PK!W synthetics-1.0.6/UT dPK!W synthetics-1.0.6/LICENSE.txtUT dElastic License 2.0 URL: https://www.elastic.co/licensing/elastic-license ## Acceptance By using the software, you agree to all of the terms and conditions below. ## Copyright License The licensor grants you a non-exclusive, royalty-free, worldwide, non-sublicensable, non-transferable license to use, copy, distribute, make available, and prepare derivative works of the software, in each case subject to the limitations and conditions below. ## Limitations You may not provide the software to third parties as a hosted or managed service, where the service provides users with access to any substantial set of the features or functionality of the software. You may not move, change, disable, or circumvent the license key functionality in the software, and you may not remove or obscure any functionality in the software that is protected by the license key. You may not alter, remove, or obscure any licensing, copyright, or other notices of the licensor in the software. Any use of the licensor’s trademarks is subject to applicable law. ## Patents The licensor grants you a license, under any patent claims the licensor can license, or becomes able to license, to make, have made, use, sell, offer for sale, import and have imported the software, in each case subject to the limitations and conditions in this license. This license does not cover any patent claims that you cause to be infringed by modifications or additions to the software. If you or your company make any written claim that the software infringes or contributes to infringement of any patent, your patent license for the software granted under these terms ends immediately. If your company makes such a claim, your patent license ends immediately for work on behalf of your company. ## Notices You must ensure that anyone who gets a copy of any part of the software from you also gets a copy of these terms. If you modify the software, you must include in any modified copies of the software prominent notices stating that you have modified the software. ## No Other Rights These terms do not imply any licenses other than those expressly granted in these terms. ## Termination If you use the software in violation of these terms, such use is not licensed, and your licenses will automatically terminate. If the licensor provides you with a notice of your violation, and you cease all violation of this license no later than 30 days after you receive that notice, your licenses will be reinstated retroactively. However, if you violate these terms after such reinstatement, any additional violation of these terms will cause your licenses to terminate automatically and permanently. ## No Liability *As far as the law allows, the software comes as is, without any warranty or condition, and the licensor will not be liable to you for any damages arising out of these terms or the use or nature of the software, under any kind of legal claim.* ## Definitions The **licensor** is the entity offering these terms, and the **software** is the software the licensor makes available under these terms, including any portion of it. **you** refers to the individual or entity agreeing to these terms. **your company** is any legal entity, sole proprietorship, or other kind of organization that you work for, plus all organizations that have control over, are under the control of, or are under common control with that organization. **control** means ownership of substantially all the assets of an entity, or the power to direct its management and policies by vote, contract, or otherwise. Control can be direct or indirect. **your licenses** are all the licenses granted to you for the software under these terms. **use** means anything you do with the software requiring one of your licenses. **trademark** means trademarks, service marks, and similar rights. PKgjPK!W synthetics-1.0.6/changelog.ymlUT d# newer versions go on top - version: "1.0.6" changes: - description: Add max attempts field and mappings type: enhancement link: https://github.com/elastic/integrations/pull/7626 - version: "1.0.5" changes: - description: Add synthetics cost estimator dashboard type: enhancement link: https://github.com/elastic/integrations/pull/6047 - version: "1.0.4" changes: - description: Move processors to kibana type: enhancement link: https://github.com/elastic/integrations/pull/7196 - version: "1.0.3" changes: - description: Added field to override monitor.id type: enhancement link: https://github.com/elastic/integrations/pull/7163 - version: "1.0.2" changes: - description: Added field for test run ID type: enhancement link: https://github.com/elastic/integrations/pull/7156 - version: "1.0.1" changes: - description: Adjust location.id type: bugfix link: https://github.com/elastic/integrations/pull/6047 - version: "1.0.0" changes: - description: GA type: enhancement link: https://github.com/elastic/integrations/pull/6150 - version: "1.0.0-rc-2" changes: - description: Mark as GA type: enhancement link: https://github.com/elastic/integrations/pull/5951 - version: "1.0.0-rc-1" changes: - description: RC of upcoming GA release type: enhancement link: https://github.com/elastic/integrations/pull/5813 - version: "0.12.1" changes: - description: Add response.include_body_max_bytes to http.yml.bhs and remove zip url fields type: bugfix link: https://github.com/elastic/integrations/pull/5813 - version: "0.12.0" changes: - description: Add new lightweight heartbeat configs type: enhancement link: https://github.com/elastic/integrations/pull/5798 - version: "0.11.8" changes: - description: Fix broken mapping for state.ends.id. type: bugfix link: https://github.com/elastic/integrations/pull/5625 - version: "0.11.7" changes: - description: Added categories and/or subcategories. type: enhancement link: https://github.com/elastic/integrations/pull/5123 - version: "0.11.6" changes: - description: Adjust content, add max size to browser network and browser screenshot ILM policies, and fix state.ends mappings type: bugfix link: https://github.com/elastic/integrations/pull/5513 - version: "0.11.5" changes: - description: Clean up of geo processors type: bugfix link: https://github.com/elastic/integrations/pull/4823 - version: "0.11.4" changes: - description: Add run_from.geo.name field to monitor config to preserve location name type: bugfix link: https://github.com/elastic/integrations/pull/4741 - version: "0.11.3" changes: - description: Add run_from field to monitor config type: bugfix link: https://github.com/elastic/integrations/pull/4673 - version: "0.11.2" changes: - description: Change incorrectly typed `states.ends.duration` field from `date` to long type: bugfix link: https://github.com/elastic/integrations/pull/4541 - version: "0.11.1" changes: - description: Change incorrectly typed `states.duration` field from `date` to long type: bugfix link: https://github.com/elastic/integrations/pull/4477 - version: "0.11.0" changes: - description: Add support for new data used in future synthetics UI type: enhancement link: https://github.com/elastic/integrations/pull/4023 - version: "0.10.3" changes: - description: Adds project fields for lightweight monitors type: enhancement link: https://github.com/elastic/integrations/pull/4326 - version: "0.10.2" changes: - description: Adjusts ids for project monitors and add playwright_options type: bugfix link: https://github.com/elastic/integrations/pull/3998 - version: "0.10.1" changes: - description: Adjusts location name for tcp and icmp monitors type: bugfix link: https://github.com/elastic/integrations/pull/3925 - version: "0.10.0" changes: - description: Segment ILM policies by dataset type: enhancement link: https://github.com/elastic/integrations/pull/2744 - version: "0.9.6" changes: - description: Added fields for private location type: enhancement link: https://github.com/elastic/integrations/pull/3683 - version: "0.9.5" changes: - description: updated readme - added headings to the documentation type: enhancement link: https://github.com/elastic/integrations/pull/3164 - version: "0.9.4" changes: - description: Rename new monitor.source field for synthetics UI to monitor.origin, move project fields type: enhancement link: https://github.com/elastic/integrations/pull/3394 - version: "0.9.3" changes: - description: Adds new monitor.source field for synthetics UI type: enhancement link: https://github.com/elastic/integrations/pull/3394 - version: "0.9.2" changes: - description: Adds APM service name mappings type: enhancement link: https://github.com/elastic/integrations/pull/2725 - version: "0.9.1" changes: - description: Fix default values for monitor schedules type: enhancement link: https://github.com/elastic/integrations/pull/2698 - version: "0.9.0" changes: - description: Add run_once fields type: enhancement link: https://github.com/elastic/integrations/pull/2609 - version: "0.8.1" changes: - description: Add missing browser fields to the synthetics template type: enhancement link: https://github.com/elastic/integrations/pull/2549 - version: "0.8.0" changes: - description: Add index optimizations type: enhancement link: https://github.com/elastic/integrations/pull/2319 - version: "0.7.0" changes: - description: Add heartbeat enabled key type: enhancement link: https://github.com/elastic/integrations/pull/2290 - version: "0.6.0" changes: - description: Allow users to set throttling. type: enhancement link: https://github.com/elastic/integrations/pull/2161 - version: "0.5.0" changes: - description: Update compatibility of package to be compatible with 8.0.x type: enhancement link: https://github.com/elastic/integrations/pull/2213 - version: "0.4.2" changes: - description: Uniform with guidelines type: enhancement link: https://github.com/elastic/integrations/pull/2111 - version: "0.4.1" changes: - description: Update mappings for synthetics step type: enhancement link: https://github.com/elastic/integrations/pull/2027 - version: "0.4.0" changes: - description: Add new synthetics/browser input params type: enhancement link: https://github.com/elastic/integrations/pull/1778 - version: "0.3.1" changes: - description: Updates README type: enhancement link: https://github.com/elastic/integrations/pull/1945 - version: "0.3.0" changes: - description: Add browser data streams type: enhancement link: https://github.com/elastic/integrations/pull/1064 - version: "0.2.2" changes: - description: Adjust categories to add web and monitoring type: enhancement link: https://github.com/elastic/integrations/pull/1531 - version: "0.2.1" changes: - description: Adjust category to elastic_stack type: enhancement link: https://github.com/elastic/integrations/pull/1424 - version: "0.2.0" changes: - description: Update integration description type: enhancement link: https://github.com/elastic/integrations/pull/1364 - version: "0.1.0" changes: - description: bump version to 0.1.0 for 7.13.0 release type: enhancement # can be one of: enhancement, bugfix, breaking-change link: https://github.com/elastic/integrations/pull/1016 - version: "0.0.6" changes: - description: update README type: enhancement # can be one of: enhancement, bugfix, breaking-change link: https://github.com/elastic/integrations/pull/974 - version: "0.0.5" changes: - description: fix add_fields processor to support to support telemetry type: bugfix # can be one of: enhancement, bugfix, breaking-change link: https://github.com/elastic/integrations/pull/981 - version: "0.0.4" changes: - description: add monitor.fleet_managed to support telemetry type: enhancement # can be one of: enhancement, bugfix, breaking-change link: https://github.com/elastic/integrations/pull/920 - version: "0.0.3" changes: - description: adjust type of tcp data_stream check.receive field type: bugfix # can be one of: enhancement, bugfix, breaking-change link: https://github.com/elastic/integrations/pull/914 - version: "0.0.2" changes: - description: add base fields type: bugfix # can be one of: enhancement, bugfix, breaking-change link: https://github.com/elastic/integrations/pull/904 - version: "0.0.1" changes: - description: initial release type: enhancement # can be one of: enhancement, bugfix, breaking-change link: https://github.com/elastic/integrations/pull/748 PKkH$H$PK!W synthetics-1.0.6/data_stream/UT dPK!W% synthetics-1.0.6/data_stream/browser/UT dPK!W+ synthetics-1.0.6/data_stream/browser/agent/UT dPK!W2 synthetics-1.0.6/data_stream/browser/agent/stream/UT dPK!WA synthetics-1.0.6/data_stream/browser/agent/stream/browser.yml.hbsUT d__ui: {{__ui}} type: {{type}} name: {{name}} {{#if id}} id: {{id}} {{/if}} {{#if origin}} origin: {{origin}} {{/if}} {{#if location_id}} run_from.id: {{location_id}} {{/if}} {{#if location_name}} run_from.geo.name: {{location_name}} {{/if}} enabled: {{enabled}} {{#if service.name}} service.name: {{service.name}} {{/if}} schedule: {{schedule}} timeout: {{timeout}} throttling: {{throttling.config}} {{#if tags}} tags: {{tags}} {{/if}} {{#if source.inline.script}} source.inline.script: {{source.inline.script}} {{/if}} {{#if source.project.content}} source.project.content: {{source.project.content}} {{/if}} {{#if params}} params: {{params}} {{/if}} {{#if playwright_options}} playwright_options: {{playwright_options}} {{/if}} {{#if screenshots}} screenshots: {{screenshots}} {{/if}} {{#if synthetics_args}} synthetics_args: {{synthetics_args}} {{/if}} {{#if filter_journeys.match}} filter_journeys.match: {{filter_journeys.match}} {{/if}} {{#if filter_journeys.tags}} filter_journeys.tags: {{filter_journeys.tags}} {{/if}} {{#if ignore_https_errors}} ignore_https_errors: {{ignore_https_errors}} {{/if}} {{#if max_attempts}} max_attempts: {{max_attempts}} {{/if}} {{#if processors}} processors: {{processors}} {{/if}}PKPK!W3 synthetics-1.0.6/data_stream/browser/elasticsearch/UT dPK!W7 synthetics-1.0.6/data_stream/browser/elasticsearch/ilm/UT dPK!WJ synthetics-1.0.6/data_stream/browser/elasticsearch/ilm/default_policy.jsonUT d{ "policy": { "phases": { "hot": { "actions": { "rollover": { "max_age": "30d", "max_primary_shard_size": "50gb" }, "set_priority": { "priority": 100 } } }, "delete": { "min_age": "365d", "actions": { "delete": {} } } } } }PK##PK!W, synthetics-1.0.6/data_stream/browser/fields/UT dPK!W; synthetics-1.0.6/data_stream/browser/fields/base-fields.ymlUT d- name: data_stream.type type: constant_keyword description: Data stream type. value: synthetics - name: data_stream.dataset type: constant_keyword description: Data stream dataset name. value: browser - name: data_stream.namespace type: constant_keyword description: Data stream namespace. - name: '@timestamp' type: date description: Event timestamp. PK?#uuPK!W4 synthetics-1.0.6/data_stream/browser/fields/beat.ymlUT d- name: fields type: object object_type: keyword description: > Contains user configurable fields. PKZғnnPK!W5 synthetics-1.0.6/data_stream/browser/fields/cloud.ymlUT d- name: cloud.image.id example: ami-abcd1234 type: keyword description: > Image ID for the cloud instance. PK!GvvPK!W6 synthetics-1.0.6/data_stream/browser/fields/common.ymlUT d- name: config_id type: keyword description: The id of run_once monitor, when initiated from the Monitor Management flow - name: test_run_id type: keyword description: The id of run_once monitor, when initiated from the Monitor Overview page - name: run_once type: boolean description: Whether the monitor is a run_once monitor - name: service.name type: keyword description: APM service name this monitor is linked to - name: monitor type: group description: > Common monitor fields. fields: - name: type type: constant_keyword value: browser description: > The monitor type. - name: name type: keyword description: > The monitors configured name multi_fields: - name: text type: text analyzer: simple - name: id type: keyword description: > The monitors full job ID as used by heartbeat. multi_fields: - name: text type: text analyzer: simple - name: duration type: group description: Total monitoring test duration fields: - name: us type: long description: Duration in microseconds - name: ip type: ip description: > IP of service being monitored. If service is monitored by hostname, the `ip` field contains the resolved ip address for the current host. - name: status required: true type: keyword description: > Indicator if monitor could validate the service to be available. - name: check_group type: keyword description: > A token unique to a simultaneously invoked group of checks as in the case where multiple IPs are checked for a single DNS entry. - name: timespan type: date_range description: > Time range this ping reported starting at the instant the check was started, ending at the start of the next scheduled check. - name: fleet_managed type: boolean description: > True if monitor is created with the Fleet integration UI - name: origin type: keyword description: > The source of this monitor configuration, usually either "ui", or "project" - name: project type: group description: > Project info for this monitor fields: - name: id type: keyword description: Project ID - name: name type: text description: Project name - name: state type: group description: "Present in the last event emitted during a check. If a monitor checks multiple endpoints, as is the case with `mode: all`." fields: - name: id type: keyword description: > ID of this state - name: started_at type: date description: > First time state with this ID was seen - name: duration_ms type: long description: > Length of time this state has existed in millis - name: status type: keyword description: > The current status, "up", "down", or "flapping" any state can change into flapping. - name: checks type: integer description: total checks run - name: up type: integer description: total up checks run - name: down type: integer description: total down checks run - name: flap_history enabled: false - name: ends type: group description: the state that was ended by this state fields: - name: id type: keyword description: > ID of this state - name: started_at type: date description: > First time state with this ID was seen - name: duration_ms type: long description: > Length of time this state has existed in millis - name: status type: keyword description: > The current status, "up", "down", or "flapping" any state can change into flapping. - name: checks type: integer description: total checks run - name: up type: integer description: total up checks run - name: down type: integer description: total down checks run PK2PK!W6 synthetics-1.0.6/data_stream/browser/fields/docker.ymlUT d- name: docker type: group fields: - name: container.labels # TODO: How to map these? type: object object_type: keyword description: > Image labels. PKqøPK!W3 synthetics-1.0.6/data_stream/browser/fields/ecs.ymlUT d- name: labels level: core type: object object_type: keyword description: "Custom key/value pairs.\nCan be used to add meta information to events. Should not contain nested objects. All values are stored as keyword.\nExample: `docker` and `k8s` labels." example: '{"application": "foo-bar", "env": "production"}' - name: tags level: core type: keyword ignore_above: 1024 description: List of keywords used to tag each event. example: '["production", "env2"]' - name: agent title: Agent group: 2 description: "The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host.\nExamples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken." footnote: "Examples: In the case of Beats for logs, the agent.name is filebeat. For APM, it is the agent running in the app/service. The agent information does not change if data is sent through queuing systems like Kafka, Redis, or processing systems such as Logstash or APM Server." type: group fields: - name: build.original level: core type: wildcard description: "Extended build information for the agent.\nThis field is intended to contain any build information that a data source may provide, no specific formatting is required." example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] default_field: false - name: ephemeral_id level: extended type: keyword ignore_above: 1024 description: "Ephemeral identifier of this agent (if one exists).\nThis id normally changes across restarts, but `agent.id` does not." example: 8a4f500f - name: id level: core type: keyword ignore_above: 1024 description: "Unique identifier of this agent (if one exists).\nExample: For Beats this would be beat.id." example: 8a4f500d - name: name level: core type: keyword ignore_above: 1024 description: "Custom name of the agent.\nThis is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from.\nIf no name is given, the name is often left empty." example: foo - name: type level: core type: keyword ignore_above: 1024 description: "Type of the agent.\nThe agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine." example: filebeat - name: version level: core type: keyword ignore_above: 1024 description: Version of the agent. example: 6.0.0-rc2 - name: cloud title: Cloud group: 2 description: Fields related to the cloud or infrastructure the events are coming from. footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." type: group fields: - name: account.id level: extended type: keyword ignore_above: 1024 description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." example: 666777888999 - name: account.name level: extended type: keyword ignore_above: 1024 description: "The cloud account name or alias used to identify different entities in a multi-tenant environment.\nExamples: AWS account name, Google Cloud ORG display name." example: elastic-dev default_field: false - name: availability_zone level: extended type: keyword ignore_above: 1024 description: Availability zone in which this host is running. example: us-east-1c - name: instance.id level: extended type: keyword ignore_above: 1024 description: Instance ID of the host machine. example: i-1234567890abcdef0 - name: instance.name level: extended type: keyword ignore_above: 1024 description: Instance name of the host machine. - name: machine.type level: extended type: keyword ignore_above: 1024 description: Machine type of the host machine. example: t2.medium - name: project.id level: extended type: keyword ignore_above: 1024 description: "The cloud project identifier.\nExamples: Google Cloud Project id, Azure Project id." example: my-project default_field: false - name: project.name level: extended type: keyword ignore_above: 1024 description: "The cloud project name.\nExamples: Google Cloud Project name, Azure Project name." example: my project default_field: false - name: provider level: extended type: keyword ignore_above: 1024 description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. example: aws - name: region level: extended type: keyword ignore_above: 1024 description: Region in which this host is running. example: us-east-1 - name: container title: Container group: 2 description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." type: group fields: - name: id level: core type: keyword ignore_above: 1024 description: Unique container id. - name: image.name level: extended type: keyword ignore_above: 1024 description: Name of the image the container was built on. - name: image.tag level: extended type: keyword ignore_above: 1024 description: Container image tags. - name: labels level: extended type: object object_type: keyword description: Image labels. - name: name level: extended type: keyword ignore_above: 1024 description: Container name. - name: runtime level: extended type: keyword ignore_above: 1024 description: Runtime managing this container. example: docker - name: dns title: DNS group: 2 description: "Fields describing DNS queries and answers.\nDNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`)." type: group fields: - name: answers level: extended type: object description: "An array containing an object for each answer section returned by the server.\nThe main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines.\nNot all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields." - name: answers.class level: extended type: keyword ignore_above: 1024 description: The class of DNS data contained in this resource record. example: IN - name: answers.data level: extended type: wildcard description: "The data describing the resource.\nThe meaning of this data depends on the type and class of the resource record." example: 10.10.10.10 - name: answers.name level: extended type: keyword ignore_above: 1024 description: "The domain name to which this resource record pertains.\nIf a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated." example: www.example.com - name: answers.ttl level: extended type: long description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. example: 180 - name: answers.type level: extended type: keyword ignore_above: 1024 description: The type of data contained in this resource record. example: CNAME - name: header_flags level: extended type: keyword ignore_above: 1024 description: "Array of 2 letter DNS header flags.\nExpected values are: AA, TC, RD, RA, AD, CD, DO." example: '["RD", "RA"]' - name: id level: extended type: keyword ignore_above: 1024 description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. example: 62111 - name: op_code level: extended type: keyword ignore_above: 1024 description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. example: QUERY - name: question.class level: extended type: keyword ignore_above: 1024 description: The class of records being queried. example: IN - name: question.name level: extended type: wildcard description: 'The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.' example: www.example.com - name: question.registered_domain level: extended type: keyword ignore_above: 1024 description: 'The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com - name: question.subdomain level: extended type: keyword ignore_above: 1024 description: 'The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.' example: www - name: question.top_level_domain level: extended type: keyword ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk - name: question.type level: extended type: keyword ignore_above: 1024 description: The type of record being queried. example: AAAA - name: resolved_ip level: extended type: ip description: "Array containing all IPs seen in `answers.data`.\nThe `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for." example: '["10.10.10.10", "10.10.10.11"]' - name: response_code level: extended type: keyword ignore_above: 1024 description: The DNS response code. example: NOERROR - name: type level: extended type: keyword ignore_above: 1024 description: "The type of DNS event captured, query or answer.\nIf your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`.\nIf your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers." example: answer - name: ecs title: ECS group: 2 description: Meta-information specific to ECS. type: group fields: - name: version level: core required: true type: keyword ignore_above: 1024 description: "ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.\nWhen querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events." example: 1.0.0 - name: error title: Error group: 2 description: "These fields can represent errors of any kind.\nUse them for errors that happen while fetching events or in cases where the event itself contains an error." type: group fields: - name: code level: core type: keyword ignore_above: 1024 description: Error code describing the error. - name: id level: core type: keyword ignore_above: 1024 description: Unique identifier for the error. - name: message level: core type: text description: Error message. - name: stack_trace level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: The stack trace of this error in plain text. - name: type level: extended type: wildcard description: The type of the error, for example the class name of the exception. example: java.lang.NullPointerException - name: http title: HTTP group: 2 description: Fields related to HTTP activity. Use the `url` field set to store the url of the request. type: group fields: - name: request.body.bytes level: extended type: long format: bytes description: Size in bytes of the request body. example: 887 - name: request.body.content level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: The full HTTP request body. example: Hello world - name: request.bytes level: extended type: long format: bytes description: Total size in bytes of the request (body and headers). example: 1437 - name: request.method level: extended type: keyword ignore_above: 1024 description: 'HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0' example: GET, POST, PUT, PoST - name: request.mime_type level: extended type: keyword ignore_above: 1024 description: "Mime type of the body of the request.\nThis value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients." example: image/gif default_field: false - name: request.referrer level: extended type: wildcard description: Referrer for this HTTP request. example: https://blog.example.com/ - name: response.body.bytes level: extended type: long format: bytes description: Size in bytes of the response body. example: 887 - name: response.body.content level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: The full HTTP response body. example: Hello world - name: response.bytes level: extended type: long format: bytes description: Total size in bytes of the response (body and headers). example: 1437 - name: response.mime_type level: extended type: keyword ignore_above: 1024 description: "Mime type of the body of the response.\nThis value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers." example: image/gif default_field: false - name: response.status_code level: extended type: long format: string description: HTTP response status code. example: 404 - name: version level: extended type: keyword ignore_above: 1024 description: HTTP version. example: 1.1 - name: observer title: Observer group: 2 description: "An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics.\nThis could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS." type: group fields: - name: geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal - name: geo.continent_name level: core type: keyword ignore_above: 1024 description: Name of the continent. example: North America - name: geo.country_iso_code level: core type: keyword ignore_above: 1024 description: Country ISO code. example: CA - name: geo.country_name level: core type: keyword ignore_above: 1024 description: Country name. example: Canada - name: geo.location level: core type: geo_point description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended type: wildcard description: "User-defined description of a location, at the level of granularity they care about.\nCould be the name of their data centers, the floor number, if this describes a local physical entity, city names.\nNot typically used in automated geolocation." example: boston-dc - name: geo.region_iso_code level: core type: keyword ignore_above: 1024 description: Region ISO code. example: CA-QC - name: geo.region_name level: core type: keyword ignore_above: 1024 description: Region name. example: Quebec - name: hostname level: core type: keyword ignore_above: 1024 description: Hostname of the observer. - name: ip level: core type: ip description: IP addresses of the observer. - name: mac level: core type: keyword ignore_above: 1024 description: MAC addresses of the observer - name: name level: extended type: keyword ignore_above: 1024 description: "Custom name of the observer.\nThis is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization.\nIf no custom name is needed, the field can be left empty." example: 1_proxySG - name: os.family level: extended type: keyword ignore_above: 1024 description: OS family (such as redhat, debian, freebsd, windows). example: debian - name: os.full level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: Operating system name, including the version or code name. example: Mac OS Mojave - name: os.kernel level: extended type: keyword ignore_above: 1024 description: Operating system kernel version as a raw string. example: 4.4.0-112-generic - name: os.name level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: Operating system name, without the version. example: Mac OS X - name: os.platform level: extended type: keyword ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin - name: os.version level: extended type: keyword ignore_above: 1024 description: Operating system version as a raw string. example: 10.14.1 - name: product level: extended type: keyword ignore_above: 1024 description: The product name of the observer. example: s200 - name: serial_number level: extended type: keyword ignore_above: 1024 description: Observer serial number. - name: type level: core type: keyword ignore_above: 1024 description: "The type of the observer the data is coming from.\nThere is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`." example: firewall - name: vendor level: core type: keyword ignore_above: 1024 description: Vendor name of the observer. example: Symantec - name: version level: core type: keyword ignore_above: 1024 description: Observer version. - name: tls title: TLS group: 2 description: Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files. type: group fields: - name: cipher level: extended type: keyword ignore_above: 1024 description: String indicating the cipher used during the current connection. example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 default_field: false - name: client.certificate level: extended type: keyword ignore_above: 1024 description: PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. example: MII... default_field: false - name: client.certificate_chain level: extended type: keyword ignore_above: 1024 description: Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. example: '["MII...", "MII..."]' default_field: false - name: client.hash.md5 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC default_field: false - name: client.hash.sha1 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 9E393D93138888D288266C2D915214D1D1CCEB2A default_field: false - name: client.hash.sha256 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 default_field: false - name: client.issuer level: extended type: wildcard description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com default_field: false - name: client.ja3 level: extended type: keyword ignore_above: 1024 description: A hash that identifies clients based on how they perform an SSL/TLS handshake. example: d4e5b18d6b55c71272893221c96ba240 default_field: false - name: client.not_after level: extended type: date description: Date/Time indicating when client certificate is no longer considered valid. example: "2021-01-01T00:00:00.000Z" default_field: false - name: client.not_before level: extended type: date description: Date/Time indicating when client certificate is first considered valid. example: "1970-01-01T00:00:00.000Z" default_field: false - name: client.server_name level: extended type: keyword ignore_above: 1024 description: Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. example: www.elastic.co default_field: false - name: client.subject level: extended type: wildcard description: Distinguished name of subject of the x.509 certificate presented by the client. example: CN=myclient, OU=Documentation Team, DC=example, DC=com default_field: false - name: client.supported_ciphers level: extended type: keyword ignore_above: 1024 description: Array of ciphers offered by the client during the client hello. example: '["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."]' default_field: false - name: client.x509.alternative_names level: extended type: keyword ignore_above: 1024 description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. example: "*.elastic.co" default_field: false - name: client.x509.issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - name: client.x509.issuer.country level: extended type: keyword ignore_above: 1024 description: List of country (C) codes example: US default_field: false - name: client.x509.issuer.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - name: client.x509.issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - name: client.x509.issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - name: client.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. example: www.example.com default_field: false - name: client.x509.issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: client.x509.not_after level: extended type: date description: Time at which the certificate is no longer considered valid. example: 2020-07-16 03:15:39+00:00 default_field: false - name: client.x509.not_before level: extended type: date description: Time at which the certificate is first considered valid. example: 2019-08-16 01:40:25+00:00 default_field: false - name: client.x509.public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. example: RSA default_field: false - name: client.x509.public_key_curve level: extended type: keyword ignore_above: 1024 description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. example: nistp521 default_field: false - name: client.x509.public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. example: 65537 index: false default_field: false - name: client.x509.public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - name: client.x509.serial_number level: extended type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - name: client.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA default_field: false - name: client.x509.subject.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of subject. example: shared.global.example.net default_field: false - name: client.x509.subject.country level: extended type: keyword ignore_above: 1024 description: List of country (C) code example: US default_field: false - name: client.x509.subject.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - name: client.x509.subject.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: San Francisco default_field: false - name: client.x509.subject.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of subject. example: Example, Inc. default_field: false - name: client.x509.subject.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of subject. default_field: false - name: client.x509.subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: client.x509.version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false - name: curve level: extended type: keyword ignore_above: 1024 description: String indicating the curve used for the given cipher, when applicable. example: secp256r1 default_field: false - name: established level: extended type: boolean description: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. default_field: false - name: next_protocol level: extended type: keyword ignore_above: 1024 description: String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. example: http/1.1 default_field: false - name: resumed level: extended type: boolean description: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. default_field: false - name: server.certificate level: extended type: keyword ignore_above: 1024 description: PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. example: MII... default_field: false - name: server.certificate_chain level: extended type: keyword ignore_above: 1024 description: Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. example: '["MII...", "MII..."]' default_field: false - name: server.hash.md5 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC default_field: false - name: server.hash.sha1 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 9E393D93138888D288266C2D915214D1D1CCEB2A default_field: false - name: server.hash.sha256 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 default_field: false - name: server.issuer level: extended type: wildcard description: Subject of the issuer of the x.509 certificate presented by the server. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com default_field: false - name: server.ja3s level: extended type: keyword ignore_above: 1024 description: A hash that identifies servers based on how they perform an SSL/TLS handshake. example: 394441ab65754e2207b1e1b457b3641d default_field: false - name: server.not_after level: extended type: date description: Timestamp indicating when server certificate is no longer considered valid. example: "2021-01-01T00:00:00.000Z" default_field: false - name: server.not_before level: extended type: date description: Timestamp indicating when server certificate is first considered valid. example: "1970-01-01T00:00:00.000Z" default_field: false - name: server.subject level: extended type: wildcard description: Subject of the x.509 certificate presented by the server. example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com default_field: false - name: server.x509.alternative_names level: extended type: keyword ignore_above: 1024 description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. example: "*.elastic.co" default_field: false - name: server.x509.issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - name: server.x509.issuer.country level: extended type: keyword ignore_above: 1024 description: List of country (C) codes example: US default_field: false - name: server.x509.issuer.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - name: server.x509.issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - name: server.x509.issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - name: server.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. example: www.example.com default_field: false - name: server.x509.issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: server.x509.not_after level: extended type: date description: Time at which the certificate is no longer considered valid. example: 2020-07-16 03:15:39+00:00 default_field: false - name: server.x509.not_before level: extended type: date description: Time at which the certificate is first considered valid. example: 2019-08-16 01:40:25+00:00 default_field: false - name: server.x509.public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. example: RSA default_field: false - name: server.x509.public_key_curve level: extended type: keyword ignore_above: 1024 description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. example: nistp521 default_field: false - name: server.x509.public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. example: 65537 index: false default_field: false - name: server.x509.public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - name: server.x509.serial_number level: extended type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - name: server.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA default_field: false - name: server.x509.subject.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of subject. example: shared.global.example.net default_field: false - name: server.x509.subject.country level: extended type: keyword ignore_above: 1024 description: List of country (C) code example: US default_field: false - name: server.x509.subject.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - name: server.x509.subject.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: San Francisco default_field: false - name: server.x509.subject.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of subject. example: Example, Inc. default_field: false - name: server.x509.subject.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of subject. default_field: false - name: server.x509.subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: server.x509.version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false - name: version level: extended type: keyword ignore_above: 1024 description: Numeric part of the version parsed from the original string. example: "1.2" default_field: false - name: version_protocol level: extended type: keyword ignore_above: 1024 description: Normalized lowercase protocol name parsed from original string. example: tls default_field: false - name: url title: URL group: 2 description: URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. type: group fields: - name: domain level: extended type: wildcard description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.' example: www.elastic.co - name: extension level: extended type: keyword ignore_above: 1024 description: 'The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").' example: png - name: fragment level: extended type: keyword ignore_above: 1024 description: 'Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.' - name: full level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false - name: keyword type: keyword description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. example: https://www.elastic.co:443/search?q=elasticsearch#top - name: original level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: "Unmodified original url as seen in the event source.\nNote that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.\nThis field is meant to represent the URL as it was observed, complete or not." example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - name: password level: extended type: keyword ignore_above: 1024 description: Password of the request. - name: path level: extended type: wildcard description: Path of the request, such as "/search". - name: port level: extended type: long format: string description: Port of the request, such as 443. example: 443 - name: query level: extended type: keyword ignore_above: 1024 description: 'The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' - name: registered_domain level: extended type: wildcard description: 'The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com - name: scheme level: extended type: keyword ignore_above: 1024 description: 'Scheme of the request, such as "https". Note: The `:` is not part of the scheme.' example: https - name: subdomain level: extended type: keyword ignore_above: 1024 description: 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.' example: east default_field: false - name: top_level_domain level: extended type: keyword ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk - name: username level: extended type: keyword ignore_above: 1024 description: Username of the request. - name: x509 title: x509 Certificate group: 2 description: "This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk.\nWhen the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`).\nEvents that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`." type: group fields: - name: alternative_names level: extended type: keyword ignore_above: 1024 description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. example: "*.elastic.co" default_field: false - name: issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - name: issuer.country level: extended type: keyword ignore_above: 1024 description: List of country (C) codes example: US default_field: false - name: issuer.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - name: issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - name: issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - name: issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. example: www.example.com default_field: false - name: issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: not_after level: extended type: date description: Time at which the certificate is no longer considered valid. example: 2020-07-16 03:15:39+00:00 default_field: false - name: not_before level: extended type: date description: Time at which the certificate is first considered valid. example: 2019-08-16 01:40:25+00:00 default_field: false - name: public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. example: RSA default_field: false - name: public_key_curve level: extended type: keyword ignore_above: 1024 description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. example: nistp521 default_field: false - name: public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. example: 65537 index: false default_field: false - name: public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - name: serial_number level: extended type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - name: signature_algorithm level: extended type: keyword ignore_above: 1024 description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA default_field: false - name: subject.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of subject. example: shared.global.example.net default_field: false - name: subject.country level: extended type: keyword ignore_above: 1024 description: List of country (C) code example: US default_field: false - name: subject.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - name: subject.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: San Francisco default_field: false - name: subject.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of subject. example: Example, Inc. default_field: false - name: subject.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of subject. default_field: false - name: subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false PKTPK!W4 synthetics-1.0.6/data_stream/browser/fields/http.ymlUT d- name: http type: group description: > HTTP related fields. fields: - name: response type: group fields: - name: body type: group fields: - name: hash type: keyword description: > Hash of the full response body. Can be used to group responses with identical hashes. - name: redirects type: keyword description: > List of redirects followed to arrive at final content. Last item on the list is the URL for which body content is shown. - name: headers.* type: object enabled: false description: > The canonical headers of the monitored HTTP response. - name: rtt type: group description: > HTTP layer round trip times. fields: - name: validate type: group description: | Duration between first byte of HTTP request being written and response being processed by validator. Duration based on already available network connection. Note: if validator is not reading body or only a prefix, this number does not fully represent the total time needed to read the body. fields: - name: us type: long description: Duration in microseconds - name: validate_body type: group description: | Duration of validator required to read and validate the response body. Note: if validator is not reading body or only a prefix, this number does not fully represent the total time needed to read the body. fields: - name: us type: long description: Duration in microseconds - name: write_request type: group description: Duration of sending the complete HTTP request. Duration based on already available network connection. fields: - name: us type: long description: Duration in microseconds - name: response_header type: group description: Time required between sending the start of sending the HTTP request and first byte from HTTP response being read. Duration based on already available network connection. fields: - name: us type: long description: Duration in microseconds - name: content.us type: long description: Time required to retrieved the content in micro seconds. - name: total type: group description: | Duration required to process the HTTP transaction. Starts with the initial TCP connection attempt. Ends with after validator did check the response. Note: if validator is not reading body or only a prefix, this number does not fully represent the total time needed. fields: - name: us type: long description: Duration in microseconds PKM PK!WD synthetics-1.0.6/data_stream/browser/fields/jolokia-autodiscover.ymlUT d- name: jolokia.agent.version type: keyword description: > Version number of jolokia agent. - name: jolokia.agent.id type: keyword description: > Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type. - name: jolokia.server.product type: keyword description: > The container product if detected. - name: jolokia.server.version type: keyword description: > The container's version (if detected). - name: jolokia.server.vendor type: keyword description: > The vendor of the container the agent is running in. - name: jolokia.url type: keyword description: > The URL how this agent can be contacted. - name: jolokia.secured type: boolean description: > Whether the agent was configured for authentication or not. PKPK!W: synthetics-1.0.6/data_stream/browser/fields/kubernetes.ymlUT d- name: kubernetes type: group fields: - name: pod.name type: keyword description: > Kubernetes pod name - name: pod.uid type: keyword description: > Kubernetes Pod UID - name: namespace type: keyword description: > Kubernetes namespace - name: node.name type: keyword description: > Kubernetes node name - name: node.hostname type: keyword description: > Kubernetes hostname as reported by the node’s kernel - name: labels.* type: object object_type: keyword object_type_mapping_type: "*" description: > Kubernetes labels map - name: annotations.* type: object object_type: keyword object_type_mapping_type: "*" description: > Kubernetes annotations map - name: replicaset.name type: keyword description: > Kubernetes replicaset name - name: deployment.name type: keyword description: > Kubernetes deployment name - name: statefulset.name type: keyword description: > Kubernetes statefulset name - name: container.name type: keyword description: > Kubernetes container name - name: container.image type: keyword description: > Kubernetes container image PKiiPK!W6 synthetics-1.0.6/data_stream/browser/fields/socks5.ymlUT d- name: socks5 type: group description: > SOCKS5 proxy related fields: fields: - name: rtt type: group description: > TLS layer round trip times. fields: - name: connect type: group description: > Time required to establish a connection via SOCKS5 to endpoint based on available connection to SOCKS5 proxy. fields: - name: us type: long description: Duration in microseconds PK=PK!W7 synthetics-1.0.6/data_stream/browser/fields/summary.ymlUT d- name: summary type: group description: "Present in the last event emitted during a check. If a monitor checks multiple endpoints, as is the case with `mode: all`." fields: - name: up type: integer description: > The number of endpoints that succeeded - name: down type: integer description: > The number of endpoints that failed - name: status type: keyword description: > The status of this check as a whole. Either up or down. - name: attempt type: short description: > When performing a check this number is 1 for the first check, and increments in the event of a retry. - name: max_attempts type: short description: > The maximum number of checks that may be performed. Note, the actual number may be smaller. - name: final_attempt type: boolean description: > True if no further checks will be performed in this retry group. - name: retry_group type: keyword description: "A unique token used to group checks across attempts. \n" PKbqf\\PK!W: synthetics-1.0.6/data_stream/browser/fields/synthetics.ymlUT d- name: synthetics type: group description: > Synthetics related fields. fields: - name: type type: keyword - name: package_version type: keyword - name: index type: integer description: > Indexed used for creating total order of all events in this invocation. - name: payload type: object enabled: false - name: blob type: binary description: binary data payload - name: blob_mime type: keyword description: mime type of blob data - name: step type: group fields: - name: name type: text multi_fields: - name: keyword type: keyword - name: index type: integer - name: status type: keyword - name: duration type: group description: Duration required to complete the step. fields: - name: us type: integer description: Duration in microseconds - name: journey type: group fields: - name: name type: text - name: id type: keyword - name: tags type: keyword - name: error type: group fields: - name: name type: keyword - name: message type: text - name: stack type: text - name: browser type: group fields: - name: experience type: group description: > Absolute values of all user experience metrics in the browser relative to the navigation start event in microseconds fields: - name: fcp type: group description: duration of First contentful paint metric fields: - name: us type: integer - name: lcp type: group description: duration of Largest contentful paint metric fields: - name: us type: integer - name: dcl type: group description: duration of Document content loaded end event fields: - name: us type: integer - name: load type: group description: duration of Load end event fields: - name: duration type: integer - name: us type: integer - name: cls type: integer description: culumative layout shift score across all frames - name: relative_trace type: group description: > trace event with timing information that are realtive to journey timings in microseconds fields: - name: name type: keyword description: name of the trace event - name: type type: text description: could be one of mark or measure event types - name: start type: group description: monotonically increasing trace start time in microseconds fields: - name: us type: long - name: duration type: group description: duration of the trace event in microseconds. fields: - name: us type: integer - name: score type: integer description: weighted score of the layout shift event PKaݎ?* * PK!W3 synthetics-1.0.6/data_stream/browser/fields/tcp.ymlUT d- name: tcp type: group description: > TCP network layer related fields. fields: - name: rtt type: group description: > TCP layer round trip times. fields: - name: connect type: group description: > Duration required to establish a TCP connection based on already available IP address. fields: - name: us type: long description: Duration in microseconds - name: validate type: group description: > Duration of validation step based on existing TCP connection. fields: - name: us type: long description: Duration in microseconds PKR+PK!W1 synthetics-1.0.6/data_stream/browser/manifest.ymlUT dtype: synthetics title: synthetic monitor check dataset: browser ilm_policy: synthetics-synthetics.browser-default_policy elasticsearch: index_template: mappings: dynamic: false settings: index: codec: best_compression sort.field: - "url.full.keyword" - "monitor.id" privileges.indices: [auto_configure, create_doc, read] streams: - input: synthetics/browser title: Synthetic monitor check description: Create synthetic browser checks template_path: browser.yml.hbs enabled: true vars: - name: __ui type: yaml title: ui metadata about the policy multi: false required: false show_user: false - name: enabled type: bool title: Whether the monitor is enabled multi: false required: true show_user: true default: true - name: type type: text title: Monitor type multi: false required: true show_user: true default: browser - name: name type: text title: Monitor name multi: false required: false show_user: true - name: schedule type: text title: Schedule multi: false required: true show_user: true default: "\"@every 3m\"" - name: service.name type: text title: APM Service Name multi: false required: false show_user: true - name: timeout type: text title: Timeout multi: false required: false show_user: true - name: tags type: yaml title: Tags multi: false required: false show_user: true - name: source.inline.script type: yaml title: Inline synthetics script multi: false required: false show_user: true - name: source.project.content type: text title: Project monitor script multi: false required: false show_user: true - name: params type: yaml title: Synthetics script params multi: false required: false show_user: true - name: playwright_options type: yaml title: Synthetics playwright options multi: false required: false show_user: true - name: screenshots type: text title: Synthetics screenshot options multi: false required: false show_user: true - name: synthetics_args type: text title: Extra arguments passed to synthetic by heartbeat multi: false required: false show_user: true - name: ignore_https_errors type: bool title: Adds an option to disable errors on invalid TLS certificates in heartbeat multi: false required: false show_user: true - name: throttling.config type: text title: Either disables throttling or contains the concatenated and ready-to-use throttling configuration parameter, including download, upload, and latency values. multi: false required: false show_user: false - name: filter_journeys.tags type: yaml title: run only journeys with the given tag(s), or globs multi: false required: false show_user: true - name: filter_journeys.match type: text title: run only journeys with a name or tags that matches the configured glob multi: false required: false show_user: true - name: location_name type: text title: Location name multi: false required: false show_user: true default: "Fleet managed" - name: location_id type: text title: Location id multi: false required: false default: "fleet_managed" show_user: true - name: id type: text title: id multi: false required: false show_user: false - name: origin type: text title: Origin of the monitor, ui or project multi: false required: false show_user: false - name: processors type: yaml title: Processors multi: false required: false show_user: false description: >- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. - name: max_attempts type: integer title: Max attempts multi: false required: false show_user: true PKG{ooPK!W- synthetics-1.0.6/data_stream/browser_network/UT dPK!W3 synthetics-1.0.6/data_stream/browser_network/agent/UT dPK!W: synthetics-1.0.6/data_stream/browser_network/agent/stream/UT dPK!WQ synthetics-1.0.6/data_stream/browser_network/agent/stream/browser.network.yml.hbsUT dprocessors: - add_fields: target: '' fields: monitor.fleet_managed: truePK ^^PK!W; synthetics-1.0.6/data_stream/browser_network/elasticsearch/UT dPK!W? synthetics-1.0.6/data_stream/browser_network/elasticsearch/ilm/UT dPK!WR synthetics-1.0.6/data_stream/browser_network/elasticsearch/ilm/default_policy.jsonUT d{ "policy": { "phases": { "hot": { "actions": { "rollover": { "max_age": "1d", "max_primary_shard_size": "50gb" }, "set_priority": { "priority": 100 } } }, "delete": { "min_age": "14d", "actions": { "delete": {} } } } } }PKe;y!!PK!W4 synthetics-1.0.6/data_stream/browser_network/fields/UT dPK!WC synthetics-1.0.6/data_stream/browser_network/fields/base-fields.ymlUT d- name: data_stream.type type: constant_keyword description: Data stream type. value: synthetics - name: data_stream.dataset type: constant_keyword description: Data stream dataset name. value: browser.network - name: data_stream.namespace type: constant_keyword description: Data stream namespace. - name: '@timestamp' type: date description: Event timestamp. PKAc}}PK!W< synthetics-1.0.6/data_stream/browser_network/fields/beat.ymlUT d- name: fields type: object object_type: keyword description: > Contains user configurable fields. PKZғnnPK!W= synthetics-1.0.6/data_stream/browser_network/fields/cloud.ymlUT d- name: cloud.image.id example: ami-abcd1234 type: keyword description: > Image ID for the cloud instance. PK!GvvPK!W> synthetics-1.0.6/data_stream/browser_network/fields/common.ymlUT d- name: config_id type: keyword description: The id of run_once monitor, when initiated from the Monitor Management flow - name: test_run_id type: keyword description: The id of run_once monitor, when initiated from the Monitor Overview page - name: run_once type: boolean description: Whether the monitor is a run_once monitor - name: service.name type: keyword description: APM service name this monitor is linked to - name: monitor type: group description: > Common monitor fields. fields: - name: type type: constant_keyword value: browser description: > The monitor type. - name: name type: keyword description: > The monitors configured name multi_fields: - name: text type: text analyzer: simple - name: id type: keyword description: > The monitors full job ID as used by heartbeat. multi_fields: - name: text type: text analyzer: simple - name: duration type: group description: Total monitoring test duration fields: - name: us type: long description: Duration in microseconds - name: ip type: ip description: > IP of service being monitored. If service is monitored by hostname, the `ip` field contains the resolved ip address for the current host. - name: status required: true type: keyword description: > Indicator if monitor could validate the service to be available. - name: check_group type: keyword description: > A token unique to a simultaneously invoked group of checks as in the case where multiple IPs are checked for a single DNS entry. - name: timespan type: date_range description: > Time range this ping reported starting at the instant the check was started, ending at the start of the next scheduled check. - name: fleet_managed type: boolean description: > True if monitor is created with the Fleet integration UI PK55PK!W> synthetics-1.0.6/data_stream/browser_network/fields/docker.ymlUT d- name: docker type: group fields: - name: container.labels # TODO: How to map these? type: object object_type: keyword description: > Image labels. PKqøPK!W; synthetics-1.0.6/data_stream/browser_network/fields/ecs.ymlUT d- name: labels level: core type: object object_type: keyword description: "Custom key/value pairs.\nCan be used to add meta information to events. Should not contain nested objects. All values are stored as keyword.\nExample: `docker` and `k8s` labels." example: '{"application": "foo-bar", "env": "production"}' - name: tags level: core type: keyword ignore_above: 1024 description: List of keywords used to tag each event. example: '["production", "env2"]' - name: agent title: Agent group: 2 description: "The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host.\nExamples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken." footnote: "Examples: In the case of Beats for logs, the agent.name is filebeat. For APM, it is the agent running in the app/service. The agent information does not change if data is sent through queuing systems like Kafka, Redis, or processing systems such as Logstash or APM Server." type: group fields: - name: build.original level: core type: wildcard description: "Extended build information for the agent.\nThis field is intended to contain any build information that a data source may provide, no specific formatting is required." example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] default_field: false - name: ephemeral_id level: extended type: keyword ignore_above: 1024 description: "Ephemeral identifier of this agent (if one exists).\nThis id normally changes across restarts, but `agent.id` does not." example: 8a4f500f - name: id level: core type: keyword ignore_above: 1024 description: "Unique identifier of this agent (if one exists).\nExample: For Beats this would be beat.id." example: 8a4f500d - name: name level: core type: keyword ignore_above: 1024 description: "Custom name of the agent.\nThis is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from.\nIf no name is given, the name is often left empty." example: foo - name: type level: core type: keyword ignore_above: 1024 description: "Type of the agent.\nThe agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine." example: filebeat - name: version level: core type: keyword ignore_above: 1024 description: Version of the agent. example: 6.0.0-rc2 - name: cloud title: Cloud group: 2 description: Fields related to the cloud or infrastructure the events are coming from. footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." type: group fields: - name: account.id level: extended type: keyword ignore_above: 1024 description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." example: 666777888999 - name: account.name level: extended type: keyword ignore_above: 1024 description: "The cloud account name or alias used to identify different entities in a multi-tenant environment.\nExamples: AWS account name, Google Cloud ORG display name." example: elastic-dev default_field: false - name: availability_zone level: extended type: keyword ignore_above: 1024 description: Availability zone in which this host is running. example: us-east-1c - name: instance.id level: extended type: keyword ignore_above: 1024 description: Instance ID of the host machine. example: i-1234567890abcdef0 - name: instance.name level: extended type: keyword ignore_above: 1024 description: Instance name of the host machine. - name: machine.type level: extended type: keyword ignore_above: 1024 description: Machine type of the host machine. example: t2.medium - name: project.id level: extended type: keyword ignore_above: 1024 description: "The cloud project identifier.\nExamples: Google Cloud Project id, Azure Project id." example: my-project default_field: false - name: project.name level: extended type: keyword ignore_above: 1024 description: "The cloud project name.\nExamples: Google Cloud Project name, Azure Project name." example: my project default_field: false - name: provider level: extended type: keyword ignore_above: 1024 description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. example: aws - name: region level: extended type: keyword ignore_above: 1024 description: Region in which this host is running. example: us-east-1 - name: container title: Container group: 2 description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." type: group fields: - name: id level: core type: keyword ignore_above: 1024 description: Unique container id. - name: image.name level: extended type: keyword ignore_above: 1024 description: Name of the image the container was built on. - name: image.tag level: extended type: keyword ignore_above: 1024 description: Container image tags. - name: labels level: extended type: object object_type: keyword description: Image labels. - name: name level: extended type: keyword ignore_above: 1024 description: Container name. - name: runtime level: extended type: keyword ignore_above: 1024 description: Runtime managing this container. example: docker - name: dns title: DNS group: 2 description: "Fields describing DNS queries and answers.\nDNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`)." type: group fields: - name: answers level: extended type: object description: "An array containing an object for each answer section returned by the server.\nThe main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines.\nNot all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields." - name: answers.class level: extended type: keyword ignore_above: 1024 description: The class of DNS data contained in this resource record. example: IN - name: answers.data level: extended type: wildcard description: "The data describing the resource.\nThe meaning of this data depends on the type and class of the resource record." example: 10.10.10.10 - name: answers.name level: extended type: keyword ignore_above: 1024 description: "The domain name to which this resource record pertains.\nIf a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated." example: www.example.com - name: answers.ttl level: extended type: long description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. example: 180 - name: answers.type level: extended type: keyword ignore_above: 1024 description: The type of data contained in this resource record. example: CNAME - name: header_flags level: extended type: keyword ignore_above: 1024 description: "Array of 2 letter DNS header flags.\nExpected values are: AA, TC, RD, RA, AD, CD, DO." example: '["RD", "RA"]' - name: id level: extended type: keyword ignore_above: 1024 description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. example: 62111 - name: op_code level: extended type: keyword ignore_above: 1024 description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. example: QUERY - name: question.class level: extended type: keyword ignore_above: 1024 description: The class of records being queried. example: IN - name: question.name level: extended type: wildcard description: 'The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.' example: www.example.com - name: question.registered_domain level: extended type: keyword ignore_above: 1024 description: 'The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com - name: question.subdomain level: extended type: keyword ignore_above: 1024 description: 'The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.' example: www - name: question.top_level_domain level: extended type: keyword ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk - name: question.type level: extended type: keyword ignore_above: 1024 description: The type of record being queried. example: AAAA - name: resolved_ip level: extended type: ip description: "Array containing all IPs seen in `answers.data`.\nThe `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for." example: '["10.10.10.10", "10.10.10.11"]' - name: response_code level: extended type: keyword ignore_above: 1024 description: The DNS response code. example: NOERROR - name: type level: extended type: keyword ignore_above: 1024 description: "The type of DNS event captured, query or answer.\nIf your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`.\nIf your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers." example: answer - name: ecs title: ECS group: 2 description: Meta-information specific to ECS. type: group fields: - name: version level: core required: true type: keyword ignore_above: 1024 description: "ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.\nWhen querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events." example: 1.0.0 - name: error title: Error group: 2 description: "These fields can represent errors of any kind.\nUse them for errors that happen while fetching events or in cases where the event itself contains an error." type: group fields: - name: code level: core type: keyword ignore_above: 1024 description: Error code describing the error. - name: id level: core type: keyword ignore_above: 1024 description: Unique identifier for the error. - name: message level: core type: text description: Error message. - name: stack_trace level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: The stack trace of this error in plain text. - name: type level: extended type: wildcard description: The type of the error, for example the class name of the exception. example: java.lang.NullPointerException - name: http title: HTTP group: 2 description: Fields related to HTTP activity. Use the `url` field set to store the url of the request. type: group fields: - name: request.body.bytes level: extended type: long format: bytes description: Size in bytes of the request body. example: 887 - name: request.body.content level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: The full HTTP request body. example: Hello world - name: request.bytes level: extended type: long format: bytes description: Total size in bytes of the request (body and headers). example: 1437 - name: request.method level: extended type: keyword ignore_above: 1024 description: 'HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0' example: GET, POST, PUT, PoST - name: request.mime_type level: extended type: keyword ignore_above: 1024 description: "Mime type of the body of the request.\nThis value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients." example: image/gif default_field: false - name: request.referrer level: extended type: wildcard description: Referrer for this HTTP request. example: https://blog.example.com/ - name: response.body.bytes level: extended type: long format: bytes description: Size in bytes of the response body. example: 887 - name: response.body.content level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: The full HTTP response body. example: Hello world - name: response.bytes level: extended type: long format: bytes description: Total size in bytes of the response (body and headers). example: 1437 - name: response.mime_type level: extended type: keyword ignore_above: 1024 description: "Mime type of the body of the response.\nThis value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers." example: image/gif default_field: false - name: response.status_code level: extended type: long format: string description: HTTP response status code. example: 404 - name: version level: extended type: keyword ignore_above: 1024 description: HTTP version. example: 1.1 - name: observer title: Observer group: 2 description: "An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics.\nThis could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS." type: group fields: - name: geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal - name: geo.continent_name level: core type: keyword ignore_above: 1024 description: Name of the continent. example: North America - name: geo.country_iso_code level: core type: keyword ignore_above: 1024 description: Country ISO code. example: CA - name: geo.country_name level: core type: keyword ignore_above: 1024 description: Country name. example: Canada - name: geo.location level: core type: geo_point description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended type: wildcard description: "User-defined description of a location, at the level of granularity they care about.\nCould be the name of their data centers, the floor number, if this describes a local physical entity, city names.\nNot typically used in automated geolocation." example: boston-dc - name: geo.region_iso_code level: core type: keyword ignore_above: 1024 description: Region ISO code. example: CA-QC - name: geo.region_name level: core type: keyword ignore_above: 1024 description: Region name. example: Quebec - name: hostname level: core type: keyword ignore_above: 1024 description: Hostname of the observer. - name: ip level: core type: ip description: IP addresses of the observer. - name: mac level: core type: keyword ignore_above: 1024 description: MAC addresses of the observer - name: name level: extended type: keyword ignore_above: 1024 description: "Custom name of the observer.\nThis is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization.\nIf no custom name is needed, the field can be left empty." example: 1_proxySG - name: os.family level: extended type: keyword ignore_above: 1024 description: OS family (such as redhat, debian, freebsd, windows). example: debian - name: os.full level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: Operating system name, including the version or code name. example: Mac OS Mojave - name: os.kernel level: extended type: keyword ignore_above: 1024 description: Operating system kernel version as a raw string. example: 4.4.0-112-generic - name: os.name level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: Operating system name, without the version. example: Mac OS X - name: os.platform level: extended type: keyword ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin - name: os.version level: extended type: keyword ignore_above: 1024 description: Operating system version as a raw string. example: 10.14.1 - name: product level: extended type: keyword ignore_above: 1024 description: The product name of the observer. example: s200 - name: serial_number level: extended type: keyword ignore_above: 1024 description: Observer serial number. - name: type level: core type: keyword ignore_above: 1024 description: "The type of the observer the data is coming from.\nThere is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`." example: firewall - name: vendor level: core type: keyword ignore_above: 1024 description: Vendor name of the observer. example: Symantec - name: version level: core type: keyword ignore_above: 1024 description: Observer version. - name: tls title: TLS group: 2 description: Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files. type: group fields: - name: cipher level: extended type: keyword ignore_above: 1024 description: String indicating the cipher used during the current connection. example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 default_field: false - name: client.certificate level: extended type: keyword ignore_above: 1024 description: PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. example: MII... default_field: false - name: client.certificate_chain level: extended type: keyword ignore_above: 1024 description: Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. example: '["MII...", "MII..."]' default_field: false - name: client.hash.md5 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC default_field: false - name: client.hash.sha1 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 9E393D93138888D288266C2D915214D1D1CCEB2A default_field: false - name: client.hash.sha256 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 default_field: false - name: client.issuer level: extended type: wildcard description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com default_field: false - name: client.ja3 level: extended type: keyword ignore_above: 1024 description: A hash that identifies clients based on how they perform an SSL/TLS handshake. example: d4e5b18d6b55c71272893221c96ba240 default_field: false - name: client.not_after level: extended type: date description: Date/Time indicating when client certificate is no longer considered valid. example: "2021-01-01T00:00:00.000Z" default_field: false - name: client.not_before level: extended type: date description: Date/Time indicating when client certificate is first considered valid. example: "1970-01-01T00:00:00.000Z" default_field: false - name: client.server_name level: extended type: keyword ignore_above: 1024 description: Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. example: www.elastic.co default_field: false - name: client.subject level: extended type: wildcard description: Distinguished name of subject of the x.509 certificate presented by the client. example: CN=myclient, OU=Documentation Team, DC=example, DC=com default_field: false - name: client.supported_ciphers level: extended type: keyword ignore_above: 1024 description: Array of ciphers offered by the client during the client hello. example: '["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."]' default_field: false - name: client.x509.alternative_names level: extended type: keyword ignore_above: 1024 description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. example: "*.elastic.co" default_field: false - name: client.x509.issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - name: client.x509.issuer.country level: extended type: keyword ignore_above: 1024 description: List of country (C) codes example: US default_field: false - name: client.x509.issuer.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - name: client.x509.issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - name: client.x509.issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - name: client.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. example: www.example.com default_field: false - name: client.x509.issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: client.x509.not_after level: extended type: date description: Time at which the certificate is no longer considered valid. example: 2020-07-16 03:15:39+00:00 default_field: false - name: client.x509.not_before level: extended type: date description: Time at which the certificate is first considered valid. example: 2019-08-16 01:40:25+00:00 default_field: false - name: client.x509.public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. example: RSA default_field: false - name: client.x509.public_key_curve level: extended type: keyword ignore_above: 1024 description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. example: nistp521 default_field: false - name: client.x509.public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. example: 65537 index: false default_field: false - name: client.x509.public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - name: client.x509.serial_number level: extended type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - name: client.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA default_field: false - name: client.x509.subject.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of subject. example: shared.global.example.net default_field: false - name: client.x509.subject.country level: extended type: keyword ignore_above: 1024 description: List of country (C) code example: US default_field: false - name: client.x509.subject.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - name: client.x509.subject.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: San Francisco default_field: false - name: client.x509.subject.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of subject. example: Example, Inc. default_field: false - name: client.x509.subject.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of subject. default_field: false - name: client.x509.subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: client.x509.version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false - name: curve level: extended type: keyword ignore_above: 1024 description: String indicating the curve used for the given cipher, when applicable. example: secp256r1 default_field: false - name: established level: extended type: boolean description: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. default_field: false - name: next_protocol level: extended type: keyword ignore_above: 1024 description: String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. example: http/1.1 default_field: false - name: resumed level: extended type: boolean description: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. default_field: false - name: server.certificate level: extended type: keyword ignore_above: 1024 description: PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. example: MII... default_field: false - name: server.certificate_chain level: extended type: keyword ignore_above: 1024 description: Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. example: '["MII...", "MII..."]' default_field: false - name: server.hash.md5 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC default_field: false - name: server.hash.sha1 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 9E393D93138888D288266C2D915214D1D1CCEB2A default_field: false - name: server.hash.sha256 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 default_field: false - name: server.issuer level: extended type: wildcard description: Subject of the issuer of the x.509 certificate presented by the server. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com default_field: false - name: server.ja3s level: extended type: keyword ignore_above: 1024 description: A hash that identifies servers based on how they perform an SSL/TLS handshake. example: 394441ab65754e2207b1e1b457b3641d default_field: false - name: server.not_after level: extended type: date description: Timestamp indicating when server certificate is no longer considered valid. example: "2021-01-01T00:00:00.000Z" default_field: false - name: server.not_before level: extended type: date description: Timestamp indicating when server certificate is first considered valid. example: "1970-01-01T00:00:00.000Z" default_field: false - name: server.subject level: extended type: wildcard description: Subject of the x.509 certificate presented by the server. example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com default_field: false - name: server.x509.alternative_names level: extended type: keyword ignore_above: 1024 description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. example: "*.elastic.co" default_field: false - name: server.x509.issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - name: server.x509.issuer.country level: extended type: keyword ignore_above: 1024 description: List of country (C) codes example: US default_field: false - name: server.x509.issuer.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - name: server.x509.issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - name: server.x509.issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - name: server.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. example: www.example.com default_field: false - name: server.x509.issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: server.x509.not_after level: extended type: date description: Time at which the certificate is no longer considered valid. example: 2020-07-16 03:15:39+00:00 default_field: false - name: server.x509.not_before level: extended type: date description: Time at which the certificate is first considered valid. example: 2019-08-16 01:40:25+00:00 default_field: false - name: server.x509.public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. example: RSA default_field: false - name: server.x509.public_key_curve level: extended type: keyword ignore_above: 1024 description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. example: nistp521 default_field: false - name: server.x509.public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. example: 65537 index: false default_field: false - name: server.x509.public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - name: server.x509.serial_number level: extended type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - name: server.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA default_field: false - name: server.x509.subject.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of subject. example: shared.global.example.net default_field: false - name: server.x509.subject.country level: extended type: keyword ignore_above: 1024 description: List of country (C) code example: US default_field: false - name: server.x509.subject.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - name: server.x509.subject.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: San Francisco default_field: false - name: server.x509.subject.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of subject. example: Example, Inc. default_field: false - name: server.x509.subject.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of subject. default_field: false - name: server.x509.subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: server.x509.version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false - name: version level: extended type: keyword ignore_above: 1024 description: Numeric part of the version parsed from the original string. example: "1.2" default_field: false - name: version_protocol level: extended type: keyword ignore_above: 1024 description: Normalized lowercase protocol name parsed from original string. example: tls default_field: false - name: url title: URL group: 2 description: URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. type: group fields: - name: domain level: extended type: wildcard description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.' example: www.elastic.co - name: extension level: extended type: keyword ignore_above: 1024 description: 'The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").' example: png - name: fragment level: extended type: keyword ignore_above: 1024 description: 'Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.' - name: full level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false - name: keyword type: keyword description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. example: https://www.elastic.co:443/search?q=elasticsearch#top - name: original level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: "Unmodified original url as seen in the event source.\nNote that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.\nThis field is meant to represent the URL as it was observed, complete or not." example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - name: password level: extended type: keyword ignore_above: 1024 description: Password of the request. - name: path level: extended type: wildcard description: Path of the request, such as "/search". - name: port level: extended type: long format: string description: Port of the request, such as 443. example: 443 - name: query level: extended type: keyword ignore_above: 1024 description: 'The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' - name: registered_domain level: extended type: wildcard description: 'The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com - name: scheme level: extended type: keyword ignore_above: 1024 description: 'Scheme of the request, such as "https". Note: The `:` is not part of the scheme.' example: https - name: subdomain level: extended type: keyword ignore_above: 1024 description: 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.' example: east default_field: false - name: top_level_domain level: extended type: keyword ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk - name: username level: extended type: keyword ignore_above: 1024 description: Username of the request. - name: x509 title: x509 Certificate group: 2 description: "This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk.\nWhen the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`).\nEvents that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`." type: group fields: - name: alternative_names level: extended type: keyword ignore_above: 1024 description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. example: "*.elastic.co" default_field: false - name: issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - name: issuer.country level: extended type: keyword ignore_above: 1024 description: List of country (C) codes example: US default_field: false - name: issuer.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - name: issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - name: issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - name: issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. example: www.example.com default_field: false - name: issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: not_after level: extended type: date description: Time at which the certificate is no longer considered valid. example: 2020-07-16 03:15:39+00:00 default_field: false - name: not_before level: extended type: date description: Time at which the certificate is first considered valid. example: 2019-08-16 01:40:25+00:00 default_field: false - name: public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. example: RSA default_field: false - name: public_key_curve level: extended type: keyword ignore_above: 1024 description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. example: nistp521 default_field: false - name: public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. example: 65537 index: false default_field: false - name: public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - name: serial_number level: extended type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - name: signature_algorithm level: extended type: keyword ignore_above: 1024 description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA default_field: false - name: subject.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of subject. example: shared.global.example.net default_field: false - name: subject.country level: extended type: keyword ignore_above: 1024 description: List of country (C) code example: US default_field: false - name: subject.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - name: subject.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: San Francisco default_field: false - name: subject.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of subject. example: Example, Inc. default_field: false - name: subject.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of subject. default_field: false - name: subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false PKTPK!W< synthetics-1.0.6/data_stream/browser_network/fields/http.ymlUT d- name: http type: group description: > HTTP related fields. fields: - name: request.url level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false - name: keyword type: keyword description: The request url - name: response type: group fields: - name: body type: group fields: - name: hash type: keyword description: > Hash of the full response body. Can be used to group responses with identical hashes. - name: redirects type: keyword description: > List of redirects followed to arrive at final content. Last item on the list is the URL for which body content is shown. - name: headers.etag type: keyword description: > Identifier for a specific version of a resource - name: headers.* type: object enabled: false description: > The canonical headers of the monitored HTTP response. - name: rtt type: group description: > HTTP layer round trip times. fields: - name: validate type: group description: | Duration between first byte of HTTP request being written and response being processed by validator. Duration based on already available network connection. Note: if validator is not reading body or only a prefix, this number does not fully represent the total time needed to read the body. fields: - name: us type: long description: Duration in microseconds - name: validate_body type: group description: | Duration of validator required to read and validate the response body. Note: if validator is not reading body or only a prefix, this number does not fully represent the total time needed to read the body. fields: - name: us type: long description: Duration in microseconds - name: write_request type: group description: Duration of sending the complete HTTP request. Duration based on already available network connection. fields: - name: us type: long description: Duration in microseconds - name: response_header type: group description: Time required between sending the start of sending the HTTP request and first byte from HTTP response being read. Duration based on already available network connection. fields: - name: us type: long description: Duration in microseconds - name: content.us type: long description: Time required to retrieved the content in micro seconds. - name: total type: group description: | Duration required to process the HTTP transaction. Starts with the initial TCP connection attempt. Ends with after validator did check the response. Note: if validator is not reading body or only a prefix, this number does not fully represent the total time needed. fields: - name: us type: long description: Duration in microseconds PK!<PK!WL synthetics-1.0.6/data_stream/browser_network/fields/jolokia-autodiscover.ymlUT d- name: jolokia.agent.version type: keyword description: > Version number of jolokia agent. - name: jolokia.agent.id type: keyword description: > Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type. - name: jolokia.server.product type: keyword description: > The container product if detected. - name: jolokia.server.version type: keyword description: > The container's version (if detected). - name: jolokia.server.vendor type: keyword description: > The vendor of the container the agent is running in. - name: jolokia.url type: keyword description: > The URL how this agent can be contacted. - name: jolokia.secured type: boolean description: > Whether the agent was configured for authentication or not. PKPK!WB synthetics-1.0.6/data_stream/browser_network/fields/kubernetes.ymlUT d- name: kubernetes type: group fields: - name: pod.name type: keyword description: > Kubernetes pod name - name: pod.uid type: keyword description: > Kubernetes Pod UID - name: namespace type: keyword description: > Kubernetes namespace - name: node.name type: keyword description: > Kubernetes node name - name: node.hostname type: keyword description: > Kubernetes hostname as reported by the node’s kernel - name: labels.* type: object object_type: keyword object_type_mapping_type: "*" description: > Kubernetes labels map - name: annotations.* type: object object_type: keyword object_type_mapping_type: "*" description: > Kubernetes annotations map - name: replicaset.name type: keyword description: > Kubernetes replicaset name - name: deployment.name type: keyword description: > Kubernetes deployment name - name: statefulset.name type: keyword description: > Kubernetes statefulset name - name: container.name type: keyword description: > Kubernetes container name - name: container.image type: keyword description: > Kubernetes container image PKiiPK!W? synthetics-1.0.6/data_stream/browser_network/fields/resolve.ymlUT d- name: resolve type: group description: > Host lookup fields. fields: - name: ip type: ip description: > IP address found for the given host. - name: rtt type: group description: Duration required to resolve an IP from hostname. fields: - name: us type: long description: Duration in microseconds PKc pPK!W> synthetics-1.0.6/data_stream/browser_network/fields/socks5.ymlUT d- name: socks5 type: group description: > SOCKS5 proxy related fields: fields: - name: rtt type: group description: > TLS layer round trip times. fields: - name: connect type: group description: > Time required to establish a connection via SOCKS5 to endpoint based on available connection to SOCKS5 proxy. fields: - name: us type: long description: Duration in microseconds PK=PK!W? synthetics-1.0.6/data_stream/browser_network/fields/summary.ymlUT d- name: summary type: group description: "Present in the last event emitted during a check. If a monitor checks multiple endpoints, as is the case with `mode: all`." fields: - name: up type: integer description: > The number of endpoints that succeeded - name: down type: integer description: > The number of endpoints that failed - name: status type: keyword description: > The status of this check as a whole. Either up or down. - name: attempt type: short description: > When performing a check this number is 1 for the first check, and increments in the event of a retry. - name: max_attempts type: short description: > The maximum number of checks that may be performed. Note, the actual number may be smaller. - name: final_attempt type: boolean description: > True if no further checks will be performed in this retry group. - name: retry_group type: keyword description: "A unique token used to group checks across attempts. \n" PKAVVPK!WB synthetics-1.0.6/data_stream/browser_network/fields/synthetics.ymlUT d- name: synthetics type: group description: > Synthetics related fields. fields: - name: type type: keyword - name: package_version type: keyword - name: index type: integer description: > Indexed used for creating total order of all events in this invocation. - name: payload type: object enabled: false - name: blob type: binary description: binary data payload - name: blob_mime type: keyword description: mime type of blob data - name: step type: group fields: - name: name type: text multi_fields: - name: keyword type: keyword - name: index type: integer - name: status type: keyword - name: duration type: group description: Duration required to complete the step. fields: - name: us type: integer description: Duration in microseconds - name: journey type: group fields: - name: name type: text - name: id type: keyword - name: tags type: keyword - name: error type: group fields: - name: name type: keyword - name: message type: text - name: stack type: text PKݐttPK!W; synthetics-1.0.6/data_stream/browser_network/fields/tcp.ymlUT d- name: tcp type: group description: > TCP network layer related fields. fields: - name: rtt type: group description: > TCP layer round trip times. fields: - name: connect type: group description: > Duration required to establish a TCP connection based on already available IP address. fields: - name: us type: long description: Duration in microseconds - name: validate type: group description: > Duration of validation step based on existing TCP connection. fields: - name: us type: long description: Duration in microseconds PKR+PK!W9 synthetics-1.0.6/data_stream/browser_network/manifest.ymlUT dtype: synthetics title: synthetic monitor check dataset: browser.network ilm_policy: synthetics-synthetics.browser_network-default_policy elasticsearch: index_template: mappings: dynamic: false settings: index: codec: best_compression sort.field: - "url.full.keyword" - "http.request.url.keyword" - "http.response.headers.etag" - "monitor.id" privileges.indices: [auto_configure, create_doc, read] streams: - input: synthetics/browser title: Synthetics monitors network information description: Store network information for synthetic monitors template_path: browser.network.yml.hbs enabled: true PKBSPK!W0 synthetics-1.0.6/data_stream/browser_screenshot/UT dPK!W6 synthetics-1.0.6/data_stream/browser_screenshot/agent/UT dPK!W= synthetics-1.0.6/data_stream/browser_screenshot/agent/stream/UT dPK!WW synthetics-1.0.6/data_stream/browser_screenshot/agent/stream/browser.screenshot.yml.hbsUT dprocessors: - add_fields: target: '' fields: monitor.fleet_managed: truePK ^^PK!W> synthetics-1.0.6/data_stream/browser_screenshot/elasticsearch/UT dPK!WB synthetics-1.0.6/data_stream/browser_screenshot/elasticsearch/ilm/UT dPK!WU synthetics-1.0.6/data_stream/browser_screenshot/elasticsearch/ilm/default_policy.jsonUT d{ "policy": { "phases": { "hot": { "actions": { "rollover": { "max_age": "1d", "max_primary_shard_size": "50gb" }, "set_priority": { "priority": 100 } } }, "delete": { "min_age": "14d", "actions": { "delete": {} } } } } }PKe;y!!PK!W7 synthetics-1.0.6/data_stream/browser_screenshot/fields/UT dPK!WF synthetics-1.0.6/data_stream/browser_screenshot/fields/base-fields.ymlUT d- name: data_stream.type type: constant_keyword description: Data stream type. value: synthetics - name: data_stream.dataset type: constant_keyword description: Data stream dataset name. value: browser.screenshot - name: data_stream.namespace type: constant_keyword description: Data stream namespace. - name: '@timestamp' type: date description: Event timestamp. PKs+PK!W? synthetics-1.0.6/data_stream/browser_screenshot/fields/beat.ymlUT d- name: fields type: object object_type: keyword description: > Contains user configurable fields. PKZғnnPK!W@ synthetics-1.0.6/data_stream/browser_screenshot/fields/cloud.ymlUT d- name: cloud.image.id example: ami-abcd1234 type: keyword description: > Image ID for the cloud instance. PK!GvvPK!WA synthetics-1.0.6/data_stream/browser_screenshot/fields/common.ymlUT d- name: config_id type: keyword description: The id of run_once monitor, when initiated from the Monitor Management flow - name: test_run_id type: keyword description: The id of run_once monitor, when initiated from the Monitor Overview page - name: run_once type: boolean description: Whether the monitor is a run_once monitor - name: service.name type: keyword description: APM service name this monitor is linked to - name: monitor type: group description: > Common monitor fields. fields: - name: type type: constant_keyword value: browser description: > The monitor type. - name: name type: keyword description: > The monitors configured name multi_fields: - name: text type: text analyzer: simple - name: id type: keyword description: > The monitors full job ID as used by heartbeat. multi_fields: - name: text type: text analyzer: simple - name: duration type: group description: Total monitoring test duration fields: - name: us type: long description: Duration in microseconds - name: ip type: ip description: > IP of service being monitored. If service is monitored by hostname, the `ip` field contains the resolved ip address for the current host. - name: status required: true type: keyword description: > Indicator if monitor could validate the service to be available. - name: check_group type: keyword description: > A token unique to a simultaneously invoked group of checks as in the case where multiple IPs are checked for a single DNS entry. - name: timespan type: date_range description: > Time range this ping reported starting at the instant the check was started, ending at the start of the next scheduled check. - name: fleet_managed type: boolean description: > True if monitor is created with the Fleet integration UI PK55PK!WA synthetics-1.0.6/data_stream/browser_screenshot/fields/docker.ymlUT d- name: docker type: group fields: - name: container.labels # TODO: How to map these? type: object object_type: keyword description: > Image labels. PKqøPK!W> synthetics-1.0.6/data_stream/browser_screenshot/fields/ecs.ymlUT d- name: labels level: core type: object object_type: keyword description: "Custom key/value pairs.\nCan be used to add meta information to events. Should not contain nested objects. All values are stored as keyword.\nExample: `docker` and `k8s` labels." example: '{"application": "foo-bar", "env": "production"}' - name: tags level: core type: keyword ignore_above: 1024 description: List of keywords used to tag each event. example: '["production", "env2"]' - name: agent title: Agent group: 2 description: "The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host.\nExamples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken." footnote: "Examples: In the case of Beats for logs, the agent.name is filebeat. For APM, it is the agent running in the app/service. The agent information does not change if data is sent through queuing systems like Kafka, Redis, or processing systems such as Logstash or APM Server." type: group fields: - name: build.original level: core type: wildcard description: "Extended build information for the agent.\nThis field is intended to contain any build information that a data source may provide, no specific formatting is required." example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] default_field: false - name: ephemeral_id level: extended type: keyword ignore_above: 1024 description: "Ephemeral identifier of this agent (if one exists).\nThis id normally changes across restarts, but `agent.id` does not." example: 8a4f500f - name: id level: core type: keyword ignore_above: 1024 description: "Unique identifier of this agent (if one exists).\nExample: For Beats this would be beat.id." example: 8a4f500d - name: name level: core type: keyword ignore_above: 1024 description: "Custom name of the agent.\nThis is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from.\nIf no name is given, the name is often left empty." example: foo - name: type level: core type: keyword ignore_above: 1024 description: "Type of the agent.\nThe agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine." example: filebeat - name: version level: core type: keyword ignore_above: 1024 description: Version of the agent. example: 6.0.0-rc2 - name: cloud title: Cloud group: 2 description: Fields related to the cloud or infrastructure the events are coming from. footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." type: group fields: - name: account.id level: extended type: keyword ignore_above: 1024 description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." example: 666777888999 - name: account.name level: extended type: keyword ignore_above: 1024 description: "The cloud account name or alias used to identify different entities in a multi-tenant environment.\nExamples: AWS account name, Google Cloud ORG display name." example: elastic-dev default_field: false - name: availability_zone level: extended type: keyword ignore_above: 1024 description: Availability zone in which this host is running. example: us-east-1c - name: instance.id level: extended type: keyword ignore_above: 1024 description: Instance ID of the host machine. example: i-1234567890abcdef0 - name: instance.name level: extended type: keyword ignore_above: 1024 description: Instance name of the host machine. - name: machine.type level: extended type: keyword ignore_above: 1024 description: Machine type of the host machine. example: t2.medium - name: project.id level: extended type: keyword ignore_above: 1024 description: "The cloud project identifier.\nExamples: Google Cloud Project id, Azure Project id." example: my-project default_field: false - name: project.name level: extended type: keyword ignore_above: 1024 description: "The cloud project name.\nExamples: Google Cloud Project name, Azure Project name." example: my project default_field: false - name: provider level: extended type: keyword ignore_above: 1024 description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. example: aws - name: region level: extended type: keyword ignore_above: 1024 description: Region in which this host is running. example: us-east-1 - name: container title: Container group: 2 description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." type: group fields: - name: id level: core type: keyword ignore_above: 1024 description: Unique container id. - name: image.name level: extended type: keyword ignore_above: 1024 description: Name of the image the container was built on. - name: image.tag level: extended type: keyword ignore_above: 1024 description: Container image tags. - name: labels level: extended type: object object_type: keyword description: Image labels. - name: name level: extended type: keyword ignore_above: 1024 description: Container name. - name: runtime level: extended type: keyword ignore_above: 1024 description: Runtime managing this container. example: docker - name: dns title: DNS group: 2 description: "Fields describing DNS queries and answers.\nDNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`)." type: group fields: - name: answers level: extended type: object description: "An array containing an object for each answer section returned by the server.\nThe main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines.\nNot all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields." - name: answers.class level: extended type: keyword ignore_above: 1024 description: The class of DNS data contained in this resource record. example: IN - name: answers.data level: extended type: wildcard description: "The data describing the resource.\nThe meaning of this data depends on the type and class of the resource record." example: 10.10.10.10 - name: answers.name level: extended type: keyword ignore_above: 1024 description: "The domain name to which this resource record pertains.\nIf a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated." example: www.example.com - name: answers.ttl level: extended type: long description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. example: 180 - name: answers.type level: extended type: keyword ignore_above: 1024 description: The type of data contained in this resource record. example: CNAME - name: header_flags level: extended type: keyword ignore_above: 1024 description: "Array of 2 letter DNS header flags.\nExpected values are: AA, TC, RD, RA, AD, CD, DO." example: '["RD", "RA"]' - name: id level: extended type: keyword ignore_above: 1024 description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. example: 62111 - name: op_code level: extended type: keyword ignore_above: 1024 description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. example: QUERY - name: question.class level: extended type: keyword ignore_above: 1024 description: The class of records being queried. example: IN - name: question.name level: extended type: wildcard description: 'The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.' example: www.example.com - name: question.registered_domain level: extended type: keyword ignore_above: 1024 description: 'The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com - name: question.subdomain level: extended type: keyword ignore_above: 1024 description: 'The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.' example: www - name: question.top_level_domain level: extended type: keyword ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk - name: question.type level: extended type: keyword ignore_above: 1024 description: The type of record being queried. example: AAAA - name: resolved_ip level: extended type: ip description: "Array containing all IPs seen in `answers.data`.\nThe `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for." example: '["10.10.10.10", "10.10.10.11"]' - name: response_code level: extended type: keyword ignore_above: 1024 description: The DNS response code. example: NOERROR - name: type level: extended type: keyword ignore_above: 1024 description: "The type of DNS event captured, query or answer.\nIf your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`.\nIf your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers." example: answer - name: ecs title: ECS group: 2 description: Meta-information specific to ECS. type: group fields: - name: version level: core required: true type: keyword ignore_above: 1024 description: "ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.\nWhen querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events." example: 1.0.0 - name: error title: Error group: 2 description: "These fields can represent errors of any kind.\nUse them for errors that happen while fetching events or in cases where the event itself contains an error." type: group fields: - name: code level: core type: keyword ignore_above: 1024 description: Error code describing the error. - name: id level: core type: keyword ignore_above: 1024 description: Unique identifier for the error. - name: message level: core type: text description: Error message. - name: stack_trace level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: The stack trace of this error in plain text. - name: type level: extended type: wildcard description: The type of the error, for example the class name of the exception. example: java.lang.NullPointerException - name: http title: HTTP group: 2 description: Fields related to HTTP activity. Use the `url` field set to store the url of the request. type: group fields: - name: request.body.bytes level: extended type: long format: bytes description: Size in bytes of the request body. example: 887 - name: request.body.content level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: The full HTTP request body. example: Hello world - name: request.bytes level: extended type: long format: bytes description: Total size in bytes of the request (body and headers). example: 1437 - name: request.method level: extended type: keyword ignore_above: 1024 description: 'HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0' example: GET, POST, PUT, PoST - name: request.mime_type level: extended type: keyword ignore_above: 1024 description: "Mime type of the body of the request.\nThis value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients." example: image/gif default_field: false - name: request.referrer level: extended type: wildcard description: Referrer for this HTTP request. example: https://blog.example.com/ - name: response.body.bytes level: extended type: long format: bytes description: Size in bytes of the response body. example: 887 - name: response.body.content level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: The full HTTP response body. example: Hello world - name: response.bytes level: extended type: long format: bytes description: Total size in bytes of the response (body and headers). example: 1437 - name: response.mime_type level: extended type: keyword ignore_above: 1024 description: "Mime type of the body of the response.\nThis value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers." example: image/gif default_field: false - name: response.status_code level: extended type: long format: string description: HTTP response status code. example: 404 - name: version level: extended type: keyword ignore_above: 1024 description: HTTP version. example: 1.1 - name: observer title: Observer group: 2 description: "An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics.\nThis could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS." type: group fields: - name: geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal - name: geo.continent_name level: core type: keyword ignore_above: 1024 description: Name of the continent. example: North America - name: geo.country_iso_code level: core type: keyword ignore_above: 1024 description: Country ISO code. example: CA - name: geo.country_name level: core type: keyword ignore_above: 1024 description: Country name. example: Canada - name: geo.location level: core type: geo_point description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended type: wildcard description: "User-defined description of a location, at the level of granularity they care about.\nCould be the name of their data centers, the floor number, if this describes a local physical entity, city names.\nNot typically used in automated geolocation." example: boston-dc - name: geo.region_iso_code level: core type: keyword ignore_above: 1024 description: Region ISO code. example: CA-QC - name: geo.region_name level: core type: keyword ignore_above: 1024 description: Region name. example: Quebec - name: hostname level: core type: keyword ignore_above: 1024 description: Hostname of the observer. - name: ip level: core type: ip description: IP addresses of the observer. - name: mac level: core type: keyword ignore_above: 1024 description: MAC addresses of the observer - name: name level: extended type: keyword ignore_above: 1024 description: "Custom name of the observer.\nThis is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization.\nIf no custom name is needed, the field can be left empty." example: 1_proxySG - name: os.family level: extended type: keyword ignore_above: 1024 description: OS family (such as redhat, debian, freebsd, windows). example: debian - name: os.full level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: Operating system name, including the version or code name. example: Mac OS Mojave - name: os.kernel level: extended type: keyword ignore_above: 1024 description: Operating system kernel version as a raw string. example: 4.4.0-112-generic - name: os.name level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: Operating system name, without the version. example: Mac OS X - name: os.platform level: extended type: keyword ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin - name: os.version level: extended type: keyword ignore_above: 1024 description: Operating system version as a raw string. example: 10.14.1 - name: product level: extended type: keyword ignore_above: 1024 description: The product name of the observer. example: s200 - name: serial_number level: extended type: keyword ignore_above: 1024 description: Observer serial number. - name: type level: core type: keyword ignore_above: 1024 description: "The type of the observer the data is coming from.\nThere is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`." example: firewall - name: vendor level: core type: keyword ignore_above: 1024 description: Vendor name of the observer. example: Symantec - name: version level: core type: keyword ignore_above: 1024 description: Observer version. - name: tls title: TLS group: 2 description: Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files. type: group fields: - name: cipher level: extended type: keyword ignore_above: 1024 description: String indicating the cipher used during the current connection. example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 default_field: false - name: client.certificate level: extended type: keyword ignore_above: 1024 description: PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. example: MII... default_field: false - name: client.certificate_chain level: extended type: keyword ignore_above: 1024 description: Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. example: '["MII...", "MII..."]' default_field: false - name: client.hash.md5 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC default_field: false - name: client.hash.sha1 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 9E393D93138888D288266C2D915214D1D1CCEB2A default_field: false - name: client.hash.sha256 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 default_field: false - name: client.issuer level: extended type: wildcard description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com default_field: false - name: client.ja3 level: extended type: keyword ignore_above: 1024 description: A hash that identifies clients based on how they perform an SSL/TLS handshake. example: d4e5b18d6b55c71272893221c96ba240 default_field: false - name: client.not_after level: extended type: date description: Date/Time indicating when client certificate is no longer considered valid. example: "2021-01-01T00:00:00.000Z" default_field: false - name: client.not_before level: extended type: date description: Date/Time indicating when client certificate is first considered valid. example: "1970-01-01T00:00:00.000Z" default_field: false - name: client.server_name level: extended type: keyword ignore_above: 1024 description: Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. example: www.elastic.co default_field: false - name: client.subject level: extended type: wildcard description: Distinguished name of subject of the x.509 certificate presented by the client. example: CN=myclient, OU=Documentation Team, DC=example, DC=com default_field: false - name: client.supported_ciphers level: extended type: keyword ignore_above: 1024 description: Array of ciphers offered by the client during the client hello. example: '["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."]' default_field: false - name: client.x509.alternative_names level: extended type: keyword ignore_above: 1024 description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. example: "*.elastic.co" default_field: false - name: client.x509.issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - name: client.x509.issuer.country level: extended type: keyword ignore_above: 1024 description: List of country (C) codes example: US default_field: false - name: client.x509.issuer.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - name: client.x509.issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - name: client.x509.issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - name: client.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. example: www.example.com default_field: false - name: client.x509.issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: client.x509.not_after level: extended type: date description: Time at which the certificate is no longer considered valid. example: 2020-07-16 03:15:39+00:00 default_field: false - name: client.x509.not_before level: extended type: date description: Time at which the certificate is first considered valid. example: 2019-08-16 01:40:25+00:00 default_field: false - name: client.x509.public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. example: RSA default_field: false - name: client.x509.public_key_curve level: extended type: keyword ignore_above: 1024 description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. example: nistp521 default_field: false - name: client.x509.public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. example: 65537 index: false default_field: false - name: client.x509.public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - name: client.x509.serial_number level: extended type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - name: client.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA default_field: false - name: client.x509.subject.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of subject. example: shared.global.example.net default_field: false - name: client.x509.subject.country level: extended type: keyword ignore_above: 1024 description: List of country (C) code example: US default_field: false - name: client.x509.subject.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - name: client.x509.subject.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: San Francisco default_field: false - name: client.x509.subject.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of subject. example: Example, Inc. default_field: false - name: client.x509.subject.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of subject. default_field: false - name: client.x509.subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: client.x509.version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false - name: curve level: extended type: keyword ignore_above: 1024 description: String indicating the curve used for the given cipher, when applicable. example: secp256r1 default_field: false - name: established level: extended type: boolean description: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. default_field: false - name: next_protocol level: extended type: keyword ignore_above: 1024 description: String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. example: http/1.1 default_field: false - name: resumed level: extended type: boolean description: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. default_field: false - name: server.certificate level: extended type: keyword ignore_above: 1024 description: PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. example: MII... default_field: false - name: server.certificate_chain level: extended type: keyword ignore_above: 1024 description: Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. example: '["MII...", "MII..."]' default_field: false - name: server.hash.md5 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC default_field: false - name: server.hash.sha1 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 9E393D93138888D288266C2D915214D1D1CCEB2A default_field: false - name: server.hash.sha256 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 default_field: false - name: server.issuer level: extended type: wildcard description: Subject of the issuer of the x.509 certificate presented by the server. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com default_field: false - name: server.ja3s level: extended type: keyword ignore_above: 1024 description: A hash that identifies servers based on how they perform an SSL/TLS handshake. example: 394441ab65754e2207b1e1b457b3641d default_field: false - name: server.not_after level: extended type: date description: Timestamp indicating when server certificate is no longer considered valid. example: "2021-01-01T00:00:00.000Z" default_field: false - name: server.not_before level: extended type: date description: Timestamp indicating when server certificate is first considered valid. example: "1970-01-01T00:00:00.000Z" default_field: false - name: server.subject level: extended type: wildcard description: Subject of the x.509 certificate presented by the server. example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com default_field: false - name: server.x509.alternative_names level: extended type: keyword ignore_above: 1024 description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. example: "*.elastic.co" default_field: false - name: server.x509.issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - name: server.x509.issuer.country level: extended type: keyword ignore_above: 1024 description: List of country (C) codes example: US default_field: false - name: server.x509.issuer.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - name: server.x509.issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - name: server.x509.issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - name: server.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. example: www.example.com default_field: false - name: server.x509.issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: server.x509.not_after level: extended type: date description: Time at which the certificate is no longer considered valid. example: 2020-07-16 03:15:39+00:00 default_field: false - name: server.x509.not_before level: extended type: date description: Time at which the certificate is first considered valid. example: 2019-08-16 01:40:25+00:00 default_field: false - name: server.x509.public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. example: RSA default_field: false - name: server.x509.public_key_curve level: extended type: keyword ignore_above: 1024 description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. example: nistp521 default_field: false - name: server.x509.public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. example: 65537 index: false default_field: false - name: server.x509.public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - name: server.x509.serial_number level: extended type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - name: server.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA default_field: false - name: server.x509.subject.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of subject. example: shared.global.example.net default_field: false - name: server.x509.subject.country level: extended type: keyword ignore_above: 1024 description: List of country (C) code example: US default_field: false - name: server.x509.subject.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - name: server.x509.subject.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: San Francisco default_field: false - name: server.x509.subject.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of subject. example: Example, Inc. default_field: false - name: server.x509.subject.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of subject. default_field: false - name: server.x509.subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: server.x509.version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false - name: version level: extended type: keyword ignore_above: 1024 description: Numeric part of the version parsed from the original string. example: "1.2" default_field: false - name: version_protocol level: extended type: keyword ignore_above: 1024 description: Normalized lowercase protocol name parsed from original string. example: tls default_field: false - name: url title: URL group: 2 description: URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. type: group fields: - name: domain level: extended type: wildcard description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.' example: www.elastic.co - name: extension level: extended type: keyword ignore_above: 1024 description: 'The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").' example: png - name: fragment level: extended type: keyword ignore_above: 1024 description: 'Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.' - name: full level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. example: https://www.elastic.co:443/search?q=elasticsearch#top - name: original level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: "Unmodified original url as seen in the event source.\nNote that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.\nThis field is meant to represent the URL as it was observed, complete or not." example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - name: password level: extended type: keyword ignore_above: 1024 description: Password of the request. - name: path level: extended type: wildcard description: Path of the request, such as "/search". - name: port level: extended type: long format: string description: Port of the request, such as 443. example: 443 - name: query level: extended type: keyword ignore_above: 1024 description: 'The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' - name: registered_domain level: extended type: wildcard description: 'The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com - name: scheme level: extended type: keyword ignore_above: 1024 description: 'Scheme of the request, such as "https". Note: The `:` is not part of the scheme.' example: https - name: subdomain level: extended type: keyword ignore_above: 1024 description: 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.' example: east default_field: false - name: top_level_domain level: extended type: keyword ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk - name: username level: extended type: keyword ignore_above: 1024 description: Username of the request. - name: x509 title: x509 Certificate group: 2 description: "This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk.\nWhen the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`).\nEvents that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`." type: group fields: - name: alternative_names level: extended type: keyword ignore_above: 1024 description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. example: "*.elastic.co" default_field: false - name: issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - name: issuer.country level: extended type: keyword ignore_above: 1024 description: List of country (C) codes example: US default_field: false - name: issuer.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - name: issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - name: issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - name: issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. example: www.example.com default_field: false - name: issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: not_after level: extended type: date description: Time at which the certificate is no longer considered valid. example: 2020-07-16 03:15:39+00:00 default_field: false - name: not_before level: extended type: date description: Time at which the certificate is first considered valid. example: 2019-08-16 01:40:25+00:00 default_field: false - name: public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. example: RSA default_field: false - name: public_key_curve level: extended type: keyword ignore_above: 1024 description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. example: nistp521 default_field: false - name: public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. example: 65537 index: false default_field: false - name: public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - name: serial_number level: extended type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - name: signature_algorithm level: extended type: keyword ignore_above: 1024 description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA default_field: false - name: subject.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of subject. example: shared.global.example.net default_field: false - name: subject.country level: extended type: keyword ignore_above: 1024 description: List of country (C) code example: US default_field: false - name: subject.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - name: subject.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: San Francisco default_field: false - name: subject.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of subject. example: Example, Inc. default_field: false - name: subject.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of subject. default_field: false - name: subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false PKjPK!WO synthetics-1.0.6/data_stream/browser_screenshot/fields/jolokia-autodiscover.ymlUT d- name: jolokia.agent.version type: keyword description: > Version number of jolokia agent. - name: jolokia.agent.id type: keyword description: > Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type. - name: jolokia.server.product type: keyword description: > The container product if detected. - name: jolokia.server.version type: keyword description: > The container's version (if detected). - name: jolokia.server.vendor type: keyword description: > The vendor of the container the agent is running in. - name: jolokia.url type: keyword description: > The URL how this agent can be contacted. - name: jolokia.secured type: boolean description: > Whether the agent was configured for authentication or not. PKPK!WE synthetics-1.0.6/data_stream/browser_screenshot/fields/kubernetes.ymlUT d- name: kubernetes type: group fields: - name: pod.name type: keyword description: > Kubernetes pod name - name: pod.uid type: keyword description: > Kubernetes Pod UID - name: namespace type: keyword description: > Kubernetes namespace - name: node.name type: keyword description: > Kubernetes node name - name: node.hostname type: keyword description: > Kubernetes hostname as reported by the node’s kernel - name: labels.* type: object object_type: keyword object_type_mapping_type: "*" description: > Kubernetes labels map - name: annotations.* type: object object_type: keyword object_type_mapping_type: "*" description: > Kubernetes annotations map - name: replicaset.name type: keyword description: > Kubernetes replicaset name - name: deployment.name type: keyword description: > Kubernetes deployment name - name: statefulset.name type: keyword description: > Kubernetes statefulset name - name: container.name type: keyword description: > Kubernetes container name - name: container.image type: keyword description: > Kubernetes container image PKiiPK!WA synthetics-1.0.6/data_stream/browser_screenshot/fields/socks5.ymlUT d- name: socks5 type: group description: > SOCKS5 proxy related fields: fields: - name: rtt type: group description: > TLS layer round trip times. fields: - name: connect type: group description: > Time required to establish a connection via SOCKS5 to endpoint based on available connection to SOCKS5 proxy. fields: - name: us type: long description: Duration in microseconds PK=PK!WB synthetics-1.0.6/data_stream/browser_screenshot/fields/summary.ymlUT d- name: summary type: group description: "Present in the last event emitted during a check. If a monitor checks multiple endpoints, as is the case with `mode: all`." fields: - name: up type: integer description: > The number of endpoints that succeeded - name: down type: integer description: > The number of endpoints that failed - name: status type: keyword description: > The status of this check as a whole. Either up or down. - name: attempt type: short description: > When performing a check this number is 1 for the first check, and increments in the event of a retry. - name: max_attempts type: short description: > The maximum number of checks that may be performed. Note, the actual number may be smaller. - name: final_attempt type: boolean description: > True if no further checks will be performed in this retry group. - name: retry_group type: keyword description: >- A unique token used to group checks across attempts. PK. [[PK!WE synthetics-1.0.6/data_stream/browser_screenshot/fields/synthetics.ymlUT d- name: synthetics type: group description: > Synthetics related fields. fields: - name: type type: keyword - name: package_version type: keyword - name: index type: integer description: > Indexed used for creating total order of all events in this invocation. - name: payload type: object enabled: false - name: blob type: binary description: binary data payload - name: blob_mime type: keyword description: mime type of blob data - name: step type: group fields: - name: name type: text multi_fields: - name: keyword type: keyword - name: index type: integer - name: status type: keyword - name: duration type: group description: Duration required to complete the step. fields: - name: us type: integer description: Duration in microseconds - name: journey type: group fields: - name: name type: text - name: id type: keyword - name: tags type: keyword - name: error type: group fields: - name: name type: keyword - name: message type: text - name: stack type: text - name: screenshot_ref type: group dynamic: false fields: - name: width type: integer description: Width of the full screenshot in pixels. - name: height type: integer description: Height of the full screenshot in pixels - name: blocks type: group description: Attributes representing individual screenshot blocks. Only hash is indexed since it's the only one we'd query on. fields: - name: hash type: keyword description: Hash that uniquely identifies this image by content. Corresponds to block document id. PK5]PK!W< synthetics-1.0.6/data_stream/browser_screenshot/manifest.ymlUT dtype: synthetics title: synthetic monitor check dataset: browser.screenshot ilm_policy: synthetics-synthetics.browser_screenshot-default_policy elasticsearch: index_template: mappings: dynamic: false settings: index: codec: best_compression sort.field: - "monitor.id" privileges.indices: [auto_configure, create_doc, read] streams: - input: synthetics/browser title: Synthetics monitors screenshot information description: Store screenshots for synthetic monitors template_path: browser.screenshot.yml.hbs enabled: true PKILLPK!W" synthetics-1.0.6/data_stream/http/UT dPK!W( synthetics-1.0.6/data_stream/http/agent/UT dPK!W/ synthetics-1.0.6/data_stream/http/agent/stream/UT dPK!W; synthetics-1.0.6/data_stream/http/agent/stream/http.yml.hbsUT d__ui: {{__ui}} type: {{type}} name: {{name}} {{#if id}} id: {{id}} {{/if}} {{#if origin}} origin: {{origin}} {{/if}} {{#if location_id}} run_from.id: {{location_id}} {{/if}} {{#if location_name}} run_from.geo.name: {{location_name}} {{/if}} enabled: {{enabled}} urls: {{urls}} {{#if service.name}} service.name: {{service.name}} {{/if}} schedule: {{schedule}} timeout: {{timeout}} max_redirects: {{max_redirects}} {{#if proxy_url}} proxy_url: {{proxy_url}} {{/if}} {{#if proxy_headers}} proxy_headers: {{proxy_headers}} {{/if}} {{#if tags}} tags: {{tags}} {{/if}} {{#if username}} username: {{username}} {{/if}} {{#if password}} password: {{password}} {{/if}} response.include_headers: {{response.include_headers}} response.include_body: {{response.include_body}} {{#if response.include_body_max_bytes}} response.include_body_max_bytes: {{response.include_body_max_bytes}} {{/if}} check.request.method: {{check.request.method}} {{#if check.request.headers}} check.request.headers: {{check.request.headers}} {{/if}} {{#if check.request.body}} check.request.body: {{check.request.body}} {{/if}} {{#if check.response.status}} check.response.status: {{check.response.status}} {{/if}} {{#if check.response.headers}} check.response.headers: {{check.response.headers}} {{/if}} {{#if check.response.body.negative}} check.response.body.negative: {{check.response.body.negative}} {{/if}} {{#if check.response.body.positive}} check.response.body.positive: {{check.response.body.positive}} {{/if}} {{#if check.response.json}} check.response.json: {{check.response.json}} {{/if}} {{#if ssl.certificate}} ssl.certificate: {{ssl.certificate}} {{/if}} {{#if ssl.certificate_authorities}} ssl.certificate_authorities: {{ssl.certificate_authorities}} {{/if}} {{#if ssl.key}} ssl.key: {{ssl.key}} {{/if}} {{#if ssl.key_passphrase}} ssl.key_passphrase: {{ssl.key_passphrase}} {{/if}} {{#if ssl.verification_mode}} ssl.verification_mode: {{ssl.verification_mode}} {{/if}} {{#if ssl.supported_protocols}} ssl.supported_protocols: {{ssl.supported_protocols}} {{/if}} {{#if mode}} mode: {{mode}} {{/if}} ipv4: {{ipv4}} ipv6: {{ipv6}} {{#if max_attempts}} max_attempts: {{max_attempts}} {{/if}} {{#if processors}} processors: {{processors}} {{/if}} PKW`PK!W0 synthetics-1.0.6/data_stream/http/elasticsearch/UT dPK!W4 synthetics-1.0.6/data_stream/http/elasticsearch/ilm/UT dPK!WG synthetics-1.0.6/data_stream/http/elasticsearch/ilm/default_policy.jsonUT d{ "policy": { "phases": { "hot": { "actions": { "rollover": { "max_age": "30d", "max_primary_shard_size": "50gb" }, "set_priority": { "priority": 100 } } }, "delete": { "min_age": "365d", "actions": { "delete": {} } } } } }PK##PK!W) synthetics-1.0.6/data_stream/http/fields/UT dPK!W8 synthetics-1.0.6/data_stream/http/fields/base-fields.ymlUT d- name: data_stream.type type: constant_keyword description: Data stream type. - name: data_stream.dataset type: constant_keyword description: Data stream dataset name. - name: data_stream.namespace type: constant_keyword description: Data stream namespace. - name: dataset.type type: constant_keyword description: Dataset type. - name: dataset.name type: constant_keyword description: Dataset name. - name: dataset.namespace type: constant_keyword description: Dataset namespace. - name: '@timestamp' type: date description: Event timestamp. PKF{%;;PK!W1 synthetics-1.0.6/data_stream/http/fields/beat.ymlUT d- name: fields type: object object_type: keyword description: > Contains user configurable fields. PKZғnnPK!W2 synthetics-1.0.6/data_stream/http/fields/cloud.ymlUT d- name: cloud.image.id example: ami-abcd1234 type: keyword description: > Image ID for the cloud instance. PK!GvvPK!W3 synthetics-1.0.6/data_stream/http/fields/common.ymlUT d- name: config_id type: keyword description: The id of run_once monitor, when initiated from the Monitor Management flow - name: test_run_id type: keyword description: The id of run_once monitor, when initiated from the Monitor Overview page - name: run_once type: boolean description: Whether the monitor is a run_once monitor - name: service.name type: keyword description: APM service name this monitor is linked to - name: monitor type: group description: > Common monitor fields. fields: - name: type type: constant_keyword value: http description: > The monitor type. - name: name type: keyword description: > The monitors configured name multi_fields: - name: text type: text analyzer: simple - name: id type: keyword description: > The monitors full job ID as used by heartbeat. multi_fields: - name: text type: text analyzer: simple - name: duration type: group description: Total monitoring test duration fields: - name: us type: long description: Duration in microseconds - name: ip type: ip description: > IP of service being monitored. If service is monitored by hostname, the `ip` field contains the resolved ip address for the current host. - name: status required: true type: keyword description: > Indicator if monitor could validate the service to be available. - name: check_group type: keyword description: > A token unique to a simultaneously invoked group of checks as in the case where multiple IPs are checked for a single DNS entry. - name: timespan type: date_range description: > Time range this ping reported starting at the instant the check was started, ending at the start of the next scheduled check. - name: fleet_managed type: boolean description: > True if monitor is created with the Fleet integration UI - name: origin type: keyword description: > The source of this monitor configuration, usually either "ui", or "project" - name: project type: group description: > Project info for this monitor fields: - name: id type: keyword description: Project ID - name: name type: text description: Project name - name: state type: group description: "Present in the last event emitted during a check. If a monitor checks multiple endpoints, as is the case with `mode: all`." fields: - name: id type: keyword description: > ID of this state - name: started_at type: date description: > First time state with this ID was seen - name: duration_ms type: long description: > Length of time this state has existed in millis - name: status type: keyword description: > The current status, "up", "down", or "flapping" any state can change into flapping. - name: checks type: integer description: total checks run - name: up type: integer description: total up checks run - name: down type: integer description: total down checks run - name: flap_history enabled: false - name: ends type: group description: the state that was ended by this state fields: - name: id type: keyword description: > ID of this state - name: started_at type: date description: > First time state with this ID was seen - name: duration_ms type: long description: > Length of time this state has existed in millis - name: status type: keyword description: > The current status, "up", "down", or "flapping" any state can change into flapping. - name: checks type: integer description: total checks run - name: up type: integer description: total up checks run - name: down type: integer description: total down checks run PKpjPK!W3 synthetics-1.0.6/data_stream/http/fields/docker.ymlUT d- name: docker type: group fields: - name: container.labels # TODO: How to map these? type: object object_type: keyword description: > Image labels. PKqøPK!W0 synthetics-1.0.6/data_stream/http/fields/ecs.ymlUT d- name: labels level: core type: object object_type: keyword description: "Custom key/value pairs.\nCan be used to add meta information to events. Should not contain nested objects. All values are stored as keyword.\nExample: `docker` and `k8s` labels." example: '{"application": "foo-bar", "env": "production"}' - name: tags level: core type: keyword ignore_above: 1024 description: List of keywords used to tag each event. example: '["production", "env2"]' - name: agent title: Agent group: 2 description: "The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host.\nExamples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken." footnote: "Examples: In the case of Beats for logs, the agent.name is filebeat. For APM, it is the agent running in the app/service. The agent information does not change if data is sent through queuing systems like Kafka, Redis, or processing systems such as Logstash or APM Server." type: group fields: - name: build.original level: core type: wildcard description: "Extended build information for the agent.\nThis field is intended to contain any build information that a data source may provide, no specific formatting is required." example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] default_field: false - name: ephemeral_id level: extended type: keyword ignore_above: 1024 description: "Ephemeral identifier of this agent (if one exists).\nThis id normally changes across restarts, but `agent.id` does not." example: 8a4f500f - name: id level: core type: keyword ignore_above: 1024 description: "Unique identifier of this agent (if one exists).\nExample: For Beats this would be beat.id." example: 8a4f500d - name: name level: core type: keyword ignore_above: 1024 description: "Custom name of the agent.\nThis is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from.\nIf no name is given, the name is often left empty." example: foo - name: type level: core type: keyword ignore_above: 1024 description: "Type of the agent.\nThe agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine." example: filebeat - name: version level: core type: keyword ignore_above: 1024 description: Version of the agent. example: 6.0.0-rc2 - name: cloud title: Cloud group: 2 description: Fields related to the cloud or infrastructure the events are coming from. footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." type: group fields: - name: account.id level: extended type: keyword ignore_above: 1024 description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." example: 666777888999 - name: account.name level: extended type: keyword ignore_above: 1024 description: "The cloud account name or alias used to identify different entities in a multi-tenant environment.\nExamples: AWS account name, Google Cloud ORG display name." example: elastic-dev default_field: false - name: availability_zone level: extended type: keyword ignore_above: 1024 description: Availability zone in which this host is running. example: us-east-1c - name: instance.id level: extended type: keyword ignore_above: 1024 description: Instance ID of the host machine. example: i-1234567890abcdef0 - name: instance.name level: extended type: keyword ignore_above: 1024 description: Instance name of the host machine. - name: machine.type level: extended type: keyword ignore_above: 1024 description: Machine type of the host machine. example: t2.medium - name: project.id level: extended type: keyword ignore_above: 1024 description: "The cloud project identifier.\nExamples: Google Cloud Project id, Azure Project id." example: my-project default_field: false - name: project.name level: extended type: keyword ignore_above: 1024 description: "The cloud project name.\nExamples: Google Cloud Project name, Azure Project name." example: my project default_field: false - name: provider level: extended type: keyword ignore_above: 1024 description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. example: aws - name: region level: extended type: keyword ignore_above: 1024 description: Region in which this host is running. example: us-east-1 - name: container title: Container group: 2 description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." type: group fields: - name: id level: core type: keyword ignore_above: 1024 description: Unique container id. - name: image.name level: extended type: keyword ignore_above: 1024 description: Name of the image the container was built on. - name: image.tag level: extended type: keyword ignore_above: 1024 description: Container image tags. - name: labels level: extended type: object object_type: keyword description: Image labels. - name: name level: extended type: keyword ignore_above: 1024 description: Container name. - name: runtime level: extended type: keyword ignore_above: 1024 description: Runtime managing this container. example: docker - name: dns title: DNS group: 2 description: "Fields describing DNS queries and answers.\nDNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`)." type: group fields: - name: answers level: extended type: object description: "An array containing an object for each answer section returned by the server.\nThe main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines.\nNot all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields." - name: answers.class level: extended type: keyword ignore_above: 1024 description: The class of DNS data contained in this resource record. example: IN - name: answers.data level: extended type: wildcard description: "The data describing the resource.\nThe meaning of this data depends on the type and class of the resource record." example: 10.10.10.10 - name: answers.name level: extended type: keyword ignore_above: 1024 description: "The domain name to which this resource record pertains.\nIf a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated." example: www.example.com - name: answers.ttl level: extended type: long description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. example: 180 - name: answers.type level: extended type: keyword ignore_above: 1024 description: The type of data contained in this resource record. example: CNAME - name: header_flags level: extended type: keyword ignore_above: 1024 description: "Array of 2 letter DNS header flags.\nExpected values are: AA, TC, RD, RA, AD, CD, DO." example: '["RD", "RA"]' - name: id level: extended type: keyword ignore_above: 1024 description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. example: 62111 - name: op_code level: extended type: keyword ignore_above: 1024 description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. example: QUERY - name: question.class level: extended type: keyword ignore_above: 1024 description: The class of records being queried. example: IN - name: question.name level: extended type: wildcard description: 'The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.' example: www.example.com - name: question.registered_domain level: extended type: keyword ignore_above: 1024 description: 'The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com - name: question.subdomain level: extended type: keyword ignore_above: 1024 description: 'The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.' example: www - name: question.top_level_domain level: extended type: keyword ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk - name: question.type level: extended type: keyword ignore_above: 1024 description: The type of record being queried. example: AAAA - name: resolved_ip level: extended type: ip description: "Array containing all IPs seen in `answers.data`.\nThe `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for." example: '["10.10.10.10", "10.10.10.11"]' - name: response_code level: extended type: keyword ignore_above: 1024 description: The DNS response code. example: NOERROR - name: type level: extended type: keyword ignore_above: 1024 description: "The type of DNS event captured, query or answer.\nIf your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`.\nIf your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers." example: answer - name: ecs title: ECS group: 2 description: Meta-information specific to ECS. type: group fields: - name: version level: core required: true type: keyword ignore_above: 1024 description: "ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.\nWhen querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events." example: 1.0.0 - name: error title: Error group: 2 description: "These fields can represent errors of any kind.\nUse them for errors that happen while fetching events or in cases where the event itself contains an error." type: group fields: - name: code level: core type: keyword ignore_above: 1024 description: Error code describing the error. - name: id level: core type: keyword ignore_above: 1024 description: Unique identifier for the error. - name: message level: core type: text description: Error message. - name: stack_trace level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: The stack trace of this error in plain text. - name: type level: extended type: wildcard description: The type of the error, for example the class name of the exception. example: java.lang.NullPointerException - name: http title: HTTP group: 2 description: Fields related to HTTP activity. Use the `url` field set to store the url of the request. type: group fields: - name: request.body.bytes level: extended type: long format: bytes description: Size in bytes of the request body. example: 887 - name: request.body.content level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: The full HTTP request body. example: Hello world - name: request.bytes level: extended type: long format: bytes description: Total size in bytes of the request (body and headers). example: 1437 - name: request.method level: extended type: keyword ignore_above: 1024 description: 'HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0' example: GET, POST, PUT, PoST - name: request.mime_type level: extended type: keyword ignore_above: 1024 description: "Mime type of the body of the request.\nThis value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients." example: image/gif default_field: false - name: request.referrer level: extended type: wildcard description: Referrer for this HTTP request. example: https://blog.example.com/ - name: response.body.bytes level: extended type: long format: bytes description: Size in bytes of the response body. example: 887 - name: response.body.content level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: The full HTTP response body. example: Hello world - name: response.bytes level: extended type: long format: bytes description: Total size in bytes of the response (body and headers). example: 1437 - name: response.mime_type level: extended type: keyword ignore_above: 1024 description: "Mime type of the body of the response.\nThis value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers." example: image/gif default_field: false - name: response.status_code level: extended type: long format: string description: HTTP response status code. example: 404 - name: version level: extended type: keyword ignore_above: 1024 description: HTTP version. example: 1.1 - name: observer title: Observer group: 2 description: "An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics.\nThis could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS." type: group fields: - name: geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal - name: geo.continent_name level: core type: keyword ignore_above: 1024 description: Name of the continent. example: North America - name: geo.country_iso_code level: core type: keyword ignore_above: 1024 description: Country ISO code. example: CA - name: geo.country_name level: core type: keyword ignore_above: 1024 description: Country name. example: Canada - name: geo.location level: core type: geo_point description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended type: wildcard description: "User-defined description of a location, at the level of granularity they care about.\nCould be the name of their data centers, the floor number, if this describes a local physical entity, city names.\nNot typically used in automated geolocation." example: boston-dc - name: geo.region_iso_code level: core type: keyword ignore_above: 1024 description: Region ISO code. example: CA-QC - name: geo.region_name level: core type: keyword ignore_above: 1024 description: Region name. example: Quebec - name: hostname level: core type: keyword ignore_above: 1024 description: Hostname of the observer. - name: ip level: core type: ip description: IP addresses of the observer. - name: mac level: core type: keyword ignore_above: 1024 description: MAC addresses of the observer - name: name level: extended type: keyword ignore_above: 1024 description: "Custom name of the observer.\nThis is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization.\nIf no custom name is needed, the field can be left empty." example: 1_proxySG - name: os.family level: extended type: keyword ignore_above: 1024 description: OS family (such as redhat, debian, freebsd, windows). example: debian - name: os.full level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: Operating system name, including the version or code name. example: Mac OS Mojave - name: os.kernel level: extended type: keyword ignore_above: 1024 description: Operating system kernel version as a raw string. example: 4.4.0-112-generic - name: os.name level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: Operating system name, without the version. example: Mac OS X - name: os.platform level: extended type: keyword ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin - name: os.version level: extended type: keyword ignore_above: 1024 description: Operating system version as a raw string. example: 10.14.1 - name: product level: extended type: keyword ignore_above: 1024 description: The product name of the observer. example: s200 - name: serial_number level: extended type: keyword ignore_above: 1024 description: Observer serial number. - name: type level: core type: keyword ignore_above: 1024 description: "The type of the observer the data is coming from.\nThere is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`." example: firewall - name: vendor level: core type: keyword ignore_above: 1024 description: Vendor name of the observer. example: Symantec - name: version level: core type: keyword ignore_above: 1024 description: Observer version. - name: tls title: TLS group: 2 description: Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files. type: group fields: - name: cipher level: extended type: keyword ignore_above: 1024 description: String indicating the cipher used during the current connection. example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 default_field: false - name: client.certificate level: extended type: keyword ignore_above: 1024 description: PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. example: MII... default_field: false - name: client.certificate_chain level: extended type: keyword ignore_above: 1024 description: Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. example: '["MII...", "MII..."]' default_field: false - name: client.hash.md5 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC default_field: false - name: client.hash.sha1 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 9E393D93138888D288266C2D915214D1D1CCEB2A default_field: false - name: client.hash.sha256 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 default_field: false - name: client.issuer level: extended type: wildcard description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com default_field: false - name: client.ja3 level: extended type: keyword ignore_above: 1024 description: A hash that identifies clients based on how they perform an SSL/TLS handshake. example: d4e5b18d6b55c71272893221c96ba240 default_field: false - name: client.not_after level: extended type: date description: Date/Time indicating when client certificate is no longer considered valid. example: "2021-01-01T00:00:00.000Z" default_field: false - name: client.not_before level: extended type: date description: Date/Time indicating when client certificate is first considered valid. example: "1970-01-01T00:00:00.000Z" default_field: false - name: client.server_name level: extended type: keyword ignore_above: 1024 description: Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. example: www.elastic.co default_field: false - name: client.subject level: extended type: wildcard description: Distinguished name of subject of the x.509 certificate presented by the client. example: CN=myclient, OU=Documentation Team, DC=example, DC=com default_field: false - name: client.supported_ciphers level: extended type: keyword ignore_above: 1024 description: Array of ciphers offered by the client during the client hello. example: '["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."]' default_field: false - name: client.x509.alternative_names level: extended type: keyword ignore_above: 1024 description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. example: "*.elastic.co" default_field: false - name: client.x509.issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - name: client.x509.issuer.country level: extended type: keyword ignore_above: 1024 description: List of country (C) codes example: US default_field: false - name: client.x509.issuer.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - name: client.x509.issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - name: client.x509.issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - name: client.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. example: www.example.com default_field: false - name: client.x509.issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: client.x509.not_after level: extended type: date description: Time at which the certificate is no longer considered valid. example: 2020-07-16 03:15:39+00:00 default_field: false - name: client.x509.not_before level: extended type: date description: Time at which the certificate is first considered valid. example: 2019-08-16 01:40:25+00:00 default_field: false - name: client.x509.public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. example: RSA default_field: false - name: client.x509.public_key_curve level: extended type: keyword ignore_above: 1024 description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. example: nistp521 default_field: false - name: client.x509.public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. example: 65537 index: false default_field: false - name: client.x509.public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - name: client.x509.serial_number level: extended type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - name: client.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA default_field: false - name: client.x509.subject.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of subject. example: shared.global.example.net default_field: false - name: client.x509.subject.country level: extended type: keyword ignore_above: 1024 description: List of country (C) code example: US default_field: false - name: client.x509.subject.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - name: client.x509.subject.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: San Francisco default_field: false - name: client.x509.subject.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of subject. example: Example, Inc. default_field: false - name: client.x509.subject.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of subject. default_field: false - name: client.x509.subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: client.x509.version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false - name: curve level: extended type: keyword ignore_above: 1024 description: String indicating the curve used for the given cipher, when applicable. example: secp256r1 default_field: false - name: established level: extended type: boolean description: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. default_field: false - name: next_protocol level: extended type: keyword ignore_above: 1024 description: String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. example: http/1.1 default_field: false - name: resumed level: extended type: boolean description: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. default_field: false - name: server.certificate level: extended type: keyword ignore_above: 1024 description: PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. example: MII... default_field: false - name: server.certificate_chain level: extended type: keyword ignore_above: 1024 description: Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. example: '["MII...", "MII..."]' default_field: false - name: server.hash.md5 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC default_field: false - name: server.hash.sha1 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 9E393D93138888D288266C2D915214D1D1CCEB2A default_field: false - name: server.hash.sha256 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 default_field: false - name: server.issuer level: extended type: wildcard description: Subject of the issuer of the x.509 certificate presented by the server. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com default_field: false - name: server.ja3s level: extended type: keyword ignore_above: 1024 description: A hash that identifies servers based on how they perform an SSL/TLS handshake. example: 394441ab65754e2207b1e1b457b3641d default_field: false - name: server.not_after level: extended type: date description: Timestamp indicating when server certificate is no longer considered valid. example: "2021-01-01T00:00:00.000Z" default_field: false - name: server.not_before level: extended type: date description: Timestamp indicating when server certificate is first considered valid. example: "1970-01-01T00:00:00.000Z" default_field: false - name: server.subject level: extended type: wildcard description: Subject of the x.509 certificate presented by the server. example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com default_field: false - name: server.x509.alternative_names level: extended type: keyword ignore_above: 1024 description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. example: "*.elastic.co" default_field: false - name: server.x509.issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - name: server.x509.issuer.country level: extended type: keyword ignore_above: 1024 description: List of country (C) codes example: US default_field: false - name: server.x509.issuer.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - name: server.x509.issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - name: server.x509.issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - name: server.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. example: www.example.com default_field: false - name: server.x509.issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: server.x509.not_after level: extended type: date description: Time at which the certificate is no longer considered valid. example: 2020-07-16 03:15:39+00:00 default_field: false - name: server.x509.not_before level: extended type: date description: Time at which the certificate is first considered valid. example: 2019-08-16 01:40:25+00:00 default_field: false - name: server.x509.public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. example: RSA default_field: false - name: server.x509.public_key_curve level: extended type: keyword ignore_above: 1024 description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. example: nistp521 default_field: false - name: server.x509.public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. example: 65537 index: false default_field: false - name: server.x509.public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - name: server.x509.serial_number level: extended type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - name: server.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA default_field: false - name: server.x509.subject.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of subject. example: shared.global.example.net default_field: false - name: server.x509.subject.country level: extended type: keyword ignore_above: 1024 description: List of country (C) code example: US default_field: false - name: server.x509.subject.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - name: server.x509.subject.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: San Francisco default_field: false - name: server.x509.subject.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of subject. example: Example, Inc. default_field: false - name: server.x509.subject.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of subject. default_field: false - name: server.x509.subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: server.x509.version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false - name: version level: extended type: keyword ignore_above: 1024 description: Numeric part of the version parsed from the original string. example: "1.2" default_field: false - name: version_protocol level: extended type: keyword ignore_above: 1024 description: Normalized lowercase protocol name parsed from original string. example: tls default_field: false - name: url title: URL group: 2 description: URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. type: group fields: - name: domain level: extended type: wildcard description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.' example: www.elastic.co - name: extension level: extended type: keyword ignore_above: 1024 description: 'The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").' example: png - name: fragment level: extended type: keyword ignore_above: 1024 description: 'Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.' - name: full level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false - name: keyword type: keyword description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. example: https://www.elastic.co:443/search?q=elasticsearch#top - name: original level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: "Unmodified original url as seen in the event source.\nNote that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.\nThis field is meant to represent the URL as it was observed, complete or not." example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - name: password level: extended type: keyword ignore_above: 1024 description: Password of the request. - name: path level: extended type: wildcard description: Path of the request, such as "/search". - name: port level: extended type: long format: string description: Port of the request, such as 443. example: 443 - name: query level: extended type: keyword ignore_above: 1024 description: 'The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' - name: registered_domain level: extended type: wildcard description: 'The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com - name: scheme level: extended type: keyword ignore_above: 1024 description: 'Scheme of the request, such as "https". Note: The `:` is not part of the scheme.' example: https - name: subdomain level: extended type: keyword ignore_above: 1024 description: 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.' example: east default_field: false - name: top_level_domain level: extended type: keyword ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk - name: username level: extended type: keyword ignore_above: 1024 description: Username of the request. - name: x509 title: x509 Certificate group: 2 description: "This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk.\nWhen the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`).\nEvents that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`." type: group fields: - name: alternative_names level: extended type: keyword ignore_above: 1024 description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. example: "*.elastic.co" default_field: false - name: issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - name: issuer.country level: extended type: keyword ignore_above: 1024 description: List of country (C) codes example: US default_field: false - name: issuer.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - name: issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - name: issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - name: issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. example: www.example.com default_field: false - name: issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: not_after level: extended type: date description: Time at which the certificate is no longer considered valid. example: 2020-07-16 03:15:39+00:00 default_field: false - name: not_before level: extended type: date description: Time at which the certificate is first considered valid. example: 2019-08-16 01:40:25+00:00 default_field: false - name: public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. example: RSA default_field: false - name: public_key_curve level: extended type: keyword ignore_above: 1024 description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. example: nistp521 default_field: false - name: public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. example: 65537 index: false default_field: false - name: public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - name: serial_number level: extended type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - name: signature_algorithm level: extended type: keyword ignore_above: 1024 description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA default_field: false - name: subject.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of subject. example: shared.global.example.net default_field: false - name: subject.country level: extended type: keyword ignore_above: 1024 description: List of country (C) code example: US default_field: false - name: subject.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - name: subject.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: San Francisco default_field: false - name: subject.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of subject. example: Example, Inc. default_field: false - name: subject.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of subject. default_field: false - name: subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false PKTPK!W1 synthetics-1.0.6/data_stream/http/fields/http.ymlUT d- name: http type: group description: > HTTP related fields. fields: - name: response type: group fields: - name: body type: group fields: - name: hash type: keyword description: > Hash of the full response body. Can be used to group responses with identical hashes. - name: redirects type: keyword description: > List of redirects followed to arrive at final content. Last item on the list is the URL for which body content is shown. - name: headers.* type: object enabled: false description: > The canonical headers of the monitored HTTP response. - name: rtt type: group description: > HTTP layer round trip times. fields: - name: validate type: group description: | Duration between first byte of HTTP request being written and response being processed by validator. Duration based on already available network connection. Note: if validator is not reading body or only a prefix, this number does not fully represent the total time needed to read the body. fields: - name: us type: long description: Duration in microseconds - name: validate_body type: group description: | Duration of validator required to read and validate the response body. Note: if validator is not reading body or only a prefix, this number does not fully represent the total time needed to read the body. fields: - name: us type: long description: Duration in microseconds - name: write_request type: group description: Duration of sending the complete HTTP request. Duration based on already available network connection. fields: - name: us type: long description: Duration in microseconds - name: response_header type: group description: Time required between sending the start of sending the HTTP request and first byte from HTTP response being read. Duration based on already available network connection. fields: - name: us type: long description: Duration in microseconds - name: content.us type: long description: Time required to retrieved the content in micro seconds. - name: total type: group description: | Duration required to process the HTTP transaction. Starts with the initial TCP connection attempt. Ends with after validator did check the response. Note: if validator is not reading body or only a prefix, this number does not fully represent the total time needed. fields: - name: us type: long description: Duration in microseconds PKM PK!WA synthetics-1.0.6/data_stream/http/fields/jolokia-autodiscover.ymlUT d- name: jolokia.agent.version type: keyword description: > Version number of jolokia agent. - name: jolokia.agent.id type: keyword description: > Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type. - name: jolokia.server.product type: keyword description: > The container product if detected. - name: jolokia.server.version type: keyword description: > The container's version (if detected). - name: jolokia.server.vendor type: keyword description: > The vendor of the container the agent is running in. - name: jolokia.url type: keyword description: > The URL how this agent can be contacted. - name: jolokia.secured type: boolean description: > Whether the agent was configured for authentication or not. PKPK!W7 synthetics-1.0.6/data_stream/http/fields/kubernetes.ymlUT d- name: kubernetes type: group fields: - name: pod.name type: keyword description: > Kubernetes pod name - name: pod.uid type: keyword description: > Kubernetes Pod UID - name: namespace type: keyword description: > Kubernetes namespace - name: node.name type: keyword description: > Kubernetes node name - name: node.hostname type: keyword description: > Kubernetes hostname as reported by the node’s kernel - name: labels.* type: object object_type: keyword object_type_mapping_type: "*" description: > Kubernetes labels map - name: annotations.* type: object object_type: keyword object_type_mapping_type: "*" description: > Kubernetes annotations map - name: replicaset.name type: keyword description: > Kubernetes replicaset name - name: deployment.name type: keyword description: > Kubernetes deployment name - name: statefulset.name type: keyword description: > Kubernetes statefulset name - name: container.name type: keyword description: > Kubernetes container name - name: container.image type: keyword description: > Kubernetes container image PKiiPK!W4 synthetics-1.0.6/data_stream/http/fields/resolve.ymlUT d- name: resolve type: group description: > Host lookup fields. fields: - name: ip type: ip description: > IP address found for the given host. - name: rtt type: group description: Duration required to resolve an IP from hostname. fields: - name: us type: long description: Duration in microseconds PKc pPK!W3 synthetics-1.0.6/data_stream/http/fields/socks5.ymlUT d- name: socks5 type: group description: > SOCKS5 proxy related fields: fields: - name: rtt type: group description: > TLS layer round trip times. fields: - name: connect type: group description: > Time required to establish a connection via SOCKS5 to endpoint based on available connection to SOCKS5 proxy. fields: - name: us type: long description: Duration in microseconds PK=PK!W4 synthetics-1.0.6/data_stream/http/fields/summary.ymlUT d- name: summary type: group description: "Present in the last event emitted during a check. If a monitor checks multiple endpoints, as is the case with `mode: all`." fields: - name: up type: integer description: > The number of endpoints that succeeded - name: down type: integer description: > The number of endpoints that failed - name: status type: keyword description: > The status of this check as a whole. Either up or down. - name: attempt type: short description: > When performing a check this number is 1 for the first check, and increments in the event of a retry. - name: max_attempts type: short description: > The maximum number of checks that may be performed. Note, the actual number may be smaller. - name: final_attempt type: boolean description: > True if no further checks will be performed in this retry group. - name: retry_group type: keyword description: >- A unique token used to group checks across attempts. PK. [[PK!W0 synthetics-1.0.6/data_stream/http/fields/tcp.ymlUT d- name: tcp type: group description: > TCP network layer related fields. fields: - name: rtt type: group description: > TCP layer round trip times. fields: - name: connect type: group description: > Duration required to establish a TCP connection based on already available IP address. fields: - name: us type: long description: Duration in microseconds - name: validate type: group description: > Duration of validation step based on existing TCP connection. fields: - name: us type: long description: Duration in microseconds PKR+PK!W0 synthetics-1.0.6/data_stream/http/fields/tls.ymlUT d- name: tls type: group description: > TLS layer related fields. fields: - name: certificate_not_valid_before type: date deprecated: 7.8.0 description: Deprecated in favor of `tls.server.x509.not_before`. Earliest time at which the connection's certificates are valid. - name: certificate_not_valid_after deprecated: 7.8.0 type: date description: Deprecated in favor of `tls.server.x509.not_after`. Latest time at which the connection's certificates are valid. - name: rtt type: group description: > TLS layer round trip times. fields: - name: handshake type: group description: > Time required to finish TLS handshake based on already available network connection. fields: - name: us type: long description: Duration in microseconds - name: server type: group description: Detailed x509 certificate metadata fields: - name: version_number type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false PKmٯPK!W. synthetics-1.0.6/data_stream/http/manifest.ymlUT dtype: synthetics title: synthetic monitor check dataset: http ilm_policy: synthetics-synthetics.http-default_policy elasticsearch: index_template: mappings: dynamic: false settings: index: codec: best_compression sort.field: - "monitor.id" - "url.full.keyword" privileges.indices: [auto_configure, create_doc, read] streams: - input: synthetics/http title: Synthetic monitor check description: Monitor the health of an HTTP endpoint template_path: http.yml.hbs enabled: false vars: - name: __ui type: yaml title: metadata about the package multi: false required: false show_user: false - name: enabled type: bool title: Whether the monitor is enabled multi: false required: true show_user: true default: true - name: type type: text title: Monitor type multi: false required: true show_user: true default: http - name: name type: text title: Monitor name multi: false required: false show_user: true - name: schedule type: text title: Schedule multi: false required: true show_user: true default: "\"@every 3m\"" - name: urls type: text title: URL # do not change this to true, we specifically want it to be singular multi: false required: true show_user: true - name: service.name type: text title: APM Service Name multi: false required: false show_user: true - name: timeout type: text title: Timeout multi: false required: false show_user: true - name: max_redirects type: integer title: Timeout multi: false required: false show_user: true - name: proxy_url type: text title: Proxy URL multi: false required: false show_user: true - name: proxy_headers type: yaml title: Proxy headers multi: false required: false show_user: true - name: tags type: yaml title: Tags multi: false required: false show_user: true - name: username type: text title: Username multi: false required: false show_user: true - name: password type: password title: Password multi: false required: false show_user: true - name: response.include_headers type: bool title: Index response headers multi: false required: false show_user: true - name: response.include_body type: text title: Index response headers multi: false required: false show_user: true - name: response.include_body_max_bytes type: text title: Max bytes to include in response body when indexed multi: false required: false show_user: true - name: check.request.method type: text title: Request method multi: false required: false show_user: true - name: check.request.headers type: yaml title: Optional request headers multi: false required: false show_user: true - name: check.request.body type: yaml title: Optional request body multi: false required: false show_user: true - name: check.response.status type: yaml title: Response status includes multi: false required: false show_user: true - name: check.response.headers type: yaml title: Response headers includes multi: false required: false show_user: true - name: check.response.body.positive type: yaml title: Check response body includes multi: false required: false show_user: true - name: check.response.body.negative type: yaml title: Check response body does not include multi: false required: false show_user: true - name: check.response.json type: yaml title: A list of expressions executed against the body when parsed as JSON. multi: false required: false show_user: true - name: ssl.certificate_authorities type: yaml title: Certificate authorities multi: false required: false show_user: true - name: ssl.certificate type: yaml title: Certificate multi: false required: false show_user: true - name: ssl.key type: yaml title: Certificate private key multi: false required: false show_user: true - name: ssl.key_passphrase type: text title: Private key passphrase multi: false required: false show_user: true - name: ssl.verification_mode type: text title: SSL Verification mode multi: false required: false show_user: true - name: ssl.supported_protocols type: yaml title: Supported protocols multi: false required: false show_user: true - name: location_name type: text title: Location name multi: false required: false show_user: true default: "Fleet managed" - name: location_id type: text title: Location id multi: false required: false show_user: true default: "fleet_managed" - name: id type: text title: id multi: false required: false show_user: false - name: origin type: text title: Origin of the monitor, ui or project multi: false required: false show_user: false - name: mode type: text title: Heartbeat mode multi: false required: false show_user: true - name: ipv4 type: bool title: Use the ipv4 protocol multi: false required: false show_user: true default: true - name: ipv6 type: bool title: Use the ipv6 protocol multi: false required: false show_user: true default: true - name: processors type: yaml title: Processors multi: false required: false show_user: false description: >- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. - name: max_attempts type: integer title: Max attempts multi: false required: false show_user: true PK{{PK!W" synthetics-1.0.6/data_stream/icmp/UT dPK!W( synthetics-1.0.6/data_stream/icmp/agent/UT dPK!W/ synthetics-1.0.6/data_stream/icmp/agent/stream/UT dPK!W; synthetics-1.0.6/data_stream/icmp/agent/stream/icmp.yml.hbsUT d__ui: {{__ui}} type: {{type}} name: {{name}} {{#if id}} id: {{id}} {{/if}} {{#if origin}} origin: {{origin}} {{/if}} {{#if location_id}} run_from.id: {{location_id}} {{/if}} {{#if location_name}} run_from.geo.name: {{location_name}} {{/if}} enabled: {{enabled}} hosts: {{hosts}} {{#if service.name}} service.name: {{service.name}} {{/if}} schedule: {{schedule}} wait: {{wait}} timeout: {{timeout}} {{#if tags}} tags: {{tags}} {{/if}} {{#if mode}} mode: {{mode}} {{/if}} ipv4: {{ipv4}} ipv6: {{ipv6}} {{#if max_attempts}} max_attempts: {{max_attempts}} {{/if}} {{#if processors}} processors: {{processors}} {{/if}}PKJeePK!W0 synthetics-1.0.6/data_stream/icmp/elasticsearch/UT dPK!W4 synthetics-1.0.6/data_stream/icmp/elasticsearch/ilm/UT dPK!WG synthetics-1.0.6/data_stream/icmp/elasticsearch/ilm/default_policy.jsonUT d{ "policy": { "phases": { "hot": { "actions": { "rollover": { "max_age": "30d", "max_primary_shard_size": "50gb" }, "set_priority": { "priority": 100 } } }, "delete": { "min_age": "365d", "actions": { "delete": {} } } } } }PK##PK!W) synthetics-1.0.6/data_stream/icmp/fields/UT dPK!W8 synthetics-1.0.6/data_stream/icmp/fields/base-fields.ymlUT d- name: data_stream.type type: constant_keyword description: Data stream type. - name: data_stream.dataset type: constant_keyword description: Data stream dataset name. - name: data_stream.namespace type: constant_keyword description: Data stream namespace. - name: dataset.type type: constant_keyword description: Dataset type. - name: dataset.name type: constant_keyword description: Dataset name. - name: dataset.namespace type: constant_keyword description: Dataset namespace. - name: '@timestamp' type: date description: Event timestamp. PKF{%;;PK!W1 synthetics-1.0.6/data_stream/icmp/fields/beat.ymlUT d- name: fields type: object object_type: keyword description: > Contains user configurable fields. PKZғnnPK!W2 synthetics-1.0.6/data_stream/icmp/fields/cloud.ymlUT d- name: cloud.image.id example: ami-abcd1234 type: keyword description: > Image ID for the cloud instance. PK!GvvPK!W3 synthetics-1.0.6/data_stream/icmp/fields/common.ymlUT d- name: config_id type: keyword description: The id of run_once monitor, when initiated from the Monitor Management flow - name: test_run_id type: keyword description: The id of run_once monitor, when initiated from the Monitor Overview page - name: run_once type: boolean description: Whether the monitor is a run_once monitor - name: service.name type: keyword description: APM service name this monitor is linked to - name: monitor type: group description: > Common monitor fields. fields: - name: type type: constant_keyword value: icmp description: > The monitor type. - name: name type: keyword description: > The monitors configured name multi_fields: - name: text type: text analyzer: simple - name: id type: keyword description: > The monitors full job ID as used by heartbeat. multi_fields: - name: text type: text analyzer: simple - name: duration type: group description: Total monitoring test duration fields: - name: us type: long description: Duration in microseconds - name: ip type: ip description: > IP of service being monitored. If service is monitored by hostname, the `ip` field contains the resolved ip address for the current host. - name: status required: true type: keyword description: > Indicator if monitor could validate the service to be available. - name: check_group type: keyword description: > A token unique to a simultaneously invoked group of checks as in the case where multiple IPs are checked for a single DNS entry. - name: timespan type: date_range description: > Time range this ping reported starting at the instant the check was started, ending at the start of the next scheduled check. - name: fleet_managed type: boolean description: > True if monitor is created with the Fleet integration UI - name: origin type: keyword description: > The source of this monitor configuration, usually either "ui", or "project" - name: project type: group description: > Project info for this monitor fields: - name: id type: keyword description: Project ID - name: name type: text description: Project name - name: state type: group description: "Present in the last event emitted during a check. If a monitor checks multiple endpoints, as is the case with `mode: all`." fields: - name: id type: keyword description: > ID of this state - name: started_at type: date description: > First time state with this ID was seen - name: duration_ms type: long description: > Length of time this state has existed in millis - name: status type: keyword description: > The current status, "up", "down", or "flapping" any state can change into flapping. - name: checks type: integer description: total checks run - name: up type: integer description: total up checks run - name: down type: integer description: total down checks run - name: flap_history enabled: false - name: ends type: group description: the state that was ended by this state fields: - name: id type: keyword description: > ID of this state - name: started_at type: date description: > First time state with this ID was seen - name: duration_ms type: long description: > Length of time this state has existed in millis - name: status type: keyword description: > The current status, "up", "down", or "flapping" any state can change into flapping. - name: checks type: integer description: total checks run - name: up type: integer description: total up checks run - name: down type: integer description: total down checks run PK PK!W3 synthetics-1.0.6/data_stream/icmp/fields/docker.ymlUT d- name: docker type: group fields: - name: container.labels # TODO: How to map these? type: object object_type: keyword description: > Image labels. PKqøPK!W0 synthetics-1.0.6/data_stream/icmp/fields/ecs.ymlUT d- name: labels level: core type: object object_type: keyword description: "Custom key/value pairs.\nCan be used to add meta information to events. Should not contain nested objects. All values are stored as keyword.\nExample: `docker` and `k8s` labels." example: '{"application": "foo-bar", "env": "production"}' - name: tags level: core type: keyword ignore_above: 1024 description: List of keywords used to tag each event. example: '["production", "env2"]' - name: agent title: Agent group: 2 description: "The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host.\nExamples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken." footnote: "Examples: In the case of Beats for logs, the agent.name is filebeat. For APM, it is the agent running in the app/service. The agent information does not change if data is sent through queuing systems like Kafka, Redis, or processing systems such as Logstash or APM Server." type: group fields: - name: build.original level: core type: wildcard description: "Extended build information for the agent.\nThis field is intended to contain any build information that a data source may provide, no specific formatting is required." example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] default_field: false - name: ephemeral_id level: extended type: keyword ignore_above: 1024 description: "Ephemeral identifier of this agent (if one exists).\nThis id normally changes across restarts, but `agent.id` does not." example: 8a4f500f - name: id level: core type: keyword ignore_above: 1024 description: "Unique identifier of this agent (if one exists).\nExample: For Beats this would be beat.id." example: 8a4f500d - name: name level: core type: keyword ignore_above: 1024 description: "Custom name of the agent.\nThis is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from.\nIf no name is given, the name is often left empty." example: foo - name: type level: core type: keyword ignore_above: 1024 description: "Type of the agent.\nThe agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine." example: filebeat - name: version level: core type: keyword ignore_above: 1024 description: Version of the agent. example: 6.0.0-rc2 - name: cloud title: Cloud group: 2 description: Fields related to the cloud or infrastructure the events are coming from. footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." type: group fields: - name: account.id level: extended type: keyword ignore_above: 1024 description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." example: 666777888999 - name: account.name level: extended type: keyword ignore_above: 1024 description: "The cloud account name or alias used to identify different entities in a multi-tenant environment.\nExamples: AWS account name, Google Cloud ORG display name." example: elastic-dev default_field: false - name: availability_zone level: extended type: keyword ignore_above: 1024 description: Availability zone in which this host is running. example: us-east-1c - name: instance.id level: extended type: keyword ignore_above: 1024 description: Instance ID of the host machine. example: i-1234567890abcdef0 - name: instance.name level: extended type: keyword ignore_above: 1024 description: Instance name of the host machine. - name: machine.type level: extended type: keyword ignore_above: 1024 description: Machine type of the host machine. example: t2.medium - name: project.id level: extended type: keyword ignore_above: 1024 description: "The cloud project identifier.\nExamples: Google Cloud Project id, Azure Project id." example: my-project default_field: false - name: project.name level: extended type: keyword ignore_above: 1024 description: "The cloud project name.\nExamples: Google Cloud Project name, Azure Project name." example: my project default_field: false - name: provider level: extended type: keyword ignore_above: 1024 description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. example: aws - name: region level: extended type: keyword ignore_above: 1024 description: Region in which this host is running. example: us-east-1 - name: container title: Container group: 2 description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." type: group fields: - name: id level: core type: keyword ignore_above: 1024 description: Unique container id. - name: image.name level: extended type: keyword ignore_above: 1024 description: Name of the image the container was built on. - name: image.tag level: extended type: keyword ignore_above: 1024 description: Container image tags. - name: labels level: extended type: object object_type: keyword description: Image labels. - name: name level: extended type: keyword ignore_above: 1024 description: Container name. - name: runtime level: extended type: keyword ignore_above: 1024 description: Runtime managing this container. example: docker - name: dns title: DNS group: 2 description: "Fields describing DNS queries and answers.\nDNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`)." type: group fields: - name: answers level: extended type: object description: "An array containing an object for each answer section returned by the server.\nThe main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines.\nNot all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields." - name: answers.class level: extended type: keyword ignore_above: 1024 description: The class of DNS data contained in this resource record. example: IN - name: answers.data level: extended type: wildcard description: "The data describing the resource.\nThe meaning of this data depends on the type and class of the resource record." example: 10.10.10.10 - name: answers.name level: extended type: keyword ignore_above: 1024 description: "The domain name to which this resource record pertains.\nIf a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated." example: www.example.com - name: answers.ttl level: extended type: long description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. example: 180 - name: answers.type level: extended type: keyword ignore_above: 1024 description: The type of data contained in this resource record. example: CNAME - name: header_flags level: extended type: keyword ignore_above: 1024 description: "Array of 2 letter DNS header flags.\nExpected values are: AA, TC, RD, RA, AD, CD, DO." example: '["RD", "RA"]' - name: id level: extended type: keyword ignore_above: 1024 description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. example: 62111 - name: op_code level: extended type: keyword ignore_above: 1024 description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. example: QUERY - name: question.class level: extended type: keyword ignore_above: 1024 description: The class of records being queried. example: IN - name: question.name level: extended type: wildcard description: 'The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.' example: www.example.com - name: question.registered_domain level: extended type: keyword ignore_above: 1024 description: 'The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com - name: question.subdomain level: extended type: keyword ignore_above: 1024 description: 'The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.' example: www - name: question.top_level_domain level: extended type: keyword ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk - name: question.type level: extended type: keyword ignore_above: 1024 description: The type of record being queried. example: AAAA - name: resolved_ip level: extended type: ip description: "Array containing all IPs seen in `answers.data`.\nThe `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for." example: '["10.10.10.10", "10.10.10.11"]' - name: response_code level: extended type: keyword ignore_above: 1024 description: The DNS response code. example: NOERROR - name: type level: extended type: keyword ignore_above: 1024 description: "The type of DNS event captured, query or answer.\nIf your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`.\nIf your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers." example: answer - name: ecs title: ECS group: 2 description: Meta-information specific to ECS. type: group fields: - name: version level: core required: true type: keyword ignore_above: 1024 description: "ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.\nWhen querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events." example: 1.0.0 - name: error title: Error group: 2 description: "These fields can represent errors of any kind.\nUse them for errors that happen while fetching events or in cases where the event itself contains an error." type: group fields: - name: code level: core type: keyword ignore_above: 1024 description: Error code describing the error. - name: id level: core type: keyword ignore_above: 1024 description: Unique identifier for the error. - name: message level: core type: text description: Error message. - name: stack_trace level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: The stack trace of this error in plain text. - name: type level: extended type: wildcard description: The type of the error, for example the class name of the exception. example: java.lang.NullPointerException - name: http title: HTTP group: 2 description: Fields related to HTTP activity. Use the `url` field set to store the url of the request. type: group fields: - name: request.body.bytes level: extended type: long format: bytes description: Size in bytes of the request body. example: 887 - name: request.body.content level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: The full HTTP request body. example: Hello world - name: request.bytes level: extended type: long format: bytes description: Total size in bytes of the request (body and headers). example: 1437 - name: request.method level: extended type: keyword ignore_above: 1024 description: 'HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0' example: GET, POST, PUT, PoST - name: request.mime_type level: extended type: keyword ignore_above: 1024 description: "Mime type of the body of the request.\nThis value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients." example: image/gif default_field: false - name: request.referrer level: extended type: wildcard description: Referrer for this HTTP request. example: https://blog.example.com/ - name: response.body.bytes level: extended type: long format: bytes description: Size in bytes of the response body. example: 887 - name: response.body.content level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: The full HTTP response body. example: Hello world - name: response.bytes level: extended type: long format: bytes description: Total size in bytes of the response (body and headers). example: 1437 - name: response.mime_type level: extended type: keyword ignore_above: 1024 description: "Mime type of the body of the response.\nThis value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers." example: image/gif default_field: false - name: response.status_code level: extended type: long format: string description: HTTP response status code. example: 404 - name: version level: extended type: keyword ignore_above: 1024 description: HTTP version. example: 1.1 - name: observer title: Observer group: 2 description: "An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics.\nThis could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS." type: group fields: - name: geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal - name: geo.continent_name level: core type: keyword ignore_above: 1024 description: Name of the continent. example: North America - name: geo.country_iso_code level: core type: keyword ignore_above: 1024 description: Country ISO code. example: CA - name: geo.country_name level: core type: keyword ignore_above: 1024 description: Country name. example: Canada - name: geo.location level: core type: geo_point description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended type: wildcard description: "User-defined description of a location, at the level of granularity they care about.\nCould be the name of their data centers, the floor number, if this describes a local physical entity, city names.\nNot typically used in automated geolocation." example: boston-dc - name: geo.region_iso_code level: core type: keyword ignore_above: 1024 description: Region ISO code. example: CA-QC - name: geo.region_name level: core type: keyword ignore_above: 1024 description: Region name. example: Quebec - name: hostname level: core type: keyword ignore_above: 1024 description: Hostname of the observer. - name: ip level: core type: ip description: IP addresses of the observer. - name: mac level: core type: keyword ignore_above: 1024 description: MAC addresses of the observer - name: name level: extended type: keyword ignore_above: 1024 description: "Custom name of the observer.\nThis is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization.\nIf no custom name is needed, the field can be left empty." example: 1_proxySG - name: os.family level: extended type: keyword ignore_above: 1024 description: OS family (such as redhat, debian, freebsd, windows). example: debian - name: os.full level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: Operating system name, including the version or code name. example: Mac OS Mojave - name: os.kernel level: extended type: keyword ignore_above: 1024 description: Operating system kernel version as a raw string. example: 4.4.0-112-generic - name: os.name level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: Operating system name, without the version. example: Mac OS X - name: os.platform level: extended type: keyword ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin - name: os.version level: extended type: keyword ignore_above: 1024 description: Operating system version as a raw string. example: 10.14.1 - name: product level: extended type: keyword ignore_above: 1024 description: The product name of the observer. example: s200 - name: serial_number level: extended type: keyword ignore_above: 1024 description: Observer serial number. - name: type level: core type: keyword ignore_above: 1024 description: "The type of the observer the data is coming from.\nThere is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`." example: firewall - name: vendor level: core type: keyword ignore_above: 1024 description: Vendor name of the observer. example: Symantec - name: version level: core type: keyword ignore_above: 1024 description: Observer version. - name: tls title: TLS group: 2 description: Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files. type: group fields: - name: cipher level: extended type: keyword ignore_above: 1024 description: String indicating the cipher used during the current connection. example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 default_field: false - name: client.certificate level: extended type: keyword ignore_above: 1024 description: PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. example: MII... default_field: false - name: client.certificate_chain level: extended type: keyword ignore_above: 1024 description: Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. example: '["MII...", "MII..."]' default_field: false - name: client.hash.md5 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC default_field: false - name: client.hash.sha1 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 9E393D93138888D288266C2D915214D1D1CCEB2A default_field: false - name: client.hash.sha256 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 default_field: false - name: client.issuer level: extended type: wildcard description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com default_field: false - name: client.ja3 level: extended type: keyword ignore_above: 1024 description: A hash that identifies clients based on how they perform an SSL/TLS handshake. example: d4e5b18d6b55c71272893221c96ba240 default_field: false - name: client.not_after level: extended type: date description: Date/Time indicating when client certificate is no longer considered valid. example: "2021-01-01T00:00:00.000Z" default_field: false - name: client.not_before level: extended type: date description: Date/Time indicating when client certificate is first considered valid. example: "1970-01-01T00:00:00.000Z" default_field: false - name: client.server_name level: extended type: keyword ignore_above: 1024 description: Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. example: www.elastic.co default_field: false - name: client.subject level: extended type: wildcard description: Distinguished name of subject of the x.509 certificate presented by the client. example: CN=myclient, OU=Documentation Team, DC=example, DC=com default_field: false - name: client.supported_ciphers level: extended type: keyword ignore_above: 1024 description: Array of ciphers offered by the client during the client hello. example: '["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."]' default_field: false - name: client.x509.alternative_names level: extended type: keyword ignore_above: 1024 description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. example: "*.elastic.co" default_field: false - name: client.x509.issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - name: client.x509.issuer.country level: extended type: keyword ignore_above: 1024 description: List of country (C) codes example: US default_field: false - name: client.x509.issuer.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - name: client.x509.issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - name: client.x509.issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - name: client.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. example: www.example.com default_field: false - name: client.x509.issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: client.x509.not_after level: extended type: date description: Time at which the certificate is no longer considered valid. example: 2020-07-16 03:15:39+00:00 default_field: false - name: client.x509.not_before level: extended type: date description: Time at which the certificate is first considered valid. example: 2019-08-16 01:40:25+00:00 default_field: false - name: client.x509.public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. example: RSA default_field: false - name: client.x509.public_key_curve level: extended type: keyword ignore_above: 1024 description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. example: nistp521 default_field: false - name: client.x509.public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. example: 65537 index: false default_field: false - name: client.x509.public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - name: client.x509.serial_number level: extended type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - name: client.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA default_field: false - name: client.x509.subject.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of subject. example: shared.global.example.net default_field: false - name: client.x509.subject.country level: extended type: keyword ignore_above: 1024 description: List of country (C) code example: US default_field: false - name: client.x509.subject.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - name: client.x509.subject.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: San Francisco default_field: false - name: client.x509.subject.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of subject. example: Example, Inc. default_field: false - name: client.x509.subject.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of subject. default_field: false - name: client.x509.subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: client.x509.version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false - name: curve level: extended type: keyword ignore_above: 1024 description: String indicating the curve used for the given cipher, when applicable. example: secp256r1 default_field: false - name: established level: extended type: boolean description: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. default_field: false - name: next_protocol level: extended type: keyword ignore_above: 1024 description: String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. example: http/1.1 default_field: false - name: resumed level: extended type: boolean description: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. default_field: false - name: server.certificate level: extended type: keyword ignore_above: 1024 description: PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. example: MII... default_field: false - name: server.certificate_chain level: extended type: keyword ignore_above: 1024 description: Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. example: '["MII...", "MII..."]' default_field: false - name: server.hash.md5 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC default_field: false - name: server.hash.sha1 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 9E393D93138888D288266C2D915214D1D1CCEB2A default_field: false - name: server.hash.sha256 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 default_field: false - name: server.issuer level: extended type: wildcard description: Subject of the issuer of the x.509 certificate presented by the server. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com default_field: false - name: server.ja3s level: extended type: keyword ignore_above: 1024 description: A hash that identifies servers based on how they perform an SSL/TLS handshake. example: 394441ab65754e2207b1e1b457b3641d default_field: false - name: server.not_after level: extended type: date description: Timestamp indicating when server certificate is no longer considered valid. example: "2021-01-01T00:00:00.000Z" default_field: false - name: server.not_before level: extended type: date description: Timestamp indicating when server certificate is first considered valid. example: "1970-01-01T00:00:00.000Z" default_field: false - name: server.subject level: extended type: wildcard description: Subject of the x.509 certificate presented by the server. example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com default_field: false - name: server.x509.alternative_names level: extended type: keyword ignore_above: 1024 description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. example: "*.elastic.co" default_field: false - name: server.x509.issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - name: server.x509.issuer.country level: extended type: keyword ignore_above: 1024 description: List of country (C) codes example: US default_field: false - name: server.x509.issuer.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - name: server.x509.issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - name: server.x509.issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - name: server.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. example: www.example.com default_field: false - name: server.x509.issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: server.x509.not_after level: extended type: date description: Time at which the certificate is no longer considered valid. example: 2020-07-16 03:15:39+00:00 default_field: false - name: server.x509.not_before level: extended type: date description: Time at which the certificate is first considered valid. example: 2019-08-16 01:40:25+00:00 default_field: false - name: server.x509.public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. example: RSA default_field: false - name: server.x509.public_key_curve level: extended type: keyword ignore_above: 1024 description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. example: nistp521 default_field: false - name: server.x509.public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. example: 65537 index: false default_field: false - name: server.x509.public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - name: server.x509.serial_number level: extended type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - name: server.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA default_field: false - name: server.x509.subject.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of subject. example: shared.global.example.net default_field: false - name: server.x509.subject.country level: extended type: keyword ignore_above: 1024 description: List of country (C) code example: US default_field: false - name: server.x509.subject.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - name: server.x509.subject.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: San Francisco default_field: false - name: server.x509.subject.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of subject. example: Example, Inc. default_field: false - name: server.x509.subject.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of subject. default_field: false - name: server.x509.subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: server.x509.version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false - name: version level: extended type: keyword ignore_above: 1024 description: Numeric part of the version parsed from the original string. example: "1.2" default_field: false - name: version_protocol level: extended type: keyword ignore_above: 1024 description: Normalized lowercase protocol name parsed from original string. example: tls default_field: false - name: url title: URL group: 2 description: URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. type: group fields: - name: domain level: extended type: wildcard description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.' example: www.elastic.co - name: extension level: extended type: keyword ignore_above: 1024 description: 'The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").' example: png - name: fragment level: extended type: keyword ignore_above: 1024 description: 'Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.' - name: full level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false - name: keyword type: keyword description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. example: https://www.elastic.co:443/search?q=elasticsearch#top - name: original level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: "Unmodified original url as seen in the event source.\nNote that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.\nThis field is meant to represent the URL as it was observed, complete or not." example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - name: password level: extended type: keyword ignore_above: 1024 description: Password of the request. - name: path level: extended type: wildcard description: Path of the request, such as "/search". - name: port level: extended type: long format: string description: Port of the request, such as 443. example: 443 - name: query level: extended type: keyword ignore_above: 1024 description: 'The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' - name: registered_domain level: extended type: wildcard description: 'The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com - name: scheme level: extended type: keyword ignore_above: 1024 description: 'Scheme of the request, such as "https". Note: The `:` is not part of the scheme.' example: https - name: subdomain level: extended type: keyword ignore_above: 1024 description: 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.' example: east default_field: false - name: top_level_domain level: extended type: keyword ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk - name: username level: extended type: keyword ignore_above: 1024 description: Username of the request. - name: x509 title: x509 Certificate group: 2 description: "This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk.\nWhen the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`).\nEvents that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`." type: group fields: - name: alternative_names level: extended type: keyword ignore_above: 1024 description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. example: "*.elastic.co" default_field: false - name: issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - name: issuer.country level: extended type: keyword ignore_above: 1024 description: List of country (C) codes example: US default_field: false - name: issuer.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - name: issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - name: issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - name: issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. example: www.example.com default_field: false - name: issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: not_after level: extended type: date description: Time at which the certificate is no longer considered valid. example: 2020-07-16 03:15:39+00:00 default_field: false - name: not_before level: extended type: date description: Time at which the certificate is first considered valid. example: 2019-08-16 01:40:25+00:00 default_field: false - name: public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. example: RSA default_field: false - name: public_key_curve level: extended type: keyword ignore_above: 1024 description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. example: nistp521 default_field: false - name: public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. example: 65537 index: false default_field: false - name: public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - name: serial_number level: extended type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - name: signature_algorithm level: extended type: keyword ignore_above: 1024 description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA default_field: false - name: subject.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of subject. example: shared.global.example.net default_field: false - name: subject.country level: extended type: keyword ignore_above: 1024 description: List of country (C) code example: US default_field: false - name: subject.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - name: subject.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: San Francisco default_field: false - name: subject.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of subject. example: Example, Inc. default_field: false - name: subject.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of subject. default_field: false - name: subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false PKTPK!W1 synthetics-1.0.6/data_stream/icmp/fields/icmp.ymlUT d- name: icmp type: group description: > IP ping fields. fields: - name: requests type: integer description: > Number if ICMP EchoRequests send. - name: rtt type: group description: ICMP Echo Request and Reply round trip time fields: - name: us type: long description: Duration in microseconds PKX1{{PK!WA synthetics-1.0.6/data_stream/icmp/fields/jolokia-autodiscover.ymlUT d- name: jolokia.agent.version type: keyword description: > Version number of jolokia agent. - name: jolokia.agent.id type: keyword description: > Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type. - name: jolokia.server.product type: keyword description: > The container product if detected. - name: jolokia.server.version type: keyword description: > The container's version (if detected). - name: jolokia.server.vendor type: keyword description: > The vendor of the container the agent is running in. - name: jolokia.url type: keyword description: > The URL how this agent can be contacted. - name: jolokia.secured type: boolean description: > Whether the agent was configured for authentication or not. PKPK!W7 synthetics-1.0.6/data_stream/icmp/fields/kubernetes.ymlUT d- name: kubernetes type: group fields: - name: pod.name type: keyword description: > Kubernetes pod name - name: pod.uid type: keyword description: > Kubernetes Pod UID - name: namespace type: keyword description: > Kubernetes namespace - name: node.name type: keyword description: > Kubernetes node name - name: node.hostname type: keyword description: > Kubernetes hostname as reported by the node’s kernel - name: labels.* type: object object_type: keyword object_type_mapping_type: "*" description: > Kubernetes labels map - name: annotations.* type: object object_type: keyword object_type_mapping_type: "*" description: > Kubernetes annotations map - name: replicaset.name type: keyword description: > Kubernetes replicaset name - name: deployment.name type: keyword description: > Kubernetes deployment name - name: statefulset.name type: keyword description: > Kubernetes statefulset name - name: container.name type: keyword description: > Kubernetes container name - name: container.image type: keyword description: > Kubernetes container image PKiiPK!W4 synthetics-1.0.6/data_stream/icmp/fields/resolve.ymlUT d- name: resolve type: group description: > Host lookup fields. fields: - name: ip type: ip description: > IP address found for the given host. - name: rtt type: group description: Duration required to resolve an IP from hostname. fields: - name: us type: long description: Duration in microseconds PKc pPK!W3 synthetics-1.0.6/data_stream/icmp/fields/socks5.ymlUT d- name: socks5 type: group description: > SOCKS5 proxy related fields: fields: - name: rtt type: group description: > TLS layer round trip times. fields: - name: connect type: group description: > Time required to establish a connection via SOCKS5 to endpoint based on available connection to SOCKS5 proxy. fields: - name: us type: long description: Duration in microseconds PK=PK!W4 synthetics-1.0.6/data_stream/icmp/fields/summary.ymlUT d- name: summary type: group description: "Present in the last event emitted during a check. If a monitor checks multiple endpoints, as is the case with `mode: all`." fields: - name: up type: integer description: > The number of endpoints that succeeded - name: down type: integer description: > The number of endpoints that failed - name: status type: keyword description: > The status of this check as a whole. Either up or down. - name: attempt type: short description: > When performing a check this number is 1 for the first check, and increments in the event of a retry. - name: max_attempts type: short description: > The maximum number of checks that may be performed. Note, the actual number may be smaller. - name: final_attempt type: boolean description: > True if no further checks will be performed in this retry group. - name: retry_group type: keyword description: >- A unique token used to group checks across attempts. PK. [[PK!W0 synthetics-1.0.6/data_stream/icmp/fields/tls.ymlUT d- name: tls type: group description: > TLS layer related fields. fields: - name: certificate_not_valid_before type: date deprecated: 7.8.0 description: Deprecated in favor of `tls.server.x509.not_before`. Earliest time at which the connection's certificates are valid. - name: certificate_not_valid_after deprecated: 7.8.0 type: date description: Deprecated in favor of `tls.server.x509.not_after`. Latest time at which the connection's certificates are valid. - name: rtt type: group description: > TLS layer round trip times. fields: - name: handshake type: group description: > Time required to finish TLS handshake based on already available network connection. fields: - name: us type: long description: Duration in microseconds - name: server type: group description: Detailed x509 certificate metadata fields: - name: version_number type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false PKmٯPK!W. synthetics-1.0.6/data_stream/icmp/manifest.ymlUT dtype: synthetics title: synthetic monitor check dataset: icmp ilm_policy: synthetics-synthetics.icmp-default_policy elasticsearch: index_template: mappings: dynamic: false settings: index: codec: best_compression sort.field: - "monitor.id" - "url.full.keyword" privileges.indices: [auto_configure, create_doc, read] streams: - input: synthetics/icmp title: Synthetic monitor check description: Perform an ICMP check template_path: icmp.yml.hbs enabled: false vars: - name: __ui type: yaml title: metadata about the package multi: false required: false show_user: false - name: enabled type: bool title: Whether the monitor is enabled multi: false required: true show_user: true default: true - name: type type: text title: Monitor type multi: false required: true show_user: true default: icmp - name: name type: text title: Monitor name multi: false required: false show_user: true - name: schedule type: text title: Schedule multi: false required: true show_user: true default: "\"@every 3m\"" - name: wait type: text title: Wait multi: false required: true show_user: true default: 1s - name: hosts type: text title: Host # do not change this to true, we specifically want it to be singular multi: false required: true show_user: true - name: service.name type: text title: APM Service Name multi: false required: false show_user: true - name: timeout type: text title: Timeout multi: false required: false show_user: true - name: tags type: yaml title: Tags multi: false required: false show_user: true - name: location_name type: text title: Location name multi: false required: false show_user: true default: "Fleet managed" - name: location_id type: text title: Location id multi: false required: false show_user: true default: "fleet_managed" - name: id type: text title: id multi: false required: false show_user: false - name: origin type: text title: Origin of the monitor, ui or project multi: false required: false show_user: false - name: mode type: text title: Heartbeat mode multi: false required: false show_user: true - name: ipv4 type: bool title: Use the ipv4 protocol multi: false required: false show_user: true default: true - name: ipv6 type: bool title: Use the ipv6 protocol multi: false required: false show_user: true default: true - name: processors type: yaml title: Processors multi: false required: false show_user: false description: >- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. - name: max_attempts type: integer title: Max attempts multi: false required: false show_user: true PK\o,,PK!W! synthetics-1.0.6/data_stream/tcp/UT dPK!W' synthetics-1.0.6/data_stream/tcp/agent/UT dPK!W. synthetics-1.0.6/data_stream/tcp/agent/stream/UT dPK!W9 synthetics-1.0.6/data_stream/tcp/agent/stream/tcp.yml.hbsUT d__ui: {{__ui}} type: {{type}} name: {{name}} {{#if id}} id: {{id}} {{/if}} {{#if origin}} origin: {{origin}} {{/if}} {{#if location_id}} run_from.id: {{location_id}} {{/if}} {{#if location_name}} run_from.geo.name: {{location_name}} {{/if}} enabled: {{enabled}} hosts: {{hosts}} {{#if service.name}} service.name: {{service.name}} {{/if}} schedule: {{schedule}} timeout: {{timeout}} {{#if proxy_url}} proxy_url: {{proxy_url}} {{/if}} proxy_use_local_resolver: {{proxy_use_local_resolver}} {{#if tags}} tags: {{tags}} {{/if}} {{#if check.send}} check.send: {{check.send}} {{/if}} {{#if check.receive}} check.receive: {{check.receive}} {{/if}} {{#if ssl.certificate}} ssl.certificate: {{ssl.certificate}} {{/if}} {{#if ssl.certificate_authorities}} ssl.certificate_authorities: {{ssl.certificate_authorities}} {{/if}} {{#if ssl.key}} ssl.key: {{ssl.key}} {{/if}} {{#if ssl.key_passphrase}} ssl.key_passphrase: {{ssl.key_passphrase}} {{/if}} {{#if ssl.verification_mode}} ssl.verification_mode: {{ssl.verification_mode}} {{/if}} {{#if ssl.supported_protocols}} ssl.supported_protocols: {{ssl.supported_protocols}} {{/if}} {{#if mode}} mode: {{mode}} {{/if}} ipv4: {{ipv4}} ipv6: {{ipv6}} {{#if max_attempts}} max_attempts: {{max_attempts}} {{/if}} {{#if processors}} processors: {{processors}} {{/if}}PK>PK!W/ synthetics-1.0.6/data_stream/tcp/elasticsearch/UT dPK!W3 synthetics-1.0.6/data_stream/tcp/elasticsearch/ilm/UT dPK!WF synthetics-1.0.6/data_stream/tcp/elasticsearch/ilm/default_policy.jsonUT d{ "policy": { "phases": { "hot": { "actions": { "rollover": { "max_age": "30d", "max_primary_shard_size": "50gb" }, "set_priority": { "priority": 100 } } }, "delete": { "min_age": "365d", "actions": { "delete": {} } } } } }PK##PK!W( synthetics-1.0.6/data_stream/tcp/fields/UT dPK!W7 synthetics-1.0.6/data_stream/tcp/fields/base-fields.ymlUT d- name: data_stream.type type: constant_keyword description: Data stream type. - name: data_stream.dataset type: constant_keyword description: Data stream dataset name. - name: data_stream.namespace type: constant_keyword description: Data stream namespace. - name: dataset.type type: constant_keyword description: Dataset type. - name: dataset.name type: constant_keyword description: Dataset name. - name: dataset.namespace type: constant_keyword description: Dataset namespace. - name: '@timestamp' type: date description: Event timestamp. PKF{%;;PK!W0 synthetics-1.0.6/data_stream/tcp/fields/beat.ymlUT d- name: fields type: object object_type: keyword description: > Contains user configurable fields. PKZғnnPK!W1 synthetics-1.0.6/data_stream/tcp/fields/cloud.ymlUT d- name: cloud.image.id example: ami-abcd1234 type: keyword description: > Image ID for the cloud instance. PK!GvvPK!W2 synthetics-1.0.6/data_stream/tcp/fields/common.ymlUT d- name: config_id type: keyword description: The id of run_once monitor, when initiated from the Monitor Management flow - name: test_run_id type: keyword description: The id of run_once monitor, when initiated from the Monitor Overview page - name: run_once type: boolean description: Whether the monitor is a run_once monitor - name: service.name type: keyword description: APM service name this monitor is linked to - name: monitor type: group description: > Common monitor fields. fields: - name: type type: constant_keyword value: tcp description: > The monitor type. - name: name type: keyword description: > The monitors configured name multi_fields: - name: text type: text analyzer: simple - name: id type: keyword description: > The monitors full job ID as used by heartbeat. multi_fields: - name: text type: text analyzer: simple - name: duration type: group description: Total monitoring test duration fields: - name: us type: long description: Duration in microseconds - name: ip type: ip description: > IP of service being monitored. If service is monitored by hostname, the `ip` field contains the resolved ip address for the current host. - name: status required: true type: keyword description: > Indicator if monitor could validate the service to be available. - name: check_group type: keyword description: > A token unique to a simultaneously invoked group of checks as in the case where multiple IPs are checked for a single DNS entry. - name: timespan type: date_range description: > Time range this ping reported starting at the instant the check was started, ending at the start of the next scheduled check. - name: fleet_managed type: boolean description: > True if monitor is created with the Fleet integration UI - name: origin type: keyword description: > The source of this monitor configuration, usually either "ui", or "project" - name: project type: group description: > Project info for this monitor fields: - name: id type: keyword description: Project ID - name: name type: text description: Project name - name: state type: group description: "Present in the last event emitted during a check. If a monitor checks multiple endpoints, as is the case with `mode: all`." fields: - name: id type: keyword description: > ID of this state - name: started_at type: date description: > First time state with this ID was seen - name: duration_ms type: long description: > Length of time this state has existed in millis - name: status type: keyword description: > The current status, "up", "down", or "flapping" any state can change into flapping. - name: checks type: integer description: total checks run - name: up type: integer description: total up checks run - name: down type: integer description: total down checks run - name: flap_history enabled: false - name: ends type: group description: the state that was ended by this state fields: - name: id type: keyword description: > ID of this state - name: started_at type: date description: > First time state with this ID was seen - name: duration_ms type: long description: > Length of time this state has existed in millis - name: status type: keyword description: > The current status, "up", "down", or "flapping" any state can change into flapping. - name: checks type: integer description: total checks run - name: up type: integer description: total up checks run - name: down type: integer description: total down checks run PKVz֩PK!W2 synthetics-1.0.6/data_stream/tcp/fields/docker.ymlUT d- name: docker type: group fields: - name: container.labels # TODO: How to map these? type: object object_type: keyword description: > Image labels. PKqøPK!W/ synthetics-1.0.6/data_stream/tcp/fields/ecs.ymlUT d- name: labels level: core type: object object_type: keyword description: "Custom key/value pairs.\nCan be used to add meta information to events. Should not contain nested objects. All values are stored as keyword.\nExample: `docker` and `k8s` labels." example: '{"application": "foo-bar", "env": "production"}' - name: tags level: core type: keyword ignore_above: 1024 description: List of keywords used to tag each event. example: '["production", "env2"]' - name: agent title: Agent group: 2 description: "The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host.\nExamples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken." footnote: "Examples: In the case of Beats for logs, the agent.name is filebeat. For APM, it is the agent running in the app/service. The agent information does not change if data is sent through queuing systems like Kafka, Redis, or processing systems such as Logstash or APM Server." type: group fields: - name: build.original level: core type: wildcard description: "Extended build information for the agent.\nThis field is intended to contain any build information that a data source may provide, no specific formatting is required." example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] default_field: false - name: ephemeral_id level: extended type: keyword ignore_above: 1024 description: "Ephemeral identifier of this agent (if one exists).\nThis id normally changes across restarts, but `agent.id` does not." example: 8a4f500f - name: id level: core type: keyword ignore_above: 1024 description: "Unique identifier of this agent (if one exists).\nExample: For Beats this would be beat.id." example: 8a4f500d - name: name level: core type: keyword ignore_above: 1024 description: "Custom name of the agent.\nThis is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from.\nIf no name is given, the name is often left empty." example: foo - name: type level: core type: keyword ignore_above: 1024 description: "Type of the agent.\nThe agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine." example: filebeat - name: version level: core type: keyword ignore_above: 1024 description: Version of the agent. example: 6.0.0-rc2 - name: cloud title: Cloud group: 2 description: Fields related to the cloud or infrastructure the events are coming from. footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." type: group fields: - name: account.id level: extended type: keyword ignore_above: 1024 description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." example: 666777888999 - name: account.name level: extended type: keyword ignore_above: 1024 description: "The cloud account name or alias used to identify different entities in a multi-tenant environment.\nExamples: AWS account name, Google Cloud ORG display name." example: elastic-dev default_field: false - name: availability_zone level: extended type: keyword ignore_above: 1024 description: Availability zone in which this host is running. example: us-east-1c - name: instance.id level: extended type: keyword ignore_above: 1024 description: Instance ID of the host machine. example: i-1234567890abcdef0 - name: instance.name level: extended type: keyword ignore_above: 1024 description: Instance name of the host machine. - name: machine.type level: extended type: keyword ignore_above: 1024 description: Machine type of the host machine. example: t2.medium - name: project.id level: extended type: keyword ignore_above: 1024 description: "The cloud project identifier.\nExamples: Google Cloud Project id, Azure Project id." example: my-project default_field: false - name: project.name level: extended type: keyword ignore_above: 1024 description: "The cloud project name.\nExamples: Google Cloud Project name, Azure Project name." example: my project default_field: false - name: provider level: extended type: keyword ignore_above: 1024 description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. example: aws - name: region level: extended type: keyword ignore_above: 1024 description: Region in which this host is running. example: us-east-1 - name: container title: Container group: 2 description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." type: group fields: - name: id level: core type: keyword ignore_above: 1024 description: Unique container id. - name: image.name level: extended type: keyword ignore_above: 1024 description: Name of the image the container was built on. - name: image.tag level: extended type: keyword ignore_above: 1024 description: Container image tags. - name: labels level: extended type: object object_type: keyword description: Image labels. - name: name level: extended type: keyword ignore_above: 1024 description: Container name. - name: runtime level: extended type: keyword ignore_above: 1024 description: Runtime managing this container. example: docker - name: dns title: DNS group: 2 description: "Fields describing DNS queries and answers.\nDNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`)." type: group fields: - name: answers level: extended type: object description: "An array containing an object for each answer section returned by the server.\nThe main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines.\nNot all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields." - name: answers.class level: extended type: keyword ignore_above: 1024 description: The class of DNS data contained in this resource record. example: IN - name: answers.data level: extended type: wildcard description: "The data describing the resource.\nThe meaning of this data depends on the type and class of the resource record." example: 10.10.10.10 - name: answers.name level: extended type: keyword ignore_above: 1024 description: "The domain name to which this resource record pertains.\nIf a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated." example: www.example.com - name: answers.ttl level: extended type: long description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. example: 180 - name: answers.type level: extended type: keyword ignore_above: 1024 description: The type of data contained in this resource record. example: CNAME - name: header_flags level: extended type: keyword ignore_above: 1024 description: "Array of 2 letter DNS header flags.\nExpected values are: AA, TC, RD, RA, AD, CD, DO." example: '["RD", "RA"]' - name: id level: extended type: keyword ignore_above: 1024 description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. example: 62111 - name: op_code level: extended type: keyword ignore_above: 1024 description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. example: QUERY - name: question.class level: extended type: keyword ignore_above: 1024 description: The class of records being queried. example: IN - name: question.name level: extended type: wildcard description: 'The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.' example: www.example.com - name: question.registered_domain level: extended type: keyword ignore_above: 1024 description: 'The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com - name: question.subdomain level: extended type: keyword ignore_above: 1024 description: 'The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.' example: www - name: question.top_level_domain level: extended type: keyword ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk - name: question.type level: extended type: keyword ignore_above: 1024 description: The type of record being queried. example: AAAA - name: resolved_ip level: extended type: ip description: "Array containing all IPs seen in `answers.data`.\nThe `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for." example: '["10.10.10.10", "10.10.10.11"]' - name: response_code level: extended type: keyword ignore_above: 1024 description: The DNS response code. example: NOERROR - name: type level: extended type: keyword ignore_above: 1024 description: "The type of DNS event captured, query or answer.\nIf your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`.\nIf your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers." example: answer - name: ecs title: ECS group: 2 description: Meta-information specific to ECS. type: group fields: - name: version level: core required: true type: keyword ignore_above: 1024 description: "ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.\nWhen querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events." example: 1.0.0 - name: error title: Error group: 2 description: "These fields can represent errors of any kind.\nUse them for errors that happen while fetching events or in cases where the event itself contains an error." type: group fields: - name: code level: core type: keyword ignore_above: 1024 description: Error code describing the error. - name: id level: core type: keyword ignore_above: 1024 description: Unique identifier for the error. - name: message level: core type: text description: Error message. - name: stack_trace level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: The stack trace of this error in plain text. - name: type level: extended type: wildcard description: The type of the error, for example the class name of the exception. example: java.lang.NullPointerException - name: http title: HTTP group: 2 description: Fields related to HTTP activity. Use the `url` field set to store the url of the request. type: group fields: - name: request.body.bytes level: extended type: long format: bytes description: Size in bytes of the request body. example: 887 - name: request.body.content level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: The full HTTP request body. example: Hello world - name: request.bytes level: extended type: long format: bytes description: Total size in bytes of the request (body and headers). example: 1437 - name: request.method level: extended type: keyword ignore_above: 1024 description: 'HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0' example: GET, POST, PUT, PoST - name: request.mime_type level: extended type: keyword ignore_above: 1024 description: "Mime type of the body of the request.\nThis value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients." example: image/gif default_field: false - name: request.referrer level: extended type: wildcard description: Referrer for this HTTP request. example: https://blog.example.com/ - name: response.body.bytes level: extended type: long format: bytes description: Size in bytes of the response body. example: 887 - name: response.body.content level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: The full HTTP response body. example: Hello world - name: response.bytes level: extended type: long format: bytes description: Total size in bytes of the response (body and headers). example: 1437 - name: response.mime_type level: extended type: keyword ignore_above: 1024 description: "Mime type of the body of the response.\nThis value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers." example: image/gif default_field: false - name: response.status_code level: extended type: long format: string description: HTTP response status code. example: 404 - name: version level: extended type: keyword ignore_above: 1024 description: HTTP version. example: 1.1 - name: observer title: Observer group: 2 description: "An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics.\nThis could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS." type: group fields: - name: geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal - name: geo.continent_name level: core type: keyword ignore_above: 1024 description: Name of the continent. example: North America - name: geo.country_iso_code level: core type: keyword ignore_above: 1024 description: Country ISO code. example: CA - name: geo.country_name level: core type: keyword ignore_above: 1024 description: Country name. example: Canada - name: geo.location level: core type: geo_point description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended type: wildcard description: "User-defined description of a location, at the level of granularity they care about.\nCould be the name of their data centers, the floor number, if this describes a local physical entity, city names.\nNot typically used in automated geolocation." example: boston-dc - name: geo.region_iso_code level: core type: keyword ignore_above: 1024 description: Region ISO code. example: CA-QC - name: geo.region_name level: core type: keyword ignore_above: 1024 description: Region name. example: Quebec - name: hostname level: core type: keyword ignore_above: 1024 description: Hostname of the observer. - name: ip level: core type: ip description: IP addresses of the observer. - name: mac level: core type: keyword ignore_above: 1024 description: MAC addresses of the observer - name: name level: extended type: keyword ignore_above: 1024 description: "Custom name of the observer.\nThis is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization.\nIf no custom name is needed, the field can be left empty." example: 1_proxySG - name: os.family level: extended type: keyword ignore_above: 1024 description: OS family (such as redhat, debian, freebsd, windows). example: debian - name: os.full level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: Operating system name, including the version or code name. example: Mac OS Mojave - name: os.kernel level: extended type: keyword ignore_above: 1024 description: Operating system kernel version as a raw string. example: 4.4.0-112-generic - name: os.name level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: Operating system name, without the version. example: Mac OS X - name: os.platform level: extended type: keyword ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin - name: os.version level: extended type: keyword ignore_above: 1024 description: Operating system version as a raw string. example: 10.14.1 - name: product level: extended type: keyword ignore_above: 1024 description: The product name of the observer. example: s200 - name: serial_number level: extended type: keyword ignore_above: 1024 description: Observer serial number. - name: type level: core type: keyword ignore_above: 1024 description: "The type of the observer the data is coming from.\nThere is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`." example: firewall - name: vendor level: core type: keyword ignore_above: 1024 description: Vendor name of the observer. example: Symantec - name: version level: core type: keyword ignore_above: 1024 description: Observer version. - name: tls title: TLS group: 2 description: Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files. type: group fields: - name: cipher level: extended type: keyword ignore_above: 1024 description: String indicating the cipher used during the current connection. example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 default_field: false - name: client.certificate level: extended type: keyword ignore_above: 1024 description: PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. example: MII... default_field: false - name: client.certificate_chain level: extended type: keyword ignore_above: 1024 description: Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. example: '["MII...", "MII..."]' default_field: false - name: client.hash.md5 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC default_field: false - name: client.hash.sha1 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 9E393D93138888D288266C2D915214D1D1CCEB2A default_field: false - name: client.hash.sha256 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 default_field: false - name: client.issuer level: extended type: wildcard description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com default_field: false - name: client.ja3 level: extended type: keyword ignore_above: 1024 description: A hash that identifies clients based on how they perform an SSL/TLS handshake. example: d4e5b18d6b55c71272893221c96ba240 default_field: false - name: client.not_after level: extended type: date description: Date/Time indicating when client certificate is no longer considered valid. example: "2021-01-01T00:00:00.000Z" default_field: false - name: client.not_before level: extended type: date description: Date/Time indicating when client certificate is first considered valid. example: "1970-01-01T00:00:00.000Z" default_field: false - name: client.server_name level: extended type: keyword ignore_above: 1024 description: Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. example: www.elastic.co default_field: false - name: client.subject level: extended type: wildcard description: Distinguished name of subject of the x.509 certificate presented by the client. example: CN=myclient, OU=Documentation Team, DC=example, DC=com default_field: false - name: client.supported_ciphers level: extended type: keyword ignore_above: 1024 description: Array of ciphers offered by the client during the client hello. example: '["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."]' default_field: false - name: client.x509.alternative_names level: extended type: keyword ignore_above: 1024 description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. example: "*.elastic.co" default_field: false - name: client.x509.issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - name: client.x509.issuer.country level: extended type: keyword ignore_above: 1024 description: List of country (C) codes example: US default_field: false - name: client.x509.issuer.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - name: client.x509.issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - name: client.x509.issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - name: client.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. example: www.example.com default_field: false - name: client.x509.issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: client.x509.not_after level: extended type: date description: Time at which the certificate is no longer considered valid. example: 2020-07-16 03:15:39+00:00 default_field: false - name: client.x509.not_before level: extended type: date description: Time at which the certificate is first considered valid. example: 2019-08-16 01:40:25+00:00 default_field: false - name: client.x509.public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. example: RSA default_field: false - name: client.x509.public_key_curve level: extended type: keyword ignore_above: 1024 description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. example: nistp521 default_field: false - name: client.x509.public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. example: 65537 index: false default_field: false - name: client.x509.public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - name: client.x509.serial_number level: extended type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - name: client.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA default_field: false - name: client.x509.subject.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of subject. example: shared.global.example.net default_field: false - name: client.x509.subject.country level: extended type: keyword ignore_above: 1024 description: List of country (C) code example: US default_field: false - name: client.x509.subject.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - name: client.x509.subject.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: San Francisco default_field: false - name: client.x509.subject.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of subject. example: Example, Inc. default_field: false - name: client.x509.subject.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of subject. default_field: false - name: client.x509.subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: client.x509.version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false - name: curve level: extended type: keyword ignore_above: 1024 description: String indicating the curve used for the given cipher, when applicable. example: secp256r1 default_field: false - name: established level: extended type: boolean description: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. default_field: false - name: next_protocol level: extended type: keyword ignore_above: 1024 description: String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. example: http/1.1 default_field: false - name: resumed level: extended type: boolean description: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. default_field: false - name: server.certificate level: extended type: keyword ignore_above: 1024 description: PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. example: MII... default_field: false - name: server.certificate_chain level: extended type: keyword ignore_above: 1024 description: Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. example: '["MII...", "MII..."]' default_field: false - name: server.hash.md5 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC default_field: false - name: server.hash.sha1 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 9E393D93138888D288266C2D915214D1D1CCEB2A default_field: false - name: server.hash.sha256 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 default_field: false - name: server.issuer level: extended type: wildcard description: Subject of the issuer of the x.509 certificate presented by the server. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com default_field: false - name: server.ja3s level: extended type: keyword ignore_above: 1024 description: A hash that identifies servers based on how they perform an SSL/TLS handshake. example: 394441ab65754e2207b1e1b457b3641d default_field: false - name: server.not_after level: extended type: date description: Timestamp indicating when server certificate is no longer considered valid. example: "2021-01-01T00:00:00.000Z" default_field: false - name: server.not_before level: extended type: date description: Timestamp indicating when server certificate is first considered valid. example: "1970-01-01T00:00:00.000Z" default_field: false - name: server.subject level: extended type: wildcard description: Subject of the x.509 certificate presented by the server. example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com default_field: false - name: server.x509.alternative_names level: extended type: keyword ignore_above: 1024 description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. example: "*.elastic.co" default_field: false - name: server.x509.issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - name: server.x509.issuer.country level: extended type: keyword ignore_above: 1024 description: List of country (C) codes example: US default_field: false - name: server.x509.issuer.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - name: server.x509.issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - name: server.x509.issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - name: server.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. example: www.example.com default_field: false - name: server.x509.issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: server.x509.not_after level: extended type: date description: Time at which the certificate is no longer considered valid. example: 2020-07-16 03:15:39+00:00 default_field: false - name: server.x509.not_before level: extended type: date description: Time at which the certificate is first considered valid. example: 2019-08-16 01:40:25+00:00 default_field: false - name: server.x509.public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. example: RSA default_field: false - name: server.x509.public_key_curve level: extended type: keyword ignore_above: 1024 description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. example: nistp521 default_field: false - name: server.x509.public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. example: 65537 index: false default_field: false - name: server.x509.public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - name: server.x509.serial_number level: extended type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - name: server.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA default_field: false - name: server.x509.subject.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of subject. example: shared.global.example.net default_field: false - name: server.x509.subject.country level: extended type: keyword ignore_above: 1024 description: List of country (C) code example: US default_field: false - name: server.x509.subject.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - name: server.x509.subject.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: San Francisco default_field: false - name: server.x509.subject.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of subject. example: Example, Inc. default_field: false - name: server.x509.subject.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of subject. default_field: false - name: server.x509.subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: server.x509.version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false - name: version level: extended type: keyword ignore_above: 1024 description: Numeric part of the version parsed from the original string. example: "1.2" default_field: false - name: version_protocol level: extended type: keyword ignore_above: 1024 description: Normalized lowercase protocol name parsed from original string. example: tls default_field: false - name: url title: URL group: 2 description: URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. type: group fields: - name: domain level: extended type: wildcard description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.' example: www.elastic.co - name: extension level: extended type: keyword ignore_above: 1024 description: 'The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").' example: png - name: fragment level: extended type: keyword ignore_above: 1024 description: 'Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.' - name: full level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false - name: keyword type: keyword description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. example: https://www.elastic.co:443/search?q=elasticsearch#top - name: original level: extended type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: "Unmodified original url as seen in the event source.\nNote that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.\nThis field is meant to represent the URL as it was observed, complete or not." example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - name: password level: extended type: keyword ignore_above: 1024 description: Password of the request. - name: path level: extended type: wildcard description: Path of the request, such as "/search". - name: port level: extended type: long format: string description: Port of the request, such as 443. example: 443 - name: query level: extended type: keyword ignore_above: 1024 description: 'The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' - name: registered_domain level: extended type: wildcard description: 'The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com - name: scheme level: extended type: keyword ignore_above: 1024 description: 'Scheme of the request, such as "https". Note: The `:` is not part of the scheme.' example: https - name: subdomain level: extended type: keyword ignore_above: 1024 description: 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.' example: east default_field: false - name: top_level_domain level: extended type: keyword ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk - name: username level: extended type: keyword ignore_above: 1024 description: Username of the request. - name: x509 title: x509 Certificate group: 2 description: "This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk.\nWhen the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`).\nEvents that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`." type: group fields: - name: alternative_names level: extended type: keyword ignore_above: 1024 description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. example: "*.elastic.co" default_field: false - name: issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - name: issuer.country level: extended type: keyword ignore_above: 1024 description: List of country (C) codes example: US default_field: false - name: issuer.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - name: issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - name: issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - name: issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. example: www.example.com default_field: false - name: issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: not_after level: extended type: date description: Time at which the certificate is no longer considered valid. example: 2020-07-16 03:15:39+00:00 default_field: false - name: not_before level: extended type: date description: Time at which the certificate is first considered valid. example: 2019-08-16 01:40:25+00:00 default_field: false - name: public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. example: RSA default_field: false - name: public_key_curve level: extended type: keyword ignore_above: 1024 description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. example: nistp521 default_field: false - name: public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. example: 65537 index: false default_field: false - name: public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - name: serial_number level: extended type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - name: signature_algorithm level: extended type: keyword ignore_above: 1024 description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA default_field: false - name: subject.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of subject. example: shared.global.example.net default_field: false - name: subject.country level: extended type: keyword ignore_above: 1024 description: List of country (C) code example: US default_field: false - name: subject.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - name: subject.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: San Francisco default_field: false - name: subject.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of subject. example: Example, Inc. default_field: false - name: subject.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of subject. default_field: false - name: subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false PKTPK!W@ synthetics-1.0.6/data_stream/tcp/fields/jolokia-autodiscover.ymlUT d- name: jolokia.agent.version type: keyword description: > Version number of jolokia agent. - name: jolokia.agent.id type: keyword description: > Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type. - name: jolokia.server.product type: keyword description: > The container product if detected. - name: jolokia.server.version type: keyword description: > The container's version (if detected). - name: jolokia.server.vendor type: keyword description: > The vendor of the container the agent is running in. - name: jolokia.url type: keyword description: > The URL how this agent can be contacted. - name: jolokia.secured type: boolean description: > Whether the agent was configured for authentication or not. PKPK!W6 synthetics-1.0.6/data_stream/tcp/fields/kubernetes.ymlUT d- name: kubernetes type: group fields: - name: pod.name type: keyword description: > Kubernetes pod name - name: pod.uid type: keyword description: > Kubernetes Pod UID - name: namespace type: keyword description: > Kubernetes namespace - name: node.name type: keyword description: > Kubernetes node name - name: node.hostname type: keyword description: > Kubernetes hostname as reported by the node’s kernel - name: labels.* type: object object_type: keyword object_type_mapping_type: "*" description: > Kubernetes labels map - name: annotations.* type: object object_type: keyword object_type_mapping_type: "*" description: > Kubernetes annotations map - name: replicaset.name type: keyword description: > Kubernetes replicaset name - name: deployment.name type: keyword description: > Kubernetes deployment name - name: statefulset.name type: keyword description: > Kubernetes statefulset name - name: container.name type: keyword description: > Kubernetes container name - name: container.image type: keyword description: > Kubernetes container image PKiiPK!W3 synthetics-1.0.6/data_stream/tcp/fields/resolve.ymlUT d- name: resolve type: group description: > Host lookup fields. fields: - name: ip type: ip description: > IP address found for the given host. - name: rtt type: group description: Duration required to resolve an IP from hostname. fields: - name: us type: long description: Duration in microseconds PKc pPK!W2 synthetics-1.0.6/data_stream/tcp/fields/socks5.ymlUT d- name: socks5 type: group description: > SOCKS5 proxy related fields: fields: - name: rtt type: group description: > TLS layer round trip times. fields: - name: connect type: group description: > Time required to establish a connection via SOCKS5 to endpoint based on available connection to SOCKS5 proxy. fields: - name: us type: long description: Duration in microseconds PK=PK!W3 synthetics-1.0.6/data_stream/tcp/fields/summary.ymlUT d- name: summary type: group description: "Present in the last event emitted during a check. If a monitor checks multiple endpoints, as is the case with `mode: all`." fields: - name: up type: integer description: > The number of endpoints that succeeded - name: down type: integer description: > The number of endpoints that failed - name: status type: keyword description: > The status of this check as a whole. Either up or down. - name: attempt type: short description: > When performing a check this number is 1 for the first check, and increments in the event of a retry. - name: max_attempts type: short description: > The maximum number of checks that may be performed. Note, the actual number may be smaller. - name: final_attempt type: boolean description: > True if no further checks will be performed in this retry group. - name: retry_group type: keyword description: >- A unique token used to group checks across attempts. PK. [[PK!W/ synthetics-1.0.6/data_stream/tcp/fields/tcp.ymlUT d- name: tcp type: group description: > TCP network layer related fields. fields: - name: rtt type: group description: > TCP layer round trip times. fields: - name: connect type: group description: > Duration required to establish a TCP connection based on already available IP address. fields: - name: us type: long description: Duration in microseconds - name: validate type: group description: > Duration of validation step based on existing TCP connection. fields: - name: us type: long description: Duration in microseconds PKR+PK!W/ synthetics-1.0.6/data_stream/tcp/fields/tls.ymlUT d- name: tls type: group description: > TLS layer related fields. fields: - name: certificate_not_valid_before type: date deprecated: 7.8.0 description: Deprecated in favor of `tls.server.x509.not_before`. Earliest time at which the connection's certificates are valid. - name: certificate_not_valid_after deprecated: 7.8.0 type: date description: Deprecated in favor of `tls.server.x509.not_after`. Latest time at which the connection's certificates are valid. - name: rtt type: group description: > TLS layer round trip times. fields: - name: handshake type: group description: > Time required to finish TLS handshake based on already available network connection. fields: - name: us type: long description: Duration in microseconds - name: server type: group description: Detailed x509 certificate metadata fields: - name: version_number type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false PKmٯPK!W- synthetics-1.0.6/data_stream/tcp/manifest.ymlUT dtype: synthetics title: synthetic monitor check dataset: tcp ilm_policy: synthetics-synthetics.tcp-default_policy elasticsearch: index_template: mappings: dynamic: false settings: index: codec: best_compression sort.field: - "monitor.id" - "url.full.keyword" privileges.indices: [auto_configure, create_doc, read] streams: - input: synthetics/tcp title: Synthetic monitor check description: Monitor the health of an TCP endpoint template_path: tcp.yml.hbs enabled: false vars: - name: __ui type: yaml title: metadata about the package multi: false required: false show_user: false - name: enabled type: bool title: Whether the monitor is enabled multi: false required: true show_user: true default: true - name: type type: text title: Monitor type multi: false required: true show_user: true default: tcp - name: name type: text title: Monitor name multi: false required: false show_user: true - name: schedule type: text title: Schedule multi: false required: true show_user: true default: "\"@every 3m\"" - name: hosts type: text title: Host # do not change this to true, we specifically want it to be singular multi: false required: true show_user: true - name: service.name type: text title: APM Service Name multi: false required: false show_user: true - name: timeout type: text title: Timeout multi: false required: false show_user: true - name: proxy_url type: text title: Proxy URL multi: false required: false show_user: true - name: proxy_use_local_resolver type: bool title: Proxy URL multi: false required: false show_user: true default: false - name: tags type: yaml title: Tags multi: false required: false show_user: true - name: check.send type: text title: Request payload multi: false required: false show_user: true - name: check.receive type: text title: Response includes multi: false required: false show_user: true - name: ssl.certificate_authorities type: yaml title: Certificate authorities multi: false required: false show_user: true - name: ssl.certificate type: yaml title: Certificate multi: false required: false show_user: true - name: ssl.key type: yaml title: Certificate private key multi: false required: false show_user: true - name: ssl.key_passphrase type: text title: Private key passphrase multi: false required: false show_user: true - name: ssl.verification_mode type: text title: SSL Verification mode multi: false required: false show_user: true - name: ssl.supported_protocols type: yaml title: Supported protocols multi: false required: false show_user: true - name: location_name type: text title: Location name multi: false required: false show_user: true default: "Fleet managed" - name: location_id type: text title: Location id multi: false required: false show_user: true default: "fleet_managed" - name: id type: text title: id multi: false required: false show_user: false - name: origin type: text title: Origin of the monitor, ui or project multi: false required: false show_user: false - name: mode type: text title: Heartbeat mode multi: false required: false show_user: true - name: ipv4 type: bool title: Use the ipv4 protocol multi: false required: false show_user: true default: true - name: ipv6 type: bool title: Use the ipv6 protocol multi: false required: false show_user: true default: true - name: processors type: yaml title: Processors multi: false required: false show_user: false description: >- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. - name: max_attempts type: integer title: Max attempts multi: false required: false show_user: true PKX_`PK!W synthetics-1.0.6/docs/UT dPK!W synthetics-1.0.6/docs/README.mdUT d# Elastic Synthetics The system uses the Elastic Synthetics integration in the background to provide access to [Synthetics private locations](/app/synthetics/settings/private-locations). It is installed by default and you do not need to edit or remove this integration manually. If you still have monitors set up with this integration, you have to [migrate them to the Synthetics app](https://www.elastic.co/guide/en/observability/current/synthetics-migrate-from-integration.html). For more information on setting up and managing monitors using the new Synthetics app, check the [documentation](https://www.elastic.co/guide/en/observability/current/monitor-uptime-synthetics.html).PK40XPK!W synthetics-1.0.6/img/UT dPK!W/ synthetics-1.0.6/img/uptime-logo-color-64px.svgUT d uptime-logo-color-64px Created with Sketch. PK2Я PK!W synthetics-1.0.6/kibana/UT dPK!W" synthetics-1.0.6/kibana/dashboard/UT dPK!WV synthetics-1.0.6/kibana/dashboard/synthetics-e465c570-1561-11ee-9d3b-15ab835418fd.jsonUT d{ "attributes": { "description": "Approximates billing usage based on synthetics data, letting you drill down on a monitor by monitor basis as well.", "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"observer.geo.name\",\"negate\":false,\"type\":\"exists\"},\"query\":{\"exists\":{\"field\":\"observer.geo.name\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" }, "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"useMargins\":true}", "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"## How to Estimate Synthetics Usage / Pricing with this Dashboard\\n\\nThis dashboard can be used to approximate the cost of using the Elastic Synthetics service given your current monitors. Note that it does not use the more precise metrics used by our actual cloud service to determine actual costs. In some uncommon scenarios costs may differ.\\n\\nThis dashboard does not distinguish monitors running in private locations from those running on the service. If all of your monitors currently run on the service you can ignore this. If your monitors currently run on private locations you can use this tool to estimate the cost of running those same monitors on the cloud.\\n\\nNote that pricing data should be determined via https://www.elastic.co/pricing/ , and may vary based on your exchange rate and/or contract terms. If, for instance, your rate for browser monitor execution is $0.014 you can multiply the number of browser billing units used by this number to arrive at an estimated cost. Additionally, please note that this dashboard is only useful for estimating execution costs for the synthetics service, but does not include storage, network transfer, and other associated costs.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":17,\"i\":\"1a8368df-8290-41b1-94d2-1075420921e9\",\"w\":19,\"x\":0,\"y\":0},\"panelIndex\":\"1a8368df-8290-41b1-94d2-1075420921e9\",\"type\":\"visualization\",\"version\":\"8.8.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"7258d186-6430-4b51-bb67-2603cdfb4652\",\"name\":\"indexpattern-datasource-layer-65aa1d2b-0064-4055-a37f-6144a7d1f3c7\",\"type\":\"index-pattern\"},{\"id\":\"7258d186-6430-4b51-bb67-2603cdfb4652\",\"name\":\"6b4c5a50-e5b3-4286-937e-19180234d9f3\",\"type\":\"index-pattern\"},{\"id\":\"7258d186-6430-4b51-bb67-2603cdfb4652\",\"name\":\"71168abb-5031-44c6-a5f3-9a0fa5cb7ef7\",\"type\":\"index-pattern\"}],\"state\":{\"adHocDataViews\":{},\"datasourceStates\":{\"formBased\":{\"layers\":{\"65aa1d2b-0064-4055-a37f-6144a7d1f3c7\":{\"columnOrder\":[\"72eb0e95-8f74-4f7f-a226-3cb7f9f9fcc1\",\"90ab8754-84f5-425e-9866-3fc32420bb1d\"],\"columns\":{\"72eb0e95-8f74-4f7f-a226-3cb7f9f9fcc1\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Estimated Browser Billing Units\",\"operationType\":\"sum\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"est_billing_units\"},\"90ab8754-84f5-425e-9866-3fc32420bb1d\":{\"dataType\":\"number\",\"isBucketed\":false,\"isStaticValue\":true,\"label\":\"Static value: 150000\",\"operationType\":\"static_value\",\"params\":{\"value\":\"150000\"},\"references\":[],\"scale\":\"ratio\"}},\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"field\":\"summary.down\",\"index\":\"6b4c5a50-e5b3-4286-937e-19180234d9f3\",\"key\":\"summary.down\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"summary.down\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"field\":\"monitor.type\",\"index\":\"71168abb-5031-44c6-a5f3-9a0fa5cb7ef7\",\"key\":\"monitor.type\",\"negate\":false,\"params\":{\"query\":\"browser\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"monitor.type\":\"browser\"}}}],\"internalReferences\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layerId\":\"65aa1d2b-0064-4055-a37f-6144a7d1f3c7\",\"layerType\":\"data\",\"metricAccessor\":\"72eb0e95-8f74-4f7f-a226-3cb7f9f9fcc1\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"80dd067e-cdff-4f0e-b031-daddb2c7369e\",\"w\":7,\"x\":19,\"y\":0},\"panelIndex\":\"80dd067e-cdff-4f0e-b031-daddb2c7369e\",\"title\":\"Estimated Billing Units by Type\",\"type\":\"lens\",\"version\":\"8.8.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"7258d186-6430-4b51-bb67-2603cdfb4652\",\"name\":\"indexpattern-datasource-layer-6678cd95-fa07-4ba2-957f-1c05120c4f35\",\"type\":\"index-pattern\"},{\"id\":\"7258d186-6430-4b51-bb67-2603cdfb4652\",\"name\":\"25828960-9aed-4a3f-a41f-3f636a7dc357\",\"type\":\"index-pattern\"}],\"state\":{\"adHocDataViews\":{},\"datasourceStates\":{\"formBased\":{\"layers\":{\"6678cd95-fa07-4ba2-957f-1c05120c4f35\":{\"columnOrder\":[\"00f6b2f4-fadd-4781-a74a-92d2e478c7b1\",\"43a2aed5-cd1b-4cf1-b8fb-4ab75cd70dc8\"],\"columns\":{\"00f6b2f4-fadd-4781-a74a-92d2e478c7b1\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 20 values of observer.geo.name\",\"operationType\":\"terms\",\"params\":{\"exclude\":[],\"excludeIsRegex\":false,\"include\":[],\"includeIsRegex\":false,\"missingBucket\":false,\"orderBy\":{\"columnId\":\"43a2aed5-cd1b-4cf1-b8fb-4ab75cd70dc8\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":20},\"scale\":\"ordinal\",\"sourceField\":\"observer.geo.name\"},\"43a2aed5-cd1b-4cf1-b8fb-4ab75cd70dc8\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of est_billing_units\",\"operationType\":\"sum\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"est_billing_units\"}},\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"field\":\"monitor.type\",\"index\":\"25828960-9aed-4a3f-a41f-3f636a7dc357\",\"key\":\"monitor.type\",\"negate\":false,\"params\":{\"query\":\"browser\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"monitor.type\":\"browser\"}}}],\"internalReferences\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"00f6b2f4-fadd-4781-a74a-92d2e478c7b1\"},{\"columnId\":\"43a2aed5-cd1b-4cf1-b8fb-4ab75cd70dc8\",\"isTransposed\":false}],\"layerId\":\"6678cd95-fa07-4ba2-957f-1c05120c4f35\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"3bcd0e7f-4bad-496f-9e8a-1cef8af9cb10\",\"w\":12,\"x\":26,\"y\":1},\"panelIndex\":\"3bcd0e7f-4bad-496f-9e8a-1cef8af9cb10\",\"title\":\"Browser Locations\",\"type\":\"lens\",\"version\":\"8.8.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"7258d186-6430-4b51-bb67-2603cdfb4652\",\"name\":\"indexpattern-datasource-layer-65aa1d2b-0064-4055-a37f-6144a7d1f3c7\",\"type\":\"index-pattern\"},{\"id\":\"7258d186-6430-4b51-bb67-2603cdfb4652\",\"name\":\"6f557a27-c62b-4f6a-851d-20fc3eed3ae0\",\"type\":\"index-pattern\"},{\"id\":\"7258d186-6430-4b51-bb67-2603cdfb4652\",\"name\":\"76438927-6522-4b44-8fba-2c2f6c93a485\",\"type\":\"index-pattern\"}],\"state\":{\"adHocDataViews\":{},\"datasourceStates\":{\"formBased\":{\"layers\":{\"65aa1d2b-0064-4055-a37f-6144a7d1f3c7\":{\"columnOrder\":[\"72eb0e95-8f74-4f7f-a226-3cb7f9f9fcc1\",\"90ab8754-84f5-425e-9866-3fc32420bb1d\"],\"columns\":{\"72eb0e95-8f74-4f7f-a226-3cb7f9f9fcc1\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Lightweight Locations\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"observer.geo.name\"},\"90ab8754-84f5-425e-9866-3fc32420bb1d\":{\"dataType\":\"number\",\"isBucketed\":false,\"isStaticValue\":true,\"label\":\"Static value: 150000\",\"operationType\":\"static_value\",\"params\":{\"value\":\"150000\"},\"references\":[],\"scale\":\"ratio\"}},\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"field\":\"summary.down\",\"index\":\"6f557a27-c62b-4f6a-851d-20fc3eed3ae0\",\"key\":\"summary.down\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"summary.down\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"field\":\"monitor.type\",\"index\":\"76438927-6522-4b44-8fba-2c2f6c93a485\",\"key\":\"monitor.type\",\"negate\":true,\"params\":{\"query\":\"browser\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"monitor.type\":\"browser\"}}}],\"internalReferences\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layerId\":\"65aa1d2b-0064-4055-a37f-6144a7d1f3c7\",\"layerType\":\"data\",\"metricAccessor\":\"72eb0e95-8f74-4f7f-a226-3cb7f9f9fcc1\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"60d4a656-5d83-4827-9bc6-89c02f247726\",\"w\":7,\"x\":19,\"y\":9},\"panelIndex\":\"60d4a656-5d83-4827-9bc6-89c02f247726\",\"title\":\"Total Lightweight Locations\",\"type\":\"lens\",\"version\":\"8.8.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"7258d186-6430-4b51-bb67-2603cdfb4652\",\"name\":\"indexpattern-datasource-layer-42ee11c3-ab9a-4b73-a2ba-65c4ad273b2d\",\"type\":\"index-pattern\"},{\"id\":\"7258d186-6430-4b51-bb67-2603cdfb4652\",\"name\":\"7e003f05-a106-4350-a1ab-eb70c7dd2b0a\",\"type\":\"index-pattern\"}],\"state\":{\"adHocDataViews\":{},\"datasourceStates\":{\"formBased\":{\"layers\":{\"42ee11c3-ab9a-4b73-a2ba-65c4ad273b2d\":{\"columnOrder\":[\"e500b751-5940-4f43-a3ee-5fc4c8347ca8\",\"2d7b32d6-d0e6-4db5-a399-6aa4341f7c76\"],\"columns\":{\"2d7b32d6-d0e6-4db5-a399-6aa4341f7c76\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Monitors\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"monitor.name\"},\"e500b751-5940-4f43-a3ee-5fc4c8347ca8\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 20 values of observer.geo.name\",\"operationType\":\"terms\",\"params\":{\"exclude\":[],\"excludeIsRegex\":false,\"include\":[],\"includeIsRegex\":false,\"missingBucket\":false,\"orderBy\":{\"columnId\":\"2d7b32d6-d0e6-4db5-a399-6aa4341f7c76\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":20},\"scale\":\"ordinal\",\"sourceField\":\"observer.geo.name\"}},\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"field\":\"monitor.type\",\"index\":\"7e003f05-a106-4350-a1ab-eb70c7dd2b0a\",\"key\":\"monitor.type\",\"negate\":true,\"params\":{\"query\":\"browser\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"monitor.type\":\"browser\"}}}],\"internalReferences\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"2d7b32d6-d0e6-4db5-a399-6aa4341f7c76\"},{\"columnId\":\"e500b751-5940-4f43-a3ee-5fc4c8347ca8\",\"isTransposed\":false}],\"layerId\":\"42ee11c3-ab9a-4b73-a2ba-65c4ad273b2d\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"504faa9a-3d93-462b-995d-c50e940a247d\",\"w\":12,\"x\":26,\"y\":17},\"panelIndex\":\"504faa9a-3d93-462b-995d-c50e940a247d\",\"title\":\"Lightweight locations\",\"type\":\"lens\",\"version\":\"8.8.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"7258d186-6430-4b51-bb67-2603cdfb4652\",\"name\":\"indexpattern-datasource-layer-unifiedHistogram\",\"type\":\"index-pattern\"},{\"id\":\"7258d186-6430-4b51-bb67-2603cdfb4652\",\"name\":\"c07ca82c-d7fc-4a13-acf6-e5aaea3cf836\",\"type\":\"index-pattern\"},{\"id\":\"7258d186-6430-4b51-bb67-2603cdfb4652\",\"name\":\"2637b03d-012d-43c8-b7a0-c8a8f7bc85c4\",\"type\":\"index-pattern\"}],\"state\":{\"adHocDataViews\":{},\"datasourceStates\":{\"formBased\":{\"layers\":{\"unifiedHistogram\":{\"columnOrder\":[\"f29ec422-c9d7-4267-8ec9-62ab2621da1b\",\"date_column\",\"count_column\"],\"columns\":{\"count_column\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Billing Units\",\"operationType\":\"sum\",\"params\":{\"emptyAsNull\":true,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}}},\"scale\":\"ratio\",\"sourceField\":\"est_billing_units\"},\"date_column\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"f29ec422-c9d7-4267-8ec9-62ab2621da1b\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Most common monitors\",\"operationType\":\"terms\",\"params\":{\"accuracyMode\":true,\"exclude\":[],\"excludeIsRegex\":false,\"include\":[],\"includeIsRegex\":false,\"missingBucket\":false,\"orderBy\":{\"columnId\":\"count_column\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":50},\"scale\":\"ordinal\",\"sourceField\":\"monitor.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"field\":\"summary.down\",\"index\":\"c07ca82c-d7fc-4a13-acf6-e5aaea3cf836\",\"key\":\"summary.down\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"summary.down\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"field\":\"monitor.type\",\"index\":\"2637b03d-012d-43c8-b7a0-c8a8f7bc85c4\",\"key\":\"monitor.type\",\"negate\":false,\"params\":{\"query\":\"browser\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"monitor.type\":\"browser\"}}}],\"internalReferences\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":false,\"yLeft\":true,\"yRight\":false},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":false},\"layers\":[{\"accessors\":[\"count_column\"],\"layerId\":\"unifiedHistogram\",\"layerType\":\"data\",\"seriesType\":\"bar_stacked\",\"splitAccessor\":\"f29ec422-c9d7-4267-8ec9-62ab2621da1b\",\"xAccessor\":\"date_column\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\",\"showSingleSeries\":true},\"preferredSeriesType\":\"bar_stacked\",\"showCurrentTimeMarker\":true,\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":false},\"valueLabels\":\"hide\"}},\"title\":\"Estimated Monitor Billing History\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":14,\"i\":\"fe658793-8dd0-4c6c-860a-b9f8016fbd2e\",\"w\":26,\"x\":0,\"y\":17},\"panelIndex\":\"fe658793-8dd0-4c6c-860a-b9f8016fbd2e\",\"title\":\"Estimated Browser Monitor Billing History\",\"type\":\"lens\",\"version\":\"8.8.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"7258d186-6430-4b51-bb67-2603cdfb4652\",\"name\":\"indexpattern-datasource-layer-e1869c68-3f80-4b33-b75f-f9668b5bcd94\",\"type\":\"index-pattern\"},{\"id\":\"7258d186-6430-4b51-bb67-2603cdfb4652\",\"name\":\"d56bc5ac-37c2-4db8-958e-df713a2544d7\",\"type\":\"index-pattern\"},{\"id\":\"7258d186-6430-4b51-bb67-2603cdfb4652\",\"name\":\"d3bfc8e4-9bf7-4421-be2b-e2acd639dc62\",\"type\":\"index-pattern\"},{\"id\":\"7258d186-6430-4b51-bb67-2603cdfb4652\",\"name\":\"59367fc9-7eff-4a02-ad14-145824e57772\",\"type\":\"index-pattern\"}],\"state\":{\"adHocDataViews\":{},\"datasourceStates\":{\"formBased\":{\"layers\":{\"e1869c68-3f80-4b33-b75f-f9668b5bcd94\":{\"columnOrder\":[\"aa589a53-6c45-4f0e-9f18-81dd4aae2e07\",\"b75998ac-91fa-436e-8038-a17c90045564\",\"113a352d-2e76-4c19-bd0d-295ac23e6131\",\"113a352d-2e76-4c19-bd0d-295ac23e6131X0\"],\"columns\":{\"113a352d-2e76-4c19-bd0d-295ac23e6131\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Billing Units\",\"operationType\":\"formula\",\"params\":{\"formula\":\"sum(est_billing_units)\",\"isFormulaBroken\":false},\"references\":[\"113a352d-2e76-4c19-bd0d-295ac23e6131X0\"],\"scale\":\"ratio\"},\"113a352d-2e76-4c19-bd0d-295ac23e6131X0\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Part of Total Billing Units\",\"operationType\":\"sum\",\"params\":{\"emptyAsNull\":false},\"scale\":\"ratio\",\"sourceField\":\"est_billing_units\"},\"aa589a53-6c45-4f0e-9f18-81dd4aae2e07\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 100 values of monitor.name\",\"operationType\":\"terms\",\"params\":{\"accuracyMode\":true,\"exclude\":[],\"excludeIsRegex\":false,\"include\":[],\"includeIsRegex\":false,\"missingBucket\":false,\"orderBy\":{\"fallback\":true,\"type\":\"alphabetical\"},\"orderDirection\":\"asc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":100},\"scale\":\"ordinal\",\"sourceField\":\"monitor.name\"},\"b75998ac-91fa-436e-8038-a17c90045564\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"View\",\"operationType\":\"terms\",\"params\":{\"exclude\":[],\"excludeIsRegex\":false,\"include\":[],\"includeIsRegex\":false,\"missingBucket\":false,\"orderBy\":{\"fallback\":true,\"type\":\"alphabetical\"},\"orderDirection\":\"asc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"synthetics_url\"}},\"incompleteColumns\":{},\"sampling\":1}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"field\":\"summary.down\",\"index\":\"d56bc5ac-37c2-4db8-958e-df713a2544d7\",\"key\":\"summary.down\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"summary.down\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"field\":\"monitor.type\",\"index\":\"d3bfc8e4-9bf7-4421-be2b-e2acd639dc62\",\"key\":\"monitor.type\",\"negate\":false,\"params\":{\"query\":\"browser\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"monitor.type\":\"browser\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"field\":\"est_billing_units\",\"index\":\"59367fc9-7eff-4a02-ad14-145824e57772\",\"key\":\"est_billing_units\",\"negate\":false,\"params\":{\"gte\":\"1\",\"lt\":\"999999999999\"},\"type\":\"range\",\"value\":{\"gte\":\"1\",\"lt\":\"999999999999\"}},\"query\":{\"range\":{\"est_billing_units\":{\"gte\":\"1\",\"lt\":\"999999999999\"}}}}],\"internalReferences\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"aa589a53-6c45-4f0e-9f18-81dd4aae2e07\"},{\"columnId\":\"113a352d-2e76-4c19-bd0d-295ac23e6131\",\"width\":233.8888888888889},{\"columnId\":\"b75998ac-91fa-436e-8038-a17c90045564\",\"hidden\":false,\"isTransposed\":false}],\"layerId\":\"e1869c68-3f80-4b33-b75f-f9668b5bcd94\",\"layerType\":\"data\",\"sorting\":{\"columnId\":\"113a352d-2e76-4c19-bd0d-295ac23e6131\",\"direction\":\"desc\"}}},\"title\":\"Estimated Monitor Billing History\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":28,\"i\":\"82239bad-4227-4fa7-8907-bdf529c211a9\",\"w\":17,\"x\":0,\"y\":31},\"panelIndex\":\"82239bad-4227-4fa7-8907-bdf529c211a9\",\"title\":\"Top Monitors (by billed amount)\",\"type\":\"lens\",\"version\":\"8.8.0\"}]", "timeRestore": false, "title": "[Synthetics] Estimated Billing", "version": 1 }, "coreMigrationVersion": "8.7.0", "created_at": "2023-08-04T15:02:43.944Z", "id": "synthetics-e465c570-1561-11ee-9d3b-15ab835418fd", "migrationVersion": { "dashboard": "8.7.0" }, "references": [ { "id": "7258d186-6430-4b51-bb67-2603cdfb4652", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, { "id": "7258d186-6430-4b51-bb67-2603cdfb4652", "name": "80dd067e-cdff-4f0e-b031-daddb2c7369e:indexpattern-datasource-layer-65aa1d2b-0064-4055-a37f-6144a7d1f3c7", "type": "index-pattern" }, { "id": "7258d186-6430-4b51-bb67-2603cdfb4652", "name": "80dd067e-cdff-4f0e-b031-daddb2c7369e:6b4c5a50-e5b3-4286-937e-19180234d9f3", "type": "index-pattern" }, { "id": "7258d186-6430-4b51-bb67-2603cdfb4652", "name": "80dd067e-cdff-4f0e-b031-daddb2c7369e:71168abb-5031-44c6-a5f3-9a0fa5cb7ef7", "type": "index-pattern" }, { "id": "7258d186-6430-4b51-bb67-2603cdfb4652", "name": "3bcd0e7f-4bad-496f-9e8a-1cef8af9cb10:indexpattern-datasource-layer-6678cd95-fa07-4ba2-957f-1c05120c4f35", "type": "index-pattern" }, { "id": "7258d186-6430-4b51-bb67-2603cdfb4652", "name": "3bcd0e7f-4bad-496f-9e8a-1cef8af9cb10:25828960-9aed-4a3f-a41f-3f636a7dc357", "type": "index-pattern" }, { "id": "7258d186-6430-4b51-bb67-2603cdfb4652", "name": "60d4a656-5d83-4827-9bc6-89c02f247726:indexpattern-datasource-layer-65aa1d2b-0064-4055-a37f-6144a7d1f3c7", "type": "index-pattern" }, { "id": "7258d186-6430-4b51-bb67-2603cdfb4652", "name": "60d4a656-5d83-4827-9bc6-89c02f247726:6f557a27-c62b-4f6a-851d-20fc3eed3ae0", "type": "index-pattern" }, { "id": "7258d186-6430-4b51-bb67-2603cdfb4652", "name": "60d4a656-5d83-4827-9bc6-89c02f247726:76438927-6522-4b44-8fba-2c2f6c93a485", "type": "index-pattern" }, { "id": "7258d186-6430-4b51-bb67-2603cdfb4652", "name": "504faa9a-3d93-462b-995d-c50e940a247d:indexpattern-datasource-layer-42ee11c3-ab9a-4b73-a2ba-65c4ad273b2d", "type": "index-pattern" }, { "id": "7258d186-6430-4b51-bb67-2603cdfb4652", "name": "504faa9a-3d93-462b-995d-c50e940a247d:7e003f05-a106-4350-a1ab-eb70c7dd2b0a", "type": "index-pattern" }, { "id": "7258d186-6430-4b51-bb67-2603cdfb4652", "name": "fe658793-8dd0-4c6c-860a-b9f8016fbd2e:indexpattern-datasource-layer-unifiedHistogram", "type": "index-pattern" }, { "id": "7258d186-6430-4b51-bb67-2603cdfb4652", "name": "fe658793-8dd0-4c6c-860a-b9f8016fbd2e:c07ca82c-d7fc-4a13-acf6-e5aaea3cf836", "type": "index-pattern" }, { "id": "7258d186-6430-4b51-bb67-2603cdfb4652", "name": "fe658793-8dd0-4c6c-860a-b9f8016fbd2e:2637b03d-012d-43c8-b7a0-c8a8f7bc85c4", "type": "index-pattern" }, { "id": "7258d186-6430-4b51-bb67-2603cdfb4652", "name": "82239bad-4227-4fa7-8907-bdf529c211a9:indexpattern-datasource-layer-e1869c68-3f80-4b33-b75f-f9668b5bcd94", "type": "index-pattern" }, { "id": "7258d186-6430-4b51-bb67-2603cdfb4652", "name": "82239bad-4227-4fa7-8907-bdf529c211a9:d56bc5ac-37c2-4db8-958e-df713a2544d7", "type": "index-pattern" }, { "id": "7258d186-6430-4b51-bb67-2603cdfb4652", "name": "82239bad-4227-4fa7-8907-bdf529c211a9:d3bfc8e4-9bf7-4421-be2b-e2acd639dc62", "type": "index-pattern" }, { "id": "7258d186-6430-4b51-bb67-2603cdfb4652", "name": "82239bad-4227-4fa7-8907-bdf529c211a9:59367fc9-7eff-4a02-ad14-145824e57772", "type": "index-pattern" } ], "type": "dashboard" }PK]l__PK!W& synthetics-1.0.6/kibana/index_pattern/UT dPK!WO synthetics-1.0.6/kibana/index_pattern/7258d186-6430-4b51-bb67-2603cdfb4652.jsonUT d{ "attributes": { "fieldAttrs": "{\"est_billing_units\":{\"count\":2},\"monitor.id\":{\"count\":1},\"monitor.name\":{\"count\":1},\"observer.geo.name\":{\"count\":2},\"monitor.duration.us\":{\"count\":1}}", "fieldFormatMap": "{\"synthetics_url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"\",\"pathname\":\"/app/discover\",\"basePath\":\"\"},\"type\":\"a\",\"urlTemplate\":null,\"labelTemplate\":\"View Monitor\",\"width\":null,\"height\":null}},\"synthetics_error_url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"\",\"pathname\":\"/app/discover\",\"basePath\":\"\"},\"type\":\"a\",\"urlTemplate\":\"\",\"labelTemplate\":\"View Error\",\"width\":null,\"height\":null}}}", "fields": "[]", "name": "synthetics-dashboard", "runtimeFieldMap": "{\"est_billing_units\":{\"type\":\"long\",\"script\":{\"source\":\"if (doc['monitor.duration.us'].size() \u003e 0) {\\n long dur = doc['monitor.duration.us'][0];\\n double frac = Math.ceil(((double)(dur) / 1000000) / 60);\\n emit((long)(frac));\\n}\"}},\"synthetics_url\":{\"type\":\"keyword\",\"script\":{\"source\":\"if (doc['monitor.id'].size() \u003e 0) {\\n emit(\\\"/app/synthetics/monitor/\\\" + doc['monitor.id'][0])\\n}\"}},\"synthetics_error_url\":{\"type\":\"keyword\",\"script\":{\"source\":\"if (doc['monitor.id'].size() \u003e 0 \u0026\u0026 doc['state.status'].size() \u003e 0 \u0026\u0026 doc['state.status'][0] != \\\"up\\\") {\\n emit(\\\"/app/synthetics/monitor/\\\" + doc['monitor.id'][0] + \\\"/errors/\\\" + doc['state.id'][0])\\n}\"}}}", "sourceFilters": "[]", "timeFieldName": "@timestamp", "title": "synthetics-*", "typeMeta": "{}" }, "coreMigrationVersion": "8.8.0", "created_at": "2023-06-27T14:15:54.692Z", "id": "7258d186-6430-4b51-bb67-2603cdfb4652", "managed": true, "references": [], "type": "index-pattern", "migrationVersion": { "index-pattern": "8.0.0" }, "updated_at": "2023-07-07T18:53:09.336Z", "version": "WzE3NTksM10=" }PK N9PK!W synthetics-1.0.6/manifest.ymlUT dformat_version: 1.0.0 name: synthetics title: Elastic Synthetics description: Internal Elastic integration for providing access to private locations. version: 1.0.6 categories: ["observability"] release: ga type: integration license: basic policy_templates: - name: synthetics title: Elastic Synthetics description: Perform synthetic health checks on network endpoints. inputs: - type: synthetics/http title: HTTP description: Perform an HTTP check - type: synthetics/tcp title: TCP description: Perform a TCP check - type: synthetics/icmp title: ICMP description: Perform an ICMP check - type: synthetics/browser title: Browser description: Perform an Browser check conditions: kibana.version: "^8.10.0" icons: - src: /img/uptime-logo-color-64px.svg size: 16x16 type: image/svg+xml owner: github: elastic/uptime PKJ 0PK!W Asynthetics-1.0.6/UT dPK!Wgj 8synthetics-1.0.6/LICENSE.txtUT dPK!WkH$H$ synthetics-1.0.6/changelog.ymlUT dPK!W A<4synthetics-1.0.6/data_stream/UT dPK!W% A4synthetics-1.0.6/data_stream/browser/UT dPK!W+ A4synthetics-1.0.6/data_stream/browser/agent/UT dPK!W2 A5synthetics-1.0.6/data_stream/browser/agent/stream/UT dPK!WA w5synthetics-1.0.6/data_stream/browser/agent/stream/browser.yml.hbsUT dPK!W3 A:synthetics-1.0.6/data_stream/browser/elasticsearch/UT dPK!W7 A;synthetics-1.0.6/data_stream/browser/elasticsearch/ilm/UT dPK!W##J l;synthetics-1.0.6/data_stream/browser/elasticsearch/ilm/default_policy.jsonUT dPK!W, A>synthetics-1.0.6/data_stream/browser/fields/UT dPK!W?#uu; c>synthetics-1.0.6/data_stream/browser/fields/base-fields.ymlUT dPK!WZғnn4 J@synthetics-1.0.6/data_stream/browser/fields/beat.ymlUT dPK!W!Gvv5 #Asynthetics-1.0.6/data_stream/browser/fields/cloud.ymlUT dPK!W26 Bsynthetics-1.0.6/data_stream/browser/fields/common.ymlUT dPK!Wqø6 VSsynthetics-1.0.6/data_stream/browser/fields/docker.ymlUT dPK!WT3 {Tsynthetics-1.0.6/data_stream/browser/fields/ecs.ymlUT dPK!WM 4 .synthetics-1.0.6/data_stream/browser/fields/http.ymlUT dPK!WD :synthetics-1.0.6/data_stream/browser/fields/jolokia-autodiscover.ymlUT dPK!Wii: 6?synthetics-1.0.6/data_stream/browser/fields/kubernetes.ymlUT dPK!W=6 Esynthetics-1.0.6/data_stream/browser/fields/socks5.ymlUT dPK!Wbqf\\7 yGsynthetics-1.0.6/data_stream/browser/fields/summary.ymlUT dPK!Waݎ?* * : CLsynthetics-1.0.6/data_stream/browser/fields/synthetics.ymlUT dPK!WR+3 Ysynthetics-1.0.6/data_stream/browser/fields/tcp.ymlUT dPK!WG{oo1 8]synthetics-1.0.6/data_stream/browser/manifest.ymlUT dPK!W- Apsynthetics-1.0.6/data_stream/browser_network/UT dPK!W3 Acpsynthetics-1.0.6/data_stream/browser_network/agent/UT dPK!W: Apsynthetics-1.0.6/data_stream/browser_network/agent/stream/UT dPK!W ^^Q qsynthetics-1.0.6/data_stream/browser_network/agent/stream/browser.network.yml.hbsUT dPK!W; Arsynthetics-1.0.6/data_stream/browser_network/elasticsearch/UT dPK!W? Afrsynthetics-1.0.6/data_stream/browser_network/elasticsearch/ilm/UT dPK!We;y!!R rsynthetics-1.0.6/data_stream/browser_network/elasticsearch/ilm/default_policy.jsonUT dPK!W4 Avusynthetics-1.0.6/data_stream/browser_network/fields/UT dPK!WAc}}C usynthetics-1.0.6/data_stream/browser_network/fields/base-fields.ymlUT dPK!WZғnn< wsynthetics-1.0.6/data_stream/browser_network/fields/beat.ymlUT dPK!W!Gvv= xsynthetics-1.0.6/data_stream/browser_network/fields/cloud.ymlUT dPK!W55> ysynthetics-1.0.6/data_stream/browser_network/fields/common.ymlUT dPK!Wqø> =synthetics-1.0.6/data_stream/browser_network/fields/docker.ymlUT dPK!WT; jsynthetics-1.0.6/data_stream/browser_network/fields/ecs.ymlUT dPK!W!<< \synthetics-1.0.6/data_stream/browser_network/fields/http.ymlUT dPK!WL ksynthetics-1.0.6/data_stream/browser_network/fields/jolokia-autodiscover.ymlUT dPK!WiiB osynthetics-1.0.6/data_stream/browser_network/fields/kubernetes.ymlUT dPK!Wc p? usynthetics-1.0.6/data_stream/browser_network/fields/resolve.ymlUT dPK!W=> wsynthetics-1.0.6/data_stream/browser_network/fields/socks5.ymlUT dPK!WAVV? zsynthetics-1.0.6/data_stream/browser_network/fields/summary.ymlUT dPK!WݐttB ~synthetics-1.0.6/data_stream/browser_network/fields/synthetics.ymlUT dPK!WR+; Ԅsynthetics-1.0.6/data_stream/browser_network/fields/tcp.ymlUT dPK!WBS9 6synthetics-1.0.6/data_stream/browser_network/manifest.ymlUT dPK!W0 A]synthetics-1.0.6/data_stream/browser_screenshot/UT dPK!W6 Asynthetics-1.0.6/data_stream/browser_screenshot/agent/UT dPK!W= Asynthetics-1.0.6/data_stream/browser_screenshot/agent/stream/UT dPK!W ^^W usynthetics-1.0.6/data_stream/browser_screenshot/agent/stream/browser.screenshot.yml.hbsUT dPK!W> Aasynthetics-1.0.6/data_stream/browser_screenshot/elasticsearch/UT dPK!WB Aƍsynthetics-1.0.6/data_stream/browser_screenshot/elasticsearch/ilm/UT dPK!We;y!!U /synthetics-1.0.6/data_stream/browser_screenshot/elasticsearch/ilm/default_policy.jsonUT dPK!W7 Aܐsynthetics-1.0.6/data_stream/browser_screenshot/fields/UT dPK!Ws+F :synthetics-1.0.6/data_stream/browser_screenshot/fields/base-fields.ymlUT dPK!WZғnn? 7synthetics-1.0.6/data_stream/browser_screenshot/fields/beat.ymlUT dPK!W!Gvv@ synthetics-1.0.6/data_stream/browser_screenshot/fields/cloud.ymlUT dPK!W55A synthetics-1.0.6/data_stream/browser_screenshot/fields/common.ymlUT dPK!WqøA synthetics-1.0.6/data_stream/browser_screenshot/fields/docker.ymlUT dPK!Wj> synthetics-1.0.6/data_stream/browser_screenshot/fields/ecs.ymlUT dPK!WO Ixsynthetics-1.0.6/data_stream/browser_screenshot/fields/jolokia-autodiscover.ymlUT dPK!WiiE |synthetics-1.0.6/data_stream/browser_screenshot/fields/kubernetes.ymlUT dPK!W=A wsynthetics-1.0.6/data_stream/browser_screenshot/fields/socks5.ymlUT dPK!W. [[B synthetics-1.0.6/data_stream/browser_screenshot/fields/summary.ymlUT dPK!W5]E synthetics-1.0.6/data_stream/browser_screenshot/fields/synthetics.ymlUT dPK!WILL< Isynthetics-1.0.6/data_stream/browser_screenshot/manifest.ymlUT dPK!W" Asynthetics-1.0.6/data_stream/http/UT dPK!W( AQsynthetics-1.0.6/data_stream/http/agent/UT dPK!W/ Asynthetics-1.0.6/data_stream/http/agent/stream/UT dPK!WW`; synthetics-1.0.6/data_stream/http/agent/stream/http.yml.hbsUT dPK!W0 Asynthetics-1.0.6/data_stream/http/elasticsearch/UT dPK!W4 Aosynthetics-1.0.6/data_stream/http/elasticsearch/ilm/UT dPK!W##G ʟsynthetics-1.0.6/data_stream/http/elasticsearch/ilm/default_policy.jsonUT dPK!W) Aksynthetics-1.0.6/data_stream/http/fields/UT dPK!WF{%;;8 synthetics-1.0.6/data_stream/http/fields/base-fields.ymlUT dPK!WZғnn1 esynthetics-1.0.6/data_stream/http/fields/beat.ymlUT dPK!W!Gvv2 ;synthetics-1.0.6/data_stream/http/fields/cloud.ymlUT dPK!Wpj3 synthetics-1.0.6/data_stream/http/fields/common.ymlUT dPK!Wqø3 esynthetics-1.0.6/data_stream/http/fields/docker.ymlUT dPK!WT0 synthetics-1.0.6/data_stream/http/fields/ecs.ymlUT dPK!WM 1 synthetics-1.0.6/data_stream/http/fields/http.ymlUT dPK!WA synthetics-1.0.6/data_stream/http/fields/jolokia-autodiscover.ymlUT dPK!Wii7 9synthetics-1.0.6/data_stream/http/fields/kubernetes.ymlUT dPK!Wc p4 synthetics-1.0.6/data_stream/http/fields/resolve.ymlUT dPK!W=3 synthetics-1.0.6/data_stream/http/fields/socks5.ymlUT dPK!W. [[4 asynthetics-1.0.6/data_stream/http/fields/summary.ymlUT dPK!WR+0 'synthetics-1.0.6/data_stream/http/fields/tcp.ymlUT dPK!Wmٯ0 ~synthetics-1.0.6/data_stream/http/fields/tls.ymlUT dPK!W{{. synthetics-1.0.6/data_stream/http/manifest.ymlUT dPK!W" Atsynthetics-1.0.6/data_stream/icmp/UT dPK!W( Asynthetics-1.0.6/data_stream/icmp/agent/UT dPK!W/ A synthetics-1.0.6/data_stream/icmp/agent/stream/UT dPK!WJee; bsynthetics-1.0.6/data_stream/icmp/agent/stream/icmp.yml.hbsUT dPK!W0 A9synthetics-1.0.6/data_stream/icmp/elasticsearch/UT dPK!W4 Asynthetics-1.0.6/data_stream/icmp/elasticsearch/ilm/UT dPK!W##G synthetics-1.0.6/data_stream/icmp/elasticsearch/ilm/default_policy.jsonUT dPK!W) Asynthetics-1.0.6/data_stream/icmp/fields/UT dPK!WF{%;;8 synthetics-1.0.6/data_stream/icmp/fields/base-fields.ymlUT dPK!WZғnn1 synthetics-1.0.6/data_stream/icmp/fields/beat.ymlUT dPK!W!Gvv2 \synthetics-1.0.6/data_stream/icmp/fields/cloud.ymlUT dPK!W 3 ;synthetics-1.0.6/data_stream/icmp/fields/common.ymlUT dPK!Wqø3 synthetics-1.0.6/data_stream/icmp/fields/docker.ymlUT dPK!WT0 synthetics-1.0.6/data_stream/icmp/fields/ecs.ymlUT dPK!WX1{{1 .synthetics-1.0.6/data_stream/icmp/fields/icmp.ymlUT dPK!WA synthetics-1.0.6/data_stream/icmp/fields/jolokia-autodiscover.ymlUT dPK!Wii7 Lsynthetics-1.0.6/data_stream/icmp/fields/kubernetes.ymlUT dPK!Wc p4 #synthetics-1.0.6/data_stream/icmp/fields/resolve.ymlUT dPK!W=3 synthetics-1.0.6/data_stream/icmp/fields/socks5.ymlUT dPK!W. [[4 tsynthetics-1.0.6/data_stream/icmp/fields/summary.ymlUT dPK!Wmٯ0 :synthetics-1.0.6/data_stream/icmp/fields/tls.ymlUT dPK!W\o,,. Psynthetics-1.0.6/data_stream/icmp/manifest.ymlUT dPK!W! Asynthetics-1.0.6/data_stream/tcp/UT dPK!W' A)synthetics-1.0.6/data_stream/tcp/agent/UT dPK!W. Awsynthetics-1.0.6/data_stream/tcp/agent/stream/UT dPK!W>9 synthetics-1.0.6/data_stream/tcp/agent/stream/tcp.yml.hbsUT dPK!W/ ANsynthetics-1.0.6/data_stream/tcp/elasticsearch/UT dPK!W3 Asynthetics-1.0.6/data_stream/tcp/elasticsearch/ilm/UT dPK!W##F synthetics-1.0.6/data_stream/tcp/elasticsearch/ilm/default_policy.jsonUT dPK!W( Asynthetics-1.0.6/data_stream/tcp/fields/UT dPK!WF{%;;7 synthetics-1.0.6/data_stream/tcp/fields/base-fields.ymlUT dPK!WZғnn0 synthetics-1.0.6/data_stream/tcp/fields/beat.ymlUT dPK!W!Gvv1 ksynthetics-1.0.6/data_stream/tcp/fields/cloud.ymlUT dPK!WVz֩2 Isynthetics-1.0.6/data_stream/tcp/fields/common.ymlUT dPK!Wqø2 synthetics-1.0.6/data_stream/tcp/fields/docker.ymlUT dPK!WT/ synthetics-1.0.6/data_stream/tcp/fields/ecs.ymlUT dPK!W@ 8synthetics-1.0.6/data_stream/tcp/fields/jolokia-autodiscover.ymlUT dPK!Wii6 rsynthetics-1.0.6/data_stream/tcp/fields/kubernetes.ymlUT dPK!Wc p3 Hsynthetics-1.0.6/data_stream/tcp/fields/resolve.ymlUT dPK!W=2 2synthetics-1.0.6/data_stream/tcp/fields/socks5.ymlUT dPK!W. [[3 synthetics-1.0.6/data_stream/tcp/fields/summary.ymlUT dPK!WR+/ \synthetics-1.0.6/data_stream/tcp/fields/tcp.ymlUT dPK!Wmٯ/ synthetics-1.0.6/data_stream/tcp/fields/tls.ymlUT dPK!WX_`- synthetics-1.0.6/data_stream/tcp/manifest.ymlUT dPK!W A!synthetics-1.0.6/docs/UT dPK!W40X "synthetics-1.0.6/docs/README.mdUT dPK!W A%synthetics-1.0.6/img/UT dPK!W2Я / W%synthetics-1.0.6/img/uptime-logo-color-64px.svgUT dPK!W Al0synthetics-1.0.6/kibana/UT dPK!W" A0synthetics-1.0.6/kibana/dashboard/UT dPK!W]l__V 0synthetics-1.0.6/kibana/dashboard/synthetics-e465c570-1561-11ee-9d3b-15ab835418fd.jsonUT dPK!W& Asynthetics-1.0.6/kibana/index_pattern/UT dPK!W N9O ސsynthetics-1.0.6/kibana/index_pattern/7258d186-6430-4b51-bb67-2603cdfb4652.jsonUT dPK!WJ 0 ssynthetics-1.0.6/manifest.ymlUT dPK=h