/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements. * Licensed under the Elastic License 2.0; you may not use this file except in compliance with the Elastic License 2.0. */ (window.osquery_bundle_jsonpfunction=window.osquery_bundle_jsonpfunction||[]).push([[7],{168:function(e,i,t){var n;e.exports=function e(i,t,o){function r(l,s){if(!t[l]){if(!i[l]){if(!s&&"function"==typeof n&&n)return n(l,!0);if(a)return a(l,!0);var p=new Error("Cannot find module '"+l+"'");throw p.code="MODULE_NOT_FOUND",p}var d=t[l]={exports:{}};i[l][0].call(d.exports,(function(e){return r(i[l][1][e]||e)}),d,d.exports,e,i,t,o)}return t[l].exports}for(var a="function"==typeof n&&n,l=0;l0){for(i=1,t=1;i0},function(e,i){return{args:Object.assign(i,e)}},function(e){return{filter:P(e)}},E("OVER clause"),function(e){return{over:e}},E("Window name"),function(e){return{type:"identifier",variant:"window",name:e}},E("Window specification"),function(e,i,t){return Object.assign({type:"window"},e,i,t)},function(e){return{source:e}},E("window partition clause"),function(e){return{partition:e}},E("Error Message"),function(e){return e},E("Statement"),function(e,i){return Object.assign(i,e)},E("QUERY PLAN"),function(e,i){return{explain:C(e)}},E("QUERY PLAN Keyword"),function(e,i){return j([e,i])},E("END Transaction Statement"),function(e,i){return{type:"statement",variant:"transaction",action:"commit"}},E("BEGIN Transaction Statement"),function(e,i,t,n){return Object.assign({type:"statement",variant:"transaction",action:"begin"},i,n)},function(e){return e},function(e){return{defer:P(e)}},E("ROLLBACK Statement"),function(e,i){return Object.assign({type:"statement",variant:"transaction",action:"rollback"},i)},E("TO Clause"),function(e){return{savepoint:e}},function(e){return P(e)},E("SAVEPOINT Statement"),function(e,i){return{type:"statement",variant:e,target:i}},E("RELEASE Statement"),function(e,i,t){return{type:"statement",variant:P(e),target:t}},E("ALTER TABLE Statement"),function(e,i,t){return Object.assign({type:"statement",variant:P(e),target:i},t)},E("ALTER TABLE Keyword"),function(e,i){return j([e,i])},E("RENAME TO Keyword"),function(e,i){return{action:P(e),name:i}},E("ADD COLUMN Keyword"),function(e,i){return{action:P(e),definition:i}},function(e,i){return Object.assign(i,e)},E("WITH Clause"),function(e,i,t){var n={variant:C(i)?"recursive":"common"};return M(t)&&(t=t.map((function(e){return Object.assign(e,n)}))),{with:t}},function(e,i){return R([e,i])},E("Common Table Expression"),function(e,i){return Object.assign({type:"expression",format:"table",variant:"common",target:e},i)},function(e){return{expression:e}},function(e,i){return Object.assign(i,e)},E("SET statement"),function(e,i,t){return Object.assign({type:"statement",variant:"set",local:e||!1,target:i},t)},"local",$("LOCAL",!0),function(){return!0},"session",$("SESSION",!0),function(){return!1},"current",$("CURRENT",!0),function(){return{kind:"current"}},function(){return{kind:"default"}},function(e){return{kind:"value",args:e}},function(e,i){return{type:"expression",variant:"list",expression:[e].concat(r(i))}},function(e){return e},function(e){return{type:"statement",variant:"show",target:e}},"time",$("TIME",!0),"zone",$("ZONE",!0),function(){return{type:"identifier",variant:"variable",name:"timezone"}},"transaction",$("TRANSACTION",!0),"isolation",$("ISOLATION",!0),"level",$("LEVEL",!0),function(){return{type:"identifier",variant:"variable",name:"transaction_isolation"}},"authorization",$("AUTHORIZATION",!0),function(){return{type:"identifier",variant:"variable",name:"session_authorization"}},"all",$("ALL",!0),function(){return{type:"identifier",variant:"variable",name:"all"}},E("ATTACH Statement"),function(e,i,t,n){return{type:"statement",variant:P(e),target:n,attach:t}},E("DETACH Statement"),function(e,i,t){return{type:"statement",variant:P(e),target:t}},E("VACUUM Statement"),function(e,i){return Object.assign({type:"statement",variant:"vacuum"},i)},function(e){return{target:e}},E("ANALYZE Statement"),function(e,i){return Object.assign({type:"statement",variant:P(e)},i)},function(e){return{target:e.name}},E("REINDEX Statement"),function(e){return{target:e.name}},E("PRAGMA Statement"),function(e,i,t){return{type:"statement",variant:P(e),target:i,args:{type:"expression",variant:"list",expression:t}}},function(e){return/^(yes|no|on|off|false|true|0|1)$/i.test(e)},function(e){return{type:"literal",variant:"boolean",normalized:/^(yes|on|true|1)$/i.test(e)?"1":"0",value:e}},function(e){return P(e)},function(e){return{type:"identifier",variant:"name",name:e}},E("SELECT Statement"),function(e,i,t,n){return Object.assign(e,i,t,n)},function(e,i,t,n){return Object.assign(e,i,n,t)},E("SELECT ... FOR locking clause"),function(){return{}},function(e,i){return{locking:R([e,i])}},function(e){return e},function(e,i,t){return Object.assign({type:"expression",variant:"locking",strength:N(e).toLowerCase()},i,t)},function(e){return{target:e}},function(e,i){return R([e,i])},function(e){return{policy:N(e).toLowerCase()}},E("WINDOW clause"),function(e){return{window:e}},function(e,i){return Object.assign(i,{target:e})},E("ORDER BY Clause"),function(e){return{order:e.result}},E("LIMIT Clause"),function(e,i,t){return{limit:Object.assign({type:"expression",variant:"limit",start:i},t)}},function(e){return{limit:{type:"expression",variant:"limit",offset:e}}},E("OFFSET Clause"),function(e,i){return{offset:i}},function(e,i){return M(i)?{type:"statement",variant:"compound",statement:e,compound:i}:e},E("Union Operation"),function(e,i){return{type:"compound",variant:e,statement:i}},function(e,i,t,n,o){return Object.assign({type:"statement",variant:"select"},e,i,t,n,o)},E("SELECT Results Clause"),function(e,i){return Object.assign({result:i},e)},E("SELECT Results Modifier"),function(e){return{distinct:!0}},function(e){return{}},E("FROM Clause"),function(e,i){return{from:i}},E("WHERE Clause"),function(e,i){return{where:O(i)}},E("GROUP BY Clause"),function(e,i,t){return Object.assign({group:i},t)},E("HAVING Clause"),function(e,i){return{having:i}},function(e,i){return{type:"identifier",variant:"star",name:N([e,i])}},function(e,i){return N([e,i])},function(e,i){return Object.assign(e,i)},function(e,i){return M(i)?{type:"map",variant:"join",source:e,map:i}:e},function(e,i){return Object.assign(e,i)},E("CROSS JOIN Operation"),function(e){return{type:"join",variant:"cross join",source:e}},E("JOIN Operation"),function(e,i){return{type:"join",variant:P(e),source:i}},function(e,i){return Object.assign(i,e)},function(e,i,t){return Object.assign({type:"function",variant:"table",name:e,args:i},t)},function(e,i){return{alias:e,columns:i}},function(e){return{columns:e}},function(e,i){return R([e,i])},function(e,i,t){return Object.assign({type:"definition",variant:"column",name:e,datatype:i},t)},function(){return{lateral:!0}},E("Qualified Table"),function(e,i){return Object.assign(e,i)},E("Qualified Table Identifier"),function(e,i){return Object.assign(e,i)},E("Qualfied Table Index"),function(e,i){return{index:i}},function(e,i){return{index:j([e,i])}},E("SELECT Source"),function(e,i){return Object.assign(e,i)},E("Subquery"),function(e,i){return Object.assign(e,i)},E("Alias"),function(e,i,t){return Object.assign({alias:i},t)},E("JOIN Operator"),function(e,i,t){return j([e,i,t])},function(e,i){return j([e,i])},function(e){return P(e)},E("JOIN Constraint"),function(e){return{constraint:Object.assign({type:"constraint",variant:"join"},e)}},E("Join ON Clause"),function(e,i){return{format:P(e),on:i}},E("Join USING Clause"),function(e,i){return{format:P(e),using:i}},E("VALUES Clause"),function(e,i){return{type:"statement",variant:"select",result:i}},function(e,i){return{result:R([e,i])}},E("Ordering Expression"),function(e,i,t){return C(i)||C(t)?Object.assign({type:"expression",variant:"order",expression:e},i,t):e},function(e){return{nulls:P(e)}},E("Star"),E("Fallback Type"),E("INSERT Statement"),function(e,i,t,n){return Object.assign({type:"statement",variant:"insert"},e,i,t,n)},E("RETURNING clause"),function(e){return{returning:e}},E("INSERT Keyword"),function(e,i){return Object.assign({action:P(e)},i)},E("REPLACE Keyword"),function(e){return{action:P(e)}},E("INSERT OR Modifier"),function(e,i){return{or:P(i)}},function(e,i){return Object.assign({into:e},i)},E("INTO Clause"),function(e,i){return i},E("INTO Keyword"),function(e){return{result:e}},E("PostgreSQL INSERT ON CONFLICT clause"),"do",$("DO",!0),function(e,i){return{conflict:Object.assign(i,e)}},E("PostgreSQL ON CONFLICT action"),function(e,i,t){return Object.assign({action:e},i,t)},"nothing",$("NOTHING",!0),function(e){return{action:P(e)}},E("PostgreSQL ON CONFLICT expression"),function(e,i){return{on:Object.assign({columns:e},i)}},function(e){return{on:{constraint:e}}},E("Column List"),function(e,i){return{columns:R([e,i])}},function(e){return e},E("Column Name"),function(e){return{type:"identifier",variant:"column",name:e}},function(e,i){return i},E("VALUES Keyword"),E("Wrapped Expression List"),function(e){return e},E("DEFAULT VALUES Clause"),function(e,i){return{type:"values",variant:"default"}},E("Compound Operator"),E("UNION Operator"),function(e,i){return j([e,i])},function(e){return e},E("UPDATE Statement"),function(e,i,t,n,o,r,a,l){return Object.assign({type:"statement",variant:e,into:t},i,n,o,r,a,l)},E("UPDATE Keyword"),E("UPDATE OR Modifier"),function(e){return{or:P(e)}},E("SET Clause"),function(e){return{set:e}},E("Column Assignment"),function(e,i){return{type:"assignment",target:e,value:i}},E("UPDATE value expression"),function(){return{type:"literal",variant:"default",value:"default"}},E("DELETE Statement"),function(e,i,t,n,o,r){return Object.assign({type:"statement",variant:e,from:i},t,n,o,r)},E("DELETE Keyword"),E("CREATE Statement"),E("CREATE TABLE Statement"),function(e,i,t,n){return Object.assign({type:"statement",name:t},e,n,i)},function(e,i,t){return Object.assign({variant:e,format:P(t)},i)},function(e){return{temporary:C(e)}},E("IF NOT EXISTS Modifier"),function(e,i,t){return{condition:O({type:"condition",variant:P(e),condition:{type:"expression",variant:P(t),operator:j([i,t])}})}},E("Table Definition"),function(e,i,t){return Object.assign({definition:R([e,i])},t)},function(e,i){return{optimization:[{type:"optimization",value:j([e,i])}]}},function(e){return e},E("Column Definition"),function(e,i,t){return Object.assign({type:"definition",variant:"column",name:e,definition:C(t)?t:[]},i)},E("Column Datatype"),function(e){return{datatype:e}},E("Column Constraint"),function(e,i,t){return Object.assign(i,e)},function(e){return e[e.length-1]},E("CONSTRAINT Name"),function(e){return{name:e}},E("FOREIGN KEY Column Constraint"),function(e){return Object.assign({variant:"foreign key"},e)},E("PRIMARY KEY Column Constraint"),function(e,i,t,n){return Object.assign(e,t,i,n)},E("PRIMARY KEY Keyword"),function(e,i){return{type:"constraint",variant:j([e,i])}},E("AUTOINCREMENT Keyword"),function(e){return{autoIncrement:!0}},function(e,i){return Object.assign({type:"constraint",variant:e},i)},E("UNIQUE Column Constraint"),E("NULL Column Constraint"),function(e,i){return j([e,i])},E("CHECK Column Constraint"),E("DEFAULT Column Constraint"),function(e,i){return{type:"constraint",variant:P(e),value:i}},E("COLLATE Column Constraint"),function(e){return{type:"constraint",variant:"collate",collate:e}},E("Table Constraint"),function(e,i,t){return Object.assign({type:"definition",variant:"constraint"},i,e)},E("CHECK Table Constraint"),function(e){return{definition:O(e)}},E("PRIMARY KEY Table Constraint"),function(e,i,t){return{definition:O(Object.assign(e,t,i[1])),columns:i[0]}},function(e){return{type:"constraint",variant:P(e)}},function(e,i){return j([e,i])},E("UNIQUE Keyword"),function(e){return P(e)},function(e,i){return[e].concat(i)},function(e){return e.map((function(e){return n(e,1)[0]}))},function(e){var i=e.find((function(e){var i=n(e,2);return i[0],C(i[1])}));return[e.map((function(e){var i=n(e,2),t=i[0];return i[1],t})),i?i[1]:null]},E("Indexed Column"),function(e,i,t){var n=e;return C(i)&&(n=Object.assign({type:"expression",variant:"order",expression:e},i)),[n,t]},E("Collation"),function(e){return{collate:O(e)}},E("Column Direction"),function(e){return{direction:P(e)}},function(e,i){return{conflict:P(i)}},E("ON CONFLICT Keyword"),function(e,i){return j([e,i])},function(e,i){return{type:"constraint",variant:P(e),expression:i}},E("FOREIGN KEY Table Constraint"),function(e,i,t){return Object.assign({definition:O(Object.assign(e,t))},i)},E("FOREIGN KEY Keyword"),function(e,i){return{type:"constraint",variant:j([e,i])}},function(e,i,t){return Object.assign({type:"constraint"},e,i,t)},E("REFERENCES Clause"),function(e,i){return{references:i}},function(e,i){return{action:R([e,i])}},E("FOREIGN KEY Action Clause"),function(e,i,t){return{type:"action",variant:P(e),action:P(t)}},E("FOREIGN KEY Action"),function(e,i){return j([e,i])},function(e){return P(e)},function(e,i){return j([e,i])},function(e,i){return{type:"action",variant:P(e),action:i}},E("DEFERRABLE Clause"),function(e,i,t){return{defer:j([e,i,t])}},function(e,i){return j([e,i])},function(e){return{definition:O(e)}},E("CREATE INDEX Statement"),function(e,i,t,n,o){return Object.assign({type:"statement",target:t,on:n},e,i,o)},function(e,i,t){return Object.assign({variant:P(e),format:P(t)},i)},function(e){return{unique:!0}},E("ON Clause"),function(e,i,t){return{type:"identifier",variant:"expression",format:"table",name:i.name,columns:t}},E("CREATE TRIGGER Statement"),function(e,i,t,n,o,r,a,l){return Object.assign({type:"statement",target:t,on:o,event:n,by:C(r)?r:"row",action:O(l)},e,i,a)},function(e,i,t){return Object.assign({variant:P(e),format:P(t)},i)},E("Conditional Clause"),function(e,i){return Object.assign({type:"event"},e,i)},function(e){return{occurs:P(e)}},function(e,i){return j([e,i])},E("Conditional Action"),function(e){return{event:P(e)}},function(e,i){return{event:P(e),of:i}},function(e,i){return i},"statement",$("STATEMENT",!0),function(e,i,t){return P(t)},function(e,i){return{when:i}},E("Actions Clause"),function(e,i,t){return i},function(e){return e},E("CREATE VIEW Statement"),function(e,i,t,n){return Object.assign({type:"statement",target:t,result:n},e,i)},function(e,i){return Object.assign({type:"identifier",variant:"expression",format:"view",name:e.name,columns:[]},i)},function(e,i,t){return Object.assign({variant:P(e),format:P(t)},i)},E("CREATE VIRTUAL TABLE Statement"),function(e,i,t,n){return Object.assign({type:"statement",target:t,result:n},e,i)},function(e,i,t){return{variant:P(e),format:P(i)}},function(e,i){return Object.assign({type:"module",variant:"virtual",name:e},i)},E("Module Arguments"),function(e){return{args:{type:"expression",variant:"list",expression:C(e)?e:[]}}},function(e,i){return R([e,i]).filter((function(e){return C(e)}))},E("DROP Statement"),function(e,i){return Object.assign({type:"statement",target:Object.assign(i,{variant:e.format})},e)},E("DROP Keyword"),function(e,i,t){return Object.assign({variant:P(e),format:i,condition:[]},t)},E("DROP Type"),E("IF EXISTS Keyword"),function(e,i){return{condition:[{type:"condition",variant:P(e),condition:{type:"expression",variant:P(i),operator:P(i)}}]}},E("Or"),E("Add"),E("Subtract"),E("Multiply"),E("Divide"),E("Modulo"),E("Shift Left"),E("Shift Right"),E("Logical AND"),E("Logical OR"),E("Less Than"),E("Greater Than"),E("Less Than Or Equal"),E("Greater Than Or Equal"),E("Equal"),E("Not Equal"),E("PostgreSQL custom binary operarator"),function(e){var i=e.join("");if(i.includes("--")||i.includes("/*"))return!1;var t=e[e.length-1];return"-"!==t&&"+"!==t||i.match(/[~@#%^&|`?]/)},function(e){return e.join("")},E("IS"),function(e,i){return j([e,i])},E("Identifier"),E("Database Identifier"),function(e){return{type:"identifier",variant:"database",name:e}},E("Function Identifier"),function(e,i){return{type:"identifier",variant:"function",name:N([e,i])}},E("Table Identifier"),function(e,i){return{type:"identifier",variant:"table",name:N([e,i])}},function(e,i){return N([e,i])},E("Column Identifier"),function(e,i,t){return Object.assign({type:"identifier",variant:"column",name:N([e,i])},t)},E("value indirection"),function(e){return{element:e}},function(e,i){return R([e,i])},function(e){return{type:"indirection",variant:"attribute",attribute:e}},function(e){return{type:"indirection",variant:"star",attribute:e}},function(e,i){return Object.assign({type:"indirection",variant:"slice"},e,i)},function(e){return Object.assign({type:"indirection",variant:"slice"},e)},function(e){return{type:"indirection",variant:"index",index:e}},function(e){return{lower:e}},function(e){return{upper:e}},function(){return""},function(e,i){return N([e,i])},E("Collation Identifier"),function(e){return{type:"identifier",variant:"collation",name:e}},E("Savepoint Identifier"),function(e){return{type:"identifier",variant:"savepoint",name:e}},E("Index Identifier"),function(e,i){return{type:"identifier",variant:"index",name:N([e,i])}},E("Trigger Identifier"),function(e,i){return{type:"identifier",variant:"trigger",name:N([e,i])}},E("View Identifier"),function(e,i){return{type:"identifier",variant:"view",name:N([e,i])}},E("Pragma Identifier"),function(e,i){return{type:"identifier",variant:"pragma",name:N([e,i])}},E("Variable Identifier"),function(e,i){return{type:"identifier",variant:"variable",name:N([e,i])}},E("CTE Identifier"),function(e){return e},function(e,i){return Object.assign({type:"identifier",variant:"expression",format:"table",name:e.name,columns:[]},i)},E("Table Constraint Identifier"),function(e){return{type:"identifier",variant:"constraint",format:"table",name:e}},E("Column Constraint Identifier"),function(e){return{type:"identifier",variant:"constraint",format:"column",name:e}},E("Datatype Name"),function(e){return[e,"text"]},function(e){return[e,"real"]},function(e){return[e,"numeric"]},function(e){return[e,"integer"]},function(e){return[e,"none"]},E("TEXT Datatype Name"),"n",$("N",!0),"var",$("VAR",!0),"char",$("CHAR",!0),"tiny",$("TINY",!0),"medium",$("MEDIUM",!0),"long",$("LONG",!0),"text",$("TEXT",!0),"clob",$("CLOB",!0),E("REAL Datatype Name"),"float",$("FLOAT",!0),"real",$("REAL",!0),E("DOUBLE Datatype Name"),"double",$("DOUBLE",!0),"precision",$("PRECISION",!0),function(e,i){return N([e,i])},E("NUMERIC Datatype Name"),"numeric",$("NUMERIC",!0),"decimal",$("DECIMAL",!0),"boolean",$("BOOLEAN",!0),"date",$("DATE",!0),"stamp",$("STAMP",!0),"string",$("STRING",!0),E("INTEGER Datatype Name"),"int",$("INT",!0),"2",$("2",!1),"4",$("4",!1),"8",$("8",!1),"eger",$("EGER",!0),"big",$("BIG",!0),"small",$("SMALL",!0),"floating",$("FLOATING",!0),"point",$("POINT",!0),function(e,i){return N([e,i])},E("BLOB Datatype Name"),"blob",$("BLOB",!0),/^[a-z0-9$_]/i,v([["a","z"],["0","9"],"$","_"],!1,!0),"\\u",$("\\u",!1),/^[a-f0-9]/i,v([["a","f"],["0","9"]],!1,!0),function(e,i){return N([e,i]).toLowerCase()},function(e){return P(e)},{type:"any"},function(e){return U(e)},/^[ \t]/,v([" ","\t"],!1,!1),'"',$('"',!1),'""',$('""',!1),/^[^"]/,v(['"'],!0,!1),function(e){return F(e,'"')},"'",$("'",!1),function(e){return F(e,"'")},"`",$("`",!1),"``",$("``",!1),/^[^`]/,v(["`"],!0,!1),function(e){return F(e,"`")},E("Open Bracket"),"[",$("[",!1),E("Close Bracket"),"]",$("]",!1),E("Open Parenthesis"),"(",$("(",!1),E("Close Parenthesis"),")",$(")",!1),E("Comma"),",",$(",",!1),E("Period"),".",$(".",!1),E("Asterisk"),"*",$("*",!1),E("Question Mark"),"?",$("?",!1),E("Single Quote"),E("Double Quote"),E("Backtick"),E("Tilde"),"~",$("~",!1),E("Plus"),"+",$("+",!1),E("Minus"),"-",$("-",!1),"=",$("=",!1),E("Ampersand"),"&",$("&",!1),E("Pipe"),"|",$("|",!1),"%",$("%",!1),"<",$("<",!1),">",$(">",!1),E("Exclamation"),"!",$("!",!1),E("Semicolon"),";",$(";",!1),E("Colon"),E("Forward Slash"),"/",$("/",!1),E("Backslash"),"\\",$("\\",!1),E("Operator characters"),/^[\-+*\/<>=~!@#%\^&|`]/,v(["-","+","*","/","<",">","=","~","!","@","#","%","^","&","|","`"],!1,!1),"abort",$("ABORT",!0),"action",$("ACTION",!0),"add",$("ADD",!0),"after",$("AFTER",!0),"alter",$("ALTER",!0),"analyze",$("ANALYZE",!0),"and",$("AND",!0),"array",$("ARRAY",!0),"as",$("AS",!0),"asc",$("ASC",!0),"attach",$("ATTACH",!0),"autoincrement",$("AUTOINCREMENT",!0),"before",$("BEFORE",!0),"begin",$("BEGIN",!0),"between",$("BETWEEN",!0),"by",$("BY",!0),"cascade",$("CASCADE",!0),"case",$("CASE",!0),"cast",$("CAST",!0),"check",$("CHECK",!0),"collate",$("COLLATE",!0),"column",$("COLUMN",!0),"commit",$("COMMIT",!0),"conflict",$("CONFLICT",!0),"constraint",$("CONSTRAINT",!0),"create",$("CREATE",!0),"cross",$("CROSS",!0),"current_date",$("CURRENT_DATE",!0),"current_time",$("CURRENT_TIME",!0),"current_timestamp",$("CURRENT_TIMESTAMP",!0),"database",$("DATABASE",!0),"default",$("DEFAULT",!0),"deferrable",$("DEFERRABLE",!0),"deferred",$("DEFERRED",!0),"delete",$("DELETE",!0),"desc",$("DESC",!0),"detach",$("DETACH",!0),"distinct",$("DISTINCT",!0),"drop",$("DROP",!0),"each",$("EACH",!0),"else",$("ELSE",!0),"end",$("END",!0),"escape",$("ESCAPE",!0),"except",$("EXCEPT",!0),"exclusive",$("EXCLUSIVE",!0),"exists",$("EXISTS",!0),"explain",$("EXPLAIN",!0),"fail",$("FAIL",!0),"first",$("FIRST",!0),"for",$("FOR",!0),"foreign",$("FOREIGN",!0),"from",$("FROM",!0),"full",$("FULL",!0),"glob",$("GLOB",!0),"group",$("GROUP",!0),"having",$("HAVING",!0),"if",$("IF",!0),"ignore",$("IGNORE",!0),"ilike",$("ILIKE",!0),"immediate",$("IMMEDIATE",!0),"in",$("IN",!0),"index",$("INDEX",!0),"indexed",$("INDEXED",!0),"initially",$("INITIALLY",!0),"inner",$("INNER",!0),"insert",$("INSERT",!0),"instead",$("INSTEAD",!0),"intersect",$("INTERSECT",!0),"into",$("INTO",!0),"is",$("IS",!0),"isnull",$("ISNULL",!0),"join",$("JOIN",!0),"key",$("KEY",!0),"last",$("LAST",!0),"lateral",$("LATERAL",!0),"left",$("LEFT",!0),"like",$("LIKE",!0),"limit",$("LIMIT",!0),"locked",$("LOCKED",!0),"match",$("MATCH",!0),"natural",$("NATURAL",!0),"no",$("NO",!0),"not",$("NOT",!0),"notnull",$("NOTNULL",!0),"nowait",$("NOWAIT",!0),"nulls",$("NULLS",!0),"of",$("OF",!0),"offset",$("OFFSET",!0),"on",$("ON",!0),"only",$("ONLY",!0),"or",$("OR",!0),"order",$("ORDER",!0),"outer",$("OUTER",!0),"over",$("OVER",!0),"partition",$("PARTITION",!0),"plan",$("PLAN",!0),"pragma",$("PRAGMA",!0),"primary",$("PRIMARY",!0),"query",$("QUERY",!0),"raise",$("RAISE",!0),"read",$("READ",!0),"recursive",$("RECURSIVE",!0),"references",$("REFERENCES",!0),"regexp",$("REGEXP",!0),"reindex",$("REINDEX",!0),"release",$("RELEASE",!0),"rename",$("RENAME",!0),"replace",$("REPLACE",!0),"restrict",$("RESTRICT",!0),"returning",$("RETURNING",!0),"right",$("RIGHT",!0),"rollback",$("ROLLBACK",!0),"row",$("ROW",!0),"rowid",$("ROWID",!0),"savepoint",$("SAVEPOINT",!0),"select",$("SELECT",!0),"set",$("SET",!0),"share",$("SHARE",!0),"show",$("SHOW",!0),"skip",$("SKIP",!0),"table",$("TABLE",!0),"temp",$("TEMP",!0),"temporary",$("TEMPORARY",!0),"then",$("THEN",!0),"to",$("TO",!0),"trigger",$("TRIGGER",!0),"union",$("UNION",!0),"unique",$("UNIQUE",!0),"update",$("UPDATE",!0),"using",$("USING",!0),"vacuum",$("VACUUM",!0),"values",$("VALUES",!0),"view",$("VIEW",!0),"virtual",$("VIRTUAL",!0),"when",$("WHEN",!0),"where",$("WHERE",!0),"window",$("WINDOW",!0),"with",$("WITH",!0),"without",$("WITHOUT",!0),function(e){return P(e)},function(){return null},E("Line Comment"),"--",$("--",!1),/^[\n\v\f\r]/,v(["\n","\v","\f","\r"],!1,!1),E("Block Comment"),"/*",$("/*",!1),"*/",$("*/",!1),/^[\n\v\f\r\t ]/,v(["\n","\v","\f","\r","\t"," "],!1,!1),E("Whitespace"),"__TODO__",$("__TODO__",!1)],u=[L("%;ʋ/H#;#/?$;\".\" &\"/1$;#/($8$: $!!)($'#(#'#(\"'#&'#"),L("%;ʋ/C#;#/:$;ˆ/1$;#/($8$: $!!)($'#(#'#(\"'#&'#"),L("%;ˆ/B#;ʋ/9$$;%0#*;%&/)$8#:!#\"\" )(#'#(\"'#&'#"),L("$;ǭ0#*;ǭ&"),L("$;ǭ/�#*;ǭ&&&#"),L("%;$/:#;ˆ/1$;ʋ/($8#:\"#!!)(#'#(\"'#&'#"),L('<%;).# &;*/O#;ʋ/F$;,." &"/8$;\'." &"/*$8$:$$##! )($\'#(#\'#("\'#&\'#=." 7#'),L('<%;(/9#$;(0#*;(&/)$8":&""! )("\'#&\'#.I &%;ʋ/?#;Ǻ/6$;(." &"/($8#:\'#! )(#\'#("\'#&\'#=." 7%'),L("%;ʋ/Z#;ǘ/Q$;ʋ/H$;9.\" &\"/:$;ʋ/1$;Ǚ/($8&:(&!\")(&'#(%'#($'#(#'#(\"'#&'#"),L("%;Dž/' 8!:)!! )"),L('<%;Ǐ/9#$;+0#*;+&/)$8":+""! )("\'#&\'#=." 7*'),L('%4,""5!7-/1#;Ǒ/($8":."! )("\'#&\'#'),L("<%;ǚ/R#;8/I$;ʋ/@$;-.\" &\"/2$;Ǜ/)$8%:0%\"#!)(%'#($'#(#'#(\"'#&'#=.\" 7/"),L("%;ǜ/C#;ʋ/:$;8/1$;ʋ/($8$:1$!!)($'#(#'#(\"'#&'#"),L(";8.A &;9.; &;4.5 &;/./ &;0.) &;1.# &;5"),L('<%;Ɉ/1#;ʋ/($8":3"!!)("\'#&\'#=." 72'),L('<%;Ȏ.) &;Ȑ.# &;ȏ/1#;ʋ/($8":5"!!)("\'#&\'#=." 74'),L('<%;7." &"/2#;2/)$8":7""! )("\'#&\'#=." 76'),L("<%;Ǡ/A#$;30#*;3&/1$;Ǡ/($8#:9#!!)(#'#(\"'#&'#=.\" 78"),L('2:""6:7;.) &4<""5!7='),L('<%4?""5!7@/1#;2/($8":A"! )("\'#&\'#=." 7>'),L('<%;&/8#;1.# &;B/)$8":C""! )("\'#&\'#=." 7B'),L("%;Ǒ.# &;Ǖ/' 8!:D!! )"),L('<%;Ǥ.# &;ǥ/\' 8!:"!! )=." 7E'),L('%;7." &"/2#;9/)$8":F""! )("\'#&\'#'),L(";?.# &;:"),L('%;;/7#;>." &"/)$8":G""! )("\'#&\'#'),L('<;<.# &;==." 7H'),L('%$;A/�#*;A&&&#/7#;=." &"/)$8":I""! )("\'#&\'#'),L('%;ǝ/9#$;A0#*;A&/)$8":J""! )("\'#&\'#'),L('<%3L""5!7M/T#4N""5!7O." &"/@$$;A/�#*;A&&&#/*$8#:P##"! )(#\'#("\'#&\'#=." 7K'),L('<%3R""5"7S/?#$;@/�#*;@&&&#/)$8":T""! )("\'#&\'#=." 7Q'),L('4U""5!7V'),L('4W""5!7X'),L("<%;C.) &;E.# &;F/' 8!:Z!! )=.\" 7Y"),L('<%;ǟ/@#;D." &"/2$;ʋ/)$8#:\\#""!)(#\'#("\'#&\'#=." 7['),L('%4]""5!7^/9#$;A0#*;A&/)$8":_""! )("\'#&\'#'),L('<%4a""5!7b/H#$;Ǎ/�#*;Ǎ&&&#/2$;ʋ/)$8#:c#""!)(#\'#("\'#&\'#=." 7`'),L('<%2e""6e7f/o#$;Ǎ.) &2g""6g7h/2#0/*;Ǎ.) &2g""6g7h&&&#/A$;ʋ/8$;G." &"/*$8$:i$##" )($\'#(#\'#("\'#&\'#=." 7d'),L('%;Ǖ/1#;ʋ/($8":j"!!)("\'#&\'#'),L('<%;I." &"/;#;ʋ/2$;¤/)$8#:l#"" )(#\'#("\'#&\'#=." 7k'),L('<%;u." &"/;#;Ƞ/2$;ʋ/)$8#:n#""!)(#\'#("\'#&\'#=." 7m'),L("<%;ɗ/_#;ʋ/V$;ǚ/M$;ʋ/D$;K/;$;ʋ/2$;Ǜ/)$8':p'\"&\")(''#(&'#(%'#($'#(#'#(\"'#&'#=.\" 7o"),L("<%;L.# &;M/' 8!:r!! )=.\" 7q"),L("<%;Ȭ/' 8!:t!! )=.\" 7s"),L("%;ɣ.) &;Dz.# &;Ȣ/M#;ʋ/D$;ǜ/;$;ʋ/2$;‡/)$8%:u%\"$ )(%'#($'#(#'#(\"'#&'#"),L(";B./ &;~.) &;..# &;Ʈ"),L("%;ǚ/L#;ʋ/C$;z/:$;ʋ/1$;Ǜ/($8%:v%!\")(%'#($'#(#'#(\"'#&'#"),L(";O.G &;H.A &;h.; &;j.5 &;J./ &;Q.) &;R.# &;N"),L("<%;Ǻ/:#;ʋ/1$;S/($8#:x#! )(#'#(\"'#&'#=.\" 7w"),L("<%;Ǻ/:#;ʋ/1$;¤/($8#:z#! )(#'#(\"'#&'#=.\" 7y"),L("<%;ǘ/R#;ʋ/I$;T.# &;{/:$;ʋ/1$;Ǚ/($8%:|%!\")(%'#($'#(#'#(\"'#&'#=.\" 7{"),L('<%;S/B#;ʋ/9$$;U0#*;U&/)$8#:~#"" )(#\'#("\'#&\'#=." 7}'),L("%;ǜ/:#;ʋ/1$;S/($8#:#! )(#'#(\"'#&'#"),L("%;P/;#;ʋ/2$;Z/)$8#:€#\"\" )(#'#(\"'#&'#.# &;P"),L("<%;V/S#;ʋ/J$2‚\"\"6‚7ƒ/;$;ʋ/2$;&/)$8%:„%\"$ )(%'#($'#(#'#(\"'#&'#.# &;V=.\" 7"),L("%;Y/A#;ʋ/8$;W.# &;z/)$8#:…#\"\" )(#'#(\"'#&'#.# &;W"),L(";ǣ.U &;ǥ.O &;Ǥ.I &%%;u/8#%<;Ƞ=.##&&!&'#/#$+\")(\"'#&'#/\"!&,)"),L("<%;ŝ/' 8!:‡!! )=.\" 7†"),L("%;X/ƒ#$%;ʋ/>#;Ɩ/5$;ʋ/,$;X/#$+$)($'#(#'#(\"'#&'#0H*%;ʋ/>#;Ɩ/5$;ʋ/,$;X/#$+$)($'#(#'#(\"'#&'#&/)$8\":ˆ\"\"! )(\"'#&'#"),L("%;[/ƒ#$%;ʋ/>#;]/5$;ʋ/,$;[/#$+$)($'#(#'#(\"'#&'#0H*%;ʋ/>#;]/5$;ʋ/,$;[/#$+$)($'#(#'#(\"'#&'#&/)$8\":ˆ\"\"! )(\"'#&'#"),L(";ƙ.) &;ƚ.# &;ƛ"),L("%;\\/ƒ#$%;ʋ/>#;_/5$;ʋ/,$;\\/#$+$)($'#(#'#(\"'#&'#0H*%;ʋ/>#;_/5$;ʋ/,$;\\/#$+$)($'#(#'#(\"'#&'#&/)$8\":ˆ\"\"! )(\"'#&'#"),L(";Ɨ.# &;Ƙ"),L("%;^/ƒ#$%;ʋ/>#;a/5$;ʋ/,$;^/#$+$)($'#(#'#(\"'#&'#0H*%;ʋ/>#;a/5$;ʋ/,$;^/#$+$)($'#(#'#(\"'#&'#&/)$8\":ˆ\"\"! )(\"'#&'#"),L(";Ɯ.[ &;Ɲ.U &;Ƨ.O &;ƞ.I &%%;Ɵ/8#%<;Ɵ=.##&&!&'#/#$+\")(\"'#&'#/\"!&,)"),L("%;`/ƒ#$%;ʋ/>#;c/5$;ʋ/,$;`/#$+$)($'#(#'#(\"'#&'#0H*%;ʋ/>#;c/5$;ʋ/,$;`/#$+$)($'#(#'#(\"'#&'#&/)$8\":ˆ\"\"! )(\"'#&'#"),L(";Ƣ.{ &;ƣ.u &%%;Ơ/8#%<;a=.##&&!&'#/#$+\")(\"'#&'#/\"!&,).I &%%;ơ/8#%<;a=.##&&!&'#/#$+\")(\"'#&'#/\"!&,)"),L('%;b/9#$;e0#*;e&/)$8":ˆ""! )("\'#&\'#'),L("%;ʋ/1#;f/($8\":‰\"! )(\"'#&'#.H &%;ʋ/>#;g/5$;ʋ/,$;b/#$+$)($'#(#'#(\"'#&'#"),L('%3Š""5$7‹/?#;ʋ/6$3Œ""5$7/\'$8#:Ž# )(#\'#("\'#&\'#.? &%;ȹ/& 8!:! ).. &%;Ɇ/& 8!:Ž! )'),L(";ƨ./ &;ƥ.) &;Ʀ.# &;Ƥ"),L("<%;ȅ/i#;ʋ/`$;ǚ/W$;z/N$;ʋ/E$;i/<$;ʋ/3$;Ǜ/*$8(:‘(#'$\")(('#(''#(&'#(%'#($'#(#'#(\"'#&'#=.\" 7"),L("<%;ǻ/:#;ʋ/1$;&/($8#:“#! )(#'#(\"'#&'#=.\" 7’"),L("<%;Ȅ/“#;ʋ/Š$;k.\" &\"/|$;ʋ/s$$;l/�#*;l&&&#/]$;ʋ/T$;m.\" &\"/F$;ʋ/=$;Ȝ/4$;ʋ/+$8*:•*$)'%#)(*'#()'#(('#(''#(&'#(%'#($'#(#'#(\"'#&'#=.\" 7”"),L("%%<;ɻ=.##&&!&'#/1#;z/($8\":–\"! )(\"'#&'#"),L("<%;ɻ/i#;ʋ/`$;z/W$;ʋ/N$;ɯ/E$;ʋ/<$;z/3$;ʋ/*$8(:˜(#'%!)(('#(''#(&'#(%'#($'#(#'#(\"'#&'#=.\" 7—"),L("<%;ț/D#;ʋ/;$;z/2$;ʋ/)$8$:š$\"#!)($'#(#'#(\"'#&'#=.\" 7™"),L("%;d/;#;ʋ/2$;o/)$8#:›#\"\" )(#'#(\"'#&'#.# &;d"),L(";v./ &;p.) &;s.# &;q"),L("<%;ȸ/n#;ʋ/e$;u.\" &\"/W$;Ș/N$;ʋ/E$;Ȧ/<$;ʋ/3$;n/*$8(:(#%$ )(('#(''#(&'#(%'#($'#(#'#(\"'#&'#=.\" 7œ"),L('<%;u." &"/u#;ȿ.5 &;ȭ./ &;Ȩ.) &;ɛ.# &;ɂ/T$;ʋ/K$;n/B$;ʋ/9$;r." &"/+$8&:Ÿ&$%$" )(&\'#(%\'#($\'#(#\'#("\'#&\'#=." 7ž'),L("<%;ȝ/D#;ʋ/;$;n/2$;ʋ/)$8$:¡$\"#!)($'#(#'#(\"'#&'#=.\" 7 "),L('<%;u." &"/E#;ȁ/<$;ʋ/3$;t/*$8$:£$##" )($\'#(#\'#("\'#&\'#=." 7¢'),L("%;n/W#%;ʋ/>#;ǹ/5$;ʋ/,$;n/#$+$)($'#(#'#(\"'#&'#/)$8\":¤\"\"! )(\"'#&'#"),L('%;Ʌ/1#;ʋ/($8":¥"!!)("\'#&\'#'),L('<%;u." &"/E#;ȯ/<$;ʋ/3$;w/*$8$:§$##" )($\'#(#\'#("\'#&\'#=." 7¦'),L(";x.# &;Ƭ"),L("%;ǚ/I#;¥.# &;{/:$;ʋ/1$;Ǜ/($8$:$!\")($'#(#'#(\"'#&'#"),L("%;n/ƒ#$%;ʋ/>#;ǹ/5$;ʋ/,$;n/#$+$)($'#(#'#(\"'#&'#0H*%;ʋ/>#;ǹ/5$;ʋ/,$;n/#$+$)($'#(#'#(\"'#&'#&/)$8\":ˆ\"\"! )(\"'#&'#"),L("%;y/ƒ#$%;ʋ/>#;Ɏ/5$;ʋ/,$;y/#$+$)($'#(#'#(\"'#&'#0H*%;ʋ/>#;Ɏ/5$;ʋ/,$;y/#$+$)($'#(#'#(\"'#&'#&/)$8\":ˆ\"\"! )(\"'#&'#"),L('<%;|." &"/1#;ʋ/($8":©"!!)("\'#&\'#=." 7¨'),L("%;z/B#;ʋ/9$$;}0#*;}&/)$8#:ª#\"\" )(#'#(\"'#&'#"),L("%;ǜ/:#;z/1$;ʋ/($8#:#!!)(#'#(\"'#&'#"),L("<%;ƫ/‹#;ʋ/‚$;ǚ/y$;€.\" &\"/k$;ʋ/b$;Ǜ/Y$;ʋ/P$;.\" &\"/B$;ʋ/9$;‚.\" &\"/+$8*:¬*$)&\" )(*'#()'#(('#(''#(&'#(%'#($'#(#'#(\"'#&'#=.\" 7«"),L("<%3®\"\"5&7¯/p#;ʋ/g$;ǚ/^$;ʋ/U$;ɼ/L$;ʋ/C$;z/:$;ʋ/1$;Ǜ/($8):°)!\")()'#(('#(''#(&'#(%'#($'#(#'#(\"'#&'#=.\" 7­"),L('<%;â/\' 8!:²!! ).V &%;." &"/G#;{/>$9:³ "! -""&!&#/)$8#:´#""!)(#\'#("\'#&\'#=." 7±'),L('%;Ș.# &;Ƕ/1#;ʋ/($8":µ"!!)("\'#&\'#'),L("<%;ɑ/@#;ʋ/7$;„.# &;ƒ/($8#:·#! )(#'#(\"'#&'#=.\" 7¶"),L("<%;Ʃ/' 8!:¹!! )=.\" 7¸"),L("<%;ǚ/#;ʋ/x$;….\" &\"/j$;ʋ/a$;†.\" &\"/S$;ʋ/J$;Î.\" &\"/<$;ʋ/3$;Ǜ/*$8):»)#&$\")()'#(('#(''#(&'#(%'#($'#(#'#(\"'#&'#=.\" 7º"),L("%;ƒ/P#%<%;ʋ/,#;Ȃ/#$+\")(\"'#&'#=.##&&!&'#/($8\":¼\"!!)(\"'#&'#"),L("<%;ɒ/L#;ʋ/C$;Ȃ/:$;ʋ/1$;{/($8%:¾%! )(%'#($'#(#'#(\"'#&'#=.\" 7½"),L("<%;1/' 8!:À!! )=.\" 7¿"),L('<%;‰." &"/;#;‹/2$;ʋ/)$8#:Â#""!)(#\'#("\'#&\'#=." 7Á'),L('<%;ȡ/@#;ʋ/7$;Š." &"/)$8#:Ä#"" )(#\'#("\'#&\'#=." 7Ã'),L("<%;ɖ/D#;ʋ/;$;ɓ/2$;ʋ/)$8$:Æ$\"#!)($'#(#'#(\"'#&'#=.\" 7Å"),L(";œ._ &;ī.Y &;ƒ.S &;.M &;Œ.G &;–.A &;.; &;”.5 &;•./ &;¦.) &;¬.# &;®"),L('<%;ȉ.# &;Ȝ/@#;ʋ/7$;Ž." &"/)$8#:È#"" )(#\'#("\'#&\'#=." 7Ç'),L('<%;Ȁ/^#;ʋ/U$;." &"/G$;Ž." &"/9$;’." &"/+$8%:Ê%$$"! )(%\'#($\'#(#\'#("\'#&\'#=." 7É'),L('%;ɱ/1#;ʋ/($8":Ë"!!)("\'#&\'#'),L('%;Ȕ.) &;Ȯ.# &;ȟ/1#;ʋ/($8":Ì"!!)("\'#&\'#'),L('<%;ɣ/N#;ʋ/E$;Ž." &"/7$;‘." &"/)$8$:Î$"# )($\'#(#\'#("\'#&\'#=." 7Í'),L('<%%;ɰ/,#;ʋ/#$+")("\'#&\'#." &"/?#;“." &"/1$;’/($8#:v#! )(#\'#("\'#&\'#=." 7Ï'),L('%;ƻ/1#;ʋ/($8":Ð"!!)("\'#&\'#'),L('%;ɦ/1#;ʋ/($8":Ñ"!!)("\'#&\'#'),L('<%;“/2#;’/)$8":Ó""! )("\'#&\'#=." 7Ò'),L("<%;ɝ/J#;ʋ/A$;“.\" &\"/3$;’/*$8$:Õ$##! )($'#(#'#(\"'#&'#=.\" 7Ô"),L("<%;—/N#;Ƭ/E$;ʋ/<$;˜/3$;ʋ/*$8%:×%#$#!)(%'#($'#(#'#(\"'#&'#=.\" 7Ö"),L("<%;Ƿ/D#;ʋ/;$;ɬ/2$;ʋ/)$8$:Ù$\"#!)($'#(#'#(\"'#&'#=.\" 7Ø"),L(";™.# &;š"),L("<%;ɞ/M#;ʋ/D$;ɰ/;$;ʋ/2$;Ƭ/)$8%:Û%\"$ )(%'#($'#(#'#(\"'#&'#=.\" 7Ú"),L('<%;Ǵ/I#;ʋ/@$;›." &"/2$;ļ/)$8$:Ý$"# )($\'#(#\'#("\'#&\'#=." 7Ü'),L('%;Ȉ/1#;ʋ/($8":Ñ"!!)("\'#&\'#'),L('%;/2#;¿/)$8":Þ""! )("\'#&\'#'),L('<%;ž." &"/1#;ʋ/($8":."!!)("\'#&\'#=." 7ß'),L("%;ɾ/J#;ʋ/A$;Ÿ.\" &\"/3$; /*$8$:à$##! )($'#(#'#(\"'#&'#"),L('%;ə/1#;ʋ/($8":Ñ"!!)("\'#&\'#'),L("%;¢/B#;ʋ/9$$;¡0#*;¡&/)$8#:á#\"\" )(#'#(\"'#&'#"),L("%;ǜ/:#;¢/1$;ʋ/($8#:#!!)(#'#(\"'#&'#"),L('<%;ǁ/2#;£/)$8":ã""! )("\'#&\'#=." 7â'),L("%;ǻ/:#;ʋ/1$;¤/($8#:ä#! )(#'#(\"'#&'#"),L("%;ǚ/C#;¥/:$;ʋ/1$;Ǜ/($8$: $!\")($'#(#'#(\"'#&'#"),L('%;/2#;À/)$8":å""! )("\'#&\'#'),L("<%;ɨ/e#;ʋ/\\$;§.\" &\"/N$;ʋ/E$;ǀ/<$;ʋ/3$;¨/*$8':ç'#$\" )(''#(&'#(%'#($'#(#'#(\"'#&'#=.\" 7æ"),L('%3è""5%7é/& 8!:ê! ).4 &%3ë""5\'7ì/& 8!:í! )'),L("%;Ȧ/?#;ʋ/6$3î\"\"5'7ï/'$8#:ð# )(#'#(\"'#&'#.v &%;ɰ.# &;Ǧ/9#;ʋ/0$;Ȓ/'$8#:ñ# )(#'#(\"'#&'#.J &%;ɰ.# &;Ǧ/:#;ʋ/1$;©/($8#:ò#! )(#'#(\"'#&'#"),L('%;«/9#$;ª0#*;ª&/)$8":ó""! )("\'#&\'#'),L("%;ʋ/C#;ǜ/:$;ʋ/1$;«/($8$:ô$! )($'#(#'#(\"'#&'#"),L(";º.# &;B"),L("%;ɪ/:#;ʋ/1$;­/($8#:õ#! )(#'#(\"'#&'#"),L('%3ö""5$7÷/?#;ʋ/6$3ø""5$7ù/\'$8#:ú# )(#\'#("\'#&\'#.¶ &%3û""5+7ü/W#;ʋ/N$3ý""5)7þ/?$;ʋ/6$3ÿ""5%7Ā/\'$8%:ā% )(%\'#($\'#(#\'#("\'#&\'#.l &%3ë""5\'7ì/?#;ʋ/6$3Ă""5-7ă/\'$8#:Ą# )(#\'#("\'#&\'#.: &%3ą""5#7Ć/& 8!:ć! ).# &;ǀ'),L(";¯.; &;±.5 &;²./ &;´.) &;¶.# &;¸"),L("<%;ǽ/‹#;ʋ/‚$%;ȑ/,#;ʋ/#$+\")(\"'#&'#.\" &\"/a$;z/X$;ʋ/O$;ǻ/F$;ʋ/=$;°/4$;ʋ/+$8):ĉ)$(&%!)()'#(('#(''#(&'#(%'#($'#(#'#(\"'#&'#=.\" 7Ĉ"),L(";ƪ.) &;/.# &;B"),L("<%;ȗ/f#;ʋ/]$%;ȑ/,#;ʋ/#$+\")(\"'#&'#.\" &\"/<$;°/3$;ʋ/*$8%:ċ%#$\"!)(%'#($'#(#'#(\"'#&'#=.\" 7Ċ"),L('<%;ɷ/@#;ʋ/7$;³." &"/)$8#:č#"" )(#\'#("\'#&\'#=." 7Č'),L('%;ƪ/1#;ʋ/($8":Ď"!!)("\'#&\'#'),L('<%;Ǹ/@#;ʋ/7$;µ." &"/)$8#:Đ#"" )(#\'#("\'#&\'#=." 7ď'),L('%;Ƭ.) &;Ƽ.# &;ƪ/1#;ʋ/($8":đ"!!)("\'#&\'#'),L('<%;ɜ/I#;ʋ/@$;·." &"/2$;ʋ/)$8$:Đ$"#!)($\'#(#\'#("\'#&\'#=." 7Ē'),L('%;Ƭ.) &;Ƽ.# &;ƺ/1#;ʋ/($8":ē"!!)("\'#&\'#'),L("<%;ɔ/S#;ʋ/J$;ƿ/A$;ʋ/8$;¹.\" &\"/*$8%:ĕ%#$\" )(%'#($'#(#'#(\"'#&'#=.\" 7Ĕ"),L("%;ǚ/C#;º/:$;ʋ/1$;Ǜ/($8$:ô$!\")($'#(#'#(\"'#&'#.D &%;Ǧ/:#;º/1$;ʋ/($8#:ô#!!)(#'#(\"'#&'#"),L(";¼.) &;».# &;¾"),L(";8.) &;1.# &;6"),L('%;½/<#9:Ė ! -""&!&#/($8":ė"!!)("\'#&\'#'),L("%$;Ǎ/�#*;Ǎ&&&#/' 8!:Ę!! )"),L("%;½/' 8!:ę!! )"),L(";À./ &;Ĉ.) &;ġ.# &;ĩ"),L("<%;Ó/k#;ʋ/b$;Î.\" &\"/T$;ʋ/K$;Ï/B$;ʋ/9$;Á.\" &\"/+$8':ě'$&$\" )(''#(&'#(%'#($'#(#'#(\"'#&'#.z &%;Ó/p#;ʋ/g$;Î.\" &\"/Y$;ʋ/P$;Á.\" &\"/B$;ʋ/9$;Ï.\" &\"/+$8':Ĝ'$&$\" )(''#(&'#(%'#($'#(#'#(\"'#&'#=.\" 7Ě"),L("<;Â.^ &%;Ȥ/T#;ʋ/K$;ɘ/B$;ʋ/9$;ɍ/0$;ʋ/'$8&:Ğ& )(&'#(%'#($'#(#'#(\"'#&'#=.\" 7ĝ"),L("%;Ä/B#;ʋ/9$$;Ã0#*;Ã&/)$8#:ğ#\"\" )(#'#(\"'#&'#"),L('%;Ä/1#;ʋ/($8":Ġ"!!)("\'#&\'#'),L("%;Ȥ/j#;ʋ/a$;Å/X$;ʋ/O$;Æ.\" &\"/A$;ʋ/8$;É.\" &\"/*$8':ġ'#$\" )(''#(&'#(%'#($'#(#'#(\"'#&'#"),L(";ɵ.y &%;Ʉ/G#;ʋ/>$;Ȼ/5$;ʋ/,$;ɵ/#$+%)(%'#($'#(#'#(\"'#&'#.E &;ɩ.? &%;Ȼ/5#;ʋ/,$;ɩ/#$+#)(#'#(\"'#&'#"),L("%;Ɋ/:#;ʋ/1$;Ç/($8#:Ģ#! )(#'#(\"'#&'#"),L("%;Ƭ/B#;ʋ/9$$;È0#*;È&/)$8#:ģ#\"\" )(#'#(\"'#&'#"),L("%;ǜ/:#;ʋ/1$;Ƭ/($8#:Ġ#! )(#'#(\"'#&'#"),L("%;ɇ.? &%;ɫ/5#;ʋ/,$;Ɂ/#$+#)(#'#(\"'#&'#/' 8!:Ĥ!! )"),L("<%;ɽ/C#;ʋ/:$;Ë/1$;ʋ/($8$:Ħ$!!)($'#(#'#(\"'#&'#=.\" 7ĥ"),L("%;Í/B#;ʋ/9$$;Ì0#*;Ì&/)$8#:á#\"\" )(#'#(\"'#&'#"),L("%;ǜ/:#;Í/1$;ʋ/($8#:1#!!)(#'#(\"'#&'#"),L("%;ƒ/M#;ʋ/D$;ǻ/;$;ʋ/2$;„/)$8%:ħ%\"$ )(%'#($'#(#'#(\"'#&'#"),L("<%;ɏ/L#;ʋ/C$;Ȃ/:$;ʋ/1$;Ă/($8%:ĩ%! )(%'#($'#(#'#(\"'#&'#=.\" 7Ĩ"),L("<%;ɀ/S#;ʋ/J$;z/A$;ʋ/8$;Ð.\" &\"/*$8%:ī%#$\" )(%'#($'#(#'#(\"'#&'#.D &%;ɋ/:#;ʋ/1$;z/($8#:Ĭ#! )(#'#(\"'#&'#=.\" 7Ī"),L('<%;Ñ/2#;z/)$8":Į""! )("\'#&\'#=." 7ĭ'),L(";Ò.# &;ǜ"),L('%;ɋ/1#;ʋ/($8":Ñ"!!)("\'#&\'#'),L("%;Õ/B#;ʋ/9$$;Ô0#*;Ô&/)$8#:į#\"\" )(#'#(\"'#&'#"),L("<%;Ğ/D#;ʋ/;$;Õ/2$;ʋ/)$8$:ı$\"#!)($'#(#'#(\"'#&'#=.\" 7İ"),L(";Ö.# &;ā"),L('%;×/m#;Ý." &"/_$;Þ." &"/Q$;ß." &"/C$;ʋ/:$;Ê." &"/,$8&:IJ&%%$#" )(&\'#(%\'#($\'#(#\'#("\'#&\'#'),L('<%;ɧ/R#;ʋ/I$;Ø." &"/;$;ʋ/2$;Û/)$8%:Ĵ%"" )(%\'#($\'#(#\'#("\'#&\'#=." 7ij'),L('<;Ù.# &;Ú=." 7ĵ'),L('%;Ș/1#;ʋ/($8":Ķ"!!)("\'#&\'#'),L('%;Ƕ/1#;ʋ/($8":ķ"!!)("\'#&\'#'),L("%;á/B#;ʋ/9$$;Ü0#*;Ü&/)$8#:á#\"\" )(#'#(\"'#&'#"),L("%;ǜ/:#;á/1$;ʋ/($8#:1#!!)(#'#(\"'#&'#"),L("<%;Ȧ/D#;ʋ/;$;å/2$;ʋ/)$8$:Ĺ$\"#!)($'#(#'#(\"'#&'#=.\" 7ĸ"),L("<%;ɼ/D#;ʋ/;$;z/2$;ʋ/)$8$:Ļ$\"#!)($'#(#'#(\"'#&'#=.\" 7ĺ"),L("<%;ȩ/e#;ʋ/\\$;Ȃ/S$;ʋ/J$;{/A$;ʋ/8$;à.\" &\"/*$8':Ľ'#&\" )(''#(&'#(%'#($'#(#'#(\"'#&'#=.\" 7ļ"),L("<%;Ȫ/D#;ʋ/;$;z/2$;ʋ/)$8$:Ŀ$\"#!)($'#(#'#(\"'#&'#=.\" 7ľ"),L(";â.# &;ä"),L('%;ã." &"/2#;Ć/)$8":ŀ""! )("\'#&\'#'),L('%;Ǐ/2#;ǝ/)$8":Ł""! )("\'#&\'#'),L('%;z/@#;ʋ/7$;÷." &"/)$8#:ł#"" )(#\'#("\'#&\'#'),L("%;é/B#;ʋ/9$$;æ0#*;æ&/)$8#:Ń#\"\" )(#'#(\"'#&'#"),L('%;ç.# &;è/7#;þ." &"/)$8":ń""! )("\'#&\'#'),L("<%;ǜ/:#;é/1$;ʋ/($8#:ņ#!!)(#'#(\"'#&'#=.\" 7Ņ"),L("<%;ø/D#;ʋ/;$;é/2$;ʋ/)$8$:ň$\"#!)($'#(#'#(\"'#&'#=.\" 7Ň"),L('%;ï." &"/S#;ʋ/J$;õ.5 &;B./ &;ê.) &;ð.# &;ö/)$8#:ʼn#"" )(#\'#("\'#&\'#'),L("%;ƫ/S#;ʋ/J$;Ĝ/A$;ʋ/8$;ë.\" &\"/*$8%:Ŋ%#$\" )(%'#($'#(#'#(\"'#&'#"),L("%;ǻ.\" &\"/h#;ʋ/_$;Ǐ/V$;ʋ/M$;ǚ/D$;ì/;$;ʋ/2$;Ǜ/)$8(:ŋ(\"%\")(('#(''#(&'#(%'#($'#(#'#(\"'#&'#.n &%;ǻ/^#;ʋ/U$;ǚ/L$;ʋ/C$;ì/:$;ʋ/1$;Ǜ/($8':Ō'!\")(''#(&'#(%'#($'#(#'#(\"'#&'#.# &;÷"),L("%;í/B#;ʋ/9$$;î0#*;î&/)$8#:ō#\"\" )(#'#(\"'#&'#"),L("%;Ľ/S#;ʋ/J$;&/A$;ʋ/8$;ŝ.\" &\"/*$8%:Ŏ%#$\" )(%'#($'#(#'#(\"'#&'#"),L("%;ǜ/C#;ʋ/:$;í/1$;ʋ/($8$:Ë$!!)($'#(#'#(\"'#&'#"),L("%;Ƚ/& 8!:ŏ! )"),L('<%;ñ/@#;ʋ/7$;ò." &"/)$8#:ő#"" )(#\'#("\'#&\'#=." 7Ő'),L('<%;Ƭ/@#;ʋ/7$;÷." &"/)$8#:œ#"" )(#\'#("\'#&\'#=." 7Œ'),L('<;ó.# &;ô=." 7Ŕ'),L("%;ȱ/V#;ʋ/M$;Ȃ/D$;ʋ/;$;Ƽ/2$;ʋ/)$8&:ŕ&\"%!)(&'#(%'#($'#(#'#(\"'#&'#"),L("%;u/;#;ȱ/2$;ʋ/)$8#:Ŗ#\"\"!)(#'#(\"'#&'#"),L("<%;ǚ/R#;å/I$;ʋ/@$;Ǜ/7$;÷.\" &\"/)$8%:Ř%\"# )(%'#($'#(#'#(\"'#&'#=.\" 7ŗ"),L('<%;¤/7#;÷." &"/)$8":Ś""! )("\'#&\'#=." 7ř'),L("<%%;ǻ/Q#%%<;Ǎ.# &;ʂ=.##&&!&'#/,#;ʋ/#$+\")(\"'#&'#/#$+\")(\"'#&'#.\" &\"/S#;Ǐ/J$;ʋ/A$;ĕ.\" &\"/3$;ʋ/*$8%:Ŝ%#$#!)(%'#($'#(#'#(\"'#&'#=.\" 7ś"),L('<%;ù." &"/J#;ʋ/A$;ú." &"/3$;Ⱥ/*$8$:Ş$##! )($\'#(#\'#("\'#&\'#=." 7ŝ'),L('%;Ƀ/1#;ʋ/($8":¥"!!)("\'#&\'#'),L(";û.# &;ý"),L('%;Ⱦ.) &;ɢ.# &;ȧ/@#;ʋ/7$;ü." &"/)$8#:ş#"" )(#\'#("\'#&\'#'),L('%;ɐ/1#;ʋ/($8":Š"!!)("\'#&\'#'),L('%;ȳ.# &;ȍ/1#;ʋ/($8":Š"!!)("\'#&\'#'),L('<%;ÿ.# &;Ā/1#;ʋ/($8":Ţ"!!)("\'#&\'#=." 7š'),L('<%;Ɍ/;#;ʋ/2$;z/)$8#:Ť#"" )(#\'#("\'#&\'#=." 7ţ'),L('<%;ɶ/;#;ʋ/2$;ĕ/)$8#:Ŧ#"" )(#\'#("\'#&\'#=." 7ť'),L('<%;ɸ/;#;ʋ/2$;Ě/)$8#:Ũ#"" )(#\'#("\'#&\'#=." 7ŧ'),L("%;Ą/B#;ʋ/9$$;ă0#*;ă&/)$8#:ũ#\"\" )(#'#(\"'#&'#"),L("%;ǜ/:#;Ą/1$;ʋ/($8#:Ġ#!!)(#'#(\"'#&'#"),L('<%;z/X#;ʋ/O$;ş." &"/A$;ʋ/8$;ą." &"/*$8%:ū%#$" )(%\'#($\'#(#\'#("\'#&\'#=." 7Ū'),L("%;ɉ/@#;ʋ/7$;ȣ.# &;ȼ/($8#:Ŭ#! )(#'#(\"'#&'#"),L('<;Ǟ=." 7ŭ'),L('<;ɟ.5 &;ɣ./ &;Dz.) &;Ȣ.# &;Ȭ=." 7Ů'),L("<%;Ċ/k#;ʋ/b$;Ď/Y$;ʋ/P$;Ē.\" &\"/B$;ʋ/9$;ĉ.\" &\"/+$8':Ű'$&$\" )(''#(&'#(%'#($'#(#'#(\"'#&'#=.\" 7ů"),L("<%;ɡ/:#;ʋ/1$;Û/($8#:Ų#! )(#'#(\"'#&'#=.\" 7ű"),L(";ċ.# &;Č"),L('<%;ȴ/@#;ʋ/7$;č." &"/)$8#:Ŵ#"" )(#\'#("\'#&\'#=." 7ų'),L('<%;ɟ/1#;ʋ/($8":Ŷ"!!)("\'#&\'#=." 7ŵ'),L('<%;Ɏ/;#;ʋ/2$;ć/)$8#:Ÿ#"" )(#\'#("\'#&\'#=." 7ŷ'),L('%;ď/2#;đ/)$8":Ź""! )("\'#&\'#'),L('<%;Đ/2#;ǁ/)$8":Ż""! )("\'#&\'#=." 7ź'),L('<%;ȷ/,#;ʋ/#$+")("\'#&\'#=." 7ż'),L('<%;Ę.) &;¥.# &;ĝ/1#;ʋ/($8":Ž"!!)("\'#&\'#=." 7ŧ'),L("<%;š/j#;ʋ/a$;Ĕ.\" &\"/S$;ʋ/J$3ſ\"\"5\"7ƀ/;$;ʋ/2$;ē/)$8':Ɓ'\"$ )(''#(&'#(%'#($'#(#'#(\"'#&'#=.\" 7ž"),L("<%;Ģ/S#;ʋ/J$;Ĥ/A$;ʋ/8$;Þ.\" &\"/*$8%:ƃ%#$\" )(%'#($'#(#'#(\"'#&'#.5 &%3Ƅ\"\"5'7ƅ/' 8!:Ɔ!! )=.\" 7Ƃ"),L("<%;Ř/@#;ʋ/7$;Þ.\" &\"/)$8#:ƈ#\"\" )(#'#(\"'#&'#.V &%;Ɍ/L#;ʋ/C$;ȋ/:$;ʋ/1$;Ʃ/($8%:Ɖ%! )(%'#($'#(#'#(\"'#&'#=.\" 7Ƈ"),L("<%;ǚ/T#;ė/K$;ʋ/B$$;Ė0#*;Ė&/2$;Ǜ/)$8%:Ƌ%\"#!)(%'#($'#(#'#(\"'#&'#=.\" 7Ɗ"),L("%;ǜ/:#;ė/1$;ʋ/($8#:ƌ#!!)(#'#(\"'#&'#"),L("<%;Ʃ/' 8!:Ǝ!! )=.\" 7ƍ"),L('<%;ę/2#;Ě/)$8":Ə""! )("\'#&\'#=." 7ŧ'),L('<%;ɸ/1#;ʋ/($8":Ñ"!!)("\'#&\'#=." 7Ɛ'),L("%;Ĝ/B#;ʋ/9$$;ě0#*;ě&/)$8#:ō#\"\" )(#'#(\"'#&'#"),L("%;ǜ/:#;Ĝ/1$;ʋ/($8#:#!!)(#'#(\"'#&'#"),L("<%;ǚ/C#;{/:$;ʋ/1$;Ǜ/($8$:ƒ$!\")($'#(#'#(\"'#&'#=.\" 7Ƒ"),L('<%;Ȓ/;#;ʋ/2$;ɸ/)$8#:Ɣ#"" )(#\'#("\'#&\'#=." 7Ɠ'),L("<%;ğ.) &;ȶ.# &;Ȟ/' 8!:Ñ!! )=.\" 7ƕ"),L('<%;ɳ/@#;ʋ/7$;Ġ." &"/)$8#:Ɨ#"" )(#\'#("\'#&\'#=." 7Ɩ'),L('%;Ƕ/1#;ʋ/($8":Ƙ"!!)("\'#&\'#'),L('<%;Ģ/¢#;ģ." &"/”$;ð/‹$;ʋ/‚$;Ĥ/y$;Þ." &"/k$;Î." &"/]$;ʋ/T$;Ï." &"/F$;ʋ/=$;ĉ." &"//$8+:ƚ+(*)(&%$" )(+\'#(*\'#()\'#((\'#(\'\'#(&\'#(%\'#($\'#(#\'#("\'#&\'#=." 7ƙ'),L('<%;ɵ/1#;ʋ/($8":Ñ"!!)("\'#&\'#=." 7ƛ'),L("<%;Ɏ/C#;ʋ/:$;ć/1$;ʋ/($8$:Ɲ$!!)($'#(#'#(\"'#&'#=.\" 7Ɯ"),L("<%;ɨ/C#;ʋ/:$;ĥ/1$;ʋ/($8$:Ɵ$!!)($'#(#'#(\"'#&'#=.\" 7ƞ"),L('%;ħ/9#$;Ħ0#*;Ħ&/)$8":ō""! )("\'#&\'#'),L("%;ʋ/:#;ǜ/1$;ħ/($8#:ƌ#! )(#'#(\"'#&'#"),L("<%;Ʈ/M#;ʋ/D$;Ǧ/;$;Ĩ/2$;ʋ/)$8%:ơ%\"$!)(%'#($'#(#'#(\"'#&'#=.\" 7Ơ"),L('<;z.. &%;Ȓ/& 8!:ƣ! )=." 7Ƣ'),L('<%;Ī/€#;ð/w$;ʋ/n$;Þ." &"/`$;Î." &"/R$;Ï." &"/D$;ʋ/;$;ĉ." &"/-$8(:ƥ(&\'&$#" )((\'#(\'\'#(&\'#(%\'#($\'#(#\'#("\'#&\'#=." 7Ƥ'),L("<%;ȕ/C#;ʋ/:$;Ȧ/1$;ʋ/($8$:Ñ$!#)($'#(#'#(\"'#&'#=.\" 7Ʀ"),L('<;ĭ.5 &;Į./ &;į.) &;İ.# &;ı=." 7Ƨ'),L('%;Ȍ/1#;ʋ/($8":Ñ"!!)("\'#&\'#'),L("%%<%;Ĭ/>#;Ȱ./ &;ɲ.) &;ɹ.# &;ɺ/#$+\")(\"'#&'#=.##&&!&'#/1#;IJ/($8\":ƌ\"! )(\"'#&'#"),L("%%<%;Ĭ/>#;ɬ./ &;ɲ.) &;ɹ.# &;ɺ/#$+\")(\"'#&'#=.##&&!&'#/1#;ų/($8\":ƌ\"! )(\"'#&'#"),L("%%<%;Ĭ/>#;ɬ./ &;Ȱ.) &;ɹ.# &;ɺ/#$+\")(\"'#&'#=.##&&!&'#/1#;ŷ/($8\":ƌ\"! )(\"'#&'#"),L("%%<%;Ĭ/>#;ɬ./ &;Ȱ.) &;ɲ.# &;ɺ/#$+\")(\"'#&'#=.##&&!&'#/1#;Ɔ/($8\":ƌ\"! )(\"'#&'#"),L("%%<%;Ĭ/>#;ɬ./ &;Ȱ.) &;ɲ.# &;ɹ/#$+\")(\"'#&'#=.##&&!&'#/1#;Ɗ/($8\":ƌ\"! )(\"'#&'#"),L("<%;ij/T#;ĵ.\" &\"/F$;Ƭ/=$;ʋ/4$;Ķ/+$8%:Ʃ%$$#\" )(%'#($'#(#'#(\"'#&'#=.\" 7ƨ"),L("%;Ĭ/J#;Ĵ.\" &\"/<$;ɬ/3$;ʋ/*$8$:ƪ$##\"!)($'#(#'#(\"'#&'#"),L('%;ɮ.# &;ɭ/1#;ʋ/($8":ƫ"!!)("\'#&\'#'),L("<%;ȫ/N#;ʋ/E$;u/<$;Ƞ/3$;ʋ/*$8%:ƭ%#$\"!)(%'#($'#(#'#(\"'#&'#=.\" 7Ƭ"),L(";ķ.# &;Ų"),L("<%;ǚ/Z#;Ĺ/Q$$;Ļ0#*;Ļ&/A$;Ǜ/8$;ĸ.\" &\"/*$8%:Ư%##\" )(%'#($'#(#'#(\"'#&'#=.\" 7Ʈ"),L("%;ɿ/D#;ʋ/;$;ɥ/2$;ʋ/)$8$:ư$\"#!)($'#(#'#(\"'#&'#"),L("%;ļ/B#;ʋ/9$$;ĺ0#*;ĺ&/)$8#:ō#\"\" )(#'#(\"'#&'#"),L("%;ǜ/:#;ļ/1$;ʋ/($8#:Ë#!!)(#'#(\"'#&'#"),L('%;ǜ." &"/1#;Ő/($8":Ʊ"! )("\'#&\'#'),L('<%;Ľ/O#;ʋ/F$;ľ." &"/8$;Ŀ." &"/*$8$:Ƴ$##! )($\'#(#\'#("\'#&\'#=." 7Ʋ'),L("%;Ǐ/=#%<;ʋ=/##&'!&&#/($8\":v\"!!)(\"'#&'#.\\ &%%<;ľ.) &;Ł.# &;Ő=.##&&!&'#/:#;ʋ/1$;ǒ/($8#:v#! )(#'#(\"'#&'#"),L('<%;&/1#;ʋ/($8":Ƶ"!!)("\'#&\'#=." 7ƴ'),L("%;Ł/B#$;ŀ0#*;ŀ&/2$;ʋ/)$8#:ō#\"\"!)(#'#(\"'#&'#"),L('%;ʋ/1#;Ł/($8":ƌ"! )("\'#&\'#'),L('<%;ł." &"/A#;ń/8$;ł." &"/*$8#:Ʒ##"! )(#\'#("\'#&\'#=." 7ƶ'),L("%$;Ń/�#*;Ń&&&#/' 8!:Ƹ!! )"),L("<%;ȋ/C#;ʋ/:$;Ǐ/1$;ʋ/($8$:ƺ$!!)($'#(#'#(\"'#&'#=.\" 7ƹ"),L(";ņ.; &;ʼn.5 &;Ō./ &;ō.) &;ŏ.# &;Ņ"),L("<%;ť/' 8!:Ƽ!! )=.\" 7ƻ"),L('<%;Ň/U#;ş." &"/G$;Š." &"/9$;ň." &"/+$8$:ƾ$$#"! )($\'#(#\'#("\'#&\'#=." 7ƽ'),L("<%;ɕ.# &;ɔ/D#;ʋ/;$;Ȼ/2$;ʋ/)$8$:ǀ$\"#!)($'#(#'#(\"'#&'#=.\" 7ƿ"),L('<%;Ǿ/1#;ʋ/($8":ǂ"!!)("\'#&\'#=." 7ǁ'),L('%;Ŋ/@#;Š." &"/2$;ʋ/)$8#:ǃ#""!)(#\'#("\'#&\'#'),L('<%;ŋ.# &;ɴ/1#;ʋ/($8":Š"!!)("\'#&\'#=." 7DŽ'),L('<%;u." &"/2#;Ɉ/)$8":dž""! )("\'#&\'#=." 7Dž'),L('<;Ţ=." 7LJ'),L("<%;Ȓ/D#;ʋ/;$;Ŏ/2$;ʋ/)$8$:lj$\"#!)($'#(#'#(\"'#&'#=.\" 7Lj"),L(";O./ &;8.) &;..# &;6"),L("<%;ŝ/' 8!:Nj!! )=.\" 7NJ"),L('<%;ł." &"/J#;ő/A$;ʋ/8$;ł." &"/*$8$:Ǎ$##" )($\'#(#\'#("\'#&\'#=." 7nj'),L(";ţ.) &;œ.# &;Œ"),L("<%;Ţ/' 8!:Ǐ!! )=.\" 7ǎ"),L("<%;Ŕ/J#;ʋ/A$;ř/8$;Š.\" &\"/*$8$:Ǒ$##! )($'#(#'#(\"'#&'#=.\" 7ǐ"),L('%;ŕ.# &;Ŗ/1#;ʋ/($8":ǒ"!!)("\'#&\'#'),L('<%;ɕ/;#;ʋ/2$;Ȼ/)$8#:Ǔ#"" )(#\'#("\'#&\'#=." 7ƿ'),L("<%;ɴ/' 8!:Ǖ!! )=.\" 7ǔ"),L("%;ǚ/T#;ś/K$;ʋ/B$$;Ś0#*;Ś&/2$;Ǜ/)$8%:ǖ%\"#!)(%'#($'#(#'#(\"'#&'#"),L("%;ŗ/' 8!:Ǘ!! )"),L("%;ŗ/' 8!:ǘ!! )"),L("%;ǜ/:#;ś/1$;ʋ/($8#:ƌ#!!)(#'#(\"'#&'#"),L('<%;Ŝ/O#;ʋ/F$;ş." &"/8$;ň." &"/*$8$:ǚ$##! )($\'#(#\'#("\'#&\'#=." 7Ǚ'),L("%;ė/\\#%<%;ʋ/8#;ǭ.) &;Ǜ.# &;ş/#$+\")(\"'#&'#=/##&'!&&#/($8\":v\"!!)(\"'#&'#.# &;z"),L("<%$;Ş/�#*;Ş&&&#/' 8!:ǜ!! )=.\" 7Ǜ"),L("%;ȇ/C#;ʋ/:$;ƺ/1$;ʋ/($8$:v$!!)($'#(#'#(\"'#&'#"),L('<%;Ǽ.# &;Ȗ/1#;ʋ/($8":Ǟ"!!)("\'#&\'#=." 7ǝ'),L("%;š/;#;ć/2$;ʋ/)$8#:ǟ#\"\"!)(#'#(\"'#&'#"),L("<%;Ɍ/D#;ʋ/;$;Ȋ/2$;ʋ/)$8$:ǡ$\"#!)($'#(#'#(\"'#&'#=.\" 7Ǡ"),L("%;Ȇ/;#;ʋ/2$;O/)$8#:Ǣ#\"\" )(#'#(\"'#&'#"),L("<%;Ť/E#;ĕ/<$;ť/3$;ʋ/*$8$:Ǥ$##\"!)($'#(#'#(\"'#&'#=.\" 7ǣ"),L("<%;ȥ/D#;ʋ/;$;Ȼ/2$;ʋ/)$8$:Ǧ$\"#!)($'#(#'#(\"'#&'#=.\" 7ǥ"),L('%;Ŧ/F#;ŧ." &"/8$;Ű." &"/*$8#:ǧ##"! )(#\'#("\'#&\'#'),L("<%;ɚ/D#;ʋ/;$;ǁ/2$;ʋ/)$8$:ǩ$\"#!)($'#(#'#(\"'#&'#=.\" 7Ǩ"),L("%;ũ/B#;ʋ/9$$;Ũ0#*;Ũ&/)$8#:Ǫ#\"\" )(#'#(\"'#&'#"),L('%;ũ/1#;ʋ/($8":Ƙ"!!)("\'#&\'#'),L('<;Ū.# &;ů=." 7ǫ'),L("%;Ɍ/T#;ʋ/K$;ȕ.# &;ɵ/<$;ʋ/3$;ū/*$8%:Ǭ%#$\" )(%'#($'#(#'#(\"'#&'#"),L('<;Ŭ.) &;ŭ.# &;Ů=." 7ǭ'),L("%;ɨ/J#;ʋ/A$;Ɉ.# &;Ȓ/2$;ʋ/)$8$:Ǯ$\"#!)($'#(#'#(\"'#&'#"),L('%;ȃ.# &;ɠ/1#;ʋ/($8":ǯ"!!)("\'#&\'#'),L("%;Ʉ/D#;ʋ/;$;dz/2$;ʋ/)$8$:ǰ$\"#!)($'#(#'#(\"'#&'#"),L("%;ɂ/D#;ʋ/;$;Ǐ/2$;ʋ/)$8$:DZ$\"#!)($'#(#'#(\"'#&'#"),L('<%;u." &"/J#;ȓ/A$;ʋ/8$;ű." &"/*$8$:dz$##" )($\'#(#\'#("\'#&\'#=." 7Dz'),L("%;Ȳ/J#;ʋ/A$;Ȕ.# &;Ȯ/2$;ʋ/)$8$:Ǵ$\"#!)($'#(#'#(\"'#&'#"),L("%;Ɖ/' 8!:ǵ!! )"),L("<%;Ŵ/c#;ĵ.\" &\"/U$;Ƽ/L$;ʋ/C$;Ŷ/:$;Þ.\" &\"/,$8&:Ƿ&%%$#! )(&'#(%'#($'#(#'#(\"'#&'#=.\" 7Ƕ"),L("%;Ĭ/J#;ŵ.\" &\"/<$;Ȱ/3$;ʋ/*$8$:Ǹ$##\"!)($'#(#'#(\"'#&'#"),L('%;ɴ/1#;ʋ/($8":ǹ"!!)("\'#&\'#'),L("<%;Ɍ/N#;ʋ/E$;Ƭ/<$;ʋ/3$;Ř/*$8%:ǻ%#$\" )(%'#($'#(#'#(\"'#&'#=.\" 7Ǻ"),L("<%;Ÿ/¦#;ĵ.\" &\"/˜$;ƽ.\" &\"/Š$;ʋ/$;Ź/x$;Ɍ/o$;ʋ/f$;Ƭ/]$;ʋ/T$;Ɓ.\" &\"/F$;Ƃ.\" &\"/8$;ƃ//$8,:ǽ,(+*)'$\"! )(,'#(+'#(*'#()'#(('#(''#(&'#(%'#($'#(#'#(\"'#&'#=.\" 7Ǽ"),L("%;Ĭ/J#;Ĵ.\" &\"/<$;ɲ/3$;ʋ/*$8$:Ǿ$##\"!)($'#(#'#(\"'#&'#"),L('<%;ź." &"/2#;ż/)$8":Ȁ""! )("\'#&\'#=." 7ǿ'),L('%;ǿ.) &;ǵ.# &;Ż/1#;ʋ/($8":ȁ"!!)("\'#&\'#'),L("%;ȵ/;#;ʋ/2$;Ɋ/)$8#:Ȃ#\"\" )(#'#(\"'#&'#"),L('<;Ž.# &;ž=." 7ȃ'),L('%;ȕ.# &;ȴ/1#;ʋ/($8":Ȅ"!!)("\'#&\'#'),L('%;ɵ/@#;ʋ/7$;ſ." &"/)$8#:ȅ#"" )(#\'#("\'#&\'#'),L("%;Ɋ/;#;ʋ/2$;ƀ/)$8#:Ȇ#\"\" )(#'#(\"'#&'#"),L("%;ė/B#;ʋ/9$$;Ė0#*;Ė&/)$8#:ō#\"\" )(#'#(\"'#&'#"),L("%;Ȥ/c#;ʋ/Z$;Ț/Q$;ʋ/H$;ɤ.) &3ȇ\"\"5)7Ȉ/3$;ʋ/*$8&:ȉ&#%#!)(&'#(%'#($'#(#'#(\"'#&'#"),L("<%;ɻ/D#;ʋ/;$;z/2$;ʋ/)$8$:Ȋ$\"#!)($'#(#'#(\"'#&'#=.\" 7—"),L("<%;Ȁ/W#;ʋ/N$;Ƅ/E$;ʋ/<$;Ȝ/3$;ʋ/*$8&:Ȍ&#%#!)(&'#(%'#($'#(#'#(\"'#&'#=.\" 7ȋ"),L("%$;ƅ/�#*;ƅ&&&#/' 8!:ȍ!! )"),L("%;œ/:#;ʋ/1$;$/($8#:\"#!\")(#'#(\"'#&'#"),L("<%;ƈ/T#;ĵ.\" &\"/F$;Ƈ/=$;ʋ/4$;Ɖ/+$8%:ȏ%$$#\" )(%'#($'#(#'#(\"'#&'#=.\" 7Ȏ"),L("%;ƾ/;#;ʋ/2$;ĕ/)$8#:Ȑ#\"\" )(#'#(\"'#&'#.# &;ƾ"),L("%;Ĭ/J#;Ĵ.\" &\"/<$;ɹ/3$;ʋ/*$8$:ȑ$##\"!)($'#(#'#(\"'#&'#"),L("%;ǻ/D#;ʋ/;$;À/2$;ʋ/)$8$:Ə$\"#!)($'#(#'#(\"'#&'#"),L("<%;Ƌ/f#;ĵ.\" &\"/X$;Ƭ/O$;ʋ/F$;ɶ/=$;ʋ/4$;ƌ/+$8':ȓ'$&%$ )(''#(&'#(%'#($'#(#'#(\"'#&'#=.\" 7Ȓ"),L("%;Ĭ/N#;ɺ/E$;ʋ/<$;ɬ/3$;ʋ/*$8%:Ȕ%#$#!)(%'#($'#(#'#(\"'#&'#"),L('%;Ǒ/@#;ʋ/7$;ƍ." &"/)$8#:ȕ#"" )(#\'#("\'#&\'#'),L("<%;ǚ/Z#;ʋ/Q$;Ǝ.\" &\"/C$;ʋ/:$;Ǜ/1$;ʋ/($8&:ȗ&!#)(&'#(%'#($'#(#'#(\"'#&'#=.\" 7Ȗ"),L('%;Ɛ/9#$;Ə0#*;Ə&/)$8":Ș""! )("\'#&\'#'),L("%;ʋ/H#;ǜ/?$;ʋ/6$;Ɛ.\" &\"/($8$:x$! )($'#(#'#(\"'#&'#"),L("%%<%;Ǐ/;#;ʋ/2$;&.# &;Ł/#$+#)(#'#(\"'#&'#=.##&&!&'#/:#;z/1$;ʋ/($8#:ƒ#!!)(#'#(\"'#&'#.x &%;Ƒ/n#%%<;Ǎ=.##&&!&'#/,#;ʋ/#$+\")(\"'#&'#/F$;ľ.\" &\"/8$;Ŀ.\" &\"/*$8$:Ƴ$##! )($'#(#'#(\"'#&'#"),L(";Ǐ.# &;ǒ"),L('<%;Ɠ/;#;Ƭ/2$;ʋ/)$8#:Ț#""!)(#\'#("\'#&\'#=." 7ș'),L("<%;ș/J#;ʋ/A$;Ɣ/8$;ƕ.\" &\"/*$8$:Ȝ$##! )($'#(#'#(\"'#&'#=.\" 7ț"),L('<%;ɬ./ &;Ȱ.) &;ɲ.# &;ɹ/1#;ʋ/($8":Š"!!)("\'#&\'#=." 7ȝ'),L("<%;ȫ/D#;ʋ/;$;Ƞ/2$;ʋ/)$8$:ȟ$\"#!)($'#(#'#(\"'#&'#=.\" 7Ȟ"),L('<%;Ǩ/,#;Ǩ/#$+")("\'#&\'#=." 7Ƞ'),L('<;Ǥ=." 7ȡ'),L('<;ǥ=." 7Ȣ'),L('<;Ǟ=." 7ȣ'),L('<;ǯ=." 7Ȥ'),L('<;ǩ=." 7ȥ'),L('<%;Ǫ/,#;Ǫ/#$+")("\'#&\'#=." 7Ȧ'),L('<%;ǫ/,#;ǫ/#$+")("\'#&\'#=." 7ȧ'),L('<;ǧ=." 7Ȩ'),L('<;Ǩ=." 7ȩ'),L('<;Ǫ=." 7Ȫ'),L('<;ǫ=." 7ȫ'),L('<%;Ǫ/,#;Ǧ/#$+")("\'#&\'#=." 7Ȭ'),L('<%;ǫ/,#;Ǧ/#$+")("\'#&\'#=." 7ȭ'),L('<%;Ǧ/1#;Ǧ." &"/#$+")("\'#&\'#=." 7Ȯ'),L('<%;Ǭ/,#;Ǧ/#$+")("\'#&\'#=." 7ȯ'),L('<%;Ǫ/,#;ǫ/#$+")("\'#&\'#=." 7ȯ'),L('<%$;DZ/�#*;DZ&&&#/<#9:ȱ ! -""&!&#/($8":Ȳ"!!)("\'#&\'#=." 7Ȱ'),L('<%;ȸ/@#;ʋ/7$;u." &"/)$8#:ȴ#"" )(#\'#("\'#&\'#=." 7ȳ'),L('<;Ǐ.# &;ǒ=." 7ȵ'),L("<%;Ʃ/' 8!:ȷ!! )=.\" 7ȶ"),L('<%;ƭ." &"/2#;Ʃ/)$8":ȹ""! )("\'#&\'#=." 7ȸ'),L('<%;ƭ." &"/2#;Ʃ/)$8":Ȼ""! )("\'#&\'#=." 7Ⱥ'),L('%;Ʃ/2#;ǝ/)$8":ȼ""! )("\'#&\'#'),L('<%;Ƹ.) &;ƹ.# &;Ʒ/J#;Ʃ/A$;ʋ/8$;Ư." &"/*$8$:Ⱦ$##" )($\'#(#\'#("\'#&\'#=." 7Ƚ'),L("<%;ư/' 8!:ɀ!! )=.\" 7ȿ"),L("%;Ʊ/B#;ʋ/9$$;Ʊ0#*;Ʊ&/)$8#:Ɂ#\"\" )(#'#(\"'#&'#"),L(";Ʋ.) &;Ƴ.# &;ƴ"),L("%;ǝ/:#;ʋ/1$;Ǐ/($8#:ɂ#! )(#'#(\"'#&'#.D &%;ǝ/:#;ʋ/1$;Ǟ/($8#:Ƀ#! )(#'#(\"'#&'#"),L("%;ǘ/r#;ʋ/i$;Ƶ.\" &\"/[$;Ǯ/R$;ʋ/I$;ƶ.\" &\"/;$;ʋ/2$;Ǚ/)$8(:Ʉ(\"%\")(('#(''#(&'#(%'#($'#(#'#(\"'#&'#.m &%;ǘ/c#;ʋ/Z$;Ǯ/Q$;ʋ/H$;ƶ.\" &\"/:$;ʋ/1$;Ǚ/($8':Ʌ'!\")(''#(&'#(%'#($'#(#'#(\"'#&'#"),L("%;ǘ/L#;ʋ/C$;z/:$;ʋ/1$;Ǚ/($8%:Ɇ%!\")(%'#($'#(#'#(\"'#&'#"),L("%;z/' 8!:ɇ!! )"),L("%;z/' 8!:Ɉ!! )"),L("%;ʋ/& 8!:ɉ! )"),L('%;ƭ/2#;ƹ/)$8":Ɋ""! )("\'#&\'#'),L('%;Ʃ/2#;ǝ/)$8":J""! )("\'#&\'#'),L("<%;Ʃ/' 8!:Ɍ!! )=.\" 7ɋ"),L("<%;Ʃ/' 8!:Ɏ!! )=.\" 7ɍ"),L('<%;ƭ." &"/2#;Ʃ/)$8":ɐ""! )("\'#&\'#=." 7ɏ'),L('<%;ƭ." &"/2#;Ʃ/)$8":ɒ""! )("\'#&\'#=." 7ɑ'),L('<%;ƭ." &"/2#;Ʃ/)$8":ɔ""! )("\'#&\'#=." 7ɓ'),L('<%;ƭ." &"/2#;Ʃ/)$8":ɖ""! )("\'#&\'#=." 7ɕ'),L('<%;ƭ." &"/2#;Ʃ/)$8":ɘ""! )("\'#&\'#=." 7ɗ'),L('<%;ǂ.# &;Ƭ/1#;ʋ/($8":ɚ"!!)("\'#&\'#=." 7ə'),L("%;Ƭ/;#;ʋ/2$;ĕ/)$8#:ɛ#\"\" )(#'#(\"'#&'#"),L("<%;Ʃ/' 8!:ɝ!! )=.\" 7ɜ"),L("<%;Ʃ/' 8!:ɟ!! )=.\" 7ɞ"),L('<%;dž/=#%<;Ǎ=.##&&!&\'#/($8":ɡ"!!)("\'#&\'#.Å &%;LJ/=#%<;Ǎ=.##&&!&\'#/($8":ɢ"!!)("\'#&\'#.› &%;lj/=#%<;Ǎ=.##&&!&\'#/($8":ɣ"!!)("\'#&\'#.q &%;NJ/=#%<;Ǎ=.##&&!&\'#/($8":ɤ"!!)("\'#&\'#.G &%;nj/=#%<;Ǎ=.##&&!&\'#/($8":ɥ"!!)("\'#&\'#=." 7ɠ'),L('<%%3ɧ""5!7ɨ." &"/F#3ɩ""5#7ɪ." &"/2$3ɫ""5$7ɬ/#$+#)(#\'#("\'#&\'#.k &%3ɭ""5$7ɮ.5 &3ɯ""5&7ɰ.) &3ɱ""5$7ɲ." &"/2#3ɳ""5$7ɴ/#$+")("\'#&\'#.) &3ɵ""5$7ɶ/\' 8!:Š!! )=." 7ɦ'),L('<%;Lj.5 &3ɸ""5%7ɹ.) &3ɺ""5$7ɻ/\' 8!:Š!! )=." 7ɷ'),L('<%3ɽ""5&7ɾ/i#%$4,""5!7-/,#0)*4,""5!7-&&&#/2#3ɿ""5)7ʀ/#$+")("\'#&\'#." &"/)$8":ʁ""! )("\'#&\'#=." 7ɼ'),L('<%3ʃ""5\'7ʄ.• &3ʅ""5\'7ʆ.‰ &3ʇ""5\'7ʈ.} &%3ʉ""5$7ʊ/7#3ö""5$7÷." &"/#$+")("\'#&\'#.S &%3ö""5$7÷/7#3ʋ""5%7ʌ." &"/#$+")("\'#&\'#.) &3ʍ""5&7ʎ/\' 8!:Š!! )=." 7ʂ'),L('<%%3ʐ""5#7ʑ/V#2ʒ""6ʒ7ʓ.A &2ʔ""6ʔ7ʕ.5 &2ʖ""6ʖ7ʗ.) &3ʘ""5$7ʙ/#$+")("\'#&\'#.q &%3ʚ""5#7ʛ.A &3ɯ""5&7ɰ.5 &3ʜ""5%7ʝ.) &3ɭ""5$7ɮ." &"/2#3ʐ""5#7ʑ/#$+")("\'#&\'#.# &;Nj/\' 8!:Š!! )=." 7ʏ'),L('%3ʞ""5(7ʟ/d#%$4,""5!7-/,#0)*4,""5!7-&&&#/2#3ʠ""5%7ʡ/#$+")("\'#&\'#/)$8":ʢ""! )("\'#&\'#'),L('<%3ʤ""5$7ʥ/\' 8!:Š!! )=." 7ʣ'),L('4ʦ""5!7ʧ'),L('%2ʨ""6ʨ7ʩ/K#$4ʪ""5!7ʫ/,#0)*4ʪ""5!7ʫ&&&#/)$8":ʬ""! )("\'#&\'#'),L(";ǐ.# &;Ǒ"),L(";Ǔ./ &;Ǘ.) &;Ǖ.# &;ǖ"),L("%%<;ʀ.# &;A=.##&&!&'#/J#$;ǎ.# &;Ǎ/,#0)*;ǎ.# &;Ǎ&&&#/($8\":Ę\"! )(\"'#&'#"),L("%%<;ʂ.# &;A=.##&&!&'#/J#$;ǎ.# &;Ǎ/,#0)*;ǎ.# &;Ǎ&&&#/($8\":ʭ\"! )(\"'#&'#"),L("%;ǘ/™#;ʋ/$%$%%<;ǔ=.##&&!&'#/1#1\"\"5!7ʮ/#$+\")(\"'#&'#0G*%%<;ǔ=.##&&!&'#/1#1\"\"5!7ʮ/#$+\")(\"'#&'#&/\"!&,)/1$;ǔ/($8$:ʯ$!!)($'#(#'#(\"'#&'#"),L('%$4ʰ""5!7ʱ0)*4ʰ""5!7ʱ&/5#;Ǚ/,$;ʋ/#$+#)(#\'#("\'#&\'#'),L('%2ʲ""6ʲ7ʳ/k#$2ʴ""6ʴ7ʵ.) &4ʶ""5!7ʷ05*2ʴ""6ʴ7ʵ.) &4ʶ""5!7ʷ&/7$2ʲ""6ʲ7ʳ/($8#:ʸ#!!)(#\'#("\'#&\'#'),L('%2ʹ""6ʹ7ʺ/k#$2:""6:7;.) &4<""5!7=05*2:""6:7;.) &4<""5!7=&/7$2ʹ""6ʹ7ʺ/($8#:ʻ#!!)(#\'#("\'#&\'#'),L('%2ʼ""6ʼ7ʽ/k#$2ʾ""6ʾ7ʿ.) &4ˀ""5!7ˁ05*2ʾ""6ʾ7ʿ.) &4ˀ""5!7ˁ&/7$2ʼ""6ʼ7ʽ/($8#:˂#!!)(#\'#("\'#&\'#'),L('<%2˄""6˄7˅/1#;ʋ/($8":""!!)("\'#&\'#=." 7˃'),L('<%2ˇ""6ˇ7ˈ/1#;ʋ/($8":""!!)("\'#&\'#=." 7ˆ'),L('<%2ˊ""6ˊ7ˋ/1#;ʋ/($8":""!!)("\'#&\'#=." 7ˉ'),L('<%2ˍ""6ˍ7ˎ/1#;ʋ/($8":""!!)("\'#&\'#=." 7ˌ'),L('<%2ː""6ː7ˑ/1#;ʋ/($8":""!!)("\'#&\'#=." 7ˏ'),L('<%2˓""6˓7˔/1#;ʋ/($8":""!!)("\'#&\'#=." 7˒'),L('<%2˖""6˖7˗/1#;ʋ/($8":""!!)("\'#&\'#=." 7˕'),L('<%2˙""6˙7˚/1#;ʋ/($8":""!!)("\'#&\'#=." 7˘'),L('<%2ʹ""6ʹ7ʺ/1#;ʋ/($8":""!!)("\'#&\'#=." 7˛'),L('<%2ʲ""6ʲ7ʳ/1#;ʋ/($8":""!!)("\'#&\'#=." 7˜'),L('<%2ʼ""6ʼ7ʽ/1#;ʋ/($8":""!!)("\'#&\'#=." 7˝'),L('<%2˟""6˟7ˠ/1#;ʋ/($8":""!!)("\'#&\'#=." 7˞'),L('<%2ˢ""6ˢ7ˣ/1#;ʋ/($8":""!!)("\'#&\'#=." 7ˡ'),L('<%2˥""6˥7˦/1#;ʋ/($8":""!!)("\'#&\'#=." 7ˤ'),L('<%2˧""6˧7˨/1#;ʋ/($8":""!!)("\'#&\'#=." 7Ȯ'),L('<%2˪""6˪7˫/1#;ʋ/($8":""!!)("\'#&\'#=." 7˩'),L('<%2˭""6˭7ˮ/1#;ʋ/($8":""!!)("\'#&\'#=." 7ˬ'),L('<%2˯""6˯7˰/1#;ʋ/($8":""!!)("\'#&\'#=." 7ȥ'),L('<%2˱""6˱7˲/1#;ʋ/($8":""!!)("\'#&\'#=." 7Ȫ'),L('<%2˳""6˳7˴/1#;ʋ/($8":""!!)("\'#&\'#=." 7ȫ'),L('<%2˶""6˶7˷/1#;ʋ/($8":""!!)("\'#&\'#=." 7˵'),L('<%2˹""6˹7˺/1#;ʋ/($8":""!!)("\'#&\'#=." 7˸'),L('<%2g""6g7h/1#;ʋ/($8":""!!)("\'#&\'#=." 7˻'),L('<%2˽""6˽7˾/1#;ʋ/($8":""!!)("\'#&\'#=." 7˼'),L('<%2̀""6̀7́/1#;ʋ/($8":""!!)("\'#&\'#=." 7˿'),L('<4̃""5!7̄=." 7̂'),L('%3̅""5%7̆/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3̇""5&7̈/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3̉""5#7̊/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3̋""5%7̌/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3ą""5#7Ć/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3̍""5%7̎/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L("%3̏\"\"5'7̐/8#%<;Ǎ=.##&&!&'#/#$+\")(\"'#&'#"),L('%3̑""5#7̒/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3̓""5%7̔/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3̕""5"7̖/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3̗""5#7̘/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3̙""5&7̚/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3̛""5-7̜/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3̝""5&7̞/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3̟""5%7̠/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L("%3̡\"\"5'7̢/8#%<;Ǎ=.##&&!&'#/#$+\")(\"'#&'#"),L('%3̣""5"7̤/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L("%3̥\"\"5'7̦/8#%<;Ǎ=.##&&!&'#/#$+\")(\"'#&'#"),L('%3̧""5$7̨/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3̩""5$7̪/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3̫""5%7̬/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L("%3̭\"\"5'7̮/8#%<;Ǎ=.##&&!&'#/#$+\")(\"'#&'#"),L('%3̯""5&7̰/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3̱""5&7̲/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3̳""5(7̴/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3̵""5*7̶/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3̷""5&7̸/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3̹""5%7̺/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3̻""5,7̼/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3̽""5,7̾/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3̿""517̀/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3́""5(7͂/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L("%3̓\"\"5'7̈́/8#%<;Ǎ=.##&&!&'#/#$+\")(\"'#&'#"),L('%3ͅ""5*7͆/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3͇""5(7͈/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3͉""5&7͊/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3͋""5$7͌/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3͍""5&7͎/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3͏""5(7͐/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3͑""5$7͒/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3͓""5$7͔/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3͕""5$7͖/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3͗""5#7͘/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3͙""5&7͚/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3͛""5&7͜/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3͝""5)7͞/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3͟""5&7͠/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L("%3͡\"\"5'7͢/8#%<;Ǎ=.##&&!&'#/#$+\")(\"'#&'#"),L('%3ͣ""5$7ͤ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3ͥ""5%7ͦ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3ͧ""5#7ͨ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L("%3ͩ\"\"5'7ͪ/8#%<;Ǎ=.##&&!&'#/#$+\")(\"'#&'#"),L('%3ͫ""5$7ͬ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3ͭ""5$7ͮ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3ͯ""5$7Ͱ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3ͱ""5%7Ͳ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3ͳ""5&7ʹ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3͵""5"7Ͷ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3ͷ""5&7͸/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3͹""5%7ͺ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3ͻ""5)7ͼ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3ͽ""5"7;/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3Ϳ""5%7΀/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L("%3΁\"\"5'7΂/8#%<;Ǎ=.##&&!&'#/#$+\")(\"'#&'#"),L('%3΃""5)7΄/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3΅""5%7Ά/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3·""5&7Έ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L("%3Ή\"\"5'7Ί/8#%<;Ǎ=.##&&!&'#/#$+\")(\"'#&'#"),L('%3΋""5)7Ό/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3΍""5$7Ύ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3Ώ""5"7ΐ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3Α""5&7Β/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3Γ""5$7Δ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3Ε""5#7Ζ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3Η""5$7Θ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L("%3Ι\"\"5'7Κ/8#%<;Ǎ=.##&&!&'#/#$+\")(\"'#&'#"),L('%3Λ""5$7Μ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3Ν""5$7Ξ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3Ο""5%7Π/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3Ρ""5&7΢/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3Σ""5%7Τ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L("%3Υ\"\"5'7Φ/8#%<;Ǎ=.##&&!&'#/#$+\")(\"'#&'#"),L('%3Χ""5"7Ψ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3Ω""5#7Ϊ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L("%3Ϋ\"\"5'7ά/8#%<;Ǎ=.##&&!&'#/#$+\")(\"'#&'#"),L('%3έ""5&7ή/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3Œ""5$7/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3ί""5%7ΰ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3α""5"7β/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3γ""5&7δ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3ε""5"7ζ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3η""5$7θ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3ι""5"7κ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3λ""5%7μ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3ν""5%7ξ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3ο""5$7π/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3ρ""5)7ς/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3σ""5$7τ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3υ""5&7φ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L("%3χ\"\"5'7ψ/8#%<;Ǎ=.##&&!&'#/#$+\")(\"'#&'#"),L('%3ω""5%7ϊ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3ϋ""5%7ό/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3ύ""5$7ώ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3Ϗ""5)7ϐ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3ϑ""5*7ϒ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3ϓ""5&7ϔ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L("%3ϕ\"\"5'7ϖ/8#%<;Ǎ=.##&&!&'#/#$+\")(\"'#&'#"),L("%3ϗ\"\"5'7Ϙ/8#%<;Ǎ=.##&&!&'#/#$+\")(\"'#&'#"),L('%3ϙ""5&7Ϛ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L("%3ϛ\"\"5'7Ϝ/8#%<;Ǎ=.##&&!&'#/#$+\")(\"'#&'#"),L('%3ϝ""5(7Ϟ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3ϟ""5)7Ϡ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3ϡ""5%7Ϣ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3ϣ""5(7Ϥ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3ϥ""5#7Ϧ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3ϧ""5%7Ϩ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3ϩ""5)7Ϫ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3ϫ""5&7Ϭ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3ϭ""5#7Ϯ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3ϯ""5%7ϰ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3ϱ""5$7ϲ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3ϳ""5$7ϴ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3ϵ""5%7϶/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3Ϸ""5$7ϸ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3Ϲ""5)7Ϻ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3ϻ""5$7ϼ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3Ͻ""5"7Ͼ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3û""5+7ü/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L("%3Ͽ\"\"5'7Ѐ/8#%<;Ǎ=.##&&!&'#/#$+\")(\"'#&'#"),L('%3Ё""5%7Ђ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3Ѓ""5&7Є/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3Ѕ""5&7І/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3Ї""5%7Ј/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3Љ""5&7Њ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3Ћ""5&7Ќ/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3Ѝ""5$7Ў/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L("%3Џ\"\"5'7А/8#%<;Ǎ=.##&&!&'#/#$+\")(\"'#&'#"),L('%3Б""5$7В/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3Г""5%7Д/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3Е""5&7Ж/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L('%3З""5$7И/8#%<;Ǎ=.##&&!&\'#/#$+")("\'#&\'#'),L("%3Й\"\"5'7К/8#%<;Ǎ=.##&&!&'#/#$+\")(\"'#&'#"),L("%;ʁ/' 8!:Л!! )"),L(";Dz.͓ &;dz.͍ &;Ǵ.͇ &;ǵ.́ &;Ƕ.̻ &;Ƿ.̵ &;Ǹ.̯ &;ǹ.̩ &;Ǻ.̣ &;ǻ.̝ &;Ǽ.̗ &;ǽ.̑ &;Ǿ.̋ &;ǿ.̅ &;Ȁ.˿ &;ȁ.˹ &;Ȃ.˳ &;ȃ.˭ &;Ȅ.˧ &;ȅ.ˡ &;Ȇ.˛ &;ȇ.˕ &;Ȉ.ˏ &;ȉ.ˉ &;Ȋ.˃ &;ȋ.ʽ &;Ȍ.ʷ &;ȍ.ʱ &;Ȏ.ʫ &;ȏ.ʥ &;Ȑ.ʟ &;ȑ.ʙ &;Ȓ.ʓ &;ȓ.ʍ &;Ȕ.ʇ &;ȕ.ʁ &;Ȗ.ɻ &;ȗ.ɵ &;Ș.ɯ &;ș.ɩ &;Ț.ɣ &;ț.ɝ &;Ȝ.ɗ &;ȝ.ɑ &;Ȟ.ɋ &;ȟ.Ʌ &;Ƞ.ȿ &;ȡ.ȹ &;Ȣ.ȳ &;ȣ.ȭ &;Ȥ.ȧ &;ȥ.ȡ &;Ȧ.ț &;ȧ.ȕ &;Ȩ.ȏ &;ȩ.ȉ &;Ȫ.ȃ &;ȫ.ǽ &;Ȭ.Ƿ &;ȭ.DZ &;Ȯ.ǫ &;ȯ.ǥ &;Ȱ.ǟ &;ȱ.Ǚ &;Ȳ.Ǔ &;ȳ.Ǎ &;ȴ.LJ &;ȵ.ǁ &;ȶ.ƻ &;ȷ.Ƶ &;ȸ.Ư &;ȹ.Ʃ &;Ⱥ.ƣ &;Ȼ.Ɲ &;ȼ.Ɨ &;Ⱦ.Ƒ &;ȿ.Ƌ &;ɀ.ƅ &;Ɂ.ſ &;ɂ.Ź &;Ƀ.ų &;Ʉ.ŭ &;Ʌ.ŧ &;Ɇ.š &;ɇ.ś &;Ɉ.ŕ &;ɉ.ŏ &;Ɋ.ʼn &;ɋ.Ń &;Ɍ.Ľ &;ɍ.ķ &;Ɏ.ı &;ɏ.ī &;ɐ.ĥ &;ɑ.ğ &;ɒ.ę &;ɓ.ē &;ɔ.č &;ɕ.ć &;ɖ.ā &;ɗ.û &;ɘ.õ &;ə.ï &;ɚ.é &;ɛ.ã &;ɜ.Ý &;ɝ.× &;ɞ.Ñ &;ɟ.Ë &;ɠ.Å &;ɡ.¿ &;ɢ.¹ &;ɣ.³ &;ɦ.­ &;ɧ.§ &;ɨ.¡ &;ɩ.› &;ɪ.• &;ɫ. &;ɬ.‰ &;ɮ.ƒ &;ɯ.} &;ɰ.w &;ɱ.q &;ɲ.k &;ɳ.e &;ɴ._ &;ɵ.Y &;ɶ.S &;ɷ.M &;ɸ.G &;ɹ.A &;ɺ.; &;ɻ.5 &;ɼ./ &;ɽ.) &;ɾ.# &;ɿ"),L(";Ǵ.ŧ &;Ƕ.š &;Ƿ.ś &;ǹ.ŕ &;ǻ.ŏ &;Ǿ.ʼn &;ȁ.Ń &;Ȅ.Ľ &;Ȇ.ķ &;ȇ.ı &;ȉ.ī &;ȋ.ĥ &;Ȍ.ğ &;Ȓ.ę &;ȓ.ē &;ȕ.č &;Ș.ć &;ș.ā &;ț.û &;ȝ.õ &;Ȟ.ï &;Ƞ.é &;ȥ.ã &;Ȧ.Ý &;ȩ.× &;Ȫ.Ñ &;ȯ.Ë &;Ȱ.Å &;ȴ.¿ &;ȶ.¹ &;ȷ.³ &;ȸ.­ &;ȹ.§ &;Ⱥ.¡ &;ɀ.› &;Ʌ.• &;Ɇ. &;Ɉ.‰ &;Ɍ.ƒ &;Ɏ.} &;ɏ.w &;ɕ.q &;ɚ.k &;ɧ.e &;ɨ._ &;ɬ.Y &;ɯ.S &;ɰ.M &;ɱ.G &;ɳ.A &;ɴ.; &;ɵ.5 &;ɶ./ &;ɸ.) &;ɻ.# &;ɼ"),L(";ʄ.. &%;ʅ/& 8!:М! )"),L('<%2О""6О7П/‡#$%%<4Р""5!7С=.##&&!&\'#/1#1""5!7ʮ/#$+")("\'#&\'#0M*%%<4Р""5!7С=.##&&!&\'#/1#1""5!7ʮ/#$+")("\'#&\'#&/#$+")("\'#&\'#=." 7Н'),L("<%;ʆ/5#;ʊ/,$;ʇ/#$+#)(#'#(\"'#&'#=.\" 7Т"),L('2У""6У7Ф'),L('2Х""6Х7Ц'),L('$%%<;ʇ.# &;ʆ=.##&&!&\'#/1#1""5!7ʮ/#$+")("\'#&\'#/P#0M*%%<;ʇ.# &;ʆ=.##&&!&\'#/1#1""5!7ʮ/#$+")("\'#&\'#&&&#'),L(";ʈ.# &;ʅ"),L('%;ʉ/K#$4Ч""5!7Ш.# &;ʉ0/*4Ч""5!7Ш.# &;ʉ&/#$+")("\'#&\'#'),L('<%$4Ч""5!7Ш.# &;ʃ0/*4Ч""5!7Ш.# &;ʃ&/\' 8!:1!! )=." 7Щ'),L('2Ъ""6Ъ7Ы')],y=0,h=[{line:1,column:1}],x=0,g=[],_=0,z={},w=["start","start_streaming","stmt_list","semi_optional","semi_required","stmt_list_tail","type_definition","array_bounds","array_bound","type_definition_types","datatype_custom","datatype_word_tail","type_definition_args","definition_args_loop","literal_value","literal_null","literal_date","literal_string","literal_string_single","literal_string_schar","literal_blob","literal_typed","literal_text","number_sign","literal_number_signed","literal_number","literal_number_decimal","number_decimal_node","number_decimal_full","number_decimal_fraction","number_decimal_exponent","literal_number_hex","number_hex","number_digit","bind_parameter","bind_parameter_numbered","bind_number_id","bind_parameter_named","bind_parameter_tcl","tcl_suffix","expression_exists","expression_exists_ne","expression_raise","expression_raise_args","raise_args_ignore","raise_args_message","expression_root","expression_wrapped","expression_recur","expression_array","expression_array_select","array_expr","array_expr_list","array_expr_tail","expression_unary_collate","expression_pg_cast","expression_unary","expression_unary_op","expression_collate","expression_concat","expression_multiply","expression_multiply_op","expression_add","expression_add_op","expression_shift","expression_shift_op","expression_compare","expression_compare_op","expression_equiv","expression_equiv_tails","expression_equiv_null_op","expression_equiv_op","expression_cast","type_alias","expression_case","case_expression","expression_case_when","expression_case_else","expression_postfix","expression_postfix_tail","expression_distinct","expression_like","expression_escape","expression_between","expression_between_tail","expression_is_not","expression_in","expression_in_target","expression_list_or_select","expression_and","expression","expression_list","expression_list_loop","expression_list_rest","function_call","filter_clause","function_call_args","args_list_distinct","over_clause","window_name","window_specification","source_window_name","partition_clause","error_message","stmt","stmt_modifier","modifier_query","stmt_nodes","stmt_commit","stmt_begin","commit_transaction","stmt_begin_modifier","stmt_rollback","rollback_savepoint","savepoint_name","savepoint_alt","stmt_savepoint","stmt_release","stmt_alter","alter_start","alter_action","alter_action_rename","alter_action_add","action_add_modifier","stmt_crud","stmt_core_with","clause_with","clause_with_recursive","clause_with_tables","clause_with_loop","expression_cte","select_alias","select_wrapped","stmt_select_full","stmt_set","set_local_session","set_rest","var_list","var_list_tail","var_value","stmt_show","show_target","stmt_sqlite","stmt_attach","attach_arg","stmt_detach","stmt_vacuum","vacuum_target","stmt_analyze","analyze_arg","stmt_reindex","reindex_arg","stmt_pragma","pragma_expression","pragma_value","pragma_value_literal","pragma_value_bool","pragma_bool_id","pragma_value_name","stmt_crud_types","stmt_select","stmt_core_for_locking","for_locking_items","for_locking_loop","for_locking_item","for_locking_strength","locked_rels_list","id_table_list","id_table_loop","nowait_or_skip","window_clause","window_definition_list","window_definition_loop","window_definition","stmt_core_order","stmt_core_limit","stmt_core_limit_offset","limit_offset_variant","limit_offset_variant_name","select_loop","select_loop_union","select_parts","select_parts_core","select_core_select","select_modifier","select_modifier_distinct","select_modifier_all","select_target","select_target_loop","select_core_from","stmt_core_where","select_core_group","select_core_having","select_node","select_node_star","select_node_star_qualified","select_node_aliased","select_source","source_loop_tail","select_cross_clause","select_join_clause","table_or_sub","table_or_sub_func","func_alias_clause","table_func_element_list","table_func_element","table_func_element_tail","lateral","table_qualified","table_qualified_id","table_or_sub_index_node","index_node_indexed","index_node_none","table_or_sub_sub","table_or_sub_select","alias","join_operator","join_operator_natural","join_operator_types","operator_types_hand","types_hand_outer","operator_types_misc","join_condition","join_condition_on","join_condition_using","select_parts_values","stmt_core_order_list","stmt_core_order_list_loop","stmt_core_order_list_item","nulls_order","select_star","stmt_fallback_types","stmt_insert","returning_clause","insert_keyword","insert_keyword_ins","insert_keyword_repl","insert_keyword_mod","insert_target","insert_into","insert_into_start","insert_results","opt_on_conflict","opt_on_conflict_action","opt_conf_expr","loop_columns","loop_column_tail","loop_name","insert_value","insert_value_start","insert_values_list","insert_values_loop","expression_list_wrapped","insert_default","operator_compound","compound_union","compound_union_all","stmt_update","update_start","update_fallback","update_set","update_columns","update_columns_tail","update_column","update_expression","stmt_delete","delete_start","stmt_create","create_start","create_table_only","create_index_only","create_trigger_only","create_view_only","create_virtual_only","create_table","create_table_start","create_core_tmp","create_core_ine","create_table_source","table_source_def","source_def_rowid","source_def_loop","source_def_tail","source_tbl_loop","source_def_column","source_def_name","column_type","column_constraints","column_constraint_tail","column_constraint","constraint_name","constraint_name_loop","column_constraint_types","column_constraint_foreign","column_constraint_primary","col_primary_start","col_primary_auto","column_constraint_null","constraint_null_types","constraint_null_value","column_constraint_check","column_constraint_default","column_default_values","column_constraint_collate","table_constraint","table_constraint_types","table_constraint_check","table_constraint_primary","primary_start","primary_start_normal","primary_start_unique","primary_columns","primary_columns_index","primary_columns_table","primary_column_tail","primary_column","primary_column_types","column_collate","column_collate_loop","primary_column_dir","primary_conflict","primary_conflict_start","constraint_check","table_constraint_foreign","foreign_start","foreign_clause","foreign_references","foreign_actions","foreign_actions_tail","foreign_action","foreign_action_on","action_on_action","on_action_set","on_action_cascade","on_action_none","foreign_action_match","foreign_deferrable","deferrable_initially","table_source_select","create_index","create_index_start","index_unique","index_on","create_trigger","create_trigger_start","trigger_conditions","trigger_apply_mods","trigger_apply_instead","trigger_do","trigger_do_on","trigger_do_update","do_update_of","do_update_columns","trigger_foreach","trigger_when","trigger_action","action_loop","action_loop_stmt","create_view","id_view_expression","create_view_start","create_as_select","create_virtual","create_virtual_start","virtual_module","virtual_args","virtual_args_loop","virtual_args_tail","virtual_arg_types","virtual_column_name","stmt_drop","drop_start","drop_types","drop_ie","binary_concat","binary_plus","binary_minus","binary_multiply","binary_divide","binary_mod","binary_left","binary_right","binary_and","binary_or","binary_lt","binary_gt","binary_lte","binary_gte","binary_equal","binary_notequal_a","binary_notequal_b","binary_custom","binary_lang_isnt","id_name","id_database","id_function","id_table","id_table_qualified","id_column","indirection","indirection_loop","indirection_el","indirection_attr","indirection_slice","indirection_index","slice_lbound","slice_ubound","column_unqualified","column_qualifiers","id_column_qualified","id_collation","id_savepoint","id_index","id_trigger","id_view","id_pragma","id_variable","id_cte","id_table_expression","id_constraint_table","id_constraint_column","datatype_types","datatype_text","datatype_real","datatype_real_double","datatype_numeric","datatype_integer","datatype_integer_fp","datatype_none","name_char","unicode_char","name","name_quoted","name_unquoted","name_reserved","name_bracketed","bracket_terminator","name_dblquoted","name_sglquoted","name_backticked","sym_bopen","sym_bclose","sym_popen","sym_pclose","sym_comma","sym_dot","sym_star","sym_quest","sym_sglquote","sym_dblquote","sym_backtick","sym_tilde","sym_plus","sym_minus","sym_equal","sym_amp","sym_pipe","sym_mod","sym_lt","sym_gt","sym_excl","sym_semi","sym_colon","sym_fslash","sym_bslash","sym_op","ABORT","ACTION","ADD","AFTER","ALL","ALTER","ANALYZE","AND","ARRAY","AS","ASC","ATTACH","AUTOINCREMENT","BEFORE","BEGIN","BETWEEN","BY","CASCADE","CASE","CAST","CHECK","COLLATE","COLUMN","COMMIT","CONFLICT","CONSTRAINT","CREATE","CROSS","CURRENT_DATE","CURRENT_TIME","CURRENT_TIMESTAMP","DATABASE","DEFAULT","DEFERRABLE","DEFERRED","DELETE","DESC","DETACH","DISTINCT","DROP","EACH","ELSE","END","ESCAPE","EXCEPT","EXCLUSIVE","EXISTS","EXPLAIN","FAIL","FIRST","FOR","FOREIGN","FROM","FULL","GLOB","GROUP","HAVING","IF","IGNORE","ILIKE","IMMEDIATE","IN","INDEX","INDEXED","INITIALLY","INNER","INSERT","INSTEAD","INTERSECT","INTO","IS","ISNULL","JOIN","KEY","LAST","LATERAL","LEFT","LIKE","LIMIT","LOCKED","MATCH","NATURAL","NO","NOT","NOTNULL","NOWAIT","NULL","NULLS","OF","OFFSET","ON","ONLY","OR","ORDER","OUTER","OVER","PARTITION","PLAN","PRAGMA","PRIMARY","QUERY","RAISE","READ","RECURSIVE","REFERENCES","REGEXP","REINDEX","RELEASE","RENAME","REPLACE","RESTRICT","RETURNING","RIGHT","ROLLBACK","ROW","ROWID","SAVEPOINT","SELECT","SET","SHARE","SHOW","SKIP","TABLE","TEMP","TEMPORARY","THEN","TO","TRANSACTION","TRIGGER","UNION","UNIQUE","UPDATE","USING","VACUUM","VALUES","VIEW","VIRTUAL","WHEN","WHERE","WINDOW","WITH","WITHOUT","reserved_words","reserved_word_list","reserved_critical_list","comment","comment_line","comment_block","comment_block_start","comment_block_end","comment_block_body","block_body_nodes","comment_block_feed","o","_TODO_"],b=[null,null,null,null,null,null,"Type Definition","Array bounds",null,null,"Custom Datatype Name",null,"Type Definition Arguments",null,null,"Null Literal","Date Literal","String Literal","Single-quoted String Literal",null,"Blob Literal","Typed literal (or bind parameter)",null,"Number Sign",null,null,null,"Decimal Literal",null,null,"Decimal Literal Exponent","Hexidecimal Literal",null,null,"Bind Parameter","Numbered Bind Parameter",null,"Named Bind Parameter","TCL Bind Parameter",null,"EXISTS Expression","EXISTS Keyword","RAISE Expression","RAISE Expression Arguments","IGNORE Keyword",null,null,null,null,"ARRAY expression","ARRAY SELECT expression","array expression","multi-dimensional array expression",null,null,"PSQL-style cast",null,null,"COLLATE Expression",null,null,null,null,null,null,null,null,null,null,null,null,null,"CAST Expression","Type Alias","CASE Expression",null,"WHEN Clause","ELSE Clause",null,null,"IS DISTINCT expression","Comparison Expression","ESCAPE Expression","BETWEEN Expression",null,null,"IN Expression",null,null,null,null,"Expression List",null,null,"Function Call","FILTER clause","Function Call Arguments",null,"OVER clause","Window name","Window specification",null,"window partition clause","Error Message","Statement","QUERY PLAN","QUERY PLAN Keyword",null,"END Transaction Statement","BEGIN Transaction Statement",null,null,"ROLLBACK Statement","TO Clause",null,null,"SAVEPOINT Statement","RELEASE Statement","ALTER TABLE Statement","ALTER TABLE Keyword",null,"RENAME TO Keyword","ADD COLUMN Keyword",null,null,"WITH Clause",null,null,null,null,"Common Table Expression",null,null,null,"SET statement",null,null,null,null,null,null,null,null,"ATTACH Statement",null,"DETACH Statement","VACUUM Statement",null,"ANALYZE Statement",null,"REINDEX Statement",null,"PRAGMA Statement",null,null,null,null,null,null,null,"SELECT Statement","SELECT ... FOR locking clause",null,null,null,null,null,null,null,null,"WINDOW clause",null,null,null,"ORDER BY Clause","LIMIT Clause","OFFSET Clause",null,null,null,"Union Operation",null,null,"SELECT Results Clause","SELECT Results Modifier",null,null,null,null,"FROM Clause","WHERE Clause","GROUP BY Clause","HAVING Clause",null,null,null,null,null,null,"CROSS JOIN Operation","JOIN Operation",null,null,null,null,null,null,null,"Qualified Table","Qualified Table Identifier","Qualfied Table Index",null,null,"SELECT Source","Subquery","Alias","JOIN Operator",null,null,null,null,null,"JOIN Constraint","Join ON Clause","Join USING Clause","VALUES Clause",null,null,"Ordering Expression",null,"Star","Fallback Type","INSERT Statement","RETURNING clause",null,"INSERT Keyword","REPLACE Keyword","INSERT OR Modifier",null,"INTO Clause","INTO Keyword","VALUES Clause","PostgreSQL INSERT ON CONFLICT clause","PostgreSQL ON CONFLICT action","PostgreSQL ON CONFLICT expression","Column List",null,"Column Name","VALUES Clause","VALUES Keyword",null,null,"Wrapped Expression List","DEFAULT VALUES Clause","Compound Operator","UNION Operator",null,"UPDATE Statement","UPDATE Keyword","UPDATE OR Modifier","SET Clause",null,null,"Column Assignment","UPDATE value expression","DELETE Statement","DELETE Keyword","CREATE Statement",null,null,null,null,null,null,"CREATE TABLE Statement",null,null,"IF NOT EXISTS Modifier",null,"Table Definition",null,null,null,null,"Column Definition",null,"Column Datatype",null,null,"Column Constraint",null,"CONSTRAINT Name",null,"FOREIGN KEY Column Constraint","PRIMARY KEY Column Constraint","PRIMARY KEY Keyword","AUTOINCREMENT Keyword",null,"UNIQUE Column Constraint","NULL Column Constraint","CHECK Column Constraint","DEFAULT Column Constraint",null,"COLLATE Column Constraint","Table Constraint",null,"CHECK Table Constraint","PRIMARY KEY Table Constraint",null,"PRIMARY KEY Keyword","UNIQUE Keyword",null,null,null,null,"Indexed Column",null,"Collation",null,"Column Direction",null,"ON CONFLICT Keyword",null,"FOREIGN KEY Table Constraint","FOREIGN KEY Keyword",null,"REFERENCES Clause",null,null,"FOREIGN KEY Action Clause",null,"FOREIGN KEY Action",null,null,null,null,"DEFERRABLE Clause",null,null,"CREATE INDEX Statement",null,null,"ON Clause","CREATE TRIGGER Statement",null,"Conditional Clause",null,null,"Conditional Action",null,null,null,null,null,"WHEN Clause","Actions Clause",null,null,"CREATE VIEW Statement",null,null,null,"CREATE VIRTUAL TABLE Statement",null,null,"Module Arguments",null,null,null,null,"DROP Statement","DROP Keyword","DROP Type","IF EXISTS Keyword","Or","Add","Subtract","Multiply","Divide","Modulo","Shift Left","Shift Right","Logical AND","Logical OR","Less Than","Greater Than","Less Than Or Equal","Greater Than Or Equal","Equal","Not Equal","Not Equal","PostgreSQL custom binary operarator","IS","Identifier","Database Identifier","Function Identifier","Table Identifier",null,"Column Identifier","value indirection",null,null,null,null,null,null,null,null,null,null,"Collation Identifier","Savepoint Identifier","Index Identifier","Trigger Identifier","View Identifier","Pragma Identifier","Variable Identifier","CTE Identifier",null,"Table Constraint Identifier","Column Constraint Identifier","Datatype Name","TEXT Datatype Name","REAL Datatype Name","DOUBLE Datatype Name","NUMERIC Datatype Name","INTEGER Datatype Name",null,"BLOB Datatype Name",null,null,null,null,null,null,null,null,null,null,null,"Open Bracket","Close Bracket","Open Parenthesis","Close Parenthesis","Comma","Period","Asterisk","Question Mark","Single Quote","Double Quote","Backtick","Tilde","Plus","Minus","Equal","Ampersand","Pipe","Modulo","Less Than","Greater Than","Exclamation","Semicolon","Colon","Forward Slash","Backslash","Operator characters",null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,"Line Comment","Block Comment",null,null,null,null,null,"Whitespace",null],k="tracer"in i?i.tracer:new l;if("startRule"in i){if(!(i.startRule in c))throw new Error("Can't start parsing from rule \""+i.startRule+'".');m=c[i.startRule]}function $(e,i){return{type:"literal",text:e,ignoreCase:i}}function v(e,i,t){return{type:"class",parts:e,inverted:i,ignoreCase:t}}function E(e){return{type:"other",description:e}}function S(i){var t,n=h[i];if(n)return n;for(t=i-1;!h[t];)t--;for(n={line:(n=h[t]).line,column:n.column};tx&&(x=y,g=[]),g.push(e))}function L(e){return e.split("").map((function(e){return e.charCodeAt(0)-32}))}function O(e){return C(e)?Array.isArray(e)?e:[e]:[]}function C(e){return null!=e}function I(e){var i=arguments.length>1&&void 0!==arguments[1]?arguments[1]:" ";return e.filter((function(e){return C(e)})).reduce((function(e,t){return""+e+D(t)+i}),"").trim()}function N(e){return I(e,"")}function j(e){return I(e).toLowerCase()}function R(e){return e.filter((function(e){return C(e)})).reduce((function(e,i){return e.concat(i)}),[])}function F(e){var i=arguments.length>1&&void 0!==arguments[1]?arguments[1]:"'",t=new RegExp(i+"{2}","g");return D(e).replace(t,i)}function D(){return O(arguments.length>0&&void 0!==arguments[0]?arguments[0]:[]).join("")}function U(e){return D(e).trim()}function P(e){return U(e).toLowerCase()}function M(e){return Array.isArray(e)&&e.length>0&&C(e[0])}function q(e,i){return i.reduce((function(e,i){var t=n(i,4),o=(t[0],t[1]),r=(t[2],t[3]);return{type:"expression",format:"binary",variant:"operation",operation:P(o),left:e,right:r}}),e)}if((t=function i(t){var n,o=u[t],r=0,a=[],l=o.length,s=[],p=[],c=y;k.trace({type:"rule.enter",rule:w[t],description:b[t],location:T(c,c)});var m=621*y+t,h=z[m];if(h)return y=h.nextPos,h.result!==d?k.trace({type:"rule.match",rule:w[t],description:b[t],result:h.result,location:T(c,y)}):k.trace({type:"rule.fail",rule:w[t],description:b[t],location:T(c,c)}),h.result;for(;;){for(;ry?(l=r+3+o[r+1],r+=3):(l=r+3+o[r+1]+o[r+2],r+=3+o[r+1]);break;case 18:s.push(l),a.push(r+4+o[r+2]+o[r+3]),e.substr(y,f[o[r+1]].length)===f[o[r+1]]?(l=r+4+o[r+2],r+=4):(l=r+4+o[r+2]+o[r+3],r+=4+o[r+2]);break;case 19:s.push(l),a.push(r+4+o[r+2]+o[r+3]),e.substr(y,f[o[r+1]].length).toLowerCase()===f[o[r+1]]?(l=r+4+o[r+2],r+=4):(l=r+4+o[r+2]+o[r+3],r+=4+o[r+2]);break;case 20:s.push(l),a.push(r+4+o[r+2]+o[r+3]),f[o[r+1]].test(e.charAt(y))?(l=r+4+o[r+2],r+=4):(l=r+4+o[r+2]+o[r+3],r+=4+o[r+2]);break;case 21:p.push(e.substr(y,o[r+1])),y+=o[r+1],r+=2;break;case 22:p.push(f[o[r+1]]),y+=f[o[r+1]].length,r+=2;break;case 23:p.push(d),0===_&&A(f[o[r+1]]),r+=2;break;case 24:p[p.length-1-o[r+1]],r+=2;break;case 25:r++;break;case 26:n=o.slice(r+4,r+4+o[r+3]).map((function(e){return p[p.length-1-e]})),p.splice(p.length-o[r+2],o[r+2],f[o[r+1]].apply(null,n)),r+=4+o[r+3];break;case 27:p.push(i(o[r+1])),r+=2;break;case 28:_++,r++;break;case 29:_--,r++;break;default:throw new Error("Invalid opcode: "+o[r]+".")}if(!(s.length>0))break;l=s.pop(),r=a.pop()}return z[m]={nextPos:y,result:p[0]},p[0]!==d?k.trace({type:"rule.match",rule:w[t],description:b[t],result:p[0],location:T(c,y)}):k.trace({type:"rule.fail",rule:w[t],description:b[t],location:T(c,c)}),p[0]}(m))!==d&&y===e.length)return t;throw t!==d&&y=0;t-=1)if(i(e[t]))return t;return-1}Object.defineProperty(t,"__esModule",{value:!0}),t.Tracer=function(){function e(){if(!(this instanceof e))return new e;this.events=[],this.indentation=0,this.whitespaceRule=/(^whitespace)|(char$)|(^[oe]$)|(^sym\_)/i,this.statementRule=/Statement$/i,this.firstNodeRule=/(Statement|Clause)$/i}return e.prototype.trace=function(e){var i,t,o=this;switch(e.indentation=this.indentation,e.type){case"rule.enter":this.events.push(e),this.indentation+=1;break;case"rule.match":this.indentation-=1;break;case"rule.fail":i=n(this.events,(function(i){return i.rule===e.rule})),t=n(this.events,(function(e){return!o.whitespaceRule.test(e.rule)})),(o.whitespaceRule.test(e.rule)||i===t)&&this.events.splice(i,1),this.indentation-=1}},e.prototype.smartError=function(e){var i,t,n,o,r=this,a={indentation:-1},l=!1,s=0;return(n=function(e,i){for(var t=e.length,n=0;n1)return!1;if(l){if(/^(stmt)$/i.test(e.rule))return l=!0,!0}else e.indentation>a.indentation?a=e:l=!0;return!0}))).length&&(t=a.location,i="Syntax error found near "+(null!=(o=n.find((function(e){return r.firstNodeRule.test(e.description)&&e.description!==a.description&&e.indentation!==a.indentation})))?this.statementRule.test(a.description)&&this.statementRule.test(o.description)?o.description:a.description+" ("+o.description+")":a.description),Object.assign(e,{message:i,location:t})),e},e}()},{}]},{},[1])(1)},169:function(e){e.exports=JSON.parse('[{"field":"labels","type":"object","normalization":"","example":{"application":"foo-bar","env":"production"},"description":"Custom key/value pairs."},{"field":"message","type":"match_only_text","normalization":"","example":"Hello World","description":"Log message optimized for viewing in a log viewer."},{"field":"tags","type":"keyword","normalization":"array","example":["production","env2"],"description":"List of keywords used to tag each event."},{"field":"agent.build.original","type":"keyword","normalization":"","example":"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]","description":"Extended build information for the agent."},{"field":"client.address","type":"keyword","normalization":"","example":"","description":"Client network address."},{"field":"client.as.number","type":"long","normalization":"","example":15169,"description":"Unique number allocated to the autonomous system."},{"field":"client.as.organization.name","type":"keyword","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"client.as.organization.name.text","type":"match_only_text","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"client.bytes","type":"long","normalization":"","example":184,"description":"Bytes sent from the client to the server."},{"field":"client.domain","type":"keyword","normalization":"","example":"foo.example.com","description":"The domain name of the client."},{"field":"client.geo.city_name","type":"keyword","normalization":"","example":"Montreal","description":"City name."},{"field":"client.geo.continent_code","type":"keyword","normalization":"","example":"NA","description":"Continent code."},{"field":"client.geo.continent_name","type":"keyword","normalization":"","example":"North America","description":"Name of the continent."},{"field":"client.geo.country_iso_code","type":"keyword","normalization":"","example":"CA","description":"Country ISO code."},{"field":"client.geo.country_name","type":"keyword","normalization":"","example":"Canada","description":"Country name."},{"field":"client.geo.location","type":"geo_point","normalization":"","example":{"lon":-73.61483,"lat":45.505918},"description":"Longitude and latitude."},{"field":"client.geo.name","type":"keyword","normalization":"","example":"boston-dc","description":"User-defined description of a location."},{"field":"client.geo.postal_code","type":"keyword","normalization":"","example":94040,"description":"Postal code."},{"field":"client.geo.region_iso_code","type":"keyword","normalization":"","example":"CA-QC","description":"Region ISO code."},{"field":"client.geo.region_name","type":"keyword","normalization":"","example":"Quebec","description":"Region name."},{"field":"client.geo.timezone","type":"keyword","normalization":"","example":"America/Argentina/Buenos_Aires","description":"Time zone."},{"field":"client.ip","type":"ip","normalization":"","example":"","description":"IP address of the client."},{"field":"client.mac","type":"keyword","normalization":"","example":"00-00-5E-00-53-23","description":"MAC address of the client."},{"field":"client.nat.ip","type":"ip","normalization":"","example":"","description":"Client NAT ip address"},{"field":"client.nat.port","type":"long","normalization":"","example":"","description":"Client NAT port"},{"field":"client.packets","type":"long","normalization":"","example":12,"description":"Packets sent from the client to the server."},{"field":"client.port","type":"long","normalization":"","example":"","description":"Port of the client."},{"field":"client.registered_domain","type":"keyword","normalization":"","example":"example.com","description":"The highest registered client domain, stripped of the subdomain."},{"field":"client.subdomain","type":"keyword","normalization":"","example":"east","description":"The subdomain of the domain."},{"field":"client.top_level_domain","type":"keyword","normalization":"","example":"co.uk","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"client.user.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the user is a member of."},{"field":"client.user.email","type":"keyword","normalization":"","example":"","description":"User email address."},{"field":"client.user.full_name","type":"keyword","normalization":"","example":"Albert Einstein","description":"User\'s full name, if available."},{"field":"client.user.full_name.text","type":"match_only_text","normalization":"","example":"Albert Einstein","description":"User\'s full name, if available."},{"field":"client.user.group.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the group is a member of."},{"field":"client.user.group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"client.user.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"client.user.hash","type":"keyword","normalization":"","example":"","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"client.user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"client.user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"client.user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"client.user.roles","type":"keyword","normalization":"array","example":["kibana_admin","reporting_user"],"description":"Array of user roles at the time of the event."},{"field":"cloud.account.id","type":"keyword","normalization":"","example":666777888999,"description":"The cloud account or organization id."},{"field":"cloud.account.name","type":"keyword","normalization":"","example":"elastic-dev","description":"The cloud account name."},{"field":"cloud.availability_zone","type":"keyword","normalization":"","example":"us-east-1c","description":"Availability zone in which this host, resource, or service is located."},{"field":"cloud.instance.id","type":"keyword","normalization":"","example":"i-1234567890abcdef0","description":"Instance ID of the host machine."},{"field":"cloud.instance.name","type":"keyword","normalization":"","example":"","description":"Instance name of the host machine."},{"field":"cloud.machine.type","type":"keyword","normalization":"","example":"t2.medium","description":"Machine type of the host machine."},{"field":"cloud.origin.account.id","type":"keyword","normalization":"","example":666777888999,"description":"The cloud account or organization id."},{"field":"cloud.origin.account.name","type":"keyword","normalization":"","example":"elastic-dev","description":"The cloud account name."},{"field":"cloud.origin.availability_zone","type":"keyword","normalization":"","example":"us-east-1c","description":"Availability zone in which this host, resource, or service is located."},{"field":"cloud.origin.instance.id","type":"keyword","normalization":"","example":"i-1234567890abcdef0","description":"Instance ID of the host machine."},{"field":"cloud.origin.instance.name","type":"keyword","normalization":"","example":"","description":"Instance name of the host machine."},{"field":"cloud.origin.machine.type","type":"keyword","normalization":"","example":"t2.medium","description":"Machine type of the host machine."},{"field":"cloud.origin.project.id","type":"keyword","normalization":"","example":"my-project","description":"The cloud project id."},{"field":"cloud.origin.project.name","type":"keyword","normalization":"","example":"my project","description":"The cloud project name."},{"field":"cloud.origin.provider","type":"keyword","normalization":"","example":"aws","description":"Name of the cloud provider."},{"field":"cloud.origin.region","type":"keyword","normalization":"","example":"us-east-1","description":"Region in which this host, resource, or service is located."},{"field":"cloud.origin.service.name","type":"keyword","normalization":"","example":"lambda","description":"The cloud service name."},{"field":"cloud.project.id","type":"keyword","normalization":"","example":"my-project","description":"The cloud project id."},{"field":"cloud.project.name","type":"keyword","normalization":"","example":"my project","description":"The cloud project name."},{"field":"cloud.provider","type":"keyword","normalization":"","example":"aws","description":"Name of the cloud provider."},{"field":"cloud.region","type":"keyword","normalization":"","example":"us-east-1","description":"Region in which this host, resource, or service is located."},{"field":"cloud.service.name","type":"keyword","normalization":"","example":"lambda","description":"The cloud service name."},{"field":"cloud.target.account.id","type":"keyword","normalization":"","example":666777888999,"description":"The cloud account or organization id."},{"field":"cloud.target.account.name","type":"keyword","normalization":"","example":"elastic-dev","description":"The cloud account name."},{"field":"cloud.target.availability_zone","type":"keyword","normalization":"","example":"us-east-1c","description":"Availability zone in which this host, resource, or service is located."},{"field":"cloud.target.instance.id","type":"keyword","normalization":"","example":"i-1234567890abcdef0","description":"Instance ID of the host machine."},{"field":"cloud.target.instance.name","type":"keyword","normalization":"","example":"","description":"Instance name of the host machine."},{"field":"cloud.target.machine.type","type":"keyword","normalization":"","example":"t2.medium","description":"Machine type of the host machine."},{"field":"cloud.target.project.id","type":"keyword","normalization":"","example":"my-project","description":"The cloud project id."},{"field":"cloud.target.project.name","type":"keyword","normalization":"","example":"my project","description":"The cloud project name."},{"field":"cloud.target.provider","type":"keyword","normalization":"","example":"aws","description":"Name of the cloud provider."},{"field":"cloud.target.region","type":"keyword","normalization":"","example":"us-east-1","description":"Region in which this host, resource, or service is located."},{"field":"cloud.target.service.name","type":"keyword","normalization":"","example":"lambda","description":"The cloud service name."},{"field":"container.cpu.usage","type":"scaled_float","normalization":"","example":"","description":"Percent CPU used, between 0 and 1."},{"field":"container.disk.read.bytes","type":"long","normalization":"","example":"","description":"The number of bytes read by all disks."},{"field":"container.disk.write.bytes","type":"long","normalization":"","example":"","description":"The number of bytes written on all disks."},{"field":"container.id","type":"keyword","normalization":"","example":"","description":"Unique container id."},{"field":"container.image.hash.all","type":"keyword","normalization":"array","example":"[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26]","description":"An array of digests of the image the container was built on."},{"field":"container.image.name","type":"keyword","normalization":"","example":"","description":"Name of the image the container was built on."},{"field":"container.image.tag","type":"keyword","normalization":"array","example":"","description":"Container image tags."},{"field":"container.labels","type":"object","normalization":"","example":"","description":"Image labels."},{"field":"container.memory.usage","type":"scaled_float","normalization":"","example":"","description":"Percent memory used, between 0 and 1."},{"field":"container.name","type":"keyword","normalization":"","example":"","description":"Container name."},{"field":"container.network.egress.bytes","type":"long","normalization":"","example":"","description":"The number of bytes sent on all network interfaces."},{"field":"container.network.ingress.bytes","type":"long","normalization":"","example":"","description":"The number of bytes received on all network interfaces."},{"field":"container.runtime","type":"keyword","normalization":"","example":"docker","description":"Runtime managing this container."},{"field":"data_stream.dataset","type":"constant_keyword","normalization":"","example":"nginx.access","description":"The field can contain anything that makes sense to signify the source of the data."},{"field":"data_stream.namespace","type":"constant_keyword","normalization":"","example":"production","description":"A user defined namespace. Namespaces are useful to allow grouping of data."},{"field":"data_stream.type","type":"constant_keyword","normalization":"","example":"logs","description":"An overarching type for the data stream."},{"field":"destination.address","type":"keyword","normalization":"","example":"","description":"Destination network address."},{"field":"destination.as.number","type":"long","normalization":"","example":15169,"description":"Unique number allocated to the autonomous system."},{"field":"destination.as.organization.name","type":"keyword","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"destination.as.organization.name.text","type":"match_only_text","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"destination.bytes","type":"long","normalization":"","example":184,"description":"Bytes sent from the destination to the source."},{"field":"destination.domain","type":"keyword","normalization":"","example":"foo.example.com","description":"The domain name of the destination."},{"field":"destination.geo.city_name","type":"keyword","normalization":"","example":"Montreal","description":"City name."},{"field":"destination.geo.continent_code","type":"keyword","normalization":"","example":"NA","description":"Continent code."},{"field":"destination.geo.continent_name","type":"keyword","normalization":"","example":"North America","description":"Name of the continent."},{"field":"destination.geo.country_iso_code","type":"keyword","normalization":"","example":"CA","description":"Country ISO code."},{"field":"destination.geo.country_name","type":"keyword","normalization":"","example":"Canada","description":"Country name."},{"field":"destination.geo.location","type":"geo_point","normalization":"","example":{"lon":-73.61483,"lat":45.505918},"description":"Longitude and latitude."},{"field":"destination.geo.name","type":"keyword","normalization":"","example":"boston-dc","description":"User-defined description of a location."},{"field":"destination.geo.postal_code","type":"keyword","normalization":"","example":94040,"description":"Postal code."},{"field":"destination.geo.region_iso_code","type":"keyword","normalization":"","example":"CA-QC","description":"Region ISO code."},{"field":"destination.geo.region_name","type":"keyword","normalization":"","example":"Quebec","description":"Region name."},{"field":"destination.geo.timezone","type":"keyword","normalization":"","example":"America/Argentina/Buenos_Aires","description":"Time zone."},{"field":"destination.ip","type":"ip","normalization":"","example":"","description":"IP address of the destination."},{"field":"destination.mac","type":"keyword","normalization":"","example":"00-00-5E-00-53-23","description":"MAC address of the destination."},{"field":"destination.nat.ip","type":"ip","normalization":"","example":"","description":"Destination NAT ip"},{"field":"destination.nat.port","type":"long","normalization":"","example":"","description":"Destination NAT Port"},{"field":"destination.packets","type":"long","normalization":"","example":12,"description":"Packets sent from the destination to the source."},{"field":"destination.port","type":"long","normalization":"","example":"","description":"Port of the destination."},{"field":"destination.registered_domain","type":"keyword","normalization":"","example":"example.com","description":"The highest registered destination domain, stripped of the subdomain."},{"field":"destination.subdomain","type":"keyword","normalization":"","example":"east","description":"The subdomain of the domain."},{"field":"destination.top_level_domain","type":"keyword","normalization":"","example":"co.uk","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"destination.user.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the user is a member of."},{"field":"destination.user.email","type":"keyword","normalization":"","example":"","description":"User email address."},{"field":"destination.user.full_name","type":"keyword","normalization":"","example":"Albert Einstein","description":"User\'s full name, if available."},{"field":"destination.user.full_name.text","type":"match_only_text","normalization":"","example":"Albert Einstein","description":"User\'s full name, if available."},{"field":"destination.user.group.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the group is a member of."},{"field":"destination.user.group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"destination.user.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"destination.user.hash","type":"keyword","normalization":"","example":"","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"destination.user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"destination.user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"destination.user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"destination.user.roles","type":"keyword","normalization":"array","example":["kibana_admin","reporting_user"],"description":"Array of user roles at the time of the event."},{"field":"device.id","type":"keyword","normalization":"","example":"00000000-54b3-e7c7-0000-000046bffd97","description":"The unique identifier of a device."},{"field":"device.manufacturer","type":"keyword","normalization":"","example":"Samsung","description":"The vendor name of the device manufacturer."},{"field":"device.model.identifier","type":"keyword","normalization":"","example":"SM-G920F","description":"The machine readable identifier of the device model."},{"field":"device.model.name","type":"keyword","normalization":"","example":"Samsung Galaxy S6","description":"The human readable marketing name of the device model."},{"field":"dll.code_signature.digest_algorithm","type":"keyword","normalization":"","example":"sha256","description":"Hashing algorithm used to sign the process."},{"field":"dll.code_signature.exists","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if a signature is present."},{"field":"dll.code_signature.signing_id","type":"keyword","normalization":"","example":"com.apple.xpc.proxy","description":"The identifier used to sign the process."},{"field":"dll.code_signature.status","type":"keyword","normalization":"","example":"ERROR_UNTRUSTED_ROOT","description":"Additional information about the certificate status."},{"field":"dll.code_signature.subject_name","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Subject name of the code signer"},{"field":"dll.code_signature.team_id","type":"keyword","normalization":"","example":"EQHXZ8M8AV","description":"The team identifier used to sign the process."},{"field":"dll.code_signature.timestamp","type":"date","normalization":"","example":"2021-01-01T12:10:30Z","description":"When the signature was generated and signed."},{"field":"dll.code_signature.trusted","type":"boolean","normalization":"","example":true,"description":"Stores the trust status of the certificate chain."},{"field":"dll.code_signature.valid","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if the digital signature is verified against the binary content."},{"field":"dll.hash.md5","type":"keyword","normalization":"","example":"","description":"MD5 hash."},{"field":"dll.hash.sha1","type":"keyword","normalization":"","example":"","description":"SHA1 hash."},{"field":"dll.hash.sha256","type":"keyword","normalization":"","example":"","description":"SHA256 hash."},{"field":"dll.hash.sha384","type":"keyword","normalization":"","example":"","description":"SHA384 hash."},{"field":"dll.hash.sha512","type":"keyword","normalization":"","example":"","description":"SHA512 hash."},{"field":"dll.hash.ssdeep","type":"keyword","normalization":"","example":"","description":"SSDEEP hash."},{"field":"dll.hash.tlsh","type":"keyword","normalization":"","example":"","description":"TLSH hash."},{"field":"dll.name","type":"keyword","normalization":"","example":"kernel32.dll","description":"Name of the library."},{"field":"dll.path","type":"keyword","normalization":"","example":"C:\\\\Windows\\\\System32\\\\kernel32.dll","description":"Full file path of the library."},{"field":"dll.pe.architecture","type":"keyword","normalization":"","example":"x64","description":"CPU architecture target for the file."},{"field":"dll.pe.company","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Internal company name of the file, provided at compile-time."},{"field":"dll.pe.description","type":"keyword","normalization":"","example":"Paint","description":"Internal description of the file, provided at compile-time."},{"field":"dll.pe.file_version","type":"keyword","normalization":"","example":"6.3.9600.17415","description":"Process name."},{"field":"dll.pe.go_import_hash","type":"keyword","normalization":"","example":"10bddcb4cee42080f76c88d9ff964491","description":"A hash of the Go language imports in a PE file."},{"field":"dll.pe.go_imports","type":"flattened","normalization":"","example":"","description":"List of imported Go language element names and types."},{"field":"dll.pe.go_imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of Go imports."},{"field":"dll.pe.go_imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of Go imports."},{"field":"dll.pe.go_stripped","type":"boolean","normalization":"","example":"","description":"Whether the file is a stripped or obfuscated Go executable."},{"field":"dll.pe.imphash","type":"keyword","normalization":"","example":"0c6803c4e922103c4dca5963aad36ddf","description":"A hash of the imports in a PE file."},{"field":"dll.pe.import_hash","type":"keyword","normalization":"","example":"d41d8cd98f00b204e9800998ecf8427e","description":"A hash of the imports in a PE file."},{"field":"dll.pe.imports","type":"flattened","normalization":"array","example":"","description":"List of imported element names and types."},{"field":"dll.pe.imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of imported element names and types."},{"field":"dll.pe.imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of imported element names and types."},{"field":"dll.pe.original_file_name","type":"keyword","normalization":"","example":"MSPAINT.EXE","description":"Internal name of the file, provided at compile-time."},{"field":"dll.pe.pehash","type":"keyword","normalization":"","example":"73ff189b63cd6be375a7ff25179a38d347651975","description":"A hash of the PE header and data from one or more PE sections."},{"field":"dll.pe.product","type":"keyword","normalization":"","example":"Microsoft® Windows® Operating System","description":"Internal product name of the file, provided at compile-time."},{"field":"dll.pe.sections","type":"nested","normalization":"array","example":"","description":"Section information of the PE file."},{"field":"dll.pe.sections.entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the section."},{"field":"dll.pe.sections.name","type":"keyword","normalization":"","example":"","description":"PE Section List name."},{"field":"dll.pe.sections.physical_size","type":"long","normalization":"","example":"","description":"PE Section List physical size."},{"field":"dll.pe.sections.var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the section."},{"field":"dll.pe.sections.virtual_size","type":"long","normalization":"","example":"","description":"PE Section List virtual size. This is always the same as `physical_size`."},{"field":"dns.answers","type":"object","normalization":"array","example":"","description":"Array of DNS answers."},{"field":"dns.answers.class","type":"keyword","normalization":"","example":"IN","description":"The class of DNS data contained in this resource record."},{"field":"dns.answers.data","type":"keyword","normalization":"","example":"10.10.10.10","description":"The data describing the resource."},{"field":"dns.answers.name","type":"keyword","normalization":"","example":"www.example.com","description":"The domain name to which this resource record pertains."},{"field":"dns.answers.ttl","type":"long","normalization":"","example":180,"description":"The time interval in seconds that this resource record may be cached before it should be discarded."},{"field":"dns.answers.type","type":"keyword","normalization":"","example":"CNAME","description":"The type of data contained in this resource record."},{"field":"dns.header_flags","type":"keyword","normalization":"array","example":["RD","RA"],"description":"Array of DNS header flags."},{"field":"dns.id","type":"keyword","normalization":"","example":62111,"description":"The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response."},{"field":"dns.op_code","type":"keyword","normalization":"","example":"QUERY","description":"The DNS operation code that specifies the kind of query in the message."},{"field":"dns.question.class","type":"keyword","normalization":"","example":"IN","description":"The class of records being queried."},{"field":"dns.question.name","type":"keyword","normalization":"","example":"www.example.com","description":"The name being queried."},{"field":"dns.question.registered_domain","type":"keyword","normalization":"","example":"example.com","description":"The highest registered domain, stripped of the subdomain."},{"field":"dns.question.subdomain","type":"keyword","normalization":"","example":"www","description":"The subdomain of the domain."},{"field":"dns.question.top_level_domain","type":"keyword","normalization":"","example":"co.uk","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"dns.question.type","type":"keyword","normalization":"","example":"AAAA","description":"The type of record being queried."},{"field":"dns.resolved_ip","type":"ip","normalization":"array","example":["10.10.10.10","10.10.10.11"],"description":"Array containing all IPs seen in answers.data"},{"field":"dns.response_code","type":"keyword","normalization":"","example":"NOERROR","description":"The DNS response code."},{"field":"dns.type","type":"keyword","normalization":"","example":"answer","description":"The type of DNS event captured, query or answer."},{"field":"email.attachments","type":"nested","normalization":"array","example":"","description":"List of objects describing the attachments."},{"field":"email.attachments.file.extension","type":"keyword","normalization":"","example":"txt","description":"Attachment file extension."},{"field":"email.attachments.file.hash.md5","type":"keyword","normalization":"","example":"","description":"MD5 hash."},{"field":"email.attachments.file.hash.sha1","type":"keyword","normalization":"","example":"","description":"SHA1 hash."},{"field":"email.attachments.file.hash.sha256","type":"keyword","normalization":"","example":"","description":"SHA256 hash."},{"field":"email.attachments.file.hash.sha384","type":"keyword","normalization":"","example":"","description":"SHA384 hash."},{"field":"email.attachments.file.hash.sha512","type":"keyword","normalization":"","example":"","description":"SHA512 hash."},{"field":"email.attachments.file.hash.ssdeep","type":"keyword","normalization":"","example":"","description":"SSDEEP hash."},{"field":"email.attachments.file.hash.tlsh","type":"keyword","normalization":"","example":"","description":"TLSH hash."},{"field":"email.attachments.file.mime_type","type":"keyword","normalization":"","example":"text/plain","description":"MIME type of the attachment file."},{"field":"email.attachments.file.name","type":"keyword","normalization":"","example":"attachment.txt","description":"Name of the attachment file."},{"field":"email.attachments.file.size","type":"long","normalization":"","example":64329,"description":"Attachment file size."},{"field":"email.bcc.address","type":"keyword","normalization":"array","example":"bcc.user1@example.com","description":"Email address of BCC recipient"},{"field":"email.cc.address","type":"keyword","normalization":"array","example":"cc.user1@example.com","description":"Email address of CC recipient"},{"field":"email.content_type","type":"keyword","normalization":"","example":"text/plain","description":"MIME type of the email message."},{"field":"email.delivery_timestamp","type":"date","normalization":"","example":"2020-11-10T22:12:34.8196921Z","description":"Date and time when message was delivered."},{"field":"email.direction","type":"keyword","normalization":"","example":"inbound","description":"Direction of the message."},{"field":"email.from.address","type":"keyword","normalization":"array","example":"sender@example.com","description":"The sender\'s email address."},{"field":"email.local_id","type":"keyword","normalization":"","example":"c26dbea0-80d5-463b-b93c-4e8b708219ce","description":"Unique identifier given by the source."},{"field":"email.message_id","type":"wildcard","normalization":"","example":"81ce15$8r2j59@mail01.example.com","description":"Value from the Message-ID header."},{"field":"email.origination_timestamp","type":"date","normalization":"","example":"2020-11-10T22:12:34.8196921Z","description":"Date and time the email was composed."},{"field":"email.reply_to.address","type":"keyword","normalization":"array","example":"reply.here@example.com","description":"Address replies should be delivered to."},{"field":"email.sender.address","type":"keyword","normalization":"","example":"","description":"Address of the message sender."},{"field":"email.subject","type":"keyword","normalization":"","example":"Please see this important message.","description":"The subject of the email message."},{"field":"email.subject.text","type":"match_only_text","normalization":"","example":"Please see this important message.","description":"The subject of the email message."},{"field":"email.to.address","type":"keyword","normalization":"array","example":"user1@example.com","description":"Email address of recipient"},{"field":"email.x_mailer","type":"keyword","normalization":"","example":"Spambot v2.5","description":"Application that drafted email."},{"field":"error.code","type":"keyword","normalization":"","example":"","description":"Error code describing the error."},{"field":"error.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the error."},{"field":"error.message","type":"match_only_text","normalization":"","example":"","description":"Error message."},{"field":"error.stack_trace","type":"wildcard","normalization":"","example":"","description":"The stack trace of this error in plain text."},{"field":"error.stack_trace.text","type":"match_only_text","normalization":"","example":"","description":"The stack trace of this error in plain text."},{"field":"error.type","type":"keyword","normalization":"","example":"java.lang.NullPointerException","description":"The type of the error, for example the class name of the exception."},{"field":"event.action","type":"keyword","normalization":"","example":"user-password-change","description":"The action captured by the event."},{"field":"event.category","type":"keyword","normalization":"array","example":"authentication","description":"Event category. The second categorization field in the hierarchy."},{"field":"event.code","type":"keyword","normalization":"","example":4648,"description":"Identification code for this event."},{"field":"event.created","type":"date","normalization":"","example":"2016-05-23T08:05:34.857Z","description":"Time when the event was first read by an agent or by your pipeline."},{"field":"event.dataset","type":"keyword","normalization":"","example":"apache.access","description":"Name of the dataset."},{"field":"event.duration","type":"long","normalization":"","example":"","description":"Duration of the event in nanoseconds."},{"field":"event.end","type":"date","normalization":"","example":"","description":"event.end contains the date when the event ended or when the activity was last observed."},{"field":"event.hash","type":"keyword","normalization":"","example":"123456789012345678901234567890ABCD","description":"Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity."},{"field":"event.id","type":"keyword","normalization":"","example":"8a4f500d","description":"Unique ID to describe the event."},{"field":"event.kind","type":"keyword","normalization":"","example":"alert","description":"The kind of the event. The highest categorization field in the hierarchy."},{"field":"event.original","type":"keyword","normalization":"","example":"Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232","description":"Raw text message of entire event."},{"field":"event.outcome","type":"keyword","normalization":"","example":"success","description":"The outcome of the event. The lowest level categorization field in the hierarchy."},{"field":"event.provider","type":"keyword","normalization":"","example":"kernel","description":"Source of the event."},{"field":"event.reason","type":"keyword","normalization":"","example":"Terminated an unexpected process","description":"Reason why this event happened, according to the source"},{"field":"event.reference","type":"keyword","normalization":"","example":"https://system.example.com/event/#0001234","description":"Event reference URL"},{"field":"event.risk_score","type":"float","normalization":"","example":"","description":"Risk score or priority of the event (e.g. security solutions). Use your system\'s original value here."},{"field":"event.risk_score_norm","type":"float","normalization":"","example":"","description":"Normalized risk score or priority of the event (0-100)."},{"field":"event.sequence","type":"long","normalization":"","example":"","description":"Sequence number of the event."},{"field":"event.severity","type":"long","normalization":"","example":7,"description":"Numeric severity of the event."},{"field":"event.start","type":"date","normalization":"","example":"","description":"event.start contains the date when the event started or when the activity was first observed."},{"field":"event.timezone","type":"keyword","normalization":"","example":"","description":"Event time zone."},{"field":"event.type","type":"keyword","normalization":"array","example":"","description":"Event type. The third categorization field in the hierarchy."},{"field":"event.url","type":"keyword","normalization":"","example":"https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe","description":"Event investigation URL"},{"field":"faas.coldstart","type":"boolean","normalization":"","example":"","description":"Boolean value indicating a cold start of a function."},{"field":"faas.execution","type":"keyword","normalization":"","example":"af9d5aa4-a685-4c5f-a22b-444f80b3cc28","description":"The execution ID of the current function execution."},{"field":"faas.id","type":"keyword","normalization":"","example":"arn:aws:lambda:us-west-2:123456789012:function:my-function","description":"The unique identifier of a serverless function."},{"field":"faas.name","type":"keyword","normalization":"","example":"my-function","description":"The name of a serverless function."},{"field":"faas.trigger","type":"nested","normalization":"","example":"","description":"Details about the function trigger."},{"field":"faas.trigger.request_id","type":"keyword","normalization":"","example":123456789,"description":"The ID of the trigger request , message, event, etc."},{"field":"faas.trigger.type","type":"keyword","normalization":"","example":"http","description":"The trigger for the function execution."},{"field":"faas.version","type":"keyword","normalization":"","example":123,"description":"The version of a serverless function."},{"field":"file.accessed","type":"date","normalization":"","example":"","description":"Last time the file was accessed."},{"field":"file.attributes","type":"keyword","normalization":"array","example":["readonly","system"],"description":"Array of file attributes."},{"field":"file.code_signature.digest_algorithm","type":"keyword","normalization":"","example":"sha256","description":"Hashing algorithm used to sign the process."},{"field":"file.code_signature.exists","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if a signature is present."},{"field":"file.code_signature.signing_id","type":"keyword","normalization":"","example":"com.apple.xpc.proxy","description":"The identifier used to sign the process."},{"field":"file.code_signature.status","type":"keyword","normalization":"","example":"ERROR_UNTRUSTED_ROOT","description":"Additional information about the certificate status."},{"field":"file.code_signature.subject_name","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Subject name of the code signer"},{"field":"file.code_signature.team_id","type":"keyword","normalization":"","example":"EQHXZ8M8AV","description":"The team identifier used to sign the process."},{"field":"file.code_signature.timestamp","type":"date","normalization":"","example":"2021-01-01T12:10:30Z","description":"When the signature was generated and signed."},{"field":"file.code_signature.trusted","type":"boolean","normalization":"","example":true,"description":"Stores the trust status of the certificate chain."},{"field":"file.code_signature.valid","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if the digital signature is verified against the binary content."},{"field":"file.created","type":"date","normalization":"","example":"","description":"File creation time."},{"field":"file.ctime","type":"date","normalization":"","example":"","description":"Last time the file attributes or metadata changed."},{"field":"file.device","type":"keyword","normalization":"","example":"sda","description":"Device that is the source of the file."},{"field":"file.directory","type":"keyword","normalization":"","example":"/home/alice","description":"Directory where the file is located."},{"field":"file.drive_letter","type":"keyword","normalization":"","example":"C","description":"Drive letter where the file is located."},{"field":"file.elf.architecture","type":"keyword","normalization":"","example":"x86-64","description":"Machine architecture of the ELF file."},{"field":"file.elf.byte_order","type":"keyword","normalization":"","example":"Little Endian","description":"Byte sequence of ELF file."},{"field":"file.elf.cpu_type","type":"keyword","normalization":"","example":"Intel","description":"CPU type of the ELF file."},{"field":"file.elf.creation_date","type":"date","normalization":"","example":"","description":"Build or compile date."},{"field":"file.elf.exports","type":"flattened","normalization":"array","example":"","description":"List of exported element names and types."},{"field":"file.elf.go_import_hash","type":"keyword","normalization":"","example":"10bddcb4cee42080f76c88d9ff964491","description":"A hash of the Go language imports in an ELF file."},{"field":"file.elf.go_imports","type":"flattened","normalization":"","example":"","description":"List of imported Go language element names and types."},{"field":"file.elf.go_imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of Go imports."},{"field":"file.elf.go_imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of Go imports."},{"field":"file.elf.go_stripped","type":"boolean","normalization":"","example":"","description":"Whether the file is a stripped or obfuscated Go executable."},{"field":"file.elf.header.abi_version","type":"keyword","normalization":"","example":"","description":"Version of the ELF Application Binary Interface (ABI)."},{"field":"file.elf.header.class","type":"keyword","normalization":"","example":"","description":"Header class of the ELF file."},{"field":"file.elf.header.data","type":"keyword","normalization":"","example":"","description":"Data table of the ELF header."},{"field":"file.elf.header.entrypoint","type":"long","normalization":"","example":"","description":"Header entrypoint of the ELF file."},{"field":"file.elf.header.object_version","type":"keyword","normalization":"","example":"","description":"0x1\\" for original ELF files."},{"field":"file.elf.header.os_abi","type":"keyword","normalization":"","example":"","description":"Application Binary Interface (ABI) of the Linux OS."},{"field":"file.elf.header.type","type":"keyword","normalization":"","example":"","description":"Header type of the ELF file."},{"field":"file.elf.header.version","type":"keyword","normalization":"","example":"","description":"Version of the ELF header."},{"field":"file.elf.import_hash","type":"keyword","normalization":"","example":"d41d8cd98f00b204e9800998ecf8427e","description":"A hash of the imports in an ELF file."},{"field":"file.elf.imports","type":"flattened","normalization":"array","example":"","description":"List of imported element names and types."},{"field":"file.elf.imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of imported element names and types."},{"field":"file.elf.imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of imported element names and types."},{"field":"file.elf.sections","type":"nested","normalization":"array","example":"","description":"Section information of the ELF file."},{"field":"file.elf.sections.chi2","type":"long","normalization":"","example":"","description":"Chi-square probability distribution of the section."},{"field":"file.elf.sections.entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the section."},{"field":"file.elf.sections.flags","type":"keyword","normalization":"","example":"","description":"ELF Section List flags."},{"field":"file.elf.sections.name","type":"keyword","normalization":"","example":"","description":"ELF Section List name."},{"field":"file.elf.sections.physical_offset","type":"keyword","normalization":"","example":"","description":"ELF Section List offset."},{"field":"file.elf.sections.physical_size","type":"long","normalization":"","example":"","description":"ELF Section List physical size."},{"field":"file.elf.sections.type","type":"keyword","normalization":"","example":"","description":"ELF Section List type."},{"field":"file.elf.sections.var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the section."},{"field":"file.elf.sections.virtual_address","type":"long","normalization":"","example":"","description":"ELF Section List virtual address."},{"field":"file.elf.sections.virtual_size","type":"long","normalization":"","example":"","description":"ELF Section List virtual size."},{"field":"file.elf.segments","type":"nested","normalization":"array","example":"","description":"ELF object segment list."},{"field":"file.elf.segments.sections","type":"keyword","normalization":"","example":"","description":"ELF object segment sections."},{"field":"file.elf.segments.type","type":"keyword","normalization":"","example":"","description":"ELF object segment type."},{"field":"file.elf.shared_libraries","type":"keyword","normalization":"array","example":"","description":"List of shared libraries used by this ELF object."},{"field":"file.elf.telfhash","type":"keyword","normalization":"","example":"","description":"telfhash hash for ELF file."},{"field":"file.extension","type":"keyword","normalization":"","example":"png","description":"File extension, excluding the leading dot."},{"field":"file.fork_name","type":"keyword","normalization":"","example":"Zone.Identifer","description":"A fork is additional data associated with a filesystem object."},{"field":"file.gid","type":"keyword","normalization":"","example":1001,"description":"Primary group ID (GID) of the file."},{"field":"file.group","type":"keyword","normalization":"","example":"alice","description":"Primary group name of the file."},{"field":"file.hash.md5","type":"keyword","normalization":"","example":"","description":"MD5 hash."},{"field":"file.hash.sha1","type":"keyword","normalization":"","example":"","description":"SHA1 hash."},{"field":"file.hash.sha256","type":"keyword","normalization":"","example":"","description":"SHA256 hash."},{"field":"file.hash.sha384","type":"keyword","normalization":"","example":"","description":"SHA384 hash."},{"field":"file.hash.sha512","type":"keyword","normalization":"","example":"","description":"SHA512 hash."},{"field":"file.hash.ssdeep","type":"keyword","normalization":"","example":"","description":"SSDEEP hash."},{"field":"file.hash.tlsh","type":"keyword","normalization":"","example":"","description":"TLSH hash."},{"field":"file.inode","type":"keyword","normalization":"","example":256383,"description":"Inode representing the file in the filesystem."},{"field":"file.macho.go_import_hash","type":"keyword","normalization":"","example":"10bddcb4cee42080f76c88d9ff964491","description":"A hash of the Go language imports in a Mach-O file."},{"field":"file.macho.go_imports","type":"flattened","normalization":"","example":"","description":"List of imported Go language element names and types."},{"field":"file.macho.go_imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of Go imports."},{"field":"file.macho.go_imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of Go imports."},{"field":"file.macho.go_stripped","type":"boolean","normalization":"","example":"","description":"Whether the file is a stripped or obfuscated Go executable."},{"field":"file.macho.import_hash","type":"keyword","normalization":"","example":"d41d8cd98f00b204e9800998ecf8427e","description":"A hash of the imports in a Mach-O file."},{"field":"file.macho.imports","type":"flattened","normalization":"array","example":"","description":"List of imported element names and types."},{"field":"file.macho.imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of imported element names and types."},{"field":"file.macho.imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of imported element names and types."},{"field":"file.macho.sections","type":"nested","normalization":"array","example":"","description":"Section information of the Mach-O file."},{"field":"file.macho.sections.entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the section."},{"field":"file.macho.sections.name","type":"keyword","normalization":"","example":"","description":"Mach-O Section List name."},{"field":"file.macho.sections.physical_size","type":"long","normalization":"","example":"","description":"Mach-O Section List physical size."},{"field":"file.macho.sections.var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the section."},{"field":"file.macho.sections.virtual_size","type":"long","normalization":"","example":"","description":"Mach-O Section List virtual size. This is always the same as `physical_size`."},{"field":"file.macho.symhash","type":"keyword","normalization":"","example":"d3ccf195b62a9279c3c19af1080497ec","description":"A hash of the imports in a Mach-O file."},{"field":"file.mime_type","type":"keyword","normalization":"","example":"","description":"Media type of file, document, or arrangement of bytes."},{"field":"file.mode","type":"keyword","normalization":"","example":"0640","description":"Mode of the file in octal representation."},{"field":"file.mtime","type":"date","normalization":"","example":"","description":"Last time the file content was modified."},{"field":"file.name","type":"keyword","normalization":"","example":"example.png","description":"Name of the file including the extension, without the directory."},{"field":"file.owner","type":"keyword","normalization":"","example":"alice","description":"File owner\'s username."},{"field":"file.path","type":"keyword","normalization":"","example":"/home/alice/example.png","description":"Full path to the file, including the file name."},{"field":"file.path.text","type":"match_only_text","normalization":"","example":"/home/alice/example.png","description":"Full path to the file, including the file name."},{"field":"file.pe.architecture","type":"keyword","normalization":"","example":"x64","description":"CPU architecture target for the file."},{"field":"file.pe.company","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Internal company name of the file, provided at compile-time."},{"field":"file.pe.description","type":"keyword","normalization":"","example":"Paint","description":"Internal description of the file, provided at compile-time."},{"field":"file.pe.file_version","type":"keyword","normalization":"","example":"6.3.9600.17415","description":"Process name."},{"field":"file.pe.go_import_hash","type":"keyword","normalization":"","example":"10bddcb4cee42080f76c88d9ff964491","description":"A hash of the Go language imports in a PE file."},{"field":"file.pe.go_imports","type":"flattened","normalization":"","example":"","description":"List of imported Go language element names and types."},{"field":"file.pe.go_imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of Go imports."},{"field":"file.pe.go_imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of Go imports."},{"field":"file.pe.go_stripped","type":"boolean","normalization":"","example":"","description":"Whether the file is a stripped or obfuscated Go executable."},{"field":"file.pe.imphash","type":"keyword","normalization":"","example":"0c6803c4e922103c4dca5963aad36ddf","description":"A hash of the imports in a PE file."},{"field":"file.pe.import_hash","type":"keyword","normalization":"","example":"d41d8cd98f00b204e9800998ecf8427e","description":"A hash of the imports in a PE file."},{"field":"file.pe.imports","type":"flattened","normalization":"array","example":"","description":"List of imported element names and types."},{"field":"file.pe.imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of imported element names and types."},{"field":"file.pe.imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of imported element names and types."},{"field":"file.pe.original_file_name","type":"keyword","normalization":"","example":"MSPAINT.EXE","description":"Internal name of the file, provided at compile-time."},{"field":"file.pe.pehash","type":"keyword","normalization":"","example":"73ff189b63cd6be375a7ff25179a38d347651975","description":"A hash of the PE header and data from one or more PE sections."},{"field":"file.pe.product","type":"keyword","normalization":"","example":"Microsoft® Windows® Operating System","description":"Internal product name of the file, provided at compile-time."},{"field":"file.pe.sections","type":"nested","normalization":"array","example":"","description":"Section information of the PE file."},{"field":"file.pe.sections.entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the section."},{"field":"file.pe.sections.name","type":"keyword","normalization":"","example":"","description":"PE Section List name."},{"field":"file.pe.sections.physical_size","type":"long","normalization":"","example":"","description":"PE Section List physical size."},{"field":"file.pe.sections.var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the section."},{"field":"file.pe.sections.virtual_size","type":"long","normalization":"","example":"","description":"PE Section List virtual size. This is always the same as `physical_size`."},{"field":"file.size","type":"long","normalization":"","example":16384,"description":"File size in bytes."},{"field":"file.target_path","type":"keyword","normalization":"","example":"","description":"Target path for symlinks."},{"field":"file.target_path.text","type":"match_only_text","normalization":"","example":"","description":"Target path for symlinks."},{"field":"file.type","type":"keyword","normalization":"","example":"file","description":"File type (file, dir, or symlink)."},{"field":"file.uid","type":"keyword","normalization":"","example":1001,"description":"The user ID (UID) or security identifier (SID) of the file owner."},{"field":"file.x509.alternative_names","type":"keyword","normalization":"array","example":"*.elastic.co","description":"List of subject alternative names (SAN)."},{"field":"file.x509.issuer.common_name","type":"keyword","normalization":"array","example":"Example SHA2 High Assurance Server CA","description":"List of common name (CN) of issuing certificate authority."},{"field":"file.x509.issuer.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\\\(C) codes"},{"field":"file.x509.issuer.distinguished_name","type":"keyword","normalization":"","example":"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA","description":"Distinguished name (DN) of issuing certificate authority."},{"field":"file.x509.issuer.locality","type":"keyword","normalization":"array","example":"Mountain View","description":"List of locality names (L)"},{"field":"file.x509.issuer.organization","type":"keyword","normalization":"array","example":"Example Inc","description":"List of organizations (O) of issuing certificate authority."},{"field":"file.x509.issuer.organizational_unit","type":"keyword","normalization":"array","example":"www.example.com","description":"List of organizational units (OU) of issuing certificate authority."},{"field":"file.x509.issuer.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or P)"},{"field":"file.x509.not_after","type":"date","normalization":"","example":"2020-07-16T03:15:39Z","description":"Time at which the certificate is no longer considered valid."},{"field":"file.x509.not_before","type":"date","normalization":"","example":"2019-08-16T01:40:25Z","description":"Time at which the certificate is first considered valid."},{"field":"file.x509.public_key_algorithm","type":"keyword","normalization":"","example":"RSA","description":"Algorithm used to generate the public key."},{"field":"file.x509.public_key_curve","type":"keyword","normalization":"","example":"nistp521","description":"The curve used by the elliptic curve public key algorithm. This is algorithm specific."},{"field":"file.x509.public_key_exponent","type":"long","normalization":"","example":65537,"description":"Exponent used to derive the public key. This is algorithm specific."},{"field":"file.x509.public_key_size","type":"long","normalization":"","example":2048,"description":"The size of the public key space in bits."},{"field":"file.x509.serial_number","type":"keyword","normalization":"","example":"55FBB9C7DEBF09809D12CCAA","description":"Unique serial number issued by the certificate authority."},{"field":"file.x509.signature_algorithm","type":"keyword","normalization":"","example":"SHA256-RSA","description":"Identifier for certificate signature algorithm."},{"field":"file.x509.subject.common_name","type":"keyword","normalization":"array","example":"shared.global.example.net","description":"List of common names (CN) of subject."},{"field":"file.x509.subject.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\\\(C) code"},{"field":"file.x509.subject.distinguished_name","type":"keyword","normalization":"","example":"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net","description":"Distinguished name (DN) of the certificate subject entity."},{"field":"file.x509.subject.locality","type":"keyword","normalization":"array","example":"San Francisco","description":"List of locality names (L)"},{"field":"file.x509.subject.organization","type":"keyword","normalization":"array","example":"Example, Inc.","description":"List of organizations (O) of subject."},{"field":"file.x509.subject.organizational_unit","type":"keyword","normalization":"array","example":"","description":"List of organizational units (OU) of subject."},{"field":"file.x509.subject.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or P)"},{"field":"file.x509.version_number","type":"keyword","normalization":"","example":3,"description":"Version of x509 format."},{"field":"group.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the group is a member of."},{"field":"group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"host.boot.id","type":"keyword","normalization":"","example":"88a1f0ed-5ae5-41ee-af6b-41921c311872","description":"Linux boot uuid taken from /proc/sys/kernel/random/boot_id"},{"field":"host.cpu.usage","type":"scaled_float","normalization":"","example":"","description":"Percent CPU used, between 0 and 1."},{"field":"host.disk.read.bytes","type":"long","normalization":"","example":"","description":"The number of bytes read by all disks."},{"field":"host.disk.write.bytes","type":"long","normalization":"","example":"","description":"The number of bytes written on all disks."},{"field":"host.domain","type":"keyword","normalization":"","example":"CONTOSO","description":"Name of the directory the group is a member of."},{"field":"host.geo.city_name","type":"keyword","normalization":"","example":"Montreal","description":"City name."},{"field":"host.geo.continent_code","type":"keyword","normalization":"","example":"NA","description":"Continent code."},{"field":"host.geo.continent_name","type":"keyword","normalization":"","example":"North America","description":"Name of the continent."},{"field":"host.geo.country_iso_code","type":"keyword","normalization":"","example":"CA","description":"Country ISO code."},{"field":"host.geo.country_name","type":"keyword","normalization":"","example":"Canada","description":"Country name."},{"field":"host.geo.location","type":"geo_point","normalization":"","example":{"lon":-73.61483,"lat":45.505918},"description":"Longitude and latitude."},{"field":"host.geo.name","type":"keyword","normalization":"","example":"boston-dc","description":"User-defined description of a location."},{"field":"host.geo.postal_code","type":"keyword","normalization":"","example":94040,"description":"Postal code."},{"field":"host.geo.region_iso_code","type":"keyword","normalization":"","example":"CA-QC","description":"Region ISO code."},{"field":"host.geo.region_name","type":"keyword","normalization":"","example":"Quebec","description":"Region name."},{"field":"host.geo.timezone","type":"keyword","normalization":"","example":"America/Argentina/Buenos_Aires","description":"Time zone."},{"field":"host.name","type":"keyword","normalization":"","example":"","description":"Name of the host."},{"field":"host.network.egress.bytes","type":"long","normalization":"","example":"","description":"The number of bytes sent on all network interfaces."},{"field":"host.network.egress.packets","type":"long","normalization":"","example":"","description":"The number of packets sent on all network interfaces."},{"field":"host.network.ingress.bytes","type":"long","normalization":"","example":"","description":"The number of bytes received on all network interfaces."},{"field":"host.network.ingress.packets","type":"long","normalization":"","example":"","description":"The number of packets received on all network interfaces."},{"field":"host.os.full","type":"keyword","normalization":"","example":"Mac OS Mojave","description":"Operating system name, including the version or code name."},{"field":"host.os.full.text","type":"match_only_text","normalization":"","example":"Mac OS Mojave","description":"Operating system name, including the version or code name."},{"field":"host.os.name.text","type":"match_only_text","normalization":"","example":"Mac OS X","description":"Operating system name, without the version."},{"field":"host.os.platform","type":"keyword","normalization":"","example":"darwin","description":"Operating system platform (such centos, ubuntu, windows)."},{"field":"host.pid_ns_ino","type":"keyword","normalization":"","example":256383,"description":"Pid namespace inode"},{"field":"host.risk.calculated_level","type":"keyword","normalization":"","example":"High","description":"A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring."},{"field":"host.risk.calculated_score","type":"float","normalization":"","example":880.73,"description":"A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring."},{"field":"host.risk.calculated_score_norm","type":"float","normalization":"","example":88.73,"description":"A normalized risk score calculated by an internal system."},{"field":"host.risk.static_level","type":"keyword","normalization":"","example":"High","description":"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."},{"field":"host.risk.static_score","type":"float","normalization":"","example":830,"description":"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."},{"field":"host.risk.static_score_norm","type":"float","normalization":"","example":83,"description":"A normalized risk score calculated by an external system."},{"field":"host.type","type":"keyword","normalization":"","example":"","description":"Type of host."},{"field":"host.uptime","type":"long","normalization":"","example":1325,"description":"Seconds the host has been up."},{"field":"http.request.body.bytes","type":"long","normalization":"","example":887,"description":"Size in bytes of the request body."},{"field":"http.request.body.content","type":"wildcard","normalization":"","example":"Hello world","description":"The full HTTP request body."},{"field":"http.request.body.content.text","type":"match_only_text","normalization":"","example":"Hello world","description":"The full HTTP request body."},{"field":"http.request.bytes","type":"long","normalization":"","example":1437,"description":"Total size in bytes of the request (body and headers)."},{"field":"http.request.id","type":"keyword","normalization":"","example":"123e4567-e89b-12d3-a456-426614174000","description":"HTTP request ID."},{"field":"http.request.method","type":"keyword","normalization":"","example":"POST","description":"HTTP request method."},{"field":"http.request.mime_type","type":"keyword","normalization":"","example":"image/gif","description":"Mime type of the body of the request."},{"field":"http.request.referrer","type":"keyword","normalization":"","example":"https://blog.example.com/","description":"Referrer for this HTTP request."},{"field":"http.response.body.bytes","type":"long","normalization":"","example":887,"description":"Size in bytes of the response body."},{"field":"http.response.body.content","type":"wildcard","normalization":"","example":"Hello world","description":"The full HTTP response body."},{"field":"http.response.body.content.text","type":"match_only_text","normalization":"","example":"Hello world","description":"The full HTTP response body."},{"field":"http.response.bytes","type":"long","normalization":"","example":1437,"description":"Total size in bytes of the response (body and headers)."},{"field":"http.response.mime_type","type":"keyword","normalization":"","example":"image/gif","description":"Mime type of the body of the response."},{"field":"http.response.status_code","type":"long","normalization":"","example":404,"description":"HTTP response status code."},{"field":"http.version","type":"keyword","normalization":"","example":1.1,"description":"HTTP version."},{"field":"log.file.path","type":"keyword","normalization":"","example":"/var/log/fun-times.log","description":"Full path to the log file this event came from."},{"field":"log.level","type":"keyword","normalization":"","example":"error","description":"Log level of the log event."},{"field":"log.logger","type":"keyword","normalization":"","example":"org.elasticsearch.bootstrap.Bootstrap","description":"Name of the logger."},{"field":"log.origin.file.line","type":"long","normalization":"","example":42,"description":"The line number of the file which originated the log event."},{"field":"log.origin.file.name","type":"keyword","normalization":"","example":"Bootstrap.java","description":"The code file which originated the log event."},{"field":"log.origin.function","type":"keyword","normalization":"","example":"init","description":"The function which originated the log event."},{"field":"log.syslog","type":"object","normalization":"","example":"","description":"Syslog metadata"},{"field":"log.syslog.appname","type":"keyword","normalization":"","example":"sshd","description":"The device or application that originated the Syslog message."},{"field":"log.syslog.facility.code","type":"long","normalization":"","example":23,"description":"Syslog numeric facility of the event."},{"field":"log.syslog.facility.name","type":"keyword","normalization":"","example":"local7","description":"Syslog text-based facility of the event."},{"field":"log.syslog.hostname","type":"keyword","normalization":"","example":"example-host","description":"The host that originated the Syslog message."},{"field":"log.syslog.msgid","type":"keyword","normalization":"","example":"ID47","description":"An identifier for the type of Syslog message."},{"field":"log.syslog.priority","type":"long","normalization":"","example":135,"description":"Syslog priority of the event."},{"field":"log.syslog.procid","type":"keyword","normalization":"","example":12345,"description":"The process name or ID that originated the Syslog message."},{"field":"log.syslog.severity.code","type":"long","normalization":"","example":3,"description":"Syslog numeric severity of the event."},{"field":"log.syslog.severity.name","type":"keyword","normalization":"","example":"Error","description":"Syslog text-based severity of the event."},{"field":"log.syslog.structured_data","type":"flattened","normalization":"","example":"","description":"Structured data expressed in RFC 5424 messages."},{"field":"log.syslog.version","type":"keyword","normalization":"","example":1,"description":"Syslog protocol version."},{"field":"network.application","type":"keyword","normalization":"","example":"aim","description":"Application level protocol name."},{"field":"network.bytes","type":"long","normalization":"","example":368,"description":"Total bytes transferred in both directions."},{"field":"network.community_id","type":"keyword","normalization":"","example":"1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=","description":"A hash of source and destination IPs and ports."},{"field":"network.direction","type":"keyword","normalization":"","example":"inbound","description":"Direction of the network traffic."},{"field":"network.forwarded_ip","type":"ip","normalization":"","example":"192.1.1.2","description":"Host IP address when the source IP address is the proxy."},{"field":"network.iana_number","type":"keyword","normalization":"","example":6,"description":"IANA Protocol Number."},{"field":"network.inner","type":"object","normalization":"","example":"","description":"Inner VLAN tag information"},{"field":"network.inner.vlan.id","type":"keyword","normalization":"","example":10,"description":"VLAN ID as reported by the observer."},{"field":"network.inner.vlan.name","type":"keyword","normalization":"","example":"outside","description":"Optional VLAN name as reported by the observer."},{"field":"network.name","type":"keyword","normalization":"","example":"Guest Wifi","description":"Name given by operators to sections of their network."},{"field":"network.packets","type":"long","normalization":"","example":24,"description":"Total packets transferred in both directions."},{"field":"network.protocol","type":"keyword","normalization":"","example":"http","description":"Application protocol name."},{"field":"network.transport","type":"keyword","normalization":"","example":"tcp","description":"Protocol Name corresponding to the field `iana_number`."},{"field":"network.type","type":"keyword","normalization":"","example":"ipv4","description":"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc"},{"field":"network.vlan.id","type":"keyword","normalization":"","example":10,"description":"VLAN ID as reported by the observer."},{"field":"network.vlan.name","type":"keyword","normalization":"","example":"outside","description":"Optional VLAN name as reported by the observer."},{"field":"observer.egress","type":"object","normalization":"","example":"","description":"Object field for egress information"},{"field":"observer.egress.interface.alias","type":"keyword","normalization":"","example":"outside","description":"Interface alias"},{"field":"observer.egress.interface.id","type":"keyword","normalization":"","example":10,"description":"Interface ID"},{"field":"observer.egress.interface.name","type":"keyword","normalization":"","example":"eth0","description":"Interface name"},{"field":"observer.egress.vlan.id","type":"keyword","normalization":"","example":10,"description":"VLAN ID as reported by the observer."},{"field":"observer.egress.vlan.name","type":"keyword","normalization":"","example":"outside","description":"Optional VLAN name as reported by the observer."},{"field":"observer.egress.zone","type":"keyword","normalization":"","example":"Public_Internet","description":"Observer Egress zone"},{"field":"observer.geo.city_name","type":"keyword","normalization":"","example":"Montreal","description":"City name."},{"field":"observer.geo.continent_code","type":"keyword","normalization":"","example":"NA","description":"Continent code."},{"field":"observer.geo.continent_name","type":"keyword","normalization":"","example":"North America","description":"Name of the continent."},{"field":"observer.geo.country_iso_code","type":"keyword","normalization":"","example":"CA","description":"Country ISO code."},{"field":"observer.geo.country_name","type":"keyword","normalization":"","example":"Canada","description":"Country name."},{"field":"observer.geo.location","type":"geo_point","normalization":"","example":{"lon":-73.61483,"lat":45.505918},"description":"Longitude and latitude."},{"field":"observer.geo.name","type":"keyword","normalization":"","example":"boston-dc","description":"User-defined description of a location."},{"field":"observer.geo.postal_code","type":"keyword","normalization":"","example":94040,"description":"Postal code."},{"field":"observer.geo.region_iso_code","type":"keyword","normalization":"","example":"CA-QC","description":"Region ISO code."},{"field":"observer.geo.region_name","type":"keyword","normalization":"","example":"Quebec","description":"Region name."},{"field":"observer.geo.timezone","type":"keyword","normalization":"","example":"America/Argentina/Buenos_Aires","description":"Time zone."},{"field":"observer.hostname","type":"keyword","normalization":"","example":"","description":"Hostname of the observer."},{"field":"observer.ingress","type":"object","normalization":"","example":"","description":"Object field for ingress information"},{"field":"observer.ingress.interface.alias","type":"keyword","normalization":"","example":"outside","description":"Interface alias"},{"field":"observer.ingress.interface.id","type":"keyword","normalization":"","example":10,"description":"Interface ID"},{"field":"observer.ingress.interface.name","type":"keyword","normalization":"","example":"eth0","description":"Interface name"},{"field":"observer.ingress.vlan.id","type":"keyword","normalization":"","example":10,"description":"VLAN ID as reported by the observer."},{"field":"observer.ingress.vlan.name","type":"keyword","normalization":"","example":"outside","description":"Optional VLAN name as reported by the observer."},{"field":"observer.ingress.zone","type":"keyword","normalization":"","example":"DMZ","description":"Observer ingress zone"},{"field":"observer.ip","type":"ip","normalization":"array","example":"","description":"IP addresses of the observer."},{"field":"observer.mac","type":"keyword","normalization":"array","example":["00-00-5E-00-53-23","00-00-5E-00-53-24"],"description":"MAC addresses of the observer."},{"field":"observer.name","type":"keyword","normalization":"","example":"1_proxySG","description":"Custom name of the observer."},{"field":"observer.os.family","type":"keyword","normalization":"","example":"debian","description":"OS family (such as redhat, debian, freebsd, windows)."},{"field":"observer.os.full","type":"keyword","normalization":"","example":"Mac OS Mojave","description":"Operating system name, including the version or code name."},{"field":"observer.os.full.text","type":"match_only_text","normalization":"","example":"Mac OS Mojave","description":"Operating system name, including the version or code name."},{"field":"observer.os.kernel","type":"keyword","normalization":"","example":"4.4.0-112-generic","description":"Operating system kernel version as a raw string."},{"field":"observer.os.name","type":"keyword","normalization":"","example":"Mac OS X","description":"Operating system name, without the version."},{"field":"observer.os.name.text","type":"match_only_text","normalization":"","example":"Mac OS X","description":"Operating system name, without the version."},{"field":"observer.os.platform","type":"keyword","normalization":"","example":"darwin","description":"Operating system platform (such centos, ubuntu, windows)."},{"field":"observer.os.type","type":"keyword","normalization":"","example":"macos","description":"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)."},{"field":"observer.os.version","type":"keyword","normalization":"","example":"10.14.1","description":"Operating system version as a raw string."},{"field":"observer.product","type":"keyword","normalization":"","example":"s200","description":"The product name of the observer."},{"field":"observer.serial_number","type":"keyword","normalization":"","example":"","description":"Observer serial number."},{"field":"observer.type","type":"keyword","normalization":"","example":"firewall","description":"The type of the observer the data is coming from."},{"field":"observer.vendor","type":"keyword","normalization":"","example":"Symantec","description":"Vendor name of the observer."},{"field":"observer.version","type":"keyword","normalization":"","example":"","description":"Observer version."},{"field":"orchestrator.api_version","type":"keyword","normalization":"","example":"v1beta1","description":"API version being used to carry out the action"},{"field":"orchestrator.cluster.id","type":"keyword","normalization":"","example":"","description":"Unique ID of the cluster."},{"field":"orchestrator.cluster.name","type":"keyword","normalization":"","example":"","description":"Name of the cluster."},{"field":"orchestrator.cluster.url","type":"keyword","normalization":"","example":"","description":"URL of the API used to manage the cluster."},{"field":"orchestrator.cluster.version","type":"keyword","normalization":"","example":"","description":"The version of the cluster."},{"field":"orchestrator.namespace","type":"keyword","normalization":"","example":"kube-system","description":"Namespace in which the action is taking place."},{"field":"orchestrator.organization","type":"keyword","normalization":"","example":"elastic","description":"Organization affected by the event (for multi-tenant orchestrator setups)."},{"field":"orchestrator.resource.id","type":"keyword","normalization":"","example":"","description":"Unique ID of the resource being acted upon."},{"field":"orchestrator.resource.ip","type":"ip","normalization":"array","example":"","description":"IP address assigned to the resource associated with the event being observed."},{"field":"orchestrator.resource.name","type":"keyword","normalization":"","example":"test-pod-cdcws","description":"Name of the resource being acted upon."},{"field":"orchestrator.resource.parent.type","type":"keyword","normalization":"","example":"DaemonSet","description":"Type or kind of the parent resource associated with the event being observed."},{"field":"orchestrator.resource.type","type":"keyword","normalization":"","example":"service","description":"Type of resource being acted upon."},{"field":"orchestrator.type","type":"keyword","normalization":"","example":"kubernetes","description":"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)."},{"field":"organization.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the organization."},{"field":"organization.name","type":"keyword","normalization":"","example":"","description":"Organization name."},{"field":"organization.name.text","type":"match_only_text","normalization":"","example":"","description":"Organization name."},{"field":"package.architecture","type":"keyword","normalization":"","example":"x86_64","description":"Package architecture."},{"field":"package.build_version","type":"keyword","normalization":"","example":"36f4f7e89dd61b0988b12ee000b98966867710cd","description":"Build version information"},{"field":"package.checksum","type":"keyword","normalization":"","example":"68b329da9893e34099c7d8ad5cb9c940","description":"Checksum of the installed package for verification."},{"field":"package.description","type":"keyword","normalization":"","example":"Open source programming language to build simple/reliable/efficient software.","description":"Description of the package."},{"field":"package.install_scope","type":"keyword","normalization":"","example":"global","description":"Indicating how the package was installed, e.g. user-local, global."},{"field":"package.installed","type":"date","normalization":"","example":"","description":"Time when package was installed."},{"field":"package.license","type":"keyword","normalization":"","example":"Apache License 2.0","description":"Package license"},{"field":"package.name","type":"keyword","normalization":"","example":"go","description":"Package name"},{"field":"package.path","type":"keyword","normalization":"","example":"/usr/local/Cellar/go/1.12.9/","description":"Path where the package is installed."},{"field":"package.reference","type":"keyword","normalization":"","example":"https://golang.org","description":"Package home page or reference URL"},{"field":"package.size","type":"long","normalization":"","example":62231,"description":"Package size in bytes."},{"field":"package.type","type":"keyword","normalization":"","example":"rpm","description":"Package type"},{"field":"package.version","type":"keyword","normalization":"","example":"1.12.9","description":"Package version"},{"field":"process.args","type":"keyword","normalization":"array","example":["/usr/bin/ssh","-l","user","10.0.0.16"],"description":"Array of process arguments."},{"field":"process.args_count","type":"long","normalization":"","example":4,"description":"Length of the process.args array."},{"field":"process.code_signature.digest_algorithm","type":"keyword","normalization":"","example":"sha256","description":"Hashing algorithm used to sign the process."},{"field":"process.code_signature.exists","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if a signature is present."},{"field":"process.code_signature.signing_id","type":"keyword","normalization":"","example":"com.apple.xpc.proxy","description":"The identifier used to sign the process."},{"field":"process.code_signature.status","type":"keyword","normalization":"","example":"ERROR_UNTRUSTED_ROOT","description":"Additional information about the certificate status."},{"field":"process.code_signature.subject_name","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Subject name of the code signer"},{"field":"process.code_signature.team_id","type":"keyword","normalization":"","example":"EQHXZ8M8AV","description":"The team identifier used to sign the process."},{"field":"process.code_signature.timestamp","type":"date","normalization":"","example":"2021-01-01T12:10:30Z","description":"When the signature was generated and signed."},{"field":"process.code_signature.trusted","type":"boolean","normalization":"","example":true,"description":"Stores the trust status of the certificate chain."},{"field":"process.code_signature.valid","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if the digital signature is verified against the binary content."},{"field":"process.command_line","type":"wildcard","normalization":"","example":"/usr/bin/ssh -l user 10.0.0.16","description":"Full command line that started the process."},{"field":"process.command_line.text","type":"match_only_text","normalization":"","example":"/usr/bin/ssh -l user 10.0.0.16","description":"Full command line that started the process."},{"field":"process.elf.architecture","type":"keyword","normalization":"","example":"x86-64","description":"Machine architecture of the ELF file."},{"field":"process.elf.byte_order","type":"keyword","normalization":"","example":"Little Endian","description":"Byte sequence of ELF file."},{"field":"process.elf.cpu_type","type":"keyword","normalization":"","example":"Intel","description":"CPU type of the ELF file."},{"field":"process.elf.creation_date","type":"date","normalization":"","example":"","description":"Build or compile date."},{"field":"process.elf.exports","type":"flattened","normalization":"array","example":"","description":"List of exported element names and types."},{"field":"process.elf.go_import_hash","type":"keyword","normalization":"","example":"10bddcb4cee42080f76c88d9ff964491","description":"A hash of the Go language imports in an ELF file."},{"field":"process.elf.go_imports","type":"flattened","normalization":"","example":"","description":"List of imported Go language element names and types."},{"field":"process.elf.go_imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of Go imports."},{"field":"process.elf.go_imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of Go imports."},{"field":"process.elf.go_stripped","type":"boolean","normalization":"","example":"","description":"Whether the file is a stripped or obfuscated Go executable."},{"field":"process.elf.header.abi_version","type":"keyword","normalization":"","example":"","description":"Version of the ELF Application Binary Interface (ABI)."},{"field":"process.elf.header.class","type":"keyword","normalization":"","example":"","description":"Header class of the ELF file."},{"field":"process.elf.header.data","type":"keyword","normalization":"","example":"","description":"Data table of the ELF header."},{"field":"process.elf.header.entrypoint","type":"long","normalization":"","example":"","description":"Header entrypoint of the ELF file."},{"field":"process.elf.header.object_version","type":"keyword","normalization":"","example":"","description":"0x1\\" for original ELF files."},{"field":"process.elf.header.os_abi","type":"keyword","normalization":"","example":"","description":"Application Binary Interface (ABI) of the Linux OS."},{"field":"process.elf.header.type","type":"keyword","normalization":"","example":"","description":"Header type of the ELF file."},{"field":"process.elf.header.version","type":"keyword","normalization":"","example":"","description":"Version of the ELF header."},{"field":"process.elf.import_hash","type":"keyword","normalization":"","example":"d41d8cd98f00b204e9800998ecf8427e","description":"A hash of the imports in an ELF file."},{"field":"process.elf.imports","type":"flattened","normalization":"array","example":"","description":"List of imported element names and types."},{"field":"process.elf.imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of imported element names and types."},{"field":"process.elf.imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of imported element names and types."},{"field":"process.elf.sections","type":"nested","normalization":"array","example":"","description":"Section information of the ELF file."},{"field":"process.elf.sections.chi2","type":"long","normalization":"","example":"","description":"Chi-square probability distribution of the section."},{"field":"process.elf.sections.entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the section."},{"field":"process.elf.sections.flags","type":"keyword","normalization":"","example":"","description":"ELF Section List flags."},{"field":"process.elf.sections.name","type":"keyword","normalization":"","example":"","description":"ELF Section List name."},{"field":"process.elf.sections.physical_offset","type":"keyword","normalization":"","example":"","description":"ELF Section List offset."},{"field":"process.elf.sections.physical_size","type":"long","normalization":"","example":"","description":"ELF Section List physical size."},{"field":"process.elf.sections.type","type":"keyword","normalization":"","example":"","description":"ELF Section List type."},{"field":"process.elf.sections.var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the section."},{"field":"process.elf.sections.virtual_address","type":"long","normalization":"","example":"","description":"ELF Section List virtual address."},{"field":"process.elf.sections.virtual_size","type":"long","normalization":"","example":"","description":"ELF Section List virtual size."},{"field":"process.elf.segments","type":"nested","normalization":"array","example":"","description":"ELF object segment list."},{"field":"process.elf.segments.sections","type":"keyword","normalization":"","example":"","description":"ELF object segment sections."},{"field":"process.elf.segments.type","type":"keyword","normalization":"","example":"","description":"ELF object segment type."},{"field":"process.elf.shared_libraries","type":"keyword","normalization":"array","example":"","description":"List of shared libraries used by this ELF object."},{"field":"process.elf.telfhash","type":"keyword","normalization":"","example":"","description":"telfhash hash for ELF file."},{"field":"process.end","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process ended."},{"field":"process.entity_id","type":"keyword","normalization":"","example":"c2c455d9f99375d","description":"Unique identifier for the process."},{"field":"process.entry_leader.args","type":"keyword","normalization":"array","example":["/usr/bin/ssh","-l","user","10.0.0.16"],"description":"Array of process arguments."},{"field":"process.entry_leader.args_count","type":"long","normalization":"","example":4,"description":"Length of the process.args array."},{"field":"process.entry_leader.attested_groups.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.entry_leader.attested_user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.entry_leader.attested_user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.entry_leader.attested_user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.entry_leader.command_line","type":"wildcard","normalization":"","example":"/usr/bin/ssh -l user 10.0.0.16","description":"Full command line that started the process."},{"field":"process.entry_leader.command_line.text","type":"match_only_text","normalization":"","example":"/usr/bin/ssh -l user 10.0.0.16","description":"Full command line that started the process."},{"field":"process.entry_leader.entity_id","type":"keyword","normalization":"","example":"c2c455d9f99375d","description":"Unique identifier for the process."},{"field":"process.entry_leader.entry_meta.source.ip","type":"ip","normalization":"","example":"","description":"IP address of the source."},{"field":"process.entry_leader.entry_meta.type","type":"keyword","normalization":"","example":"","description":"The entry type for the entry session leader."},{"field":"process.entry_leader.executable","type":"keyword","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process executable."},{"field":"process.entry_leader.executable.text","type":"match_only_text","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process executable."},{"field":"process.entry_leader.group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.entry_leader.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.entry_leader.interactive","type":"boolean","normalization":"","example":"True","description":"Whether the process is connected to an interactive shell."},{"field":"process.entry_leader.name","type":"keyword","normalization":"","example":"ssh","description":"Process name."},{"field":"process.entry_leader.name.text","type":"match_only_text","normalization":"","example":"ssh","description":"Process name."},{"field":"process.entry_leader.parent.entity_id","type":"keyword","normalization":"","example":"c2c455d9f99375d","description":"Unique identifier for the process."},{"field":"process.entry_leader.parent.pid","type":"long","normalization":"","example":4242,"description":"Process id."},{"field":"process.entry_leader.parent.session_leader.entity_id","type":"keyword","normalization":"","example":"c2c455d9f99375d","description":"Unique identifier for the process."},{"field":"process.entry_leader.parent.session_leader.pid","type":"long","normalization":"","example":4242,"description":"Process id."},{"field":"process.entry_leader.parent.session_leader.start","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process started."},{"field":"process.entry_leader.parent.start","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process started."},{"field":"process.entry_leader.pid","type":"long","normalization":"","example":4242,"description":"Process id."},{"field":"process.entry_leader.real_group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.entry_leader.real_group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.entry_leader.real_user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.entry_leader.real_user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.entry_leader.real_user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.entry_leader.same_as_process","type":"boolean","normalization":"","example":"True","description":"This boolean is used to identify if a leader process is the same as the top level process."},{"field":"process.entry_leader.saved_group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.entry_leader.saved_group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.entry_leader.saved_user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.entry_leader.saved_user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.entry_leader.saved_user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.entry_leader.start","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process started."},{"field":"process.entry_leader.supplemental_groups.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.entry_leader.supplemental_groups.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.entry_leader.tty","type":"object","normalization":"","example":"","description":"Information about the controlling TTY device."},{"field":"process.entry_leader.tty.char_device.major","type":"long","normalization":"","example":4,"description":"The TTY character device\'s major number."},{"field":"process.entry_leader.tty.char_device.minor","type":"long","normalization":"","example":1,"description":"The TTY character device\'s minor number."},{"field":"process.entry_leader.user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.entry_leader.user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.entry_leader.user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.entry_leader.working_directory","type":"keyword","normalization":"","example":"/home/alice","description":"The working directory of the process."},{"field":"process.entry_leader.working_directory.text","type":"match_only_text","normalization":"","example":"/home/alice","description":"The working directory of the process."},{"field":"process.env_vars","type":"keyword","normalization":"array","example":["PATH=/usr/local/bin:/usr/bin","USER=ubuntu"],"description":"Array of environment variable bindings."},{"field":"process.executable","type":"keyword","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process executable."},{"field":"process.executable.text","type":"match_only_text","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process executable."},{"field":"process.exit_code","type":"long","normalization":"","example":137,"description":"The exit code of the process."},{"field":"process.group_leader.args","type":"keyword","normalization":"array","example":["/usr/bin/ssh","-l","user","10.0.0.16"],"description":"Array of process arguments."},{"field":"process.group_leader.args_count","type":"long","normalization":"","example":4,"description":"Length of the process.args array."},{"field":"process.group_leader.command_line","type":"wildcard","normalization":"","example":"/usr/bin/ssh -l user 10.0.0.16","description":"Full command line that started the process."},{"field":"process.group_leader.command_line.text","type":"match_only_text","normalization":"","example":"/usr/bin/ssh -l user 10.0.0.16","description":"Full command line that started the process."},{"field":"process.group_leader.entity_id","type":"keyword","normalization":"","example":"c2c455d9f99375d","description":"Unique identifier for the process."},{"field":"process.group_leader.executable","type":"keyword","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process executable."},{"field":"process.group_leader.executable.text","type":"match_only_text","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process executable."},{"field":"process.group_leader.group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.group_leader.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.group_leader.interactive","type":"boolean","normalization":"","example":"True","description":"Whether the process is connected to an interactive shell."},{"field":"process.group_leader.name","type":"keyword","normalization":"","example":"ssh","description":"Process name."},{"field":"process.group_leader.name.text","type":"match_only_text","normalization":"","example":"ssh","description":"Process name."},{"field":"process.group_leader.pid","type":"long","normalization":"","example":4242,"description":"Process id."},{"field":"process.group_leader.real_group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.group_leader.real_group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.group_leader.real_user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.group_leader.real_user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.group_leader.real_user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.group_leader.same_as_process","type":"boolean","normalization":"","example":"True","description":"This boolean is used to identify if a leader process is the same as the top level process."},{"field":"process.group_leader.saved_group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.group_leader.saved_group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.group_leader.saved_user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.group_leader.saved_user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.group_leader.saved_user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.group_leader.start","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process started."},{"field":"process.group_leader.supplemental_groups.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.group_leader.supplemental_groups.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.group_leader.tty","type":"object","normalization":"","example":"","description":"Information about the controlling TTY device."},{"field":"process.group_leader.tty.char_device.major","type":"long","normalization":"","example":4,"description":"The TTY character device\'s major number."},{"field":"process.group_leader.tty.char_device.minor","type":"long","normalization":"","example":1,"description":"The TTY character device\'s minor number."},{"field":"process.group_leader.user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.group_leader.user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.group_leader.user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.group_leader.working_directory","type":"keyword","normalization":"","example":"/home/alice","description":"The working directory of the process."},{"field":"process.group_leader.working_directory.text","type":"match_only_text","normalization":"","example":"/home/alice","description":"The working directory of the process."},{"field":"process.hash.md5","type":"keyword","normalization":"","example":"","description":"MD5 hash."},{"field":"process.hash.sha1","type":"keyword","normalization":"","example":"","description":"SHA1 hash."},{"field":"process.hash.sha256","type":"keyword","normalization":"","example":"","description":"SHA256 hash."},{"field":"process.hash.sha384","type":"keyword","normalization":"","example":"","description":"SHA384 hash."},{"field":"process.hash.sha512","type":"keyword","normalization":"","example":"","description":"SHA512 hash."},{"field":"process.hash.ssdeep","type":"keyword","normalization":"","example":"","description":"SSDEEP hash."},{"field":"process.hash.tlsh","type":"keyword","normalization":"","example":"","description":"TLSH hash."},{"field":"process.interactive","type":"boolean","normalization":"","example":"True","description":"Whether the process is connected to an interactive shell."},{"field":"process.io","type":"object","normalization":"","example":"","description":"A chunk of input or output (IO) from a single process."},{"field":"process.io.bytes_skipped","type":"object","normalization":"array","example":"","description":"An array of byte offsets and lengths denoting where IO data has been skipped."},{"field":"process.io.bytes_skipped.length","type":"long","normalization":"","example":"","description":"The length of bytes skipped."},{"field":"process.io.bytes_skipped.offset","type":"long","normalization":"","example":"","description":"The byte offset into this event\'s io.text (or io.bytes in the future) where length bytes were skipped."},{"field":"process.io.max_bytes_per_process_exceeded","type":"boolean","normalization":"","example":"","description":"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting."},{"field":"process.io.text","type":"wildcard","normalization":"","example":"","description":"A chunk of output or input sanitized to UTF-8."},{"field":"process.io.total_bytes_captured","type":"long","normalization":"","example":"","description":"The total number of bytes captured in this event."},{"field":"process.io.total_bytes_skipped","type":"long","normalization":"","example":"","description":"The total number of bytes that were not captured due to implementation restrictions such as buffer size limits."},{"field":"process.io.type","type":"keyword","normalization":"","example":"","description":"The type of object on which the IO action (read or write) was taken."},{"field":"process.macho.go_import_hash","type":"keyword","normalization":"","example":"10bddcb4cee42080f76c88d9ff964491","description":"A hash of the Go language imports in a Mach-O file."},{"field":"process.macho.go_imports","type":"flattened","normalization":"","example":"","description":"List of imported Go language element names and types."},{"field":"process.macho.go_imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of Go imports."},{"field":"process.macho.go_imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of Go imports."},{"field":"process.macho.go_stripped","type":"boolean","normalization":"","example":"","description":"Whether the file is a stripped or obfuscated Go executable."},{"field":"process.macho.import_hash","type":"keyword","normalization":"","example":"d41d8cd98f00b204e9800998ecf8427e","description":"A hash of the imports in a Mach-O file."},{"field":"process.macho.imports","type":"flattened","normalization":"array","example":"","description":"List of imported element names and types."},{"field":"process.macho.imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of imported element names and types."},{"field":"process.macho.imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of imported element names and types."},{"field":"process.macho.sections","type":"nested","normalization":"array","example":"","description":"Section information of the Mach-O file."},{"field":"process.macho.sections.entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the section."},{"field":"process.macho.sections.name","type":"keyword","normalization":"","example":"","description":"Mach-O Section List name."},{"field":"process.macho.sections.physical_size","type":"long","normalization":"","example":"","description":"Mach-O Section List physical size."},{"field":"process.macho.sections.var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the section."},{"field":"process.macho.sections.virtual_size","type":"long","normalization":"","example":"","description":"Mach-O Section List virtual size. This is always the same as `physical_size`."},{"field":"process.macho.symhash","type":"keyword","normalization":"","example":"d3ccf195b62a9279c3c19af1080497ec","description":"A hash of the imports in a Mach-O file."},{"field":"process.name","type":"keyword","normalization":"","example":"ssh","description":"Process name."},{"field":"process.name.text","type":"match_only_text","normalization":"","example":"ssh","description":"Process name."},{"field":"process.parent.args","type":"keyword","normalization":"array","example":["/usr/bin/ssh","-l","user","10.0.0.16"],"description":"Array of process arguments."},{"field":"process.parent.args_count","type":"long","normalization":"","example":4,"description":"Length of the process.args array."},{"field":"process.parent.code_signature.digest_algorithm","type":"keyword","normalization":"","example":"sha256","description":"Hashing algorithm used to sign the process."},{"field":"process.parent.code_signature.exists","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if a signature is present."},{"field":"process.parent.code_signature.signing_id","type":"keyword","normalization":"","example":"com.apple.xpc.proxy","description":"The identifier used to sign the process."},{"field":"process.parent.code_signature.status","type":"keyword","normalization":"","example":"ERROR_UNTRUSTED_ROOT","description":"Additional information about the certificate status."},{"field":"process.parent.code_signature.subject_name","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Subject name of the code signer"},{"field":"process.parent.code_signature.team_id","type":"keyword","normalization":"","example":"EQHXZ8M8AV","description":"The team identifier used to sign the process."},{"field":"process.parent.code_signature.timestamp","type":"date","normalization":"","example":"2021-01-01T12:10:30Z","description":"When the signature was generated and signed."},{"field":"process.parent.code_signature.trusted","type":"boolean","normalization":"","example":true,"description":"Stores the trust status of the certificate chain."},{"field":"process.parent.code_signature.valid","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if the digital signature is verified against the binary content."},{"field":"process.parent.command_line","type":"wildcard","normalization":"","example":"/usr/bin/ssh -l user 10.0.0.16","description":"Full command line that started the process."},{"field":"process.parent.command_line.text","type":"match_only_text","normalization":"","example":"/usr/bin/ssh -l user 10.0.0.16","description":"Full command line that started the process."},{"field":"process.parent.elf.architecture","type":"keyword","normalization":"","example":"x86-64","description":"Machine architecture of the ELF file."},{"field":"process.parent.elf.byte_order","type":"keyword","normalization":"","example":"Little Endian","description":"Byte sequence of ELF file."},{"field":"process.parent.elf.cpu_type","type":"keyword","normalization":"","example":"Intel","description":"CPU type of the ELF file."},{"field":"process.parent.elf.creation_date","type":"date","normalization":"","example":"","description":"Build or compile date."},{"field":"process.parent.elf.exports","type":"flattened","normalization":"array","example":"","description":"List of exported element names and types."},{"field":"process.parent.elf.go_import_hash","type":"keyword","normalization":"","example":"10bddcb4cee42080f76c88d9ff964491","description":"A hash of the Go language imports in an ELF file."},{"field":"process.parent.elf.go_imports","type":"flattened","normalization":"","example":"","description":"List of imported Go language element names and types."},{"field":"process.parent.elf.go_imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of Go imports."},{"field":"process.parent.elf.go_imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of Go imports."},{"field":"process.parent.elf.go_stripped","type":"boolean","normalization":"","example":"","description":"Whether the file is a stripped or obfuscated Go executable."},{"field":"process.parent.elf.header.abi_version","type":"keyword","normalization":"","example":"","description":"Version of the ELF Application Binary Interface (ABI)."},{"field":"process.parent.elf.header.class","type":"keyword","normalization":"","example":"","description":"Header class of the ELF file."},{"field":"process.parent.elf.header.data","type":"keyword","normalization":"","example":"","description":"Data table of the ELF header."},{"field":"process.parent.elf.header.entrypoint","type":"long","normalization":"","example":"","description":"Header entrypoint of the ELF file."},{"field":"process.parent.elf.header.object_version","type":"keyword","normalization":"","example":"","description":"0x1\\" for original ELF files."},{"field":"process.parent.elf.header.os_abi","type":"keyword","normalization":"","example":"","description":"Application Binary Interface (ABI) of the Linux OS."},{"field":"process.parent.elf.header.type","type":"keyword","normalization":"","example":"","description":"Header type of the ELF file."},{"field":"process.parent.elf.header.version","type":"keyword","normalization":"","example":"","description":"Version of the ELF header."},{"field":"process.parent.elf.import_hash","type":"keyword","normalization":"","example":"d41d8cd98f00b204e9800998ecf8427e","description":"A hash of the imports in an ELF file."},{"field":"process.parent.elf.imports","type":"flattened","normalization":"array","example":"","description":"List of imported element names and types."},{"field":"process.parent.elf.imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of imported element names and types."},{"field":"process.parent.elf.imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of imported element names and types."},{"field":"process.parent.elf.sections","type":"nested","normalization":"array","example":"","description":"Section information of the ELF file."},{"field":"process.parent.elf.sections.chi2","type":"long","normalization":"","example":"","description":"Chi-square probability distribution of the section."},{"field":"process.parent.elf.sections.entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the section."},{"field":"process.parent.elf.sections.flags","type":"keyword","normalization":"","example":"","description":"ELF Section List flags."},{"field":"process.parent.elf.sections.name","type":"keyword","normalization":"","example":"","description":"ELF Section List name."},{"field":"process.parent.elf.sections.physical_offset","type":"keyword","normalization":"","example":"","description":"ELF Section List offset."},{"field":"process.parent.elf.sections.physical_size","type":"long","normalization":"","example":"","description":"ELF Section List physical size."},{"field":"process.parent.elf.sections.type","type":"keyword","normalization":"","example":"","description":"ELF Section List type."},{"field":"process.parent.elf.sections.var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the section."},{"field":"process.parent.elf.sections.virtual_address","type":"long","normalization":"","example":"","description":"ELF Section List virtual address."},{"field":"process.parent.elf.sections.virtual_size","type":"long","normalization":"","example":"","description":"ELF Section List virtual size."},{"field":"process.parent.elf.segments","type":"nested","normalization":"array","example":"","description":"ELF object segment list."},{"field":"process.parent.elf.segments.sections","type":"keyword","normalization":"","example":"","description":"ELF object segment sections."},{"field":"process.parent.elf.segments.type","type":"keyword","normalization":"","example":"","description":"ELF object segment type."},{"field":"process.parent.elf.shared_libraries","type":"keyword","normalization":"array","example":"","description":"List of shared libraries used by this ELF object."},{"field":"process.parent.elf.telfhash","type":"keyword","normalization":"","example":"","description":"telfhash hash for ELF file."},{"field":"process.parent.end","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process ended."},{"field":"process.parent.entity_id","type":"keyword","normalization":"","example":"c2c455d9f99375d","description":"Unique identifier for the process."},{"field":"process.parent.executable","type":"keyword","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process executable."},{"field":"process.parent.executable.text","type":"match_only_text","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process executable."},{"field":"process.parent.exit_code","type":"long","normalization":"","example":137,"description":"The exit code of the process."},{"field":"process.parent.group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.parent.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.parent.group_leader.entity_id","type":"keyword","normalization":"","example":"c2c455d9f99375d","description":"Unique identifier for the process."},{"field":"process.parent.group_leader.pid","type":"long","normalization":"","example":4242,"description":"Process id."},{"field":"process.parent.group_leader.start","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process started."},{"field":"process.parent.hash.md5","type":"keyword","normalization":"","example":"","description":"MD5 hash."},{"field":"process.parent.hash.sha1","type":"keyword","normalization":"","example":"","description":"SHA1 hash."},{"field":"process.parent.hash.sha256","type":"keyword","normalization":"","example":"","description":"SHA256 hash."},{"field":"process.parent.hash.sha384","type":"keyword","normalization":"","example":"","description":"SHA384 hash."},{"field":"process.parent.hash.sha512","type":"keyword","normalization":"","example":"","description":"SHA512 hash."},{"field":"process.parent.hash.ssdeep","type":"keyword","normalization":"","example":"","description":"SSDEEP hash."},{"field":"process.parent.hash.tlsh","type":"keyword","normalization":"","example":"","description":"TLSH hash."},{"field":"process.parent.interactive","type":"boolean","normalization":"","example":"True","description":"Whether the process is connected to an interactive shell."},{"field":"process.parent.macho.go_import_hash","type":"keyword","normalization":"","example":"10bddcb4cee42080f76c88d9ff964491","description":"A hash of the Go language imports in a Mach-O file."},{"field":"process.parent.macho.go_imports","type":"flattened","normalization":"","example":"","description":"List of imported Go language element names and types."},{"field":"process.parent.macho.go_imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of Go imports."},{"field":"process.parent.macho.go_imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of Go imports."},{"field":"process.parent.macho.go_stripped","type":"boolean","normalization":"","example":"","description":"Whether the file is a stripped or obfuscated Go executable."},{"field":"process.parent.macho.import_hash","type":"keyword","normalization":"","example":"d41d8cd98f00b204e9800998ecf8427e","description":"A hash of the imports in a Mach-O file."},{"field":"process.parent.macho.imports","type":"flattened","normalization":"array","example":"","description":"List of imported element names and types."},{"field":"process.parent.macho.imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of imported element names and types."},{"field":"process.parent.macho.imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of imported element names and types."},{"field":"process.parent.macho.sections","type":"nested","normalization":"array","example":"","description":"Section information of the Mach-O file."},{"field":"process.parent.macho.sections.entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the section."},{"field":"process.parent.macho.sections.name","type":"keyword","normalization":"","example":"","description":"Mach-O Section List name."},{"field":"process.parent.macho.sections.physical_size","type":"long","normalization":"","example":"","description":"Mach-O Section List physical size."},{"field":"process.parent.macho.sections.var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the section."},{"field":"process.parent.macho.sections.virtual_size","type":"long","normalization":"","example":"","description":"Mach-O Section List virtual size. This is always the same as `physical_size`."},{"field":"process.parent.macho.symhash","type":"keyword","normalization":"","example":"d3ccf195b62a9279c3c19af1080497ec","description":"A hash of the imports in a Mach-O file."},{"field":"process.parent.name","type":"keyword","normalization":"","example":"ssh","description":"Process name."},{"field":"process.parent.name.text","type":"match_only_text","normalization":"","example":"ssh","description":"Process name."},{"field":"process.parent.pe.architecture","type":"keyword","normalization":"","example":"x64","description":"CPU architecture target for the file."},{"field":"process.parent.pe.company","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Internal company name of the file, provided at compile-time."},{"field":"process.parent.pe.description","type":"keyword","normalization":"","example":"Paint","description":"Internal description of the file, provided at compile-time."},{"field":"process.parent.pe.file_version","type":"keyword","normalization":"","example":"6.3.9600.17415","description":"Process name."},{"field":"process.parent.pe.go_import_hash","type":"keyword","normalization":"","example":"10bddcb4cee42080f76c88d9ff964491","description":"A hash of the Go language imports in a PE file."},{"field":"process.parent.pe.go_imports","type":"flattened","normalization":"","example":"","description":"List of imported Go language element names and types."},{"field":"process.parent.pe.go_imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of Go imports."},{"field":"process.parent.pe.go_imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of Go imports."},{"field":"process.parent.pe.go_stripped","type":"boolean","normalization":"","example":"","description":"Whether the file is a stripped or obfuscated Go executable."},{"field":"process.parent.pe.imphash","type":"keyword","normalization":"","example":"0c6803c4e922103c4dca5963aad36ddf","description":"A hash of the imports in a PE file."},{"field":"process.parent.pe.import_hash","type":"keyword","normalization":"","example":"d41d8cd98f00b204e9800998ecf8427e","description":"A hash of the imports in a PE file."},{"field":"process.parent.pe.imports","type":"flattened","normalization":"array","example":"","description":"List of imported element names and types."},{"field":"process.parent.pe.imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of imported element names and types."},{"field":"process.parent.pe.imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of imported element names and types."},{"field":"process.parent.pe.original_file_name","type":"keyword","normalization":"","example":"MSPAINT.EXE","description":"Internal name of the file, provided at compile-time."},{"field":"process.parent.pe.pehash","type":"keyword","normalization":"","example":"73ff189b63cd6be375a7ff25179a38d347651975","description":"A hash of the PE header and data from one or more PE sections."},{"field":"process.parent.pe.product","type":"keyword","normalization":"","example":"Microsoft® Windows® Operating System","description":"Internal product name of the file, provided at compile-time."},{"field":"process.parent.pe.sections","type":"nested","normalization":"array","example":"","description":"Section information of the PE file."},{"field":"process.parent.pe.sections.entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the section."},{"field":"process.parent.pe.sections.name","type":"keyword","normalization":"","example":"","description":"PE Section List name."},{"field":"process.parent.pe.sections.physical_size","type":"long","normalization":"","example":"","description":"PE Section List physical size."},{"field":"process.parent.pe.sections.var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the section."},{"field":"process.parent.pe.sections.virtual_size","type":"long","normalization":"","example":"","description":"PE Section List virtual size. This is always the same as `physical_size`."},{"field":"process.parent.pgid","type":"long","normalization":"","example":"","description":"Deprecated identifier of the group of processes the process belongs to."},{"field":"process.parent.pid","type":"long","normalization":"","example":4242,"description":"Process id."},{"field":"process.parent.real_group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.parent.real_group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.parent.real_user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.parent.real_user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.parent.real_user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.parent.saved_group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.parent.saved_group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.parent.saved_user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.parent.saved_user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.parent.saved_user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.parent.start","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process started."},{"field":"process.parent.supplemental_groups.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.parent.supplemental_groups.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.parent.thread.id","type":"long","normalization":"","example":4242,"description":"Thread ID."},{"field":"process.parent.thread.name","type":"keyword","normalization":"","example":"thread-0","description":"Thread name."},{"field":"process.parent.title","type":"keyword","normalization":"","example":"","description":"Process title."},{"field":"process.parent.title.text","type":"match_only_text","normalization":"","example":"","description":"Process title."},{"field":"process.parent.tty","type":"object","normalization":"","example":"","description":"Information about the controlling TTY device."},{"field":"process.parent.tty.char_device.major","type":"long","normalization":"","example":4,"description":"The TTY character device\'s major number."},{"field":"process.parent.tty.char_device.minor","type":"long","normalization":"","example":1,"description":"The TTY character device\'s minor number."},{"field":"process.parent.uptime","type":"long","normalization":"","example":1325,"description":"Seconds the process has been up."},{"field":"process.parent.user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.parent.user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.parent.user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.parent.working_directory","type":"keyword","normalization":"","example":"/home/alice","description":"The working directory of the process."},{"field":"process.parent.working_directory.text","type":"match_only_text","normalization":"","example":"/home/alice","description":"The working directory of the process."},{"field":"process.pe.architecture","type":"keyword","normalization":"","example":"x64","description":"CPU architecture target for the file."},{"field":"process.pe.company","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Internal company name of the file, provided at compile-time."},{"field":"process.pe.description","type":"keyword","normalization":"","example":"Paint","description":"Internal description of the file, provided at compile-time."},{"field":"process.pe.file_version","type":"keyword","normalization":"","example":"6.3.9600.17415","description":"Process name."},{"field":"process.pe.go_import_hash","type":"keyword","normalization":"","example":"10bddcb4cee42080f76c88d9ff964491","description":"A hash of the Go language imports in a PE file."},{"field":"process.pe.go_imports","type":"flattened","normalization":"","example":"","description":"List of imported Go language element names and types."},{"field":"process.pe.go_imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of Go imports."},{"field":"process.pe.go_imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of Go imports."},{"field":"process.pe.go_stripped","type":"boolean","normalization":"","example":"","description":"Whether the file is a stripped or obfuscated Go executable."},{"field":"process.pe.imphash","type":"keyword","normalization":"","example":"0c6803c4e922103c4dca5963aad36ddf","description":"A hash of the imports in a PE file."},{"field":"process.pe.import_hash","type":"keyword","normalization":"","example":"d41d8cd98f00b204e9800998ecf8427e","description":"A hash of the imports in a PE file."},{"field":"process.pe.imports","type":"flattened","normalization":"array","example":"","description":"List of imported element names and types."},{"field":"process.pe.imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of imported element names and types."},{"field":"process.pe.imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of imported element names and types."},{"field":"process.pe.original_file_name","type":"keyword","normalization":"","example":"MSPAINT.EXE","description":"Internal name of the file, provided at compile-time."},{"field":"process.pe.pehash","type":"keyword","normalization":"","example":"73ff189b63cd6be375a7ff25179a38d347651975","description":"A hash of the PE header and data from one or more PE sections."},{"field":"process.pe.product","type":"keyword","normalization":"","example":"Microsoft® Windows® Operating System","description":"Internal product name of the file, provided at compile-time."},{"field":"process.pe.sections","type":"nested","normalization":"array","example":"","description":"Section information of the PE file."},{"field":"process.pe.sections.entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the section."},{"field":"process.pe.sections.name","type":"keyword","normalization":"","example":"","description":"PE Section List name."},{"field":"process.pe.sections.physical_size","type":"long","normalization":"","example":"","description":"PE Section List physical size."},{"field":"process.pe.sections.var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the section."},{"field":"process.pe.sections.virtual_size","type":"long","normalization":"","example":"","description":"PE Section List virtual size. This is always the same as `physical_size`."},{"field":"process.pgid","type":"long","normalization":"","example":"","description":"Deprecated identifier of the group of processes the process belongs to."},{"field":"process.pid","type":"long","normalization":"","example":4242,"description":"Process id."},{"field":"process.previous.args","type":"keyword","normalization":"array","example":["/usr/bin/ssh","-l","user","10.0.0.16"],"description":"Array of process arguments."},{"field":"process.previous.args_count","type":"long","normalization":"","example":4,"description":"Length of the process.args array."},{"field":"process.previous.executable","type":"keyword","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process executable."},{"field":"process.previous.executable.text","type":"match_only_text","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process executable."},{"field":"process.real_group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.real_group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.real_user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.real_user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.real_user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.saved_group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.saved_group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.saved_user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.saved_user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.saved_user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.session_leader.args","type":"keyword","normalization":"array","example":["/usr/bin/ssh","-l","user","10.0.0.16"],"description":"Array of process arguments."},{"field":"process.session_leader.args_count","type":"long","normalization":"","example":4,"description":"Length of the process.args array."},{"field":"process.session_leader.command_line","type":"wildcard","normalization":"","example":"/usr/bin/ssh -l user 10.0.0.16","description":"Full command line that started the process."},{"field":"process.session_leader.command_line.text","type":"match_only_text","normalization":"","example":"/usr/bin/ssh -l user 10.0.0.16","description":"Full command line that started the process."},{"field":"process.session_leader.entity_id","type":"keyword","normalization":"","example":"c2c455d9f99375d","description":"Unique identifier for the process."},{"field":"process.session_leader.executable","type":"keyword","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process executable."},{"field":"process.session_leader.executable.text","type":"match_only_text","normalization":"","example":"/usr/bin/ssh","description":"Absolute path to the process executable."},{"field":"process.session_leader.group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.session_leader.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.session_leader.interactive","type":"boolean","normalization":"","example":"True","description":"Whether the process is connected to an interactive shell."},{"field":"process.session_leader.name","type":"keyword","normalization":"","example":"ssh","description":"Process name."},{"field":"process.session_leader.name.text","type":"match_only_text","normalization":"","example":"ssh","description":"Process name."},{"field":"process.session_leader.parent.entity_id","type":"keyword","normalization":"","example":"c2c455d9f99375d","description":"Unique identifier for the process."},{"field":"process.session_leader.parent.pid","type":"long","normalization":"","example":4242,"description":"Process id."},{"field":"process.session_leader.parent.session_leader.entity_id","type":"keyword","normalization":"","example":"c2c455d9f99375d","description":"Unique identifier for the process."},{"field":"process.session_leader.parent.session_leader.pid","type":"long","normalization":"","example":4242,"description":"Process id."},{"field":"process.session_leader.parent.session_leader.start","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process started."},{"field":"process.session_leader.parent.start","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process started."},{"field":"process.session_leader.pid","type":"long","normalization":"","example":4242,"description":"Process id."},{"field":"process.session_leader.real_group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.session_leader.real_group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.session_leader.real_user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.session_leader.real_user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.session_leader.real_user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.session_leader.same_as_process","type":"boolean","normalization":"","example":"True","description":"This boolean is used to identify if a leader process is the same as the top level process."},{"field":"process.session_leader.saved_group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.session_leader.saved_group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.session_leader.saved_user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.session_leader.saved_user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.session_leader.saved_user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.session_leader.start","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process started."},{"field":"process.session_leader.supplemental_groups.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.session_leader.supplemental_groups.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.session_leader.tty","type":"object","normalization":"","example":"","description":"Information about the controlling TTY device."},{"field":"process.session_leader.tty.char_device.major","type":"long","normalization":"","example":4,"description":"The TTY character device\'s major number."},{"field":"process.session_leader.tty.char_device.minor","type":"long","normalization":"","example":1,"description":"The TTY character device\'s minor number."},{"field":"process.session_leader.user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.session_leader.user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.session_leader.user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.session_leader.working_directory","type":"keyword","normalization":"","example":"/home/alice","description":"The working directory of the process."},{"field":"process.session_leader.working_directory.text","type":"match_only_text","normalization":"","example":"/home/alice","description":"The working directory of the process."},{"field":"process.start","type":"date","normalization":"","example":"2016-05-23T08:05:34.853Z","description":"The time the process started."},{"field":"process.supplemental_groups.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"process.supplemental_groups.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"process.thread.id","type":"long","normalization":"","example":4242,"description":"Thread ID."},{"field":"process.thread.name","type":"keyword","normalization":"","example":"thread-0","description":"Thread name."},{"field":"process.title","type":"keyword","normalization":"","example":"","description":"Process title."},{"field":"process.title.text","type":"match_only_text","normalization":"","example":"","description":"Process title."},{"field":"process.tty","type":"object","normalization":"","example":"","description":"Information about the controlling TTY device."},{"field":"process.tty.char_device.major","type":"long","normalization":"","example":4,"description":"The TTY character device\'s major number."},{"field":"process.tty.char_device.minor","type":"long","normalization":"","example":1,"description":"The TTY character device\'s minor number."},{"field":"process.tty.columns","type":"long","normalization":"","example":80,"description":"The number of character columns per line. e.g terminal width"},{"field":"process.tty.rows","type":"long","normalization":"","example":24,"description":"The number of character rows in the terminal. e.g terminal height"},{"field":"process.uptime","type":"long","normalization":"","example":1325,"description":"Seconds the process has been up."},{"field":"process.user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"process.user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"process.working_directory","type":"keyword","normalization":"","example":"/home/alice","description":"The working directory of the process."},{"field":"process.working_directory.text","type":"match_only_text","normalization":"","example":"/home/alice","description":"The working directory of the process."},{"field":"registry.data.bytes","type":"keyword","normalization":"","example":"ZQBuAC0AVQBTAAAAZQBuAAAAAAA=","description":"Original bytes written with base64 encoding."},{"field":"registry.data.strings","type":"wildcard","normalization":"array","example":"[\\"C:\\\\rta\\\\red_ttp\\\\bin\\\\myapp.exe\\"]","description":"List of strings representing what was written to the registry."},{"field":"registry.data.type","type":"keyword","normalization":"","example":"REG_SZ","description":"Standard registry type for encoding contents"},{"field":"registry.hive","type":"keyword","normalization":"","example":"HKLM","description":"Abbreviated name for the hive."},{"field":"registry.key","type":"keyword","normalization":"","example":"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\winword.exe","description":"Hive-relative path of keys."},{"field":"registry.path","type":"keyword","normalization":"","example":"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\winword.exe\\\\Debugger","description":"Full path, including hive, key and value"},{"field":"registry.value","type":"keyword","normalization":"","example":"Debugger","description":"Name of the value written."},{"field":"related.hash","type":"keyword","normalization":"array","example":"","description":"All the hashes seen on your event."},{"field":"related.hosts","type":"keyword","normalization":"array","example":"","description":"All the host identifiers seen on your event."},{"field":"related.ip","type":"ip","normalization":"array","example":"","description":"All of the IPs seen on your event."},{"field":"related.user","type":"keyword","normalization":"array","example":"","description":"All the user names or other user identifiers seen on the event."},{"field":"rule.author","type":"keyword","normalization":"array","example":["Star-Lord"],"description":"Rule author"},{"field":"rule.category","type":"keyword","normalization":"","example":"Attempted Information Leak","description":"Rule category"},{"field":"rule.description","type":"keyword","normalization":"","example":"Block requests to public DNS over HTTPS / TLS protocols","description":"Rule description"},{"field":"rule.id","type":"keyword","normalization":"","example":101,"description":"Rule ID"},{"field":"rule.license","type":"keyword","normalization":"","example":"Apache 2.0","description":"Rule license"},{"field":"rule.name","type":"keyword","normalization":"","example":"BLOCK_DNS_over_TLS","description":"Rule name"},{"field":"rule.reference","type":"keyword","normalization":"","example":"https://en.wikipedia.org/wiki/DNS_over_TLS","description":"Rule reference URL"},{"field":"rule.ruleset","type":"keyword","normalization":"","example":"Standard_Protocol_Filters","description":"Rule ruleset"},{"field":"rule.uuid","type":"keyword","normalization":"","example":1100110011,"description":"Rule UUID"},{"field":"rule.version","type":"keyword","normalization":"","example":1.1,"description":"Rule version"},{"field":"server.address","type":"keyword","normalization":"","example":"","description":"Server network address."},{"field":"server.as.number","type":"long","normalization":"","example":15169,"description":"Unique number allocated to the autonomous system."},{"field":"server.as.organization.name","type":"keyword","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"server.as.organization.name.text","type":"match_only_text","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"server.bytes","type":"long","normalization":"","example":184,"description":"Bytes sent from the server to the client."},{"field":"server.domain","type":"keyword","normalization":"","example":"foo.example.com","description":"The domain name of the server."},{"field":"server.geo.city_name","type":"keyword","normalization":"","example":"Montreal","description":"City name."},{"field":"server.geo.continent_code","type":"keyword","normalization":"","example":"NA","description":"Continent code."},{"field":"server.geo.continent_name","type":"keyword","normalization":"","example":"North America","description":"Name of the continent."},{"field":"server.geo.country_iso_code","type":"keyword","normalization":"","example":"CA","description":"Country ISO code."},{"field":"server.geo.country_name","type":"keyword","normalization":"","example":"Canada","description":"Country name."},{"field":"server.geo.location","type":"geo_point","normalization":"","example":{"lon":-73.61483,"lat":45.505918},"description":"Longitude and latitude."},{"field":"server.geo.name","type":"keyword","normalization":"","example":"boston-dc","description":"User-defined description of a location."},{"field":"server.geo.postal_code","type":"keyword","normalization":"","example":94040,"description":"Postal code."},{"field":"server.geo.region_iso_code","type":"keyword","normalization":"","example":"CA-QC","description":"Region ISO code."},{"field":"server.geo.region_name","type":"keyword","normalization":"","example":"Quebec","description":"Region name."},{"field":"server.geo.timezone","type":"keyword","normalization":"","example":"America/Argentina/Buenos_Aires","description":"Time zone."},{"field":"server.ip","type":"ip","normalization":"","example":"","description":"IP address of the server."},{"field":"server.mac","type":"keyword","normalization":"","example":"00-00-5E-00-53-23","description":"MAC address of the server."},{"field":"server.nat.ip","type":"ip","normalization":"","example":"","description":"Server NAT ip"},{"field":"server.nat.port","type":"long","normalization":"","example":"","description":"Server NAT port"},{"field":"server.packets","type":"long","normalization":"","example":12,"description":"Packets sent from the server to the client."},{"field":"server.port","type":"long","normalization":"","example":"","description":"Port of the server."},{"field":"server.registered_domain","type":"keyword","normalization":"","example":"example.com","description":"The highest registered server domain, stripped of the subdomain."},{"field":"server.subdomain","type":"keyword","normalization":"","example":"east","description":"The subdomain of the domain."},{"field":"server.top_level_domain","type":"keyword","normalization":"","example":"co.uk","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"server.user.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the user is a member of."},{"field":"server.user.email","type":"keyword","normalization":"","example":"","description":"User email address."},{"field":"server.user.full_name","type":"keyword","normalization":"","example":"Albert Einstein","description":"User\'s full name, if available."},{"field":"server.user.full_name.text","type":"match_only_text","normalization":"","example":"Albert Einstein","description":"User\'s full name, if available."},{"field":"server.user.group.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the group is a member of."},{"field":"server.user.group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"server.user.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"server.user.hash","type":"keyword","normalization":"","example":"","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"server.user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"server.user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"server.user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"server.user.roles","type":"keyword","normalization":"array","example":["kibana_admin","reporting_user"],"description":"Array of user roles at the time of the event."},{"field":"service.address","type":"keyword","normalization":"","example":"172.26.0.2:5432","description":"Address of this service."},{"field":"service.environment","type":"keyword","normalization":"","example":"production","description":"Environment of the service."},{"field":"service.ephemeral_id","type":"keyword","normalization":"","example":"8a4f500f","description":"Ephemeral identifier of this service."},{"field":"service.id","type":"keyword","normalization":"","example":"d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6","description":"Unique identifier of the running service."},{"field":"service.name","type":"keyword","normalization":"","example":"elasticsearch-metrics","description":"Name of the service."},{"field":"service.node.name","type":"keyword","normalization":"","example":"instance-0000000016","description":"Name of the service node."},{"field":"service.node.role","type":"keyword","normalization":"","example":"background_tasks","description":"Deprecated role (singular) of the service node."},{"field":"service.node.roles","type":"keyword","normalization":"array","example":["ui","background_tasks"],"description":"Roles of the service node."},{"field":"service.origin.address","type":"keyword","normalization":"","example":"172.26.0.2:5432","description":"Address of this service."},{"field":"service.origin.environment","type":"keyword","normalization":"","example":"production","description":"Environment of the service."},{"field":"service.origin.ephemeral_id","type":"keyword","normalization":"","example":"8a4f500f","description":"Ephemeral identifier of this service."},{"field":"service.origin.id","type":"keyword","normalization":"","example":"d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6","description":"Unique identifier of the running service."},{"field":"service.origin.name","type":"keyword","normalization":"","example":"elasticsearch-metrics","description":"Name of the service."},{"field":"service.origin.node.name","type":"keyword","normalization":"","example":"instance-0000000016","description":"Name of the service node."},{"field":"service.origin.node.role","type":"keyword","normalization":"","example":"background_tasks","description":"Deprecated role (singular) of the service node."},{"field":"service.origin.node.roles","type":"keyword","normalization":"array","example":["ui","background_tasks"],"description":"Roles of the service node."},{"field":"service.origin.state","type":"keyword","normalization":"","example":"","description":"Current state of the service."},{"field":"service.origin.type","type":"keyword","normalization":"","example":"elasticsearch","description":"The type of the service."},{"field":"service.origin.version","type":"keyword","normalization":"","example":"3.2.4","description":"Version of the service."},{"field":"service.state","type":"keyword","normalization":"","example":"","description":"Current state of the service."},{"field":"service.target.address","type":"keyword","normalization":"","example":"172.26.0.2:5432","description":"Address of this service."},{"field":"service.target.environment","type":"keyword","normalization":"","example":"production","description":"Environment of the service."},{"field":"service.target.ephemeral_id","type":"keyword","normalization":"","example":"8a4f500f","description":"Ephemeral identifier of this service."},{"field":"service.target.id","type":"keyword","normalization":"","example":"d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6","description":"Unique identifier of the running service."},{"field":"service.target.name","type":"keyword","normalization":"","example":"elasticsearch-metrics","description":"Name of the service."},{"field":"service.target.node.name","type":"keyword","normalization":"","example":"instance-0000000016","description":"Name of the service node."},{"field":"service.target.node.role","type":"keyword","normalization":"","example":"background_tasks","description":"Deprecated role (singular) of the service node."},{"field":"service.target.node.roles","type":"keyword","normalization":"array","example":["ui","background_tasks"],"description":"Roles of the service node."},{"field":"service.target.state","type":"keyword","normalization":"","example":"","description":"Current state of the service."},{"field":"service.target.type","type":"keyword","normalization":"","example":"elasticsearch","description":"The type of the service."},{"field":"service.target.version","type":"keyword","normalization":"","example":"3.2.4","description":"Version of the service."},{"field":"service.type","type":"keyword","normalization":"","example":"elasticsearch","description":"The type of the service."},{"field":"service.version","type":"keyword","normalization":"","example":"3.2.4","description":"Version of the service."},{"field":"source.address","type":"keyword","normalization":"","example":"","description":"Source network address."},{"field":"source.as.number","type":"long","normalization":"","example":15169,"description":"Unique number allocated to the autonomous system."},{"field":"source.as.organization.name","type":"keyword","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"source.as.organization.name.text","type":"match_only_text","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"source.bytes","type":"long","normalization":"","example":184,"description":"Bytes sent from the source to the destination."},{"field":"source.domain","type":"keyword","normalization":"","example":"foo.example.com","description":"The domain name of the source."},{"field":"source.geo.city_name","type":"keyword","normalization":"","example":"Montreal","description":"City name."},{"field":"source.geo.continent_code","type":"keyword","normalization":"","example":"NA","description":"Continent code."},{"field":"source.geo.continent_name","type":"keyword","normalization":"","example":"North America","description":"Name of the continent."},{"field":"source.geo.country_iso_code","type":"keyword","normalization":"","example":"CA","description":"Country ISO code."},{"field":"source.geo.country_name","type":"keyword","normalization":"","example":"Canada","description":"Country name."},{"field":"source.geo.location","type":"geo_point","normalization":"","example":{"lon":-73.61483,"lat":45.505918},"description":"Longitude and latitude."},{"field":"source.geo.name","type":"keyword","normalization":"","example":"boston-dc","description":"User-defined description of a location."},{"field":"source.geo.postal_code","type":"keyword","normalization":"","example":94040,"description":"Postal code."},{"field":"source.geo.region_iso_code","type":"keyword","normalization":"","example":"CA-QC","description":"Region ISO code."},{"field":"source.geo.region_name","type":"keyword","normalization":"","example":"Quebec","description":"Region name."},{"field":"source.geo.timezone","type":"keyword","normalization":"","example":"America/Argentina/Buenos_Aires","description":"Time zone."},{"field":"source.ip","type":"ip","normalization":"","example":"","description":"IP address of the source."},{"field":"source.mac","type":"keyword","normalization":"","example":"00-00-5E-00-53-23","description":"MAC address of the source."},{"field":"source.nat.ip","type":"ip","normalization":"","example":"","description":"Source NAT ip"},{"field":"source.nat.port","type":"long","normalization":"","example":"","description":"Source NAT port"},{"field":"source.packets","type":"long","normalization":"","example":12,"description":"Packets sent from the source to the destination."},{"field":"source.port","type":"long","normalization":"","example":"","description":"Port of the source."},{"field":"source.registered_domain","type":"keyword","normalization":"","example":"example.com","description":"The highest registered source domain, stripped of the subdomain."},{"field":"source.subdomain","type":"keyword","normalization":"","example":"east","description":"The subdomain of the domain."},{"field":"source.top_level_domain","type":"keyword","normalization":"","example":"co.uk","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"source.user.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the user is a member of."},{"field":"source.user.email","type":"keyword","normalization":"","example":"","description":"User email address."},{"field":"source.user.full_name","type":"keyword","normalization":"","example":"Albert Einstein","description":"User\'s full name, if available."},{"field":"source.user.full_name.text","type":"match_only_text","normalization":"","example":"Albert Einstein","description":"User\'s full name, if available."},{"field":"source.user.group.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the group is a member of."},{"field":"source.user.group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"source.user.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"source.user.hash","type":"keyword","normalization":"","example":"","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"source.user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"source.user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"source.user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"source.user.roles","type":"keyword","normalization":"array","example":["kibana_admin","reporting_user"],"description":"Array of user roles at the time of the event."},{"field":"span.id","type":"keyword","normalization":"","example":"3ff9a8981b7ccd5a","description":"Unique identifier of the span within the scope of its trace."},{"field":"threat.enrichments","type":"nested","normalization":"array","example":"","description":"List of objects containing indicators enriching the event."},{"field":"threat.enrichments.indicator","type":"object","normalization":"","example":"","description":"Object containing indicators enriching the event."},{"field":"threat.enrichments.indicator.as.number","type":"long","normalization":"","example":15169,"description":"Unique number allocated to the autonomous system."},{"field":"threat.enrichments.indicator.as.organization.name","type":"keyword","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"threat.enrichments.indicator.as.organization.name.text","type":"match_only_text","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"threat.enrichments.indicator.confidence","type":"keyword","normalization":"","example":"Medium","description":"Indicator confidence rating"},{"field":"threat.enrichments.indicator.description","type":"keyword","normalization":"","example":"IP x.x.x.x was observed delivering the Angler EK.","description":"Indicator description"},{"field":"threat.enrichments.indicator.email.address","type":"keyword","normalization":"","example":"phish@example.com","description":"Indicator email address"},{"field":"threat.enrichments.indicator.file.accessed","type":"date","normalization":"","example":"","description":"Last time the file was accessed."},{"field":"threat.enrichments.indicator.file.attributes","type":"keyword","normalization":"array","example":["readonly","system"],"description":"Array of file attributes."},{"field":"threat.enrichments.indicator.file.code_signature.digest_algorithm","type":"keyword","normalization":"","example":"sha256","description":"Hashing algorithm used to sign the process."},{"field":"threat.enrichments.indicator.file.code_signature.exists","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if a signature is present."},{"field":"threat.enrichments.indicator.file.code_signature.signing_id","type":"keyword","normalization":"","example":"com.apple.xpc.proxy","description":"The identifier used to sign the process."},{"field":"threat.enrichments.indicator.file.code_signature.status","type":"keyword","normalization":"","example":"ERROR_UNTRUSTED_ROOT","description":"Additional information about the certificate status."},{"field":"threat.enrichments.indicator.file.code_signature.subject_name","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Subject name of the code signer"},{"field":"threat.enrichments.indicator.file.code_signature.team_id","type":"keyword","normalization":"","example":"EQHXZ8M8AV","description":"The team identifier used to sign the process."},{"field":"threat.enrichments.indicator.file.code_signature.timestamp","type":"date","normalization":"","example":"2021-01-01T12:10:30Z","description":"When the signature was generated and signed."},{"field":"threat.enrichments.indicator.file.code_signature.trusted","type":"boolean","normalization":"","example":true,"description":"Stores the trust status of the certificate chain."},{"field":"threat.enrichments.indicator.file.code_signature.valid","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if the digital signature is verified against the binary content."},{"field":"threat.enrichments.indicator.file.created","type":"date","normalization":"","example":"","description":"File creation time."},{"field":"threat.enrichments.indicator.file.ctime","type":"date","normalization":"","example":"","description":"Last time the file attributes or metadata changed."},{"field":"threat.enrichments.indicator.file.device","type":"keyword","normalization":"","example":"sda","description":"Device that is the source of the file."},{"field":"threat.enrichments.indicator.file.directory","type":"keyword","normalization":"","example":"/home/alice","description":"Directory where the file is located."},{"field":"threat.enrichments.indicator.file.drive_letter","type":"keyword","normalization":"","example":"C","description":"Drive letter where the file is located."},{"field":"threat.enrichments.indicator.file.elf.architecture","type":"keyword","normalization":"","example":"x86-64","description":"Machine architecture of the ELF file."},{"field":"threat.enrichments.indicator.file.elf.byte_order","type":"keyword","normalization":"","example":"Little Endian","description":"Byte sequence of ELF file."},{"field":"threat.enrichments.indicator.file.elf.cpu_type","type":"keyword","normalization":"","example":"Intel","description":"CPU type of the ELF file."},{"field":"threat.enrichments.indicator.file.elf.creation_date","type":"date","normalization":"","example":"","description":"Build or compile date."},{"field":"threat.enrichments.indicator.file.elf.exports","type":"flattened","normalization":"array","example":"","description":"List of exported element names and types."},{"field":"threat.enrichments.indicator.file.elf.go_import_hash","type":"keyword","normalization":"","example":"10bddcb4cee42080f76c88d9ff964491","description":"A hash of the Go language imports in an ELF file."},{"field":"threat.enrichments.indicator.file.elf.go_imports","type":"flattened","normalization":"","example":"","description":"List of imported Go language element names and types."},{"field":"threat.enrichments.indicator.file.elf.go_imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of Go imports."},{"field":"threat.enrichments.indicator.file.elf.go_imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of Go imports."},{"field":"threat.enrichments.indicator.file.elf.go_stripped","type":"boolean","normalization":"","example":"","description":"Whether the file is a stripped or obfuscated Go executable."},{"field":"threat.enrichments.indicator.file.elf.header.abi_version","type":"keyword","normalization":"","example":"","description":"Version of the ELF Application Binary Interface (ABI)."},{"field":"threat.enrichments.indicator.file.elf.header.class","type":"keyword","normalization":"","example":"","description":"Header class of the ELF file."},{"field":"threat.enrichments.indicator.file.elf.header.data","type":"keyword","normalization":"","example":"","description":"Data table of the ELF header."},{"field":"threat.enrichments.indicator.file.elf.header.entrypoint","type":"long","normalization":"","example":"","description":"Header entrypoint of the ELF file."},{"field":"threat.enrichments.indicator.file.elf.header.object_version","type":"keyword","normalization":"","example":"","description":"0x1\\" for original ELF files."},{"field":"threat.enrichments.indicator.file.elf.header.os_abi","type":"keyword","normalization":"","example":"","description":"Application Binary Interface (ABI) of the Linux OS."},{"field":"threat.enrichments.indicator.file.elf.header.type","type":"keyword","normalization":"","example":"","description":"Header type of the ELF file."},{"field":"threat.enrichments.indicator.file.elf.header.version","type":"keyword","normalization":"","example":"","description":"Version of the ELF header."},{"field":"threat.enrichments.indicator.file.elf.import_hash","type":"keyword","normalization":"","example":"d41d8cd98f00b204e9800998ecf8427e","description":"A hash of the imports in an ELF file."},{"field":"threat.enrichments.indicator.file.elf.imports","type":"flattened","normalization":"array","example":"","description":"List of imported element names and types."},{"field":"threat.enrichments.indicator.file.elf.imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of imported element names and types."},{"field":"threat.enrichments.indicator.file.elf.imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of imported element names and types."},{"field":"threat.enrichments.indicator.file.elf.sections","type":"nested","normalization":"array","example":"","description":"Section information of the ELF file."},{"field":"threat.enrichments.indicator.file.elf.sections.chi2","type":"long","normalization":"","example":"","description":"Chi-square probability distribution of the section."},{"field":"threat.enrichments.indicator.file.elf.sections.entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the section."},{"field":"threat.enrichments.indicator.file.elf.sections.flags","type":"keyword","normalization":"","example":"","description":"ELF Section List flags."},{"field":"threat.enrichments.indicator.file.elf.sections.name","type":"keyword","normalization":"","example":"","description":"ELF Section List name."},{"field":"threat.enrichments.indicator.file.elf.sections.physical_offset","type":"keyword","normalization":"","example":"","description":"ELF Section List offset."},{"field":"threat.enrichments.indicator.file.elf.sections.physical_size","type":"long","normalization":"","example":"","description":"ELF Section List physical size."},{"field":"threat.enrichments.indicator.file.elf.sections.type","type":"keyword","normalization":"","example":"","description":"ELF Section List type."},{"field":"threat.enrichments.indicator.file.elf.sections.var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the section."},{"field":"threat.enrichments.indicator.file.elf.sections.virtual_address","type":"long","normalization":"","example":"","description":"ELF Section List virtual address."},{"field":"threat.enrichments.indicator.file.elf.sections.virtual_size","type":"long","normalization":"","example":"","description":"ELF Section List virtual size."},{"field":"threat.enrichments.indicator.file.elf.segments","type":"nested","normalization":"array","example":"","description":"ELF object segment list."},{"field":"threat.enrichments.indicator.file.elf.segments.sections","type":"keyword","normalization":"","example":"","description":"ELF object segment sections."},{"field":"threat.enrichments.indicator.file.elf.segments.type","type":"keyword","normalization":"","example":"","description":"ELF object segment type."},{"field":"threat.enrichments.indicator.file.elf.shared_libraries","type":"keyword","normalization":"array","example":"","description":"List of shared libraries used by this ELF object."},{"field":"threat.enrichments.indicator.file.elf.telfhash","type":"keyword","normalization":"","example":"","description":"telfhash hash for ELF file."},{"field":"threat.enrichments.indicator.file.extension","type":"keyword","normalization":"","example":"png","description":"File extension, excluding the leading dot."},{"field":"threat.enrichments.indicator.file.fork_name","type":"keyword","normalization":"","example":"Zone.Identifer","description":"A fork is additional data associated with a filesystem object."},{"field":"threat.enrichments.indicator.file.gid","type":"keyword","normalization":"","example":1001,"description":"Primary group ID (GID) of the file."},{"field":"threat.enrichments.indicator.file.group","type":"keyword","normalization":"","example":"alice","description":"Primary group name of the file."},{"field":"threat.enrichments.indicator.file.hash.md5","type":"keyword","normalization":"","example":"","description":"MD5 hash."},{"field":"threat.enrichments.indicator.file.hash.sha1","type":"keyword","normalization":"","example":"","description":"SHA1 hash."},{"field":"threat.enrichments.indicator.file.hash.sha256","type":"keyword","normalization":"","example":"","description":"SHA256 hash."},{"field":"threat.enrichments.indicator.file.hash.sha384","type":"keyword","normalization":"","example":"","description":"SHA384 hash."},{"field":"threat.enrichments.indicator.file.hash.sha512","type":"keyword","normalization":"","example":"","description":"SHA512 hash."},{"field":"threat.enrichments.indicator.file.hash.ssdeep","type":"keyword","normalization":"","example":"","description":"SSDEEP hash."},{"field":"threat.enrichments.indicator.file.hash.tlsh","type":"keyword","normalization":"","example":"","description":"TLSH hash."},{"field":"threat.enrichments.indicator.file.inode","type":"keyword","normalization":"","example":256383,"description":"Inode representing the file in the filesystem."},{"field":"threat.enrichments.indicator.file.mime_type","type":"keyword","normalization":"","example":"","description":"Media type of file, document, or arrangement of bytes."},{"field":"threat.enrichments.indicator.file.mode","type":"keyword","normalization":"","example":"0640","description":"Mode of the file in octal representation."},{"field":"threat.enrichments.indicator.file.mtime","type":"date","normalization":"","example":"","description":"Last time the file content was modified."},{"field":"threat.enrichments.indicator.file.name","type":"keyword","normalization":"","example":"example.png","description":"Name of the file including the extension, without the directory."},{"field":"threat.enrichments.indicator.file.owner","type":"keyword","normalization":"","example":"alice","description":"File owner\'s username."},{"field":"threat.enrichments.indicator.file.path","type":"keyword","normalization":"","example":"/home/alice/example.png","description":"Full path to the file, including the file name."},{"field":"threat.enrichments.indicator.file.path.text","type":"match_only_text","normalization":"","example":"/home/alice/example.png","description":"Full path to the file, including the file name."},{"field":"threat.enrichments.indicator.file.pe.architecture","type":"keyword","normalization":"","example":"x64","description":"CPU architecture target for the file."},{"field":"threat.enrichments.indicator.file.pe.company","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Internal company name of the file, provided at compile-time."},{"field":"threat.enrichments.indicator.file.pe.description","type":"keyword","normalization":"","example":"Paint","description":"Internal description of the file, provided at compile-time."},{"field":"threat.enrichments.indicator.file.pe.file_version","type":"keyword","normalization":"","example":"6.3.9600.17415","description":"Process name."},{"field":"threat.enrichments.indicator.file.pe.go_import_hash","type":"keyword","normalization":"","example":"10bddcb4cee42080f76c88d9ff964491","description":"A hash of the Go language imports in a PE file."},{"field":"threat.enrichments.indicator.file.pe.go_imports","type":"flattened","normalization":"","example":"","description":"List of imported Go language element names and types."},{"field":"threat.enrichments.indicator.file.pe.go_imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of Go imports."},{"field":"threat.enrichments.indicator.file.pe.go_imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of Go imports."},{"field":"threat.enrichments.indicator.file.pe.go_stripped","type":"boolean","normalization":"","example":"","description":"Whether the file is a stripped or obfuscated Go executable."},{"field":"threat.enrichments.indicator.file.pe.imphash","type":"keyword","normalization":"","example":"0c6803c4e922103c4dca5963aad36ddf","description":"A hash of the imports in a PE file."},{"field":"threat.enrichments.indicator.file.pe.import_hash","type":"keyword","normalization":"","example":"d41d8cd98f00b204e9800998ecf8427e","description":"A hash of the imports in a PE file."},{"field":"threat.enrichments.indicator.file.pe.imports","type":"flattened","normalization":"array","example":"","description":"List of imported element names and types."},{"field":"threat.enrichments.indicator.file.pe.imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of imported element names and types."},{"field":"threat.enrichments.indicator.file.pe.imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of imported element names and types."},{"field":"threat.enrichments.indicator.file.pe.original_file_name","type":"keyword","normalization":"","example":"MSPAINT.EXE","description":"Internal name of the file, provided at compile-time."},{"field":"threat.enrichments.indicator.file.pe.pehash","type":"keyword","normalization":"","example":"73ff189b63cd6be375a7ff25179a38d347651975","description":"A hash of the PE header and data from one or more PE sections."},{"field":"threat.enrichments.indicator.file.pe.product","type":"keyword","normalization":"","example":"Microsoft® Windows® Operating System","description":"Internal product name of the file, provided at compile-time."},{"field":"threat.enrichments.indicator.file.pe.sections","type":"nested","normalization":"array","example":"","description":"Section information of the PE file."},{"field":"threat.enrichments.indicator.file.pe.sections.entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the section."},{"field":"threat.enrichments.indicator.file.pe.sections.name","type":"keyword","normalization":"","example":"","description":"PE Section List name."},{"field":"threat.enrichments.indicator.file.pe.sections.physical_size","type":"long","normalization":"","example":"","description":"PE Section List physical size."},{"field":"threat.enrichments.indicator.file.pe.sections.var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the section."},{"field":"threat.enrichments.indicator.file.pe.sections.virtual_size","type":"long","normalization":"","example":"","description":"PE Section List virtual size. This is always the same as `physical_size`."},{"field":"threat.enrichments.indicator.file.size","type":"long","normalization":"","example":16384,"description":"File size in bytes."},{"field":"threat.enrichments.indicator.file.target_path","type":"keyword","normalization":"","example":"","description":"Target path for symlinks."},{"field":"threat.enrichments.indicator.file.target_path.text","type":"match_only_text","normalization":"","example":"","description":"Target path for symlinks."},{"field":"threat.enrichments.indicator.file.type","type":"keyword","normalization":"","example":"file","description":"File type (file, dir, or symlink)."},{"field":"threat.enrichments.indicator.file.uid","type":"keyword","normalization":"","example":1001,"description":"The user ID (UID) or security identifier (SID) of the file owner."},{"field":"threat.enrichments.indicator.file.x509.alternative_names","type":"keyword","normalization":"array","example":"*.elastic.co","description":"List of subject alternative names (SAN)."},{"field":"threat.enrichments.indicator.file.x509.issuer.common_name","type":"keyword","normalization":"array","example":"Example SHA2 High Assurance Server CA","description":"List of common name (CN) of issuing certificate authority."},{"field":"threat.enrichments.indicator.file.x509.issuer.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\\\(C) codes"},{"field":"threat.enrichments.indicator.file.x509.issuer.distinguished_name","type":"keyword","normalization":"","example":"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA","description":"Distinguished name (DN) of issuing certificate authority."},{"field":"threat.enrichments.indicator.file.x509.issuer.locality","type":"keyword","normalization":"array","example":"Mountain View","description":"List of locality names (L)"},{"field":"threat.enrichments.indicator.file.x509.issuer.organization","type":"keyword","normalization":"array","example":"Example Inc","description":"List of organizations (O) of issuing certificate authority."},{"field":"threat.enrichments.indicator.file.x509.issuer.organizational_unit","type":"keyword","normalization":"array","example":"www.example.com","description":"List of organizational units (OU) of issuing certificate authority."},{"field":"threat.enrichments.indicator.file.x509.issuer.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or P)"},{"field":"threat.enrichments.indicator.file.x509.not_after","type":"date","normalization":"","example":"2020-07-16T03:15:39Z","description":"Time at which the certificate is no longer considered valid."},{"field":"threat.enrichments.indicator.file.x509.not_before","type":"date","normalization":"","example":"2019-08-16T01:40:25Z","description":"Time at which the certificate is first considered valid."},{"field":"threat.enrichments.indicator.file.x509.public_key_algorithm","type":"keyword","normalization":"","example":"RSA","description":"Algorithm used to generate the public key."},{"field":"threat.enrichments.indicator.file.x509.public_key_curve","type":"keyword","normalization":"","example":"nistp521","description":"The curve used by the elliptic curve public key algorithm. This is algorithm specific."},{"field":"threat.enrichments.indicator.file.x509.public_key_exponent","type":"long","normalization":"","example":65537,"description":"Exponent used to derive the public key. This is algorithm specific."},{"field":"threat.enrichments.indicator.file.x509.public_key_size","type":"long","normalization":"","example":2048,"description":"The size of the public key space in bits."},{"field":"threat.enrichments.indicator.file.x509.serial_number","type":"keyword","normalization":"","example":"55FBB9C7DEBF09809D12CCAA","description":"Unique serial number issued by the certificate authority."},{"field":"threat.enrichments.indicator.file.x509.signature_algorithm","type":"keyword","normalization":"","example":"SHA256-RSA","description":"Identifier for certificate signature algorithm."},{"field":"threat.enrichments.indicator.file.x509.subject.common_name","type":"keyword","normalization":"array","example":"shared.global.example.net","description":"List of common names (CN) of subject."},{"field":"threat.enrichments.indicator.file.x509.subject.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\\\(C) code"},{"field":"threat.enrichments.indicator.file.x509.subject.distinguished_name","type":"keyword","normalization":"","example":"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net","description":"Distinguished name (DN) of the certificate subject entity."},{"field":"threat.enrichments.indicator.file.x509.subject.locality","type":"keyword","normalization":"array","example":"San Francisco","description":"List of locality names (L)"},{"field":"threat.enrichments.indicator.file.x509.subject.organization","type":"keyword","normalization":"array","example":"Example, Inc.","description":"List of organizations (O) of subject."},{"field":"threat.enrichments.indicator.file.x509.subject.organizational_unit","type":"keyword","normalization":"array","example":"","description":"List of organizational units (OU) of subject."},{"field":"threat.enrichments.indicator.file.x509.subject.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or P)"},{"field":"threat.enrichments.indicator.file.x509.version_number","type":"keyword","normalization":"","example":3,"description":"Version of x509 format."},{"field":"threat.enrichments.indicator.first_seen","type":"date","normalization":"","example":"2020-11-05T17:25:47.000Z","description":"Date/time indicator was first reported."},{"field":"threat.enrichments.indicator.geo.city_name","type":"keyword","normalization":"","example":"Montreal","description":"City name."},{"field":"threat.enrichments.indicator.geo.continent_code","type":"keyword","normalization":"","example":"NA","description":"Continent code."},{"field":"threat.enrichments.indicator.geo.continent_name","type":"keyword","normalization":"","example":"North America","description":"Name of the continent."},{"field":"threat.enrichments.indicator.geo.country_iso_code","type":"keyword","normalization":"","example":"CA","description":"Country ISO code."},{"field":"threat.enrichments.indicator.geo.country_name","type":"keyword","normalization":"","example":"Canada","description":"Country name."},{"field":"threat.enrichments.indicator.geo.location","type":"geo_point","normalization":"","example":{"lon":-73.61483,"lat":45.505918},"description":"Longitude and latitude."},{"field":"threat.enrichments.indicator.geo.name","type":"keyword","normalization":"","example":"boston-dc","description":"User-defined description of a location."},{"field":"threat.enrichments.indicator.geo.postal_code","type":"keyword","normalization":"","example":94040,"description":"Postal code."},{"field":"threat.enrichments.indicator.geo.region_iso_code","type":"keyword","normalization":"","example":"CA-QC","description":"Region ISO code."},{"field":"threat.enrichments.indicator.geo.region_name","type":"keyword","normalization":"","example":"Quebec","description":"Region name."},{"field":"threat.enrichments.indicator.geo.timezone","type":"keyword","normalization":"","example":"America/Argentina/Buenos_Aires","description":"Time zone."},{"field":"threat.enrichments.indicator.ip","type":"ip","normalization":"","example":"1.2.3.4","description":"Indicator IP address"},{"field":"threat.enrichments.indicator.last_seen","type":"date","normalization":"","example":"2020-11-05T17:25:47.000Z","description":"Date/time indicator was last reported."},{"field":"threat.enrichments.indicator.marking.tlp","type":"keyword","normalization":"","example":"CLEAR","description":"Indicator TLP marking"},{"field":"threat.enrichments.indicator.marking.tlp_version","type":"keyword","normalization":"","example":2,"description":"Indicator TLP version"},{"field":"threat.enrichments.indicator.modified_at","type":"date","normalization":"","example":"2020-11-05T17:25:47.000Z","description":"Date/time indicator was last updated."},{"field":"threat.enrichments.indicator.name","type":"keyword","normalization":"","example":"5.2.75.227","description":"Indicator display name"},{"field":"threat.enrichments.indicator.port","type":"long","normalization":"","example":443,"description":"Indicator port"},{"field":"threat.enrichments.indicator.provider","type":"keyword","normalization":"","example":"lrz_urlhaus","description":"Indicator provider"},{"field":"threat.enrichments.indicator.reference","type":"keyword","normalization":"","example":"https://system.example.com/indicator/0001234","description":"Indicator reference URL"},{"field":"threat.enrichments.indicator.registry.data.bytes","type":"keyword","normalization":"","example":"ZQBuAC0AVQBTAAAAZQBuAAAAAAA=","description":"Original bytes written with base64 encoding."},{"field":"threat.enrichments.indicator.registry.data.strings","type":"wildcard","normalization":"array","example":"[\\"C:\\\\rta\\\\red_ttp\\\\bin\\\\myapp.exe\\"]","description":"List of strings representing what was written to the registry."},{"field":"threat.enrichments.indicator.registry.data.type","type":"keyword","normalization":"","example":"REG_SZ","description":"Standard registry type for encoding contents"},{"field":"threat.enrichments.indicator.registry.hive","type":"keyword","normalization":"","example":"HKLM","description":"Abbreviated name for the hive."},{"field":"threat.enrichments.indicator.registry.key","type":"keyword","normalization":"","example":"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\winword.exe","description":"Hive-relative path of keys."},{"field":"threat.enrichments.indicator.registry.path","type":"keyword","normalization":"","example":"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\winword.exe\\\\Debugger","description":"Full path, including hive, key and value"},{"field":"threat.enrichments.indicator.registry.value","type":"keyword","normalization":"","example":"Debugger","description":"Name of the value written."},{"field":"threat.enrichments.indicator.scanner_stats","type":"long","normalization":"","example":4,"description":"Scanner statistics"},{"field":"threat.enrichments.indicator.sightings","type":"long","normalization":"","example":20,"description":"Number of times indicator observed"},{"field":"threat.enrichments.indicator.type","type":"keyword","normalization":"","example":"ipv4-addr","description":"Type of indicator"},{"field":"threat.enrichments.indicator.url.domain","type":"keyword","normalization":"","example":"www.elastic.co","description":"Domain of the url."},{"field":"threat.enrichments.indicator.url.extension","type":"keyword","normalization":"","example":"png","description":"File extension from the request url, excluding the leading dot."},{"field":"threat.enrichments.indicator.url.fragment","type":"keyword","normalization":"","example":"","description":"Portion of the url after the `#`."},{"field":"threat.enrichments.indicator.url.full","type":"wildcard","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top","description":"Full unparsed URL."},{"field":"threat.enrichments.indicator.url.full.text","type":"match_only_text","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top","description":"Full unparsed URL."},{"field":"threat.enrichments.indicator.url.original","type":"wildcard","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch","description":"Unmodified original url as seen in the event source."},{"field":"threat.enrichments.indicator.url.original.text","type":"match_only_text","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch","description":"Unmodified original url as seen in the event source."},{"field":"threat.enrichments.indicator.url.password","type":"keyword","normalization":"","example":"","description":"Password of the request."},{"field":"threat.enrichments.indicator.url.path","type":"wildcard","normalization":"","example":"","description":"Path of the request, such as \\"/search\\"."},{"field":"threat.enrichments.indicator.url.port","type":"long","normalization":"","example":443,"description":"Port of the request, such as 443."},{"field":"threat.enrichments.indicator.url.query","type":"keyword","normalization":"","example":"","description":"Query string of the request."},{"field":"threat.enrichments.indicator.url.registered_domain","type":"keyword","normalization":"","example":"example.com","description":"The highest registered url domain, stripped of the subdomain."},{"field":"threat.enrichments.indicator.url.scheme","type":"keyword","normalization":"","example":"https","description":"Scheme of the url."},{"field":"threat.enrichments.indicator.url.subdomain","type":"keyword","normalization":"","example":"east","description":"The subdomain of the domain."},{"field":"threat.enrichments.indicator.url.top_level_domain","type":"keyword","normalization":"","example":"co.uk","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"threat.enrichments.indicator.url.username","type":"keyword","normalization":"","example":"","description":"Username of the request."},{"field":"threat.enrichments.indicator.x509.alternative_names","type":"keyword","normalization":"array","example":"*.elastic.co","description":"List of subject alternative names (SAN)."},{"field":"threat.enrichments.indicator.x509.issuer.common_name","type":"keyword","normalization":"array","example":"Example SHA2 High Assurance Server CA","description":"List of common name (CN) of issuing certificate authority."},{"field":"threat.enrichments.indicator.x509.issuer.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\\\(C) codes"},{"field":"threat.enrichments.indicator.x509.issuer.distinguished_name","type":"keyword","normalization":"","example":"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA","description":"Distinguished name (DN) of issuing certificate authority."},{"field":"threat.enrichments.indicator.x509.issuer.locality","type":"keyword","normalization":"array","example":"Mountain View","description":"List of locality names (L)"},{"field":"threat.enrichments.indicator.x509.issuer.organization","type":"keyword","normalization":"array","example":"Example Inc","description":"List of organizations (O) of issuing certificate authority."},{"field":"threat.enrichments.indicator.x509.issuer.organizational_unit","type":"keyword","normalization":"array","example":"www.example.com","description":"List of organizational units (OU) of issuing certificate authority."},{"field":"threat.enrichments.indicator.x509.issuer.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or P)"},{"field":"threat.enrichments.indicator.x509.not_after","type":"date","normalization":"","example":"2020-07-16T03:15:39Z","description":"Time at which the certificate is no longer considered valid."},{"field":"threat.enrichments.indicator.x509.not_before","type":"date","normalization":"","example":"2019-08-16T01:40:25Z","description":"Time at which the certificate is first considered valid."},{"field":"threat.enrichments.indicator.x509.public_key_algorithm","type":"keyword","normalization":"","example":"RSA","description":"Algorithm used to generate the public key."},{"field":"threat.enrichments.indicator.x509.public_key_curve","type":"keyword","normalization":"","example":"nistp521","description":"The curve used by the elliptic curve public key algorithm. This is algorithm specific."},{"field":"threat.enrichments.indicator.x509.public_key_exponent","type":"long","normalization":"","example":65537,"description":"Exponent used to derive the public key. This is algorithm specific."},{"field":"threat.enrichments.indicator.x509.public_key_size","type":"long","normalization":"","example":2048,"description":"The size of the public key space in bits."},{"field":"threat.enrichments.indicator.x509.serial_number","type":"keyword","normalization":"","example":"55FBB9C7DEBF09809D12CCAA","description":"Unique serial number issued by the certificate authority."},{"field":"threat.enrichments.indicator.x509.signature_algorithm","type":"keyword","normalization":"","example":"SHA256-RSA","description":"Identifier for certificate signature algorithm."},{"field":"threat.enrichments.indicator.x509.subject.common_name","type":"keyword","normalization":"array","example":"shared.global.example.net","description":"List of common names (CN) of subject."},{"field":"threat.enrichments.indicator.x509.subject.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\\\(C) code"},{"field":"threat.enrichments.indicator.x509.subject.distinguished_name","type":"keyword","normalization":"","example":"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net","description":"Distinguished name (DN) of the certificate subject entity."},{"field":"threat.enrichments.indicator.x509.subject.locality","type":"keyword","normalization":"array","example":"San Francisco","description":"List of locality names (L)"},{"field":"threat.enrichments.indicator.x509.subject.organization","type":"keyword","normalization":"array","example":"Example, Inc.","description":"List of organizations (O) of subject."},{"field":"threat.enrichments.indicator.x509.subject.organizational_unit","type":"keyword","normalization":"array","example":"","description":"List of organizational units (OU) of subject."},{"field":"threat.enrichments.indicator.x509.subject.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or P)"},{"field":"threat.enrichments.indicator.x509.version_number","type":"keyword","normalization":"","example":3,"description":"Version of x509 format."},{"field":"threat.enrichments.matched.atomic","type":"keyword","normalization":"","example":"bad-domain.com","description":"Matched indicator value"},{"field":"threat.enrichments.matched.field","type":"keyword","normalization":"","example":"file.hash.sha256","description":"Matched indicator field"},{"field":"threat.enrichments.matched.id","type":"keyword","normalization":"","example":"ff93aee5-86a1-4a61-b0e6-0cdc313d01b5","description":"Matched indicator identifier"},{"field":"threat.enrichments.matched.index","type":"keyword","normalization":"","example":"filebeat-8.0.0-2021.05.23-000011","description":"Matched indicator index"},{"field":"threat.enrichments.matched.occurred","type":"date","normalization":"","example":"2021-10-05T17:00:58.326Z","description":"Date of match"},{"field":"threat.enrichments.matched.type","type":"keyword","normalization":"","example":"indicator_match_rule","description":"Type of indicator match"},{"field":"threat.feed.dashboard_id","type":"keyword","normalization":"","example":"5ba16340-72e6-11eb-a3e3-b3cc7c78a70f","description":"Feed dashboard ID."},{"field":"threat.feed.description","type":"keyword","normalization":"","example":"Threat feed from the AlienVault Open Threat eXchange network.","description":"Description of the threat feed."},{"field":"threat.feed.name","type":"keyword","normalization":"","example":"AlienVault OTX","description":"Name of the threat feed."},{"field":"threat.feed.reference","type":"keyword","normalization":"","example":"https://otx.alienvault.com","description":"Reference for the threat feed."},{"field":"threat.framework","type":"keyword","normalization":"","example":"MITRE ATT&CK","description":"Threat classification framework."},{"field":"threat.group.alias","type":"keyword","normalization":"array","example":["Magecart Group 6"],"description":"Alias of the group."},{"field":"threat.group.id","type":"keyword","normalization":"","example":"G0037","description":"ID of the group."},{"field":"threat.group.name","type":"keyword","normalization":"","example":"FIN6","description":"Name of the group."},{"field":"threat.group.reference","type":"keyword","normalization":"","example":"https://attack.mitre.org/groups/G0037/","description":"Reference URL of the group."},{"field":"threat.indicator.as.number","type":"long","normalization":"","example":15169,"description":"Unique number allocated to the autonomous system."},{"field":"threat.indicator.as.organization.name","type":"keyword","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"threat.indicator.as.organization.name.text","type":"match_only_text","normalization":"","example":"Google LLC","description":"Organization name."},{"field":"threat.indicator.confidence","type":"keyword","normalization":"","example":"Medium","description":"Indicator confidence rating"},{"field":"threat.indicator.description","type":"keyword","normalization":"","example":"IP x.x.x.x was observed delivering the Angler EK.","description":"Indicator description"},{"field":"threat.indicator.email.address","type":"keyword","normalization":"","example":"phish@example.com","description":"Indicator email address"},{"field":"threat.indicator.file.accessed","type":"date","normalization":"","example":"","description":"Last time the file was accessed."},{"field":"threat.indicator.file.attributes","type":"keyword","normalization":"array","example":["readonly","system"],"description":"Array of file attributes."},{"field":"threat.indicator.file.code_signature.digest_algorithm","type":"keyword","normalization":"","example":"sha256","description":"Hashing algorithm used to sign the process."},{"field":"threat.indicator.file.code_signature.exists","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if a signature is present."},{"field":"threat.indicator.file.code_signature.signing_id","type":"keyword","normalization":"","example":"com.apple.xpc.proxy","description":"The identifier used to sign the process."},{"field":"threat.indicator.file.code_signature.status","type":"keyword","normalization":"","example":"ERROR_UNTRUSTED_ROOT","description":"Additional information about the certificate status."},{"field":"threat.indicator.file.code_signature.subject_name","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Subject name of the code signer"},{"field":"threat.indicator.file.code_signature.team_id","type":"keyword","normalization":"","example":"EQHXZ8M8AV","description":"The team identifier used to sign the process."},{"field":"threat.indicator.file.code_signature.timestamp","type":"date","normalization":"","example":"2021-01-01T12:10:30Z","description":"When the signature was generated and signed."},{"field":"threat.indicator.file.code_signature.trusted","type":"boolean","normalization":"","example":true,"description":"Stores the trust status of the certificate chain."},{"field":"threat.indicator.file.code_signature.valid","type":"boolean","normalization":"","example":true,"description":"Boolean to capture if the digital signature is verified against the binary content."},{"field":"threat.indicator.file.created","type":"date","normalization":"","example":"","description":"File creation time."},{"field":"threat.indicator.file.ctime","type":"date","normalization":"","example":"","description":"Last time the file attributes or metadata changed."},{"field":"threat.indicator.file.device","type":"keyword","normalization":"","example":"sda","description":"Device that is the source of the file."},{"field":"threat.indicator.file.directory","type":"keyword","normalization":"","example":"/home/alice","description":"Directory where the file is located."},{"field":"threat.indicator.file.drive_letter","type":"keyword","normalization":"","example":"C","description":"Drive letter where the file is located."},{"field":"threat.indicator.file.elf.architecture","type":"keyword","normalization":"","example":"x86-64","description":"Machine architecture of the ELF file."},{"field":"threat.indicator.file.elf.byte_order","type":"keyword","normalization":"","example":"Little Endian","description":"Byte sequence of ELF file."},{"field":"threat.indicator.file.elf.cpu_type","type":"keyword","normalization":"","example":"Intel","description":"CPU type of the ELF file."},{"field":"threat.indicator.file.elf.creation_date","type":"date","normalization":"","example":"","description":"Build or compile date."},{"field":"threat.indicator.file.elf.exports","type":"flattened","normalization":"array","example":"","description":"List of exported element names and types."},{"field":"threat.indicator.file.elf.go_import_hash","type":"keyword","normalization":"","example":"10bddcb4cee42080f76c88d9ff964491","description":"A hash of the Go language imports in an ELF file."},{"field":"threat.indicator.file.elf.go_imports","type":"flattened","normalization":"","example":"","description":"List of imported Go language element names and types."},{"field":"threat.indicator.file.elf.go_imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of Go imports."},{"field":"threat.indicator.file.elf.go_imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of Go imports."},{"field":"threat.indicator.file.elf.go_stripped","type":"boolean","normalization":"","example":"","description":"Whether the file is a stripped or obfuscated Go executable."},{"field":"threat.indicator.file.elf.header.abi_version","type":"keyword","normalization":"","example":"","description":"Version of the ELF Application Binary Interface (ABI)."},{"field":"threat.indicator.file.elf.header.class","type":"keyword","normalization":"","example":"","description":"Header class of the ELF file."},{"field":"threat.indicator.file.elf.header.data","type":"keyword","normalization":"","example":"","description":"Data table of the ELF header."},{"field":"threat.indicator.file.elf.header.entrypoint","type":"long","normalization":"","example":"","description":"Header entrypoint of the ELF file."},{"field":"threat.indicator.file.elf.header.object_version","type":"keyword","normalization":"","example":"","description":"0x1\\" for original ELF files."},{"field":"threat.indicator.file.elf.header.os_abi","type":"keyword","normalization":"","example":"","description":"Application Binary Interface (ABI) of the Linux OS."},{"field":"threat.indicator.file.elf.header.type","type":"keyword","normalization":"","example":"","description":"Header type of the ELF file."},{"field":"threat.indicator.file.elf.header.version","type":"keyword","normalization":"","example":"","description":"Version of the ELF header."},{"field":"threat.indicator.file.elf.import_hash","type":"keyword","normalization":"","example":"d41d8cd98f00b204e9800998ecf8427e","description":"A hash of the imports in an ELF file."},{"field":"threat.indicator.file.elf.imports","type":"flattened","normalization":"array","example":"","description":"List of imported element names and types."},{"field":"threat.indicator.file.elf.imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of imported element names and types."},{"field":"threat.indicator.file.elf.imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of imported element names and types."},{"field":"threat.indicator.file.elf.sections","type":"nested","normalization":"array","example":"","description":"Section information of the ELF file."},{"field":"threat.indicator.file.elf.sections.chi2","type":"long","normalization":"","example":"","description":"Chi-square probability distribution of the section."},{"field":"threat.indicator.file.elf.sections.entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the section."},{"field":"threat.indicator.file.elf.sections.flags","type":"keyword","normalization":"","example":"","description":"ELF Section List flags."},{"field":"threat.indicator.file.elf.sections.name","type":"keyword","normalization":"","example":"","description":"ELF Section List name."},{"field":"threat.indicator.file.elf.sections.physical_offset","type":"keyword","normalization":"","example":"","description":"ELF Section List offset."},{"field":"threat.indicator.file.elf.sections.physical_size","type":"long","normalization":"","example":"","description":"ELF Section List physical size."},{"field":"threat.indicator.file.elf.sections.type","type":"keyword","normalization":"","example":"","description":"ELF Section List type."},{"field":"threat.indicator.file.elf.sections.var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the section."},{"field":"threat.indicator.file.elf.sections.virtual_address","type":"long","normalization":"","example":"","description":"ELF Section List virtual address."},{"field":"threat.indicator.file.elf.sections.virtual_size","type":"long","normalization":"","example":"","description":"ELF Section List virtual size."},{"field":"threat.indicator.file.elf.segments","type":"nested","normalization":"array","example":"","description":"ELF object segment list."},{"field":"threat.indicator.file.elf.segments.sections","type":"keyword","normalization":"","example":"","description":"ELF object segment sections."},{"field":"threat.indicator.file.elf.segments.type","type":"keyword","normalization":"","example":"","description":"ELF object segment type."},{"field":"threat.indicator.file.elf.shared_libraries","type":"keyword","normalization":"array","example":"","description":"List of shared libraries used by this ELF object."},{"field":"threat.indicator.file.elf.telfhash","type":"keyword","normalization":"","example":"","description":"telfhash hash for ELF file."},{"field":"threat.indicator.file.extension","type":"keyword","normalization":"","example":"png","description":"File extension, excluding the leading dot."},{"field":"threat.indicator.file.fork_name","type":"keyword","normalization":"","example":"Zone.Identifer","description":"A fork is additional data associated with a filesystem object."},{"field":"threat.indicator.file.gid","type":"keyword","normalization":"","example":1001,"description":"Primary group ID (GID) of the file."},{"field":"threat.indicator.file.group","type":"keyword","normalization":"","example":"alice","description":"Primary group name of the file."},{"field":"threat.indicator.file.hash.md5","type":"keyword","normalization":"","example":"","description":"MD5 hash."},{"field":"threat.indicator.file.hash.sha1","type":"keyword","normalization":"","example":"","description":"SHA1 hash."},{"field":"threat.indicator.file.hash.sha256","type":"keyword","normalization":"","example":"","description":"SHA256 hash."},{"field":"threat.indicator.file.hash.sha384","type":"keyword","normalization":"","example":"","description":"SHA384 hash."},{"field":"threat.indicator.file.hash.sha512","type":"keyword","normalization":"","example":"","description":"SHA512 hash."},{"field":"threat.indicator.file.hash.ssdeep","type":"keyword","normalization":"","example":"","description":"SSDEEP hash."},{"field":"threat.indicator.file.hash.tlsh","type":"keyword","normalization":"","example":"","description":"TLSH hash."},{"field":"threat.indicator.file.inode","type":"keyword","normalization":"","example":256383,"description":"Inode representing the file in the filesystem."},{"field":"threat.indicator.file.mime_type","type":"keyword","normalization":"","example":"","description":"Media type of file, document, or arrangement of bytes."},{"field":"threat.indicator.file.mode","type":"keyword","normalization":"","example":"0640","description":"Mode of the file in octal representation."},{"field":"threat.indicator.file.mtime","type":"date","normalization":"","example":"","description":"Last time the file content was modified."},{"field":"threat.indicator.file.name","type":"keyword","normalization":"","example":"example.png","description":"Name of the file including the extension, without the directory."},{"field":"threat.indicator.file.owner","type":"keyword","normalization":"","example":"alice","description":"File owner\'s username."},{"field":"threat.indicator.file.path","type":"keyword","normalization":"","example":"/home/alice/example.png","description":"Full path to the file, including the file name."},{"field":"threat.indicator.file.path.text","type":"match_only_text","normalization":"","example":"/home/alice/example.png","description":"Full path to the file, including the file name."},{"field":"threat.indicator.file.pe.architecture","type":"keyword","normalization":"","example":"x64","description":"CPU architecture target for the file."},{"field":"threat.indicator.file.pe.company","type":"keyword","normalization":"","example":"Microsoft Corporation","description":"Internal company name of the file, provided at compile-time."},{"field":"threat.indicator.file.pe.description","type":"keyword","normalization":"","example":"Paint","description":"Internal description of the file, provided at compile-time."},{"field":"threat.indicator.file.pe.file_version","type":"keyword","normalization":"","example":"6.3.9600.17415","description":"Process name."},{"field":"threat.indicator.file.pe.go_import_hash","type":"keyword","normalization":"","example":"10bddcb4cee42080f76c88d9ff964491","description":"A hash of the Go language imports in a PE file."},{"field":"threat.indicator.file.pe.go_imports","type":"flattened","normalization":"","example":"","description":"List of imported Go language element names and types."},{"field":"threat.indicator.file.pe.go_imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of Go imports."},{"field":"threat.indicator.file.pe.go_imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of Go imports."},{"field":"threat.indicator.file.pe.go_stripped","type":"boolean","normalization":"","example":"","description":"Whether the file is a stripped or obfuscated Go executable."},{"field":"threat.indicator.file.pe.imphash","type":"keyword","normalization":"","example":"0c6803c4e922103c4dca5963aad36ddf","description":"A hash of the imports in a PE file."},{"field":"threat.indicator.file.pe.import_hash","type":"keyword","normalization":"","example":"d41d8cd98f00b204e9800998ecf8427e","description":"A hash of the imports in a PE file."},{"field":"threat.indicator.file.pe.imports","type":"flattened","normalization":"array","example":"","description":"List of imported element names and types."},{"field":"threat.indicator.file.pe.imports_names_entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the list of imported element names and types."},{"field":"threat.indicator.file.pe.imports_names_var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the list of imported element names and types."},{"field":"threat.indicator.file.pe.original_file_name","type":"keyword","normalization":"","example":"MSPAINT.EXE","description":"Internal name of the file, provided at compile-time."},{"field":"threat.indicator.file.pe.pehash","type":"keyword","normalization":"","example":"73ff189b63cd6be375a7ff25179a38d347651975","description":"A hash of the PE header and data from one or more PE sections."},{"field":"threat.indicator.file.pe.product","type":"keyword","normalization":"","example":"Microsoft® Windows® Operating System","description":"Internal product name of the file, provided at compile-time."},{"field":"threat.indicator.file.pe.sections","type":"nested","normalization":"array","example":"","description":"Section information of the PE file."},{"field":"threat.indicator.file.pe.sections.entropy","type":"long","normalization":"","example":"","description":"Shannon entropy calculation from the section."},{"field":"threat.indicator.file.pe.sections.name","type":"keyword","normalization":"","example":"","description":"PE Section List name."},{"field":"threat.indicator.file.pe.sections.physical_size","type":"long","normalization":"","example":"","description":"PE Section List physical size."},{"field":"threat.indicator.file.pe.sections.var_entropy","type":"long","normalization":"","example":"","description":"Variance for Shannon entropy calculation from the section."},{"field":"threat.indicator.file.pe.sections.virtual_size","type":"long","normalization":"","example":"","description":"PE Section List virtual size. This is always the same as `physical_size`."},{"field":"threat.indicator.file.size","type":"long","normalization":"","example":16384,"description":"File size in bytes."},{"field":"threat.indicator.file.target_path","type":"keyword","normalization":"","example":"","description":"Target path for symlinks."},{"field":"threat.indicator.file.target_path.text","type":"match_only_text","normalization":"","example":"","description":"Target path for symlinks."},{"field":"threat.indicator.file.type","type":"keyword","normalization":"","example":"file","description":"File type (file, dir, or symlink)."},{"field":"threat.indicator.file.uid","type":"keyword","normalization":"","example":1001,"description":"The user ID (UID) or security identifier (SID) of the file owner."},{"field":"threat.indicator.file.x509.alternative_names","type":"keyword","normalization":"array","example":"*.elastic.co","description":"List of subject alternative names (SAN)."},{"field":"threat.indicator.file.x509.issuer.common_name","type":"keyword","normalization":"array","example":"Example SHA2 High Assurance Server CA","description":"List of common name (CN) of issuing certificate authority."},{"field":"threat.indicator.file.x509.issuer.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\\\(C) codes"},{"field":"threat.indicator.file.x509.issuer.distinguished_name","type":"keyword","normalization":"","example":"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA","description":"Distinguished name (DN) of issuing certificate authority."},{"field":"threat.indicator.file.x509.issuer.locality","type":"keyword","normalization":"array","example":"Mountain View","description":"List of locality names (L)"},{"field":"threat.indicator.file.x509.issuer.organization","type":"keyword","normalization":"array","example":"Example Inc","description":"List of organizations (O) of issuing certificate authority."},{"field":"threat.indicator.file.x509.issuer.organizational_unit","type":"keyword","normalization":"array","example":"www.example.com","description":"List of organizational units (OU) of issuing certificate authority."},{"field":"threat.indicator.file.x509.issuer.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or P)"},{"field":"threat.indicator.file.x509.not_after","type":"date","normalization":"","example":"2020-07-16T03:15:39Z","description":"Time at which the certificate is no longer considered valid."},{"field":"threat.indicator.file.x509.not_before","type":"date","normalization":"","example":"2019-08-16T01:40:25Z","description":"Time at which the certificate is first considered valid."},{"field":"threat.indicator.file.x509.public_key_algorithm","type":"keyword","normalization":"","example":"RSA","description":"Algorithm used to generate the public key."},{"field":"threat.indicator.file.x509.public_key_curve","type":"keyword","normalization":"","example":"nistp521","description":"The curve used by the elliptic curve public key algorithm. This is algorithm specific."},{"field":"threat.indicator.file.x509.public_key_exponent","type":"long","normalization":"","example":65537,"description":"Exponent used to derive the public key. This is algorithm specific."},{"field":"threat.indicator.file.x509.public_key_size","type":"long","normalization":"","example":2048,"description":"The size of the public key space in bits."},{"field":"threat.indicator.file.x509.serial_number","type":"keyword","normalization":"","example":"55FBB9C7DEBF09809D12CCAA","description":"Unique serial number issued by the certificate authority."},{"field":"threat.indicator.file.x509.signature_algorithm","type":"keyword","normalization":"","example":"SHA256-RSA","description":"Identifier for certificate signature algorithm."},{"field":"threat.indicator.file.x509.subject.common_name","type":"keyword","normalization":"array","example":"shared.global.example.net","description":"List of common names (CN) of subject."},{"field":"threat.indicator.file.x509.subject.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\\\(C) code"},{"field":"threat.indicator.file.x509.subject.distinguished_name","type":"keyword","normalization":"","example":"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net","description":"Distinguished name (DN) of the certificate subject entity."},{"field":"threat.indicator.file.x509.subject.locality","type":"keyword","normalization":"array","example":"San Francisco","description":"List of locality names (L)"},{"field":"threat.indicator.file.x509.subject.organization","type":"keyword","normalization":"array","example":"Example, Inc.","description":"List of organizations (O) of subject."},{"field":"threat.indicator.file.x509.subject.organizational_unit","type":"keyword","normalization":"array","example":"","description":"List of organizational units (OU) of subject."},{"field":"threat.indicator.file.x509.subject.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or P)"},{"field":"threat.indicator.file.x509.version_number","type":"keyword","normalization":"","example":3,"description":"Version of x509 format."},{"field":"threat.indicator.first_seen","type":"date","normalization":"","example":"2020-11-05T17:25:47.000Z","description":"Date/time indicator was first reported."},{"field":"threat.indicator.geo.city_name","type":"keyword","normalization":"","example":"Montreal","description":"City name."},{"field":"threat.indicator.geo.continent_code","type":"keyword","normalization":"","example":"NA","description":"Continent code."},{"field":"threat.indicator.geo.continent_name","type":"keyword","normalization":"","example":"North America","description":"Name of the continent."},{"field":"threat.indicator.geo.country_iso_code","type":"keyword","normalization":"","example":"CA","description":"Country ISO code."},{"field":"threat.indicator.geo.country_name","type":"keyword","normalization":"","example":"Canada","description":"Country name."},{"field":"threat.indicator.geo.location","type":"geo_point","normalization":"","example":{"lon":-73.61483,"lat":45.505918},"description":"Longitude and latitude."},{"field":"threat.indicator.geo.name","type":"keyword","normalization":"","example":"boston-dc","description":"User-defined description of a location."},{"field":"threat.indicator.geo.postal_code","type":"keyword","normalization":"","example":94040,"description":"Postal code."},{"field":"threat.indicator.geo.region_iso_code","type":"keyword","normalization":"","example":"CA-QC","description":"Region ISO code."},{"field":"threat.indicator.geo.region_name","type":"keyword","normalization":"","example":"Quebec","description":"Region name."},{"field":"threat.indicator.geo.timezone","type":"keyword","normalization":"","example":"America/Argentina/Buenos_Aires","description":"Time zone."},{"field":"threat.indicator.ip","type":"ip","normalization":"","example":"1.2.3.4","description":"Indicator IP address"},{"field":"threat.indicator.last_seen","type":"date","normalization":"","example":"2020-11-05T17:25:47.000Z","description":"Date/time indicator was last reported."},{"field":"threat.indicator.marking.tlp","type":"keyword","normalization":"","example":"CLEAR","description":"Indicator TLP marking"},{"field":"threat.indicator.marking.tlp_version","type":"keyword","normalization":"","example":2,"description":"Indicator TLP version"},{"field":"threat.indicator.modified_at","type":"date","normalization":"","example":"2020-11-05T17:25:47.000Z","description":"Date/time indicator was last updated."},{"field":"threat.indicator.name","type":"keyword","normalization":"","example":"5.2.75.227","description":"Indicator display name"},{"field":"threat.indicator.port","type":"long","normalization":"","example":443,"description":"Indicator port"},{"field":"threat.indicator.provider","type":"keyword","normalization":"","example":"lrz_urlhaus","description":"Indicator provider"},{"field":"threat.indicator.reference","type":"keyword","normalization":"","example":"https://system.example.com/indicator/0001234","description":"Indicator reference URL"},{"field":"threat.indicator.registry.data.bytes","type":"keyword","normalization":"","example":"ZQBuAC0AVQBTAAAAZQBuAAAAAAA=","description":"Original bytes written with base64 encoding."},{"field":"threat.indicator.registry.data.strings","type":"wildcard","normalization":"array","example":"[\\"C:\\\\rta\\\\red_ttp\\\\bin\\\\myapp.exe\\"]","description":"List of strings representing what was written to the registry."},{"field":"threat.indicator.registry.data.type","type":"keyword","normalization":"","example":"REG_SZ","description":"Standard registry type for encoding contents"},{"field":"threat.indicator.registry.hive","type":"keyword","normalization":"","example":"HKLM","description":"Abbreviated name for the hive."},{"field":"threat.indicator.registry.key","type":"keyword","normalization":"","example":"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\winword.exe","description":"Hive-relative path of keys."},{"field":"threat.indicator.registry.path","type":"keyword","normalization":"","example":"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\winword.exe\\\\Debugger","description":"Full path, including hive, key and value"},{"field":"threat.indicator.registry.value","type":"keyword","normalization":"","example":"Debugger","description":"Name of the value written."},{"field":"threat.indicator.scanner_stats","type":"long","normalization":"","example":4,"description":"Scanner statistics"},{"field":"threat.indicator.sightings","type":"long","normalization":"","example":20,"description":"Number of times indicator observed"},{"field":"threat.indicator.type","type":"keyword","normalization":"","example":"ipv4-addr","description":"Type of indicator"},{"field":"threat.indicator.url.domain","type":"keyword","normalization":"","example":"www.elastic.co","description":"Domain of the url."},{"field":"threat.indicator.url.extension","type":"keyword","normalization":"","example":"png","description":"File extension from the request url, excluding the leading dot."},{"field":"threat.indicator.url.fragment","type":"keyword","normalization":"","example":"","description":"Portion of the url after the `#`."},{"field":"threat.indicator.url.full","type":"wildcard","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top","description":"Full unparsed URL."},{"field":"threat.indicator.url.full.text","type":"match_only_text","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top","description":"Full unparsed URL."},{"field":"threat.indicator.url.original","type":"wildcard","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch","description":"Unmodified original url as seen in the event source."},{"field":"threat.indicator.url.original.text","type":"match_only_text","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch","description":"Unmodified original url as seen in the event source."},{"field":"threat.indicator.url.password","type":"keyword","normalization":"","example":"","description":"Password of the request."},{"field":"threat.indicator.url.path","type":"wildcard","normalization":"","example":"","description":"Path of the request, such as \\"/search\\"."},{"field":"threat.indicator.url.port","type":"long","normalization":"","example":443,"description":"Port of the request, such as 443."},{"field":"threat.indicator.url.query","type":"keyword","normalization":"","example":"","description":"Query string of the request."},{"field":"threat.indicator.url.registered_domain","type":"keyword","normalization":"","example":"example.com","description":"The highest registered url domain, stripped of the subdomain."},{"field":"threat.indicator.url.scheme","type":"keyword","normalization":"","example":"https","description":"Scheme of the url."},{"field":"threat.indicator.url.subdomain","type":"keyword","normalization":"","example":"east","description":"The subdomain of the domain."},{"field":"threat.indicator.url.top_level_domain","type":"keyword","normalization":"","example":"co.uk","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"threat.indicator.url.username","type":"keyword","normalization":"","example":"","description":"Username of the request."},{"field":"threat.indicator.x509.alternative_names","type":"keyword","normalization":"array","example":"*.elastic.co","description":"List of subject alternative names (SAN)."},{"field":"threat.indicator.x509.issuer.common_name","type":"keyword","normalization":"array","example":"Example SHA2 High Assurance Server CA","description":"List of common name (CN) of issuing certificate authority."},{"field":"threat.indicator.x509.issuer.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\\\(C) codes"},{"field":"threat.indicator.x509.issuer.distinguished_name","type":"keyword","normalization":"","example":"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA","description":"Distinguished name (DN) of issuing certificate authority."},{"field":"threat.indicator.x509.issuer.locality","type":"keyword","normalization":"array","example":"Mountain View","description":"List of locality names (L)"},{"field":"threat.indicator.x509.issuer.organization","type":"keyword","normalization":"array","example":"Example Inc","description":"List of organizations (O) of issuing certificate authority."},{"field":"threat.indicator.x509.issuer.organizational_unit","type":"keyword","normalization":"array","example":"www.example.com","description":"List of organizational units (OU) of issuing certificate authority."},{"field":"threat.indicator.x509.issuer.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or P)"},{"field":"threat.indicator.x509.not_after","type":"date","normalization":"","example":"2020-07-16T03:15:39Z","description":"Time at which the certificate is no longer considered valid."},{"field":"threat.indicator.x509.not_before","type":"date","normalization":"","example":"2019-08-16T01:40:25Z","description":"Time at which the certificate is first considered valid."},{"field":"threat.indicator.x509.public_key_algorithm","type":"keyword","normalization":"","example":"RSA","description":"Algorithm used to generate the public key."},{"field":"threat.indicator.x509.public_key_curve","type":"keyword","normalization":"","example":"nistp521","description":"The curve used by the elliptic curve public key algorithm. This is algorithm specific."},{"field":"threat.indicator.x509.public_key_exponent","type":"long","normalization":"","example":65537,"description":"Exponent used to derive the public key. This is algorithm specific."},{"field":"threat.indicator.x509.public_key_size","type":"long","normalization":"","example":2048,"description":"The size of the public key space in bits."},{"field":"threat.indicator.x509.serial_number","type":"keyword","normalization":"","example":"55FBB9C7DEBF09809D12CCAA","description":"Unique serial number issued by the certificate authority."},{"field":"threat.indicator.x509.signature_algorithm","type":"keyword","normalization":"","example":"SHA256-RSA","description":"Identifier for certificate signature algorithm."},{"field":"threat.indicator.x509.subject.common_name","type":"keyword","normalization":"array","example":"shared.global.example.net","description":"List of common names (CN) of subject."},{"field":"threat.indicator.x509.subject.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\\\(C) code"},{"field":"threat.indicator.x509.subject.distinguished_name","type":"keyword","normalization":"","example":"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net","description":"Distinguished name (DN) of the certificate subject entity."},{"field":"threat.indicator.x509.subject.locality","type":"keyword","normalization":"array","example":"San Francisco","description":"List of locality names (L)"},{"field":"threat.indicator.x509.subject.organization","type":"keyword","normalization":"array","example":"Example, Inc.","description":"List of organizations (O) of subject."},{"field":"threat.indicator.x509.subject.organizational_unit","type":"keyword","normalization":"array","example":"","description":"List of organizational units (OU) of subject."},{"field":"threat.indicator.x509.subject.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or P)"},{"field":"threat.indicator.x509.version_number","type":"keyword","normalization":"","example":3,"description":"Version of x509 format."},{"field":"threat.software.alias","type":"keyword","normalization":"array","example":["X-Agent"],"description":"Alias of the software"},{"field":"threat.software.id","type":"keyword","normalization":"","example":"S0552","description":"ID of the software"},{"field":"threat.software.name","type":"keyword","normalization":"","example":"AdFind","description":"Name of the software."},{"field":"threat.software.platforms","type":"keyword","normalization":"array","example":["Windows"],"description":"Platforms of the software."},{"field":"threat.software.reference","type":"keyword","normalization":"","example":"https://attack.mitre.org/software/S0552/","description":"Software reference URL."},{"field":"threat.software.type","type":"keyword","normalization":"","example":"Tool","description":"Software type."},{"field":"threat.tactic.id","type":"keyword","normalization":"array","example":"TA0002","description":"Threat tactic id."},{"field":"threat.tactic.name","type":"keyword","normalization":"array","example":"Execution","description":"Threat tactic."},{"field":"threat.tactic.reference","type":"keyword","normalization":"array","example":"https://attack.mitre.org/tactics/TA0002/","description":"Threat tactic URL reference."},{"field":"threat.technique.id","type":"keyword","normalization":"array","example":"T1059","description":"Threat technique id."},{"field":"threat.technique.name","type":"keyword","normalization":"array","example":"Command and Scripting Interpreter","description":"Threat technique name."},{"field":"threat.technique.name.text","type":"match_only_text","normalization":"","example":"Command and Scripting Interpreter","description":"Threat technique name."},{"field":"threat.technique.reference","type":"keyword","normalization":"array","example":"https://attack.mitre.org/techniques/T1059/","description":"Threat technique URL reference."},{"field":"threat.technique.subtechnique.id","type":"keyword","normalization":"array","example":"T1059.001","description":"Threat subtechnique id."},{"field":"threat.technique.subtechnique.name","type":"keyword","normalization":"array","example":"PowerShell","description":"Threat subtechnique name."},{"field":"threat.technique.subtechnique.name.text","type":"match_only_text","normalization":"","example":"PowerShell","description":"Threat subtechnique name."},{"field":"threat.technique.subtechnique.reference","type":"keyword","normalization":"array","example":"https://attack.mitre.org/techniques/T1059/001/","description":"Threat subtechnique URL reference."},{"field":"tls.cipher","type":"keyword","normalization":"","example":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256","description":"String indicating the cipher used during the current connection."},{"field":"tls.client.certificate","type":"keyword","normalization":"","example":"MII...","description":"PEM-encoded stand-alone certificate offered by the client."},{"field":"tls.client.certificate_chain","type":"keyword","normalization":"array","example":["MII...","MII..."],"description":"Array of PEM-encoded certificates that make up the certificate chain offered by the client."},{"field":"tls.client.hash.md5","type":"keyword","normalization":"","example":"0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC","description":"Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client."},{"field":"tls.client.hash.sha1","type":"keyword","normalization":"","example":"9E393D93138888D288266C2D915214D1D1CCEB2A","description":"Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client."},{"field":"tls.client.hash.sha256","type":"keyword","normalization":"","example":"0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0","description":"Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client."},{"field":"tls.client.issuer","type":"keyword","normalization":"","example":"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com","description":"Distinguished name of subject of the issuer of the x.509 certificate presented by the client."},{"field":"tls.client.ja3","type":"keyword","normalization":"","example":"d4e5b18d6b55c71272893221c96ba240","description":"A hash that identifies clients based on how they perform an SSL/TLS handshake."},{"field":"tls.client.not_after","type":"date","normalization":"","example":"2021-01-01T00:00:00.000Z","description":"Date/Time indicating when client certificate is no longer considered valid."},{"field":"tls.client.not_before","type":"date","normalization":"","example":"1970-01-01T00:00:00.000Z","description":"Date/Time indicating when client certificate is first considered valid."},{"field":"tls.client.server_name","type":"keyword","normalization":"","example":"www.elastic.co","description":"Hostname the client is trying to connect to. Also called the SNI."},{"field":"tls.client.subject","type":"keyword","normalization":"","example":"CN=myclient, OU=Documentation Team, DC=example, DC=com","description":"Distinguished name of subject of the x.509 certificate presented by the client."},{"field":"tls.client.supported_ciphers","type":"keyword","normalization":"array","example":["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","..."],"description":"Array of ciphers offered by the client during the client hello."},{"field":"tls.client.x509.alternative_names","type":"keyword","normalization":"array","example":"*.elastic.co","description":"List of subject alternative names (SAN)."},{"field":"tls.client.x509.issuer.common_name","type":"keyword","normalization":"array","example":"Example SHA2 High Assurance Server CA","description":"List of common name (CN) of issuing certificate authority."},{"field":"tls.client.x509.issuer.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\\\(C) codes"},{"field":"tls.client.x509.issuer.distinguished_name","type":"keyword","normalization":"","example":"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA","description":"Distinguished name (DN) of issuing certificate authority."},{"field":"tls.client.x509.issuer.locality","type":"keyword","normalization":"array","example":"Mountain View","description":"List of locality names (L)"},{"field":"tls.client.x509.issuer.organization","type":"keyword","normalization":"array","example":"Example Inc","description":"List of organizations (O) of issuing certificate authority."},{"field":"tls.client.x509.issuer.organizational_unit","type":"keyword","normalization":"array","example":"www.example.com","description":"List of organizational units (OU) of issuing certificate authority."},{"field":"tls.client.x509.issuer.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or P)"},{"field":"tls.client.x509.not_after","type":"date","normalization":"","example":"2020-07-16T03:15:39Z","description":"Time at which the certificate is no longer considered valid."},{"field":"tls.client.x509.not_before","type":"date","normalization":"","example":"2019-08-16T01:40:25Z","description":"Time at which the certificate is first considered valid."},{"field":"tls.client.x509.public_key_algorithm","type":"keyword","normalization":"","example":"RSA","description":"Algorithm used to generate the public key."},{"field":"tls.client.x509.public_key_curve","type":"keyword","normalization":"","example":"nistp521","description":"The curve used by the elliptic curve public key algorithm. This is algorithm specific."},{"field":"tls.client.x509.public_key_exponent","type":"long","normalization":"","example":65537,"description":"Exponent used to derive the public key. This is algorithm specific."},{"field":"tls.client.x509.public_key_size","type":"long","normalization":"","example":2048,"description":"The size of the public key space in bits."},{"field":"tls.client.x509.serial_number","type":"keyword","normalization":"","example":"55FBB9C7DEBF09809D12CCAA","description":"Unique serial number issued by the certificate authority."},{"field":"tls.client.x509.signature_algorithm","type":"keyword","normalization":"","example":"SHA256-RSA","description":"Identifier for certificate signature algorithm."},{"field":"tls.client.x509.subject.common_name","type":"keyword","normalization":"array","example":"shared.global.example.net","description":"List of common names (CN) of subject."},{"field":"tls.client.x509.subject.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\\\(C) code"},{"field":"tls.client.x509.subject.distinguished_name","type":"keyword","normalization":"","example":"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net","description":"Distinguished name (DN) of the certificate subject entity."},{"field":"tls.client.x509.subject.locality","type":"keyword","normalization":"array","example":"San Francisco","description":"List of locality names (L)"},{"field":"tls.client.x509.subject.organization","type":"keyword","normalization":"array","example":"Example, Inc.","description":"List of organizations (O) of subject."},{"field":"tls.client.x509.subject.organizational_unit","type":"keyword","normalization":"array","example":"","description":"List of organizational units (OU) of subject."},{"field":"tls.client.x509.subject.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or P)"},{"field":"tls.client.x509.version_number","type":"keyword","normalization":"","example":3,"description":"Version of x509 format."},{"field":"tls.curve","type":"keyword","normalization":"","example":"secp256r1","description":"String indicating the curve used for the given cipher, when applicable."},{"field":"tls.established","type":"boolean","normalization":"","example":"","description":"Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel."},{"field":"tls.next_protocol","type":"keyword","normalization":"","example":"http/1.1","description":"String indicating the protocol being tunneled."},{"field":"tls.resumed","type":"boolean","normalization":"","example":"","description":"Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation."},{"field":"tls.server.certificate","type":"keyword","normalization":"","example":"MII...","description":"PEM-encoded stand-alone certificate offered by the server."},{"field":"tls.server.certificate_chain","type":"keyword","normalization":"array","example":["MII...","MII..."],"description":"Array of PEM-encoded certificates that make up the certificate chain offered by the server."},{"field":"tls.server.hash.md5","type":"keyword","normalization":"","example":"0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC","description":"Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server."},{"field":"tls.server.hash.sha1","type":"keyword","normalization":"","example":"9E393D93138888D288266C2D915214D1D1CCEB2A","description":"Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server."},{"field":"tls.server.hash.sha256","type":"keyword","normalization":"","example":"0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0","description":"Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server."},{"field":"tls.server.issuer","type":"keyword","normalization":"","example":"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com","description":"Subject of the issuer of the x.509 certificate presented by the server."},{"field":"tls.server.ja3s","type":"keyword","normalization":"","example":"394441ab65754e2207b1e1b457b3641d","description":"A hash that identifies servers based on how they perform an SSL/TLS handshake."},{"field":"tls.server.not_after","type":"date","normalization":"","example":"2021-01-01T00:00:00.000Z","description":"Timestamp indicating when server certificate is no longer considered valid."},{"field":"tls.server.not_before","type":"date","normalization":"","example":"1970-01-01T00:00:00.000Z","description":"Timestamp indicating when server certificate is first considered valid."},{"field":"tls.server.subject","type":"keyword","normalization":"","example":"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com","description":"Subject of the x.509 certificate presented by the server."},{"field":"tls.server.x509.alternative_names","type":"keyword","normalization":"array","example":"*.elastic.co","description":"List of subject alternative names (SAN)."},{"field":"tls.server.x509.issuer.common_name","type":"keyword","normalization":"array","example":"Example SHA2 High Assurance Server CA","description":"List of common name (CN) of issuing certificate authority."},{"field":"tls.server.x509.issuer.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\\\(C) codes"},{"field":"tls.server.x509.issuer.distinguished_name","type":"keyword","normalization":"","example":"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA","description":"Distinguished name (DN) of issuing certificate authority."},{"field":"tls.server.x509.issuer.locality","type":"keyword","normalization":"array","example":"Mountain View","description":"List of locality names (L)"},{"field":"tls.server.x509.issuer.organization","type":"keyword","normalization":"array","example":"Example Inc","description":"List of organizations (O) of issuing certificate authority."},{"field":"tls.server.x509.issuer.organizational_unit","type":"keyword","normalization":"array","example":"www.example.com","description":"List of organizational units (OU) of issuing certificate authority."},{"field":"tls.server.x509.issuer.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or P)"},{"field":"tls.server.x509.not_after","type":"date","normalization":"","example":"2020-07-16T03:15:39Z","description":"Time at which the certificate is no longer considered valid."},{"field":"tls.server.x509.not_before","type":"date","normalization":"","example":"2019-08-16T01:40:25Z","description":"Time at which the certificate is first considered valid."},{"field":"tls.server.x509.public_key_algorithm","type":"keyword","normalization":"","example":"RSA","description":"Algorithm used to generate the public key."},{"field":"tls.server.x509.public_key_curve","type":"keyword","normalization":"","example":"nistp521","description":"The curve used by the elliptic curve public key algorithm. This is algorithm specific."},{"field":"tls.server.x509.public_key_exponent","type":"long","normalization":"","example":65537,"description":"Exponent used to derive the public key. This is algorithm specific."},{"field":"tls.server.x509.public_key_size","type":"long","normalization":"","example":2048,"description":"The size of the public key space in bits."},{"field":"tls.server.x509.serial_number","type":"keyword","normalization":"","example":"55FBB9C7DEBF09809D12CCAA","description":"Unique serial number issued by the certificate authority."},{"field":"tls.server.x509.signature_algorithm","type":"keyword","normalization":"","example":"SHA256-RSA","description":"Identifier for certificate signature algorithm."},{"field":"tls.server.x509.subject.common_name","type":"keyword","normalization":"array","example":"shared.global.example.net","description":"List of common names (CN) of subject."},{"field":"tls.server.x509.subject.country","type":"keyword","normalization":"array","example":"US","description":"List of country \\\\(C) code"},{"field":"tls.server.x509.subject.distinguished_name","type":"keyword","normalization":"","example":"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net","description":"Distinguished name (DN) of the certificate subject entity."},{"field":"tls.server.x509.subject.locality","type":"keyword","normalization":"array","example":"San Francisco","description":"List of locality names (L)"},{"field":"tls.server.x509.subject.organization","type":"keyword","normalization":"array","example":"Example, Inc.","description":"List of organizations (O) of subject."},{"field":"tls.server.x509.subject.organizational_unit","type":"keyword","normalization":"array","example":"","description":"List of organizational units (OU) of subject."},{"field":"tls.server.x509.subject.state_or_province","type":"keyword","normalization":"array","example":"California","description":"List of state or province names (ST, S, or P)"},{"field":"tls.server.x509.version_number","type":"keyword","normalization":"","example":3,"description":"Version of x509 format."},{"field":"tls.version","type":"keyword","normalization":"","example":1.2,"description":"Numeric part of the version parsed from the original string."},{"field":"tls.version_protocol","type":"keyword","normalization":"","example":"tls","description":"Normalized lowercase protocol name parsed from original string."},{"field":"trace.id","type":"keyword","normalization":"","example":"4bf92f3577b34da6a3ce929d0e0e4736","description":"Unique identifier of the trace."},{"field":"transaction.id","type":"keyword","normalization":"","example":"00f067aa0ba902b7","description":"Unique identifier of the transaction within the scope of its trace."},{"field":"url.domain","type":"keyword","normalization":"","example":"www.elastic.co","description":"Domain of the url."},{"field":"url.extension","type":"keyword","normalization":"","example":"png","description":"File extension from the request url, excluding the leading dot."},{"field":"url.fragment","type":"keyword","normalization":"","example":"","description":"Portion of the url after the `#`."},{"field":"url.full","type":"wildcard","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top","description":"Full unparsed URL."},{"field":"url.full.text","type":"match_only_text","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top","description":"Full unparsed URL."},{"field":"url.original","type":"wildcard","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch","description":"Unmodified original url as seen in the event source."},{"field":"url.original.text","type":"match_only_text","normalization":"","example":"https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch","description":"Unmodified original url as seen in the event source."},{"field":"url.password","type":"keyword","normalization":"","example":"","description":"Password of the request."},{"field":"url.path","type":"wildcard","normalization":"","example":"","description":"Path of the request, such as \\"/search\\"."},{"field":"url.port","type":"long","normalization":"","example":443,"description":"Port of the request, such as 443."},{"field":"url.query","type":"keyword","normalization":"","example":"","description":"Query string of the request."},{"field":"url.registered_domain","type":"keyword","normalization":"","example":"example.com","description":"The highest registered url domain, stripped of the subdomain."},{"field":"url.scheme","type":"keyword","normalization":"","example":"https","description":"Scheme of the url."},{"field":"url.subdomain","type":"keyword","normalization":"","example":"east","description":"The subdomain of the domain."},{"field":"url.top_level_domain","type":"keyword","normalization":"","example":"co.uk","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"url.username","type":"keyword","normalization":"","example":"","description":"Username of the request."},{"field":"user.changes.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the user is a member of."},{"field":"user.changes.email","type":"keyword","normalization":"","example":"","description":"User email address."},{"field":"user.changes.full_name","type":"keyword","normalization":"","example":"Albert Einstein","description":"User\'s full name, if available."},{"field":"user.changes.full_name.text","type":"match_only_text","normalization":"","example":"Albert Einstein","description":"User\'s full name, if available."},{"field":"user.changes.group.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the group is a member of."},{"field":"user.changes.group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"user.changes.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"user.changes.hash","type":"keyword","normalization":"","example":"","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"user.changes.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"user.changes.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"user.changes.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"user.changes.roles","type":"keyword","normalization":"array","example":["kibana_admin","reporting_user"],"description":"Array of user roles at the time of the event."},{"field":"user.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the user is a member of."},{"field":"user.effective.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the user is a member of."},{"field":"user.effective.email","type":"keyword","normalization":"","example":"","description":"User email address."},{"field":"user.effective.full_name","type":"keyword","normalization":"","example":"Albert Einstein","description":"User\'s full name, if available."},{"field":"user.effective.full_name.text","type":"match_only_text","normalization":"","example":"Albert Einstein","description":"User\'s full name, if available."},{"field":"user.effective.group.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the group is a member of."},{"field":"user.effective.group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"user.effective.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"user.effective.hash","type":"keyword","normalization":"","example":"","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"user.effective.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"user.effective.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"user.effective.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"user.effective.roles","type":"keyword","normalization":"array","example":["kibana_admin","reporting_user"],"description":"Array of user roles at the time of the event."},{"field":"user.email","type":"keyword","normalization":"","example":"","description":"User email address."},{"field":"user.full_name","type":"keyword","normalization":"","example":"Albert Einstein","description":"User\'s full name, if available."},{"field":"user.full_name.text","type":"match_only_text","normalization":"","example":"Albert Einstein","description":"User\'s full name, if available."},{"field":"user.group.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the group is a member of."},{"field":"user.group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"user.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"user.hash","type":"keyword","normalization":"","example":"","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"user.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"user.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"user.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"user.risk.calculated_level","type":"keyword","normalization":"","example":"High","description":"A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring."},{"field":"user.risk.calculated_score","type":"float","normalization":"","example":880.73,"description":"A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring."},{"field":"user.risk.calculated_score_norm","type":"float","normalization":"","example":88.73,"description":"A normalized risk score calculated by an internal system."},{"field":"user.risk.static_level","type":"keyword","normalization":"","example":"High","description":"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."},{"field":"user.risk.static_score","type":"float","normalization":"","example":830,"description":"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."},{"field":"user.risk.static_score_norm","type":"float","normalization":"","example":83,"description":"A normalized risk score calculated by an external system."},{"field":"user.roles","type":"keyword","normalization":"array","example":["kibana_admin","reporting_user"],"description":"Array of user roles at the time of the event."},{"field":"user.target.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the user is a member of."},{"field":"user.target.email","type":"keyword","normalization":"","example":"","description":"User email address."},{"field":"user.target.full_name","type":"keyword","normalization":"","example":"Albert Einstein","description":"User\'s full name, if available."},{"field":"user.target.full_name.text","type":"match_only_text","normalization":"","example":"Albert Einstein","description":"User\'s full name, if available."},{"field":"user.target.group.domain","type":"keyword","normalization":"","example":"","description":"Name of the directory the group is a member of."},{"field":"user.target.group.id","type":"keyword","normalization":"","example":"","description":"Unique identifier for the group on the system/platform."},{"field":"user.target.group.name","type":"keyword","normalization":"","example":"","description":"Name of the group."},{"field":"user.target.hash","type":"keyword","normalization":"","example":"","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"user.target.id","type":"keyword","normalization":"","example":"S-1-5-21-202424912787-2692429404-2351956786-1000","description":"Unique identifier of the user."},{"field":"user.target.name","type":"keyword","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"user.target.name.text","type":"match_only_text","normalization":"","example":"a.einstein","description":"Short name or login of the user."},{"field":"user.target.roles","type":"keyword","normalization":"array","example":["kibana_admin","reporting_user"],"description":"Array of user roles at the time of the event."},{"field":"user_agent.device.name","type":"keyword","normalization":"","example":"iPhone","description":"Name of the device."},{"field":"user_agent.name","type":"keyword","normalization":"","example":"Safari","description":"Name of the user agent."},{"field":"user_agent.original","type":"keyword","normalization":"","example":"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1","description":"Unparsed user_agent string."},{"field":"user_agent.original.text","type":"match_only_text","normalization":"","example":"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1","description":"Unparsed user_agent string."},{"field":"user_agent.os.family","type":"keyword","normalization":"","example":"debian","description":"OS family (such as redhat, debian, freebsd, windows)."},{"field":"user_agent.os.full","type":"keyword","normalization":"","example":"Mac OS Mojave","description":"Operating system name, including the version or code name."},{"field":"user_agent.os.full.text","type":"match_only_text","normalization":"","example":"Mac OS Mojave","description":"Operating system name, including the version or code name."},{"field":"user_agent.os.kernel","type":"keyword","normalization":"","example":"4.4.0-112-generic","description":"Operating system kernel version as a raw string."},{"field":"user_agent.os.name","type":"keyword","normalization":"","example":"Mac OS X","description":"Operating system name, without the version."},{"field":"user_agent.os.name.text","type":"match_only_text","normalization":"","example":"Mac OS X","description":"Operating system name, without the version."},{"field":"user_agent.os.platform","type":"keyword","normalization":"","example":"darwin","description":"Operating system platform (such centos, ubuntu, windows)."},{"field":"user_agent.os.type","type":"keyword","normalization":"","example":"macos","description":"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)."},{"field":"user_agent.os.version","type":"keyword","normalization":"","example":"10.14.1","description":"Operating system version as a raw string."},{"field":"user_agent.version","type":"keyword","normalization":"","example":12,"description":"Version of the user agent."},{"field":"vulnerability.category","type":"keyword","normalization":"array","example":["Firewall"],"description":"Category of a vulnerability."},{"field":"vulnerability.classification","type":"keyword","normalization":"","example":"CVSS","description":"Classification of the vulnerability."},{"field":"vulnerability.description","type":"keyword","normalization":"","example":"In macOS before 2.12.6, there is a vulnerability in the RPC...","description":"Description of the vulnerability."},{"field":"vulnerability.description.text","type":"match_only_text","normalization":"","example":"In macOS before 2.12.6, there is a vulnerability in the RPC...","description":"Description of the vulnerability."},{"field":"vulnerability.enumeration","type":"keyword","normalization":"","example":"CVE","description":"Identifier of the vulnerability."},{"field":"vulnerability.id","type":"keyword","normalization":"","example":"CVE-2019-00001","description":"ID of the vulnerability."},{"field":"vulnerability.reference","type":"keyword","normalization":"","example":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111","description":"Reference of the vulnerability."},{"field":"vulnerability.report_id","type":"keyword","normalization":"","example":20191018.0001,"description":"Scan identification number."},{"field":"vulnerability.scanner.vendor","type":"keyword","normalization":"","example":"Tenable","description":"Name of the scanner vendor."},{"field":"vulnerability.score.base","type":"float","normalization":"","example":5.5,"description":"Vulnerability Base score."},{"field":"vulnerability.score.environmental","type":"float","normalization":"","example":5.5,"description":"Vulnerability Environmental score."},{"field":"vulnerability.score.temporal","type":"float","normalization":"","example":"","description":"Vulnerability Temporal score."},{"field":"vulnerability.score.version","type":"keyword","normalization":"","example":2,"description":"CVSS version."},{"field":"vulnerability.severity","type":"keyword","normalization":"","example":"Critical","description":"Severity of the vulnerability."}]')},170:function(e,i,t){"use strict";t.r(i),t.d(i,"ECSComboboxField",(function(){return R})),t.d(i,"OsqueryColumnField",(function(){return P})),t.d(i,"defaultEcsFormData",(function(){return M})),t.d(i,"ECSMappingEditorForm",(function(){return q})),t.d(i,"ECSMappingEditorField",(function(){return B}));var n=t(7),o=t.n(n),r=t(15),a=t(1),l=t.n(a),s=t(6),p=t(168),d=t.n(p),c=t(14),m=t(8),f=t(60),u=t.n(f),y=t(16),h=t(90),x=t(169),g=t(113),_=t(4),z=t(62),w=t(68),b=t(65);const k={"&.euiComboBox":{position:"relative",left:"-1px",".euiComboBox__inputWrap":{borderRadius:"0 6px 6px 0"}}},$={minWidth:"70px",borderRadius:"6px 0 0 6px",".euiIcon":{padding:0,width:"18px",background:"none"}},v={width:"32px","> svg":{padding:"0 6px !important"}},E={paddingTop:"0 !important",paddingBottom:"0 !important"},S={overflow:"hidden"},T={marginTop:"28px"},A={marginTop:"28px",width:"24px"},L={maxWidth:"100%"};var O=t(0);const C={binary:"binary",half_float:"number",scaled_float:"number",float:"number",integer:"number",long:"number",short:"number",byte:"number",text:"string",keyword:"string","":"string",geo_point:"geo_point",date:"date",ip:"ip",boolean:"boolean",constant_keyword:"string"},I={asPlainText:!0},N=x.map((e=>({label:e.field,value:e}))),j=({euiFieldProps:e={},idAria:i,index:t,watch:n,control:l})=>{var p,d,c,f;const{ecsMappingArray:u}=n(),h=Object(r.get)(u,`[${t}].result.value`),x=Object(a.useCallback)((e=>null!=e&&e.length||null==h||!h.length?void 0:m.i18n.translate("xpack.osquery.pack.queryFlyoutForm.ecsFieldRequiredErrorMessage",{defaultMessage:"ECS field is required."})),[null==h?void 0:h.length]),{field:g,fieldState:z}=Object(y.useController)({control:l,name:`ecsMappingArray.${t}.key`,rules:{validate:x},defaultValue:""}),[w,b]=Object(a.useState)([]),k=Object(a.useMemo)((()=>i?[i]:[]),[i]),{ecsMappingArray:$}=n(),T=Object(a.useCallback)((e=>{var i,t;b(e),g.onChange(null!==(i=null===(t=e[0])||void 0===t?void 0:t.label)&&void 0!==i?i:"")}),[g]),A=Object(a.useCallback)(((e,i,t)=>{var n;return Object(O.jsx)(s.EuiFlexGroup,{className:`${t} euiSuggestItem euiSuggestItem--truncate`,alignItems:"center",gutterSize:"none"},Object(O.jsx)(s.EuiFlexItem,{grow:!1},Object(O.jsx)(_.a,{type:null!==(n=C[e.value.type])&&void 0!==n?n:e.value.type})),Object(O.jsx)(s.EuiFlexItem,{grow:!1},Object(O.jsx)("span",{css:E,className:"euiSuggestItem__label euiSuggestItem__label--expand"},e.value.field)),Object(O.jsx)(s.EuiFlexItem,{css:S,grow:!1},Object(O.jsx)("span",{css:E,className:"euiSuggestItem__description euiSuggestItem__description"},e.value.description)))}),[]),L=Object(a.useMemo)((()=>{var e,i,t,n,o;return Object(O.jsx)(_.a,{css:v,size:"l",type:null!==(e=C[null===(i=w[0])||void 0===i||null===(t=i.value)||void 0===t?void 0:t.type])&&void 0!==e?e:null===(n=w[0])||void 0===n||null===(o=n.value)||void 0===o?void 0:o.type})}),[w]),j=Object(a.useMemo)((()=>{var e,i,t,n;let o=null===(e=w[0])||void 0===e||null===(i=e.value)||void 0===i?void 0:i.description;if(!o)return;const r=null===(t=w[0])||void 0===t||null===(n=t.value)||void 0===n?void 0:n.example;return r&&(o+=` e.g. ${JSON.stringify(r)}`),o}),[w]),R=Object(a.useMemo)((()=>{const e=Object(r.map)($,"key");return N.filter((({label:i})=>!e.includes(i)))}),[$]);return Object(a.useEffect)((()=>{b((()=>{var e;if(null===(e=g.value)||void 0===e||!e.length)return[];const i=Object(r.find)(N,["label",g.value]);return i?[i]:[{label:g.value,value:{value:g.value}}]}))}),[g.value]),Object(O.jsx)(s.EuiFormRow,{label:m.i18n.translate("xpack.osquery.pack.queryFlyoutForm.mappingEcsFieldLabel",{defaultMessage:"ECS field"}),helpText:j,error:null===(p=z.error)||void 0===p?void 0:p.message,isInvalid:!(null===(d=z.error)||void 0===d||null===(c=d.message)||void 0===c||!c.length),fullWidth:!0,describedByIds:k,isDisabled:e.isDisabled},Object(O.jsx)(s.EuiComboBox,o()({prepend:L,fullWidth:!0,singleSelection:I,error:null===(f=z.error)||void 0===f?void 0:f.message,options:R,selectedOptions:w,onChange:T,"data-test-subj":"ECS-field-input",renderOption:A,rowHeight:32,isClearable:!0},e)))},R=l.a.memo(j,u.a),F=[{value:"field",inputDisplay:Object(O.jsx)(z.a,{size:"m"}),dropdownDisplay:Object(O.jsx)(s.EuiFlexGroup,{gutterSize:"xs",alignItems:"center",justifyContent:"center"},Object(O.jsx)(s.EuiFlexItem,{grow:!1},Object(O.jsx)(z.a,{size:"m"})),Object(O.jsx)(s.EuiFlexItem,null,Object(O.jsx)(s.EuiText,{size:"s",className:"eui-textNoWrap"},Object(O.jsx)(c.FormattedMessage,{id:"xpack.osquery.pack.form.ecsMappingSection.osqueryValueOptionLabel",defaultMessage:"Osquery value"}))))},{value:"value",inputDisplay:Object(O.jsx)(s.EuiIcon,{type:"user",size:"m"}),dropdownDisplay:Object(O.jsx)(s.EuiFlexGroup,{gutterSize:"xs",alignItems:"center",justifyContent:"center"},Object(O.jsx)(s.EuiFlexItem,{grow:!1},Object(O.jsx)(s.EuiIcon,{type:"user",size:"m"})),Object(O.jsx)(s.EuiFlexItem,null,Object(O.jsx)(s.EuiText,{size:"s",className:"eui-textNoWrap"},Object(O.jsx)(c.FormattedMessage,{id:"xpack.osquery.pack.form.ecsMappingSection.staticValueOptionLabel",defaultMessage:"Static value"}))))}],D=[],U=({euiFieldProps:e,idAria:i,index:t,isLastItem:n,control:l,watch:p,trigger:d})=>{var c,f,u,h,x,g,_,z;const{ecsMappingArray:w}=p(),v=Object(a.useCallback)((i=>{var n,o;const a=w&&w[t];return null!=i&&i.length||null==a||null===(n=a.key)||void 0===n||!n.length?null!=i&&i.length&&"field"===(null==a||null===(o=a.result)||void 0===o?void 0:o.type)?Object(r.find)(e.options,["label",Object(r.isArray)(i)?i[0]:i])?void 0:m.i18n.translate("xpack.osquery.pack.queryFlyoutForm.osqueryResultFieldValueMissingErrorMessage",{defaultMessage:"The current query does not return a {columnName} field",values:{columnName:Object(r.isArray)(i)?i[0]:i}}):void 0:m.i18n.translate("xpack.osquery.pack.queryFlyoutForm.osqueryResultFieldRequiredErrorMessage",{defaultMessage:"Value field is required."})}),[w,e.options,t]),{field:T}=Object(y.useController)({control:l,name:`ecsMappingArray.${t}.result.type`,defaultValue:F[0].value}),{field:A,fieldState:L}=Object(y.useController)({control:l,name:`ecsMappingArray.${t}.result.value`,rules:{validate:v},defaultValue:""}),C=Object(a.useRef)(),[j,R]=Object(a.useState)([]),U=Object(a.useMemo)((()=>i?[i]:[]),[i]),P=Object(a.useCallback)(((e,i,t)=>Object(O.jsx)(s.EuiFlexGroup,{className:`${t} euiSuggestItem euiSuggestItem--truncate`,alignItems:"center",gutterSize:"none"},Object(O.jsx)(s.EuiFlexItem,{grow:!1},Object(O.jsx)("span",{css:E,className:"euiSuggestItem__label euiSuggestItem__label--expand"},e.value.suggestion_label)),Object(O.jsx)(s.EuiFlexItem,{css:S,grow:!1},Object(O.jsx)("span",{css:E,className:"euiSuggestItem__description euiSuggestItem__description"},e.value.description)))),[]),M=Object(a.useCallback)((e=>{var i,t;R(e),A.onChange(Object(r.isArray)(e)?Object(r.map)(e,"label"):null!==(i=null===(t=e[0])||void 0===t?void 0:t.label)&&void 0!==i?i:"")}),[A]),q=Object(a.useMemo)((()=>{var e,i,o;const a=Object(r.get)(w,`${t}`);if(null!=a&&null!==(e=a.key)&&void 0!==e&&e.length&&"value"===T.value){var l;const e=Object(r.find)(N,["label",null==a?void 0:a.key]);return"array"!==(null==e||null===(l=e.value)||void 0===l?void 0:l.normalization)}return!(null!=a&&null!==(i=a.key)&&void 0!==i&&i.length||!n)||!(null==a||null===(o=a.key)||void 0===o||!o.length)}),[w,t,n,T.value]),B=Object(a.useCallback)((e=>{e!==T.value&&(T.onChange(e),A.onChange("value"===e&&!1===q?[]:""))}),[q,A,T]),H=Object(a.useCallback)((e=>{const i=Object(r.trim)(e);var t,n;i.length&&(!1===q?(A.onChange([i]),null!==(t=A.value)&&void 0!==t&&t.length?A.onChange([...Object(r.castArray)(A.value),i]):A.onChange([i]),null===(n=C.current)||void 0===n||n.blur()):A.onChange(i))}),[q,A]),G=Object(a.useMemo)((()=>Object(O.jsx)(s.EuiSuperSelect,{css:$,disabled:e.isDisabled,options:F,"data-test-subj":`osquery-result-type-select-${t}`,valueOfSelected:T.value||F[0].value,popoverProps:{panelStyle:{minWidth:"250px"}},onChange:B})),[e.isDisabled,t,B,T.value]);return Object(a.useEffect)((()=>{if(q&&Object(r.isArray)(A.value)&&A.onChange(A.value.join(" ")),!q&&!Object(r.isArray)(A.value)){const e=A.value.length?[A.value]:[];A.onChange(e)}}),[t,q,A,A.value]),Object(a.useEffect)((()=>{R((i=>{var t;if(null===(t=A.value)||void 0===t||!t.length)return[];if(Object(r.isArray)(A.value))return A.value.map((e=>({label:e})));const n=Object(r.find)(null==e?void 0:e.options,["label",A.value]);return n?[n]:[{label:A.value}]}))}),[null==e?void 0:e.options,R,A.value]),Object(a.useEffect)((()=>{d(`ecsMappingArray.${t}.key`)}),[A.value,d,t]),Object(O.jsx)(s.EuiFormRow,{label:m.i18n.translate("xpack.osquery.pack.queryFlyoutForm.mappingValueFieldLabel",{defaultMessage:"Value"}),helpText:null===(c=j[0])||void 0===c||null===(f=c.value)||void 0===f?void 0:f.description,error:null===(u=L.error)||void 0===u?void 0:u.message,isInvalid:!(null===(h=L.error)||void 0===h||null===(x=h.message)||void 0===x||!x.length),fullWidth:!0,describedByIds:U,isDisabled:e.isDisabled},Object(O.jsx)(s.EuiFlexGroup,{gutterSize:"none"},Object(O.jsx)(s.EuiFlexItem,{css:b.a,grow:!1},G),Object(O.jsx)(s.EuiFlexItem,{css:b.a},Object(O.jsx)(s.EuiComboBox,o()({css:k,error:null===(g=L.error)||void 0===g?void 0:g.message,inputRef:e=>{C.current=e},fullWidth:!0,selectedOptions:j,onChange:M,onCreateOption:H,renderOption:P,rowHeight:32,isClearable:!0,singleSelection:!!q&&I,idAria:i,helpText:null===(_=j[0])||void 0===_||null===(z=_.value)||void 0===z?void 0:z.description},e,{"data-test-subj":"osqueryColumnValueSelect",options:"field"===T.value&&e.options||D})))))},P=l.a.memo(U,u.a),M={key:"",result:{type:"field",value:""}},q=({isDisabled:e,osquerySchemaOptions:i,isLastItem:t,index:n,onDelete:o,control:r,watch:p,trigger:d})=>{const c=Object(a.useCallback)((()=>{o&&o(n)}),[n,o]);return Object(O.jsx)(l.a.Fragment,null,Object(O.jsx)(s.EuiFlexGroup,{"data-test-subj":"ECSMappingEditorForm",alignItems:"flexStart",gutterSize:"s"},Object(O.jsx)(s.EuiFlexItem,{css:b.a},Object(O.jsx)(s.EuiFlexGroup,{alignItems:"flexStart",gutterSize:"s",wrap:!0},Object(O.jsx)(s.EuiFlexItem,{css:b.a},Object(O.jsx)(R,{control:r,watch:p,index:n,euiFieldProps:{isDisabled:e}})),Object(O.jsx)(s.EuiFlexItem,{grow:!1,css:T},Object(O.jsx)(s.EuiText,null,":")))),Object(O.jsx)(s.EuiFlexItem,{css:b.a},Object(O.jsx)(s.EuiFlexGroup,{alignItems:"flexStart",gutterSize:"s",wrap:!0},Object(O.jsx)(s.EuiFlexItem,{css:L},Object(O.jsx)(P,{control:r,watch:p,trigger:d,index:n,isLastItem:t,euiFieldProps:{options:i,isDisabled:e}})),!e&&Object(O.jsx)(s.EuiFlexItem,{grow:!1},Object(O.jsx)("div",{css:A},!t&&Object(O.jsx)(s.EuiButtonIcon,{"aria-label":m.i18n.translate("xpack.osquery.pack.queryFlyoutForm.deleteECSMappingRowButtonAriaLabel",{defaultMessage:"Delete ECS mapping row"}),iconType:"trash",color:"danger",onClick:c})))))),Object(O.jsx)(s.EuiSpacer,{size:"s"}))},B=l.a.memo((({euiFieldProps:e})=>{const{setError:i,clearErrors:t,watch:n,register:o,setValue:p}=Object(y.useFormContext)(),m=Object(a.useRef)(void 0),[f,x]=n(["query","ecs_mapping"]),{control:_,trigger:z,watch:b,formState:k,resetField:$,getFieldState:v}=Object(y.useForm)({mode:"all",shouldUnregister:!0,defaultValues:{ecsMappingArray:Object(r.isEmpty)(Object(h.a)(x))?[M]:[...Object(h.a)(x),M]}}),{fields:E,append:S,remove:T,replace:A}=Object(y.useFieldArray)({control:_,name:"ecsMappingArray"}),L=b(),C=v("ecsMappingArray",k),[I,N]=Object(a.useState)([]);return Object(a.useEffect)((()=>{o("ecs_mapping")}),[o]),Object(a.useEffect)((()=>{var e,n;u()(m.current,k.errors.ecsMappingArray)||(m.current=k.errors.ecsMappingArray,null!==(e=k.errors.ecsMappingArray)&&void 0!==e&&e.length&&null!==(n=k.errors.ecsMappingArray[0])&&void 0!==n&&n.key?i("ecs_mapping",k.errors.ecsMappingArray[0].key):t("ecs_mapping"))}),[k,i,t]),Object(a.useEffect)((()=>{const e=n(((e,i)=>{if("ecs_mapping"===i.name){const i=Object(h.b)(L.ecsMappingArray);u()(e.ecs_mapping,i)||($("ecsMappingArray",{defaultValue:[...Object(h.a)(e.ecs_mapping),M]}),A([...Object(h.a)(e.ecs_mapping),M]))}}));return()=>e.unsubscribe()}),[n,x,A,$,L.ecsMappingArray]),Object(a.useEffect)((()=>{const e=b(((e,i)=>{if(null!=e&&e.ecsMappingArray){var t,n;const s=(null==e||null===(t=e.ecsMappingArray)||void 0===t?void 0:t.length)-1;if(null!==(n=i.name)&&void 0!==n&&n.startsWith(`ecsMappingArray.${s}.`)){var o,a,l;const i=Object(r.last)(e.ecsMappingArray);null!=i&&null!==(o=i.key)&&void 0!==o&&o.length&&null!=i&&null!==(a=i.result)&&void 0!==a&&null!==(l=a.value)&&void 0!==l&&l.length&&S(M)}}}));return()=>e.unsubscribe()}),[L,S,b]),Object(a.useEffect)((()=>{var e,i,t,n;if(null==f||!f.length)return;const o=Object(w.a)(f);let a;try{var l,s;a=null===(l=d()(o))||void 0===l||null===(s=l.statement)||void 0===s?void 0:s[0]}catch(e){return}const p=null!==(e=Object(r.reduce)(a,((e,i)=>{if("identifier"===(null==i?void 0:i.type)&&"table"===(null==i?void 0:i.variant)){const t=Object(r.find)(g,["name",i.name]);t&&(e[i.alias||i.name]={columns:t.columns,order:Object.keys(e).length})}if("map"===(null==i?void 0:i.type)&&"join"===(null==i?void 0:i.variant)){var t,n,o,a,l,s;if("identifier"===(null==i||null===(t=i.source)||void 0===t?void 0:t.type)&&"table"===(null==i||null===(n=i.source)||void 0===n?void 0:n.variant)){var p;const t=Object(r.find)(g,["name",null==i||null===(p=i.source)||void 0===p?void 0:p.name]);var d,c;t&&(e[(null==i||null===(d=i.source)||void 0===d?void 0:d.alias)||(null==i||null===(c=i.source)||void 0===c?void 0:c.name)]={columns:t.columns,order:Object.keys(e).length})}if("statement"===(null==i||null===(o=i.source)||void 0===o?void 0:o.type)&&"compound"===(null==i||null===(a=i.source)||void 0===a?void 0:a.variant)&&"identifier"===(null==i||null===(l=i.source)||void 0===l?void 0:l.statement.from.type)&&"table"===(null==i||null===(s=i.source)||void 0===s?void 0:s.statement.from.variant)){var m;const t=Object(r.find)(g,["name",null==i||null===(m=i.source)||void 0===m?void 0:m.statement.from.name]);var f,u;t&&(e[(null==i||null===(f=i.source)||void 0===f?void 0:f.statement.from.alias)||(null==i||null===(u=i.source)||void 0===u?void 0:u.statement.from.name)]={columns:t.columns,order:Object.keys(e).length})}Object(r.each)(null==i?void 0:i.map,(i=>{var t,n;if("join"===(null==i?void 0:i.type)&&"identifier"===(null==i||null===(t=i.source)||void 0===t?void 0:t.type)&&"table"===(null==i||null===(n=i.source)||void 0===n?void 0:n.variant)){var o;const t=Object(r.find)(g,["name",null==i||null===(o=i.source)||void 0===o?void 0:o.name]);var a,l;t&&(e[(null==i||null===(a=i.source)||void 0===a?void 0:a.alias)||(null==i||null===(l=i.source)||void 0===l?void 0:l.name)]={columns:t.columns,order:Object.keys(e).length})}}))}return e}),{}))&&void 0!==e?e:{};if(Object(r.isEmpty)(p))return;const c=Object(r.isArray)(null===(i=a)||void 0===i?void 0:i.result)?null===(t=a)||void 0===t||null===(n=t.result)||void 0===n?void 0:n.map((e=>{if("identifier"===e.type){var i;if(1===(null===(i=a)||void 0===i?void 0:i.result.length)&&"*"===e.name)return Object(r.reduce)(p,((e,{columns:i,order:t},n)=>(e.push(...i.map((e=>({label:e.name,value:{name:e.name,description:e.description,table:n,tableOrder:t,suggestion_label:e.name}})))),e)),[]);const[n,o]=e.name.includes(".")?e.name.split("."):[Object.keys(p)[0],e.name];if("*"===o&&p[n]){const{columns:e,order:i}=p[n];return e.map((e=>({label:e.name,value:{name:e.name,description:e.description,table:n,tableOrder:i,suggestion_label:`${e.name}`}})))}if(p[n]){const i=Object(r.find)(p[n].columns,["name",o]);if(i){var t;const r=null!==(t=e.alias)&&void 0!==t?t:o;return[{label:r,value:{name:i.name,description:i.description,table:n,tableOrder:p[n].order,suggestion_label:`${r}`}}]}}}return"function"===e.type&&e.alias?[{label:e.alias,value:{name:e.alias,description:"",table:"",tableOrder:-1,suggestion_label:e.alias}}]:[]})).flat():[],m=Object(r.sortedUniqBy)(Object(r.orderBy)(c,["value.suggestion_label","value.tableOrder"],["asc","desc"]),"label");N((e=>u()(e,m)?e:(z(),m)))}),[f,z]),Object(a.useEffect)((()=>{const e=Object(h.b)(L.ecsMappingArray);C.isDirty&&!u()(e,x)&&p("ecs_mapping",e,{shouldTouch:!0})}),[p,L,C.isDirty,x]),Object(O.jsx)(l.a.Fragment,null,Object(O.jsx)(s.EuiFlexGroup,null,Object(O.jsx)(s.EuiFlexItem,null,Object(O.jsx)(s.EuiTitle,{size:"xs"},Object(O.jsx)("h5",null,Object(O.jsx)(c.FormattedMessage,{id:"xpack.osquery.pack.form.ecsMappingSection.title",defaultMessage:"ECS mapping"}))),Object(O.jsx)(s.EuiText,{color:"subdued"},Object(O.jsx)(c.FormattedMessage,{id:"xpack.osquery.pack.form.ecsMappingSection.description",defaultMessage:"Use the fields below to map results from this query to ECS fields."})))),Object(O.jsx)(s.EuiSpacer,{size:"s"}),E.map(((i,t,n)=>Object(O.jsx)("div",{key:i.id},Object(O.jsx)(q,{osquerySchemaOptions:I,index:t,isLastItem:t===n.length-1,onDelete:T,isDisabled:!(null==e||!e.isDisabled),control:_,watch:b,trigger:z})))))}));i.default=B},60:function(e,i,t){"use strict";e.exports=function e(i,t){if(i===t)return!0;if(i&&t&&"object"==typeof i&&"object"==typeof t){if(i.constructor!==t.constructor)return!1;var n,o,r;if(Array.isArray(i)){if((n=i.length)!=t.length)return!1;for(o=n;0!=o--;)if(!e(i[o],t[o]))return!1;return!0}if(i.constructor===RegExp)return i.source===t.source&&i.flags===t.flags;if(i.valueOf!==Object.prototype.valueOf)return i.valueOf()===t.valueOf();if(i.toString!==Object.prototype.toString)return i.toString()===t.toString();if((n=(r=Object.keys(i)).length)!==Object.keys(t).length)return!1;for(o=n;0!=o--;)if(!Object.prototype.hasOwnProperty.call(t,r[o]))return!1;for(o=n;0!=o--;){var a=r[o];if(!e(i[a],t[a]))return!1}return!0}return i!=i&&t!=t}},62:function(e,i,t){"use strict";t.d(i,"a",(function(){return m}));var n=t(7),o=t.n(n),r=t(1),a=t.n(r),l=t(6),s=t(29),p=t.n(s),d=t(0);const c=e=>Object(d.jsx)(l.EuiIcon,o()({size:"xl",type:p.a},e)),m=a.a.memo(c)},65:function(e,i,t){"use strict";t.d(i,"a",(function(){return n}));const n={overflow:"hidden"}},68:function(e,i,t){"use strict";t.d(i,"a",(function(){return n}));const n=e=>e.replaceAll("\r\n"," ").replaceAll("\n"," ").replaceAll(/ +/g," ")},90:function(e,i,t){"use strict";t.d(i,"b",(function(){return o})),t.d(i,"a",(function(){return r})),t.d(i,"d",(function(){return a})),t.d(i,"c",(function(){return l}));var n=t(15);const o=e=>Object(n.reduce)(e,((e,i)=>{var t,o;return Object(n.isEmpty)(null==i?void 0:i.key)||Object(n.isEmpty)(null===(t=i.result)||void 0===t?void 0:t.type)||Object(n.isEmpty)(null===(o=i.result)||void 0===o?void 0:o.value)||(e[i.key]={[i.result.type]:i.result.value}),e}),{}),r=e=>Object(n.reduce)(e,((e,i,t)=>(i&&e.push({key:t,result:{type:Object.keys(i)[0],value:Object.values(i)[0]}}),e)),[]),a=e=>Object(n.reduce)(e,((e,i)=>(Object(n.isEmpty)(null==i?void 0:i.policy)||(e[i.policy.key]=i.percentage),e)),{}),l=(e,i)=>Object(n.reduce)(e,((e,t,n)=>{var o,r;return null!=t&&e.push({policy:{key:n,label:null!==(o=null==i||null===(r=i[n])||void 0===r?void 0:r.name)&&void 0!==o?o:""},percentage:t}),e}),[])}}]);