false - name: process.Ext.malware_classification.threshold level: custom type: double description: The score threshold for the model. Files that score above this threshold are considered malicious. default_field: false - name: process.Ext.malware_classification.upx_packed level: custom type: boolean description: Whether UPX packing was detected. default_field: false - name: process.Ext.malware_classification.version level: custom type: keyword ignore_above: 1024 description: The version of the model used. default_field: false - name: process.Ext.memory_region.allocation_base level: custom type: unsigned_long description: Base address of the memory allocation containing the memory region. example: 2431737462784 default_field: false - name: process.Ext.memory_region.allocation_protection level: custom type: keyword ignore_above: 1024 description: Original memory protection requested when the memory was allocated. Example values include "RWX" and "R-X". example: RWX default_field: false - name: process.Ext.memory_region.allocation_size level: custom type: unsigned_long description: Original memory size requested when the memory was allocated. example: 4096 default_field: false - name: process.Ext.memory_region.allocation_type level: custom type: keyword ignore_above: 1024 description: The memory allocation type. Example values include "IMAGE", "MAPPED", and "PRIVATE". example: PRIVATE default_field: false - name: process.Ext.memory_region.bytes_address level: custom type: unsigned_long description: The address where bytes_compressed begins. example: 2431737462784 default_field: false - name: process.Ext.memory_region.bytes_allocation_offset level: custom type: unsigned_long description: Offset of bytes_address the memory allocation. Equal to bytes_address - allocation_base. example: 0 default_field: false - name: process.Ext.memory_region.bytes_compressed level: custom type: keyword description: Up to 4MB of raw data from the memory allocation. This is compressed with zlib.To reduce data volume, this is de-duplicated on the endpoint, and may be missing from many alerts if the same data would be sent multiple times. example: eJzzSM3JyVcIzy/KSVEEABxJBD4= index: false doc_values: false default_field: false - name: process.Ext.memory_region.bytes_compressed_present level: custom type: boolean description: Whether bytes_compressed is present in this event. example: false default_field: false - name: process.Ext.memory_region.malware_signature.all_names level: custom type: keyword ignore_above: 1024 description: A sequence of signature names matched. example: Windows.EICAR.Not-a-virus default_field: false - name: process.Ext.memory_region.malware_signature.identifier level: custom type: keyword ignore_above: 1024 description: malware signature identifier default_field: false - name: process.Ext.memory_region.malware_signature.primary level: custom type: object description: The first matching details. default_field: false - name: process.Ext.memory_region.malware_signature.primary.matches level: custom type: keyword description: The first matching details. index: false doc_values: false default_field: false - name: process.Ext.memory_region.malware_signature.primary.signature.hash level: custom type: nested description: hash of file matching signature. default_field: false - name: process.Ext.memory_region.malware_signature.primary.signature.hash.sha256 level: custom type: keyword ignore_above: 1024 description: sha256 hash of file matching signature. default_field: false - name: process.Ext.memory_region.malware_signature.primary.signature.id level: custom type: keyword ignore_above: 1024 description: The id of the first yara rule matched. default_field: false - name: process.Ext.memory_region.malware_signature.primary.signature.name level: custom type: keyword ignore_above: 1024 description: The name of the first yara rule matched. default_field: false - name: process.Ext.memory_region.malware_signature.version level: custom type: keyword ignore_above: 1024 description: malware signature version default_field: false - name: process.Ext.memory_region.mapped_path level: custom type: keyword ignore_above: 1024 description: If the memory corresponds to a file mapping, this is the file's path. example: C:\Windows\System32\mshtml.dll default_field: false - name: process.Ext.memory_region.mapped_pe.company level: extended type: keyword ignore_above: 1024 description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - name: process.Ext.memory_region.mapped_pe.description level: extended type: keyword ignore_above: 1024 description: Internal description of the file, provided at compile-time. example: Paint default_field: false - name: process.Ext.memory_region.mapped_pe.file_version level: extended type: keyword ignore_above: 1024 description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - name: process.Ext.memory_region.mapped_pe.imphash level: extended type: keyword ignore_above: 1024 description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - name: process.Ext.memory_region.mapped_pe.original_file_name level: extended type: keyword ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - name: process.Ext.memory_region.mapped_pe.product level: extended type: keyword ignore_above: 1024 description: Internal product name of the file, provided at compile-time. example: "Microsoft® Windows® Operating System" default_field: false - name: process.Ext.memory_region.mapped_pe_detected level: custom type: boolean description: Whether the file at mapped_path is an executable. example: false default_field: false - name: process.Ext.memory_region.memory_pe.company level: extended type: keyword ignore_above: 1024 description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - name: process.Ext.memory_region.memory_pe.description level: extended type: keyword ignore_above: 1024 description: Internal description of the file, provided at compile-time. example: Paint default_field: false - name: process.Ext.memory_region.memory_pe.file_version level: extended type: keyword ignore_above: 1024 description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - name: process.Ext.memory_region.memory_pe.imphash level: extended type: keyword ignore_above: 1024 description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - name: process.Ext.memory_region.memory_pe.original_file_name level: extended type: keyword ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - name: process.Ext.memory_region.memory_pe.product level: extended type: keyword ignore_above: 1024 description: Internal product name of the file, provided at compile-time. example: "Microsoft® Windows® Operating System" default_field: false - name: process.Ext.memory_region.memory_pe_detected level: custom type: boolean description: Whether an executable file was found in memory. example: false default_field: false - name: process.Ext.memory_region.region_base level: custom type: unsigned_long description: Base address of the memory region. example: 2431737462784 default_field: false - name: process.Ext.memory_region.region_protection level: custom type: keyword ignore_above: 1024 description: Memory protection of the memory region. Example values include "RWX" and "R-X". example: RWX default_field: false - name: process.Ext.memory_region.region_size level: custom type: unsigned_long description: Size of the memory region. example: 4096 default_field: false - name: process.Ext.memory_region.region_state level: custom type: keyword ignore_above: 1024 description: State of the memory region. Example values include "RESERVE", "COMMIT", and "FREE". example: COMMIT default_field: false - name: process.Ext.memory_region.strings level: custom type: keyword description: Array of strings found within the memory region. index: false doc_values: false default_field: false - name: process.Ext.protection level: custom type: keyword ignore_above: 1024 description: Indicates the protection level of this process. Uses the same syntax as Process Explorer. Examples include PsProtectedSignerWinTcb, PsProtectedSignerWinTcb-Light, and PsProtectedSignerWindows-Light. default_field: false - name: process.Ext.services level: custom type: keyword ignore_above: 1024 description: Services running in this process. default_field: false - name: process.Ext.session level: custom type: keyword ignore_above: 1024 description: Session information for the current process default_field: false - name: process.Ext.token.domain level: custom type: keyword ignore_above: 1024 description: Domain of token user. default_field: false - name: process.Ext.token.elevation level: custom type: boolean description: Whether the token is elevated or not default_field: false - name: process.Ext.token.elevation_type level: custom type: keyword ignore_above: 1024 description: What level of elevation the token has example: one of "default", "full", "limited" default_field: false - name: process.Ext.token.impersonation_level level: custom type: keyword ignore_above: 1024 description: Impersonation level. Only valid for impersonation tokens. default_field: false - name: process.Ext.token.integrity_level level: custom type: long description: Numeric integrity level. default_field: false - name: process.Ext.token.integrity_level_name level: custom type: keyword ignore_above: 1024 description: Human readable integrity level. example: one of "system", "high", "medium", "low", "untrusted" default_field: false - name: process.Ext.token.is_appcontainer level: custom type: boolean description: Whether or not this is an appcontainer token. default_field: false - name: process.Ext.token.privileges level: custom type: nested description: Array describing the privileges associated with the token. default_field: false - name: process.Ext.token.privileges.description level: custom type: keyword ignore_above: 1024 description: Description of the privilege. default_field: false - name: process.Ext.token.privileges.enabled level: custom type: boolean description: Whether or not the privilege is enabled. default_field: false - name: process.Ext.token.privileges.name level: custom type: keyword ignore_above: 1024 description: Name of the privilege. default_field: false - name: process.Ext.token.sid level: custom type: keyword ignore_above: 1024 description: Token user's Security Identifier (SID). default_field: false - name: process.Ext.token.type level: custom type: keyword ignore_above: 1024 description: Type of the token, either primary or impersonation. default_field: false - name: process.Ext.token.user level: custom type: keyword ignore_above: 1024 description: Username of token owner. default_field: false - name: process.Ext.user level: custom type: keyword ignore_above: 1024 description: User associated with the running process. default_field: false - name: process.args level: extended type: keyword ignore_above: 1024 description: 'Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.' example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' default_field: false - name: process.args_count level: extended type: long description: 'Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.' example: 4 default_field: false - name: process.code_signature.exists level: core type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: process.code_signature.signing_id level: extended type: keyword ignore_above: 1024 description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: process.code_signature.status level: extended type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: process.code_signature.subject_name level: core type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: process.code_signature.team_id level: extended type: keyword ignore_above: 1024 description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: process.code_signature.trusted level: extended type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: process.code_signature.valid level: extended type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: process.command_line level: extended type: wildcard multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 default_field: false - name: process.entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: process.executable level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: Absolute path to the process executable. example: /usr/bin/ssh default_field: false - name: process.exit_code level: extended type: long description: 'The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).' example: 137 default_field: false - name: process.hash.md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash. default_field: false - name: process.hash.sha1 level: extended type: keyword ignore_above: 1024 description: SHA1 hash. default_field: false - name: process.hash.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. default_field: false - name: process.hash.sha512 level: extended type: keyword ignore_above: 1024 description: SHA512 hash. default_field: false - name: process.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: 'Process name. Sometimes called program name or similar.' example: ssh default_field: false - name: process.parent.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: process.parent.Ext.architecture level: custom type: keyword ignore_above: 1024 description: Process architecture. It can differ from host architecture. example: x86_64 default_field: false - name: process.parent.Ext.code_signature level: custom type: nested description: Nested version of ECS code_signature fieldset. default_field: false - name: process.parent.Ext.code_signature.exists level: custom type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: process.parent.Ext.code_signature.status level: custom type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: process.parent.Ext.code_signature.subject_name level: custom type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: process.parent.Ext.code_signature.trusted level: custom type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: process.parent.Ext.code_signature.valid level: custom type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: process.parent.Ext.dll.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: process.parent.Ext.dll.Ext.code_signature level: custom type: nested description: Nested version of ECS code_signature fieldset. default_field: false - name: process.parent.Ext.dll.Ext.code_signature.exists level: custom type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: process.parent.Ext.dll.Ext.code_signature.status level: custom type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: process.parent.Ext.dll.Ext.code_signature.subject_name level: custom type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: process.parent.Ext.dll.Ext.code_signature.trusted level: custom type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: process.parent.Ext.dll.Ext.code_signature.valid level: custom type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: process.parent.Ext.dll.Ext.compile_time level: custom type: date description: Timestamp from when the module was compiled. default_field: false - name: process.parent.Ext.dll.Ext.mapped_address level: custom type: unsigned_long description: The base address where this module is loaded. default_field: false - name: process.parent.Ext.dll.Ext.mapped_size level: custom type: unsigned_long description: The size of this module's memory mapping, in bytes. default_field: false - name: process.parent.Ext.dll.code_signature.exists level: core type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: process.parent.Ext.dll.code_signature.signing_id level: extended type: keyword ignore_above: 1024 description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: process.parent.Ext.dll.code_signature.status level: extended type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: process.parent.Ext.dll.code_signature.subject_name level: core type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: process.parent.Ext.dll.code_signature.team_id level: extended type: keyword ignore_above: 1024 description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: process.parent.Ext.dll.code_signature.trusted level: extended type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: process.parent.Ext.dll.code_signature.valid level: extended type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: process.parent.Ext.dll.hash.md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash. default_field: false - name: process.parent.Ext.dll.hash.sha1 level: extended type: keyword ignore_above: 1024 description: SHA1 hash. default_field: false - name: process.parent.Ext.dll.hash.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. default_field: false - name: process.parent.Ext.dll.hash.sha512 level: extended type: keyword ignore_above: 1024 description: SHA512 hash. default_field: false - name: process.parent.Ext.dll.name level: core type: keyword ignore_above: 1024 description: 'Name of the library. This generally maps to the name of the file on disk.' example: kernel32.dll default_field: false - name: process.parent.Ext.dll.path level: extended type: keyword ignore_above: 1024 description: Full file path of the library. example: C:\Windows\System32\kernel32.dll default_field: false - name: process.parent.Ext.dll.pe.company level: extended type: keyword ignore_above: 1024 description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - name: process.parent.Ext.dll.pe.description level: extended type: keyword ignore_above: 1024 description: Internal description of the file, provided at compile-time. example: Paint default_field: false - name: process.parent.Ext.dll.pe.file_version level: extended type: keyword ignore_above: 1024 description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - name: process.parent.Ext.dll.pe.imphash level: extended type: keyword ignore_above: 1024 description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - name: process.parent.Ext.dll.pe.original_file_name level: extended type: keyword ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - name: process.parent.Ext.dll.pe.product level: extended type: keyword ignore_above: 1024 description: Internal product name of the file, provided at compile-time. example: "Microsoft® Windows® Operating System" default_field: false - name: process.parent.Ext.protection level: custom type: keyword ignore_above: 1024 description: Indicates the protection level of this process. Uses the same syntax as Process Explorer. Examples include PsProtectedSignerWinTcb, PsProtectedSignerWinTcb-Light, and PsProtectedSignerWindows-Light. default_field: false - name: process.parent.Ext.real level: custom type: object description: The field set containing process info in case of any pid spoofing. This is mainly useful for process.parent. default_field: false - name: process.parent.Ext.real.pid level: custom type: long description: For process.parent this will be the ppid of the process that actually spawned the current process. default_field: false - name: process.parent.Ext.token.domain level: custom type: keyword ignore_above: 1024 description: Domain of token user. default_field: false - name: process.parent.Ext.token.elevation level: custom type: boolean description: Whether the token is elevated or not default_field: false - name: process.parent.Ext.token.elevation_type level: custom type: keyword ignore_above: 1024 description: What level of elevation the token has example: one of "default", "full", "limited" default_field: false - name: process.parent.Ext.token.impersonation_level level: custom type: keyword ignore_above: 1024 description: Impersonation level. Only valid for impersonation tokens. default_field: false - name: process.parent.Ext.token.integrity_level level: custom type: long description: Numeric integrity level. default_field: false - name: process.parent.Ext.token.integrity_level_name level: custom type: keyword ignore_above: 1024 description: Human readable integrity level. example: one of "system", "high", "medium", "low", "untrusted" default_field: false - name: process.parent.Ext.token.is_appcontainer level: custom type: boolean description: Whether or not this is an appcontainer token. default_field: false - name: process.parent.Ext.token.privileges level: custom type: nested description: Array describing the privileges associated with the token. default_field: false - name: process.parent.Ext.token.privileges.description level: custom type: keyword ignore_above: 1024 description: Description of the privilege. default_field: false - name: process.parent.Ext.token.privileges.enabled level: custom type: boolean description: Whether or not the privilege is enabled. default_field: false - name: process.parent.Ext.token.privileges.name level: custom type: keyword ignore_above: 1024 description: Name of the privilege. default_field: false - name: process.parent.Ext.token.sid level: custom type: keyword ignore_above: 1024 description: Token user's Security Identifier (SID). default_field: false - name: process.parent.Ext.token.type level: custom type: keyword ignore_above: 1024 description: Type of the token, either primary or impersonation. default_field: false - name: process.parent.Ext.token.user level: custom type: keyword ignore_above: 1024 description: Username of token owner. default_field: false - name: process.parent.Ext.user level: custom type: keyword ignore_above: 1024 description: User associated with the running process. default_field: false - name: process.parent.args level: extended type: keyword ignore_above: 1024 description: 'Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.' example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' default_field: false - name: process.parent.args_count level: extended type: long description: 'Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.' example: 4 default_field: false - name: process.parent.code_signature.exists level: core type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: process.parent.code_signature.signing_id level: extended type: keyword ignore_above: 1024 description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: process.parent.code_signature.status level: extended type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: process.parent.code_signature.subject_name level: core type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: process.parent.code_signature.team_id level: extended type: keyword ignore_above: 1024 description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: process.parent.code_signature.trusted level: extended type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: process.parent.code_signature.valid level: extended type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: process.parent.command_line level: extended type: wildcard multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 default_field: false - name: process.parent.entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: process.parent.executable level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: Absolute path to the process executable. example: /usr/bin/ssh default_field: false - name: process.parent.exit_code level: extended type: long description: 'The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).' example: 137 default_field: false - name: process.parent.hash.md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash. default_field: false - name: process.parent.hash.sha1 level: extended type: keyword ignore_above: 1024 description: SHA1 hash. default_field: false - name: process.parent.hash.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. default_field: false - name: process.parent.hash.sha512 level: extended type: keyword ignore_above: 1024 description: SHA512 hash. default_field: false - name: process.parent.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: 'Process name. Sometimes called program name or similar.' example: ssh default_field: false - name: process.parent.pe.company level: extended type: keyword ignore_above: 1024 description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - name: process.parent.pe.description level: extended type: keyword ignore_above: 1024 description: Internal description of the file, provided at compile-time. example: Paint default_field: false - name: process.parent.pe.file_version level: extended type: keyword ignore_above: 1024 description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - name: process.parent.pe.imphash level: extended type: keyword ignore_above: 1024 description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - name: process.parent.pe.original_file_name level: extended type: keyword ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - name: process.parent.pe.product level: extended type: keyword ignore_above: 1024 description: Internal product name of the file, provided at compile-time. example: "Microsoft® Windows® Operating System" default_field: false - name: process.parent.pgid level: extended type: long format: string description: 'Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. Identifier of the group of processes the process belongs to.' default_field: false - name: process.parent.pid level: core type: long format: string description: Process id. example: 4242 default_field: false - name: process.parent.ppid level: extended type: long format: string description: Parent process' pid. example: 4241 default_field: false - name: process.parent.start level: extended type: date description: The time the process started. example: '2016-05-23T08:05:34.853Z' default_field: false - name: process.parent.thread.id level: extended type: long format: string description: Thread ID. example: 4242 default_field: false - name: process.parent.thread.name level: extended type: keyword ignore_above: 1024 description: Thread name. example: thread-0 default_field: false - name: process.parent.title level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: 'Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.' default_field: false - name: process.parent.uptime level: extended type: long description: Seconds the process has been up. example: 1325 default_field: false - name: process.parent.working_directory level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: The working directory of the process. example: /home/alice default_field: false - name: process.pe.company level: extended type: keyword ignore_above: 1024 description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - name: process.pe.description level: extended type: keyword ignore_above: 1024 description: Internal description of the file, provided at compile-time. example: Paint default_field: false - name: process.pe.file_version level: extended type: keyword ignore_above: 1024 description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - name: process.pe.imphash level: extended type: keyword ignore_above: 1024 description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - name: process.pe.original_file_name level: extended type: keyword ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - name: process.pe.product level: extended type: keyword ignore_above: 1024 description: Internal product name of the file, provided at compile-time. example: "Microsoft® Windows® Operating System" default_field: false - name: process.pgid level: extended type: long format: string description: 'Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. Identifier of the group of processes the process belongs to.' default_field: false - name: process.pid level: core type: long format: string description: Process id. example: 4242 default_field: false - name: process.ppid level: extended type: long format: string description: Parent process' pid. example: 4241 default_field: false - name: process.start level: extended type: date description: The time the process started. example: '2016-05-23T08:05:34.853Z' default_field: false - name: process.thread.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: process.thread.Ext.call_stack level: custom type: object description: Fields describing a stack frame. call_stack is expected to be an array where each array element represents a stack frame. enabled: false default_field: false - name: process.thread.Ext.call_stack.instruction_pointer level: custom type: keyword ignore_above: 1024 description: The return address of this stack frame. default_field: false - name: process.thread.Ext.call_stack.memory_section.memory_address level: custom type: keyword description: Base address of the memory region containing `instruction_pointer`. Corresponds to `MEMORY_BASIC_INFORMATION.BaseAddress` index: false doc_values: false default_field: false - name: process.thread.Ext.call_stack.memory_section.memory_size level: custom type: keyword description: Size of the memory region containing `instruction_pointer`. Corresponds to `MEMORY_BASIC_INFORMATION.RegionSize` index: false doc_values: false default_field: false - name: process.thread.Ext.call_stack.memory_section.protection level: custom type: keyword ignore_above: 1024 description: Memory protection flags of this memory region. Corresponds to `MEMORY_BASIC_INFORMATION.Protect` default_field: false - name: process.thread.Ext.call_stack.module_name level: custom type: keyword description: The name of the DLL/module containing `instruction_pointer`. index: false doc_values: false default_field: false - name: process.thread.Ext.call_stack.module_path level: custom type: keyword ignore_above: 1024 description: The path to the DLL/module containing `instruction_pointer`. default_field: false - name: process.thread.Ext.call_stack.rva level: custom type: keyword ignore_above: 1024 description: The relative virtual address of `instruction_pointer`. Computed as `instruction_pointer - MEMORY_BASIC_INFORMATION.AllocationBase`. default_field: false - name: process.thread.Ext.call_stack.symbol_info level: custom type: keyword ignore_above: 1024 description: The nearest symbol for `instruction_pointer`. default_field: false - name: process.thread.Ext.call_stack_final_user_module level: custom type: nested description: The final non-win32 module in the call stack. default_field: false - name: process.thread.Ext.call_stack_final_user_module.code_signature level: custom type: nested description: Code signature of the call_stack_final_user_module. default_field: false - name: process.thread.Ext.call_stack_final_user_module.code_signature.exists level: custom type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: process.thread.Ext.call_stack_final_user_module.code_signature.status level: custom type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: process.thread.Ext.call_stack_final_user_module.code_signature.subject_name level: custom type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: process.thread.Ext.call_stack_final_user_module.code_signature.trusted level: custom type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: process.thread.Ext.call_stack_final_user_module.code_signature.valid level: custom type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: process.thread.Ext.call_stack_final_user_module.hash level: custom type: object description: Hashes of the call_stack_final_user_module. default_field: false - name: process.thread.Ext.call_stack_final_user_module.hash.sha256 level: custom type: keyword ignore_above: 1024 description: The sha256 of the call_stack_final_user_module. example: d25ff1e6c6460a7f9de39198d182058c1712726008d187e1953b83abe977e4a0 default_field: false - name: process.thread.Ext.call_stack_final_user_module.name level: custom type: keyword ignore_above: 1024 description: The file name of the call_stack_final_user_module. example: example.dll default_field: false - name: process.thread.Ext.call_stack_final_user_module.path level: custom type: keyword ignore_above: 1024 description: The file path of the call_stack_final_user_module. example: C:\Program Files\Example\example.dll default_field: false - name: process.thread.Ext.call_stack_summary level: custom type: keyword ignore_above: 1024 description: Concatentation of the non-repeated modules in the call stack. example: ntdll.dll, example.exe, kernel32.dll, ntdll.dll default_field: false - name: process.thread.Ext.hardware_breakpoint_set level: custom type: boolean description: Whether a hardware breakpoint was set for the thread. This field is omitted if false. example: 'true' default_field: false - name: process.thread.Ext.original_start_address level: custom type: unsigned_long description: When a trampoline was detected, this indicates the original content for the thread start address in memory. example: 4194304 default_field: false - name: process.thread.Ext.original_start_address_allocation_offset level: custom type: unsigned_long description: When a trampoline was detected, this indicates the original content for the offset of original_start_address to the allocation base. example: 0 default_field: false - name: process.thread.Ext.original_start_address_bytes level: custom type: keyword ignore_above: 1024 description: When a trampoline was detected, this holds the original content of the hex-encoded bytes at the original thread start address. example: 48b84141414141414141ffe000ccccccccccccccccccccccccccccccccccccccc default_field: false - name: process.thread.Ext.original_start_address_bytes_disasm level: custom type: keyword ignore_above: 1024 description: When a trampoline was detected, this indicates the original content for the disassembled code pointed by the thread start address. example: mov rax, 0x4141414141414141\njmp rax default_field: false - name: process.thread.Ext.original_start_address_bytes_disasm_hash level: custom type: keyword ignore_above: 1024 description: When a trampoline was detected, this indicates the hash of original content for the disassembled code pointed by the thread start address. example: aacb1c801f9030f799e2f7350f053ebb760d42cbe81cd65021063c1c4d1a9c9c default_field: false - name: process.thread.Ext.original_start_address_module level: custom type: keyword ignore_above: 1024 description: When a trampoline was detected, this indicates the original content for the dll/module where the thread began execution. example: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe default_field: false - name: process.thread.Ext.parameter level: custom type: unsigned_long description: When a thread is created, this is the raw numerical value of its parameter. default_field: false - name: process.thread.Ext.parameter_bytes_compressed level: custom type: keyword description: Up to 512KB of raw data from the thread parameter, if it is a valid pointer. This is compressed with zlib. To reduce data volume, this is de-duplicated on the endpoint, and may be missing from many alerts if the same data would be sent multiple times. index: false doc_values: false default_field: false - name: process.thread.Ext.parameter_bytes_compressed_present level: custom type: boolean description: Whether parameter_bytes_compressed is present in this event. default_field: false - name: process.thread.Ext.service level: custom type: keyword ignore_above: 1024 description: Service associated with the thread. example: VaultSvc default_field: false - name: process.thread.Ext.start level: custom type: date description: The time the thread started. example: '2016-05-23T08:05:34.853Z' default_field: false - name: process.thread.Ext.start_address level: custom type: unsigned_long description: Memory address where the thread began execution. example: 4194304 default_field: false - name: process.thread.Ext.start_address_allocation_offset level: custom type: unsigned_long description: Offset of start_address into the memory allocation. Equal to start_address - start_address_details.allocation_base. example: 0 default_field: false - name: process.thread.Ext.start_address_bytes level: custom type: keyword ignore_above: 1024 description: A few (typically 32) raw opcode bytes at the thread start address, hex-encoded. example: c3cc0000cccccccccccccccccccccccccccccccccccccccccccccccccccccccc default_field: false - name: process.thread.Ext.start_address_bytes_disasm level: custom type: keyword ignore_above: 1024 description: The bytes at the thread start address, disassembled into human-readable assembly code. example: ret\nint3 default_field: false - name: process.thread.Ext.start_address_bytes_disasm_hash level: custom type: keyword ignore_above: 1024 description: The bytes at the thread start address, with immediate values capped to 0x100, disassembled into human-readable assembly code, then hashed. example: aacb1c801f9030f799e2f7350f053ebb760d42cbe81cd65021063c1c4d1a9c9c default_field: false - name: process.thread.Ext.start_address_module level: custom type: keyword ignore_above: 1024 description: The dll/module where the thread began execution. example: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe default_field: false - name: process.thread.Ext.token.domain level: custom type: keyword ignore_above: 1024 description: Domain of token user. default_field: false - name: process.thread.Ext.token.elevation level: custom type: boolean description: Whether the token is elevated or not default_field: false - name: process.thread.Ext.token.elevation_type level: custom type: keyword ignore_above: 1024 description: What level of elevation the token has example: one of "default", "full", "limited" default_field: false - name: process.thread.Ext.token.impersonation_level level: custom type: keyword ignore_above: 1024 description: Impersonation level. Only valid for impersonation tokens. default_field: false - name: process.thread.Ext.token.integrity_level level: custom type: long description: Numeric integrity level. default_field: false - name: process.thread.Ext.token.integrity_level_name level: custom type: keyword ignore_above: 1024 description: Human readable integrity level. example: one of "system", "high", "medium", "low", "untrusted" default_field: false - name: process.thread.Ext.token.is_appcontainer level: custom type: boolean description: Whether or not this is an appcontainer token. default_field: false - name: process.thread.Ext.token.privileges level: custom type: nested description: Array describing the privileges associated with the token. default_field: false - name: process.thread.Ext.token.privileges.description level: custom type: keyword ignore_above: 1024 description: Description of the privilege. default_field: false - name: process.thread.Ext.token.privileges.enabled level: custom type: boolean description: Whether or not the privilege is enabled. default_field: false - name: process.thread.Ext.token.privileges.name level: custom type: keyword ignore_above: 1024 description: Name of the privilege. default_field: false - name: process.thread.Ext.token.sid level: custom type: keyword ignore_above: 1024 description: Token user's Security Identifier (SID). default_field: false - name: process.thread.Ext.token.type level: custom type: keyword ignore_above: 1024 description: Type of the token, either primary or impersonation. default_field: false - name: process.thread.Ext.token.user level: custom type: keyword ignore_above: 1024 description: Username of token owner. default_field: false - name: process.thread.Ext.uptime level: custom type: long description: Seconds since thread started. default_field: false - name: process.thread.id level: extended type: long format: string description: Thread ID. example: 4242 default_field: false - name: process.thread.name level: extended type: keyword ignore_above: 1024 description: Thread name. example: thread-0 default_field: false - name: process.title level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: 'Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.' default_field: false - name: process.uptime level: extended type: long description: Seconds the process has been up. example: 1325 default_field: false - name: process.working_directory level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: The working directory of the process. example: /home/alice default_field: false - name: agent title: Agent group: 2 description: 'The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.' footnote: 'Examples: In the case of Beats for logs, the agent.name is filebeat. For APM, it is the agent running in the app/service. The agent information does not change if data is sent through queuing systems like Kafka, Redis, or processing systems such as Logstash or APM Server.' type: group default_field: true fields: - name: ephemeral_id level: extended type: keyword ignore_above: 1024 description: 'Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not.' example: 8a4f500f - name: id level: core type: keyword ignore_above: 1024 description: 'Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.' example: 8a4f500d - name: name level: core type: keyword ignore_above: 1024 description: 'Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from.' example: foo - name: type level: core type: keyword ignore_above: 1024 description: 'Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.' example: filebeat - name: version level: core type: keyword ignore_above: 1024 description: Version of the agent. example: 6.0.0-rc2 - name: cloud title: Cloud group: 2 description: Fields related to the cloud or infrastructure the events are coming from. footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on. The cloud fields may be self-nested under cloud.origin.* and cloud.target.* to describe origin or target service''s cloud information in the context of incoming or outgoing requests, respectively. However, the fieldsets cloud.origin.* and cloud.target.* must not be confused with the root cloud fieldset that is used to describe the cloud context of the actual service under observation. The fieldset cloud.origin.* may only be used in the context of incoming requests or events to provide the originating service''s cloud information. The fieldset cloud.target.* may only be used in the context of outgoing requests or events to describe the target service''s cloud information.' type: group default_field: true fields: - name: account.id level: extended type: keyword ignore_above: 1024 description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' example: 666777888999 - name: instance.name level: extended type: keyword ignore_above: 1024 description: Instance name of the host machine. - name: project.id level: extended type: keyword ignore_above: 1024 description: 'The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.' example: my-project default_field: false - name: provider level: extended type: keyword ignore_above: 1024 description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. example: aws - name: region level: extended type: keyword ignore_above: 1024 description: Region in which this host, resource, or service is located. example: us-east-1 - name: container title: Container group: 2 description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' type: group default_field: true fields: - name: id level: core type: keyword ignore_above: 1024 description: Unique container id. - name: image.name level: extended type: keyword ignore_above: 1024 description: Name of the image the container was built on. - name: image.tag level: extended type: keyword ignore_above: 1024 description: Container image tags. - name: name level: extended type: keyword ignore_above: 1024 description: Container name. - name: data_stream title: data_stream group: 2 description: Fields describing the new indexing strategy -- type: group default_field: true fields: - name: dataset level: custom type: constant_keyword description: Data stream dataset name. example: nginx.access default_field: false - name: namespace level: custom type: constant_keyword description: Data stream namespace. example: production default_field: false - name: type level: custom type: constant_keyword description: Data stream type. example: logs default_field: false - name: destination title: Destination group: 2 description: 'Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.' type: group default_field: true fields: - name: geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal - name: geo.continent_code level: core type: keyword ignore_above: 1024 description: Two-letter code representing continent's name. example: NA default_field: false - name: geo.continent_name level: core type: keyword ignore_above: 1024 description: Name of the continent. example: North America - name: geo.country_iso_code level: core type: keyword ignore_above: 1024 description: Country ISO code. example: CA - name: geo.country_name level: core type: keyword ignore_above: 1024 description: Country name. example: Canada - name: geo.location level: core type: geo_point description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended type: keyword ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.' example: boston-dc - name: geo.postal_code level: core type: keyword ignore_above: 1024 description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.' example: 94040 default_field: false - name: geo.region_iso_code level: core type: keyword ignore_above: 1024 description: Region ISO code. example: CA-QC - name: geo.region_name level: core type: keyword ignore_above: 1024 description: Region name. example: Quebec - name: geo.timezone level: core type: keyword ignore_above: 1024 description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false - name: ip level: core type: ip description: IP address of the destination (IPv4 or IPv6). - name: dll title: DLL group: 2 description: 'These fields contain information about code libraries dynamically loaded into processes. Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: * Dynamic-link library (`.dll`) commonly used on Windows * Shared Object (`.so`) commonly used on Unix-like operating systems * Dynamic library (`.dylib`) commonly used on macOS' type: group default_field: true fields: - name: Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: Ext.code_signature level: custom type: nested description: Nested version of ECS code_signature fieldset. default_field: false - name: Ext.code_signature.exists level: custom type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: Ext.code_signature.status level: custom type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: Ext.code_signature.subject_name level: custom type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: Ext.code_signature.trusted level: custom type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: Ext.code_signature.valid level: custom type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: Ext.compile_time level: custom type: date description: Timestamp from when the module was compiled. default_field: false - name: Ext.malware_classification.features level: custom type: object description: Intermediate field included by adding option with subset enabled: false default_field: false - name: Ext.malware_classification.features.data.buffer level: custom type: keyword ignore_above: 1024 description: The features extracted from this file and evaluated by the model. Usually an array of floats. Likely zlib-encoded. default_field: false - name: Ext.malware_classification.features.data.decompressed_size level: custom type: integer description: The decompressed size of buffer. default_field: false - name: Ext.malware_classification.features.data.encoding level: custom type: keyword ignore_above: 1024 description: The encoding of buffer (e.g. zlib). default_field: false - name: Ext.malware_classification.identifier level: custom type: keyword ignore_above: 1024 description: The model's unique identifier. default_field: false - name: Ext.malware_classification.score level: custom type: double description: The score produced by the classification model. default_field: false - name: Ext.malware_classification.threshold level: custom type: double description: The score threshold for the model. Files that score above this threshold are considered malicious. default_field: false - name: Ext.malware_classification.upx_packed level: custom type: boolean description: Whether UPX packing was detected. default_field: false - name: Ext.malware_classification.version level: custom type: keyword ignore_above: 1024 description: The version of the model used. default_field: false - name: Ext.mapped_address level: custom type: unsigned_long description: The base address where this module is loaded. default_field: false - name: Ext.mapped_size level: custom type: unsigned_long description: The size of this module's memory mapping, in bytes. default_field: false - name: code_signature.exists level: core type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: code_signature.signing_id level: extended type: keyword ignore_above: 1024 description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: code_signature.status level: extended type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: code_signature.subject_name level: core type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: code_signature.team_id level: extended type: keyword ignore_above: 1024 description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: code_signature.trusted level: extended type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: code_signature.valid level: extended type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: hash.md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash. default_field: false - name: hash.sha1 level: extended type: keyword ignore_above: 1024 description: SHA1 hash. default_field: false - name: hash.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. default_field: false - name: hash.sha512 level: extended type: keyword ignore_above: 1024 description: SHA512 hash. default_field: false - name: name level: core type: keyword ignore_above: 1024 description: 'Name of the library. This generally maps to the name of the file on disk.' example: kernel32.dll default_field: false - name: path level: extended type: keyword ignore_above: 1024 description: Full file path of the library. example: C:\Windows\System32\kernel32.dll default_field: false - name: pe.company level: extended type: keyword ignore_above: 1024 description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - name: pe.description level: extended type: keyword ignore_above: 1024 description: Internal description of the file, provided at compile-time. example: Paint default_field: false - name: pe.file_version level: extended type: keyword ignore_above: 1024 description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - name: pe.imphash level: extended type: keyword ignore_above: 1024 description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - name: pe.original_file_name level: extended type: keyword ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - name: pe.product level: extended type: keyword ignore_above: 1024 description: Internal product name of the file, provided at compile-time. example: "Microsoft® Windows® Operating System" default_field: false - name: dns title: DNS group: 2 description: 'Fields describing DNS queries and answers. DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`).' type: group default_field: true fields: - name: question.name level: extended type: keyword ignore_above: 1024 description: 'The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.' example: www.example.com - name: question.type level: extended type: keyword ignore_above: 1024 description: The type of record being queried. example: AAAA - name: ecs title: ECS group: 2 description: Meta-information specific to ECS. type: group default_field: true fields: - name: version level: core required: true type: keyword ignore_above: 1024 description: 'ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.' example: 1.0.0 - name: elastic title: Elastic group: 2 description: Holds fields and properties of data points and concepts in the elastic domain or namespace. type: group default_field: true fields: - name: agent level: custom type: object description: The agent fields contain data about the Elastic Agent. The Elastic Agent is the management agent that manages other agents or process on the host. default_field: false - name: agent.id level: custom type: keyword ignore_above: 1024 description: Unique identifier of this elastic agent (if one exists). example: c2a9093e-e289-4c0a-aa44-8c32a414fa7a default_field: false - name: event title: Event group: 2 description: 'The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events.' type: group default_field: true fields: - name: action level: core type: keyword ignore_above: 1024 description: 'The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.' example: user-password-change - name: category level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.' example: authentication - name: code level: extended type: keyword ignore_above: 1024 description: 'Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.' example: 4648 - name: created level: core type: date description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent''s or pipeline''s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.' example: '2016-05-23T08:05:34.857Z' - name: dataset level: core type: keyword ignore_above: 1024 description: 'Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It''s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.' example: apache.access - name: hash level: extended type: keyword ignore_above: 1024 description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. example: 123456789012345678901234567890ABCD - name: id level: core type: keyword ignore_above: 1024 description: Unique ID to describe the event. example: 8a4f500d - name: ingested level: core type: date description: 'Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It''s also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.' example: '2016-05-23T08:05:35.101Z' default_field: false - name: kind level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.' example: alert - name: module level: core type: keyword ignore_above: 1024 description: 'Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.' example: apache - name: outcome level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.' example: success - name: provider level: extended type: keyword ignore_above: 1024 description: 'Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).' example: kernel - name: risk_score level: core type: float description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. - name: sequence level: extended type: long format: string description: 'Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.' - name: severity level: core type: long format: string description: 'The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It''s up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.' example: 7 - name: type level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types.' - name: file title: File group: 2 description: 'A file is defined as a set of information that has been created on, or has existed on a filesystem. File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric.' type: group default_field: true fields: - name: Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: Ext.code_signature level: custom type: nested description: Nested version of ECS code_signature fieldset. default_field: false - name: Ext.code_signature.exists level: core type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: Ext.code_signature.status level: custom type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: Ext.code_signature.subject_name level: core type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: Ext.code_signature.trusted level: custom type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: Ext.code_signature.valid level: custom type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: Ext.entry_modified level: custom type: double description: Time of last status change. See `st_ctim` member of `struct stat`. default_field: false - name: Ext.macro.code_page level: custom type: long description: Identifies the character encoding used for this macro. https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers default_field: false - name: Ext.macro.collection level: custom type: object description: Object containing hashes for the macro collection. default_field: false - name: Ext.macro.collection.hash.md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash. default_field: false - name: Ext.macro.collection.hash.sha1 level: extended type: keyword ignore_above: 1024 description: SHA1 hash. default_field: false - name: Ext.macro.collection.hash.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. default_field: false - name: Ext.macro.collection.hash.sha512 level: extended type: keyword ignore_above: 1024 description: SHA512 hash. default_field: false - name: Ext.macro.errors level: custom type: nested description: Errors that occurred when parsing this document file. default_field: false - name: Ext.macro.errors.count level: custom type: long description: Number of times this error that occurred. default_field: false - name: Ext.macro.errors.error_type level: custom type: keyword ignore_above: 1024 description: The type of parsing error that occurred. default_field: false - name: Ext.macro.file_extension level: custom type: keyword ignore_above: 1024 description: The extension of the file containing this macro (e.g. .docm) default_field: false - name: Ext.macro.project_file level: custom type: object description: Metadata about the corresponding VBA project file default_field: false - name: Ext.macro.project_file.hash.md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash. default_field: false - name: Ext.macro.project_file.hash.sha1 level: extended type: keyword ignore_above: 1024 description: SHA1 hash. default_field: false - name: Ext.macro.project_file.hash.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. default_field: false - name: Ext.macro.project_file.hash.sha512 level: extended type: keyword ignore_above: 1024 description: SHA512 hash. default_field: false - name: Ext.macro.stream level: custom type: nested description: Streams associated with the document. default_field: false - name: Ext.macro.stream.hash.md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash. default_field: false - name: Ext.macro.stream.hash.sha1 level: extended type: keyword ignore_above: 1024 description: SHA1 hash. default_field: false - name: Ext.macro.stream.hash.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. default_field: false - name: Ext.macro.stream.hash.sha512 level: extended type: keyword ignore_above: 1024 description: SHA512 hash. default_field: false - name: Ext.macro.stream.name level: custom type: keyword ignore_above: 1024 description: Name of the stream. default_field: false - name: Ext.macro.stream.raw_code level: custom type: keyword ignore_above: 1024 description: First 100KB of raw stream binary. Can be useful to analyze false positives and malicious payloads. default_field: false - name: Ext.macro.stream.raw_code_size level: custom type: keyword ignore_above: 1024 description: The original stream size. Indicates whether stream.raw_code was truncated. default_field: false - name: Ext.malware_classification.features level: custom type: object description: Intermediate field included by adding option with subset enabled: false default_field: false - name: Ext.malware_classification.features.data.buffer level: custom type: keyword ignore_above: 1024 description: The features extracted from this file and evaluated by the model. Usually an array of floats. Likely zlib-encoded. default_field: false - name: Ext.malware_classification.features.data.decompressed_size level: custom type: integer description: The decompressed size of buffer. default_field: false - name: Ext.malware_classification.features.data.encoding level: custom type: keyword ignore_above: 1024 description: The encoding of buffer (e.g. zlib). default_field: false - name: Ext.malware_classification.identifier level: custom type: keyword ignore_above: 1024 description: The model's unique identifier. default_field: false - name: Ext.malware_classification.score level: custom type: double description: The score produced by the classification model. default_field: false - name: Ext.malware_classification.threshold level: custom type: double description: The score threshold for the model. Files that score above this threshold are considered malicious. default_field: false - name: Ext.malware_classification.upx_packed level: custom type: boolean description: Whether UPX packing was detected. default_field: false - name: Ext.malware_classification.version level: custom type: keyword ignore_above: 1024 description: The version of the model used. default_field: false - name: Ext.original level: custom type: object description: Original file information during a modification event. default_field: false - name: Ext.original.gid level: custom type: keyword ignore_above: 1024 description: Primary group ID (GID) of the file. example: '1001' default_field: false - name: Ext.original.group level: custom type: keyword ignore_above: 1024 description: Primary group name of the file. example: alice default_field: false - name: Ext.original.mode level: custom type: keyword ignore_above: 1024 description: Original file mode prior to a modification event default_field: false - name: Ext.original.name level: custom type: keyword ignore_above: 1024 description: Original file name prior to a modification event default_field: false - name: Ext.original.owner level: custom type: keyword ignore_above: 1024 description: File owner's username. example: alice default_field: false - name: Ext.original.path level: custom type: keyword ignore_above: 1024 description: Original file path prior to a modification event default_field: false - name: Ext.original.uid level: custom type: keyword ignore_above: 1024 description: The user ID (UID) or security identifier (SID) of the file owner. example: '1001' default_field: false - name: Ext.quarantine_message level: custom type: keyword ignore_above: 1024 description: Message describing quarantine results. default_field: false - name: Ext.quarantine_path level: custom type: keyword ignore_above: 1024 description: Path on endpoint the quarantined file was originally. default_field: false - name: Ext.quarantine_result level: custom type: boolean description: Boolean representing whether or not file quarantine succeeded. default_field: false - name: Ext.temp_file_path level: custom type: keyword ignore_above: 1024 description: Path on endpoint where a copy of the file is being stored. Used to make ephemeral files retrievable. default_field: false - name: Ext.windows level: custom type: object description: Platform-specific Windows fields default_field: false - name: Ext.windows.zone_identifier level: custom type: keyword ignore_above: 1024 description: Windows zone identifier for a file default_field: false - name: accessed level: extended type: date description: 'Last time the file was accessed. Note that not all filesystems keep track of access time.' - name: attributes level: extended type: keyword ignore_above: 1024 description: 'Array of file attributes. Attributes names will vary by platform. Here''s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.' example: '["readonly", "system"]' default_field: false - name: code_signature.exists level: core type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: code_signature.signing_id level: extended type: keyword ignore_above: 1024 description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: code_signature.status level: extended type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: code_signature.subject_name level: core type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: code_signature.team_id level: extended type: keyword ignore_above: 1024 description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: code_signature.trusted level: extended type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: code_signature.valid level: extended type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: created level: extended type: date description: 'File creation time. Note that not all filesystems store the creation time.' - name: ctime level: extended type: date description: 'Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.' - name: device level: extended type: keyword ignore_above: 1024 description: Device that is the source of the file. example: sda - name: directory level: extended type: keyword ignore_above: 1024 description: Directory where the file is located. It should include the drive letter, when appropriate. example: /home/alice - name: drive_letter level: extended type: keyword ignore_above: 1 description: 'Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.' example: C default_field: false - name: extension level: extended type: keyword ignore_above: 1024 description: 'File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").' example: png - name: gid level: extended type: keyword ignore_above: 1024 description: Primary group ID (GID) of the file. example: '1001' - name: group level: extended type: keyword ignore_above: 1024 description: Primary group name of the file. example: alice - name: hash.md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash. - name: hash.sha1 level: extended type: keyword ignore_above: 1024 description: SHA1 hash. - name: hash.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. - name: hash.sha512 level: extended type: keyword ignore_above: 1024 description: SHA512 hash. - name: inode level: extended type: keyword ignore_above: 1024 description: Inode representing the file in the filesystem. example: '256383' - name: mime_type level: extended type: keyword ignore_above: 1024 description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. default_field: false - name: mode level: extended type: keyword ignore_above: 1024 description: Mode of the file in octal representation. example: '0640' - name: mtime level: extended type: date description: Last time the file content was modified. - name: name level: extended type: keyword ignore_above: 1024 description: Name of the file including the extension, without the directory. example: example.png - name: owner level: extended type: keyword ignore_above: 1024 description: File owner's username. example: alice - name: path level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Full path to the file, including the file name. It should include the drive letter, when appropriate. example: /home/alice/example.png - name: pe.Ext.dotnet level: custom type: boolean description: Whether this file is a .NET PE example: 'true' default_field: false - name: pe.Ext.sections level: custom type: object description: The file's relevant sections, if it is a PE default_field: false - name: pe.Ext.sections.hash.md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash. default_field: false - name: pe.Ext.sections.hash.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. default_field: false - name: pe.Ext.sections.name level: custom type: keyword ignore_above: 1024 description: The section's name example: .reloc default_field: false - name: pe.Ext.streams level: custom type: object description: The file's streams, if it is a PE default_field: false - name: pe.Ext.streams.hash.md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash. default_field: false - name: pe.Ext.streams.hash.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. default_field: false - name: pe.Ext.streams.name level: custom type: keyword ignore_above: 1024 description: The stream's name example: .reloc default_field: false - name: pe.company level: extended type: keyword ignore_above: 1024 description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - name: pe.description level: extended type: keyword ignore_above: 1024 description: Internal description of the file, provided at compile-time. example: Paint default_field: false - name: pe.file_version level: extended type: keyword ignore_above: 1024 description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - name: pe.imphash level: extended type: keyword ignore_above: 1024 description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - name: pe.original_file_name level: extended type: keyword ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - name: pe.product level: extended type: keyword ignore_above: 1024 description: Internal product name of the file, provided at compile-time. example: "Microsoft® Windows® Operating System" default_field: false - name: size level: extended type: long description: 'File size in bytes. Only relevant when `file.type` is "file".' example: 16384 - name: target_path level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Target path for symlinks. - name: type level: extended type: keyword ignore_above: 1024 description: File type (file, dir, or symlink). example: file - name: uid level: extended type: keyword ignore_above: 1024 description: The user ID (UID) or security identifier (SID) of the file owner. example: '1001' - name: group title: Group group: 2 description: The group fields are meant to represent groups that are relevant to the event. type: group default_field: true fields: - name: Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: Ext.real level: custom type: object description: Group info prior to any setgid operations. default_field: false - name: Ext.real.id level: custom type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: Ext.real.name level: custom type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: domain level: extended type: keyword ignore_above: 1024 description: Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. - name: id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. - name: name level: extended type: keyword ignore_above: 1024 description: Name of the group. - name: host title: Host group: 2 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group default_field: true fields: - name: architecture level: core type: keyword ignore_above: 1024 description: Operating system architecture. example: x86_64 - name: boot.id level: extended type: keyword ignore_above: 1024 description: Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note the boot_id value from /proc may or may not be the same in containers as on the host. Some container runtimes will bind mount a new boot_id value onto the proc file in each container. example: 88a1f0ed-5ae5-41ee-af6b-41921c311872 default_field: false - name: domain level: extended type: keyword ignore_above: 1024 description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO default_field: false - name: geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal - name: geo.continent_code level: core type: keyword ignore_above: 1024 description: Two-letter code representing continent's name. example: NA default_field: false - name: geo.continent_name level: core type: keyword ignore_above: 1024 description: Name of the continent. example: North America - name: geo.country_iso_code level: core type: keyword ignore_above: 1024 description: Country ISO code. example: CA - name: geo.country_name level: core type: keyword ignore_above: 1024 description: Country name. example: Canada - name: geo.location level: core type: geo_point description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended type: keyword ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.' example: boston-dc - name: geo.postal_code level: core type: keyword ignore_above: 1024 description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.' example: 94040 default_field: false - name: geo.region_iso_code level: core type: keyword ignore_above: 1024 description: Region ISO code. example: CA-QC - name: geo.region_name level: core type: keyword ignore_above: 1024 description: Region name. example: Quebec - name: geo.timezone level: core type: keyword ignore_above: 1024 description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false - name: hostname level: core type: keyword ignore_above: 1024 description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - name: id level: core type: keyword ignore_above: 1024 description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - name: ip level: core type: ip description: Host ip addresses. - name: mac level: core type: keyword ignore_above: 1024 description: 'Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.' example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - name: name level: core type: keyword ignore_above: 1024 description: 'Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.' - name: os.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: os.Ext.variant level: custom type: keyword ignore_above: 1024 description: A string value or phrase that further aid to classify or qualify the operating system (OS). For example the distribution for a Linux OS will be entered in this field. example: Ubuntu default_field: false - name: os.family level: extended type: keyword ignore_above: 1024 description: OS family (such as redhat, debian, freebsd, windows). example: debian - name: os.full level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Operating system name, including the version or code name. example: Mac OS Mojave - name: os.kernel level: extended type: keyword ignore_above: 1024 description: Operating system kernel version as a raw string. example: 4.4.0-112-generic - name: os.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Operating system name, without the version. example: Mac OS X - name: os.platform level: extended type: keyword ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin - name: os.type level: extended type: keyword ignore_above: 1024 description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you''re dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.' example: macos default_field: false - name: os.version level: extended type: keyword ignore_above: 1024 description: Operating system version as a raw string. example: 10.14.1 - name: pid_ns_ino level: extended type: keyword ignore_above: 1024 description: This is the inode number of the namespace in the namespace file system (nsfs). Unsigned int inum in include/linux/ns_common.h. example: 256383 default_field: false - name: type level: core type: keyword ignore_above: 1024 description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: uptime level: extended type: long description: Seconds the host has been up. example: 1325 - name: user.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: user.Ext.real level: custom type: object description: User info prior to any setuid operations. default_field: false - name: user.Ext.real.id level: custom type: keyword ignore_above: 1024 description: One or multiple unique identifiers of the user. default_field: false - name: user.Ext.real.name level: custom type: keyword ignore_above: 1024 description: Short name or login of the user. default_field: false - name: user.domain level: extended type: keyword ignore_above: 1024 description: 'Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.' - name: user.email level: extended type: keyword ignore_above: 1024 description: User email address. - name: user.full_name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text default_field: false description: User's full name, if available. example: Albert Einstein - name: user.group.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: user.group.Ext.real level: custom type: object description: Group info prior to any setgid operations. default_field: false - name: user.group.Ext.real.id level: custom type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: user.group.Ext.real.name level: custom type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: user.group.domain level: extended type: keyword ignore_above: 1024 description: Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. - name: user.group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. - name: user.group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. - name: user.hash level: extended type: keyword ignore_above: 1024 description: 'Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.' - name: user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - name: user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text default_field: false description: Short name or login of the user. example: a.einstein - name: orchestrator title: Orchestrator group: 2 description: Fields that describe the resources which container orchestrators manage or act upon. type: group default_field: true fields: - name: cluster.name level: extended type: keyword ignore_above: 1024 description: Name of the cluster. default_field: false - name: namespace level: extended type: keyword ignore_above: 1024 description: Namespace in which the action is taking place. example: kube-system default_field: false - name: resource.name level: extended type: keyword ignore_above: 1024 description: Name of the resource being acted upon. example: test-pod-cdcws default_field: false - name: resource.type level: extended type: keyword ignore_above: 1024 description: Type of resource being acted upon. example: service default_field: false - name: process title: Process group: 2 description: 'These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation.' type: group default_field: true fields: - name: Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: Ext.ancestry level: custom type: keyword ignore_above: 1024 description: An array of entity_ids indicating the ancestors for this event default_field: false - name: Ext.architecture level: custom type: keyword ignore_above: 1024 description: Process architecture. It can differ from host architecture. example: x86_64 default_field: false - name: Ext.authentication_id level: custom type: keyword ignore_above: 1024 description: Process authentication ID default_field: false - name: Ext.code_signature level: custom type: nested description: Nested version of ECS code_signature fieldset. default_field: false - name: Ext.code_signature.exists level: custom type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: Ext.code_signature.status level: custom type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: Ext.code_signature.subject_name level: custom type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: Ext.code_signature.trusted level: custom type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: Ext.code_signature.valid level: custom type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: Ext.dll.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: Ext.dll.Ext.code_signature level: custom type: nested description: Nested version of ECS code_signature fieldset. default_field: false - name: Ext.dll.Ext.code_signature.exists level: custom type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: Ext.dll.Ext.code_signature.status level: custom type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: Ext.dll.Ext.code_signature.subject_name level: custom type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: Ext.dll.Ext.code_signature.trusted level: custom type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: Ext.dll.Ext.code_signature.valid level: custom type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: Ext.dll.Ext.compile_time level: custom type: date description: Timestamp from when the module was compiled. default_field: false - name: Ext.dll.Ext.mapped_address level: custom type: unsigned_long description: The base address where this module is loaded. default_field: false - name: Ext.dll.Ext.mapped_size level: custom type: unsigned_long description: The size of this module's memory mapping, in bytes. default_field: false - name: Ext.dll.code_signature.exists level: core type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: Ext.dll.code_signature.signing_id level: extended type: keyword ignore_above: 1024 description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: Ext.dll.code_signature.status level: extended type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: Ext.dll.code_signature.subject_name level: core type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: Ext.dll.code_signature.team_id level: extended type: keyword ignore_above: 1024 description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: Ext.dll.code_signature.trusted level: extended type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: Ext.dll.code_signature.valid level: extended type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: Ext.dll.hash.md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash. default_field: false - name: Ext.dll.hash.sha1 level: extended type: keyword ignore_above: 1024 description: SHA1 hash. default_field: false - name: Ext.dll.hash.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. default_field: false - name: Ext.dll.hash.sha512 level: extended type: keyword ignore_above: 1024 description: SHA512 hash. default_field: false - name: Ext.dll.name level: core type: keyword ignore_above: 1024 description: 'Name of the library. This generally maps to the name of the file on disk.' example: kernel32.dll default_field: false - name: Ext.dll.path level: extended type: keyword ignore_above: 1024 description: Full file path of the library. example: C:\Windows\System32\kernel32.dll default_field: false - name: Ext.dll.pe.company level: extended type: keyword ignore_above: 1024 description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - name: Ext.dll.pe.description level: extended type: keyword ignore_above: 1024 description: Internal description of the file, provided at compile-time. example: Paint default_field: false - name: Ext.dll.pe.file_version level: extended type: keyword ignore_above: 1024 description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - name: Ext.dll.pe.imphash level: extended type: keyword ignore_above: 1024 description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - name: Ext.dll.pe.original_file_name level: extended type: keyword ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - name: Ext.dll.pe.product level: extended type: keyword ignore_above: 1024 description: Internal product name of the file, provided at compile-time. example: "Microsoft® Windows® Operating System" default_field: false - name: Ext.malware_classification.features level: custom type: object description: Intermediate field included by adding option with subset enabled: false default_field: false - name: Ext.malware_classification.features.data.buffer level: custom type: keyword ignore_above: 1024 description: The features extracted from this file and evaluated by the model. Usually an array of floats. Likely zlib-encoded. default_field: false - name: Ext.malware_classification.features.data.decompressed_size level: custom type: integer description: The decompressed size of buffer. default_field: false - name: Ext.malware_classification.features.data.encoding level: custom type: keyword ignore_above: 1024 description: The encoding of buffer (e.g. zlib). default_field: false - name: Ext.malware_classification.identifier level: custom type: keyword ignore_above: 1024 description: The model's unique identifier. default_field: false - name: Ext.malware_classification.score level: custom type: double description: The score produced by the classification model. default_field: false - name: Ext.malware_classification.threshold level: custom type: double description: The score threshold for the model. Files that score above this threshold are considered malicious. default_field: false - name: Ext.malware_classification.upx_packed level: custom type: boolean description: Whether UPX packing was detected. default_field: false - name: Ext.malware_classification.version level: custom type: keyword ignore_above: 1024 description: The version of the model used. default_field: false - name: Ext.memory_region.allocation_base level: custom type: unsigned_long description: Base address of the memory allocation containing the memory region. example: 2431737462784 default_field: false - name: Ext.memory_region.allocation_protection level: custom type: keyword ignore_above: 1024 description: Original memory protection requested when the memory was allocated. Example values include "RWX" and "R-X". example: RWX default_field: false - name: Ext.memory_region.allocation_size level: custom type: unsigned_long description: Original memory size requested when the memory was allocated. example: 4096 default_field: false - name: Ext.memory_region.allocation_type level: custom type: keyword ignore_above: 1024 description: The memory allocation type. Example values include "IMAGE", "MAPPED", and "PRIVATE". example: PRIVATE default_field: false - name: Ext.memory_region.bytes_address level: custom type: unsigned_long description: The address where bytes_compressed begins. example: 2431737462784 default_field: false - name: Ext.memory_region.bytes_allocation_offset level: custom type: unsigned_long description: Offset of bytes_address the memory allocation. Equal to bytes_address - allocation_base. example: 0 default_field: false - name: Ext.memory_region.bytes_compressed level: custom type: keyword description: Up to 4MB of raw data from the memory allocation. This is compressed with zlib.To reduce data volume, this is de-duplicated on the endpoint, and may be missing from many alerts if the same data would be sent multiple times. example: eJzzSM3JyVcIzy/KSVEEABxJBD4= index: false doc_values: false default_field: false - name: Ext.memory_region.bytes_compressed_present level: custom type: boolean description: Whether bytes_compressed is present in this event. example: false default_field: false - name: Ext.memory_region.malware_signature.all_names level: custom type: keyword ignore_above: 1024 description: A sequence of signature names matched. example: Windows.EICAR.Not-a-virus default_field: false - name: Ext.memory_region.malware_signature.identifier level: custom type: keyword ignore_above: 1024 description: malware signature identifier default_field: false - name: Ext.memory_region.malware_signature.primary level: custom type: object description: The first matching details. default_field: false - name: Ext.memory_region.malware_signature.primary.matches level: custom type: keyword description: The first matching details. index: false doc_values: false default_field: false - name: Ext.memory_region.malware_signature.primary.signature.hash level: custom type: nested description: hash of file matching signature. default_field: false - name: Ext.memory_region.malware_signature.primary.signature.hash.sha256 level: custom type: keyword ignore_above: 1024 description: sha256 hash of file matching signature. default_field: false - name: Ext.memory_region.malware_signature.primary.signature.id level: custom type: keyword ignore_above: 1024 description: The id of the first yara rule matched. default_field: false - name: Ext.memory_region.malware_signature.primary.signature.name level: custom type: keyword ignore_above: 1024 description: The name of the first yara rule matched. default_field: false - name: Ext.memory_region.malware_signature.version level: custom type: keyword ignore_above: 1024 description: malware signature version default_field: false - name: Ext.memory_region.mapped_path level: custom type: keyword ignore_above: 1024 description: If the memory corresponds to a file mapping, this is the file's path. example: C:\Windows\System32\mshtml.dll default_field: false - name: Ext.memory_region.mapped_pe.company level: extended type: keyword ignore_above: 1024 description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - name: Ext.memory_region.mapped_pe.description level: extended type: keyword ignore_above: 1024 description: Internal description of the file, provided at compile-time. example: Paint default_field: false - name: Ext.memory_region.mapped_pe.file_version level: extended type: keyword ignore_above: 1024 description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - name: Ext.memory_region.mapped_pe.imphash level: extended type: keyword ignore_above: 1024 description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - name: Ext.memory_region.mapped_pe.original_file_name level: extended type: keyword ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - name: Ext.memory_region.mapped_pe.product level: extended type: keyword ignore_above: 1024 description: Internal product name of the file, provided at compile-time. example: "Microsoft® Windows® Operating System" default_field: false - name: Ext.memory_region.mapped_pe_detected level: custom type: boolean description: Whether the file at mapped_path is an executable. example: false default_field: false - name: Ext.memory_region.memory_pe.company level: extended type: keyword ignore_above: 1024 description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - name: Ext.memory_region.memory_pe.description level: extended type: keyword ignore_above: 1024 description: Internal description of the file, provided at compile-time. example: Paint default_field: false - name: Ext.memory_region.memory_pe.file_version level: extended type: keyword ignore_above: 1024 description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - name: Ext.memory_region.memory_pe.imphash level: extended type: keyword ignore_above: 1024 description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - name: Ext.memory_region.memory_pe.original_file_name level: extended type: keyword ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - name: Ext.memory_region.memory_pe.product level: extended type: keyword ignore_above: 1024 description: Internal product name of the file, provided at compile-time. example: "Microsoft® Windows® Operating System" default_field: false - name: Ext.memory_region.memory_pe_detected level: custom type: boolean description: Whether an executable file was found in memory. example: false default_field: false - name: Ext.memory_region.region_base level: custom type: unsigned_long description: Base address of the memory region. example: 2431737462784 default_field: false - name: Ext.memory_region.region_protection level: custom type: keyword ignore_above: 1024 description: Memory protection of the memory region. Example values include "RWX" and "R-X". example: RWX default_field: false - name: Ext.memory_region.region_size level: custom type: unsigned_long description: Size of the memory region. example: 4096 default_field: false - name: Ext.memory_region.region_state level: custom type: keyword ignore_above: 1024 description: State of the memory region. Example values include "RESERVE", "COMMIT", and "FREE". example: COMMIT default_field: false - name: Ext.memory_region.strings level: custom type: keyword description: Array of strings found within the memory region. index: false doc_values: false default_field: false - name: Ext.protection level: custom type: keyword ignore_above: 1024 description: Indicates the protection level of this process. Uses the same syntax as Process Explorer. Examples include PsProtectedSignerWinTcb, PsProtectedSignerWinTcb-Light, and PsProtectedSignerWindows-Light. default_field: false - name: Ext.services level: custom type: keyword ignore_above: 1024 description: Services running in this process. default_field: false - name: Ext.session level: custom type: keyword ignore_above: 1024 description: Session information for the current process default_field: false - name: Ext.token.domain level: custom type: keyword ignore_above: 1024 description: Domain of token user. default_field: false - name: Ext.token.elevation level: custom type: boolean description: Whether the token is elevated or not default_field: false - name: Ext.token.elevation_type level: custom type: keyword ignore_above: 1024 description: What level of elevation the token has example: one of "default", "full", "limited" default_field: false - name: Ext.token.impersonation_level level: custom type: keyword ignore_above: 1024 description: Impersonation level. Only valid for impersonation tokens. default_field: false - name: Ext.token.integrity_level level: custom type: long description: Numeric integrity level. default_field: false - name: Ext.token.integrity_level_name level: custom type: keyword ignore_above: 1024 description: Human readable integrity level. example: one of "system", "high", "medium", "low", "untrusted" default_field: false - name: Ext.token.is_appcontainer level: custom type: boolean description: Whether or not this is an appcontainer token. default_field: false - name: Ext.token.privileges level: custom type: nested description: Array describing the privileges associated with the token. default_field: false - name: Ext.token.privileges.description level: custom type: keyword ignore_above: 1024 description: Description of the privilege. default_field: false - name: Ext.token.privileges.enabled level: custom type: boolean description: Whether or not the privilege is enabled. default_field: false - name: Ext.token.privileges.name level: custom type: keyword ignore_above: 1024 description: Name of the privilege. default_field: false - name: Ext.token.sid level: custom type: keyword ignore_above: 1024 description: Token user's Security Identifier (SID). default_field: false - name: Ext.token.type level: custom type: keyword ignore_above: 1024 description: Type of the token, either primary or impersonation. default_field: false - name: Ext.token.user level: custom type: keyword ignore_above: 1024 description: Username of token owner. default_field: false - name: Ext.user level: custom type: keyword ignore_above: 1024 description: User associated with the running process. default_field: false - name: args level: extended type: keyword ignore_above: 1024 description: 'Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.' example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - name: args_count level: extended type: long description: 'Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.' example: 4 default_field: false - name: code_signature.exists level: core type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: code_signature.signing_id level: extended type: keyword ignore_above: 1024 description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: code_signature.status level: extended type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: code_signature.subject_name level: core type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: code_signature.team_id level: extended type: keyword ignore_above: 1024 description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: code_signature.trusted level: extended type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: code_signature.valid level: extended type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: command_line level: extended type: wildcard multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 default_field: false - name: entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: entry_leader.args level: extended type: keyword ignore_above: 1024 description: 'Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.' example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' default_field: false - name: entry_leader.args_count level: extended type: long description: 'Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.' example: 4 default_field: false - name: entry_leader.command_line level: extended type: wildcard multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 default_field: false - name: entry_leader.entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: entry_leader.entry_meta.source.ip level: core type: ip description: IP address of the source (IPv4 or IPv6). default_field: false - name: entry_leader.entry_meta.type level: extended type: keyword ignore_above: 1024 description: 'The entry type for the entry session leader. Values include: init(e.g systemd), sshd, ssm, kubelet, teleport, terminal, console Note: This field is only set on process.session_leader.' default_field: false - name: entry_leader.executable level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: Absolute path to the process executable. example: /usr/bin/ssh default_field: false - name: entry_leader.group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: entry_leader.group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: entry_leader.interactive level: extended type: boolean description: 'Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.' example: true default_field: false - name: entry_leader.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: 'Process name. Sometimes called program name or similar.' example: ssh default_field: false - name: entry_leader.parent.entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: entry_leader.parent.pid level: core type: long format: string description: Process id. example: 4242 default_field: false - name: entry_leader.parent.session_leader.entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: entry_leader.parent.session_leader.pid level: core type: long format: string description: Process id. example: 4242 default_field: false - name: entry_leader.parent.session_leader.start level: extended type: date description: The time the process started. example: '2016-05-23T08:05:34.853Z' default_field: false - name: entry_leader.parent.start level: extended type: date description: The time the process started. example: '2016-05-23T08:05:34.853Z' default_field: false - name: entry_leader.pid level: core type: long format: string description: Process id. example: 4242 default_field: false - name: entry_leader.real_group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: entry_leader.real_group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: entry_leader.real_user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - name: entry_leader.real_user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: Short name or login of the user. example: a.einstein default_field: false - name: entry_leader.same_as_process level: extended type: boolean description: 'This boolean is used to identify if a leader process is the same as the top level process. For example, if `process.group_leader.same_as_process = true`, it means the process event in question is the leader of its process group. Details under `process.*` like `pid` would be the same under `process.group_leader.*` The same applies for both `process.session_leader` and `process.entry_leader`. This field exists to the benefit of EQL and other rule engines since it''s not possible to compare equality between two fields in a single document. e.g `process.entity_id` = `process.group_leader.entity_id` (top level process is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is the entry session leader) Instead these rules could be written like: `process.group_leader.same_as_process: true` OR `process.entry_leader.same_as_process: true` Note: This field is only set on `process.entry_leader`, `process.session_leader` and `process.group_leader`.' example: true default_field: false - name: entry_leader.saved_group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: entry_leader.saved_group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: entry_leader.saved_user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - name: entry_leader.saved_user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: Short name or login of the user. example: a.einstein default_field: false - name: entry_leader.start level: extended type: date description: The time the process started. example: '2016-05-23T08:05:34.853Z' default_field: false - name: entry_leader.supplemental_groups.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: entry_leader.supplemental_groups.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: entry_leader.tty level: extended type: object description: Information about the controlling TTY device. If set, the process belongs to an interactive session. default_field: false - name: entry_leader.tty.char_device.major level: extended type: long description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. example: 4 default_field: false - name: entry_leader.tty.char_device.minor level: extended type: long description: "The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them." example: 1 default_field: false - name: entry_leader.user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - name: entry_leader.user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: Short name or login of the user. example: a.einstein default_field: false - name: entry_leader.working_directory level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: The working directory of the process. example: /home/alice default_field: false - name: env_vars level: extended type: keyword ignore_above: 1024 description: 'Array of environment variable bindings. Captured from a snapshot of the environment at the time of execution. May be filtered to protect sensitive information.' example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' default_field: false - name: executable level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Absolute path to the process executable. example: /usr/bin/ssh - name: exit_code level: extended type: long description: 'The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).' example: 137 default_field: false - name: group_leader.args level: extended type: keyword ignore_above: 1024 description: 'Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.' example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' default_field: false - name: group_leader.args_count level: extended type: long description: 'Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.' example: 4 default_field: false - name: group_leader.command_line level: extended type: wildcard multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 default_field: false - name: group_leader.entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: group_leader.executable level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: Absolute path to the process executable. example: /usr/bin/ssh default_field: false - name: group_leader.group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: group_leader.group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: group_leader.interactive level: extended type: boolean description: 'Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.' example: true default_field: false - name: group_leader.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: 'Process name. Sometimes called program name or similar.' example: ssh default_field: false - name: group_leader.pid level: core type: long format: string description: Process id. example: 4242 default_field: false - name: group_leader.real_group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: group_leader.real_group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: group_leader.real_user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - name: group_leader.real_user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: Short name or login of the user. example: a.einstein default_field: false - name: group_leader.same_as_process level: extended type: boolean description: 'This boolean is used to identify if a leader process is the same as the top level process. For example, if `process.group_leader.same_as_process = true`, it means the process event in question is the leader of its process group. Details under `process.*` like `pid` would be the same under `process.group_leader.*` The same applies for both `process.session_leader` and `process.entry_leader`. This field exists to the benefit of EQL and other rule engines since it''s not possible to compare equality between two fields in a single document. e.g `process.entity_id` = `process.group_leader.entity_id` (top level process is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is the entry session leader) Instead these rules could be written like: `process.group_leader.same_as_process: true` OR `process.entry_leader.same_as_process: true` Note: This field is only set on `process.entry_leader`, `process.session_leader` and `process.group_leader`.' example: true default_field: false - name: group_leader.saved_group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: group_leader.saved_group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: group_leader.saved_user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - name: group_leader.saved_user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: Short name or login of the user. example: a.einstein default_field: false - name: group_leader.start level: extended type: date description: The time the process started. example: '2016-05-23T08:05:34.853Z' default_field: false - name: group_leader.supplemental_groups.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: group_leader.supplemental_groups.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: group_leader.tty level: extended type: object description: Information about the controlling TTY device. If set, the process belongs to an interactive session. default_field: false - name: group_leader.tty.char_device.major level: extended type: long description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. example: 4 default_field: false - name: group_leader.tty.char_device.minor level: extended type: long description: "The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them." example: 1 default_field: false - name: group_leader.user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - name: group_leader.user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: Short name or login of the user. example: a.einstein default_field: false - name: group_leader.working_directory level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: The working directory of the process. example: /home/alice default_field: false - name: hash.md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash. - name: hash.sha1 level: extended type: keyword ignore_above: 1024 description: SHA1 hash. - name: hash.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. - name: hash.sha512 level: extended type: keyword ignore_above: 1024 description: SHA512 hash. - name: interactive level: extended type: boolean description: 'Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.' example: true default_field: false - name: name level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: 'Process name. Sometimes called program name or similar.' example: ssh - name: parent.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: parent.Ext.architecture level: custom type: keyword ignore_above: 1024 description: Process architecture. It can differ from host architecture. example: x86_64 default_field: false - name: parent.Ext.code_signature level: custom type: nested description: Nested version of ECS code_signature fieldset. default_field: false - name: parent.Ext.code_signature.exists level: custom type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: parent.Ext.code_signature.status level: custom type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: parent.Ext.code_signature.subject_name level: custom type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: parent.Ext.code_signature.trusted level: custom type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: parent.Ext.code_signature.valid level: custom type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: parent.Ext.dll.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: parent.Ext.dll.Ext.code_signature level: custom type: nested description: Nested version of ECS code_signature fieldset. default_field: false - name: parent.Ext.dll.Ext.code_signature.exists level: custom type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: parent.Ext.dll.Ext.code_signature.status level: custom type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: parent.Ext.dll.Ext.code_signature.subject_name level: custom type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: parent.Ext.dll.Ext.code_signature.trusted level: custom type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: parent.Ext.dll.Ext.code_signature.valid level: custom type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: parent.Ext.dll.Ext.compile_time level: custom type: date description: Timestamp from when the module was compiled. default_field: false - name: parent.Ext.dll.Ext.mapped_address level: custom type: unsigned_long description: The base address where this module is loaded. default_field: false - name: parent.Ext.dll.Ext.mapped_size level: custom type: unsigned_long description: The size of this module's memory mapping, in bytes. default_field: false - name: parent.Ext.dll.code_signature.exists level: core type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: parent.Ext.dll.code_signature.signing_id level: extended type: keyword ignore_above: 1024 description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: parent.Ext.dll.code_signature.status level: extended type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: parent.Ext.dll.code_signature.subject_name level: core type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: parent.Ext.dll.code_signature.team_id level: extended type: keyword ignore_above: 1024 description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: parent.Ext.dll.code_signature.trusted level: extended type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: parent.Ext.dll.code_signature.valid level: extended type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: parent.Ext.dll.hash.md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash. default_field: false - name: parent.Ext.dll.hash.sha1 level: extended type: keyword ignore_above: 1024 description: SHA1 hash. default_field: false - name: parent.Ext.dll.hash.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. default_field: false - name: parent.Ext.dll.hash.sha512 level: extended type: keyword ignore_above: 1024 description: SHA512 hash. default_field: false - name: parent.Ext.dll.name level: core type: keyword ignore_above: 1024 description: 'Name of the library. This generally maps to the name of the file on disk.' example: kernel32.dll default_field: false - name: parent.Ext.dll.path level: extended type: keyword ignore_above: 1024 description: Full file path of the library. example: C:\Windows\System32\kernel32.dll default_field: false - name: parent.Ext.dll.pe.company level: extended type: keyword ignore_above: 1024 description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - name: parent.Ext.dll.pe.description level: extended type: keyword ignore_above: 1024 description: Internal description of the file, provided at compile-time. example: Paint default_field: false - name: parent.Ext.dll.pe.file_version level: extended type: keyword ignore_above: 1024 description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - name: parent.Ext.dll.pe.imphash level: extended type: keyword ignore_above: 1024 description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - name: parent.Ext.dll.pe.original_file_name level: extended type: keyword ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - name: parent.Ext.dll.pe.product level: extended type: keyword ignore_above: 1024 description: Internal product name of the file, provided at compile-time. example: "Microsoft® Windows® Operating System" default_field: false - name: parent.Ext.protection level: custom type: keyword ignore_above: 1024 description: Indicates the protection level of this process. Uses the same syntax as Process Explorer. Examples include PsProtectedSignerWinTcb, PsProtectedSignerWinTcb-Light, and PsProtectedSignerWindows-Light. default_field: false - name: parent.Ext.real level: custom type: object description: The field set containing process info in case of any pid spoofing. This is mainly useful for process.parent. default_field: false - name: parent.Ext.real.pid level: custom type: long description: For process.parent this will be the ppid of the process that actually spawned the current process. default_field: false - name: parent.Ext.token.domain level: custom type: keyword ignore_above: 1024 description: Domain of token user. default_field: false - name: parent.Ext.token.elevation level: custom type: boolean description: Whether the token is elevated or not default_field: false - name: parent.Ext.token.elevation_type level: custom type: keyword ignore_above: 1024 description: What level of elevation the token has example: one of "default", "full", "limited" default_field: false - name: parent.Ext.token.impersonation_level level: custom type: keyword ignore_above: 1024 description: Impersonation level. Only valid for impersonation tokens. default_field: false - name: parent.Ext.token.integrity_level level: custom type: long description: Numeric integrity level. default_field: false - name: parent.Ext.token.integrity_level_name level: custom type: keyword ignore_above: 1024 description: Human readable integrity level. example: one of "system", "high", "medium", "low", "untrusted" default_field: false - name: parent.Ext.token.is_appcontainer level: custom type: boolean description: Whether or not this is an appcontainer token. default_field: false - name: parent.Ext.token.privileges level: custom type: nested description: Array describing the privileges associated with the token. default_field: false - name: parent.Ext.token.privileges.description level: custom type: keyword ignore_above: 1024 description: Description of the privilege. default_field: false - name: parent.Ext.token.privileges.enabled level: custom type: boolean description: Whether or not the privilege is enabled. default_field: false - name: parent.Ext.token.privileges.name level: custom type: keyword ignore_above: 1024 description: Name of the privilege. default_field: false - name: parent.Ext.token.sid level: custom type: keyword ignore_above: 1024 description: Token user's Security Identifier (SID). default_field: false - name: parent.Ext.token.type level: custom type: keyword ignore_above: 1024 description: Type of the token, either primary or impersonation. default_field: false - name: parent.Ext.token.user level: custom type: keyword ignore_above: 1024 description: Username of token owner. default_field: false - name: parent.Ext.user level: custom type: keyword ignore_above: 1024 description: User associated with the running process. default_field: false - name: parent.args level: extended type: keyword ignore_above: 1024 description: 'Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.' example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' default_field: false - name: parent.args_count level: extended type: long description: 'Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.' example: 4 default_field: false - name: parent.code_signature.exists level: core type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: parent.code_signature.signing_id level: extended type: keyword ignore_above: 1024 description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: parent.code_signature.status level: extended type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: parent.code_signature.subject_name level: core type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: parent.code_signature.team_id level: extended type: keyword ignore_above: 1024 description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: parent.code_signature.trusted level: extended type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: parent.code_signature.valid level: extended type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: parent.command_line level: extended type: wildcard multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 default_field: false - name: parent.entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: parent.executable level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: Absolute path to the process executable. example: /usr/bin/ssh default_field: false - name: parent.exit_code level: extended type: long description: 'The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).' example: 137 default_field: false - name: parent.group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: parent.group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: parent.group_leader.entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: parent.group_leader.pid level: core type: long format: string description: Process id. example: 4242 default_field: false - name: parent.group_leader.start level: extended type: date description: The time the process started. example: '2016-05-23T08:05:34.853Z' default_field: false - name: parent.hash.md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash. default_field: false - name: parent.hash.sha1 level: extended type: keyword ignore_above: 1024 description: SHA1 hash. default_field: false - name: parent.hash.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. default_field: false - name: parent.hash.sha512 level: extended type: keyword ignore_above: 1024 description: SHA512 hash. default_field: false - name: parent.interactive level: extended type: boolean description: 'Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.' example: true default_field: false - name: parent.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: 'Process name. Sometimes called program name or similar.' example: ssh default_field: false - name: parent.pe.company level: extended type: keyword ignore_above: 1024 description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - name: parent.pe.description level: extended type: keyword ignore_above: 1024 description: Internal description of the file, provided at compile-time. example: Paint default_field: false - name: parent.pe.file_version level: extended type: keyword ignore_above: 1024 description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - name: parent.pe.imphash level: extended type: keyword ignore_above: 1024 description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - name: parent.pe.original_file_name level: extended type: keyword ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - name: parent.pe.product level: extended type: keyword ignore_above: 1024 description: Internal product name of the file, provided at compile-time. example: "Microsoft® Windows® Operating System" default_field: false - name: parent.pgid level: extended type: long format: string description: 'Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. Identifier of the group of processes the process belongs to.' default_field: false - name: parent.pid level: core type: long format: string description: Process id. example: 4242 default_field: false - name: parent.ppid level: extended type: long format: string description: Parent process' pid. example: 4241 default_field: false - name: parent.real_group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: parent.real_group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: parent.real_user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - name: parent.real_user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: Short name or login of the user. example: a.einstein default_field: false - name: parent.saved_group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: parent.saved_group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: parent.saved_user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - name: parent.saved_user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: Short name or login of the user. example: a.einstein default_field: false - name: parent.start level: extended type: date description: The time the process started. example: '2016-05-23T08:05:34.853Z' default_field: false - name: parent.supplemental_groups.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: parent.supplemental_groups.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: parent.thread.id level: extended type: long format: string description: Thread ID. example: 4242 default_field: false - name: parent.thread.name level: extended type: keyword ignore_above: 1024 description: Thread name. example: thread-0 default_field: false - name: parent.title level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: 'Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.' default_field: false - name: parent.tty level: extended type: object description: Information about the controlling TTY device. If set, the process belongs to an interactive session. default_field: false - name: parent.tty.char_device.major level: extended type: long description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. example: 4 default_field: false - name: parent.tty.char_device.minor level: extended type: long description: "The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them." example: 1 default_field: false - name: parent.uptime level: extended type: long description: Seconds the process has been up. example: 1325 default_field: false - name: parent.user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - name: parent.user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: Short name or login of the user. example: a.einstein default_field: false - name: parent.working_directory level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: The working directory of the process. example: /home/alice default_field: false - name: pe.company level: extended type: keyword ignore_above: 1024 description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - name: pe.description level: extended type: keyword ignore_above: 1024 description: Internal description of the file, provided at compile-time. example: Paint default_field: false - name: pe.file_version level: extended type: keyword ignore_above: 1024 description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - name: pe.imphash level: extended type: keyword ignore_above: 1024 description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - name: pe.original_file_name level: extended type: keyword ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - name: pe.product level: extended type: keyword ignore_above: 1024 description: Internal product name of the file, provided at compile-time. example: "Microsoft® Windows® Operating System" default_field: false - name: pgid level: extended type: long format: string description: 'Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. Identifier of the group of processes the process belongs to.' - name: pid level: core type: long format: string description: Process id. example: 4242 - name: ppid level: extended type: long format: string description: Parent process' pid. example: 4241 - name: previous.args level: extended type: keyword ignore_above: 1024 description: 'Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.' example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' default_field: false - name: previous.args_count level: extended type: long description: 'Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.' example: 4 default_field: false - name: previous.executable level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: Absolute path to the process executable. example: /usr/bin/ssh default_field: false - name: real_group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: real_group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: real_user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - name: real_user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: Short name or login of the user. example: a.einstein default_field: false - name: saved_group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: saved_group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: saved_user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - name: saved_user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: Short name or login of the user. example: a.einstein default_field: false - name: session_leader.args level: extended type: keyword ignore_above: 1024 description: 'Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.' example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' default_field: false - name: session_leader.args_count level: extended type: long description: 'Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.' example: 4 default_field: false - name: session_leader.command_line level: extended type: wildcard multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 default_field: false - name: session_leader.entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: session_leader.executable level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: Absolute path to the process executable. example: /usr/bin/ssh default_field: false - name: session_leader.group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: session_leader.group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: session_leader.interactive level: extended type: boolean description: 'Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.' example: true default_field: false - name: session_leader.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: 'Process name. Sometimes called program name or similar.' example: ssh default_field: false - name: session_leader.parent.entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: session_leader.parent.pid level: core type: long format: string description: Process id. example: 4242 default_field: false - name: session_leader.parent.session_leader.entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: session_leader.parent.session_leader.pid level: core type: long format: string description: Process id. example: 4242 default_field: false - name: session_leader.parent.session_leader.start level: extended type: date description: The time the process started. example: '2016-05-23T08:05:34.853Z' default_field: false - name: session_leader.parent.start level: extended type: date description: The time the process started. example: '2016-05-23T08:05:34.853Z' default_field: false - name: session_leader.pid level: core type: long format: string description: Process id. example: 4242 default_field: false - name: session_leader.real_group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: session_leader.real_group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: session_leader.real_user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - name: session_leader.real_user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: Short name or login of the user. example: a.einstein default_field: false - name: session_leader.same_as_process level: extended type: boolean description: 'This boolean is used to identify if a leader process is the same as the top level process. For example, if `process.group_leader.same_as_process = true`, it means the process event in question is the leader of its process group. Details under `process.*` like `pid` would be the same under `process.group_leader.*` The same applies for both `process.session_leader` and `process.entry_leader`. This field exists to the benefit of EQL and other rule engines since it''s not possible to compare equality between two fields in a single document. e.g `process.entity_id` = `process.group_leader.entity_id` (top level process is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is the entry session leader) Instead these rules could be written like: `process.group_leader.same_as_process: true` OR `process.entry_leader.same_as_process: true` Note: This field is only set on `process.entry_leader`, `process.session_leader` and `process.group_leader`.' example: true default_field: false - name: session_leader.saved_group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: session_leader.saved_group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: session_leader.saved_user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - name: session_leader.saved_user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: Short name or login of the user. example: a.einstein default_field: false - name: session_leader.start level: extended type: date description: The time the process started. example: '2016-05-23T08:05:34.853Z' default_field: false - name: session_leader.supplemental_groups.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: session_leader.supplemental_groups.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: session_leader.tty level: extended type: object description: Information about the controlling TTY device. If set, the process belongs to an interactive session. default_field: false - name: session_leader.tty.char_device.major level: extended type: long description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. example: 4 default_field: false - name: session_leader.tty.char_device.minor level: extended type: long description: "The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them." example: 1 default_field: false - name: session_leader.user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - name: session_leader.user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: Short name or login of the user. example: a.einstein default_field: false - name: session_leader.working_directory level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: The working directory of the process. example: /home/alice default_field: false - name: start level: extended type: date description: The time the process started. example: '2016-05-23T08:05:34.853Z' - name: supplemental_groups.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: supplemental_groups.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: thread.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: thread.Ext.call_stack level: custom type: object description: Fields describing a stack frame. call_stack is expected to be an array where each array element represents a stack frame. enabled: false default_field: false - name: thread.Ext.call_stack.instruction_pointer level: custom type: keyword ignore_above: 1024 description: The return address of this stack frame. default_field: false - name: thread.Ext.call_stack.memory_section.memory_address level: custom type: keyword description: Base address of the memory region containing `instruction_pointer`. Corresponds to `MEMORY_BASIC_INFORMATION.BaseAddress` index: false doc_values: false default_field: false - name: thread.Ext.call_stack.memory_section.memory_size level: custom type: keyword description: Size of the memory region containing `instruction_pointer`. Corresponds to `MEMORY_BASIC_INFORMATION.RegionSize` index: false doc_values: false default_field: false - name: thread.Ext.call_stack.memory_section.protection level: custom type: keyword ignore_above: 1024 description: Memory protection flags of this memory region. Corresponds to `MEMORY_BASIC_INFORMATION.Protect` default_field: false - name: thread.Ext.call_stack.module_name level: custom type: keyword description: The name of the DLL/module containing `instruction_pointer`. index: false doc_values: false default_field: false - name: thread.Ext.call_stack.module_path level: custom type: keyword ignore_above: 1024 description: The path to the DLL/module containing `instruction_pointer`. default_field: false - name: thread.Ext.call_stack.rva level: custom type: keyword ignore_above: 1024 description: The relative virtual address of `instruction_pointer`. Computed as `instruction_pointer - MEMORY_BASIC_INFORMATION.AllocationBase`. default_field: false - name: thread.Ext.call_stack.symbol_info level: custom type: keyword ignore_above: 1024 description: The nearest symbol for `instruction_pointer`. default_field: false - name: thread.Ext.call_stack_final_user_module level: custom type: nested description: The final non-win32 module in the call stack. default_field: false - name: thread.Ext.call_stack_final_user_module.code_signature level: custom type: nested description: Code signature of the call_stack_final_user_module. default_field: false - name: thread.Ext.call_stack_final_user_module.code_signature.exists level: custom type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: thread.Ext.call_stack_final_user_module.code_signature.status level: custom type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: thread.Ext.call_stack_final_user_module.code_signature.subject_name level: custom type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: thread.Ext.call_stack_final_user_module.code_signature.trusted level: custom type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: thread.Ext.call_stack_final_user_module.code_signature.valid level: custom type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: thread.Ext.call_stack_final_user_module.hash level: custom type: object description: Hashes of the call_stack_final_user_module. default_field: false - name: thread.Ext.call_stack_final_user_module.hash.sha256 level: custom type: keyword ignore_above: 1024 description: The sha256 of the call_stack_final_user_module. example: d25ff1e6c6460a7f9de39198d182058c1712726008d187e1953b83abe977e4a0 default_field: false - name: thread.Ext.call_stack_final_user_module.name level: custom type: keyword ignore_above: 1024 description: The file name of the call_stack_final_user_module. example: example.dll default_field: false - name: thread.Ext.call_stack_final_user_module.path level: custom type: keyword ignore_above: 1024 description: The file path of the call_stack_final_user_module. example: C:\Program Files\Example\example.dll default_field: false - name: thread.Ext.call_stack_summary level: custom type: keyword ignore_above: 1024 description: Concatentation of the non-repeated modules in the call stack. example: ntdll.dll, example.exe, kernel32.dll, ntdll.dll default_field: false - name: thread.Ext.hardware_breakpoint_set level: custom type: boolean description: Whether a hardware breakpoint was set for the thread. This field is omitted if false. example: 'true' default_field: false - name: thread.Ext.original_start_address level: custom type: unsigned_long description: When a trampoline was detected, this indicates the original content for the thread start address in memory. example: 4194304 default_field: false - name: thread.Ext.original_start_address_allocation_offset level: custom type: unsigned_long description: When a trampoline was detected, this indicates the original content for the offset of original_start_address to the allocation base. example: 0 default_field: false - name: thread.Ext.original_start_address_bytes level: custom type: keyword ignore_above: 1024 description: When a trampoline was detected, this holds the original content of the hex-encoded bytes at the original thread start address. example: 48b84141414141414141ffe000ccccccccccccccccccccccccccccccccccccccc default_field: false - name: thread.Ext.original_start_address_bytes_disasm level: custom type: keyword ignore_above: 1024 description: When a trampoline was detected, this indicates the original content for the disassembled code pointed by the thread start address. example: mov rax, 0x4141414141414141\njmp rax default_field: false - name: thread.Ext.original_start_address_bytes_disasm_hash level: custom type: keyword ignore_above: 1024 description: When a trampoline was detected, this indicates the hash of original content for the disassembled code pointed by the thread start address. example: aacb1c801f9030f799e2f7350f053ebb760d42cbe81cd65021063c1c4d1a9c9c default_field: false - name: thread.Ext.original_start_address_module level: custom type: keyword ignore_above: 1024 description: When a trampoline was detected, this indicates the original content for the dll/module where the thread began execution. example: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe default_field: false - name: thread.Ext.parameter level: custom type: unsigned_long description: When a thread is created, this is the raw numerical value of its parameter. default_field: false - name: thread.Ext.parameter_bytes_compressed level: custom type: keyword description: Up to 512KB of raw data from the thread parameter, if it is a valid pointer. This is compressed with zlib. To reduce data volume, this is de-duplicated on the endpoint, and may be missing from many alerts if the same data would be sent multiple times. index: false doc_values: false default_field: false - name: thread.Ext.parameter_bytes_compressed_present level: custom type: boolean description: Whether parameter_bytes_compressed is present in this event. default_field: false - name: thread.Ext.service level: custom type: keyword ignore_above: 1024 description: Service associated with the thread. example: VaultSvc default_field: false - name: thread.Ext.start level: custom type: date description: The time the thread started. example: '2016-05-23T08:05:34.853Z' default_field: false - name: thread.Ext.start_address level: custom type: unsigned_long description: Memory address where the thread began execution. example: 4194304 default_field: false - name: thread.Ext.start_address_allocation_offset level: custom type: unsigned_long description: Offset of start_address into the memory allocation. Equal to start_address - start_address_details.allocation_base. example: 0 default_field: false - name: thread.Ext.start_address_bytes level: custom type: keyword ignore_above: 1024 description: A few (typically 32) raw opcode bytes at the thread start address, hex-encoded. example: c3cc0000cccccccccccccccccccccccccccccccccccccccccccccccccccccccc default_field: false - name: thread.Ext.start_address_bytes_disasm level: custom type: keyword ignore_above: 1024 description: The bytes at the thread start address, disassembled into human-readable assembly code. example: ret\nint3 default_field: false - name: thread.Ext.start_address_bytes_disasm_hash level: custom type: keyword ignore_above: 1024 description: The bytes at the thread start address, with immediate values capped to 0x100, disassembled into human-readable assembly code, then hashed. example: aacb1c801f9030f799e2f7350f053ebb760d42cbe81cd65021063c1c4d1a9c9c default_field: false - name: thread.Ext.start_address_module level: custom type: keyword ignore_above: 1024 description: The dll/module where the thread began execution. example: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe default_field: false - name: thread.Ext.token.domain level: custom type: keyword ignore_above: 1024 description: Domain of token user. default_field: false - name: thread.Ext.token.elevation level: custom type: boolean description: Whether the token is elevated or not default_field: false - name: thread.Ext.token.elevation_type level: custom type: keyword ignore_above: 1024 description: What level of elevation the token has example: one of "default", "full", "limited" default_field: false - name: thread.Ext.token.impersonation_level level: custom type: keyword ignore_above: 1024 description: Impersonation level. Only valid for impersonation tokens. default_field: false - name: thread.Ext.token.integrity_level level: custom type: long description: Numeric integrity level. default_field: false - name: thread.Ext.token.integrity_level_name level: custom type: keyword ignore_above: 1024 description: Human readable integrity level. example: one of "system", "high", "medium", "low", "untrusted" default_field: false - name: thread.Ext.token.is_appcontainer level: custom type: boolean description: Whether or not this is an appcontainer token. default_field: false - name: thread.Ext.token.privileges level: custom type: nested description: Array describing the privileges associated with the token. default_field: false - name: thread.Ext.token.privileges.description level: custom type: keyword ignore_above: 1024 description: Description of the privilege. default_field: false - name: thread.Ext.token.privileges.enabled level: custom type: boolean description: Whether or not the privilege is enabled. default_field: false - name: thread.Ext.token.privileges.name level: custom type: keyword ignore_above: 1024 description: Name of the privilege. default_field: false - name: thread.Ext.token.sid level: custom type: keyword ignore_above: 1024 description: Token user's Security Identifier (SID). default_field: false - name: thread.Ext.token.type level: custom type: keyword ignore_above: 1024 description: Type of the token, either primary or impersonation. default_field: false - name: thread.Ext.token.user level: custom type: keyword ignore_above: 1024 description: Username of token owner. default_field: false - name: thread.Ext.uptime level: custom type: long description: Seconds since thread started. default_field: false - name: thread.id level: extended type: long format: string description: Thread ID. example: 4242 - name: thread.name level: extended type: keyword ignore_above: 1024 description: Thread name. example: thread-0 - name: title level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text default_field: false description: 'Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.' - name: tty level: extended type: object description: Information about the controlling TTY device. If set, the process belongs to an interactive session. default_field: false - name: tty.char_device.major level: extended type: long description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. example: 4 default_field: false - name: tty.char_device.minor level: extended type: long description: "The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them." example: 1 default_field: false - name: uptime level: extended type: long description: Seconds the process has been up. example: 1325 - name: user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - name: user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: Short name or login of the user. example: a.einstein default_field: false - name: working_directory level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: The working directory of the process. example: /home/alice - name: registry title: Registry group: 2 description: Fields related to Windows Registry operations. type: group default_field: true fields: - name: data.strings level: core type: wildcard description: 'Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).' example: '["C:\rta\red_ttp\bin\myapp.exe"]' default_field: false - name: path level: core type: keyword ignore_above: 1024 description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger default_field: false - name: value level: core type: keyword ignore_above: 1024 description: Name of the value written. example: Debugger default_field: false - name: rule title: Rule group: 2 description: 'Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc.' type: group default_field: true fields: - name: author level: extended type: keyword ignore_above: 1024 description: Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. example: '["Star-Lord"]' default_field: false - name: category level: extended type: keyword ignore_above: 1024 description: A categorization value keyword used by the entity using the rule for detection of this event. example: Attempted Information Leak default_field: false - name: description level: extended type: keyword ignore_above: 1024 description: The description of the rule generating the event. example: Block requests to public DNS over HTTPS / TLS protocols default_field: false - name: id level: extended type: keyword ignore_above: 1024 description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. example: 101 default_field: false - name: license level: extended type: keyword ignore_above: 1024 description: Name of the license under which the rule used to generate this event is made available. example: Apache 2.0 default_field: false - name: name level: extended type: keyword ignore_above: 1024 description: The name of the rule or signature generating the event. example: BLOCK_DNS_over_TLS default_field: false - name: reference level: extended type: keyword ignore_above: 1024 description: 'Reference URL to additional information about the rule used to generate this event. The URL can point to the vendor''s documentation about the rule. If that''s not available, it can also be a link to a more general page describing this type of alert.' example: https://en.wikipedia.org/wiki/DNS_over_TLS default_field: false - name: ruleset level: extended type: keyword ignore_above: 1024 description: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. example: Standard_Protocol_Filters default_field: false - name: uuid level: extended type: keyword ignore_above: 1024 description: A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. example: 1100110011 default_field: false - name: version level: extended type: keyword ignore_above: 1024 description: The version / revision of the rule being used for analysis. example: 1.1 default_field: false - name: source title: Source group: 2 description: 'Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.' type: group default_field: true fields: - name: geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal - name: geo.continent_code level: core type: keyword ignore_above: 1024 description: Two-letter code representing continent's name. example: NA default_field: false - name: geo.continent_name level: core type: keyword ignore_above: 1024 description: Name of the continent. example: North America - name: geo.country_iso_code level: core type: keyword ignore_above: 1024 description: Country ISO code. example: CA - name: geo.country_name level: core type: keyword ignore_above: 1024 description: Country name. example: Canada - name: geo.location level: core type: geo_point description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended type: keyword ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.' example: boston-dc - name: geo.postal_code level: core type: keyword ignore_above: 1024 description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.' example: 94040 default_field: false - name: geo.region_iso_code level: core type: keyword ignore_above: 1024 description: Region ISO code. example: CA-QC - name: geo.region_name level: core type: keyword ignore_above: 1024 description: Region name. example: Quebec - name: geo.timezone level: core type: keyword ignore_above: 1024 description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false - name: ip level: core type: ip description: IP address of the source (IPv4 or IPv6). - name: threat title: Threat group: 2 description: "Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework.\nThese fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat (e.g. \"impact\"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. \"endpoint denial of service\")." type: group default_field: true fields: - name: enrichments level: extended type: nested description: A list of associated indicators objects enriching the event, and the context of that association/enrichment. default_field: false - name: enrichments.indicator level: extended type: object description: Object containing associated indicators enriching the event. default_field: false - name: enrichments.indicator.file.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: enrichments.indicator.file.Ext.code_signature level: custom type: nested description: Nested version of ECS code_signature fieldset. default_field: false - name: enrichments.indicator.file.Ext.code_signature.exists level: core type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: enrichments.indicator.file.Ext.code_signature.status level: custom type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: enrichments.indicator.file.Ext.code_signature.subject_name level: core type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: enrichments.indicator.file.Ext.code_signature.trusted level: custom type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: enrichments.indicator.file.Ext.code_signature.valid level: custom type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: enrichments.indicator.file.Ext.device.bus_type level: custom type: keyword ignore_above: 1024 description: Bus type of the device, such as Nvme, Usb, FileBackedVirtual,... etc. default_field: false - name: enrichments.indicator.file.Ext.device.dos_name level: custom type: keyword ignore_above: 1024 description: DOS name of the device. DOS device name is in the format of driver letters such as C:, D:,... default_field: false - name: enrichments.indicator.file.Ext.device.file_system_type level: custom type: keyword ignore_above: 1024 description: 'Volume device file system type. Following are examples of the most frequently seen volume device file system types: NTFS UDF' default_field: false - name: enrichments.indicator.file.Ext.device.nt_name level: custom type: keyword ignore_above: 1024 description: 'NT name of the device. NT device name is in the format such as: \Device\HarddiskVolume2' default_field: false - name: enrichments.indicator.file.Ext.device.product_id level: custom type: keyword ignore_above: 1024 description: ProductID of the device. It is provided by the vendor of the device if any. default_field: false - name: enrichments.indicator.file.Ext.device.serial_number level: custom type: keyword ignore_above: 1024 description: Serial Number of the device. It is provided by the vendor of the device if any. default_field: false - name: enrichments.indicator.file.Ext.device.vendor_id level: custom type: keyword ignore_above: 1024 description: VendorID of the device. It is provided by the vendor of the device. default_field: false - name: enrichments.indicator.file.Ext.device.volume_device_type level: custom type: keyword ignore_above: 1024 description: 'Volume device type. Following are examples of the most frequently seen volume device types: Disk File System CD-ROM File System' default_field: false - name: enrichments.indicator.file.Ext.entropy level: custom type: double description: Entropy calculation of file's header and footer used to check file integrity. default_field: false - name: enrichments.indicator.file.Ext.entry_modified level: custom type: double description: Time of last status change. See `st_ctim` member of `struct stat`. default_field: false - name: enrichments.indicator.file.Ext.header_bytes level: custom type: keyword ignore_above: 1024 description: First 16 bytes of file used to check file integrity. default_field: false - name: enrichments.indicator.file.Ext.header_data level: custom type: text description: First 16 bytes of file used to check file integrity. default_field: false - name: enrichments.indicator.file.Ext.malware_classification.features.data.buffer level: custom type: keyword ignore_above: 1024 description: The features extracted from this file and evaluated by the model. Usually an array of floats. Likely zlib-encoded. default_field: false - name: enrichments.indicator.file.Ext.malware_classification.features.data.decompressed_size level: custom type: integer description: The decompressed size of buffer. default_field: false - name: enrichments.indicator.file.Ext.malware_classification.features.data.encoding level: custom type: keyword ignore_above: 1024 description: The encoding of buffer (e.g. zlib). default_field: false - name: enrichments.indicator.file.Ext.malware_classification.identifier level: custom type: keyword ignore_above: 1024 description: The model's unique identifier. default_field: false - name: enrichments.indicator.file.Ext.malware_classification.score level: custom type: double description: The score produced by the classification model. default_field: false - name: enrichments.indicator.file.Ext.malware_classification.threshold level: custom type: double description: The score threshold for the model. Files that score above this threshold are considered malicious. default_field: false - name: enrichments.indicator.file.Ext.malware_classification.upx_packed level: custom type: boolean description: Whether UPX packing was detected. default_field: false - name: enrichments.indicator.file.Ext.malware_classification.version level: custom type: keyword ignore_above: 1024 description: The version of the model used. default_field: false - name: enrichments.indicator.file.Ext.malware_signature level: custom type: nested description: Nested version of malware_signature fieldset. default_field: false - name: enrichments.indicator.file.Ext.malware_signature.all_names level: custom type: text description: The concatenated names of all yara signatures default_field: false - name: enrichments.indicator.file.Ext.malware_signature.identifier level: custom type: text description: Malware artifact identifier. default_field: false - name: enrichments.indicator.file.Ext.malware_signature.primary level: custom type: nested description: Primary malware signature match. default_field: false - name: enrichments.indicator.file.Ext.malware_signature.primary.matches level: custom type: nested description: An array of bytes representing yara signature matches default_field: false - name: enrichments.indicator.file.Ext.malware_signature.primary.signature level: custom type: nested description: Primary malware signature match. default_field: false - name: enrichments.indicator.file.Ext.malware_signature.primary.signature.hash level: custom type: nested description: Primary malware signature hash. default_field: false - name: enrichments.indicator.file.Ext.malware_signature.primary.signature.hash.sha256 level: custom type: keyword ignore_above: 1024 description: Primary malware signature sha256. default_field: false - name: enrichments.indicator.file.Ext.malware_signature.primary.signature.id level: custom type: keyword ignore_above: 1024 description: Primary malware signature id. default_field: false - name: enrichments.indicator.file.Ext.malware_signature.primary.signature.name level: custom type: keyword ignore_above: 1024 description: Primary malware signature name. default_field: false - name: enrichments.indicator.file.Ext.malware_signature.secondary level: custom type: nested description: An array of malware signature matches default_field: false - name: enrichments.indicator.file.Ext.malware_signature.version level: custom type: keyword ignore_above: 1024 description: Primary malware signature version. default_field: false - name: enrichments.indicator.file.Ext.monotonic_id level: custom type: unsigned_long description: File event monotonic ID. default_field: false - name: enrichments.indicator.file.Ext.original level: custom type: object description: Original file information during a modification event. default_field: false - name: enrichments.indicator.file.Ext.original.gid level: custom type: keyword ignore_above: 1024 description: Primary group ID (GID) of the file. example: '1001' default_field: false - name: enrichments.indicator.file.Ext.original.group level: custom type: keyword ignore_above: 1024 description: Primary group name of the file. example: alice default_field: false - name: enrichments.indicator.file.Ext.original.mode level: custom type: keyword ignore_above: 1024 description: Original file mode prior to a modification event default_field: false - name: enrichments.indicator.file.Ext.original.name level: custom type: keyword ignore_above: 1024 description: Original file name prior to a modification event default_field: false - name: enrichments.indicator.file.Ext.original.owner level: custom type: keyword ignore_above: 1024 description: File owner's username. example: alice default_field: false - name: enrichments.indicator.file.Ext.original.path level: custom type: keyword ignore_above: 1024 description: Original file path prior to a modification event default_field: false - name: enrichments.indicator.file.Ext.original.uid level: custom type: keyword ignore_above: 1024 description: The user ID (UID) or security identifier (SID) of the file owner. example: '1001' default_field: false - name: enrichments.indicator.file.Ext.quarantine_message level: custom type: keyword ignore_above: 1024 description: Message describing quarantine results. default_field: false - name: enrichments.indicator.file.Ext.quarantine_path level: custom type: keyword ignore_above: 1024 description: Path on endpoint the quarantined file was originally. default_field: false - name: enrichments.indicator.file.Ext.quarantine_result level: custom type: boolean description: Boolean representing whether or not file quarantine succeeded. default_field: false - name: enrichments.indicator.file.Ext.temp_file_path level: custom type: keyword ignore_above: 1024 description: Path on endpoint where a copy of the file is being stored. Used to make ephemeral files retrievable. default_field: false - name: enrichments.indicator.file.Ext.windows level: custom type: object description: Platform-specific Windows fields default_field: false - name: enrichments.indicator.file.Ext.windows.zone_identifier level: custom type: keyword ignore_above: 1024 description: Windows zone identifier for a file default_field: false - name: enrichments.indicator.file.accessed level: extended type: date description: 'Last time the file was accessed. Note that not all filesystems keep track of access time.' default_field: false - name: enrichments.indicator.file.attributes level: extended type: keyword ignore_above: 1024 description: 'Array of file attributes. Attributes names will vary by platform. Here''s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.' example: '["readonly", "system"]' default_field: false - name: enrichments.indicator.file.code_signature.exists level: core type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: enrichments.indicator.file.code_signature.signing_id level: extended type: keyword ignore_above: 1024 description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: enrichments.indicator.file.code_signature.status level: extended type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: enrichments.indicator.file.code_signature.subject_name level: core type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: enrichments.indicator.file.code_signature.team_id level: extended type: keyword ignore_above: 1024 description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: enrichments.indicator.file.code_signature.trusted level: extended type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: enrichments.indicator.file.code_signature.valid level: extended type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: enrichments.indicator.file.created level: extended type: date description: 'File creation time. Note that not all filesystems store the creation time.' default_field: false - name: enrichments.indicator.file.ctime level: extended type: date description: 'Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.' default_field: false - name: enrichments.indicator.file.device level: extended type: keyword ignore_above: 1024 description: Device that is the source of the file. example: sda default_field: false - name: enrichments.indicator.file.directory level: extended type: keyword ignore_above: 1024 description: Directory where the file is located. It should include the drive letter, when appropriate. example: /home/alice default_field: false - name: enrichments.indicator.file.drive_letter level: extended type: keyword ignore_above: 1 description: 'Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.' example: C default_field: false - name: enrichments.indicator.file.elf.architecture level: extended type: keyword ignore_above: 1024 description: Machine architecture of the ELF file. example: x86-64 default_field: false - name: enrichments.indicator.file.elf.byte_order level: extended type: keyword ignore_above: 1024 description: Byte sequence of ELF file. example: Little Endian default_field: false - name: enrichments.indicator.file.elf.cpu_type level: extended type: keyword ignore_above: 1024 description: CPU type of the ELF file. example: Intel default_field: false - name: enrichments.indicator.file.elf.creation_date level: extended type: date description: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. default_field: false - name: enrichments.indicator.file.elf.exports level: extended type: flattened description: List of exported element names and types. default_field: false - name: enrichments.indicator.file.elf.go_import_hash level: extended type: keyword ignore_above: 1024 description: 'A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma).' example: 10bddcb4cee42080f76c88d9ff964491 default_field: false - name: enrichments.indicator.file.elf.go_imports level: extended type: flattened description: List of imported Go language element names and types. default_field: false - name: enrichments.indicator.file.elf.go_imports_names_entropy level: extended type: long format: number description: Shannon entropy calculation from the list of Go imports. default_field: false - name: enrichments.indicator.file.elf.go_imports_names_var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the list of Go imports. default_field: false - name: enrichments.indicator.file.elf.go_stripped level: extended type: boolean description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. default_field: false - name: enrichments.indicator.file.elf.header.abi_version level: extended type: keyword ignore_above: 1024 description: Version of the ELF Application Binary Interface (ABI). default_field: false - name: enrichments.indicator.file.elf.header.class level: extended type: keyword ignore_above: 1024 description: Header class of the ELF file. default_field: false - name: enrichments.indicator.file.elf.header.data level: extended type: keyword ignore_above: 1024 description: Data table of the ELF header. default_field: false - name: enrichments.indicator.file.elf.header.entrypoint level: extended type: long format: string description: Header entrypoint of the ELF file. default_field: false - name: enrichments.indicator.file.elf.header.object_version level: extended type: keyword ignore_above: 1024 description: '"0x1" for original ELF files.' default_field: false - name: enrichments.indicator.file.elf.header.os_abi level: extended type: keyword ignore_above: 1024 description: Application Binary Interface (ABI) of the Linux OS. default_field: false - name: enrichments.indicator.file.elf.header.type level: extended type: keyword ignore_above: 1024 description: Header type of the ELF file. default_field: false - name: enrichments.indicator.file.elf.header.version level: extended type: keyword ignore_above: 1024 description: Version of the ELF header. default_field: false - name: enrichments.indicator.file.elf.import_hash level: extended type: keyword ignore_above: 1024 description: 'A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is an ELF implementation of the Windows PE imphash.' example: d41d8cd98f00b204e9800998ecf8427e default_field: false - name: enrichments.indicator.file.elf.imports level: extended type: flattened description: List of imported element names and types. default_field: false - name: enrichments.indicator.file.elf.imports_names_entropy level: extended type: long format: number description: Shannon entropy calculation from the list of imported element names and types. default_field: false - name: enrichments.indicator.file.elf.imports_names_var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the list of imported element names and types. default_field: false - name: enrichments.indicator.file.elf.sections level: extended type: nested description: 'An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.' default_field: false - name: enrichments.indicator.file.elf.sections.chi2 level: extended type: long format: number description: Chi-square probability distribution of the section. default_field: false - name: enrichments.indicator.file.elf.sections.entropy level: extended type: long format: number description: Shannon entropy calculation from the section. default_field: false - name: enrichments.indicator.file.elf.sections.flags level: extended type: keyword ignore_above: 1024 description: ELF Section List flags. default_field: false - name: enrichments.indicator.file.elf.sections.name level: extended type: keyword ignore_above: 1024 description: ELF Section List name. default_field: false - name: enrichments.indicator.file.elf.sections.physical_offset level: extended type: keyword ignore_above: 1024 description: ELF Section List offset. default_field: false - name: enrichments.indicator.file.elf.sections.physical_size level: extended type: long format: bytes description: ELF Section List physical size. default_field: false - name: enrichments.indicator.file.elf.sections.type level: extended type: keyword ignore_above: 1024 description: ELF Section List type. default_field: false - name: enrichments.indicator.file.elf.sections.var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the section. default_field: false - name: enrichments.indicator.file.elf.sections.virtual_address level: extended type: long format: string description: ELF Section List virtual address. default_field: false - name: enrichments.indicator.file.elf.sections.virtual_size level: extended type: long format: string description: ELF Section List virtual size. default_field: false - name: enrichments.indicator.file.elf.segments level: extended type: nested description: 'An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.' default_field: false - name: enrichments.indicator.file.elf.segments.sections level: extended type: keyword ignore_above: 1024 description: ELF object segment sections. default_field: false - name: enrichments.indicator.file.elf.segments.type level: extended type: keyword ignore_above: 1024 description: ELF object segment type. default_field: false - name: enrichments.indicator.file.elf.shared_libraries level: extended type: keyword ignore_above: 1024 description: List of shared libraries used by this ELF object. default_field: false - name: enrichments.indicator.file.elf.telfhash level: extended type: keyword ignore_above: 1024 description: telfhash symbol hash for ELF file. default_field: false - name: enrichments.indicator.file.extension level: extended type: keyword ignore_above: 1024 description: 'File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").' example: png default_field: false - name: enrichments.indicator.file.gid level: extended type: keyword ignore_above: 1024 description: Primary group ID (GID) of the file. example: '1001' default_field: false - name: enrichments.indicator.file.group level: extended type: keyword ignore_above: 1024 description: Primary group name of the file. example: alice default_field: false - name: enrichments.indicator.file.hash.md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash. default_field: false - name: enrichments.indicator.file.hash.sha1 level: extended type: keyword ignore_above: 1024 description: SHA1 hash. default_field: false - name: enrichments.indicator.file.hash.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. default_field: false - name: enrichments.indicator.file.hash.sha512 level: extended type: keyword ignore_above: 1024 description: SHA512 hash. default_field: false - name: enrichments.indicator.file.hash.ssdeep level: extended type: keyword ignore_above: 1024 description: SSDEEP hash. default_field: false - name: enrichments.indicator.file.inode level: extended type: keyword ignore_above: 1024 description: Inode representing the file in the filesystem. example: '256383' default_field: false - name: enrichments.indicator.file.mime_type level: extended type: keyword ignore_above: 1024 description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. default_field: false - name: enrichments.indicator.file.mode level: extended type: keyword ignore_above: 1024 description: Mode of the file in octal representation. example: '0640' default_field: false - name: enrichments.indicator.file.mtime level: extended type: date description: Last time the file content was modified. default_field: false - name: enrichments.indicator.file.name level: extended type: keyword ignore_above: 1024 description: Name of the file including the extension, without the directory. example: example.png default_field: false - name: enrichments.indicator.file.owner level: extended type: keyword ignore_above: 1024 description: File owner's username. example: alice default_field: false - name: enrichments.indicator.file.path level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: Full path to the file, including the file name. It should include the drive letter, when appropriate. example: /home/alice/example.png default_field: false - name: enrichments.indicator.file.pe.architecture level: extended type: keyword ignore_above: 1024 description: CPU architecture target for the file. example: x64 default_field: false - name: enrichments.indicator.file.pe.company level: extended type: keyword ignore_above: 1024 description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - name: enrichments.indicator.file.pe.description level: extended type: keyword ignore_above: 1024 description: Internal description of the file, provided at compile-time. example: Paint default_field: false - name: enrichments.indicator.file.pe.file_version level: extended type: keyword ignore_above: 1024 description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - name: enrichments.indicator.file.pe.imphash level: extended type: keyword ignore_above: 1024 description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - name: enrichments.indicator.file.pe.original_file_name level: extended type: keyword ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - name: enrichments.indicator.file.pe.product level: extended type: keyword ignore_above: 1024 description: Internal product name of the file, provided at compile-time. example: "Microsoft® Windows® Operating System" default_field: false - name: enrichments.indicator.file.size level: extended type: long description: 'File size in bytes. Only relevant when `file.type` is "file".' example: 16384 default_field: false - name: enrichments.indicator.file.target_path level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: Target path for symlinks. default_field: false - name: enrichments.indicator.file.type level: extended type: keyword ignore_above: 1024 description: File type (file, dir, or symlink). example: file default_field: false - name: enrichments.indicator.file.uid level: extended type: keyword ignore_above: 1024 description: The user ID (UID) or security identifier (SID) of the file owner. example: '1001' default_field: false - name: enrichments.indicator.first_seen level: extended type: date description: The date and time when intelligence source first reported sighting this indicator. example: '2020-11-05T17:25:47.000Z' default_field: false - name: enrichments.indicator.geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal default_field: false - name: enrichments.indicator.geo.continent_code level: core type: keyword ignore_above: 1024 description: Two-letter code representing continent's name. example: NA default_field: false - name: enrichments.indicator.geo.continent_name level: core type: keyword ignore_above: 1024 description: Name of the continent. example: North America default_field: false - name: enrichments.indicator.geo.country_iso_code level: core type: keyword ignore_above: 1024 description: Country ISO code. example: CA default_field: false - name: enrichments.indicator.geo.country_name level: core type: keyword ignore_above: 1024 description: Country name. example: Canada default_field: false - name: enrichments.indicator.geo.location level: core type: geo_point description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' default_field: false - name: enrichments.indicator.geo.name level: extended type: keyword ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.' example: boston-dc default_field: false - name: enrichments.indicator.geo.postal_code level: core type: keyword ignore_above: 1024 description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.' example: 94040 default_field: false - name: enrichments.indicator.geo.region_iso_code level: core type: keyword ignore_above: 1024 description: Region ISO code. example: CA-QC default_field: false - name: enrichments.indicator.geo.region_name level: core type: keyword ignore_above: 1024 description: Region name. example: Quebec default_field: false - name: enrichments.indicator.geo.timezone level: core type: keyword ignore_above: 1024 description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false - name: enrichments.indicator.ip level: extended type: ip description: Identifies a threat indicator as an IP address (irrespective of direction). example: 1.2.3.4 default_field: false - name: enrichments.indicator.last_seen level: extended type: date description: The date and time when intelligence source last reported sighting this indicator. example: '2020-11-05T17:25:47.000Z' default_field: false - name: enrichments.indicator.marking.tlp level: extended type: keyword ignore_above: 1024 description: Traffic Light Protocol sharing markings. example: CLEAR default_field: false - name: enrichments.indicator.modified_at level: extended type: date description: The date and time when intelligence source last modified information for this indicator. example: '2020-11-05T17:25:47.000Z' default_field: false - name: enrichments.indicator.port level: extended type: long description: Identifies a threat indicator as a port number (irrespective of direction). example: 443 default_field: false - name: enrichments.indicator.provider level: extended type: keyword ignore_above: 1024 description: The name of the indicator's provider. example: lrz_urlhaus default_field: false - name: enrichments.indicator.reference level: extended type: keyword ignore_above: 1024 description: Reference URL linking to additional information about this indicator. example: https://system.example.com/indicator/0001234 default_field: false - name: enrichments.indicator.registry.data.bytes level: extended type: keyword ignore_above: 1024 description: 'Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.' example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= default_field: false - name: enrichments.indicator.registry.data.strings level: core type: wildcard description: 'Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).' example: '["C:\rta\red_ttp\bin\myapp.exe"]' default_field: false - name: enrichments.indicator.registry.data.type level: core type: keyword ignore_above: 1024 description: Standard registry type for encoding contents example: REG_SZ default_field: false - name: enrichments.indicator.registry.hive level: core type: keyword ignore_above: 1024 description: Abbreviated name for the hive. example: HKLM default_field: false - name: enrichments.indicator.registry.key level: core type: keyword ignore_above: 1024 description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe default_field: false - name: enrichments.indicator.registry.path level: core type: keyword ignore_above: 1024 description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger default_field: false - name: enrichments.indicator.registry.value level: core type: keyword ignore_above: 1024 description: Name of the value written. example: Debugger default_field: false - name: enrichments.indicator.scanner_stats level: extended type: long description: Count of AV/EDR vendors that successfully detected malicious file or URL. example: 4 default_field: false - name: enrichments.indicator.sightings level: extended type: long description: Number of times this indicator was observed conducting threat activity. example: 20 default_field: false - name: enrichments.indicator.type level: extended type: keyword ignore_above: 1024 description: Type of indicator as represented by Cyber Observable in STIX 2.0. example: ipv4-addr default_field: false - name: enrichments.indicator.url.domain level: extended type: keyword ignore_above: 1024 description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.' example: www.elastic.co default_field: false - name: enrichments.indicator.url.extension level: extended type: keyword ignore_above: 1024 description: 'The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").' example: png default_field: false - name: enrichments.indicator.url.fragment level: extended type: keyword ignore_above: 1024 description: 'Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.' default_field: false - name: enrichments.indicator.url.full level: extended type: wildcard multi_fields: - name: text type: match_only_text description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. example: https://www.elastic.co:443/search?q=elasticsearch#top default_field: false - name: enrichments.indicator.url.original level: extended type: wildcard multi_fields: - name: text type: match_only_text description: 'Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.' example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch default_field: false - name: enrichments.indicator.url.password level: extended type: keyword ignore_above: 1024 description: Password of the request. default_field: false - name: enrichments.indicator.url.path level: extended type: wildcard description: Path of the request, such as "/search". default_field: false - name: enrichments.indicator.url.port level: extended type: long format: string description: Port of the request, such as 443. example: 443 default_field: false - name: enrichments.indicator.url.query level: extended type: keyword ignore_above: 1024 description: 'The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' default_field: false - name: enrichments.indicator.url.registered_domain level: extended type: keyword ignore_above: 1024 description: 'The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com default_field: false - name: enrichments.indicator.url.scheme level: extended type: keyword ignore_above: 1024 description: 'Scheme of the request, such as "https". Note: The `:` is not part of the scheme.' example: https default_field: false - name: enrichments.indicator.url.subdomain level: extended type: keyword ignore_above: 1024 description: 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.' example: east default_field: false - name: enrichments.indicator.url.top_level_domain level: extended type: keyword ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk default_field: false - name: enrichments.indicator.url.username level: extended type: keyword ignore_above: 1024 description: Username of the request. default_field: false - name: enrichments.indicator.x509.alternative_names level: extended type: keyword ignore_above: 1024 description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. example: '*.elastic.co' default_field: false - name: enrichments.indicator.x509.issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - name: enrichments.indicator.x509.issuer.country level: extended type: keyword ignore_above: 1024 description: List of country \(C) codes example: US default_field: false - name: enrichments.indicator.x509.issuer.distinguished_name level: extended type: keyword ignore_above: 1024 description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - name: enrichments.indicator.x509.issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - name: enrichments.indicator.x509.issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - name: enrichments.indicator.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. example: www.example.com default_field: false - name: enrichments.indicator.x509.issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: enrichments.indicator.x509.not_after level: extended type: date description: Time at which the certificate is no longer considered valid. example: '2020-07-16T03:15:39Z' default_field: false - name: enrichments.indicator.x509.not_before level: extended type: date description: Time at which the certificate is first considered valid. example: '2019-08-16T01:40:25Z' default_field: false - name: enrichments.indicator.x509.public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. example: RSA default_field: false - name: enrichments.indicator.x509.public_key_curve level: extended type: keyword ignore_above: 1024 description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. example: nistp521 default_field: false - name: enrichments.indicator.x509.public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. example: 65537 index: false doc_values: false default_field: false - name: enrichments.indicator.x509.public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - name: enrichments.indicator.x509.serial_number level: extended type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - name: enrichments.indicator.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA default_field: false - name: enrichments.indicator.x509.subject.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of subject. example: shared.global.example.net default_field: false - name: enrichments.indicator.x509.subject.country level: extended type: keyword ignore_above: 1024 description: List of country \(C) code example: US default_field: false - name: enrichments.indicator.x509.subject.distinguished_name level: extended type: keyword ignore_above: 1024 description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - name: enrichments.indicator.x509.subject.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: San Francisco default_field: false - name: enrichments.indicator.x509.subject.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of subject. example: Example, Inc. default_field: false - name: enrichments.indicator.x509.subject.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of subject. default_field: false - name: enrichments.indicator.x509.subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: enrichments.indicator.x509.version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false - name: enrichments.matched.atomic level: extended type: keyword ignore_above: 1024 description: Identifies the atomic indicator value that matched a local environment endpoint or network event. example: bad-domain.com default_field: false - name: enrichments.matched.field level: extended type: keyword ignore_above: 1024 description: Identifies the field of the atomic indicator that matched a local environment endpoint or network event. example: file.hash.sha256 default_field: false - name: enrichments.matched.id level: extended type: keyword ignore_above: 1024 description: Identifies the _id of the indicator document enriching the event. example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 default_field: false - name: enrichments.matched.index level: extended type: keyword ignore_above: 1024 description: Identifies the _index of the indicator document enriching the event. example: filebeat-8.0.0-2021.05.23-000011 default_field: false - name: enrichments.matched.type level: extended type: keyword ignore_above: 1024 description: Identifies the type of match that caused the event to be enriched with the given indicator example: indicator_match_rule default_field: false - name: framework level: extended type: keyword ignore_above: 1024 description: Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. example: MITRE ATT&CK - name: group.alias level: extended type: keyword ignore_above: 1024 description: "The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community.\nWhile not required, you can use a MITRE ATT&CK® group alias(es)." example: '[ "Magecart Group 6" ]' default_field: false - name: group.id level: extended type: keyword ignore_above: 1024 description: "The id of the group for a set of related intrusion activity that are tracked by a common name in the security community.\nWhile not required, you can use a MITRE ATT&CK® group id." example: G0037 default_field: false - name: group.name level: extended type: keyword ignore_above: 1024 description: "The name of the group for a set of related intrusion activity that are tracked by a common name in the security community.\nWhile not required, you can use a MITRE ATT&CK® group name." example: FIN6 default_field: false - name: group.reference level: extended type: keyword ignore_above: 1024 description: "The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community.\nWhile not required, you can use a MITRE ATT&CK® group reference URL." example: https://attack.mitre.org/groups/G0037/ default_field: false - name: indicator.as.number level: extended type: long description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. example: 15169 default_field: false - name: indicator.as.organization.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: Organization name. example: Google LLC default_field: false - name: indicator.confidence level: extended type: keyword ignore_above: 1024 description: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. example: Medium default_field: false - name: indicator.description level: extended type: keyword ignore_above: 1024 description: Describes the type of action conducted by the threat. example: IP x.x.x.x was observed delivering the Angler EK. default_field: false - name: indicator.email.address level: extended type: keyword ignore_above: 1024 description: Identifies a threat indicator as an email address (irrespective of direction). example: phish@example.com default_field: false - name: indicator.file.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: indicator.file.Ext.code_signature level: custom type: nested description: Nested version of ECS code_signature fieldset. default_field: false - name: indicator.file.Ext.code_signature.exists level: core type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: indicator.file.Ext.code_signature.status level: custom type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: indicator.file.Ext.code_signature.subject_name level: core type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: indicator.file.Ext.code_signature.trusted level: custom type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: indicator.file.Ext.code_signature.valid level: custom type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: indicator.file.Ext.device.bus_type level: custom type: keyword ignore_above: 1024 description: Bus type of the device, such as Nvme, Usb, FileBackedVirtual,... etc. default_field: false - name: indicator.file.Ext.device.dos_name level: custom type: keyword ignore_above: 1024 description: DOS name of the device. DOS device name is in the format of driver letters such as C:, D:,... default_field: false - name: indicator.file.Ext.device.file_system_type level: custom type: keyword ignore_above: 1024 description: 'Volume device file system type. Following are examples of the most frequently seen volume device file system types: NTFS UDF' default_field: false - name: indicator.file.Ext.device.nt_name level: custom type: keyword ignore_above: 1024 description: 'NT name of the device. NT device name is in the format such as: \Device\HarddiskVolume2' default_field: false - name: indicator.file.Ext.device.product_id level: custom type: keyword ignore_above: 1024 description: ProductID of the device. It is provided by the vendor of the device if any. default_field: false - name: indicator.file.Ext.device.serial_number level: custom type: keyword ignore_above: 1024 description: Serial Number of the device. It is provided by the vendor of the device if any. default_field: false - name: indicator.file.Ext.device.vendor_id level: custom type: keyword ignore_above: 1024 description: VendorID of the device. It is provided by the vendor of the device. default_field: false - name: indicator.file.Ext.device.volume_device_type level: custom type: keyword ignore_above: 1024 description: 'Volume device type. Following are examples of the most frequently seen volume device types: Disk File System CD-ROM File System' default_field: false - name: indicator.file.Ext.entropy level: custom type: double description: Entropy calculation of file's header and footer used to check file integrity. default_field: false - name: indicator.file.Ext.entry_modified level: custom type: double description: Time of last status change. See `st_ctim` member of `struct stat`. default_field: false - name: indicator.file.Ext.header_bytes level: custom type: keyword ignore_above: 1024 description: First 16 bytes of file used to check file integrity. default_field: false - name: indicator.file.Ext.header_data level: custom type: text description: First 16 bytes of file used to check file integrity. default_field: false - name: indicator.file.Ext.malware_classification.features.data.buffer level: custom type: keyword ignore_above: 1024 description: The features extracted from this file and evaluated by the model. Usually an array of floats. Likely zlib-encoded. default_field: false - name: indicator.file.Ext.malware_classification.features.data.decompressed_size level: custom type: integer description: The decompressed size of buffer. default_field: false - name: indicator.file.Ext.malware_classification.features.data.encoding level: custom type: keyword ignore_above: 1024 description: The encoding of buffer (e.g. zlib). default_field: false - name: indicator.file.Ext.malware_classification.identifier level: custom type: keyword ignore_above: 1024 description: The model's unique identifier. default_field: false - name: indicator.file.Ext.malware_classification.score level: custom type: double description: The score produced by the classification model. default_field: false - name: indicator.file.Ext.malware_classification.threshold level: custom type: double description: The score threshold for the model. Files that score above this threshold are considered malicious. default_field: false - name: indicator.file.Ext.malware_classification.upx_packed level: custom type: boolean description: Whether UPX packing was detected. default_field: false - name: indicator.file.Ext.malware_classification.version level: custom type: keyword ignore_above: 1024 description: The version of the model used. default_field: false - name: indicator.file.Ext.malware_signature level: custom type: nested description: Nested version of malware_signature fieldset. default_field: false - name: indicator.file.Ext.malware_signature.all_names level: custom type: text description: The concatenated names of all yara signatures default_field: false - name: indicator.file.Ext.malware_signature.identifier level: custom type: text description: Malware artifact identifier. default_field: false - name: indicator.file.Ext.malware_signature.primary level: custom type: nested description: Primary malware signature match. default_field: false - name: indicator.file.Ext.malware_signature.primary.matches level: custom type: nested description: An array of bytes representing yara signature matches default_field: false - name: indicator.file.Ext.malware_signature.primary.signature level: custom type: nested description: Primary malware signature match. default_field: false - name: indicator.file.Ext.malware_signature.primary.signature.hash level: custom type: nested description: Primary malware signature hash. default_field: false - name: indicator.file.Ext.malware_signature.primary.signature.hash.sha256 level: custom type: keyword ignore_above: 1024 description: Primary malware signature sha256. default_field: false - name: indicator.file.Ext.malware_signature.primary.signature.id level: custom type: keyword ignore_above: 1024 description: Primary malware signature id. default_field: false - name: indicator.file.Ext.malware_signature.primary.signature.name level: custom type: keyword ignore_above: 1024 description: Primary malware signature name. default_field: false - name: indicator.file.Ext.malware_signature.secondary level: custom type: nested description: An array of malware signature matches default_field: false - name: indicator.file.Ext.malware_signature.version level: custom type: keyword ignore_above: 1024 description: Primary malware signature version. default_field: false - name: indicator.file.Ext.monotonic_id level: custom type: unsigned_long description: File event monotonic ID. default_field: false - name: indicator.file.Ext.original level: custom type: object description: Original file information during a modification event. default_field: false - name: indicator.file.Ext.original.gid level: custom type: keyword ignore_above: 1024 description: Primary group ID (GID) of the file. example: '1001' default_field: false - name: indicator.file.Ext.original.group level: custom type: keyword ignore_above: 1024 description: Primary group name of the file. example: alice default_field: false - name: indicator.file.Ext.original.mode level: custom type: keyword ignore_above: 1024 description: Original file mode prior to a modification event default_field: false - name: indicator.file.Ext.original.name level: custom type: keyword ignore_above: 1024 description: Original file name prior to a modification event default_field: false - name: indicator.file.Ext.original.owner level: custom type: keyword ignore_above: 1024 description: File owner's username. example: alice default_field: false - name: indicator.file.Ext.original.path level: custom type: keyword ignore_above: 1024 description: Original file path prior to a modification event default_field: false - name: indicator.file.Ext.original.uid level: custom type: keyword ignore_above: 1024 description: The user ID (UID) or security identifier (SID) of the file owner. example: '1001' default_field: false - name: indicator.file.Ext.quarantine_message level: custom type: keyword ignore_above: 1024 description: Message describing quarantine results. default_field: false - name: indicator.file.Ext.quarantine_path level: custom type: keyword ignore_above: 1024 description: Path on endpoint the quarantined file was originally. default_field: false - name: indicator.file.Ext.quarantine_result level: custom type: boolean description: Boolean representing whether or not file quarantine succeeded. default_field: false - name: indicator.file.Ext.temp_file_path level: custom type: keyword ignore_above: 1024 description: Path on endpoint where a copy of the file is being stored. Used to make ephemeral files retrievable. default_field: false - name: indicator.file.Ext.windows level: custom type: object description: Platform-specific Windows fields default_field: false - name: indicator.file.Ext.windows.zone_identifier level: custom type: keyword ignore_above: 1024 description: Windows zone identifier for a file default_field: false - name: indicator.file.accessed level: extended type: date description: 'Last time the file was accessed. Note that not all filesystems keep track of access time.' default_field: false - name: indicator.file.attributes level: extended type: keyword ignore_above: 1024 description: 'Array of file attributes. Attributes names will vary by platform. Here''s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.' example: '["readonly", "system"]' default_field: false - name: indicator.file.code_signature.exists level: core type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: indicator.file.code_signature.signing_id level: extended type: keyword ignore_above: 1024 description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: indicator.file.code_signature.status level: extended type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: indicator.file.code_signature.subject_name level: core type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: indicator.file.code_signature.team_id level: extended type: keyword ignore_above: 1024 description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: indicator.file.code_signature.trusted level: extended type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: indicator.file.code_signature.valid level: extended type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: indicator.file.created level: extended type: date description: 'File creation time. Note that not all filesystems store the creation time.' default_field: false - name: indicator.file.ctime level: extended type: date description: 'Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.' default_field: false - name: indicator.file.device level: extended type: keyword ignore_above: 1024 description: Device that is the source of the file. example: sda default_field: false - name: indicator.file.directory level: extended type: keyword ignore_above: 1024 description: Directory where the file is located. It should include the drive letter, when appropriate. example: /home/alice default_field: false - name: indicator.file.drive_letter level: extended type: keyword ignore_above: 1 description: 'Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.' example: C default_field: false - name: indicator.file.elf.architecture level: extended type: keyword ignore_above: 1024 description: Machine architecture of the ELF file. example: x86-64 default_field: false - name: indicator.file.elf.byte_order level: extended type: keyword ignore_above: 1024 description: Byte sequence of ELF file. example: Little Endian default_field: false - name: indicator.file.elf.cpu_type level: extended type: keyword ignore_above: 1024 description: CPU type of the ELF file. example: Intel default_field: false - name: indicator.file.elf.creation_date level: extended type: date description: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. default_field: false - name: indicator.file.elf.exports level: extended type: flattened description: List of exported element names and types. default_field: false - name: indicator.file.elf.go_import_hash level: extended type: keyword ignore_above: 1024 description: 'A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma).' example: 10bddcb4cee42080f76c88d9ff964491 default_field: false - name: indicator.file.elf.go_imports level: extended type: flattened description: List of imported Go language element names and types. default_field: false - name: indicator.file.elf.go_imports_names_entropy level: extended type: long format: number description: Shannon entropy calculation from the list of Go imports. default_field: false - name: indicator.file.elf.go_imports_names_var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the list of Go imports. default_field: false - name: indicator.file.elf.go_stripped level: extended type: boolean description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. default_field: false - name: indicator.file.elf.header.abi_version level: extended type: keyword ignore_above: 1024 description: Version of the ELF Application Binary Interface (ABI). default_field: false - name: indicator.file.elf.header.class level: extended type: keyword ignore_above: 1024 description: Header class of the ELF file. default_field: false - name: indicator.file.elf.header.data level: extended type: keyword ignore_above: 1024 description: Data table of the ELF header. default_field: false - name: indicator.file.elf.header.entrypoint level: extended type: long format: string description: Header entrypoint of the ELF file. default_field: false - name: indicator.file.elf.header.object_version level: extended type: keyword ignore_above: 1024 description: '"0x1" for original ELF files.' default_field: false - name: indicator.file.elf.header.os_abi level: extended type: keyword ignore_above: 1024 description: Application Binary Interface (ABI) of the Linux OS. default_field: false - name: indicator.file.elf.header.type level: extended type: keyword ignore_above: 1024 description: Header type of the ELF file. default_field: false - name: indicator.file.elf.header.version level: extended type: keyword ignore_above: 1024 description: Version of the ELF header. default_field: false - name: indicator.file.elf.import_hash level: extended type: keyword ignore_above: 1024 description: 'A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is an ELF implementation of the Windows PE imphash.' example: d41d8cd98f00b204e9800998ecf8427e default_field: false - name: indicator.file.elf.imports level: extended type: flattened description: List of imported element names and types. default_field: false - name: indicator.file.elf.imports_names_entropy level: extended type: long format: number description: Shannon entropy calculation from the list of imported element names and types. default_field: false - name: indicator.file.elf.imports_names_var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the list of imported element names and types. default_field: false - name: indicator.file.elf.sections level: extended type: nested description: 'An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.' default_field: false - name: indicator.file.elf.sections.chi2 level: extended type: long format: number description: Chi-square probability distribution of the section. default_field: false - name: indicator.file.elf.sections.entropy level: extended type: long format: number description: Shannon entropy calculation from the section. default_field: false - name: indicator.file.elf.sections.flags level: extended type: keyword ignore_above: 1024 description: ELF Section List flags. default_field: false - name: indicator.file.elf.sections.name level: extended type: keyword ignore_above: 1024 description: ELF Section List name. default_field: false - name: indicator.file.elf.sections.physical_offset level: extended type: keyword ignore_above: 1024 description: ELF Section List offset. default_field: false - name: indicator.file.elf.sections.physical_size level: extended type: long format: bytes description: ELF Section List physical size. default_field: false - name: indicator.file.elf.sections.type level: extended type: keyword ignore_above: 1024 description: ELF Section List type. default_field: false - name: indicator.file.elf.sections.var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the section. default_field: false - name: indicator.file.elf.sections.virtual_address level: extended type: long format: string description: ELF Section List virtual address. default_field: false - name: indicator.file.elf.sections.virtual_size level: extended type: long format: string description: ELF Section List virtual size. default_field: false - name: indicator.file.elf.segments level: extended type: nested description: 'An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.' default_field: false - name: indicator.file.elf.segments.sections level: extended type: keyword ignore_above: 1024 description: ELF object segment sections. default_field: false - name: indicator.file.elf.segments.type level: extended type: keyword ignore_above: 1024 description: ELF object segment type. default_field: false - name: indicator.file.elf.shared_libraries level: extended type: keyword ignore_above: 1024 description: List of shared libraries used by this ELF object. default_field: false - name: indicator.file.elf.telfhash level: extended type: keyword ignore_above: 1024 description: telfhash symbol hash for ELF file. default_field: false - name: indicator.file.extension level: extended type: keyword ignore_above: 1024 description: 'File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").' example: png default_field: false - name: indicator.file.gid level: extended type: keyword ignore_above: 1024 description: Primary group ID (GID) of the file. example: '1001' default_field: false - name: indicator.file.group level: extended type: keyword ignore_above: 1024 description: Primary group name of the file. example: alice default_field: false - name: indicator.file.hash.md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash. default_field: false - name: indicator.file.hash.sha1 level: extended type: keyword ignore_above: 1024 description: SHA1 hash. default_field: false - name: indicator.file.hash.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. default_field: false - name: indicator.file.hash.sha512 level: extended type: keyword ignore_above: 1024 description: SHA512 hash. default_field: false - name: indicator.file.hash.ssdeep level: extended type: keyword ignore_above: 1024 description: SSDEEP hash. default_field: false - name: indicator.file.inode level: extended type: keyword ignore_above: 1024 description: Inode representing the file in the filesystem. example: '256383' default_field: false - name: indicator.file.mime_type level: extended type: keyword ignore_above: 1024 description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. default_field: false - name: indicator.file.mode level: extended type: keyword ignore_above: 1024 description: Mode of the file in octal representation. example: '0640' default_field: false - name: indicator.file.mtime level: extended type: date description: Last time the file content was modified. default_field: false - name: indicator.file.name level: extended type: keyword ignore_above: 1024 description: Name of the file including the extension, without the directory. example: example.png default_field: false - name: indicator.file.owner level: extended type: keyword ignore_above: 1024 description: File owner's username. example: alice default_field: false - name: indicator.file.path level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: Full path to the file, including the file name. It should include the drive letter, when appropriate. example: /home/alice/example.png default_field: false - name: indicator.file.pe.architecture level: extended type: keyword ignore_above: 1024 description: CPU architecture target for the file. example: x64 default_field: false - name: indicator.file.pe.company level: extended type: keyword ignore_above: 1024 description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - name: indicator.file.pe.description level: extended type: keyword ignore_above: 1024 description: Internal description of the file, provided at compile-time. example: Paint default_field: false - name: indicator.file.pe.file_version level: extended type: keyword ignore_above: 1024 description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - name: indicator.file.pe.imphash level: extended type: keyword ignore_above: 1024 description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - name: indicator.file.pe.original_file_name level: extended type: keyword ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - name: indicator.file.pe.product level: extended type: keyword ignore_above: 1024 description: Internal product name of the file, provided at compile-time. example: "Microsoft® Windows® Operating System" default_field: false - name: indicator.file.size level: extended type: long description: 'File size in bytes. Only relevant when `file.type` is "file".' example: 16384 default_field: false - name: indicator.file.target_path level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: Target path for symlinks. default_field: false - name: indicator.file.type level: extended type: keyword ignore_above: 1024 description: File type (file, dir, or symlink). example: file default_field: false - name: indicator.file.uid level: extended type: keyword ignore_above: 1024 description: The user ID (UID) or security identifier (SID) of the file owner. example: '1001' default_field: false - name: indicator.first_seen level: extended type: date description: The date and time when intelligence source first reported sighting this indicator. example: '2020-11-05T17:25:47.000Z' default_field: false - name: indicator.geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal default_field: false - name: indicator.geo.continent_code level: core type: keyword ignore_above: 1024 description: Two-letter code representing continent's name. example: NA default_field: false - name: indicator.geo.continent_name level: core type: keyword ignore_above: 1024 description: Name of the continent. example: North America default_field: false - name: indicator.geo.country_iso_code level: core type: keyword ignore_above: 1024 description: Country ISO code. example: CA default_field: false - name: indicator.geo.country_name level: core type: keyword ignore_above: 1024 description: Country name. example: Canada default_field: false - name: indicator.geo.location level: core type: geo_point description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' default_field: false - name: indicator.geo.name level: extended type: keyword ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.' example: boston-dc default_field: false - name: indicator.geo.postal_code level: core type: keyword ignore_above: 1024 description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.' example: 94040 default_field: false - name: indicator.geo.region_iso_code level: core type: keyword ignore_above: 1024 description: Region ISO code. example: CA-QC default_field: false - name: indicator.geo.region_name level: core type: keyword ignore_above: 1024 description: Region name. example: Quebec default_field: false - name: indicator.geo.timezone level: core type: keyword ignore_above: 1024 description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false - name: indicator.ip level: extended type: ip description: Identifies a threat indicator as an IP address (irrespective of direction). example: 1.2.3.4 default_field: false - name: indicator.last_seen level: extended type: date description: The date and time when intelligence source last reported sighting this indicator. example: '2020-11-05T17:25:47.000Z' default_field: false - name: indicator.marking.tlp level: extended type: keyword ignore_above: 1024 description: Traffic Light Protocol sharing markings. example: CLEAR default_field: false - name: indicator.modified_at level: extended type: date description: The date and time when intelligence source last modified information for this indicator. example: '2020-11-05T17:25:47.000Z' default_field: false - name: indicator.port level: extended type: long description: Identifies a threat indicator as a port number (irrespective of direction). example: 443 default_field: false - name: indicator.provider level: extended type: keyword ignore_above: 1024 description: The name of the indicator's provider. example: lrz_urlhaus default_field: false - name: indicator.reference level: extended type: keyword ignore_above: 1024 description: Reference URL linking to additional information about this indicator. example: https://system.example.com/indicator/0001234 default_field: false - name: indicator.registry.data.bytes level: extended type: keyword ignore_above: 1024 description: 'Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.' example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= default_field: false - name: indicator.registry.data.strings level: core type: wildcard description: 'Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).' example: '["C:\rta\red_ttp\bin\myapp.exe"]' default_field: false - name: indicator.registry.data.type level: core type: keyword ignore_above: 1024 description: Standard registry type for encoding contents example: REG_SZ default_field: false - name: indicator.registry.hive level: core type: keyword ignore_above: 1024 description: Abbreviated name for the hive. example: HKLM default_field: false - name: indicator.registry.key level: core type: keyword ignore_above: 1024 description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe default_field: false - name: indicator.registry.path level: core type: keyword ignore_above: 1024 description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger default_field: false - name: indicator.registry.value level: core type: keyword ignore_above: 1024 description: Name of the value written. example: Debugger default_field: false - name: indicator.scanner_stats level: extended type: long description: Count of AV/EDR vendors that successfully detected malicious file or URL. example: 4 default_field: false - name: indicator.sightings level: extended type: long description: Number of times this indicator was observed conducting threat activity. example: 20 default_field: false - name: indicator.type level: extended type: keyword ignore_above: 1024 description: Type of indicator as represented by Cyber Observable in STIX 2.0. example: ipv4-addr default_field: false - name: indicator.url.domain level: extended type: keyword ignore_above: 1024 description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.' example: www.elastic.co default_field: false - name: indicator.url.extension level: extended type: keyword ignore_above: 1024 description: 'The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").' example: png default_field: false - name: indicator.url.fragment level: extended type: keyword ignore_above: 1024 description: 'Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.' default_field: false - name: indicator.url.full level: extended type: wildcard multi_fields: - name: text type: match_only_text description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. example: https://www.elastic.co:443/search?q=elasticsearch#top default_field: false - name: indicator.url.original level: extended type: wildcard multi_fields: - name: text type: match_only_text description: 'Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.' example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch default_field: false - name: indicator.url.password level: extended type: keyword ignore_above: 1024 description: Password of the request. default_field: false - name: indicator.url.path level: extended type: wildcard description: Path of the request, such as "/search". default_field: false - name: indicator.url.port level: extended type: long format: string description: Port of the request, such as 443. example: 443 default_field: false - name: indicator.url.query level: extended type: keyword ignore_above: 1024 description: 'The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' default_field: false - name: indicator.url.registered_domain level: extended type: keyword ignore_above: 1024 description: 'The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com default_field: false - name: indicator.url.scheme level: extended type: keyword ignore_above: 1024 description: 'Scheme of the request, such as "https". Note: The `:` is not part of the scheme.' example: https default_field: false - name: indicator.url.subdomain level: extended type: keyword ignore_above: 1024 description: 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.' example: east default_field: false - name: indicator.url.top_level_domain level: extended type: keyword ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk default_field: false - name: indicator.url.username level: extended type: keyword ignore_above: 1024 description: Username of the request. default_field: false - name: indicator.x509.alternative_names level: extended type: keyword ignore_above: 1024 description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. example: '*.elastic.co' default_field: false - name: indicator.x509.issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - name: indicator.x509.issuer.country level: extended type: keyword ignore_above: 1024 description: List of country \(C) codes example: US default_field: false - name: indicator.x509.issuer.distinguished_name level: extended type: keyword ignore_above: 1024 description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - name: indicator.x509.issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - name: indicator.x509.issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - name: indicator.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. example: www.example.com default_field: false - name: indicator.x509.issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: indicator.x509.not_after level: extended type: date description: Time at which the certificate is no longer considered valid. example: '2020-07-16T03:15:39Z' default_field: false - name: indicator.x509.not_before level: extended type: date description: Time at which the certificate is first considered valid. example: '2019-08-16T01:40:25Z' default_field: false - name: indicator.x509.public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. example: RSA default_field: false - name: indicator.x509.public_key_curve level: extended type: keyword ignore_above: 1024 description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. example: nistp521 default_field: false - name: indicator.x509.public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. example: 65537 index: false doc_values: false default_field: false - name: indicator.x509.public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - name: indicator.x509.serial_number level: extended type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - name: indicator.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA default_field: false - name: indicator.x509.subject.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of subject. example: shared.global.example.net default_field: false - name: indicator.x509.subject.country level: extended type: keyword ignore_above: 1024 description: List of country \(C) code example: US default_field: false - name: indicator.x509.subject.distinguished_name level: extended type: keyword ignore_above: 1024 description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - name: indicator.x509.subject.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: San Francisco default_field: false - name: indicator.x509.subject.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of subject. example: Example, Inc. default_field: false - name: indicator.x509.subject.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of subject. default_field: false - name: indicator.x509.subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: indicator.x509.version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false - name: software.id level: extended type: keyword ignore_above: 1024 description: "The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.\nWhile not required, you can use a MITRE ATT&CK® software id." example: S0552 default_field: false - name: software.name level: extended type: keyword ignore_above: 1024 description: "The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.\nWhile not required, you can use a MITRE ATT&CK® software name." example: AdFind default_field: false - name: software.platforms level: extended type: keyword ignore_above: 1024 description: "The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.\nWhile not required, you can use MITRE ATT&CK® software platform values." example: '[ "Windows" ]' default_field: false - name: software.reference level: extended type: keyword ignore_above: 1024 description: "The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.\nWhile not required, you can use a MITRE ATT&CK® software reference URL." example: https://attack.mitre.org/software/S0552/ default_field: false - name: software.type level: extended type: keyword ignore_above: 1024 description: "The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.\nWhile not required, you can use a MITRE ATT&CK® software type." example: Tool default_field: false - name: tactic.id level: extended type: keyword ignore_above: 1024 description: "The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )" example: TA0002 - name: tactic.name level: extended type: keyword ignore_above: 1024 description: "Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)" example: Execution - name: tactic.reference level: extended type: keyword ignore_above: 1024 description: "The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )" example: https://attack.mitre.org/tactics/TA0002/ - name: technique.id level: extended type: keyword ignore_above: 1024 description: "The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" example: T1059 - name: technique.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text default_field: false description: "The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" example: Command and Scripting Interpreter - name: technique.reference level: extended type: keyword ignore_above: 1024 description: "The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" example: https://attack.mitre.org/techniques/T1059/ - name: technique.subtechnique.id level: extended type: keyword ignore_above: 1024 description: "The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" example: T1059.001 default_field: false - name: technique.subtechnique.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: "The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" example: PowerShell default_field: false - name: technique.subtechnique.reference level: extended type: keyword ignore_above: 1024 description: "The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" example: https://attack.mitre.org/techniques/T1059/001/ default_field: false - name: user title: User group: 2 description: 'The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.' type: group default_field: true fields: - name: Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: Ext.real level: custom type: object description: User info prior to any setuid operations. default_field: false - name: Ext.real.id level: custom type: keyword ignore_above: 1024 description: One or multiple unique identifiers of the user. default_field: false - name: Ext.real.name level: custom type: keyword ignore_above: 1024 description: Short name or login of the user. default_field: false - name: domain level: extended type: keyword ignore_above: 1024 description: 'Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.' - name: email level: extended type: keyword ignore_above: 1024 description: User email address. - name: full_name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text default_field: false description: User's full name, if available. example: Albert Einstein - name: group.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: group.Ext.real level: custom type: object description: Group info prior to any setgid operations. default_field: false - name: group.Ext.real.id level: custom type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: group.Ext.real.name level: custom type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: group.domain level: extended type: keyword ignore_above: 1024 description: Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. - name: group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. - name: group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. - name: hash level: extended type: keyword ignore_above: 1024 description: 'Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.' - name: id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - name: name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text default_field: false description: Short name or login of the user. example: a.einstein PKP**PK}W/ endpoint-8.10.2/data_stream/alerts/manifest.ymlUTdtitle: Endpoint Alerts type: logs elasticsearch: index_template: settings: index: mapping: nested_fields: limit: 80 total_fields: limit: 5000 mappings: dynamic: false PKnPK}W4 endpoint-8.10.2/data_stream/alerts/sample_event.jsonUTd{ "agent": { "build": { "original": "version: 8.3.0-SNAPSHOT, compiled: Fri Apr 1 06:00:00 2022, branch: main, commit: f8b0ed879ad40ee1ae561ced31ec8a4027a2bf53" }, "id": "2b1eb7f7-bd61-436a-98af-c2b182043476", "type": "endpoint", "version": "8.3.0-SNAPSHOT" }, "container": { "id": "4c9c9cb3-f80f-44d8-9c89-6168243b7f21", "image": { "name": "docker.io/library/nginx", "tag": "latest" }, "name": "nginx" }, "cloud": { "account": { "id": "1234" }, "instance": { "name": "webserver-12" }, "project": { "id": "1234" }, "provider": "aws", "region": "us-east-1" }, "orchestrator": { "cluster": { "name": "webservers" }, "namespace": "webapp", "resource": { "name": "webservers", "type": "kubernetes" } }, "process": { "Ext": { "ancestry": [ "MmIxZWI3ZjctYmQ2MS00MzZhLTk4YWYtYzJiMTgyMDQzNDc2LTAtMTMyOTM1NDczMTkuOTk5Mjc0NjAw" ], "protection": "PsProtectedSignerWinSystem", "user": "SYSTEM", "architecture": "x86_64", "token": { "elevation": true, "integrity_level_name": "system", "domain": "NT AUTHORITY", "user": "SYSTEM", "elevation_type": "default", "sid": "S-1-5-18" } }, "parent": { "Ext": { "protection": "", "user": "", "architecture": "unknown" }, "name": "System Idle Process", "start": "2022-04-04T12:15:41.4606245Z", "pid": 0, "entity_id": "MmIxZWI3ZjctYmQ2MS00MzZhLTk4YWYtYzJiMTgyMDQzNDc2LTAtMTMyOTM1NDczMTkuOTk5Mjc0NjAw", "command_line": "", "executable": "", "ppid": 0, "uptime": 822 }, "pe": {}, "name": "System", "start": "2022-04-04T12:15:41.4606245Z", "pid": 4, "entity_id": "MmIxZWI3ZjctYmQ2MS00MzZhLTk4YWYtYzJiMTgyMDQzNDc2LTQtMTMyOTM1NDczMTkuOTk5Mjc0NjAw", "command_line": "", "executable": "", "thread": { "Ext": { "call_stack": [ { "instruction_pointer": 140705188471348, "memory_section": { "memory_address": 140705187827712, "memory_size": 1163264, "protection": "R-X" }, "module_name": "ntdll.dll", "module_path": "c:\\windows\\system32\\ntdll.dll", "symbol_info": "c:\\windows\\system32\\ntdll.dll!NtAlpcSendWaitReceivePort+0x14" }, { "instruction_pointer": 140705158956066, "memory_section": { "memory_address": 140705158664192, "memory_size": 921600, "protection": "R-X" }, "module_name": "rpcrt4.dll", "module_path": "c:\\windows\\system32\\rpcrt4.dll", "symbol_info": "c:\\windows\\system32\\rpcrt4.dll!0x7FF879048422" }, { "instruction_pointer": 140705158944113, "memory_section": { "memory_address": 140705158664192, "memory_size": 921600, "protection": "R-X" }, "module_name": "rpcrt4.dll", "module_path": "c:\\windows\\system32\\rpcrt4.dll", "symbol_info": "c:\\windows\\system32\\rpcrt4.dll!0x7FF879045571" }, { "instruction_pointer": 140705158854463, "memory_section": { "memory_address": 140705158664192, "memory_size": 921600, "protection": "R-X" }, "module_name": "rpcrt4.dll", "module_path": "c:\\windows\\system32\\rpcrt4.dll", "symbol_info": "c:\\windows\\system32\\rpcrt4.dll!0x7FF87902F73F" }, { "instruction_pointer": 140705155101013, "memory_section": { "memory_address": 140705154535424, "memory_size": 2334720, "protection": "R-X" }, "module_name": "combase.dll", "module_path": "c:\\windows\\system32\\combase.dll", "symbol_info": "c:\\windows\\system32\\combase.dll!0x7FF878C9B155" }, { "instruction_pointer": 140705155097096, "memory_section": { "memory_address": 140705154535424, "memory_size": 2334720, "protection": "R-X" }, "module_name": "combase.dll", "module_path": "c:\\windows\\system32\\combase.dll", "symbol_info": "c:\\windows\\system32\\combase.dll!0x7FF878C9A208" }, { "instruction_pointer": 140705155090820, "memory_section": { "memory_address": 140705154535424, "memory_size": 2334720, "protection": "R-X" }, "module_name": "combase.dll", "module_path": "c:\\windows\\system32\\combase.dll", "symbol_info": "c:\\windows\\system32\\combase.dll!0x7FF878C98984" }, { "instruction_pointer": 140705155093243, "memory_section": { "memory_address": 140705154535424, "memory_size": 2334720, "protection": "R-X" }, "module_name": "combase.dll", "module_path": "c:\\windows\\system32\\combase.dll", "symbol_info": "c:\\windows\\system32\\combase.dll!0x7FF878C992FB" }, { "instruction_pointer": 140705155073556, "memory_section": { "memory_address": 140705154535424, "memory_size": 2334720, "protection": "R-X" }, "module_name": "combase.dll", "module_path": "c:\\windows\\system32\\combase.dll", "symbol_info": "c:\\windows\\system32\\combase.dll!0x7FF878C94614" }, { "instruction_pointer": 140705155277630, "memory_section": { "memory_address": 140705154535424, "memory_size": 2334720, "protection": "R-X" }, "module_name": "combase.dll", "module_path": "c:\\windows\\system32\\combase.dll", "symbol_info": "c:\\windows\\system32\\combase.dll!0x7FF878CC633E" }, { "instruction_pointer": 140705158666224, "memory_section": { "memory_address": 140705158664192, "memory_size": 921600, "protection": "R-X" }, "module_name": "rpcrt4.dll", "module_path": "c:\\windows\\system32\\rpcrt4.dll", "symbol_info": "c:\\windows\\system32\\rpcrt4.dll!0x7FF8790017F0" }, { "instruction_pointer": 140705155255496, "memory_section": { "memory_address": 140705154535424, "memory_size": 2334720, "protection": "R-X" }, "module_name": "combase.dll", "module_path": "c:\\windows\\system32\\combase.dll", "symbol_info": "c:\\windows\\system32\\combase.dll!0x7FF878CC0CC8" }, { "instruction_pointer": 140705155775858, "memory_section": { "memory_address": 140705154535424, "memory_size": 2334720, "protection": "R-X" }, "module_name": "combase.dll", "module_path": "c:\\windows\\system32\\combase.dll", "symbol_info": "c:\\windows\\system32\\combase.dll!0x7FF878D3FD72" }, { "instruction_pointer": 140704876148243, "memory_section": { "memory_address": 140704875483136, "memory_size": 708608, "protection": "R-X" }, "module_name": "fastprox.dll", "module_path": "c:\\windows\\system32\\wbem\\fastprox.dll", "symbol_info": "c:\\windows\\system32\\wbem\\fastprox.dll!0x7FF868293613" }, { "instruction_pointer": 140699640718787, "memory_section": { "memory_address": 140699634241536, "memory_size": 9220096, "protection": "R-X" }, "module_name": "alertstests.exe", "module_path": "c:\\users\\vagrant\\endpoint-dev\\build\\_ws-vs2019-x64-dbg\\alertstests\\debug\\alertstests.exe", "symbol_info": "c:\\users\\vagrant\\endpoint-dev\\build\\_ws-vs2019-x64-dbg\\alertstests\\debug\\alertstests.exe!0x7FF7301AE5C3" }, { "instruction_pointer": 140699640807495, "memory_section": { "memory_address": 140699634241536, "memory_size": 9220096, "protection": "R-X" }, "module_name": "alertstests.exe", "module_path": "c:\\users\\vagrant\\endpoint-dev\\build\\_ws-vs2019-x64-dbg\\alertstests\\debug\\alertstests.exe", "symbol_info": "c:\\users\\vagrant\\endpoint-dev\\build\\_ws-vs2019-x64-dbg\\alertstests\\debug\\alertstests.exe!0x7FF7301C4047" }, { "instruction_pointer": 140705160001044, "memory_section": { "memory_address": 140705159909376, "memory_size": 520192, "protection": "R-X" }, "module_name": "kernel32.dll", "module_path": "c:\\windows\\system32\\kernel32.dll", "symbol_info": "c:\\windows\\system32\\kernel32.dll!BaseThreadInitThunk+0x14" }, { "instruction_pointer": 140705188161185, "memory_section": { "memory_address": 140705187827712, "memory_size": 1163264, "protection": "R-X" }, "module_name": "ntdll.dll", "module_path": "c:\\windows\\system32\\ntdll.dll", "symbol_info": "c:\\windows\\system32\\ntdll.dll!RtlUserThreadStart+0x21" } ], "call_stack_final_user_module": { "code_signature": [ { "exists": true, "status": "trusted", "subject_name": "Microsoft Windows", "trusted": true } ], "hash": { "sha256": "8c9740e7fe9c97d5782b8d3db102c7880c40f0b27f20d3ec9f334fe0161b7e55" }, "name": "rpcrt4.dll", "path": "c:\\windows\\system32\\rpcrt4.dll" }, "call_stack_summary": "ntdll.dll, rpcrt4.dll, combase.dll, rpcrt4.dll, combase.dll, fastprox.dll, alertstests.exe, kernel32.dll, ntdll.dll", "hardware_breakpoint_set": true, "start_address": 140699640807104, "start_address_module": "C:\\Users\\vagrant\\endpoint-dev\\Build\\_WS-vs2019-x64-dbg\\AlertsTests\\Debug\\AlertsTests.exe" }, "id": 5752 }, "uptime": 822 }, "rule": { "ruleset": "production" }, "message": "Malware Prevention Alert", "@timestamp": "2022-04-04T12:15:41.5944062Z", "file": { "Ext": { "temp_file_path": "C:\\Windows\\TEMP\\90edbe42-fe6c-4965-8a6b-222aa2b15cf2", "code_signature": [ { "exists": false } ], "quarantine_path": "C:\\.equarantine\\20a65f043449c96f10e538a860a415b55ff46c93", "quarantine_message": "Success", "quarantine_result": true, "malware_classification": { "identifier": "endpointpe-v4-model", "score": 0.692318737506866, "threshold": 0.58, "version": "4.0.19000" } }, "owner": "Administrators", "extension": "dll", "drive_letter": "C", "created": "2022-04-04T12:15:41.4606245Z", "accessed": "2022-04-04T12:15:41.4606245Z", "mtime": "2022-04-04T12:15:41.4606245Z", "directory": "C:\\sysmon", "path": "C:\\sysmon\\9C0E42A47D34240A9A4101CC5D3BC5787DC5AD73DEBF08C09D49337FBE7ACDE4D374924290143DFB2E3210F18E1BCC50EB6C3961D11071E3EC024215B8835E468FA63E53DAE02F32A21E03CE65412F6E56942DAA.dll", "code_signature": { "exists": false }, "size": 4608, "pe": { "file_version": "0.0.0.0", "description": " ", "original_file_name": "5t5mpwxc.dll", "Ext": { "dotnet": true, "streams": [ { "name": "#~", "hash": { "md5": "debf08c09d49337fbe7acde4d3749242", "sha256": "90143dfb2e3210f18e1bcc50eb6c3961d11071e3ec024215b8835e468fa63e53" } }, { "name": "#Blob", "hash": { "md5": "debf08c09d49337fbe7acde4d3749242", "sha256": "90143dfb2e3210f18e1bcc50eb6c3961d11071e3ec024215b8835e468fa63e53" } } ], "sections": [ { "name": ".reloc", "hash": { "md5": "debf08c09d49337fbe7acde4d3749242", "sha256": "90143dfb2e3210f18e1bcc50eb6c3961d11071e3ec024215b8835e468fa63e53" } } ] } }, "name": "9C0E42A47D34240A9A4101CC5D3BC5787DC5AD73DEBF08C09D49337FBE7ACDE4D374924290143DFB2E3210F18E1BCC50EB6C3961D11071E3EC024215B8835E468FA63E53DAE02F32A21E03CE65412F6E56942DAA.dll", "hash": { "sha1": "9c0e42a47d34240a9a4101cc5d3bc5787dc5ad73", "sha256": "90143dfb2e3210f18e1bcc50eb6c3961d11071e3ec024215b8835e468fa63e53", "md5": "debf08c09d49337fbe7acde4d3749242" } }, "Endpoint": { "policy": { "applied": { "artifacts": { "global": { "identifiers": [ { "sha256": "e57a7d5638060e9655c64ac1d02f7949b87e5f5f27f2074329608db1e06d645b", "name": "diagnostic-configuration-v1" }, { "sha256": "c33693fcadb720d4d37706cd2ca77b28a8c59a424ab3f251b2b07ac7975eb2f4", "name": "diagnostic-endpointpe-v4-blocklist" }, { "sha256": "d47bfd600e3a8f79e290dfb0306e8abe7be11b75b36ba98132f46b8971f7f071", "name": "diagnostic-endpointpe-v4-exceptionlist" }, { "sha256": "8609faa372f8761bf199a03325f56577d2fd47630d6dba386b6eb33562aef6e3", "name": "diagnostic-endpointpe-v4-model" }, { "sha256": "52bc8b59292b5017bb091f97fa395881b127b07dec6182f91c4b84074ae6e7bc", "name": "diagnostic-malware-signature-v1-windows" }, { "sha256": "dcbaa744fc672d8db32010a1422aafa6e0cf86816d34b1d4df9f273f106be425", "name": "diagnostic-ransomware-v1-windows" }, { "sha256": "b680beed0f3ca83ae78802e972bf4bb12ecea2b1649a7aafd16e6fec8c9a0ede", "name": "diagnostic-rules-windows-v1" }, { "sha256": "1d591a12ce8ae215ebdcdabc81fc912cd51162e7a8e35bcdc1676bc3125cebbf", "name": "endpointpe-v4-blocklist" }, { "sha256": "d784c2aa70a2216dd5bfeecfdd67a83ff5b656e9321bd70cf345a8667a63fb2e", "name": "endpointpe-v4-exceptionlist" }, { "sha256": "c05c025cce1c2b5808c180dc4986eb519c0affd30d7c27f67fdd14bde3224638", "name": "endpointpe-v4-model" }, { "sha256": "b98dc812e3cd9c9aa21462bb8b2bac86158d6d2d97ea4aac6731c069f6babb4d", "name": "global-configuration-v1" }, { "sha256": "7acbe147698a40c817775d471ea30c2fe4dfa7a9f54271e6dbc073131c5a3bcb", "name": "global-exceptionlist-windows" }, { "sha256": "dfb2b428357b756d9f5b593c02dce99b026c9e2afeb76cdb8e8c76c6db78290a", "name": "global-trustlist-windows-v1" }, { "sha256": "611a02c398c58ebe2f6d9d63621778de96263ef7fa885098ce62a22c411d67bc", "name": "production-malware-signature-v1-windows" }, { "sha256": "363cb9d7bbc013d9bc171a6a29fdfe486f1c987ef2c0cdfa3c283fc4c5a4a595", "name": "production-ransomware-v1-windows" }, { "sha256": "b07cf3beacd69e6922d344448a8c6d03e96ae6d5ec1e540415fe2f4804bcb631", "name": "production-rules-windows-v1" } ], "version": "1.0.260" }, "user": { "identifiers": [ { "sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "name": "endpoint-blocklist-windows-v1" }, { "sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "name": "endpoint-eventfilterlist-windows-v1" }, { "sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "name": "endpoint-exceptionlist-windows-v1" }, { "sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "name": "endpoint-hostisolationexceptionlist-windows-v1" }, { "sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "name": "endpoint-trustlist-windows-v1" } ], "version": "1.0.0" } } } } }, "ecs": { "version": "1.11.0" }, "data_stream": { "namespace": "default", "type": "logs", "dataset": "endpoint.alerts" }, "elastic": { "agent": { "id": "2b1eb7f7-bd61-436a-98af-c2b182043476" } }, "host": { "hostname": "security-win-1", "os": { "Ext": { "variant": "Windows Server 2019 Datacenter" }, "kernel": "1809 (10.0.17763.2686)", "name": "Windows", "family": "windows", "type": "windows", "version": "1809 (10.0.17763.2686)", "platform": "windows", "full": "Windows Server 2019 Datacenter 1809 (10.0.17763.2686)" }, "ip": [ "10.201.0.34", "fe80::4850:4f4f:4b53:8103", "127.0.0.1", "::1" ], "name": "security-win-1", "id": "bbea673e-eae6-4b03-8724-2183f79da331", "mac": [ "00-00-5E-00-53-23" ], "architecture": "x86_64" }, "event": { "severity": 73, "code": "malicious_file", "risk_score": 73, "created": "2022-04-04T12:15:41.5944062Z", "kind": "alert", "module": "endpoint", "type": [ "info", "change", "denied" ], "agent_id_status": "verified", "sequence": 29414, "ingested": "2022-04-04T12:19:33Z", "action": "rename", "id": "MYfSjQEEEFe1o09b+++++D5Q", "category": [ "malware", "intrusion_detection", "file" ], "dataset": "endpoint.alerts", "outcome": "success" }, "user": { "domain": "NT AUTHORITY", "name": "SYSTEM" }, "Responses": [ { "@timestamp": "2023-04-13T16:15:16.0Z", "action": { "action": "file_rollback", "file": { "attributes": [ "invalid" ], "path": "", "reason": 2147484160 }, "source": { "attributes": [ "archive" ], "path": "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy55\\git\\endpoint-dev\\Python\\runtime\\failed_test_logs\\20230413_181248\\EndpointRollbackTestCase\\test_rollback_trigger_malware_1_prevent\\tmp\\TRA14KA5Z2\\ExceptionlistTester-Windows.1d1phoq97d" } }, "message": "Successful production rollback", "result": 0 }, { "@timestamp": "2023-04-13T16:15:16.0Z", "action": { "action": "registry_rollback", "key": { "actions": [ "Deleted" ], "path": "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\TestRollback\\1" } }, "message": "Successful production registry rollback", "result": 0 }, { "@timestamp": "2023-04-13T16:15:16.0Z", "action": { "action": "registry_rollback", "key": { "actions": [ "Modified" ], "path": "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\TestRollback.valuetest", "values": [ { "actions": [ "Deleted" ], "name": "SomeValue" } ] } } }, { "@timestamp": "2023-07-19T14:21:05.0Z", "action": { "action": "process_rollback", "process": { "path": "C:\\Users\\Pawel Mirski\\AppData\\Local\\Programs\\Python\\Python38-32\\python.exe" } }, "message": "Successful production process rollback", "result": 0 } ] }PK؃zbibiPK}W endpoint-8.10.2/data_stream/api/UTdPK}W. endpoint-8.10.2/data_stream/api/elasticsearch/UTdPK}W> endpoint-8.10.2/data_stream/api/elasticsearch/ingest_pipeline/UTdPK}WJ endpoint-8.10.2/data_stream/api/elasticsearch/ingest_pipeline/default.jsonUTd{ "description": "Pipeline for setting event.ingested", "processors": [ { "set": { "field": "event.ingested", "value": "{{ _ingest.timestamp }}", "ignore_failure": true } } ] } PKx{PK}W' endpoint-8.10.2/data_stream/api/fields/UTdPK}W1 endpoint-8.10.2/data_stream/api/fields/fields.ymlUTd- name: '@timestamp' level: core required: true type: date description: 'Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.' example: '2016-05-23T08:05:34.853Z' default_field: true - name: message level: core type: match_only_text description: 'For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.' example: Hello World default_field: true - name: Target title: Target group: 2 description: 'These fields contain information about a target. These fields provide more context about the target process and thread that are related to the data in the document. Useful in a security context where a target process or thread may be acted on by another process or thread.' type: group default_field: true fields: - name: process.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: 'Process name. Sometimes called program name or similar.' example: ssh default_field: false - name: process.pid level: core type: long format: string description: Process id. example: 4242 default_field: false - name: data_stream title: data_stream group: 2 description: Fields describing the new indexing strategy -- type: group default_field: true fields: - name: dataset level: custom type: constant_keyword description: Data stream dataset name. example: nginx.access default_field: false - name: namespace level: custom type: constant_keyword description: Data stream namespace. example: production default_field: false - name: type level: custom type: constant_keyword description: Data stream type. example: logs default_field: false - name: ecs title: ECS group: 2 description: Meta-information specific to ECS. type: group default_field: true fields: - name: version level: core required: true type: keyword ignore_above: 1024 description: 'ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.' example: 1.0.0 - name: event title: Event group: 2 description: 'The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events.' type: group default_field: true fields: - name: action level: core type: keyword ignore_above: 1024 description: 'The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.' example: user-password-change - name: category level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.' example: authentication - name: created level: core type: date description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent''s or pipeline''s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.' example: '2016-05-23T08:05:34.857Z' - name: end level: extended type: date description: event.end contains the date when the event ended or when the activity was last observed. - name: hash level: extended type: keyword ignore_above: 1024 description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. example: 123456789012345678901234567890ABCD - name: id level: core type: keyword ignore_above: 1024 description: Unique ID to describe the event. example: 8a4f500d - name: ingested level: core type: date description: 'Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It''s also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.' example: '2016-05-23T08:05:35.101Z' default_field: false - name: outcome level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.' example: success - name: start level: extended type: date description: event.start contains the date when the event started or when the activity was first observed. - name: type level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types.' - name: host title: Host group: 2 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group default_field: true fields: - name: architecture level: core type: keyword ignore_above: 1024 description: Operating system architecture. example: x86_64 - name: domain level: extended type: keyword ignore_above: 1024 description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO default_field: false - name: hostname level: core type: keyword ignore_above: 1024 description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - name: id level: core type: keyword ignore_above: 1024 description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - name: ip level: core type: ip description: Host ip addresses. - name: mac level: core type: keyword ignore_above: 1024 description: 'Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.' example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - name: name level: core type: keyword ignore_above: 1024 description: 'Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.' - name: os.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: os.Ext.variant level: custom type: keyword ignore_above: 1024 description: A string value or phrase that further aid to classify or qualify the operating system (OS). For example the distribution for a Linux OS will be entered in this field. example: Ubuntu default_field: false - name: os.family level: extended type: keyword ignore_above: 1024 description: OS family (such as redhat, debian, freebsd, windows). example: debian - name: os.full level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Operating system name, including the version or code name. example: Mac OS Mojave - name: os.kernel level: extended type: keyword ignore_above: 1024 description: Operating system kernel version as a raw string. example: 4.4.0-112-generic - name: os.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Operating system name, without the version. example: Mac OS X - name: os.platform level: extended type: keyword ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin - name: os.type level: extended type: keyword ignore_above: 1024 description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you''re dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.' example: macos default_field: false - name: os.version level: extended type: keyword ignore_above: 1024 description: Operating system version as a raw string. example: 10.14.1 - name: type level: core type: keyword ignore_above: 1024 description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: uptime level: extended type: long description: Seconds the host has been up. example: 1325 - name: process title: Process group: 2 description: 'These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation.' type: group default_field: true fields: - name: Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: Ext.ancestry level: custom type: keyword ignore_above: 1024 description: An array of entity_ids indicating the ancestors for this event default_field: false - name: Ext.api.name level: custom type: keyword ignore_above: 1024 description: The name of the API, usually the name of the function or system call. default_field: false - name: Ext.api.parameters.desired_access level: custom type: keyword ignore_above: 1024 description: This parameter indicates the string value of the `DesiredAccess` field to `OpenProcess` or `OpenThread`. default_field: false - name: Ext.api.parameters.desired_access_numeric level: custom type: long description: This parameter indicates the numeric value of the `DesiredAccess` field passed to `OpenProcess` or `OpenThread`. default_field: false - name: Ext.api.parameters.handle_type level: custom type: keyword ignore_above: 1024 description: This parameter indicates whether the detected access was attempt against a process or a thread. example: process default_field: false - name: Ext.code_signature level: custom type: nested description: Nested version of ECS code_signature fieldset. default_field: false - name: Ext.code_signature.exists level: custom type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: Ext.code_signature.status level: custom type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: Ext.code_signature.subject_name level: custom type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: Ext.code_signature.trusted level: custom type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: code_signature.exists level: core type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: code_signature.status level: extended type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: code_signature.subject_name level: core type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: code_signature.trusted level: extended type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: executable level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Absolute path to the process executable. example: /usr/bin/ssh - name: name level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: 'Process name. Sometimes called program name or similar.' example: ssh - name: pid level: core type: long format: string description: Process id. example: 4242 - name: thread.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: thread.Ext.call_stack level: custom type: object description: Fields describing a stack frame. call_stack is expected to be an array where each array element represents a stack frame. enabled: false default_field: false - name: thread.Ext.call_stack.instruction_pointer level: custom type: keyword ignore_above: 1024 description: The return address of this stack frame. default_field: false - name: thread.Ext.call_stack.module_path level: custom type: keyword ignore_above: 1024 description: The path to the DLL/module containing `instruction_pointer`. default_field: false - name: thread.Ext.call_stack_contains_unbacked level: custom type: boolean description: Indicates whether the creating thread's stack contains frames pointing outside any known executable image. default_field: false - name: thread.Ext.call_stack_final_user_module level: custom type: nested description: The final non-win32 module in the call stack. default_field: false - name: thread.Ext.call_stack_final_user_module.path level: custom type: keyword ignore_above: 1024 description: The file path of the call_stack_final_user_module. example: C:\Program Files\Example\example.dll default_field: false - name: thread.id level: extended type: long format: string description: Thread ID. example: 4242 - name: user title: User group: 2 description: 'The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.' type: group default_field: true fields: - name: domain level: extended type: keyword ignore_above: 1024 description: 'Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.' - name: email level: extended type: keyword ignore_above: 1024 description: User email address. - name: full_name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text default_field: false description: User's full name, if available. example: Albert Einstein - name: hash level: extended type: keyword ignore_above: 1024 description: 'Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.' - name: id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - name: name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text default_field: false description: Short name or login of the user. example: a.einstein PK*`ӏYYPK}W, endpoint-8.10.2/data_stream/api/manifest.ymlUTdtitle: Endpoint API Events type: logs dataset: endpoint.events.api elasticsearch: index_template: mappings: dynamic: false PKyyPK}W1 endpoint-8.10.2/data_stream/api/sample_event.jsonUTd{ "@timestamp": "2023-01-09T19:38:51.5141503Z", "Target": { "process": { "name": "lsass.exe", "pid": 956 } }, "event": { "category": [ "api" ], "created": "2023-01-09T19:38:51.5141503Z", "id": "MvlgiHxIZtj1+Abi++++++ul", "kind": "event", "type": [ "credential_access" ] }, "host": { "architecture": "x86_64", "hostname": "DESKTOP-OCG8CR6", "id": "dabadaba-0000-0000-0000-000000000000", "ip": [ "169.254.104.226", "fe80::6037:d589:2ee9:772f", "172.22.6.230", "fe80::80ea:8e8d:e1f2:6622", "169.254.74.35", "fe80::900c:a9d3:fd8:9345", "127.0.0.1", "::1" ], "mac": [ "00-15-5D-00-09-18", "00-15-5D-00-09-19", "00-15-5D-00-09-17" ], "name": "DESKTOP-OCG8CR6", "os": { "Ext": { "variant": "Windows 11 Enterprise N" }, "family": "windows", "full": "Windows 11 Enterprise N 22H2 (10.0.22621.963)", "kernel": "22H2 (10.0.22621.963)", "name": "Windows", "platform": "windows", "type": "windows", "version": "22H2 (10.0.22621.963)" } }, "message": "Endpoint Credential Access event", "process": { "Ext": { "ancestry": [ "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTgxMi0xNjczMjkxNTMzLjcxNjczMTgwMA==", "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTQ5NjAtMTY3Mjk2NTgzMC4yODc0OTYxMDA=", "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTY2MjgtMTY3Mjk2NTc3Mi41MTg4MDA1MDA=", "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTQ2MDAtMTY3Mjk2NTcxMy40NzY1NDUyMDA=" ], "api": { "name": "OpenProcess", "parameters": { "desired_access": [ "PROCESS_QUERY_LIMITED_INFORMATION", "PROCESS_VM_READ" ], "desired_access_numeric": 4112, "handle_type": "process" } }, "code_signature": [ { "exists": true, "status": "errorBadDigest", "subject_name": "Microsoft Windows", "trusted": false } ] }, "code_signature": { "exists": true, "status": "errorBadDigest", "subject_name": "Microsoft Windows", "trusted": false }, "entity_id": "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTkxNi0xNjczMjkzMTMwLjk0NjAwMjAw", "executable": "c\\git\\endpoint-dev\\Tools\\Leia\\modules\\exe_malware\\mimikatz.exe", "name": "mimikatz.exe", "pid": 916, "thread": { "Ext": { "call_stack": [ { "instruction_pointer": 140717353267908, "module_path": "C:\\Windows\\System32\\ntdll.dll" }, { "instruction_pointer": 140717309764254, "module_path": "C:\\Windows\\System32\\KernelBase.dll" }, { "instruction_pointer": 140697175487234, "module_path": "c\\users\\user\\desktop\\mimikatz.exe" }, { "instruction_pointer": 140697175488197, "module_path": "c\\users\\user\\desktop\\mimikatz.exe" }, { "instruction_pointer": 140697175487041, "module_path": "c\\users\\user\\desktop\\mimikatz.exe" }, { "instruction_pointer": 140697175277748, "module_path": "c\\users\\user\\desktop\\mimikatz.exe" }, { "instruction_pointer": 140697175277292, "module_path": "c\\users\\user\\desktop\\mimikatz.exe" }, { "instruction_pointer": 140697175276599, "module_path": "c\\users\\user\\desktop\\mimikatz.exe" }, { "instruction_pointer": 140697175514281, "module_path": "c\\users\\user\\desktop\\mimikatz.exe" } ], "call_stack_contains_unbacked": false, "call_stack_final_user_module": { "path": "mimikatz.exe" } }, "id": 11628 } }, "user": { "domain": "DESKTOP-OCG8CR6", "id": "S-1-5-21-3820246941-898183108-3095036578-1001", "name": "User" } }PKTjGGPK}W' endpoint-8.10.2/data_stream/collection/UTdPK}W5 endpoint-8.10.2/data_stream/collection/elasticsearch/UTdPK}W9 endpoint-8.10.2/data_stream/collection/elasticsearch/ilm/UTdPK}WH endpoint-8.10.2/data_stream/collection/elasticsearch/ilm/diagnostic.jsonUTd{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "rollover": { "max_size": "1gb", "max_age": "7d", "max_docs": 10000 } } }, "delete": { "min_age": "10m", "actions": { "delete": {} } } } } }PKFPK}WE endpoint-8.10.2/data_stream/collection/elasticsearch/ingest_pipeline/UTdPK}WQ endpoint-8.10.2/data_stream/collection/elasticsearch/ingest_pipeline/default.jsonUTd{ "description": "Pipeline for setting event.ingested", "processors": [ { "set": { "field": "event.ingested", "value": "{{ _ingest.timestamp }}", "ignore_failure": true } } ] } PKx{PK}W. endpoint-8.10.2/data_stream/collection/fields/UTdPK}W8 endpoint-8.10.2/data_stream/collection/fields/fields.ymlUTd- name: '@timestamp' level: core required: true type: date description: 'Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.' example: '2016-05-23T08:05:34.853Z' default_field: true - name: data_stream title: data_stream group: 2 description: Fields describing the new indexing strategy -- type: group default_field: true fields: - name: dataset level: custom type: constant_keyword description: Data stream dataset name. example: nginx.access default_field: false - name: namespace level: custom type: constant_keyword description: Data stream namespace. example: production default_field: false - name: type level: custom type: constant_keyword description: Data stream type. example: logs default_field: false - name: ecs title: ECS group: 2 description: Meta-information specific to ECS. type: group default_field: true fields: - name: version level: core required: true type: keyword ignore_above: 1024 description: 'ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.' example: 1.0.0 - name: event title: Event group: 2 description: 'The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events.' type: group default_field: true fields: - name: action level: core type: keyword ignore_above: 1024 description: 'The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.' example: user-password-change - name: category level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.' example: authentication - name: code level: extended type: keyword ignore_above: 1024 description: 'Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.' example: 4648 - name: created level: core type: date description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent''s or pipeline''s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.' example: '2016-05-23T08:05:34.857Z' - name: dataset level: core type: keyword ignore_above: 1024 description: 'Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It''s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.' example: apache.access - name: hash level: extended type: keyword ignore_above: 1024 description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. example: 123456789012345678901234567890ABCD - name: id level: core type: keyword ignore_above: 1024 description: Unique ID to describe the event. example: 8a4f500d - name: ingested level: core type: date description: 'Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It''s also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.' example: '2016-05-23T08:05:35.101Z' default_field: false - name: kind level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.' example: alert - name: module level: core type: keyword ignore_above: 1024 description: 'Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.' example: apache - name: outcome level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.' example: success - name: provider level: extended type: keyword ignore_above: 1024 description: 'Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).' example: kernel - name: sequence level: extended type: long format: string description: 'Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.' - name: severity level: core type: long format: string description: 'The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It''s up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.' example: 7 - name: type level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types.' PK ݿ$''PK}W3 endpoint-8.10.2/data_stream/collection/manifest.ymlUTdtitle: Endpoint Alert Collection type: logs dataset: endpoint.diagnostic.collection hidden: true ilm_policy: logs-endpoint.collection-diagnostic elasticsearch: index_template: mappings: dynamic: false PK"PK}W! endpoint-8.10.2/data_stream/file/UTdPK}W/ endpoint-8.10.2/data_stream/file/elasticsearch/UTdPK}W? endpoint-8.10.2/data_stream/file/elasticsearch/ingest_pipeline/UTdPK}WK endpoint-8.10.2/data_stream/file/elasticsearch/ingest_pipeline/default.jsonUTd{ "description": "Pipeline for setting event.ingested", "processors": [ { "set": { "field": "event.ingested", "value": "{{ _ingest.timestamp }}", "ignore_failure": true } } ] } PKx{PK}W( endpoint-8.10.2/data_stream/file/fields/UTdPK}W2 endpoint-8.10.2/data_stream/file/fields/fields.ymlUTd- name: '@timestamp' level: core required: true type: date description: 'Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.' example: '2016-05-23T08:05:34.853Z' default_field: true - name: message level: core type: match_only_text description: 'For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.' example: Hello World default_field: true - name: Effective_process title: Effective_process group: 2 description: 'These fields contain information about an effective process. The effective process is the process that requested the a specific action, without directly performing it. Processes can have effective parents that differ from their regular parents. For example, on Windows, "wmic process call create notepad" will ask WmiPrvSE.exe to launch notepad.exe. WmiPrvSE will be notepad''s parent, but the wmic will be the effective parent. Events can have effective processes that differ from their regular processes. For example, on Windows, "reg add \\localhost\HKLM\Software\Foo /v Data /t REG_SZ /d 123" will result in a registry event from the Remote Registry service (svchost.exe). In this case, the effective process will be reg.exe.' type: group default_field: true fields: - name: entity_id level: custom type: keyword ignore_above: 1024 description: Unique identifier for the effective process. example: c2c455d9f99375d default_field: false - name: executable level: custom type: keyword ignore_above: 1024 description: Executable name for the effective process. example: C:\Windows\System32\wbem\WMIC.exe default_field: false - name: name level: custom type: keyword ignore_above: 1024 description: Process name for the effective process. example: WMIC.exe default_field: false - name: pid level: custom type: long description: Process ID. example: 4242 default_field: false - name: Persistence title: Persistence group: 2 description: These fields contain information about a Persistence event. type: group default_field: true fields: - name: args level: custom type: keyword ignore_above: 1024 description: Arguments used to execute the persistence item default_field: false - name: executable level: custom type: keyword ignore_above: 1024 description: The persistence item's executable default_field: false - name: keepalive level: custom type: boolean description: Keep alive option boolean default_field: false - name: name level: custom type: keyword ignore_above: 1024 description: The persistence item's name default_field: false - name: path level: custom type: keyword ignore_above: 1024 description: The file's path default_field: false - name: runatload level: custom type: boolean description: Run at load option boolean default_field: false - name: agent title: Agent group: 2 description: 'The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.' footnote: 'Examples: In the case of Beats for logs, the agent.name is filebeat. For APM, it is the agent running in the app/service. The agent information does not change if data is sent through queuing systems like Kafka, Redis, or processing systems such as Logstash or APM Server.' type: group default_field: true fields: - name: id level: core type: keyword ignore_above: 1024 description: 'Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.' example: 8a4f500d - name: type level: core type: keyword ignore_above: 1024 description: 'Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.' example: filebeat - name: version level: core type: keyword ignore_above: 1024 description: Version of the agent. example: 6.0.0-rc2 - name: data_stream title: data_stream group: 2 description: Fields describing the new indexing strategy -- type: group default_field: true fields: - name: dataset level: custom type: constant_keyword description: Data stream dataset name. example: nginx.access default_field: false - name: namespace level: custom type: constant_keyword description: Data stream namespace. example: production default_field: false - name: type level: custom type: constant_keyword description: Data stream type. example: logs default_field: false - name: destination title: Destination group: 2 description: 'Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.' type: group default_field: true fields: - name: geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal - name: geo.continent_code level: core type: keyword ignore_above: 1024 description: Two-letter code representing continent's name. example: NA default_field: false - name: geo.continent_name level: core type: keyword ignore_above: 1024 description: Name of the continent. example: North America - name: geo.country_iso_code level: core type: keyword ignore_above: 1024 description: Country ISO code. example: CA - name: geo.country_name level: core type: keyword ignore_above: 1024 description: Country name. example: Canada - name: geo.location level: core type: geo_point description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended type: keyword ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.' example: boston-dc - name: geo.postal_code level: core type: keyword ignore_above: 1024 description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.' example: 94040 default_field: false - name: geo.region_iso_code level: core type: keyword ignore_above: 1024 description: Region ISO code. example: CA-QC - name: geo.region_name level: core type: keyword ignore_above: 1024 description: Region name. example: Quebec - name: geo.timezone level: core type: keyword ignore_above: 1024 description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false - name: ecs title: ECS group: 2 description: Meta-information specific to ECS. type: group default_field: true fields: - name: version level: core required: true type: keyword ignore_above: 1024 description: 'ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.' example: 1.0.0 - name: event title: Event group: 2 description: 'The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events.' type: group default_field: true fields: - name: Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: Ext.correlation level: custom type: object description: Information about event this should be correlated with. default_field: false - name: Ext.correlation.id level: custom type: keyword ignore_above: 1024 description: ID of event that this event is correlated to, e.g. quarantine event associated with an unquarantine event default_field: false - name: action level: core type: keyword ignore_above: 1024 description: 'The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.' example: user-password-change - name: category level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.' example: authentication - name: code level: extended type: keyword ignore_above: 1024 description: 'Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.' example: 4648 - name: created level: core type: date description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent''s or pipeline''s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.' example: '2016-05-23T08:05:34.857Z' - name: dataset level: core type: keyword ignore_above: 1024 description: 'Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It''s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.' example: apache.access - name: hash level: extended type: keyword ignore_above: 1024 description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. example: 123456789012345678901234567890ABCD - name: id level: core type: keyword ignore_above: 1024 description: Unique ID to describe the event. example: 8a4f500d - name: ingested level: core type: date description: 'Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It''s also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.' example: '2016-05-23T08:05:35.101Z' default_field: false - name: kind level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.' example: alert - name: module level: core type: keyword ignore_above: 1024 description: 'Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.' example: apache - name: outcome level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.' example: success - name: provider level: extended type: keyword ignore_above: 1024 description: 'Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).' example: kernel - name: sequence level: extended type: long format: string description: 'Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.' - name: severity level: core type: long format: string description: 'The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It''s up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.' example: 7 - name: type level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types.' - name: file title: File group: 2 description: 'A file is defined as a set of information that has been created on, or has existed on a filesystem. File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric.' type: group default_field: true fields: - name: Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: Ext.device.bus_type level: custom type: keyword ignore_above: 1024 description: Bus type of the device, such as Nvme, Usb, FileBackedVirtual,... etc. default_field: false - name: Ext.device.dos_name level: custom type: keyword ignore_above: 1024 description: DOS name of the device. DOS device name is in the format of driver letters such as C:, D:,... default_field: false - name: Ext.device.file_system_type level: custom type: keyword ignore_above: 1024 description: 'Volume device file system type. Following are examples of the most frequently seen volume device file system types: NTFS UDF' default_field: false - name: Ext.device.nt_name level: custom type: keyword ignore_above: 1024 description: 'NT name of the device. NT device name is in the format such as: \Device\HarddiskVolume2' default_field: false - name: Ext.device.product_id level: custom type: keyword ignore_above: 1024 description: ProductID of the device. It is provided by the vendor of the device if any. default_field: false - name: Ext.device.serial_number level: custom type: keyword ignore_above: 1024 description: Serial Number of the device. It is provided by the vendor of the device if any. default_field: false - name: Ext.device.vendor_id level: custom type: keyword ignore_above: 1024 description: VendorID of the device. It is provided by the vendor of the device. default_field: false - name: Ext.device.volume_device_type level: custom type: keyword ignore_above: 1024 description: 'Volume device type. Following are examples of the most frequently seen volume device types: Disk File System CD-ROM File System' default_field: false - name: Ext.entropy level: custom type: double description: Entropy calculation of file's header and footer used to check file integrity. default_field: false - name: Ext.header_bytes level: custom type: keyword ignore_above: 1024 description: First 16 bytes of file used to check file integrity. default_field: false - name: Ext.header_data level: custom type: text description: First 16 bytes of file used to check file integrity. default_field: false - name: Ext.malware_signature level: custom type: nested description: Nested version of malware_signature fieldset. default_field: false - name: Ext.malware_signature.all_names level: custom type: text description: The concatenated names of all yara signatures default_field: false - name: Ext.malware_signature.identifier level: custom type: text description: Malware artifact identifier. default_field: false - name: Ext.malware_signature.primary level: custom type: nested description: Primary malware signature match. default_field: false - name: Ext.malware_signature.primary.matches level: custom type: nested description: An array of bytes representing yara signature matches default_field: false - name: Ext.malware_signature.primary.signature level: custom type: nested description: Primary malware signature match. default_field: false - name: Ext.malware_signature.primary.signature.hash level: custom type: nested description: Primary malware signature hash. default_field: false - name: Ext.malware_signature.primary.signature.hash.sha256 level: custom type: keyword ignore_above: 1024 description: Primary malware signature sha256. default_field: false - name: Ext.malware_signature.primary.signature.id level: custom type: keyword ignore_above: 1024 description: Primary malware signature id. default_field: false - name: Ext.malware_signature.primary.signature.name level: custom type: keyword ignore_above: 1024 description: Primary malware signature name. default_field: false - name: Ext.malware_signature.secondary level: custom type: nested description: An array of malware signature matches default_field: false - name: Ext.malware_signature.version level: custom type: keyword ignore_above: 1024 description: Primary malware signature version. default_field: false - name: Ext.monotonic_id level: custom type: unsigned_long description: File event monotonic ID. default_field: false - name: Ext.original level: custom type: object description: Original file information during a modification event. default_field: false - name: Ext.original.gid level: custom type: keyword ignore_above: 1024 description: Primary group ID (GID) of the file. example: '1001' default_field: false - name: Ext.original.group level: custom type: keyword ignore_above: 1024 description: Primary group name of the file. example: alice default_field: false - name: Ext.original.mode level: custom type: keyword ignore_above: 1024 description: Original file mode prior to a modification event default_field: false - name: Ext.original.name level: custom type: keyword ignore_above: 1024 description: Original file name prior to a modification event default_field: false - name: Ext.original.owner level: custom type: keyword ignore_above: 1024 description: File owner's username. example: alice default_field: false - name: Ext.original.path level: custom type: keyword ignore_above: 1024 description: Original file path prior to a modification event default_field: false - name: Ext.original.uid level: custom type: keyword ignore_above: 1024 description: The user ID (UID) or security identifier (SID) of the file owner. example: '1001' default_field: false - name: Ext.windows level: custom type: object description: Platform-specific Windows fields default_field: false - name: Ext.windows.zone_identifier level: custom type: keyword ignore_above: 1024 description: Windows zone identifier for a file default_field: false - name: accessed level: extended type: date description: 'Last time the file was accessed. Note that not all filesystems keep track of access time.' - name: attributes level: extended type: keyword ignore_above: 1024 description: 'Array of file attributes. Attributes names will vary by platform. Here''s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.' example: '["readonly", "system"]' default_field: false - name: created level: extended type: date description: 'File creation time. Note that not all filesystems store the creation time.' - name: ctime level: extended type: date description: 'Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.' - name: device level: extended type: keyword ignore_above: 1024 description: Device that is the source of the file. example: sda - name: directory level: extended type: keyword ignore_above: 1024 description: Directory where the file is located. It should include the drive letter, when appropriate. example: /home/alice - name: drive_letter level: extended type: keyword ignore_above: 1 description: 'Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.' example: C default_field: false - name: extension level: extended type: keyword ignore_above: 1024 description: 'File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").' example: png - name: gid level: extended type: keyword ignore_above: 1024 description: Primary group ID (GID) of the file. example: '1001' - name: group level: extended type: keyword ignore_above: 1024 description: Primary group name of the file. example: alice - name: hash.md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash. - name: hash.sha1 level: extended type: keyword ignore_above: 1024 description: SHA1 hash. - name: hash.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. - name: hash.sha512 level: extended type: keyword ignore_above: 1024 description: SHA512 hash. - name: inode level: extended type: keyword ignore_above: 1024 description: Inode representing the file in the filesystem. example: '256383' - name: mime_type level: extended type: keyword ignore_above: 1024 description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. default_field: false - name: mode level: extended type: keyword ignore_above: 1024 description: Mode of the file in octal representation. example: '0640' - name: mtime level: extended type: date description: Last time the file content was modified. - name: name level: extended type: keyword ignore_above: 1024 description: Name of the file including the extension, without the directory. example: example.png - name: owner level: extended type: keyword ignore_above: 1024 description: File owner's username. example: alice - name: path level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Full path to the file, including the file name. It should include the drive letter, when appropriate. example: /home/alice/example.png - name: pe.company level: extended type: keyword ignore_above: 1024 description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - name: pe.description level: extended type: keyword ignore_above: 1024 description: Internal description of the file, provided at compile-time. example: Paint default_field: false - name: pe.file_version level: extended type: keyword ignore_above: 1024 description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - name: pe.imphash level: extended type: keyword ignore_above: 1024 description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - name: pe.original_file_name level: extended type: keyword ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - name: pe.product level: extended type: keyword ignore_above: 1024 description: Internal product name of the file, provided at compile-time. example: "Microsoft® Windows® Operating System" default_field: false - name: size level: extended type: long description: 'File size in bytes. Only relevant when `file.type` is "file".' example: 16384 - name: target_path level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Target path for symlinks. - name: type level: extended type: keyword ignore_above: 1024 description: File type (file, dir, or symlink). example: file - name: uid level: extended type: keyword ignore_above: 1024 description: The user ID (UID) or security identifier (SID) of the file owner. example: '1001' - name: group title: Group group: 2 description: The group fields are meant to represent groups that are relevant to the event. type: group default_field: true fields: - name: Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: Ext.real level: custom type: object description: Group info prior to any setgid operations. default_field: false - name: Ext.real.id level: custom type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: Ext.real.name level: custom type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: domain level: extended type: keyword ignore_above: 1024 description: Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. - name: id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. - name: name level: extended type: keyword ignore_above: 1024 description: Name of the group. - name: host title: Host group: 2 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group default_field: true fields: - name: architecture level: core type: keyword ignore_above: 1024 description: Operating system architecture. example: x86_64 - name: domain level: extended type: keyword ignore_above: 1024 description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO default_field: false - name: hostname level: core type: keyword ignore_above: 1024 description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - name: id level: core type: keyword ignore_above: 1024 description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - name: ip level: core type: ip description: Host ip addresses. - name: mac level: core type: keyword ignore_above: 1024 description: 'Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.' example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - name: name level: core type: keyword ignore_above: 1024 description: 'Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.' - name: os.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: os.Ext.variant level: custom type: keyword ignore_above: 1024 description: A string value or phrase that further aid to classify or qualify the operating system (OS). For example the distribution for a Linux OS will be entered in this field. example: Ubuntu default_field: false - name: os.family level: extended type: keyword ignore_above: 1024 description: OS family (such as redhat, debian, freebsd, windows). example: debian - name: os.full level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Operating system name, including the version or code name. example: Mac OS Mojave - name: os.kernel level: extended type: keyword ignore_above: 1024 description: Operating system kernel version as a raw string. example: 4.4.0-112-generic - name: os.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Operating system name, without the version. example: Mac OS X - name: os.platform level: extended type: keyword ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin - name: os.type level: extended type: keyword ignore_above: 1024 description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you''re dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.' example: macos default_field: false - name: os.version level: extended type: keyword ignore_above: 1024 description: Operating system version as a raw string. example: 10.14.1 - name: type level: core type: keyword ignore_above: 1024 description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: uptime level: extended type: long description: Seconds the host has been up. example: 1325 - name: process title: Process group: 2 description: 'These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation.' type: group default_field: true fields: - name: Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: Ext.ancestry level: custom type: keyword ignore_above: 1024 description: An array of entity_ids indicating the ancestors for this event default_field: false - name: Ext.code_signature level: custom type: nested description: Nested version of ECS code_signature fieldset. default_field: false - name: Ext.code_signature.exists level: custom type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: Ext.code_signature.status level: custom type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: Ext.code_signature.subject_name level: custom type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: Ext.code_signature.trusted level: custom type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: Ext.code_signature.valid level: custom type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: args_count level: extended type: long description: 'Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.' example: 4 default_field: false - name: code_signature.exists level: core type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: code_signature.signing_id level: extended type: keyword ignore_above: 1024 description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: code_signature.status level: extended type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: code_signature.subject_name level: core type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: code_signature.team_id level: extended type: keyword ignore_above: 1024 description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: code_signature.trusted level: extended type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: code_signature.valid level: extended type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: entry_leader.entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: entry_leader.parent.entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: executable level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Absolute path to the process executable. example: /usr/bin/ssh - name: group_leader.entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: name level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: 'Process name. Sometimes called program name or similar.' example: ssh - name: parent.entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: parent.group_leader.entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: parent.pid level: core type: long format: string description: Process id. example: 4242 default_field: false - name: pid level: core type: long format: string description: Process id. example: 4242 - name: ppid level: extended type: long format: string description: Parent process' pid. example: 4241 - name: session_leader.entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: thread.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: thread.Ext.call_stack level: custom type: object description: Fields describing a stack frame. call_stack is expected to be an array where each array element represents a stack frame. enabled: true default_field: false - name: thread.Ext.call_stack.allocation_private_bytes level: custom type: unsigned_long description: The number of bytes in this memory allocation/image that are both +X and non-shareable. Non-zero values can indicate code hooking, patching, or hollowing. default_field: false - name: thread.Ext.call_stack.callsite_leading_bytes level: custom type: keyword ignore_above: 1024 description: Hex opcode bytes preceding the callsite default_field: false - name: thread.Ext.call_stack.callsite_trailing_bytes level: custom type: keyword ignore_above: 1024 description: Hex opcode bytes after the callsite (where control will return to) default_field: false - name: thread.Ext.call_stack.protection level: custom type: keyword ignore_above: 1024 description: Protection of the page containing this instruction. This is `R-X' by default if omitted. default_field: false - name: thread.Ext.call_stack.symbol_info level: custom type: keyword ignore_above: 1024 description: The nearest symbol for `instruction_pointer`. default_field: false - name: thread.Ext.call_stack_summary level: custom type: keyword ignore_above: 1024 description: Concatentation of the non-repeated modules in the call stack. example: ntdll.dll, example.exe, kernel32.dll, ntdll.dll default_field: false - name: thread.id level: extended type: long format: string description: Thread ID. example: 4242 - name: source title: Source group: 2 description: 'Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.' type: group default_field: true fields: - name: geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal - name: geo.continent_code level: core type: keyword ignore_above: 1024 description: Two-letter code representing continent's name. example: NA default_field: false - name: geo.continent_name level: core type: keyword ignore_above: 1024 description: Name of the continent. example: North America - name: geo.country_iso_code level: core type: keyword ignore_above: 1024 description: Country ISO code. example: CA - name: geo.country_name level: core type: keyword ignore_above: 1024 description: Country name. example: Canada - name: geo.location level: core type: geo_point description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended type: keyword ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.' example: boston-dc - name: geo.postal_code level: core type: keyword ignore_above: 1024 description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.' example: 94040 default_field: false - name: geo.region_iso_code level: core type: keyword ignore_above: 1024 description: Region ISO code. example: CA-QC - name: geo.region_name level: core type: keyword ignore_above: 1024 description: Region name. example: Quebec - name: geo.timezone level: core type: keyword ignore_above: 1024 description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false - name: user title: User group: 2 description: 'The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.' type: group default_field: true fields: - name: Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: Ext.real level: custom type: object description: User info prior to any setuid operations. default_field: false - name: Ext.real.id level: custom type: keyword ignore_above: 1024 description: One or multiple unique identifiers of the user. default_field: false - name: Ext.real.name level: custom type: keyword ignore_above: 1024 description: Short name or login of the user. default_field: false - name: domain level: extended type: keyword ignore_above: 1024 description: 'Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.' - name: email level: extended type: keyword ignore_above: 1024 description: User email address. - name: full_name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text default_field: false description: User's full name, if available. example: Albert Einstein - name: group.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: group.Ext.real level: custom type: object description: Group info prior to any setgid operations. default_field: false - name: group.Ext.real.id level: custom type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: group.Ext.real.name level: custom type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: group.domain level: extended type: keyword ignore_above: 1024 description: Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. - name: group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. - name: group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. - name: hash level: extended type: keyword ignore_above: 1024 description: 'Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.' - name: id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - name: name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text default_field: false description: Short name or login of the user. example: a.einstein PK?4SSPK}W- endpoint-8.10.2/data_stream/file/manifest.ymlUTdtitle: Endpoint File Events type: logs dataset: endpoint.events.file elasticsearch: index_template: mappings: dynamic: false PKhKPK}W2 endpoint-8.10.2/data_stream/file/sample_event.jsonUTd{ "agent": { "id": "ccb7b1a1-303e-416f-b975-311737e8e125", "type": "endpoint", "version": "8.3.0-SNAPSHOT" }, "Effective_process": { "entity_id": "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTI3MzItMTMyOTk3MDczNDEuMjUyNTI3NDAw", "executable": "C:\\Windows\\System32\\wbem\\WMIC.exe", "name": "WMIC.exe", "pid": 2732 }, "process": { "Ext": { "ancestry": [ "Y2NiN2IxYTEtMzAzZS00MTZmLWI5NzUtMzExNzM3ZThlMTI1LTYwNC0xMzI5MzU0OTEwOS4zNTg1OTc3MDA=", "Y2NiN2IxYTEtMzAzZS00MTZmLWI5NzUtMzExNzM3ZThlMTI1LTQ3Mi0xMzI5MzU0OTEwOS43NjU4MjcwMA==" ], "code_signature": [ { "trusted": true, "subject_name": "Elasticsearch, Inc.", "exists": true, "status": "trusted" } ] }, "args_count": 1, "parent": { "pid": 604, "entity_id": "Y2NiN2IxYTEtMzAzZS00MTZmLWI5NzUtMzExNzM3ZThlMTI1LTQ1MTItMTMyOTM1NDkyODYuNzQ2MjY0MDAw", "group_leader": { "entity_id": "Y2NiN2IxYTEtMzAzZS00MTZmLWI5NzUtMzExNzM3ZThlMTI1LTQ1MTItMTMyOTM1NDkyODYuNzQ2MjY0MDAw" } }, "entry_leader": { "entity_id": "Y2NiN2IxYTEtMzAzZS00MTZmLWI5NzUtMzExNzM3ZThlMTI1LTQ1MTItMTMyOTM1NDkyODYuNzQ2MjY0MDAw", "parent": { "entity_id": "Y2NiN2IxYTEtMzAzZS00MTZmLWI5NzUtMzExNzM3ZThlMTI1LTQ1MTItMTMyOTM1NDkyODYuNzQ2MjY0MDAw" } }, "session_leader": { "entity_id": "Y2NiN2IxYTEtMzAzZS00MTZmLWI5NzUtMzExNzM3ZThlMTI1LTQ1MTItMTMyOTM1NDkyODYuNzQ2MjY0MDAw" }, "group_leader": { "entity_id": "Y2NiN2IxYTEtMzAzZS00MTZmLWI5NzUtMzExNzM3ZThlMTI1LTQ1MTItMTMyOTM1NDkyODYuNzQ2MjY0MDAw" }, "code_signature": { "trusted": true, "subject_name": "Elasticsearch, Inc.", "exists": true, "status": "trusted" }, "name": "winlogbeat.exe", "pid": 4512, "thread": { "id": 340, "Ext": { "call_stack": [ { "allocation_private_bytes": 16384, "callsite_leading_bytes": "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", "callsite_trailing_bytes": "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", "protection": "RWX", "symbol_info": "C:\\Windows\\System32\\ntdll.dll!RtlUserThreadStart+0x21" } ], "call_stack_summary": "ntdll.dll|kernelbase.dll|kernel32.dll|cmd.exe|kernel32.dll|ntdll.dll" } }, "entity_id": "Y2NiN2IxYTEtMzAzZS00MTZmLWI5NzUtMzExNzM3ZThlMTI1LTQ1MTItMTMyOTM1NDkyODYuNzQ2MjY0MDAw", "executable": "C:\\Program Files\\Winlogbeat\\winlogbeat.exe" }, "message": "Endpoint file event", "@timestamp": "2022-04-04T18:37:01.5775771Z", "file": { "Ext": { "header_data": [], "entropy": 5.28353871945538, "device": { "volume_device_type": "Disk File System" }, "header_bytes": "7570646174655f74696d653a20323032", "windows": { "zone_identifier": -1 }, "monotonic_id": 3526 }, "path": "C:\\ProgramData\\winlogbeat\\.winlogbeat.yml.new", "extension": "new", "size": 1406, "name": ".winlogbeat.yml.new" }, "ecs": { "version": "1.11.0" }, "data_stream": { "namespace": "default", "type": "logs", "dataset": "endpoint.events.file" }, "host": { "hostname": "response-win-1", "os": { "Ext": { "variant": "Windows Server 2019 Datacenter" }, "kernel": "1809 (10.0.17763.2686)", "name": "Windows", "family": "windows", "type": "windows", "version": "1809 (10.0.17763.2686)", "platform": "windows", "full": "Windows Server 2019 Datacenter 1809 (10.0.17763.2686)" }, "ip": [ "10.201.0.9", "fe80::4d1:ef01:c0ed:299a", "127.0.0.1", "::1" ], "name": "response-win-1", "id": "bcbbe9cb-0278-43f9-aa1b-2dc9839bbf6f", "mac": [ "00-00-5E-00-53-23" ], "architecture": "x86_64" }, "event": { "agent_id_status": "verified", "sequence": 32114, "ingested": "2022-04-04T18:37:29Z", "created": "2022-04-04T18:37:01.5775771Z", "kind": "event", "module": "endpoint", "action": "creation", "id": "MYfZFpbNKturKgFp+++++AlT", "category": [ "file" ], "type": [ "creation" ], "dataset": "endpoint.events.file" }, "user": { "domain": "NT AUTHORITY", "name": "SYSTEM", "id": "S-1-5-18" } }PKZjPK}W& endpoint-8.10.2/data_stream/heartbeat/UTdPK}W4 endpoint-8.10.2/data_stream/heartbeat/elasticsearch/UTdPK}WD endpoint-8.10.2/data_stream/heartbeat/elasticsearch/ingest_pipeline/UTdPK}WP endpoint-8.10.2/data_stream/heartbeat/elasticsearch/ingest_pipeline/default.jsonUTd{ "description": "Pipeline for setting event.ingested", "processors": [ { "set": { "field": "event.ingested", "value": "{{ _ingest.timestamp }}", "ignore_failure": true } } ] } PKx{PK}W- endpoint-8.10.2/data_stream/heartbeat/fields/UTdPK}W7 endpoint-8.10.2/data_stream/heartbeat/fields/fields.ymlUTd- name: '@timestamp' level: core required: true type: date description: 'Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.' example: '2016-05-23T08:05:34.853Z' default_field: true - name: message level: core type: match_only_text description: 'For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.' example: Hello World default_field: true - name: agent title: Agent group: 2 description: 'The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.' footnote: 'Examples: In the case of Beats for logs, the agent.name is filebeat. For APM, it is the agent running in the app/service. The agent information does not change if data is sent through queuing systems like Kafka, Redis, or processing systems such as Logstash or APM Server.' type: group default_field: true fields: - name: id level: core type: keyword ignore_above: 1024 description: 'Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.' example: 8a4f500d - name: data_stream title: data_stream group: 2 description: Fields describing the new indexing strategy -- type: group default_field: true fields: - name: dataset level: custom type: constant_keyword description: Data stream dataset name. example: nginx.access default_field: false - name: namespace level: custom type: constant_keyword description: Data stream namespace. example: production default_field: false - name: type level: custom type: constant_keyword description: Data stream type. example: logs default_field: false - name: event title: Event group: 2 description: 'The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events.' type: group default_field: true fields: - name: ingested level: core type: date description: 'Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It''s also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.' example: '2016-05-23T08:05:35.101Z' default_field: false PKelHPK}W2 endpoint-8.10.2/data_stream/heartbeat/manifest.ymlUTdtitle: Endpoint Heartbeat type: logs dataset: endpoint.heartbeat hidden: true elasticsearch: index_template: mappings: dynamic: false settings: index: sort.field: - event.ingested sort.order: - desc PKZPK}W7 endpoint-8.10.2/data_stream/heartbeat/sample_event.jsonUTd{ "@timestamp": "2023-07-18T20:40:09.279939Z", "agent": { "id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" }, "data_stream": { "dataset": "endpoint.heartbeat", "namespace": "default", "type": ".logs" }, "message": "Endpoint heartbeat", "event": { "ingested": "2023-07-18T20:40:09.279939Z" } }PK{hhPK}W$ endpoint-8.10.2/data_stream/library/UTdPK}W2 endpoint-8.10.2/data_stream/library/elasticsearch/UTdPK}WB endpoint-8.10.2/data_stream/library/elasticsearch/ingest_pipeline/UTdPK}WN endpoint-8.10.2/data_stream/library/elasticsearch/ingest_pipeline/default.jsonUTd{ "description": "Pipeline for setting event.ingested", "processors": [ { "set": { "field": "event.ingested", "value": "{{ _ingest.timestamp }}", "ignore_failure": true } } ] } PKx{PK}W+ endpoint-8.10.2/data_stream/library/fields/UTdPK}W5 endpoint-8.10.2/data_stream/library/fields/fields.ymlUTd- name: '@timestamp' level: core required: true type: date description: 'Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.' example: '2016-05-23T08:05:34.853Z' default_field: true - name: message level: core type: match_only_text description: 'For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.' example: Hello World default_field: true - name: agent title: Agent group: 2 description: 'The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.' footnote: 'Examples: In the case of Beats for logs, the agent.name is filebeat. For APM, it is the agent running in the app/service. The agent information does not change if data is sent through queuing systems like Kafka, Redis, or processing systems such as Logstash or APM Server.' type: group default_field: true fields: - name: id level: core type: keyword ignore_above: 1024 description: 'Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.' example: 8a4f500d - name: type level: core type: keyword ignore_above: 1024 description: 'Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.' example: filebeat - name: version level: core type: keyword ignore_above: 1024 description: Version of the agent. example: 6.0.0-rc2 - name: data_stream title: data_stream group: 2 description: Fields describing the new indexing strategy -- type: group default_field: true fields: - name: dataset level: custom type: constant_keyword description: Data stream dataset name. example: nginx.access default_field: false - name: namespace level: custom type: constant_keyword description: Data stream namespace. example: production default_field: false - name: type level: custom type: constant_keyword description: Data stream type. example: logs default_field: false - name: destination title: Destination group: 2 description: 'Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.' type: group default_field: true fields: - name: geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal - name: geo.continent_code level: core type: keyword ignore_above: 1024 description: Two-letter code representing continent's name. example: NA default_field: false - name: geo.continent_name level: core type: keyword ignore_above: 1024 description: Name of the continent. example: North America - name: geo.country_iso_code level: core type: keyword ignore_above: 1024 description: Country ISO code. example: CA - name: geo.country_name level: core type: keyword ignore_above: 1024 description: Country name. example: Canada - name: geo.location level: core type: geo_point description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended type: keyword ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.' example: boston-dc - name: geo.postal_code level: core type: keyword ignore_above: 1024 description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.' example: 94040 default_field: false - name: geo.region_iso_code level: core type: keyword ignore_above: 1024 description: Region ISO code. example: CA-QC - name: geo.region_name level: core type: keyword ignore_above: 1024 description: Region name. example: Quebec - name: geo.timezone level: core type: keyword ignore_above: 1024 description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false - name: dll title: DLL group: 2 description: 'These fields contain information about code libraries dynamically loaded into processes. Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: * Dynamic-link library (`.dll`) commonly used on Windows * Shared Object (`.so`) commonly used on Unix-like operating systems * Dynamic library (`.dylib`) commonly used on macOS' type: group default_field: true fields: - name: Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: Ext.code_signature level: custom type: nested description: Nested version of ECS code_signature fieldset. default_field: false - name: Ext.code_signature.exists level: custom type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: Ext.code_signature.status level: custom type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: Ext.code_signature.subject_name level: custom type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: Ext.code_signature.trusted level: custom type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: Ext.code_signature.valid level: custom type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: Ext.defense_evasions level: custom type: keyword ignore_above: 1024 description: List of defense evasions found for this DLL. These defense evasions can make it harder to inspect a process and/or cause abnormal OS behavior. Examples tools that can cause defense evasions include KnownDlls hijacking and PPLDump. default_field: false - name: Ext.device.bus_type level: custom type: keyword ignore_above: 1024 description: Bus type of the device, such as Nvme, Usb, FileBackedVirtual,... etc. default_field: false - name: Ext.device.dos_name level: custom type: keyword ignore_above: 1024 description: DOS name of the device. DOS device name is in the format of driver letters such as C:, D:,... default_field: false - name: Ext.device.file_system_type level: custom type: keyword ignore_above: 1024 description: 'Volume device file system type. Following are examples of the most frequently seen volume device file system types: NTFS UDF' default_field: false - name: Ext.device.nt_name level: custom type: keyword ignore_above: 1024 description: 'NT name of the device. NT device name is in the format such as: \Device\HarddiskVolume2' default_field: false - name: Ext.device.product_id level: custom type: keyword ignore_above: 1024 description: ProductID of the device. It is provided by the vendor of the device if any. default_field: false - name: Ext.device.serial_number level: custom type: keyword ignore_above: 1024 description: Serial Number of the device. It is provided by the vendor of the device if any. default_field: false - name: Ext.device.vendor_id level: custom type: keyword ignore_above: 1024 description: VendorID of the device. It is provided by the vendor of the device. default_field: false - name: Ext.device.volume_device_type level: custom type: keyword ignore_above: 1024 description: 'Volume device type. Following are examples of the most frequently seen volume device types: Disk File System CD-ROM File System' default_field: false - name: Ext.load_index level: custom type: unsigned_long description: 'A DLL can be loaded into a process multiple times. This field indicates the Nth time that this DLL has been loaded. The first load index is 1.' default_field: false - name: Ext.relative_file_creation_time level: custom type: double description: Number of seconds since the DLL's file was created. This number may be negative if the file's timestamp is in the future. default_field: false - name: Ext.relative_file_name_modify_time level: custom type: double description: Number of seconds since the DLL's name was modified. This information can come from the NTFS MFT. This number may be negative if the file's timestamp is in the future. default_field: false - name: Ext.size level: custom type: unsigned_long description: Size of DLL default_field: false - name: code_signature.exists level: core type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: code_signature.signing_id level: extended type: keyword ignore_above: 1024 description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: code_signature.status level: extended type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: code_signature.subject_name level: core type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: code_signature.team_id level: extended type: keyword ignore_above: 1024 description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: code_signature.trusted level: extended type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: code_signature.valid level: extended type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: hash.md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash. default_field: false - name: hash.sha1 level: extended type: keyword ignore_above: 1024 description: SHA1 hash. default_field: false - name: hash.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. default_field: false - name: hash.sha512 level: extended type: keyword ignore_above: 1024 description: SHA512 hash. default_field: false - name: name level: core type: keyword ignore_above: 1024 description: 'Name of the library. This generally maps to the name of the file on disk.' example: kernel32.dll default_field: false - name: path level: extended type: keyword ignore_above: 1024 description: Full file path of the library. example: C:\Windows\System32\kernel32.dll default_field: false - name: pe.company level: extended type: keyword ignore_above: 1024 description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - name: pe.description level: extended type: keyword ignore_above: 1024 description: Internal description of the file, provided at compile-time. example: Paint default_field: false - name: pe.file_version level: extended type: keyword ignore_above: 1024 description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - name: pe.imphash level: extended type: keyword ignore_above: 1024 description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - name: pe.original_file_name level: extended type: keyword ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - name: pe.product level: extended type: keyword ignore_above: 1024 description: Internal product name of the file, provided at compile-time. example: "Microsoft® Windows® Operating System" default_field: false - name: ecs title: ECS group: 2 description: Meta-information specific to ECS. type: group default_field: true fields: - name: version level: core required: true type: keyword ignore_above: 1024 description: 'ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.' example: 1.0.0 - name: event title: Event group: 2 description: 'The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events.' type: group default_field: true fields: - name: action level: core type: keyword ignore_above: 1024 description: 'The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.' example: user-password-change - name: category level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.' example: authentication - name: code level: extended type: keyword ignore_above: 1024 description: 'Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.' example: 4648 - name: created level: core type: date description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent''s or pipeline''s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.' example: '2016-05-23T08:05:34.857Z' - name: dataset level: core type: keyword ignore_above: 1024 description: 'Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It''s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.' example: apache.access - name: hash level: extended type: keyword ignore_above: 1024 description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. example: 123456789012345678901234567890ABCD - name: id level: core type: keyword ignore_above: 1024 description: Unique ID to describe the event. example: 8a4f500d - name: ingested level: core type: date description: 'Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It''s also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.' example: '2016-05-23T08:05:35.101Z' default_field: false - name: kind level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.' example: alert - name: module level: core type: keyword ignore_above: 1024 description: 'Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.' example: apache - name: outcome level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.' example: success - name: provider level: extended type: keyword ignore_above: 1024 description: 'Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).' example: kernel - name: sequence level: extended type: long format: string description: 'Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.' - name: severity level: core type: long format: string description: 'The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It''s up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.' example: 7 - name: type level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types.' - name: file title: File group: 2 description: 'A file is defined as a set of information that has been created on, or has existed on a filesystem. File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric.' type: group default_field: true fields: - name: Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: Ext.code_signature level: custom type: nested description: Nested version of ECS code_signature fieldset. default_field: false - name: Ext.code_signature.exists level: core type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: Ext.code_signature.status level: custom type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: Ext.code_signature.subject_name level: core type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: Ext.code_signature.trusted level: custom type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: Ext.code_signature.valid level: custom type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: code_signature.exists level: core type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: code_signature.signing_id level: extended type: keyword ignore_above: 1024 description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: code_signature.status level: extended type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: code_signature.subject_name level: core type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: code_signature.team_id level: extended type: keyword ignore_above: 1024 description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: code_signature.trusted level: extended type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: code_signature.valid level: extended type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: hash.md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash. - name: hash.sha1 level: extended type: keyword ignore_above: 1024 description: SHA1 hash. - name: hash.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. - name: hash.sha512 level: extended type: keyword ignore_above: 1024 description: SHA512 hash. - name: name level: extended type: keyword ignore_above: 1024 description: Name of the file including the extension, without the directory. example: example.png - name: path level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Full path to the file, including the file name. It should include the drive letter, when appropriate. example: /home/alice/example.png - name: pe.company level: extended type: keyword ignore_above: 1024 description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - name: pe.description level: extended type: keyword ignore_above: 1024 description: Internal description of the file, provided at compile-time. example: Paint default_field: false - name: pe.file_version level: extended type: keyword ignore_above: 1024 description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - name: pe.imphash level: extended type: keyword ignore_above: 1024 description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - name: pe.original_file_name level: extended type: keyword ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - name: pe.product level: extended type: keyword ignore_above: 1024 description: Internal product name of the file, provided at compile-time. example: "Microsoft® Windows® Operating System" default_field: false - name: group title: Group group: 2 description: The group fields are meant to represent groups that are relevant to the event. type: group default_field: true fields: - name: Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: Ext.real level: custom type: object description: Group info prior to any setgid operations. default_field: false - name: Ext.real.id level: custom type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: Ext.real.name level: custom type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: domain level: extended type: keyword ignore_above: 1024 description: Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. - name: id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. - name: name level: extended type: keyword ignore_above: 1024 description: Name of the group. - name: host title: Host group: 2 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group default_field: true fields: - name: architecture level: core type: keyword ignore_above: 1024 description: Operating system architecture. example: x86_64 - name: domain level: extended type: keyword ignore_above: 1024 description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO default_field: false - name: hostname level: core type: keyword ignore_above: 1024 description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - name: id level: core type: keyword ignore_above: 1024 description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - name: ip level: core type: ip description: Host ip addresses. - name: mac level: core type: keyword ignore_above: 1024 description: 'Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.' example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - name: name level: core type: keyword ignore_above: 1024 description: 'Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.' - name: os.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: os.Ext.variant level: custom type: keyword ignore_above: 1024 description: A string value or phrase that further aid to classify or qualify the operating system (OS). For example the distribution for a Linux OS will be entered in this field. example: Ubuntu default_field: false - name: os.family level: extended type: keyword ignore_above: 1024 description: OS family (such as redhat, debian, freebsd, windows). example: debian - name: os.full level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Operating system name, including the version or code name. example: Mac OS Mojave - name: os.kernel level: extended type: keyword ignore_above: 1024 description: Operating system kernel version as a raw string. example: 4.4.0-112-generic - name: os.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Operating system name, without the version. example: Mac OS X - name: os.platform level: extended type: keyword ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin - name: os.type level: extended type: keyword ignore_above: 1024 description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you''re dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.' example: macos default_field: false - name: os.version level: extended type: keyword ignore_above: 1024 description: Operating system version as a raw string. example: 10.14.1 - name: type level: core type: keyword ignore_above: 1024 description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: uptime level: extended type: long description: Seconds the host has been up. example: 1325 - name: process title: Process group: 2 description: 'These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation.' type: group default_field: true fields: - name: Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: Ext.ancestry level: custom type: keyword ignore_above: 1024 description: An array of entity_ids indicating the ancestors for this event default_field: false - name: Ext.code_signature level: custom type: nested description: Nested version of ECS code_signature fieldset. default_field: false - name: Ext.code_signature.exists level: custom type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: Ext.code_signature.status level: custom type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: Ext.code_signature.subject_name level: custom type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: Ext.code_signature.trusted level: custom type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: Ext.code_signature.valid level: custom type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: code_signature.exists level: core type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: code_signature.signing_id level: extended type: keyword ignore_above: 1024 description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: code_signature.status level: extended type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: code_signature.subject_name level: core type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: code_signature.team_id level: extended type: keyword ignore_above: 1024 description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: code_signature.trusted level: extended type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: code_signature.valid level: extended type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: executable level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Absolute path to the process executable. example: /usr/bin/ssh - name: name level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: 'Process name. Sometimes called program name or similar.' example: ssh - name: pid level: core type: long format: string description: Process id. example: 4242 - name: thread.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: thread.Ext.call_stack level: custom type: object description: Fields describing a stack frame. call_stack is expected to be an array where each array element represents a stack frame. enabled: true default_field: false - name: thread.Ext.call_stack.allocation_private_bytes level: custom type: unsigned_long description: The number of bytes in this memory allocation/image that are both +X and non-shareable. Non-zero values can indicate code hooking, patching, or hollowing. default_field: false - name: thread.Ext.call_stack.callsite_leading_bytes level: custom type: keyword ignore_above: 1024 description: Hex opcode bytes preceding the callsite default_field: false - name: thread.Ext.call_stack.callsite_trailing_bytes level: custom type: keyword ignore_above: 1024 description: Hex opcode bytes after the callsite (where control will return to) default_field: false - name: thread.Ext.call_stack.protection level: custom type: keyword ignore_above: 1024 description: Protection of the page containing this instruction. This is `R-X' by default if omitted. default_field: false - name: thread.Ext.call_stack.symbol_info level: custom type: keyword ignore_above: 1024 description: The nearest symbol for `instruction_pointer`. default_field: false - name: thread.Ext.call_stack_summary level: custom type: keyword ignore_above: 1024 description: Concatentation of the non-repeated modules in the call stack. example: ntdll.dll, example.exe, kernel32.dll, ntdll.dll default_field: false - name: thread.id level: extended type: long format: string description: Thread ID. example: 4242 - name: source title: Source group: 2 description: 'Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.' type: group default_field: true fields: - name: geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal - name: geo.continent_code level: core type: keyword ignore_above: 1024 description: Two-letter code representing continent's name. example: NA default_field: false - name: geo.continent_name level: core type: keyword ignore_above: 1024 description: Name of the continent. example: North America - name: geo.country_iso_code level: core type: keyword ignore_above: 1024 description: Country ISO code. example: CA - name: geo.country_name level: core type: keyword ignore_above: 1024 description: Country name. example: Canada - name: geo.location level: core type: geo_point description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended type: keyword ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.' example: boston-dc - name: geo.postal_code level: core type: keyword ignore_above: 1024 description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.' example: 94040 default_field: false - name: geo.region_iso_code level: core type: keyword ignore_above: 1024 description: Region ISO code. example: CA-QC - name: geo.region_name level: core type: keyword ignore_above: 1024 description: Region name. example: Quebec - name: geo.timezone level: core type: keyword ignore_above: 1024 description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false - name: user title: User group: 2 description: 'The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.' type: group default_field: true fields: - name: Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: Ext.real level: custom type: object description: User info prior to any setuid operations. default_field: false - name: Ext.real.id level: custom type: keyword ignore_above: 1024 description: One or multiple unique identifiers of the user. default_field: false - name: Ext.real.name level: custom type: keyword ignore_above: 1024 description: Short name or login of the user. default_field: false - name: domain level: extended type: keyword ignore_above: 1024 description: 'Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.' - name: email level: extended type: keyword ignore_above: 1024 description: User email address. - name: full_name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text default_field: false description: User's full name, if available. example: Albert Einstein - name: group.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: group.Ext.real level: custom type: object description: Group info prior to any setgid operations. default_field: false - name: group.Ext.real.id level: custom type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: group.Ext.real.name level: custom type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: group.domain level: extended type: keyword ignore_above: 1024 description: Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. - name: group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. - name: group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. - name: hash level: extended type: keyword ignore_above: 1024 description: 'Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.' - name: id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - name: name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text default_field: false description: Short name or login of the user. example: a.einstein PKJGGPK}W0 endpoint-8.10.2/data_stream/library/manifest.ymlUTdtitle: Endpoint Library and Driver Events type: logs dataset: endpoint.events.library elasticsearch: index_template: mappings: dynamic: false PKjXPK}W5 endpoint-8.10.2/data_stream/library/sample_event.jsonUTd{ "agent": { "id": "4c9c9cb3-f80f-44d8-9c89-6168243b7f21", "type": "endpoint", "version": "8.3.0-SNAPSHOT" }, "process": { "Ext": { "ancestry": [ "NGM5YzljYjMtZjgwZi00NGQ4LTljODktNjE2ODI0M2I3ZjIxLTYwMC0xMzI5MzU0OTExMC40NjgyMjI3MDA=", "NGM5YzljYjMtZjgwZi00NGQ4LTljODktNjE2ODI0M2I3ZjIxLTQ3Mi0xMzI5MzU0OTExMC4xNzIwMjY5MDA=" ], "code_signature": [ { "trusted": true, "subject_name": "Microsoft Windows", "exists": true, "status": "trusted" } ] }, "code_signature": { "trusted": true, "subject_name": "Microsoft Windows", "exists": true, "status": "trusted" }, "name": "VSSVC.exe", "pid": 4528, "entity_id": "NGM5YzljYjMtZjgwZi00NGQ4LTljODktNjE2ODI0M2I3ZjIxLTQ1MjgtMTMyOTM1NzEwODYuNjI4MzM0NzAw", "executable": "C:\\Windows\\System32\\VSSVC.exe", "thread": { "id": 340, "Ext": { "call_stack": [ { "allocation_private_bytes": 16384, "callsite_leading_bytes": "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", "callsite_trailing_bytes": "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", "protection": "RWX", "symbol_info": "C:\\Windows\\System32\\ntdll.dll!RtlUserThreadStart+0x21" } ], "call_stack_summary": "ntdll.dll|kernelbase.dll|kernel32.dll|cmd.exe|kernel32.dll|ntdll.dll" } } }, "dll": { "Ext": { "code_signature": [ { "trusted": true, "subject_name": "Microsoft Windows", "exists": true, "status": "trusted" } ], "device": { "volume_device_type": "Disk File System" }, "load_index": 1, "relative_file_creation_time": 48628704.4029488, "relative_file_name_modify_time": 48628704.4029488, "size": 65536 }, "path": "C:\\Windows\\System32\\msxml3.dll", "code_signature": { "trusted": true, "subject_name": "Microsoft Windows", "exists": true, "status": "trusted" }, "pe": { "file_version": "8.110.17763.1911", "imphash": "2e1d1e35c17be5497d2de33f06dc41b4", "original_file_name": "MSXML3.dll" }, "name": "msxml3.dll", "hash": { "sha1": "02488fb2dbf679a3282338178b451da635b79b54", "sha256": "a9698adcf789d9e30f37dd5e6c9be0441bc37662ba7402e85071ccec2135d36c", "md5": "65e4fd0564411bb60c600fae12cde2f9" } }, "message": "Endpoint DLL load event", "@timestamp": "2022-04-04T18:38:08.3185831Z", "ecs": { "version": "1.11.0" }, "data_stream": { "namespace": "default", "type": "logs", "dataset": "endpoint.events.library" }, "host": { "hostname": "data-viz-win-1", "os": { "Ext": { "variant": "Windows Server 2019 Datacenter" }, "kernel": "1809 (10.0.17763.2686)", "name": "Windows", "family": "windows", "type": "windows", "version": "1809 (10.0.17763.2686)", "platform": "windows", "full": "Windows Server 2019 Datacenter 1809 (10.0.17763.2686)" }, "ip": [ "10.201.0.13", "fe80::f40a:aed0:618a:972d", "127.0.0.1", "::1" ], "name": "data-viz-win-1", "id": "2beebb8e-e5f0-46ca-8635-97ba7bb8ccca", "mac": [ "00-00-5E-00-53-23" ], "architecture": "x86_64" }, "event": { "agent_id_status": "verified", "sequence": 34339, "ingested": "2022-04-04T18:38:16Z", "created": "2022-04-04T18:38:08.3185831Z", "kind": "event", "module": "endpoint", "action": "load", "id": "MYfZG00oEwD2/fqT+++++BRi", "category": [ "library" ], "type": [ "start" ], "dataset": "endpoint.events.library" }, "user": { "domain": "NT AUTHORITY", "name": "SYSTEM", "id": "S-1-5-18" } }PKPK}W% endpoint-8.10.2/data_stream/metadata/UTdPK}W3 endpoint-8.10.2/data_stream/metadata/elasticsearch/UTdPK}WC endpoint-8.10.2/data_stream/metadata/elasticsearch/ingest_pipeline/UTdPK}WO endpoint-8.10.2/data_stream/metadata/elasticsearch/ingest_pipeline/default.jsonUTd{ "description": "Pipeline for setting event.ingested", "processors": [ { "set": { "field": "event.ingested", "value": "{{ _ingest.timestamp }}", "ignore_failure": true } } ] } PKx{PK}W, endpoint-8.10.2/data_stream/metadata/fields/UTdPK}W6 endpoint-8.10.2/data_stream/metadata/fields/fields.ymlUTd- name: '@timestamp' level: core required: true type: date description: 'Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.' example: '2016-05-23T08:05:34.853Z' default_field: true - name: Endpoint title: Endpoint group: 2 description: Fields describing the state of the Elastic Endpoint when an event occurs. type: group default_field: true fields: - name: capabilities level: custom type: keyword ignore_above: 128 description: Enabled capabilities doc_values: false default_field: false - name: configuration level: custom type: object description: Configuration fields represent the intended and applied setting for fields not part of a Policy setting This reflects what a given field is configured to do. The actual state of that same field is found in Endpoint.state default_field: false - name: configuration.isolation level: custom type: boolean description: Configuration setting for Host Isolation from the network default_field: false - name: policy level: custom type: object description: The policy fields are used to hold information about applied policy. default_field: false - name: policy.applied level: custom type: object description: information about the policy that is applied default_field: false - name: policy.applied.id level: custom type: keyword ignore_above: 1024 description: the id of the applied policy default_field: false - name: policy.applied.name level: custom type: keyword ignore_above: 1024 description: the name of this applied policy default_field: false - name: policy.applied.status level: custom type: keyword ignore_above: 1024 description: the status of the applied policy default_field: false - name: state level: custom type: object description: Represents the current state of a non-policy setting These fields reflect the current status of a field, which may differ from what it is configured to be (see Endpoint.configuration) default_field: false - name: state.isolation level: custom type: boolean description: Current network isolation state of the host default_field: false - name: status level: custom type: keyword ignore_above: 1024 description: The current status of the endpoint e.g. enrolled, unenrolled. default_field: false - name: agent title: Agent group: 2 description: 'The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.' footnote: 'Examples: In the case of Beats for logs, the agent.name is filebeat. For APM, it is the agent running in the app/service. The agent information does not change if data is sent through queuing systems like Kafka, Redis, or processing systems such as Logstash or APM Server.' type: group default_field: true fields: - name: id level: core type: keyword ignore_above: 1024 description: 'Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.' example: 8a4f500d - name: name level: core type: keyword ignore_above: 1024 description: 'Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from.' example: foo - name: type level: core type: keyword ignore_above: 1024 description: 'Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.' example: filebeat - name: version level: core type: keyword ignore_above: 1024 description: Version of the agent. example: 6.0.0-rc2 - name: data_stream title: data_stream group: 2 description: Fields describing the new indexing strategy -- type: group default_field: true fields: - name: dataset level: custom type: constant_keyword description: Data stream dataset name. example: nginx.access default_field: false - name: namespace level: custom type: constant_keyword description: Data stream namespace. example: production default_field: false - name: type level: custom type: constant_keyword description: Data stream type. example: logs default_field: false - name: ecs title: ECS group: 2 description: Meta-information specific to ECS. type: group default_field: true fields: - name: version level: core required: true type: keyword ignore_above: 1024 description: 'ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.' example: 1.0.0 - name: elastic title: Elastic group: 2 description: Holds fields and properties of data points and concepts in the elastic domain or namespace. type: group default_field: true fields: - name: agent level: custom type: object description: The agent fields contain data about the Elastic Agent. The Elastic Agent is the management agent that manages other agents or process on the host. default_field: false - name: agent.id level: custom type: keyword ignore_above: 1024 description: Unique identifier of this elastic agent (if one exists). example: c2a9093e-e289-4c0a-aa44-8c32a414fa7a default_field: false - name: event title: Event group: 2 description: 'The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events.' type: group default_field: true fields: - name: action level: core type: keyword ignore_above: 1024 description: 'The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.' example: user-password-change - name: category level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.' example: authentication - name: code level: extended type: keyword ignore_above: 1024 description: 'Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.' example: 4648 - name: created level: core type: date description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent''s or pipeline''s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.' example: '2016-05-23T08:05:34.857Z' - name: dataset level: core type: keyword ignore_above: 1024 description: 'Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It''s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.' example: apache.access - name: hash level: extended type: keyword ignore_above: 1024 description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. example: 123456789012345678901234567890ABCD - name: id level: core type: keyword ignore_above: 1024 description: Unique ID to describe the event. example: 8a4f500d - name: ingested level: core type: date description: 'Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It''s also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.' example: '2016-05-23T08:05:35.101Z' default_field: false - name: kind level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.' example: alert - name: module level: core type: keyword ignore_above: 1024 description: 'Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.' example: apache - name: outcome level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.' example: success - name: provider level: extended type: keyword ignore_above: 1024 description: 'Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).' example: kernel - name: sequence level: extended type: long format: string description: 'Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.' - name: severity level: core type: long format: string description: 'The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It''s up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.' example: 7 - name: type level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types.' - name: host title: Host group: 2 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group default_field: true fields: - name: architecture level: core type: keyword ignore_above: 1024 description: Operating system architecture. example: x86_64 - name: domain level: extended type: keyword ignore_above: 1024 description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO default_field: false - name: hostname level: core type: keyword ignore_above: 1024 description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - name: id level: core type: keyword ignore_above: 1024 description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - name: ip level: core type: ip description: Host ip addresses. - name: mac level: core type: keyword ignore_above: 1024 description: 'Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.' example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - name: name level: core type: keyword ignore_above: 1024 description: 'Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.' - name: os.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: os.Ext.variant level: custom type: keyword ignore_above: 1024 description: A string value or phrase that further aid to classify or qualify the operating system (OS). For example the distribution for a Linux OS will be entered in this field. example: Ubuntu default_field: false - name: os.family level: extended type: keyword ignore_above: 1024 description: OS family (such as redhat, debian, freebsd, windows). example: debian - name: os.full level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Operating system name, including the version or code name. example: Mac OS Mojave - name: os.kernel level: extended type: keyword ignore_above: 1024 description: Operating system kernel version as a raw string. example: 4.4.0-112-generic - name: os.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Operating system name, without the version. example: Mac OS X - name: os.platform level: extended type: keyword ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin - name: os.type level: extended type: keyword ignore_above: 1024 description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you''re dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.' example: macos default_field: false - name: os.version level: extended type: keyword ignore_above: 1024 description: Operating system version as a raw string. example: 10.14.1 - name: type level: core type: keyword ignore_above: 1024 description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: uptime level: extended type: long description: Seconds the host has been up. example: 1325 PK#J=O=OPK}W1 endpoint-8.10.2/data_stream/metadata/manifest.ymlUTdtitle: Endpoint Metadata type: metrics elasticsearch: index_template: mappings: dynamic: false settings: index: sort.field: - "@timestamp" - agent.id sort.order: - desc - asc PKG6PK}W6 endpoint-8.10.2/data_stream/metadata/sample_event.jsonUTd{ "agent": { "build": { "original": "version: 8.3.0-SNAPSHOT, compiled: Fri Apr 1 06:00:00 2022, branch: main, commit: f8b0ed879ad40ee1ae561ced31ec8a4027a2bf53" }, "id": "4c9c9cb3-f80f-44d8-9c89-6168243b7f21", "type": "endpoint", "version": "8.3.0-SNAPSHOT" }, "@timestamp": "2022-04-04T12:33:36.6664577Z", "Endpoint": { "capabilities": [ "isolation" ], "configuration": { "isolation": false }, "state": { "isolation": false }, "policy": { "applied": { "name": "endpoint-1", "id": "b372bc3f-e9b3-4b2d-9dfe-ae677ed83933", "status": "success" } }, "status": "enrolled" }, "ecs": { "version": "1.11.0" }, "data_stream": { "namespace": "default", "type": "metrics", "dataset": "endpoint.metadata" }, "elastic": { "agent": { "id": "4c9c9cb3-f80f-44d8-9c89-6168243b7f21" } }, "host": { "hostname": "data-viz-win-1", "os": { "Ext": { "variant": "Windows Server 2019 Datacenter" }, "kernel": "1809 (10.0.17763.2686)", "name": "Windows", "family": "windows", "type": "windows", "version": "1809 (10.0.17763.2686)", "platform": "windows", "full": "Windows Server 2019 Datacenter 1809 (10.0.17763.2686)" }, "ip": [ "10.201.0.13", "fe80::f40a:aed0:618a:972d", "127.0.0.1", "::1" ], "name": "data-viz-win-1", "id": "2beebb8e-e5f0-46ca-8635-97ba7bb8ccca", "mac": [ "00-00-5E-00-53-23" ], "architecture": "x86_64" }, "event": { "agent_id_status": "verified", "sequence": 5054, "ingested": "2022-04-04T12:33:37Z", "created": "2022-04-04T12:33:36.6664577Z", "kind": "metric", "module": "endpoint", "action": "endpoint_metadata", "id": "MYfZG00oEwD2/fqT+++++/SC", "category": [ "host" ], "type": [ "info" ], "dataset": "endpoint.metadata" } }PK@ @ PK}W$ endpoint-8.10.2/data_stream/metrics/UTdPK}W2 endpoint-8.10.2/data_stream/metrics/elasticsearch/UTdPK}WB endpoint-8.10.2/data_stream/metrics/elasticsearch/ingest_pipeline/UTdPK}WN endpoint-8.10.2/data_stream/metrics/elasticsearch/ingest_pipeline/default.jsonUTd{ "description": "Pipeline for setting event.ingested", "processors": [ { "set": { "field": "event.ingested", "value": "{{ _ingest.timestamp }}", "ignore_failure": true } } ] } PKx{PK}W+ endpoint-8.10.2/data_stream/metrics/fields/UTdPK}W5 endpoint-8.10.2/data_stream/metrics/fields/fields.ymlUTd- name: '@timestamp' level: core required: true type: date description: 'Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.' example: '2016-05-23T08:05:34.853Z' default_field: true - name: message level: core type: match_only_text description: 'For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.' example: Hello World default_field: true - name: Endpoint title: Endpoint group: 2 description: Fields describing the state of the Elastic Endpoint when an event occurs. type: group default_field: true fields: - name: metrics level: custom type: object description: Metrics fields hold the endpoint and system's performance metrics default_field: false - name: metrics.cpu level: custom type: object description: CPU statistics default_field: false - name: metrics.cpu.endpoint level: custom type: object description: CPU metrics for the endpoint default_field: false - name: metrics.cpu.endpoint.histogram level: custom type: histogram description: This field defines an elasticsearch histogram field (https://www.elastic.co/guide/en/elasticsearch/reference/current/histogram.html#histogram) The values field includes 20 buckets (each bucket is 5%) representing the cpu usage The counts field includes 20 buckets of how many times the endpoint's cpu usage fell into each bucket default_field: false - name: metrics.cpu.endpoint.latest level: custom type: half_float description: Average CPU over the last sample interval default_field: false - name: metrics.cpu.endpoint.mean level: custom type: half_float description: Average CPU load used by the endpoint default_field: false - name: metrics.disks level: custom type: object description: An array of disk information for the host enabled: false default_field: false - name: metrics.disks.device level: custom type: keyword ignore_above: 1024 description: Device name default_field: false - name: metrics.disks.endpoint_drive level: custom type: boolean description: This field will be present and set to true only for the drive that holds the installed endpoint default_field: false - name: metrics.disks.free level: custom type: long description: The number of bytes marked as free on the disk default_field: false - name: metrics.disks.fstype level: custom type: keyword ignore_above: 1024 description: The file system type for the drive default_field: false - name: metrics.disks.mount level: custom type: keyword ignore_above: 1024 description: The disks mount location default_field: false - name: metrics.disks.total level: custom type: long description: The size of the disk in bytes default_field: false - name: metrics.documents_volume level: custom type: object description: Statistics about sent documents default_field: false - name: metrics.documents_volume.alerts.sent_bytes level: custom type: long description: Total size of sent documents default_field: false - name: metrics.documents_volume.alerts.sent_count level: custom type: long description: Number of sent documents default_field: false - name: metrics.documents_volume.alerts.suppressed_bytes level: custom type: long description: Total size of suppressed documents default_field: false - name: metrics.documents_volume.alerts.suppressed_count level: custom type: long description: Number of suppressed documents default_field: false - name: metrics.documents_volume.api_events.sent_bytes level: custom type: long description: Total size of API Event sent documents default_field: false - name: metrics.documents_volume.api_events.sent_count level: custom type: long description: Number of sent API Event documents default_field: false - name: metrics.documents_volume.api_events.sources level: custom type: object description: An array of API Event document statistics per source default_field: false - name: metrics.documents_volume.api_events.sources.sent_bytes level: custom type: long description: Total size of API Event sent documents from source default_field: false - name: metrics.documents_volume.api_events.sources.sent_count level: custom type: long description: Number of sent API Event documents from source default_field: false - name: metrics.documents_volume.api_events.sources.source level: custom type: keyword ignore_above: 1024 description: API Event document source name default_field: false - name: metrics.documents_volume.api_events.sources.suppressed_bytes level: custom type: long description: Total size of suppressed API Event documents from source default_field: false - name: metrics.documents_volume.api_events.sources.suppressed_count level: custom type: long description: Number of suppressed API Event documents from source default_field: false - name: metrics.documents_volume.api_events.suppressed_bytes level: custom type: long description: Total size of suppressed API Event documents default_field: false - name: metrics.documents_volume.api_events.suppressed_count level: custom type: long description: Number of suppressed API Event documents default_field: false - name: metrics.documents_volume.diagnostic_alerts.sent_bytes level: custom type: long description: Total size of sent documents default_field: false - name: metrics.documents_volume.diagnostic_alerts.sent_count level: custom type: long description: Number of sent documents default_field: false - name: metrics.documents_volume.diagnostic_alerts.suppressed_bytes level: custom type: long description: Total size of suppressed documents default_field: false - name: metrics.documents_volume.diagnostic_alerts.suppressed_count level: custom type: long description: Number of suppressed documents default_field: false - name: metrics.documents_volume.dns_events.sent_bytes level: custom type: long description: Total size of sent documents default_field: false - name: metrics.documents_volume.dns_events.sent_count level: custom type: long description: Number of sent documents default_field: false - name: metrics.documents_volume.dns_events.suppressed_bytes level: custom type: long description: Total size of suppressed documents default_field: false - name: metrics.documents_volume.dns_events.suppressed_count level: custom type: long description: Number of suppressed documents default_field: false - name: metrics.documents_volume.file_events.sent_bytes level: custom type: long description: Total size of sent documents default_field: false - name: metrics.documents_volume.file_events.sent_count level: custom type: long description: Number of sent documents default_field: false - name: metrics.documents_volume.file_events.suppressed_bytes level: custom type: long description: Total size of suppressed documents default_field: false - name: metrics.documents_volume.file_events.suppressed_count level: custom type: long description: Number of suppressed documents default_field: false - name: metrics.documents_volume.library_events.sent_bytes level: custom type: long description: Total size of sent documents default_field: false - name: metrics.documents_volume.library_events.sent_count level: custom type: long description: Number of sent documents default_field: false - name: metrics.documents_volume.library_events.suppressed_bytes level: custom type: long description: Total size of suppressed documents default_field: false - name: metrics.documents_volume.library_events.suppressed_count level: custom type: long description: Number of suppressed documents default_field: false - name: metrics.documents_volume.network_events.sent_bytes level: custom type: long description: Total size of sent documents default_field: false - name: metrics.documents_volume.network_events.sent_count level: custom type: long description: Number of sent documents default_field: false - name: metrics.documents_volume.network_events.suppressed_bytes level: custom type: long description: Total size of suppressed documents default_field: false - name: metrics.documents_volume.network_events.suppressed_count level: custom type: long description: Number of suppressed documents default_field: false - name: metrics.documents_volume.overall.sent_bytes level: custom type: long description: Total size of sent documents default_field: false - name: metrics.documents_volume.overall.sent_count level: custom type: long description: Number of sent documents default_field: false - name: metrics.documents_volume.overall.suppressed_bytes level: custom type: long description: Total size of suppressed documents default_field: false - name: metrics.documents_volume.overall.suppressed_count level: custom type: long description: Number of suppressed documents default_field: false - name: metrics.documents_volume.process_events.sent_bytes level: custom type: long description: Total size of sent documents default_field: false - name: metrics.documents_volume.process_events.sent_count level: custom type: long description: Number of sent documents default_field: false - name: metrics.documents_volume.process_events.suppressed_bytes level: custom type: long description: Total size of suppressed documents default_field: false - name: metrics.documents_volume.process_events.suppressed_count level: custom type: long description: Number of suppressed documents default_field: false - name: metrics.documents_volume.registry_events.sent_bytes level: custom type: long description: Total size of sent documents default_field: false - name: metrics.documents_volume.registry_events.sent_count level: custom type: long description: Number of sent documents default_field: false - name: metrics.documents_volume.registry_events.suppressed_bytes level: custom type: long description: Total size of suppressed documents default_field: false - name: metrics.documents_volume.registry_events.suppressed_count level: custom type: long description: Number of suppressed documents default_field: false - name: metrics.documents_volume.security_events.sent_bytes level: custom type: long description: Total size of sent documents default_field: false - name: metrics.documents_volume.security_events.sent_count level: custom type: long description: Number of sent documents default_field: false - name: metrics.documents_volume.security_events.suppressed_bytes level: custom type: long description: Total size of suppressed documents default_field: false - name: metrics.documents_volume.security_events.suppressed_count level: custom type: long description: Number of suppressed documents default_field: false - name: metrics.event_filter.active_global_count level: custom type: long description: The number of active global event filters index: false doc_values: false default_field: false - name: metrics.event_filter.active_user_count level: custom type: long description: The number of active user event filters index: false doc_values: false default_field: false - name: metrics.malicious_behavior_rules level: custom type: object description: An array of performance information about each malicious behavior rule enabled: false default_field: false - name: metrics.malicious_behavior_rules.endpoint_uptime_percent level: custom type: double description: Perfect of Endpoint's update spent running the rule index: false doc_values: false default_field: false - name: metrics.malicious_behavior_rules.id level: custom type: keyword description: The rule id index: false doc_values: false default_field: false - name: metrics.memory level: custom type: object description: Memory statistics default_field: false - name: metrics.memory.endpoint level: custom type: object description: Endpoint memory utilization default_field: false - name: metrics.memory.endpoint.private level: custom type: object description: The memory private to the endpoint default_field: false - name: metrics.memory.endpoint.private.latest level: custom type: long description: The memory usage by the endpoint for the last sample interval default_field: false - name: metrics.memory.endpoint.private.mean level: custom type: long description: Average memory usage by the endpoint since its start default_field: false - name: metrics.system_impact level: custom type: object description: An array of system impact information enabled: false index: false doc_values: false default_field: false - name: metrics.system_impact.authentication_events.week_idle_ms level: custom type: unsigned_long description: The total milliseconds spent queueing authentication events for the process over the last week index: false doc_values: false default_field: false - name: metrics.system_impact.authentication_events.week_ms level: custom type: unsigned_long description: The total milliseconds spent on authentication events for the process over the last week index: false doc_values: false default_field: false - name: metrics.system_impact.dns_events.week_idle_ms level: custom type: unsigned_long description: The total milliseconds spent queueing DNS events for the process over the last week index: false doc_values: false default_field: false - name: metrics.system_impact.dns_events.week_ms level: custom type: unsigned_long description: The total milliseconds spent on DNS events for the process over the last week index: false doc_values: false default_field: false - name: metrics.system_impact.file_events.week_idle_ms level: custom type: unsigned_long description: The total milliseconds spent queueing file events for the process over the last week index: false doc_values: false default_field: false - name: metrics.system_impact.file_events.week_ms level: custom type: unsigned_long description: The total milliseconds spent on file events for the process over the last week index: false doc_values: false default_field: false - name: metrics.system_impact.library_load_events.week_idle_ms level: custom type: unsigned_long description: The total milliseconds spent queueing library load events for the process over the last week index: false doc_values: false default_field: false - name: metrics.system_impact.library_load_events.week_ms level: custom type: unsigned_long description: The total milliseconds spent on library load events for the process over the last week index: false doc_values: false default_field: false - name: metrics.system_impact.malware.week_idle_ms level: custom type: unsigned_long description: The total milliseconds spent queueing malware scanning due to the process over the last week index: false doc_values: false default_field: false - name: metrics.system_impact.malware.week_ms level: custom type: unsigned_long description: The total milliseconds spent on malware scanning due to the process over the last week index: false doc_values: false default_field: false - name: metrics.system_impact.network_events.week_idle_ms level: custom type: unsigned_long description: The total milliseconds spent queueing network events for the process over the last week index: false doc_values: false default_field: false - name: metrics.system_impact.network_events.week_ms level: custom type: unsigned_long description: The total milliseconds spent on network events for the process over the last week index: false doc_values: false default_field: false - name: metrics.system_impact.overall.week_idle_ms level: custom type: unsigned_long description: The total milliseconds spent queueing activity for the process over the last week index: false doc_values: false default_field: false - name: metrics.system_impact.overall.week_ms level: custom type: unsigned_long description: The total milliseconds spent monitoring the process over the last week index: false doc_values: false default_field: false - name: metrics.system_impact.process.code_signature level: custom type: nested description: Code signature of the process index: false doc_values: false default_field: false - name: metrics.system_impact.process.code_signature.exists level: custom type: boolean description: Boolean to capture if a signature is present. example: 'true' index: false doc_values: false default_field: false - name: metrics.system_impact.process.code_signature.signing_id level: extended type: keyword description: '''The identifier used to sign the binary. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.''' example: com.apple.xpc.proxy index: false doc_values: false default_field: false - name: metrics.system_impact.process.code_signature.status level: custom type: keyword description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT index: false doc_values: false default_field: false - name: metrics.system_impact.process.code_signature.subject_name level: custom type: keyword description: Subject name of the code signer example: Microsoft Corporation index: false doc_values: false default_field: false - name: metrics.system_impact.process.code_signature.team_id level: extended type: keyword description: '''The team identifier used to sign the binary. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.''' example: EQHXZ8M8AV index: false doc_values: false default_field: false - name: metrics.system_impact.process.code_signature.trusted level: custom type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' index: false doc_values: false default_field: false - name: metrics.system_impact.process.code_signature.valid level: custom type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' index: false doc_values: false default_field: false - name: metrics.system_impact.process.executable level: custom type: unsigned_long description: Path to the process executable for the impact entry index: false doc_values: false default_field: false - name: metrics.system_impact.process_events.week_idle_ms level: custom type: unsigned_long description: The total milliseconds spent queueing process events for the process over the last week index: false doc_values: false default_field: false - name: metrics.system_impact.process_events.week_ms level: custom type: unsigned_long description: The total milliseconds spent on process events for the process over the last week index: false doc_values: false default_field: false - name: metrics.system_impact.registry_events.week_idle_ms level: custom type: unsigned_long description: The total milliseconds spent queueing registry events for the process over the last week index: false doc_values: false default_field: false - name: metrics.system_impact.registry_events.week_ms level: custom type: unsigned_long description: The total milliseconds spent on registry events for the process over the last week index: false doc_values: false default_field: false - name: metrics.system_impact.threat_intelligence_events.week_idle_ms level: custom type: unsigned_long description: The total milliseconds spent queueing ETW Threat-Intelligence events for the process over the last week index: false doc_values: false default_field: false - name: metrics.system_impact.threat_intelligence_events.week_ms level: custom type: unsigned_long description: The total milliseconds spent on ETW Threat-Intelligence events for the process over the last week index: false doc_values: false default_field: false - name: metrics.system_impact.win32k_events.week_idle_ms level: custom type: unsigned_long description: The total milliseconds spent queueing ETW Win32k events (currently, only keylogging events) for the process over the last week index: false doc_values: false default_field: false - name: metrics.system_impact.win32k_events.week_ms level: custom type: unsigned_long description: The total milliseconds spent on ETW Win32k events (currently, only keylogging events) for the process over the last week index: false doc_values: false default_field: false - name: metrics.threads level: custom type: object description: Statistics about the individual Endpoint threads (array) enabled: false default_field: false - name: metrics.threads.cpu.mean level: custom type: double description: The thread's average CPU use index: false doc_values: false default_field: false - name: metrics.threads.name level: custom type: keyword description: The thread name index: false doc_values: false default_field: false - name: metrics.uptime level: custom type: object description: Number of seconds since boot default_field: false - name: metrics.uptime.endpoint level: custom type: long description: Number of seconds since the endpoint was started default_field: false - name: metrics.uptime.system level: custom type: long description: Number of seconds since the system was started default_field: false - name: agent title: Agent group: 2 description: 'The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.' footnote: 'Examples: In the case of Beats for logs, the agent.name is filebeat. For APM, it is the agent running in the app/service. The agent information does not change if data is sent through queuing systems like Kafka, Redis, or processing systems such as Logstash or APM Server.' type: group default_field: true fields: - name: id level: core type: keyword ignore_above: 1024 description: 'Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.' example: 8a4f500d - name: type level: core type: keyword ignore_above: 1024 description: 'Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.' example: filebeat - name: version level: core type: keyword ignore_above: 1024 description: Version of the agent. example: 6.0.0-rc2 - name: data_stream title: data_stream group: 2 description: Fields describing the new indexing strategy -- type: group default_field: true fields: - name: dataset level: custom type: constant_keyword description: Data stream dataset name. example: nginx.access default_field: false - name: namespace level: custom type: constant_keyword description: Data stream namespace. example: production default_field: false - name: type level: custom type: constant_keyword description: Data stream type. example: logs default_field: false - name: ecs title: ECS group: 2 description: Meta-information specific to ECS. type: group default_field: true fields: - name: version level: core required: true type: keyword ignore_above: 1024 description: 'ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.' example: 1.0.0 - name: event title: Event group: 2 description: 'The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events.' type: group default_field: true fields: - name: action level: core type: keyword ignore_above: 1024 description: 'The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.' example: user-password-change - name: category level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.' example: authentication - name: code level: extended type: keyword ignore_above: 1024 description: 'Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.' example: 4648 - name: created level: core type: date description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent''s or pipeline''s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.' example: '2016-05-23T08:05:34.857Z' - name: dataset level: core type: keyword ignore_above: 1024 description: 'Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It''s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.' example: apache.access - name: end level: extended type: date description: event.end contains the date when the event ended or when the activity was last observed. - name: hash level: extended type: keyword ignore_above: 1024 description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. example: 123456789012345678901234567890ABCD - name: id level: core type: keyword ignore_above: 1024 description: Unique ID to describe the event. example: 8a4f500d - name: ingested level: core type: date description: 'Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It''s also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.' example: '2016-05-23T08:05:35.101Z' default_field: false - name: kind level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.' example: alert - name: module level: core type: keyword ignore_above: 1024 description: 'Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.' example: apache - name: outcome level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.' example: success - name: provider level: extended type: keyword ignore_above: 1024 description: 'Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).' example: kernel - name: sequence level: extended type: long format: string description: 'Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.' - name: severity level: core type: long format: string description: 'The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It''s up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.' example: 7 - name: start level: extended type: date description: event.start contains the date when the event started or when the activity was first observed. - name: type level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types.' - name: host title: Host group: 2 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group default_field: true fields: - name: architecture level: core type: keyword ignore_above: 1024 description: Operating system architecture. example: x86_64 - name: domain level: extended type: keyword ignore_above: 1024 description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO default_field: false - name: hostname level: core type: keyword ignore_above: 1024 description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - name: id level: core type: keyword ignore_above: 1024 description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - name: ip level: core type: ip description: Host ip addresses. - name: mac level: core type: keyword ignore_above: 1024 description: 'Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.' example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - name: name level: core type: keyword ignore_above: 1024 description: 'Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.' - name: os.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: os.Ext.variant level: custom type: keyword ignore_above: 1024 description: A string value or phrase that further aid to classify or qualify the operating system (OS). For example the distribution for a Linux OS will be entered in this field. example: Ubuntu default_field: false - name: os.family level: extended type: keyword ignore_above: 1024 description: OS family (such as redhat, debian, freebsd, windows). example: debian - name: os.full level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Operating system name, including the version or code name. example: Mac OS Mojave - name: os.kernel level: extended type: keyword ignore_above: 1024 description: Operating system kernel version as a raw string. example: 4.4.0-112-generic - name: os.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Operating system name, without the version. example: Mac OS X - name: os.platform level: extended type: keyword ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin - name: os.type level: extended type: keyword ignore_above: 1024 description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you''re dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.' example: macos default_field: false - name: os.version level: extended type: keyword ignore_above: 1024 description: Operating system version as a raw string. example: 10.14.1 - name: type level: core type: keyword ignore_above: 1024 description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: uptime level: extended type: long description: Seconds the host has been up. example: 1325 PK5££PK}W0 endpoint-8.10.2/data_stream/metrics/manifest.ymlUTdtitle: Endpoint Metrics type: metrics elasticsearch: index_template: mappings: dynamic: false PKo%CjjPK}W5 endpoint-8.10.2/data_stream/metrics/sample_event.jsonUTd{ "agent": { "build": { "original": "version: 8.3.0-SNAPSHOT, compiled: Fri Apr 1 06:00:00 2022, branch: main, commit: f8b0ed879ad40ee1ae561ced31ec8a4027a2bf53" }, "id": "4c9c9cb3-f80f-44d8-9c89-6168243b7f21", "type": "endpoint", "version": "8.3.0-SNAPSHOT" }, "message": "Endpoint metrics", "@timestamp": "2022-04-04T18:38:15.7178887Z", "Endpoint": { "metrics": { "system_impact": [ { "file_events": { "week_ms": 418 }, "process": { "code_signature": [ { "trusted": true, "subject_name": "Microsoft Windows Publisher", "exists": true, "status": "trusted" } ], "executable": "C:\\Windows\\System32\\svchost.exe" }, "malware": { "week_ms": 7483 }, "process_events": { "week_ms": 78 }, "registry_events": { "week_ms": 248 }, "dns_events": { "week_ms": 16 }, "network_events": { "week_ms": 8 }, "overall": { "week_ms": 11744 }, "authentication_events": { "week_ms": 155 }, "library_load_events": { "week_ms": 3028 }, "cred_access_events": { "week_ms": 10 }, "threat_intelligence_events": { "week_ms": 250 }, "win32k_events": { "week_ms": 50 } }, { "file_events": { "week_ms": 46 }, "process": { "code_signature": [ { "trusted": true, "subject_name": "Microsoft Windows", "exists": true, "status": "trusted" } ], "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" }, "malware": { "week_ms": 2 }, "process_events": { "week_ms": 19 }, "registry_events": { "week_ms": 3 }, "overall": { "week_ms": 8290 }, "library_load_events": { "week_ms": 7890 }, "cred_access_events": { "week_ms": 20 }, "threat_intelligence_events": { "week_ms": 300 }, "win32k_events": { "week_ms": 10 } }, { "file_events": { "week_ms": 1641 }, "process": { "code_signature": [ { "trusted": true, "subject_name": "Elasticsearch, Inc.", "exists": true, "status": "trusted" } ], "executable": "C:\\Program Files\\Winlogbeat\\winlogbeat.exe" }, "malware": { "week_ms": 2589 }, "process_events": { "week_ms": 419 }, "registry_events": { "week_ms": 1 }, "network_events": { "week_ms": 32 }, "overall": { "week_ms": 5046 }, "library_load_events": { "week_ms": 4 }, "threat_intelligence_events": { "week_ms": 360 } }, { "file_events": { "week_ms": 2 }, "process": { "code_signature": [ { "trusted": true, "subject_name": "Microsoft Windows Publisher", "exists": true, "status": "trusted" } ], "executable": "C:\\Windows\\System32\\lsass.exe" }, "process_events": { "week_ms": 3 }, "registry_events": { "week_ms": 83 }, "overall": { "week_ms": 4761 }, "authentication_events": { "week_ms": 3177 }, "library_load_events": { "week_ms": 26 }, "cred_access_events": { "week_ms": 1350 }, "threat_intelligence_events": { "week_ms": 120 } }, { "process": { "code_signature": [ { "trusted": true, "subject_name": "Microsoft Windows", "exists": true, "status": "trusted" } ], "executable": "C:\\Windows\\System32\\conhost.exe" }, "malware": { "week_ms": 16 }, "process_events": { "week_ms": 26 }, "registry_events": { "week_ms": 3 }, "overall": { "week_ms": 3261 }, "library_load_events": { "week_ms": 2966 }, "threat_intelligence_events": { "week_ms": 250 } }, { "file_events": { "week_ms": 51 }, "process": { "code_signature": [ { "exists": false, "status": "errorCode_endpoint: Initital state, no attempt to load signature was made" } ], "executable": "System" }, "malware": { "week_ms": 1978 }, "overall": { "week_ms": 2029 } }, { "process": { "code_signature": [ { "exists": false } ], "executable": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Web\\e266326169887aa7cb26b9e2aa421ee4\\System.Web.ni.dll" }, "malware": { "week_ms": 1015 }, "overall": { "week_ms": 1015 } }, { "file_events": { "week_ms": 8 }, "process": { "code_signature": [ { "trusted": true, "subject_name": "Elasticsearch, Inc.", "exists": true, "status": "trusted" } ], "executable": "C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-e80913\\install\\metricbeat-8.3.0-SNAPSHOT-windows-x86_64\\metricbeat.exe" }, "process_events": { "week_ms": 502 }, "dns_events": { "week_ms": 84 }, "network_events": { "week_ms": 1 }, "overall": { "week_ms": 1162 }, "library_load_events": { "week_ms": 417 }, "threat_intelligence_events": { "week_ms": 150 } }, { "process": { "code_signature": [ { "trusted": false, "subject_name": "Google LLC", "exists": true, "status": "errorExpired" } ], "executable": "C:\\Program Files\\Google\\Compute Engine\\agent\\GCEWindowsAgent.exe" }, "malware": { "week_ms": 627 }, "process_events": { "week_ms": 89 }, "registry_events": { "week_ms": 2 }, "dns_events": { "week_ms": 7 }, "network_events": { "week_ms": 8 }, "overall": { "week_ms": 1068 }, "library_load_events": { "week_ms": 85 }, "threat_intelligence_events": { "week_ms": 250 } }, { "process": { "code_signature": [ { "exists": false } ], "executable": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.P521220ea#\\39ce4aafe1a3bc56fb1435f6550dd7a3\\Microsoft.PowerShell.Commands.Utility.ni.dll" }, "malware": { "week_ms": 760 }, "overall": { "week_ms": 760 } }, { "file_events": { "week_ms": 15 }, "process": { "code_signature": [ { "exists": false } ], "executable": "C:\\Program Files\\metricbeat-7.10.0-windows-x86_64\\metricbeat.exe" }, "malware": { "week_ms": 29 }, "process_events": { "week_ms": 634 }, "registry_events": { "week_ms": 1 }, "dns_events": { "week_ms": 8 }, "network_events": { "week_ms": 4 }, "overall": { "week_ms": 744 }, "library_load_events": { "week_ms": 3 }, "threat_intelligence_events": { "week_ms": 50 } }, { "process": { "code_signature": [ { "trusted": true, "subject_name": "Microsoft Windows", "exists": true, "status": "trusted" } ], "executable": "C:\\Windows\\System32\\spoolsv.exe" }, "process_events": { "week_ms": 8 }, "registry_events": { "week_ms": 40 }, "overall": { "week_ms": 795 }, "library_load_events": { "week_ms": 627 }, "threat_intelligence_events": { "week_ms": 120 } }, { "process": { "code_signature": [ { "trusted": true, "subject_name": "Elasticsearch, Inc.", "exists": true, "status": "trusted" } ], "executable": "C:\\Program Files\\Packetbeat\\packetbeat.exe" }, "malware": { "week_ms": 74 }, "process_events": { "week_ms": 432 }, "registry_events": { "week_ms": 1 }, "network_events": { "week_ms": 1 }, "overall": { "week_ms": 599 }, "library_load_events": { "week_ms": 61 }, "threat_intelligence_events": { "week_ms": 30 } }, { "file_events": { "week_ms": 20 }, "process": { "code_signature": [ { "trusted": true, "subject_name": "Microsoft Corporation", "exists": true, "status": "trusted" }, { "trusted": true, "subject_name": "Microsoft Corporation", "exists": true, "status": "trusted" } ], "executable": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe" }, "malware": { "week_ms": 350 }, "process_events": { "week_ms": 19 }, "registry_events": { "week_ms": 1 }, "overall": { "week_ms": 480 }, "library_load_events": { "week_ms": 70 }, "threat_intelligence_events": { "week_ms": 20 } }, { "file_events": { "week_ms": 6 }, "process": { "code_signature": [ { "trusted": true, "subject_name": "Elasticsearch, Inc.", "exists": true, "status": "trusted" } ], "executable": "C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-e80913\\install\\filebeat-8.3.0-SNAPSHOT-windows-x86_64\\filebeat.exe" }, "process_events": { "week_ms": 395 }, "dns_events": { "week_ms": 51 }, "network_events": { "week_ms": 2 }, "overall": { "week_ms": 494 }, "threat_intelligence_events": { "week_ms": 40 } }, { "process": { "code_signature": [ { "trusted": true, "subject_name": "Google LLC", "exists": true, "status": "trusted" } ], "executable": "C:\\Program Files\\Google\\Compute Engine\\vss\\GoogleVssProvider.dll" }, "malware": { "week_ms": 439 }, "overall": { "week_ms": 439 } }, { "process": { "code_signature": [ { "trusted": true, "subject_name": "Microsoft Windows", "exists": true, "status": "trusted" } ], "executable": "C:\\Windows\\System32\\VSSVC.exe" }, "malware": { "week_ms": 45 }, "process_events": { "week_ms": 13 }, "registry_events": { "week_ms": 124 }, "overall": { "week_ms": 476 }, "authentication_events": { "week_ms": 8 }, "library_load_events": { "week_ms": 216 }, "threat_intelligence_events": { "week_ms": 70 } }, { "process": { "code_signature": [ { "trusted": true, "subject_name": "Microsoft Windows", "exists": true, "status": "trusted" } ], "executable": "C:\\Windows\\SYSTEM32\\mispace.dll" }, "malware": { "week_ms": 353 }, "overall": { "week_ms": 353 } }, { "process": { "code_signature": [ { "exists": false } ], "executable": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Web.28b9ef5a#\\b1cbeb46534d9974961496306f2f1a28\\System.Web.Extensions.ni.dll" }, "malware": { "week_ms": 305 }, "overall": { "week_ms": 305 } }, { "file_events": { "week_ms": 25 }, "process": { "code_signature": [ { "trusted": true, "subject_name": "Microsoft Windows", "exists": true, "status": "trusted" } ], "executable": "C:\\Windows\\System32\\wbem\\WMIADAP.exe" }, "malware": { "week_ms": 247 }, "process_events": { "week_ms": 4 }, "registry_events": { "week_ms": 5 }, "overall": { "week_ms": 345 }, "library_load_events": { "week_ms": 14 }, "threat_intelligence_events": { "week_ms": 50 } } ], "memory": { "endpoint": { "private": { "mean": 288590259, "latest": 493723648 } } }, "disks": [ { "endpoint_drive": true, "total": 53564403712, "free": 25891106816, "device": "\\Device\\HarddiskVolume3", "mount": "C:\\", "fstype": "NTFS" }, { "total": 100663296, "free": 73579520, "device": "\\Device\\HarddiskVolume2", "mount": "", "fstype": "FAT32" } ], "documents_volume": { "file_events": { "suppressed_count": 0, "suppressed_bytes": 0, "sent_count": 3485, "sent_bytes": 7302875 }, "security_events": { "suppressed_count": 0, "suppressed_bytes": 0, "sent_count": 259, "sent_bytes": 422247 }, "library_events": { "suppressed_count": 0, "suppressed_bytes": 0, "sent_count": 114, "sent_bytes": 287954 }, "process_events": { "suppressed_count": 0, "suppressed_bytes": 0, "sent_count": 201, "sent_bytes": 602914 }, "registry_events": { "suppressed_count": 0, "suppressed_bytes": 0, "sent_count": 605, "sent_bytes": 1288593 }, "dns_events": { "suppressed_count": 0, "suppressed_bytes": 0, "sent_count": 5250, "sent_bytes": 11364752 }, "network_events": { "suppressed_count": 0, "suppressed_bytes": 0, "sent_count": 1753, "sent_bytes": 3479631 }, "overall": { "suppressed_count": 0, "suppressed_bytes": 0, "sent_count": 11667, "sent_bytes": 24748966 } }, "cpu": { "endpoint": { "mean": 0.324235176435677, "latest": 62.6406111450215 } }, "threads": [ { "name": "actionsAPIThread", "cpu": { "mean": 0.00456829602558246 } }, { "name": "stateReportThread", "cpu": { "mean": 0.0 } }, { "name": "KernelSyncMessageThread", "cpu": { "mean": 0.0 } }, { "name": "KernelSyncMessageThread", "cpu": { "mean": 0.0 } }, { "name": "KernelSyncMessageThread", "cpu": { "mean": 0.0 } }, { "name": "checkinAPIThread", "cpu": { "mean": 0.0365463682046597 } }, { "name": "KernelAsyncMessageQueueConsumerThread", "cpu": { "mean": 0.0 } }, { "name": "KernelSyncMessageThread", "cpu": { "mean": 0.0 } }, { "name": "KernelSyncMessageThread", "cpu": { "mean": 0.0 } }, { "name": "Cron", "cpu": { "mean": 0.0 } }, { "name": "File Cache", "cpu": { "mean": 0.0 } }, { "name": "FileLogThread", "cpu": { "mean": 0.0 } }, { "name": "LoggingLimitThread", "cpu": { "mean": 0.0 } }, { "name": "CredentialAccessEventDispatcherThread", "cpu": { "mean": 0.0 } }, { "name": "KernelPortConsumerThread", "cpu": { "mean": 0.00456454263282819 } }, { "name": "KernelPortConsumerThread", "cpu": { "mean": 0.00456454263282819 } }, { "name": "RulesEngineThread", "cpu": { "mean": 0.0091324200913242 } }, { "name": "KernelPortConsumerThread", "cpu": { "mean": 0.0 } }, { "name": "KernelAsyncMessageQueueConsumerThread", "cpu": { "mean": 0.00456454263282819 } }, { "name": "KernelSyncQueueConsumerThread", "cpu": { "mean": 0.0 } }, { "name": "KernelSyncMessageThread", "cpu": { "mean": 0.0 } }, { "name": "DocumentLoggingThread", "cpu": { "mean": 0.0 } }, { "name": "DocumentLoggingMaintenance", "cpu": { "mean": 0.0 } }, { "name": "BulkConsumerThread", "cpu": { "mean": 0.00455871626549964 } }, { "name": "DocumentLoggingConsumerThread", "cpu": { "mean": 0.113967906637491 } }, { "name": "DocumentLoggingLimitThread", "cpu": { "mean": 0.0 } }, { "name": "KernelSyncMessageThread", "cpu": { "mean": 0.0 } }, { "name": "KernelSyncMessageThread", "cpu": { "mean": 0.022822713164141 } }, { "name": "KernelSyncMessageThread", "cpu": { "mean": 0.0 } }, { "name": "KernelSyncMessageThread", "cpu": { "mean": 0.0 } }, { "name": "KernelSyncMessageThread", "cpu": { "mean": 0.0 } }, { "name": "KernelSyncMessageThread", "cpu": { "mean": 0.022822713164141 } }, { "name": "KernelSyncMessageThread", "cpu": { "mean": 0.0 } }, { "name": "KernelSyncMessageThread", "cpu": { "mean": 0.0 } }, { "name": "KernelSyncMessageThread", "cpu": { "mean": 0.0 } }, { "name": "KernelSyncMessageThread", "cpu": { "mean": 0.0 } }, { "name": "KernelSyncMessageThread", "cpu": { "mean": 0.0 } }, { "name": "ArtifactManifestDownload", "cpu": { "mean": 0.12311901504788 } }, { "name": "PolicyReloadThread", "cpu": { "mean": 0.0 } }, { "name": "CredentialAccessClassifierThread", "cpu": { "mean": 0.0 } }, { "name": "KernelPortConsumerThread", "cpu": { "mean": 0.0136936278984846 } }, { "name": "PerformanceMonitorWorkerThread", "cpu": { "mean": 0.00912200684150513 } }, { "name": "MetadataThread", "cpu": { "mean": 0.0 } }, { "name": "EventsQueueThread", "cpu": { "mean": 0.0729760547320411 } }, { "name": "DelayedAlertEnrichment", "cpu": { "mean": 0.0 } }, { "name": "MaintainProcessMap", "cpu": { "mean": 0.0 } }, { "name": "FileScoreThread", "cpu": { "mean": 0.0 } }, { "name": "DiagnosticMalwareThread", "cpu": { "mean": 0.0 } }, { "name": "QuarantineManagerWorkerThread", "cpu": { "mean": 0.0 } }, { "name": "EventProcessingThread", "cpu": { "mean": 0.0 } }, { "name": "HostIsolationMonitorThread", "cpu": { "mean": 0.0 } }, { "name": "serviceCommsThread", "cpu": { "mean": 0.0 } }, { "name": "grpcConnectionManagerThread", "cpu": { "mean": 0.0 } }, { "name": "RansomwareGlobalUserThread" }, { "name": "RansomwareProcessMonitorThread" }, { "name": "RansomwareFileCacheCleanupThread" }, { "name": "RansomwareParseUnverifiedThread" }, { "name": "RansomwareLuaVerifiedThread" } ], "uptime": { "endpoint": 21930, "system": 21992 } } }, "ecs": { "version": "1.11.0" }, "data_stream": { "namespace": "default", "type": "metrics", "dataset": "endpoint.metrics" }, "host": { "hostname": "data-viz-win-1", "os": { "Ext": { "variant": "Windows Server 2019 Datacenter" }, "kernel": "1809 (10.0.17763.2686)", "name": "Windows", "family": "windows", "type": "windows", "version": "1809 (10.0.17763.2686)", "platform": "windows", "full": "Windows Server 2019 Datacenter 1809 (10.0.17763.2686)" }, "ip": [ "10.201.0.13", "fe80::f40a:aed0:618a:972d", "127.0.0.1", "::1" ], "name": "data-viz-win-1", "id": "2beebb8e-e5f0-46ca-8635-97ba7bb8ccca", "mac": [ "00-00-5E-00-53-23" ], "architecture": "x86_64" }, "event": { "agent_id_status": "verified", "sequence": 35124, "ingested": "2022-04-04T18:38:16Z", "created": "2022-04-04T18:38:15.7178887Z", "kind": "metric", "module": "endpoint", "action": "endpoint_metrics", "id": "MYfZG00oEwD2/fqT+++++Byi", "category": [ "host" ], "type": [ "info" ], "dataset": "endpoint.metrics" } }PKFyPK}W$ endpoint-8.10.2/data_stream/network/UTdPK}W2 endpoint-8.10.2/data_stream/network/elasticsearch/UTdPK}WB endpoint-8.10.2/data_stream/network/elasticsearch/ingest_pipeline/UTdPK}WM endpoint-8.10.2/data_stream/network/elasticsearch/ingest_pipeline/default.ymlUTd--- description: Pipeline for network events processors: - set: field: "event.ingested" value: "{{ _ingest.timestamp }}" ignore_failure: true - geoip: field: "source.ip" target_field: "source.geo" properties: - continent_name - country_name - country_iso_code - region_iso_code - region_name - city_name - location ignore_missing: true - geoip: database_file: GeoLite2-ASN.mmdb field: "source.ip" target_field: "source.as" properties: - asn - organization_name ignore_missing: true - geoip: field: "destination.ip" target_field: "destination.geo" properties: - continent_name - country_name - country_iso_code - region_iso_code - region_name - city_name - location ignore_missing: true - geoip: database_file: GeoLite2-ASN.mmdb field: "destination.ip" target_field: "destination.as" properties: - asn - organization_name ignore_missing: true - rename: field: source.as.asn target_field: source.as.number ignore_missing: true - rename: field: source.as.organization_name target_field: source.as.organization.name ignore_missing: true - rename: field: destination.as.asn target_field: destination.as.number ignore_missing: true - rename: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true - grok: if: "ctx.network?.protocol == 'dns'" ignore_missing: true ignore_failure: true field: "message" patterns: # dns.question.Ext_temp.type is a temporary field used to hold the parsed question type - "^DNS query is completed for the name .* type %{WORD:dns.question.Ext_temp.type}" - script: ignore_failure: true if: "ctx.network?.protocol == 'dns' && ctx.dns?.question?.Ext_temp?.type != null && ctx.dns?.question?.type == null" # the parsed type is a string of a number, so we'll want to convert it to the resource reference format # question.type map references: # https://github.com/spc476/SPCDNS/blob/master/src/dns.h # https://pkg.go.dev/github.com/miekg/dns#pkg-constants # https://en.wikipedia.org/wiki/List_of_DNS_record_types source: >- Map typeMap = ['1': 'A', '2': 'NS', '3': 'MD', '4': 'MF', '5': 'CNAME', '6': 'SOA', '7': 'MB', '8': 'MG', '9': 'MR', '10': 'NULL', '11': 'WKS', '12': 'PTR', '13': 'HINFO', '14': 'MINFO', '15': 'MX', '16': 'TXT', '17': 'RP', '18': 'AFSDB', '19': 'X25', '20': 'ISDN', '21': 'RT', '22': 'NSAP', '23': 'NSAPPTR', '24': 'SIG', '25': 'KEY', '26': 'PX', '27': 'GPOS', '28': 'AAAA', '29': 'LOC', '30': 'NXT', '31': 'EID', '32': 'NIMLOC', '33': 'SRV', '34': 'ATMA', '35': 'NAPTR', '36': 'KX', '37': 'CERT', '38': 'A6', '39': 'DNAME', '40': 'SINK', '41': 'OPT', '42': 'APL', '43': 'DS', '44': 'SSHFP', '45': 'ISECKEY', '46': 'RRSIG', '47': 'NSEC', '48': 'DNSKEY', '49': 'DHCID', '50': 'NSEC3', '51': 'NSEC3PARAM', '52': 'TLSA', '53': 'SMIMEA', '55': 'HIP', '56': 'NINFO', '57': 'RKEY', '58': 'TALINK', '59': 'CDS', '60': 'CDNSKEY', '61': 'OPENPGPKEY', '62': 'CSYNC', '63': 'ZONEMD', '64': 'SVCB', '65': 'HTTPS', '99': 'SPF', '100': 'UINFO', '101': 'UID', '102': 'GID', '103': 'UNSPEC', '104': 'NID', '105': 'L32', '106': 'L64', '107': 'LP', '108': 'EUI48', '109': 'EUI64', '249': 'TKEY', '250': 'TSIG', '251': 'IXFR', '252': 'AXFR', '253': 'MAILB', '254': 'MAILA', '255': 'ANY','256': 'URI', '257': 'CAA', '258': 'AVC']; def type = typeMap[ctx.dns.question.Ext_temp.type]; if (type != null) { ctx.dns.question.type = type; } - remove: if: "ctx.network?.protocol == 'dns'" ignore_failure: true ignore_missing: true field: "dns.question.Ext_temp" PKtAPK}W+ endpoint-8.10.2/data_stream/network/fields/UTdPK}W5 endpoint-8.10.2/data_stream/network/fields/fields.ymlUTd- name: '@timestamp' level: core required: true type: date description: 'Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.' example: '2016-05-23T08:05:34.853Z' default_field: true - name: message level: core type: match_only_text description: 'For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.' example: Hello World default_field: true - name: agent title: Agent group: 2 description: 'The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.' footnote: 'Examples: In the case of Beats for logs, the agent.name is filebeat. For APM, it is the agent running in the app/service. The agent information does not change if data is sent through queuing systems like Kafka, Redis, or processing systems such as Logstash or APM Server.' type: group default_field: true fields: - name: id level: core type: keyword ignore_above: 1024 description: 'Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.' example: 8a4f500d - name: type level: core type: keyword ignore_above: 1024 description: 'Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.' example: filebeat - name: version level: core type: keyword ignore_above: 1024 description: Version of the agent. example: 6.0.0-rc2 - name: data_stream title: data_stream group: 2 description: Fields describing the new indexing strategy -- type: group default_field: true fields: - name: dataset level: custom type: constant_keyword description: Data stream dataset name. example: nginx.access default_field: false - name: namespace level: custom type: constant_keyword description: Data stream namespace. example: production default_field: false - name: type level: custom type: constant_keyword description: Data stream type. example: logs default_field: false - name: destination title: Destination group: 2 description: 'Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.' type: group default_field: true fields: - name: address level: extended type: keyword ignore_above: 1024 description: 'Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.' - name: as.number level: extended type: long description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. example: 15169 - name: as.organization.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text default_field: false description: Organization name. example: Google LLC - name: bytes level: core type: long format: bytes description: Bytes sent from the destination to the source. example: 184 - name: domain level: core type: keyword ignore_above: 1024 description: 'The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.' example: foo.example.com - name: geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal - name: geo.continent_code level: core type: keyword ignore_above: 1024 description: Two-letter code representing continent's name. example: NA default_field: false - name: geo.continent_name level: core type: keyword ignore_above: 1024 description: Name of the continent. example: North America - name: geo.country_iso_code level: core type: keyword ignore_above: 1024 description: Country ISO code. example: CA - name: geo.country_name level: core type: keyword ignore_above: 1024 description: Country name. example: Canada - name: geo.location level: core type: geo_point description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended type: keyword ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.' example: boston-dc - name: geo.postal_code level: core type: keyword ignore_above: 1024 description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.' example: 94040 default_field: false - name: geo.region_iso_code level: core type: keyword ignore_above: 1024 description: Region ISO code. example: CA-QC - name: geo.region_name level: core type: keyword ignore_above: 1024 description: Region name. example: Quebec - name: geo.timezone level: core type: keyword ignore_above: 1024 description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false - name: ip level: core type: ip description: IP address of the destination (IPv4 or IPv6). - name: packets level: core type: long description: Packets sent from the destination to the source. example: 12 - name: port level: core type: long format: string description: Port of the destination. - name: registered_domain level: extended type: keyword ignore_above: 1024 description: 'The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com - name: top_level_domain level: extended type: keyword ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk - name: dns title: DNS group: 2 description: 'Fields describing DNS queries and answers. DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`).' type: group default_field: true fields: - name: Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: Ext.options level: custom type: keyword ignore_above: 1024 description: DNS options field, uint64, representing as a keyword to avoid overflows in ES default_field: false - name: Ext.status level: custom type: long description: DNS status field, uint32 default_field: false - name: question.name level: extended type: keyword ignore_above: 1024 description: 'The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.' example: www.example.com - name: question.registered_domain level: extended type: keyword ignore_above: 1024 description: 'The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com - name: question.subdomain level: extended type: keyword ignore_above: 1024 description: 'The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.' example: www - name: question.top_level_domain level: extended type: keyword ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk - name: question.type level: extended type: keyword ignore_above: 1024 description: The type of record being queried. example: AAAA - name: resolved_ip level: extended type: ip description: 'Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for.' example: '["10.10.10.10", "10.10.10.11"]' - name: ecs title: ECS group: 2 description: Meta-information specific to ECS. type: group default_field: true fields: - name: version level: core required: true type: keyword ignore_above: 1024 description: 'ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.' example: 1.0.0 - name: event title: Event group: 2 description: 'The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events.' type: group default_field: true fields: - name: action level: core type: keyword ignore_above: 1024 description: 'The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.' example: user-password-change - name: category level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.' example: authentication - name: code level: extended type: keyword ignore_above: 1024 description: 'Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.' example: 4648 - name: created level: core type: date description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent''s or pipeline''s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.' example: '2016-05-23T08:05:34.857Z' - name: dataset level: core type: keyword ignore_above: 1024 description: 'Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It''s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.' example: apache.access - name: hash level: extended type: keyword ignore_above: 1024 description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. example: 123456789012345678901234567890ABCD - name: id level: core type: keyword ignore_above: 1024 description: Unique ID to describe the event. example: 8a4f500d - name: ingested level: core type: date description: 'Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It''s also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.' example: '2016-05-23T08:05:35.101Z' default_field: false - name: kind level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.' example: alert - name: module level: core type: keyword ignore_above: 1024 description: 'Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.' example: apache - name: outcome level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.' example: success - name: provider level: extended type: keyword ignore_above: 1024 description: 'Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).' example: kernel - name: sequence level: extended type: long format: string description: 'Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.' - name: severity level: core type: long format: string description: 'The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It''s up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.' example: 7 - name: type level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types.' - name: group title: Group group: 2 description: The group fields are meant to represent groups that are relevant to the event. type: group default_field: true fields: - name: Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: Ext.real level: custom type: object description: Group info prior to any setgid operations. default_field: false - name: Ext.real.id level: custom type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: Ext.real.name level: custom type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: domain level: extended type: keyword ignore_above: 1024 description: Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. - name: id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. - name: name level: extended type: keyword ignore_above: 1024 description: Name of the group. - name: host title: Host group: 2 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group default_field: true fields: - name: architecture level: core type: keyword ignore_above: 1024 description: Operating system architecture. example: x86_64 - name: domain level: extended type: keyword ignore_above: 1024 description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO default_field: false - name: hostname level: core type: keyword ignore_above: 1024 description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - name: id level: core type: keyword ignore_above: 1024 description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - name: ip level: core type: ip description: Host ip addresses. - name: mac level: core type: keyword ignore_above: 1024 description: 'Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.' example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - name: name level: core type: keyword ignore_above: 1024 description: 'Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.' - name: os.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: os.Ext.variant level: custom type: keyword ignore_above: 1024 description: A string value or phrase that further aid to classify or qualify the operating system (OS). For example the distribution for a Linux OS will be entered in this field. example: Ubuntu default_field: false - name: os.family level: extended type: keyword ignore_above: 1024 description: OS family (such as redhat, debian, freebsd, windows). example: debian - name: os.full level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Operating system name, including the version or code name. example: Mac OS Mojave - name: os.kernel level: extended type: keyword ignore_above: 1024 description: Operating system kernel version as a raw string. example: 4.4.0-112-generic - name: os.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Operating system name, without the version. example: Mac OS X - name: os.platform level: extended type: keyword ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin - name: os.type level: extended type: keyword ignore_above: 1024 description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you''re dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.' example: macos default_field: false - name: os.version level: extended type: keyword ignore_above: 1024 description: Operating system version as a raw string. example: 10.14.1 - name: type level: core type: keyword ignore_above: 1024 description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: uptime level: extended type: long description: Seconds the host has been up. example: 1325 - name: http title: HTTP group: 2 description: Fields related to HTTP activity. Use the `url` field set to store the url of the request. type: group default_field: true fields: - name: request.body.bytes level: extended type: long format: bytes description: Size in bytes of the request body. example: 887 - name: request.body.content level: extended type: wildcard multi_fields: - name: text type: match_only_text default_field: false description: The full HTTP request body. example: Hello world - name: request.bytes level: extended type: long format: bytes description: Total size in bytes of the request (body and headers). example: 1437 - name: response.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: response.Ext.version level: custom type: keyword ignore_above: 1024 description: HTTP version default_field: false - name: response.body.bytes level: extended type: long format: bytes description: Size in bytes of the response body. example: 887 - name: response.body.content level: extended type: wildcard multi_fields: - name: text type: match_only_text default_field: false description: The full HTTP response body. example: Hello world - name: response.bytes level: extended type: long format: bytes description: Total size in bytes of the response (body and headers). example: 1437 - name: response.status_code level: extended type: long format: string description: HTTP response status code. example: 404 - name: network title: Network group: 2 description: 'The network is defined as the communication path over which a host or network event happens. The network.* fields should be populated with details about the network activity associated with an event.' type: group default_field: true fields: - name: bytes level: core type: long format: bytes description: 'Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.' example: 368 - name: community_id level: extended type: keyword ignore_above: 1024 description: 'A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec.' example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= - name: direction level: core type: keyword ignore_above: 1024 description: 'Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host''s point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.' example: inbound - name: iana_number level: extended type: keyword ignore_above: 1024 description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. example: 6 - name: packets level: core type: long description: 'Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum.' example: 24 - name: protocol level: core type: keyword ignore_above: 1024 description: 'In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying.' example: http - name: transport level: core type: keyword ignore_above: 1024 description: 'Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying.' example: tcp - name: type level: core type: keyword ignore_above: 1024 description: 'In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying.' example: ipv4 - name: process title: Process group: 2 description: 'These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation.' type: group default_field: true fields: - name: Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: Ext.ancestry level: custom type: keyword ignore_above: 1024 description: An array of entity_ids indicating the ancestors for this event default_field: false - name: Ext.code_signature level: custom type: nested description: Nested version of ECS code_signature fieldset. default_field: false - name: Ext.code_signature.exists level: custom type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: Ext.code_signature.status level: custom type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: Ext.code_signature.subject_name level: custom type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: Ext.code_signature.trusted level: custom type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: Ext.code_signature.valid level: custom type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: code_signature.exists level: core type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: code_signature.signing_id level: extended type: keyword ignore_above: 1024 description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: code_signature.status level: extended type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: code_signature.subject_name level: core type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: code_signature.team_id level: extended type: keyword ignore_above: 1024 description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: code_signature.trusted level: extended type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: code_signature.valid level: extended type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: entry_leader.entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: entry_leader.parent.entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: executable level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Absolute path to the process executable. example: /usr/bin/ssh - name: group_leader.entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: name level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: 'Process name. Sometimes called program name or similar.' example: ssh - name: parent.entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: parent.group_leader.entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: pid level: core type: long format: string description: Process id. example: 4242 - name: session_leader.entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: thread.id level: extended type: long format: string description: Thread ID. example: 4242 - name: source title: Source group: 2 description: 'Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.' type: group default_field: true fields: - name: address level: extended type: keyword ignore_above: 1024 description: 'Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.' - name: as.number level: extended type: long description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. example: 15169 - name: as.organization.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text default_field: false description: Organization name. example: Google LLC - name: bytes level: core type: long format: bytes description: Bytes sent from the source to the destination. example: 184 - name: domain level: core type: keyword ignore_above: 1024 description: 'The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.' example: foo.example.com - name: geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal - name: geo.continent_code level: core type: keyword ignore_above: 1024 description: Two-letter code representing continent's name. example: NA default_field: false - name: geo.continent_name level: core type: keyword ignore_above: 1024 description: Name of the continent. example: North America - name: geo.country_iso_code level: core type: keyword ignore_above: 1024 description: Country ISO code. example: CA - name: geo.country_name level: core type: keyword ignore_above: 1024 description: Country name. example: Canada - name: geo.location level: core type: geo_point description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended type: keyword ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.' example: boston-dc - name: geo.postal_code level: core type: keyword ignore_above: 1024 description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.' example: 94040 default_field: false - name: geo.region_iso_code level: core type: keyword ignore_above: 1024 description: Region ISO code. example: CA-QC - name: geo.region_name level: core type: keyword ignore_above: 1024 description: Region name. example: Quebec - name: geo.timezone level: core type: keyword ignore_above: 1024 description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false - name: ip level: core type: ip description: IP address of the source (IPv4 or IPv6). - name: packets level: core type: long description: Packets sent from the source to the destination. example: 12 - name: port level: core type: long format: string description: Port of the source. - name: registered_domain level: extended type: keyword ignore_above: 1024 description: 'The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com - name: top_level_domain level: extended type: keyword ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk - name: user title: User group: 2 description: 'The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.' type: group default_field: true fields: - name: Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: Ext.real level: custom type: object description: User info prior to any setuid operations. default_field: false - name: Ext.real.id level: custom type: keyword ignore_above: 1024 description: One or multiple unique identifiers of the user. default_field: false - name: Ext.real.name level: custom type: keyword ignore_above: 1024 description: Short name or login of the user. default_field: false - name: domain level: extended type: keyword ignore_above: 1024 description: 'Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.' - name: email level: extended type: keyword ignore_above: 1024 description: User email address. - name: full_name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text default_field: false description: User's full name, if available. example: Albert Einstein - name: group.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: group.Ext.real level: custom type: object description: Group info prior to any setgid operations. default_field: false - name: group.Ext.real.id level: custom type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: group.Ext.real.name level: custom type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: group.domain level: extended type: keyword ignore_above: 1024 description: Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. - name: group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. - name: group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. - name: hash level: extended type: keyword ignore_above: 1024 description: 'Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.' - name: id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - name: name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text default_field: false description: Short name or login of the user. example: a.einstein PKjMPK}W0 endpoint-8.10.2/data_stream/network/manifest.ymlUTdtitle: Endpoint Network Events type: logs dataset: endpoint.events.network elasticsearch: index_template: mappings: dynamic: false PKnBPK}W5 endpoint-8.10.2/data_stream/network/sample_event.jsonUTd{ "agent": { "id": "afd348c6-0ec9-4961-805e-8ed2fc4c043b", "type": "endpoint", "version": "8.3.0-SNAPSHOT" }, "process": { "Ext": { "ancestry": [ "YWZkMzQ4YzYtMGVjOS00OTYxLTgwNWUtOGVkMmZjNGMwNDNiLTYxMi0xMzI5MzU0OTEwOS43MzU5NDk3MDA=", "YWZkMzQ4YzYtMGVjOS00OTYxLTgwNWUtOGVkMmZjNGMwNDNiLTQ3Ni0xMzI5MzU0OTEwOS4zODExMTM3MDA=" ], "code_signature": [ { "trusted": false, "subject_name": "Google LLC", "exists": true, "status": "errorExpired" } ] }, "parent": { "entity_id": "YWZkMzQ4YzYtMGVjOS00OTYxLTgwNWUtOGVkMmZjNGMwNDNiLTU4MC0xMzI5MzU0OTExMy40ODIyMTUwMDA=", "group_leader": { "entity_id": "YWZkMzQ4YzYtMGVjOS00OTYxLTgwNWUtOGVkMmZjNGMwNDNiLTU4MC0xMzI5MzU0OTExMy40ODIyMTUwMDA=" } }, "entry_leader": { "entity_id": "YWZkMzQ4YzYtMGVjOS00OTYxLTgwNWUtOGVkMmZjNGMwNDNiLTU4MC0xMzI5MzU0OTExMy40ODIyMTUwMDA=", "parent": { "entity_id": "YWZkMzQ4YzYtMGVjOS00OTYxLTgwNWUtOGVkMmZjNGMwNDNiLTU4MC0xMzI5MzU0OTExMy40ODIyMTUwMDA=" } }, "session_leader": { "entity_id": "YWZkMzQ4YzYtMGVjOS00OTYxLTgwNWUtOGVkMmZjNGMwNDNiLTU4MC0xMzI5MzU0OTExMy40ODIyMTUwMDA=" }, "group_leader": { "entity_id": "YWZkMzQ4YzYtMGVjOS00OTYxLTgwNWUtOGVkMmZjNGMwNDNiLTU4MC0xMzI5MzU0OTExMy40ODIyMTUwMDA=" }, "code_signature": { "trusted": false, "subject_name": "Google LLC", "exists": true, "status": "errorExpired" }, "name": "GCEWindowsAgent.exe", "pid": 580, "entity_id": "YWZkMzQ4YzYtMGVjOS00OTYxLTgwNWUtOGVkMmZjNGMwNDNiLTU4MC0xMzI5MzU0OTExMy40ODIyMTUwMDA=", "executable": "C:\\Program Files\\Google\\Compute Engine\\agent\\GCEWindowsAgent.exe" }, "destination": { "geo": { "continent_name": "North America", "country_iso_code": "US", "country_name": "United States", "location": { "lon": -97.822, "lat": 37.751 } }, "as": { "number": 15169, "organization": { "name": "GOOGLE" } }, "address": "64.233.191.95", "port": 443, "bytes": 4923, "ip": "64.233.191.95" }, "source": { "address": "10.201.0.32", "port": 54924, "bytes": 498, "ip": "10.201.0.32" }, "message": "Endpoint network event", "network": { "transport": "tcp", "type": "ipv4", "direction": "egress" }, "@timestamp": "2022-04-04T18:52:00.6007809Z", "ecs": { "version": "1.11.0" }, "data_stream": { "namespace": "default", "type": "logs", "dataset": "endpoint.events.network" }, "host": { "hostname": "mgmt-win-1", "os": { "Ext": { "variant": "Windows Server 2019 Datacenter" }, "kernel": "1809 (10.0.17763.2686)", "name": "Windows", "family": "windows", "type": "windows", "version": "1809 (10.0.17763.2686)", "platform": "windows", "full": "Windows Server 2019 Datacenter 1809 (10.0.17763.2686)" }, "ip": [ "10.201.0.32", "fe80::f8e6:a511:69ea:27c4", "127.0.0.1", "::1" ], "name": "mgmt-win-1", "id": "51b19c6c-27e3-4c80-ac2a-b72ed52c40c9", "mac": [ "00-00-5E-00-53-23" ], "architecture": "x86_64" }, "event": { "agent_id_status": "verified", "sequence": 36090, "ingested": "2022-04-04T18:52:21Z", "created": "2022-04-04T18:52:00.6007809Z", "kind": "event", "module": "endpoint", "action": "disconnect_received", "id": "MYfZG5h8j1qej16H+++++CFe", "category": [ "network" ], "type": [ "end" ], "dataset": "endpoint.events.network" }, "user": { "domain": "NT AUTHORITY", "name": "SYSTEM", "id": "S-1-5-18" } }PKBUhB\\PK}W# endpoint-8.10.2/data_stream/policy/UTdPK}W1 endpoint-8.10.2/data_stream/policy/elasticsearch/UTdPK}WA endpoint-8.10.2/data_stream/policy/elasticsearch/ingest_pipeline/UTdPK}WM endpoint-8.10.2/data_stream/policy/elasticsearch/ingest_pipeline/default.jsonUTd{ "description": "Pipeline for setting event.ingested", "processors": [ { "set": { "field": "event.ingested", "value": "{{ _ingest.timestamp }}", "ignore_failure": true } } ] } PKx{PK}W* endpoint-8.10.2/data_stream/policy/fields/UTdPK}W4 endpoint-8.10.2/data_stream/policy/fields/fields.ymlUTd- name: '@timestamp' level: core required: true type: date description: 'Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.' example: '2016-05-23T08:05:34.853Z' default_field: true - name: message level: core type: match_only_text description: 'For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.' example: Hello World default_field: true - name: Endpoint title: Endpoint group: 2 description: Fields describing the state of the Elastic Endpoint when an event occurs. type: group default_field: true fields: - name: configuration level: custom type: object description: Configuration fields represent the intended and applied setting for fields not part of a Policy setting This reflects what a given field is configured to do. The actual state of that same field is found in Endpoint.state default_field: false - name: configuration.isolation level: custom type: boolean description: Configuration setting for Host Isolation from the network default_field: false - name: policy level: custom type: object description: The policy fields are used to hold information about applied policy. default_field: false - name: policy.applied level: custom type: object description: information about the policy that is applied default_field: false - name: policy.applied.actions level: custom type: nested description: actions applied during the application of the policy enabled: false default_field: false - name: policy.applied.actions.message level: custom type: keyword ignore_above: 1024 description: message about the application of the action to further qualify the status of the action default_field: false - name: policy.applied.actions.name level: custom type: keyword ignore_above: 1024 description: name of the action that was applied default_field: false - name: policy.applied.actions.status level: custom type: keyword ignore_above: 1024 description: the status of the action default_field: false - name: policy.applied.artifacts level: custom type: object description: information about protection artifacts applied. enabled: false default_field: false - name: policy.applied.artifacts.global level: custom type: object description: information about global protection artifacts applied. default_field: false - name: policy.applied.artifacts.global.identifiers level: custom type: nested description: the identifiers of global artifacts applied. default_field: false - name: policy.applied.artifacts.global.identifiers.name level: custom type: keyword ignore_above: 1024 description: the name of global artifact applied. default_field: false - name: policy.applied.artifacts.global.identifiers.sha256 level: custom type: keyword ignore_above: 1024 description: the sha256 of global artifacts applied. default_field: false - name: policy.applied.artifacts.global.version level: custom type: keyword ignore_above: 1024 description: the version of global artifacts applied. default_field: false - name: policy.applied.artifacts.user level: custom type: object description: information about user protection artifacts applied. default_field: false - name: policy.applied.artifacts.user.identifiers level: custom type: nested description: the identifiers of user artifacts applied. default_field: false - name: policy.applied.artifacts.user.identifiers.name level: custom type: keyword ignore_above: 1024 description: the name of user artifact applied. default_field: false - name: policy.applied.artifacts.user.identifiers.sha256 level: custom type: keyword ignore_above: 1024 description: the sha256 of user artifacts applied. default_field: false - name: policy.applied.artifacts.user.version level: custom type: keyword ignore_above: 1024 description: the version of user artifacts applied. default_field: false - name: policy.applied.endpoint_policy_version level: custom type: keyword ignore_above: 1024 description: the version of this applied policy default_field: false - name: policy.applied.id level: custom type: keyword ignore_above: 1024 description: the id of the applied policy default_field: false - name: policy.applied.name level: custom type: keyword ignore_above: 1024 description: the name of this applied policy default_field: false - name: policy.applied.response level: custom type: object description: the response of actions that failed in the applied policy enabled: false default_field: false - name: policy.applied.response.configurations level: custom type: object description: the configurations of the applied policy enabled: false default_field: false - name: policy.applied.response.configurations.antivirus_registration level: custom type: object description: overall antivirus registration configuration and status of the applied policy enabled: false default_field: false - name: policy.applied.response.configurations.antivirus_registration.concerned_actions level: custom type: keyword ignore_above: 1024 description: all actions that were taken for antivirus registration default_field: false - name: policy.applied.response.configurations.antivirus_registration.status level: custom type: keyword ignore_above: 1024 description: the overall status of antivirus registration, this is correlated to the status of concerned actions but not a simple sum of the actions default_field: false - name: policy.applied.response.configurations.attack_surface_reduction.concerned_actions level: custom type: keyword ignore_above: 1024 description: all actions that were taken for attack surface reduction default_field: false - name: policy.applied.response.configurations.attack_surface_reduction.status level: custom type: keyword ignore_above: 1024 description: the overall status of attack surface reduction, this is correlated to the status of concerned actions but not a simple sum of the actions default_field: false - name: policy.applied.response.configurations.behavior_protection.concerned_actions level: custom type: keyword ignore_above: 1024 description: all actions that were taken for behavior_protection default_field: false - name: policy.applied.response.configurations.behavior_protection.status level: custom type: keyword ignore_above: 1024 description: the overall status of behavior_protection, this is correlated to the status of concerned actions but not a simple sum of the actions default_field: false - name: policy.applied.response.configurations.events level: custom type: object description: overall event collection configuration and status of the applied policy default_field: false - name: policy.applied.response.configurations.events.concerned_actions level: custom type: keyword ignore_above: 1024 description: all actions that were taken for event collection default_field: false - name: policy.applied.response.configurations.events.status level: custom type: keyword ignore_above: 1024 description: the overall status of event collection, this is correlated to the status of concerned actions but not a simple sum of the actions default_field: false - name: policy.applied.response.configurations.host_isolation.concerned_actions level: custom type: keyword ignore_above: 1024 description: all actions that were taken for host isolation default_field: false - name: policy.applied.response.configurations.host_isolation.status level: custom type: keyword ignore_above: 1024 description: the overall status of host isolation, this is correlated to the status of concerned actions but not a simple sum of the actions default_field: false - name: policy.applied.response.configurations.logging level: custom type: object description: overall logging configuration and status of the applied policy default_field: false - name: policy.applied.response.configurations.logging.concerned_actions level: custom type: keyword ignore_above: 1024 description: all actions that were taken for logging default_field: false - name: policy.applied.response.configurations.logging.status level: custom type: keyword ignore_above: 1024 description: the overall status of logging, this is correlated to the status of concerned actions but not a simple sum of the actions default_field: false - name: policy.applied.response.configurations.malware level: custom type: object description: overall malware configuration and status of the applied policy default_field: false - name: policy.applied.response.configurations.malware.concerned_actions level: custom type: keyword ignore_above: 1024 description: all actions that were taken for malware default_field: false - name: policy.applied.response.configurations.malware.status level: custom type: keyword ignore_above: 1024 description: the overall status of malware, this is correlated to the status of concerned actions but not a simple sum of the actions default_field: false - name: policy.applied.response.configurations.memory_protection level: custom type: object description: overall memory_protection configuration and status of the applied policy default_field: false - name: policy.applied.response.configurations.memory_protection.concerned_actions level: custom type: keyword ignore_above: 1024 description: all actions that were taken for memory_protection default_field: false - name: policy.applied.response.configurations.memory_protection.status level: custom type: keyword ignore_above: 1024 description: the overall status of memory_protection, this is correlated to the status of concerned actions but not a simple sum of the actions default_field: false - name: policy.applied.response.configurations.ransomware.concerned_actions level: custom type: keyword ignore_above: 1024 description: all actions that were taken for ransomware default_field: false - name: policy.applied.response.configurations.ransomware.status level: custom type: keyword ignore_above: 1024 description: the overall status of ransomware, this is correlated to the status of concerned actions but not a simple sum of the actions default_field: false - name: policy.applied.response.configurations.streaming level: custom type: object description: overall data streaming configuration and status of the applied policy default_field: false - name: policy.applied.response.configurations.streaming.concerned_actions level: custom type: keyword ignore_above: 1024 description: all actions that were taken for data streaming default_field: false - name: policy.applied.response.configurations.streaming.status level: custom type: keyword ignore_above: 1024 description: the overall status of data streaming, this is correlated to the status of concerned actions but not a simple sum of the actions default_field: false - name: policy.applied.response.diagnostic level: custom type: object description: the diagnostic configurations of the applied policy enabled: false default_field: false - name: policy.applied.response.diagnostic.behavior_protection.concerned_actions level: custom type: keyword ignore_above: 1024 description: all actions that were taken for the diagnostic configuration of behavior protection default_field: false - name: policy.applied.response.diagnostic.behavior_protection.status level: custom type: keyword ignore_above: 1024 description: the overall status of the diagnostic configuration of behavior protection, this is correlated to the status of concerned actions but not a simple sum of the actions default_field: false - name: policy.applied.response.diagnostic.credential_protection.concerned_actions level: custom type: keyword ignore_above: 1024 description: all actions that were taken for the diagnostic configuration of credential protection default_field: false - name: policy.applied.response.diagnostic.credential_protection.status level: custom type: keyword ignore_above: 1024 description: the overall status of the diagnostic configuration of credential protection, this is correlated to the status of concerned actions but not a simple sum of the actions default_field: false - name: policy.applied.response.diagnostic.malware.concerned_actions level: custom type: keyword ignore_above: 1024 description: all actions that were taken for the diagnostic configuration of malware default_field: false - name: policy.applied.response.diagnostic.malware.status level: custom type: keyword ignore_above: 1024 description: the overall status of the diagnostic configuration of malware, this is correlated to the status of concerned actions but not a simple sum of the actions default_field: false - name: policy.applied.response.diagnostic.memory_protection.concerned_actions level: custom type: keyword ignore_above: 1024 description: all actions that were taken for the diagnostic configuration of memory protection default_field: false - name: policy.applied.response.diagnostic.memory_protection.status level: custom type: keyword ignore_above: 1024 description: the overall status of the diagnostic configuration of memory protection, this is correlated to the status of concerned actions but not a simple sum of the actions default_field: false - name: policy.applied.response.diagnostic.memory_scan.concerned_actions level: custom type: keyword ignore_above: 1024 description: all actions that were taken for the diagnostic configuration of memory scan default_field: false - name: policy.applied.response.diagnostic.memory_scan.status level: custom type: keyword ignore_above: 1024 description: the overall status of the diagnostic configuration of memory scan, this is correlated to the status of concerned actions but not a simple sum of the actions default_field: false - name: policy.applied.response.diagnostic.ransomware.concerned_actions level: custom type: keyword ignore_above: 1024 description: all actions that were taken for the diagnostic configuration of ransomware default_field: false - name: policy.applied.response.diagnostic.ransomware.status level: custom type: keyword ignore_above: 1024 description: the overall status of the diagnostic configuration of ransomware, this is correlated to the status of concerned actions but not a simple sum of the actions default_field: false - name: policy.applied.status level: custom type: keyword ignore_above: 1024 description: the status of the applied policy default_field: false - name: policy.applied.version level: custom type: keyword ignore_above: 1024 description: the version of this applied policy default_field: false - name: state level: custom type: object description: Represents the current state of a non-policy setting These fields reflect the current status of a field, which may differ from what it is configured to be (see Endpoint.configuration) default_field: false - name: state.isolation level: custom type: boolean description: Current network isolation state of the host default_field: false - name: agent title: Agent group: 2 description: 'The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.' footnote: 'Examples: In the case of Beats for logs, the agent.name is filebeat. For APM, it is the agent running in the app/service. The agent information does not change if data is sent through queuing systems like Kafka, Redis, or processing systems such as Logstash or APM Server.' type: group default_field: true fields: - name: build.original level: core type: keyword ignore_above: 1024 description: 'Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required.' example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] default_field: false - name: id level: core type: keyword ignore_above: 1024 description: 'Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.' example: 8a4f500d - name: type level: core type: keyword ignore_above: 1024 description: 'Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.' example: filebeat - name: version level: core type: keyword ignore_above: 1024 description: Version of the agent. example: 6.0.0-rc2 - name: data_stream title: data_stream group: 2 description: Fields describing the new indexing strategy -- type: group default_field: true fields: - name: dataset level: custom type: constant_keyword description: Data stream dataset name. example: nginx.access default_field: false - name: namespace level: custom type: constant_keyword description: Data stream namespace. example: production default_field: false - name: type level: custom type: constant_keyword description: Data stream type. example: logs default_field: false - name: ecs title: ECS group: 2 description: Meta-information specific to ECS. type: group default_field: true fields: - name: version level: core required: true type: keyword ignore_above: 1024 description: 'ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.' example: 1.0.0 - name: event title: Event group: 2 description: 'The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events.' type: group default_field: true fields: - name: action level: core type: keyword ignore_above: 1024 description: 'The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.' example: user-password-change - name: category level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.' example: authentication - name: code level: extended type: keyword ignore_above: 1024 description: 'Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.' example: 4648 - name: created level: core type: date description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent''s or pipeline''s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.' example: '2016-05-23T08:05:34.857Z' - name: dataset level: core type: keyword ignore_above: 1024 description: 'Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It''s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.' example: apache.access - name: hash level: extended type: keyword ignore_above: 1024 description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. example: 123456789012345678901234567890ABCD - name: id level: core type: keyword ignore_above: 1024 description: Unique ID to describe the event. example: 8a4f500d - name: ingested level: core type: date description: 'Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It''s also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.' example: '2016-05-23T08:05:35.101Z' default_field: false - name: kind level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.' example: alert - name: module level: core type: keyword ignore_above: 1024 description: 'Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.' example: apache - name: outcome level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.' example: success - name: provider level: extended type: keyword ignore_above: 1024 description: 'Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).' example: kernel - name: sequence level: extended type: long format: string description: 'Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.' - name: severity level: core type: long format: string description: 'The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It''s up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.' example: 7 - name: type level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types.' - name: host title: Host group: 2 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group default_field: true fields: - name: architecture level: core type: keyword ignore_above: 1024 description: Operating system architecture. example: x86_64 - name: hostname level: core type: keyword ignore_above: 1024 description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - name: id level: core type: keyword ignore_above: 1024 description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - name: ip level: core type: ip description: Host ip addresses. - name: mac level: core type: keyword ignore_above: 1024 description: 'Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.' example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - name: name level: core type: keyword ignore_above: 1024 description: 'Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.' - name: os.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: os.Ext.variant level: custom type: keyword ignore_above: 1024 description: A string value or phrase that further aid to classify or qualify the operating system (OS). For example the distribution for a Linux OS will be entered in this field. example: Ubuntu default_field: false - name: os.family level: extended type: keyword ignore_above: 1024 description: OS family (such as redhat, debian, freebsd, windows). example: debian - name: os.full level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Operating system name, including the version or code name. example: Mac OS Mojave - name: os.kernel level: extended type: keyword ignore_above: 1024 description: Operating system kernel version as a raw string. example: 4.4.0-112-generic - name: os.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Operating system name, without the version. example: Mac OS X - name: os.platform level: extended type: keyword ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin - name: os.type level: extended type: keyword ignore_above: 1024 description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you''re dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.' example: macos default_field: false - name: os.version level: extended type: keyword ignore_above: 1024 description: Operating system version as a raw string. example: 10.14.1 PKJnPK}W/ endpoint-8.10.2/data_stream/policy/manifest.ymlUTdtitle: Endpoint Policy Response type: metrics elasticsearch: index_template: mappings: dynamic: false PK͚drrPK}W4 endpoint-8.10.2/data_stream/policy/sample_event.jsonUTd{ "agent": { "build": { "original": "version: 8.3.0-SNAPSHOT, compiled: Fri Apr 1 06:00:00 2022, branch: main, commit: f8b0ed879ad40ee1ae561ced31ec8a4027a2bf53" }, "id": "4c9c9cb3-f80f-44d8-9c89-6168243b7f21", "type": "endpoint", "version": "8.3.0-SNAPSHOT" }, "message": "Endpoint policy change", "@timestamp": "2022-04-04T18:38:15.7178887Z", "Endpoint": { "configuration": { "isolation": false }, "state": { "isolation": false }, "policy": { "applied": { "response": { "configurations": { "behavior_protection": { "concerned_actions": [ "agent_connectivity", "load_config", "workflow", "download_global_artifacts", "download_user_artifacts", "configure_file_events", "configure_network_events", "configure_process_events", "configure_kernel", "connect_kernel", "configure_imageload_events", "configure_dns_events", "configure_security_events", "configure_registry_events", "configure_malicious_behavior" ], "status": "success" }, "streaming": { "concerned_actions": [ "agent_connectivity", "load_config", "configure_output", "workflow" ], "status": "success" }, "malware": { "concerned_actions": [ "agent_connectivity", "load_config", "workflow", "download_global_artifacts", "download_user_artifacts", "configure_malware", "configure_kernel", "detect_process_events", "detect_file_write_events", "connect_kernel", "configure_user_notification", "configure_alerts", "detect_file_open_events", "detect_sync_image_load_events" ], "status": "success" }, "logging": { "concerned_actions": [ "agent_connectivity", "load_config", "configure_logging", "workflow" ], "status": "success" }, "antivirus_registration": { "concerned_actions": [ "agent_connectivity", "load_config", "configure_antivirus_registration", "workflow" ], "status": "unsupported" }, "host_isolation": { "concerned_actions": [ "agent_connectivity", "configure_host_isolation", "load_config", "workflow", "connect_kernel", "configure_user_notification" ], "status": "success" }, "events": { "concerned_actions": [ "agent_connectivity", "load_config", "workflow", "download_global_artifacts", "download_user_artifacts", "detect_process_events", "detect_file_write_events", "detect_network_events", "configure_file_events", "configure_network_events", "configure_process_events", "configure_kernel", "connect_kernel", "detect_file_open_events", "detect_file_access_events", "detect_async_image_load_events", "detect_registry_events", "detect_registry_access_events", "configure_imageload_events", "configure_dns_events", "configure_security_events", "configure_registry_events" ], "status": "success" }, "ransomware": { "concerned_actions": [ "agent_connectivity", "load_config", "workflow", "download_global_artifacts", "download_user_artifacts", "detect_process_events", "detect_file_write_events", "configure_process_events", "configure_file_events", "configure_ransomware", "configure_kernel", "connect_kernel", "configure_user_notification" ], "status": "success" }, "memory_protection": { "concerned_actions": [ "agent_connectivity", "configure_memory_threat", "configure_process_events", "download_global_artifacts", "download_user_artifacts", "workflow", "load_config", "detect_process_events", "configure_kernel", "connect_kernel", "detect_thread_events" ], "status": "success" }, "attack_surface_reduction": { "concerned_actions": [ "agent_connectivity", "configure_credential_hardening", "download_global_artifacts", "download_user_artifacts", "workflow", "load_config", "configure_kernel", "connect_kernel" ], "status": "success" } }, "diagnostic": { "behavior_protection": { "concerned_actions": [ "load_config", "workflow", "download_global_artifacts", "download_user_artifacts", "configure_file_events", "configure_network_events", "configure_process_events", "configure_kernel", "connect_kernel", "configure_imageload_events", "configure_dns_events", "configure_security_events", "configure_registry_events", "configure_diagnostic_rollback", "detect_process_handle_events", "configure_diagnostic_malicious_behavior" ], "status": "success" }, "malware": { "concerned_actions": [ "load_config", "workflow", "download_global_artifacts", "download_user_artifacts", "configure_diagnostic_malware", "detect_process_events", "detect_file_write_events", "connect_kernel", "configure_kernel", "detect_file_open_events", "detect_sync_image_load_events", "configure_diagnostic_rollback" ], "status": "success" }, "ransomware": { "concerned_actions": [ "load_config", "workflow", "download_global_artifacts", "download_user_artifacts", "detect_process_events", "detect_file_write_events", "configure_process_events", "configure_file_events", "configure_diagnostic_ransomware", "configure_kernel", "connect_kernel", "configure_diagnostic_rollback" ], "status": "success" }, "memory_protection": { "concerned_actions": [ "load_config", "workflow", "download_global_artifacts", "download_user_artifacts", "detect_process_events", "configure_process_events", "configure_diagnostic_memory_threat", "configure_kernel", "connect_kernel", "detect_thread_events", "configure_diagnostic_rollback" ], "status": "success" } } }, "name": "endpoint-1", "id": "b372bc3f-e9b3-4b2d-9dfe-ae677ed83933", "actions": [ { "name": "configure_antivirus_registration", "message": "Antivirus registration is not possible on servers", "status": "unsupported" }, { "name": "configure_ransomware", "message": "Successfully enabled ransomware prevention with mbr enabled and canaries enabled", "status": "success" }, { "name": "configure_memory_threat", "message": "Successfully enabled memory threat prevention with memory scanning enabled and shellcode protection enabled including trampoline monitoring", "status": "success" }, { "name": "configure_diagnostic_memory_threat", "message": "Successfully enabled memory threat detection with memory scanning enabled and shellcode protection enabled including trampoline monitoring", "status": "success" }, { "name": "configure_host_isolation", "message": "Host is not isolated", "status": "success" }, { "name": "configure_malicious_behavior", "message": "Enabled 152 out of 152 malicious behavior rules", "status": "success" }, { "name": "configure_diagnostic_malicious_behavior", "message": "Enabled 196 out of 196 diagnostic malicious behavior rules", "status": "success" }, { "name": "configure_user_notification", "message": "Successfully configured user notification", "status": "success" }, { "name": "configure_malware", "message": "Successfully enabled malware prevention", "status": "success" }, { "name": "configure_diagnostic_malware", "message": "Successfully enabled malware detection", "status": "success" }, { "name": "configure_diagnostic_rollback", "message": "Diagnostic system rollback is enabled", "status": "success" }, { "name": "configure_kernel", "message": "Successfully configured kernel", "status": "success" }, { "name": "configure_output", "message": "Successfully configured output connection", "status": "success" }, { "name": "configure_alerts", "message": "Successfully configured alerts", "status": "success" }, { "name": "configure_logging", "message": "Successfully configured logging", "status": "success" }, { "name": "load_config", "message": "Successfully parsed configuration", "status": "success" }, { "name": "download_user_artifacts", "message": "Successfully downloaded user artifacts", "status": "success" }, { "name": "download_global_artifacts", "message": "Global artifacts are available for use", "status": "success" }, { "name": "connect_kernel", "message": "Successfully connected to kernel", "status": "success" }, { "name": "detect_process_events", "message": "Successfully started process event reporting", "status": "success" }, { "name": "detect_sync_image_load_events", "message": "Successfully started sync image load event reporting", "status": "success" }, { "name": "detect_async_image_load_events", "message": "Successfully started async image load event reporting", "status": "success" }, { "name": "detect_file_write_events", "message": "Successfully started file write event reporting", "status": "success" }, { "name": "detect_file_open_events", "message": "Successfully stopped file open event reporting", "status": "success" }, { "name": "detect_network_events", "message": "Successfully started network event reporting", "status": "success" }, { "name": "detect_registry_events", "message": "Successfully started registry event reporting", "status": "success" }, { "name": "detect_thread_events", "message": "Successfully configured thread events", "status": "success" }, { "name": "detect_file_access_events", "message": "Successfully configured file access event reporting", "status": "success" }, { "name": "detect_registry_access_events", "message": "Successfully configured registry access event reporting", "status": "success" }, { "name": "detect_process_handle_events", "message": "Successfully started process handle event reporting", "status": "success" }, { "name": "configure_file_events", "message": "Success enabling file events; current state is enabled", "status": "success" }, { "name": "configure_network_events", "message": "Success enabling network events; current state is enabled", "status": "success" }, { "name": "configure_process_events", "message": "Success enabling process events; current state is enabled", "status": "success" }, { "name": "configure_imageload_events", "message": "Success enabling image load events; current state is enabled", "status": "success" }, { "name": "configure_dns_events", "message": "Success enabling dns events; current state is enabled", "status": "success" }, { "name": "configure_registry_events", "message": "Success enabling registry events; current state is enabled", "status": "success" }, { "name": "configure_security_events", "message": "Success enabling security events; current state is enabled", "status": "success" }, { "name": "configure_diagnostic_ransomware", "message": "Successfully enabled ransomware detection with mbr enabled and canaries enabled", "status": "success" }, { "name": "agent_connectivity", "message": "Successfully connected to Agent", "status": "success" }, { "name": "workflow", "message": "Successfully executed all workflows", "status": "success" }, { "name": "configure_credential_hardening", "message": "Successfully configured credential hardening", "status": "success" } ], "endpoint_policy_version": "1", "version": "2", "artifacts": { "global": { "identifiers": [ { "sha256": "e57a7d5638060e9655c64ac1d02f7949b87e5f5f27f2074329608db1e06d645b", "name": "diagnostic-configuration-v1" }, { "sha256": "c33693fcadb720d4d37706cd2ca77b28a8c59a424ab3f251b2b07ac7975eb2f4", "name": "diagnostic-endpointpe-v4-blocklist" }, { "sha256": "d47bfd600e3a8f79e290dfb0306e8abe7be11b75b36ba98132f46b8971f7f071", "name": "diagnostic-endpointpe-v4-exceptionlist" }, { "sha256": "8609faa372f8761bf199a03325f56577d2fd47630d6dba386b6eb33562aef6e3", "name": "diagnostic-endpointpe-v4-model" }, { "sha256": "52bc8b59292b5017bb091f97fa395881b127b07dec6182f91c4b84074ae6e7bc", "name": "diagnostic-malware-signature-v1-windows" }, { "sha256": "dcbaa744fc672d8db32010a1422aafa6e0cf86816d34b1d4df9f273f106be425", "name": "diagnostic-ransomware-v1-windows" }, { "sha256": "b680beed0f3ca83ae78802e972bf4bb12ecea2b1649a7aafd16e6fec8c9a0ede", "name": "diagnostic-rules-windows-v1" }, { "sha256": "1d591a12ce8ae215ebdcdabc81fc912cd51162e7a8e35bcdc1676bc3125cebbf", "name": "endpointpe-v4-blocklist" }, { "sha256": "b49fdcd8bf63af07ab1e74352137eb20f1e3710640dfcb1bfff3f7273ee14a7f", "name": "endpointpe-v4-exceptionlist" }, { "sha256": "c05c025cce1c2b5808c180dc4986eb519c0affd30d7c27f67fdd14bde3224638", "name": "endpointpe-v4-model" }, { "sha256": "b98dc812e3cd9c9aa21462bb8b2bac86158d6d2d97ea4aac6731c069f6babb4d", "name": "global-configuration-v1" }, { "sha256": "7acbe147698a40c817775d471ea30c2fe4dfa7a9f54271e6dbc073131c5a3bcb", "name": "global-exceptionlist-windows" }, { "sha256": "dfb2b428357b756d9f5b593c02dce99b026c9e2afeb76cdb8e8c76c6db78290a", "name": "global-trustlist-windows-v1" }, { "sha256": "611a02c398c58ebe2f6d9d63621778de96263ef7fa885098ce62a22c411d67bc", "name": "production-malware-signature-v1-windows" }, { "sha256": "363cb9d7bbc013d9bc171a6a29fdfe486f1c987ef2c0cdfa3c283fc4c5a4a595", "name": "production-ransomware-v1-windows" }, { "sha256": "b07cf3beacd69e6922d344448a8c6d03e96ae6d5ec1e540415fe2f4804bcb631", "name": "production-rules-windows-v1" } ], "version": "1.0.261" }, "user": { "identifiers": [ { "sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "name": "endpoint-blocklist-windows-v1" }, { "sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "name": "endpoint-eventfilterlist-windows-v1" }, { "sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "name": "endpoint-exceptionlist-windows-v1" }, { "sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "name": "endpoint-hostisolationexceptionlist-windows-v1" }, { "sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "name": "endpoint-trustlist-windows-v1" } ], "version": "1.0.0" } }, "status": "success" } } }, "ecs": { "version": "1.11.0" }, "data_stream": { "namespace": "default", "type": "metrics", "dataset": "endpoint.policy" }, "host": { "hostname": "data-viz-win-1", "os": { "Ext": { "variant": "Windows Server 2019 Datacenter" }, "kernel": "1809 (10.0.17763.2686)", "name": "Windows", "family": "windows", "type": "windows", "version": "1809 (10.0.17763.2686)", "platform": "windows", "full": "Windows Server 2019 Datacenter 1809 (10.0.17763.2686)" }, "ip": [ "10.201.0.13", "fe80::f40a:aed0:618a:972d", "127.0.0.1", "::1" ], "name": "data-viz-win-1", "id": "2beebb8e-e5f0-46ca-8635-97ba7bb8ccca", "mac": [ "00-00-5E-00-53-23" ], "architecture": "x86_64" }, "event": { "agent_id_status": "verified", "sequence": 35122, "ingested": "2022-04-04T18:38:16Z", "created": "2022-04-04T18:38:15.7178887Z", "kind": "state", "module": "endpoint", "action": "endpoint_policy_response", "id": "MYfZG00oEwD2/fqT+++++Bye", "category": [ "host" ], "type": [ "change" ], "dataset": "endpoint.policy" } }PKUqqPK}W$ endpoint-8.10.2/data_stream/process/UTdPK}W2 endpoint-8.10.2/data_stream/process/elasticsearch/UTdPK}WB endpoint-8.10.2/data_stream/process/elasticsearch/ingest_pipeline/UTdPK}WN endpoint-8.10.2/data_stream/process/elasticsearch/ingest_pipeline/default.jsonUTd{ "description": "Pipeline for setting event.ingested", "processors": [ { "set": { "field": "event.ingested", "value": "{{ _ingest.timestamp }}", "ignore_failure": true } } ] } PKx{PK}W+ endpoint-8.10.2/data_stream/process/fields/UTdPK}W5 endpoint-8.10.2/data_stream/process/fields/fields.ymlUTd- name: '@timestamp' level: core required: true type: date description: 'Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.' example: '2016-05-23T08:05:34.853Z' default_field: true - name: message level: core type: match_only_text description: 'For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.' example: Hello World default_field: true - name: agent title: Agent group: 2 description: 'The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.' footnote: 'Examples: In the case of Beats for logs, the agent.name is filebeat. For APM, it is the agent running in the app/service. The agent information does not change if data is sent through queuing systems like Kafka, Redis, or processing systems such as Logstash or APM Server.' type: group default_field: true fields: - name: ephemeral_id level: extended type: keyword ignore_above: 1024 description: 'Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not.' example: 8a4f500f - name: id level: core type: keyword ignore_above: 1024 description: 'Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.' example: 8a4f500d - name: name level: core type: keyword ignore_above: 1024 description: 'Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from.' example: foo - name: type level: core type: keyword ignore_above: 1024 description: 'Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.' example: filebeat - name: version level: core type: keyword ignore_above: 1024 description: Version of the agent. example: 6.0.0-rc2 - name: cloud title: Cloud group: 2 description: Fields related to the cloud or infrastructure the events are coming from. footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on. The cloud fields may be self-nested under cloud.origin.* and cloud.target.* to describe origin or target service''s cloud information in the context of incoming or outgoing requests, respectively. However, the fieldsets cloud.origin.* and cloud.target.* must not be confused with the root cloud fieldset that is used to describe the cloud context of the actual service under observation. The fieldset cloud.origin.* may only be used in the context of incoming requests or events to provide the originating service''s cloud information. The fieldset cloud.target.* may only be used in the context of outgoing requests or events to describe the target service''s cloud information.' type: group default_field: true fields: - name: account.id level: extended type: keyword ignore_above: 1024 description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' example: 666777888999 - name: instance.name level: extended type: keyword ignore_above: 1024 description: Instance name of the host machine. - name: project.id level: extended type: keyword ignore_above: 1024 description: 'The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.' example: my-project default_field: false - name: provider level: extended type: keyword ignore_above: 1024 description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. example: aws - name: region level: extended type: keyword ignore_above: 1024 description: Region in which this host, resource, or service is located. example: us-east-1 - name: container title: Container group: 2 description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' type: group default_field: true fields: - name: id level: core type: keyword ignore_above: 1024 description: Unique container id. - name: image.hash.all level: extended type: keyword ignore_above: 1024 description: 'An array of digests of the image the container was built on. Each digest consists of the hash algorithm and value in this format: `algorithm:value`. Algorithm names should align with the field names in the ECS hash field set.' example: '[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26]' default_field: false - name: image.name level: extended type: keyword ignore_above: 1024 description: Name of the image the container was built on. - name: image.tag level: extended type: keyword ignore_above: 1024 description: Container image tags. - name: name level: extended type: keyword ignore_above: 1024 description: Container name. - name: data_stream title: data_stream group: 2 description: Fields describing the new indexing strategy -- type: group default_field: true fields: - name: dataset level: custom type: constant_keyword description: Data stream dataset name. example: nginx.access default_field: false - name: namespace level: custom type: constant_keyword description: Data stream namespace. example: production default_field: false - name: type level: custom type: constant_keyword description: Data stream type. example: logs default_field: false - name: destination title: Destination group: 2 description: 'Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.' type: group default_field: true fields: - name: geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal - name: geo.continent_code level: core type: keyword ignore_above: 1024 description: Two-letter code representing continent's name. example: NA default_field: false - name: geo.continent_name level: core type: keyword ignore_above: 1024 description: Name of the continent. example: North America - name: geo.country_iso_code level: core type: keyword ignore_above: 1024 description: Country ISO code. example: CA - name: geo.country_name level: core type: keyword ignore_above: 1024 description: Country name. example: Canada - name: geo.location level: core type: geo_point description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended type: keyword ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.' example: boston-dc - name: geo.postal_code level: core type: keyword ignore_above: 1024 description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.' example: 94040 default_field: false - name: geo.region_iso_code level: core type: keyword ignore_above: 1024 description: Region ISO code. example: CA-QC - name: geo.region_name level: core type: keyword ignore_above: 1024 description: Region name. example: Quebec - name: geo.timezone level: core type: keyword ignore_above: 1024 description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false - name: ecs title: ECS group: 2 description: Meta-information specific to ECS. type: group default_field: true fields: - name: version level: core required: true type: keyword ignore_above: 1024 description: 'ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.' example: 1.0.0 - name: event title: Event group: 2 description: 'The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events.' type: group default_field: true fields: - name: action level: core type: keyword ignore_above: 1024 description: 'The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.' example: user-password-change - name: category level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.' example: authentication - name: code level: extended type: keyword ignore_above: 1024 description: 'Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.' example: 4648 - name: created level: core type: date description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent''s or pipeline''s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.' example: '2016-05-23T08:05:34.857Z' - name: dataset level: core type: keyword ignore_above: 1024 description: 'Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It''s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.' example: apache.access - name: hash level: extended type: keyword ignore_above: 1024 description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. example: 123456789012345678901234567890ABCD - name: id level: core type: keyword ignore_above: 1024 description: Unique ID to describe the event. example: 8a4f500d - name: ingested level: core type: date description: 'Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It''s also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.' example: '2016-05-23T08:05:35.101Z' default_field: false - name: kind level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.' example: alert - name: module level: core type: keyword ignore_above: 1024 description: 'Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.' example: apache - name: outcome level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.' example: success - name: provider level: extended type: keyword ignore_above: 1024 description: 'Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).' example: kernel - name: sequence level: extended type: long format: string description: 'Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.' - name: severity level: core type: long format: string description: 'The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It''s up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.' example: 7 - name: type level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types.' - name: group title: Group group: 2 description: The group fields are meant to represent groups that are relevant to the event. type: group default_field: true fields: - name: Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: Ext.real level: custom type: object description: Group info prior to any setgid operations. default_field: false - name: Ext.real.id level: custom type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: Ext.real.name level: custom type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: domain level: extended type: keyword ignore_above: 1024 description: Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. - name: id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. - name: name level: extended type: keyword ignore_above: 1024 description: Name of the group. - name: host title: Host group: 2 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group default_field: true fields: - name: architecture level: core type: keyword ignore_above: 1024 description: Operating system architecture. example: x86_64 - name: boot.id level: extended type: keyword ignore_above: 1024 description: Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note the boot_id value from /proc may or may not be the same in containers as on the host. Some container runtimes will bind mount a new boot_id value onto the proc file in each container. example: 88a1f0ed-5ae5-41ee-af6b-41921c311872 default_field: false - name: domain level: extended type: keyword ignore_above: 1024 description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO default_field: false - name: hostname level: core type: keyword ignore_above: 1024 description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - name: id level: core type: keyword ignore_above: 1024 description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - name: ip level: core type: ip description: Host ip addresses. - name: mac level: core type: keyword ignore_above: 1024 description: 'Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.' example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - name: name level: core type: keyword ignore_above: 1024 description: 'Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.' - name: os.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: os.Ext.variant level: custom type: keyword ignore_above: 1024 description: A string value or phrase that further aid to classify or qualify the operating system (OS). For example the distribution for a Linux OS will be entered in this field. example: Ubuntu default_field: false - name: os.family level: extended type: keyword ignore_above: 1024 description: OS family (such as redhat, debian, freebsd, windows). example: debian - name: os.full level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Operating system name, including the version or code name. example: Mac OS Mojave - name: os.kernel level: extended type: keyword ignore_above: 1024 description: Operating system kernel version as a raw string. example: 4.4.0-112-generic - name: os.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Operating system name, without the version. example: Mac OS X - name: os.platform level: extended type: keyword ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin - name: os.type level: extended type: keyword ignore_above: 1024 description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you''re dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.' example: macos default_field: false - name: os.version level: extended type: keyword ignore_above: 1024 description: Operating system version as a raw string. example: 10.14.1 - name: pid_ns_ino level: extended type: keyword ignore_above: 1024 description: This is the inode number of the namespace in the namespace file system (nsfs). Unsigned int inum in include/linux/ns_common.h. example: 256383 default_field: false - name: type level: core type: keyword ignore_above: 1024 description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: uptime level: extended type: long description: Seconds the host has been up. example: 1325 - name: orchestrator title: Orchestrator group: 2 description: Fields that describe the resources which container orchestrators manage or act upon. type: group default_field: true fields: - name: cluster.id level: extended type: keyword ignore_above: 1024 description: Unique ID of the cluster. default_field: false - name: cluster.name level: extended type: keyword ignore_above: 1024 description: Name of the cluster. default_field: false - name: namespace level: extended type: keyword ignore_above: 1024 description: Namespace in which the action is taking place. example: kube-system default_field: false - name: resource.ip level: extended type: ip description: 'IP address assigned to the resource associated with the event being observed. In the case of a Kubernetes Pod, this array would contain only one element: the IP of the Pod (as opposed to the Node on which the Pod is running).' default_field: false - name: resource.name level: extended type: keyword ignore_above: 1024 description: Name of the resource being acted upon. example: test-pod-cdcws default_field: false - name: resource.parent.type level: extended type: keyword ignore_above: 1024 description: Type or kind of the parent resource associated with the event being observed. In Kubernetes, this will be the name of a built-in workload resource (e.g., Deployment, StatefulSet, DaemonSet). example: DaemonSet default_field: false - name: resource.type level: extended type: keyword ignore_above: 1024 description: Type of resource being acted upon. example: service default_field: false - name: package title: Package group: 2 description: These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location. type: group default_field: true fields: - name: name level: extended type: keyword ignore_above: 1024 description: Package name example: go - name: process title: Process group: 2 description: 'These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation.' type: group default_field: true fields: - name: Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: Ext.ancestry level: custom type: keyword ignore_above: 1024 description: An array of entity_ids indicating the ancestors for this event default_field: false - name: Ext.architecture level: custom type: keyword ignore_above: 1024 description: Process architecture. It can differ from host architecture. example: x86_64 default_field: false - name: Ext.authentication_id level: custom type: keyword ignore_above: 1024 description: Process authentication ID default_field: false - name: Ext.code_signature level: custom type: nested description: Nested version of ECS code_signature fieldset. default_field: false - name: Ext.code_signature.exists level: custom type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: Ext.code_signature.status level: custom type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: Ext.code_signature.subject_name level: custom type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: Ext.code_signature.trusted level: custom type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: Ext.code_signature.valid level: custom type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: Ext.defense_evasions level: custom type: keyword ignore_above: 1024 description: List of defense evasions found in this process. These defense evasions can make it harder to inspect a process and/or cause abnormal OS behavior. Examples tools that can cause defense evasions include Process Doppelganging and Process Herpaderping. default_field: false - name: Ext.device.bus_type level: custom type: keyword ignore_above: 1024 description: Bus type of the device, such as Nvme, Usb, FileBackedVirtual,... etc. default_field: false - name: Ext.device.dos_name level: custom type: keyword ignore_above: 1024 description: DOS name of the device. DOS device name is in the format of driver letters such as C:, D:,... default_field: false - name: Ext.device.file_system_type level: custom type: keyword ignore_above: 1024 description: 'Volume device file system type. Following are examples of the most frequently seen volume device file system types: NTFS UDF' default_field: false - name: Ext.device.nt_name level: custom type: keyword ignore_above: 1024 description: 'NT name of the device. NT device name is in the format such as: \Device\HarddiskVolume2' default_field: false - name: Ext.device.product_id level: custom type: keyword ignore_above: 1024 description: ProductID of the device. It is provided by the vendor of the device if any. default_field: false - name: Ext.device.serial_number level: custom type: keyword ignore_above: 1024 description: Serial Number of the device. It is provided by the vendor of the device if any. default_field: false - name: Ext.device.vendor_id level: custom type: keyword ignore_above: 1024 description: VendorID of the device. It is provided by the vendor of the device. default_field: false - name: Ext.device.volume_device_type level: custom type: keyword ignore_above: 1024 description: 'Volume device type. Following are examples of the most frequently seen volume device types: Disk File System CD-ROM File System' default_field: false - name: Ext.dll.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: Ext.dll.Ext.mapped_address level: custom type: unsigned_long description: The base address where this module is loaded. default_field: false - name: Ext.dll.Ext.mapped_size level: custom type: unsigned_long description: The size of this module's memory mapping, in bytes. default_field: false - name: Ext.dll.name level: core type: keyword ignore_above: 1024 description: 'Name of the library. This generally maps to the name of the file on disk.' example: kernel32.dll default_field: false - name: Ext.dll.path level: extended type: keyword ignore_above: 1024 description: Full file path of the library. example: C:\Windows\System32\kernel32.dll default_field: false - name: Ext.effective_parent.entity_id level: custom type: keyword ignore_above: 1024 description: Unique identifier for the effective process. example: c2c455d9f99375d default_field: false - name: Ext.effective_parent.executable level: custom type: keyword ignore_above: 1024 description: Executable name for the effective process. example: C:\Windows\System32\wbem\WMIC.exe default_field: false - name: Ext.effective_parent.name level: custom type: keyword ignore_above: 1024 description: Process name for the effective process. example: WMIC.exe default_field: false - name: Ext.effective_parent.pid level: custom type: long description: Process ID. example: 4242 default_field: false - name: Ext.mitigation_policies level: custom type: keyword ignore_above: 1024 description: Process mitigation policies include SignaturePolicy, DynamicCodePolicy, UserShadowStackPolicy, ControlFlowGuardPolicy, etc. Examples include Microsoft only, CF Guard, User Shadow Stack enabled default_field: false - name: Ext.protection level: custom type: keyword ignore_above: 1024 description: Indicates the protection level of this process. Uses the same syntax as Process Explorer. Examples include PsProtectedSignerWinTcb, PsProtectedSignerWinTcb-Light, and PsProtectedSignerWindows-Light. default_field: false - name: Ext.relative_file_creation_time level: custom type: double description: Number of seconds since the process's file was created. This number may be negative if the file's timestamp is in the future. default_field: false - name: Ext.relative_file_name_modify_time level: custom type: double description: Number of seconds since the process's name was modified. This information can come from the NTFS MFT. This number may be negative if the file's timestamp is in the future. default_field: false - name: Ext.session level: custom type: keyword ignore_above: 1024 description: Session information for the current process default_field: false - name: Ext.session_info.authentication_package level: custom type: keyword ignore_above: 1024 description: Name of authentication package used to log on, such as NTLM, Kerberos, or CloudAP default_field: false - name: Ext.session_info.client_address level: custom type: keyword ignore_above: 1024 description: Client's IPv4 or IPv6 address as a string, if available. default_field: false - name: Ext.session_info.id level: custom type: unsigned_long description: Session ID default_field: false - name: Ext.session_info.logon_type level: custom type: keyword ignore_above: 1024 description: Session logon type. Examples include Interactive, Network, and Service. default_field: false - name: Ext.session_info.relative_logon_time level: custom type: double description: Process creation time, relative to logon time, in seconds. default_field: false - name: Ext.session_info.relative_password_age level: custom type: double description: Process creation time, relative to the last time the password was changed, in seconds. default_field: false - name: Ext.session_info.user_flags level: custom type: keyword ignore_above: 1024 description: List of user flags associated with this logon session. Examples include LOGON_NTLMV2_ENABLED and LOGON_WINLOGON. default_field: false - name: Ext.token.elevation level: custom type: boolean description: Whether the token is elevated or not default_field: false - name: Ext.token.elevation_level level: custom type: keyword ignore_above: 1024 description: What level of elevation the token has example: one of "default", "full", "limited" default_field: false - name: Ext.token.elevation_type level: custom type: keyword ignore_above: 1024 description: What level of elevation the token has example: one of "default", "full", "limited" default_field: false - name: Ext.token.integrity_level_name level: custom type: keyword ignore_above: 1024 description: Human readable integrity level. example: one of "system", "high", "medium", "low", "untrusted" default_field: false - name: Ext.token.security_attributes level: custom type: keyword ignore_above: 1024 description: Array of security attributes of the token, retrieved via the TokenSecurityAttributes class. example: TSA://ProcUnique, LUA://DecHdAutoAp default_field: false - name: Ext.trusted level: custom type: boolean description: Whether or not the process is a trusted application default_field: false - name: Ext.trusted_descendant level: custom type: boolean description: Whether or not the process is a descendent of a trusted application default_field: false - name: args level: extended type: keyword ignore_above: 1024 description: 'Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.' example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - name: args_count level: extended type: long description: 'Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.' example: 4 default_field: false - name: code_signature.exists level: core type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: code_signature.signing_id level: extended type: keyword ignore_above: 1024 description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: code_signature.status level: extended type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: code_signature.subject_name level: core type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: code_signature.team_id level: extended type: keyword ignore_above: 1024 description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: code_signature.trusted level: extended type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: code_signature.valid level: extended type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: command_line level: extended type: wildcard multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 default_field: false - name: end level: extended type: date description: The time the process ended. example: '2016-05-23T08:05:34.853Z' default_field: false - name: entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: entry_leader.args level: extended type: keyword ignore_above: 1024 description: 'Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.' example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' default_field: false - name: entry_leader.args_count level: extended type: long description: 'Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.' example: 4 default_field: false - name: entry_leader.attested_groups.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: entry_leader.attested_user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - name: entry_leader.attested_user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: Short name or login of the user. example: a.einstein default_field: false - name: entry_leader.command_line level: extended type: wildcard multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 default_field: false - name: entry_leader.entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: entry_leader.entry_meta.source.ip level: core type: ip description: IP address of the source (IPv4 or IPv6). default_field: false - name: entry_leader.entry_meta.type level: extended type: keyword ignore_above: 1024 description: 'The entry type for the entry session leader. Values include: init(e.g systemd), sshd, ssm, kubelet, teleport, terminal, console Note: This field is only set on process.session_leader.' default_field: false - name: entry_leader.executable level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: Absolute path to the process executable. example: /usr/bin/ssh default_field: false - name: entry_leader.group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: entry_leader.group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: entry_leader.interactive level: extended type: boolean description: 'Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.' example: true default_field: false - name: entry_leader.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: 'Process name. Sometimes called program name or similar.' example: ssh default_field: false - name: entry_leader.parent.entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: entry_leader.parent.pid level: core type: long format: string description: Process id. example: 4242 default_field: false - name: entry_leader.parent.session_leader.entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: entry_leader.parent.session_leader.pid level: core type: long format: string description: Process id. example: 4242 default_field: false - name: entry_leader.parent.session_leader.start level: extended type: date description: The time the process started. example: '2016-05-23T08:05:34.853Z' default_field: false - name: entry_leader.parent.start level: extended type: date description: The time the process started. example: '2016-05-23T08:05:34.853Z' default_field: false - name: entry_leader.pid level: core type: long format: string description: Process id. example: 4242 default_field: false - name: entry_leader.real_group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: entry_leader.real_group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: entry_leader.real_user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - name: entry_leader.real_user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: Short name or login of the user. example: a.einstein default_field: false - name: entry_leader.same_as_process level: extended type: boolean description: 'This boolean is used to identify if a leader process is the same as the top level process. For example, if `process.group_leader.same_as_process = true`, it means the process event in question is the leader of its process group. Details under `process.*` like `pid` would be the same under `process.group_leader.*` The same applies for both `process.session_leader` and `process.entry_leader`. This field exists to the benefit of EQL and other rule engines since it''s not possible to compare equality between two fields in a single document. e.g `process.entity_id` = `process.group_leader.entity_id` (top level process is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is the entry session leader) Instead these rules could be written like: `process.group_leader.same_as_process: true` OR `process.entry_leader.same_as_process: true` Note: This field is only set on `process.entry_leader`, `process.session_leader` and `process.group_leader`.' example: true default_field: false - name: entry_leader.saved_group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: entry_leader.saved_group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: entry_leader.saved_user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - name: entry_leader.saved_user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: Short name or login of the user. example: a.einstein default_field: false - name: entry_leader.start level: extended type: date description: The time the process started. example: '2016-05-23T08:05:34.853Z' default_field: false - name: entry_leader.supplemental_groups.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: entry_leader.supplemental_groups.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: entry_leader.tty level: extended type: object description: Information about the controlling TTY device. If set, the process belongs to an interactive session. default_field: false - name: entry_leader.tty.char_device.major level: extended type: long description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. example: 4 default_field: false - name: entry_leader.tty.char_device.minor level: extended type: long description: "The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them." example: 1 default_field: false - name: entry_leader.user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - name: entry_leader.user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: Short name or login of the user. example: a.einstein default_field: false - name: entry_leader.working_directory level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: The working directory of the process. example: /home/alice default_field: false - name: env_vars level: extended type: keyword ignore_above: 1024 description: 'Array of environment variable bindings. Captured from a snapshot of the environment at the time of execution. May be filtered to protect sensitive information.' example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' default_field: false - name: executable level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Absolute path to the process executable. example: /usr/bin/ssh - name: exit_code level: extended type: long description: 'The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).' example: 137 default_field: false - name: group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: group_leader.args level: extended type: keyword ignore_above: 1024 description: 'Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.' example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' default_field: false - name: group_leader.args_count level: extended type: long description: 'Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.' example: 4 default_field: false - name: group_leader.command_line level: extended type: wildcard multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 default_field: false - name: group_leader.entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: group_leader.executable level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: Absolute path to the process executable. example: /usr/bin/ssh default_field: false - name: group_leader.group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: group_leader.group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: group_leader.interactive level: extended type: boolean description: 'Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.' example: true default_field: false - name: group_leader.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: 'Process name. Sometimes called program name or similar.' example: ssh default_field: false - name: group_leader.pid level: core type: long format: string description: Process id. example: 4242 default_field: false - name: group_leader.real_group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: group_leader.real_group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: group_leader.real_user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - name: group_leader.real_user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: Short name or login of the user. example: a.einstein default_field: false - name: group_leader.same_as_process level: extended type: boolean description: 'This boolean is used to identify if a leader process is the same as the top level process. For example, if `process.group_leader.same_as_process = true`, it means the process event in question is the leader of its process group. Details under `process.*` like `pid` would be the same under `process.group_leader.*` The same applies for both `process.session_leader` and `process.entry_leader`. This field exists to the benefit of EQL and other rule engines since it''s not possible to compare equality between two fields in a single document. e.g `process.entity_id` = `process.group_leader.entity_id` (top level process is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is the entry session leader) Instead these rules could be written like: `process.group_leader.same_as_process: true` OR `process.entry_leader.same_as_process: true` Note: This field is only set on `process.entry_leader`, `process.session_leader` and `process.group_leader`.' example: true default_field: false - name: group_leader.saved_group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: group_leader.saved_group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: group_leader.saved_user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - name: group_leader.saved_user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: Short name or login of the user. example: a.einstein default_field: false - name: group_leader.start level: extended type: date description: The time the process started. example: '2016-05-23T08:05:34.853Z' default_field: false - name: group_leader.supplemental_groups.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: group_leader.supplemental_groups.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: group_leader.tty level: extended type: object description: Information about the controlling TTY device. If set, the process belongs to an interactive session. default_field: false - name: group_leader.tty.char_device.major level: extended type: long description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. example: 4 default_field: false - name: group_leader.tty.char_device.minor level: extended type: long description: "The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them." example: 1 default_field: false - name: group_leader.user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - name: group_leader.user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: Short name or login of the user. example: a.einstein default_field: false - name: group_leader.working_directory level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: The working directory of the process. example: /home/alice default_field: false - name: hash.md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash. - name: hash.sha1 level: extended type: keyword ignore_above: 1024 description: SHA1 hash. - name: hash.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. - name: hash.sha512 level: extended type: keyword ignore_above: 1024 description: SHA512 hash. - name: interactive level: extended type: boolean description: 'Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.' example: true default_field: false - name: io level: extended type: object description: 'A chunk of input or output (IO) from a single process. This field only appears on the top level process object, which is the process that wrote the output or read the input.' default_field: false - name: io.max_bytes_per_process_exceeded level: extended type: boolean description: If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting. default_field: false - name: io.text level: extended type: wildcard description: 'A chunk of output or input sanitized to UTF-8. Best efforts are made to ensure complete lines are captured in these events. Assumptions should NOT be made that multiple lines will appear in the same event. TTY output may contain terminal control codes such as for cursor movement, so some string queries may not match due to terminal codes inserted between characters of a word.' default_field: false - name: io.total_bytes_captured level: extended type: long description: The total number of bytes captured in this event. default_field: false - name: io.total_bytes_skipped level: extended type: long description: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero default_field: false - name: name level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: 'Process name. Sometimes called program name or similar.' example: ssh - name: parent.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: parent.Ext.architecture level: custom type: keyword ignore_above: 1024 description: Process architecture. It can differ from host architecture. example: x86_64 default_field: false - name: parent.Ext.code_signature level: custom type: nested description: Nested version of ECS code_signature fieldset. default_field: false - name: parent.Ext.code_signature.exists level: custom type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: parent.Ext.code_signature.status level: custom type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: parent.Ext.code_signature.subject_name level: custom type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: parent.Ext.code_signature.trusted level: custom type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: parent.Ext.code_signature.valid level: custom type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: parent.Ext.protection level: custom type: keyword ignore_above: 1024 description: Indicates the protection level of this process. Uses the same syntax as Process Explorer. Examples include PsProtectedSignerWinTcb, PsProtectedSignerWinTcb-Light, and PsProtectedSignerWindows-Light. default_field: false - name: parent.Ext.real level: custom type: object description: The field set containing process info in case of any pid spoofing. This is mainly useful for process.parent. default_field: false - name: parent.Ext.real.pid level: custom type: long description: For process.parent this will be the ppid of the process that actually spawned the current process. default_field: false - name: parent.Ext.user level: custom type: keyword ignore_above: 1024 description: User associated with the running process. default_field: false - name: parent.args level: extended type: keyword ignore_above: 1024 description: 'Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.' example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' default_field: false - name: parent.args_count level: extended type: long description: 'Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.' example: 4 default_field: false - name: parent.code_signature.exists level: core type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: parent.code_signature.signing_id level: extended type: keyword ignore_above: 1024 description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: parent.code_signature.status level: extended type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: parent.code_signature.subject_name level: core type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: parent.code_signature.team_id level: extended type: keyword ignore_above: 1024 description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: parent.code_signature.trusted level: extended type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: parent.code_signature.valid level: extended type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: parent.command_line level: extended type: wildcard multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 default_field: false - name: parent.entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: parent.executable level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: Absolute path to the process executable. example: /usr/bin/ssh default_field: false - name: parent.exit_code level: extended type: long description: 'The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).' example: 137 default_field: false - name: parent.group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: parent.group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: parent.group_leader.entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: parent.group_leader.pid level: core type: long format: string description: Process id. example: 4242 default_field: false - name: parent.group_leader.start level: extended type: date description: The time the process started. example: '2016-05-23T08:05:34.853Z' default_field: false - name: parent.hash.md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash. default_field: false - name: parent.hash.sha1 level: extended type: keyword ignore_above: 1024 description: SHA1 hash. default_field: false - name: parent.hash.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. default_field: false - name: parent.hash.sha512 level: extended type: keyword ignore_above: 1024 description: SHA512 hash. default_field: false - name: parent.interactive level: extended type: boolean description: 'Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.' example: true default_field: false - name: parent.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: 'Process name. Sometimes called program name or similar.' example: ssh default_field: false - name: parent.pe.company level: extended type: keyword ignore_above: 1024 description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - name: parent.pe.description level: extended type: keyword ignore_above: 1024 description: Internal description of the file, provided at compile-time. example: Paint default_field: false - name: parent.pe.file_version level: extended type: keyword ignore_above: 1024 description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - name: parent.pe.imphash level: extended type: keyword ignore_above: 1024 description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - name: parent.pe.original_file_name level: extended type: keyword ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - name: parent.pe.product level: extended type: keyword ignore_above: 1024 description: Internal product name of the file, provided at compile-time. example: "Microsoft® Windows® Operating System" default_field: false - name: parent.pgid level: extended type: long format: string description: 'Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. Identifier of the group of processes the process belongs to.' default_field: false - name: parent.pid level: core type: long format: string description: Process id. example: 4242 default_field: false - name: parent.ppid level: extended type: long format: string description: Parent process' pid. example: 4241 default_field: false - name: parent.real_group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: parent.real_group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: parent.real_user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - name: parent.real_user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: Short name or login of the user. example: a.einstein default_field: false - name: parent.saved_group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: parent.saved_group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: parent.saved_user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - name: parent.saved_user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: Short name or login of the user. example: a.einstein default_field: false - name: parent.start level: extended type: date description: The time the process started. example: '2016-05-23T08:05:34.853Z' default_field: false - name: parent.supplemental_groups.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: parent.supplemental_groups.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: parent.thread.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: parent.thread.Ext.call_stack level: custom type: object description: Fields describing a stack frame. call_stack is expected to be an array where each array element represents a stack frame. enabled: true default_field: false - name: parent.thread.Ext.call_stack.allocation_private_bytes level: custom type: unsigned_long description: The number of bytes in this memory allocation/image that are both +X and non-shareable. Non-zero values can indicate code hooking, patching, or hollowing. default_field: false - name: parent.thread.Ext.call_stack.callsite_leading_bytes level: custom type: keyword ignore_above: 1024 description: Hex opcode bytes preceding the callsite default_field: false - name: parent.thread.Ext.call_stack.callsite_trailing_bytes level: custom type: keyword ignore_above: 1024 description: Hex opcode bytes after the callsite (where control will return to) default_field: false - name: parent.thread.Ext.call_stack.protection level: custom type: keyword ignore_above: 1024 description: Protection of the page containing this instruction. This is `R-X' by default if omitted. default_field: false - name: parent.thread.Ext.call_stack.symbol_info level: custom type: keyword ignore_above: 1024 description: The nearest symbol for `instruction_pointer`. default_field: false - name: parent.thread.Ext.call_stack_contains_unbacked level: custom type: boolean description: Indicates whether the creating thread's stack contains frames pointing outside any known executable image. default_field: false - name: parent.thread.Ext.call_stack_summary level: custom type: keyword ignore_above: 1024 description: Concatentation of the non-repeated modules in the call stack. example: ntdll.dll, example.exe, kernel32.dll, ntdll.dll default_field: false - name: parent.thread.id level: extended type: long format: string description: Thread ID. example: 4242 default_field: false - name: parent.thread.name level: extended type: keyword ignore_above: 1024 description: Thread name. example: thread-0 default_field: false - name: parent.title level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: 'Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.' default_field: false - name: parent.tty level: extended type: object description: Information about the controlling TTY device. If set, the process belongs to an interactive session. default_field: false - name: parent.tty.char_device.major level: extended type: long description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. example: 4 default_field: false - name: parent.tty.char_device.minor level: extended type: long description: "The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them." example: 1 default_field: false - name: parent.uptime level: extended type: long description: Seconds the process has been up. example: 1325 default_field: false - name: parent.user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - name: parent.user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: Short name or login of the user. example: a.einstein default_field: false - name: parent.working_directory level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: The working directory of the process. example: /home/alice default_field: false - name: pe.company level: extended type: keyword ignore_above: 1024 description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - name: pe.description level: extended type: keyword ignore_above: 1024 description: Internal description of the file, provided at compile-time. example: Paint default_field: false - name: pe.file_version level: extended type: keyword ignore_above: 1024 description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - name: pe.imphash level: extended type: keyword ignore_above: 1024 description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - name: pe.original_file_name level: extended type: keyword ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - name: pe.product level: extended type: keyword ignore_above: 1024 description: Internal product name of the file, provided at compile-time. example: "Microsoft® Windows® Operating System" default_field: false - name: pgid level: extended type: long format: string description: 'Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. Identifier of the group of processes the process belongs to.' - name: pid level: core type: long format: string description: Process id. example: 4242 - name: ppid level: extended type: long format: string description: Parent process' pid. example: 4241 - name: previous.args level: extended type: keyword ignore_above: 1024 description: 'Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.' example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' default_field: false - name: previous.args_count level: extended type: long description: 'Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.' example: 4 default_field: false - name: previous.executable level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: Absolute path to the process executable. example: /usr/bin/ssh default_field: false - name: real_group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: real_group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: real_user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - name: real_user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: Short name or login of the user. example: a.einstein default_field: false - name: saved_group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: saved_group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: saved_user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - name: saved_user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: Short name or login of the user. example: a.einstein default_field: false - name: session_leader.args level: extended type: keyword ignore_above: 1024 description: 'Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.' example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' default_field: false - name: session_leader.args_count level: extended type: long description: 'Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.' example: 4 default_field: false - name: session_leader.command_line level: extended type: wildcard multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 default_field: false - name: session_leader.entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: session_leader.executable level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: Absolute path to the process executable. example: /usr/bin/ssh default_field: false - name: session_leader.group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: session_leader.group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: session_leader.interactive level: extended type: boolean description: 'Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.' example: true default_field: false - name: session_leader.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: 'Process name. Sometimes called program name or similar.' example: ssh default_field: false - name: session_leader.parent.entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: session_leader.parent.pid level: core type: long format: string description: Process id. example: 4242 default_field: false - name: session_leader.parent.session_leader.entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: session_leader.parent.session_leader.pid level: core type: long format: string description: Process id. example: 4242 default_field: false - name: session_leader.parent.session_leader.start level: extended type: date description: The time the process started. example: '2016-05-23T08:05:34.853Z' default_field: false - name: session_leader.parent.start level: extended type: date description: The time the process started. example: '2016-05-23T08:05:34.853Z' default_field: false - name: session_leader.pid level: core type: long format: string description: Process id. example: 4242 default_field: false - name: session_leader.real_group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: session_leader.real_group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: session_leader.real_user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - name: session_leader.real_user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: Short name or login of the user. example: a.einstein default_field: false - name: session_leader.same_as_process level: extended type: boolean description: 'This boolean is used to identify if a leader process is the same as the top level process. For example, if `process.group_leader.same_as_process = true`, it means the process event in question is the leader of its process group. Details under `process.*` like `pid` would be the same under `process.group_leader.*` The same applies for both `process.session_leader` and `process.entry_leader`. This field exists to the benefit of EQL and other rule engines since it''s not possible to compare equality between two fields in a single document. e.g `process.entity_id` = `process.group_leader.entity_id` (top level process is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is the entry session leader) Instead these rules could be written like: `process.group_leader.same_as_process: true` OR `process.entry_leader.same_as_process: true` Note: This field is only set on `process.entry_leader`, `process.session_leader` and `process.group_leader`.' example: true default_field: false - name: session_leader.saved_group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: session_leader.saved_group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: session_leader.saved_user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - name: session_leader.saved_user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: Short name or login of the user. example: a.einstein default_field: false - name: session_leader.start level: extended type: date description: The time the process started. example: '2016-05-23T08:05:34.853Z' default_field: false - name: session_leader.supplemental_groups.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: session_leader.supplemental_groups.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: session_leader.tty level: extended type: object description: Information about the controlling TTY device. If set, the process belongs to an interactive session. default_field: false - name: session_leader.tty.char_device.major level: extended type: long description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. example: 4 default_field: false - name: session_leader.tty.char_device.minor level: extended type: long description: "The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them." example: 1 default_field: false - name: session_leader.user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - name: session_leader.user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: Short name or login of the user. example: a.einstein default_field: false - name: session_leader.working_directory level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 - name: text type: text norms: false description: The working directory of the process. example: /home/alice default_field: false - name: start level: extended type: date description: The time the process started. example: '2016-05-23T08:05:34.853Z' - name: supplemental_groups.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: supplemental_groups.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: thread.id level: extended type: long format: string description: Thread ID. example: 4242 - name: thread.name level: extended type: keyword ignore_above: 1024 description: Thread name. example: thread-0 - name: title level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text default_field: false description: 'Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.' - name: tty level: extended type: object description: Information about the controlling TTY device. If set, the process belongs to an interactive session. default_field: false - name: tty.char_device.major level: extended type: long description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. example: 4 default_field: false - name: tty.char_device.minor level: extended type: long description: "The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them." example: 1 default_field: false - name: tty.columns level: extended type: long description: 'The number of character columns per line. e.g terminal width Terminal sizes can change, so this value reflects the maximum value for a given IO event. i.e. where event.action = ''text_output''' example: 80 default_field: false - name: tty.rows level: extended type: long description: 'The number of character rows in the terminal. e.g terminal height Terminal sizes can change, so this value reflects the maximum value for a given IO event. i.e. where event.action = ''text_output''' example: 24 default_field: false - name: uptime level: extended type: long description: Seconds the process has been up. example: 1325 - name: user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - name: user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text description: Short name or login of the user. example: a.einstein default_field: false - name: working_directory level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: The working directory of the process. example: /home/alice - name: source title: Source group: 2 description: 'Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.' type: group default_field: true fields: - name: geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal - name: geo.continent_code level: core type: keyword ignore_above: 1024 description: Two-letter code representing continent's name. example: NA default_field: false - name: geo.continent_name level: core type: keyword ignore_above: 1024 description: Name of the continent. example: North America - name: geo.country_iso_code level: core type: keyword ignore_above: 1024 description: Country ISO code. example: CA - name: geo.country_name level: core type: keyword ignore_above: 1024 description: Country name. example: Canada - name: geo.location level: core type: geo_point description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended type: keyword ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.' example: boston-dc - name: geo.postal_code level: core type: keyword ignore_above: 1024 description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.' example: 94040 default_field: false - name: geo.region_iso_code level: core type: keyword ignore_above: 1024 description: Region ISO code. example: CA-QC - name: geo.region_name level: core type: keyword ignore_above: 1024 description: Region name. example: Quebec - name: geo.timezone level: core type: keyword ignore_above: 1024 description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false - name: user title: User group: 2 description: 'The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.' type: group default_field: true fields: - name: Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: Ext.real level: custom type: object description: User info prior to any setuid operations. default_field: false - name: Ext.real.id level: custom type: keyword ignore_above: 1024 description: One or multiple unique identifiers of the user. default_field: false - name: Ext.real.name level: custom type: keyword ignore_above: 1024 description: Short name or login of the user. default_field: false - name: domain level: extended type: keyword ignore_above: 1024 description: 'Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.' - name: email level: extended type: keyword ignore_above: 1024 description: User email address. - name: full_name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text default_field: false description: User's full name, if available. example: Albert Einstein - name: group.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: group.Ext.real level: custom type: object description: Group info prior to any setgid operations. default_field: false - name: group.Ext.real.id level: custom type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: group.Ext.real.name level: custom type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: group.domain level: extended type: keyword ignore_above: 1024 description: Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. - name: group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. - name: group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. - name: hash level: extended type: keyword ignore_above: 1024 description: 'Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.' - name: id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - name: name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text default_field: false description: Short name or login of the user. example: a.einstein PK9C..PK}W0 endpoint-8.10.2/data_stream/process/manifest.ymlUTdtitle: Endpoint Process Events type: logs dataset: endpoint.events.process elasticsearch: index_template: mappings: dynamic: false PK.ŌWPK}W5 endpoint-8.10.2/data_stream/process/sample_event.jsonUTd{ "agent": { "id": "4c9c9cb3-f80f-44d8-9c89-6168243b7f21", "type": "endpoint", "version": "8.3.0-SNAPSHOT" }, "container": { "id": "8d38b2f18290e973c5ea8f9ee207e970a8aa9191fa89bf3d4ea2a126f2f010a6", "image": { "name": "gke.gcr.io/csi-node-driver-registrar:v2.5.0-gke.1", "tag": [ "v2.5.0-gke.1" ], "hash": { "all": [ "sha256:f7988fb6c02e0ce69257d9bd9cf37ae20a60f1df7563c3a2a6abe24160306b8d" ] } }, "name": "csi-driver-registrar" }, "cloud": { "account": { "id": "1234" }, "instance": { "name": "webserver-12" }, "project": { "id": "1234" }, "provider": "aws", "region": "us-east-1" }, "orchestrator": { "cluster": { "id": "f0cd61d5-327b-43e0-bc94-d9ea922fb4b5", "name": "webservers" }, "namespace": "webapp", "resource": { "ip": [ "10.1.237.155" ], "name": "pdcsi-node-6zh4j", "type": "pod", "parent": { "type": "DaemonSet" } } }, "process": { "entry_leader": { "attested_user": { "id": "123", "name": "userA" }, "attested_groups": { "name": "groupA" } }, "Ext": { "ancestry": [ "NGM5YzljYjMtZjgwZi00NGQ4LTljODktNjE2ODI0M2I3ZjIxLTYwMC0xMzI5MzU0OTExMC40NjgyMjI3MDA=", "NGM5YzljYjMtZjgwZi00NGQ4LTljODktNjE2ODI0M2I3ZjIxLTQ3Mi0xMzI5MzU0OTExMC4xNzIwMjY5MDA=" ], "code_signature": [ { "trusted": true, "subject_name": "Microsoft Windows Publisher", "exists": true, "status": "trusted" } ], "mitigation_policies": [ "Microsoft only, Opt-in to restrict to Microsoft, Windows Store and WHQL", "CET dynamic APIs can only be called out of proc", "CF Guard" ], "device": { "volume_device_type": "Disk File System" }, "authentication_id": "0x3e7", "token": { "integrity_level_name": "system", "security_attributes": [ "TSA://ProcUnique" ], "elevation_level": "default" }, "effective_parent": { "entity_id": "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTI3MzItMTMyOTk3MDczNDEuMjUyNTI3NDAw", "executable": "C:\\Windows\\System32\\wbem\\WMIC.exe", "name": "WMIC.exe", "pid": 2732 }, "relative_file_creation_time": 48628704.4029488, "relative_file_name_modify_time": 48628704.4029488, "session_info": { "logon_type": "Interactive", "client_address": "127.0.0.1", "id": 1, "authentication_package": "NTLM", "relative_logon_time": 0.1, "relative_password_age": 2592000.123, "user_flags": [ "LOGON_EXTRA_SIDS", "LOGON_NTLMV2_ENABLED", "LOGON_WINLOGON" ] } }, "parent": { "args": [], "name": "services.exe", "pid": 600, "args_count": 0, "entity_id": "NGM5YzljYjMtZjgwZi00NGQ4LTljODktNjE2ODI0M2I3ZjIxLTYwMC0xMzI5MzU0OTExMC40NjgyMjI3MDA=", "command_line": "", "executable": "C:\\Windows\\System32\\services.exe", "thread": { "Ext": { "call_stack": [ { "allocation_private_bytes": 16384, "callsite_leading_bytes": "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", "callsite_trailing_bytes": "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", "protection": "RWX", "symbol_info": "C:\\Windows\\System32\\ntdll.dll!RtlUserThreadStart+0x21" } ], "call_stack_summary": "ntdll.dll|kernelbase.dll|kernel32.dll|cmd.exe|kernel32.dll|ntdll.dll", "call_stack_contains_unbacked": true } } }, "pid": 2772, "working_directory": "C:\\Windows\\system32\\", "end": "2022-07-18T21:05:19.9419692Z", "entity_id": "NGM5YzljYjMtZjgwZi00NGQ4LTljODktNjE2ODI0M2I3ZjIxLTI3NzItMTMyOTM1NzE5ODguNjU3ODk4NjAw", "executable": "C:\\Windows\\System32\\svchost.exe", "args": [ "C:\\Windows\\System32\\svchost.exe", "-k", "WerSvcGroup" ], "code_signature": { "trusted": true, "subject_name": "Microsoft Windows Publisher", "exists": true, "status": "trusted" }, "pe": { "original_file_name": "svchost.exe" }, "name": "svchost.exe", "args_count": 3, "command_line": "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup", "hash": { "sha1": "4fbfc6004084d97032837c21d3f426892d868eac", "sha256": "cb19fd67b1d028e01f54c426a0924528c4a8d8ed8996cfe0ee0c6e45285436a1", "md5": "1b280ad032268a636ecfe6f9165431b7" }, "tty": { "char_device": { "major": 4, "minor": 1 }, "rows": 24, "columns": 80 }, "io": { "text": "helloworld", "total_bytes_captured": 10, "total_bytes_skipped": 0, "max_bytes_per_process_exceeded": false }, "env_vars": [ "NICK=test", "OTHER=why" ] }, "message": "Endpoint process event", "@timestamp": "2022-04-04T18:53:08.6578986Z", "ecs": { "version": "1.11.0" }, "data_stream": { "namespace": "default", "type": "logs", "dataset": "endpoint.events.process" }, "host": { "hostname": "data-viz-win-1", "os": { "Ext": { "variant": "Windows Server 2019 Datacenter" }, "kernel": "1809 (10.0.17763.2686)", "name": "Windows", "family": "windows", "type": "windows", "version": "1809 (10.0.17763.2686)", "platform": "windows", "full": "Windows Server 2019 Datacenter 1809 (10.0.17763.2686)" }, "ip": [ "10.201.0.13", "fe80::f40a:aed0:618a:972d", "127.0.0.1", "::1" ], "name": "data-viz-win-1", "id": "2beebb8e-e5f0-46ca-8635-97ba7bb8ccca", "mac": [ "00-00-5E-00-53-23" ], "architecture": "x86_64" }, "event": { "agent_id_status": "verified", "sequence": 36236, "ingested": "2022-04-04T18:53:18Z", "created": "2022-04-04T18:53:08.6578986Z", "kind": "event", "module": "endpoint", "action": "start", "id": "MYfZG00oEwD2/fqT+++++CLz", "category": [ "process" ], "type": [ "start" ], "dataset": "endpoint.events.process" }, "user": { "domain": "NT AUTHORITY", "name": "SYSTEM", "id": "S-1-5-18" } }PKG#rrPK}W% endpoint-8.10.2/data_stream/registry/UTdPK}W3 endpoint-8.10.2/data_stream/registry/elasticsearch/UTdPK}WC endpoint-8.10.2/data_stream/registry/elasticsearch/ingest_pipeline/UTdPK}WO endpoint-8.10.2/data_stream/registry/elasticsearch/ingest_pipeline/default.jsonUTd{ "description": "Pipeline for setting event.ingested", "processors": [ { "set": { "field": "event.ingested", "value": "{{ _ingest.timestamp }}", "ignore_failure": true } } ] } PKx{PK}W, endpoint-8.10.2/data_stream/registry/fields/UTdPK}W6 endpoint-8.10.2/data_stream/registry/fields/fields.ymlUTd- name: '@timestamp' level: core required: true type: date description: 'Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.' example: '2016-05-23T08:05:34.853Z' default_field: true - name: message level: core type: match_only_text description: 'For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.' example: Hello World default_field: true - name: Effective_process title: Effective_process group: 2 description: 'These fields contain information about an effective process. The effective process is the process that requested the a specific action, without directly performing it. Processes can have effective parents that differ from their regular parents. For example, on Windows, "wmic process call create notepad" will ask WmiPrvSE.exe to launch notepad.exe. WmiPrvSE will be notepad''s parent, but the wmic will be the effective parent. Events can have effective processes that differ from their regular processes. For example, on Windows, "reg add \\localhost\HKLM\Software\Foo /v Data /t REG_SZ /d 123" will result in a registry event from the Remote Registry service (svchost.exe). In this case, the effective process will be reg.exe.' type: group default_field: true fields: - name: entity_id level: custom type: keyword ignore_above: 1024 description: Unique identifier for the effective process. example: c2c455d9f99375d default_field: false - name: executable level: custom type: keyword ignore_above: 1024 description: Executable name for the effective process. example: C:\Windows\System32\wbem\WMIC.exe default_field: false - name: name level: custom type: keyword ignore_above: 1024 description: Process name for the effective process. example: WMIC.exe default_field: false - name: pid level: custom type: long description: Process ID. example: 4242 default_field: false - name: agent title: Agent group: 2 description: 'The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.' footnote: 'Examples: In the case of Beats for logs, the agent.name is filebeat. For APM, it is the agent running in the app/service. The agent information does not change if data is sent through queuing systems like Kafka, Redis, or processing systems such as Logstash or APM Server.' type: group default_field: true fields: - name: id level: core type: keyword ignore_above: 1024 description: 'Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.' example: 8a4f500d - name: type level: core type: keyword ignore_above: 1024 description: 'Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.' example: filebeat - name: version level: core type: keyword ignore_above: 1024 description: Version of the agent. example: 6.0.0-rc2 - name: data_stream title: data_stream group: 2 description: Fields describing the new indexing strategy -- type: group default_field: true fields: - name: dataset level: custom type: constant_keyword description: Data stream dataset name. example: nginx.access default_field: false - name: namespace level: custom type: constant_keyword description: Data stream namespace. example: production default_field: false - name: type level: custom type: constant_keyword description: Data stream type. example: logs default_field: false - name: destination title: Destination group: 2 description: 'Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.' type: group default_field: true fields: - name: geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal - name: geo.continent_code level: core type: keyword ignore_above: 1024 description: Two-letter code representing continent's name. example: NA default_field: false - name: geo.continent_name level: core type: keyword ignore_above: 1024 description: Name of the continent. example: North America - name: geo.country_iso_code level: core type: keyword ignore_above: 1024 description: Country ISO code. example: CA - name: geo.country_name level: core type: keyword ignore_above: 1024 description: Country name. example: Canada - name: geo.location level: core type: geo_point description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended type: keyword ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.' example: boston-dc - name: geo.postal_code level: core type: keyword ignore_above: 1024 description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.' example: 94040 default_field: false - name: geo.region_iso_code level: core type: keyword ignore_above: 1024 description: Region ISO code. example: CA-QC - name: geo.region_name level: core type: keyword ignore_above: 1024 description: Region name. example: Quebec - name: geo.timezone level: core type: keyword ignore_above: 1024 description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false - name: ecs title: ECS group: 2 description: Meta-information specific to ECS. type: group default_field: true fields: - name: version level: core required: true type: keyword ignore_above: 1024 description: 'ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.' example: 1.0.0 - name: event title: Event group: 2 description: 'The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events.' type: group default_field: true fields: - name: action level: core type: keyword ignore_above: 1024 description: 'The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.' example: user-password-change - name: category level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.' example: authentication - name: code level: extended type: keyword ignore_above: 1024 description: 'Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.' example: 4648 - name: created level: core type: date description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent''s or pipeline''s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.' example: '2016-05-23T08:05:34.857Z' - name: dataset level: core type: keyword ignore_above: 1024 description: 'Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It''s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.' example: apache.access - name: hash level: extended type: keyword ignore_above: 1024 description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. example: 123456789012345678901234567890ABCD - name: id level: core type: keyword ignore_above: 1024 description: Unique ID to describe the event. example: 8a4f500d - name: ingested level: core type: date description: 'Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It''s also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.' example: '2016-05-23T08:05:35.101Z' default_field: false - name: kind level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.' example: alert - name: module level: core type: keyword ignore_above: 1024 description: 'Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.' example: apache - name: outcome level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.' example: success - name: provider level: extended type: keyword ignore_above: 1024 description: 'Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).' example: kernel - name: sequence level: extended type: long format: string description: 'Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.' - name: severity level: core type: long format: string description: 'The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It''s up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.' example: 7 - name: type level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types.' - name: group title: Group group: 2 description: The group fields are meant to represent groups that are relevant to the event. type: group default_field: true fields: - name: Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: Ext.real level: custom type: object description: Group info prior to any setgid operations. default_field: false - name: Ext.real.id level: custom type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: Ext.real.name level: custom type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: domain level: extended type: keyword ignore_above: 1024 description: Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. - name: id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. - name: name level: extended type: keyword ignore_above: 1024 description: Name of the group. - name: host title: Host group: 2 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group default_field: true fields: - name: architecture level: core type: keyword ignore_above: 1024 description: Operating system architecture. example: x86_64 - name: domain level: extended type: keyword ignore_above: 1024 description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO default_field: false - name: hostname level: core type: keyword ignore_above: 1024 description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - name: id level: core type: keyword ignore_above: 1024 description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - name: ip level: core type: ip description: Host ip addresses. - name: mac level: core type: keyword ignore_above: 1024 description: 'Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.' example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - name: name level: core type: keyword ignore_above: 1024 description: 'Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.' - name: os.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: os.Ext.variant level: custom type: keyword ignore_above: 1024 description: A string value or phrase that further aid to classify or qualify the operating system (OS). For example the distribution for a Linux OS will be entered in this field. example: Ubuntu default_field: false - name: os.family level: extended type: keyword ignore_above: 1024 description: OS family (such as redhat, debian, freebsd, windows). example: debian - name: os.full level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Operating system name, including the version or code name. example: Mac OS Mojave - name: os.kernel level: extended type: keyword ignore_above: 1024 description: Operating system kernel version as a raw string. example: 4.4.0-112-generic - name: os.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Operating system name, without the version. example: Mac OS X - name: os.platform level: extended type: keyword ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin - name: os.type level: extended type: keyword ignore_above: 1024 description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you''re dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.' example: macos default_field: false - name: os.version level: extended type: keyword ignore_above: 1024 description: Operating system version as a raw string. example: 10.14.1 - name: type level: core type: keyword ignore_above: 1024 description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: uptime level: extended type: long description: Seconds the host has been up. example: 1325 - name: process title: Process group: 2 description: 'These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation.' type: group default_field: true fields: - name: Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: Ext.ancestry level: custom type: keyword ignore_above: 1024 description: An array of entity_ids indicating the ancestors for this event default_field: false - name: Ext.code_signature level: custom type: nested description: Nested version of ECS code_signature fieldset. default_field: false - name: Ext.code_signature.exists level: custom type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: Ext.code_signature.status level: custom type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: Ext.code_signature.subject_name level: custom type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: Ext.code_signature.trusted level: custom type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: Ext.code_signature.valid level: custom type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: code_signature.exists level: core type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: code_signature.signing_id level: extended type: keyword ignore_above: 1024 description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: code_signature.status level: extended type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: code_signature.subject_name level: core type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: code_signature.team_id level: extended type: keyword ignore_above: 1024 description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: code_signature.trusted level: extended type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: code_signature.valid level: extended type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: executable level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Absolute path to the process executable. example: /usr/bin/ssh - name: name level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: 'Process name. Sometimes called program name or similar.' example: ssh - name: pid level: core type: long format: string description: Process id. example: 4242 - name: thread.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: thread.Ext.call_stack level: custom type: object description: Fields describing a stack frame. call_stack is expected to be an array where each array element represents a stack frame. enabled: true default_field: false - name: thread.Ext.call_stack.allocation_private_bytes level: custom type: unsigned_long description: The number of bytes in this memory allocation/image that are both +X and non-shareable. Non-zero values can indicate code hooking, patching, or hollowing. default_field: false - name: thread.Ext.call_stack.callsite_leading_bytes level: custom type: keyword ignore_above: 1024 description: Hex opcode bytes preceding the callsite default_field: false - name: thread.Ext.call_stack.callsite_trailing_bytes level: custom type: keyword ignore_above: 1024 description: Hex opcode bytes after the callsite (where control will return to) default_field: false - name: thread.Ext.call_stack.protection level: custom type: keyword ignore_above: 1024 description: Protection of the page containing this instruction. This is `R-X' by default if omitted. default_field: false - name: thread.Ext.call_stack.symbol_info level: custom type: keyword ignore_above: 1024 description: The nearest symbol for `instruction_pointer`. default_field: false - name: thread.Ext.call_stack_summary level: custom type: keyword ignore_above: 1024 description: Concatentation of the non-repeated modules in the call stack. example: ntdll.dll, example.exe, kernel32.dll, ntdll.dll default_field: false - name: thread.id level: extended type: long format: string description: Thread ID. example: 4242 - name: registry title: Registry group: 2 description: Fields related to Windows Registry operations. type: group default_field: true fields: - name: data.bytes level: extended type: keyword ignore_above: 1024 description: 'Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.' example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= default_field: false - name: data.strings level: core type: wildcard description: 'Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).' example: '["C:\rta\red_ttp\bin\myapp.exe"]' default_field: false - name: data.type level: core type: keyword ignore_above: 1024 description: Standard registry type for encoding contents example: REG_SZ default_field: false - name: hive level: core type: keyword ignore_above: 1024 description: Abbreviated name for the hive. example: HKLM default_field: false - name: key level: core type: keyword ignore_above: 1024 description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe default_field: false - name: path level: core type: keyword ignore_above: 1024 description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger default_field: false - name: value level: core type: keyword ignore_above: 1024 description: Name of the value written. example: Debugger default_field: false - name: source title: Source group: 2 description: 'Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.' type: group default_field: true fields: - name: geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal - name: geo.continent_code level: core type: keyword ignore_above: 1024 description: Two-letter code representing continent's name. example: NA default_field: false - name: geo.continent_name level: core type: keyword ignore_above: 1024 description: Name of the continent. example: North America - name: geo.country_iso_code level: core type: keyword ignore_above: 1024 description: Country ISO code. example: CA - name: geo.country_name level: core type: keyword ignore_above: 1024 description: Country name. example: Canada - name: geo.location level: core type: geo_point description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended type: keyword ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.' example: boston-dc - name: geo.postal_code level: core type: keyword ignore_above: 1024 description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.' example: 94040 default_field: false - name: geo.region_iso_code level: core type: keyword ignore_above: 1024 description: Region ISO code. example: CA-QC - name: geo.region_name level: core type: keyword ignore_above: 1024 description: Region name. example: Quebec - name: geo.timezone level: core type: keyword ignore_above: 1024 description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false - name: user title: User group: 2 description: 'The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.' type: group default_field: true fields: - name: Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: Ext.real level: custom type: object description: User info prior to any setuid operations. default_field: false - name: Ext.real.id level: custom type: keyword ignore_above: 1024 description: One or multiple unique identifiers of the user. default_field: false - name: Ext.real.name level: custom type: keyword ignore_above: 1024 description: Short name or login of the user. default_field: false - name: domain level: extended type: keyword ignore_above: 1024 description: 'Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.' - name: email level: extended type: keyword ignore_above: 1024 description: User email address. - name: full_name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text default_field: false description: User's full name, if available. example: Albert Einstein - name: group.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: group.Ext.real level: custom type: object description: Group info prior to any setgid operations. default_field: false - name: group.Ext.real.id level: custom type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: group.Ext.real.name level: custom type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: group.domain level: extended type: keyword ignore_above: 1024 description: Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. - name: group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. - name: group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. - name: hash level: extended type: keyword ignore_above: 1024 description: 'Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.' - name: id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - name: name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text default_field: false description: Short name or login of the user. example: a.einstein PK2TTPK}W1 endpoint-8.10.2/data_stream/registry/manifest.ymlUTdtitle: Endpoint Registry Events type: logs dataset: endpoint.events.registry elasticsearch: index_template: mappings: dynamic: false PK!-- type: group default_field: true fields: - name: dataset level: custom type: constant_keyword description: Data stream dataset name. example: nginx.access default_field: false - name: namespace level: custom type: constant_keyword description: Data stream namespace. example: production default_field: false - name: type level: custom type: constant_keyword description: Data stream type. example: logs default_field: false - name: destination title: Destination group: 2 description: 'Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.' type: group default_field: true fields: - name: geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal - name: geo.continent_code level: core type: keyword ignore_above: 1024 description: Two-letter code representing continent's name. example: NA default_field: false - name: geo.continent_name level: core type: keyword ignore_above: 1024 description: Name of the continent. example: North America - name: geo.country_iso_code level: core type: keyword ignore_above: 1024 description: Country ISO code. example: CA - name: geo.country_name level: core type: keyword ignore_above: 1024 description: Country name. example: Canada - name: geo.location level: core type: geo_point description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended type: keyword ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.' example: boston-dc - name: geo.postal_code level: core type: keyword ignore_above: 1024 description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.' example: 94040 default_field: false - name: geo.region_iso_code level: core type: keyword ignore_above: 1024 description: Region ISO code. example: CA-QC - name: geo.region_name level: core type: keyword ignore_above: 1024 description: Region name. example: Quebec - name: geo.timezone level: core type: keyword ignore_above: 1024 description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false - name: ecs title: ECS group: 2 description: Meta-information specific to ECS. type: group default_field: true fields: - name: version level: core required: true type: keyword ignore_above: 1024 description: 'ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.' example: 1.0.0 - name: event title: Event group: 2 description: 'The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events.' type: group default_field: true fields: - name: action level: core type: keyword ignore_above: 1024 description: 'The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.' example: user-password-change - name: category level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.' example: authentication - name: code level: extended type: keyword ignore_above: 1024 description: 'Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.' example: 4648 - name: created level: core type: date description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent''s or pipeline''s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.' example: '2016-05-23T08:05:34.857Z' - name: dataset level: core type: keyword ignore_above: 1024 description: 'Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It''s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.' example: apache.access - name: hash level: extended type: keyword ignore_above: 1024 description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. example: 123456789012345678901234567890ABCD - name: id level: core type: keyword ignore_above: 1024 description: Unique ID to describe the event. example: 8a4f500d - name: ingested level: core type: date description: 'Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It''s also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.' example: '2016-05-23T08:05:35.101Z' default_field: false - name: kind level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.' example: alert - name: module level: core type: keyword ignore_above: 1024 description: 'Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.' example: apache - name: outcome level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.' example: success - name: provider level: extended type: keyword ignore_above: 1024 description: 'Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).' example: kernel - name: sequence level: extended type: long format: string description: 'Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.' - name: severity level: core type: long format: string description: 'The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It''s up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.' example: 7 - name: type level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types.' - name: group title: Group group: 2 description: The group fields are meant to represent groups that are relevant to the event. type: group default_field: true fields: - name: Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: Ext.real level: custom type: object description: Group info prior to any setgid operations. default_field: false - name: Ext.real.id level: custom type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: Ext.real.name level: custom type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: domain level: extended type: keyword ignore_above: 1024 description: Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. - name: id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. - name: name level: extended type: keyword ignore_above: 1024 description: Name of the group. - name: host title: Host group: 2 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group default_field: true fields: - name: architecture level: core type: keyword ignore_above: 1024 description: Operating system architecture. example: x86_64 - name: domain level: extended type: keyword ignore_above: 1024 description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO default_field: false - name: hostname level: core type: keyword ignore_above: 1024 description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - name: id level: core type: keyword ignore_above: 1024 description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - name: ip level: core type: ip description: Host ip addresses. - name: mac level: core type: keyword ignore_above: 1024 description: 'Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.' example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - name: name level: core type: keyword ignore_above: 1024 description: 'Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.' - name: os.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: os.Ext.variant level: custom type: keyword ignore_above: 1024 description: A string value or phrase that further aid to classify or qualify the operating system (OS). For example the distribution for a Linux OS will be entered in this field. example: Ubuntu default_field: false - name: os.family level: extended type: keyword ignore_above: 1024 description: OS family (such as redhat, debian, freebsd, windows). example: debian - name: os.full level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Operating system name, including the version or code name. example: Mac OS Mojave - name: os.kernel level: extended type: keyword ignore_above: 1024 description: Operating system kernel version as a raw string. example: 4.4.0-112-generic - name: os.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Operating system name, without the version. example: Mac OS X - name: os.platform level: extended type: keyword ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin - name: os.type level: extended type: keyword ignore_above: 1024 description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you''re dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.' example: macos default_field: false - name: os.version level: extended type: keyword ignore_above: 1024 description: Operating system version as a raw string. example: 10.14.1 - name: type level: core type: keyword ignore_above: 1024 description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: uptime level: extended type: long description: Seconds the host has been up. example: 1325 - name: process title: Process group: 2 description: 'These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation.' type: group default_field: true fields: - name: Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: Ext.ancestry level: custom type: keyword ignore_above: 1024 description: An array of entity_ids indicating the ancestors for this event default_field: false - name: Ext.code_signature level: custom type: nested description: Nested version of ECS code_signature fieldset. default_field: false - name: Ext.code_signature.exists level: custom type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: Ext.code_signature.status level: custom type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: Ext.code_signature.subject_name level: custom type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: Ext.code_signature.trusted level: custom type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: Ext.code_signature.valid level: custom type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: code_signature.exists level: core type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: code_signature.signing_id level: extended type: keyword ignore_above: 1024 description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: code_signature.status level: extended type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: code_signature.subject_name level: core type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: code_signature.team_id level: extended type: keyword ignore_above: 1024 description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: code_signature.trusted level: extended type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: code_signature.valid level: extended type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: executable level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: Absolute path to the process executable. example: /usr/bin/ssh - name: name level: extended type: keyword ignore_above: 1024 multi_fields: - name: caseless type: keyword normalizer: lowercase ignore_above: 1024 default_field: false - name: text type: text norms: false default_field: false description: 'Process name. Sometimes called program name or similar.' example: ssh - name: pid level: core type: long format: string description: Process id. example: 4242 - name: thread.id level: extended type: long format: string description: Thread ID. example: 4242 - name: source title: Source group: 2 description: 'Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.' type: group default_field: true fields: - name: geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal - name: geo.continent_code level: core type: keyword ignore_above: 1024 description: Two-letter code representing continent's name. example: NA default_field: false - name: geo.continent_name level: core type: keyword ignore_above: 1024 description: Name of the continent. example: North America - name: geo.country_iso_code level: core type: keyword ignore_above: 1024 description: Country ISO code. example: CA - name: geo.country_name level: core type: keyword ignore_above: 1024 description: Country name. example: Canada - name: geo.location level: core type: geo_point description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended type: keyword ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.' example: boston-dc - name: geo.postal_code level: core type: keyword ignore_above: 1024 description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.' example: 94040 default_field: false - name: geo.region_iso_code level: core type: keyword ignore_above: 1024 description: Region ISO code. example: CA-QC - name: geo.region_name level: core type: keyword ignore_above: 1024 description: Region name. example: Quebec - name: geo.timezone level: core type: keyword ignore_above: 1024 description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false - name: user title: User group: 2 description: 'The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.' type: group default_field: true fields: - name: Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: Ext.real level: custom type: object description: User info prior to any setuid operations. default_field: false - name: Ext.real.id level: custom type: keyword ignore_above: 1024 description: One or multiple unique identifiers of the user. default_field: false - name: Ext.real.name level: custom type: keyword ignore_above: 1024 description: Short name or login of the user. default_field: false - name: domain level: extended type: keyword ignore_above: 1024 description: 'Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.' - name: email level: extended type: keyword ignore_above: 1024 description: User email address. - name: full_name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text default_field: false description: User's full name, if available. example: Albert Einstein - name: group.Ext level: custom type: object description: Object for all custom defined fields to live in. default_field: false - name: group.Ext.real level: custom type: object description: Group info prior to any setgid operations. default_field: false - name: group.Ext.real.id level: custom type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: group.Ext.real.name level: custom type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: group.domain level: extended type: keyword ignore_above: 1024 description: Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. - name: group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. - name: group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. - name: hash level: extended type: keyword ignore_above: 1024 description: 'Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.' - name: id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - name: name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text default_field: false description: Short name or login of the user. example: a.einstein PKyǦPK}W1 endpoint-8.10.2/data_stream/security/manifest.ymlUTdtitle: Endpoint Security Events type: logs dataset: endpoint.events.security elasticsearch: index_template: mappings: dynamic: false PKw]őPK}W6 endpoint-8.10.2/data_stream/security/sample_event.jsonUTd{ "agent": { "id": "4c9c9cb3-f80f-44d8-9c89-6168243b7f21", "type": "endpoint", "version": "8.3.0-SNAPSHOT" }, "process": { "Ext": { "ancestry": [ "NGM5YzljYjMtZjgwZi00NGQ4LTljODktNjE2ODI0M2I3ZjIxLTQ3Mi0xMzI5MzU0OTExMC4xNzIwMjY5MDA=" ], "code_signature": [ { "trusted": true, "subject_name": "Microsoft Windows Publisher", "exists": true, "status": "trusted" } ] }, "code_signature": { "trusted": true, "subject_name": "Microsoft Windows Publisher", "exists": true, "status": "trusted" }, "name": "C:\\Windows\\System32\\services.exe", "entity_id": "NGM5YzljYjMtZjgwZi00NGQ4LTljODktNjE2ODI0M2I3ZjIxLTYwMC0xMzI5MzU0OTExMC40NjgyMjI3MDA=", "executable": "C:\\Windows\\System32\\services.exe" }, "message": "Endpoint security event", "@timestamp": "2022-04-04T18:53:08.6510289Z", "ecs": { "version": "1.11.0" }, "data_stream": { "namespace": "default", "type": "logs", "dataset": "endpoint.events.security" }, "host": { "hostname": "data-viz-win-1", "os": { "Ext": { "variant": "Windows Server 2019 Datacenter" }, "kernel": "1809 (10.0.17763.2686)", "name": "Windows", "family": "windows", "type": "windows", "version": "1809 (10.0.17763.2686)", "platform": "windows", "full": "Windows Server 2019 Datacenter 1809 (10.0.17763.2686)" }, "ip": [ "10.201.0.13", "fe80::f40a:aed0:618a:972d", "127.0.0.1", "::1" ], "name": "data-viz-win-1", "id": "2beebb8e-e5f0-46ca-8635-97ba7bb8ccca", "mac": [ "00-00-5E-00-53-23" ], "architecture": "x86_64" }, "event": { "agent_id_status": "verified", "sequence": 36385, "ingested": "2022-04-04T18:53:18Z", "created": "2022-04-04T18:53:08.6510289Z", "kind": "event", "module": "endpoint", "action": "log_on", "id": "MYfZG00oEwD2/fqT+++++CQ/", "category": [ "authentication", "session" ], "type": [ "start" ], "dataset": "endpoint.events.security", "outcome": "success" }, "user": { "domain": "NT AUTHORITY", "name": "SYSTEM", "id": "S-1-5-18" } }PKqNk PK}W endpoint-8.10.2/docs/UTdPK}W endpoint-8.10.2/docs/README.mdUTd# Elastic Defend Integration Elastic Defend provides organizations with prevention, detection, and response capabilities with deep visibility for EPP, EDR, SIEM, and Security Analytics use cases across Windows, macOS, and Linux operating systems running on both traditional endpoints and public cloud environments. ​​Use Elastic Defend to: - **Prevent complex attacks** - Prevent malware (Windows, macOS, Linux) and ransomware (Windows) from executing, and stop advanced threats with malicious behavior (Windows, macOS, Linux), memory threat (Windows, macOS, Linux), and credential hardening (Windows) protections. All powered by [Elastic Labs](https://www.elastic.co/security-labs/) and our global community. - **Alert in high fidelity** - Bolster team efficacy by detecting threats centrally and minimizing false positives via extensive corroboration. - **Detect threats in high fidelity** - Elastic Defend facilitates deep visibility by instrumenting the process, file, and network data in your environments with minimal data collection overhead. - **Triage and respond rapidly** - Quickly analyze detailed data from across your hosts. Examine host-based activity with interactive visualizations. Invoke remote response actions across distributed endpoints. Extend investigation capabilities even further with the Osquery integration, fully integrated into Elastic Security workflows. - **Secure your cloud workloads** - Stop threats targeting cloud workloads and cloud-native applications. Gain real-time visibility and control with a lightweight user-space agent, powered by eBPF. Automate the identification of cloud threats with detection rules and machine learning (ML). Achieve rapid time-to-value with MITRE ATT&CK-aligned detections honed by Elastic Security Labs. - **View terminal sessions** - Give your security team a unique and powerful investigative tool for digital forensics and incident response (DFIR), reducing the mean time to respond (MTTR). Session view provides a time-ordered series of process executions in your Linux workloads in the form of a terminal shell, as well as the ability to replay the terminal session. **Installation guide** For in-depth, step-by-step instructions to help you get started with Elastic Defend, read through our [installation guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). For macOS endpoints, we recommend reviewing our documentation on [enabling full disk access](https://www.elastic.co/guide/en/security/current/deploy-elastic-endpoint.html#enable-fda-endpoint). ## Compatibility For compatibility information view our [documentation](https://www.elastic.co/guide/en/security/current/index.html). ## Logs The log type of documents are stored in the `logs-endpoint.*` indices. The following sections define the mapped fields sent by the endpoint. ### alerts #### Exported fields | Field | Description | Type | |---|---|---| | @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | Endpoint.policy | The policy fields are used to hold information about applied policy. | object | | Endpoint.policy.applied | information about the policy that is applied | object | | Endpoint.policy.applied.id | the id of the applied policy | keyword | | Endpoint.policy.applied.name | the name of this applied policy | keyword | | Endpoint.policy.applied.status | the status of the applied policy | keyword | | Endpoint.policy.applied.version | the version of this applied policy | keyword | | Events | events array | object | | Memory_protection.cross_session | Is this process injecting across operating system sessions? | boolean | | Memory_protection.feature | Memory Protection feature which triggered the alert. | keyword | | Memory_protection.parent_to_child | Is this process injecting into its child? | boolean | | Memory_protection.self_injection | Is this alert about a process injecting into itself? | boolean | | Memory_protection.thread_count | The number of threads that this alert applies to. If several alerts occur in a short period of time, they can be combined into a single alert with thread_count > 1. | long | | Memory_protection.unique_key_v1 | A unique key created by hashing several characteristics of this alert. | keyword | | Ransomware.child_processes.executable | Absolute path to the process executable. | keyword | | Ransomware.child_processes.feature | Ransomware feature which triggered the alert. | keyword | | Ransomware.child_processes.files | Information about each file event attributed to the ransomware. Expected to be an array. | nested | | Ransomware.child_processes.files.data | File header or MBR bytes. | keyword | | Ransomware.child_processes.files.entropy | Entropy of file contents. | double | | Ransomware.child_processes.files.extension | File extension, excluding the leading dot. | keyword | | Ransomware.child_processes.files.metrics | Suspicious ransomware behaviours associated with the file event. | keyword | | Ransomware.child_processes.files.operation | Operation applied to file. | keyword | | Ransomware.child_processes.files.original.extension | Original file extension prior to the file event. | keyword | | Ransomware.child_processes.files.original.path | Original file path prior to the file event. | keyword | | Ransomware.child_processes.files.path | Full path to the file, including the file name. | keyword | | Ransomware.child_processes.files.score | Ransomware score for this particular file event. | double | | Ransomware.child_processes.pid | Process id. | long | | Ransomware.child_processes.score | Total ransomware score for aggregated file events. | double | | Ransomware.child_processes.version | Ransomware artifact version. | keyword | | Ransomware.executable | Absolute path to the process executable. | keyword | | Ransomware.feature | Ransomware feature which triggered the alert. | keyword | | Ransomware.files | Information about each file event attributed to the ransomware. Expected to be an array. | nested | | Ransomware.files.data | File header or MBR bytes. | keyword | | Ransomware.files.entropy | Entropy of file contents. | double | | Ransomware.files.extension | File extension, excluding the leading dot. | keyword | | Ransomware.files.metrics | Suspicious ransomware behaviours associated with the file event. | keyword | | Ransomware.files.operation | Operation applied to file. | keyword | | Ransomware.files.original.extension | Original file extension prior to the file event. | keyword | | Ransomware.files.original.path | Original file path prior to the file event. | keyword | | Ransomware.files.path | Full path to the file, including the file name. | keyword | | Ransomware.files.score | Ransomware score for this particular file event. | double | | Ransomware.pid | Process id. | long | | Ransomware.score | Total ransomware score for aggregated file events. | double | | Ransomware.version | Ransomware artifact version. | keyword | | Responses.@timestamp | Timestamp in which action was taken | date | | Responses.action | Dictionary representing requested response action | nested | | Responses.action.action | Response action name | keyword | | Responses.action.field | Field in the triggering event to use as input for action | text | | Responses.action.file.attributes | Destination file attributes | keyword | | Responses.action.file.path | Destination file path | keyword | | Responses.action.file.reason | Combined USN file modification reason | long | | Responses.action.key.actions | Actions taken by Registry Rollback for key | keyword | | Responses.action.key.path | NT path of registry key recovered by Rollback | keyword | | Responses.action.key.values | Values modified | object | | Responses.action.key.values.actions | Actions taken by Registry Rollback for value | keyword | | Responses.action.key.values.name | Value name recovered by Rollback | keyword | | Responses.action.process.message | Status message for Process Rollback | keyword | | Responses.action.process.path | Path of process killed by Process Rollback | keyword | | Responses.action.process.result | Result code for Process Rollback | long | | Responses.action.source.attributes | Source file attributes | keyword | | Responses.action.source.path | Source file path | keyword | | Responses.action.state | Index of event in events array to use for field lookup | long | | Responses.action.tree | Indicates whether or not an action was taken against an entire process tree | boolean | | Responses.message | Result message | text | | Responses.process | Dictionary representing process information | nested | | Responses.process.entity_id | Entity id of actionable process | text | | Responses.process.name | Name of actionable process | keyword | | Responses.process.pid | pid of actionable process | long | | Responses.result | Response action result code | long | | Target.dll.Ext | Object for all custom defined fields to live in. | object | | Target.dll.Ext.code_signature | Nested version of ECS code_signature fieldset. | nested | | Target.dll.Ext.code_signature.exists | Boolean to capture if a signature is present. | boolean | | Target.dll.Ext.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | Target.dll.Ext.code_signature.subject_name | Subject name of the code signer | keyword | | Target.dll.Ext.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | Target.dll.Ext.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | Target.dll.Ext.compile_time | Timestamp from when the module was compiled. | date | | Target.dll.Ext.malware_classification.identifier | The model's unique identifier. | keyword | | Target.dll.Ext.malware_classification.score | The score produced by the classification model. | double | | Target.dll.Ext.malware_classification.threshold | The score threshold for the model. Files that score above this threshold are considered malicious. | double | | Target.dll.Ext.malware_classification.upx_packed | Whether UPX packing was detected. | boolean | | Target.dll.Ext.malware_classification.version | The version of the model used. | keyword | | Target.dll.Ext.mapped_address | The base address where this module is loaded. | unsigned_long | | Target.dll.Ext.mapped_size | The size of this module's memory mapping, in bytes. | unsigned_long | | Target.dll.code_signature.exists | Boolean to capture if a signature is present. | boolean | | Target.dll.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. | keyword | | Target.dll.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | Target.dll.code_signature.subject_name | Subject name of the code signer | keyword | | Target.dll.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. | keyword | | Target.dll.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | Target.dll.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | Target.dll.hash.md5 | MD5 hash. | keyword | | Target.dll.hash.sha1 | SHA1 hash. | keyword | | Target.dll.hash.sha256 | SHA256 hash. | keyword | | Target.dll.hash.sha512 | SHA512 hash. | keyword | | Target.dll.name | Name of the library. This generally maps to the name of the file on disk. | keyword | | Target.dll.path | Full file path of the library. | keyword | | Target.dll.pe.company | Internal company name of the file, provided at compile-time. | keyword | | Target.dll.pe.description | Internal description of the file, provided at compile-time. | keyword | | Target.dll.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | Target.dll.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | Target.dll.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | Target.dll.pe.product | Internal product name of the file, provided at compile-time. | keyword | | Target.process.Ext | Object for all custom defined fields to live in. | object | | Target.process.Ext.ancestry | An array of entity_ids indicating the ancestors for this event | keyword | | Target.process.Ext.architecture | Process architecture. It can differ from host architecture. | keyword | | Target.process.Ext.authentication_id | Process authentication ID | keyword | | Target.process.Ext.code_signature | Nested version of ECS code_signature fieldset. | nested | | Target.process.Ext.code_signature.exists | Boolean to capture if a signature is present. | boolean | | Target.process.Ext.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | Target.process.Ext.code_signature.subject_name | Subject name of the code signer | keyword | | Target.process.Ext.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | Target.process.Ext.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | Target.process.Ext.dll.Ext | Object for all custom defined fields to live in. | object | | Target.process.Ext.dll.Ext.code_signature | Nested version of ECS code_signature fieldset. | nested | | Target.process.Ext.dll.Ext.code_signature.exists | Boolean to capture if a signature is present. | boolean | | Target.process.Ext.dll.Ext.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | Target.process.Ext.dll.Ext.code_signature.subject_name | Subject name of the code signer | keyword | | Target.process.Ext.dll.Ext.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | Target.process.Ext.dll.Ext.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | Target.process.Ext.dll.Ext.compile_time | Timestamp from when the module was compiled. | date | | Target.process.Ext.dll.Ext.mapped_address | The base address where this module is loaded. | unsigned_long | | Target.process.Ext.dll.Ext.mapped_size | The size of this module's memory mapping, in bytes. | unsigned_long | | Target.process.Ext.dll.code_signature.exists | Boolean to capture if a signature is present. | boolean | | Target.process.Ext.dll.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. | keyword | | Target.process.Ext.dll.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | Target.process.Ext.dll.code_signature.subject_name | Subject name of the code signer | keyword | | Target.process.Ext.dll.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. | keyword | | Target.process.Ext.dll.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | Target.process.Ext.dll.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | Target.process.Ext.dll.hash.md5 | MD5 hash. | keyword | | Target.process.Ext.dll.hash.sha1 | SHA1 hash. | keyword | | Target.process.Ext.dll.hash.sha256 | SHA256 hash. | keyword | | Target.process.Ext.dll.hash.sha512 | SHA512 hash. | keyword | | Target.process.Ext.dll.name | Name of the library. This generally maps to the name of the file on disk. | keyword | | Target.process.Ext.dll.path | Full file path of the library. | keyword | | Target.process.Ext.dll.pe.company | Internal company name of the file, provided at compile-time. | keyword | | Target.process.Ext.dll.pe.description | Internal description of the file, provided at compile-time. | keyword | | Target.process.Ext.dll.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | Target.process.Ext.dll.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | Target.process.Ext.dll.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | Target.process.Ext.dll.pe.product | Internal product name of the file, provided at compile-time. | keyword | | Target.process.Ext.malware_classification.identifier | The model's unique identifier. | keyword | | Target.process.Ext.malware_classification.score | The score produced by the classification model. | double | | Target.process.Ext.malware_classification.threshold | The score threshold for the model. Files that score above this threshold are considered malicious. | double | | Target.process.Ext.malware_classification.upx_packed | Whether UPX packing was detected. | boolean | | Target.process.Ext.malware_classification.version | The version of the model used. | keyword | | Target.process.Ext.memory_region.allocation_base | Base address of the memory allocation containing the memory region. | unsigned_long | | Target.process.Ext.memory_region.allocation_protection | Original memory protection requested when the memory was allocated. Example values include "RWX" and "R-X". | keyword | | Target.process.Ext.memory_region.allocation_size | Original memory size requested when the memory was allocated. | unsigned_long | | Target.process.Ext.memory_region.allocation_type | The memory allocation type. Example values include "IMAGE", "MAPPED", and "PRIVATE". | keyword | | Target.process.Ext.memory_region.bytes_address | The address where bytes_compressed begins. | unsigned_long | | Target.process.Ext.memory_region.bytes_allocation_offset | Offset of bytes_address the memory allocation. Equal to bytes_address - allocation_base. | unsigned_long | | Target.process.Ext.memory_region.bytes_compressed | Up to 4MB of raw data from the memory allocation. This is compressed with zlib.To reduce data volume, this is de-duplicated on the endpoint, and may be missing from many alerts if the same data would be sent multiple times. | keyword | | Target.process.Ext.memory_region.bytes_compressed_present | Whether bytes_compressed is present in this event. | boolean | | Target.process.Ext.memory_region.malware_signature.all_names | A sequence of signature names matched. | keyword | | Target.process.Ext.memory_region.malware_signature.identifier | malware signature identifier | keyword | | Target.process.Ext.memory_region.malware_signature.primary | The first matching details. | object | | Target.process.Ext.memory_region.malware_signature.primary.matches | The first matching details. | keyword | | Target.process.Ext.memory_region.malware_signature.primary.signature.hash | hash of file matching signature. | nested | | Target.process.Ext.memory_region.malware_signature.primary.signature.hash.sha256 | sha256 hash of file matching signature. | keyword | | Target.process.Ext.memory_region.malware_signature.primary.signature.id | The id of the first yara rule matched. | keyword | | Target.process.Ext.memory_region.malware_signature.primary.signature.name | The name of the first yara rule matched. | keyword | | Target.process.Ext.memory_region.malware_signature.version | malware signature version | keyword | | Target.process.Ext.memory_region.mapped_path | If the memory corresponds to a file mapping, this is the file's path. | keyword | | Target.process.Ext.memory_region.mapped_pe.company | Internal company name of the file, provided at compile-time. | keyword | | Target.process.Ext.memory_region.mapped_pe.description | Internal description of the file, provided at compile-time. | keyword | | Target.process.Ext.memory_region.mapped_pe.file_version | Internal version of the file, provided at compile-time. | keyword | | Target.process.Ext.memory_region.mapped_pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | Target.process.Ext.memory_region.mapped_pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | Target.process.Ext.memory_region.mapped_pe.product | Internal product name of the file, provided at compile-time. | keyword | | Target.process.Ext.memory_region.mapped_pe_detected | Whether the file at mapped_path is an executable. | boolean | | Target.process.Ext.memory_region.memory_pe.company | Internal company name of the file, provided at compile-time. | keyword | | Target.process.Ext.memory_region.memory_pe.description | Internal description of the file, provided at compile-time. | keyword | | Target.process.Ext.memory_region.memory_pe.file_version | Internal version of the file, provided at compile-time. | keyword | | Target.process.Ext.memory_region.memory_pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | Target.process.Ext.memory_region.memory_pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | Target.process.Ext.memory_region.memory_pe.product | Internal product name of the file, provided at compile-time. | keyword | | Target.process.Ext.memory_region.memory_pe_detected | Whether an executable file was found in memory. | boolean | | Target.process.Ext.memory_region.region_base | Base address of the memory region. | unsigned_long | | Target.process.Ext.memory_region.region_protection | Memory protection of the memory region. Example values include "RWX" and "R-X". | keyword | | Target.process.Ext.memory_region.region_size | Size of the memory region. | unsigned_long | | Target.process.Ext.memory_region.region_state | State of the memory region. Example values include "RESERVE", "COMMIT", and "FREE". | keyword | | Target.process.Ext.memory_region.strings | Array of strings found within the memory region. | keyword | | Target.process.Ext.protection | Indicates the protection level of this process. Uses the same syntax as Process Explorer. Examples include PsProtectedSignerWinTcb, PsProtectedSignerWinTcb-Light, and PsProtectedSignerWindows-Light. | keyword | | Target.process.Ext.services | Services running in this process. | keyword | | Target.process.Ext.session | Session information for the current process | keyword | | Target.process.Ext.token.domain | Domain of token user. | keyword | | Target.process.Ext.token.elevation | Whether the token is elevated or not | boolean | | Target.process.Ext.token.elevation_type | What level of elevation the token has | keyword | | Target.process.Ext.token.impersonation_level | Impersonation level. Only valid for impersonation tokens. | keyword | | Target.process.Ext.token.integrity_level | Numeric integrity level. | long | | Target.process.Ext.token.integrity_level_name | Human readable integrity level. | keyword | | Target.process.Ext.token.is_appcontainer | Whether or not this is an appcontainer token. | boolean | | Target.process.Ext.token.privileges | Array describing the privileges associated with the token. | nested | | Target.process.Ext.token.privileges.description | Description of the privilege. | keyword | | Target.process.Ext.token.privileges.enabled | Whether or not the privilege is enabled. | boolean | | Target.process.Ext.token.privileges.name | Name of the privilege. | keyword | | Target.process.Ext.token.sid | Token user's Security Identifier (SID). | keyword | | Target.process.Ext.token.type | Type of the token, either primary or impersonation. | keyword | | Target.process.Ext.token.user | Username of token owner. | keyword | | Target.process.Ext.user | User associated with the running process. | keyword | | Target.process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | Target.process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | | Target.process.code_signature.exists | Boolean to capture if a signature is present. | boolean | | Target.process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. | keyword | | Target.process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | Target.process.code_signature.subject_name | Subject name of the code signer | keyword | | Target.process.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. | keyword | | Target.process.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | Target.process.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | Target.process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | | Target.process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | Target.process.executable | Absolute path to the process executable. | keyword | | Target.process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | | Target.process.hash.md5 | MD5 hash. | keyword | | Target.process.hash.sha1 | SHA1 hash. | keyword | | Target.process.hash.sha256 | SHA256 hash. | keyword | | Target.process.hash.sha512 | SHA512 hash. | keyword | | Target.process.name | Process name. Sometimes called program name or similar. | keyword | | Target.process.parent.Ext | Object for all custom defined fields to live in. | object | | Target.process.parent.Ext.architecture | Process architecture. It can differ from host architecture. | keyword | | Target.process.parent.Ext.code_signature | Nested version of ECS code_signature fieldset. | nested | | Target.process.parent.Ext.code_signature.exists | Boolean to capture if a signature is present. | boolean | | Target.process.parent.Ext.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | Target.process.parent.Ext.code_signature.subject_name | Subject name of the code signer | keyword | | Target.process.parent.Ext.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | Target.process.parent.Ext.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | Target.process.parent.Ext.dll.Ext | Object for all custom defined fields to live in. | object | | Target.process.parent.Ext.dll.Ext.code_signature | Nested version of ECS code_signature fieldset. | nested | | Target.process.parent.Ext.dll.Ext.code_signature.exists | Boolean to capture if a signature is present. | boolean | | Target.process.parent.Ext.dll.Ext.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | Target.process.parent.Ext.dll.Ext.code_signature.subject_name | Subject name of the code signer | keyword | | Target.process.parent.Ext.dll.Ext.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | Target.process.parent.Ext.dll.Ext.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | Target.process.parent.Ext.dll.Ext.compile_time | Timestamp from when the module was compiled. | date | | Target.process.parent.Ext.dll.Ext.mapped_address | The base address where this module is loaded. | unsigned_long | | Target.process.parent.Ext.dll.Ext.mapped_size | The size of this module's memory mapping, in bytes. | unsigned_long | | Target.process.parent.Ext.dll.code_signature.exists | Boolean to capture if a signature is present. | boolean | | Target.process.parent.Ext.dll.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. | keyword | | Target.process.parent.Ext.dll.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | Target.process.parent.Ext.dll.code_signature.subject_name | Subject name of the code signer | keyword | | Target.process.parent.Ext.dll.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. | keyword | | Target.process.parent.Ext.dll.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | Target.process.parent.Ext.dll.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | Target.process.parent.Ext.dll.hash.md5 | MD5 hash. | keyword | | Target.process.parent.Ext.dll.hash.sha1 | SHA1 hash. | keyword | | Target.process.parent.Ext.dll.hash.sha256 | SHA256 hash. | keyword | | Target.process.parent.Ext.dll.hash.sha512 | SHA512 hash. | keyword | | Target.process.parent.Ext.dll.name | Name of the library. This generally maps to the name of the file on disk. | keyword | | Target.process.parent.Ext.dll.path | Full file path of the library. | keyword | | Target.process.parent.Ext.dll.pe.company | Internal company name of the file, provided at compile-time. | keyword | | Target.process.parent.Ext.dll.pe.description | Internal description of the file, provided at compile-time. | keyword | | Target.process.parent.Ext.dll.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | Target.process.parent.Ext.dll.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | Target.process.parent.Ext.dll.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | Target.process.parent.Ext.dll.pe.product | Internal product name of the file, provided at compile-time. | keyword | | Target.process.parent.Ext.protection | Indicates the protection level of this process. Uses the same syntax as Process Explorer. Examples include PsProtectedSignerWinTcb, PsProtectedSignerWinTcb-Light, and PsProtectedSignerWindows-Light. | keyword | | Target.process.parent.Ext.real | The field set containing process info in case of any pid spoofing. This is mainly useful for process.parent. | object | | Target.process.parent.Ext.real.pid | For process.parent this will be the ppid of the process that actually spawned the current process. | long | | Target.process.parent.Ext.token.domain | Domain of token user. | keyword | | Target.process.parent.Ext.token.elevation | Whether the token is elevated or not | boolean | | Target.process.parent.Ext.token.elevation_type | What level of elevation the token has | keyword | | Target.process.parent.Ext.token.impersonation_level | Impersonation level. Only valid for impersonation tokens. | keyword | | Target.process.parent.Ext.token.integrity_level | Numeric integrity level. | long | | Target.process.parent.Ext.token.integrity_level_name | Human readable integrity level. | keyword | | Target.process.parent.Ext.token.is_appcontainer | Whether or not this is an appcontainer token. | boolean | | Target.process.parent.Ext.token.privileges | Array describing the privileges associated with the token. | nested | | Target.process.parent.Ext.token.privileges.description | Description of the privilege. | keyword | | Target.process.parent.Ext.token.privileges.enabled | Whether or not the privilege is enabled. | boolean | | Target.process.parent.Ext.token.privileges.name | Name of the privilege. | keyword | | Target.process.parent.Ext.token.sid | Token user's Security Identifier (SID). | keyword | | Target.process.parent.Ext.token.type | Type of the token, either primary or impersonation. | keyword | | Target.process.parent.Ext.token.user | Username of token owner. | keyword | | Target.process.parent.Ext.user | User associated with the running process. | keyword | | Target.process.parent.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | Target.process.parent.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | | Target.process.parent.code_signature.exists | Boolean to capture if a signature is present. | boolean | | Target.process.parent.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. | keyword | | Target.process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | Target.process.parent.code_signature.subject_name | Subject name of the code signer | keyword | | Target.process.parent.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. | keyword | | Target.process.parent.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | Target.process.parent.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | Target.process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | | Target.process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | Target.process.parent.executable | Absolute path to the process executable. | keyword | | Target.process.parent.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | | Target.process.parent.hash.md5 | MD5 hash. | keyword | | Target.process.parent.hash.sha1 | SHA1 hash. | keyword | | Target.process.parent.hash.sha256 | SHA256 hash. | keyword | | Target.process.parent.hash.sha512 | SHA512 hash. | keyword | | Target.process.parent.name | Process name. Sometimes called program name or similar. | keyword | | Target.process.parent.pe.company | Internal company name of the file, provided at compile-time. | keyword | | Target.process.parent.pe.description | Internal description of the file, provided at compile-time. | keyword | | Target.process.parent.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | Target.process.parent.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | Target.process.parent.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | Target.process.parent.pe.product | Internal product name of the file, provided at compile-time. | keyword | | Target.process.parent.pgid | Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. Identifier of the group of processes the process belongs to. | long | | Target.process.parent.pid | Process id. | long | | Target.process.parent.ppid | Parent process' pid. | long | | Target.process.parent.start | The time the process started. | date | | Target.process.parent.thread.id | Thread ID. | long | | Target.process.parent.thread.name | Thread name. | keyword | | Target.process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | | Target.process.parent.uptime | Seconds the process has been up. | long | | Target.process.parent.working_directory | The working directory of the process. | keyword | | Target.process.pe.company | Internal company name of the file, provided at compile-time. | keyword | | Target.process.pe.description | Internal description of the file, provided at compile-time. | keyword | | Target.process.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | Target.process.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | Target.process.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | Target.process.pe.product | Internal product name of the file, provided at compile-time. | keyword | | Target.process.pgid | Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. Identifier of the group of processes the process belongs to. | long | | Target.process.pid | Process id. | long | | Target.process.ppid | Parent process' pid. | long | | Target.process.start | The time the process started. | date | | Target.process.thread.Ext | Object for all custom defined fields to live in. | object | | Target.process.thread.Ext.hardware_breakpoint_set | Whether a hardware breakpoint was set for the thread. This field is omitted if false. | boolean | | Target.process.thread.Ext.original_start_address | When a trampoline was detected, this indicates the original content for the thread start address in memory. | unsigned_long | | Target.process.thread.Ext.original_start_address_allocation_offset | When a trampoline was detected, this indicates the original content for the offset of original_start_address to the allocation base. | unsigned_long | | Target.process.thread.Ext.original_start_address_bytes | When a trampoline was detected, this holds the original content of the hex-encoded bytes at the original thread start address. | keyword | | Target.process.thread.Ext.original_start_address_bytes_disasm | When a trampoline was detected, this indicates the original content for the disassembled code pointed by the thread start address. | keyword | | Target.process.thread.Ext.original_start_address_bytes_disasm_hash | When a trampoline was detected, this indicates the hash of original content for the disassembled code pointed by the thread start address. | keyword | | Target.process.thread.Ext.original_start_address_module | When a trampoline was detected, this indicates the original content for the dll/module where the thread began execution. | keyword | | Target.process.thread.Ext.parameter | When a thread is created, this is the raw numerical value of its parameter. | unsigned_long | | Target.process.thread.Ext.parameter_bytes_compressed | Up to 512KB of raw data from the thread parameter, if it is a valid pointer. This is compressed with zlib. To reduce data volume, this is de-duplicated on the endpoint, and may be missing from many alerts if the same data would be sent multiple times. | keyword | | Target.process.thread.Ext.parameter_bytes_compressed_present | Whether parameter_bytes_compressed is present in this event. | boolean | | Target.process.thread.Ext.service | Service associated with the thread. | keyword | | Target.process.thread.Ext.start | The time the thread started. | date | | Target.process.thread.Ext.start_address | Memory address where the thread began execution. | unsigned_long | | Target.process.thread.Ext.start_address_allocation_offset | Offset of start_address into the memory allocation. Equal to start_address - start_address_details.allocation_base. | unsigned_long | | Target.process.thread.Ext.start_address_bytes | A few (typically 32) raw opcode bytes at the thread start address, hex-encoded. | keyword | | Target.process.thread.Ext.start_address_bytes_disasm | The bytes at the thread start address, disassembled into human-readable assembly code. | keyword | | Target.process.thread.Ext.start_address_bytes_disasm_hash | The bytes at the thread start address, with immediate values capped to 0x100, disassembled into human-readable assembly code, then hashed. | keyword | | Target.process.thread.Ext.start_address_module | The dll/module where the thread began execution. | keyword | | Target.process.thread.Ext.token.domain | Domain of token user. | keyword | | Target.process.thread.Ext.token.elevation | Whether the token is elevated or not | boolean | | Target.process.thread.Ext.token.elevation_type | What level of elevation the token has | keyword | | Target.process.thread.Ext.token.impersonation_level | Impersonation level. Only valid for impersonation tokens. | keyword | | Target.process.thread.Ext.token.integrity_level | Numeric integrity level. | long | | Target.process.thread.Ext.token.integrity_level_name | Human readable integrity level. | keyword | | Target.process.thread.Ext.token.is_appcontainer | Whether or not this is an appcontainer token. | boolean | | Target.process.thread.Ext.token.privileges | Array describing the privileges associated with the token. | nested | | Target.process.thread.Ext.token.privileges.description | Description of the privilege. | keyword | | Target.process.thread.Ext.token.privileges.enabled | Whether or not the privilege is enabled. | boolean | | Target.process.thread.Ext.token.privileges.name | Name of the privilege. | keyword | | Target.process.thread.Ext.token.sid | Token user's Security Identifier (SID). | keyword | | Target.process.thread.Ext.token.type | Type of the token, either primary or impersonation. | keyword | | Target.process.thread.Ext.token.user | Username of token owner. | keyword | | Target.process.thread.Ext.uptime | Seconds since thread started. | long | | Target.process.thread.id | Thread ID. | long | | Target.process.thread.name | Thread name. | keyword | | Target.process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | | Target.process.uptime | Seconds the process has been up. | long | | Target.process.working_directory | The working directory of the process. | keyword | | agent.ephemeral_id | Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not. | keyword | | agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | agent.name | Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. | keyword | | agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword | | agent.version | Version of the agent. | keyword | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.instance.name | Instance name of the host machine. | keyword | | cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | cloud.region | Region in which this host, resource, or service is located. | keyword | | container.id | Unique container id. | keyword | | container.image.name | Name of the image the container was built on. | keyword | | container.image.tag | Container image tags. | keyword | | container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset name. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | destination.geo.city_name | City name. | keyword | | destination.geo.continent_code | Two-letter code representing continent's name. | keyword | | destination.geo.continent_name | Name of the continent. | keyword | | destination.geo.country_iso_code | Country ISO code. | keyword | | destination.geo.country_name | Country name. | keyword | | destination.geo.location | Longitude and latitude. | geo_point | | destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | destination.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | destination.geo.region_iso_code | Region ISO code. | keyword | | destination.geo.region_name | Region name. | keyword | | destination.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | destination.ip | IP address of the destination (IPv4 or IPv6). | ip | | dll.Ext | Object for all custom defined fields to live in. | object | | dll.Ext.code_signature | Nested version of ECS code_signature fieldset. | nested | | dll.Ext.code_signature.exists | Boolean to capture if a signature is present. | boolean | | dll.Ext.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | dll.Ext.code_signature.subject_name | Subject name of the code signer | keyword | | dll.Ext.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | dll.Ext.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | dll.Ext.compile_time | Timestamp from when the module was compiled. | date | | dll.Ext.malware_classification.identifier | The model's unique identifier. | keyword | | dll.Ext.malware_classification.score | The score produced by the classification model. | double | | dll.Ext.malware_classification.threshold | The score threshold for the model. Files that score above this threshold are considered malicious. | double | | dll.Ext.malware_classification.upx_packed | Whether UPX packing was detected. | boolean | | dll.Ext.malware_classification.version | The version of the model used. | keyword | | dll.Ext.mapped_address | The base address where this module is loaded. | unsigned_long | | dll.Ext.mapped_size | The size of this module's memory mapping, in bytes. | unsigned_long | | dll.code_signature.exists | Boolean to capture if a signature is present. | boolean | | dll.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. | keyword | | dll.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | dll.code_signature.subject_name | Subject name of the code signer | keyword | | dll.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. | keyword | | dll.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | dll.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | dll.hash.md5 | MD5 hash. | keyword | | dll.hash.sha1 | SHA1 hash. | keyword | | dll.hash.sha256 | SHA256 hash. | keyword | | dll.hash.sha512 | SHA512 hash. | keyword | | dll.name | Name of the library. This generally maps to the name of the file on disk. | keyword | | dll.path | Full file path of the library. | keyword | | dll.pe.company | Internal company name of the file, provided at compile-time. | keyword | | dll.pe.description | Internal description of the file, provided at compile-time. | keyword | | dll.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | dll.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | dll.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | dll.pe.product | Internal product name of the file, provided at compile-time. | keyword | | dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | | dns.question.type | The type of record being queried. | keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | elastic.agent | The agent fields contain data about the Elastic Agent. The Elastic Agent is the management agent that manages other agents or process on the host. | object | | elastic.agent.id | Unique identifier of this elastic agent (if one exists). | keyword | | event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | | event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | | event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | | event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | | event.hash | Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. | keyword | | event.id | Unique ID to describe the event. | keyword | | event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. | date | | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | | event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | | event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float | | event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | | event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | | event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | file.Ext | Object for all custom defined fields to live in. | object | | file.Ext.code_signature | Nested version of ECS code_signature fieldset. | nested | | file.Ext.code_signature.exists | Boolean to capture if a signature is present. | boolean | | file.Ext.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | file.Ext.code_signature.subject_name | Subject name of the code signer | keyword | | file.Ext.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | file.Ext.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | file.Ext.entry_modified | Time of last status change. See `st_ctim` member of `struct stat`. | double | | file.Ext.macro.code_page | Identifies the character encoding used for this macro. https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers | long | | file.Ext.macro.collection | Object containing hashes for the macro collection. | object | | file.Ext.macro.collection.hash.md5 | MD5 hash. | keyword | | file.Ext.macro.collection.hash.sha1 | SHA1 hash. | keyword | | file.Ext.macro.collection.hash.sha256 | SHA256 hash. | keyword | | file.Ext.macro.collection.hash.sha512 | SHA512 hash. | keyword | | file.Ext.macro.errors | Errors that occurred when parsing this document file. | nested | | file.Ext.macro.errors.count | Number of times this error that occurred. | long | | file.Ext.macro.errors.error_type | The type of parsing error that occurred. | keyword | | file.Ext.macro.file_extension | The extension of the file containing this macro (e.g. .docm) | keyword | | file.Ext.macro.project_file | Metadata about the corresponding VBA project file | object | | file.Ext.macro.project_file.hash.md5 | MD5 hash. | keyword | | file.Ext.macro.project_file.hash.sha1 | SHA1 hash. | keyword | | file.Ext.macro.project_file.hash.sha256 | SHA256 hash. | keyword | | file.Ext.macro.project_file.hash.sha512 | SHA512 hash. | keyword | | file.Ext.macro.stream | Streams associated with the document. | nested | | file.Ext.macro.stream.hash.md5 | MD5 hash. | keyword | | file.Ext.macro.stream.hash.sha1 | SHA1 hash. | keyword | | file.Ext.macro.stream.hash.sha256 | SHA256 hash. | keyword | | file.Ext.macro.stream.hash.sha512 | SHA512 hash. | keyword | | file.Ext.macro.stream.name | Name of the stream. | keyword | | file.Ext.macro.stream.raw_code | First 100KB of raw stream binary. Can be useful to analyze false positives and malicious payloads. | keyword | | file.Ext.macro.stream.raw_code_size | The original stream size. Indicates whether stream.raw_code was truncated. | keyword | | file.Ext.malware_classification.identifier | The model's unique identifier. | keyword | | file.Ext.malware_classification.score | The score produced by the classification model. | double | | file.Ext.malware_classification.threshold | The score threshold for the model. Files that score above this threshold are considered malicious. | double | | file.Ext.malware_classification.upx_packed | Whether UPX packing was detected. | boolean | | file.Ext.malware_classification.version | The version of the model used. | keyword | | file.Ext.original | Original file information during a modification event. | object | | file.Ext.original.gid | Primary group ID (GID) of the file. | keyword | | file.Ext.original.group | Primary group name of the file. | keyword | | file.Ext.original.mode | Original file mode prior to a modification event | keyword | | file.Ext.original.name | Original file name prior to a modification event | keyword | | file.Ext.original.owner | File owner's username. | keyword | | file.Ext.original.path | Original file path prior to a modification event | keyword | | file.Ext.original.uid | The user ID (UID) or security identifier (SID) of the file owner. | keyword | | file.Ext.quarantine_message | Message describing quarantine results. | keyword | | file.Ext.quarantine_path | Path on endpoint the quarantined file was originally. | keyword | | file.Ext.quarantine_result | Boolean representing whether or not file quarantine succeeded. | boolean | | file.Ext.temp_file_path | Path on endpoint where a copy of the file is being stored. Used to make ephemeral files retrievable. | keyword | | file.Ext.windows | Platform-specific Windows fields | object | | file.Ext.windows.zone_identifier | Windows zone identifier for a file | keyword | | file.accessed | Last time the file was accessed. Note that not all filesystems keep track of access time. | date | | file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | | file.code_signature.exists | Boolean to capture if a signature is present. | boolean | | file.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. | keyword | | file.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | file.code_signature.subject_name | Subject name of the code signer | keyword | | file.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. | keyword | | file.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | file.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | file.created | File creation time. Note that not all filesystems store the creation time. | date | | file.ctime | Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. | date | | file.device | Device that is the source of the file. | keyword | | file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | | file.drive_letter | Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon. | keyword | | file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | | file.gid | Primary group ID (GID) of the file. | keyword | | file.group | Primary group name of the file. | keyword | | file.hash.md5 | MD5 hash. | keyword | | file.hash.sha1 | SHA1 hash. | keyword | | file.hash.sha256 | SHA256 hash. | keyword | | file.hash.sha512 | SHA512 hash. | keyword | | file.inode | Inode representing the file in the filesystem. | keyword | | file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword | | file.mode | Mode of the file in octal representation. | keyword | | file.mtime | Last time the file content was modified. | date | | file.name | Name of the file including the extension, without the directory. | keyword | | file.owner | File owner's username. | keyword | | file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | | file.pe.Ext.dotnet | Whether this file is a .NET PE | boolean | | file.pe.Ext.sections | The file's relevant sections, if it is a PE | object | | file.pe.Ext.sections.hash.md5 | MD5 hash. | keyword | | file.pe.Ext.sections.hash.sha256 | SHA256 hash. | keyword | | file.pe.Ext.sections.name | The section's name | keyword | | file.pe.Ext.streams | The file's streams, if it is a PE | object | | file.pe.Ext.streams.hash.md5 | MD5 hash. | keyword | | file.pe.Ext.streams.hash.sha256 | SHA256 hash. | keyword | | file.pe.Ext.streams.name | The stream's name | keyword | | file.pe.company | Internal company name of the file, provided at compile-time. | keyword | | file.pe.description | Internal description of the file, provided at compile-time. | keyword | | file.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | file.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | file.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | file.pe.product | Internal product name of the file, provided at compile-time. | keyword | | file.size | File size in bytes. Only relevant when `file.type` is "file". | long | | file.target_path | Target path for symlinks. | keyword | | file.type | File type (file, dir, or symlink). | keyword | | file.uid | The user ID (UID) or security identifier (SID) of the file owner. | keyword | | group.Ext | Object for all custom defined fields to live in. | object | | group.Ext.real | Group info prior to any setgid operations. | object | | group.Ext.real.id | Unique identifier for the group on the system/platform. | keyword | | group.Ext.real.name | Name of the group. | keyword | | group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | group.id | Unique identifier for the group on the system/platform. | keyword | | group.name | Name of the group. | keyword | | host.architecture | Operating system architecture. | keyword | | host.boot.id | Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note the boot_id value from /proc may or may not be the same in containers as on the host. Some container runtimes will bind mount a new boot_id value onto the proc file in each container. | keyword | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | host.geo.city_name | City name. | keyword | | host.geo.continent_code | Two-letter code representing continent's name. | keyword | | host.geo.continent_name | Name of the continent. | keyword | | host.geo.country_iso_code | Country ISO code. | keyword | | host.geo.country_name | Country name. | keyword | | host.geo.location | Longitude and latitude. | geo_point | | host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | host.geo.region_iso_code | Region ISO code. | keyword | | host.geo.region_name | Region name. | keyword | | host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | | host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | | host.os.Ext | Object for all custom defined fields to live in. | object | | host.os.Ext.variant | A string value or phrase that further aid to classify or qualify the operating system (OS). For example the distribution for a Linux OS will be entered in this field. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.full | Operating system name, including the version or code name. | keyword | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.pid_ns_ino | This is the inode number of the namespace in the namespace file system (nsfs). Unsigned int inum in include/linux/ns_common.h. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | host.uptime | Seconds the host has been up. | long | | host.user.Ext | Object for all custom defined fields to live in. | object | | host.user.Ext.real | User info prior to any setuid operations. | object | | host.user.Ext.real.id | One or multiple unique identifiers of the user. | keyword | | host.user.Ext.real.name | Short name or login of the user. | keyword | | host.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | host.user.email | User email address. | keyword | | host.user.full_name | User's full name, if available. | keyword | | host.user.group.Ext | Object for all custom defined fields to live in. | object | | host.user.group.Ext.real | Group info prior to any setgid operations. | object | | host.user.group.Ext.real.id | Unique identifier for the group on the system/platform. | keyword | | host.user.group.Ext.real.name | Name of the group. | keyword | | host.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | host.user.group.id | Unique identifier for the group on the system/platform. | keyword | | host.user.group.name | Name of the group. | keyword | | host.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | host.user.id | Unique identifier of the user. | keyword | | host.user.name | Short name or login of the user. | keyword | | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | orchestrator.cluster.name | Name of the cluster. | keyword | | orchestrator.namespace | Namespace in which the action is taking place. | keyword | | orchestrator.resource.name | Name of the resource being acted upon. | keyword | | orchestrator.resource.type | Type of resource being acted upon. | keyword | | process.Ext | Object for all custom defined fields to live in. | object | | process.Ext.ancestry | An array of entity_ids indicating the ancestors for this event | keyword | | process.Ext.architecture | Process architecture. It can differ from host architecture. | keyword | | process.Ext.authentication_id | Process authentication ID | keyword | | process.Ext.code_signature | Nested version of ECS code_signature fieldset. | nested | | process.Ext.code_signature.exists | Boolean to capture if a signature is present. | boolean | | process.Ext.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | process.Ext.code_signature.subject_name | Subject name of the code signer | keyword | | process.Ext.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | process.Ext.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | process.Ext.dll.Ext | Object for all custom defined fields to live in. | object | | process.Ext.dll.Ext.code_signature | Nested version of ECS code_signature fieldset. | nested | | process.Ext.dll.Ext.code_signature.exists | Boolean to capture if a signature is present. | boolean | | process.Ext.dll.Ext.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | process.Ext.dll.Ext.code_signature.subject_name | Subject name of the code signer | keyword | | process.Ext.dll.Ext.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | process.Ext.dll.Ext.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | process.Ext.dll.Ext.compile_time | Timestamp from when the module was compiled. | date | | process.Ext.dll.Ext.mapped_address | The base address where this module is loaded. | unsigned_long | | process.Ext.dll.Ext.mapped_size | The size of this module's memory mapping, in bytes. | unsigned_long | | process.Ext.dll.code_signature.exists | Boolean to capture if a signature is present. | boolean | | process.Ext.dll.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. | keyword | | process.Ext.dll.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | process.Ext.dll.code_signature.subject_name | Subject name of the code signer | keyword | | process.Ext.dll.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. | keyword | | process.Ext.dll.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | process.Ext.dll.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | process.Ext.dll.hash.md5 | MD5 hash. | keyword | | process.Ext.dll.hash.sha1 | SHA1 hash. | keyword | | process.Ext.dll.hash.sha256 | SHA256 hash. | keyword | | process.Ext.dll.hash.sha512 | SHA512 hash. | keyword | | process.Ext.dll.name | Name of the library. This generally maps to the name of the file on disk. | keyword | | process.Ext.dll.path | Full file path of the library. | keyword | | process.Ext.dll.pe.company | Internal company name of the file, provided at compile-time. | keyword | | process.Ext.dll.pe.description | Internal description of the file, provided at compile-time. | keyword | | process.Ext.dll.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | process.Ext.dll.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | process.Ext.dll.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | process.Ext.dll.pe.product | Internal product name of the file, provided at compile-time. | keyword | | process.Ext.malware_classification.identifier | The model's unique identifier. | keyword | | process.Ext.malware_classification.score | The score produced by the classification model. | double | | process.Ext.malware_classification.threshold | The score threshold for the model. Files that score above this threshold are considered malicious. | double | | process.Ext.malware_classification.upx_packed | Whether UPX packing was detected. | boolean | | process.Ext.malware_classification.version | The version of the model used. | keyword | | process.Ext.memory_region.allocation_base | Base address of the memory allocation containing the memory region. | unsigned_long | | process.Ext.memory_region.allocation_protection | Original memory protection requested when the memory was allocated. Example values include "RWX" and "R-X". | keyword | | process.Ext.memory_region.allocation_size | Original memory size requested when the memory was allocated. | unsigned_long | | process.Ext.memory_region.allocation_type | The memory allocation type. Example values include "IMAGE", "MAPPED", and "PRIVATE". | keyword | | process.Ext.memory_region.bytes_address | The address where bytes_compressed begins. | unsigned_long | | process.Ext.memory_region.bytes_allocation_offset | Offset of bytes_address the memory allocation. Equal to bytes_address - allocation_base. | unsigned_long | | process.Ext.memory_region.bytes_compressed | Up to 4MB of raw data from the memory allocation. This is compressed with zlib.To reduce data volume, this is de-duplicated on the endpoint, and may be missing from many alerts if the same data would be sent multiple times. | keyword | | process.Ext.memory_region.bytes_compressed_present | Whether bytes_compressed is present in this event. | boolean | | process.Ext.memory_region.malware_signature.all_names | A sequence of signature names matched. | keyword | | process.Ext.memory_region.malware_signature.identifier | malware signature identifier | keyword | | process.Ext.memory_region.malware_signature.primary | The first matching details. | object | | process.Ext.memory_region.malware_signature.primary.matches | The first matching details. | keyword | | process.Ext.memory_region.malware_signature.primary.signature.hash | hash of file matching signature. | nested | | process.Ext.memory_region.malware_signature.primary.signature.hash.sha256 | sha256 hash of file matching signature. | keyword | | process.Ext.memory_region.malware_signature.primary.signature.id | The id of the first yara rule matched. | keyword | | process.Ext.memory_region.malware_signature.primary.signature.name | The name of the first yara rule matched. | keyword | | process.Ext.memory_region.malware_signature.version | malware signature version | keyword | | process.Ext.memory_region.mapped_path | If the memory corresponds to a file mapping, this is the file's path. | keyword | | process.Ext.memory_region.mapped_pe.company | Internal company name of the file, provided at compile-time. | keyword | | process.Ext.memory_region.mapped_pe.description | Internal description of the file, provided at compile-time. | keyword | | process.Ext.memory_region.mapped_pe.file_version | Internal version of the file, provided at compile-time. | keyword | | process.Ext.memory_region.mapped_pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | process.Ext.memory_region.mapped_pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | process.Ext.memory_region.mapped_pe.product | Internal product name of the file, provided at compile-time. | keyword | | process.Ext.memory_region.mapped_pe_detected | Whether the file at mapped_path is an executable. | boolean | | process.Ext.memory_region.memory_pe.company | Internal company name of the file, provided at compile-time. | keyword | | process.Ext.memory_region.memory_pe.description | Internal description of the file, provided at compile-time. | keyword | | process.Ext.memory_region.memory_pe.file_version | Internal version of the file, provided at compile-time. | keyword | | process.Ext.memory_region.memory_pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | process.Ext.memory_region.memory_pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | process.Ext.memory_region.memory_pe.product | Internal product name of the file, provided at compile-time. | keyword | | process.Ext.memory_region.memory_pe_detected | Whether an executable file was found in memory. | boolean | | process.Ext.memory_region.region_base | Base address of the memory region. | unsigned_long | | process.Ext.memory_region.region_protection | Memory protection of the memory region. Example values include "RWX" and "R-X". | keyword | | process.Ext.memory_region.region_size | Size of the memory region. | unsigned_long | | process.Ext.memory_region.region_state | State of the memory region. Example values include "RESERVE", "COMMIT", and "FREE". | keyword | | process.Ext.memory_region.strings | Array of strings found within the memory region. | keyword | | process.Ext.protection | Indicates the protection level of this process. Uses the same syntax as Process Explorer. Examples include PsProtectedSignerWinTcb, PsProtectedSignerWinTcb-Light, and PsProtectedSignerWindows-Light. | keyword | | process.Ext.services | Services running in this process. | keyword | | process.Ext.session | Session information for the current process | keyword | | process.Ext.token.domain | Domain of token user. | keyword | | process.Ext.token.elevation | Whether the token is elevated or not | boolean | | process.Ext.token.elevation_type | What level of elevation the token has | keyword | | process.Ext.token.impersonation_level | Impersonation level. Only valid for impersonation tokens. | keyword | | process.Ext.token.integrity_level | Numeric integrity level. | long | | process.Ext.token.integrity_level_name | Human readable integrity level. | keyword | | process.Ext.token.is_appcontainer | Whether or not this is an appcontainer token. | boolean | | process.Ext.token.privileges | Array describing the privileges associated with the token. | nested | | process.Ext.token.privileges.description | Description of the privilege. | keyword | | process.Ext.token.privileges.enabled | Whether or not the privilege is enabled. | boolean | | process.Ext.token.privileges.name | Name of the privilege. | keyword | | process.Ext.token.sid | Token user's Security Identifier (SID). | keyword | | process.Ext.token.type | Type of the token, either primary or impersonation. | keyword | | process.Ext.token.user | Username of token owner. | keyword | | process.Ext.user | User associated with the running process. | keyword | | process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | | process.code_signature.exists | Boolean to capture if a signature is present. | boolean | | process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. | keyword | | process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | process.code_signature.subject_name | Subject name of the code signer | keyword | | process.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. | keyword | | process.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | process.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | | process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.entry_leader.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | process.entry_leader.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | | process.entry_leader.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | | process.entry_leader.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.entry_leader.entry_meta.source.ip | IP address of the source (IPv4 or IPv6). | ip | | process.entry_leader.entry_meta.type | The entry type for the entry session leader. Values include: init(e.g systemd), sshd, ssm, kubelet, teleport, terminal, console Note: This field is only set on process.session_leader. | keyword | | process.entry_leader.executable | Absolute path to the process executable. | keyword | | process.entry_leader.group.id | Unique identifier for the group on the system/platform. | keyword | | process.entry_leader.group.name | Name of the group. | keyword | | process.entry_leader.interactive | Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. | boolean | | process.entry_leader.name | Process name. Sometimes called program name or similar. | keyword | | process.entry_leader.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.entry_leader.parent.pid | Process id. | long | | process.entry_leader.parent.session_leader.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.entry_leader.parent.session_leader.pid | Process id. | long | | process.entry_leader.parent.session_leader.start | The time the process started. | date | | process.entry_leader.parent.start | The time the process started. | date | | process.entry_leader.pid | Process id. | long | | process.entry_leader.real_group.id | Unique identifier for the group on the system/platform. | keyword | | process.entry_leader.real_group.name | Name of the group. | keyword | | process.entry_leader.real_user.id | Unique identifier of the user. | keyword | | process.entry_leader.real_user.name | Short name or login of the user. | keyword | | process.entry_leader.same_as_process | This boolean is used to identify if a leader process is the same as the top level process. For example, if `process.group_leader.same_as_process = true`, it means the process event in question is the leader of its process group. Details under `process.*` like `pid` would be the same under `process.group_leader.*` The same applies for both `process.session_leader` and `process.entry_leader`. This field exists to the benefit of EQL and other rule engines since it's not possible to compare equality between two fields in a single document. e.g `process.entity_id` = `process.group_leader.entity_id` (top level process is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is the entry session leader) Instead these rules could be written like: `process.group_leader.same_as_process: true` OR `process.entry_leader.same_as_process: true` Note: This field is only set on `process.entry_leader`, `process.session_leader` and `process.group_leader`. | boolean | | process.entry_leader.saved_group.id | Unique identifier for the group on the system/platform. | keyword | | process.entry_leader.saved_group.name | Name of the group. | keyword | | process.entry_leader.saved_user.id | Unique identifier of the user. | keyword | | process.entry_leader.saved_user.name | Short name or login of the user. | keyword | | process.entry_leader.start | The time the process started. | date | | process.entry_leader.supplemental_groups.id | Unique identifier for the group on the system/platform. | keyword | | process.entry_leader.supplemental_groups.name | Name of the group. | keyword | | process.entry_leader.tty | Information about the controlling TTY device. If set, the process belongs to an interactive session. | object | | process.entry_leader.tty.char_device.major | The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. | long | | process.entry_leader.tty.char_device.minor | The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them. | long | | process.entry_leader.user.id | Unique identifier of the user. | keyword | | process.entry_leader.user.name | Short name or login of the user. | keyword | | process.entry_leader.working_directory | The working directory of the process. | keyword | | process.env_vars | Array of environment variable bindings. Captured from a snapshot of the environment at the time of execution. May be filtered to protect sensitive information. | keyword | | process.executable | Absolute path to the process executable. | keyword | | process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | | process.group_leader.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | process.group_leader.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | | process.group_leader.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | | process.group_leader.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.group_leader.executable | Absolute path to the process executable. | keyword | | process.group_leader.group.id | Unique identifier for the group on the system/platform. | keyword | | process.group_leader.group.name | Name of the group. | keyword | | process.group_leader.interactive | Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. | boolean | | process.group_leader.name | Process name. Sometimes called program name or similar. | keyword | | process.group_leader.pid | Process id. | long | | process.group_leader.real_group.id | Unique identifier for the group on the system/platform. | keyword | | process.group_leader.real_group.name | Name of the group. | keyword | | process.group_leader.real_user.id | Unique identifier of the user. | keyword | | process.group_leader.real_user.name | Short name or login of the user. | keyword | | process.group_leader.same_as_process | This boolean is used to identify if a leader process is the same as the top level process. For example, if `process.group_leader.same_as_process = true`, it means the process event in question is the leader of its process group. Details under `process.*` like `pid` would be the same under `process.group_leader.*` The same applies for both `process.session_leader` and `process.entry_leader`. This field exists to the benefit of EQL and other rule engines since it's not possible to compare equality between two fields in a single document. e.g `process.entity_id` = `process.group_leader.entity_id` (top level process is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is the entry session leader) Instead these rules could be written like: `process.group_leader.same_as_process: true` OR `process.entry_leader.same_as_process: true` Note: This field is only set on `process.entry_leader`, `process.session_leader` and `process.group_leader`. | boolean | | process.group_leader.saved_group.id | Unique identifier for the group on the system/platform. | keyword | | process.group_leader.saved_group.name | Name of the group. | keyword | | process.group_leader.saved_user.id | Unique identifier of the user. | keyword | | process.group_leader.saved_user.name | Short name or login of the user. | keyword | | process.group_leader.start | The time the process started. | date | | process.group_leader.supplemental_groups.id | Unique identifier for the group on the system/platform. | keyword | | process.group_leader.supplemental_groups.name | Name of the group. | keyword | | process.group_leader.tty | Information about the controlling TTY device. If set, the process belongs to an interactive session. | object | | process.group_leader.tty.char_device.major | The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. | long | | process.group_leader.tty.char_device.minor | The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them. | long | | process.group_leader.user.id | Unique identifier of the user. | keyword | | process.group_leader.user.name | Short name or login of the user. | keyword | | process.group_leader.working_directory | The working directory of the process. | keyword | | process.hash.md5 | MD5 hash. | keyword | | process.hash.sha1 | SHA1 hash. | keyword | | process.hash.sha256 | SHA256 hash. | keyword | | process.hash.sha512 | SHA512 hash. | keyword | | process.interactive | Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. | boolean | | process.name | Process name. Sometimes called program name or similar. | keyword | | process.parent.Ext | Object for all custom defined fields to live in. | object | | process.parent.Ext.architecture | Process architecture. It can differ from host architecture. | keyword | | process.parent.Ext.code_signature | Nested version of ECS code_signature fieldset. | nested | | process.parent.Ext.code_signature.exists | Boolean to capture if a signature is present. | boolean | | process.parent.Ext.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | process.parent.Ext.code_signature.subject_name | Subject name of the code signer | keyword | | process.parent.Ext.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | process.parent.Ext.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | process.parent.Ext.dll.Ext | Object for all custom defined fields to live in. | object | | process.parent.Ext.dll.Ext.code_signature | Nested version of ECS code_signature fieldset. | nested | | process.parent.Ext.dll.Ext.code_signature.exists | Boolean to capture if a signature is present. | boolean | | process.parent.Ext.dll.Ext.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | process.parent.Ext.dll.Ext.code_signature.subject_name | Subject name of the code signer | keyword | | process.parent.Ext.dll.Ext.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | process.parent.Ext.dll.Ext.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | process.parent.Ext.dll.Ext.compile_time | Timestamp from when the module was compiled. | date | | process.parent.Ext.dll.Ext.mapped_address | The base address where this module is loaded. | unsigned_long | | process.parent.Ext.dll.Ext.mapped_size | The size of this module's memory mapping, in bytes. | unsigned_long | | process.parent.Ext.dll.code_signature.exists | Boolean to capture if a signature is present. | boolean | | process.parent.Ext.dll.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. | keyword | | process.parent.Ext.dll.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | process.parent.Ext.dll.code_signature.subject_name | Subject name of the code signer | keyword | | process.parent.Ext.dll.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. | keyword | | process.parent.Ext.dll.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | process.parent.Ext.dll.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | process.parent.Ext.dll.hash.md5 | MD5 hash. | keyword | | process.parent.Ext.dll.hash.sha1 | SHA1 hash. | keyword | | process.parent.Ext.dll.hash.sha256 | SHA256 hash. | keyword | | process.parent.Ext.dll.hash.sha512 | SHA512 hash. | keyword | | process.parent.Ext.dll.name | Name of the library. This generally maps to the name of the file on disk. | keyword | | process.parent.Ext.dll.path | Full file path of the library. | keyword | | process.parent.Ext.dll.pe.company | Internal company name of the file, provided at compile-time. | keyword | | process.parent.Ext.dll.pe.description | Internal description of the file, provided at compile-time. | keyword | | process.parent.Ext.dll.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | process.parent.Ext.dll.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | process.parent.Ext.dll.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | process.parent.Ext.dll.pe.product | Internal product name of the file, provided at compile-time. | keyword | | process.parent.Ext.protection | Indicates the protection level of this process. Uses the same syntax as Process Explorer. Examples include PsProtectedSignerWinTcb, PsProtectedSignerWinTcb-Light, and PsProtectedSignerWindows-Light. | keyword | | process.parent.Ext.real | The field set containing process info in case of any pid spoofing. This is mainly useful for process.parent. | object | | process.parent.Ext.real.pid | For process.parent this will be the ppid of the process that actually spawned the current process. | long | | process.parent.Ext.token.domain | Domain of token user. | keyword | | process.parent.Ext.token.elevation | Whether the token is elevated or not | boolean | | process.parent.Ext.token.elevation_type | What level of elevation the token has | keyword | | process.parent.Ext.token.impersonation_level | Impersonation level. Only valid for impersonation tokens. | keyword | | process.parent.Ext.token.integrity_level | Numeric integrity level. | long | | process.parent.Ext.token.integrity_level_name | Human readable integrity level. | keyword | | process.parent.Ext.token.is_appcontainer | Whether or not this is an appcontainer token. | boolean | | process.parent.Ext.token.privileges | Array describing the privileges associated with the token. | nested | | process.parent.Ext.token.privileges.description | Description of the privilege. | keyword | | process.parent.Ext.token.privileges.enabled | Whether or not the privilege is enabled. | boolean | | process.parent.Ext.token.privileges.name | Name of the privilege. | keyword | | process.parent.Ext.token.sid | Token user's Security Identifier (SID). | keyword | | process.parent.Ext.token.type | Type of the token, either primary or impersonation. | keyword | | process.parent.Ext.token.user | Username of token owner. | keyword | | process.parent.Ext.user | User associated with the running process. | keyword | | process.parent.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | process.parent.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | | process.parent.code_signature.exists | Boolean to capture if a signature is present. | boolean | | process.parent.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. | keyword | | process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | process.parent.code_signature.subject_name | Subject name of the code signer | keyword | | process.parent.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. | keyword | | process.parent.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | process.parent.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | | process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.parent.executable | Absolute path to the process executable. | keyword | | process.parent.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | | process.parent.group.id | Unique identifier for the group on the system/platform. | keyword | | process.parent.group.name | Name of the group. | keyword | | process.parent.group_leader.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.parent.group_leader.pid | Process id. | long | | process.parent.group_leader.start | The time the process started. | date | | process.parent.hash.md5 | MD5 hash. | keyword | | process.parent.hash.sha1 | SHA1 hash. | keyword | | process.parent.hash.sha256 | SHA256 hash. | keyword | | process.parent.hash.sha512 | SHA512 hash. | keyword | | process.parent.interactive | Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. | boolean | | process.parent.name | Process name. Sometimes called program name or similar. | keyword | | process.parent.pe.company | Internal company name of the file, provided at compile-time. | keyword | | process.parent.pe.description | Internal description of the file, provided at compile-time. | keyword | | process.parent.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | process.parent.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | process.parent.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | process.parent.pe.product | Internal product name of the file, provided at compile-time. | keyword | | process.parent.pgid | Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. Identifier of the group of processes the process belongs to. | long | | process.parent.pid | Process id. | long | | process.parent.ppid | Parent process' pid. | long | | process.parent.real_group.id | Unique identifier for the group on the system/platform. | keyword | | process.parent.real_group.name | Name of the group. | keyword | | process.parent.real_user.id | Unique identifier of the user. | keyword | | process.parent.real_user.name | Short name or login of the user. | keyword | | process.parent.saved_group.id | Unique identifier for the group on the system/platform. | keyword | | process.parent.saved_group.name | Name of the group. | keyword | | process.parent.saved_user.id | Unique identifier of the user. | keyword | | process.parent.saved_user.name | Short name or login of the user. | keyword | | process.parent.start | The time the process started. | date | | process.parent.supplemental_groups.id | Unique identifier for the group on the system/platform. | keyword | | process.parent.supplemental_groups.name | Name of the group. | keyword | | process.parent.thread.id | Thread ID. | long | | process.parent.thread.name | Thread name. | keyword | | process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | | process.parent.tty | Information about the controlling TTY device. If set, the process belongs to an interactive session. | object | | process.parent.tty.char_device.major | The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. | long | | process.parent.tty.char_device.minor | The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them. | long | | process.parent.uptime | Seconds the process has been up. | long | | process.parent.user.id | Unique identifier of the user. | keyword | | process.parent.user.name | Short name or login of the user. | keyword | | process.parent.working_directory | The working directory of the process. | keyword | | process.pe.company | Internal company name of the file, provided at compile-time. | keyword | | process.pe.description | Internal description of the file, provided at compile-time. | keyword | | process.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | process.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | process.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | process.pe.product | Internal product name of the file, provided at compile-time. | keyword | | process.pgid | Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. Identifier of the group of processes the process belongs to. | long | | process.pid | Process id. | long | | process.ppid | Parent process' pid. | long | | process.previous.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | process.previous.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | | process.previous.executable | Absolute path to the process executable. | keyword | | process.real_group.id | Unique identifier for the group on the system/platform. | keyword | | process.real_group.name | Name of the group. | keyword | | process.real_user.id | Unique identifier of the user. | keyword | | process.real_user.name | Short name or login of the user. | keyword | | process.saved_group.id | Unique identifier for the group on the system/platform. | keyword | | process.saved_group.name | Name of the group. | keyword | | process.saved_user.id | Unique identifier of the user. | keyword | | process.saved_user.name | Short name or login of the user. | keyword | | process.session_leader.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | process.session_leader.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | | process.session_leader.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | | process.session_leader.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.session_leader.executable | Absolute path to the process executable. | keyword | | process.session_leader.group.id | Unique identifier for the group on the system/platform. | keyword | | process.session_leader.group.name | Name of the group. | keyword | | process.session_leader.interactive | Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. | boolean | | process.session_leader.name | Process name. Sometimes called program name or similar. | keyword | | process.session_leader.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.session_leader.parent.pid | Process id. | long | | process.session_leader.parent.session_leader.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.session_leader.parent.session_leader.pid | Process id. | long | | process.session_leader.parent.session_leader.start | The time the process started. | date | | process.session_leader.parent.start | The time the process started. | date | | process.session_leader.pid | Process id. | long | | process.session_leader.real_group.id | Unique identifier for the group on the system/platform. | keyword | | process.session_leader.real_group.name | Name of the group. | keyword | | process.session_leader.real_user.id | Unique identifier of the user. | keyword | | process.session_leader.real_user.name | Short name or login of the user. | keyword | | process.session_leader.same_as_process | This boolean is used to identify if a leader process is the same as the top level process. For example, if `process.group_leader.same_as_process = true`, it means the process event in question is the leader of its process group. Details under `process.*` like `pid` would be the same under `process.group_leader.*` The same applies for both `process.session_leader` and `process.entry_leader`. This field exists to the benefit of EQL and other rule engines since it's not possible to compare equality between two fields in a single document. e.g `process.entity_id` = `process.group_leader.entity_id` (top level process is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is the entry session leader) Instead these rules could be written like: `process.group_leader.same_as_process: true` OR `process.entry_leader.same_as_process: true` Note: This field is only set on `process.entry_leader`, `process.session_leader` and `process.group_leader`. | boolean | | process.session_leader.saved_group.id | Unique identifier for the group on the system/platform. | keyword | | process.session_leader.saved_group.name | Name of the group. | keyword | | process.session_leader.saved_user.id | Unique identifier of the user. | keyword | | process.session_leader.saved_user.name | Short name or login of the user. | keyword | | process.session_leader.start | The time the process started. | date | | process.session_leader.supplemental_groups.id | Unique identifier for the group on the system/platform. | keyword | | process.session_leader.supplemental_groups.name | Name of the group. | keyword | | process.session_leader.tty | Information about the controlling TTY device. If set, the process belongs to an interactive session. | object | | process.session_leader.tty.char_device.major | The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. | long | | process.session_leader.tty.char_device.minor | The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them. | long | | process.session_leader.user.id | Unique identifier of the user. | keyword | | process.session_leader.user.name | Short name or login of the user. | keyword | | process.session_leader.working_directory | The working directory of the process. | keyword | | process.start | The time the process started. | date | | process.supplemental_groups.id | Unique identifier for the group on the system/platform. | keyword | | process.supplemental_groups.name | Name of the group. | keyword | | process.thread.Ext | Object for all custom defined fields to live in. | object | | process.thread.Ext.hardware_breakpoint_set | Whether a hardware breakpoint was set for the thread. This field is omitted if false. | boolean | | process.thread.Ext.original_start_address | When a trampoline was detected, this indicates the original content for the thread start address in memory. | unsigned_long | | process.thread.Ext.original_start_address_allocation_offset | When a trampoline was detected, this indicates the original content for the offset of original_start_address to the allocation base. | unsigned_long | | process.thread.Ext.original_start_address_bytes | When a trampoline was detected, this holds the original content of the hex-encoded bytes at the original thread start address. | keyword | | process.thread.Ext.original_start_address_bytes_disasm | When a trampoline was detected, this indicates the original content for the disassembled code pointed by the thread start address. | keyword | | process.thread.Ext.original_start_address_bytes_disasm_hash | When a trampoline was detected, this indicates the hash of original content for the disassembled code pointed by the thread start address. | keyword | | process.thread.Ext.original_start_address_module | When a trampoline was detected, this indicates the original content for the dll/module where the thread began execution. | keyword | | process.thread.Ext.parameter | When a thread is created, this is the raw numerical value of its parameter. | unsigned_long | | process.thread.Ext.parameter_bytes_compressed | Up to 512KB of raw data from the thread parameter, if it is a valid pointer. This is compressed with zlib. To reduce data volume, this is de-duplicated on the endpoint, and may be missing from many alerts if the same data would be sent multiple times. | keyword | | process.thread.Ext.parameter_bytes_compressed_present | Whether parameter_bytes_compressed is present in this event. | boolean | | process.thread.Ext.service | Service associated with the thread. | keyword | | process.thread.Ext.start | The time the thread started. | date | | process.thread.Ext.start_address | Memory address where the thread began execution. | unsigned_long | | process.thread.Ext.start_address_allocation_offset | Offset of start_address into the memory allocation. Equal to start_address - start_address_details.allocation_base. | unsigned_long | | process.thread.Ext.start_address_bytes | A few (typically 32) raw opcode bytes at the thread start address, hex-encoded. | keyword | | process.thread.Ext.start_address_bytes_disasm | The bytes at the thread start address, disassembled into human-readable assembly code. | keyword | | process.thread.Ext.start_address_bytes_disasm_hash | The bytes at the thread start address, with immediate values capped to 0x100, disassembled into human-readable assembly code, then hashed. | keyword | | process.thread.Ext.start_address_module | The dll/module where the thread began execution. | keyword | | process.thread.Ext.token.domain | Domain of token user. | keyword | | process.thread.Ext.token.elevation | Whether the token is elevated or not | boolean | | process.thread.Ext.token.elevation_type | What level of elevation the token has | keyword | | process.thread.Ext.token.impersonation_level | Impersonation level. Only valid for impersonation tokens. | keyword | | process.thread.Ext.token.integrity_level | Numeric integrity level. | long | | process.thread.Ext.token.integrity_level_name | Human readable integrity level. | keyword | | process.thread.Ext.token.is_appcontainer | Whether or not this is an appcontainer token. | boolean | | process.thread.Ext.token.privileges | Array describing the privileges associated with the token. | nested | | process.thread.Ext.token.privileges.description | Description of the privilege. | keyword | | process.thread.Ext.token.privileges.enabled | Whether or not the privilege is enabled. | boolean | | process.thread.Ext.token.privileges.name | Name of the privilege. | keyword | | process.thread.Ext.token.sid | Token user's Security Identifier (SID). | keyword | | process.thread.Ext.token.type | Type of the token, either primary or impersonation. | keyword | | process.thread.Ext.token.user | Username of token owner. | keyword | | process.thread.Ext.uptime | Seconds since thread started. | long | | process.thread.id | Thread ID. | long | | process.thread.name | Thread name. | keyword | | process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | | process.tty | Information about the controlling TTY device. If set, the process belongs to an interactive session. | object | | process.tty.char_device.major | The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. | long | | process.tty.char_device.minor | The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them. | long | | process.uptime | Seconds the process has been up. | long | | process.user.id | Unique identifier of the user. | keyword | | process.user.name | Short name or login of the user. | keyword | | process.working_directory | The working directory of the process. | keyword | | registry.data.strings | Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). | wildcard | | registry.path | Full path, including hive, key and value | keyword | | registry.value | Name of the value written. | keyword | | rule.author | Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. | keyword | | rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | | rule.description | The description of the rule generating the event. | keyword | | rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | | rule.license | Name of the license under which the rule used to generate this event is made available. | keyword | | rule.name | The name of the rule or signature generating the event. | keyword | | rule.reference | Reference URL to additional information about the rule used to generate this event. The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. | keyword | | rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword | | rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | keyword | | rule.version | The version / revision of the rule being used for analysis. | keyword | | source.geo.city_name | City name. | keyword | | source.geo.continent_code | Two-letter code representing continent's name. | keyword | | source.geo.continent_name | Name of the continent. | keyword | | source.geo.country_iso_code | Country ISO code. | keyword | | source.geo.country_name | Country name. | keyword | | source.geo.location | Longitude and latitude. | geo_point | | source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | source.geo.region_iso_code | Region ISO code. | keyword | | source.geo.region_name | Region name. | keyword | | source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | source.ip | IP address of the source (IPv4 or IPv6). | ip | | threat.enrichments | A list of associated indicators objects enriching the event, and the context of that association/enrichment. | nested | | threat.enrichments.indicator | Object containing associated indicators enriching the event. | object | | threat.enrichments.indicator.file.Ext | Object for all custom defined fields to live in. | object | | threat.enrichments.indicator.file.Ext.code_signature | Nested version of ECS code_signature fieldset. | nested | | threat.enrichments.indicator.file.Ext.code_signature.exists | Boolean to capture if a signature is present. | boolean | | threat.enrichments.indicator.file.Ext.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | threat.enrichments.indicator.file.Ext.code_signature.subject_name | Subject name of the code signer | keyword | | threat.enrichments.indicator.file.Ext.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | threat.enrichments.indicator.file.Ext.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | threat.enrichments.indicator.file.Ext.device.bus_type | Bus type of the device, such as Nvme, Usb, FileBackedVirtual,... etc. | keyword | | threat.enrichments.indicator.file.Ext.device.dos_name | DOS name of the device. DOS device name is in the format of driver letters such as C:, D:,... | keyword | | threat.enrichments.indicator.file.Ext.device.file_system_type | Volume device file system type. Following are examples of the most frequently seen volume device file system types: NTFS UDF | keyword | | threat.enrichments.indicator.file.Ext.device.nt_name | NT name of the device. NT device name is in the format such as: \Device\HarddiskVolume2 | keyword | | threat.enrichments.indicator.file.Ext.device.product_id | ProductID of the device. It is provided by the vendor of the device if any. | keyword | | threat.enrichments.indicator.file.Ext.device.serial_number | Serial Number of the device. It is provided by the vendor of the device if any. | keyword | | threat.enrichments.indicator.file.Ext.device.vendor_id | VendorID of the device. It is provided by the vendor of the device. | keyword | | threat.enrichments.indicator.file.Ext.device.volume_device_type | Volume device type. Following are examples of the most frequently seen volume device types: Disk File System CD-ROM File System | keyword | | threat.enrichments.indicator.file.Ext.entropy | Entropy calculation of file's header and footer used to check file integrity. | double | | threat.enrichments.indicator.file.Ext.entry_modified | Time of last status change. See `st_ctim` member of `struct stat`. | double | | threat.enrichments.indicator.file.Ext.header_bytes | First 16 bytes of file used to check file integrity. | keyword | | threat.enrichments.indicator.file.Ext.header_data | First 16 bytes of file used to check file integrity. | text | | threat.enrichments.indicator.file.Ext.malware_classification.features.data.buffer | The features extracted from this file and evaluated by the model. Usually an array of floats. Likely zlib-encoded. | keyword | | threat.enrichments.indicator.file.Ext.malware_classification.features.data.decompressed_size | The decompressed size of buffer. | integer | | threat.enrichments.indicator.file.Ext.malware_classification.features.data.encoding | The encoding of buffer (e.g. zlib). | keyword | | threat.enrichments.indicator.file.Ext.malware_classification.identifier | The model's unique identifier. | keyword | | threat.enrichments.indicator.file.Ext.malware_classification.score | The score produced by the classification model. | double | | threat.enrichments.indicator.file.Ext.malware_classification.threshold | The score threshold for the model. Files that score above this threshold are considered malicious. | double | | threat.enrichments.indicator.file.Ext.malware_classification.upx_packed | Whether UPX packing was detected. | boolean | | threat.enrichments.indicator.file.Ext.malware_classification.version | The version of the model used. | keyword | | threat.enrichments.indicator.file.Ext.malware_signature | Nested version of malware_signature fieldset. | nested | | threat.enrichments.indicator.file.Ext.malware_signature.all_names | The concatenated names of all yara signatures | text | | threat.enrichments.indicator.file.Ext.malware_signature.identifier | Malware artifact identifier. | text | | threat.enrichments.indicator.file.Ext.malware_signature.primary | Primary malware signature match. | nested | | threat.enrichments.indicator.file.Ext.malware_signature.primary.matches | An array of bytes representing yara signature matches | nested | | threat.enrichments.indicator.file.Ext.malware_signature.primary.signature | Primary malware signature match. | nested | | threat.enrichments.indicator.file.Ext.malware_signature.primary.signature.hash | Primary malware signature hash. | nested | | threat.enrichments.indicator.file.Ext.malware_signature.primary.signature.hash.sha256 | Primary malware signature sha256. | keyword | | threat.enrichments.indicator.file.Ext.malware_signature.primary.signature.id | Primary malware signature id. | keyword | | threat.enrichments.indicator.file.Ext.malware_signature.primary.signature.name | Primary malware signature name. | keyword | | threat.enrichments.indicator.file.Ext.malware_signature.secondary | An array of malware signature matches | nested | | threat.enrichments.indicator.file.Ext.malware_signature.version | Primary malware signature version. | keyword | | threat.enrichments.indicator.file.Ext.monotonic_id | File event monotonic ID. | unsigned_long | | threat.enrichments.indicator.file.Ext.original | Original file information during a modification event. | object | | threat.enrichments.indicator.file.Ext.original.gid | Primary group ID (GID) of the file. | keyword | | threat.enrichments.indicator.file.Ext.original.group | Primary group name of the file. | keyword | | threat.enrichments.indicator.file.Ext.original.mode | Original file mode prior to a modification event | keyword | | threat.enrichments.indicator.file.Ext.original.name | Original file name prior to a modification event | keyword | | threat.enrichments.indicator.file.Ext.original.owner | File owner's username. | keyword | | threat.enrichments.indicator.file.Ext.original.path | Original file path prior to a modification event | keyword | | threat.enrichments.indicator.file.Ext.original.uid | The user ID (UID) or security identifier (SID) of the file owner. | keyword | | threat.enrichments.indicator.file.Ext.quarantine_message | Message describing quarantine results. | keyword | | threat.enrichments.indicator.file.Ext.quarantine_path | Path on endpoint the quarantined file was originally. | keyword | | threat.enrichments.indicator.file.Ext.quarantine_result | Boolean representing whether or not file quarantine succeeded. | boolean | | threat.enrichments.indicator.file.Ext.temp_file_path | Path on endpoint where a copy of the file is being stored. Used to make ephemeral files retrievable. | keyword | | threat.enrichments.indicator.file.Ext.windows | Platform-specific Windows fields | object | | threat.enrichments.indicator.file.Ext.windows.zone_identifier | Windows zone identifier for a file | keyword | | threat.enrichments.indicator.file.accessed | Last time the file was accessed. Note that not all filesystems keep track of access time. | date | | threat.enrichments.indicator.file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | | threat.enrichments.indicator.file.code_signature.exists | Boolean to capture if a signature is present. | boolean | | threat.enrichments.indicator.file.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. | keyword | | threat.enrichments.indicator.file.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | threat.enrichments.indicator.file.code_signature.subject_name | Subject name of the code signer | keyword | | threat.enrichments.indicator.file.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. | keyword | | threat.enrichments.indicator.file.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | threat.enrichments.indicator.file.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | threat.enrichments.indicator.file.created | File creation time. Note that not all filesystems store the creation time. | date | | threat.enrichments.indicator.file.ctime | Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. | date | | threat.enrichments.indicator.file.device | Device that is the source of the file. | keyword | | threat.enrichments.indicator.file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | | threat.enrichments.indicator.file.drive_letter | Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon. | keyword | | threat.enrichments.indicator.file.elf.architecture | Machine architecture of the ELF file. | keyword | | threat.enrichments.indicator.file.elf.byte_order | Byte sequence of ELF file. | keyword | | threat.enrichments.indicator.file.elf.cpu_type | CPU type of the ELF file. | keyword | | threat.enrichments.indicator.file.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date | | threat.enrichments.indicator.file.elf.exports | List of exported element names and types. | flattened | | threat.enrichments.indicator.file.elf.go_import_hash | A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). | keyword | | threat.enrichments.indicator.file.elf.go_imports | List of imported Go language element names and types. | flattened | | threat.enrichments.indicator.file.elf.go_imports_names_entropy | Shannon entropy calculation from the list of Go imports. | long | | threat.enrichments.indicator.file.elf.go_imports_names_var_entropy | Variance for Shannon entropy calculation from the list of Go imports. | long | | threat.enrichments.indicator.file.elf.go_stripped | Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. | boolean | | threat.enrichments.indicator.file.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword | | threat.enrichments.indicator.file.elf.header.class | Header class of the ELF file. | keyword | | threat.enrichments.indicator.file.elf.header.data | Data table of the ELF header. | keyword | | threat.enrichments.indicator.file.elf.header.entrypoint | Header entrypoint of the ELF file. | long | | threat.enrichments.indicator.file.elf.header.object_version | "0x1" for original ELF files. | keyword | | threat.enrichments.indicator.file.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword | | threat.enrichments.indicator.file.elf.header.type | Header type of the ELF file. | keyword | | threat.enrichments.indicator.file.elf.header.version | Version of the ELF header. | keyword | | threat.enrichments.indicator.file.elf.import_hash | A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is an ELF implementation of the Windows PE imphash. | keyword | | threat.enrichments.indicator.file.elf.imports | List of imported element names and types. | flattened | | threat.enrichments.indicator.file.elf.imports_names_entropy | Shannon entropy calculation from the list of imported element names and types. | long | | threat.enrichments.indicator.file.elf.imports_names_var_entropy | Variance for Shannon entropy calculation from the list of imported element names and types. | long | | threat.enrichments.indicator.file.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. | nested | | threat.enrichments.indicator.file.elf.sections.chi2 | Chi-square probability distribution of the section. | long | | threat.enrichments.indicator.file.elf.sections.entropy | Shannon entropy calculation from the section. | long | | threat.enrichments.indicator.file.elf.sections.flags | ELF Section List flags. | keyword | | threat.enrichments.indicator.file.elf.sections.name | ELF Section List name. | keyword | | threat.enrichments.indicator.file.elf.sections.physical_offset | ELF Section List offset. | keyword | | threat.enrichments.indicator.file.elf.sections.physical_size | ELF Section List physical size. | long | | threat.enrichments.indicator.file.elf.sections.type | ELF Section List type. | keyword | | threat.enrichments.indicator.file.elf.sections.var_entropy | Variance for Shannon entropy calculation from the section. | long | | threat.enrichments.indicator.file.elf.sections.virtual_address | ELF Section List virtual address. | long | | threat.enrichments.indicator.file.elf.sections.virtual_size | ELF Section List virtual size. | long | | threat.enrichments.indicator.file.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. | nested | | threat.enrichments.indicator.file.elf.segments.sections | ELF object segment sections. | keyword | | threat.enrichments.indicator.file.elf.segments.type | ELF object segment type. | keyword | | threat.enrichments.indicator.file.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword | | threat.enrichments.indicator.file.elf.telfhash | telfhash symbol hash for ELF file. | keyword | | threat.enrichments.indicator.file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | | threat.enrichments.indicator.file.gid | Primary group ID (GID) of the file. | keyword | | threat.enrichments.indicator.file.group | Primary group name of the file. | keyword | | threat.enrichments.indicator.file.hash.md5 | MD5 hash. | keyword | | threat.enrichments.indicator.file.hash.sha1 | SHA1 hash. | keyword | | threat.enrichments.indicator.file.hash.sha256 | SHA256 hash. | keyword | | threat.enrichments.indicator.file.hash.sha512 | SHA512 hash. | keyword | | threat.enrichments.indicator.file.hash.ssdeep | SSDEEP hash. | keyword | | threat.enrichments.indicator.file.inode | Inode representing the file in the filesystem. | keyword | | threat.enrichments.indicator.file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword | | threat.enrichments.indicator.file.mode | Mode of the file in octal representation. | keyword | | threat.enrichments.indicator.file.mtime | Last time the file content was modified. | date | | threat.enrichments.indicator.file.name | Name of the file including the extension, without the directory. | keyword | | threat.enrichments.indicator.file.owner | File owner's username. | keyword | | threat.enrichments.indicator.file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | | threat.enrichments.indicator.file.pe.architecture | CPU architecture target for the file. | keyword | | threat.enrichments.indicator.file.pe.company | Internal company name of the file, provided at compile-time. | keyword | | threat.enrichments.indicator.file.pe.description | Internal description of the file, provided at compile-time. | keyword | | threat.enrichments.indicator.file.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | threat.enrichments.indicator.file.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | threat.enrichments.indicator.file.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | threat.enrichments.indicator.file.pe.product | Internal product name of the file, provided at compile-time. | keyword | | threat.enrichments.indicator.file.size | File size in bytes. Only relevant when `file.type` is "file". | long | | threat.enrichments.indicator.file.target_path | Target path for symlinks. | keyword | | threat.enrichments.indicator.file.type | File type (file, dir, or symlink). | keyword | | threat.enrichments.indicator.file.uid | The user ID (UID) or security identifier (SID) of the file owner. | keyword | | threat.enrichments.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | | threat.enrichments.indicator.geo.city_name | City name. | keyword | | threat.enrichments.indicator.geo.continent_code | Two-letter code representing continent's name. | keyword | | threat.enrichments.indicator.geo.continent_name | Name of the continent. | keyword | | threat.enrichments.indicator.geo.country_iso_code | Country ISO code. | keyword | | threat.enrichments.indicator.geo.country_name | Country name. | keyword | | threat.enrichments.indicator.geo.location | Longitude and latitude. | geo_point | | threat.enrichments.indicator.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | threat.enrichments.indicator.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | threat.enrichments.indicator.geo.region_iso_code | Region ISO code. | keyword | | threat.enrichments.indicator.geo.region_name | Region name. | keyword | | threat.enrichments.indicator.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | threat.enrichments.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | | threat.enrichments.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | | threat.enrichments.indicator.marking.tlp | Traffic Light Protocol sharing markings. | keyword | | threat.enrichments.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date | | threat.enrichments.indicator.port | Identifies a threat indicator as a port number (irrespective of direction). | long | | threat.enrichments.indicator.provider | The name of the indicator's provider. | keyword | | threat.enrichments.indicator.reference | Reference URL linking to additional information about this indicator. | keyword | | threat.enrichments.indicator.registry.data.bytes | Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. | keyword | | threat.enrichments.indicator.registry.data.strings | Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). | wildcard | | threat.enrichments.indicator.registry.data.type | Standard registry type for encoding contents | keyword | | threat.enrichments.indicator.registry.hive | Abbreviated name for the hive. | keyword | | threat.enrichments.indicator.registry.key | Hive-relative path of keys. | keyword | | threat.enrichments.indicator.registry.path | Full path, including hive, key and value | keyword | | threat.enrichments.indicator.registry.value | Name of the value written. | keyword | | threat.enrichments.indicator.scanner_stats | Count of AV/EDR vendors that successfully detected malicious file or URL. | long | | threat.enrichments.indicator.sightings | Number of times this indicator was observed conducting threat activity. | long | | threat.enrichments.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | | threat.enrichments.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | | threat.enrichments.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | | threat.enrichments.indicator.url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | | threat.enrichments.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | | threat.enrichments.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | | threat.enrichments.indicator.url.password | Password of the request. | keyword | | threat.enrichments.indicator.url.path | Path of the request, such as "/search". | wildcard | | threat.enrichments.indicator.url.port | Port of the request, such as 443. | long | | threat.enrichments.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | | threat.enrichments.indicator.url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | | threat.enrichments.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | | threat.enrichments.indicator.url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | | threat.enrichments.indicator.url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | | threat.enrichments.indicator.url.username | Username of the request. | keyword | | threat.enrichments.indicator.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword | | threat.enrichments.indicator.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | | threat.enrichments.indicator.x509.issuer.country | List of country \(C) codes | keyword | | threat.enrichments.indicator.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword | | threat.enrichments.indicator.x509.issuer.locality | List of locality names (L) | keyword | | threat.enrichments.indicator.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword | | threat.enrichments.indicator.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword | | threat.enrichments.indicator.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword | | threat.enrichments.indicator.x509.not_after | Time at which the certificate is no longer considered valid. | date | | threat.enrichments.indicator.x509.not_before | Time at which the certificate is first considered valid. | date | | threat.enrichments.indicator.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword | | threat.enrichments.indicator.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword | | threat.enrichments.indicator.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long | | threat.enrichments.indicator.x509.public_key_size | The size of the public key space in bits. | long | | threat.enrichments.indicator.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | | threat.enrichments.indicator.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword | | threat.enrichments.indicator.x509.subject.common_name | List of common names (CN) of subject. | keyword | | threat.enrichments.indicator.x509.subject.country | List of country \(C) code | keyword | | threat.enrichments.indicator.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword | | threat.enrichments.indicator.x509.subject.locality | List of locality names (L) | keyword | | threat.enrichments.indicator.x509.subject.organization | List of organizations (O) of subject. | keyword | | threat.enrichments.indicator.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword | | threat.enrichments.indicator.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | | threat.enrichments.indicator.x509.version_number | Version of x509 format. | keyword | | threat.enrichments.matched.atomic | Identifies the atomic indicator value that matched a local environment endpoint or network event. | keyword | | threat.enrichments.matched.field | Identifies the field of the atomic indicator that matched a local environment endpoint or network event. | keyword | | threat.enrichments.matched.id | Identifies the _id of the indicator document enriching the event. | keyword | | threat.enrichments.matched.index | Identifies the _index of the indicator document enriching the event. | keyword | | threat.enrichments.matched.type | Identifies the type of match that caused the event to be enriched with the given indicator | keyword | | threat.framework | Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. | keyword | | threat.group.alias | The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es). | keyword | | threat.group.id | The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id. | keyword | | threat.group.name | The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name. | keyword | | threat.group.reference | The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL. | keyword | | threat.indicator.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | threat.indicator.as.organization.name | Organization name. | keyword | | threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. | keyword | | threat.indicator.description | Describes the type of action conducted by the threat. | keyword | | threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword | | threat.indicator.file.Ext | Object for all custom defined fields to live in. | object | | threat.indicator.file.Ext.code_signature | Nested version of ECS code_signature fieldset. | nested | | threat.indicator.file.Ext.code_signature.exists | Boolean to capture if a signature is present. | boolean | | threat.indicator.file.Ext.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | threat.indicator.file.Ext.code_signature.subject_name | Subject name of the code signer | keyword | | threat.indicator.file.Ext.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | threat.indicator.file.Ext.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | threat.indicator.file.Ext.device.bus_type | Bus type of the device, such as Nvme, Usb, FileBackedVirtual,... etc. | keyword | | threat.indicator.file.Ext.device.dos_name | DOS name of the device. DOS device name is in the format of driver letters such as C:, D:,... | keyword | | threat.indicator.file.Ext.device.file_system_type | Volume device file system type. Following are examples of the most frequently seen volume device file system types: NTFS UDF | keyword | | threat.indicator.file.Ext.device.nt_name | NT name of the device. NT device name is in the format such as: \Device\HarddiskVolume2 | keyword | | threat.indicator.file.Ext.device.product_id | ProductID of the device. It is provided by the vendor of the device if any. | keyword | | threat.indicator.file.Ext.device.serial_number | Serial Number of the device. It is provided by the vendor of the device if any. | keyword | | threat.indicator.file.Ext.device.vendor_id | VendorID of the device. It is provided by the vendor of the device. | keyword | | threat.indicator.file.Ext.device.volume_device_type | Volume device type. Following are examples of the most frequently seen volume device types: Disk File System CD-ROM File System | keyword | | threat.indicator.file.Ext.entropy | Entropy calculation of file's header and footer used to check file integrity. | double | | threat.indicator.file.Ext.entry_modified | Time of last status change. See `st_ctim` member of `struct stat`. | double | | threat.indicator.file.Ext.header_bytes | First 16 bytes of file used to check file integrity. | keyword | | threat.indicator.file.Ext.header_data | First 16 bytes of file used to check file integrity. | text | | threat.indicator.file.Ext.malware_classification.features.data.buffer | The features extracted from this file and evaluated by the model. Usually an array of floats. Likely zlib-encoded. | keyword | | threat.indicator.file.Ext.malware_classification.features.data.decompressed_size | The decompressed size of buffer. | integer | | threat.indicator.file.Ext.malware_classification.features.data.encoding | The encoding of buffer (e.g. zlib). | keyword | | threat.indicator.file.Ext.malware_classification.identifier | The model's unique identifier. | keyword | | threat.indicator.file.Ext.malware_classification.score | The score produced by the classification model. | double | | threat.indicator.file.Ext.malware_classification.threshold | The score threshold for the model. Files that score above this threshold are considered malicious. | double | | threat.indicator.file.Ext.malware_classification.upx_packed | Whether UPX packing was detected. | boolean | | threat.indicator.file.Ext.malware_classification.version | The version of the model used. | keyword | | threat.indicator.file.Ext.malware_signature | Nested version of malware_signature fieldset. | nested | | threat.indicator.file.Ext.malware_signature.all_names | The concatenated names of all yara signatures | text | | threat.indicator.file.Ext.malware_signature.identifier | Malware artifact identifier. | text | | threat.indicator.file.Ext.malware_signature.primary | Primary malware signature match. | nested | | threat.indicator.file.Ext.malware_signature.primary.matches | An array of bytes representing yara signature matches | nested | | threat.indicator.file.Ext.malware_signature.primary.signature | Primary malware signature match. | nested | | threat.indicator.file.Ext.malware_signature.primary.signature.hash | Primary malware signature hash. | nested | | threat.indicator.file.Ext.malware_signature.primary.signature.hash.sha256 | Primary malware signature sha256. | keyword | | threat.indicator.file.Ext.malware_signature.primary.signature.id | Primary malware signature id. | keyword | | threat.indicator.file.Ext.malware_signature.primary.signature.name | Primary malware signature name. | keyword | | threat.indicator.file.Ext.malware_signature.secondary | An array of malware signature matches | nested | | threat.indicator.file.Ext.malware_signature.version | Primary malware signature version. | keyword | | threat.indicator.file.Ext.monotonic_id | File event monotonic ID. | unsigned_long | | threat.indicator.file.Ext.original | Original file information during a modification event. | object | | threat.indicator.file.Ext.original.gid | Primary group ID (GID) of the file. | keyword | | threat.indicator.file.Ext.original.group | Primary group name of the file. | keyword | | threat.indicator.file.Ext.original.mode | Original file mode prior to a modification event | keyword | | threat.indicator.file.Ext.original.name | Original file name prior to a modification event | keyword | | threat.indicator.file.Ext.original.owner | File owner's username. | keyword | | threat.indicator.file.Ext.original.path | Original file path prior to a modification event | keyword | | threat.indicator.file.Ext.original.uid | The user ID (UID) or security identifier (SID) of the file owner. | keyword | | threat.indicator.file.Ext.quarantine_message | Message describing quarantine results. | keyword | | threat.indicator.file.Ext.quarantine_path | Path on endpoint the quarantined file was originally. | keyword | | threat.indicator.file.Ext.quarantine_result | Boolean representing whether or not file quarantine succeeded. | boolean | | threat.indicator.file.Ext.temp_file_path | Path on endpoint where a copy of the file is being stored. Used to make ephemeral files retrievable. | keyword | | threat.indicator.file.Ext.windows | Platform-specific Windows fields | object | | threat.indicator.file.Ext.windows.zone_identifier | Windows zone identifier for a file | keyword | | threat.indicator.file.accessed | Last time the file was accessed. Note that not all filesystems keep track of access time. | date | | threat.indicator.file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | | threat.indicator.file.code_signature.exists | Boolean to capture if a signature is present. | boolean | | threat.indicator.file.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. | keyword | | threat.indicator.file.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | threat.indicator.file.code_signature.subject_name | Subject name of the code signer | keyword | | threat.indicator.file.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. | keyword | | threat.indicator.file.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | threat.indicator.file.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | threat.indicator.file.created | File creation time. Note that not all filesystems store the creation time. | date | | threat.indicator.file.ctime | Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. | date | | threat.indicator.file.device | Device that is the source of the file. | keyword | | threat.indicator.file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | | threat.indicator.file.drive_letter | Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon. | keyword | | threat.indicator.file.elf.architecture | Machine architecture of the ELF file. | keyword | | threat.indicator.file.elf.byte_order | Byte sequence of ELF file. | keyword | | threat.indicator.file.elf.cpu_type | CPU type of the ELF file. | keyword | | threat.indicator.file.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date | | threat.indicator.file.elf.exports | List of exported element names and types. | flattened | | threat.indicator.file.elf.go_import_hash | A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). | keyword | | threat.indicator.file.elf.go_imports | List of imported Go language element names and types. | flattened | | threat.indicator.file.elf.go_imports_names_entropy | Shannon entropy calculation from the list of Go imports. | long | | threat.indicator.file.elf.go_imports_names_var_entropy | Variance for Shannon entropy calculation from the list of Go imports. | long | | threat.indicator.file.elf.go_stripped | Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. | boolean | | threat.indicator.file.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword | | threat.indicator.file.elf.header.class | Header class of the ELF file. | keyword | | threat.indicator.file.elf.header.data | Data table of the ELF header. | keyword | | threat.indicator.file.elf.header.entrypoint | Header entrypoint of the ELF file. | long | | threat.indicator.file.elf.header.object_version | "0x1" for original ELF files. | keyword | | threat.indicator.file.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword | | threat.indicator.file.elf.header.type | Header type of the ELF file. | keyword | | threat.indicator.file.elf.header.version | Version of the ELF header. | keyword | | threat.indicator.file.elf.import_hash | A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is an ELF implementation of the Windows PE imphash. | keyword | | threat.indicator.file.elf.imports | List of imported element names and types. | flattened | | threat.indicator.file.elf.imports_names_entropy | Shannon entropy calculation from the list of imported element names and types. | long | | threat.indicator.file.elf.imports_names_var_entropy | Variance for Shannon entropy calculation from the list of imported element names and types. | long | | threat.indicator.file.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. | nested | | threat.indicator.file.elf.sections.chi2 | Chi-square probability distribution of the section. | long | | threat.indicator.file.elf.sections.entropy | Shannon entropy calculation from the section. | long | | threat.indicator.file.elf.sections.flags | ELF Section List flags. | keyword | | threat.indicator.file.elf.sections.name | ELF Section List name. | keyword | | threat.indicator.file.elf.sections.physical_offset | ELF Section List offset. | keyword | | threat.indicator.file.elf.sections.physical_size | ELF Section List physical size. | long | | threat.indicator.file.elf.sections.type | ELF Section List type. | keyword | | threat.indicator.file.elf.sections.var_entropy | Variance for Shannon entropy calculation from the section. | long | | threat.indicator.file.elf.sections.virtual_address | ELF Section List virtual address. | long | | threat.indicator.file.elf.sections.virtual_size | ELF Section List virtual size. | long | | threat.indicator.file.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. | nested | | threat.indicator.file.elf.segments.sections | ELF object segment sections. | keyword | | threat.indicator.file.elf.segments.type | ELF object segment type. | keyword | | threat.indicator.file.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword | | threat.indicator.file.elf.telfhash | telfhash symbol hash for ELF file. | keyword | | threat.indicator.file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | | threat.indicator.file.gid | Primary group ID (GID) of the file. | keyword | | threat.indicator.file.group | Primary group name of the file. | keyword | | threat.indicator.file.hash.md5 | MD5 hash. | keyword | | threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | | threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | | threat.indicator.file.hash.sha512 | SHA512 hash. | keyword | | threat.indicator.file.hash.ssdeep | SSDEEP hash. | keyword | | threat.indicator.file.inode | Inode representing the file in the filesystem. | keyword | | threat.indicator.file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword | | threat.indicator.file.mode | Mode of the file in octal representation. | keyword | | threat.indicator.file.mtime | Last time the file content was modified. | date | | threat.indicator.file.name | Name of the file including the extension, without the directory. | keyword | | threat.indicator.file.owner | File owner's username. | keyword | | threat.indicator.file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | | threat.indicator.file.pe.architecture | CPU architecture target for the file. | keyword | | threat.indicator.file.pe.company | Internal company name of the file, provided at compile-time. | keyword | | threat.indicator.file.pe.description | Internal description of the file, provided at compile-time. | keyword | | threat.indicator.file.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | threat.indicator.file.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | threat.indicator.file.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | threat.indicator.file.pe.product | Internal product name of the file, provided at compile-time. | keyword | | threat.indicator.file.size | File size in bytes. Only relevant when `file.type` is "file". | long | | threat.indicator.file.target_path | Target path for symlinks. | keyword | | threat.indicator.file.type | File type (file, dir, or symlink). | keyword | | threat.indicator.file.uid | The user ID (UID) or security identifier (SID) of the file owner. | keyword | | threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | | threat.indicator.geo.city_name | City name. | keyword | | threat.indicator.geo.continent_code | Two-letter code representing continent's name. | keyword | | threat.indicator.geo.continent_name | Name of the continent. | keyword | | threat.indicator.geo.country_iso_code | Country ISO code. | keyword | | threat.indicator.geo.country_name | Country name. | keyword | | threat.indicator.geo.location | Longitude and latitude. | geo_point | | threat.indicator.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | threat.indicator.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | threat.indicator.geo.region_iso_code | Region ISO code. | keyword | | threat.indicator.geo.region_name | Region name. | keyword | | threat.indicator.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | | threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | | threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. | keyword | | threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date | | threat.indicator.port | Identifies a threat indicator as a port number (irrespective of direction). | long | | threat.indicator.provider | The name of the indicator's provider. | keyword | | threat.indicator.reference | Reference URL linking to additional information about this indicator. | keyword | | threat.indicator.registry.data.bytes | Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. | keyword | | threat.indicator.registry.data.strings | Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). | wildcard | | threat.indicator.registry.data.type | Standard registry type for encoding contents | keyword | | threat.indicator.registry.hive | Abbreviated name for the hive. | keyword | | threat.indicator.registry.key | Hive-relative path of keys. | keyword | | threat.indicator.registry.path | Full path, including hive, key and value | keyword | | threat.indicator.registry.value | Name of the value written. | keyword | | threat.indicator.scanner_stats | Count of AV/EDR vendors that successfully detected malicious file or URL. | long | | threat.indicator.sightings | Number of times this indicator was observed conducting threat activity. | long | | threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | | threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | | threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | | threat.indicator.url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | | threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | | threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | | threat.indicator.url.password | Password of the request. | keyword | | threat.indicator.url.path | Path of the request, such as "/search". | wildcard | | threat.indicator.url.port | Port of the request, such as 443. | long | | threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | | threat.indicator.url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | | threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | | threat.indicator.url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | | threat.indicator.url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | | threat.indicator.url.username | Username of the request. | keyword | | threat.indicator.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword | | threat.indicator.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | | threat.indicator.x509.issuer.country | List of country \(C) codes | keyword | | threat.indicator.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword | | threat.indicator.x509.issuer.locality | List of locality names (L) | keyword | | threat.indicator.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword | | threat.indicator.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword | | threat.indicator.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword | | threat.indicator.x509.not_after | Time at which the certificate is no longer considered valid. | date | | threat.indicator.x509.not_before | Time at which the certificate is first considered valid. | date | | threat.indicator.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword | | threat.indicator.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword | | threat.indicator.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long | | threat.indicator.x509.public_key_size | The size of the public key space in bits. | long | | threat.indicator.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | | threat.indicator.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword | | threat.indicator.x509.subject.common_name | List of common names (CN) of subject. | keyword | | threat.indicator.x509.subject.country | List of country \(C) code | keyword | | threat.indicator.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword | | threat.indicator.x509.subject.locality | List of locality names (L) | keyword | | threat.indicator.x509.subject.organization | List of organizations (O) of subject. | keyword | | threat.indicator.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword | | threat.indicator.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | | threat.indicator.x509.version_number | Version of x509 format. | keyword | | threat.software.id | The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id. | keyword | | threat.software.name | The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name. | keyword | | threat.software.platforms | The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use MITRE ATT&CK® software platform values. | keyword | | threat.software.reference | The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL. | keyword | | threat.software.type | The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type. | keyword | | threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword | | threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword | | threat.tactic.reference | The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword | | threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | | threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | | threat.technique.reference | The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | | threat.technique.subtechnique.id | The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) | keyword | | threat.technique.subtechnique.name | The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) | keyword | | threat.technique.subtechnique.reference | The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) | keyword | | user.Ext | Object for all custom defined fields to live in. | object | | user.Ext.real | User info prior to any setuid operations. | object | | user.Ext.real.id | One or multiple unique identifiers of the user. | keyword | | user.Ext.real.name | Short name or login of the user. | keyword | | user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | user.email | User email address. | keyword | | user.full_name | User's full name, if available. | keyword | | user.group.Ext | Object for all custom defined fields to live in. | object | | user.group.Ext.real | Group info prior to any setgid operations. | object | | user.group.Ext.real.id | Unique identifier for the group on the system/platform. | keyword | | user.group.Ext.real.name | Name of the group. | keyword | | user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | user.group.id | Unique identifier for the group on the system/platform. | keyword | | user.group.name | Name of the group. | keyword | | user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | user.id | Unique identifier of the user. | keyword | | user.name | Short name or login of the user. | keyword | ### file #### Exported fields | Field | Description | Type | |---|---|---| | @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | Effective_process.entity_id | Unique identifier for the effective process. | keyword | | Effective_process.executable | Executable name for the effective process. | keyword | | Effective_process.name | Process name for the effective process. | keyword | | Effective_process.pid | Process ID. | long | | Persistence.args | Arguments used to execute the persistence item | keyword | | Persistence.executable | The persistence item's executable | keyword | | Persistence.keepalive | Keep alive option boolean | boolean | | Persistence.name | The persistence item's name | keyword | | Persistence.path | The file's path | keyword | | Persistence.runatload | Run at load option boolean | boolean | | agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword | | agent.version | Version of the agent. | keyword | | data_stream.dataset | Data stream dataset name. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | destination.geo.city_name | City name. | keyword | | destination.geo.continent_code | Two-letter code representing continent's name. | keyword | | destination.geo.continent_name | Name of the continent. | keyword | | destination.geo.country_iso_code | Country ISO code. | keyword | | destination.geo.country_name | Country name. | keyword | | destination.geo.location | Longitude and latitude. | geo_point | | destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | destination.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | destination.geo.region_iso_code | Region ISO code. | keyword | | destination.geo.region_name | Region name. | keyword | | destination.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | event.Ext | Object for all custom defined fields to live in. | object | | event.Ext.correlation | Information about event this should be correlated with. | object | | event.Ext.correlation.id | ID of event that this event is correlated to, e.g. quarantine event associated with an unquarantine event | keyword | | event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | | event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | | event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | | event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | | event.hash | Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. | keyword | | event.id | Unique ID to describe the event. | keyword | | event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. | date | | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | | event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | | event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | | event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | | event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | file.Ext | Object for all custom defined fields to live in. | object | | file.Ext.device.bus_type | Bus type of the device, such as Nvme, Usb, FileBackedVirtual,... etc. | keyword | | file.Ext.device.dos_name | DOS name of the device. DOS device name is in the format of driver letters such as C:, D:,... | keyword | | file.Ext.device.file_system_type | Volume device file system type. Following are examples of the most frequently seen volume device file system types: NTFS UDF | keyword | | file.Ext.device.nt_name | NT name of the device. NT device name is in the format such as: \Device\HarddiskVolume2 | keyword | | file.Ext.device.product_id | ProductID of the device. It is provided by the vendor of the device if any. | keyword | | file.Ext.device.serial_number | Serial Number of the device. It is provided by the vendor of the device if any. | keyword | | file.Ext.device.vendor_id | VendorID of the device. It is provided by the vendor of the device. | keyword | | file.Ext.device.volume_device_type | Volume device type. Following are examples of the most frequently seen volume device types: Disk File System CD-ROM File System | keyword | | file.Ext.entropy | Entropy calculation of file's header and footer used to check file integrity. | double | | file.Ext.header_bytes | First 16 bytes of file used to check file integrity. | keyword | | file.Ext.header_data | First 16 bytes of file used to check file integrity. | text | | file.Ext.malware_signature | Nested version of malware_signature fieldset. | nested | | file.Ext.malware_signature.all_names | The concatenated names of all yara signatures | text | | file.Ext.malware_signature.identifier | Malware artifact identifier. | text | | file.Ext.malware_signature.primary | Primary malware signature match. | nested | | file.Ext.malware_signature.primary.matches | An array of bytes representing yara signature matches | nested | | file.Ext.malware_signature.primary.signature | Primary malware signature match. | nested | | file.Ext.malware_signature.primary.signature.hash | Primary malware signature hash. | nested | | file.Ext.malware_signature.primary.signature.hash.sha256 | Primary malware signature sha256. | keyword | | file.Ext.malware_signature.primary.signature.id | Primary malware signature id. | keyword | | file.Ext.malware_signature.primary.signature.name | Primary malware signature name. | keyword | | file.Ext.malware_signature.secondary | An array of malware signature matches | nested | | file.Ext.malware_signature.version | Primary malware signature version. | keyword | | file.Ext.monotonic_id | File event monotonic ID. | unsigned_long | | file.Ext.original | Original file information during a modification event. | object | | file.Ext.original.gid | Primary group ID (GID) of the file. | keyword | | file.Ext.original.group | Primary group name of the file. | keyword | | file.Ext.original.mode | Original file mode prior to a modification event | keyword | | file.Ext.original.name | Original file name prior to a modification event | keyword | | file.Ext.original.owner | File owner's username. | keyword | | file.Ext.original.path | Original file path prior to a modification event | keyword | | file.Ext.original.uid | The user ID (UID) or security identifier (SID) of the file owner. | keyword | | file.Ext.windows | Platform-specific Windows fields | object | | file.Ext.windows.zone_identifier | Windows zone identifier for a file | keyword | | file.accessed | Last time the file was accessed. Note that not all filesystems keep track of access time. | date | | file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | | file.created | File creation time. Note that not all filesystems store the creation time. | date | | file.ctime | Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. | date | | file.device | Device that is the source of the file. | keyword | | file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | | file.drive_letter | Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon. | keyword | | file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | | file.gid | Primary group ID (GID) of the file. | keyword | | file.group | Primary group name of the file. | keyword | | file.hash.md5 | MD5 hash. | keyword | | file.hash.sha1 | SHA1 hash. | keyword | | file.hash.sha256 | SHA256 hash. | keyword | | file.hash.sha512 | SHA512 hash. | keyword | | file.inode | Inode representing the file in the filesystem. | keyword | | file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword | | file.mode | Mode of the file in octal representation. | keyword | | file.mtime | Last time the file content was modified. | date | | file.name | Name of the file including the extension, without the directory. | keyword | | file.owner | File owner's username. | keyword | | file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | | file.pe.company | Internal company name of the file, provided at compile-time. | keyword | | file.pe.description | Internal description of the file, provided at compile-time. | keyword | | file.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | file.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | file.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | file.pe.product | Internal product name of the file, provided at compile-time. | keyword | | file.size | File size in bytes. Only relevant when `file.type` is "file". | long | | file.target_path | Target path for symlinks. | keyword | | file.type | File type (file, dir, or symlink). | keyword | | file.uid | The user ID (UID) or security identifier (SID) of the file owner. | keyword | | group.Ext | Object for all custom defined fields to live in. | object | | group.Ext.real | Group info prior to any setgid operations. | object | | group.Ext.real.id | Unique identifier for the group on the system/platform. | keyword | | group.Ext.real.name | Name of the group. | keyword | | group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | group.id | Unique identifier for the group on the system/platform. | keyword | | group.name | Name of the group. | keyword | | host.architecture | Operating system architecture. | keyword | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | | host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | | host.os.Ext | Object for all custom defined fields to live in. | object | | host.os.Ext.variant | A string value or phrase that further aid to classify or qualify the operating system (OS). For example the distribution for a Linux OS will be entered in this field. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.full | Operating system name, including the version or code name. | keyword | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | host.uptime | Seconds the host has been up. | long | | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | process.Ext | Object for all custom defined fields to live in. | object | | process.Ext.ancestry | An array of entity_ids indicating the ancestors for this event | keyword | | process.Ext.code_signature | Nested version of ECS code_signature fieldset. | nested | | process.Ext.code_signature.exists | Boolean to capture if a signature is present. | boolean | | process.Ext.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | process.Ext.code_signature.subject_name | Subject name of the code signer | keyword | | process.Ext.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | process.Ext.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | | process.code_signature.exists | Boolean to capture if a signature is present. | boolean | | process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. | keyword | | process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | process.code_signature.subject_name | Subject name of the code signer | keyword | | process.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. | keyword | | process.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | process.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.entry_leader.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.entry_leader.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.executable | Absolute path to the process executable. | keyword | | process.group_leader.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.name | Process name. Sometimes called program name or similar. | keyword | | process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.parent.group_leader.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.parent.pid | Process id. | long | | process.pid | Process id. | long | | process.ppid | Parent process' pid. | long | | process.session_leader.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.thread.Ext | Object for all custom defined fields to live in. | object | | process.thread.Ext.call_stack | Fields describing a stack frame. call_stack is expected to be an array where each array element represents a stack frame. | object | | process.thread.Ext.call_stack.allocation_private_bytes | The number of bytes in this memory allocation/image that are both +X and non-shareable. Non-zero values can indicate code hooking, patching, or hollowing. | unsigned_long | | process.thread.Ext.call_stack.callsite_leading_bytes | Hex opcode bytes preceding the callsite | keyword | | process.thread.Ext.call_stack.callsite_trailing_bytes | Hex opcode bytes after the callsite (where control will return to) | keyword | | process.thread.Ext.call_stack.protection | Protection of the page containing this instruction. This is `R-X' by default if omitted. | keyword | | process.thread.Ext.call_stack.symbol_info | The nearest symbol for `instruction_pointer`. | keyword | | process.thread.Ext.call_stack_summary | Concatentation of the non-repeated modules in the call stack. | keyword | | process.thread.id | Thread ID. | long | | source.geo.city_name | City name. | keyword | | source.geo.continent_code | Two-letter code representing continent's name. | keyword | | source.geo.continent_name | Name of the continent. | keyword | | source.geo.country_iso_code | Country ISO code. | keyword | | source.geo.country_name | Country name. | keyword | | source.geo.location | Longitude and latitude. | geo_point | | source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | source.geo.region_iso_code | Region ISO code. | keyword | | source.geo.region_name | Region name. | keyword | | source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | user.Ext | Object for all custom defined fields to live in. | object | | user.Ext.real | User info prior to any setuid operations. | object | | user.Ext.real.id | One or multiple unique identifiers of the user. | keyword | | user.Ext.real.name | Short name or login of the user. | keyword | | user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | user.email | User email address. | keyword | | user.full_name | User's full name, if available. | keyword | | user.group.Ext | Object for all custom defined fields to live in. | object | | user.group.Ext.real | Group info prior to any setgid operations. | object | | user.group.Ext.real.id | Unique identifier for the group on the system/platform. | keyword | | user.group.Ext.real.name | Name of the group. | keyword | | user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | user.group.id | Unique identifier for the group on the system/platform. | keyword | | user.group.name | Name of the group. | keyword | | user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | user.id | Unique identifier of the user. | keyword | | user.name | Short name or login of the user. | keyword | ### library #### Exported fields | Field | Description | Type | |---|---|---| | @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword | | agent.version | Version of the agent. | keyword | | data_stream.dataset | Data stream dataset name. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | destination.geo.city_name | City name. | keyword | | destination.geo.continent_code | Two-letter code representing continent's name. | keyword | | destination.geo.continent_name | Name of the continent. | keyword | | destination.geo.country_iso_code | Country ISO code. | keyword | | destination.geo.country_name | Country name. | keyword | | destination.geo.location | Longitude and latitude. | geo_point | | destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | destination.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | destination.geo.region_iso_code | Region ISO code. | keyword | | destination.geo.region_name | Region name. | keyword | | destination.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | dll.Ext | Object for all custom defined fields to live in. | object | | dll.Ext.code_signature | Nested version of ECS code_signature fieldset. | nested | | dll.Ext.code_signature.exists | Boolean to capture if a signature is present. | boolean | | dll.Ext.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | dll.Ext.code_signature.subject_name | Subject name of the code signer | keyword | | dll.Ext.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | dll.Ext.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | dll.Ext.defense_evasions | List of defense evasions found for this DLL. These defense evasions can make it harder to inspect a process and/or cause abnormal OS behavior. Examples tools that can cause defense evasions include KnownDlls hijacking and PPLDump. | keyword | | dll.Ext.device.bus_type | Bus type of the device, such as Nvme, Usb, FileBackedVirtual,... etc. | keyword | | dll.Ext.device.dos_name | DOS name of the device. DOS device name is in the format of driver letters such as C:, D:,... | keyword | | dll.Ext.device.file_system_type | Volume device file system type. Following are examples of the most frequently seen volume device file system types: NTFS UDF | keyword | | dll.Ext.device.nt_name | NT name of the device. NT device name is in the format such as: \Device\HarddiskVolume2 | keyword | | dll.Ext.device.product_id | ProductID of the device. It is provided by the vendor of the device if any. | keyword | | dll.Ext.device.serial_number | Serial Number of the device. It is provided by the vendor of the device if any. | keyword | | dll.Ext.device.vendor_id | VendorID of the device. It is provided by the vendor of the device. | keyword | | dll.Ext.device.volume_device_type | Volume device type. Following are examples of the most frequently seen volume device types: Disk File System CD-ROM File System | keyword | | dll.Ext.load_index | A DLL can be loaded into a process multiple times. This field indicates the Nth time that this DLL has been loaded. The first load index is 1. | unsigned_long | | dll.Ext.relative_file_creation_time | Number of seconds since the DLL's file was created. This number may be negative if the file's timestamp is in the future. | double | | dll.Ext.relative_file_name_modify_time | Number of seconds since the DLL's name was modified. This information can come from the NTFS MFT. This number may be negative if the file's timestamp is in the future. | double | | dll.Ext.size | Size of DLL | unsigned_long | | dll.code_signature.exists | Boolean to capture if a signature is present. | boolean | | dll.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. | keyword | | dll.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | dll.code_signature.subject_name | Subject name of the code signer | keyword | | dll.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. | keyword | | dll.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | dll.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | dll.hash.md5 | MD5 hash. | keyword | | dll.hash.sha1 | SHA1 hash. | keyword | | dll.hash.sha256 | SHA256 hash. | keyword | | dll.hash.sha512 | SHA512 hash. | keyword | | dll.name | Name of the library. This generally maps to the name of the file on disk. | keyword | | dll.path | Full file path of the library. | keyword | | dll.pe.company | Internal company name of the file, provided at compile-time. | keyword | | dll.pe.description | Internal description of the file, provided at compile-time. | keyword | | dll.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | dll.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | dll.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | dll.pe.product | Internal product name of the file, provided at compile-time. | keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | | event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | | event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | | event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | | event.hash | Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. | keyword | | event.id | Unique ID to describe the event. | keyword | | event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. | date | | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | | event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | | event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | | event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | | event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | file.Ext | Object for all custom defined fields to live in. | object | | file.Ext.code_signature | Nested version of ECS code_signature fieldset. | nested | | file.Ext.code_signature.exists | Boolean to capture if a signature is present. | boolean | | file.Ext.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | file.Ext.code_signature.subject_name | Subject name of the code signer | keyword | | file.Ext.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | file.Ext.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | file.code_signature.exists | Boolean to capture if a signature is present. | boolean | | file.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. | keyword | | file.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | file.code_signature.subject_name | Subject name of the code signer | keyword | | file.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. | keyword | | file.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | file.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | file.hash.md5 | MD5 hash. | keyword | | file.hash.sha1 | SHA1 hash. | keyword | | file.hash.sha256 | SHA256 hash. | keyword | | file.hash.sha512 | SHA512 hash. | keyword | | file.name | Name of the file including the extension, without the directory. | keyword | | file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | | file.pe.company | Internal company name of the file, provided at compile-time. | keyword | | file.pe.description | Internal description of the file, provided at compile-time. | keyword | | file.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | file.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | file.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | file.pe.product | Internal product name of the file, provided at compile-time. | keyword | | group.Ext | Object for all custom defined fields to live in. | object | | group.Ext.real | Group info prior to any setgid operations. | object | | group.Ext.real.id | Unique identifier for the group on the system/platform. | keyword | | group.Ext.real.name | Name of the group. | keyword | | group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | group.id | Unique identifier for the group on the system/platform. | keyword | | group.name | Name of the group. | keyword | | host.architecture | Operating system architecture. | keyword | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | | host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | | host.os.Ext | Object for all custom defined fields to live in. | object | | host.os.Ext.variant | A string value or phrase that further aid to classify or qualify the operating system (OS). For example the distribution for a Linux OS will be entered in this field. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.full | Operating system name, including the version or code name. | keyword | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | host.uptime | Seconds the host has been up. | long | | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | process.Ext | Object for all custom defined fields to live in. | object | | process.Ext.ancestry | An array of entity_ids indicating the ancestors for this event | keyword | | process.Ext.code_signature | Nested version of ECS code_signature fieldset. | nested | | process.Ext.code_signature.exists | Boolean to capture if a signature is present. | boolean | | process.Ext.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | process.Ext.code_signature.subject_name | Subject name of the code signer | keyword | | process.Ext.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | process.Ext.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | process.code_signature.exists | Boolean to capture if a signature is present. | boolean | | process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. | keyword | | process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | process.code_signature.subject_name | Subject name of the code signer | keyword | | process.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. | keyword | | process.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | process.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.executable | Absolute path to the process executable. | keyword | | process.name | Process name. Sometimes called program name or similar. | keyword | | process.pid | Process id. | long | | process.thread.Ext | Object for all custom defined fields to live in. | object | | process.thread.Ext.call_stack | Fields describing a stack frame. call_stack is expected to be an array where each array element represents a stack frame. | object | | process.thread.Ext.call_stack.allocation_private_bytes | The number of bytes in this memory allocation/image that are both +X and non-shareable. Non-zero values can indicate code hooking, patching, or hollowing. | unsigned_long | | process.thread.Ext.call_stack.callsite_leading_bytes | Hex opcode bytes preceding the callsite | keyword | | process.thread.Ext.call_stack.callsite_trailing_bytes | Hex opcode bytes after the callsite (where control will return to) | keyword | | process.thread.Ext.call_stack.protection | Protection of the page containing this instruction. This is `R-X' by default if omitted. | keyword | | process.thread.Ext.call_stack.symbol_info | The nearest symbol for `instruction_pointer`. | keyword | | process.thread.Ext.call_stack_summary | Concatentation of the non-repeated modules in the call stack. | keyword | | process.thread.id | Thread ID. | long | | source.geo.city_name | City name. | keyword | | source.geo.continent_code | Two-letter code representing continent's name. | keyword | | source.geo.continent_name | Name of the continent. | keyword | | source.geo.country_iso_code | Country ISO code. | keyword | | source.geo.country_name | Country name. | keyword | | source.geo.location | Longitude and latitude. | geo_point | | source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | source.geo.region_iso_code | Region ISO code. | keyword | | source.geo.region_name | Region name. | keyword | | source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | user.Ext | Object for all custom defined fields to live in. | object | | user.Ext.real | User info prior to any setuid operations. | object | | user.Ext.real.id | One or multiple unique identifiers of the user. | keyword | | user.Ext.real.name | Short name or login of the user. | keyword | | user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | user.email | User email address. | keyword | | user.full_name | User's full name, if available. | keyword | | user.group.Ext | Object for all custom defined fields to live in. | object | | user.group.Ext.real | Group info prior to any setgid operations. | object | | user.group.Ext.real.id | Unique identifier for the group on the system/platform. | keyword | | user.group.Ext.real.name | Name of the group. | keyword | | user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | user.group.id | Unique identifier for the group on the system/platform. | keyword | | user.group.name | Name of the group. | keyword | | user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | user.id | Unique identifier of the user. | keyword | | user.name | Short name or login of the user. | keyword | ### network #### Exported fields | Field | Description | Type | |---|---|---| | @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword | | agent.version | Version of the agent. | keyword | | data_stream.dataset | Data stream dataset name. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | | destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | destination.as.organization.name | Organization name. | keyword | | destination.bytes | Bytes sent from the destination to the source. | long | | destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | | destination.geo.city_name | City name. | keyword | | destination.geo.continent_code | Two-letter code representing continent's name. | keyword | | destination.geo.continent_name | Name of the continent. | keyword | | destination.geo.country_iso_code | Country ISO code. | keyword | | destination.geo.country_name | Country name. | keyword | | destination.geo.location | Longitude and latitude. | geo_point | | destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | destination.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | destination.geo.region_iso_code | Region ISO code. | keyword | | destination.geo.region_name | Region name. | keyword | | destination.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | destination.ip | IP address of the destination (IPv4 or IPv6). | ip | | destination.packets | Packets sent from the destination to the source. | long | | destination.port | Port of the destination. | long | | destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | | destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | | dns.Ext | Object for all custom defined fields to live in. | object | | dns.Ext.options | DNS options field, uint64, representing as a keyword to avoid overflows in ES | keyword | | dns.Ext.status | DNS status field, uint32 | long | | dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | | dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | | dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | | dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | | dns.question.type | The type of record being queried. | keyword | | dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | | event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | | event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | | event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | | event.hash | Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. | keyword | | event.id | Unique ID to describe the event. | keyword | | event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. | date | | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | | event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | | event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | | event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | | event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | group.Ext | Object for all custom defined fields to live in. | object | | group.Ext.real | Group info prior to any setgid operations. | object | | group.Ext.real.id | Unique identifier for the group on the system/platform. | keyword | | group.Ext.real.name | Name of the group. | keyword | | group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | group.id | Unique identifier for the group on the system/platform. | keyword | | group.name | Name of the group. | keyword | | host.architecture | Operating system architecture. | keyword | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | | host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | | host.os.Ext | Object for all custom defined fields to live in. | object | | host.os.Ext.variant | A string value or phrase that further aid to classify or qualify the operating system (OS). For example the distribution for a Linux OS will be entered in this field. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.full | Operating system name, including the version or code name. | keyword | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | host.uptime | Seconds the host has been up. | long | | http.request.body.bytes | Size in bytes of the request body. | long | | http.request.body.content | The full HTTP request body. | wildcard | | http.request.bytes | Total size in bytes of the request (body and headers). | long | | http.response.Ext | Object for all custom defined fields to live in. | object | | http.response.Ext.version | HTTP version | keyword | | http.response.body.bytes | Size in bytes of the response body. | long | | http.response.body.content | The full HTTP response body. | wildcard | | http.response.bytes | Total size in bytes of the response (body and headers). | long | | http.response.status_code | HTTP response status code. | long | | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | | network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | | network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | | network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | | network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | | network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | | network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | | network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | | process.Ext | Object for all custom defined fields to live in. | object | | process.Ext.ancestry | An array of entity_ids indicating the ancestors for this event | keyword | | process.Ext.code_signature | Nested version of ECS code_signature fieldset. | nested | | process.Ext.code_signature.exists | Boolean to capture if a signature is present. | boolean | | process.Ext.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | process.Ext.code_signature.subject_name | Subject name of the code signer | keyword | | process.Ext.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | process.Ext.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | process.code_signature.exists | Boolean to capture if a signature is present. | boolean | | process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. | keyword | | process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | process.code_signature.subject_name | Subject name of the code signer | keyword | | process.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. | keyword | | process.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | process.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.entry_leader.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.entry_leader.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.executable | Absolute path to the process executable. | keyword | | process.group_leader.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.name | Process name. Sometimes called program name or similar. | keyword | | process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.parent.group_leader.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.pid | Process id. | long | | process.session_leader.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.thread.id | Thread ID. | long | | source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | | source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | source.as.organization.name | Organization name. | keyword | | source.bytes | Bytes sent from the source to the destination. | long | | source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | | source.geo.city_name | City name. | keyword | | source.geo.continent_code | Two-letter code representing continent's name. | keyword | | source.geo.continent_name | Name of the continent. | keyword | | source.geo.country_iso_code | Country ISO code. | keyword | | source.geo.country_name | Country name. | keyword | | source.geo.location | Longitude and latitude. | geo_point | | source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | source.geo.region_iso_code | Region ISO code. | keyword | | source.geo.region_name | Region name. | keyword | | source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | source.ip | IP address of the source (IPv4 or IPv6). | ip | | source.packets | Packets sent from the source to the destination. | long | | source.port | Port of the source. | long | | source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | | source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | | user.Ext | Object for all custom defined fields to live in. | object | | user.Ext.real | User info prior to any setuid operations. | object | | user.Ext.real.id | One or multiple unique identifiers of the user. | keyword | | user.Ext.real.name | Short name or login of the user. | keyword | | user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | user.email | User email address. | keyword | | user.full_name | User's full name, if available. | keyword | | user.group.Ext | Object for all custom defined fields to live in. | object | | user.group.Ext.real | Group info prior to any setgid operations. | object | | user.group.Ext.real.id | Unique identifier for the group on the system/platform. | keyword | | user.group.Ext.real.name | Name of the group. | keyword | | user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | user.group.id | Unique identifier for the group on the system/platform. | keyword | | user.group.name | Name of the group. | keyword | | user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | user.id | Unique identifier of the user. | keyword | | user.name | Short name or login of the user. | keyword | ### process #### Exported fields | Field | Description | Type | |---|---|---| | @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | agent.ephemeral_id | Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not. | keyword | | agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | agent.name | Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. | keyword | | agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword | | agent.version | Version of the agent. | keyword | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.instance.name | Instance name of the host machine. | keyword | | cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | cloud.region | Region in which this host, resource, or service is located. | keyword | | container.id | Unique container id. | keyword | | container.image.hash.all | An array of digests of the image the container was built on. Each digest consists of the hash algorithm and value in this format: `algorithm:value`. Algorithm names should align with the field names in the ECS hash field set. | keyword | | container.image.name | Name of the image the container was built on. | keyword | | container.image.tag | Container image tags. | keyword | | container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset name. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | destination.geo.city_name | City name. | keyword | | destination.geo.continent_code | Two-letter code representing continent's name. | keyword | | destination.geo.continent_name | Name of the continent. | keyword | | destination.geo.country_iso_code | Country ISO code. | keyword | | destination.geo.country_name | Country name. | keyword | | destination.geo.location | Longitude and latitude. | geo_point | | destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | destination.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | destination.geo.region_iso_code | Region ISO code. | keyword | | destination.geo.region_name | Region name. | keyword | | destination.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | | event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | | event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | | event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | | event.hash | Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. | keyword | | event.id | Unique ID to describe the event. | keyword | | event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. | date | | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | | event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | | event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | | event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | | event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | group.Ext | Object for all custom defined fields to live in. | object | | group.Ext.real | Group info prior to any setgid operations. | object | | group.Ext.real.id | Unique identifier for the group on the system/platform. | keyword | | group.Ext.real.name | Name of the group. | keyword | | group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | group.id | Unique identifier for the group on the system/platform. | keyword | | group.name | Name of the group. | keyword | | host.architecture | Operating system architecture. | keyword | | host.boot.id | Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note the boot_id value from /proc may or may not be the same in containers as on the host. Some container runtimes will bind mount a new boot_id value onto the proc file in each container. | keyword | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | | host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | | host.os.Ext | Object for all custom defined fields to live in. | object | | host.os.Ext.variant | A string value or phrase that further aid to classify or qualify the operating system (OS). For example the distribution for a Linux OS will be entered in this field. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.full | Operating system name, including the version or code name. | keyword | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.pid_ns_ino | This is the inode number of the namespace in the namespace file system (nsfs). Unsigned int inum in include/linux/ns_common.h. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | host.uptime | Seconds the host has been up. | long | | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | orchestrator.cluster.id | Unique ID of the cluster. | keyword | | orchestrator.cluster.name | Name of the cluster. | keyword | | orchestrator.namespace | Namespace in which the action is taking place. | keyword | | orchestrator.resource.ip | IP address assigned to the resource associated with the event being observed. In the case of a Kubernetes Pod, this array would contain only one element: the IP of the Pod (as opposed to the Node on which the Pod is running). | ip | | orchestrator.resource.name | Name of the resource being acted upon. | keyword | | orchestrator.resource.parent.type | Type or kind of the parent resource associated with the event being observed. In Kubernetes, this will be the name of a built-in workload resource (e.g., Deployment, StatefulSet, DaemonSet). | keyword | | orchestrator.resource.type | Type of resource being acted upon. | keyword | | package.name | Package name | keyword | | process.Ext | Object for all custom defined fields to live in. | object | | process.Ext.ancestry | An array of entity_ids indicating the ancestors for this event | keyword | | process.Ext.architecture | Process architecture. It can differ from host architecture. | keyword | | process.Ext.authentication_id | Process authentication ID | keyword | | process.Ext.code_signature | Nested version of ECS code_signature fieldset. | nested | | process.Ext.code_signature.exists | Boolean to capture if a signature is present. | boolean | | process.Ext.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | process.Ext.code_signature.subject_name | Subject name of the code signer | keyword | | process.Ext.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | process.Ext.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | process.Ext.defense_evasions | List of defense evasions found in this process. These defense evasions can make it harder to inspect a process and/or cause abnormal OS behavior. Examples tools that can cause defense evasions include Process Doppelganging and Process Herpaderping. | keyword | | process.Ext.device.bus_type | Bus type of the device, such as Nvme, Usb, FileBackedVirtual,... etc. | keyword | | process.Ext.device.dos_name | DOS name of the device. DOS device name is in the format of driver letters such as C:, D:,... | keyword | | process.Ext.device.file_system_type | Volume device file system type. Following are examples of the most frequently seen volume device file system types: NTFS UDF | keyword | | process.Ext.device.nt_name | NT name of the device. NT device name is in the format such as: \Device\HarddiskVolume2 | keyword | | process.Ext.device.product_id | ProductID of the device. It is provided by the vendor of the device if any. | keyword | | process.Ext.device.serial_number | Serial Number of the device. It is provided by the vendor of the device if any. | keyword | | process.Ext.device.vendor_id | VendorID of the device. It is provided by the vendor of the device. | keyword | | process.Ext.device.volume_device_type | Volume device type. Following are examples of the most frequently seen volume device types: Disk File System CD-ROM File System | keyword | | process.Ext.dll.Ext | Object for all custom defined fields to live in. | object | | process.Ext.dll.Ext.mapped_address | The base address where this module is loaded. | unsigned_long | | process.Ext.dll.Ext.mapped_size | The size of this module's memory mapping, in bytes. | unsigned_long | | process.Ext.dll.name | Name of the library. This generally maps to the name of the file on disk. | keyword | | process.Ext.dll.path | Full file path of the library. | keyword | | process.Ext.effective_parent.entity_id | Unique identifier for the effective process. | keyword | | process.Ext.effective_parent.executable | Executable name for the effective process. | keyword | | process.Ext.effective_parent.name | Process name for the effective process. | keyword | | process.Ext.effective_parent.pid | Process ID. | long | | process.Ext.mitigation_policies | Process mitigation policies include SignaturePolicy, DynamicCodePolicy, UserShadowStackPolicy, ControlFlowGuardPolicy, etc. Examples include Microsoft only, CF Guard, User Shadow Stack enabled | keyword | | process.Ext.protection | Indicates the protection level of this process. Uses the same syntax as Process Explorer. Examples include PsProtectedSignerWinTcb, PsProtectedSignerWinTcb-Light, and PsProtectedSignerWindows-Light. | keyword | | process.Ext.relative_file_creation_time | Number of seconds since the process's file was created. This number may be negative if the file's timestamp is in the future. | double | | process.Ext.relative_file_name_modify_time | Number of seconds since the process's name was modified. This information can come from the NTFS MFT. This number may be negative if the file's timestamp is in the future. | double | | process.Ext.session | Session information for the current process | keyword | | process.Ext.session_info.authentication_package | Name of authentication package used to log on, such as NTLM, Kerberos, or CloudAP | keyword | | process.Ext.session_info.client_address | Client's IPv4 or IPv6 address as a string, if available. | keyword | | process.Ext.session_info.id | Session ID | unsigned_long | | process.Ext.session_info.logon_type | Session logon type. Examples include Interactive, Network, and Service. | keyword | | process.Ext.session_info.relative_logon_time | Process creation time, relative to logon time, in seconds. | double | | process.Ext.session_info.relative_password_age | Process creation time, relative to the last time the password was changed, in seconds. | double | | process.Ext.session_info.user_flags | List of user flags associated with this logon session. Examples include LOGON_NTLMV2_ENABLED and LOGON_WINLOGON. | keyword | | process.Ext.token.elevation | Whether the token is elevated or not | boolean | | process.Ext.token.elevation_level | What level of elevation the token has | keyword | | process.Ext.token.elevation_type | What level of elevation the token has | keyword | | process.Ext.token.integrity_level_name | Human readable integrity level. | keyword | | process.Ext.token.security_attributes | Array of security attributes of the token, retrieved via the TokenSecurityAttributes class. | keyword | | process.Ext.trusted | Whether or not the process is a trusted application | boolean | | process.Ext.trusted_descendant | Whether or not the process is a descendent of a trusted application | boolean | | process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | | process.code_signature.exists | Boolean to capture if a signature is present. | boolean | | process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. | keyword | | process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | process.code_signature.subject_name | Subject name of the code signer | keyword | | process.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. | keyword | | process.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | process.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | | process.end | The time the process ended. | date | | process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.entry_leader.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | process.entry_leader.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | | process.entry_leader.attested_groups.name | Name of the group. | keyword | | process.entry_leader.attested_user.id | Unique identifier of the user. | keyword | | process.entry_leader.attested_user.name | Short name or login of the user. | keyword | | process.entry_leader.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | | process.entry_leader.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.entry_leader.entry_meta.source.ip | IP address of the source (IPv4 or IPv6). | ip | | process.entry_leader.entry_meta.type | The entry type for the entry session leader. Values include: init(e.g systemd), sshd, ssm, kubelet, teleport, terminal, console Note: This field is only set on process.session_leader. | keyword | | process.entry_leader.executable | Absolute path to the process executable. | keyword | | process.entry_leader.group.id | Unique identifier for the group on the system/platform. | keyword | | process.entry_leader.group.name | Name of the group. | keyword | | process.entry_leader.interactive | Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. | boolean | | process.entry_leader.name | Process name. Sometimes called program name or similar. | keyword | | process.entry_leader.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.entry_leader.parent.pid | Process id. | long | | process.entry_leader.parent.session_leader.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.entry_leader.parent.session_leader.pid | Process id. | long | | process.entry_leader.parent.session_leader.start | The time the process started. | date | | process.entry_leader.parent.start | The time the process started. | date | | process.entry_leader.pid | Process id. | long | | process.entry_leader.real_group.id | Unique identifier for the group on the system/platform. | keyword | | process.entry_leader.real_group.name | Name of the group. | keyword | | process.entry_leader.real_user.id | Unique identifier of the user. | keyword | | process.entry_leader.real_user.name | Short name or login of the user. | keyword | | process.entry_leader.same_as_process | This boolean is used to identify if a leader process is the same as the top level process. For example, if `process.group_leader.same_as_process = true`, it means the process event in question is the leader of its process group. Details under `process.*` like `pid` would be the same under `process.group_leader.*` The same applies for both `process.session_leader` and `process.entry_leader`. This field exists to the benefit of EQL and other rule engines since it's not possible to compare equality between two fields in a single document. e.g `process.entity_id` = `process.group_leader.entity_id` (top level process is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is the entry session leader) Instead these rules could be written like: `process.group_leader.same_as_process: true` OR `process.entry_leader.same_as_process: true` Note: This field is only set on `process.entry_leader`, `process.session_leader` and `process.group_leader`. | boolean | | process.entry_leader.saved_group.id | Unique identifier for the group on the system/platform. | keyword | | process.entry_leader.saved_group.name | Name of the group. | keyword | | process.entry_leader.saved_user.id | Unique identifier of the user. | keyword | | process.entry_leader.saved_user.name | Short name or login of the user. | keyword | | process.entry_leader.start | The time the process started. | date | | process.entry_leader.supplemental_groups.id | Unique identifier for the group on the system/platform. | keyword | | process.entry_leader.supplemental_groups.name | Name of the group. | keyword | | process.entry_leader.tty | Information about the controlling TTY device. If set, the process belongs to an interactive session. | object | | process.entry_leader.tty.char_device.major | The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. | long | | process.entry_leader.tty.char_device.minor | The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them. | long | | process.entry_leader.user.id | Unique identifier of the user. | keyword | | process.entry_leader.user.name | Short name or login of the user. | keyword | | process.entry_leader.working_directory | The working directory of the process. | keyword | | process.env_vars | Array of environment variable bindings. Captured from a snapshot of the environment at the time of execution. May be filtered to protect sensitive information. | keyword | | process.executable | Absolute path to the process executable. | keyword | | process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | | process.group.id | Unique identifier for the group on the system/platform. | keyword | | process.group.name | Name of the group. | keyword | | process.group_leader.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | process.group_leader.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | | process.group_leader.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | | process.group_leader.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.group_leader.executable | Absolute path to the process executable. | keyword | | process.group_leader.group.id | Unique identifier for the group on the system/platform. | keyword | | process.group_leader.group.name | Name of the group. | keyword | | process.group_leader.interactive | Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. | boolean | | process.group_leader.name | Process name. Sometimes called program name or similar. | keyword | | process.group_leader.pid | Process id. | long | | process.group_leader.real_group.id | Unique identifier for the group on the system/platform. | keyword | | process.group_leader.real_group.name | Name of the group. | keyword | | process.group_leader.real_user.id | Unique identifier of the user. | keyword | | process.group_leader.real_user.name | Short name or login of the user. | keyword | | process.group_leader.same_as_process | This boolean is used to identify if a leader process is the same as the top level process. For example, if `process.group_leader.same_as_process = true`, it means the process event in question is the leader of its process group. Details under `process.*` like `pid` would be the same under `process.group_leader.*` The same applies for both `process.session_leader` and `process.entry_leader`. This field exists to the benefit of EQL and other rule engines since it's not possible to compare equality between two fields in a single document. e.g `process.entity_id` = `process.group_leader.entity_id` (top level process is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is the entry session leader) Instead these rules could be written like: `process.group_leader.same_as_process: true` OR `process.entry_leader.same_as_process: true` Note: This field is only set on `process.entry_leader`, `process.session_leader` and `process.group_leader`. | boolean | | process.group_leader.saved_group.id | Unique identifier for the group on the system/platform. | keyword | | process.group_leader.saved_group.name | Name of the group. | keyword | | process.group_leader.saved_user.id | Unique identifier of the user. | keyword | | process.group_leader.saved_user.name | Short name or login of the user. | keyword | | process.group_leader.start | The time the process started. | date | | process.group_leader.supplemental_groups.id | Unique identifier for the group on the system/platform. | keyword | | process.group_leader.supplemental_groups.name | Name of the group. | keyword | | process.group_leader.tty | Information about the controlling TTY device. If set, the process belongs to an interactive session. | object | | process.group_leader.tty.char_device.major | The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. | long | | process.group_leader.tty.char_device.minor | The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them. | long | | process.group_leader.user.id | Unique identifier of the user. | keyword | | process.group_leader.user.name | Short name or login of the user. | keyword | | process.group_leader.working_directory | The working directory of the process. | keyword | | process.hash.md5 | MD5 hash. | keyword | | process.hash.sha1 | SHA1 hash. | keyword | | process.hash.sha256 | SHA256 hash. | keyword | | process.hash.sha512 | SHA512 hash. | keyword | | process.interactive | Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. | boolean | | process.io | A chunk of input or output (IO) from a single process. This field only appears on the top level process object, which is the process that wrote the output or read the input. | object | | process.io.max_bytes_per_process_exceeded | If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting. | boolean | | process.io.text | A chunk of output or input sanitized to UTF-8. Best efforts are made to ensure complete lines are captured in these events. Assumptions should NOT be made that multiple lines will appear in the same event. TTY output may contain terminal control codes such as for cursor movement, so some string queries may not match due to terminal codes inserted between characters of a word. | wildcard | | process.io.total_bytes_captured | The total number of bytes captured in this event. | long | | process.io.total_bytes_skipped | The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero | long | | process.name | Process name. Sometimes called program name or similar. | keyword | | process.parent.Ext | Object for all custom defined fields to live in. | object | | process.parent.Ext.architecture | Process architecture. It can differ from host architecture. | keyword | | process.parent.Ext.code_signature | Nested version of ECS code_signature fieldset. | nested | | process.parent.Ext.code_signature.exists | Boolean to capture if a signature is present. | boolean | | process.parent.Ext.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | process.parent.Ext.code_signature.subject_name | Subject name of the code signer | keyword | | process.parent.Ext.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | process.parent.Ext.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | process.parent.Ext.protection | Indicates the protection level of this process. Uses the same syntax as Process Explorer. Examples include PsProtectedSignerWinTcb, PsProtectedSignerWinTcb-Light, and PsProtectedSignerWindows-Light. | keyword | | process.parent.Ext.real | The field set containing process info in case of any pid spoofing. This is mainly useful for process.parent. | object | | process.parent.Ext.real.pid | For process.parent this will be the ppid of the process that actually spawned the current process. | long | | process.parent.Ext.user | User associated with the running process. | keyword | | process.parent.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | process.parent.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | | process.parent.code_signature.exists | Boolean to capture if a signature is present. | boolean | | process.parent.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. | keyword | | process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | process.parent.code_signature.subject_name | Subject name of the code signer | keyword | | process.parent.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. | keyword | | process.parent.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | process.parent.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | | process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.parent.executable | Absolute path to the process executable. | keyword | | process.parent.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | | process.parent.group.id | Unique identifier for the group on the system/platform. | keyword | | process.parent.group.name | Name of the group. | keyword | | process.parent.group_leader.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.parent.group_leader.pid | Process id. | long | | process.parent.group_leader.start | The time the process started. | date | | process.parent.hash.md5 | MD5 hash. | keyword | | process.parent.hash.sha1 | SHA1 hash. | keyword | | process.parent.hash.sha256 | SHA256 hash. | keyword | | process.parent.hash.sha512 | SHA512 hash. | keyword | | process.parent.interactive | Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. | boolean | | process.parent.name | Process name. Sometimes called program name or similar. | keyword | | process.parent.pe.company | Internal company name of the file, provided at compile-time. | keyword | | process.parent.pe.description | Internal description of the file, provided at compile-time. | keyword | | process.parent.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | process.parent.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | process.parent.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | process.parent.pe.product | Internal product name of the file, provided at compile-time. | keyword | | process.parent.pgid | Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. Identifier of the group of processes the process belongs to. | long | | process.parent.pid | Process id. | long | | process.parent.ppid | Parent process' pid. | long | | process.parent.real_group.id | Unique identifier for the group on the system/platform. | keyword | | process.parent.real_group.name | Name of the group. | keyword | | process.parent.real_user.id | Unique identifier of the user. | keyword | | process.parent.real_user.name | Short name or login of the user. | keyword | | process.parent.saved_group.id | Unique identifier for the group on the system/platform. | keyword | | process.parent.saved_group.name | Name of the group. | keyword | | process.parent.saved_user.id | Unique identifier of the user. | keyword | | process.parent.saved_user.name | Short name or login of the user. | keyword | | process.parent.start | The time the process started. | date | | process.parent.supplemental_groups.id | Unique identifier for the group on the system/platform. | keyword | | process.parent.supplemental_groups.name | Name of the group. | keyword | | process.parent.thread.Ext | Object for all custom defined fields to live in. | object | | process.parent.thread.Ext.call_stack | Fields describing a stack frame. call_stack is expected to be an array where each array element represents a stack frame. | object | | process.parent.thread.Ext.call_stack.allocation_private_bytes | The number of bytes in this memory allocation/image that are both +X and non-shareable. Non-zero values can indicate code hooking, patching, or hollowing. | unsigned_long | | process.parent.thread.Ext.call_stack.callsite_leading_bytes | Hex opcode bytes preceding the callsite | keyword | | process.parent.thread.Ext.call_stack.callsite_trailing_bytes | Hex opcode bytes after the callsite (where control will return to) | keyword | | process.parent.thread.Ext.call_stack.protection | Protection of the page containing this instruction. This is `R-X' by default if omitted. | keyword | | process.parent.thread.Ext.call_stack.symbol_info | The nearest symbol for `instruction_pointer`. | keyword | | process.parent.thread.Ext.call_stack_contains_unbacked | Indicates whether the creating thread's stack contains frames pointing outside any known executable image. | boolean | | process.parent.thread.Ext.call_stack_summary | Concatentation of the non-repeated modules in the call stack. | keyword | | process.parent.thread.id | Thread ID. | long | | process.parent.thread.name | Thread name. | keyword | | process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | | process.parent.tty | Information about the controlling TTY device. If set, the process belongs to an interactive session. | object | | process.parent.tty.char_device.major | The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. | long | | process.parent.tty.char_device.minor | The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them. | long | | process.parent.uptime | Seconds the process has been up. | long | | process.parent.user.id | Unique identifier of the user. | keyword | | process.parent.user.name | Short name or login of the user. | keyword | | process.parent.working_directory | The working directory of the process. | keyword | | process.pe.company | Internal company name of the file, provided at compile-time. | keyword | | process.pe.description | Internal description of the file, provided at compile-time. | keyword | | process.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | process.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | process.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | process.pe.product | Internal product name of the file, provided at compile-time. | keyword | | process.pgid | Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. Identifier of the group of processes the process belongs to. | long | | process.pid | Process id. | long | | process.ppid | Parent process' pid. | long | | process.previous.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | process.previous.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | | process.previous.executable | Absolute path to the process executable. | keyword | | process.real_group.id | Unique identifier for the group on the system/platform. | keyword | | process.real_group.name | Name of the group. | keyword | | process.real_user.id | Unique identifier of the user. | keyword | | process.real_user.name | Short name or login of the user. | keyword | | process.saved_group.id | Unique identifier for the group on the system/platform. | keyword | | process.saved_group.name | Name of the group. | keyword | | process.saved_user.id | Unique identifier of the user. | keyword | | process.saved_user.name | Short name or login of the user. | keyword | | process.session_leader.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | process.session_leader.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | | process.session_leader.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | | process.session_leader.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.session_leader.executable | Absolute path to the process executable. | keyword | | process.session_leader.group.id | Unique identifier for the group on the system/platform. | keyword | | process.session_leader.group.name | Name of the group. | keyword | | process.session_leader.interactive | Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. | boolean | | process.session_leader.name | Process name. Sometimes called program name or similar. | keyword | | process.session_leader.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.session_leader.parent.pid | Process id. | long | | process.session_leader.parent.session_leader.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.session_leader.parent.session_leader.pid | Process id. | long | | process.session_leader.parent.session_leader.start | The time the process started. | date | | process.session_leader.parent.start | The time the process started. | date | | process.session_leader.pid | Process id. | long | | process.session_leader.real_group.id | Unique identifier for the group on the system/platform. | keyword | | process.session_leader.real_group.name | Name of the group. | keyword | | process.session_leader.real_user.id | Unique identifier of the user. | keyword | | process.session_leader.real_user.name | Short name or login of the user. | keyword | | process.session_leader.same_as_process | This boolean is used to identify if a leader process is the same as the top level process. For example, if `process.group_leader.same_as_process = true`, it means the process event in question is the leader of its process group. Details under `process.*` like `pid` would be the same under `process.group_leader.*` The same applies for both `process.session_leader` and `process.entry_leader`. This field exists to the benefit of EQL and other rule engines since it's not possible to compare equality between two fields in a single document. e.g `process.entity_id` = `process.group_leader.entity_id` (top level process is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is the entry session leader) Instead these rules could be written like: `process.group_leader.same_as_process: true` OR `process.entry_leader.same_as_process: true` Note: This field is only set on `process.entry_leader`, `process.session_leader` and `process.group_leader`. | boolean | | process.session_leader.saved_group.id | Unique identifier for the group on the system/platform. | keyword | | process.session_leader.saved_group.name | Name of the group. | keyword | | process.session_leader.saved_user.id | Unique identifier of the user. | keyword | | process.session_leader.saved_user.name | Short name or login of the user. | keyword | | process.session_leader.start | The time the process started. | date | | process.session_leader.supplemental_groups.id | Unique identifier for the group on the system/platform. | keyword | | process.session_leader.supplemental_groups.name | Name of the group. | keyword | | process.session_leader.tty | Information about the controlling TTY device. If set, the process belongs to an interactive session. | object | | process.session_leader.tty.char_device.major | The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. | long | | process.session_leader.tty.char_device.minor | The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them. | long | | process.session_leader.user.id | Unique identifier of the user. | keyword | | process.session_leader.user.name | Short name or login of the user. | keyword | | process.session_leader.working_directory | The working directory of the process. | keyword | | process.start | The time the process started. | date | | process.supplemental_groups.id | Unique identifier for the group on the system/platform. | keyword | | process.supplemental_groups.name | Name of the group. | keyword | | process.thread.id | Thread ID. | long | | process.thread.name | Thread name. | keyword | | process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | | process.tty | Information about the controlling TTY device. If set, the process belongs to an interactive session. | object | | process.tty.char_device.major | The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. | long | | process.tty.char_device.minor | The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them. | long | | process.tty.columns | The number of character columns per line. e.g terminal width Terminal sizes can change, so this value reflects the maximum value for a given IO event. i.e. where event.action = 'text_output' | long | | process.tty.rows | The number of character rows in the terminal. e.g terminal height Terminal sizes can change, so this value reflects the maximum value for a given IO event. i.e. where event.action = 'text_output' | long | | process.uptime | Seconds the process has been up. | long | | process.user.id | Unique identifier of the user. | keyword | | process.user.name | Short name or login of the user. | keyword | | process.working_directory | The working directory of the process. | keyword | | source.geo.city_name | City name. | keyword | | source.geo.continent_code | Two-letter code representing continent's name. | keyword | | source.geo.continent_name | Name of the continent. | keyword | | source.geo.country_iso_code | Country ISO code. | keyword | | source.geo.country_name | Country name. | keyword | | source.geo.location | Longitude and latitude. | geo_point | | source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | source.geo.region_iso_code | Region ISO code. | keyword | | source.geo.region_name | Region name. | keyword | | source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | user.Ext | Object for all custom defined fields to live in. | object | | user.Ext.real | User info prior to any setuid operations. | object | | user.Ext.real.id | One or multiple unique identifiers of the user. | keyword | | user.Ext.real.name | Short name or login of the user. | keyword | | user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | user.email | User email address. | keyword | | user.full_name | User's full name, if available. | keyword | | user.group.Ext | Object for all custom defined fields to live in. | object | | user.group.Ext.real | Group info prior to any setgid operations. | object | | user.group.Ext.real.id | Unique identifier for the group on the system/platform. | keyword | | user.group.Ext.real.name | Name of the group. | keyword | | user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | user.group.id | Unique identifier for the group on the system/platform. | keyword | | user.group.name | Name of the group. | keyword | | user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | user.id | Unique identifier of the user. | keyword | | user.name | Short name or login of the user. | keyword | ### registry #### Exported fields | Field | Description | Type | |---|---|---| | @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | Effective_process.entity_id | Unique identifier for the effective process. | keyword | | Effective_process.executable | Executable name for the effective process. | keyword | | Effective_process.name | Process name for the effective process. | keyword | | Effective_process.pid | Process ID. | long | | agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword | | agent.version | Version of the agent. | keyword | | data_stream.dataset | Data stream dataset name. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | destination.geo.city_name | City name. | keyword | | destination.geo.continent_code | Two-letter code representing continent's name. | keyword | | destination.geo.continent_name | Name of the continent. | keyword | | destination.geo.country_iso_code | Country ISO code. | keyword | | destination.geo.country_name | Country name. | keyword | | destination.geo.location | Longitude and latitude. | geo_point | | destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | destination.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | destination.geo.region_iso_code | Region ISO code. | keyword | | destination.geo.region_name | Region name. | keyword | | destination.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | | event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | | event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | | event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | | event.hash | Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. | keyword | | event.id | Unique ID to describe the event. | keyword | | event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. | date | | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | | event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | | event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | | event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | | event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | group.Ext | Object for all custom defined fields to live in. | object | | group.Ext.real | Group info prior to any setgid operations. | object | | group.Ext.real.id | Unique identifier for the group on the system/platform. | keyword | | group.Ext.real.name | Name of the group. | keyword | | group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | group.id | Unique identifier for the group on the system/platform. | keyword | | group.name | Name of the group. | keyword | | host.architecture | Operating system architecture. | keyword | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | | host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | | host.os.Ext | Object for all custom defined fields to live in. | object | | host.os.Ext.variant | A string value or phrase that further aid to classify or qualify the operating system (OS). For example the distribution for a Linux OS will be entered in this field. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.full | Operating system name, including the version or code name. | keyword | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | host.uptime | Seconds the host has been up. | long | | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | process.Ext | Object for all custom defined fields to live in. | object | | process.Ext.ancestry | An array of entity_ids indicating the ancestors for this event | keyword | | process.Ext.code_signature | Nested version of ECS code_signature fieldset. | nested | | process.Ext.code_signature.exists | Boolean to capture if a signature is present. | boolean | | process.Ext.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | process.Ext.code_signature.subject_name | Subject name of the code signer | keyword | | process.Ext.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | process.Ext.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | process.code_signature.exists | Boolean to capture if a signature is present. | boolean | | process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. | keyword | | process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | process.code_signature.subject_name | Subject name of the code signer | keyword | | process.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. | keyword | | process.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | process.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.executable | Absolute path to the process executable. | keyword | | process.name | Process name. Sometimes called program name or similar. | keyword | | process.pid | Process id. | long | | process.thread.Ext | Object for all custom defined fields to live in. | object | | process.thread.Ext.call_stack | Fields describing a stack frame. call_stack is expected to be an array where each array element represents a stack frame. | object | | process.thread.Ext.call_stack.allocation_private_bytes | The number of bytes in this memory allocation/image that are both +X and non-shareable. Non-zero values can indicate code hooking, patching, or hollowing. | unsigned_long | | process.thread.Ext.call_stack.callsite_leading_bytes | Hex opcode bytes preceding the callsite | keyword | | process.thread.Ext.call_stack.callsite_trailing_bytes | Hex opcode bytes after the callsite (where control will return to) | keyword | | process.thread.Ext.call_stack.protection | Protection of the page containing this instruction. This is `R-X' by default if omitted. | keyword | | process.thread.Ext.call_stack.symbol_info | The nearest symbol for `instruction_pointer`. | keyword | | process.thread.Ext.call_stack_summary | Concatentation of the non-repeated modules in the call stack. | keyword | | process.thread.id | Thread ID. | long | | registry.data.bytes | Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. | keyword | | registry.data.strings | Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). | wildcard | | registry.data.type | Standard registry type for encoding contents | keyword | | registry.hive | Abbreviated name for the hive. | keyword | | registry.key | Hive-relative path of keys. | keyword | | registry.path | Full path, including hive, key and value | keyword | | registry.value | Name of the value written. | keyword | | source.geo.city_name | City name. | keyword | | source.geo.continent_code | Two-letter code representing continent's name. | keyword | | source.geo.continent_name | Name of the continent. | keyword | | source.geo.country_iso_code | Country ISO code. | keyword | | source.geo.country_name | Country name. | keyword | | source.geo.location | Longitude and latitude. | geo_point | | source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | source.geo.region_iso_code | Region ISO code. | keyword | | source.geo.region_name | Region name. | keyword | | source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | user.Ext | Object for all custom defined fields to live in. | object | | user.Ext.real | User info prior to any setuid operations. | object | | user.Ext.real.id | One or multiple unique identifiers of the user. | keyword | | user.Ext.real.name | Short name or login of the user. | keyword | | user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | user.email | User email address. | keyword | | user.full_name | User's full name, if available. | keyword | | user.group.Ext | Object for all custom defined fields to live in. | object | | user.group.Ext.real | Group info prior to any setgid operations. | object | | user.group.Ext.real.id | Unique identifier for the group on the system/platform. | keyword | | user.group.Ext.real.name | Name of the group. | keyword | | user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | user.group.id | Unique identifier for the group on the system/platform. | keyword | | user.group.name | Name of the group. | keyword | | user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | user.id | Unique identifier of the user. | keyword | | user.name | Short name or login of the user. | keyword | ### security #### Exported fields | Field | Description | Type | |---|---|---| | @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword | | agent.version | Version of the agent. | keyword | | data_stream.dataset | Data stream dataset name. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | destination.geo.city_name | City name. | keyword | | destination.geo.continent_code | Two-letter code representing continent's name. | keyword | | destination.geo.continent_name | Name of the continent. | keyword | | destination.geo.country_iso_code | Country ISO code. | keyword | | destination.geo.country_name | Country name. | keyword | | destination.geo.location | Longitude and latitude. | geo_point | | destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | destination.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | destination.geo.region_iso_code | Region ISO code. | keyword | | destination.geo.region_name | Region name. | keyword | | destination.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | | event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | | event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | | event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | | event.hash | Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. | keyword | | event.id | Unique ID to describe the event. | keyword | | event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. | date | | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | | event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | | event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | | event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | | event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | group.Ext | Object for all custom defined fields to live in. | object | | group.Ext.real | Group info prior to any setgid operations. | object | | group.Ext.real.id | Unique identifier for the group on the system/platform. | keyword | | group.Ext.real.name | Name of the group. | keyword | | group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | group.id | Unique identifier for the group on the system/platform. | keyword | | group.name | Name of the group. | keyword | | host.architecture | Operating system architecture. | keyword | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | | host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | | host.os.Ext | Object for all custom defined fields to live in. | object | | host.os.Ext.variant | A string value or phrase that further aid to classify or qualify the operating system (OS). For example the distribution for a Linux OS will be entered in this field. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.full | Operating system name, including the version or code name. | keyword | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | host.uptime | Seconds the host has been up. | long | | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | process.Ext | Object for all custom defined fields to live in. | object | | process.Ext.ancestry | An array of entity_ids indicating the ancestors for this event | keyword | | process.Ext.code_signature | Nested version of ECS code_signature fieldset. | nested | | process.Ext.code_signature.exists | Boolean to capture if a signature is present. | boolean | | process.Ext.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | process.Ext.code_signature.subject_name | Subject name of the code signer | keyword | | process.Ext.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | process.Ext.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | process.code_signature.exists | Boolean to capture if a signature is present. | boolean | | process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. | keyword | | process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | process.code_signature.subject_name | Subject name of the code signer | keyword | | process.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. | keyword | | process.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | process.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.executable | Absolute path to the process executable. | keyword | | process.name | Process name. Sometimes called program name or similar. | keyword | | process.pid | Process id. | long | | process.thread.id | Thread ID. | long | | source.geo.city_name | City name. | keyword | | source.geo.continent_code | Two-letter code representing continent's name. | keyword | | source.geo.continent_name | Name of the continent. | keyword | | source.geo.country_iso_code | Country ISO code. | keyword | | source.geo.country_name | Country name. | keyword | | source.geo.location | Longitude and latitude. | geo_point | | source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | source.geo.region_iso_code | Region ISO code. | keyword | | source.geo.region_name | Region name. | keyword | | source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | user.Ext | Object for all custom defined fields to live in. | object | | user.Ext.real | User info prior to any setuid operations. | object | | user.Ext.real.id | One or multiple unique identifiers of the user. | keyword | | user.Ext.real.name | Short name or login of the user. | keyword | | user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | user.email | User email address. | keyword | | user.full_name | User's full name, if available. | keyword | | user.group.Ext | Object for all custom defined fields to live in. | object | | user.group.Ext.real | Group info prior to any setgid operations. | object | | user.group.Ext.real.id | Unique identifier for the group on the system/platform. | keyword | | user.group.Ext.real.name | Name of the group. | keyword | | user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | user.group.id | Unique identifier for the group on the system/platform. | keyword | | user.group.name | Name of the group. | keyword | | user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | user.id | Unique identifier of the user. | keyword | | user.name | Short name or login of the user. | keyword | ## Metrics The metrics type of documents are stored in `metrics-endpoint.*` indices. The following sections define the mapped fields sent by the endpoint. ### metadata #### Exported fields | Field | Description | Type | |---|---|---| | @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | Endpoint.capabilities | Enabled capabilities | keyword | | Endpoint.configuration | Configuration fields represent the intended and applied setting for fields not part of a Policy setting This reflects what a given field is configured to do. The actual state of that same field is found in Endpoint.state | object | | Endpoint.configuration.isolation | Configuration setting for Host Isolation from the network | boolean | | Endpoint.policy | The policy fields are used to hold information about applied policy. | object | | Endpoint.policy.applied | information about the policy that is applied | object | | Endpoint.policy.applied.id | the id of the applied policy | keyword | | Endpoint.policy.applied.name | the name of this applied policy | keyword | | Endpoint.policy.applied.status | the status of the applied policy | keyword | | Endpoint.state | Represents the current state of a non-policy setting These fields reflect the current status of a field, which may differ from what it is configured to be (see Endpoint.configuration) | object | | Endpoint.state.isolation | Current network isolation state of the host | boolean | | Endpoint.status | The current status of the endpoint e.g. enrolled, unenrolled. | keyword | | agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | agent.name | Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. | keyword | | agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword | | agent.version | Version of the agent. | keyword | | data_stream.dataset | Data stream dataset name. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | elastic.agent | The agent fields contain data about the Elastic Agent. The Elastic Agent is the management agent that manages other agents or process on the host. | object | | elastic.agent.id | Unique identifier of this elastic agent (if one exists). | keyword | | event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | | event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | | event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | | event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | | event.hash | Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. | keyword | | event.id | Unique ID to describe the event. | keyword | | event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. | date | | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | | event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | | event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | | event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | | event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | host.architecture | Operating system architecture. | keyword | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | | host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | | host.os.Ext | Object for all custom defined fields to live in. | object | | host.os.Ext.variant | A string value or phrase that further aid to classify or qualify the operating system (OS). For example the distribution for a Linux OS will be entered in this field. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.full | Operating system name, including the version or code name. | keyword | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | host.uptime | Seconds the host has been up. | long | ### metrics Metrics documents contain performance information about the endpoint executable and the host it is running on. #### Exported fields | Field | Description | Type | |---|---|---| | @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | Endpoint.metrics | Metrics fields hold the endpoint and system's performance metrics | object | | Endpoint.metrics.cpu | CPU statistics | object | | Endpoint.metrics.cpu.endpoint | CPU metrics for the endpoint | object | | Endpoint.metrics.cpu.endpoint.histogram | This field defines an elasticsearch histogram field (https://www.elastic.co/guide/en/elasticsearch/reference/current/histogram.html#histogram) The values field includes 20 buckets (each bucket is 5%) representing the cpu usage The counts field includes 20 buckets of how many times the endpoint's cpu usage fell into each bucket | histogram | | Endpoint.metrics.cpu.endpoint.latest | Average CPU over the last sample interval | half_float | | Endpoint.metrics.cpu.endpoint.mean | Average CPU load used by the endpoint | half_float | | Endpoint.metrics.documents_volume | Statistics about sent documents | object | | Endpoint.metrics.documents_volume.alerts.sent_bytes | Total size of sent documents | long | | Endpoint.metrics.documents_volume.alerts.sent_count | Number of sent documents | long | | Endpoint.metrics.documents_volume.alerts.suppressed_bytes | Total size of suppressed documents | long | | Endpoint.metrics.documents_volume.alerts.suppressed_count | Number of suppressed documents | long | | Endpoint.metrics.documents_volume.api_events.sent_bytes | Total size of API Event sent documents | long | | Endpoint.metrics.documents_volume.api_events.sent_count | Number of sent API Event documents | long | | Endpoint.metrics.documents_volume.api_events.sources | An array of API Event document statistics per source | object | | Endpoint.metrics.documents_volume.api_events.sources.sent_bytes | Total size of API Event sent documents from source | long | | Endpoint.metrics.documents_volume.api_events.sources.sent_count | Number of sent API Event documents from source | long | | Endpoint.metrics.documents_volume.api_events.sources.source | API Event document source name | keyword | | Endpoint.metrics.documents_volume.api_events.sources.suppressed_bytes | Total size of suppressed API Event documents from source | long | | Endpoint.metrics.documents_volume.api_events.sources.suppressed_count | Number of suppressed API Event documents from source | long | | Endpoint.metrics.documents_volume.api_events.suppressed_bytes | Total size of suppressed API Event documents | long | | Endpoint.metrics.documents_volume.api_events.suppressed_count | Number of suppressed API Event documents | long | | Endpoint.metrics.documents_volume.diagnostic_alerts.sent_bytes | Total size of sent documents | long | | Endpoint.metrics.documents_volume.diagnostic_alerts.sent_count | Number of sent documents | long | | Endpoint.metrics.documents_volume.diagnostic_alerts.suppressed_bytes | Total size of suppressed documents | long | | Endpoint.metrics.documents_volume.diagnostic_alerts.suppressed_count | Number of suppressed documents | long | | Endpoint.metrics.documents_volume.dns_events.sent_bytes | Total size of sent documents | long | | Endpoint.metrics.documents_volume.dns_events.sent_count | Number of sent documents | long | | Endpoint.metrics.documents_volume.dns_events.suppressed_bytes | Total size of suppressed documents | long | | Endpoint.metrics.documents_volume.dns_events.suppressed_count | Number of suppressed documents | long | | Endpoint.metrics.documents_volume.file_events.sent_bytes | Total size of sent documents | long | | Endpoint.metrics.documents_volume.file_events.sent_count | Number of sent documents | long | | Endpoint.metrics.documents_volume.file_events.suppressed_bytes | Total size of suppressed documents | long | | Endpoint.metrics.documents_volume.file_events.suppressed_count | Number of suppressed documents | long | | Endpoint.metrics.documents_volume.library_events.sent_bytes | Total size of sent documents | long | | Endpoint.metrics.documents_volume.library_events.sent_count | Number of sent documents | long | | Endpoint.metrics.documents_volume.library_events.suppressed_bytes | Total size of suppressed documents | long | | Endpoint.metrics.documents_volume.library_events.suppressed_count | Number of suppressed documents | long | | Endpoint.metrics.documents_volume.network_events.sent_bytes | Total size of sent documents | long | | Endpoint.metrics.documents_volume.network_events.sent_count | Number of sent documents | long | | Endpoint.metrics.documents_volume.network_events.suppressed_bytes | Total size of suppressed documents | long | | Endpoint.metrics.documents_volume.network_events.suppressed_count | Number of suppressed documents | long | | Endpoint.metrics.documents_volume.overall.sent_bytes | Total size of sent documents | long | | Endpoint.metrics.documents_volume.overall.sent_count | Number of sent documents | long | | Endpoint.metrics.documents_volume.overall.suppressed_bytes | Total size of suppressed documents | long | | Endpoint.metrics.documents_volume.overall.suppressed_count | Number of suppressed documents | long | | Endpoint.metrics.documents_volume.process_events.sent_bytes | Total size of sent documents | long | | Endpoint.metrics.documents_volume.process_events.sent_count | Number of sent documents | long | | Endpoint.metrics.documents_volume.process_events.suppressed_bytes | Total size of suppressed documents | long | | Endpoint.metrics.documents_volume.process_events.suppressed_count | Number of suppressed documents | long | | Endpoint.metrics.documents_volume.registry_events.sent_bytes | Total size of sent documents | long | | Endpoint.metrics.documents_volume.registry_events.sent_count | Number of sent documents | long | | Endpoint.metrics.documents_volume.registry_events.suppressed_bytes | Total size of suppressed documents | long | | Endpoint.metrics.documents_volume.registry_events.suppressed_count | Number of suppressed documents | long | | Endpoint.metrics.documents_volume.security_events.sent_bytes | Total size of sent documents | long | | Endpoint.metrics.documents_volume.security_events.sent_count | Number of sent documents | long | | Endpoint.metrics.documents_volume.security_events.suppressed_bytes | Total size of suppressed documents | long | | Endpoint.metrics.documents_volume.security_events.suppressed_count | Number of suppressed documents | long | | Endpoint.metrics.event_filter.active_global_count | The number of active global event filters | long | | Endpoint.metrics.event_filter.active_user_count | The number of active user event filters | long | | Endpoint.metrics.memory | Memory statistics | object | | Endpoint.metrics.memory.endpoint | Endpoint memory utilization | object | | Endpoint.metrics.memory.endpoint.private | The memory private to the endpoint | object | | Endpoint.metrics.memory.endpoint.private.latest | The memory usage by the endpoint for the last sample interval | long | | Endpoint.metrics.memory.endpoint.private.mean | Average memory usage by the endpoint since its start | long | | Endpoint.metrics.uptime | Number of seconds since boot | object | | Endpoint.metrics.uptime.endpoint | Number of seconds since the endpoint was started | long | | Endpoint.metrics.uptime.system | Number of seconds since the system was started | long | | agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword | | agent.version | Version of the agent. | keyword | | data_stream.dataset | Data stream dataset name. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | | event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | | event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | | event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | | event.end | event.end contains the date when the event ended or when the activity was last observed. | date | | event.hash | Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. | keyword | | event.id | Unique ID to describe the event. | keyword | | event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. | date | | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | | event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | | event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | | event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | | event.start | event.start contains the date when the event started or when the activity was first observed. | date | | event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | host.architecture | Operating system architecture. | keyword | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | | host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | | host.os.Ext | Object for all custom defined fields to live in. | object | | host.os.Ext.variant | A string value or phrase that further aid to classify or qualify the operating system (OS). For example the distribution for a Linux OS will be entered in this field. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.full | Operating system name, including the version or code name. | keyword | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | host.uptime | Seconds the host has been up. | long | | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | ### policy response #### Exported fields | Field | Description | Type | |---|---|---| | @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | Endpoint.configuration | Configuration fields represent the intended and applied setting for fields not part of a Policy setting This reflects what a given field is configured to do. The actual state of that same field is found in Endpoint.state | object | | Endpoint.configuration.isolation | Configuration setting for Host Isolation from the network | boolean | | Endpoint.policy | The policy fields are used to hold information about applied policy. | object | | Endpoint.policy.applied | information about the policy that is applied | object | | Endpoint.policy.applied.endpoint_policy_version | the version of this applied policy | keyword | | Endpoint.policy.applied.id | the id of the applied policy | keyword | | Endpoint.policy.applied.name | the name of this applied policy | keyword | | Endpoint.policy.applied.status | the status of the applied policy | keyword | | Endpoint.policy.applied.version | the version of this applied policy | keyword | | Endpoint.state | Represents the current state of a non-policy setting These fields reflect the current status of a field, which may differ from what it is configured to be (see Endpoint.configuration) | object | | Endpoint.state.isolation | Current network isolation state of the host | boolean | | agent.build.original | Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required. | keyword | | agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword | | agent.version | Version of the agent. | keyword | | data_stream.dataset | Data stream dataset name. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | | event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | | event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | | event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | | event.hash | Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. | keyword | | event.id | Unique ID to describe the event. | keyword | | event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. | date | | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | | event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | | event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | | event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | | event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | host.architecture | Operating system architecture. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | | host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | | host.os.Ext | Object for all custom defined fields to live in. | object | | host.os.Ext.variant | A string value or phrase that further aid to classify or qualify the operating system (OS). For example the distribution for a Linux OS will be entered in this field. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.full | Operating system name, including the version or code name. | keyword | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | PKHHPK}W* endpoint-8.10.2/docs/custom_documentation/UTdPK}W3 endpoint-8.10.2/docs/custom_documentation/README.mdUTd## Endpoint Event Documentation **This documentation is still beta** The subdirectories document all ECS fields that may exist in documents generated by Endpoint into logs and metrics datastreams. Only fields included by Endpoint are documented, those added during integration pipeline enrichment in Elasticsearch are not within the scope of this documentation. Endpoint state management documents are described in a cross-platform way because they are largely identical on each OS. Events are documented per-OS. Documentation for each state management or event document includes the relevant OS(es), the data stream the document is found in, a KQL filter to match on the document, and all the fields associated with the document. PK)PK}W1 endpoint-8.10.2/docs/custom_documentation/alerts/UTdPK}W7 endpoint-8.10.2/docs/custom_documentation/alerts/linux/UTdPK}WX endpoint-8.10.2/docs/custom_documentation/alerts/linux/linux_malicious_behavior_alert.mdUTd# Linux Malicious Behavior Alert - OS: Linux - Data Stream: `logs-endpoint.alerts-*` - KQL: `event.code : "behavior" and event.dataset : "endpoint.alerts" and event.module : "endpoint" and host.os.type : "linux"` This alert is generated when a Malicious Behavior alert occurs. | Field | |---| | @timestamp | | Endpoint.policy.applied.artifacts.global.identifiers.name | | Endpoint.policy.applied.artifacts.global.identifiers.sha256 | | Endpoint.policy.applied.artifacts.global.version | | Endpoint.policy.applied.artifacts.user.identifiers.name | | Endpoint.policy.applied.artifacts.user.identifiers.sha256 | | Endpoint.policy.applied.artifacts.user.version | | Events.*

Events is a list containing embedded copies of all events that triggered the Malicious Behavior alert. All fields that can exist in any event document can appear in this list. | | Events._label | | Events._state | | Responses.@timestamp | | Responses.action.action | | Responses.action.field | | Responses.action.state | | Responses.action.tree | | Responses.message | | Responses.process.entity_id | | Responses.process.name | | Responses.process.pid | | Responses.result | | agent.build.original | | agent.id | | agent.type | | agent.version | | cloud.account.id | | cloud.instance.name | | cloud.project.id | | cloud.provider | | cloud.region | | container.id | | container.image.hash.all | | container.image.name | | container.image.tag | | container.name | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | ecs.version | | elastic.agent.id | | event.action | | event.category | | event.code | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.risk_score | | event.sequence | | event.severity | | event.type | | file.*

file contains the file data from the primary event in Events. It can contain any fields that any other events includes within the file fieldset. | | group.Ext.real.id | | group.Ext.real.name | | group.id | | group.name | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | orchestrator.cluster.id | | orchestrator.cluster.name | | orchestrator.namespace | | orchestrator.resource.ip | | orchestrator.resource.name | | orchestrator.resource.parent.type | | orchestrator.resource.type | | process.*

process contains the process data from the primary event in Events. It can contain any fields that any other events includes within the process fieldset. | | rule.description | | rule.id | | rule.name | | rule.reference | | rule.ruleset | | rule.version | | threat.framework | | threat.tactic.id | | threat.tactic.name | | threat.tactic.reference | | threat.technique.id | | threat.technique.name | | threat.technique.reference | | threat.technique.subtechnique | | user.Ext.real.id | | user.Ext.real.name | | user.id | | user.name | PKw_ PK}WM endpoint-8.10.2/docs/custom_documentation/alerts/linux/linux_malware_alert.mdUTd# Linux Malware Alert - OS: Linux - Data Stream: `logs-endpoint.alerts-*` - KQL: `event.code : "malicious_file" and event.dataset : "endpoint.alerts" and event.module : "endpoint" and host.os.type : "linux"` This alert is generated when a Malware alert occurs. | Field | |---| | @timestamp | | Endpoint.policy.applied.artifacts.global.identifiers.name | | Endpoint.policy.applied.artifacts.global.identifiers.sha256 | | Endpoint.policy.applied.artifacts.global.version | | Endpoint.policy.applied.artifacts.user.identifiers.name | | Endpoint.policy.applied.artifacts.user.identifiers.sha256 | | Endpoint.policy.applied.artifacts.user.version | | agent.build.original | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | ecs.version | | elastic.agent.id | | event.action | | event.category | | event.code | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.risk_score | | event.sequence | | event.severity | | event.type | | file.Ext.malware_classification.identifier | | file.Ext.malware_classification.score | | file.Ext.malware_classification.threshold | | file.Ext.malware_classification.version | | file.Ext.malware_signature.all_names | | file.Ext.malware_signature.identifier | | file.Ext.malware_signature.primary.matches | | file.Ext.malware_signature.primary.signature.hash.sha256 | | file.Ext.malware_signature.primary.signature.id | | file.Ext.malware_signature.primary.signature.name | | file.Ext.malware_signature.version | | file.Ext.quarantine_message | | file.Ext.quarantine_path | | file.Ext.quarantine_result | | file.Ext.temp_file_path | | file.accessed | | file.created | | file.directory | | file.extension | | file.hash.md5 | | file.hash.sha1 | | file.hash.sha256 | | file.inode | | file.mtime | | file.name | | file.owner | | file.path | | file.size | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | process.Ext.ancestry | | process.Ext.user | | process.args | | process.args_count | | process.command_line | | process.entity_id | | process.entry_leader.args | | process.entry_leader.args_count | | process.entry_leader.entity_id | | process.entry_leader.entry_meta.source.ip | | process.entry_leader.entry_meta.type | | process.entry_leader.executable | | process.entry_leader.group.id | | process.entry_leader.group.name | | process.entry_leader.interactive | | process.entry_leader.name | | process.entry_leader.parent.entity_id | | process.entry_leader.parent.pid | | process.entry_leader.parent.start | | process.entry_leader.pid | | process.entry_leader.real_group.id | | process.entry_leader.real_group.name | | process.entry_leader.real_user.id | | process.entry_leader.real_user.name | | process.entry_leader.same_as_process | | process.entry_leader.start | | process.entry_leader.supplemental_groups.id | | process.entry_leader.supplemental_groups.name | | process.entry_leader.tty.char_device.major | | process.entry_leader.tty.char_device.minor | | process.entry_leader.user.id | | process.entry_leader.user.name | | process.entry_leader.working_directory | | process.executable | | process.group.id | | process.group.name | | process.group_leader.args | | process.group_leader.args_count | | process.group_leader.entity_id | | process.group_leader.executable | | process.group_leader.group.id | | process.group_leader.group.name | | process.group_leader.interactive | | process.group_leader.name | | process.group_leader.pid | | process.group_leader.real_group.id | | process.group_leader.real_group.name | | process.group_leader.real_user.id | | process.group_leader.real_user.name | | process.group_leader.same_as_process | | process.group_leader.start | | process.group_leader.supplemental_groups.id | | process.group_leader.supplemental_groups.name | | process.group_leader.tty.char_device.major | | process.group_leader.tty.char_device.minor | | process.group_leader.user.id | | process.group_leader.user.name | | process.group_leader.working_directory | | process.hash.md5 | | process.hash.sha1 | | process.hash.sha256 | | process.interactive | | process.name | | process.parent.Ext.user | | process.parent.args | | process.parent.args_count | | process.parent.command_line | | process.parent.entity_id | | process.parent.executable | | process.parent.group.id | | process.parent.group.name | | process.parent.hash.md5 | | process.parent.hash.sha1 | | process.parent.hash.sha256 | | process.parent.interactive | | process.parent.name | | process.parent.pgid | | process.parent.pid | | process.parent.ppid | | process.parent.real_group.id | | process.parent.real_group.name | | process.parent.real_user.id | | process.parent.real_user.name | | process.parent.start | | process.parent.supplemental_groups.id | | process.parent.supplemental_groups.name | | process.parent.tty.char_device.major | | process.parent.tty.char_device.minor | | process.parent.uptime | | process.parent.user.id | | process.parent.user.name | | process.parent.working_directory | | process.pgid | | process.pid | | process.real_group.id | | process.real_group.name | | process.real_user.id | | process.real_user.name | | process.session_leader.args | | process.session_leader.args_count | | process.session_leader.entity_id | | process.session_leader.executable | | process.session_leader.group.id | | process.session_leader.group.name | | process.session_leader.interactive | | process.session_leader.name | | process.session_leader.pid | | process.session_leader.real_group.id | | process.session_leader.real_group.name | | process.session_leader.real_user.id | | process.session_leader.real_user.name | | process.session_leader.same_as_process | | process.session_leader.start | | process.session_leader.supplemental_groups.id | | process.session_leader.supplemental_groups.name | | process.session_leader.tty.char_device.major | | process.session_leader.tty.char_device.minor | | process.session_leader.user.id | | process.session_leader.user.name | | process.session_leader.working_directory | | process.start | | process.supplemental_groups.id | | process.supplemental_groups.name | | process.tty.char_device.major | | process.tty.char_device.minor | | process.uptime | | process.user.id | | process.user.name | | process.working_directory | | rule.id | | rule.name | | rule.ruleset | | user.name | PK<PK}WS endpoint-8.10.2/docs/custom_documentation/alerts/linux/linux_memory_threat_alert.mdUTd# Linux Memory Threat Alert - OS: Linux - Data Stream: `logs-endpoint.alerts-*` - KQL: `event.code : "memory_signature" and event.dataset : "endpoint.alerts" and event.module : "endpoint" and host.os.type : "linux"` This alert is generated when a Memory Threat alert occurs. | Field | |---| | @timestamp | | Endpoint.policy.applied.artifacts.global.identifiers.name | | Endpoint.policy.applied.artifacts.global.identifiers.sha256 | | Endpoint.policy.applied.artifacts.global.version | | Endpoint.policy.applied.artifacts.user.identifiers.name | | Endpoint.policy.applied.artifacts.user.identifiers.sha256 | | Endpoint.policy.applied.artifacts.user.version | | agent.build.original | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | ecs.version | | elastic.agent.id | | event.category | | event.code | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.risk_score | | event.sequence | | event.severity | | event.type | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | process.Ext.ancestry | | process.Ext.memory_region.allocation_base | | process.Ext.memory_region.allocation_size | | process.Ext.memory_region.allocation_type | | process.Ext.memory_region.bytes_address | | process.Ext.memory_region.bytes_allocation_offset | | process.Ext.memory_region.bytes_compressed | | process.Ext.memory_region.bytes_compressed_present | | process.Ext.memory_region.malware_signature.all_names | | process.Ext.memory_region.malware_signature.identifier | | process.Ext.memory_region.malware_signature.primary.matches | | process.Ext.memory_region.malware_signature.primary.signature.hash.sha256 | | process.Ext.memory_region.malware_signature.primary.signature.id | | process.Ext.memory_region.malware_signature.primary.signature.name | | process.Ext.memory_region.malware_signature.version | | process.Ext.memory_region.region_base | | process.Ext.memory_region.region_protection | | process.Ext.memory_region.region_size | | process.Ext.user | | process.args | | process.args_count | | process.command_line | | process.entity_id | | process.entry_leader.args | | process.entry_leader.args_count | | process.entry_leader.entity_id | | process.entry_leader.entry_meta.source.ip | | process.entry_leader.entry_meta.type | | process.entry_leader.executable | | process.entry_leader.group.id | | process.entry_leader.group.name | | process.entry_leader.interactive | | process.entry_leader.name | | process.entry_leader.parent.entity_id | | process.entry_leader.parent.pid | | process.entry_leader.parent.start | | process.entry_leader.pid | | process.entry_leader.real_group.id | | process.entry_leader.real_group.name | | process.entry_leader.real_user.id | | process.entry_leader.real_user.name | | process.entry_leader.same_as_process | | process.entry_leader.start | | process.entry_leader.supplemental_groups.id | | process.entry_leader.supplemental_groups.name | | process.entry_leader.tty.char_device.major | | process.entry_leader.tty.char_device.minor | | process.entry_leader.user.id | | process.entry_leader.user.name | | process.entry_leader.working_directory | | process.executable | | process.group.id | | process.group.name | | process.group_leader.args | | process.group_leader.args_count | | process.group_leader.entity_id | | process.group_leader.executable | | process.group_leader.group.id | | process.group_leader.group.name | | process.group_leader.interactive | | process.group_leader.name | | process.group_leader.pid | | process.group_leader.real_group.id | | process.group_leader.real_group.name | | process.group_leader.real_user.id | | process.group_leader.real_user.name | | process.group_leader.same_as_process | | process.group_leader.start | | process.group_leader.supplemental_groups.id | | process.group_leader.supplemental_groups.name | | process.group_leader.tty.char_device.major | | process.group_leader.tty.char_device.minor | | process.group_leader.user.id | | process.group_leader.user.name | | process.group_leader.working_directory | | process.hash.md5 | | process.hash.sha1 | | process.hash.sha256 | | process.interactive | | process.name | | process.parent.Ext.user | | process.parent.args | | process.parent.args_count | | process.parent.command_line | | process.parent.entity_id | | process.parent.executable | | process.parent.hash.md5 | | process.parent.hash.sha1 | | process.parent.hash.sha256 | | process.parent.name | | process.parent.pgid | | process.parent.pid | | process.parent.ppid | | process.parent.start | | process.parent.uptime | | process.pgid | | process.pid | | process.ppid | | process.previous.args | | process.previous.args_count | | process.previous.executable | | process.real_group.id | | process.real_group.name | | process.real_user.id | | process.real_user.name | | process.session_leader.args | | process.session_leader.args_count | | process.session_leader.entity_id | | process.session_leader.executable | | process.session_leader.group.id | | process.session_leader.group.name | | process.session_leader.interactive | | process.session_leader.name | | process.session_leader.pid | | process.session_leader.real_group.id | | process.session_leader.real_group.name | | process.session_leader.real_user.id | | process.session_leader.real_user.name | | process.session_leader.same_as_process | | process.session_leader.start | | process.session_leader.supplemental_groups.id | | process.session_leader.supplemental_groups.name | | process.session_leader.tty.char_device.major | | process.session_leader.tty.char_device.minor | | process.session_leader.user.id | | process.session_leader.user.name | | process.session_leader.working_directory | | process.start | | process.supplemental_groups.id | | process.supplemental_groups.name | | process.tty.char_device.major | | process.tty.char_device.minor | | process.uptime | | process.user.id | | process.user.name | | process.working_directory | | rule.id | | rule.name | | rule.ruleset | | user.name | PK 6mmPK}W7 endpoint-8.10.2/docs/custom_documentation/alerts/macos/UTdPK}WX endpoint-8.10.2/docs/custom_documentation/alerts/macos/macos_malicious_behavior_alert.mdUTd# macOS Malicious Behavior Alert - OS: macOS - Data Stream: `logs-endpoint.alerts-*` - KQL: `event.code : "behavior" and event.dataset : "endpoint.alerts" and event.module : "endpoint" and host.os.type : "macos"` This alert is generated when a Malicious Behavior alert occurs. | Field | |---| | @timestamp | | Endpoint.policy.applied.artifacts.global.identifiers.name | | Endpoint.policy.applied.artifacts.global.identifiers.sha256 | | Endpoint.policy.applied.artifacts.global.version | | Endpoint.policy.applied.artifacts.user.identifiers.name | | Endpoint.policy.applied.artifacts.user.identifiers.sha256 | | Endpoint.policy.applied.artifacts.user.version | | Events.*

Events is a list containing embedded copies of all events that triggered the Malicious Behavior alert. All fields that can exist in any event document can appear in this list. | | Events._label | | Events._state | | Responses.@timestamp | | Responses.action.action | | Responses.action.field | | Responses.action.state | | Responses.action.tree | | Responses.message | | Responses.process.entity_id | | Responses.process.name | | Responses.process.pid | | Responses.result | | agent.build.original | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | ecs.version | | elastic.agent.id | | event.action | | event.category | | event.code | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.risk_score | | event.sequence | | event.severity | | event.type | | file.*

file contains the file data from the primary event in Events. It can contain any fields that any other events includes within the file fieldset. | | group.Ext.real.id | | group.Ext.real.name | | group.id | | group.name | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | process.*

process contains the process data from the primary event in Events. It can contain any fields that any other events includes within the process fieldset. | | rule.description | | rule.id | | rule.name | | rule.reference | | rule.ruleset | | rule.version | | threat.framework | | threat.tactic.id | | threat.tactic.name | | threat.tactic.reference | | threat.technique.id | | threat.technique.name | | threat.technique.reference | | threat.technique.subtechnique | | user.Ext.real.id | | user.Ext.real.name | | user.id | | user.name | PKCU< < PK}WM endpoint-8.10.2/docs/custom_documentation/alerts/macos/macos_malware_alert.mdUTd# macOS Malware Alert - OS: macOS - Data Stream: `logs-endpoint.alerts-*` - KQL: `event.code : "malicious_file" and event.dataset : "endpoint.alerts" and event.module : "endpoint" and host.os.type : "macos"` This alert is generated when a macOS Malware alert occurs. | Field | |---| | @timestamp | | Endpoint.policy.applied.artifacts.global.identifiers.name | | Endpoint.policy.applied.artifacts.global.identifiers.sha256 | | Endpoint.policy.applied.artifacts.global.version | | Endpoint.policy.applied.artifacts.user.identifiers.name | | Endpoint.policy.applied.artifacts.user.identifiers.sha256 | | Endpoint.policy.applied.artifacts.user.version | | agent.build.original | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | ecs.version | | elastic.agent.id | | event.action | | event.category | | event.code | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.risk_score | | event.sequence | | event.severity | | event.type | | file.Ext.malware_classification.identifier | | file.Ext.malware_classification.score | | file.Ext.malware_classification.threshold | | file.Ext.malware_classification.version | | file.Ext.malware_signature.all_names | | file.Ext.malware_signature.identifier | | file.Ext.malware_signature.primary.matches | | file.Ext.malware_signature.primary.signature.hash.sha256 | | file.Ext.malware_signature.primary.signature.id | | file.Ext.malware_signature.primary.signature.name | | file.Ext.malware_signature.version | | file.Ext.quarantine_message | | file.Ext.quarantine_path | | file.Ext.quarantine_result | | file.Ext.temp_file_path | | file.accessed | | file.code_signature.exists | | file.code_signature.signing_id | | file.code_signature.status | | file.code_signature.subject_name | | file.code_signature.team_id | | file.code_signature.trusted | | file.created | | file.directory | | file.extension | | file.hash.md5 | | file.hash.sha1 | | file.hash.sha256 | | file.mtime | | file.name | | file.owner | | file.path | | file.size | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | process.Ext.ancestry | | process.Ext.user | | process.args | | process.args_count | | process.code_signature.exists | | process.code_signature.signing_id | | process.code_signature.status | | process.code_signature.subject_name | | process.code_signature.team_id | | process.code_signature.trusted | | process.command_line | | process.entity_id | | process.executable | | process.hash.md5 | | process.hash.sha1 | | process.hash.sha256 | | process.name | | process.parent.Ext.user | | process.parent.args | | process.parent.args_count | | process.parent.code_signature.exists | | process.parent.code_signature.signing_id | | process.parent.code_signature.status | | process.parent.code_signature.subject_name | | process.parent.code_signature.team_id | | process.parent.code_signature.trusted | | process.parent.command_line | | process.parent.entity_id | | process.parent.executable | | process.parent.hash.md5 | | process.parent.hash.sha1 | | process.parent.hash.sha256 | | process.parent.name | | process.parent.pgid | | process.parent.pid | | process.parent.ppid | | process.parent.start | | process.parent.uptime | | process.pgid | | process.pid | | process.start | | process.uptime | | rule.id | | rule.name | | rule.ruleset | | user.name | PK <PK}WS endpoint-8.10.2/docs/custom_documentation/alerts/macos/macos_memory_threat_alert.mdUTd# macOS Memory Threat Alert - OS: macOS - Data Stream: `logs-endpoint.alerts-*` - KQL: `event.code : "memory_signature" and event.dataset : "endpoint.alerts" and event.module : "endpoint" and host.os.type : "macos"` This alert is generated when a macOS Memory Thread alert occurs. | Field | |---| | @timestamp | | Endpoint.policy.applied.artifacts.global.identifiers.name | | Endpoint.policy.applied.artifacts.global.identifiers.sha256 | | Endpoint.policy.applied.artifacts.global.version | | Endpoint.policy.applied.artifacts.user.identifiers.name | | Endpoint.policy.applied.artifacts.user.identifiers.sha256 | | Endpoint.policy.applied.artifacts.user.version | | agent.build.original | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | ecs.version | | elastic.agent.id | | event.category | | event.code | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.risk_score | | event.sequence | | event.severity | | event.type | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | process.Ext.ancestry | | process.Ext.memory_region.allocation_base | | process.Ext.memory_region.allocation_size | | process.Ext.memory_region.allocation_type | | process.Ext.memory_region.bytes_address | | process.Ext.memory_region.bytes_allocation_offset | | process.Ext.memory_region.bytes_compressed | | process.Ext.memory_region.bytes_compressed_present | | process.Ext.memory_region.malware_signature.all_names | | process.Ext.memory_region.malware_signature.identifier | | process.Ext.memory_region.malware_signature.primary.matches | | process.Ext.memory_region.malware_signature.primary.signature.hash.sha256 | | process.Ext.memory_region.malware_signature.primary.signature.id | | process.Ext.memory_region.malware_signature.primary.signature.name | | process.Ext.memory_region.malware_signature.version | | process.Ext.memory_region.region_base | | process.Ext.memory_region.region_protection | | process.Ext.memory_region.region_size | | process.Ext.user | | process.args | | process.args_count | | process.code_signature.exists | | process.code_signature.signing_id | | process.code_signature.status | | process.code_signature.subject_name | | process.code_signature.team_id | | process.code_signature.trusted | | process.command_line | | process.entity_id | | process.executable | | process.hash.md5 | | process.hash.sha1 | | process.hash.sha256 | | process.name | | process.parent.Ext.user | | process.parent.args | | process.parent.args_count | | process.parent.code_signature.exists | | process.parent.code_signature.signing_id | | process.parent.code_signature.status | | process.parent.code_signature.subject_name | | process.parent.code_signature.team_id | | process.parent.code_signature.trusted | | process.parent.command_line | | process.parent.entity_id | | process.parent.executable | | process.parent.hash.md5 | | process.parent.hash.sha1 | | process.parent.hash.sha256 | | process.parent.name | | process.parent.pgid | | process.parent.pid | | process.parent.ppid | | process.parent.start | | process.parent.uptime | | process.pgid | | process.pid | | process.ppid | | process.start | | process.uptime | | rule.id | | rule.name | | rule.ruleset | | user.name | PK>G6 PK}W9 endpoint-8.10.2/docs/custom_documentation/alerts/windows/UTdPK}W\ endpoint-8.10.2/docs/custom_documentation/alerts/windows/windows_malicious_behavior_alert.mdUTd# Windows Malicious Behavior Alert - OS: Windows - Data Stream: `logs-endpoint.alerts-*` - KQL: `event.code : "behavior" and event.dataset : "endpoint.alerts" and event.module : "endpoint" and host.os.type : "windows"` This alert occurs when a Malicious Behavior alert occurs. | Field | |---| | @timestamp | | Endpoint.policy.applied.artifacts.global.identifiers.name | | Endpoint.policy.applied.artifacts.global.identifiers.sha256 | | Endpoint.policy.applied.artifacts.global.version | | Endpoint.policy.applied.artifacts.user.identifiers.name | | Endpoint.policy.applied.artifacts.user.identifiers.sha256 | | Endpoint.policy.applied.artifacts.user.version | | Events.*

Events is a list containing embedded copies of all events that triggered the Malicious Behavior alert. All fields that can exist in any event document can appear in this list. | | Events._label | | Events._state | | Responses.@timestamp | | Responses.action.action | | Responses.action.field | | Responses.action.file.attributes | | Responses.action.file.path | | Responses.action.file.reason | | Responses.action.key.actions | | Responses.action.key.path | | Responses.action.key.values.actions | | Responses.action.key.values.name | | Responses.action.source.attributes | | Responses.action.source.path | | Responses.action.state | | Responses.action.tree | | Responses.message | | Responses.process.entity_id | | Responses.process.name | | Responses.process.pid | | Responses.result | | Target.*

Target contains target process data from the primary event in Events. It can contain any fields that any other events includes within the Target fieldset. | | agent.build.original | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | dll.*

dll contains dll data from the primary event in Events. It can contain any fields that any other events includes within the dll fieldset. | | ecs.version | | elastic.agent.id | | event.action | | event.category | | event.code | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.risk_score | | event.sequence | | event.severity | | event.type | | file.*

file contains the file data from the primary event in Events. It can contain any fields that any other events includes within the file fieldset. | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | process.*

process contains the process data from the primary event in Events. It can contain any fields that any other events includes within the process fieldset. | | registry.*

registry contains the registry data from the primary event in Events. It can contain any fields that any other events includes within the registry fieldset. | | rule.description | | rule.id | | rule.name | | rule.reference | | rule.ruleset | | rule.version | | threat.framework | | threat.tactic.id | | threat.tactic.name | | threat.tactic.reference | | threat.technique.id | | threat.technique.name | | threat.technique.reference | | threat.technique.subtechnique.id | | threat.technique.subtechnique.name | | threat.technique.subtechnique.reference | | user.domain | | user.id | | user.name | PK'rn n PK}WQ endpoint-8.10.2/docs/custom_documentation/alerts/windows/windows_malware_alert.mdUTd# Windows Malware Alert - OS: Windows - Data Stream: `logs-endpoint.alerts-*` - KQL: `event.code : "malicious_file" and event.dataset : "endpoint.alerts" and event.module : "endpoint" and host.os.type : "windows"` This alert is generated when a Malware alert occurs. | Field | |---| | @timestamp | | Endpoint.policy.applied.artifacts.global.identifiers.name | | Endpoint.policy.applied.artifacts.global.identifiers.sha256 | | Endpoint.policy.applied.artifacts.global.version | | Endpoint.policy.applied.artifacts.user.identifiers.name | | Endpoint.policy.applied.artifacts.user.identifiers.sha256 | | Endpoint.policy.applied.artifacts.user.version | | Responses.@timestamp | | Responses.action.action | | Responses.action.file.attributes | | Responses.action.file.path | | Responses.action.file.reason | | Responses.action.key.actions | | Responses.action.key.path | | Responses.action.key.values.actions | | Responses.action.key.values.name | | Responses.action.source.attributes | | Responses.action.source.path | | Responses.message | | Responses.result | | agent.build.original | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | ecs.version | | elastic.agent.id | | event.action | | event.category | | event.code | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.risk_score | | event.sequence | | event.severity | | event.type | | file.Ext.code_signature.exists | | file.Ext.code_signature.status | | file.Ext.code_signature.subject_name | | file.Ext.code_signature.trusted | | file.Ext.device.bus_type | | file.Ext.device.dos_name | | file.Ext.device.file_system_type | | file.Ext.device.nt_name | | file.Ext.device.product_id | | file.Ext.device.vendor_id | | file.Ext.device.volume_device_type | | file.Ext.malware_classification.identifier | | file.Ext.malware_classification.score | | file.Ext.malware_classification.threshold | | file.Ext.malware_classification.version | | file.Ext.malware_signature.all_names | | file.Ext.malware_signature.identifier | | file.Ext.malware_signature.primary.matches | | file.Ext.malware_signature.primary.signature.hash.sha256 | | file.Ext.malware_signature.primary.signature.id | | file.Ext.malware_signature.primary.signature.name | | file.Ext.malware_signature.version | | file.Ext.quarantine_message | | file.Ext.quarantine_path | | file.Ext.quarantine_result | | file.Ext.temp_file_path | | file.accessed | | file.code_signature.exists | | file.code_signature.status | | file.code_signature.subject_name | | file.code_signature.trusted | | file.created | | file.directory | | file.drive_letter | | file.extension | | file.hash.md5 | | file.hash.sha1 | | file.hash.sha256 | | file.mtime | | file.name | | file.owner | | file.path | | file.pe.Ext.dotnet | | file.pe.Ext.sections.hash.md5 | | file.pe.Ext.sections.hash.sha256 | | file.pe.Ext.sections.name | | file.pe.Ext.streams.hash.md5 | | file.pe.Ext.streams.hash.sha256 | | file.pe.Ext.streams.name | | file.pe.company | | file.pe.description | | file.pe.file_version | | file.pe.original_file_name | | file.pe.product | | file.size | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | process.Ext.ancestry | | process.Ext.architecture | | process.Ext.code_signature.exists | | process.Ext.code_signature.status | | process.Ext.code_signature.subject_name | | process.Ext.code_signature.trusted | | process.Ext.protection | | process.Ext.token.domain | | process.Ext.token.elevation | | process.Ext.token.elevation_type | | process.Ext.token.integrity_level_name | | process.Ext.token.sid | | process.Ext.token.user | | process.Ext.user | | process.args | | process.args_count | | process.code_signature.exists | | process.code_signature.status | | process.code_signature.subject_name | | process.code_signature.trusted | | process.command_line | | process.entity_id | | process.executable | | process.hash.md5 | | process.hash.sha1 | | process.hash.sha256 | | process.name | | process.parent.Ext.architecture | | process.parent.Ext.code_signature.exists | | process.parent.Ext.code_signature.status | | process.parent.Ext.code_signature.subject_name | | process.parent.Ext.code_signature.trusted | | process.parent.Ext.protection | | process.parent.Ext.user | | process.parent.args | | process.parent.args_count | | process.parent.code_signature.exists | | process.parent.code_signature.status | | process.parent.code_signature.subject_name | | process.parent.code_signature.trusted | | process.parent.command_line | | process.parent.entity_id | | process.parent.executable | | process.parent.hash.md5 | | process.parent.hash.sha1 | | process.parent.hash.sha256 | | process.parent.name | | process.parent.pid | | process.parent.ppid | | process.parent.start | | process.parent.uptime | | process.pe.company | | process.pe.description | | process.pe.file_version | | process.pe.original_file_name | | process.pe.product | | process.pid | | process.start | | process.uptime | | rule.id | | rule.name | | rule.ruleset | | user.domain | | user.name | PKsY4PK}WW endpoint-8.10.2/docs/custom_documentation/alerts/windows/windows_memory_threat_alert.mdUTd# Windows Memory Threat Alert - OS: Windows - Data Stream: `logs-endpoint.alerts-*` - KQL: `event.code : "memory_signature" and event.dataset : "endpoint.alerts" and event.module : "endpoint" and host.os.type : "windows"` This alert is generated when a Memory Threat alert occurs. | Field | |---| | @timestamp | | Endpoint.policy.applied.artifacts.global.identifiers.name | | Endpoint.policy.applied.artifacts.global.identifiers.sha256 | | Endpoint.policy.applied.artifacts.global.version | | Endpoint.policy.applied.artifacts.user.identifiers.name | | Endpoint.policy.applied.artifacts.user.identifiers.sha256 | | Endpoint.policy.applied.artifacts.user.version | | agent.build.original | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | ecs.version | | elastic.agent.id | | event.category | | event.code | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.risk_score | | event.sequence | | event.severity | | event.type | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | process.Ext.ancestry | | process.Ext.architecture | | process.Ext.code_signature.exists | | process.Ext.memory_region.allocation_base | | process.Ext.memory_region.allocation_protection | | process.Ext.memory_region.allocation_size | | process.Ext.memory_region.allocation_type | | process.Ext.memory_region.bytes_address | | process.Ext.memory_region.bytes_allocation_offset | | process.Ext.memory_region.bytes_compressed | | process.Ext.memory_region.bytes_compressed_present | | process.Ext.memory_region.malware_signature.all_names | | process.Ext.memory_region.malware_signature.identifier | | process.Ext.memory_region.malware_signature.primary.matches | | process.Ext.memory_region.malware_signature.primary.signature.hash.sha256 | | process.Ext.memory_region.malware_signature.primary.signature.id | | process.Ext.memory_region.malware_signature.primary.signature.name | | process.Ext.memory_region.malware_signature.version | | process.Ext.memory_region.region_base | | process.Ext.memory_region.region_protection | | process.Ext.memory_region.region_size | | process.Ext.memory_region.region_state | | process.Ext.protection | | process.Ext.token.domain | | process.Ext.token.elevation | | process.Ext.token.elevation_type | | process.Ext.token.integrity_level_name | | process.Ext.token.sid | | process.Ext.token.user | | process.Ext.user | | process.args | | process.args_count | | process.code_signature.exists | | process.command_line | | process.entity_id | | process.executable | | process.hash.md5 | | process.hash.sha1 | | process.hash.sha256 | | process.name | | process.parent.Ext.architecture | | process.parent.Ext.code_signature.exists | | process.parent.Ext.code_signature.status | | process.parent.Ext.code_signature.subject_name | | process.parent.Ext.code_signature.trusted | | process.parent.Ext.protection | | process.parent.Ext.user | | process.parent.args | | process.parent.args_count | | process.parent.code_signature.exists | | process.parent.code_signature.status | | process.parent.code_signature.subject_name | | process.parent.code_signature.trusted | | process.parent.command_line | | process.parent.entity_id | | process.parent.executable | | process.parent.hash.md5 | | process.parent.hash.sha1 | | process.parent.hash.sha256 | | process.parent.name | | process.parent.pid | | process.parent.ppid | | process.parent.start | | process.parent.uptime | | process.pid | | process.ppid | | process.start | | process.uptime | | rule.id | | rule.name | | rule.ruleset | | user.domain | | user.name | PKNkPK}WT endpoint-8.10.2/docs/custom_documentation/alerts/windows/windows_ransomware_alert.mdUTd# Windows Ransomware Alert - OS: Windows - Data Stream: `logs-endpoint.alerts-*` - KQL: `event.code : "ransomware" and event.dataset : "endpoint.alerts" and event.module : "endpoint" and host.os.type : "windows"` This alert is generated when a Ransomware alert occurs. | Field | |---| | @timestamp | | Endpoint.policy.applied.artifacts.global.identifiers.name | | Endpoint.policy.applied.artifacts.global.identifiers.sha256 | | Endpoint.policy.applied.artifacts.global.version | | Endpoint.policy.applied.artifacts.user.identifiers.name | | Endpoint.policy.applied.artifacts.user.identifiers.sha256 | | Endpoint.policy.applied.artifacts.user.version | | Ransomware.child_processes.executable | | Ransomware.child_processes.files.data | | Ransomware.child_processes.files.entropy | | Ransomware.child_processes.files.extension | | Ransomware.child_processes.files.metrics | | Ransomware.child_processes.files.operation | | Ransomware.child_processes.files.path | | Ransomware.child_processes.files.score | | Ransomware.child_processes.pid | | Ransomware.child_processes.score | | Ransomware.feature | | Ransomware.files.data | | Ransomware.files.entropy | | Ransomware.files.extension | | Ransomware.files.metrics | | Ransomware.files.operation | | Ransomware.files.path | | Ransomware.files.score | | Ransomware.score | | Ransomware.version | | Responses.@timestamp | | Responses.action.action | | Responses.action.file.attributes | | Responses.action.file.path | | Responses.action.file.reason | | Responses.action.key.actions | | Responses.action.key.path | | Responses.action.source.attributes | | Responses.action.source.path | | Responses.message | | Responses.result | | agent.build.original | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | ecs.version | | elastic.agent.id | | event.action | | event.category | | event.code | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.risk_score | | event.sequence | | event.severity | | event.type | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | process.Ext.ancestry | | process.Ext.architecture | | process.Ext.code_signature.exists | | process.Ext.code_signature.status | | process.Ext.code_signature.subject_name | | process.Ext.code_signature.trusted | | process.Ext.dll.Ext.code_signature.exists | | process.Ext.dll.Ext.code_signature.status | | process.Ext.dll.Ext.code_signature.subject_name | | process.Ext.dll.Ext.code_signature.trusted | | process.Ext.dll.Ext.mapped_address | | process.Ext.dll.Ext.mapped_size | | process.Ext.dll.code_signature.exists | | process.Ext.dll.code_signature.status | | process.Ext.dll.code_signature.subject_name | | process.Ext.dll.code_signature.trusted | | process.Ext.dll.hash.md5 | | process.Ext.dll.hash.sha1 | | process.Ext.dll.hash.sha256 | | process.Ext.dll.name | | process.Ext.dll.path | | process.Ext.protection | | process.Ext.token.domain | | process.Ext.token.elevation | | process.Ext.token.elevation_type | | process.Ext.token.integrity_level_name | | process.Ext.token.sid | | process.Ext.token.user | | process.Ext.user | | process.args | | process.args_count | | process.code_signature.exists | | process.code_signature.status | | process.code_signature.subject_name | | process.code_signature.trusted | | process.command_line | | process.entity_id | | process.executable | | process.hash.md5 | | process.hash.sha1 | | process.hash.sha256 | | process.name | | process.parent.Ext.architecture | | process.parent.Ext.code_signature.exists | | process.parent.Ext.code_signature.status | | process.parent.Ext.code_signature.subject_name | | process.parent.Ext.code_signature.trusted | | process.parent.Ext.protection | | process.parent.Ext.user | | process.parent.args | | process.parent.args_count | | process.parent.code_signature.exists | | process.parent.code_signature.status | | process.parent.code_signature.subject_name | | process.parent.code_signature.trusted | | process.parent.command_line | | process.parent.entity_id | | process.parent.executable | | process.parent.hash.md5 | | process.parent.hash.sha1 | | process.parent.hash.sha256 | | process.parent.name | | process.parent.pid | | process.parent.ppid | | process.parent.start | | process.parent.uptime | | process.pe.company | | process.pe.description | | process.pe.file_version | | process.pe.original_file_name | | process.pe.product | | process.pid | | process.start | | process.uptime | | rule.ruleset | | user.domain | | user.name | PK(PK}WT endpoint-8.10.2/docs/custom_documentation/alerts/windows/windows_shellcode_thread.mdUTd# Windows Shellcode Thread Alert - OS: Windows - Data Stream: `logs-endpoint.alerts-*` - KQL: `event.code : "shellcode_thread" and event.dataset : "endpoint.alerts" and event.module : "endpoint" and host.os.type : "windows"` This alert is generated when a Shellcode Threat alert occurs. | Field | |---| | @timestamp | | Endpoint.policy.applied.artifacts.global.identifiers.name | | Endpoint.policy.applied.artifacts.global.identifiers.sha256 | | Endpoint.policy.applied.artifacts.global.version | | Endpoint.policy.applied.artifacts.user.identifiers.name | | Endpoint.policy.applied.artifacts.user.identifiers.sha256 | | Endpoint.policy.applied.artifacts.user.version | | Memory_protection.cross_session | | Memory_protection.feature | | Memory_protection.parent_to_child | | Memory_protection.self_injection | | Memory_protection.unique_key_v1 | | Responses.@timestamp | | Responses.action.action | | Responses.action.file.attributes | | Responses.action.file.path | | Responses.action.file.reason | | Responses.action.key.actions | | Responses.action.key.path | | Responses.action.key.values.actions | | Responses.action.key.values.name | | Responses.action.source.attributes | | Responses.action.source.path | | Responses.message | | Responses.result | | Target.process.Ext.architecture | | Target.process.Ext.code_signature.exists | | Target.process.Ext.dll.Ext.code_signature.exists | | Target.process.Ext.dll.Ext.code_signature.status | | Target.process.Ext.dll.Ext.code_signature.subject_name | | Target.process.Ext.dll.Ext.code_signature.trusted | | Target.process.Ext.dll.Ext.mapped_address | | Target.process.Ext.dll.Ext.mapped_size | | Target.process.Ext.dll.code_signature.exists | | Target.process.Ext.dll.code_signature.status | | Target.process.Ext.dll.code_signature.subject_name | | Target.process.Ext.dll.code_signature.trusted | | Target.process.Ext.dll.hash.md5 | | Target.process.Ext.dll.hash.sha1 | | Target.process.Ext.dll.hash.sha256 | | Target.process.Ext.dll.name | | Target.process.Ext.dll.path | | Target.process.Ext.memory_region.allocation_base | | Target.process.Ext.memory_region.allocation_protection | | Target.process.Ext.memory_region.allocation_size | | Target.process.Ext.memory_region.allocation_type | | Target.process.Ext.memory_region.bytes_address | | Target.process.Ext.memory_region.bytes_allocation_offset | | Target.process.Ext.memory_region.mapped_path | | Target.process.Ext.memory_region.memory_pe_detected | | Target.process.Ext.memory_region.region_base | | Target.process.Ext.memory_region.region_protection | | Target.process.Ext.memory_region.region_size | | Target.process.Ext.memory_region.region_state | | Target.process.Ext.memory_region.strings | | Target.process.Ext.protection | | Target.process.Ext.token.domain | | Target.process.Ext.token.elevation | | Target.process.Ext.token.elevation_type | | Target.process.Ext.token.integrity_level_name | | Target.process.Ext.token.sid | | Target.process.Ext.token.user | | Target.process.Ext.user | | Target.process.args | | Target.process.args_count | | Target.process.code_signature.exists | | Target.process.command_line | | Target.process.entity_id | | Target.process.executable | | Target.process.hash.md5 | | Target.process.hash.sha1 | | Target.process.hash.sha256 | | Target.process.name | | Target.process.parent.Ext.architecture | | Target.process.parent.Ext.code_signature.exists | | Target.process.parent.Ext.code_signature.status | | Target.process.parent.Ext.code_signature.subject_name | | Target.process.parent.Ext.code_signature.trusted | | Target.process.parent.Ext.protection | | Target.process.parent.Ext.user | | Target.process.parent.args | | Target.process.parent.args_count | | Target.process.parent.code_signature.exists | | Target.process.parent.code_signature.status | | Target.process.parent.code_signature.subject_name | | Target.process.parent.code_signature.trusted | | Target.process.parent.command_line | | Target.process.parent.entity_id | | Target.process.parent.executable | | Target.process.parent.hash.md5 | | Target.process.parent.hash.sha1 | | Target.process.parent.hash.sha256 | | Target.process.parent.name | | Target.process.parent.pid | | Target.process.parent.ppid | | Target.process.parent.start | | Target.process.parent.uptime | | Target.process.pid | | Target.process.ppid | | Target.process.start | | Target.process.thread.Ext.call_stack.instruction_pointer | | Target.process.thread.Ext.call_stack.memory_section.memory_address | | Target.process.thread.Ext.call_stack.memory_section.memory_size | | Target.process.thread.Ext.call_stack.memory_section.protection | | Target.process.thread.Ext.call_stack.module_name | | Target.process.thread.Ext.call_stack.module_path | | Target.process.thread.Ext.call_stack.symbol_info | | Target.process.thread.Ext.call_stack_summary | | Target.process.thread.Ext.original_start_address | | Target.process.thread.Ext.original_start_address_allocation_offset | | Target.process.thread.Ext.original_start_address_bytes | | Target.process.thread.Ext.original_start_address_bytes_disasm | | Target.process.thread.Ext.original_start_address_bytes_disasm_hash | | Target.process.thread.Ext.original_start_address_module | | Target.process.thread.Ext.start_address | | Target.process.thread.Ext.start_address_allocation_offset | | Target.process.thread.Ext.start_address_bytes | | Target.process.thread.Ext.start_address_bytes_disasm | | Target.process.thread.Ext.start_address_bytes_disasm_hash | | Target.process.thread.Ext.start_address_module | | Target.process.thread.id | | Target.process.uptime | | agent.build.original | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | ecs.version | | elastic.agent.id | | event.action | | event.category | | event.code | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.risk_score | | event.sequence | | event.severity | | event.type | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | process.Ext.ancestry | | process.Ext.architecture | | process.Ext.code_signature.exists | | process.Ext.dll.Ext.code_signature.exists | | process.Ext.dll.Ext.code_signature.status | | process.Ext.dll.Ext.code_signature.subject_name | | process.Ext.dll.Ext.code_signature.trusted | | process.Ext.dll.Ext.mapped_address | | process.Ext.dll.Ext.mapped_size | | process.Ext.dll.code_signature.exists | | process.Ext.dll.code_signature.status | | process.Ext.dll.code_signature.subject_name | | process.Ext.dll.code_signature.trusted | | process.Ext.dll.hash.md5 | | process.Ext.dll.hash.sha1 | | process.Ext.dll.hash.sha256 | | process.Ext.dll.name | | process.Ext.dll.path | | process.Ext.protection | | process.Ext.token.domain | | process.Ext.token.elevation | | process.Ext.token.elevation_type | | process.Ext.token.integrity_level_name | | process.Ext.token.sid | | process.Ext.token.user | | process.Ext.user | | process.args | | process.args_count | | process.code_signature.exists | | process.command_line | | process.entity_id | | process.executable | | process.hash.md5 | | process.hash.sha1 | | process.hash.sha256 | | process.name | | process.parent.Ext.architecture | | process.parent.Ext.code_signature.exists | | process.parent.Ext.code_signature.status | | process.parent.Ext.code_signature.subject_name | | process.parent.Ext.code_signature.trusted | | process.parent.Ext.protection | | process.parent.Ext.user | | process.parent.args | | process.parent.args_count | | process.parent.code_signature.exists | | process.parent.code_signature.status | | process.parent.code_signature.subject_name | | process.parent.code_signature.trusted | | process.parent.command_line | | process.parent.entity_id | | process.parent.executable | | process.parent.hash.md5 | | process.parent.hash.sha1 | | process.parent.hash.sha256 | | process.parent.name | | process.parent.pid | | process.parent.ppid | | process.parent.start | | process.parent.uptime | | process.pid | | process.ppid | | process.start | | process.thread.Ext.call_stack.instruction_pointer | | process.thread.Ext.call_stack.memory_section.memory_address | | process.thread.Ext.call_stack.memory_section.memory_size | | process.thread.Ext.call_stack.memory_section.protection | | process.thread.Ext.call_stack.module_name | | process.thread.Ext.call_stack.module_path | | process.thread.Ext.call_stack.symbol_info | | process.thread.Ext.call_stack_final_user_module.name | | process.thread.Ext.call_stack_summary | | process.thread.Ext.start_address | | process.thread.Ext.start_address_module | | process.thread.id | | process.uptime | | rule.ruleset | | user.domain | | user.name | PKXh}""PK}W. endpoint-8.10.2/docs/custom_documentation/api/UTdPK}W6 endpoint-8.10.2/docs/custom_documentation/api/windows/UTdPK}WV endpoint-8.10.2/docs/custom_documentation/api/windows/windows_api_credential_access.mdUTd# Windows API - OS: Windows - Data Stream: `logs-endpoint.events.api-*` - KQL: `event.dataset : "endpoint.events.api" and event.module : "endpoint" and event.type : "access" and host.os.type : "windows"` This event is generated when a process attempts to access priviledged credentials. | Field | |---| | @timestamp | | Target.process.name | | Target.process.pid | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | ecs.version | | elastic.agent.id | | event.category | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.sequence | | event.type | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | process.Ext.ancestry | | process.Ext.api.name | | process.Ext.api.parameters.desired_access | | process.Ext.api.parameters.desired_access_numeric | | process.Ext.api.parameters.handle_type | | process.Ext.code_signature.exists | | process.Ext.code_signature.status | | process.Ext.code_signature.subject_name | | process.Ext.code_signature.trusted | | process.code_signature.exists | | process.code_signature.status | | process.code_signature.subject_name | | process.code_signature.trusted | | process.entity_id | | process.executable | | process.name | | process.pid | | process.thread.Ext.call_stack.instruction_pointer | | process.thread.Ext.call_stack.module_path | | process.thread.Ext.call_stack_contains_unbacked | | process.thread.Ext.call_stack_final_user_module.path | | process.thread.id | | user.domain | | user.id | | user.name | PKuPK}W/ endpoint-8.10.2/docs/custom_documentation/file/UTdPK}W5 endpoint-8.10.2/docs/custom_documentation/file/linux/UTdPK}WI endpoint-8.10.2/docs/custom_documentation/file/linux/linux_file_create.mdUTd# Linux File Create - OS: Linux - Data Stream: `logs-endpoint.events.file-*` - KQL: `event.action : "creation" and event.dataset : "endpoint.events.file" and event.module : "endpoint" and host.os.type : "linux"` This event is generated when a file is created. | Field | |---| | @timestamp | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | ecs.version | | elastic.agent.id | | event.action | | event.category | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.sequence | | event.type | | file.extension | | file.name | | file.path | | group.Ext.real.id | | group.Ext.real.name | | group.id | | group.name | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | process.Ext.ancestry | | process.entity_id | | process.entry_leader.entity_id | | process.entry_leader.parent.entity_id | | process.executable | | process.group_leader.entity_id | | process.name | | process.parent.entity_id | | process.pid | | process.session_leader.entity_id | | user.Ext.real.id | | user.Ext.real.name | | user.id | | user.name | PKy=pDDPK}WI endpoint-8.10.2/docs/custom_documentation/file/linux/linux_file_delete.mdUTd# Linux File Delete - OS: Linux - Data Stream: `logs-endpoint.events.file-*` - KQL: `event.action : "deletion" and event.dataset : "endpoint.events.file" and event.module : "endpoint" and host.os.type : "linux"` This event is generated when a file is deleted. | Field | |---| | @timestamp | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | ecs.version | | elastic.agent.id | | event.action | | event.category | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.sequence | | event.type | | file.extension | | file.name | | file.path | | group.Ext.real.id | | group.Ext.real.name | | group.id | | group.name | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | process.Ext.ancestry | | process.entity_id | | process.entry_leader.entity_id | | process.entry_leader.parent.entity_id | | process.executable | | process.group_leader.entity_id | | process.name | | process.parent.entity_id | | process.pid | | process.session_leader.entity_id | | user.Ext.real.id | | user.Ext.real.name | | user.id | | user.name | PK?DDPK}WX endpoint-8.10.2/docs/custom_documentation/file/linux/linux_file_endpoint_unquarantine.mdUTd# Linux Malware Unquarantine - OS: Linux - Data Stream: `logs-endpoint.events.file-*` - KQL: `event.action : "endpoint_unquarantine" and event.dataset : "endpoint.events.file" and event.module : "endpoint" and host.os.type : "linux"` This event is generated when Endpoint restores a file from the malware quarantine. | Field | |---| | @timestamp | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | ecs.version | | elastic.agent.id | | event.Ext.correlation.id | | event.action | | event.category | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.sequence | | event.type | | file.Ext.original.path | | file.hash.md5 | | file.hash.sha1 | | file.hash.sha256 | | file.name | | file.path | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | PKܻ''PK}WI endpoint-8.10.2/docs/custom_documentation/file/linux/linux_file_rename.mdUTd# Linux File Rename - OS: Linux - Data Stream: `logs-endpoint.events.file-*` - KQL: `event.action : "rename" and event.dataset : "endpoint.events.file" and event.module : "endpoint" and host.os.type : "linux"` This event is generated when a file is renamed. | Field | |---| | @timestamp | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | ecs.version | | elastic.agent.id | | event.action | | event.category | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.sequence | | event.type | | file.Ext.original.path | | file.extension | | file.name | | file.path | | group.Ext.real.id | | group.Ext.real.name | | group.id | | group.name | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | process.Ext.ancestry | | process.entity_id | | process.entry_leader.entity_id | | process.entry_leader.parent.entity_id | | process.executable | | process.group_leader.entity_id | | process.name | | process.parent.entity_id | | process.pid | | process.session_leader.entity_id | | user.Ext.real.id | | user.Ext.real.name | | user.id | | user.name | PK(/]]PK}W5 endpoint-8.10.2/docs/custom_documentation/file/macos/UTdPK}WI endpoint-8.10.2/docs/custom_documentation/file/macos/macos_file_delete.mdUTd# macOS File Delete - OS: macOS - Data Stream: `logs-endpoint.events.file-*` - KQL: `event.action : "deletion" and event.dataset : "endpoint.events.file" and event.module : "endpoint" and host.os.type : "macos"` This event is generated when a file is deleted. | Field | |---| | @timestamp | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | ecs.version | | elastic.agent.id | | event.action | | event.category | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.sequence | | event.type | | file.extension | | file.inode | | file.name | | file.path | | file.size | | group.Ext.real.id | | group.Ext.real.name | | group.id | | group.name | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | process.Ext.ancestry | | process.code_signature.exists | | process.code_signature.signing_id | | process.code_signature.status | | process.code_signature.subject_name | | process.code_signature.team_id | | process.code_signature.trusted | | process.entity_id | | process.executable | | process.name | | process.parent.pid | | process.pid | | user.Ext.real.id | | user.Ext.real.name | | user.id | | user.name | PKDwPK}WX endpoint-8.10.2/docs/custom_documentation/file/macos/macos_file_endpoint_unquarantine.mdUTd# macOS Malware Unquarantine - OS: macOS - Data Stream: `logs-endpoint.events.file-*` - KQL: `event.action : "endpoint_unquarantine" and event.dataset : "endpoint.events.file" and event.module : "endpoint" and host.os.type : "macos"` This event is generated when Endpoint restores a file from the malware quarantine. | Field | |---| | @timestamp | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | ecs.version | | elastic.agent.id | | event.Ext.correlation.id | | event.action | | event.category | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.sequence | | event.type | | file.Ext.original.path | | file.hash.md5 | | file.hash.sha1 | | file.hash.sha256 | | file.name | | file.path | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | PKD''PK}W] endpoint-8.10.2/docs/custom_documentation/file/macos/macos_file_extended_attributes_delete.mdUTd# macOS File Extended Attributes Delete - OS: macOS - Data Stream: `logs-endpoint.events.file-*` - KQL: `event.action : "extended_attributes_delete" and event.dataset : "endpoint.events.file" and event.module : "endpoint" and host.os.type : "macos"` This event is generated when extended file attributes are deleted. | Field | |---| | @timestamp | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | ecs.version | | elastic.agent.id | | event.action | | event.category | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.sequence | | event.type | | file.attributes | | file.inode | | file.name | | file.path | | file.size | | group.Ext.real.id | | group.Ext.real.name | | group.id | | group.name | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | process.Ext.ancestry | | process.code_signature.exists | | process.code_signature.signing_id | | process.code_signature.status | | process.code_signature.subject_name | | process.code_signature.team_id | | process.code_signature.trusted | | process.entity_id | | process.executable | | process.name | | process.parent.pid | | process.pid | | user.Ext.real.id | | user.Ext.real.name | | user.id | | user.name | PK-\PK}WP endpoint-8.10.2/docs/custom_documentation/file/macos/macos_file_launch_daemon.mdUTd# macOS Launch Daemon - OS: macOS - Data Stream: `logs-endpoint.events.file-*` - KQL: `event.action : "launch_daemon" and event.dataset : "endpoint.events.file" and event.module : "endpoint" and host.os.type : "macos"` This event includes information about a macOS Launch Daemon. | Field | |---| | @timestamp | | Persistence.args | | Persistence.keepalive | | Persistence.name | | Persistence.path | | Persistence.runatload | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | ecs.version | | elastic.agent.id | | event.action | | event.category | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.sequence | | event.type | | group.Ext.real.id | | group.Ext.real.name | | group.id | | group.name | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | process.Ext.ancestry | | process.code_signature.exists | | process.code_signature.signing_id | | process.code_signature.status | | process.code_signature.subject_name | | process.code_signature.team_id | | process.code_signature.trusted | | process.entity_id | | process.executable | | process.name | | process.pid | | user.Ext.real.id | | user.Ext.real.name | | user.id | | user.name | PK0EPK}WO endpoint-8.10.2/docs/custom_documentation/file/macos/macos_file_modification.mdUTd# macOS File Modification - OS: macOS - Data Stream: `logs-endpoint.events.file-*` - KQL: `event.action : "modification" and event.dataset : "endpoint.events.file" and event.module : "endpoint" and host.os.type : "macos"` This event is generated when a file is modified. | Field | |---| | @timestamp | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | ecs.version | | elastic.agent.id | | event.action | | event.category | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.sequence | | event.type | | file.Ext.header_bytes | | file.extension | | file.inode | | file.name | | file.path | | file.size | | group.Ext.real.id | | group.Ext.real.name | | group.id | | group.name | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | process.Ext.ancestry | | process.code_signature.exists | | process.code_signature.signing_id | | process.code_signature.status | | process.code_signature.subject_name | | process.code_signature.team_id | | process.code_signature.trusted | | process.entity_id | | process.executable | | process.name | | process.parent.pid | | process.pid | | user.Ext.real.id | | user.Ext.real.name | | user.id | | user.name | PKo:PK}WH endpoint-8.10.2/docs/custom_documentation/file/macos/macos_file_mount.mdUTd# macOS Mount - OS: macOS - Data Stream: `logs-endpoint.events.file-*` - KQL: `event.action : "mount" and event.dataset : "endpoint.events.file" and event.module : "endpoint" and host.os.type : "macos"` This event is generated when a file system is mounted. | Field | |---| | @timestamp | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | ecs.version | | elastic.agent.id | | event.action | | event.category | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.sequence | | event.type | | file.Ext.original.path | | file.inode | | file.path | | group.Ext.real.id | | group.Ext.real.name | | group.id | | group.name | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | process.Ext.ancestry | | process.code_signature.exists | | process.code_signature.signing_id | | process.code_signature.status | | process.code_signature.subject_name | | process.code_signature.team_id | | process.code_signature.trusted | | process.entity_id | | process.executable | | process.name | | process.parent.pid | | process.pid | | user.Ext.real.id | | user.Ext.real.name | | user.id | | user.name | PKUQ PK}WI endpoint-8.10.2/docs/custom_documentation/file/macos/macos_file_rename.mdUTd# macOS File Rename - OS: macOS - Data Stream: `logs-endpoint.events.file-*` - KQL: `event.action : "rename" and event.dataset : "endpoint.events.file" and event.module : "endpoint" and host.os.type : "macos"` This event is generated when a file is renamed. | Field | |---| | @timestamp | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | ecs.version | | elastic.agent.id | | event.action | | event.category | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.sequence | | event.type | | file.Ext.original.path | | file.extension | | file.inode | | file.name | | file.path | | file.size | | group.Ext.real.id | | group.Ext.real.name | | group.id | | group.name | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | process.Ext.ancestry | | process.code_signature.exists | | process.code_signature.signing_id | | process.code_signature.status | | process.code_signature.subject_name | | process.code_signature.team_id | | process.code_signature.trusted | | process.entity_id | | process.executable | | process.name | | process.parent.pid | | process.pid | | user.Ext.real.id | | user.Ext.real.name | | user.id | | user.name | PK0?PK}W7 endpoint-8.10.2/docs/custom_documentation/file/windows/UTdPK}WM endpoint-8.10.2/docs/custom_documentation/file/windows/windows_file_create.mdUTd# Windows File Create - OS: Windows - Data Stream: `logs-endpoint.events.file-*` - KQL: `event.action : "creation" and event.dataset : "endpoint.events.file" and event.module : "endpoint" and host.os.type : "windows"` This event is generated when a file is created. | Field | |---| | @timestamp | | Effective_process.entity_id | | Effective_process.executable | | Effective_process.name | | Effective_process.pid | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | ecs.version | | elastic.agent.id | | event.action | | event.category | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.sequence | | event.type | | file.Ext.entropy | | file.Ext.header_bytes | | file.Ext.monotonic_id | | file.Ext.windows.zone_identifier | | file.extension | | file.name | | file.path | | file.size | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | process.Ext.ancestry | | process.Ext.code_signature.exists | | process.Ext.code_signature.status | | process.Ext.code_signature.subject_name | | process.Ext.code_signature.trusted | | process.code_signature.exists | | process.code_signature.status | | process.code_signature.subject_name | | process.code_signature.trusted | | process.entity_id | | process.executable | | process.name | | process.parent.pid | | process.pid | | process.thread.id | | user.domain | | user.id | | user.name | PK0PK}WM endpoint-8.10.2/docs/custom_documentation/file/windows/windows_file_delete.mdUTd# Windows File Delete - OS: Windows - Data Stream: `logs-endpoint.events.file-*` - KQL: `event.action : "deletion" and event.dataset : "endpoint.events.file" and event.module : "endpoint" and host.os.type : "windows"` This event is generated when a file is deleted. | Field | |---| | @timestamp | | Effective_process.entity_id | | Effective_process.executable | | Effective_process.name | | Effective_process.pid | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | ecs.version | | elastic.agent.id | | event.action | | event.category | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.sequence | | event.type | | file.Ext.entropy | | file.Ext.monotonic_id | | file.extension | | file.name | | file.path | | file.size | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | process.Ext.ancestry | | process.Ext.code_signature.exists | | process.Ext.code_signature.status | | process.Ext.code_signature.subject_name | | process.Ext.code_signature.trusted | | process.code_signature.exists | | process.code_signature.status | | process.code_signature.subject_name | | process.code_signature.trusted | | process.entity_id | | process.executable | | process.name | | process.parent.pid | | process.pid | | process.thread.id | | user.domain | | user.id | | user.name | PK/U@@PK}W\ endpoint-8.10.2/docs/custom_documentation/file/windows/windows_file_endpoint_unquarantine.mdUTd# Windows Malware Unquarantine - OS: Windows - Data Stream: `logs-endpoint.events.file-*` - KQL: `event.action : "endpoint_unquarantine" and event.dataset : "endpoint.events.file" and event.module : "endpoint" and host.os.type : "windows"` This event is generated when Endpoint restores a file from the malware quarantine. | Field | |---| | @timestamp | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | ecs.version | | elastic.agent.id | | event.Ext.correlation.id | | event.action | | event.category | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.sequence | | event.type | | file.Ext.original.path | | file.hash.md5 | | file.hash.sha1 | | file.hash.sha256 | | file.name | | file.path | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | PK5--PK}WS endpoint-8.10.2/docs/custom_documentation/file/windows/windows_file_modification.mdUTd# Windows File Modification - OS: Windows - Data Stream: `logs-endpoint.events.file-*` - KQL: `event.action : "modification" and event.dataset : "endpoint.events.file" and event.module : "endpoint" and host.os.type : "windows"` This event is generated when a file is modified. | Field | |---| | @timestamp | | Effective_process.entity_id | | Effective_process.executable | | Effective_process.name | | Effective_process.pid | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | ecs.version | | elastic.agent.id | | event.action | | event.category | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.sequence | | event.type | | file.Ext.entropy | | file.Ext.header_bytes | | file.Ext.monotonic_id | | file.extension | | file.name | | file.path | | file.size | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | process.Ext.ancestry | | process.Ext.code_signature.exists | | process.Ext.code_signature.status | | process.Ext.code_signature.subject_name | | process.Ext.code_signature.trusted | | process.code_signature.exists | | process.code_signature.status | | process.code_signature.subject_name | | process.code_signature.trusted | | process.entity_id | | process.executable | | process.name | | process.parent.pid | | process.pid | | process.thread.id | | user.domain | | user.id | | user.name | PKg37eePK}WK endpoint-8.10.2/docs/custom_documentation/file/windows/windows_file_open.mdUTd# Windows File Open - OS: Windows - Data Stream: `logs-endpoint.events.file-*` - KQL: `event.action : "open" and event.dataset : "endpoint.events.file" and event.module : "endpoint" and host.os.type : "windows"` This event is generated when a file is opened. | Field | |---| | @timestamp | | Effective_process.entity_id | | Effective_process.executable | | Effective_process.name | | Effective_process.pid | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | ecs.version | | elastic.agent.id | | event.action | | event.category | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.sequence | | event.type | | file.Ext.entropy | | file.Ext.header_bytes | | file.Ext.monotonic_id | | file.extension | | file.name | | file.path | | file.size | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | process.Ext.ancestry | | process.Ext.code_signature.exists | | process.Ext.code_signature.status | | process.Ext.code_signature.subject_name | | process.Ext.code_signature.trusted | | process.code_signature.exists | | process.code_signature.status | | process.code_signature.subject_name | | process.code_signature.trusted | | process.entity_id | | process.executable | | process.name | | process.parent.pid | | process.pid | | process.thread.id | | user.domain | | user.id | | user.name | PKxSSPK}WP endpoint-8.10.2/docs/custom_documentation/file/windows/windows_file_overwrite.mdUTd# Windows File Overwrite - OS: Windows - Data Stream: `logs-endpoint.events.file-*` - KQL: `event.action : "overwrite" and event.dataset : "endpoint.events.file" and event.module : "endpoint" and host.os.type : "windows"` This event is generated when a file is overwritten | Field | |---| | @timestamp | | Effective_process.entity_id | | Effective_process.executable | | Effective_process.name | | Effective_process.pid | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | ecs.version | | elastic.agent.id | | event.action | | event.category | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.sequence | | event.type | | file.Ext.entropy | | file.Ext.header_bytes | | file.Ext.monotonic_id | | file.extension | | file.name | | file.path | | file.size | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | process.Ext.ancestry | | process.Ext.code_signature.exists | | process.Ext.code_signature.status | | process.Ext.code_signature.subject_name | | process.Ext.code_signature.trusted | | process.code_signature.exists | | process.code_signature.status | | process.code_signature.subject_name | | process.code_signature.trusted | | process.entity_id | | process.executable | | process.name | | process.parent.pid | | process.pid | | process.thread.id | | user.domain | | user.id | | user.name | PKaaPK}WM endpoint-8.10.2/docs/custom_documentation/file/windows/windows_file_rename.mdUTd# Windows File Rename - OS: Windows - Data Stream: `logs-endpoint.events.file-*` - KQL: `event.action : "rename" and event.dataset : "endpoint.events.file" and event.module : "endpoint" and host.os.type : "windows"` This event is generated when a file is renamed. | Field | |---| | @timestamp | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | ecs.version | | elastic.agent.id | | event.action | | event.category | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.sequence | | event.type | | file.Ext.entropy | | file.Ext.header_bytes | | file.Ext.monotonic_id | | file.Ext.original.name | | file.Ext.original.path | | file.extension | | file.name | | file.path | | file.size | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | process.Ext.ancestry | | process.Ext.code_signature.exists | | process.Ext.code_signature.status | | process.Ext.code_signature.subject_name | | process.Ext.code_signature.trusted | | process.code_signature.exists | | process.code_signature.status | | process.code_signature.subject_name | | process.code_signature.trusted | | process.entity_id | | process.executable | | process.name | | process.parent.pid | | process.pid | | process.thread.id | | user.domain | | user.id | | user.name | PKP(PK}W2 endpoint-8.10.2/docs/custom_documentation/library/UTdPK}W: endpoint-8.10.2/docs/custom_documentation/library/windows/UTdPK}WQ endpoint-8.10.2/docs/custom_documentation/library/windows/windows_library_load.mdUTd# Windows Library Load - OS: Windows - Data Stream: `logs-endpoint.events.library-*` - KQL: `event.action : "load" and event.dataset : "endpoint.events.library" and event.module : "endpoint" and host.os.type : "windows"` This event is generated when a DLL or driver is loaded. | Field | |---| | @timestamp | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | dll.Ext.code_signature.exists | | dll.Ext.code_signature.status | | dll.Ext.code_signature.subject_name | | dll.Ext.code_signature.trusted | | dll.Ext.defense_evasions | | dll.Ext.load_index | | dll.Ext.relative_file_creation_time | | dll.Ext.relative_file_name_modify_time | | dll.Ext.size | | dll.code_signature.exists | | dll.code_signature.status | | dll.code_signature.subject_name | | dll.code_signature.trusted | | dll.hash.md5 | | dll.hash.sha1 | | dll.hash.sha256 | | dll.name | | dll.path | | dll.pe.file_version | | dll.pe.imphash | | dll.pe.original_file_name | | ecs.version | | elastic.agent.id | | event.action | | event.category | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.sequence | | event.type | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | process.Ext.ancestry | | process.Ext.code_signature.exists | | process.Ext.code_signature.status | | process.Ext.code_signature.subject_name | | process.Ext.code_signature.trusted | | process.code_signature.exists | | process.code_signature.status | | process.code_signature.subject_name | | process.code_signature.trusted | | process.entity_id | | process.executable | | process.name | | process.pid | | process.uptime | | user.domain | | user.id | | user.name | PK-vPK}W3 endpoint-8.10.2/docs/custom_documentation/metadata/UTdPK}W> endpoint-8.10.2/docs/custom_documentation/metadata/metadata.mdUTd# Endpoint Metadata - OS: Linux, Windows, macOS - Data Stream: `metrics-endpoint.metadata-*` - KQL: `event.action : "endpoint_metadata" and event.dataset : "endpoint.metadata" and event.module : "endpoint"` This is a relatively small state management document that includes details about an installed Endpoint. | Field | |---| | @timestamp | | Endpoint.capabilities | | Endpoint.configuration.isolation | | Endpoint.policy.applied.endpoint_policy_version | | Endpoint.policy.applied.id | | Endpoint.policy.applied.name | | Endpoint.policy.applied.status | | Endpoint.policy.applied.version | | Endpoint.state.isolation | | Endpoint.status | | agent.build.original | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | ecs.version | | elastic.agent.id | | event.action | | event.category | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.sequence | | event.type | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | PK'R<PK}W2 endpoint-8.10.2/docs/custom_documentation/metrics/UTdPK}W< endpoint-8.10.2/docs/custom_documentation/metrics/metrics.mdUTd# Endpoint Metrics - OS: Linux, Windows, macOS - Data Stream: `metrics-endpoint.metrics-*` - KQL: `event.action : "endpoint_metrics" and event.dataset : "endpoint.metrics" and event.module : "endpoint"` This is an internal state management document that includes metrics on Endpoint's performance. | Field | |---| | @timestamp | | Endpoint.metrics.cpu.endpoint.histogram.counts | | Endpoint.metrics.cpu.endpoint.histogram.values | | Endpoint.metrics.cpu.endpoint.latest | | Endpoint.metrics.cpu.endpoint.mean | | Endpoint.metrics.disks.device | | Endpoint.metrics.disks.endpoint_drive | | Endpoint.metrics.disks.free | | Endpoint.metrics.disks.fstype | | Endpoint.metrics.disks.mount | | Endpoint.metrics.disks.total | | Endpoint.metrics.documents_volume.alerts.sent_bytes | | Endpoint.metrics.documents_volume.alerts.sent_count | | Endpoint.metrics.documents_volume.alerts.suppressed_bytes | | Endpoint.metrics.documents_volume.alerts.suppressed_count | | Endpoint.metrics.documents_volume.api_events.sent_bytes | | Endpoint.metrics.documents_volume.api_events.sent_count | | Endpoint.metrics.documents_volume.api_events.sources.sent_bytes | | Endpoint.metrics.documents_volume.api_events.sources.sent_count | | Endpoint.metrics.documents_volume.api_events.sources.source | | Endpoint.metrics.documents_volume.api_events.sources.suppressed_bytes | | Endpoint.metrics.documents_volume.api_events.sources.suppressed_count | | Endpoint.metrics.documents_volume.api_events.suppressed_bytes | | Endpoint.metrics.documents_volume.api_events.suppressed_count | | Endpoint.metrics.documents_volume.diagnostic_alerts.sent_bytes | | Endpoint.metrics.documents_volume.diagnostic_alerts.sent_count | | Endpoint.metrics.documents_volume.diagnostic_alerts.suppressed_bytes | | Endpoint.metrics.documents_volume.diagnostic_alerts.suppressed_count | | Endpoint.metrics.documents_volume.dns_events.sent_bytes | | Endpoint.metrics.documents_volume.dns_events.sent_count | | Endpoint.metrics.documents_volume.dns_events.suppressed_bytes | | Endpoint.metrics.documents_volume.dns_events.suppressed_count | | Endpoint.metrics.documents_volume.file_events.sent_bytes | | Endpoint.metrics.documents_volume.file_events.sent_count | | Endpoint.metrics.documents_volume.file_events.suppressed_bytes | | Endpoint.metrics.documents_volume.file_events.suppressed_count | | Endpoint.metrics.documents_volume.library_events.sent_bytes | | Endpoint.metrics.documents_volume.library_events.sent_count | | Endpoint.metrics.documents_volume.library_events.suppressed_bytes | | Endpoint.metrics.documents_volume.library_events.suppressed_count | | Endpoint.metrics.documents_volume.network_events.sent_bytes | | Endpoint.metrics.documents_volume.network_events.sent_count | | Endpoint.metrics.documents_volume.network_events.suppressed_bytes | | Endpoint.metrics.documents_volume.network_events.suppressed_count | | Endpoint.metrics.documents_volume.overall.sent_bytes | | Endpoint.metrics.documents_volume.overall.sent_count | | Endpoint.metrics.documents_volume.overall.suppressed_bytes | | Endpoint.metrics.documents_volume.overall.suppressed_count | | Endpoint.metrics.documents_volume.process_events.sent_bytes | | Endpoint.metrics.documents_volume.process_events.sent_count | | Endpoint.metrics.documents_volume.process_events.suppressed_bytes | | Endpoint.metrics.documents_volume.process_events.suppressed_count | | Endpoint.metrics.documents_volume.registry_events.sent_bytes | | Endpoint.metrics.documents_volume.registry_events.sent_count | | Endpoint.metrics.documents_volume.registry_events.suppressed_bytes | | Endpoint.metrics.documents_volume.registry_events.suppressed_count | | Endpoint.metrics.documents_volume.security_events.sent_bytes | | Endpoint.metrics.documents_volume.security_events.sent_count | | Endpoint.metrics.documents_volume.security_events.suppressed_bytes | | Endpoint.metrics.documents_volume.security_events.suppressed_count | | Endpoint.metrics.event_filter.active_global_count | | Endpoint.metrics.event_filter.active_user_count | | Endpoint.metrics.malicious_behavior_rules.endpoint_uptime_percent | | Endpoint.metrics.malicious_behavior_rules.id | | Endpoint.metrics.memory.endpoint.private.latest | | Endpoint.metrics.memory.endpoint.private.mean | | Endpoint.metrics.system_impact.authentication_events.week_idle_ms | | Endpoint.metrics.system_impact.authentication_events.week_ms | | Endpoint.metrics.system_impact.behavior_protection.week_idle_ms | | Endpoint.metrics.system_impact.behavior_protection.week_ms | | Endpoint.metrics.system_impact.cred_access_events.week_idle_ms | | Endpoint.metrics.system_impact.cred_access_events.week_ms | | Endpoint.metrics.system_impact.diagnostic_behavior_protection.week_idle_ms | | Endpoint.metrics.system_impact.diagnostic_behavior_protection.week_ms | | Endpoint.metrics.system_impact.dns_events.week_idle_ms | | Endpoint.metrics.system_impact.dns_events.week_ms | | Endpoint.metrics.system_impact.file_events.week_idle_ms | | Endpoint.metrics.system_impact.file_events.week_ms | | Endpoint.metrics.system_impact.library_load_events.week_idle_ms | | Endpoint.metrics.system_impact.library_load_events.week_ms | | Endpoint.metrics.system_impact.malware.week_idle_ms | | Endpoint.metrics.system_impact.malware.week_ms | | Endpoint.metrics.system_impact.memory_scan.week_idle_ms | | Endpoint.metrics.system_impact.memory_scan.week_ms | | Endpoint.metrics.system_impact.network_events.week_idle_ms | | Endpoint.metrics.system_impact.network_events.week_ms | | Endpoint.metrics.system_impact.overall.week_idle_ms | | Endpoint.metrics.system_impact.overall.week_ms | | Endpoint.metrics.system_impact.process.code_signature.exists | | Endpoint.metrics.system_impact.process.code_signature.signing_id | | Endpoint.metrics.system_impact.process.code_signature.status | | Endpoint.metrics.system_impact.process.code_signature.subject_name | | Endpoint.metrics.system_impact.process.code_signature.team_id | | Endpoint.metrics.system_impact.process.code_signature.trusted | | Endpoint.metrics.system_impact.process.executable | | Endpoint.metrics.system_impact.process_events.week_idle_ms | | Endpoint.metrics.system_impact.process_events.week_ms | | Endpoint.metrics.system_impact.process_injection.week_idle_ms | | Endpoint.metrics.system_impact.process_injection.week_ms | | Endpoint.metrics.system_impact.ransomware.week_idle_ms | | Endpoint.metrics.system_impact.ransomware.week_ms | | Endpoint.metrics.system_impact.registry_events.week_idle_ms | | Endpoint.metrics.system_impact.registry_events.week_ms | | Endpoint.metrics.system_impact.threat_intelligence_events.week_idle_ms | | Endpoint.metrics.system_impact.threat_intelligence_events.week_ms | | Endpoint.metrics.threads.cpu.mean | | Endpoint.metrics.threads.name | | Endpoint.metrics.uptime.endpoint | | Endpoint.metrics.uptime.system | | agent.build.original | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | ecs.version | | elastic.agent.id | | event.action | | event.category | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.sequence | | event.type | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | PKG[  PK}W2 endpoint-8.10.2/docs/custom_documentation/network/UTdPK}W8 endpoint-8.10.2/docs/custom_documentation/network/linux/UTdPK}W\ endpoint-8.10.2/docs/custom_documentation/network/linux/linux_network_connection_accepted.mdUTd# Linux Network Connection Accepted - OS: Linux - Data Stream: `logs-endpoint.events.network-*` - KQL: `event.action : "connection_accepted" and event.dataset : "endpoint.events.network" and event.module : "endpoint" and host.os.type : "linux"` This event is generated when a network connection is accepted. | Field | |---| | @timestamp | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | destination.address | | destination.ip | | destination.port | | ecs.version | | elastic.agent.id | | event.action | | event.category | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.sequence | | event.type | | group.Ext.real.id | | group.Ext.real.name | | group.id | | group.name | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | network.transport | | network.type | | process.Ext.ancestry | | process.entity_id | | process.entry_leader.entity_id | | process.entry_leader.parent.entity_id | | process.executable | | process.group_leader.entity_id | | process.name | | process.parent.entity_id | | process.pid | | process.session_leader.entity_id | | source.address | | source.ip | | source.port | | user.Ext.real.id | | user.Ext.real.name | | user.id | | user.name | PKPK}W[ endpoint-8.10.2/docs/custom_documentation/network/linux/linux_network_connection_attempt.mdUTd# Linux Network Connection Attempt - OS: Linux - Data Stream: `logs-endpoint.events.network-*` - KQL: `event.action : "connection_attempted" and event.dataset : "endpoint.events.network" and event.module : "endpoint" and host.os.type : "linux"` This event is generated when there is an attempt to establish a network connection. | Field | |---| | @timestamp | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | destination.address | | destination.ip | | destination.port | | ecs.version | | elastic.agent.id | | event.action | | event.category | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.sequence | | event.type | | group.Ext.real.id | | group.Ext.real.name | | group.id | | group.name | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | network.transport | | network.type | | process.Ext.ancestry | | process.code_signature.exists | | process.code_signature.signing_id | | process.code_signature.status | | process.code_signature.subject_name | | process.code_signature.team_id | | process.code_signature.trusted | | process.entity_id | | process.entry_leader.entity_id | | process.entry_leader.parent.entity_id | | process.executable | | process.group_leader.entity_id | | process.name | | process.parent.entity_id | | process.pid | | process.session_leader.entity_id | | source.address | | source.ip | | source.port | | user.Ext.real.id | | user.Ext.real.name | | user.id | | user.name | PK9<NPK}WS endpoint-8.10.2/docs/custom_documentation/network/linux/linux_network_disconnect.mdUTd# Linux Network Disconnect - OS: Linux - Data Stream: `logs-endpoint.events.network-*` - KQL: `event.action : "disconnect_received" and event.dataset : "endpoint.events.network" and event.module : "endpoint" and host.os.type : "linux"` This event is generated when a network session is terminated. | Field | |---| | @timestamp | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | destination.address | | destination.bytes | | destination.ip | | destination.port | | ecs.version | | elastic.agent.id | | event.action | | event.category | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.sequence | | event.type | | group.Ext.real.id | | group.Ext.real.name | | group.id | | group.name | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | network.direction | | network.transport | | network.type | | process.Ext.ancestry | | process.Ext.code_signature.exists | | process.Ext.code_signature.status | | process.Ext.code_signature.subject_name | | process.Ext.code_signature.trusted | | process.code_signature.exists | | process.code_signature.signing_id | | process.code_signature.status | | process.code_signature.subject_name | | process.code_signature.team_id | | process.code_signature.trusted | | process.entity_id | | process.entry_leader.entity_id | | process.entry_leader.parent.entity_id | | process.executable | | process.group_leader.entity_id | | process.name | | process.parent.entity_id | | process.pid | | process.session_leader.entity_id | | process.uptime | | source.address | | source.bytes | | source.ip | | source.port | | user.Ext.real.id | | user.Ext.real.name | | user.domain | | user.id | | user.name | PK%PK}W8 endpoint-8.10.2/docs/custom_documentation/network/macos/UTdPK}W] endpoint-8.10.2/docs/custom_documentation/network/macos/macos_network_connection_attempted.mdUTd# macOS Network Connection Attempted - OS: macOS - Data Stream: `logs-endpoint.events.network-*` - KQL: `event.action : "connection_attempted" and event.dataset : "endpoint.events.network" and event.module : "endpoint" and host.os.type : "macos"` This event is generated when a network connection is attempted. | Field | |---| | @timestamp | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | destination.address | | destination.ip | | destination.port | | ecs.version | | elastic.agent.id | | event.action | | event.category | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.sequence | | event.type | | group.Ext.real.id | | group.Ext.real.name | | group.id | | group.name | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | network.transport | | network.type | | process.Ext.ancestry | | process.code_signature.exists | | process.code_signature.signing_id | | process.code_signature.status | | process.code_signature.subject_name | | process.code_signature.team_id | | process.code_signature.trusted | | process.entity_id | | process.executable | | process.name | | process.parent.entity_id | | process.pid | | source.address | | source.ip | | source.port | | user.Ext.real.id | | user.Ext.real.name | | user.id | | user.name | PKoO|##PK}W\ endpoint-8.10.2/docs/custom_documentation/network/macos/macos_network_disconnect_received.mdUTd# macOS Network Disconnect Received - OS: macOS - Data Stream: `logs-endpoint.events.network-*` - KQL: `event.action : "disconnect_received" and event.dataset : "endpoint.events.network" and event.module : "endpoint" and host.os.type : "macos"` This event is generated when a request to terminate a network connection occurs. | Field | |---| | @timestamp | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | destination.address | | destination.bytes | | destination.ip | | destination.port | | ecs.version | | elastic.agent.id | | event.action | | event.category | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.sequence | | event.type | | group.Ext.real.id | | group.Ext.real.name | | group.id | | group.name | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | network.transport | | network.type | | process.Ext.ancestry | | process.code_signature.exists | | process.code_signature.signing_id | | process.code_signature.status | | process.code_signature.subject_name | | process.code_signature.team_id | | process.code_signature.trusted | | process.entity_id | | process.executable | | process.name | | process.parent.entity_id | | process.pid | | source.address | | source.bytes | | source.ip | | source.port | | user.Ext.real.id | | user.Ext.real.name | | user.id | | user.name | PK YYPK}W: endpoint-8.10.2/docs/custom_documentation/network/windows/UTdPK}W` endpoint-8.10.2/docs/custom_documentation/network/windows/windows_network_connection_accepted.mdUTd# Windows Network Connection Accepted - OS: Windows - Data Stream: `logs-endpoint.events.network-*` - KQL: `event.action : "connection_accepted" and event.dataset : "endpoint.events.network" and event.module : "endpoint" and host.os.type : "windows"` This event is generated when a network connection is accepted. | Field | |---| | @timestamp | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | destination.address | | destination.ip | | destination.port | | ecs.version | | elastic.agent.id | | event.action | | event.category | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.sequence | | event.type | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | network.direction | | network.transport | | network.type | | process.Ext.ancestry | | process.Ext.code_signature.exists | | process.Ext.code_signature.status | | process.Ext.code_signature.subject_name | | process.Ext.code_signature.trusted | | process.code_signature.exists | | process.code_signature.status | | process.code_signature.subject_name | | process.code_signature.trusted | | process.entity_id | | process.executable | | process.name | | process.pid | | process.uptime | | source.address | | source.ip | | source.port | | user.domain | | user.id | | user.name | PK\""PK}Wa endpoint-8.10.2/docs/custom_documentation/network/windows/windows_network_connection_attempted.mdUTd# Windows Network Connection Attempted - OS: Windows - Data Stream: `logs-endpoint.events.network-*` - KQL: `event.action : "connection_attempted" and event.dataset : "endpoint.events.network" and event.module : "endpoint" and host.os.type : "windows"` This event is generated when there is an attempt to establish a network connection. | Field | |---| | @timestamp | | agent.id | | agent.type | | agent.version | | data_stream.dataset | | data_stream.namespace | | data_stream.type | | destination.address | | destination.ip | | destination.port | | ecs.version | | elastic.agent.id | | event.action | | event.category | | event.created | | event.dataset | | event.id | | event.kind | | event.module | | event.outcome | | event.sequence | | event.type | | host.architecture | | host.hostname | | host.id | | host.ip | | host.mac | | host.name | | host.os.Ext.variant | | host.os.family | | host.os.full | | host.os.kernel | | host.os.name | | host.os.platform | | host.os.type | | host.os.version | | message | | network.direction | | network.transport | | network.type | | process.Ext.ancestry | | process.Ext.code_signature.exists | | process.Ext.code_signature.status | | process.Ext.code_signature.subject_name | | process.Ext.code_signature.trusted | | process.code_signature.exists | | process.code_signature.status | | process.code_signature.subject_name | | process.code_signature.trusted | | process.entity_id | | process.executable | | process.name | | process.pid | | process.uptime | | source.address | | source.ip | | source.port | | user.domain | | user.id | | user.name | PK security-logo-color-64px Created with Sketch. PK9PK}W endpoint-8.10.2/manifest.ymlUTdformat_version: 1.0.0 name: endpoint title: Elastic Defend description: Protect your hosts and cloud workloads with threat prevention, detection, and deep security data visibility. version: 8.10.2 categories: ["security", "edr_xdr"] # The package type. The options for now are [integration, input], more type might be added in the future. # The default type is integration and will be set if empty. type: integration license: basic policy_templates: - name: endpoint title: Endpoint Security Integration description: Interact with the endpoint. multiple: false conditions: kibana.version: "^8.10.0" # See https://github.com/Masterminds/semver#caret-range-comparisons-major for more details on `^` and supported versioning # >= && < 8.0.0 icons: - src: "/img/security-logo-color-64px.svg" size: "16x16" type: "image/svg+xml" owner: github: elastic/security-onboarding-and-lifecycle-mgt PKR#PK}W Aendpoint-8.10.2/UTdPK}WI;k5k5 7endpoint-8.10.2/LICENSE.txtUTdPK}W+k+k+ 5endpoint-8.10.2/changelog.ymlUTdPK}W Aaendpoint-8.10.2/data_stream/UTdPK}W- Aaendpoint-8.10.2/data_stream/action_responses/UTdPK}W; AJbendpoint-8.10.2/data_stream/action_responses/elasticsearch/UTdPK}WK Abendpoint-8.10.2/data_stream/action_responses/elasticsearch/ingest_pipeline/UTdPK}Wx{W cendpoint-8.10.2/data_stream/action_responses/elasticsearch/ingest_pipeline/default.jsonUTdPK}W4 Adendpoint-8.10.2/data_stream/action_responses/fields/UTdPK}Wc ..> dendpoint-8.10.2/data_stream/action_responses/fields/fields.ymlUTdPK}WgI19 6endpoint-8.10.2/data_stream/action_responses/manifest.ymlUTdPK}Wlj> Fendpoint-8.10.2/data_stream/action_responses/sample_event.jsonUTdPK}W$ ATendpoint-8.10.2/data_stream/actions/UTdPK}W2 Aendpoint-8.10.2/data_stream/actions/elasticsearch/UTdPK}WB Aendpoint-8.10.2/data_stream/actions/elasticsearch/ingest_pipeline/UTdPK}Wx{N aendpoint-8.10.2/data_stream/actions/elasticsearch/ingest_pipeline/default.jsonUTdPK}W+ Aɚendpoint-8.10.2/data_stream/actions/fields/UTdPK}W?3445 endpoint-8.10.2/data_stream/actions/fields/fields.ymlUTdPK}WA5̎0 endpoint-8.10.2/data_stream/actions/manifest.ymlUTdPK}Wvww5 endpoint-8.10.2/data_stream/actions/sample_event.jsonUTdPK}W# Aendpoint-8.10.2/data_stream/alerts/UTdPK}W1 A5endpoint-8.10.2/data_stream/alerts/elasticsearch/UTdPK}WA Aendpoint-8.10.2/data_stream/alerts/elasticsearch/ingest_pipeline/UTdPK}Wx{M endpoint-8.10.2/data_stream/alerts/elasticsearch/ingest_pipeline/default.jsonUTdPK}W* A\endpoint-8.10.2/data_stream/alerts/fields/UTdPK}WP**4 endpoint-8.10.2/data_stream/alerts/fields/fields.ymlUTdPK}Wn/ endpoint-8.10.2/data_stream/alerts/manifest.ymlUTdPK}W؃zbibi4 endpoint-8.10.2/data_stream/alerts/sample_event.jsonUTdPK}W Alendpoint-8.10.2/data_stream/api/UTdPK}W. A'mendpoint-8.10.2/data_stream/api/elasticsearch/UTdPK}W> A|mendpoint-8.10.2/data_stream/api/elasticsearch/ingest_pipeline/UTdPK}Wx{J mendpoint-8.10.2/data_stream/api/elasticsearch/ingest_pipeline/default.jsonUTdPK}W' AEoendpoint-8.10.2/data_stream/api/fields/UTdPK}W*`ӏYY1 oendpoint-8.10.2/data_stream/api/fields/fields.ymlUTdPK}Wyy, endpoint-8.10.2/data_stream/api/manifest.ymlUTdPK}WTjGG1 endpoint-8.10.2/data_stream/api/sample_event.jsonUTdPK}W' AYendpoint-8.10.2/data_stream/collection/UTdPK}W5 Aendpoint-8.10.2/data_stream/collection/elasticsearch/UTdPK}W9 Aendpoint-8.10.2/data_stream/collection/elasticsearch/ilm/UTdPK}WFH cendpoint-8.10.2/data_stream/collection/elasticsearch/ilm/diagnostic.jsonUTdPK}WE Aendpoint-8.10.2/data_stream/collection/elasticsearch/ingest_pipeline/UTdPK}Wx{Q Hendpoint-8.10.2/data_stream/collection/elasticsearch/ingest_pipeline/default.jsonUTdPK}W. Aendpoint-8.10.2/data_stream/collection/fields/UTdPK}W ݿ$''8 endpoint-8.10.2/data_stream/collection/fields/fields.ymlUTdPK}W"3 endpoint-8.10.2/data_stream/collection/manifest.ymlUTdPK}W! A_endpoint-8.10.2/data_stream/file/UTdPK}W/ Aendpoint-8.10.2/data_stream/file/elasticsearch/UTdPK}W? Aendpoint-8.10.2/data_stream/file/elasticsearch/ingest_pipeline/UTdPK}Wx{K cendpoint-8.10.2/data_stream/file/elasticsearch/ingest_pipeline/default.jsonUTdPK}W( Aendpoint-8.10.2/data_stream/file/fields/UTdPK}W?4SS2 endpoint-8.10.2/data_stream/file/fields/fields.ymlUTdPK}WhK- endpoint-8.10.2/data_stream/file/manifest.ymlUTdPK}WZj2 endpoint-8.10.2/data_stream/file/sample_event.jsonUTdPK}W& A endpoint-8.10.2/data_stream/heartbeat/UTdPK}W4 A` endpoint-8.10.2/data_stream/heartbeat/elasticsearch/UTdPK}WD A endpoint-8.10.2/data_stream/heartbeat/elasticsearch/ingest_pipeline/UTdPK}Wx{P & endpoint-8.10.2/data_stream/heartbeat/elasticsearch/ingest_pipeline/default.jsonUTdPK}W- A endpoint-8.10.2/data_stream/heartbeat/fields/UTdPK}WelH7 endpoint-8.10.2/data_stream/heartbeat/fields/fields.ymlUTdPK}WZ2  endpoint-8.10.2/data_stream/heartbeat/manifest.ymlUTdPK}W{hh7 I endpoint-8.10.2/data_stream/heartbeat/sample_event.jsonUTdPK}W$ A! endpoint-8.10.2/data_stream/library/UTdPK}W2 Aj! endpoint-8.10.2/data_stream/library/elasticsearch/UTdPK}WB A! endpoint-8.10.2/data_stream/library/elasticsearch/ingest_pipeline/UTdPK}Wx{N ," endpoint-8.10.2/data_stream/library/elasticsearch/ingest_pipeline/default.jsonUTdPK}W+ A# endpoint-8.10.2/data_stream/library/fields/UTdPK}WJGG5 # endpoint-8.10.2/data_stream/library/fields/fields.ymlUTdPK}WjX0 endpoint-8.10.2/data_stream/library/manifest.ymlUTdPK}W5 endpoint-8.10.2/data_stream/library/sample_event.jsonUTdPK}W% A endpoint-8.10.2/data_stream/metadata/UTdPK}W3 A5 endpoint-8.10.2/data_stream/metadata/elasticsearch/UTdPK}WC A endpoint-8.10.2/data_stream/metadata/elasticsearch/ingest_pipeline/UTdPK}Wx{O endpoint-8.10.2/data_stream/metadata/elasticsearch/ingest_pipeline/default.jsonUTdPK}W, Ab endpoint-8.10.2/data_stream/metadata/fields/UTdPK}W#J=O=O6 endpoint-8.10.2/data_stream/metadata/fields/fields.ymlUTdPK}WG61 _] endpoint-8.10.2/data_stream/metadata/manifest.ymlUTdPK}W@ @ 6 ^ endpoint-8.10.2/data_stream/metadata/sample_event.jsonUTdPK}W$ Aqh endpoint-8.10.2/data_stream/metrics/UTdPK}W2 Ah endpoint-8.10.2/data_stream/metrics/elasticsearch/UTdPK}WB Ai endpoint-8.10.2/data_stream/metrics/elasticsearch/ingest_pipeline/UTdPK}Wx{N ~i endpoint-8.10.2/data_stream/metrics/elasticsearch/ingest_pipeline/default.jsonUTdPK}W+ Aj endpoint-8.10.2/data_stream/metrics/fields/UTdPK}W5££5 8k endpoint-8.10.2/data_stream/metrics/fields/fields.ymlUTdPK}Wo%Cjj0 f endpoint-8.10.2/data_stream/metrics/manifest.ymlUTdPK}WFy5 7 endpoint-8.10.2/data_stream/metrics/sample_event.jsonUTdPK}W$ A endpoint-8.10.2/data_stream/network/UTdPK}W2 A endpoint-8.10.2/data_stream/network/elasticsearch/UTdPK}WB A: endpoint-8.10.2/data_stream/network/elasticsearch/ingest_pipeline/UTdPK}WtAM endpoint-8.10.2/data_stream/network/elasticsearch/ingest_pipeline/default.ymlUTdPK}W+ A endpoint-8.10.2/data_stream/network/fields/UTdPK}WjM5 [ endpoint-8.10.2/data_stream/network/fields/fields.ymlUTdPK}WnB0 } endpoint-8.10.2/data_stream/network/manifest.ymlUTdPK}WBUhB\\5 s endpoint-8.10.2/data_stream/network/sample_event.jsonUTdPK}W# A; endpoint-8.10.2/data_stream/policy/UTdPK}W1 A endpoint-8.10.2/data_stream/policy/elasticsearch/UTdPK}WA Aݔ endpoint-8.10.2/data_stream/policy/elasticsearch/ingest_pipeline/UTdPK}Wx{M E endpoint-8.10.2/data_stream/policy/elasticsearch/ingest_pipeline/default.jsonUTdPK}W* A endpoint-8.10.2/data_stream/policy/fields/UTdPK}WJn4 endpoint-8.10.2/data_stream/policy/fields/fields.ymlUTdPK}W͚drr/  endpoint-8.10.2/data_stream/policy/manifest.ymlUTdPK}WUqq4  endpoint-8.10.2/data_stream/policy/sample_event.jsonUTdPK}W$ Aь endpoint-8.10.2/data_stream/process/UTdPK}W2 A endpoint-8.10.2/data_stream/process/elasticsearch/UTdPK}WB Au endpoint-8.10.2/data_stream/process/elasticsearch/ingest_pipeline/UTdPK}Wx{N ލ endpoint-8.10.2/data_stream/process/elasticsearch/ingest_pipeline/default.jsonUTdPK}W+ AF endpoint-8.10.2/data_stream/process/fields/UTdPK}W9C..5 endpoint-8.10.2/data_stream/process/fields/fields.ymlUTdPK}W.ŌW0 2bendpoint-8.10.2/data_stream/process/manifest.ymlUTdPK}WG#rr5 (cendpoint-8.10.2/data_stream/process/sample_event.jsonUTdPK}W% Aendpoint-8.10.2/data_stream/registry/UTdPK}W3 ARendpoint-8.10.2/data_stream/registry/elasticsearch/UTdPK}WC Aendpoint-8.10.2/data_stream/registry/elasticsearch/ingest_pipeline/UTdPK}Wx{O endpoint-8.10.2/data_stream/registry/elasticsearch/ingest_pipeline/default.jsonUTdPK}W, Aendpoint-8.10.2/data_stream/registry/fields/UTdPK}W2TT6 ҅endpoint-8.10.2/data_stream/registry/fields/fields.ymlUTdPK}W!G6 S endpoint-8.10.2/docs/custom_documentation/alerts/macos/macos_memory_threat_alert.mdUTdPK}W9 Aendpoint-8.10.2/docs/custom_documentation/alerts/windows/UTdPK}W'rn n \ Eendpoint-8.10.2/docs/custom_documentation/alerts/windows/windows_malicious_behavior_alert.mdUTdPK}WsY4Q Fendpoint-8.10.2/docs/custom_documentation/alerts/windows/windows_malware_alert.mdUTdPK}WNkW yendpoint-8.10.2/docs/custom_documentation/alerts/windows/windows_memory_threat_alert.mdUTdPK}W(T endpoint-8.10.2/docs/custom_documentation/alerts/windows/windows_ransomware_alert.mdUTdPK}WXh}""T 2endpoint-8.10.2/docs/custom_documentation/alerts/windows/windows_shellcode_thread.mdUTdPK}W. A5endpoint-8.10.2/docs/custom_documentation/api/UTdPK}W6 A5endpoint-8.10.2/docs/custom_documentation/api/windows/UTdPK}WuV 96endpoint-8.10.2/docs/custom_documentation/api/windows/windows_api_credential_access.mdUTdPK}W/ A=endpoint-8.10.2/docs/custom_documentation/file/UTdPK}W5 A>endpoint-8.10.2/docs/custom_documentation/file/linux/UTdPK}Wy=pDDI k>endpoint-8.10.2/docs/custom_documentation/file/linux/linux_file_create.mdUTdPK}W?DDI /Dendpoint-8.10.2/docs/custom_documentation/file/linux/linux_file_delete.mdUTdPK}Wܻ''X Iendpoint-8.10.2/docs/custom_documentation/file/linux/linux_file_endpoint_unquarantine.mdUTdPK}W(/]]I Nendpoint-8.10.2/docs/custom_documentation/file/linux/linux_file_rename.mdUTdPK}W5 ATendpoint-8.10.2/docs/custom_documentation/file/macos/UTdPK}WDwI Tendpoint-8.10.2/docs/custom_documentation/file/macos/macos_file_delete.mdUTdPK}WD''X [endpoint-8.10.2/docs/custom_documentation/file/macos/macos_file_endpoint_unquarantine.mdUTdPK}W-\] _endpoint-8.10.2/docs/custom_documentation/file/macos/macos_file_extended_attributes_delete.mdUTdPK}W0EP "fendpoint-8.10.2/docs/custom_documentation/file/macos/macos_file_launch_daemon.mdUTdPK}Wo:O klendpoint-8.10.2/docs/custom_documentation/file/macos/macos_file_modification.mdUTdPK}WUQ H rendpoint-8.10.2/docs/custom_documentation/file/macos/macos_file_mount.mdUTdPK}W0?I xendpoint-8.10.2/docs/custom_documentation/file/macos/macos_file_rename.mdUTdPK}W7 A~endpoint-8.10.2/docs/custom_documentation/file/windows/UTdPK}W0M Pendpoint-8.10.2/docs/custom_documentation/file/windows/windows_file_create.mdUTdPK}W/U@@M Sendpoint-8.10.2/docs/custom_documentation/file/windows/windows_file_delete.mdUTdPK}W5--\ endpoint-8.10.2/docs/custom_documentation/file/windows/windows_file_endpoint_unquarantine.mdUTdPK}Wg37eeS בendpoint-8.10.2/docs/custom_documentation/file/windows/windows_file_modification.mdUTdPK}WxSSK Ƙendpoint-8.10.2/docs/custom_documentation/file/windows/windows_file_open.mdUTdPK}WaaP endpoint-8.10.2/docs/custom_documentation/file/windows/windows_file_overwrite.mdUTdPK}WP(M endpoint-8.10.2/docs/custom_documentation/file/windows/windows_file_rename.mdUTdPK}W2 Aendpoint-8.10.2/docs/custom_documentation/library/UTdPK}W: Axendpoint-8.10.2/docs/custom_documentation/library/windows/UTdPK}W-vQ ٭endpoint-8.10.2/docs/custom_documentation/library/windows/windows_library_load.mdUTdPK}W3 Aendpoint-8.10.2/docs/custom_documentation/metadata/UTdPK}W'R<> Jendpoint-8.10.2/docs/custom_documentation/metadata/metadata.mdUTdPK}W2 Aendpoint-8.10.2/docs/custom_documentation/metrics/UTdPK}WG[  < endpoint-8.10.2/docs/custom_documentation/metrics/metrics.mdUTdPK}W2 Ahendpoint-8.10.2/docs/custom_documentation/network/UTdPK}W8 Aendpoint-8.10.2/docs/custom_documentation/network/linux/UTdPK}W\ endpoint-8.10.2/docs/custom_documentation/network/linux/linux_network_connection_accepted.mdUTdPK}W9<N[ endpoint-8.10.2/docs/custom_documentation/network/linux/linux_network_connection_attempt.mdUTdPK}W%S endpoint-8.10.2/docs/custom_documentation/network/linux/linux_network_disconnect.mdUTdPK}W8 A endpoint-8.10.2/docs/custom_documentation/network/macos/UTdPK}WoO|##] endpoint-8.10.2/docs/custom_documentation/network/macos/macos_network_connection_attempted.mdUTdPK}W YY\ 6endpoint-8.10.2/docs/custom_documentation/network/macos/macos_network_disconnect_received.mdUTdPK}W: A"endpoint-8.10.2/docs/custom_documentation/network/windows/UTdPK}W\""` endpoint-8.10.2/docs/custom_documentation/network/windows/windows_network_connection_accepted.mdUTdPK}W